InfoSec News

Hacking

Riviera Beach Florida City Council Agrees to Pay Cybercriminals Nearly $600K Malware Ransom

By

By William Knowles @c4i
Senior Editor
InfoSec News
June 20, 2019

Riviera Beach Florida just became the newest member of a club no city or local government hopes to join. Taking only a few minutes and by a unanimous vote of 5-0 on Monday night the board authorized Riviera Beach’s insurer to pay 65 bitcoins valued at approximately $592K USD. Paying off a malware ransom that has crippled all of the city’s information technology infrastructure since May 29th after someone in the police department clicked on a malicious email.

But unlike the 2000 action flick Proof of Life, there’s no guarantee paying the ransom will unlock the affected computer network and all the encrypted files, and while its 2019, Its not likely Cyber-Insurance companies have former 22nd SAS and 75th Ranger Battalion types running around the world with machine guns blazing for a successful hostage rescue of a malware-infected network.

The council held a special meeting earlier in June to authorize $941,000 for 310 new desktop and 90 laptop computers and other hardware. Much of the existing hardware was a half-dozen-years old and vulnerable to another malware attack, so it was time to replace it anyway, Riviera Beach Councilwoman Julie Botel said.

In a 2016 survey, CIO’s for local governments across the country said more than a third of them were using outdated technology, making them more vulnerable to attacks. Riviera Beach will also spend an additional $25,000 coming out of their budget, to cover its insurance policy deductible.

With rising deficits and pension obligations, its understandable how a city like Riviera Beach or Baltimore Maryland can be compromised so easily when there isn’t the budget to hire a full-time information security professional and institute security awareness training for topics like not clicking on shit or scanning random QR codes.

Chad Loder, Founder & CEO of security awareness training firm Habitu8 posted on Twitter recently.

I’m astounded that some companies still purchase the cheapest security awareness training content “to save money”, but will put 2,000 employees each through an hour of terrible training.

You’re not saving money – you’re wasting it.

Chad Loder (@chadloder) – 19 Jun 2019

Cities across the United States and around the world will now have to decide, what is cheaper? hiring a full-time security professional, a part-time person, a managed service provider, or just paying the ransom and hope the files recover completely. However, hope is not a strategy.

With additional reporting from The Palm Beach Post

The Weather Channel compromised by Malware Attack Trevor

By

By William Knowles @c4i
Senior Editor
InfoSec News
April 19, 2019

The Weather Channel’s normally quiet morning broadcast was suspended for a brief time on Thursday after what it said was a “malicious software attack on the network.”

America’s Morning Headquarters – “AMHQ” the Weather Channel’s morning show, was unable to air at 6 a.m. The Weather Channel showed “Heavy Rescue: 401” until 7:39 a.m. when “AMHQ” was back on the air.

“We experienced issues with this morning’s live broadcast following a malicious software attack on the network,” the Weather Channel said in a statement. “We were able to restore live programming quickly through backup mechanisms. Federal law enforcement is actively investigating the issue. We apologize for any inconvenience to viewers as we work to resolve the matter.”

pic.twitter.com/ovSgrgHxXY

— The Weather Channel (@weatherchannel) April 18, 2019

“The Weather Channel, sadly, has been the victim of a malicious software attack today,” said The Weather Channel anchor Jim Cantore. “Yes, and it has affected our ability to bring you your weather information,” added anchor Stephanie Abrams. “So we just wanted to say thank you again for your patience and we want to get right to today’s severe weather.”

The Weather Channel tweeted “We are experiencing technical difficulties with our live broadcast. We apologize for any inconvenience while we resolve this issue. We appreciate your patience.” — The Weather Channel (@weatherchannel) April 18, 2019

It’s too early to know if this was a targeted attack and what the vector was to upload malware to The Weather Channel. It could have been as simple as phishing the Weather Channel employees with a salacious email like “Reed Timmer and Ginger Zee vacation photos” but it was obvious The Weather Channel had learned inexpensive lessons about making regular backups and keeping copies offline to prevent future compromises like the $300 million ransomware attack on the Maersk Group.

Citrix compromised by international cybercriminals

By

By William Knowles @c4i
Senior Editor
InfoSec News
March 11, 2019

Late last week, Citrix announced in a statement by Chief Security and Information Officer, Stan Black that they were hit by hackers in attacks that potentially exposed terabytes of customer data and potentially internal Citrix corporate secrets.

“On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cybercriminals gained access to the internal Citrix network.”

“Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.”

“Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.”

“While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.”

Hackers Deface Electronic Billboard Near Seattle Washington

By

By William Knowles @c4i
Senior Editor
InfoSec News
January 1, 2019
Updated: January 3, 2019

For 99.9999% of the world’s population, New Year’s Eve is a time to let your hair down and have a few drinks celebrating the passing of another year, but I suspect its just another day on the calendar for John McAfee when he shared this tweet (Very NSFW) to his 885K followers on Twitter.

So it comes to no surprise that billboard hackers @le_keksec shared McAfee’s tweet to hundreds of thousands more near Seattle Washington and was reposted posted to Twitter. (NSFW)

On Tuesday, a McAfee spokesperson confirmed that the billboard operator was hacked and as a result, the display has been shut down.  McAfee, a device to cloud cybersecurity company headquartered in Santa Clara, California, also noted that John McAfee has not been affiliated with the company in any capacity for over 25 years.

Someone repeatedly compromised NASA servers

By

By William Knowles @c4i
Senior Editor
InfoSec News
December 19, 2018

 

This isn’t going to improve NASA’s FISMA scorecard rating for 2018.

On Tuesday, December 18, 2018. Bob Gibbs, Assistant Administrator, Office of the Chief Human Capital Officer sent an agency-wide message to the 17,000+ NASA employees, according to SpaceRef which posted the memo on their site.

On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised.

Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents.

NASA Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018, may have been affected.

NASA employees should be counting their lucky stars that this doesn’t happen more often, In 2016 NASA’s Office of Inspector General found that NASA lacks a mature cyber program, earning a score of 27 out of 100 under the Office of Management and Budget’s and DHS’ five-step maturity model.

In the 2017 Federal Information Security Modernization Act: Fiscal Year 2017 Evaluation of NASA came to the conclusion that…

Despite progress made to address previously identified weaknesses related to its cybersecurity program, we concluded that NASA, based on the results of our current review, has not implemented an effective information technology security program. Further, without implementing additional improvements to ensure that NIST requirements are implemented, the Agency may lose ground in its efforts to address the challenges in a rapidly evolving cybersecurity landscape. To strengthen its information security program, we believe the Agency should continue its initiatives in each of the seven IG FISMA domains.

  1. Risk Management. Strengthen the enterprise architecture risk management framework by closing the gap between mission systems and inventory, and complete the transition to RISCS.
  2. Configuration Management. Augment secure configuration settings, improve hardware and software asset management, and remediate configuration-related vulnerabilities including unsupported operating systems.
  3. Identity and Access Management. Increase the use of PIV authentication for unprivileged users.
  4. Security Training. Complete applicable role-based training for personnel with significant security responsibilities.
  5. Continuous Monitoring. Develop a comprehensive continuous monitoring strategy for automatic hardware and software inventory detection and data exfiltration defense capabilities.
  6. Incident Response. Bridge the gap between reactive and proactive intelligence gathering and analysis techniques.
  7. Contingency Planning.

Finally, we are concerned that many recommended corrective actions from prior FISMA and other IT-related reviews remain open after more than a year. We urge a renewed Agency commitment to addressing our previous recommendations given the constant and growing cybersecurity threats. Although this memorandum made no specific recommendations to NASA, management provided a brief response that is reproduced in Enclosure V. Technical comments provided by management have been incorporated, as appropriate.

Sadly, Its easier to blame this all on aliens.