The IT Nerd

It seems that HBO has a new problem which comes hot off the heels of getting pwned earlier this week by hackers. The upcoming episode of Game Of Thrones has been leaked. It’s apparently a low quality screener copy. But the fact that even that got leaked is what matters because it came from a distribution partner rather than the hack that happened this week. Clearly, they have some issues both inside and outside that they have to deal with. And they likely need to deal with them fast to keep from being in the news for all the wrong reasons.

Cyber security was supposed to be a top of mind item for the folks running the US right now. But if I had to grade them on their efforts, that grade would be “F” based on the news that White House staffers fell victim to a social engineering attack:

A self-described “email prankster” in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official’s private email address unsolicited.

“Tom, we are arranging a bit of a soirée towards the end of August,” the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. “It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening.”

Bossert wrote back: “Thanks, Jared. With a promise like that, I can’t refuse. Also, if you ever need it, my personal email is” (redacted).

Bossert did not respond to CNN’s request for comment; the email prankster said he was surprised Bossert responded given his expertise. The emails were shared with CNN by the email prankster.

Now, you’re likely wondering what the big deal is. As famed hacker Kevin Mitnick pointed out in his book The Art Of Deception, all the firewalls and security software in the world won’t save you from someone who leverages people to get the information that they want from computer systems. Thus, if this wasn’t a prankster, but instead it was a nation state looking to pwn the White House, the lack of security awareness by these people could be catastrophic.

It looks like the US Government needs some remedial education when it comes to cyber security.

Hackers are clearly fans of HBO as EW is reporting that HBO has been pwned by hackers and info related to the network has been leaked:

“HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information,” the network confirmed in a statement. “We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold.”

Hackers claimed to have obtained 1.5 terabytes of data from the company. So far, an upcoming episode of Ballers and Room 104 have apparently been put online. There is also written material that’s allegedly from next week’s fourth episode of Game of Thrones. More is promised to be “coming soon.” 

I guess that winter has come for HBO.

It appears that the hackers are looking for fame and not fortune. At least for now because no ransom demand has been made. But this is part of a trend of movie and TV studios and networks being pwned by hackers to leak content. After all, content is king.

Research and investigation into Petya ransomware which has affected computers in over 60 countries has yielded three interesting facts according to Comae’s Matthieu Suiche:

1. Ukraine was the epicenter of the attack. According to Kaspersky, 60 percent of all machines infected were located within Ukraine.
2. The attackers behind the attack have made little money. At most they made around $10,000. Which suggests that money wasn’t a motive at all.
3. Petya was either “incredibly buggy, or irreversibly destructive on purpose.” Thus Suiche suggests that this ransomware was really a “wiper” which is malicious code meant to destroy and damage.

Here’s some more details from Suiche:

We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.

The attacker took an existing ransomware which he repackaged.

Lately, the number of attacks against Ukraine increased from Power Grids being shut down to the car a top military intelligence officer exploding yesterday — the day Petya.2017 infected Ukraine.

The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack.

That would suggest that Russia was behind this as nobody else that I know of would gain a lot from destabilizing Ukraine. It also suggests that the computers in other countries that were affected by this were cover for this operation or they were simply collateral damage. Here’s the danger for any country, Russia or otherwise, who chooses to engage in activities like this. Sooner or later, someone will hit someone with some sort of cyber attack, and the recipient will hit back and hit back hard. That will lead to an all-out cyber war and that has the potential not to end well because the potential for a cyber war to spill out into something with bombs and guns is a very real possibility.

Many news sites including Motherboard are reporting that a massive ransomware attack is underway. Computers in Spain, France, Ukraine, Russia, and other countries have apparently been hit by this:

The attacks bear some resemblance to the recent WannaCry outbreak, in which thousands of computer systems were locked down with ransomware around the world.

Motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.

“We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours,” Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat.

Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.

“If you see this text, then your files are no longer accessible, because they are encrypted,” the text reads, according to one of the photos. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

I suspect that this will be a very long day for IT admins in various places around the world. And we shouldn’t be shocked that this is happening as it was only a matter of time before something like this happened. The question is, how bad can this get?

Watch this space for updates as they come.

UPDATE: The ransomware in question is called Petya. Many security experts are theorizing that it is spreading so fast because it is leveraging the same NSA supplied attack vector that the last epic cyberattack used. Thus a fully patched Windows system should be able to be resistant to this ransomware.

UPDATE #2: McAfee’s Gary Davis has written a blog with three tips for consumers to keep their systems secure from ransomware attacks such as Petya.

I’m going to go out on a limb and say that heads are about to roll over this…. If they already haven’t. I say that because according to many outlets including Bloomberg, numerous Ohio Government website have been pwned by hackers who defaced the websites with messages purported to be from the terrorist group known as the Islamic State or IS:

Ten state websites and two servers were affected, and they’ve been taken off line for an investigation with law enforcement into how the hackers were able to deface them, said Tom Hoyt, a spokesman for the Ohio Department of Administrative Services.

The Ohio governor’s website wasn’t loading on Sunday afternoon, and a cached version showed the message “hacked by Team System Dz.’’ It said, “You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries’’ and added, “I love the Islamic state.”

Lovely. But I’m really not focused on whomever did this. The real question is why in 2017 was anyone actually able to do this? Website defacement isn’t new. Neither is how to defend against this sort of thing. Take these suggestions, or these suggestions for example. I’m sure as I am typing this there is a root cause analysis going on to figure out how these hackers got in, and who they are. The public will likely never see it, but it’s a safe bet that if someone in the IT department in Ohio screwed something up or missed something, they may be mass e-mailing their CV to find a new job in short order.