SANS NewsBites

Ransomware's Real World Impacts: Corporate Fatality, School District Delays Start Date, Lawsuit Against Attackers, and More

January 7, 2020  |  Volume XXII - Issue #2

Top of the News


2020-01-03

Company Closes After Ransomware Attack

Last month, an Arkansas-based telemarketing company told employees that it was "temporarily suspending operations" after struggling to recover from an October 2019 ransomware attack. The Heritage Company notified employees of its decision on December 23. On January 2, 2020, employees learned that the company is urging them to seek new employment elsewhere because it has not made sufficient strides in its recovery.

Editor's Note

That size business (300 - 500 employees) often faces the toughest cybersecurity challenge - big enough to have fairly complex IT operations but too small to routinely staff IT and security teams with enough skilled people to achieve basic security hygiene. If you work at one of those companies and have been fighting that battle, this is a good case study to show management. The Center for Internet Security has a good starting point in a Small Midsize Enterprise guide to the Critical Security Controls, found at https://www.cisecurity.org/white-papers/cis-controls-sme-guide/ (CIS Controls SME Companion Guide).

John Pescatore

As we have seen with other attacks, such as the attacks to NOLA and Baltimore, IT and business process recovery can take a long time. Further, recovery of necessary capital to continue to make payroll and other expenses can be even harder, particularly after the added expenditures associated with system recovery. In this case, both billing and payment processing capabilities were shut down, closing off the business income sources. Beyond purchasing cyber insurance, make sure to take a hard look at your business resumption plan and identify conditions which, if present, are fatal to the business and develop a plan accordingly. Clear communication about the nature and breadth of incidents can help employees make good decisions and build support around recovery efforts.

Lee Neely

This demonstrates that the risk of "ransomware" attacks is existential. This will not be the last enterprise to be destroyed by "ransomware." However, at this stage in the game, every enterprise should be aware and prepared. Preparations should include strong authentication, "least privilege" access control, end-to-end application layer encryption, "three" copies of mission critical data, on "two" kinds of media, at least "one" offsite, with a capability to recover critical applications in a timely manner.

William Hugh Murray

2020-01-03

Ransomware Forces School District to Delay Start Date

A ransomware attack forced Richmond Community Schools in Michigan to delay their re-opening after the holidays. The malware, which hit the district's IT systems on December 27, appears to have made its way onto school systems through a network connection with the district's HVAC provider. The attack affected numerous Richmond Community Schools systems, including heating, telephones, and classroom technology. IT staff are restoring systems from the district's backup server. The district was scheduled to reopen on January 2, 2020, but pushed the start date out to January 6.


2020-01-03

Company Targeted by Ransomware Sues Attackers

Wire and cable manufacturer Southwire is suing the operators of the Maze ransomware that infected its computers in December 2019. When Southwire refused to pay the $6 million ransom, the operators posted data taken from the company's systems online. The company is suing the unknown operators "for injunctive relief and damages" under the Computer Fraud and Abuse Act (CFAA). The company is also seeking injunctions against the company that hosts the site the attackers used to post the stolen data.

Editor's Note

While the identities of the operators of the Maze ransomware remain unknown, and the outcome of that action is uncertain, the injunction against the hosting company resulted in taking down the site that hosted the stolen data. The question remains whether this will be an effective way to recover this type of content, or whether it will result in the content being moved to other providers or Tor, which will be harder to take down.

Lee Neely

2020-01-07

Bicycle Maker Experiences "Massive Cyber Attack"

Canyon Bicycles was hit with what is likely a ransomware attack at the very end of 2019. The company, which is based in Koblenz, Germany, says that the incident will affect customer contact and delivery for several days.

Editor's Note

With 800 employees and just under $300M in revenue, Canyon is a good example of the higher end of small midsize enterprise space in the manufacturing space. If you work at a company with a similar profile, this is a good example to use to get across the direct connection between basic security hygiene and revenue - when products don't ship, revenue stops and competitors zoom forward.

John Pescatore

Make sure that your DR/COOP plans include objectives that support the company remaining both viable and competitive. Those plans may also need to include verified alternate business options to bridge the gap.

Lee Neely

The Rest of the Week's News


2020-01-06

DHS Warns of Possibility of Cyber Retaliation from Iran

The US Department of Homeland Security (DHS) has issued a National Terrorism Advisory System Bulletin warning of possible avenues of retaliation Iran could take against the US. The bulletin notes that "Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States."

Editor's Note

While Iran has cyber offense capabilities, there is no indication as to what to expect when. The best thing to do now is report suspicious activities, ensure security personnel are monitoring for relevant IOCs and TTPs, exercise incident response plans, and make sure you take care of the basics, such as effective backups and multifactor authentication. The CISA.gov and DHS Hometown Security Campaign are good resources here: https://www.dhs.gov/cisa/hometown-security (Hometown Security).

Lee Neely

It is never a bad idea to use current events to ramp up attention being paid to cybersecurity. However, physical attacks are more often met with physical retaliation. Good idea to make sure your mail room is alert for suspicious packages - US Postal Service Publication 166 is a good set of guidelines, at https://about.usps.com/publications/pub166.pdf (Who Protects Your Mail?, PDF).

John Pescatore

The same pervasive vulnerabilities that are being exploited in "ransomware" attacks can be exploited in "wiper" attacks by nation states in times of hostility. The problem of attribution of these attacks makes them particularly attractive.

William Hugh Murray

2020-01-02

New Orleans Cyberattack Update

Three weeks after computer systems at the city of New Orleans, Louisiana, were hit with a ransomware attack, city officials said that the city's police department and its court system were expected to have access to their computer networks. The system for paying city-related bills should be back online by the end of January.


2020-01-06

Cisco Releases Fixes for 12 Vulnerabilities in Data Center Network Manager

Cisco has released fixes to address a dozen vulnerabilities in its Data Center Network Manager. Three of the vulnerabilities are rated critical. Cisco also warned of an increase in attacks exploiting a known denial-of-service and information disclosure flaw in its Adaptive Security Appliance and Firepower Appliance.

Editor's Note

As a general rule, it is more important to patch thoroughly than urgently. That said, patches to infrastructure should get priority.

William Hugh Murray

2020-01-06

Travelex Currency Exchange Takes Down Online Services After Malware Attack

Currency exchange Travelex was hit with malware on New Year's Eve, prompting it to take down all of its online services as well as its mobile app. As of Monday, January 6, the online services were still unavailable. (Please note that the WSJ story is behind a paywall.)

Editor's Note

Travelex was hit by REvil/Sodinokibi ransomware and the current demand is $3 million. The compromise appears to be the result of exploiting the critical Pulse Secure VPN vulnerability (CVE-2019-11510), highlighting the importance of patching services which provide or control access to your network. The exfiltrated data includes dates of birth, social security numbers and card numbers, and Sodinokibi says they will publish it if not paid; if you are (or were) a Travelex customer, verifying that you have active credit monitoring, including any Travelex issued cards, would be prudent.

Lee Neely

2020-01-04

Erie, CO Lost $1 Million to Scammers

Hackers pretending to be a contractor hired by the town of Erie, Colorado stole more than $1 million from the town's coffers. The hackers requested a change in the method of payment from a check to an electronic funds transfer.

Editor's Note

Out-of-band confirmation of all payment mechanisms, no longer just wire transfers, is essential for both establishment of and changes to payment methods. Even legitimate communications can include transcription errors that can be corrected prior to failed or misdirected payments.

Lee Neely

2020-01-06

Austria's Foreign Ministry Hit with Cyberattack

A "serious cyberattack" on systems at Austria's Foreign Ministry may be the work of another foreign country, according to the ministry. The attack began on Saturday, January 4.


2020-01-06

Chrome Extension Stole Cryptocurrency

A Chrome extension that purported to be a cryptocurrency wallet actually stole $16,000 in cryptocurrency from at least one user. The extension, called "Ledger Secure," had been available in the Chrome Web Store. It is not related to the physical cryptocurrency wallet maker Ledger. The extension has been removed from the store.

Editor's Note

Not a bad idea to scan for and remove this extension if detected. Also, relative to the use of cryptocurrency wallets on corporate computers: users' right to privacy, or lack thereof, and corporate liability, particularly for security, need to be carefully considered.

Lee Neely

While the blockchain on which cryptocurrency is based is secure, the wallets and exchanges are so vulnerable as to put the whole scheme at risk.

William Hugh Murray
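
Lee Neely's suggestion above to scan for and remove the extension is the kind of sweep an endpoint team would script. The following is an added example, not code from the newsletter or from any of the editors: it walks a Chrome profile's Extensions directory, reads each installed version's manifest.json, resolves Chrome's "__MSG_key__" localized-name placeholders through the default locale's messages.json, and reports any extension whose display name is on a watchlist. The only watchlist entry is the "Ledger Secure" name given in the item; the 32-letter extension IDs, version strings and the temp-directory profile the demo builds are constructed placeholders, not the real store ID, which the newsletter does not give.

```python
import json
import tempfile
from pathlib import Path

# Names to flag, compared case-insensitively after trimming whitespace.
# "Ledger Secure" is the extension name reported in the NewsBites item;
# in practice you would match on the store ID as well, once you have it.
WATCHLIST = {"ledger secure"}


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return an extension's display name.

    Chrome manifests may localize the name as "__MSG_<key>__"; the real string
    then lives in _locales/<default_locale>/messages.json under <key>.message.
    """
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages_path = version_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(messages_path.read_text(encoding="utf-8-sig"))
            name = messages[key]["message"]
        except (OSError, KeyError, TypeError, ValueError):
            pass  # keep the raw placeholder so the extension is still listed
    return name


def find_watchlisted_extensions(profile_dir, watchlist=WATCHLIST):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return hits.

    Each hit is (extension_id, version, display_name).
    """
    hits = []
    ext_root = Path(profile_dir) / "Extensions"
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        ext_id = version_dir.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the sweep
        name = resolve_name(version_dir, manifest)
        if name.strip().lower() in watchlist:
            hits.append((ext_id, manifest.get("version", version_dir.name), name))
    return hits


def build_sample_profile(base: Path) -> Path:
    """Create a constructed Chrome profile with two extensions for a self-contained demo.

    The 32-letter IDs and versions are placeholders, not real store values.
    """
    ext_root = base / "Default" / "Extensions"
    # Extension 1: localized name that resolves to "Ledger Secure" (constructed).
    bad = ext_root / ("a" * 32) / "1.0.3_0"
    (bad / "_locales" / "en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "__MSG_appName__",
        "default_locale": "en", "version": "1.0.3"}))
    (bad / "_locales" / "en" / "messages.json").write_text(json.dumps({
        "appName": {"message": "Ledger Secure"}}))
    # Extension 2: benign, plain (non-localized) name (constructed).
    ok = ext_root / ("b" * 32) / "2.1_0"
    ok.mkdir(parents=True)
    (ok / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "Example Notes", "version": "2.1"}))
    return base / "Default"


def demo():
    """Build the sample profile in a temp dir and return the flagged extensions."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(Path(tmp))
        return find_watchlisted_extensions(profile)


if __name__ == "__main__":
    for ext_id, version, name in demo():
        print(f"FLAGGED: {name!r} id={ext_id} version={version}")
```

To run it against a real machine, point find_watchlisted_extensions at the profile directory (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default; other profiles sit beside Default) and feed the results into your EDR or ticketing system rather than deleting anything automatically, since a name match alone is a lead, not proof. Handling the __MSG_ placeholder matters: many extensions localize their name, and a sweep that only reads the manifest's raw "name" field would miss them.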

2020-01-06

UK Government is Taking a Closer Look at August London Stock Exchange Outage

Government authorities in the UK are reportedly taking a closer look at an August 2019 outage that delayed trading at the London Stock Exchange (LSE) for more than an hour and a half. At the time, the incident was attributed to a software glitch. Sources say that British intelligence has requested additional information from the LSE. GCHQ has denied that it is investigating the incident. (Please note that the WSJ story is behind a paywall.)


2020-01-05

Active Network Discloses Breach Affecting Blue Bear Software Platform

Active Network, the company that makes the Blue Bear web-based accounting software platform used by K-12 schools in the US, has acknowledged a data breach. People who accessed schools' Blue Bear web stores between October 1 and November 13, 2019 may have had their data exposed. The compromised information includes names and payment card numbers, expiration dates, and security codes. The attackers appear to have skimmed the information in real-time during transactions. Active Network reported the incident to the California Attorney General's office late last year.

Editor's Note

"Card not present" fraud is now the preferred way to compromise and monetize credit and debit card numbers. Only a small number of merchants can provide the necessary security required to process credit or debit card account numbers safely. Online merchants must employ checkout proxies like PayPal and Apple Pay and must not accept, process, or store credit or debit card numbers in the clear. Consumers who deal with merchants that require credit or debit card numbers should use one-time or one merchant card numbers like those provided by privacy.com.

William Hugh Murray

Internet Storm Center Tech Corner