Lack Of Computer Security Can Kill You

The last story presented below is of a ransomware attack on a hospital system that has been listed as being responsible for 4 deaths. By comparison, the other incidents are just annoyances.

First we have Ransomware. And there is a lot of it. The Week in Ransomware – September 25th 2020 – A Modern-Day Gold Rush

Companies still refuse to take security seriously, and as a result, the Forces of Ransomware™ are running amok.

The linked article is dismaying, with how many cases/varieties of Ransomware have been discovered. There was one bright spot, in that the insurance companies are not just blindly underwriting insanity, but insisting on some security.

News also broke this week about how an insurance company utilizes security scans to find exposed and vulnerable devices on clients’ networks. These proactive scans have reduced their ransomware claims by 65%!

They have to do something, or they are going to put themselves out of business insuring companies that have limited security in place.

Then there is the continuing resistance to applying software updates. Over 247K Exchange servers unpatched for actively exploited flaw. I can’t even feel sorry for these people.

The systems in question have not been patched AT LEAST since February of 2020. So 7 months, soon to be 8 months.

Cyber-security firm Rapid7 added an MS Exchange RCE module to the Metasploit penetration testing framework it develops on March 4, after several proof-of-concept exploits surfaced on GitHub.

One week later, both CISA and the NSA urged organizations to patch their servers against the CVE-2020-0688 flaw as soon as possible given that multiple APT groups were already actively exploiting it in the wild.

That was back in March; here’s the situation today.

Rapid7 once again made use of its Project Sonar internet-wide survey tool for another headcount.

And the numbers are almost as grim as they were before, with 61.10% (247,986 out of a total of 405,873) of vulnerable servers (i.e., Exchange 2010, 2013, 2016, and 2019) still being left unpatched and exposed to ongoing attacks.

The company’s researchers found that 87% of almost 138,000 Exchange 2016 servers and 77% of around 25,000 Exchange 2019 servers were left exposed to CVE-2020-0688 exploits, and that roughly 54,000 Exchange 2010 servers “have not been updated in six years.” [My emphasis. Z-Deb]

So you don’t update your systems for 6 freaking years. What exactly do you think is going to happen? I can’t even feel sorry for any of these people.

And finally we have the RYUK attack on Universal Health Services. UHS hospitals hit by reported country-wide Ryuk ransomware attack.

“When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity,” one of the reports reads.

“After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown.

“We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.”

And it isn’t just that a bunch of hospital employees can’t access their email, or billing records.

Four deaths were also reported after the incident impacting UHS’ facilities, caused by the doctors having to wait for lab results to arrive via courier. BleepingComputer has not been able to independently corroborate if the deaths were related to the attack.

Look I get that modern medicine is dependent on computers for a whole bunch of stuff, but this incident demonstrates that we are not doing it correctly. Not by half.

The internet was fun while it lasted. (Hat tip Security Now.)

Ransomware Roundup

You could spend your whole life writing about ransomware. Maybe that is an exaggeration. Maybe.

First up, Carnival Cruise Lines. World’s largest cruise line operator Carnival hit by ransomware

“On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files,” the cruise line operator stated in their filing.

Employee and customer data was probably stolen as part of the attack.

Konica Minolta was hit. Business technology giant Konica Minolta hit by new ransomware.

Business technology giant Konica Minolta was hit with a ransomware attack at the end of July that impacted services for almost a week, BleepingComputer has learned.

The company that produces Jack Daniels whiskey, Brown-Forman, was also hit, but they seem to be doing something right. U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen.

Sodinokibi (REvil) ransomware operators were able to steal data, but apparently failed to encrypt systems.

“Brown-Forman was the victim of a cybersecurity attack. Our quick actions upon discovering the attack prevented our systems from being encrypted” – Brown-Forman spokesperson

Brown-Forman is not negotiating with REvil, so any data stolen is likely up for sale.

At least some of the people are taking security seriously, but there is still work to be done.

Companies never like to talk about “what happened?” or “how did this happen?”, so there aren’t many lessons to be learned.

The Norsk Hydro Ransomware Attack

A review of the 2019 ransomware attack on Norsk Hydro, for the geeks in the audience. How to Survive a Ransomware Attack Without Paying the Ransom.

For those who don’t follow these things… It has been called, “The worst cyberattack in Norway’s history.”

At around midnight Oslo time on March 19, 2019, computers owned by Norsk Hydro ASA, a large aluminum manufacturer, started encrypting files and going offline en masse. It took two hours before a worker at its operations center in Hungary realized what was happening. He followed a scripted security procedure and took the company’s entire network offline—including its website, email system, payroll, and everything else. By then, a lot of damage was already done. Five hundred of Hydro’s servers and 2,700 of its PCs had been rendered useless, and a ransom note was flashing on employees’ computer screens.

Norsk Hydro didn’t pay the ransom for all the reasons that you can imagine. Lack of guarantees. Making Norsk Hydro an attractive target for other attacks. Feeding the evil beast.

It ended up costing the company 60 million US dollars. Insurance paid 3.6 million. Oh, and they had a reasonable amount of security in place before all this started. They weren’t ignoring stuff and hoping for the best. Here’s the moral of the story…

Even when you do everything you can to protect yourself from a cyberattack, a determined adversary will almost always be able to wreak havoc. In other words, it’s less a question of how to stop hackers from breaking in than how to best survive the inevitable damage.

The description of how things worked at an aluminum plant in Cressona, Pennsylvania is pretty fascinating. How people adapted to every computer at work being shut off.

Ransomware Paid: $140 Million

That is a pretty big payday for the bad guys. FBI Says $140+ Million Paid to Ransomware, Offers Defense Tips.

At the RSA security conference this week, FBI Special Agent Joel DeCapua explained how he used bitcoin wallets and ransom notes that were collected by the FBI, shared by private partners, or found on VirusTotal to compute how much money was paid in ransom payments over 6 years.

According to DeCapua, between 10/01/2013 and 11/07/2019 there have been approximately $144,350,000 in bitcoins paid to ransomware actors as part of a ransom. This money does not include operational costs related to the attack, but purely the ransom payments.

Still think it isn’t worth spending the resources on? I’m sure there is someone in some E-suite somewhere saying he doesn’t believe they will be targeted.

At Some Point, You Deserve What You Get

“It can’t happen to me,” is the stupidest statement you can make when it comes to computer security. Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security.

If you’re going to ignore warnings, from software and from people who support your business, and you’re going to ignore the recommendations from people who know what they are talking about, how exactly do you expect to avoid becoming a victim of hackers?

While analyzing the recently reported ransomware incidents, the Swiss cybersecurity body identified a number of weaknesses that allowed attackers to successfully breach the companies’ defenses (all of them can be mitigated by MELANI’s recommendations):

• Virus protection and warning messages: Companies either did not notice or did not take seriously the warning messages from antivirus software that malware had been found on servers (e.g. domain controllers).
• Remote access protection: Remote connections to systems, so-called Remote Desktop Protocols (RDP), were often protected with a weak password and the input was only set to the default (standard port 3389) and without restrictions (e.g. VPN or IP filter).
• Notifications from authorities: Notifications from authorities or from internet service providers (ISPs) about potential infections were ignored or not taken seriously by the affected companies.
• Offline backups and updates: Many companies only had online backups which were not available offline. In the event of an infestation with ransomware, these backups were also encrypted or permanently deleted.

There are more things that have been suggested and ignored.

Either turn off or secure RDP. Update your operating systems, and other software. Pay attention to warning messages (both from software and from people). Otherwise you too can find out what it’s like to be the victim of ransomware.
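The MELANI findings above come down to a handful of settings you can check on any Windows host: is RDP on at all, is it still on port 3389, is Network Level Authentication required, does the firewall admit connections from anywhere, and is there an account lockout threshold to blunt password guessing. The script below is an added, read-only audit (not from the post or from MELANI) that reports those conditions. It assumes an English-language Windows install, where the firewall rule group is named “Remote Desktop”, and an elevated PowerShell session; the registry keys and cmdlets are the standard ones.

```powershell
# Added example: audit this host's RDP exposure against the weaknesses MELANI lists.
# Read-only; it changes nothing. Run elevated. Assumes the English "Remote Desktop"
# firewall rule group name.

$findings = @()

$ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled (fDenyTSConnections = 0); disable it if nobody needs it.'

    # Default port: scanners try 3389 first, and moving it is not a fix on its own.
    if ($tcp.PortNumber -eq 3389) {
        $findings += 'RDP listens on the default port 3389.'
    }

    # NLA forces authentication before a session is created.
    if ($tcp.UserAuthentication -ne 1) {
        $findings += 'Network Level Authentication is not required (UserAuthentication <> 1).'
    }

    # Enabled inbound allow rules in the Remote Desktop group that accept any remote
    # address are the "without restrictions (e.g. VPN or IP filter)" case.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
        -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address; restrict it to VPN or management ranges."
        }
    }

    # "Weak password" in practice means unlimited guessing: check the lockout threshold.
    $lockout = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    if ($lockout -match 'Never') {
        $findings += 'No account lockout threshold; password guessing against RDP is unlimited.'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No RDP exposure findings on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it on each server that has RDP enabled; anything it reports maps directly onto one of the MELANI bullets, and the fix is the one the post gives: turn RDP off, or put it behind a VPN or IP filter with NLA and lockout on.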

1,000 Ransomware Attacks on Schools for 2019

Because they love to put stuff online, but can’t be bothered about security. Ransomware Hit Over 1,000 U.S. Schools in 2019.

The FBI advises all U.S. entities currently targeted by a heavy barrage of ransomware attacks to follow these best practices:

  • Regularly back up data and verify its integrity
  • Focus on awareness and training
  • Patch the operating system, software, and firmware on devices
  • Enable anti-malware auto-update and perform regular scans
  • Implement the least privilege for file, directory, and network share permissions
  • Disable macro scripts from Office files transmitted via email
  • Implement software restriction policies and controls
  • Employ best practices for use of RDP
  • Implement application whitelisting
  • Implement physical and logical separation of networks and data for different org units
  • Require user interaction for end-user apps communicating with uncategorized online assets

Of course, a lot of the problems of the past few years were caused by, or at least had as a contributing factor, unpatched, unsupported Windows machines. So I seriously doubt that the rest of this will happen. And the backups must be offline. (Ransomware will encrypt your RAID server.)

If you can’t update or upgrade, then you have no business putting stuff on the public internet. Unless dealing with ransomware is something you like to do. But schools and cities will continue to put insecure servers on the public internet, and then shriek about how it was “totally unexpected” when bad things happen.

New Orleans Hit With Ransomware

Are we surprised? New Orleans declares state of emergency following ransomware attack.

Suspicious activity was spotted around 5 a.m. Friday morning. By 8 a.m., there was an uptick in that activity, which included evidence of phishing attempts and ransomware, Kim LaGrue, the city’s head of IT said in a press conference. Once the city confirmed it was under attack, servers and computers were shut down.

Ransomware was detected, but they didn’t say how many computers were hit or what variety it was. They were mostly reassuring everyone that all is fine.

“If there is a positive about being a city that has been touched by disasters and essentially been brought down to zero in the past, is that our plans and activity from a public safety perspective reflect the fact that we can operate with internet, without city networking,” said Collin Arnold, director of Homeland Security, adding that they’ve gone back to pen and paper for now.

I’m sure there will be more info later in the week.

More Ransomware Targeting Health Care

Because of course they are. At some point this stops being news. Zeppelin Ransomware Targets Healthcare and IT Companies.

And it is important to note that this is a phishing (maybe spear phishing) attack on health care.

In a new report from Cylance, researchers have discovered the Zeppelin ransomware being used in targeted attacks against IT and healthcare companies. In at least some of the attacks, Cylance believes that they targeted MSPs in order to further infect customers via management software.

Because if you infect a service provider, you infect all of their clients. (I just said something about outsourcing of IT work…)

My take is still that doctors refuse to follow instructions that aren’t provided by doctors of higher status, but a lot of this is probably overworked people and a good phishing campaign. With probably a little bit of “It won’t happen to me! What are the chances?” Welcome to the 21st Century.

Your After Holiday Security Update

Medical facilities are still getting hit with ransomware. Ransomware Locks Medical Records at Great Plains Health.

On Tuesday, GPHealth announced that it was canceling a large number of non-emergent patient appointments and procedures. This decision does not affect surgeries and select imaging procedures, which continued as planned.

Mel McNea, GPHealth chief executive officer, says that there is no reason to suspect that patient data was accessed but the organization will do a full audit, nevertheless.

My take is still that doctors refuse to follow procedures outlined by IT security professionals. They are not doctors!

In the ironic story of the week… Ryuk Ransomware Forces Prosegur Security Firm to Shut Down Network.

Spanish multinational security company Prosegur announced that it was the victim of a cybersecurity incident disrupting its telecommunication platform.

eCards are a problem? Color me shocked. Beware of Thanksgiving eCard Emails Distributing Malware. OK, I’m not that shocked, since eCards have ALWAYS been a bad idea.

New email campaigns are underway that pretend to be Thanksgiving Day greeting cards and office closing notices with last minute invoices. Users who fall for the emails and open the attached Word documents will be left with a Windows computer infected with a password-stealing Trojan and possibly other malware.

Companies in The Netherlands are targeted. Dutch Govt Warns of 3 Ransomware Infecting 1,800 Businesses.

The three ransomware strains named by the NCSC are LockerGoga, MegaCortex, and Ryuk. All of them have been involved in attacks against businesses.

Yet another reason to not store passwords in your browser. New Chrome Password Stealer Sends Stolen Data to a MongoDB Database. This is actually a fairly common occurrence.

This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome’s password manager.

Yet Another School Hit By Ransomware

Is this even news anymore? When do we start looking at the number of schools not hit with ransomware? Livingston School District in New Jersey Hit With Ransomware.

Students at the Livingston public school district in New Jersey are undoubtedly happy for a two hour delayed opening tomorrow. Unfortunately, this delay is not being caused by snow, but rather by a ransomware attack that the district is still recovering from.

There is little other real information. The district made some “reassuring statements” that didn’t cross over into lies, but were probably close.

“Our understanding is that these criminals do not typically steal data, but rather render the systems unusable”

While true, that is not an assurance that no data was stolen. And then of course Bleeping Computer cites an instance where encrypted data was stolen, and released because no ransom was paid.

Hospital Ransomware Attacks Cause Deaths

What a shock. Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Do you think that security is worth anything? Do you think that doctors will actually follow recommendations from someone who isn’t a doctor?

Does a Hospital Getting Hit with Ransomware Count as News?

I’m leaning toward not news. Brooklyn Hospital Loses Patient Data In Ransomware Attack.

The hospital provided very little information, except to say that the attack happened in July. There was an investigation, and attempts to recover the files in the intervening months.

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Does it need to be stated again? Organizations have decided that backups are not needed. (People have decided that as well, both are wrong.) Or in other cases, they have a backup server which is online to their network, and that gets encrypted as well. At least some of the backups need to be offline.

Alabama Hospital Pays Ransom

But it’s OK, because they have insurance. Alabama Hospitals Back Online 10 Days After Malware Attack.

The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.

So they did what the FBI has been telling people not to do, which is pay the ransom. I wonder if they will take any action to prevent a repeat attack, or if the bad guys are just keeping a list for places to revisit next year. I also wonder how long insurance will be available. You can get homeowners’ insurance because house fires are relatively rare occurrences. If half of your neighborhood burned every year, insurance would be harder to come by, or it would cost a whole lot more.

Is Ransomware Getting Worse? Yes

The FBI sees the writing on the wall. Will anyone listen? FBI warns of major ransomware attacks as criminals go “big-game hunting.”

Where certain attacks have behaved like opportunistic attacks – Baltimore is mentioned – that is changing as the bad guys get better, or worse. Better at being bad guys, anyway.

Data from CrowdStrike has shown a rise in what the firm refers to as “big-game hunting” over the past 18 months. These attacks focus on high-value data or assets within organizations that are especially sensitive to downtime—so the motivation to pay a ransom is consequently very high.

And the FBI, though they didn’t give much info, thought the situation warranted a warning. Not that anyone will listen. Actually preparing for such an attack costs money, and means we have to change the way we do things, in ways that we don’t like, and besides those damn IT folks are always wanting to spend money on some crazy thing. And what can it cost, anyway?

What Is the Cost of a Ransomware Attack?

In the case of Demant (a Danish company), the costs are high. Ransomware incident to cost Danish company a whopping $95 million.

While they had an insurance policy, it will not cover a quarter of that bill. And there are worries that while they were down, and unable even to support retail sales, customers switched brands, and will not be back.

And the company isn’t saying “ransomware.” Though Danish media is reporting it that way, and it “sure did look like one from the outside.”

Most of the losses have come from lost sales and the company not being able to fulfill orders. The actual cost of recovering and rebuilding its IT infrastructure was only around $7.3 million, a small sum compared to the grand total.

So what part of that $7 million has the IT department been pleading for? But as they say, there is much more.

Furthermore, “in our hearing aid retail business, many clinics across our network have not been able to service end-users in a regular fashion.”

These business upheavals have been a disaster for the company’s bottom line. In a message to its investors, Demant said it expects to lose somewhere between $80 million and $95 million.

So, for that $7 million, could the IT folks have made themselves immune to ransomware? Probably not. But they might have been able to mitigate the cost, and it’s not like the company didn’t end up spending the money anyway. The difference is between a scrambling emergency that impacts customers, top-line growth and the bottom line, and a planned implementation.

Other incidents from 2019 include…

defence contractor Rheinmetall, airplane parts manufacturer Asco, aluminum provider Norsk Hydro, cyber-security firm Verint, the UK Police Federation, utility vehicles manufacturer Aebi Schmidt, Arizona Beverages, engineering firm Altran, the Cleveland international airport, and chemicals producers Hexion and Momentive.

Hat tip to Security Now episode #735.

RobbinHood Ransomware Ups Its Game

Ransomware as a business, means marketing will play a role. RobbinHood Ransomware Using Street Cred to Make Victims Pay.

RobbinHood was the ransomware responsible for the Baltimore outage. The number referenced for what the city spent on remediation (they did NOT pay the ransom) is 10 million dollars. That’s a bit disingenuous, because a fair amount of that money was for new equipment. And they are spending even more to harden their infrastructure. I would argue that is money they should have spent BEFORE they were hit. But hey, I’m not in politics.

The operators behind the RobbinHood ransomware have changed their language in the ransom note to take from victims all hope of decrypting the files for free and to make them pay for the recovery.

Boastful and arrogant in their message, the cybercriminals point to past incidents involving their ransomware, which ended with victims paying much more than the ransom demand.

Is there any politician or corporate drone who can say, after their organization gets hit with ransomware, that the attack was “unexpected?” Of course there are; I forget that they are paid to lie every day.

Ransomware Continues to Impact Health Care

Remember when Obama said computerizing medical records would be such a good idea? U.S. and Australian Hospitals Targeted by New Ransomware Attacks.

Three hospitals in Alabama and seven in Victoria, Australia have been hit with ransomware. Some are not accepting new patients. Some are reverting to manual procedures.

In a related bit of news, a California clinical group is closing its offices because they can’t recover patient records.

In related news, following another ransomware attack from early August, Californian medical practice Wood Ranch Medical announced on September 18 that it will be closing offices on December 17 because of the extensive loss of patient healthcare records.

Their “backup server” was online, so it too, was encrypted. Having a separate copy of your data is NOT ENOUGH. How many times do people need to be told that before they’ll listen? Well, if they don’t listen to this advice at this point, then they never will. And my level of sympathy for people playing in traffic was exhausted decades ago.

So I can’t decide if Obama and Company saying how great things would be when all medical records are computerized counts as politicians pretending to be engineers (or computer scientists), or if it is just evidence of colossal arrogance. From my POV, having all the records on computers that the doctors won’t pay to secure hasn’t made things better. I’m sure the hackers LOVE the fact that all those records are computerized. And poorly secured. You could think Obama has some interest in the hacking, but that would be giving him too much credit for understanding what encryption can do. Smartest President Ever™

Just Because It Claims to Be Ransomware…

Or why you shouldn’t pay ransom, and why you should have backups. Destructive Ordinypt Malware Hitting Germany in New Spam Campaign.

A new spam campaign is underway that pretends to be a job application from “Eva Richter” who is sending her photo and resume. This resume, though, is actually an executable masquerading as a PDF file that destroys a victim’s files by installing the Ordinypt Wiper.

It masquerades as ransomware, and demands a ransom, but even if you pay, the files have been overwritten with garbage, NOT encrypted. You won’t/can’t get them back.

So do you have those multiple backups? Are some of them offline? How would you recover?
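The FBI list says to back up data and verify its integrity, the Brooklyn and Wood Ranch stories show online backups getting encrypted alongside everything else, and Ordinypt shows files overwritten with garbage rather than encrypted. The common thread is that you cannot trust a backup you have not checked. The script below is an added example (not code from the post or from any of the linked articles) of one way to do that check: write a manifest of SHA-256 hashes when the backup is taken, keep the manifest somewhere the backup volume cannot reach, and compare the two before relying on the copy. The sample files, the “wiper” overwrite and the ransomware-style rename and note are all constructed for the demonstration.

```python
"""Added example: verify a backup against a hash manifest stored separately.

Detects three things a ransomware or wiper event leaves behind in an online
backup: files changed in place (encrypted or overwritten with garbage), files
that vanished (renamed with a new extension), and files that should not be
there (the renamed copies, ransom notes). All sample data below is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Hash every file under backup_dir; return {posix_relative_path: sha256}."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(backup_dir).as_posix()] = sha256_of(p)
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup on disk against a manifest saved elsewhere.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}.
    An empty result means the copy matches what was recorded at backup time.
    """
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, record the manifest off-volume, then
    simulate a wiper overwrite of one file and a ransomware rename plus ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "patient_001.txt").write_bytes(b"sample record 001")
        (backup / "records" / "patient_002.txt").write_bytes(b"sample record 002")
        (backup / "labs.csv").write_bytes(b"id,result\n1,ok\n")

        # The manifest lives outside the backup tree (here: the parent temp dir).
        manifest_path = Path(tmp) / MANIFEST_NAME
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Ordinypt-style overwrite with garbage, then a ransomware-style rename and note.
        (backup / "records" / "patient_001.txt").write_bytes(b"\xde\xad\xbe\xef" * 4)
        (backup / "labs.csv").rename(backup / "labs.csv.locked")
        (backup / "README_TO_RESTORE.txt").write_bytes(b"pay us")

        saved = json.loads(manifest_path.read_text())
        return verify_backup(backup, saved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest only helps if the copy holding it is not reachable by the same credentials that can write the backup; that is the “offline” part the post keeps repeating, and no script can substitute for it. Run the verification as part of the restore drill, not just after an incident, so you find out the backup is bad while the production data is still intact.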

A City Says “Nuts” to Ransomware Demand

Granted, coming up with a payment that large is probably a problem for most municipalities. $5.3M Ransomware Demand: Massachusetts City Says No Thanks.

Okay, they aren’t really channeling Anthony McAuliffe and the 101st Airborne, but they decided not to pay.

New Bedford, population 95,000 is near Boston.

After a ransomware attack slapped a hefty payout demand of $5.3 million on New Bedford, Mass., the city announced that it is instead opting to pick up the pieces and restore what it can from backups itself.

They had a little bit of luck, and they had some decent architecture. Which resulted in only about 4 percent of computers being hacked. They did have to shut down for an extended period of time.

That’s because after learning of the attack, the city was able to rapidly disconnect its computer servers and shut down systems. In addition, the attack hit after the July 4 holiday, meaning that a large number of computers were turned off at the same time that the ransomware was attempting to spread; and, officials said the city’s network was compartmentalized “to a certain degree,” making it harder for the malware to spread.

And they told us what the ransomware was, Ryuk (Ree-ook). Ryuk is both a strain of ransomware that has been wreaking havoc in various places and a character from a Manga (Japanese comic book) called Death Note. He is a Shinigami, “supernatural spirits that invite humans toward death in certain aspects of Japanese religion and culture.” I think that says something about the authors of the ransomware.

The city tried to negotiate a smaller payment, but that was rejected by the attackers. So off they go to restore.

Ransomware Attacks on Cities, Schools and Dentists

People need to figure out how to work with data that is NOT online. Because if you don’t have the resources to defend your data, it will be encrypted. Cybercriminals Attacking Schools, Governments With Ransomware.

Cybercriminals are wreaking havoc across America in recent months, with the latest target being local governments and even schools.

A school in Orange County, New York, was all set to welcome students back from summer vacation on Wednesday, but a ransomware attack has delayed the start of the school year.

As many have said, the smaller cities and schools are not spending money on cybersecurity. Which at this point, they need to seriously consider doing, or they should consider stopping with the “put all the data online” push.

And the dentists? Ransomware Attack on Digital Dental Records Impacts Many Providers.

The computer systems of a large number of US dental offices were infected with ransomware on Monday, [week ago] after a malware attack on the Digital Dental Record and PerCSoft’s cloud remote management software. The impacted providers are still attempting to recover access to their patient data and systems.

And also Ransomware Bites Dental Data Backup Firm. Attacks on service providers mean one attack can impact multiple offices/sites, whether that be dentists, doctors, cities or schools.

Attacks on hospitals and larger clinics remain common, but cities and schools are more likely to be in the news.

And sadly, things will get worse before they get better.