posted by hubie on Friday November 17 2023, @06:41PM
from the complaints-department-5000-miles-> dept.

https://arstechnica.com/security/2023/11/teens-with-digital-bazookas-are-winning-the-ransomware-war-researcher-laments/

What do Boeing, an Australian shipping company, the world's largest bank, and one of the world's biggest law firms have in common? All four have suffered cybersecurity breaches, most likely at the hands of teenage hackers, after failing to patch a critical vulnerability that security experts have warned of for more than a month, according to a post published Monday.

[...] All four companies have confirmed succumbing to security incidents in recent days, and China's ICBC has reportedly paid an undisclosed ransom in exchange for encryption keys to data that has been unavailable ever since.

[...] After the CitrixBleed exploit grants initial remote access through software known as Virtual Desktop Infrastructure, LockBit escalates its access to other parts of the compromised network using tools such as Atera, which provides interactive PowerShell interfaces that don't trigger antivirus or endpoint detection alerts. This access remains even after CitrixBleed is patched unless administrators take special actions.



Related Stories

Ransomware Gang Files SEC Complaint over Victim’s Undisclosed Breach

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack:

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders.

According to DataBreaches.net, the ALPHV ransomware gang said they breached MeridianLink's network on November 7 and stole company data without encrypting systems.

The ransomware actor said that "it appears MeridianLink reached out, but we are yet to receive a message on their end" to negotiate a payment in exchange for not leaking the supposedly stolen data.

The alleged lack of response from the company likely prompted the hackers to exert more pressure by sending a complaint to the U.S. Securities and Exchange Commission (SEC) about MeridianLink not disclosing a cybersecurity incident that impacted "customer data and operational information."

[...] In their own words, the attacker told the SEC that MeridianLink suffered a "significant breach" and did not disclose it as required in Form 8-K, under Item 1.05.

The SEC's new cybersecurity rules are set to take effect on December 15, 2023.

Originally spotted on Schneier on Security.

Related: Teens With "Digital Bazookas" Are Winning the Ransomware War, Researcher Laments



“Disabling Cyberattacks” Are Hitting Critical US Water Systems, White House Warns

https://arstechnica.com/security/2024/03/critical-us-water-systems-face-disabling-cyberattacks-white-house-warns/

The Biden administration on Tuesday warned the nation's governors that drinking water and wastewater utilities in their states are facing "disabling cyberattacks" by hostile foreign nations that are targeting mission-critical plant operations.

"Disabling cyberattacks are striking water and wastewater systems throughout the United States," Jake Sullivan, assistant to the president for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter. "These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities."

[...] The letter extended an invitation for secretaries of each state's governor to attend a meeting to discuss better securing the water sector's critical infrastructure. It also announced that the EPA is forming a Water Sector Cybersecurity Task Force to identify vulnerabilities in water systems. The virtual meeting will take place on Thursday.

"EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems," Regan said in a separate statement.

This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by Rosco P. Coltrane on Friday November 17 2023, @08:24PM (7 children)

    by Rosco P. Coltrane (4757) on Friday November 17 2023, @08:24PM (#1333318)

    What do Boeing, an Australian shipping company, the world's largest bank, and one of the world's biggest law firms have in common?

    They all run closed source software.

    Not to say that open source software is immune from vulnerabilities, far from it. But I can't help but notice most high-profile exploits target mostly closed source software, and often the vendor either doesn't know about it, doesn't care, takes its own sweet time to address it, or doesn't disclose before it's way too late. Whereas exploits in high-profile open-source software usually get discussed openly, get fixed fast, and of course many more people than just the engineers of one vendor can look at the problem.

    • (Score: 4, Interesting) by pTamok on Friday November 17 2023, @09:59PM (4 children)

      by pTamok (3042) on Friday November 17 2023, @09:59PM (#1333331)

      Whereas exploits in high-profile open-source software usually get discussed openly, get fixed fast, and of course many more people than just the engineers of one vendor can look at the problem.

      I'm glad you said 'usually'.

      Linux-based operating systems still have a small fraction of 'the desktop', and a lot of enterprise/business is still based on Microsoft servers. So people developing exploits will target the most common software in use, so it is no surprise that Microsoft-based systems get hit so often. It's basic statistics.

      The idea behind open source meaning all bugs (including security bugs) are shallow is nice, but the reality is there is FLOSS software that is under-resourced for maintenance and bug-fixing. Some of it in use in business critical systems. All is NOT sweetness and light on the FLOSS side of the mountain.

      Personally, I use Linux-based software when I can, but as it gets more popular, more exploits will come along, and indeed are. Linux is not immune to script-kiddies.

      There are some things large companies can do to help, both themselves, and everyone: employ people who know what they are doing and listen to them; and send money and/or other support resources to the FLOSS projects you use so they can be maintained. Think of it as insurance.

      • (Score: 5, Interesting) by Thexalon on Friday November 17 2023, @11:58PM (1 child)

        by Thexalon (636) on Friday November 17 2023, @11:58PM (#1333342)

        Here's how I tend to look at it, which has nothing to do with "all bugs are shallow to somebody" and everything to do with "what resources can you use to address the problem".

        Let's compare the situations of CTO A running the proprietary MacroHard W, and CTO B running the FLOSS X that does basically the same thing. And a serious 0-day bug is discovered for both of them at the same time that's being actively exploited in the wild.

        CTO A's options:
        1. Wait for MacroHard to distribute an update for W, and install it as quickly as possible.

        CTO B's options:
        1. Wait for literally anybody else (who may or may not be connected to the maintainers of X) to put a patch out somewhere on the Internet, and install the patch as quickly as possible.
        2. Direct any in-house software developers they might have to try to create a patch themselves.
        3. Direct any in-house admins they might have to try to create some kind of clever workaround for the problem, because they have access to all the components and documentation to tinker with things.
        4. Hire an outside developer, e.g. somebody who has contributed to the system at some point (which conveniently is public information, just look in the git history), to develop a patch for it.
        5. Hire an outside admin to create the clever workaround for the problem that the in-house admins didn't think of.
        6. Organize some sort of multi-organization cooperative effort with everybody else who is facing the exact same problem.
        etc etc etc.
        Oh, and if your guys fix it first, you can publicize the fix and get some nice publicity from that.

        So CTO A might have the advantage of being able to blame everything on MacroHard, but CTO B has lots of avenues for fixing the damn problem that CTO A doesn't. These also apply to situations like:
        - The upstream abandons the software, for whatever reason.
        - There's a feature that would be really useful for you to have, and isn't currently part of the software.
        - There's a non-security bug that's still really friggin' annoying.

        I'd rather be CTO B in all of these scenarios. But again, I approach technical problems like an engineer, not a politician, which means I want to actually fix them and not just send the blame somewhere else.

        --
        "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
        • (Score: 2) by Freeman on Monday November 20 2023, @04:14PM

          by Freeman (732) on Monday November 20 2023, @04:14PM (#1333620) Journal

          CTO A is why we switched from a proprietary Integrated Library System (book Library) to an open source ILS (Koha). There were a few other options, but we'd already had experience with Koha. So far, we're quite happy.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 3, Touché) by mcgrew on Saturday November 18 2023, @03:53PM (1 child)

        by mcgrew (701) <publish@mcgrewbooks.com> on Saturday November 18 2023, @03:53PM (#1333405) Homepage Journal

        Personally, I use Linux-based software when I can

        Android is a Linux distro. A bad crappy one, yes, but it uses the Linux kernel. Odd that I had to patch the kernel on my Linux tower a couple of weeks ago, but not my phone or tablet.

        Lay your phone on the desk. That's Linux on the desktop but is no safer than Windows.

        --
        Our nation is in deep shit, but it's illegal to say that on TV.
        • (Score: 1) by pTamok on Saturday November 18 2023, @10:28PM

          by pTamok (3042) on Saturday November 18 2023, @10:28PM (#1333460)

          Good call.

          I don't use Android. Or iOS.

          The Android 'userland' is not one I'm happy to use.

    • (Score: 0) by Anonymous Coward on Friday November 17 2023, @10:51PM

      by Anonymous Coward on Friday November 17 2023, @10:51PM (#1333337)

      They all run closed source software.

      They should be running in-house software. Oh well, too big to punish... must be nice

    • (Score: 2) by mcgrew on Saturday November 18 2023, @03:49PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Saturday November 18 2023, @03:49PM (#1333404) Homepage Journal

      ..."after failing to patch a critical vulnerability..."

      Looks like it's not closed source's fault this time to me. Don't you ever patch your Linux box? I did mine yesterday, a couple weeks ago I even had to boot it for a kernel patch. Yes, the way Microsoft patches makes one not want to, but that's different.

      And even lazy closed source users don't lose any data they've backed up. Anyone who doesn't back up is a brain-dead moron, or doesn't give a damn about their employer's data.

      --
      Our nation is in deep shit, but it's illegal to say that on TV.
  • (Score: 5, Insightful) by Thexalon on Friday November 17 2023, @09:32PM

    by Thexalon (636) on Friday November 17 2023, @09:32PM (#1333327)

    So what these whiners are actually saying is "The security and backup strategies of extremely well-funded organizations are so atrociously badly done that they're being beaten by basically untrained script kiddies." Yes, the people trying to rob the banks are ultimately the bad guys, but if your bank keeps getting robbed by a bunch of 12-year-olds and your entire security system consists of the digital equivalent of 1 half-asleep security guard with a drinking problem, that's on you.

    Sure, dealing with that properly involves actually listening to the people in your tech team with gray hair and grubby T-shirts and spending some money you'd rather not spend. Oh, wait, you fired all of them and outsourced IT to somebody in a cheaper country who offered you a nice under-the-table kickback but doesn't know their rear end from a hole in the ground, didn't you? And now you're surprised to find out that they knew something about what they were doing. Yeah, that's on you too, Mr Short-sighted CTO.

    --
    "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
  • (Score: 5, Interesting) by DannyB on Friday November 17 2023, @10:15PM (4 children)

    by DannyB (5839) Subscriber Badge on Friday November 17 2023, @10:15PM (#1333333) Journal

    Ransomware group reports victim it breached to SEC regulators [arstechnica.com]

    Group tells SEC that the victim is in violation for not reporting it was hacked.

    One of the world’s most active ransomware groups has taken an unusual—if not unprecedented—tactic to pressure one of its victims to pay up: reporting the victim to the US Securities and Exchange Commission.

    The pressure tactic came to light in a post published on Wednesday on the dark web site run by AlphV, a ransomware crime syndicate that’s been in operation for two years. After first claiming to have breached the network of the publicly traded digital lending company MeridianLink, AlphV officials posted a screenshot of a complaint it said it filed with the SEC through the agency’s website. Under a recently adopted rule [sec.gov] that goes into effect next month, publicly traded companies must file an SEC disclosure within four days of learning of a security incident that had a “material” impact on their business.

    Maybe that's what happens if you don't pay the ransom, AND you try to hide the attack, AND you're a publicly traded company.

    --
    Santa/Satan maintains a database and does double verification of it.
    • (Score: 2) by Whoever on Saturday November 18 2023, @12:58AM (2 children)

      by Whoever (4524) on Saturday November 18 2023, @12:58AM (#1333344) Journal

      Maybe that's what happens if you don't pay the ransom, AND you try to hide the attack, AND you're a publicly traded company.

      Maybe they figured that, if they could just keep the intrusion secret, it would not have a material effect on their business.

      • (Score: 3, Funny) by sgleysti on Saturday November 18 2023, @03:03AM (1 child)

        by sgleysti (56) Subscriber Badge on Saturday November 18 2023, @03:03AM (#1333354)

        Along similar lines: It's not racketeering if you use a bat.

        • (Score: 2) by DannyB on Monday November 20 2023, @04:05PM

          by DannyB (5839) Subscriber Badge on Monday November 20 2023, @04:05PM (#1333618) Journal

          Isn't a bat more effective than a racket?

          --
          Santa/Satan maintains a database and does double verification of it.
    • (Score: 2) by sgleysti on Saturday November 18 2023, @03:06AM

      by sgleysti (56) Subscriber Badge on Saturday November 18 2023, @03:06AM (#1333355)

      The SEC report by the ransomware gang is by far the most interesting part of this story. X got hacked has ceased to be news to me and always recalls to mind an early scene from the movie Hackers:

      Dade's Mom: You hooked it up to the phone, didn't you? Dade! Turn the shower off! You screw up again and you won't get into college!

  • (Score: 5, Insightful) by ElizabethGreene on Saturday November 18 2023, @02:54PM (4 children)

    by ElizabethGreene (6748) Subscriber Badge on Saturday November 18 2023, @02:54PM (#1333392) Journal

    It's dangerous to trivialize these groups as "teenagers". The people developing those "digital bazookas" have office space, desks, and regular paychecks. They work for companies whose business happens to be crime. To put it in perspective, Cybercrime is a ~$300b/year industry, which puts it in the same neighborhood as illegal drugs in terms of annual revenue.

    You'd get laughed out of journalism if you described Pablo Escobar as a drug dealer, and that's roughly on par with calling these people "Teens with digital bazookas".

    • (Score: 2) by istartedi on Saturday November 18 2023, @11:10PM (3 children)

      by istartedi (123) on Saturday November 18 2023, @11:10PM (#1333463) Journal

      Yeah, they might be young but they're not the kind of "teens" people are thinking of. I saw an article that says the groups have a buy-in of one BTC. Most teens with that kind of scratch aren't going to spend it on that. I think most of them probably aren't teens, and if they are then their daddy is mafia and bankrolls them. The press loves the image of teen hackers, good or bad, fixed in our minds by things like War Games. Not that I don't love that movie, but it's just that. A movie.

      So if you're in your Mom's basement, have no morals, and are thinking of wading in to those waters for fun and profit; think again. If you can scare up 1 BTC you'll probably just keep doing the OF you did to make it.

      --
      Appended to the end of comments you post. Max: 120 chars.
      • (Score: 2) by canopic jug on Sunday November 19 2023, @10:37AM (2 children)

        by canopic jug (3949) Subscriber Badge on Sunday November 19 2023, @10:37AM (#1333488) Journal

        These aren't bazookas. Read any of the very many ransomware articles and follow up articles out there. The commonality is the misplaced reliance on M$ products in place of acceptable production systems. Basically the "hardened" systems have rice paper armor and are getting taken down with slingshots. However, they are not kids, they are organized criminals which operate with a number of side agendas at the same time.

        The article is just disingenuous spin covering for Bill and M$ while distracting from the inconvenient truth of the necessity of eliminating m$ products from production environments. That however is not a technical problem but a staffing problem and can only be solved with a longer process which starts with a stack of pink slips.

        Through Bill's rice paper armor and swiss cheese spaghetti code, the M$ systems have been and will always remain incurably vulnerable to compromise. The only group to benefit from that, aside from the politicians from Redmond, are the ransomware crews and their investors. Bill's sloppy code has launched ransomware from a fringe, cottage industry into a major boom which has grown explosively year on year:

        In 2020 alone, ransomware groups reportedly earned $692 million from their collective attacks, a 380 per cent increase over the previous six years combined ($144 million from 2013-2019).
        -- https://telanganatoday.com/ransomware-as-a-service-creates-cottage-industry-of-cybercrime [telanganatoday.com]

        The technical part of that is already a solved problem: ditch m$. It's never going to be solved with patches and aftermarket add-ons [strongdm.com] but only by upgrading to FOSS systems. Although dealing with the politics which allowed m$ to infiltrate the workplace, and for that matter discussion forums, is a hard problem, it is solvable with some will and effort.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 0) by Anonymous Coward on Monday November 20 2023, @01:30AM (1 child)

          by Anonymous Coward on Monday November 20 2023, @01:30AM (#1333564)

          Sorry. No silver bullets. Security isn't a product, and that means just dumping MS isn't the answer. Sure, they've gone for low-hanging fruit but if you move up the tree, so will they [zdnet.com]. If security isn't a product, what is it? A process. A mindset. A significant portion of these attacks are the result of infiltration, or even mere carelessness. All the F/OSS "security" in the world won't help you if you treat your employees badly to the point where leaving a few back doors open in exchange for a nice meal seems OK.

          Is a patched-up MS product behind a properly maintained and configured firewall better or worse than simply sprinkling F/OSS all over your organization and calling it secure? I think you know the answer.

          • (Score: 2) by canopic jug on Monday November 20 2023, @08:03AM

            by canopic jug (3949) Subscriber Badge on Monday November 20 2023, @08:03AM (#1333584) Journal

            A "patched" and "maintained" m$ box is always going to remain a dumpster fire in regards to security. We have decades of data on that already. You can almost say that the holes are there by design or intent based on having been deprioritized for literal decades. A firewall won't help and never could help since the services it has to allow through are the very same ones that are vulnerable in a Windoze environment.

            Yes, security is an ongoing process. It is a process which starts with the early stages of design and continues through the life cycle of the tool, system, or service. m$ is closed source, which is a deal breaker itself [acm.org], and m$ even missed the boat in regards to even basic design. Their way of thinking infects minds far and wide, and we end up with people lying that it is somehow acceptable to deploy m$ products in production. That leads to a cascade of problems and a terrible ongoing mess and, often, a state of perpetual crises. In general, problems cannot be solved with the same thinking (read: the same people) as who caused the resulting mess in the first place. Therefore, as mentioned earlier, the clean up starts with a lot of firings, most importantly of the managers who failed their institutions by bringing in the m$ products in the first place.

            Upgrading to FOSS systems won't in and of itself "cause" security. I'll say again that security is an ongoing process. However, moving to FOSS systems and away from m$ to FOSS systems and software is an essential prerequisite, without which the process cannot even be started.

            --
            Money is not free speech. Elections should not be auctions.