Archive for Hacked

Macmillan Pwned In Ransomware Attack

Posted in Commentary with tags on June 30, 2022 by itnerd

Macmillan, one of the largest book publishers in the US, has been hit by a ransomware attack, leaving book retailers nationwide unable to place new orders from the publisher. The company first reported the incident Monday, noting that to prevent further damage to its network, it had taken its systems offline.

Darren Williams, CEO and Founder of BlackFog offered this perspective:

  “Taking systems offline post attack is a reassuring and necessary response to a ransomware attack such as this one against Macmillan, but as ever, prevention is better than cure. 

Organisations need effective, modern protective security measures in place to prevent attacks. A common challenge with traditional defensive approaches to cybersecurity is that they require too much time to adequately protect organisations from these types of attacks, and often lead to a reliance on post-attack measures such as taking systems offline.

Instead of waiting for an attack to happen and then responding, organisations should be focused on newer technologies that prevent the exfiltration of data from the device, effectively stopping the attacker in their tracks. By looking at the mechanism of action across various ransomware gangs it is possible to stop these attacks at many stages of the attack life cycle and prevent a full blown incident such as the one against Macmillan.”

Hopefully they are able to get things sorted soon. Though I think it is safe to say that their long weekend is ruined.

AMD Apparently Pwned By RansomHouse…. And It Might Have Been Easy To Do

Posted in Commentary with tags , on June 29, 2022 by itnerd

It seems that chipmaker AMD has been pwned by the ransomware and extortion group RansomHouse:

RansomHouse, a relatively new data-extortion cybercrime group, has announced a major new victim. Today, the group published a new update on its darknet site and are claiming to have breached Advanced Micro Devices (AMD), the large chip manufacturing company.

RansomHouse is claiming to have breached AMD’s network and exfiltrated “more than 450 Gb” of data back in January 2022. The group has also published a data sample as evidence.

And assuming that this happened, it looks like AMD was pwned rather easily. Check this out:

It’s no secret that hackers can easily launch attacks against networks with commonly-used passwords to gain access.

According to RansomHouse, this was the case with AMD, which the group claims was using “simple passwords” to protect its network.

An era of high-end technology, progress and top security…there’s so much in these words for the crowds. But it seems those are still just beautiful words when even technology giants like AMD use simple passwords like ‘password’ [others passwords redacted] … to protect their networks from intrusion. It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on – all thanks to these passwords.

– RansomHouse group

If that’s true, that’s really embarrassing for AMD.

AMD had this to say when they were asked about this:

On June 27th, we reached out to AMD for comment. AMD provided us with the following statement on June 28th:

AMD is aware of a bad actor claiming to be in possession of stolen data from AMD. An investigation is currently underway.  

-AMD Communications Director

RestorePrivacy is in contact with both AMD and RansomHouse and will update this article with any new information provided to us from either party.

That sounds to me like this has actually happened. But we may want to wait for a more fulsome confirmation.

Saryu Nayyar, CEO and Founder, Gurucul:

     “In an ironic twist of fate, AMD survived the global chip supply chain crisis during the COVID-19 pandemic only to be victimized by ransomware from a new data extortion group. Doubling down on irony is that AMD staff used “password” as the password for critical network access. How does this still happen in companies with security savvy engineers? It’s beyond comprehension quite frankly. Time to spin all the passwords and clean up security controls. Seriously, it’s time.”

I can’t wait for the full details to come out. Because if these details are fact, a lot of people at AMD have some explaining to do.

UPDATE: Darren Williams, CEO and Founder of BlackFog added this comment:

     “We haven’t yet seen evidence of the attack on AMD, but RansomHouse’s recent attack on the Shoprite Group in South Africa would indicate that they are focused on large organizations with weak security. As with all cyberattacks it really doesn’t matter how the bad actors found their way in, weak passwords or otherwise, if they want to find a way in, they will be successful! What really matters is what data they were able to leave with. Extortion is the focus for cybercriminal gangs and organizations should look to newer technologies like anti data exfiltration to stop them in their tracks and prevent any unauthorized data from being exfiltrated.”

Baptist Medical Center Pwned…. 1.24 Million Patients Data Is In The Wild

Posted in Commentary with tags on June 28, 2022 by itnerd

Baptist Medical Center has suffered a malware attack, which involved the exfiltration of data affecting more than 1.24 million patients from two Texas hospitals, according to a statement from Baptist Medical Center:

On April 20, 2022, it was discovered that certain systems within our network may have been infected with malicious code as a result of potentially unauthorized activity. In response to this incident, user access was immediately suspended to impacted information technology applications, extensive cybersecurity protection protocols were executed, and steps were quickly taken to restrict further unauthorized activity. In parallel, an investigation of the incident was immediately launched, and a national forensic firm was engaged to assist with investigation and remediation efforts. Although the investigation is ongoing, it has been determined that an unauthorized third party was able to access certain systems that contained personal information and remove some data from the network between March 31, 2022 and April 24, 2022. As a result of this review, it appears that your personal information may have been involved.

Clearly this isn’t a trivial event given the large number of people who were affected.

I have two comments on this. The first is from Saryu Nayyar, CEO and Founder of Gurucul:

     “Here is yet another example of a security lapse involving a third party. All network access should be monitored continuously in order to detect unauthorized access by malicious insiders, third party contractors, and cybercriminals. Insider threats can quickly become external threats as we’ve seen in this case. Organizations need to re-evaluate their threat detection, investigation and response (TDIR) programs to enhance insider risk and threat initiatives. The most effective defense is an advanced set of behavioral analytics, to baseline and monitor for unusual user behaviors and catch bad actors in real-time before data is exfiltrated.”

The second comment is from Artur Kane, VP of Product for GoodAccess:

     “Hospitals are a tempting target for financially oriented cyberattacks, as the records of malware and ransomware incidents from the past couple of years show. There are three main reasons why cyber criminals like to pick them:

  • First, they have a lot of data to steal. Healthcare institutions contain enormous troves of patients’ personal data, which provides hackers with plenty of loot to sell, if not exploit directly. 
  • Second, hospitals are more likely to pay a high ransom. Healthcare institutions often have large budgets that are required to sustain the large number of highly qualified staff in their employment and cover the upkeep of hi-tech medical equipment. But when a ransomware attack encrypts their sensitive information, hospitals face the threat of a data leak and, worse still, they can no longer provide treatment, which directly threatens human lives. Under such circumstances, healthcare institutions are pushed to comply with the ransom demands to allow them to resume providing medical services.
  • Third, hospitals often lack defenses. Hospitals are similar to banks in how much sensitive data they curate, but they don’t have information protection so deeply rooted in their pedigree. Their purpose is to provide health care, not guard someone’s assets. This could be why their IT is often understaffed and their vast infrastructures often contain vulnerabilities or run on legacy systems, offering exploitable points of entry for potential attackers. Some of their medical equipment can also harbor malware without it being detected, such as an MRI scanner that runs on Windows but doesn’t even have an antivirus. Their priority is uptime, not security.

However, healthcare institutions can still significantly reduce the risk of an attack by implementing a few security measures:

  • The first is regular and thorough backup of all sensitive data. This is an absolute no-brainer. The likelihood of attacks on healthcare institutions borders on the inevitable and having the ability to recover lost data can save millions of dollars in ransom or damages.
  • Next is adopting a zero-trust network access (ZTNA) policy, which on its own brings several benefits. Under ZTNA, users have to use strong authentication, typically reinforced by multiple identity factors (multi-factor authentication). This makes it much harder for attackers to exploit stolen access credentials. In addition, proper ZTNA keeps logs on all access attempts by users, which can be a helpful resource for tracing the progress of the breach during post-compromise analysis and patching up vulnerabilities thus discovered.

ZTNA operates on the least-privilege principle, which means that users can only access those systems they require for their work, but no others. This approach segments the network, confining the attacker only to a pool of systems to exploit, but denying them free rein of the network, causing difficulty escalating the attack further.

  • Lastly, healthcare institutions need real-time end-to-end network-centric threat detection. Even with the latest patches and vulnerability updates in place, compromise is likely, and hospitals need to invest in solutions that can detect threat activity in network traffic, such as NDR (network detection and response). Given the exorbitant cost of damage that hospitals suffer as a result of malware and ransomware attacks, the investment pays for itself rapidly.”
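As an added illustration of the ZTNA properties Artur Kane describes above (MFA-gated access, least-privilege role scopes, and a log of every attempt for post-compromise tracing), here is a small policy broker. It is example code written for this page, not GoodAccess’s product, and the hospital roles, system names, users and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed least-privilege map for a hospital: each role sees only the
# systems its work requires (hypothetical roles and system names).
ROLE_SYSTEMS: Dict[str, FrozenSet[str]] = {
    "nurse": frozenset({"ehr"}),
    "radiology": frozenset({"ehr", "pacs"}),
    "billing": frozenset({"billing"}),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    system: str
    mfa_verified: bool   # True only if a second factor was validated
    src_ip: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class ZtnaBroker:
    """Policy enforcement point: decides and records every access attempt."""
    audit_log: List[dict] = field(default_factory=list)

    def evaluate(self, req: AccessRequest) -> Decision:
        if not req.mfa_verified:
            decision = Decision(False, "mfa_required")
        elif req.role not in ROLE_SYSTEMS:
            decision = Decision(False, "unknown_role")
        elif req.system not in ROLE_SYSTEMS[req.role]:
            decision = Decision(False, "outside_least_privilege_scope")
        else:
            decision = Decision(True, "ok")
        # Denials are logged too: they are the signal an investigator needs
        # to see where a compromised account probed beyond its segment.
        self.audit_log.append({
            "user": req.user, "system": req.system, "src_ip": req.src_ip,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def trace_user(self, user: str) -> List[dict]:
        """Post-compromise view: everything one account touched or tried."""
        return [e for e in self.audit_log if e["user"] == user]

    def lateral_probe_count(self, user: str) -> int:
        """Out-of-scope denials for an account; a burst of these from one
        user suggests stolen credentials being used to move laterally."""
        return sum(1 for e in self.trace_user(user)
                   if e["reason"] == "outside_least_privilege_scope")


def run_demo() -> ZtnaBroker:
    """Replay a constructed sequence: normal use, then credential misuse."""
    broker = ZtnaBroker()
    attempts = [
        # Legitimate nurse session with MFA to the one system the role needs.
        AccessRequest("n.adams", "nurse", "ehr", True, "10.20.1.15"),
        # Password-only attempt (no second factor) is refused outright.
        AccessRequest("n.adams", "nurse", "ehr", False, "203.0.113.7"),
        # Same account, MFA satisfied, now probing other segments:
        # least privilege denies both, and both denials are recorded.
        AccessRequest("n.adams", "nurse", "pacs", True, "203.0.113.7"),
        AccessRequest("n.adams", "nurse", "billing", True, "203.0.113.7"),
        # Unrelated radiology user doing normal work.
        AccessRequest("r.singh", "radiology", "pacs", True, "10.20.2.40"),
    ]
    for req in attempts:
        broker.evaluate(req)
    return broker


if __name__ == "__main__":
    b = run_demo()
    for entry in b.trace_user("n.adams"):
        print(entry)
    print("lateral probes by n.adams:", b.lateral_probe_count("n.adams"))
```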

Things really need to improve as these events keep happening and it is my perception that little is being done until after the event happens. That needs to change or else I suspect that events like this will become more frequent and more severe.

Black Basta Ransomware Group Going After New Targets: Report

Posted in Commentary with tags on June 27, 2022 by itnerd

Security researchers with Cybereason have warned that the Black Basta ransomware-as-a-service group has been observed targeting manufacturing, construction, pharmaceuticals and other industries, in their latest update on the new threat group. Additionally, the ransomware syndicate has developed a Linux variant, designed to attack VMware ESXi virtual machines running on enterprise servers.

Chris Olson, CEO, The Media Trust had this to say:

“Today, data breaches aren’t just about stealing sensitive data for financial gain: they are also a danger to public safety. On average, cyber defenders have less than an hour to stop a ransomware event in progress. In addition to virtualization and cloud computing software, web and mobile apps are increasingly targeted by cyber actors using sophisticated techniques such as obfuscated and polymorphic code to dodge blockers or URL filters. Businesses must pivot to prevention over treatment, monitoring IT and digital infrastructure in real time while working to harden entry points.”

I’ve written about the fact that you have less than an hour to stop a ransomware attack here. That alone makes defending against these attacks a must. I would read the warning and my previous story so that you can harden your enterprise accordingly.

UPDATE: I have additional commentary from Jake Williams who is the Executive Director of Cyber Threat Intelligence for SCYTHE:

The Black Basta threat group is a capable player in ransomware operations. Their capability to encrypt ESXi servers underscores the necessity of securing access to hypervisor systems. While Black Basta isn’t the first to develop capabilities against ESXi (LockBit, Hive, and Cheerscrypt already have demonstrated ESXi capabilities), this shows the relative sophistication of the teams working under Black Basta performing the ransomware operations.

Use of commodity malware like Qakbot demonstrates that there is no such thing as a “commodity” malware infection. Organizations must treat every malware detection as an opportunity for a threat actor to deploy ransomware. Black Basta highlights just how damaging the outcome can be if commodity malware infections are ignored simply because they were “mitigated” by endpoint protection platforms. Other threat actor malware can be – and often is – in the network.

And I have additional commentary from Robert Shaughnessy, VP, Federal for GRIMM:

“Ransomware-as-a-service (RaaS), including groups like “Black Basta,” is a fast-growing business, with comparisons being made to traditional Software-as-a-Service (SaaS) offerings. It may be more accurate to think of groups like Black Basta as loosely affiliated criminal gangs forming from the leftovers of larger organized criminal organizations. Conti, for example, has been broken up as if a lockpick, alarm specialist, appraiser, and accountant who met in prison decided to rob houses together. Enterprises are the houses, and their data are the jewels. Like home invaders, the Black Basta syndicate is looking for enterprises with a combination of valuable data and vulnerable defenses. With Black Basta, the current thinking is it was formed from former members of Conti and REvil, the leading Ransomware gangs from 2021, and leveraging partnerships including with the QBot malware. As reported recently by Nathan Eddy, writing for DARKReading (https://www.darkreading.com/threat-intelligence/black-basta-ransomware-esxi-servers-active-campaign), one interesting feature of Black Basta is a trend toward encrypting Virtual Machines (VMs) via the VM ESXi hypervisor. Leveraging larger servers, typically acting as ESXi hypervisor host machines, provides Black Basta with access to much more powerful processing and memory pools than a single workstation would typically have, resulting in faster encryption times and reducing the overall Time to Ransom. This makes it substantially harder for defenders to detect, isolate, and remediate attacks. Even though emerging ransomware gangs are beginning to use novel Tools, Techniques, and Procedures (TTPs), including VM hypervisor attacks, they are not invincible. 
As with most ransomware campaigns, a good defense against Black Basta starts with basic cyber hygiene: conduct regular in-depth threat assessments, ensure complete enterprise visibility, keep all systems properly patched, employ a zero-trust model across the enterprise, and closely monitor systems for the earliest signs of atypical utilization and access rights modifications.”

Lithuania Hit By Cyber Attack From A Russian Linked Threat Actor

Posted in Commentary with tags on June 27, 2022 by itnerd

Reuters is reporting that Lithuania has been hit by a cyber attack. Specifically, Lithuanian state and some private institutions were hit by a denial-of-service cyber attack on Monday, the National Cyber Security Centre said in a statement released by the defence ministry. Considering that the country is in a “feud” with Russia over sanctions related to Russia’s invasion of Ukraine, it’s likely not a shock that this happened. Nor is it a shock that a Russian linked hacker group has claimed responsibility for the attack.

Chris Clymer who is a Director & CISO at Inversion6 had this comment:

Every significant military power in the world has developed cyber capabilities. These have evolved from espionage tools into full fledged weapons to be used as part of a coordinated military response. Targeting another country with these arguably constitutes an act of war, but one less severe than kinetic attacks with missiles and tanks.  Russia has a collection of theoretically autonomous groups like Killnet which give it the ability to strike at its enemies while still denying responsibility – not a new tactic.  This year alone, Killnet has reportedly targeted Romania, Moldova, Czech Republic, and Italy with Lithuania now added to the list. This harassment will continue, and what’s more interesting is that it doesn’t seem to have targeted the US and major European powers as strongly as first expected. With what we know of internet infrastructure, it’s hard to believe this is because those targets are stronger. Perhaps the Russians are trying to stay focused on targets it feels it can afford to antagonize.

Clearly we live in an era where the battlefield includes cyberspace. Thus it makes anyone and everyone a target. Thus now is a really, really good time for everyone to review their cyber defences so that they aren’t the next target.

Auto Parts Maker Nichirin Pwned By Ransomware

Posted in Commentary with tags on June 22, 2022 by itnerd

Japanese automotive hose maker Nichirin has been hit by a ransomware attack forcing it to shut down its computerized production controls, as reported by Reuters:

“We are investigating what impact this may have on our customers, and we will promptly disclose any necessary information,” the company said.

Nichirin also posted a warning on its website about possible spoof emails that appeared to be from the company and asked recipients not to open any attached files.

Darren Williams, CEO of BlackFog has offered some perspective on this:

“We continue to see threat actors targeting manufacturers in the automotive, infrastructure and government sectors. Cyber criminals continue to target organizations with older infrastructure, lack of investment in cyber security in terms of both product and personnel. These industries continue to outpace the rest of the market in terms of attacks. It should serve as a reminder that even the smallest contributors to the supply chain must do their part to defend against cyberattacks.”

Additionally, the UK has decided not to impose regulations on the cyber security profession after an 8-week consultation conducted by the Department for Digital, Culture, Media and Sport. The UK Cyber Security Council will proceed with its planned chartered standards, as the Government monitors their adoption. In response, an expert with GoodAccess has offered commentary.

Artur Kane, VP of Product of GoodAccess also offers some perspective:

“According to Forbes, there are nearly 465,000 unfilled cyber jobs across the US. At the same time, the number of cyber-attacks has never been so high in history. While society becomes more digitized and wars move more often to the cybersecurity space, those nations who want to be relevant must support their digitalization notions with strong security legislation. The lack of unfilled jobs must be supported through investments in education, but without clear directives on what skills, roles and frameworks, graduates rarely leave school being fully prepared for their new jobs, leaving much of the work of recruiting and requalifying employees to organizations and inherently slowing down the whole process and raising costs. Also, the diversity in approaches leads to varying quality and leaves some organizations more vulnerable. The UK’s Embedding Standards and Pathways Across the Cyber Profession by 2025 has the potential of filling those gaps. With the decision to postpone its enforcement the UK government heard the voices of organizations, which is a good thing in a democratic society, but on the other hand we’ve learnt in history that for big changes to make an impact, more swift adoption is required. With GDPR, being controversial, not ideally communicated and leaving quite a big space for speculative understanding of some standards, we are now all thankful for this directive to exist. Yes, companies struggled at the beginning to adopt those standards, but by enforcing it and leaving a protective period when fines were waived, companies felt the urgency and acted swiftly towards full adoption. Postponing the enforcement of the Embedding Standards might be a generous thing but will inherently compromise the speed at which the UK solves one of the most crucial problems of a fully digital and globally competitive country.”

You can see how crippling an attack like this can be. Thus every company needs to make sure that their defences are in tip top shape and that they have the people required to fight this sort of battle if they have to, or make sure that they are in a position never to have to fight this sort of battle.

Texas Tech University Health Sciences Center Pwned As Part Of A Larger Event…. Up To Two Million Patients Affected

Posted in Commentary with tags , on June 17, 2022 by itnerd

Texas Tech University Health Sciences Center has confirmed that the protected health information of 1,290,104 patients was compromised in a data breach at its electronic medical record vendor, Eye Care Leaders.

Eye Care Leaders said it detected a breach on Dec. 4, 2021, and disabled the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the final results of the forensic investigation on April 19, 2022. The compromised information included the following data elements: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, social security number, as well as medical information related to ophthalmology services. No evidence of data exfiltration was found. But I’ll point out that it doesn’t mean that it didn’t happen. It just means that there’s no proof that it did.

Over the past few weeks, the number of eye care providers known to have been affected by the Eye Care Leaders data breach has been growing. At least 20 eye care providers have confirmed they have been affected and the protected health information of at least 1.9 million patients is known to have been exposed.

As the value of stolen credit cards has gone down in value, the value of health records has gone up. With a complex web of interconnected providers in the healthcare space, many being small businesses, it’s impossible for the security safeguards in HIPAA to be fully maintained across the board. That said, a breach at an Electronic Healthcare Records provider is especially concerning, as these are the types of vendors those small mom and pops rely on to provide more secure solutions than they could build on their own.

It’s commendable that they had their own incident response team that did detect a breach rather than it being reported by a 3rd party…a good sign that they are doing the right things. For those who haven’t been through an investigation like this before, it is worth noting that there are many reasons that “no evidence of data being exfiltrated” could be found. Very often logs that would have showed evidence aren’t kept for long enough…or at all. If forensics teams don’t have the right data to work from, it becomes impossible to prove an exfiltration. And there will be legal and executive pressure to state that no evidence was found in the absence of clear data that it was. In short, anyone who was part of this breach still might be well off to scrutinize their bills closely, and be prepared to find healthcare services procured in their name at some later date, unfortunately.

We’ll have to see how bad this breach is, starting with whether info shows up on the dark web, which would be a sign that data was stolen. You might want to stay tuned to this one as I suspect I may be providing an update.

University of Pisa Pwned By Ransomware

Posted in Commentary with tags , on June 14, 2022 by itnerd

The University of Pisa in Italy is currently being held to ransom for $4.5 million, according to cybersecurity360 (Translation here). The BlackCat ransomware group has claimed responsibility for the cyberattack, issuing a ransom note stating that the University has until June 16th to pay the ransom. Though I will note that the report indicates that some of the data is already online. Which of course is bad.

Chris Olson who is the CEO of The Media Trust, had this comment:

“The University of Pisa attack follows a trend of ransomware actors targeting universities and schools, possibly because they assume these institutions are well-funded and eager to resume operations. Unfortunately, BlackCat is a sophisticated ransomware strain that is capable of targeting organizations through multiple entry points – it also uses a modern programming language (Rust) to evade detection, making it hard for cyber defenders to fight back.”

“Together with the attack on Palermo, this incident is a reminder that cyber actors are shifting to more valuable targets and using advanced methods to infiltrate them. As cyber threats encroach on critical infrastructure and vulnerable institutions, it’s more important than ever for today’s businesses to understand how ransomware actors compromise their systems, from reconnaissance to execution. This includes digital attack surfaces like Web and mobile devices, where many ransomware incidents begin.”

The Palermo attack that Chris is referring to is on the Italian municipality of Palermo, where the ransomware group Vice Society has claimed responsibility for that attack. Thus understanding and addressing weak points in your IT security, along with having prevention methods in place and training your staff, is the best defence against getting pwned.

Kaiser Permanente Pwned…. Info On 70K Patients Exposed

Posted in Commentary with tags on June 13, 2022 by itnerd

Kaiser Permanente has issued a breach notice regarding a data breach which occurred in early April, exposing 70k patients’ names, medical record numbers, dates of service and lab test results. Although not specified in Kaiser’s breach notice, regulators from the US Department of Health and Human Services Office for Civil Rights confirm this was the result of an email security slip-up at Kaiser’s Washington unit that let threat actors get in and have a few hours of access before they were shut out. I use the word “slip-up” based on this from the breach notice:

The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future.

That means that the employee was either phished or clicked on something that ran malware to allow this to happen.

Sanjay Raja, VP of Product, Gurucul:

“It is most likely that the threat actor(s) involved were already inside for some time and what was detected was the actual data being exfiltrated within hours. What is becoming more evident as we see attacks similar to the Kaiser disclosure is Identity Threat Detection and Response (ITDR) is a critical component of any security operations program. However, too many solutions are rushing to announce identity-based capabilities for XDR or SIEM, but are simply correlating Active Directory data, while claiming to offer ‘identity analytics’. This does nothing to automatically detect a threat and leaves security teams to continue to manually determine if an attack is active, which also leaves them chasing a lot of false positives that can potentially waste a lot of time and resources. Incorporating a full-blown set of identity data ingestion, analytics on infrastructure activity, access privileges and entitlements, combined with user and entity behavior analytics can provide security teams with not only understanding of risky or suspicious activity, but rapidly determine if an actual attack is taking place. More importantly, the key to stopping data from being stolen is enabling identity-centric response based on a full understanding of the risk to an organization based on what the context discovered and analyzed. Unfortunately, the vendor marketing hype is in full force already.”

Hopefully Kaiser Permanente does more than just do training on one employee. Because now that this is out there, a lot of patients are going to be worried about their personal information. Which will likely lead to some of them calling their lawyers. And that won’t end well for Kaiser Permanente.

“SeaFlower” Goes After Web3 Wallets On iOS And Android

Posted in Commentary with tags , , on June 13, 2022 by itnerd

Confiant’s Taha Karim has released a deep-dive into an extensive campaign from the threat actor SeaFlower, in which websites mimicking official cryptocurrency wallet sites distribute backdoored Web3 wallets for iOS and Android that drain victims’ funds. The threat actor is likely Chinese, according to the deep dive.

Chris Olson of The Media Trust had this to say:

“Cryptocurrency is rapidly becoming a battlefield for global cyber actors who target crypto owners through multiple channels. While many are waking up to the danger of email-based phishing scams, few are prepared for SEO and web-based attacks that target Internet traffic and mobile users. Aside from encouraging caution among NFT and crypto users, this incident has three implications: first, web and mobile devices are growing as threat surfaces – second, foreign actors can leverage those surfaces to target users around the world. Finally, Web3 may be vulnerable to the same threats that have made Web 2.0 unsafe for years, unless early adopters of the technology commit to minimal standards of digital safety and trust.”

There are mitigation strategies in the deep dive, along with promises of a “part 2” to this. Thus if you’re in the cryptocurrency space, you might want to stay tuned for that.