Category Archives: ryuk

Cyber Security Roundup for November 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

London's Hackney Borough Council has been tight-lipped about "a serious cyber-attack" which took down its IT systems, impacting its service delivery to citizens. Providing scant information about the attack, but it does have all the hallmarks of a ransomware outbreak. The council says it is working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident. Ransomware attacks continue to be a major blight for UK public services, with councils to hospitals struggling to defend their IT systems against ransomware. Earlier this year Redcar and Cleveland Borough Council said it had been hit by a ransomware attack, which cost it more than £10m.

It looks like the ransomware will continue to pose a major threat to the UK for some time to come, with separate reports advising a resurgence in the Emotet trojan, a common dropper of ransomware, while the hacking group behind the notorious Ryuk ransomware has been reported as being active again. A new variant of the Ryuk ransomware was behind a cyberattack on Sopra Steria’s operations in October 2020, the digital services company confirmed.

British Airways had it credit card breach DPA fine cut by a massive £163m to £20m by the UK Information Commissioner's Office (ICO), which imposed the original fine after the now pandemic financially beleaguered airline lost 430,000 payment card details to hackers after an e-commence skimming attack in 2018

 BA lost 430,000 payment card details to hackers after Magecart e-commence skimming attack in 2018
This data breach was a lesson in failing at PCI DSS compliance, with customer credit card details stolen due to ‘Magecart’ payment card skimming script being injected onto the BA payment page. The attackers initially compromised the BA network through a third-party worker’s remote access (not MFA protected), gaining access to BA's Citrix environment. Once inside the BA network, the attackers were gifted privilege level access after finding a domain admin account username and password in plaintext on a server folder. I understand investigators found the storage of payment cards in plaintext, including CVV numbers post-payment authorisation which is never permitted under PCI DSS rules. Aside from the ICO fine and reputational damage, this breach cost is likely to have cost BA a small fortune in specialised PCI PFI digital investigation forensic work, a complete solution rebuild, and with card brand penalties. The Visa Chief Enterprise Risk Officer once said ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach’, I understand that statement still rings true today.

The ICO didn't hold back in dishing a massive DPA (GDPR) fine to the Marriott Hotels chain to the tune of £18.4m after a major data breach which affected up to 7 million UK guests. The ICO reported UK citizen names, contact information, and passport details were compromised in the cyber-attack. The ICO also said the company failed to put appropriate safeguards in place but acknowledged it had improved.

Meanwhile, the UK NCSC released an advisory which repeated an earlier United States warning that Chinese Threat Actors are exploiting well-known software vulnerabilities. The advisory details 25 top vulnerabilities that are being exploited whilst offering mitigation advice. Many of the vulnerabilities allow attackers to gain access to a victim’s network by exploiting products directly connected to the internet. The NSA has also produced a nice infographic breaking the 25 vulnerabilities down by threat.


Stay safe and secure.

BLOG

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

    FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

    On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

    The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”

    The agencies said they were sharing the information “to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

    The warning came less than two days after this author received a tip from Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security. Holden said he saw online communications this week between cybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.

    One participant on the government conference call today said the agencies offered few concrete details of how healthcare organizations might better protect themselves against this threat actor or purported malware campaign.

    “They didn’t share any IoCs [indicators of compromise], so it’s just been ‘patch your systems and report anything suspicious’,” said a healthcare industry veteran who sat in on the discussion.

    However, others on the call said IoCs may be of little help for hospitals that have already been infiltrated by Ryuk. That’s because the malware infrastructure used by the Ryuk gang is often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called “command and control” servers used to transmit data between and among compromised systems.

    Nevertheless, cybersecurity incident response firm Mandiant today released a list of domains and Internet addresses used by Ryuk in previous attacks throughout 2020 and up to the present day. Mandiant refers to the group by the threat actor classification “UNC1878,” and aired a webcast today detailing some of Ryuk’s latest exploitation tactics.

    Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.

    “Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline,” Carmakal said.

    One health industry veteran who participated in the call today and who spoke with KrebsOnSecurity on condition of anonymity said if there truly are hundreds of medical facilities at imminent risk here, that would seem to go beyond the scope of any one hospital group and may implicate some kind of electronic health record provider that integrates with many care facilities.

    So far, however, nothing like hundreds of facilities have publicly reported ransomware incidents. But there have been a handful of hospitals dealing with ransomware attacks in the past few days.

    Becker’s Hospital Review reported today that a ransomware attack hit Klamath Falls, Ore.-based Sky Lakes Medical Center’s computer systems.

    WWNY’s Channel 7 News in New York reported yesterday that a Ryuk ransomware attack on St. Lawrence Health System led to computer infections at Caton-Potsdam, Messena and Gouverneur hospitals.

    SWNewsMedia.com on Monday reported on “unidentified network activity” that caused disruption to certain operations at Ridgeview Medical Center in Waconia, Minn. SWNews says Ridgeview’s system includes Chaska’s Two Twelve Medical Center, three hospitals, clinics and other emergency and long-term care sites around the metro area.

    NBC5 reports The University of Vermont Health Network is dealing with a “significant and ongoing system-wide network issue” that could be a malicious cyber attack.

    -A story at BleepingComputer.com says Wyckoff Hospital in New York suffered a Ryuk ransomware attack on Oct. 28.

    This is a developing story. Stay tuned for further updates.

    Update, 10:11 p.m. ET: The FBI, DHS and HHS just jointly issued an alert about this, available here.

    Update, Oct. 30, 11:14 a.m. ET: Added mention of Wyckoff hospital Ryuk compromise.

    Cyber Security Roundup for October 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, September 2020.

    COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of University and Colleges in September.  Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom payment was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period", that statement is the hallmark of recovery from a mass ransomware infection.

    Doppelpaymer Ransom notice

    On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

    Across the pond, healthcare giant Universal Heather Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note fitted the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods".

    'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud, in other words, orchestrating cyber exportation attacks against US firms.


    ZeroLogon:  IT Support Staff must Patch Now!
    A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after the Microsoft, CISA, the UK NCSC, and other security bodies warned the vulnerability was being actively exploited in mid-September. Dubbed 'Zerologon', Microsoft issued a security fix for the bug, which scored a maximum criticality rate of 10.0, as part of their August 2020 'Patch Tuesday' release of monthly security updates. Since that public disclosure of the flaw, there have been multiple proofs-of-concept (PoC) exploits appearing on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigation or workarounds for this vulnerability, so it is essential for the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and then ensure DC enforcement mode is enabled. 

    Stay safe and secure.

    BLOG

    NEWS
    AWARENESS, EDUCATION AND THREAT INTELLIGENCE