The IT Nerd

It seems that Marriott is unable to keep itself out of the news for all the wrong reasons. CNET among others is reporting that they’ve been hacked again. This hack affects at least 5 million guests. This follows a hack of Marriott property MGM Resorts back in February which leaked the details of 10.8 million guests. And that was on top of this absolutely epic hack from 2018. Here’s what happened this time around:

At the end of February, Marriott international said that it spotted an “unexpected amount” of guest information may have been accessed with the login credentials of two employees at a franchise property. The exposed information may include names, addresses, emails, phone numbers and birthdays.  Loyalty account details and information like room preferences may also have been breached. This is the second major incident to impact the hotel over a two year period. 

Clearly Marriott can’t get its act together when it comes to cybersecurity. It’s time that this hotel chain get slapped silly so that they get the point that they have to take cybersecurity seriously. Because they clearly don’t based on how often they get hacked.

Four Danish researchers have demonstrated how a hacker could exploit a  vulnerability in the firmware of some cable modems and completely hijack the modem to do whatever they want. The vulnerability which is called “Cable Haunt” is said to be present in way over 200 million cable modems worldwide and is described in this manner by the people who found it:

Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to execute abitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participation in botnets.

The vulnerable endpoint is exposed to the local network, but can be reached remotely due to improper websocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem.

The one thing that these cable modems have in common is that all the affected modems use Broadcom designed firmware. And updates to said firmware will be needed to close this vulnerability. The researchers note that there are presently no known attacks in the wild. But with the release of this report and the demonstration of how to exploit it, that is likely to change. Thus you have to hope that you haven’t been affected. To test if you could be vulnerable, there is a test script that you could run, but it’s not something that I would direct the general public to. Thus I am hoping that a more “user friendly” way to test for this vulnerability appears. That way it increases the pressure on ISP’s and modem manufacturers to get about fixing this.

Earlier today I wrote about a company who’s less than optimal actions in response to a cyber attack left three hundred out of work. Today I am going to bring you a story from Brian Krebs on another cyber attack and how it was badly handled:

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

Now I will stop here. Clearly this CEO thought that they were going to recover their IT systems and get up and running in glorious fashion. Thus showing the world how brilliant they were and attract all sorts of positive press and make her look brilliant. Except that didn’t happen. It quickly became evident that the company had been further compromised. Here’s an example:

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VPCI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

You can read the rest of the story for all the details. But what was clear was that the company had actually been pwned by hackers some 14 months earlier. And that the company had clearly been the victim of password theft. Which is how the hackers were able intercept these emails as they were still on the network.

#Fail.

The take home messages are as follows:

1. When it comes to cybersecurity, you should start from a premise that the hackers are already in. As was the case here. And it is often the case in may cyberattacks. From there you can figure out how they got in, what they’ve touched, and how to get them out and keep them out. And you should do that long before something really bad happens.
2. You should assume all passwords — not just endpoint/domain credentials — are compromised. This may mean changing/adding two factor authentication for hundreds or thousands of endpoints and servers. But doing that is better than getting pwned again.
3. If you get pwned, get professional help. Fireeye / Mandiant is who I would recommend. They aren’t cheap, but they have a proven track record of responding to stuff like this.

The bottom line is that cybersecurity isn’t to be taken lightly. You need to do everything possible to defend yourself. Otherwise, bad things will happen to you.

If you don’t think that defending yourself against threats like ransomware shouldn’t be at the top of your list of priorities, consider this story:

An Arkansas-based telemarketing firm sent home more than 300 employees and told them to find new jobs after IT recovery efforts didn’t go according to plan following a ransomware incident that took place at the start of October 2019:

Employees of Sherwood-based telemarketing firm The Heritage Company were notified of the decision just days before Christmas, via a letter sent by the company’s CEO. Speaking with local media, employees said they had no idea the company had even suffered a ransomware attack, and the layoffs were unexpected, catching many off guard. “Unfortunately, approximately two months ago our Heritage servers were attacked by malicious software that basically ‘held us hostage for ransom’ and we were forced to pay the crooks to get the ‘key’ just to get our systems back up and running,” wrote Sandra Franecke, the company’s CEO, in the letter sent to employees. She goes on to say that data recovery efforts, initially estimated at one week, have not gone according to plan and the company had failed to recover full service by Christmas. Franecke said the company lost “hundreds of thousands of dollars” because of the incident and have been forced to “restructure different areas in the company.” As a result of the botched ransomware recovery process, the company’s leadership decided to suspend all services, leaving more than 300 employees without jobs.

So let me summarize this for you.

Due to the shortsightedness of this company’s CEO, CTO and executive management, their IT systems were not properly built and secured. They figured that this was an acceptable risk and spend money elsewhere rather than on protecting themselves from something like a ransomware attack. Then they got pwned and had to pay up to try and get back up and running. Except that their attempts to get back up and running failed and now 300 people are out of work.

This is a textbook example of why companies of all sizes need to protect themselves. Companies are responsible for their employees and they need to ensure that they are taking any and all steps to ensure that they are properly protected from this sort of thing. Otherwise you get this bad situation.