Archive for Hacked

College Of Nurses Of Ontario Pwned In Ransomware Attack

Posted in Commentary on September 22, 2020 by itnerd

The College of Nurses of Ontario (CNO) is still trying to figure out if the personal information of its 300 employees and 195,500 members has been compromised more than ten days following a ransomware attack. CBC News has the details:

“We are aware of a claim on the dark web regarding data theft from CNO,” the nursing regulatory body told CBC News in a statement.

“While we are not able to confirm at this time, through a comprehensive forensic investigation, CNO is seeking to determine whether personal information was compromised as result of the incident that may require notification to individuals. Although CNO was affected by ransomware, the organization is implementing a range of approaches to resume operations safely and securely, including restoring from backups.”

Hackers have posted some of the information they claim to have obtained online, including folders marked “Human Resources” and “Human Rights Matters.” Among the information posted are photos of small claims and Superior Court settlements, which include the full names, addresses and phone numbers of people. 

Lovely. This isn’t a trivial attack as clearly someone has information that they shouldn’t have. And it will be interesting to see what The College of Nurses of Ontario does to remedy this situation. You should likely stay tuned for updates.

David Masson, Director of Enterprise Security at Darktrace had this to say:

This latest news follows a number of intensifying ransomware attacks globally – just last week a woman’s death in Germany has been directly linked to a cyber-attack. Threat actors no longer simply lock up data until the ransom is paid; instead they steal it and threaten exposure until they receive payment. This ransomware technique has been a developing trend since the end of 2019 in Canada. When attackers are able to target data, we can assume they have been lying dormant in the infrastructure for some time before they launch a full blown attack.

This is common amongst organizations around the world who struggle to get visibility over their increasingly disparate and dynamic workforces. CNO may now pay a price in loss of trust through not having disclosed to their clients as soon as possible that they suffered a compromise. In situations like this it is best practice to have a disclosure plan and to disclose as soon as possible otherwise it is likely that someone else will make the story public and it won’t be on the company’s terms.

Ransomware is evolving but the key to preventing attacks remains the same. It is clearer than ever before that the status quo is not good enough. Organizations need to ensure they are using the best technologies available to them, like AI, to automatically stop fast-moving attacks in their tracks.

BREAKING: Canada Revenue Agency Now Says 48,500 Accounts Affected By Credential Stuffing Attack

Posted in Commentary on September 17, 2020 by itnerd

Well, this is a wee bit alarming.

The Canada Revenue Agency, or CRA for short, now says that a mind-blowing 48,500 accounts were affected by the credential stuffing attacks in August. Those attacks forced the CRA website offline for a few days while security was improved, and affected a number of other government departments in the process. CTV News has the details:

In a major update to the impact of a series of credential stuffing attacks on government websites including the Canada Revenue Agency, the country’s top information officer now says that “suspicious activities” have been found on 48,500 CRA user accounts.

And:

While it was initially reported that 5,500 CRA account users had their personal information accessed, officials then updated that number, saying a total of 11,200 accounts across Government of Canada services were compromised in the attacks. These included cyberattacks directly targeting both CRA accounts as well as “GCKey” accounts, which can be used by 30 government departments and agencies to access other online portals such as veterans’ benefits and immigration applications.

Every Canadian should be running to the CRA website and doing the following right now:

  1. Log in and see if you can still do so. If you cannot, you may have a problem.
  2. If you can log in, check to see if you applied for the Canada Emergency Response Benefit. If you haven’t but the CRA website says you have, you have a problem.
  3. Check to see if your address or banking information has changed. If it has you have a problem.

Now if any of the above falls under the “you have a problem” category, you should do what is recommended in this release from the CRA, which is to call 1-800-959-8281 (English) or 1-800-959-7383 (French) immediately.

If all is well with your CRA account, I would change your password right away. Against credential stuffing, what matters most is that the password is unique, one you have never used on any other site, since the attack works by replaying passwords leaked from other breaches. Beyond that, make it long enough that it cannot be guessed: at least 8 characters with an uppercase letter and a number, plus a special character (!@#$%^&* for example) for bonus points, is the bare minimum, and a longer passphrase is better. And I would enable email notifications on your account so that you get notified of any changes, especially ones that you didn’t make.

The bottom line is that the Government of Canada has now seriously dropped the ball here. To have about four times as many people affected by this hack as was first announced is appalling. And they are beyond due to answer some serious questions about why this happened and why they should be trusted to protect the personal information of Canadians going forward.

One Of Chile’s Biggest Banks Pwned By Ransomware

Posted in Commentary on September 8, 2020 by itnerd

BancoEstado, one of Chile’s three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend:

“Our branches will not be operational and will remain closed today,” the bank said in a statement published on its Twitter account on Monday. Details about the attack have not been made public, but a source close to the investigation told ZDNet that the bank’s internal network was infected with the REvil (Sodinokibi) ransomware. The incident is currently being investigated as having originated from a malicious Office document received and opened by an employee. The malicious Office file is believed to have installed a backdoor on the bank’s network.

Well, this is an example of why you need to train people to avoid the sorts of behaviours that lead to something like this. Opening a booby-trapped Office document is something that should not happen if users are aware of the risks. Having said that, you have to wonder why whatever anti-malware application this bank uses didn’t catch this, as REvil isn’t new. Perhaps it’s a new variant? There are so many questions about this attack that I would like to see answered so that we can all learn from this and protect ourselves.
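One check that a mail gateway, or a responder triaging the attachment after the fact, can run without waiting for a vendor signature is whether an Office file carries a VBA macro project at all, which is what a booby-trapped document of this kind most often relies on. The script below is an added example and not code from the bank, from ZDNet or from the original post; the two documents it inspects are built in memory for the example, and since the real file in this incident has not been published, nothing here is a claim about what it contained.

```python
"""Triage an Office attachment for an embedded VBA macro project.

Office Open XML files (.docx, .docm, .xlsm, .pptm, ...) are ZIP
containers. Macros live in a part named vbaProject.bin, and a
macro-enabled file declares that part's content type in
[Content_Types].xml. Keying on the container's contents rather than on
the file extension means a renamed file gets the same verdict as an
honestly named .docm.
"""
import io
import zipfile

# Magic bytes: OLE2 compound file (legacy .doc/.xls and vbaProject.bin) and ZIP.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_file(data: bytes) -> dict:
    """Return {"format": ..., "has_vba": True/False/None, "reasons": [...]}.

    Legacy OLE2 documents are not ZIPs; their macro streams need an OLE
    parser (oletools, for instance), so they are handed off for review
    rather than silently passed.
    """
    if data.startswith(OLE2_MAGIC):
        return {"format": "ole2", "has_vba": None,
                "reasons": ["legacy binary format: needs an OLE parser"]}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "unknown", "has_vba": None,
                "reasons": ["not an Office container"]}

    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                reasons.append(f"VBA project part present: {name}")
        if "[Content_Types].xml" in names:
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
            # e.g. application/vnd.ms-word.document.macroEnabled.main+xml
            if VBA_CONTENT_TYPE in ctypes or "macroEnabled" in ctypes:
                reasons.append("[Content_Types].xml declares macro-enabled content")
    return {"format": "ooxml", "has_vba": bool(reasons), "reasons": reasons}


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the example (not a real document)."""
    content_types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        content_types.append(f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types.append("</Types>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "".join(content_types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file; the header suffices here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: one clean, one "invoice.docx" that carries a macro.
    for label, blob in (("clean.docx", build_sample_docx(False)),
                        ("invoice.docx", build_sample_docx(True))):
        print(label, inspect_office_file(blob))
```

A `has_vba` of `True` is a reason to hold the attachment for detonation or manual review, not proof of malice; plenty of legitimate spreadsheets carry macros. The point is that the decision is made on what the container holds, so a `.docx` that was really a `.docm` gets the same verdict as a file that did not bother to hide.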

Class Action Lawsuit Filed Over CRA Hack

Posted in Commentary on August 31, 2020 by itnerd

Given how easily hackers appear to have used the personal information of Canadians to get their hands on COVID-19 benefits, how shambolic the response has been, and how lame the security measures put in place after this hack were, I am not at all surprised that there’s now a class action lawsuit over this whole affair. CBC News has the details:

The lawsuit alleges that a series of “failings” by the government and the Canada Revenue Agency (CRA) allowed at least three cyberattacks between mid-March and mid-August, but the public wasn’t alerted until CBC News broke the story on Aug. 15.

The Treasury Board and the CRA held a news briefing to confirm the security breaches Aug. 17.

The proposed class proceeding claims the delayed detection of the hacks caused the number of victims to balloon to at least 14,500.

“The actions of the [CRA] are reprehensible,” states the claim, “and showed a callous disregard for the rights of [victims].” 

It alleges the agency’s conduct was “a deliberate … departure from ordinary standards of decent behaviour, and as such merits punishment.”

The CRA has blamed “a vulnerability in security software” for the online breaches, and has said it wasn’t aware of the first cyberattack until Aug. 7.

The agency and the federal government have yet to file a legal response.

And what’s really interesting is the fact that the lawsuit alleges that the government was hasty in implementing COVID-19 benefits and didn’t take the time and effort to make sure that they could be securely delivered:

The legal action alleges the CERB and CESB were “implemented hastily,” without adequate security measures.

As a result, it claims hackers were able to steal the personal information of applicants — including social insurance numbers, home addresses, bank account details and tax information — and use the stolen data to impersonate victims, change addresses and direct deposit information and file fraudulent claims under the emergency programs.

The lawsuit alleges the victims have been hit with a double whammy: their aid applications have been frozen while the breaches are investigated, causing financial strain, plus they will have to guard against identity theft for the rest of their lives.

I’ve said before that people within the government need to be held accountable for this mess. A class action lawsuit is a great way to do that because assuming that the government doesn’t settle out of court first, all the facts will come out in court under oath. That’s not going to look good for those in the government who were responsible for this fiasco. I for one hope that the government loses big as protecting the personal information of Canadians needs to be their number one priority 100% of the time.

University Of Utah Gets Hit By Ransomware And Data Theft…. And Pays Up

Posted in Commentary on August 24, 2020 by itnerd

In a strange twist, the University of Utah has supported cybercriminals with a “donation” of $457,000 to fund future attacks. Or, put another way, they got hit by ransomware and paid up:

“On Sunday, July 19, 2020, the university’s College of Social and Behavioral Science (CSBS) was notified by the university’s Information Security Office (ISO) of a ransomware attack on CSBS computing servers. Content on the compromised CSBS servers was encrypted by an unknown entity and no longer accessible by the college,” the University of Utah disclosed.

The attack encrypted the servers in the university’s College of Social and Behavioral Science (CSBS) department. As part of the attack, the threat actors stole unencrypted data before encrypting computers.

Since the end of 2019, ransomware operators have started stealing unencrypted files before deploying their ransomware. The ransomware gang then threatens the victims by saying they will publicly leak the stolen files if a ransom is not paid.

As the stolen data contained student and employee information, the university decided to pay the ransom to prevent it from being leaked.

“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet,” stated in their data security incident notification.

The university states that their cyber insurance policy paid a ransom of $457,059.24 USD and that no “tuition, grant, donation, state or taxpayer funds were used to pay the ransom.”

I get why organizations pay the scumbags behind these attacks, but they shouldn’t. All paying up does is encourage these low-life losers to carry out more attacks. After all, they got paid, so why not try again and see if they get paid again? That’s wrong and should not be encouraged. Until people stop paying up, this activity will simply continue.

The Canada Revenue Agency Site Is Back Online…. And I Believe Their New Security Measures Are A #Fail

Posted in Commentary on August 20, 2020 by itnerd

Today the online services of the Canada Revenue Agency are back online for the most part. They were taken down after they were pwned by hackers using a technique called credential stuffing. During a news conference the Canadian Government said that they were going to mitigate this. I’ve had a look at their mitigation strategy, and I am not impressed. But I am getting ahead of myself here. Let me explain what credential stuffing is using this Wikipedia article:

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Since the attack is automated, you have to stop the automation from being effective. The way the Canada Revenue Agency has chosen to do this is a CAPTCHA-like system: when you log in, you’re required to recognize shapes or objects, something humans do easily but automated scripts do poorly, which is why it is a way of slowing down an automated attack such as credential stuffing. Here’s what I saw when I logged into the Canada Revenue Agency:

In this case, I had to pick out all the buses on this screen. There were 9 pictures of which I only had to pick out the correct three pictures. I logged in a few times and I only had to pick out three pictures every time. Which seems kind of low to me.
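Whether or not a CAPTCHA sits in front of the login page, the operator can see a credential stuffing campaign in its own logs, because it looks like neither a user mistyping a password nor a brute-force attack on one account: a single source hits many different accounts with one or two attempts each, and most of those attempts fail. The script below is an added example and not anything the CRA or the original post provides; the log format and the sample lines are constructed for the example, and the thresholds are assumptions to be tuned per site.

```python
"""Spot a credential-stuffing campaign in web-application login logs.

Credential stuffing has a distinctive shape: one leaked password per
account, tried across MANY accounts, so a single source shows a high
failure rate spread over many distinct usernames with only one or two
attempts each. A brute-force attack (one account, many passwords) and a
user mistyping a password (one account, a few failures, then success)
look different and are handled by per-account lockout instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example (not the CRA's real logs).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_users=5, min_fail_rate=0.75):
    """Return {ip: stats} for every source whose events inside some
    `window` cover >= min_users distinct accounts with a failure rate
    >= min_fail_rate. `hits` lists the accounts the source got into,
    i.e. the reused passwords that actually worked."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_users and fails >= min_fail_rate * len(win):
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    "hits": sorted(e["user"] for e in win if e["result"] == "OK"),
                }
    return flagged


# Constructed sample log: three sources, only the first is credential stuffing.
SAMPLE_LOG = """
2020-08-10T02:14:01Z ip=203.0.113.5 user=user01 result=FAIL
2020-08-10T02:14:02Z ip=203.0.113.5 user=user02 result=FAIL
2020-08-10T02:14:03Z ip=203.0.113.5 user=user03 result=OK
2020-08-10T02:14:04Z ip=203.0.113.5 user=user04 result=FAIL
2020-08-10T02:14:05Z ip=203.0.113.5 user=user05 result=FAIL
2020-08-10T02:14:06Z ip=203.0.113.5 user=user06 result=FAIL
2020-08-10T02:14:07Z ip=203.0.113.5 user=user07 result=OK
2020-08-10T02:14:08Z ip=203.0.113.5 user=user08 result=FAIL
2020-08-10T02:14:09Z ip=203.0.113.5 user=user09 result=FAIL
2020-08-10T02:14:10Z ip=203.0.113.5 user=user10 result=FAIL
2020-08-10T02:15:00Z ip=198.51.100.7 user=dave result=FAIL
2020-08-10T02:15:20Z ip=198.51.100.7 user=dave result=FAIL
2020-08-10T02:15:40Z ip=198.51.100.7 user=dave result=OK
2020-08-10T02:16:00Z ip=192.0.2.9 user=admin result=FAIL
2020-08-10T02:16:01Z ip=192.0.2.9 user=admin result=FAIL
2020-08-10T02:16:02Z ip=192.0.2.9 user=admin result=FAIL
2020-08-10T02:16:03Z ip=192.0.2.9 user=admin result=FAIL
2020-08-10T02:16:04Z ip=192.0.2.9 user=admin result=FAIL
2020-08-10T02:16:05Z ip=192.0.2.9 user=admin result=FAIL
""".strip().splitlines()

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The `hits` list is what an incident responder wants first: the accounts where a reused password worked, which are the ones to lock and notify. Note that a per-account lockout does nothing against this pattern, since no account sees more than one attempt, which is why the `192.0.2.9` brute force on `admin` and the `203.0.113.5` stuffing run have to be scored by different rules.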

Here’s my main problem with this. This is not the best way to stop this kind of attack. What the Canada Revenue Agency should be doing is using multi-factor authentication. In short, multi-factor authentication requires multiple factors to verify your identity: for example, a password and a code from an app installed on your smartphone. The reason this is better is that CAPTCHA-like systems can be defeated by machine learning, by cheap human labour (CAPTCHA-solving farms), or by services on the dark web that specialize in defeating them. Multi-factor authentication, on the other hand, requires the attacker to have every factor in hand, or to simulate them, for an attack to succeed. That is possible, but far harder to pull off, especially when an app such as Microsoft Authenticator or Google Authenticator supplies the second factor, because a password leaked from some other breach is then useless on its own.

Another plus is that if you get a prompt to approve a login out of the blue, when you are not logging into anything, you know that your password has likely been compromised. Think of it as a canary in the coal mine.

Given that the Canada Revenue Agency has been hacked multiple times, they have to do much better to protect Canadians. And I do not believe that what they have done is enough to stop the next attack. Hopefully, they improve the security of their infrastructure over time.

One other thing. If you are a Canadian with a Canada Revenue agency account, I would strongly suggest that you log in and do the following:

  • Change your password to something that is at least 8 characters long, contains upper and lower case characters, and has at least one numeric character in it. Above all, it should not be something that is used in whole or in part on another website, because reused passwords are exactly what credential stuffing exploits.
  • Make sure you have an email address entered so that if your personal information is changed, you will get an email alert. That will alert you to a possible hack. You can get more info on that here.
  • Check your account to make sure that your personal information, such as banking info and address info, has not been changed.

The Canada Revenue Agency Hacks Affect 24 Different Government Agencies…. Some Serious Questions Need To Be Asked About This Incident

Posted in Commentary on August 17, 2020 by itnerd

Yesterday I reported on a significant hack on the Canada Revenue Agency. Today, more details have been revealed by the Canadian Government. Apparently attackers used a technique called credential stuffing, along with bugs in the Canada Revenue Agency’s online services, to gain access to Canada Revenue Agency accounts, which in turn allowed them to apply for and receive the Canada Emergency Response Benefit.

In total, at least 5,600 accounts out of 15 million CRA accounts were affected. Affected accounts have been taken offline, and those affected will get a letter from the Canada Revenue Agency saying that they were pwned and how to fix this. Another 9,000 or so accounts were affected by an attack on the Government’s GCKey system. In total, 24 different Government departments were affected by this.

I watched the news conference related to this, and while they were handing out important and valid information, and giving a cursory overview of what happened and how they are responding to it, there was a bit of “blame the victim” at play here by the Government. Yes, you should use unique passwords, update your OS, use multi-factor authentication and be aware of spear phishing attacks. But there were issues on the Government’s side that led to this hack, such as not having the means to defeat credential stuffing. So to heavily push the narrative that it is all the fault of Canadians is a bit of a #fail. Another problem is that the RCMP was called in on August 11th, but Canadians didn’t find out about this until the weekend. And the systems weren’t taken down until the weekend, after multiple attacks had occurred. That’s a #fail as well.

Serious questions need to be asked of the Government about this, especially since the Canada Revenue Agency has been pwned before. Canadians need to hold the Canadian Government accountable for this and for making sure these online systems are actually secure.

UPDATE: David Masson, Director of Enterprise Security at Darktrace had this to say on this hack:

Threat actors will always look to exploit a crisis. During the ongoing pandemic, we have seen attackers capitalize on the fear, uncertainty and doubt surrounding COVID-19, particularly by increasing spear phishing attacks. Since the public is desperate for information, successful attacks are able to take advantage of their desperation by getting victims to click on links, view attachments, visit fake websites and even give up personal information. 

Many pre-pandemic spear phishing attacks were successful, and continue to be successful, since this method leads to a treasure trove of personal information. Threat actors may use this information in a variety of ways – some may sell passwords on the dark web, while others may use this information for “credential stuffing” attacks. During these attacks, bad actors simply try to use known passwords to get into a system, and since many people continue to use the same password for several applications and websites, threat actors can end up being lucky. In the case of these attacks against the CRA – the bad guys have been lucky over five thousand times!

Any individual can avoid such an attack by using different passwords for every login. It is simple – if you use a strong, unique password for every application, you will massively reduce the risk of compromised credentials. 

For businesses and organizations, prevention is a bit trickier. Only security solutions that leverage artificial intelligence can really prevent these sorts of threats before damage is done, since AI is able to provide full visibility of an entire digital infrastructure.

Canada Revenue Agency Pwned By Hackers….. Again

Posted in Commentary on August 16, 2020 by itnerd

Yesterday it was revealed that the Canada Revenue Agency has been hacked, though there had been indications for some time that something was wrong. The CBC has the details:

Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.

Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA confirming that their email addresses had been discontinued.

CERB, for those outside of Canada, is the Canada Emergency Response Benefit, an income support for those who lost their jobs because of the COVID-19 pandemic. You use your CRA account to apply for it, which is why those accounts are a target for hackers. Here’s how they got in:

The incidents are a type of attack known as “credential stuffing,” the Treasury Board’s Office of the Chief Information Officer shared in a statement.

“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”

Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” the statement read.

Compromised accounts connected to that platform, which is used by about 30 federal departments, were shut down when the threat was first discovered. 

The thing is, this isn’t the first time that the Canada Revenue Agency has been hacked, though the person behind that earlier hack was ultimately tracked down and arrested. While credential stuffing isn’t entirely the fault of the Canada Revenue Agency, since the passwords came from breaches elsewhere, you would think that the Canada Revenue Agency should have done more to stop this attack from being successful. Hopefully they decide to harden their environment so that Canadians are safe.

Reddit Pwned…. Apparently In Support Of Trump

Posted in Commentary on August 7, 2020 by itnerd

A massive attack hit Reddit today: dozens of Reddit channels (subreddits) have been hacked and defaced to show messages in support of Donald Trump’s reelection campaign:

The hacks are still ongoing at the time of writing, but we were told Reddit’s security team is aware of the issue and has already begun restoring defaced channels. A partial list of impacted channels (subreddits) is available below, according to ZDNet’s research: r/NFL, r/49ers, r/TPB (The Pirate Bay’s Reddit channel), r/BlackMirror, r/Beer, r/Vancouver, r/Dallas, r/Gorillaz, r/Podcasts, r/freefolk, r/StartledCats, r/TheDailyZeitgeist, r/Supernatural, r/GRE, r/GMAT, r/greatbritishbakeoff, r/11foot8, r/truecrimepodcasts, r/Leafs, r/weddingplanning, r/Chadsriseup, r/bertstrips, r/CFB …and many many other more.

Now I am not a Trump supporter. Far from it in fact. I am not American either. But this hack is so dumb that it feels like a massive false flag operation. But then again, the whole US political scene is such a clown show at the moment that I wouldn’t be surprised whether it is actual Trump supporters that are behind this hack, or the people behind this are trying to smear them.

Intel Pwned By Hackers…. At Least 20GB Of Data Swiped Including Data That COULD Lead To Attacks

Posted in Commentary on August 7, 2020 by itnerd

Intel is the latest company to be pwned by hackers. According to BleepingComputer, a hacker has released 20GB of confidential chip engineering data stolen from Intel. The data contains BIOS information and source code for proprietary Intel technology that could be used to build attacks against computers that use Intel chips, which would be most of the planet:

According to Tillie Kottmann, a developer and reverse engineer who received the documents from an anonymous hacker, most of the information is supposed to be protected intellectual property. The developer was told that the information was stolen from Intel in a breach this year.

“They were given to me by an Anonymous Source who breached them earlier this Year, more details about this will be published soon,” Kottmann says.

“Most of the things here have NOT been published ANYWHERE before and are classified as confidential, under NDA or Intel Restricted Secret,” the developer added.

The following list was provided as a partial overview of the 20GB file:

  • Intel ME Bringup guides + (flash) tooling + samples for various platforms
  • Kabylake (Purley Platform) BIOS Reference Code and Sample Code + Initialization code (some of it as exported git repos with full history)
  • Intel CEFDK (Consumer Electronics Firmware Development Kit (Bootloader stuff)) SOURCES
  • Silicon / FSP source code packages for various platforms
  • Various Intel Development and Debugging Tools
  • Simics Simulation for Rocket Lake S and potentially other platforms
  • Various roadmaps and other documents
  • Binaries for Camera drivers Intel made for SpaceX
  • Schematics, Docs, Tools + Firmware for the unreleased Tiger Lake platform
  • (very horrible) Kabylake FDK training videos
  • Intel Trace Hub + decoder files for various Intel ME versions
  • Elkhart Lake Silicon Reference and Platform Sample Code
  • Some Verilog stuff for various Xeon Platforms, unsure what it is exactly.
  • Debug BIOS/TXE builds for various Platforms
  • Bootguard SDK (encrypted zip)
  • Intel Snowridge / Snowfish Process Simulator ADK
  • Various schematics
  • Intel Marketing Material Templates (InDesign)

So what does this mean for you? Now that this file is out there, and there is possibly more coming, bad actors will definitely be combing through this data dump for anything that helps them find vulnerabilities to attack. That, of course, is bad.

Intel for its part had this to say:

“We are investigating this situation. The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access. We believe an individual with access downloaded and shared this data” – Intel representative

It still looks really bad on Intel to have this happen. If it’s an internal party, that is easy to deal with. Though I think Intel will still have some questions to answer. But if an external party did this, then Intel will likely find itself having to answer a lot of questions that they likely would not want to answer from a variety of people.

I think it’s safe to say that this is a developing story and we’ll likely be hearing more details about this in the coming days.