The IT Nerd

Four Danish researchers have demonstrated how a hacker could exploit a  vulnerability in the firmware of some cable modems and completely hijack the modem to do whatever they want. The vulnerability which is called “Cable Haunt” is said to be present in way over 200 million cable modems worldwide and is described in this manner by the people who found it:

Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to execute abitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participation in botnets.

The vulnerable endpoint is exposed to the local network, but can be reached remotely due to improper websocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem.

The one thing that these cable modems have in common is that all the affected modems use Broadcom designed firmware. And updates to said firmware will be needed to close this vulnerability. The researchers note that there are presently no known attacks in the wild. But with the release of this report and the demonstration of how to exploit it, that is likely to change. Thus you have to hope that you haven’t been affected. To test if you could be vulnerable, there is a test script that you could run, but it’s not something that I would direct the general public to. Thus I am hoping that a more “user friendly” way to test for this vulnerability appears. That way it increases the pressure on ISP’s and modem manufacturers to get about fixing this.

Earlier today I wrote about a company who’s less than optimal actions in response to a cyber attack left three hundred out of work. Today I am going to bring you a story from Brian Krebs on another cyber attack and how it was badly handled:

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

Now I will stop here. Clearly this CEO thought that they were going to recover their IT systems and get up and running in glorious fashion. Thus showing the world how brilliant they were and attract all sorts of positive press and make her look brilliant. Except that didn’t happen. It quickly became evident that the company had been further compromised. Here’s an example:

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VPCI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

You can read the rest of the story for all the details. But what was clear was that the company had actually been pwned by hackers some 14 months earlier. And that the company had clearly been the victim of password theft. Which is how the hackers were able intercept these emails as they were still on the network.

#Fail.

The take home messages are as follows:

1. When it comes to cybersecurity, you should start from a premise that the hackers are already in. As was the case here. And it is often the case in may cyberattacks. From there you can figure out how they got in, what they’ve touched, and how to get them out and keep them out. And you should do that long before something really bad happens.
2. You should assume all passwords — not just endpoint/domain credentials — are compromised. This may mean changing/adding two factor authentication for hundreds or thousands of endpoints and servers. But doing that is better than getting pwned again.
3. If you get pwned, get professional help. Fireeye / Mandiant is who I would recommend. They aren’t cheap, but they have a proven track record of responding to stuff like this.

The bottom line is that cybersecurity isn’t to be taken lightly. You need to do everything possible to defend yourself. Otherwise, bad things will happen to you.

If you don’t think that defending yourself against threats like ransomware shouldn’t be at the top of your list of priorities, consider this story:

An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn’t go according to plan following a ransomware incident that took place at the start of October 2019:

Employees of Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company’s CEO. Speaking with local media, employees said they had no idea the company had even suffered a ransomware attack, and the layoffs were unexpected, catching many off guard. “Unfortunately, approximately two months ago our Heritage servers were attacked by malicious software that basically ‘held us hostage for ransom’ and we were forced to pay the crooks to get the ‘key’ just to get our systems back up and running,” wrote Sandra Franecke, the company’s CEO, in the letter sent to employees. She goes on to say that data recovery efforts, initially estimated at one week, have not gone according to plan and the company had failed to recover full service by Christmas. Franecke said the company lost “hundreds of thousands of dollars” because of the incident and have been forced to “restructure different areas in the company.” As a result of the botched ransomware recovery process, the company’s leadership decided to suspend all services, leaving more than 300 employees without jobs.

So let me summarize this for you.

Due to the shortsightedness of this company’s CEO, CTO and executive management, their IT systems were not properly built and secured. They figured that this was an acceptable risk and spend money elsewhere rather than on protecting themselves from something like a ransomware attack. Then they got pwned and had to pay up to try and get back up and running. Except that their attempts to get back up and running failed and now 300 people are out of work.

This is a textbook example of why companies of all sizes need to protect themselves. Companies are responsible for their employees and they need to ensure that they are taking any and all steps to ensure that they are properly protected from this sort of thing. Otherwise you get this bad situation.

Are you an IT worker? Does your company annoy you to the point where you think it’s a good idea to get some revenge against them? I would say think twice about that. And consider the case of a former Jet2 IT contractor with a grudge. He has been jailed for a cyber-attack on the company which he did to get revenge against the company:

Scott Burns, 27, of Queen Street in Morley, Leeds, was jailed for 10 months for his actions, which cost the company $214,000. The attack shut down Jet2’s computer network for 12 hours in January 2018. Burns wanted revenge for the firm’s treatment of him following an incident at a 2017 “Benidorm roadshow,” Leeds Crown Court heard. Details about happened at the event in Benidorm were not outlined in court. The court heard only fast-thinking by one employee at the Leeds-based airline stopped Burns’ actions being a “complete disaster” for Jet2. Burns pleaded guilty to eight counts under the Computer Misuse Act at a previous hearing. Judge Andrew Stubbs QC told Burns: “You intended to cause as much damage to Jet2’s computer system as you could. “This went far beyond being mischievous. This was a revenge attack for a perceived slight you had suffered.”

From my perspective, 10 months seems light to me. This attack harmed a company and thousands of employees. It cost them money, and likely led to angry customers, potential compensation for those customers, stressed staff and staff being abused by the public. Perhaps it should have been higher so that those with revenge fantasies think twice about doing something like this.