Archive for Hacked

NurseryCam Pwned After Security Shortcomings Reported To The Register

Posted in Commentary with tags on February 22, 2021 by itnerd

This is a bit complicated, so hang with me for a bit.

Daycare camera product NurseryCam was apparently hacked late last week. The BBC reported the news on the weekend and the company has shut the service down to lock it down. But here’s where things get interesting. The company was contacted by a security researcher who discovered flaws in the service. And according to The Register:

El Reg reported on the company’s security shortcomings last week after its inappropriate attempts to strongarm an infosec researcher into deleting a Twitter thread detailing vulnerabilities in its FootfallCam product.

When companies do that sort of thing, it never ends well. This incident was no exception:

A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts – and had then dumped them online.

Although this person claimed to have “redacted” those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam’s parent users. El Reg, together with IoT security expert Andrew Tierney, verified that the credentials were genuine before notifying NurseryCam of the breach. The company began emailing parents the following day after taking its cameras offline.

This is likely now under investigation by the Information Commissioner’s Office, and this might not end well for the company behind this service. Especially since warnings about the lax security of this service have been floating around for years. It sucks to be the company behind this product.

User Credentials From The Canada Revenue Agency Are Floating Around The Dark Web…. Yikes!!

Posted in Commentary with tags on February 18, 2021 by itnerd

Clearly the Canada Revenue Agency has a serious IT security problem, as two days ago an unknown number of accounts were locked as a precaution, though the CRA wouldn’t provide details. Now we have those details. Apparently around 100,000 accounts were locked because leaked login info was found on the dark web. Which of course is not good:

If you received an unexpected and cryptic email on Feb. 16 from CRA warning you that your email had been deleted from the agency’s web platform, MyCRA, do not worry: your account has not been breached.

In fact, the agency says it means that their new early cyber security issue detection system is working (though the communication strategy will be reviewed and it “regrets the inconvenience.”)

But that also means your login data has probably been compromised through a third-party breach and you will need to contact CRA in order to regain access to your online account, particularly if you plan on filing your 2020 taxes online starting next week.

“To be clear, these accounts were not impacted by a cyber attack at the CRA. These accounts have not been compromised and the action taken to lock the accounts was a preventative measure,” agency spokesperson Christopher Doody said in an emailed statement.

Steps on how to regain access to their online account will be sent to affected taxpayers by mail, he added.

I’m sorry, but this is a #fail on so many levels. First, simply sending an email out saying that your Canada Revenue Agency account has been locked is going to freak people out. That’s because the history of the Canada Revenue Agency when it comes to IT security quite frankly sucks, as they have been repeatedly pwned by hackers. Thus if you get one of these emails, you are going to assume that hackers have pwned them again. It also doesn’t inspire confidence. I get that the Canada Revenue Agency was trying to act in the best interest of Canadians, but the way that they did it really isn’t fit for purpose. Hopefully they not only provide details about how these 100,000 or so accounts were compromised, but also rethink their communication strategy.

Power Plant Hack Could Have Killed Many Because Of Lax IT Security

Posted in Commentary with tags on February 12, 2021 by itnerd

Earlier this week, a hack came to light that looks quite scary now that more details are emerging. Here are the facts:

  • A water treatment facility in Oldsmar, Florida, home to 15,000 people, was hacked by an unknown party.
  • The unknown party got in via the facility’s use of an unsupported version of Windows with no firewall, and a TeamViewer password that was shared among its employees. This computer controlled equipment inside the plant.
  • The unknown party increased the amount of sodium hydroxide, A.K.A. lye, by a factor of 100, which could have killed anyone who drank the water.

Clearly this isn’t a trivial event. And it clearly was preventable. I reached out to two people to get their views on this incident. The first is Mieng Lim, VP of product management at Digital Defense, Inc. (www.digitaldefense.com), a provider of vulnerability management and threat assessment solutions:

The incident at the Oldsmar, Florida water treatment plant is a reminder that our nation’s critical infrastructure is continually at risk; not only from nation-state attackers, but also from malicious actors with unknown motives and goals. Our dependency on critical infrastructure – power grids, utilities, water supplies, communications, financial services, emergency services, etc. – on a daily basis emphasizes the need to ensure the systems are defended against any adversary. Proactive security measures are crucial to safeguard critical infrastructure systems when perimeter defenses have been compromised or circumvented. We have to get back to the basics – re-evaluate and rebuild security protections from the ground up.

The second person that I talked to was Chris Hickman, chief security officer at digital identity security vendor Keyfactor (www.keyfactor.com):

This event reinforces the increasing need to authenticate not only users, but the devices and machine identities that are authorized to connect to an organization’s network. If your only line of protection is user authentication, it will be compromised. It’s not necessarily about who connects to the system, but what that user can access once they’re inside. If the network could have authenticated the validity of the device connecting to the network, the connection would’ve failed because hackers rarely have possession of authorized devices. This and other cases of hijacked user credentials can be limited or mitigated if devices are issued strong, crypto-derived, unique credentials like a digital certificate. In this case, it looks like the network had trust in the user credential but not in the validity of the device itself. Unfortunately, this kind of scenario is what can happen when zero trust is your end state, not your beginning point.

Clearly this incident highlights the fact that those who are responsible for critical infrastructure need to up their game when it comes to security. Otherwise the next time this happens, and there will be a next time, people could die.

Canadian Busted By Cops In Ransomware Attack Scheme

Posted in Commentary with tags on January 29, 2021 by itnerd

An investigation done by the U.S. Department of Justice on NetWalker ransomware attacks has led to charges against a Canadian man in Quebec. The accused is alleged to be part of a shadowy group of cyber criminals who have attacked several targets in Canada, including the College of Nurses of Ontario, a Canadian Tire store in B.C., and the Northwest Territories Power Corporation.

Details about the Canadian national indicted today are not yet available beyond his name and residence — Sebastien Vachon-Desjardins, of Gatineau.

Vachon-Desjardins is currently believed to be an “affiliate,” a person who rented the ransomware code from the NetWalker creator.

This type of business is called Ransomware-as-a-Service, or RaaS, and is a common setup employed by many ransomware gangs today.

This is yet another example of how ransomware attacks are affecting Canadians writ large and also sparks a broader concern on how threat-actors behind such attacks can be just around the corner.

David Masson, Director of Enterprise Security for Darktrace had this to say:

In the increasingly interconnected world we now live in, we can be anywhere and everywhere – which means the cyber threats we face can now reach us in new places. The recent NetWalker ransomware arrests follow worldwide attacks, including attacks launched against victims right here in Canada like the College of Nurses of Ontario and the Northwest Territories Power Corporation, and reveal a worldwide threat network stretching from Florida (where a Canadian alleged perpetrator has been arrested) to Bulgaria and beyond.

Complex and sophisticated malware like NetWalker are supported by highly complex and sophisticated criminal groups. The ability to see and make sense of what is happening, and how to deal with the threat, increasingly relies on AI as the essential solution in cybersecurity. 

Intel Pwned By Hackers…. Forced To Release Financials Early As A Result

Posted in Commentary with tags on January 22, 2021 by itnerd

Intel said it was the victim of a hacker who stole financially sensitive information from its corporate website on Thursday, prompting the company to release its earnings statement ahead of schedule:

The US computer chipmaker believed an attacker had obtained advanced details about a strong earnings report it was due to publish after the stock market closed, said George Davis, chief financial officer. It published its formal earnings announcement upon discovering the problem, six minutes before the market closed. Intel’s shares rose more than 6 per cent on Thursday, including almost 2 per cent in the final 15 minutes of trading. “An infographic was hacked off of our PR newsroom site,” Mr Davis said. “We put [our earnings] out as soon as we were aware.” He did not provide more details, but said that the leak was the result of an illicit action that had not involved any unintentional disclosure by the company itself. An Intel spokesperson added: “We were notified that our infographic was circulating outside the company. I do not believe it was published. We are continuing to investigate this matter.”

At least Intel was looking for trouble and was able to take quick action upon finding it. But the fact that they got hacked is still problematic. Clearly there will be a deep dive to figure out how to make sure that this never happens again.

Colliers International Group Pwned By Hackers

Posted in Commentary with tags on January 22, 2021 by itnerd

It’s January 2021 and the pwnage by hackers continues.

Toronto-based commercial real estate services and investment management firm Colliers International Group has acknowledged it was the victim of a cyberattack but isn’t disclosing whether the incident was ransomware, following a listing on the dark web by the Nefilim ransomware gang.

“In November 2020, Colliers’ information technology team discovered a cyberattack to the company’s IT infrastructure in North America,” company communications director Pamela Smith said in an email. “Thanks to the immediate and decisive actions taken by Colliers’ IT team, the impacts on business continuity were limited. Colliers conducted a comprehensive investigation with the support of leading cybersecurity experts in an effort to determine what data may have been impacted during the recent event. Colliers continues to monitor the situation closely and will continue to notify affected individuals or organizations. The Colliers IT network is secure, safe and fully operational at this time.”

The spokesperson was mum when asked to confirm if the attack was ransomware, that files had been copied, whether the information affected was corporate or personal, and, if personal, did it involve current and former employees.

Well, that does not inspire confidence in the slightest. When someone refuses to answer questions about a hack, it’s usually never good.

David Masson, Director of Enterprise Security for Darktrace had this to say:

While exact details on the attackers’ modus operandi are yet to emerge, this latest attack comes as no surprise.

We have entered a new era of cyber-threat where attackers act in more targeted ways than ever before. As sophisticated threat actors work to disrupt not just financial stability, but company reputation, the potential damages of a cyber breach have never been more devastating.

All industries have sensitive data to protect, and rather than simply stealing it, attackers are now looking to weaponize that data in ways that benefit them. Ransomware gangs have upped their tactics from simply locking up private info in exchange for payment to now releasing it, causing embarrassment and reputational damage, and using it as blackmail.

Beyond stealing or exposing data, businesses need to be on high alert for what we call ‘trust attacks’ – we are seeing an increase in attacks where hackers go after data not only to extort ransom payments, but to actually change the data and undermine its integrity – or use disinformation to smear a brand. For the real estate industry, there is a very real danger that data stores can be deliberately tampered with, undermining transactions and redirecting funds into the attackers’ own accounts. Next generation attacks like these are increasingly outpacing security teams and require sophisticated defenses and AI to respond instantaneously when they strike.

BREAKING: Microsoft Pwned By Russian Hackers…. Source Code Allegedly Viewed

Posted in Commentary with tags on December 31, 2020 by itnerd

This isn’t a good way to end the year. The news is breaking that Microsoft has admitted that they were hacked as part of the huge SolarWinds hack. And the results are not good:

While the hackers, suspected to be working for Russia’s S.V.R. intelligence agency, did not appear to use Microsoft’s systems to attack other victims, they were able to view some Microsoft source code by hacking into an employee account, the company said.

Microsoft had previously said it was not breached in the attack, which compromised dozens of federal agencies, as well as corporations. Microsoft said its subsequent investigation revealed that the hackers were not able to access emails or its products and services, and that they were not able to modify the source code they viewed.

This is far from good. If the hackers saw source code, they could exploit it to attack anyone with a Microsoft OS or product installed. That’s pretty scary. I suspect that we’re going to find out more details about this in the coming days. And those details will send chills down the spines of security experts everywhere.

Finnish Parliament Pwned…. Likely By State Sponsored Hackers

Posted in Commentary with tags on December 29, 2020 by itnerd

The Finnish Parliament said on Monday that hackers gained entry to its internal IT system and accessed email accounts for some members of Parliament (MPs):

Government officials said the attack took place in the fall of 2020 and was discovered this month by the Parliament’s IT staff. The matter is currently being investigated by the Finnish Central Criminal Police (KRP). In an official statement, KRP Commissioner Tero Muurman said the attack did not cause any damage to the Parliament’s internal IT system but was not an accidental intrusion either. Muurman said the Parliament security breach is currently being investigated as a “suspected espionage” incident. “At this stage, one alternative is that unknown factors have been able to obtain information through the hacking, either for the benefit of a foreign state or to harm Finland,” Muurman said. “The theft has affected more than one person, but unfortunately, we cannot tell the exact number without jeopardizing the ongoing preliminary investigation.”

Hacks like these are getting to the point where they are becoming so common that it’s now just noise. And that’s a problem, because every one of these hacks needs to be taken seriously. Which means they need to be looked at with urgency and corrective action needs to be taken quickly. Especially given who got hacked in this case. But it is safe to say that it’s likely a nation state behind this hack, and there would be a small list of suspects that could be responsible for it.

Hackers Target Vietnam In Complex Supply Chain Attack

Posted in Commentary with tags on December 28, 2020 by itnerd

Vietnam appears to have been the target of a complex supply chain attack by unknown hackers utilizing malware. The targets were Vietnamese private companies and government agencies, which were hit by inserting malware inside an official government software toolkit. This is according to a report from ESET:

ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.

I find it difficult to believe that the Vietnam Government Certification Authority, or VGCA, was aware of this, seeing as on the day that ESET released their report the VGCA admitted to the security breach and published a tutorial on how users could remove the malware from their systems. So read into that what you will. I read it as “oh crap, we got caught out and we now have to make it look like we were on top of things.”

The NSO Group Is Back With More State Sponsored Attacks On iOS Users

Posted in Commentary with tags on December 21, 2020 by itnerd

Researchers at Toronto’s Citizen Lab say they have found evidence that dozens of journalists had their iPhones silently compromised with spyware known to be used by nation states:

For more than the past year, London-based reporter Rania Dridi and at least 36 journalists, producers and executives working for the Al Jazeera news agency were targeted with a so-called “zero-click” attack that exploited a now-fixed vulnerability in Apple’s iMessage. The attack invisibly compromised the devices without having to trick the victims into opening a malicious link. Citizen Lab, the internet watchdog at the University of Toronto, was asked to investigate earlier this year after one of the victims, Al Jazeera investigative journalist Tamer Almisshal, suspected that his phone may have been hacked. In a technical report out Sunday and shared with TechCrunch, the researchers say they believe the journalists’ iPhones were infected with the Pegasus spyware, developed by Israel-based NSO Group. The researchers analyzed Almisshal’s iPhone and found it had between July and August connected to servers known to be used by NSO for delivering the Pegasus spyware. The device revealed a burst of network activity that suggests that the spyware may have been delivered silently over iMessage. Logs from the phone show that the spyware was likely able to secretly record the microphone and phone calls, take photos using the phone’s camera, access the victim’s passwords, and track the phone’s location.

This sounds like the exploit is similar to a jailbreak in iOS 13 that I wrote about recently. And we’ve seen this before. Specifically, an exploit in iOS 9 which was also discovered by Citizen Lab and which Apple had to rush out a patch to fix. And allegedly the NSO Group was behind that one as well. It will be interesting to see if Apple can do anything to stop this. In the meantime, this is a major incentive for you to be on iOS 14.