The IT Nerd

Honda Motor company got pwned by hackers via some sort of ransomware. And the attack took down the car maker globally. That make it the most devastating cyberattacks that I have heard of. Here’s what the BBC reported:

“Honda can confirm that a cyber-attack has taken place on the Honda network,” the Japanese car-maker said in a statement.

It added that the problem was affecting its ability to access its computer servers, use email and otherwise make use of its internal systems.

“There is also an impact on production systems outside of Japan,” it added.

“Work is being undertaken to minimise the impact and to restore full functionality of production, sales and development activities.”

The firm – which makes motorcycles, cars, generators and lawn mowers, among other products – said one of its internal servers was attacked externally. 

It added that “the virus had spread” throughout its network, but did not provide further details.

And:

The company has confirmed that work at the UK plant has been halted alongside a suspension of other operations in North America, Turkey, Italy and Japan.

Dave Palmer, director of technology for Darktrace had this to say:

“This reported attack is a stark reminder of the risks that come from hyper connectivity.

EKANS is a relatively new form of ransomware – a tool which has the power to lock down industrial control systems and machinery in factories.

Critical environments do not fail gracefully. There isn’t the option of reverting to pen and paper and muddling along.

We need to build in cyber resiliency so these systems are able to resist and fight back against cyber-attacks. Last month, AI detected an attempted ransomware attack at a steel manufacturer and automatically stopped the attack from spreading to the sensitive (and much more valuable) industrial control systems avoiding any shut down of systems.

Now that industrial environments cannot simply be air-gapped to keep them safe, we need to invest in artificial intelligence systems that can work in the background to automatically and dynamically block attacks that not only bleed from IT but originate in industrial systems.”

Hopefully Honda will do some sort of post mortem on this and figure out how to improve their environment to avoid this situation in the future. I say that because shutting down production can’t be cheap. I’m going to guess that it’s tens if not hundreds of millions of dollars. Something a company like Honda can afford. I will also say that other companies should be watching so that they can learn from this and don’t become the next Honda.

Reuters is reporting that a previously unknown IT firm in India were apparently hackers for hire who spied on a variety of high value targets. Here’s the details:

A little-known Indian IT firm offered its hacking services to help clients spy on more than 10,000 email accounts over a period of seven years. New Delhi-based BellTroX InfoTech Services targeted government officials in Europe, gambling tycoons in the Bahamas, and well-known investors in the United States including private equity giant KKR and short seller Muddy Waters, according to three former employees, outside researchers, and a trail of online evidence. A cache of data reviewed by Reuters provides insight into the operation, detailing tens of thousands of malicious messages designed to trick victims into giving up their passwords that were sent by BellTroX between 2013 and 2020. The data was supplied on condition of anonymity by online service providers used by the hackers after Reuters alerted the firms to unusual patterns of activity on their platforms. On the list: judges in South Africa, politicians in Mexico, lawyers in France and environmental groups in the United States. These dozens of people, among the thousands targeted by BellTroX, did not respond to messages or declined comment. 

Researchers at internet watchdog group Citizen Lab, who spent more than two years mapping out the infrastructure used by the hackers, released a report here on Tuesday saying they had “high confidence” that BellTroX employees were behind the espionage campaign. “This is one of the largest spy-for-hire operations ever exposed,” said Citizen Lab researcher John Scott-Railton. Reuters was not able to establish how many of the hacking attempts were successful.

This firm at first blush seem to be a version of the rather infamous NSO Group. But to be clear, it doesn’t matter how successful or not that they happen to be. The fact is that groups like these are a legitimate threat that we’ll all need to deal with. Thus my advice for businesses and even individuals would be to make sure that your cyber securities are “on point” as the kids say so that you can avoid being a victim of a group like this.

The BBC is reporting that a bunch of anti-racism sites that have appeared since the death of George Floyd seem to be under attack from unknown parties. Here’s the details:

Cyber-attacks against anti-racism organizations shot up in the wake of the death of George Floyd, a leading provider of protection services says. Cloudflare, which blocks attacks designed to knock websites offline, says advocacy groups in general saw attacks increase 1,120-fold. Mr Floyd’s death, in police custody, has sparked nationwide civil unrest in the US. Government and military websites also saw a notable increase in attacks. Cloudflare says that after Mr Floyd’s death and the ensuing violent clashes between police and protesters, it saw a noticeable jump in the amount of requests it blocked — an extra 19 billion (17%) from the corresponding weekend the previous month. That equates to an extra 110,000 blocked requests every second, it said. 

The problem was particularly acute for certain types of organizations. One single website belonging to an unnamed advocacy group dealt with 20,000 requests a second. Anti-racism groups which belong to Cloudflare’s free program for at-risk organizations saw a large surge in the past week, from near-zero to more than 120 million blocked requests. Attacks on government and military websites were also up — by 1.8 and 3.8 times respectively.

The doesn’t surprise me as when people demand change, others want to stop that change from happening. My question is who are “they?” I think it’s really important to figure out who these bad actors are as exposing them and dealing with them via the legal system is one step to resolving the long standing issues that led to the creation of these websites.

Discount airline EasyJet has been pwned by hackers. While several outlets are reporting this, here’s the key highlights:

• The email and travel details of around 9 million customers were accessed.
• The credit card information for 2,208 customers were accessed.

Clearly this is far from a trivial hack. and this quote says it all:

“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted,” EasyJet said to the BBC.

Customers who have been affected have been contacted, and the U.K. Information Commissioner (ICO) and National Cyber Security Centre have also been contacted.

Andrew Tsonchev, director of technology for Darktrace had this to say:

18 months after British Airways suffered a major data breach, it is not surprising that airline companies continue to be a target for cyber attackers, particularly at a time when the industry is suffering from financial woes and reduced workforce due to furloughing.

Across our global customer base we’ve seen an increase in highly targeted and sophisticated attacks like these in recent months. Often their goal is to compromise customer data and demand a ransom payment at a time when the business is already highly stressed. Alternatively, the data collected can help inform secondary attacks, for example to tailor a spearphishing attack.

This is another wake-up call to businesses that they need to step up to the challenge and invest in innovations such as AI that are suited to monitoring and protecting very distributed digital systems. Security teams alone cannot keep up with the speed and stealth of today’s attackers.

It will be interesting to see what happens to EasyJet. And more importantly how this data will be misused.

It seems that Marriott is unable to keep itself out of the news for all the wrong reasons. CNET among others is reporting that they’ve been hacked again. This hack affects at least 5 million guests. This follows a hack of Marriott property MGM Resorts back in February which leaked the details of 10.8 million guests. And that was on top of this absolutely epic hack from 2018. Here’s what happened this time around:

At the end of February, Marriott international said that it spotted an “unexpected amount” of guest information may have been accessed with the login credentials of two employees at a franchise property. The exposed information may include names, addresses, emails, phone numbers and birthdays.  Loyalty account details and information like room preferences may also have been breached. This is the second major incident to impact the hotel over a two year period. 

Clearly Marriott can’t get its act together when it comes to cybersecurity. It’s time that this hotel chain get slapped silly so that they get the point that they have to take cybersecurity seriously. Because they clearly don’t based on how often they get hacked.

Four Danish researchers have demonstrated how a hacker could exploit a  vulnerability in the firmware of some cable modems and completely hijack the modem to do whatever they want. The vulnerability which is called “Cable Haunt” is said to be present in way over 200 million cable modems worldwide and is described in this manner by the people who found it:

Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to execute abitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participation in botnets.

The vulnerable endpoint is exposed to the local network, but can be reached remotely due to improper websocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem.

The one thing that these cable modems have in common is that all the affected modems use Broadcom designed firmware. And updates to said firmware will be needed to close this vulnerability. The researchers note that there are presently no known attacks in the wild. But with the release of this report and the demonstration of how to exploit it, that is likely to change. Thus you have to hope that you haven’t been affected. To test if you could be vulnerable, there is a test script that you could run, but it’s not something that I would direct the general public to. Thus I am hoping that a more “user friendly” way to test for this vulnerability appears. That way it increases the pressure on ISP’s and modem manufacturers to get about fixing this.

Earlier today I wrote about a company who’s less than optimal actions in response to a cyber attack left three hundred out of work. Today I am going to bring you a story from Brian Krebs on another cyber attack and how it was badly handled:

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

Now I will stop here. Clearly this CEO thought that they were going to recover their IT systems and get up and running in glorious fashion. Thus showing the world how brilliant they were and attract all sorts of positive press and make her look brilliant. Except that didn’t happen. It quickly became evident that the company had been further compromised. Here’s an example:

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VPCI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

You can read the rest of the story for all the details. But what was clear was that the company had actually been pwned by hackers some 14 months earlier. And that the company had clearly been the victim of password theft. Which is how the hackers were able intercept these emails as they were still on the network.

#Fail.

The take home messages are as follows:

1. When it comes to cybersecurity, you should start from a premise that the hackers are already in. As was the case here. And it is often the case in may cyberattacks. From there you can figure out how they got in, what they’ve touched, and how to get them out and keep them out. And you should do that long before something really bad happens.
2. You should assume all passwords — not just endpoint/domain credentials — are compromised. This may mean changing/adding two factor authentication for hundreds or thousands of endpoints and servers. But doing that is better than getting pwned again.
3. If you get pwned, get professional help. Fireeye / Mandiant is who I would recommend. They aren’t cheap, but they have a proven track record of responding to stuff like this.

The bottom line is that cybersecurity isn’t to be taken lightly. You need to do everything possible to defend yourself. Otherwise, bad things will happen to you.

If you don’t think that defending yourself against threats like ransomware shouldn’t be at the top of your list of priorities, consider this story:

An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn’t go according to plan following a ransomware incident that took place at the start of October 2019:

Employees of Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company’s CEO. Speaking with local media, employees said they had no idea the company had even suffered a ransomware attack, and the layoffs were unexpected, catching many off guard. “Unfortunately, approximately two months ago our Heritage servers were attacked by malicious software that basically ‘held us hostage for ransom’ and we were forced to pay the crooks to get the ‘key’ just to get our systems back up and running,” wrote Sandra Franecke, the company’s CEO, in the letter sent to employees. She goes on to say that data recovery efforts, initially estimated at one week, have not gone according to plan and the company had failed to recover full service by Christmas. Franecke said the company lost “hundreds of thousands of dollars” because of the incident and have been forced to “restructure different areas in the company.” As a result of the botched ransomware recovery process, the company’s leadership decided to suspend all services, leaving more than 300 employees without jobs.

So let me summarize this for you.

Due to the shortsightedness of this company’s CEO, CTO and executive management, their IT systems were not properly built and secured. They figured that this was an acceptable risk and spend money elsewhere rather than on protecting themselves from something like a ransomware attack. Then they got pwned and had to pay up to try and get back up and running. Except that their attempts to get back up and running failed and now 300 people are out of work.

This is a textbook example of why companies of all sizes need to protect themselves. Companies are responsible for their employees and they need to ensure that they are taking any and all steps to ensure that they are properly protected from this sort of thing. Otherwise you get this bad situation.