The IT Nerd

InsideRadio reporting of Marketron Radio hit by a cyberattack. It’s so bad virtually all of its systems are offline. The cyberattack hit over the weekend and is impacting all 6,000 customers. CEO Jim Howard has stated Russian criminal organization BlackMatter is responsible. And if you’re keeping track, BlackMatter seems to be pwning all sorts of companies:

“Marketron recently discovered a cyberattack involving certain aspects of our network infrastructure that is causing an interruption in our normal business operations,” VP of Marketing Bo Bandy told Inside Radio. “Immediately upon learning of this event, we took swift action to notify law enforcement, secure our systems and information, and contain the event.”

The company, which manages $5 billion in annual U.S. advertising revenue, says it’s working with third-party specialists to assist in its response and recovery efforts, which include working to investigate the source and root cause, understand the full nature and scope of the event, and to restore full functionality. “We are also working to confirm the security of our systems and to assess the existing security measures we have in place to protect the integrity of our systems and data,” Bandy said.

Marketron’s customers were informed about the breach Sunday night in an email from CEO Jim Howard. 

“This issue comes despite significant recent investments in separating backup and disaster recovery in different physical and network environments, instituting ‘zero trust’ access management policies, and new security detection and recovery tools,” Howard said in the email. “We have not yet discovered how the hackers exploited our networks.”

Howard said the company is communicating with both BlackMatter and the FBI and using all of its resources to restore systems as quickly as possible. The company has set up a status page to keep clients informed and set up a help line for customers at 888-239-8878 or via email at help@marketron.com.

Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say about this epic attack:

Blackmatter is the resurgence of folks associated with the DarkSide and REvil group (famous for the Colonial pipeline attack). Both of these groups were either shutdown or went dark after the high profile attacks they pursued brought pushback from the US and other government entities. They operate a ransomware-as-a-service platform which includes initial access brokers (IAB) and ransomware affiliates doing the initial legwork.  As is common, these always occur during the weekend where it is the hardest to get staff back in to respond quickly.

Expect to hear more from DarkMatter as this criminal organization clearly has some momentum. Which is bad news for everybody else.

The Republican Governors Association email server was breached by state hackers. The RGA revealed in a data breach notification letter sent last week that its servers were breached during an extensive Microsoft Exchange hacking campaign that hit organizations worldwide in March 2021:

On March 10, 2021, RGA was alerted to an exploit in Microsoft’s Exchange Service email software. This was a widespread exploit at Microsoft that threat actor(s) utilized to attack companies across the globe. Once RGA learned of the exploit, it immediately launched an investigation, with the assistance of cybersecurity experts, into the nature and scope of the incident. As part of this investigation, RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021, and that personal information may have been accessible to the threat actor(s) as a result.

The forensic investigation was unable to identify what personal information, if any, was impacted as a result of this incident. Out of an abundance of caution, RGA commenced a thorough data mining effort to identify potentially impacted individuals. Once impacted individuals were identified, RGA worked to identify addresses, prepare statutorily compliant notification deliverables, and engage a vendor to provide call center, notification, and credit monitoring services. RGA completed its extensive address search on September 1, 2021.

The address search determined that your state resident(s) had name in addition to one of the following accessible to the threat actor(s): Social Security number or payment card information.

Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say about the attack:

The MS Exchange vulnerabilities affected a large number of organizations such as the RGA. Even after the vulnerabilities were announced several servers remained (1) Accessible to the general Internet, and (2) Unpatched. So the attacks likely continued for a long time after the original CVEs were published. In addition, organizations are typically not inspecting East-West internal network traffic and even North-South external traffic is inspected usually with a legacy threat or malware signature-based firewall. Post initial access, detection and response at the network and endpoint layer could potentially thwart such state-sponsored attacks.

It’s time for companies to alter how they defend their Exchange server so that attacks like this aren’t as effective.

The people of Afghanistan have lots of problems. And if you’re someone who worked with NATO, your problems are worse. But they just got worse than that with the news that the UK Ministry Of Defence has been pwned:

It is not yet clear if the interpreters concerned are in the UK or Afghanistan after dozens were left behind following the withdrawal of UK troops from Afghanistan last month after the Taliban took the country.

An MoD spokeswoman told Sky News 250 email addresses are part of the breach but it is not yet known if they contain the names or photos of the translators involved.

The breach was carried out by the Afghan Relocations Assistance Policy (ARAP) team, which is led by the Home Office and MoD.

The MoD spokeswoman said: “An investigation has been launched into a data breach of information from the Afghan Relocations Assistance Policy team.

“We apologise to everyone impacted by this breach and are working hard to ensure it does not happen again.

“The Ministry of Defence takes its information and data handling responsibilities very seriously.”

The MoD is going to help these people. But I hope by “help” they are going to ensure that these people are safe from any retaliation from the Taliban or others. But this illustrates why cyberdefences need to be 100% on point 100% of the time. Otherwise, you are on the wrong side of the headlines.

Market Watch is reporting French Container Operator CMA CGM Hit by a cyberattack with unknown hackers leaking part of its customer information. 

French liner CMA CGM S,A. said Monday that it suffered a cyberattack with unknown hackers leaking part of its customer information.

The world’s third biggest boxship operator said the “limited customer information” leak includes their names, positions, emails and phone numbers.

“The IT team has immediately developed and installed security patches, and surveillance of all our application programming interfaces has been strengthened,” the company said.

The hackers said in an email they obtained more than 499,000 customer records and that they would “lay out the entire” database in a week after CMA CGM refused to pay ransom.

This isn’t trivia. Especially since they were pwned by hackers at this time last year. Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:

This is a classic example of double extortion where the hackers have leverage even if CMA CGM has a good backup and DR strategy laid out. Today’s ransomware landscape requires not just reducing the attacker’s downtime leverage but also reducing the risk of exfiltration or disruption. Most attacks use vulnerabilities that have been known for months or in many cases just live off the land without requiring a major vulnerability so an IT team developing patches at this late stage seems unusual. Most IT teams already know patches are needed but due to business pressure or lack of cycles from developers teams, these patches do not get deployed in time. 

It’s clear that it’s a time for IT teams to shift their strategies in terms of fighting cyberattacks. Otherwise bad things will happen to them.

A nation-state cyber-espionage group has gained access to the IT network of the Alaska Department of Health and Social Service (DHSS), the agency said last week:

The attack, which is still being investigated, was discovered on May 2, earlier this year, by a security firm, which notified the agency. While the DHSS made the incident public on May 18 and published two updates in June and August, the agency did not reveal any details about the intrusion until last week, when it officially dispelled the rumor that this was a ransomware attack. Instead, the agency described the intruders as a “nation-state sponsored attacker” and “a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities.”

You have to believe that the US Federal Government is involved in investigating this attack. And if they can prove that a nation state was behind this, the nation state in question is going to get a knock on the door. That combined with having strong cyberdefences are the only ways that this sort of thing stops.

I would stay tuned to this story as I suspect that this might get “interesting.”

Iowa-based grain cooperative New Cooperative was struck by ransomware in recent days and has shut down its computer systems as it tries to mitigate the attack. And the threat actor is a ransomware group known as BlackMatter:

The attack occurred on or around Friday, according to Allan Liska, senior threat analyst at the cybersecurity firm Recorded Future. The ransomware gang, which goes by the name BlackMatter, is demanding a $5.9 million ransom, Liska said. New Cooperative confirmed that they had been attacked and said they had contacted law enforcement and were working with data security experts to investigate and remediate the situation. 

“New Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems,” according to a statement from the cooperative. “Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained.” New Cooperative has communicated with its feed customers and is working to create workarounds to get feed to animals while its systems are down, a person familiar with the matter said.

BlackMatter is apparently the successor to the DarkSide group who were active and very “successful” earlier this year. What makes this attack really bad is that this is effectively an attack on America’s food supply. Which means that if this group is state sponsored, then this could be seen as an act of war. Thus it will be interesting to see what the White House does about this situation. In the meantime, if you don’t want to be the next company to get pwned, you should make sure your cyberdefenses are on point.

UPDATE: Marcus Fowler, Director of Strategic Threat at Darktrace had this to day:

The ransomware attack on Iowa-based grain cooperative New Cooperative is the fourth crippling and high-profile attack on U.S. critical infrastructure in recent months. We can no longer tolerate cybercriminals forcing our public authorities and essential public services to bring their systems to a grinding halt while they hold organizations to ransom – we urgently need to fix fundamental problems.

The Biden Administration can aspire for certain sectors to be off-limits from hackers, but our nation’s infrastructure and businesses are too interconnected, and cyber-attackers today are too sophisticated for this to ever be a reality. What’s more, if BlackMatter truly is DarkSide 2.0, then this is evidence that the President’s talks and warnings have had little impact.

Based on the details currently available, there are striking parallels between this attack and the recent campaigns against Colonial Pipeline and JBS. Just like in these instances, New Cooperative took their operational technology (OT) systems offline as a precautionary measure to an IT side attack. We still need to get better at securing OT. Ransomware moves incredibly quickly in locking down files and bringing down digital systems – regularly too fast for humans to respond. Too often, organizations’ backs are against the wall in having to shut down because they lack visibility into where the attack is spreading and are concerned for safety.

The good news is that artificial intelligence is making leaps and bounds in both fighting back against ransomware and securing OT (like industrial equipment). Organizations hit with ransomware need an alternative solution beyond complete shutdown and payments to stop ransomware before problems turn into crises. Thousands of organizations across the U.S. have turned to self-learning AI in response to the rise in ransomware attacks and use the technology to gain visibility over their entire infrastructure.

The justice ministry of the South African government has apparently been pwned in epic fashion by a ransomware attack. As it stands, they are completely down with all electronic services unavailable both internally and to the public:

The incident happened on September 6 and the department activated the contingency plan for such events to ensure the continuation of some activity in the country. Last week, [Steve Mahlangu, spokesperson for the Department of Justice and Constitutional Development] said that court sittings continued after a switch into manual mode for recording the hearings. A manual process has also been adopted for issuing various legal documents. However, the ransomware attack impacted monthly child maintenance payments, which have been delayed until the systems are restored. 

The department is still in the process of returning to regular operations but it is cannot say when the activity will become normal again. Part of this effort was setting up a new email system, to which some staff has already migrated. Coupled with the long time needed for network restoration, this is a sign that the hackers did not get paid. It is unclear who is behind this attack. Many ransomware gangs also steal data before encrypting it, to force the victim into paying the ransom under the pressure of a public leak. Mahlangu said last week that the Department’s IT experts have found “no indication of data compromise.” Until now, the attack has not been claimed by any of the gangs with a data leak site.

This is a very serious situation and shows that a ransomware attack can have far reaching consequences. Thus this is yet another example of why companies need to take the threat of a ransomware attack or some other network intrusion seriously and protect themselves accordingly. Otherwise, you could be these guys.

I haven’t written about anything to do with Parler for a while now. But there are back in the news for all the wrong reasons as it seems that Epik Hosting who has been hosting Parler since they were Thanos snapped off of Amazon Web Hosting has allegedly been pwned by Anonymous:

Members of the hacktivist collective Anonymous claim to have hacked web registration company Epik, allegedly stealing ‘a decade’s worth of data,’ including reams of information about its clients and their domains. Epik is controversial, having been known to host a variety of rightwing clients, including ones that previous web hosting providers, like GoDaddy, have dropped for various reasons. Its users have included conservative social media networks Parler and Gab, as well as conspiracy-theory-laden YouTube wannabe Bitchute and former President Trump fansite, The Donald. The company recently hosted prolifewhistleblower.com — the website designed to help people snitch on Texas residents who want abortions — but later forcibly removed the tip-collecting platform after determining that it had violated Epik’s terms by nonconsensually collecting third-party information.

I’m going to be completely transparent here. I am not sure how I feel about this.

On one hand, I am no fan of any of the clients that they host. So part of me feels that their hosting company deserves to get pwned. On the flip side nobody, no matter how unsavory, deserves to get pwned. Thus I am very conflicted about this.

UPDATE: Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:

“The response from Epik does not make it clear if they know what happened. This has happened to a lot of the right-wing outlets (Parler and Gab) because they have been brought up in record time to capitalize on current events like the Election, Vaccines, Voting, Deplatforming to be able to fundraise or get traction quickly. Unfortunately, this usually means that security takes a back seat from business pressure which can result in breaches. Usually, hacktivists are not known to be as sophisticated as nation-state groups or the big game ransomware operators but nowadays a lot of tools and malware are for sale and can be used by anyone who is reasonably technically adept at penetrating networks.”

Japanese tech giant Olympus has apparently become the victim of a ransomware attack:

Olympus said in a brief statement that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Saturday.

The people allegedly behind the attack are apparently the BlackMatter group. Here’s what you need to know about them:

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently bounced from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware.

And:

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between Darkside and BlackMatter.

Here’s what Director of Strategic Threat at Darktrace, Marcus Fowler had to say:

The ransomware attack on Olympus continues the trend that no organization, irrespective of size or industry, is immune from cyber-threats. The group responsible for the Olympus attack is assessed to be BlackMatter, a newer ransomware-as-a-service group. BlackMatter is said to be born out of DarkSide, the hacking group responsible for the Colonial Pipeline attack. In the aftermath of the Colonial attack, the Biden Administration’s designation of ransomware as a national security threat most likely resulted in the dissolution of DarkSide, and this may be a new trend of these hacking groups being more temporary to distract from a government focus on any one group. Over the long-term this could make it even more difficult for the intelligence community and law enforcement to target and dismantle these groups.

The emergence of ransomware-as-a-service and double extortion ransomware has made this kind of cybercrime more efficient and profitable for cybercriminals. As ransomware attacks increase globally across industries, traditional approaches to cyber security are no longer good enough. Ransomware attacks move so rapidly across an organization’s digital environment to disable systems and encrypt files that they outpace a human security team’s ability to respond. By the time organizations like Olympus have managed to detect and “mobilize a specialized response team” – the damage has already been done. The reality is that you can’t stop breaches – but you can prevent the disruption they cause. This is why organizations are increasingly turning to AI and ‘autonomous response’ technology that is capable of pinpointing anomalous, threatening activity in real time and interrupting the threat before it escalates to a full-blown attack.

I’ve said this many times before, but companies are now running out of time to make sure that their cyber defenses are in tip top shape. If they don’t do anything substantive to protect themselves, I’ll be writing about them and the fact that they got pwned in due course.

Apparently back in April of this year, the United Nations had their computer systems pwned by hackers who made of with some data. And apparently according to Bloomberg, it wasn’t all that hard:

The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web.

And:

The credentials belonged to an account on the UN’s proprietary project management software, called Umoja. From there, the hackers were able to gain deeper access to the UN’s network, according to cybersecurity firm Resecurity, which discovered the breach. The earliest known date the hackers obtained access to the UN’s systems was April 5, and they were still active on the network as of Aug. 7.

Ouch. Well that’s a #EpicFail. And the #EpicFail gets worse. The company who found this hack had this sequence of events happen when they informed the UN:

UN officials informed Resecurity that the hack was limited to reconnaissance, and that the hackers had only taken screenshots while inside the network, according to Resecurity. When Resecurity’s [Chief Executive Officer Gene] Yoo provided proof to the UN of stolen data, the UN stopped corresponding with the company, he said. 

So the UN shot the messenger. A response that I am seeing more and more of.

The data that the hackers made off with could be used to target agencies within the intergovernmental organization. Which of course is really bad. Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:

 “Initial access via credentials purchased from the dark web is now becoming standard modus operandi. So much so that we now have Initial Access Brokers (IABs) who specialize in just that and then sell off that access to other entities like ransomware affiliates or state sponsored groups.”

     “Usually, organizations are too focused on the perimeter and once the attacker is inside there is little visibility on-premises and in the cloud. Organizations need to focus on both Endpoint and Network monitoring with a well-defined approach to detection engineering to deal with these types of stealthy attacks.”

Given how frequent hacks like this have become, businesses of all sizes should heed this advice.