Archive for Hacked

Albuquerque Pwned By Ransomware Attack

Posted in Commentary with tags on January 6, 2022 by itnerd

The Bernalillo County government, which includes the city of Albuquerque, has been hit by a ransomware attack. County government buildings and public offices were closed on Wednesday across Albuquerque, Los Ranchos and Tijeras after a disruption that occurred some time between midnight and 5:30 AM on January 5, county officials said in a press release:

Bernalillo County is continuing its assessment of suspected ransomware discovered on Bernalillo County systems. The county has taken affected systems offline and has severed network connections. The disruption likely occurred between Midnight and 5:30 a.m. on Jan. 5.

Most county buildings are closed to the public; however, county employees are working remotely and will assist the public as much as possible, given the circumstances. The Sheriff’s Office customer service window at Alvarado Square is also closed.

Sam Jones, VP of Product Management of Stellar Cyber:

“Ransomware is getting easier and easier to orchestrate as an attacker. Operational downtime to critical public services will be the gravest by-product of these attacks, especially as they become more rampant. State and local governments are unfortunately perfect targets for attackers.”

The way I read that, governments of all stripes need to make sure that they circle the wagons, so to speak, given that they are prime targets for getting pwned.


Saryu Nayyar, CEO and Founder of Gurucul:

“Despite widespread deployment of traditional SIEM, endpoint solutions and now Endpoint-based XDR, what has been lacking within most organizations that are victims of successful ransomware attacks is true behavioral-based modeling and detection within the infrastructure. The ability to characterize proper behaviors and user and application access with the right modeling and machine learning can lead to high-fidelity detection of deviations in “normal” behaviors and unusual access to systems that are often tell-tale signs of ransomware infections. The ability to bubble these types of alerts as high-priority when appropriate empowers security teams to investigate and detect ransomware much earlier to then respond and thwart a successful attack.”

Lapsus$ Ransomware Gang Pwns Portugal’s Largest TV Channel

Posted in Commentary with tags on January 3, 2022 by itnerd

The Record is reporting that the Lapsus$ ransomware gang has hit SIC, Portugal’s largest TV channel:

The attack has taken place over the New Year holiday and has hit the company’s online IT server infrastructure. Websites for the Impresa group, Expresso, and all the SIC TV channels are currently offline.

National airwave and cable TV broadcasts are operating normally, but the attack has taken down SIC’s internet streaming capabilities.

The Lapsus$ group took credit for the attack by defacing all of Impresa’s sites with a ransom note (pictured at the top of this article). Besides a ransom request, the message claims that the group has gained access to Impresa’s Amazon Web Services account.

Impresa staff appeared to have regained control over this account earlier today when all the sites were put into maintenance mode, but the attackers immediately tweeted from Expresso’s verified Twitter account to show that they still had access to company resources.

The Impresa attack is one of the largest cybersecurity incidents in Portugal’s history. Impresa is, by far, the country’s largest media conglomerate.

This is clearly not a good look for SIC. Elizabeth Wharton who is the Vice President, Operations for SCYTHE had this to say:

“Being able to continuously validate people, processes, and technologies is always going to be a struggle. Ransomware gangs like Lapsus$ may use the same tactics, techniques, and procedures (TTPs) to carry out their attacks, or they may reorder the TTPs to fly under the radar. Companies need to continuously test their controls using threat intelligence, like the news of this attack, to protect their business interests.”

Hopefully SIC gets control back from this gang. And more importantly, hopefully the rest of us use this as a case study in how to defend ourselves from getting pwned in this manner.

UPDATE: I got additional commentary from Dave Pasirstein, CPO & Head of Engineering, TruU:

Ransomware is not going away. It’s a lucrative business, and it is nearly impossible to protect against all risk vectors; however, it is made easy by enterprises failing to take enough precautionary steps. Those steps must include: zero trust approaches, active patching, endpoint and email protection, employee culture/training/testing, and very strong authentication such as modern MFA, ideally a password-less MFA that is not based on shared secrets and thus cannot easily be bypassed by a server compromise.
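The last point in that quote, that a factor which is not a shared secret survives a server compromise, is easy to show in a few lines. The block below is an added example for this post, not TruU’s product and not code from the page; the record layout, the function names and the use of a Lamport one-time signature (a standard-library stand-in for the ECDSA/Ed25519 keys a real FIDO2/WebAuthn authenticator holds) are this example’s own assumptions.

```python
"""Shared-secret factor versus public-key factor after a server-side data theft.

Added example. An attacker holding a copy of the server's user table can mint
valid TOTP codes, because the server keeps the same seed as the user's
authenticator. A challenge-response factor keyed by a public key is unaffected:
the stolen record holds only hashes. Lamport one-time signatures over SHA-256
stand in for the asymmetric keys a WebAuthn authenticator would use.
"""
import hashlib
import hmac
import secrets
import struct

# ---- shared-secret factor: TOTP (RFC 6238, HMAC-SHA1, 30 s steps) ----

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a seed at a given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(record: dict, code: str, unix_time: int) -> bool:
    """Server side: it must store the raw seed to be able to check a code."""
    return hmac.compare_digest(totp(record["totp_seed"], unix_time), code)


def forge_totp(stolen_record: dict, unix_time: int) -> str:
    """Attacker side: the dumped record contains the seed, so forging is trivial."""
    return totp(stolen_record["totp_seed"], unix_time)


# ---- public-key factor: Lamport one-time signature (stand-in for WebAuthn) ----

BITS = 256  # one preimage pair per bit of the SHA-256 challenge digest

def lamport_keygen():
    """Private key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def challenge_bits(challenge: bytes) -> list:
    digest = hashlib.sha256(challenge).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def authenticator_sign(priv: list, challenge: bytes) -> list:
    """Client side: reveal one preimage per challenge bit. Each key signs only once."""
    return [pair[bit] for pair, bit in zip(priv, challenge_bits(challenge))]


def server_verify_challenge(record: dict, challenge: bytes, response: list) -> bool:
    """Server side: hash each revealed value and compare with the stored public key."""
    if len(response) != BITS:
        return False
    return all(
        hmac.compare_digest(hashlib.sha256(r).digest(), pair[bit])
        for r, pair, bit in zip(response, record["lamport_pub"], challenge_bits(challenge))
    )


def forge_challenge_response(stolen_record: dict, challenge: bytes) -> list:
    """Attacker side: the record holds only hashes, so guessing preimages is all that is left."""
    return [secrets.token_bytes(32) for _ in range(BITS)]


def demo() -> dict:
    """Run both factors against an attacker who holds a copy of the server record."""
    priv, pub = lamport_keygen()
    record = {"totp_seed": secrets.token_bytes(20), "lamport_pub": pub}
    stolen = dict(record)          # what a database dump hands the attacker
    now = 1_640_995_200            # 2022-01-01T00:00:00Z, an arbitrary fixed time
    challenge = secrets.token_bytes(32)  # fresh per login, never reused
    return {
        "totp_forged_ok": server_verify_totp(record, forge_totp(stolen, now), now),
        "pubkey_real_ok": server_verify_challenge(record, challenge, authenticator_sign(priv, challenge)),
        "pubkey_forged_ok": server_verify_challenge(record, challenge, forge_challenge_response(stolen, challenge)),
    }


if __name__ == "__main__":
    print(demo())  # totp_forged_ok True, pubkey_real_ok True, pubkey_forged_ok False
```

Running it, the TOTP forgery is accepted while the forged challenge response is rejected, because the TOTP verifier must keep the very seed it checks against whereas the public-key verifier keeps only one-way images. A Lamport key signs exactly once, so a real deployment uses a reusable signature scheme and a fresh challenge per login; the property that matters for a server compromise, that the stored record cannot produce a response, is the same.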

Norway’s Largest Media Company Is Being Pwned By Hackers As I Type This

Posted in Commentary with tags on December 29, 2021 by itnerd

Apparently an active cyberattack on Norway’s largest media company is underway and the results are absolutely catastrophic according to The Record:

Amedia, the largest local news publisher in Norway, announced on Tuesday that several of its central computer systems were shut down in what it is calling an apparent “serious” cyberattack.

The attack is preventing the company from printing Wednesday’s edition of physical newspapers, and presses will continue to be halted until the issue is resolved, Amedia executive vice president of technology Pal Nedregotten said in a statement. The hack also impacts the company’s advertising and subscription systems, preventing advertisers from purchasing new ads and stopping subscribers from ordering or canceling subscriptions. 

The company said it is unclear whether personal information has been compromised — the subscription system affected by the attack contains names, addresses, phone numbers, and subscription history of customers. Data such as passwords, read history, and financial information are not affected, the company said.

Amedia publishes more than 90 newspapers and other publications that reach more than 2.5 million Norwegians, according to the company’s website. The attack on Amedia is the third major Norwegian cyberattack reported over the last several days.

This is pretty bad as whoever these bad actors are, they’ve taken down this company. And recovery will likely be difficult. I’ll be keeping an eye on this evolving situation.

T-Mobile Has Been Pwned Again

Posted in Commentary with tags on December 28, 2021 by itnerd

If you’re a T-Mobile customer you have to be wondering if the company can keep customer data safe. I say that because the news is out that they’ve been pwned. Again:

Affected customers fall into one of three categories. First, a customer may have only been affected by a leak of their CPNI. This information may include the billing account name, phone numbers, number of lines on the account, account numbers, and rate plan info. That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers.

The second category an affected customer might fall into is having their SIM swapped. This is where a malicious actor will change the physical SIM card associated with a phone number in order to obtain control of said number. This can, and often does, lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number. The document says that customers affected by a SIM swap have now had that action reversed.

The final category is simply both of the other two. Affected customers could have had both their private CPNI viewed as well as their SIM card swapped.

This comes after T-Mobile had a massive data breach in the summer. And keep in mind that this company has been pwned in the past too. Clearly this company does not have the best track record of protecting data. Which, if you’re a T-Mobile customer, should make you reconsider whether you should be dealing with them.
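The SIM-swap mechanism described in that excerpt is also the reason SMS codes should not be trusted for a while after a number moves to a new SIM. The example below is added here and is not T-Mobile’s code; it shows a cooldown check and a simple correlation (SIM change followed quickly by a password reset) over a constructed event timeline, with thresholds picked for illustration.

```python
"""A SIM-change cooldown before SMS one-time codes are trusted again.

Added example. Once a number has been moved to a new SIM, an SMS code sent to
it reaches whoever holds that SIM, so a service relying on SMS as a second
factor should refuse it for a cooldown period after a SIM change and should
alert when a SIM change is followed quickly by a password reset request.
The event records are constructed; a carrier's own records are the real source.
"""
from datetime import datetime, timedelta

COOLDOWN = timedelta(hours=72)              # assumed policy: no SMS OTP for 72 h after a swap
RESET_AFTER_SWAP_WINDOW = timedelta(hours=2)  # assumed alert window


def parse_ts(s: str) -> datetime:
    """ISO-8601 with a trailing Z to an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed timeline for two subscribers (account identifiers are made up).
SAMPLE_EVENTS = [
    {"ts": parse_ts("2021-12-20T09:00:00Z"), "account": "A1", "type": "sim_change"},
    {"ts": parse_ts("2021-12-20T09:25:00Z"), "account": "A1", "type": "password_reset_request"},
    {"ts": parse_ts("2021-12-01T12:00:00Z"), "account": "B2", "type": "sim_change"},
    {"ts": parse_ts("2021-12-20T10:00:00Z"), "account": "B2", "type": "password_reset_request"},
]


def last_sim_change(events: list, account: str, before: datetime):
    """Most recent SIM change for an account at or before a point in time, or None."""
    times = [e["ts"] for e in events
             if e["account"] == account and e["type"] == "sim_change" and e["ts"] <= before]
    return max(times) if times else None


def sms_otp_allowed(events: list, account: str, now: datetime) -> bool:
    """False while the number is inside the post-swap cooldown; use another factor then."""
    changed = last_sim_change(events, account, now)
    return changed is None or now - changed >= COOLDOWN


def reset_after_swap(events: list) -> list:
    """Accounts where a reset request followed a SIM change within the alert window."""
    hits = []
    for e in events:
        if e["type"] != "password_reset_request":
            continue
        changed = last_sim_change(events, e["account"], e["ts"])
        if changed is not None and e["ts"] - changed <= RESET_AFTER_SWAP_WINDOW:
            hits.append(e["account"])
    return hits


if __name__ == "__main__":
    now = parse_ts("2021-12-20T10:00:00Z")
    print("A1 SMS OTP allowed:", sms_otp_allowed(SAMPLE_EVENTS, "A1", now))
    print("B2 SMS OTP allowed:", sms_otp_allowed(SAMPLE_EVENTS, "B2", now))
    print("reset right after swap:", reset_after_swap(SAMPLE_EVENTS))
```

The cooldown is the control a bank or an online service can apply if its carrier exposes SIM-change dates (several do, through commercial APIs); the correlation is what the carrier itself, or a fraud team with both feeds, can alert on. Neither replaces moving high-value accounts off SMS altogether.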

Has LastPass Been Pwned? [UPDATED x2]

Posted in Commentary with tags on December 28, 2021 by itnerd

That’s the question that a lot of LastPass users have been asking as LastPass members have reported multiple attempted logins using correct master passwords from various locations. This comes via multiple users in a Hacker News forum who have shared that their master passwords for LastPass appear to be compromised. There is a pattern that seems to be emerging though. The majority of reports appear to come from users with outdated LastPass accounts. This indicates the master password list being used may have come from an earlier hack. Which also means that threat actors were possibly inside LastPass for a while. And changing the master password doesn’t help. Which spells big trouble for anyone who uses this service.

The only conclusion that I can come to is that there must have been a data breach at LastPass which if true is catastrophic for LastPass and their users.

Now to protect yourself, I’ll give you two options. Here’s the first if you want to stick with LastPass:

  • Users should change their master password AND enable two-factor authentication
  • Then users should keep an eye out for suspicious login attempts.

I won’t go as far as to guarantee that this will fully secure your passwords, but it’s better than nothing. I think the real solution is to migrate away from LastPass to keep yourself secure. I personally use eWallet as that isn’t reliant on a third party and is totally in my control. But importing your LastPass data into another password manager is another option. A search with the search engine of your choosing will help you find directions for that.

Now I have been scanning Twitter and the LastPass website and I have seen no comment from the company on this. But I have to assume that they will have to make some sort of comment on this as the longer they stay silent, and the more people report issues, the worse this gets for LastPass.

UPDATE: BleepingComputer is reporting the following:

LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer that “LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.”

“It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure,” Bacso-Albaum added.

However, users receiving these warnings have stated that their passwords are unique to LastPass and not used elsewhere. BleepingComputer has asked LastPass about these concerns but has not received a reply as of yet.

To me this sounds like more than credential stuffing. But there’s more. I got this tip from a reader:

BleepingComputer has noted the same thing:

To make things even worse, customers who tried disabling and deleting their LastPass accounts after receiving these warnings also report receiving “Something went wrong: A” errors after clicking the “Delete” button.

So what’s clear to me is something is really up with LastPass in a bad way. And whatever it is, it isn’t trivial. That’s not good for LastPass users. At this point, the company really needs to explain what is going on.
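The disagreement in those updates, bot-driven credential stuffing versus correct, unique master passwords arriving from strangers, is the kind of thing login telemetry can separate. Below is an added example (mine, not LastPass’s; the log format and the thresholds are invented for it) that scores a constructed authentication log: sources that spray many accounts with a low hit rate are treated as stuffing, and a correct password from a new location whose source did not spray is surfaced as a candidate targeted compromise rather than being lumped in with the bots.

```python
"""Telling credential stuffing apart from a targeted compromise in login logs.

Added example. Two signals are computed over a constructed log:
  * a source that tries many distinct accounts and mostly fails looks like
    stuffing with third-party breach data;
  * a correct password from an unfamiliar location, for an account that no
    stuffing source touched, is not explained by stuffing and deserves a
    step-up challenge and a human look.
"""
import re
from collections import defaultdict

# Constructed sample log. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-12-27T10:01:02Z user=alice@example.com ip=198.51.100.7 result=password_fail location=new
2021-12-27T10:01:03Z user=bob@example.com ip=198.51.100.7 result=password_ok location=new
2021-12-27T10:01:04Z user=dave@example.com ip=198.51.100.7 result=password_fail location=new
2021-12-27T10:01:05Z user=erin@example.com ip=198.51.100.7 result=password_fail location=new
2021-12-27T10:01:06Z user=frank@example.com ip=198.51.100.7 result=password_fail location=new
2021-12-27T10:01:07Z user=grace@example.com ip=198.51.100.7 result=password_fail location=new
2021-12-27T10:15:41Z user=carol@example.com ip=203.0.113.5 result=password_ok location=new
2021-12-27T10:20:00Z user=alice@example.com ip=192.0.2.10 result=password_ok location=known
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>password_ok|password_fail) location=(?P<location>new|known)$"
)


def parse(log: str) -> list:
    """Parse the constructed format; malformed lines are skipped, not guessed at."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stuffing_sources(events: list, min_accounts: int = 5, max_success_rate: float = 0.5) -> set:
    """Source IPs that sprayed many distinct accounts with a low hit rate (thresholds assumed)."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["accounts"].add(e["user"])
        s["attempts"] += 1
        s["ok"] += e["result"] == "password_ok"
    return {
        ip for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts and s["ok"] / s["attempts"] <= max_success_rate
    }


def step_up_required(events: list) -> set:
    """Any correct password from a new location gets challenged, whatever the source."""
    return {e["user"] for e in events if e["result"] == "password_ok" and e["location"] == "new"}


def targeted_suspects(events: list) -> set:
    """Correct password, new location, and a source that did not spray: not explained by stuffing."""
    sprayers = stuffing_sources(events)
    return {
        e["user"] for e in events
        if e["result"] == "password_ok" and e["location"] == "new" and e["ip"] not in sprayers
    }


def triage(log: str) -> dict:
    events = parse(log)
    return {
        "stuffing_sources": stuffing_sources(events),
        "step_up_required": step_up_required(events),
        "targeted_suspects": targeted_suspects(events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, 198.51.100.7 is scored as a stuffing source (six accounts, one hit), bob and carol both need a step-up because a correct password arrived from a new location, and only carol is a targeted suspect because her source touched nobody else. Bob’s hit from a sprayer means his password is in someone’s breach list and should be rotated; carol’s case is the one that merits an investigator rather than a bot label.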

UPDATE #2: I just got this Tweet in terms of being able to delete your LastPass account:

The NSO Group May Be In Very Deep Trouble

Posted in Commentary with tags on December 15, 2021 by itnerd

It seems that lawsuits from Apple and sanctions from the US Government may be having an effect on everybody’s most hated purveyor of spyware, The NSO Group. Bloomberg reports that the company is now running out of cash and looking for options:

NSO Group Ltd., the scandal-plagued spyware company that’s in danger of defaulting on its debts, is exploring options that include shutting its controversial Pegasus unit and selling the entire company, according to people familiar with the matter.

Talks have been held with several investment funds about moves that include a refinancing or outright sale, said the people, who asked not to be identified as the discussions are private.

The report claims that Pegasus would be repurposed, from hacking smartphones to protecting them:

The prospective new owners include two American funds that have discussed taking control and closing Pegasus, one of the people said. Under that scenario, the funds would then inject about $200 million in fresh capital to turn the know-how behind Pegasus into strictly defensive cyber security services.

While I am happy that The NSO Group is in deep trouble and is on the brink of extinction, a couple of random thoughts come to mind:

  1. Who would trust these people to secure anything after spending years trying to hack iPhones? The answer is nobody.
  2. How do we know that the spyware tech that this company created won’t end up in the wild if this company fails? Which means that everyone would be in deep trouble if that ended up to be true.

The best outcome in my mind would be to have someone buy the company, lock up every employee with a strict NDA, and bury the spyware tech. Then prove to governments worldwide that this has happened. That way we are all safe. But I fully expect some other outcome that puts us all at risk. But I am free to be surprised.

Kronos Gets Pwned And Could Be Down For Weeks [UPDATED]

Posted in Commentary with tags on December 14, 2021 by itnerd

Kronos, the workforce management solutions provider, has suffered a ransomware attack that will likely disrupt many of its cloud-based solutions for weeks:

As we previously communicated, late on Saturday, December 11, 2021, we became aware of unusual activity impacting UKG solutions using Kronos Private Cloud. We took immediate action to investigate and mitigate the issue, and have determined that this is a ransomware incident affecting the Kronos Private Cloud—the portion of our business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed. At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.

We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities. The investigation remains ongoing, as we work to determine the nature and scope of the incident.

Their UKG solutions using ‘Kronos Private Cloud’ are unavailable due to a weekend ransomware attack on December 11th.

Ayal Yogev, CEO and Cofounder, Anjuna Security:

“We continue to see that even the most fastidious SaaS companies struggle to protect their business because today’s computing paradigm equates host access with unfettered data and process access.  A new generation of powerful secure computing technologies uncouple this dangerous link that is the enabler of so many breaches today.”

This isn’t a good look for Kronos, as a lot of companies rely on their services. And those companies could go elsewhere, which would cost Kronos both money and reputation.

UPDATE: Eddy Bobritsky, CEO of Minerva Labs had this to say:

Ransomware attacks are becoming bolder and more sophisticated, using evasive malware techniques to get around regular EDR antivirus solutions. As we can see here, even with quick detection and immediate action, a small ransomware attack can result in damages that can take “up to several weeks to restore system availability”. This is why, despite its difficulty, it is important to start moving towards a prevention approach, rather than a detect and respond one.

Former Ubiquiti Developer Charged With Extortion Among Other Things Related To Whistleblowing Incident

Posted in Commentary with tags on December 3, 2021 by itnerd

You might recall the mess that Ubiquiti got into earlier this year when it had to admit that it had massively downplayed a security breach. Well, there was a serious plot twist in that story. It seems that the person who blew the whistle on Ubiquiti was a former developer for the company who was also trying to extort it. And now he’s been charged:

Nickolas Sharp, a former employee of networking device maker Ubiquiti, was arrested and charged today with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.

“As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand,” U.S. Attorney Damian Williams said today.

“As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

According to the indictment [PDF], Sharp stole gigabytes of confidential data from Ubiquiti’s AWS (on December 10, 2020) and GitHub (on December 21 and 22, 2020) infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH.

Throughout this process, the defendant tried hiding his home IP address using Surfshark’s VPN services. However, his actual location was exposed after a temporary Internet outage.

To hide his malicious activity, Sharp also altered log retention policies and other files that would have exposed his identity during the subsequent incident investigation.

“Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.

After Ubiquiti disclosed a security incident in January following Sharp’s data theft, while the company was working to assess the scope and remediate the effects of the security breach, he also tried extorting the company (posing as an anonymous hacker).

His ransom note demanded almost $2 million in exchange for returning the stolen files and the identification of a remaining vulnerability.

The company refused to pay the ransom and, instead, found and removed a second backdoor from its systems, changed all employee credentials, and issued the January 11 security breach notification.

After his extortion attempts failed, Sharp shared information with the media while pretending to be a whistleblower and accusing the company of downplaying the incident.

This caused Ubiquiti’s stock price to fall by roughly 20%, from $349 on March 30 to $290 on April 1, amounting to losses of over $4 billion in market capitalization.

This pretty much proves that one not only has to worry about hackers on the outside, but also about those inside your company with an axe to grind. That makes having a solid security posture insanely difficult. But it’s clearly now a requirement based on this incident.
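The detail in the indictment about one-day lifecycle retention policies on AWS logs is worth turning into a detection. The block below is an added example, not Ubiquiti’s tooling and not derived from the court filings beyond that description; the CloudTrail event shape it parses (the `requestParameters` layout for S3 lifecycle calls and the trail-management event names) is an approximation assumed for the example and should be mapped onto real telemetry before use.

```python
"""Spotting log-retention tampering in CloudTrail-style events.

Added example. The events are constructed to mimic the pattern the court
documents describe: a one-day expiration rule applied to a bucket that holds
logs, next to a benign lifecycle change on an unrelated bucket and a trail
being stopped. Field paths are an approximation of CloudTrail's records for
these S3 and CloudTrail API calls and may differ from a real account.
"""
import json

LOG_BUCKET_HINTS = ("cloudtrail", "log", "audit", "flowlog")  # heuristic; prefer an explicit list
MIN_ACCEPTABLE_DAYS = 90                                       # assumed retention policy
TRAIL_KILLERS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed events; the IP is from the RFC 5737 documentation range.
SAMPLE_EVENTS = json.loads("""[
  {"eventTime": "2020-12-10T03:14:07Z", "eventName": "PutBucketLifecycle",
   "userIdentity": {"userName": "cloud-admin"}, "sourceIPAddress": "203.0.113.9",
   "requestParameters": {"bucketName": "corp-cloudtrail-logs",
     "LifecycleConfiguration": {"Rule": [{"ID": "short", "Status": "Enabled",
       "Expiration": {"Days": 1}}]}}},
  {"eventTime": "2020-12-10T03:15:22Z", "eventName": "PutBucketLifecycle",
   "userIdentity": {"userName": "cloud-admin"}, "sourceIPAddress": "203.0.113.9",
   "requestParameters": {"bucketName": "app-assets",
     "LifecycleConfiguration": {"Rule": [{"ID": "tidy", "Status": "Enabled",
       "Expiration": {"Days": 365}}]}}},
  {"eventTime": "2020-12-10T03:16:01Z", "eventName": "StopLogging",
   "userIdentity": {"userName": "cloud-admin"}, "sourceIPAddress": "203.0.113.9",
   "requestParameters": {"name": "org-trail"}}
]""")


def actor(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return f'{ident.get("userName", "unknown")}@{event.get("sourceIPAddress", "?")}'


def looks_like_log_bucket(name: str) -> bool:
    name = name.lower()
    return any(h in name for h in LOG_BUCKET_HINTS)


def lifecycle_findings(event: dict) -> list:
    """Flag enabled expiration rules shorter than policy on log-like buckets."""
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName", "")
    if not looks_like_log_bucket(bucket):
        return []
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):  # a single rule may be serialized as an object
        rules = [rules]
    out = []
    for rule in rules:
        days = (rule.get("Expiration") or {}).get("Days")
        if rule.get("Status") == "Enabled" and isinstance(days, int) and days < MIN_ACCEPTABLE_DAYS:
            out.append(f"{bucket}: expiration set to {days} day(s) by {actor(event)}")
    return out


def find_retention_tampering(events: list) -> list:
    """One finding per suspicious lifecycle rule or trail-management call."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        if name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            findings.extend(lifecycle_findings(ev))
        elif name in TRAIL_KILLERS:
            trail = (ev.get("requestParameters") or {}).get("name", "?")
            findings.append(f"trail {trail}: {name} by {actor(ev)}")
    return findings


if __name__ == "__main__":
    for finding in find_retention_tampering(SAMPLE_EVENTS):
        print(finding)
```

Two caveats a practitioner would add: run this from a log copy the administrator cannot touch (a separate account, Object Lock, or a SIEM that ingests on arrival), since an insider with cloud-admin rights can shorten retention faster than a daily job will notice; and treat StopLogging or DeleteTrail on an organisation trail as an incident in its own right rather than a mere finding.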

BREAKING: Governor General’s Internal Network Pwned

Posted in Commentary with tags on December 2, 2021 by itnerd

For those of you who aren’t in Canada, the Governor General is the representative of Queen Elizabeth II in Canada. But with that out of the way, news is breaking that the Governor General’s office has confirmed ‘unauthorized access to its internal network’, which is code for saying that their network got pwned. Here’s a snippet from the statement that the Governor General’s office put out:

The Office of the Secretary to the Governor General (OSGG) confirms that there was an unauthorized access to its internal network. The OSGG is working with the Canadian Centre for Cyber Security on the investigation and took immediate action to strengthen its network.

The CSE, which is responsible for providing the Government of Canada with information technology security and foreign signals intelligence, put out a statement on this as well:

CSE and its Canadian Centre for Cyber Security (Cyber Centre) can confirm we are working with the Office of the Secretary of the Governor General (OSGG) in response to a recent cyber incident. We are unable to comment further on any specific details regarding this incident.

Although this investigation is ongoing we can assure you that we are working closely with OSGG to ensure there are robust systems and tools in place to monitor, detect, and investigate potential threats, and to neutralize threats when they occur.

While there’s no word on the extent of the breach, any breach of any government network is not trivial. Thus you can fully expect that there will be a lot of work over the coming days to figure out what happened and what was done. I also expect to see commentary from the Canadian government on this over the coming days, especially since Revenue Canada has been pwned in the past. Thus you should watch this space for more on this story.

Panasonic Pwned…. Full Extent Of Data Breach Unknown

Posted in Commentary with tags on November 29, 2021 by itnerd

Happy Monday. Unless you’re with Panasonic.

I say that because Panasonic has disclosed a data breach after threat actors gained access to servers on its network. Panasonic Corporation confirmed that its network was illegally accessed by a third party on November 11, 2021. Panasonic reported the incident to the relevant authorities and has taken measures to prevent access to its network from external servers, and it has hired a third party to investigate the attack and determine whether any of the data accessed during the intrusion includes customer personal information. In short, they don’t know the full extent of the data breach. That’s bad.

Yan Michalevsky, CTO and Cofounder, Anjuna Security had this comment on this data breach:

“It’s crucial to encrypt data at rest to prevent exactly those kinds of incidents. Solutions such as full-disk encryption might not be enough when attackers have gained access to the systems, but luckily there are alternatives that enable protecting data at the level of the application such that the files themselves are always encrypted.”

Hopefully Panasonic does a follow up to advise on the full extent of the data breach so that those affected can protect themselves accordingly.

UPDATE: I have additional commentary from Eddy Bobritsky, CEO, Minerva Labs:

“This kind of attack, much like ransomware attacks, is becoming all too common. An attacker uses evasive malware techniques to gain a foothold in the company to either steal proprietary data or encrypt or even destroy important information. Although their investigation hasn’t been completed yet, Panasonic seems to be lucky here as they were able to detect the breach relatively quickly. According to the IBM “Cost of Data Breach 2021” report, on average it took 287 days to identify and contain a data breach. This increase in sophistication of evasive techniques is simply making it much more difficult for regular EDR antivirus solutions to cope.”