Archive for Hacked

BREAKING: Massive Ransomware Attack Spreading Across The Globe

Posted in Commentary with tags on June 27, 2017 by itnerd

Many news sites including Motherboard are reporting that a massive ransomware attack is underway. Computers in Spain, France, Ukraine, Russia, and other countries have apparently been hit by this:

The attacks bear some resemblance to the recent WannaCry outbreak, in which thousands of computer systems were locked down with ransomware around the world.

Motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.

“We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours,” Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat.

Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.

“If you see this text, then your files are no longer accessible, because they are encrypted,” the text reads, according to one of the photos. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

I suspect that this will be a very long day for IT admins in various places around the world. And we shouldn’t be shocked that this is happening as it was only a matter of time before something like this happened. The question is, how bad can this get?

Watch this space for updates as they come.

UPDATE: The ransomware in question is called Petya. Many security experts are theorizing that it is spreading so fast because it is leveraging the same NSA-supplied attack vector that the last epic cyberattack used. Thus a fully patched Windows system should be resistant to this ransomware.

UPDATE #2: McAfee’s Gary Davis has written a blog with three tips for consumers to keep their systems secure from ransomware attacks such as Petya.


Ohio Government Websites Pwned…. Pro IS Messages Displayed

Posted in Commentary with tags on June 26, 2017 by itnerd

I’m going to go out on a limb and say that heads are about to roll over this…. If they already haven’t. I say that because according to many outlets including Bloomberg, numerous Ohio Government websites have been pwned by hackers who defaced the websites with messages purported to be from the terrorist group known as the Islamic State or IS:

Ten state websites and two servers were affected, and they’ve been taken off line for an investigation with law enforcement into how the hackers were able to deface them, said Tom Hoyt, a spokesman for the Ohio Department of Administrative Services.

The Ohio governor’s website wasn’t loading on Sunday afternoon, and a cached version showed the message “hacked by Team System Dz.’’ It said, “You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries’’ and added, “I love the Islamic state.”

Lovely. But I’m really not focused on whoever did this. The real question is why in 2017 was anyone actually able to do this? Website defacement isn’t new. Neither is how to defend against this sort of thing. Take these suggestions, or these suggestions for example. I’m sure as I am typing this there is a root cause analysis going on to figure out how these hackers got in, and who they are. The public will likely never see it, but it’s a safe bet that if someone in the IT department in Ohio screwed something up or missed something, they may be mass e-mailing their CV to find a new job in short order.

Bell Ignored Ransom Demand Prior To Data Breach

Posted in Commentary with tags on May 19, 2017 by itnerd

Earlier this week I told you about Bell having a customer data leak and the possibility that more leaks would be coming. It now seems that the reason for the leak was the fact that Bell ignored a ransom demand from the hacker behind this. Here’s what The Financial Post had to say:

“A demand for payment was made by the hacker, but it was not paid,” Bell spokesman Marc Choma said via email on Tuesday. “We did not reply to their demand.”

You can completely understand why Bell didn’t pay. It would have opened the floodgates for extortion. But you still have to wonder how this happened in the first place. Bell isn’t exactly offering up those details. But the Canadian Privacy Commissioner is investigating and if they discover that Bell dropped the ball, we’ll be told pretty darn quick.

Zomato Pwned….. Data Of 17 Million Users Briefly Appears On Dark Web

Posted in Commentary with tags on May 19, 2017 by itnerd

Another day, another data breach. This time it’s Zomato and the hack is big. Here are the details via HackRead:

Recently, HackRead found out a vendor going by the online handle of “nclay” is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace.

The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit. Here’s a screenshot of the sample data publicly shared by “nclay.”

The company via a blog post has acknowledged that they’ve been pwned. Passwords have apparently been reset and Zomato are looking for any breaches in their system. But they also say that any credit card info that is stored on the system is secure. Thus there’s nothing to worry about. I am not so sure. If there’s a breach, anything could have been taken. And chances are it will only be discovered and/or admitted to much later. Thus, I’ll provide my standard advice. Assume the worst and take whatever precautions you need to so that you’re protected.

#Fail: Trump Properties Are Easily Pwnable Via Poorly Secured WiFi

Posted in Commentary with tags on May 18, 2017 by itnerd

Gizmodo is running a story where they test the security at a few properties owned by US President Donald Trump, including The Mar-a-Lago Club where he has brought foreign leaders, and find that any “half decent hacker” can break into their networks via poorly secured WiFi:

We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of the Mar-a-Lago Club in Palm Beach, and pointed a two-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.

A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, N.J., with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.

We also visited two of President Donald Trump’s other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Va. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

That doesn’t sound good. But you’re likely asking “is this really a big deal?” Well, yes it is. Here’s why:

The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

“Those networks all have to be crawling with foreign intruders, not just [Gizmodo and] ProPublica,” said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.

Seeing as Trump is President, goes to these places frequently, takes foreign leaders to these places, and likely conducts business that affects the security of the United States, this is a problem. Now, if you also consider that he signed an executive order to force the government to step up its game on the cybersecurity front, maybe he should get his own house in order first as the optics from this are pretty craptastic.

Roundup: NHS Cyberattack Is Now Global In Scope… Here’s What You Need To Know

Posted in Commentary with tags on May 13, 2017 by itnerd

What started out as a story about the NHS getting pwned by ransomware has now evolved into the biggest cyberattack in history. The New York Times has a map that illustrates how widespread the attack is. The Financial Times has an excellent story on the attack itself, which utilizes a piece of NSA-developed malware to leverage poorly secured or antiquated systems running the Windows OS. In terms of the latter, the NHS in the UK was apparently running Windows XP systems which haven’t had security patches from Microsoft in years, making them great targets for this sort of thing. You can bet that heads will roll over that. Organizations such as FedEx, Telefonica, Renault, and The Russian Interior Ministry, among others, have been hit by this cyberattack.

All is not lost though. Microsoft has added detection and prevention routines to their antivirus products. Other antivirus vendors are doing the same. And by sheer luck, a British cybersecurity researcher accidentally stopped the attack from spreading more widely.

The only good news is that this may be the event that finally forces companies and governments to take cybersecurity seriously. Not to mention the average consumer. After this calms down, I suspect there will be a serious rethink about how one protects oneself in the age of the cyberattack.

UPDATE: Microsoft has advice for customers here. This page also includes emergency patches for operating systems as far back as Windows XP.

UPDATE #2: If you are a network admin who wants to protect their network from potentially getting pwned by this, here’s what you need to know. Disabling SMBv1 closes off the bug that the NSA-sourced ransomware uses. Guidance on how to do that can be found here. This applies to devices like network attached storage boxes that may use SMBv1 as well. You should also firewall off SMB ports 139 and 445 from the outside world and restrict access to the service where possible on internal networks.
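As an added example of the SMBv1 and firewall steps above (not from the original post or from the guidance it links to), the following PowerShell assumes an elevated prompt on Windows 8.1/Server 2012 R2 or later, with a registry fallback for Windows 7/2008 R2, and that the rule name is our own choice:

```powershell
# Added example: disable SMBv1 and block SMB from untrusted networks on a Windows host.
# Assumes PowerShell 5.x run as Administrator on Windows 8.1/10 or Server 2012 R2+;
# the registry fallback covers Windows 7 / Server 2008 R2, where the Smb* cmdlets
# do not exist. Test first: some legacy devices (old NAS boxes, printers) still need SMBv1.

# 1. Report the current state so the change can be verified before and after.
$cfg = Get-SmbServerConfiguration
"SMB1 enabled on server side: $($cfg.EnableSMB1Protocol)"

# 2. Turn off the SMBv1 server component (takes effect immediately, no reboot).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Remove the SMBv1 feature entirely (client and server); a reboot is required.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 4. Windows 7 / Server 2008 R2 fallback: the LanmanServer SMB1 registry value.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $key -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null

# 5. Block inbound SMB (TCP 139/445) on the Public profile, i.e. from the outside
#    world, while leaving Domain/Private alone so internal file sharing keeps working.
$ruleName = 'Block inbound SMB from public networks'   # name chosen for this example
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
    -Profile Public -Action Block | Out-Null

# 6. Verify: SMB1 should now report False and the rule should list both ports.
(Get-SmbServerConfiguration).EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Step 4 only takes effect after a restart of the Server service or a reboot, and step 3 is the only one that also removes the SMBv1 client.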

UPDATE #3: Another way to protect yourself is to ensure that your computer(s) are fully patched. Thus this is a really good time to run software updates to make sure that you are covered. This applies to companies, governments, and individuals.

UPDATE #4: A reader just asked me if this ransomware affects Macs. It does not.

UPDATE #5: Motherboard is reporting that there is a new version of this ransomware. The difference is that this one cannot be stopped accidentally or otherwise. Thus we may be about to see round two of this cyberattack.

NHS Hospitals Pwned By Ransomware In Epic Fashion

Posted in Commentary with tags on May 12, 2017 by itnerd

Across the United Kingdom, people were seeing Tweets like these pop up in their Twitter feeds:

The reason for this is simple. National Health Service hospitals (or NHS for short) have been pwned by ransomware in a co-ordinated attack. Here are the details from the BBC:

Staff cannot access patient data, which has been scrambled by ransomware. There is no evidence patient data has been compromised, NHS Digital has said.

The BBC understands up to 25 NHS organisations and some GP practices have been affected.

It comes amid reports of cyber-attacks affecting organisations worldwide.

A Downing Street Spokesman said Prime Minister Theresa May was being kept informed of the situation, while Health Secretary Jeremy Hunt is being briefed by the National Cyber Security Centre.

According to cybersecurity firm Foursys, the ransomware is holding each computer hostage for $300 in Bitcoin. The malware demands that hospitals pay by May 15, or all the encrypted files will be deleted by May 19. Ironically, this firm manages cybersecurity for 140 NHS sites. Read into that what you will. Also of note, according to cybersecurity expert Brian Krebs, the ransomware was spread through a recently patched flaw in the Microsoft Windows SMB or Server Message Block service, which Windows computers rely upon to share files and printers across a local network. This implies that they didn’t patch their systems when the patch came out in March. #fail.

This is serious and proof that organizations of all sizes need to get serious about protecting themselves against this sort of attack.