The IT Nerd

In light of the recent wave of high-profile ransomware attacks that have caused havoc in the US and Europe, the member states of the G7 group have called on Russia and other countries to crack down on ransomware gangs operating within their borders:

“We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions,” the G7 group said in a communique published on Sunday, at the end of a three-day conference held in Cornwall, UK. “In particular, we call on Russia […] to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes,” the G7 group added.

The joint statement was signed by the governments of Canada, France, Germany, Italy, Japan, the UK, and the US — more commonly known as the Group of Seven (G7). It comes after a series of ransomware attacks that caused disruptions at hospitals during the COVID-19 pandemic, fuel outages on the US East Coast following the Colonial Pipeline attack, and beef supply issues across Australia and the US following the JBS Foods ransomware incident.

This isn’t going to happen. Russia, China, and others who shield these gangs aren’t going to do anything about these gangs simply by being asked nicely by the G7. This is state sanctioned activity. Which means you need to punish the states in question via sanctions and other means. Then and only then they might change how they treat ransomware gangs. So maybe the G7 should rethink this and come up with a plan that makes these states feel some real consequences.

NBC reports that the Teamsters labor union was hit by a ransomware attack demanding $2.5 million back in 2019. But unlike a lot of companies out there, they decided to tell the scumbags behind the attack to take a hike and not pay them. This despite the FBI at the time telling them to pay up:

Personal information for the millions of active and retired members was never compromised, according to a Teamsters spokesperson, who also said that only one of the union’s two email systems was frozen along with other data. Teamsters officials alerted the FBI and asked for help in identifying the source of the attack. They were told that many similar hacks were happening and that the FBI would not be able to assist in pursuing the culprit. 

The FBI advised the Teamsters to “just pay it,” the first source said. “They said ‘this is happening all over D.C. … and we’re not doing anything about it,'” a second source said.

Union officials in Washington were divided over whether to pay the ransom — going so far as to bargain the number down to $1.1 million, according to the sources — but eventually sided with their insurance company, which urged them not to pony up… The Teamsters decided to rebuild their systems, and 99 percent of their data has been restored from archival material — some of it from hard copies — according to the union’s spokesperson.

The FBI’s communications office did not reply to repeated requests for comment. The FBI’s stance is to discourage ransomware payments.

Clearly the Teamsters are made of tougher stuff than most. They were willing to rebuild everything rather than pay up. And I applaud them for that. This should be a case study for every other company out there of what to do when you get attacked by ransomware. If more companies do what the Teamsters did, the scumbags behind ransomware attacks would be out of business tomorrow.

The group of hackers that stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token. Proving that social engineering is very much a thing:

The group stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data, and are advertising it for sale on various underground forums. EA previously confirmed the data impacted in the breach to Motherboard. 

A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10, and using those to gain access to a Slack channel used by EA. In this case, the hackers were able to get into EA’s Slack using the stolen cookie. “Once inside the chat we messaged a IT Support members we explain to them we lost our phone at a party last night,” the representative said.

This is a prime reason why you need to include training for ALL your employees if you’re a company. Because while companies are weak at IT security, humans are still a factor in these hacks. My recommendation is that companies look at both infrastructure and training to address their cybersecurity needs.

Volkswagen says more than 3.3 million customers had their information exposed after one of its vendors left a cache of customer data unsecured on the internet:

The car maker said in a letter that the vendor, used by Volkswagen, its subsidiary Audi, and authorized dealers in the U.S. and Canada, left the customer data spanning 2014 to 2019 unprotected over a two-year window between August 2019 and May 2021. The data, which Volkswagen said was gathered for sales and marketing, contained personal information about customers and prospective buyers, including their name, postal and email addresses, and phone number. But more than 90,000 customers across the U.S. and Canada also had more sensitive data exposed, including information relating to loan eligibility. The letter said most of the sensitive data was driver’s license numbers, but that a “small” number of records also included a customer’s date of birth and Social Security numbers.

Well, if you own a VW or Audi product, you might have a problem. And if you’re like me who is on a VW mailing list, you might also have a problem. I wonder why the company thought they deserved to have that information to begin with. This idea that every business you interact with needs to know all about you is absurd. Sell me your product, don’t try to make me your product.

In any case, I hope VW gets slapped pretty hard for this screw up as this is not acceptable.

McDonald’s said hackers stole some data from its systems in markets including the U.S., South Korea and Taiwan, in another example of cybercriminals infiltrating high-profile global companies:

The burger chain said Friday that it recently hired external consultants to investigate unauthorized activity on an internal security system, prompted by a specific incident in which the unauthorized access was cut off a week after it was identified, McDonald’s said. The investigators discovered that company data had been breached in markets including the U.S., South Korea and Taiwan, the company said. In a message to U.S. employees, McDonald’s said the breach disclosed some business contact information for U.S. employees and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas. 

The company said no customer data was breached in the U.S., and that the employee data exposed wasn’t sensitive or personal. The company advised employees and franchisees to watch for phishing emails and to use discretion when asked for information. McDonald’s said attackers stole customer emails, phone numbers and addresses for delivery customers in South Korea and Taiwan. In Taiwan, hackers also stole employee information including names and contact information, McDonald’s said. The company said the number of files exposed was small without disclosing the number of people affected. The breach didn’t include customer payment information, McDonald’s said.

I suspect the Hamburger.

In all seriousness, the only thing that is good about this hack is that customer info hasn’t been exposed. The bad news is that clearly a company the size of McDonald’s did not have their act together when it comes to cybersecurity. It really underscores that companies big and small need to up their cybersecurity game.

U.S. Senate Majority Leader Chuck Schumer on Thursday said he is initiating a review of recent high-profile cyber attacks on governments and businesses to find out whether a legislative response is needed:

“Today I am asking Chairman Gary Peters of our Homeland Security Committee and our other relevant committee chairs to begin a government-wide review of these attacks and determine what legislation may be needed to counter the threat of cyber crime and bring the fight to the cyber criminals.” Schumer noted that the New York City subway system was the victim of a computer hack in early June. This came on the heels of Colonial Pipeline having to shut down some operations, resulting in disrupted fuel supplies in the U.S. Southeast, as a result of a cyber attack.

In case you were wondering about the cyberattack on the New York subway system, The New York Times has a story about it that you can read.

In any case. I for one would be in favor of laws to address cyberattacks. The thing is that it has to cover a number of areas:

• It has to force companies to employ defenses against cyberattacks. And face punishments if they fail to do so. Along with worse punishments if they get pwned and those defenses were not in place.
• It has to require companies who get pwned to report that they got pwned.
• It has to make paying the ransom illegal to make it less profitable for the scumbags behind these crimes.
• It has to go after the scumbags behind these crimes and target the cash. Because if its not profitable to do these crimes, they won’t do it.
• It has to go after the nation states who shield these scumbags. That way the scumbags in question have no place to hide.

The fact is that this cannot be some token measure. It has to have teeth. Otherwise we’re going to be talking about this day after day.

Hackers have broken into gaming giant Electronic Arts, the publisher of Battlefield, FIFA, and The Sims, and stole a wealth of game source code and related internal tools, Motherboard reported Thursday:

“You have full capability of exploiting on all EA services,” the hackers claimed in various posts on underground hacking forums viewed by Motherboard. A source with access to the forums, some of which are locked from public view, provided Motherboard with screenshots of the messages. In those forum posts the hackers said they have taken the source code for FIFA 21, as well as code for its matchmaking server. The hackers also said they have obtained source code and tools for the Frostbite engine, which powers a number of EA games including Battlefield. Other stolen information includes proprietary EA frameworks and software development kits (SDKs), bundles of code that can make game development more streamlined. In all, the hackers say they have 780gb of data, and are advertising it for sale in various underground hacking forum posts viewed by Motherboard.

Lovely. This is a bad look for Electronic Arts. And Electronic Arts have confirmed to Motherboard that it had suffered a data breach and that the information listed by the hackers was the data that was stolen. So you can expect that there is a ton of damage control going on inside the company right now as the damage is going to be extensive and multi-faceted.

You might recall that I brought you the story of JBS Foods who got pwned in a cyberattack that shut the company down globally. Well it seems that they decided to pay up to get themselves back online:

The world’s largest meat processing company has paid the equivalent of $11m (£7.8m) in ransom to put an end to a major cyber-attack.

Computer networks at JBS were hacked last week, temporarily shutting down some operations in Australia, Canada and the US.

The payment was reportedly made using Bitcoin after plants had come back online.

JBS says it was necessary to pay to protect customers.

Paying these guys is a mistake. Why? The fact that we are still talking about cyberattack after cyberattack every single day shows that paying the attackers isn’t the solution to the problem as all that paying them does is encourage more attacks.

The solution is stronger cyber-defenses that all companies big and small must introduce. More aggressive law enforcement action, especially against those who backed by nation states like China and Russia. And more moves like the one the FBI did the other day to go after the proceeds of these crimes. Actions like those will turn the tide on this issue. Paying them is not the answer.

When hackers pwned Colonial Pipeline last month and shut off the distribution of gas along much of the East Coast of the United States, the world woke up to the danger of digital disruption of the petrochemical pipeline industry. Now it appears another pipeline-focused business was also hit by a ransomware crew around the same time, but kept its breach quiet — even as 70 gigabytes of its internal files were stolen and dumped onto the dark web:

A group identifying itself as Xing Team last month posted to its dark web site a collection of files stolen from LineStar Integrity Services, a Houston-based company that sells auditing, compliance, maintenance, and technology services to pipeline customers. The data, first spotted online by the WikiLeaks-style transparency group Distributed Denial of Secrets, or DDoSecrets, includes 73,500 emails, accounting files, contracts, and other business documents, around 19 GB of software code and data, and 10 GB of human resources files that includes scans of employee driver’s licenses and Social Security cards. And while the breach doesn’t appear to have caused any disruption to infrastructure like the Colonial Pipeline incident, security researchers warn the spilled data could provide hackers a roadmap to more pipeline targeting. LineStar did not respond to requests for comment.

This isn’t good as clearly this is going to affect employees first as this info will be a springboard for things like identity theft for example.

But the larger issue is this. Critical infrastructure like this needs to be disconnected from the public Internet until a real solution to security is provided. Or just be disconnected forever. This kind of pwnage will happen EVERY SINGLE DAY as it has been for the last few years. Companies need either to stop doing what is easy and start doing what is secure, or be forced to do it. The other thing that needs to happen is that countries who are the victims of these attacks should sanctioning countries heavily where these threat actors originate from. That would start to force some of these countries to ensure that their citizens behave better. But I guess I expect too much.

This is a first. The FBI announced yesterday that they have seized cryptocurrency that is valued at $2.3 million that apparently came from the ransom paid to the hackers behind the Colonial pipeline cyberattack:

US investigators have recovered millions in cryptocurrency they say was paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, the Justice Department announced Monday. 

The announcement confirms CNN’s earlier reporting about the FBI-led operation, which was carried out with cooperation from Colonial Pipeline, the company that fell victim to the ransomware attack in question. 

Specifically, the Justice Department said it seized approximately $2.3 million in Bitcoins paid to individuals in a criminal hacking group known as DarkSide. The FBI said it has been investigating DarkSide, which is said to share its malware tools with other criminal hackers, for over a year. 

The ransom recovery, which is the first seizure undertaken by the recently created DOJ digital extortion taskforce, is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware.

And:

“Following the money remains one of the most basic, yet powerful, tools we have,” Deputy Attorney General Lisa Monaco said Monday during the DOJ announcement, which followed CNN’s reporting about the recovery operation. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”

The seizure warrant was authorized through the US Attorney’s Office for the Northern District of California.”The extortionists will never see this money,” acting US Attorney Stephanie Hinds for the Northern District of California said at the news conference at the Justice Department Monday. “New financial technologies that attempt to anonymize payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hardworking Americans.”

I have to applaud the FBI here as I have never heard of law enforcement being able to pull off something like this. Perhaps that should serve as a warning to the scumbags behind these cyberattacks that they may not get paid. That still should not stop companies to doing their level best to stop these attacks by having their IT security on point.