RobbinHood Ransomware Ups Its Game

Ransomware as a business means marketing will play a role. RobbinHood Ransomware Using Street Cred to Make Victims Pay.

RobbinHood was the ransomware responsible for the Baltimore outage. The number referenced for what the city spent on remediation (they did NOT pay the ransom) is 10 million dollars. That’s a bit disingenuous, because a fair amount of that money was for new equipment. And they are spending even more to harden their infrastructure. I would argue that is money they should have spent BEFORE they were hit. But hey, I’m not in politics.

The operators behind the RobbinHood ransomware have changed their language in the ransom note to take from victims all hope of decrypting the files for free and to make them pay for the recovery.

Boastful and arrogant in their message, the cybercriminals point to past incidents involving their ransomware, which ended with victims paying much more than the ransom demand.

Is there any politician or corporate drone who can say, after their organization gets hit with ransomware, that the attack was “unexpected?” Of course there are; I forget that they are paid to lie every day.


Millions of Compromised Online Stores?

Magecart steals credit card info from online purchases. Magecart Impacts Hundreds of Thousands of Websites, Still Growing.

In a report released today, RiskIQ notes that the first Magecart threat they observed was on August 8, 2010. The phenomenon did not take off until last year, though, when British Airways, Ticketmaster, OXO, and Newegg were hit.

Since then, multiple attackers emerged creating dozens of card info skimming scripts and infecting thousands of websites. In one automated attack alone, over 960 stores were compromised.

If they can’t breach the site directly, they might be able to breach a third party.

Getting the code on the checkout page is possible by breaching the website directly or by compromising a web resource from a third party that is loaded on the page, such as an analytics script or a customer support widget.

Incorrectly configured Amazon Web Services accounts for a lot of that.
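The quoted paragraph describes the mechanism that matters to a shop owner: the checkout page pulls in scripts from hosts the shop does not control, and any of them can be swapped out upstream. The defensive counter is to pin each third-party script to a hash (the browser’s Subresource Integrity mechanism) and to keep re-checking what those hosts actually serve. The script below is an added example, not code from the original post or from RiskIQ; the URLs under `.invalid` and the script bodies are constructed sample data, not real vendor scripts.

```python
import base64
import hashlib

# Constructed sample data (not real vendor code): the script bodies the shop
# owner reviewed and pinned when the checkout page was last audited.
ORIGINAL_WIDGET = b"window.support = { open: function () { /* chat widget */ } };"
UNCHANGED_ANALYTICS = b"window.track = function (e) { /* analytics */ };"
# Constructed: the same widget URL later serving different bytes.
TAMPERED_WIDGET = ORIGINAL_WIDGET + b"\n/* constructed change */ console.log('v2');"

THIRD_PARTY_SCRIPTS = {
    "https://widget.example-support.invalid/chat.js": ORIGINAL_WIDGET,
    "https://cdn.example-analytics.invalid/track.js": UNCHANGED_ANALYTICS,
}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the Subresource Integrity token for `content`: '<alg>-<base64 digest>'."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, content: bytes) -> str:
    """Emit the <script> tag the checkout page should carry for this resource.
    With `integrity` set, the browser refuses to run the script if its bytes
    no longer match the pinned hash."""
    return (f'<script src="{url}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def pin_baseline(scripts: dict) -> dict:
    """Record the hash of every third-party script at audit time."""
    return {url: sri_hash(body) for url, body in scripts.items()}


def check_scripts(fetched: dict, baseline: dict) -> list:
    """Compare what the third-party hosts serve now against the pinned baseline.
    Returns (url, reason) pairs: 'changed', 'missing', or 'unpinned'."""
    alerts = []
    for url, pinned in baseline.items():
        body = fetched.get(url)
        if body is None:
            alerts.append((url, "missing"))
        elif sri_hash(body) != pinned:
            alerts.append((url, "changed"))
    for url in fetched.keys() - baseline.keys():
        alerts.append((url, "unpinned"))  # a script nobody reviewed is on the page
    return alerts


BASELINE = pin_baseline(THIRD_PARTY_SCRIPTS)

# Constructed "later fetch": the widget host now serves altered code.
LATER_FETCH = {
    "https://widget.example-support.invalid/chat.js": TAMPERED_WIDGET,
    "https://cdn.example-analytics.invalid/track.js": UNCHANGED_ANALYTICS,
}

if __name__ == "__main__":
    for url, body in THIRD_PARTY_SCRIPTS.items():
        print(script_tag(url, body))
    for url, reason in check_scripts(LATER_FETCH, BASELINE):
        print(f"ALERT {reason}: {url}")
```

Two caveats a practitioner would add. Pinning only helps for scripts whose vendor does not silently update them; a vendor that ships a new version every week will break the page until the hash is re-pinned, which is exactly the moment to re-review the code. And SRI protects the third-party resource only: if the attacker can edit the first-party checkout page itself, they can edit the `integrity` attribute along with it, so the page’s own deployment pipeline still needs its own integrity checks.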

Ransomware Continues to Impact Health Care

Remember when Obama said computerizing medical records would be such a good idea? U.S. and Australian Hospitals Targeted by New Ransomware Attacks.

Three hospitals in Alabama and seven in Victoria, Australia have been hit with ransomware. Some are not accepting new patients. Some are reverting to manual procedures.

In a related bit of news, a California clinical group is closing its offices because they can’t recover patient records.

In related news, following another ransomware attack from early August, Californian medical practice Wood Ranch Medical announced on September 18 that it will be closing offices on December 17 because of the extensive loss of patient healthcare records.

Their “backup server” was online, so it, too, was encrypted. Having a separate copy of your data is NOT ENOUGH. How many times do people need to be told that before they’ll listen? Well, if they don’t listen to this advice at this point, then they never will. And my level of sympathy for people playing in traffic was exhausted decades ago.

So I can’t decide if Obama and Company saying how great things would be when all medical records are computerized counts as politicians pretending to be engineers (or computer scientists), or if it is just evidence of colossal arrogance. From my POV, having all the records on computers, that the doctors won’t pay to secure, hasn’t made things better. I’m sure the hackers LOVE the fact that all those records are computerized. And poorly secured. You could think Obama has some interest in the hacking, but that would be giving him too much credit for understanding what encryption can do. Smartest President Ever™

What’s the Cost of Being Stupid About Security?

If you’re working in the area of national security, the cost can be high. Exclusive: Russia carried out a ‘stunning’ breach of FBI communications system, escalating the spy game on U.S. soil.

This is a long article. And some of the conclusions differ from other reports in the media. But the conclusion is clear. The average person in the FBI (or CIA) is clueless about technology, and security, and incapable of making decisions about either. And the people who should have known better were delusional about the “reset option” that Barack Obama had Hillary Clinton undertake. (They were sure to love us, once Bush was out of office. Or something.)

“It caused a really big rift within the [National Security Council] on how seriously they took analysis from the agency,” said the former CIA official. Senior administration leaders “went along with” some of the more optimistic analysis on the future of U.S.-Russia relations “in the hopes that this would work out,” the official continued.

Those disagreements were part of a “reset hangover” that persisted, at least for some inside the administration, until the 2016 election meddling, according to a former senior national security official.

After the Obama Administration finally admitted to itself that Russia was still an adversary…

American officials discovered that the Russians had dramatically improved their ability to decrypt certain types of secure communications and had successfully tracked devices used by elite FBI surveillance teams. Officials also feared that the Russians may have devised other ways to monitor U.S. intelligence communications, including hacking into computers not connected to the internet.

As a result of all of this, we expelled a batch of Russians and seized two estates Russia owned.

The article is long, but if you are interested in the world of signals intelligence, you will find it interesting. (The NBC article – second link at the top – is much shorter.)

And it isn’t a new problem, that the FBI sucks when it comes to security.

We do know, from research Matt Blaze and others did almost ten years ago, that at least one FBI radio system was horribly insecure in practice — but not in a way that breaks the encryption. Its poor design just encourages users to turn off the encryption. [From Schneier on Security, who gets the hat tip]

Because I don’t need security, or something and it’s inconvenient. And besides, I don’t understand it so the Russians can’t either, right?

Oh, and also consider…

It’s unclear whether the Russians were able to recover encrypted data or just perform traffic analysis. The Yahoo story implies the former; the NBC News story says otherwise. It’s hard to tell if the reporters truly understand the difference.

The FBI isn’t the only group ignorant of security.

DoorDash Has Been Hacked

Of course it was. DoorDash hack spills loads of data for 4.9 million people.

The breach took place on May 4, but DoorDash officials didn’t learn of it until earlier this month when they noticed unusual activity involving an unnamed third-party service provider. That’s what DoorDash says in post, which began: “We take the security of our community very seriously.” Data obtained by the attacker could include names, email addresses, delivery addresses, order histories, phone numbers, and cryptographically hashed and salted passwords.

Of course they take security “seriously.” Just once I would like a corporation to admit that proper security takes a lot of time and money that they either don’t have, or don’t want to spend. But of course that wouldn’t make good PR copy.

Whether or not the loss of the passwords will be an issue depends on the hash used and the quality of the salt. And DoorDash is not saying what that is, so the fear is that it is very weak cryptography. The moral of the story is, change your DoorDash passwords now, and if you use the same password for multiple accounts STOP doing that. Invest some time in a password manager. They are (or can be) free. I use Keepass. LastPass is very popular, and has great features for married couples, and businesses if you pay for various premium services. There are probably more available.
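Whether “hashed and salted” passwords are safe really does come down to the two things named above: which hash, and whether each user got their own salt. The following added example (mine, not DoorDash’s code or anything from the linked article) contrasts the weak scheme, a single fast unsalted hash, with a per-user random salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256, which is in Python’s standard library). The password list is a constructed handful of demo values, not data from any breach.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data: a few well-known weak passwords, used only to show
# why an unsalted fast hash can be looked up instead of guessed.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt.
    Every user with the same password gets the same digest, and a digest can be
    checked against a table built long before the breach happened."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates) -> dict:
    """Map unsalted digests back to the passwords that produce them."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(digest: str, table: dict):
    """Constant-time-irrelevant dictionary lookup: instant, no guessing needed."""
    return table.get(digest)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The sound scheme: 16 random salt bytes per user plus a slow KDF.
    Stored as 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>' so the
    parameters travel with the record and can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(stored: str, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unknown scheme {scheme!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def main():
    table = build_precomputed_table(COMMON_PASSWORDS)
    leaked = unsalted_hash("letmein")  # what an unsalted dump would contain
    print("unsalted digest resolved from table:", lookup_unsalted(leaked, table))

    first = hash_password("letmein")
    second = hash_password("letmein")
    print("same password, distinct salted records:", first != second)
    print("verify correct:", verify_password(first, "letmein"),
          " verify wrong:", verify_password(first, "Letmein"))


if __name__ == "__main__":
    main()
```

The point for a breach like this one: if the provider used something like the first function, the “hashed” passwords in the dump are effectively plaintext for anyone who reused a common password. With the second scheme an attacker has to pay the full iteration cost per user per guess, which is why the advice to change the password anyway, and never reuse it, still stands regardless of what the company eventually discloses.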

A Cellphone Quandary

So I’ve been putting off upgrading my cellphone, waiting for Android 10, which is now available, because it has better security. I also have been torn between a base-level phone (well, inexpensive smartphone) and something like a OnePlus 7. I really don’t need a $1000 phone. I probably don’t need a $700 phone either. (A Moto G7 or G7 Power would probably suffice, for about $250 or so.)

But with the disclosure of Simjacker, and the fact that no phone is secure, I don’t know what to do. Simjacker is Being Actively Exploited in The Wild To Steal Location Data.

And the hack can be used for oh so much more than just location tracking. It can turn your phone into a listening device, steal data. Basically everything that you’ve seen in spy movies or the TV show Person of Interest can pretty much be done to a cellphone. Android, iOS, even feature phones are vulnerable to some hacking. I think flip phones might even be forced to call premium numbers, to report location and act as a listening device. (It seems to be an issue for any GSM network phone.)

Researchers from AdaptiveMobile Security have found a vulnerability that exploits SIM cards to take over phones. Termed Simjacker, the attack begins when an adversary triggers the bug by sending malicious messages. The researchers have shared a detailed blog post about the attack. They have also set up a dedicated webpage for Simjacker.

And while the hacks seen in the wild are apparently the work of State Actors monitoring “people of interest” things won’t stay that way for long. At the very least the hack can be used to make your phone call a premium number, costing you real money.

And all of this because a committee in 2001 decided that it would be neat to include some extra capabilities, and no one revisited that decision in the light of the last 18 years of computer and phone security issues.

The Quandary? Whether or not to get rid of the phone. No SIM card, no Simjacker. I have a perfectly good home phone. I just can’t see carrying around a device that invites hackers to bill my account for premium services, or steal the little information I do keep on the phone. (Hence Android 10’s security updates.)

Yet another example of why building the Swiss-army-knife of software products is ALWAYS a bad idea.

Update: is the website on this issue.

Just Because It Claims to Be Ransomware…

Or why you shouldn’t pay ransom, and why you should have backups. Destructive Ordinypt Malware Hitting Germany in New Spam Campaign.

A new spam campaign is underway that pretends to be a job application from “Eva Richter” who is sending her photo and resume. This resume, though, is actually an executable masquerading as a PDF file that destroys a victim’s files by installing the Ordinypt Wiper.

It masquerades as ransomware, and demands a ransom, but even if you pay, the files have been overwritten with garbage, NOT encrypted. You won’t/can’t get them back.

So do you have those multiple backups? Are some of them offline? How would you recover?