Connect with us

Technology

‘It’s quite feasible to start a war’: just how dangerous are ransomware hackers? | Cybercrime

Voice Of EU

Published

on

They have the sort of names that only teenage boys or aspiring Bond villains would dream up (REvil, Grief, Wizard Spider, Ragnar), they base themselves in countries that do not cooperate with international law enforcement and they don’t care whether they attack a hospital or a multinational corporation. Ransomware gangs are suddenly everywhere, seemingly unstoppable – and very successful.

In June, meat producer JBS, which supplies over a fifth of all the beef in the US, paid a £7.8m ransom to regain access to its computer systems. The same month, the US’s largest national fuel pipeline, Colonial Pipeline, paid £3.1m to ransomware hackers after they locked the company’s systems, causing days of fuel shortages and paralysing the east coast. “It was the hardest decision I’ve made in my 39 years in the energy industry,” said a deflated-looking Colonial CEO Joseph Blount in an evidence session before Congress. In July, hackers attacked software firm Kaseya, demanding £50m. As a result, hundreds of supermarkets had to close in Sweden, because their cash registers didn’t work.

The gangs – criminal enterprises that hack into internet-connected computer systems, lock access to them, and then sell a decryption key in exchange for payment in bitcoin – have targeted schools, hospitals, councils, airports, government bodies, oil pipelines, universities, nuclear contractors, insurance companies, chemical distributors and arms manufacturers. Hackers haven’t targeted air traffic controllers yet, but some believe that it’s only a matter of time.

All organisations are vulnerable, although a sweet spot is mid-size businesses that have enough revenue to make them a lucrative target, but aren’t large enough to have dedicated cybersecurity teams. “Everybody who uses internet-connected computer systems has vulnerabilities,” says Dr Herb Lin, a cybersecurity expert at Stanford University.

Russia is a major hotspot for ransomware attackers to headquarter themselves, as is Iran. Cyrillic – the Russian alphabet – is commonly used in ransomware forums or source codes. “It’s not that the Russian government is conducting these ransomware attacks,” Lin says, “but they have an arrangement in which the Russian-based cyber-mobs can do their activities outside Russia, and the country turns a blind eye to it. The tacit agreement is, if you hack a Russian system, you’re in trouble.” I ask Lin why the Russian authorities are so lenient. “My guess is that Putin gets a cut,” he says.

These hackers operate as organised gangs: some members specialise in identifying compromised systems and gaining access, while others handle the ransom negotiations. (Investigators tracing ransom payments will often see cryptocurrency transferred into many different cyberwallets after a transaction has been made, for this reason.)

And they are not shy of publicity – some have even given media interviews. “I know at the very least several affiliates have access to a ballistic missile launch system… It’s quite feasible to start a war,” said an unnamed REvil spokesperson airily in one interview. “But it’s not worth it – the consequences are not profitable.” Each group has a distinct character. “REvil has some flair, as does Pysa, who are quite snarky,” says Brett Callow of the cybersecurity firm Emsisoft. “At the other end of the spectrum, Ryuk are robotic in their approach.”

More recently, these gangs have pivoted into extorting individuals. If victims don’t pay, their stolen data is dumped online, or sold on the dark web to the highest bidder. (There is no way to know if the data is sold anyway, even if the victim does pay.) Some of these extortion demands take a vicious tenor: REvil recently threatened to publish damaging information about Invenergy CEO Michael Polsky after he refused to pay a ransom. “We know his secrets… we will share with you some disgusting photos, and many interesting facts from his life,” wrote the hackers on their dark web blog. And the pandemic has proved especially fecund for ransomware gangs. According to a report from cybersecurity software firm Bitdefender, attacks increased by 485% in 2020 alone. “It’s taken off since Covid because we have more people working from home,” says Sophia, a crisis communications expert who specialises in advising companies who have been targeted by ransomware hackers. Poorly secured remote access logins are a common route in. “More of a digital environment leads to more points of entry for the attackers,” she says. “The last year and a half has been a whole new ballgame.”

‘You can’t be a puritan in this space. You are dealing with the livelihoods of your staff’: a hacked computer screen.
‘You can’t be a puritan in this space. You are dealing with the livelihoods of your staff’: a hacked computer screen. Photograph: Getty Images

I ask how many cases she has personally worked on this year. Sophia sighs. “It’s probably upwards of 50 this year. And it’s only July.”

All the experts I speak with agree – many victims of ransomware do pay. “About half do,” says Sophia of her clients. “I did one job for an organisation in Australia,” says Nick Klein of Australian cybersecurity firm CyberCX, “where the CEO was literally walking around their office with a credit card, saying, ‘How can I convert money into bitcoin?’” Alastair MacGibbon of CyberCX always advises his clients not to pay, but he is not judgmental of those who do: “You can’t be a puritan in this space. You are dealing with the livelihoods of your staff, and trying to protect your suppliers. There are legitimate reasons to pay.”

Specialist negotiators are often brought in to haggle the gangs down. “It’s a business deal,” says Klein, who is one such negotiator. “You need to make the attackers understand that you want to do a business transaction with them, and they need to be realistic and come to an agreement that works for both parties.” He’s successfully bartered down hackers from demands of tens of millions of dollars, to under $100,000. “Conversely,” Klein says, “I’ve done jobs where we’ve gone to criminals and said, the company can’t afford this, and they send back a copy of their financial statements.” He chuckles: “That’s a well-informed criminal.”

But despite the fact that many ransomware victims do pay up, a code of omertà prevails. No one will talk about it to me. Phone calls go unanswered; emails ignored. One CEO answers his mobile, garbles incoherently at break-neck speed, and hangs up. Everyone who works in this space tells me the same thing: they know dozens, if not hundreds, of executives who have paid ransoms, and not one will speak with me. “There’s a stigma attached,” MacGibbon says. “And there’s a fear of revictimisation.”

But eventually, I do track down someone who will talk…

Thursday, 11 January 2018 was a day like any other at Hancock Regional Hospital in the city of Greenfield, Indiana. Inclement weather was approaching and flu cases were on the rise. At 9.30pm, messages began appearing on computer screens, announcing that the system had been encrypted using SamSam ransomware. Hackers got in through a password belonging to a third-party vendor that had been breached and sold on the dark web. If the hospital wanted to regain access to its systems, it had to pay a ransom of four bitcoins, then the equivalent of about £40,000. Until then, every file was locked.

At home, in bed beside his wife, Steve Long received a phone call from an administrator around midnight. He drove to the hospital immediately, where he stared in puzzlement at row upon row of locked computer screens.

“They were targeting us specifically,” he says. “What kind of a person does that? It’s unconscionable to do that to a hospital.”

Long is that rarest of people – a man willing to admit to paying a ransom demand. The hospital CEO has the genial air of a headteacher and is remarkably candid about his decision to pay the hackers, who were based in Iran.

“It was a terrible decision,” he says, “and I agree with all the reasons for not paying ransoms. But when you’re in that situation you discover pretty quickly it’s about business continuity.” There was some blowback, of course. “People said, ‘You should never pay a ransom for any reason.’ But they were people who have never been in that situation.”

After staying up all Thursday night, Long made the decision to pay up around noon the following day – they were going into a holiday weekend and the bank would be closed until Tuesday. Just as he was preparing to make the transaction, he received the phone call: a reporter at the local paper had gotten wind of the story.

Long had three choices: lie, obfuscate, or tell the truth. He invited the reporter into the hospital and told him exactly what was going on. “We thought it was important to tell our story,” he says, “because no one ever talks about this and, because no one ever talks about it, no one ever learns.”

He hopes that sharing his experience will encourage other organisations to take the threats posed by ransomware hackers seriously.“As an individual,” Long says, “you think it won’t happen and you’ll never find yourself in the thick of it. And then you’re sitting in the administrator conference room and the only outside access you have to the world is your personal laptop, email address, and the hotspot on your phone.”

Early Saturday morning, the hospital paid the ransom. The hackers, good to their word, provided the decryption keys and by Monday morning most things were back to normal. Long threw a staff party with a cupcake van and drinks. He even had T-shirts made up. They read: “I survived the cyber apocalypse of 2018, and all I got was this silly T-shirt.”

In the world of ransomware, there are no pat moral absolutes. Long paid, protected patient safety, and got the hospital back up and running again, but he also put money into the pocket of criminals, and encouraged them to do it again, to another hospital. To not pay is a principled stance, but one fraught with risk. Oftentimes, not paying is damaging, disruptive, and actually costs organisations more than the ransom demand. When Atlanta refused to pay a £36,000 ransom in 2018, it cost the city more than £1.8m to rebuild.

“We won’t entertain the idea of paying ransoms,” says Rob Miller of Hackney council, which was hit in October 2020. “It places other organisations and councils at risk, because it creates a precedent that we will pay. And it funds nasty criminality, including child exploitation.” An ethical decision, certainly, although Hackney’s residents may not agree because, 10 months on, the council still does not have access to many of its core systems. The council tax system is not fully operational, nor is the system to record business rates. It could be another nine months before the benefits office is back to normal.

As a result of the chaos, people’s house sales fell through and many have not been able to access the benefits they are entitled to. Perhaps worst of all, hackers posted personal information about Hackney residents, including passport data, on the dark web, for criminals to exploit. “Obviously,” says Miller, “that feels terrible.” But he robustly rejects the notion that it would have been better to pay, or that Hackney Council should be held culpable for not protecting their residents better. “We’re really clear that the people who should feel guilty are the criminals that caused this,” Miller says.

Perhaps. But the truth is that criminals were able to access Hackney’s systems through a security weakness and as a result, residents have suffered. Miller tells me council officers have been working around the clock to minimise service disruption, and identify people who may have been affected by the breach, and offer support. But is that enough?

“It’s my personal view that organisations should be held liable for cybersecurity breaches they could have fixed, but didn’t,” Lin says. Under existing UK and US law, organisations have to notify individuals whose data has been compromised by cybercriminals, but they don’t usually have to pay fines. “Let’s pretend they had to pay $20 every time they wrote to someone notifying them of a data breach,” says Lin. “They would start to pay attention [to their cybersecurity] then.” I ask him whether it’s right to re-victimise victims of crime – after all, we wouldn’t fine burglary victims for leaving a window open. “I’m also the victim of a crime,” Lin says. “Who compensates me? Why should they get off for having inadequate security precautions that caused me to suffer this harm?”

It’s a punchy proposition, albeit one unlikely to see the light of day, because hundreds, if not thousands, of businesses would probably go bankrupt. Some of the organisations targeted by criminals have been sloppy, certainly. The hackers who got into Colonial Pipeline did so because there wasn’t dual-factor authentication set up on a VPN account – a basic security measure. But a talented and conscientious hacker can gain access to most internet-connected computer systems.

“What we have right now is a feeding frenzy which is the result of companies paying increasingly ridiculous amounts of money,” Callow says, “and criminals being able to operate with almost complete impunity.” He believes the solution is for governments to make paying ransoms to cybercriminals illegal. In the US and UK it is not currently illegal and insurers will often cover ransom payments, which are sometimes tax-deductible. “Ransomware attacks happen for one reason,” Callow says. “Because they are profitable. So organisations have to stop paying ransoms. That’s the only way to stop attacks.”

Governments are finally waking up to the terrible threat posed by ransomware hackers. In the UK, GCHQ’s cybersecurity lead recently warned that ransomware poses a bigger threat to online security than hostile states. In the US, President Biden has established a multi-agency anti-ransomware government taskforce. The FBI recently succeeded in recovering £1.6m of the Colonial Pipeline ransom, suggesting that bitcoin is either not as untraceable as previously thought, or that investigators had intelligence on the group behind the attack. This month, REvil – the most high-profile of all the ransomware groups – went offline. No one is sure why, but the crackdown may have played a role.

While legislators try to find solutions, the savvier organisations are doing all they can to inoculate themselves against attacks. “I tell my clients to prepare for their worst nightmare cyber incident,” Sophia says. Miller and Long urge organisations to increase their cybersecurity spend: Hackney council has accelerated its move to cloud-based services, which are less vulnerable to hackers, while Hancock Regional Hospital pays an external security firm to watch their network 24/7, monitoring for potential breaches. “It’s a bit like after the Great Fire of London,” says Miller of the council’s security efforts post-hack, “they built stone buildings with wider streets. It didn’t stop all fires from happening, but it reduced the likelihood.”

And of course, there’s going back to basics. “The backup is always paper,” Long says. “We have other safeguards electronically. But the hospital has a paper backup we always go to.” Because in a digital world, sometimes the only way to protect oneself from the cybercriminals of the future is to seek sanctuary in an analogue past.

Some names have been changed

Source link

Technology

Ubiquiti dev charged with data-breaching own employer • The Register

Voice Of EU

Published

on

A Ubiquiti developer has been charged with stealing data from the company and extortion attempts totalling $2m in what prosecutors claim was a vicious campaign to harm the firm’s share price – including allegedly planting fake press stories about the breaches.

US federal prosecutors claimed that 36-year-old Nickolas Sharp had used his “access as a trusted insider” to steal data from his employer’s AWS and GitHub instances before “posing as an anonymous hacker” to send a ransom demand of 50 Bitcoins.

The DoJ statement does not mention Sharp’s employer by name, but a Linkedin account in Sharp’s name says he worked for Ubiquiti as a cloud lead between August 2018 and March 2021, having previously worked for Amazon as a software development engineer.

In an eyebrow-raising indictment [PDF, 19 pages, non-searchable] prosecutors claim Sharp not only pwned his employer’s business from the inside but joined internal damage control efforts, and allegedly posed as a concerned whistleblower to make false claims about the company wrongly downplaying the attack’s severity, wiping $4bn off its market capitalisation.

Criminal charges were filed overnight in an American federal court against Sharp, of Portland, Oregon. The indictment valued the 50 Bitcoins at $1.9m “based on the prevailing exchange rate at the time.”

US attorney Damian Williams said in a US Justice Department statement: “As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistle-blower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

Sharp is alleged to have downloaded an admin key which gave him “access to other credentials within Company-1’s infrastructure” from Ubiquiti’s AWS servers at 03:16 local time on 10 December 2020, using his home internet connection. Two minutes later, that same key was used to make the AWS API call GetCallerIdentity from an IP address linked to VPN provider Surfshark – to which Sharp was a subscriber, prosecutors claimed.

Later that month, according to the prosecution, he is alleged to have set AWS logs to a one-day retention policy, effectively masking his presence.

Eleven days after the AWS naughtiness, the indictment claims, he used his own connection to log into Ubiquiti’s GitHub infrastructure. “Approximately one minute later,” alleged the indictment, Sharp used Surfshark to ssh into GitHub and clone around 155 Ubiquiti repos to his home computer.

“In one fleeting instance during the exfiltration of data,” said the indictment, “the Sharp IP address was logged making an SSH connection to use GitHub Account-1 to clone a repository.”

For the rest of that night, prosecutors said, logs showed Sharp’s personal IP alternating with a Surfshark exit node while making clone calls. Although it was not spelled out in the court filing, prosecutors appeared to be suggesting that Surfshark VPN was dropping out and revealing “the attacker’s” true IP.

Ubiquiti discovered what was happening on 28 December. Prosecutors claimed Sharp then joined the company’s internal response to the breaches.

In January 2021 Ubiquiti received a ransom note sent from a Surfshark VPN IP address demanding 25 Bitcoins. If it paid an extra 25 Bitcoins on top of that, said the note, its anonymous author would reveal a backdoor in the company’s infrastructure. This appears to be what prompted Ubiquiti to write to its customers that month alerting them to a data breach. Ubiquiti did not pay the ransom, said the indictment.

Shortly after Federal Bureau of Investigation workers raided Sharp’s home, prosecutors claim he “caused false or misleading news stories to be published about the Incident and Company-1’s disclosures and response to the Incident. Sharp identified himself as an anonymous source within Company-1 who had worked on remediating the Incident. In particular, Sharp pretended that Company-1 had been hacked by an unidentified perpetrator who maliciously acquired root administrator access [to] Company-1’s AWS accounts.”

This appears to be referencing an article by infosec blogger Brian Krebs that was published that day, on 30 March 2021. He spoke “on condition of anonymity for fear of retribution by Ubiquiti”, and El Reg (among many other outlets) followed up Krebs’ reporting in good faith. In that article, the “whistleblower” said he had reported Ubiquiti in to the EU Data Protection Supervisor, the political bloc’s in-house data protection body.

We have asked Krebs for comment.

Sharp is innocent unless proven guilty. He is formally charged with breaches of the Computer Fraud and Abuse Act, transmitting interstate threats, wire fraud and making false statements to the FBI. If found guilty on all counts and handed maximum, consecutive sentences on each, he faces 37 years in prison. ®

Source link

Continue Reading

Technology

Limerick’s Serosep crowned Irish Medtech Company of the Year 2021

Voice Of EU

Published

on

Other winners at the Irish Medtech Association awards included Alcon Ireland, West, Vertigenius, Luminate Medical, BioMEC, Jabil Healthcare, Cook Medical and Aerogen.

Limerick-headquartered business Serosep has been named Irish Medtech Company of the Year at a virtual conference hosted today (2 December) by The Irish Medtech Association with Enterprise Ireland and IDA Ireland.

The Irish Medtech Association which represents the medtech sector in Ireland made the announcement at its annual Medtech Rising conference. This year’s awards ceremony was the first to feature new categories. Alcon Ireland won the Sustainable Medtech company of the Year, while West scooped the Best Medtech Talent Strategy Award.

According to the association’s director Sinéad Keogh, the annual awards ceremony offers the medtech community a chance to “recognise and celebrate the strength and importance of the industry in improving life.”

“The sector has remained resilient despite the challenges of the Covid pandemic, with over 42,000 people now working in the industry, across 450 companies,” she added.

The overall winner, Serosep, is a self-funded, family run business, which manufactures clinical diagnostic products at its base in Annacotty, Co Limerick. It serves more than 35 different countries spread over 5 continents. The company is 25 years in business and employs 114 people. Earlier this year, it announced a five-year contract to supply its gastroenteritis diagnostic system to Liverpool University Hospital. The company already supplies the NHS.

Serosep CEO and founder Dermot Scanlon, said he was “humbled” to receive the award, adding that the company’s innovative diagnostic test tools have “changed the way gastroenteritis is tested in clinical laboratories.”

“We are currently manufacturing in excess of one million tests in our state-of-the-art facility,” he said, explaining that the award would motivate the whole company to “continue forging ahead, achieving bigger and better things.”

Other award winners included:

Trinity College Dublin spin-out Vertigenius, winner of the eHealth Innovation of the Year Award. Vertigenius is a platform which aims to enhance clinical and patient engagement in the treatment of balance problems.

Luminate Medical, winners of the Emerging Medtech Company of the Year Award. The NUI Galway spin-out has developed a technology to prevent chemotherapy induced hair loss.

NUI Galway’s Biomechanics Research Centre (BioMEC) won the Academic Contribution to Medtech Award. The company’s technology integrates the latest in silico computational models to simulate the mechanical performance of implanted coronary stents.

Bray-based Jabil Healthcare scooped the Medtech Partner/Supplier of the Year Award for its new Covid-19 PCR testing device.

Cook Medical received the Women in Leadership Company initiative Award for its commitment to gender balance in the workplace.

The Covid-19 Response Recognition Award was awarded to Aerogen which has developed an inhaled vaccine station. The company’s products have been used on more than 3m critically ill people since March 2020, according to Enterprise Ireland’s head of life sciences, Deirdre Glenn. Aerogen won last year’s Medtech Company of the Year award.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Source link

Continue Reading

Technology

‘A lemon’: Coalition fights to keep Covidsafe app data under wraps | Australia news

Voice Of EU

Published

on

The Morrison government insists it is negotiating with the states about “future uses” for its troubled Covidsafe app despite it not being used during the outbreaks that prompted lockdowns in Victoria, New South Wales and the Australian Capital Territory.

The government is also refusing to release how many Australians continue to use the app, with one tech expert accusing the government of trying to avoid disclosing embarrassing data rather than admit it had failed to achieve its purpose.

Since vaccination rates reached more than 90% of the eligible population in most states, contact tracing is slowly being scaled back, with health authorities limiting the number of people contacted and asked to test and isolate.

Even when contact tracing played a critical role in reducing the number of cases, the app was of little assistance.

Almost none of the contacts were identified through the federal government’s CovidSafe contact tracing app despite well over 7 million people in Australia downloading it last year and the prime minister, Scott Morrison, declaring it the ticket out of lockdown.

Since launching in April last year, just 17 “close contacts” in NSW were found directly through the app that were not otherwise identified through manual contact tracing methods.

Guardian Australia has been engaged in a year-long freedom of information battle with the Digital Transformation Agency to reveal how many people continued to use the app after installing it.

This month the agency said releasing the information would hurt negotiations with the states over the app’s future uses.

“The Commonwealth is engaged in ongoing consultations and discussions with the states and territories on a framework around the use of Covidsafe data and data derived from Covidsafe data as a key tool for contact tracing,” DTA’s chief technology officer, Anthony Warnock, told the Office of the Australian Information Commissioner in a letter provided to Guardian Australia.

When asked about these discussions, both NSW and Victoria said the app had not been used at all in 2021.

“To date, it has not been necessary to use the Covidsafe app with any case clusters in 2021,” a NSW Health spokesperson said. “NSW Health’s contact tracing team has access to a variety of information to contain the spread of Covid-19 and keep the community safe.”

The ACT also said the app had never been used in the capital and, as of September, Queensland said it had used the app twice, with one contact identified but no positive cases identified.

It’s also unclear what future uses the federal government is considering.

Electronic Frontiers Australia’s chair, Justin Warren, who has been involved in complex FOI battles with the government, suggested the only reason the the release of the information would be damaging was if it showed far fewer people continued to use the app.

“The DTA appears to be trying to argue that we can’t learn the truth about just how big a lemon the Covidsafe app is because then people might know it’s a lemon and act accordingly,” he said. “It’s clear to me that they wouldn’t try to make this argument if the app was useful.”

The app costs around $75,000 a month to run, and a spokesperson for the federal health department said there were “no plans” to shut it down until the health minister determined it was no longer required.

Experts in the tech community last year called for the app to be modified using the Apple-Google exposure notification framework, which would work similarly to the UK’s NHS app and alert people when they had been in contact with a confirmed Covid-19 case.

A study published in Nature in May about how effective the NHS app in England and Wales had been between September and December last year found that for every positive case who agreed to alert their contacts, one case was averted.

The government has long argued against switching to an NHS-style version of the app, arguing that it left it up to users to contact the health department and get tested and isolate, rather than giving contact tracers a list of those exposed to follow up.

But a ministerial brief prepared by the DTA in May 2020, released this week on the transparency website Right to Know, reveals that the government believed it would require massive changes to the app and privacy laws to accommodate the change.

“The app would need to be significantly redesigned and rebuilt,” the agency said. “The ENF cannot simply be embedded into the current app. The health portal would also need to be redesigned and rebuilt.”

The DTA warned that a new privacy assessment would need to be undertaken, legislation might need to be amended, all current users would need to download and re-register through the app, and contact data could not be transferred.

The briefing also noted that the alerts people received through the app “may cause alarm” if contact tracers were not involved in the process.

Sign up to receive an email with the top stories from Guardian Australia every morning

But the agency said a change to the Apple/Google version would improve connectivity between devices and might encourage people who had hesitated to download the original app.

“Certain users who have avoided the app may perceive that the ENF provides stronger privacy protections through this largely decentralised non-government-controlled model.”

Victoria now automatically alerts people who were at high-risk venues through the Service Victoria app, and advises them to test and isolate, but does not do any further contact tracing except when someone tests positive.

NSW is planning to ditch QR code check-ins from all but high-risk venues from 15 December, or when the state reaches 95% of the eligible population having two doses of the vaccine.

Source link

Continue Reading

Trending

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates 
directly on your inbox.

You have Successfully Subscribed!