Tag Archives: cyber criminal

Ransoms: To pay nothing or not to pay? That is the question.

Sometimes, reading an article about what to do in case of a ransomware attack, I come across words like: ‘Think about paying up’. It’s then when I sigh, exhale with puffed-out cheeks… and close the browser tab. Why? Because you should never pay extortionists! And not only because if you did you’d be supporting criminal activity. There are other reasons. Let me go over them here.

First, you’re sponsoring malware development

Read on…

Ransomware: no more jokes.

First: brief backgrounder…

On September 10, the ransomware-malware DoppelPaymer encrypted 30 servers of a hospital in the German city of Dusseldorf, due to which throughput of sick patients fell dramatically. A week ago, due to this fall, the hospital wasn’t able to accept a patient who was in need of an urgent operation, and had to send her to a hospital in a neighboring city. She died on the way. It was the first known case of loss of human life as a result of a ransomware attack.

A very sad case indeed – especially when you look closer: there was the fatal ‘accident’ itself (presuming the attackers didn’t foresee a fatality caused by their ghastly actions); there was also a clear neglect of the following of basic rules of cybersecurity hygiene; and there was also an inability on the part of the law enforcement authorities to successfully counter the organized criminals involved.

The hackers attacked the hospital’s network via a vulnerability (aka Shitrix) on the Citrix Netscaler servers, which was patched as far back as January. It appears that the system administrators waited way too long before finally getting round to installing the patch, and in the meantime the bad guys were able to penetrate the network and install a backdoor.

Up to here – that’s all fact. From here on in: conjecture that can’t be confirmed – but which does look somewhat likely…

It can’t be ruled out that after some time access to the backdoor was sold to other hackers on underground forums as ‘access to a backdoor at a university’. The attack indeed was initially aimed at the nearby Heinrich Heine University. It was this university that was specified in the extortionists’ email demanding a ransom for the return of the data they’d encrypted. When the hackers found out that it was a hospital – not a university – they were quick to hand it all the encryption keys (and then they disappeared). It looks like Trojan’ed hospitals aren’t all that attractive to cybercriminals – they’re deemed assets that are too ‘toxic’ (as has been demonstrated in the worst – mortal – way).

It’s likely that the Russian-speaking Evil Corp hacker group is behind DoppelPaymer, a group with dozens of other high-profile hacks and shakedowns (including on Garmin‘s network) to its name. In 2019 the US government issued a indictment for individuals involved in Evil Corp, and offered a reward of five million dollars for help in catching them. What’s curious is that the identities of the criminals are known, and up until recently they’d been swaggering about and showing off their blingy gangster-style lifestyles – including on social media.

Source

What’s the world come to? There’s so much wrong here. First, there’s the fact that hospitals are suffering at the hands of ransomware hackers in the first place – even though, at least in this deadly case in Dusseldorf, it looks like it was a case of mistaken identity (hospital – not a university). Second, there’s the fact that universities are being targeted (often to steal research data – including COVID-19 related). But here’s my ‘third’ – from the cybersecurity angle…

How can a hospital be so careless? Not patching a vulnerability on time – leaving the door wide open for cyber-scum to walk right through it and backdoor everything? How many times have we repeated that FreeBSD (which is what Netscaler works on) is in no way a guarantee of security, and in fact is just the opposite: a cybersecurity expert’s faux ami? This operating system is far from being immune and has weaknesses that can be used in sophisticated cyberattacks. And then of course there’s the fact that such a critical institution as a hospital (also infrastructural organizations), need to have multi-level protection, where each level backs up the others: if the hospital had had reliable protection installed on its network the hackers would probably never have managed to pull off what they did.

The German police are now investigating the chain of events that led up to the death of the patient. And I hope that the German authorities will turn to those of Russia with a formal request for cooperation in detaining the criminals involved.

See, for police to open a criminal case, a formal statement/request or subject matter of a crime committed needs to be presented at the very least. This or that article in the press or some other kind of non-formal comments or announcement aren’t recognized by the legal system. No formal request – no case. Otherwise attorneys would easily cause the case to collapse in the blink of an eye. However, if there is what looks like credible evidence of a crime committed, there’s an inter-governmental interaction procedure in place that needs to be followed. OTT-formal: yes; but that’s ‘just the way it is’. Governments need to get past their political prejudices and act together. Folks are dying already – and while international cooperation is largely frozen by geopolitics, cybercriminals will keep on reaching new heights lows of depraved actions against humanity.

UPD: The first step toward reinstating cooperation in cybersecurity has been taken. Fingers crossed…

Btw: Have you noticed how there’s hardly ever any news of successful attacks by ransomware hackers against Russian organizations? Have you ever wondered why? I personally won’t entertain for a moment the silly conspiracy theories about these hackers working for Russian secret services – as there are many ransomware groups around the world. Here’s why, IMHO: Because most Russian companies are protected by good quality cyber-protection, and soon they will be protected by a cyber-immune operating system – yep, that very protection that’s been banned for use in U.S. state institutions. Go figure.

UPD2: Just yesterday a ransomware attack was reported on one of America’s largest hospital chains, UHS: its computers – which serve ~250 facilities across the whole country – were shut down, which led to cancelled surguries, diverted ambulances, and patient registrations having to be completed oin paper. There are no further details as yet…

Cyber-tales update from the quarantined side: March 92, 2020.

Most folks around the world have been in lockdown now for around three months! And you’ll have heard mention of a certain movie over those last three months, I’m sure, plenty; but here’s a new take on it: Groundhog Day is no longer a fun film! Then there’s the ‘damned if you’re good, damned if you’re bad’ thing with the weather: it stays bad and wet and wintry: that’s an extra downer for everyone (in addition to lockdown); it gets good and dry and summery: that’s a downer for everyone also, as no one can go out for long to enjoy it!

Still, I guess that maybe it’s some consolation that most all of us are going through the same thing sat at home. Maybe. But that’s us – good/normal folks. What about cyber-evil? How have they been ‘coping’, cooped up at home? Well, the other week I gave you some stats and trends about that. Today I want to follow that up with an update – for, yes, the cyber-baddies move fast. // Oh, and btw – if you’re interested in more cyber-tales from the dark side, aka I-news, check out this archives tag.

First off, a few more statistics – updated ones; reassuring ones at that…

March, and then even more so – April – saw large jumps in overall cybercriminal activity; however, May has since seen a sharp drop back down – to around the pre-corona levels of January-February:

At the same time we’ve been seeing a steady decline in all coronavirus-connected malware numbers:

// By ‘coronavirus-connected malware’ is meant cyberattacks that have used the coronavirus topic in some way to advance its criminal aims.

So, it would appear the news is promising. The cyber-miscreants are up to their mischief less than before. However, what the stats don’t show is – why; or – what are they doing instead? Surely they didn’t take the whole month of May off given its rather high number of days-off in many parts of the world, including those for celebrating the end of WWII? No, can’t be that. What then?…

Read on…

Enter your email address to subscribe to this blog
(Required)

Cyber-news from the dark side – ver. SAS-2019.

Hi folks!

Herewith, the next in my series of occasional iNews, aka cyber-news from the dark side updates – this one based on some of the presentations I saw at our annual Security Analyst Summit in Singapore last month.

One of the main features of every SAS is the presentations given by experts. Unlike other geopolitically-correct conferences, here the analysts up on stage share what they’ve discovered regarding any cyberthreat, no matter where it may come from, and they do this based on principle. After all, malware is malware and users need to be protected from all of it, regardless of the declared virtue of the intentions of those behind it. Just remember the boomerang effect.

And if certain media outlets blatantly lie about us in response to this principled position, so be it. And it’s not just our principles they attack – for we practice what we preach: we’re way ahead of the competition when it comes to the numbers of solved cyberespionage operations. And we’re not planning on changing our position in any way to the detriment of our users.

So here are a few synopses of the coolest investigations talked about at SAS by the experts behind them. The most interesting, most shocking, most scary, most OMG…

1. TajMahal

Last year, we uncovered an attack on a diplomatic organization from Central Asia. Of course, that an organization like that is interesting to cybercriminals should come as no surprise. The information systems of embassies, consulates and diplomatic missions have always been of interest to other states and their spy agencies or generally any bad guys with sufficient technical ability and financial wherewithal. Yes, we’ve all read spy novels. But here was something new: here a true ‘TajMahal’ was built for the attacks – an APT platform with a vast number of plugins used (we’ve never seen so many used on one APT platform – by far) for all sorts of attack scenarios using various tools.

The platform consists of two parts: Tokyo and Yokohama. The former is the main backdoor, which also fulfils the function of delivery of the latter malicious program. The latter has very broad functionality: stealing cookies, intercepting documents from the printer queue, recording VoIP calls (including WhatsApp and FaceTime), taking screenshots, and much more. The TajMahal operation has been active now for at least five years. And its complexity would suggest that it’s been built with more than one target in mind; the rest remain for us to find…

Details of this APT-behemoth you can find here.

Read on…

Keeping Cybersecurity Separate from Geopolitics.

Last week, Kaspersky Lab was in the spotlight again in another ‘sensational’ news stream.

I say ‘again’ as this isn’t the first time we’ve been faced with allegations, ungrounded speculation and all sorts of other made-up things since the change of the geopolitical situation a few years ago. With the U.S. and Russia at odds, somehow, my company, its innovative and proven products as well as our amazing employees are repeatedly being defamed, given that I started the company in Russia 20 years ago. While this wasn’t really a problem before, I get it– it’s definitely not popular to be Russian right now in some countries.

For some reason the assumption continues to resonate that since we’re Russian, we must also be tied to the Russian government. But really, as a global company, does anyone seriously think we could survive this long if we were a pawn of ANY government? Our whole business is based on one thing – besides expertise – and that’s trust. Would we really risk our whole business by undermining our trustworthiness?

Especially given that the best non-Kaspersky Lab security researchers (hackers) are constantly scouring our code/products to find and report vulnerabilities. In fact, we even have a public bug bounty program, where we pay researchers to examine our products and search for any issues or possible security concerns. If there was anything suspicious or nefarious to find, they would have publicly shouted it to the roof tops by now.

Read on: Five destructive repercussions of a technology sanctions game…

Cyber-Forecast: 2017.

Such is the way Homo Sapiens are: we’re constantly – even recklessly – looking to the future to try and work out what it might hold for us. Many say we should all live in the present – after all, the future never comes – but, well, that doesn’t work for everyone, and most of us do need to make at least some plans for our futures.

But there are different approaches to looking ahead.

There’s belief in fate, pure guessing, flipping a coin, and so on. There’s also not thinking about the future at all. But there’s a far superior, science-based approach too. This is doing the eastern spirituality thing a bit – not quite being in the present but carefully analyzing the present instead – to be able to predict the future as accurately as possible. And this is exactly what is done to predict the cyber-future; in particular – the security of the cyber-future. And that’s what we do – little by little every day, but also broadly and deeply and especially – and merrily – every year, when we bring together the world’s cybersecurity elite for a week-long pow-wow in a tropical seaside resort, which pow-wow we call the Security Analyst Summit (SAS):

Oops – wrong vid. Here u go…:

Dough! Nope. This one:

I don’t know quite how it’s done but every single year SAS just gets better. I mean, it’s always been GReAT, but the GReATness just keeps going up and up: more experts, better quality content, better and more original ideas, slicker, cooler, and more and more world scoops and exclusive material.

And it’s exclusive material that I’ll be writing about in this here post. Specifically, my Top-5 favorite presentations from SAS-2017. I’m not saying the others were no good or just so-so, it’s just I wasn’t physically able to see them all as they were running simultaneously in different halls. Also – everyone has their own taste; well here’s a guide to mine!…

Off we go!…

Read on: A Maze for a Penguin Under the Moonlight…

Uh-Oh Cyber-News: Infect a Friend, Rebooting Boeings, No-Authentication Holes, and More.

Hi folks!

Herewith, the next installment in my ‘Uh-oh Cyber-News’ column – the one in which I keep you up to date with all that’s scarily fragile and frailly scary in the digital world.

Since the last ‘Uh-oh’ a lot has piled up that really needs bringing to your attention. Yep, the flow of ‘Uh-ohs’ has indeed turned from mere mountain-stream trickle to full-on Niagara levels. And that flow just keeps on getting faster and faster…

As a veteran of cyber-defense, I can tell you that in times past cataclysms of a planetary scale were discussed for maybe half a year. While now the stream of messages is like salmon in spawning season: overload! So many they’re hardly worth mentioning as they’re already yesterday’s news before you can say ‘digital over-DDoSe’. “I heard how they hacked Mega-Corporation X the other day and stole everything; even the boss’s hamster was whisked away by a drone!”…

Anyway, since the stream of consciousness cyber-scandals is rapidly on the up and up, accordingly, the number of such scandals I’ll be writing about has also gone up. In the past there were three of four per blogpost. Today: seven!

Popcorn/coffee/beer at the ready? Off we go…

1) Infect a Friend and Get Your Own Files Unlocked for Free.

Read on: Effective Hacker Headhunting…

A Brief History of DDoS Attacks.

And so it’s come to pass: the abbreviation ‘DDoS‘ has entered the lexicon to such an extent that it often doesn’t get written out in full these days in the general interest newspapers. Well, some actually may still not know what it stands for, but everyone and their dog does know that a DDoS is very bad thing for a certain large target, with something very important suddenly not working, with employees twiddling their thumbs as the network’s down, and with their tech-support’s telephones requiring an ice bath as they’re so hot from ringing – and disgruntled clients swearing down them all the time. What’s more, everyone and their cat also knows that normally a DDoS attack gets carried out by unknown, mysterious – and just plain bad – cyber-enemies.

DDoS attacks have evolved very quickly, as you’ll find out reading this blogpost. They’ve grown much nastier and become a lot more technically advanced; from time to time the adopt utterly unusual attack methods; they go after fresh new targets; and break new world records in being the biggest and baddest DDoS’s ever. But, then, the world in which DDoS find themselves in has evolved very quickly too. Everything and the kitchen sink is online: the number of assorted ‘smart’ [sic] devices connected to the net now far outstrips the number of good old desktop and laptop computers.

The result of these two evolutions running in parallel – of DDoS’s themselves plus the digital landscape in which they dwell – has brought us equally evolved headlines: botnets made up of IP cameras and home Wi-Fi routers breaking DDoS records on size (Mirai), and massive DDoS attacks on Russian banks.

If, earlier, botnets were made up of zombie PCs, soon they’ll be made up of zombie refrigerators, vacuum cleaners, tumble dryers and coffee machines.

brevity-comic

Read on: So what’s next?…

Uh-oh Cyber-News: The Future’s Arrived, and Malware Back from the Dead.

As always for this ‘column‘, I’ll be giving you a round-up of some of the most eek recent items of cybersecurity news, which might not have made the headlines but which are no less eek for that. And as usual, it’s all mostly bad news. There are still a few reasons to be optimistic though – but only a few. Eek!

Uh-oh Cyber-News Item No. 1: The Future’s Arrived.

news-1A screenshot from Blade Runner

Many authors like to fantasize about how things will be in the future. Often, science fiction writers come up with deep philosophical reflections upon man and his place in the Universe. There’s Russia’s Strugatsky brothers, there’s Philip K. Dick, and there’s Arthur C. Clarke (plus his ‘translator’ to the silver screen Stanley Kubrick), for example. And very often such deep philosophical reflection is rather bleak and scary.

Other times, the reflection is a little less deep and philosophical, but no less likely to one day lead to reality – in fact, oftentimes more so. This is where I make appearances!…

So. Back in the first decade of this century, during my presentations your humble servant liked to tell fun ‘scare’ stories about what could happen in the future. Example: a coffeemaker launches a DDoS attack on the fridge, while the microwave works out the factory PINs of the juicer so it can then show text-adverts on its digital display.

Fast forward less than a decade and such ‘sci-fi’ is coming true…

Read on: Computer worms rising from the dead…

Uh-oh Cyber-News: Infected Nuclear Reactors, Cyber-Bank Robbers, and Cyber-Dam-Busters.

Just a quick read of the news these days and you can find yourself wanting to reach for… a Geiger counter. I mean, some of the news stories are just so alarming of late. Or am I overreacting? Let’s see…

Uh-oh News Item No. 1: Apocalypse Averted – for Now. 

inews-1Photo courtesy of Wikipedia

It was reported that the IT system of Unit B of the Gundremmingen Nuclear Power Plant in Swabia, Bavaria, southwestern Germany – right on the 30-year anniversary to-the-day of the Chernobyl disaster (!) – had been infected by some malware. However, it was also reported that there’s no reason to worry at all as no danger’s being posed whatsoever. All’s ok; we can all sleep soundly; everything’s under control; the danger level couldn’t be lower.

After sighing a ‘pheewwwww’ and mopping one’s brow, you read further…

… And as you do, you get a few more details of the incident. And it does indeed seem all is ok: the background radiation level, after all, didn’t go up – that’s the main thing, surely. Right? But then you read further still…

And you find out that the (Internet-isolated) system that was infected happens to be the one that controls the movement of nuclear fuel rods. It’s here you stop, rub the eyes, and read that again slowly…

WHAAAAT?

Read on: Cyber-Spy-Novel-Worthy …