Archive for Hacked

#Fail: American Pipeline Company Got Pwned Because Of A Compromised Password

Posted in Commentary with tags on June 6, 2021 by itnerd

Remember the ransomware attack on Colonial Pipeline, which took down a major pipeline along the east coast of the US and in the process severely constrained the fuel supply for millions of Americans? Well, we now know how the hackers got in. And it’s an illustration of why password hygiene is important:

The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.

The account’s password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked, he said. However, Carmakal said he isn’t certain that’s how hackers obtained the password, and he said investigators may never know for certain how the credential was obtained. The VPN account, which has since been deactivated, didn’t use multifactor authentication, a basic cybersecurity tool, allowing the hackers to breach Colonial’s network using just a compromised username and password. It’s not known how the hackers obtained the correct username or if they were able to determine it on their own. “We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials,” Carmakal said. “We don’t see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29.” 

A little more than one week later, on May 7, an employee in Colonial’s control room saw a ransom note demanding cryptocurrency appear on a computer just before 5 a.m. The employee notified an operations supervisor who immediately began to start the process of shutting down the pipeline, Colonial Chief Executive Officer Joseph Blount said in an interview. By 6:10 a.m., the entire pipeline had been shut down, Blount said. It was the first time Colonial had shut down the entirety of its gasoline pipeline system in its 57-year history, Blount said. “We had no choice at that point,” he said. “It was absolutely the right thing to do. At that time, we had no idea who was attacking us or what their motives were.”

So, what would have stopped this hack from happening? Well, having multi-factor authentication would have helped, because the hackers would have needed not only the password but also a token or some other authentication device to get in. Since they wouldn’t have had either, they would have been kept out. Colonial needs to up its game on that front. But Colonial should also have done a better job of making sure the VPN password that was used was changed frequently, or that the account was removed if it wasn’t needed. The fact that it was still active and then leaked to the dark web is a problem, and Colonial needs to do something about that too.
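The two controls just described, removing dormant accounts and catching a credential that already appears in a breach corpus, are exactly what a periodic account review should surface. The following Python audit is an added example, not code from this post or from Colonial or Mandiant. It runs over constructed VPN account records and flags accounts with no login in 90 days, accounts without MFA, and passwords whose SHA-1 appears in a constructed leaked-hash set, looked up by 5-character prefix bucket in the style of the Have I Been Pwned range API so the full hash never leaves the auditing host. The account records, the leaked strings, and the 90-day threshold are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy: an account unused for this long is a removal candidate.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class VpnAccount:
    username: str
    last_login: Optional[datetime]  # None means the account has never logged in
    mfa_enrolled: bool
    password_sha1: str              # uppercase hex SHA-1 of the password


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1, the form used by Pwned Passwords style lookups."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked-password corpus. Real corpora hold hashes,
# not plaintext; these strings exist only so the example runs offline.
LEAKED_HASHES: Set[str] = {sha1_hex(p) for p in ("constructed-leak-1", "constructed-leak-2")}


def leaked_suffixes_for_prefix(prefix: str) -> Set[str]:
    """Emulate a k-anonymity range query: given the first 5 hex chars of a hash,
    return the suffixes of every leaked hash sharing that prefix. The caller
    only ever sends the prefix, never the full hash."""
    assert len(prefix) == 5
    return {h[5:] for h in LEAKED_HASHES if h.startswith(prefix)}


def password_is_leaked(password_sha1: str) -> bool:
    """Match against the returned bucket locally, so the full hash stays local."""
    return password_sha1[5:] in leaked_suffixes_for_prefix(password_sha1[:5])


def audit_accounts(accounts: List[VpnAccount], now: datetime) -> Dict[str, List[str]]:
    """Return {username: [issues]} for every account with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if acct.last_login is None or now - acct.last_login > DORMANT_AFTER:
            issues.append("dormant")          # disable or remove the account
        if not acct.mfa_enrolled:
            issues.append("no-mfa")           # enforce a second factor
        if password_is_leaked(acct.password_sha1):
            issues.append("leaked-password")  # force a reset now
        if issues:
            findings[acct.username] = issues
    return findings


def sample_audit() -> Dict[str, List[str]]:
    """Run the audit over constructed records as of a constructed date."""
    now = datetime(2021, 6, 6)
    accounts = [
        VpnAccount("alice", datetime(2021, 6, 5), True, sha1_hex("constructed-ok-1")),
        VpnAccount("bob", datetime(2021, 5, 30), False, sha1_hex("constructed-ok-2")),
        # Dormant since November, no MFA, password present in the leaked set:
        VpnAccount("old-contractor", datetime(2020, 11, 1), False, sha1_hex("constructed-leak-1")),
        VpnAccount("never-used", None, True, sha1_hex("constructed-ok-3")),
    ]
    return audit_accounts(accounts, now)


if __name__ == "__main__":
    for user, issues in sample_audit().items():
        print(f"{user}: {', '.join(issues)}")
```

In a real deployment the account list would come from the VPN appliance or identity provider and the bucket lookup would hit a breach-corpus service; the point of the prefix-bucket design is that the audit can check every account against leaked data without disclosing any full credential hash to a third party.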

My advice to every business out there, of any size: use this as a case study to make your IT environment more secure. After all, you don’t want to be the next guy who gets pwned.

America To Give Ransomware Attacks Similar Priority As Terrorism

Posted in Commentary with tags on June 4, 2021 by itnerd

The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters:

Internal guidance sent on Thursday to U.S. attorney’s offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington. “It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,” said John Carlin, acting deputy attorney general at the Justice Department.

Last month, a cyber criminal group that the U.S. authorities said operates from Russia, penetrated a pipeline operator on the U.S. East Coast, locking its systems and demanding a ransom. The hack caused a shutdown lasting several days, led to a spike in gas prices, panic buying and localized fuel shortages in the southeast. Colonial Pipeline decided to pay the hackers who invaded their systems nearly $5 million to regain access, the company said.

The problem is that this won’t help as a lot of these threat actors are based in countries where the US can’t get them and toss them into jail. Here’s what will actually help:

  1. Business systems should be running ONLY applications needed to do the job, and no others.
  2. Business systems networks should be isolated from operations networks. Air-gapped as needed.
  3. Systems that need access in or out should be properly firewalled, including blocking entire countries or regions as needed.

The fact is that good IT is expensive. Bad IT is costly. We are in a place where bad IT is the norm. On top of that, it is perceived that it is much easier to have bad IT and pay the BITCOIN when they get pwned. But it isn’t cheaper. And that needs to change. When it does, this problem will get mitigated.

Fujifilm Pwned By Ransomware Attack

Posted in Commentary with tags on June 3, 2021 by itnerd

Oh look. We have another victim of ransomware. This time, Japanese multinational conglomerate Fujifilm has been forced to shut down parts of its global network after being pwned in a ransomware attack:

The company, which is best known for its digital imaging products but also produces high-tech medical kit, including devices for rapid processing of COVID-19 tests, confirmed that its Tokyo headquarters was hit by a cyberattack on Tuesday evening. “Fujifilm Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the company said in a statement posted to its website. “We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities,” it said.

Well, this isn’t good. When will these companies learn that preventing attacks like this is an absolute necessity these days? Clearly they didn’t figure this out and now they are paying for it. And worse yet, I’ll soon be writing about another company that got pwned in some way, shape, or form.

REvil Fingered As Group Behind Meat Plant Cyberattack

Posted in Commentary with tags on June 3, 2021 by itnerd

Earlier this week JBS Foods was pwned in some sort of cyberattack. The New York Times has now said that the FBI has identified REvil as the group behind this attack:

REvil is considered one of the most sophisticated ransomware groups and has demanded as much as $50 million to recover data belonging to companies as prominent as Apple. Its attack on JBS, a Brazilian company that accounts for roughly a fifth of cattle and hog slaughter in the United States, temporarily shut down some operations at a time when prices were already surging for beef, poultry and pork.

The US government is taking a very dim view of this, and the fact that the Russians are basically shielding this group from justice:

The attack highlighted concerns about the vulnerability of critical American businesses. Jen Psaki, the White House press secretary, urged companies on Wednesday to increase their cybersecurity measures, saying it was “up to a number of these private-sector entities to protect themselves.”

Ms. Psaki declined to say whether the U.S. government was planning to retaliate. “We’re not taking any options off the table in terms of how we may respond, but of course there is an internal policy review process to consider that,” she said.

And:

Ms. Psaki said Wednesday that the administration was in direct contact with the Russians and that President Biden would bring up the issue of cyberattacks with President Vladimir Putin of Russia when they meet in two weeks.

“Responsible states do not harbor ransomware criminals,” she said.

The fact is that you will not see these attacks slow down or stop. And I am going to go out on a limb and say that you will not see the Russians help in stopping these attacks. So companies need to take Jen Psaki’s advice and strengthen their cyber defences so that they don’t become the next company that gets pwned.

Massachusetts Ferry Operator Pwned By Ransomware

Posted in Commentary with tags on June 3, 2021 by itnerd

It seems that this is yet another day where the pwnage of companies is front and center in the news. This time, a ransomware attack has caused delays and disruptions at Steamship Authority, the largest ferry service in Massachusetts, disrupting ferry transport between the US mainland and the islands of Martha’s Vineyard and Nantucket.

The attack took place earlier today, according to a series of tweets posted on the company’s official Twitter account. Steamship Authority said the incident impacted its land-based IT systems and that ships are not impacted. “There is no impact to the safety of vessel operations, as the issue does not affect radar or GPS functionality,” a Steamship Authority spokesperson said.

“Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process. Customers are currently unable to book or change vehicle reservations online or by phone. Existing vehicle reservations will be honored at Authority terminals, and rescheduling and cancellation fees will be waived,” it added. The company has asked

I am guessing that a lot of rich people are seriously ticked off as a result. Maybe they should demand that this ferry company up its IT security game so that they aren’t inconvenienced. Just a thought.

Where’s The Beef? The World’s Largest Meat Processing Company Pwned In Cyberattack That Has Shut Down Operations Globally

Posted in Commentary with tags on May 31, 2021 by itnerd

Here’s a cyberattack with worldwide ramifications. JBS Foods has fallen victim to a cyberattack that has shut down production around the world:

The world’s largest meat processing company, JBS Foods, has fallen victim to cyber attacks that have shut down production around the world, including in Australia.

The company’s information systems were targeted, chief executive Brent Eastwood confirmed to Beef Central on Monday.

JBS has 47 facilities across Australia and operates the largest network of production facilities and feedlots in the country.

The company also has meat processing facilities in North and South America, Brazil and Canada.

A spokesperson refused to comment on the cyber attacks.

It isn’t clear what type of cyberattack this is. But seeing as it is global in scope, this has the potential to become a major problem and affect a whole lot of us.

As usual, law enforcement and the like have been informed. But as usual, this is way too late, as the pwnage has already happened and now this company is in damage control mode. Which highlights that an ounce of prevention is worth more than a pound of cure.

UPDATE: I have some commentary from David Masson, Director of Enterprise Security of Darktrace:  

Just weeks after the Colonial Pipeline was shut down and Ireland’s national health service was knocked out, the JBS breach serves as another example of the vulnerabilities of critical national infrastructure in the wake of destructive cyber-attacks. 

The details of the breach hint that this too was a ransomware attack, the target this time being national food supply chains. Once again, the notion that ransomware is a national security threat is ringing true – and we need a fundamentally different approach to security without throwing more humans into the mix. 

As our world becomes increasingly hyperconnected, the barriers to attack become lower – and many more points of entry open up for hackers to exploit. Traditional security tools and human teams are struggling to contain attacks, and the result is often blunt and heavy-handed responses that stop the spread of the attack, but cause major operational disruption. Organizations need an alternative way out – one which can thwart attacks before they have a chance to spread. This is why thousands of organizations are turning to technologies like autonomous response to fight fire with fire – and contain attacks before the damage is done. 

Canada Post Pwned… Data On 950,000+ Customers Has Been Compromised

Posted in Commentary with tags on May 26, 2021 by itnerd

Thanks to a malware attack on one of its suppliers, Canada Post has been pwned by hackers. Canada’s postal carrier put out a release on this today:

Canada Post has informed 44 of its large business customers of a data breach caused by a malware attack on one of our suppliers, Commport Communications. The supplier notified Canada Post late last week (on May 19) that manifest data held in their systems, which was associated with some Canada Post customers, had been compromised.

Commport Communications is an electronic data interchange (EDI) solution supplier used by Canada Post to manage the shipping manifest data of large parcel business customers. Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information that you would find on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.

After a detailed forensic investigation, there is no evidence that any financial information was breached. In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers. After a thorough review of the shipping manifest files, we’ve determined the following:

  • The information is from July 2016 to March 2019
  • The vast majority (97%) contained the name and address of the receiving customer 
  • The remainder (3%) contained an email address and/or phone number

Here’s the problem with this. It’s 2021, the data is from 2016 to 2019, and the planet is only finding out about this today. That’s a #fail. Sure, Canada Post notes that it will engage external cybersecurity experts to conduct additional forensic work and that the Office of the Privacy Commissioner has been notified. But that’s not good enough given how much information is involved and the timeframe it spans. Hopefully the Privacy Commissioner slaps Canada Post silly over this, as this is not acceptable.

And I have to wonder if the 950,000 customers will be notified? Based on the Canada Post press release, I don’t think so. But they are free to surprise me.

UPDATE: I have a comment on this hack from David Masson, Director of Enterprise Security for Darktrace: 

This attack follows the rising trend of hackers infiltrating organizations via the supply chain. From the SolarWinds Orion campaign to the recent attack on Centreon software, we can be in little doubt complex digital supply chains are a hacker’s paradise. 

Canada Post are just the latest victim in what is a new era of cyber-threat, one where attackers exploit supply chain vulnerabilities to launch mass attacks with maximum return on their investment. The volume of data breached indicates that malicious activity had been going on for some time unnoticed, with hackers lurking on systems with their finger on the trigger.  

These silent and stealthy attacks are virtually impossible to detect with traditional security tools and companies today must adopt a zero-trust policy when it comes to third-party suppliers. Perimeter defences won’t work – these attacks come from the inside. That’s why thousands of organizations today rely on cutting-edge technology like AI to identify the subtle indicators of this malicious activity wherever it emerges, and thwart it before damage is done. 

New Zealand Hospitals Pwned By Ransomware… Some Surgeries Cancelled

Posted in Commentary with tags on May 19, 2021 by itnerd

New Zealand’s Waikato District Health Board (DHB) has been hit with ransomware that took down most IT services Tuesday morning and drastically reduced services at six of its affiliate hospitals:

Waikato District Health Board’s entire IT service is down due to a major cyber attack affecting all clinical services and forcing patient appointments to be cancelled.

“We have engaged external assistance to address a cyber security incident affecting our Information Services environment,” the DHB said in a Facebook post this morning.

Government agencies have been advised and an investigation is under way, the DHB said.

The people claiming to be behind this have made contact with the health board, according to this report:

As well as bringing in outside cyber security experts, the National Cyber Security Centre was also guiding his team in how to deal with those claiming to be the hackers, Snee said.

“We’ve had a communication, but whether that is from the … malicious actors or whether it is somebody else – we have to check the veracity of that,” he said.

As a result, some surgeries and other procedures have been cancelled, which makes this event non-trivial. This is the second health group in the last week or two to be hit by ransomware. That highlights the fact that everyone needs to up their cybersecurity game to stop themselves from being the next headline in the news for being pwned, not to mention the significant knock-on effects an attack like this has.

Irish Health Service Pwned By Ransomware

Posted in Commentary with tags on May 14, 2021 by itnerd

Ireland’s national health service has shut down its IT systems following a “human-operated” Conti ransomware attack, causing a Dublin hospital to cancel outpatient appointments. The news came to light via Twitter:

CNBC has more details:

The Irish Health Service Executive said there was a “significant ransomware attack” on its IT systems, without commenting further on specifics.

And:

Ireland’s vaccination program has not been affected and appointments will go ahead as planned, but the registration portal has been taken offline. Doctors also can’t refer people for Covid-19 tests, so patients have been told to use walk-in testing centers. HSE said its ambulance service was operating normally.

Dublin’s Rotunda Hospital, a maternity hospital, said all outpatient visits for Friday have been canceled, except for women who are 36 weeks pregnant or later. All gynecology clinics are canceled.

And this attack was described as “very sophisticated” by Paul Reid, HSE chief executive:

Ransomware attacks on healthcare environments are becoming more of a preference for the criminal gangs that do these attacks because it is perceived that healthcare environments are more likely to pay up. Which means while everyone needs to up their game when it comes to cybersecurity, healthcare environments need to do even more as this one appears to hurt.

Pipeline Company Pays $5 Million To Release Their Systems From A Ransomware Attack

Posted in Commentary with tags on May 13, 2021 by itnerd

Things are starting to return to normal for Colonial Pipeline, which got pwned by ransomware from an Eastern European-based group of hackers. This in turn caused gas stations to start running out of gas yesterday. And here’s the reason why things are getting back to normal: they paid the hackers, according to Bloomberg:

Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction.

The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.

Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

A representative from Colonial declined to comment, as did a spokesperson for the National Security Council.

I have always said that you shouldn’t pay scumbags like these, as it only encourages them to do more attacks like this. Here are a few more reasons why you shouldn’t pay up:

The FBI discourages organizations from paying ransom to hackers, saying there is no guarantee they will follow through on promises to unlock files. It also provides incentive to other would-be hackers, the agency says. Such guidance provides a quandary for victims who have to weigh the risks of not paying with the costs of lost or exposed records.

So while this news is disappointing, it isn’t surprising. These sorts of things are a business decision at the end of the day. Which means that companies should focus on defending themselves from these sorts of attacks so that they don’t have to make these sorts of decisions.