Every time there is another data breach, we are asked to change our password at the breached entity. But the reality is that in most cases by the time the victim organization discloses an incident publicly the information has already been harvested many times over by profit-seeking cybercriminals. Here’s a closer look at what typically transpires in the weeks or months before an organization notifies its users about a breached database.
Our continued reliance on passwords for authentication has contributed to one toxic data spill or hack after another. One might even say passwords are the fossil fuels powering most IT modernization: They’re ubiquitous because they are cheap and easy to use, but that means they also come with significant trade-offs — such as polluting the Internet with weaponized data when they’re leaked or stolen en masse.
When a website’s user database gets compromised, that information invariably turns up on hacker forums. There, denizens with computer rigs that are built primarily for mining virtual currencies can set to work using those systems to crack passwords.
How successful this password cracking is depends a great deal on the length of one’s password and the type of password hashing algorithm the victim website uses to obfuscate user passwords. But a decent crypto-mining rig can quickly crack a majority of password hashes generated with MD5 (one of the weaker and more commonly-used password hashing algorithms).
“You hand that over to a person who used to mine Ethereum or Bitcoin, and if they have a large enough dictionary [of pre-computed hashes] then you can essentially break 60-70 percent of the hashed passwords in a day or two,” said Fabian Wosar, chief technology officer at security firm Emsisoft.
From there, the list of email addresses and corresponding cracked passwords will be run through various automated tools that can check how many email address and password pairs in a given leaked data set also work at other popular websites (and heaven help those who’ve re-used their email password elsewhere).
This sifting of databases for low-hanging fruit and password re-use most often yields less than a one percent success rate — and usually far less than one percent.
But even a hit rate below one percent can be a profitable haul for fraudsters, particularly when they’re password testing databases with millions of users. From there, the credentials are eventually used for fraud and resold in bulk to legally murky online services that index and resell access to breached data.
Much like WeLeakInfo and others operated before being shut down by law enforcement agencies, these services sell access to anyone who wants to search through billions of stolen credentials by email address, username, password, Internet address, and a variety of other typical database fields.TARGETED PHISHING
So hopefully by this point it should be clear why re-using passwords is generally a bad idea. But the more insidious threat with hacked databases comes not from password re-use but from targeted phishing activity in the early days of a breach, when relatively few ne’er-do-wells have got their hands on a hot new hacked database.
Earlier this month, customers of the soccer jersey retailer classicfootballshirts.co.uk started receiving emails with a “cash back” offer. The messages addressed customers by name and referenced past order numbers and payment amounts tied to each account. The emails encouraged recipients to click a link to accept the cash back offer, and the link went to a look-alike domain that requested bank information.
“It soon became clear that customer data relating to historic orders had been compromised to conduct this attack,” Classicfootballshirts said in a statement about the incident.
Allison Nixon, chief research officer with New York City-based cyber intelligence firm Unit221B, recalled what happened in the weeks leading up to Dec. 22, 2020, when cryptocurrency wallet company Ledger acknowledged that someone had released the names, mailing addresses and phone numbers for 272,000 customers.
Nixon said she and her colleagues noticed in the preceding months a huge uptick in SIM-swapping attacks, a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.
“A week or two prior to that we were seeing a whole lot of SIM swapping activity,” Nixon said. “We knew the information was coming from some database but we couldn’t figure out what service they all had in common. After the Ledger database got leaked publicly, we started looking at the [SIM swapping] victims and found 100 percent of them were present in the Ledger database.”
In a statement about the breach, Ledger said the data was likely stolen in June 2020, meaning hackers had roughly six months to launch targeted attacks using extremely detailed information about customers.
“If you were to look [on cybercrime forums] at the past history of people posting about that Ledger database, you’d see people were selling it privately for months prior to that,” Nixon said. “It seems like this database was slowly percolating out wider and wider, until someone decided to remove a lot of its value by posting the whole thing publicly.”
Here are some tips to help avoid falling prey to incessant data breaches and increasingly sophisticated phishing schemes:
–Avoid clicking on links and attachments in email, even in messages that appear to be sent from someone you have heard from previously. And as the phishing examples above demonstrate, many of today’s phishing scams use elements from hacked databases to make their lures more convincing.
–Urgency should be a giant red flag. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly. Take a deep breath. If you’re unsure whether the message is legitimate, visit the site or service in question manually (ideally, using a browser bookmark so as to avoid potential typosquatting sites).
–Don’t re-use passwords. If you’re the kind of person who likes to use the same password across multiple sites, then you definitely need to be using a password manager. That’s because password managers handle the tedious task of creating and remembering unique, complex passwords on your behalf; all you need to do is remember a single, strong master password or passphrase. In essence, you effectively get to use the same password across all Web sites. Some of the more popular password managers include Dashlane, Keepass, LastPass and Roboform.
–Phone-based phishing uses hacked databases, too: A great many scams are perpetrated over the phone, leveraging personal and financial information gleaned from past data breaches to make them sound more believable. If you think you’d never fall for someone trying to scam you over the phone, check out this story about how a tech-savvy professional got taken for thousands of dollars by a fraudster masquerading as his credit union. Remember, When in Doubt: Hang Up, Look Up, & Call Back.
One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media.
But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts.
Skim the government’s indictment and you might overlook a footnote on Page 4 that says O’Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against federal agents who were already investigating their alleged crimes.
“O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer,” the footnote reads.
Swatting involves making a false report to authorities in a target’s name with the intention of sending a heavily armed police force to that person’s address. It’s a potentially deadly hoax: Earlier this month, a Tennessee man was sentenced to 60 months in prison for setting in motion a swatting attack that led to the death of a 60-year-old grandfather.
As for the actual criminal charges, O’Connor faces ten counts, including conspiracy, computer intrusion, extortive communications, stalking and threatening communications.FEMALE TARGETS
All of those come into play in the case of the Snapchat account of actor Bella Thorne, who was allegedly targeted by PlugwalkJoe and associates in June 2019.
Investigators say O’Connor was involved in a “SIM swap” against Thorne’s mobile phone number. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.
In this case, the SIM swap was done to wrest control over Thorne’s Snapchat account. Once inside, the attackers found nude photos of Thorne, which they then threatened to release unless she agreed to post on social media thanking the hackers using their online handles.
The intruders posted on Thorne’s Snapchat, “Will drop nudes if 5000 of you follow @PlugwalkJoe.” Thorne told the feds her phone lost service shortly before her account was hijacked. Investigators later found the same Internet address used to access Thorne’s Snapchat account also was used minutes later to access “@Joe” on Instagram, which O’Connor has claimed publicly.
On June 15, 2019, Thorne posted on Twitter that she’d been “threatened with my own nudes,” and posted screenshots of the text message with the individual who had extorted him/her. Thorne said she was releasing the photographs so that the individual would not be able to “take yet another thing from me.”
The indictment alleges O’Connor also swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.
Social media personality Addison Rae had 55 million followers when her TikTok account got hacked last August. I noted on Twitter at the time that PlugWalkJoe had left his calling card yet again. The indictment alleges O’Connor also was involved in a SIM-swap against Rae’s mobile number.
Prosecutors believe that roughly a week after the Twitter hack O’Connor called in bomb threats and swatting attacks targeting a high school and an airport in California. They’re confident it was O’Connor making the swatting and bomb threat calls because his voice is on record in a call he made to federal investigators, as well as to an inmate arrested for SIM swapping.
Curiously left out of the media coverage of O’Connor’s alleged crimes is that PlugwalkJoe appears to have admitted in a phone call with the FBI to being part of a criminal conspiracy. In the days following the Twitter mass-hack, O’Connor was quoted in The New York Times denying any involvement in the Twitter bitcoin scam. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”
Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like. In nearly the same breath, O’Connor said he was open to talking to federal investigators and telling his side of the story.
According to the indictment, a week after the Twitter hack a man identifying himself as O’Connor called federal investigators in Northern California. Specifically, the call went to the REACT Task Force. REACT is a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that is focused on catching criminal SIM swappers, and by this point REACT already had plenty of audio from phone calls traced back to O’Connor in which he allegedly participated in a SIM swapping or swatting attack.
“REACT began receiving tips in 2018 regarding illegal activity of an individual using the online moniker ‘PlugwalkJoe,’ purportedly identified as O’Connor from the United Kingdom,” the indictment states.
Prosecutors redacted the name of the law enforcement officer who allegedly was swatted by PlugwalkJoe, referring to him only as “C.T.,” a criminal investigator for the Santa Clara District Attorney and a REACT Task Force member.
FBI agents called O’Connor back at the number he left. O’Connor told the FBI that on the afternoon of July 15, 2020 he’d been in contact with other associates who were in communications with the alleged mastermind of the Twitter bitcoin scam. Those intermediaries worked directly with Graham Clark, then 17, who pleaded guilty to fraud charges last summer in connection with the Twitter hack and agreed to serve three years in prison followed by three years of probation.
The indictment says O’Connor told the feds he only wanted his friends to relay his desire for Clark to secure several different short Twitter usernames that belonged to other people, accounts that were to be later sold for a profit. The other associates who allegedly helped PlugwalkJoe interact with Clark also have since been charged in connection with the Twitter hack.
A copy of the indictment is here (PDF).
A 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that lead to the death of a 60-year-old grandfather in 2020 was sentenced to 60 months in prison today.
Shane Sonderman, of Lauderdale County, Tenn. admitted to conspiring with a group of criminals that’s been “swatting” and harassing people for months in a bid to coerce targets into giving up their valuable Twitter and Instagram usernames.
At Sonderman’s sentencing hearing today, prosecutors told the court the defendant and his co-conspirators would text and call targets and their families, posting their personal information online and sending them pizzas and other deliveries of food as a harassment technique.
Other victims of the group told prosecutors their tormentors further harassed them by making false reports of child abuse to social services local to the target’s area, and false reports in the target’s name to local suicide prevention hotlines.
Eventually, when subjects of their harassment refused to sell or give up their Twitter and Instagram usernames, Sonderman and others would swat their targets — or make a false report to authorities in the target’s name with the intention of sending a heavily armed police response to that person’s address.
For weeks throughout March and April 2020, 60-year-old Mark Herring of Bethpage, Tenn. was inundated with text messages asking him to give up his @Tennessee Twitter handle. When he ignored the requests, Sonderman and his buddies began having food delivered to Herring’s home via cash on delivery.
At one point, Sonderman posted Herring’s home address in a Discord chat room used by the group, and a minor in the United Kingdom quickly followed up by directing a swatting attack on Herring’s home.
Ann Billings was dating Mr. Herring and was present when the police surrounded his home. She recalled for the Tennessee court today how her friend died shortly thereafter of a heart attack.
Billings said she first learned of the swatting when a neighbor called and asked why the street was lined with police cars. When Mr. Herring stepped out on the back porch to investigate, police told him to put his hands up and to come to the street.
Unable to disengage a lock on his back fence, Herring was instructed to somehow climb over the fence with his hands up.
“He was starting to get more upset,” Billings recalled. “He said, ‘I’m a 60-year-old fat man and I can’t do that.'”
Billings said Mr. Herring then offered to crawl under a gap in the fence, but when he did so and stood up, he collapsed of a heart attack. Herring died at a nearby hospital soon after.
Mary Frances Herring, who was married to Mr. Herring for 28 years, said her late husband was something of a computer whiz in his early years who secured the @Tennessee Twitter handle shortly after Twitter came online. Internet archivist Jason Scott says Herring was the creator of the successful software products Sparkware and QWIKMail; Scott has 2 hours worth of interviews with Herring from 20 years ago here.
Perhaps the most poignant testimony today came when Ms. Herring said her husband — who was killed by people who wanted to steal his account — had a habit of registering new Instagram usernames as presents for friends and family members who’d just had children.
“If someone was having a baby, he would ask them, ‘What are your naming the baby?’,” Ms. Herring said. “And he would get them that Instagram name and give it to them as a gift.”
Valerie Dozono also was an early adopter of Instagram, securing the two-letter username “VD” for her initials. When Dozono ignored multiple unsolicited offers to buy the account, she and many family and friends started getting unrequested pizza deliveries at all hours.
When Dozono continued to ignore her tormentors, Sonderman and others targeted her with a “SIM-swapping attack,” a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.
But it wasn’t the subsequent bomb threat that Sonderman and friends called in to her home that bothered Dozono most. It was the home invasion that was ordered at her address using strangers on social media.
Dozono said Sonderman created an account on Grindr — the location-based social networking and dating app for gay, bi, trans and queer people — and set up a rendezvous at her address with an unsuspecting Grindr user who was instructed to waltz into her home as if he was invited.
“This gentleman was sent to my home thinking someone was there, and he was given instructions to walk into my home,” Dozono said.
The court heard from multiple other victims targeted by Sonderman and friends over a two-year period. Including Shane Glass, who started getting harassed in 2019 over his @Shane Instagram handle. Glass told the court that endless pizza deliveries, as well as SIM swapping and swatting attacks left him paranoid for months that his assailant could be someone stalking him nearby.
Judge Mark Norris said Sonderman’s agreement to plead to one count of extortion by threat of serious injury or damage carries with it a recommended sentence of 27 to 33 months in prison. However, the judge said other actions by the defendant warranted up to 60 months (5 years) in prison.
Sonderman might have been eligible to knock a few months off his sentence had he cooperated with investigators and refrained from committing further crimes while out on bond.
But prosecutors said that shortly after his release, Sonderman went right back to doing what he was doing when he got caught. Investigators who subpoenaed his online communications found he’d logged into the Instagram account “FreeTheSoldiers,” which was known to have been used by the group to harass people for their social media handles.
Sonderman was promptly re-arrested for violating the terms of his release, and prosecutors played for the court today a recording of a phone call Sonderman made from jail in which he brags to a female acquaintance that he wiped his mobile phone two days before investigators served another search warrant on his home.
Sonderman himself read a lengthy statement in which he apologized for his actions, blaming his “addiction” on several psychiatric conditions — including bipolar disorder. While his recitation was initially monotone and practically devoid of emotion, Sonderman eventually broke down in tears that made the rest of his statement difficult to hear over the phone-based conference system the court made available to reporters.
The bipolar diagnoses was confirmed by his mother, who sobbed as she simultaneously begged the court for mercy while saying her son didn’t deserve any.
Judge Norris said he was giving Sonderman the maximum sentenced allowed by law under the statute — 60 months in prison followed by three years of supervised release, but implied that his sentence would be far harsher if the law permitted.
“Although it may seem inadequate, the law is the law,” Norris said. “The harm it caused, the death and destruction….it’s almost unspeakable. This is not like cases we frequently have that involve guns and carjacking and drugs. This is a whole different level of insidious criminal behavior here.”
Sonderman’s sentence pales in comparison to the 20-year prison time handed down in 2019 to serial swatter Tyler Barriss, a California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident.
A federal judge in Connecticut today handed down a sentence of time served to spam kingpin Peter “Severa” Levashov, a prolific purveyor of malicious and junk email, and the creator of malware strains that infected millions of Microsoft computers globally. Levashov has been in federal custody since his extradition to the United States and guilty plea in 2018, and was facing up to 12 more years in prison. Instead, he will go free under three years of supervised release and a possible fine.
A native of St. Petersburg, Russia, the 40-year-old Levashov operated under the hacker handle “Severa.” Over the course of his 15-year cybercriminal career, Severa would emerge as a pivotal figure in the cybercrime underground, serving as the primary moderator of a spam community that spanned multiple top Russian cybercrime forums.
Severa created and then leased out to others some of the nastiest cybercrime engines in history — including the Storm worm, and the Waledac and Kelihos spam botnets. His central role in the spam forums gave Severa a prime spot to advertise the services tied to his various botnets, while allowing him to keep tabs on the activities of other spammers.
Severa rented out segments of his Waledac botnet to anyone seeking a vehicle for sending spam. For $200, vetted users could hire his botnet to blast one million emails containing malware or ads for male enhancement drugs. Junk email campaigns touting employment or “money mule” scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.
Early in his career, Severa worked very closely with two major purveyors of spam. One was Alan Ralsky, an American spammer who was convicted in 2009 of paying Severa and other spammers to promote pump-and-dump stock scams.
The other was a major spammer who went by the nickname “Cosma,” the cybercriminal thought to be responsible for managing the Rustock botnet (so named because it was a Russian botnet frequently used to send pump-and-dump stock spam). Microsoft, which has battled to scrub botnets like Rustock off of millions of PCs, later offered a still-unclaimed $250,000 reward for information leading to the arrest and conviction of the Rustock author.
Severa ran several affiliate programs that paid cybercriminals to trick people into installing fake antivirus software. In 2011, KrebsOnSecurity dissected “SevAntivir” — Severa’s eponymous fake antivirus affiliate program — showing it was used to deploy new copies of the Kelihos spam botnet.
In 2010, Microsoft — in tandem with a number of security researchers — launched a combined technical and legal sneak attack on the Waledac botnet, successfully dismantling it. The company would later do the same to the Kelihos botnet, a global spam machine which shared a great deal of code with Waledac and infected more than 110,000 Microsoft Windows PCs.
Levashov was arrested in 2017 while in Barcelona, Spain with his family. According to a lengthy April 2017 story in Wired.com, he got caught because he violated a basic security no-no: He used the same log-in credentials to both run his criminal enterprise and log into sites like iTunes.
In fighting his extradition to the United States, Levashov famously told the media, “If I go to the U.S., I will die in a year.” But a few months after his extradition, Levashov would plead guilty to four felony counts, including intentional damage to protected computers, conspiracy, wire fraud and aggravated identity theft.
At his sentencing hearing today, Levashov thanked his wife, attorney and the large number of people who wrote the court in support of his character, but otherwise declined to make a statement. His attorney read a lengthy statement explaining that Levashov got into spamming as a way to provide for his family, and that over a period of many years that business saw him supporting countless cybercrime operations.
The plea agreement Levashov approved in 2018 gave Judge Robert Chatigny broad latitude to impose a harsh prison sentence. The government argued that under U.S. federal sentencing guidelines, Levashov’s crimes deserved an “offense level” of 32, which for a first-time offender means a sentence of anywhere from 121 to 151 months (10 to 12 years).
But Judge Chatigny said he had concerns that “the total offense level does overstate the seriousness of Mr. Levashov’s crimes and his criminal culpability,” and said he believed Levashov was unlikely to offend again.
“33 months is a long time and I’m sure it was especially difficult for you considering that you were away from your wife and child and home,” Chatigny told the defendant. “I believe you have a lot to offer and hope that you will do your best to be a positive and contributing member of society.”
Mark Rasch, a former federal prosecutor with the U.S. Justice Department, the sentencing guidelines are no longer mandatory, but they do reflect the position of Congress, the U.S. Sentencing Commission, and the Administrative Office of the U.S. Courts about what seriousness of the offenses.
“One of the problems you have here is it’s hard enough to catch and prosecute and convict cybercriminals, but at the end of the day the courts often don’t take these offenses seriously,” Rasch said. “One the one hand, sentences like these do tend to diminish the deterrent effect, but also I doubt there are any hackers in St. Petersburg right now who are watching this case and going, ‘Okay, great now I can keep doing what I’m doing.'”
Judge Chatigny deferred ruling on what — if any — financial damages Levashov may have to pay as a result of the plea.
The government acknowledged that it was difficult to come to an accurate accounting of how much Levashov’s various botnets cost companies and consumers. But the plea agreement states a figure of approximately $7 million — which prosecutors say represents a mix of actual damages and ill-gotten gains.
However, the judge delayed ruling on whether to impose a fine because prosecutors had yet to supply a document to back up the defendant’s alleged profit/loss figures. The judge also ordered Levashov to submit to three years of supervised release, which includes constant monitoring of his online communications.
Browse the comments on virtually any story about a ransomware attack and you will almost surely encounter the view that the victim organization could have avoided paying their extortionists if only they’d had proper data backups. But the ugly truth is there are many non-obvious reasons why victims end up paying even when they have done nearly everything right from a data backup perspective.
This story isn’t about what organizations do in response to cybercriminals holding their data for hostage, which has become something of a best practice among most of the top ransomware crime groups today. Rather, it’s about why victims still pay for a key needed to decrypt their systems even when they have the means to restore everything from backups on their own.
Experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.
“In a lot of cases, companies do have backups, but they never actually tried to restore their network from backups before, so they have no idea how long it’s going to take,” said Fabian Wosar, chief technology officer at Emsisoft. “Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files. A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”
Wosar said the next most-common scenario involves victims that have off-site, encrypted backups of their data but discover that the digital key needed to decrypt their backups was stored on the same local file-sharing network that got encrypted by the ransomware.
The third most-common impediment to victim organizations being able to rely on their backups is that the ransomware purveyors manage to corrupt the backups as well.
“That is still somewhat rare,” Wosar said. “It does happen but it’s more the exception than the rule. Unfortunately, it is still quite common to end up having backups in some form and one of these three reasons prevents them from being useful.”
Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments for victims, said most companies that pay either don’t have properly configured backups, or they haven’t tested their resiliency or the ability to recover their backups against the ransomware scenario.
“It can be [that they] have 50 petabytes of backups … but it’s in a … facility 30 miles away.… And then they start [restoring over a copper wire from those remote backups] and it’s going really slow … and someone pulls out a calculator and realizes it’s going to take 69 years [to restore what they need],” Siegel told Kim Zetter, a veteran Wired reporter who recently launched a cybersecurity newsletter on Substack.
“Or there’s lots of software applications that you actually use to do a restore, and some of these applications are in your network [that got] encrypted,” Siegel continued. “So you’re like, ‘Oh great. We have backups, the data is there, but the application to actually do the restoration is encrypted.’ So there’s all these little things that can trip you up, that prevent you from doing a restore when you don’t practice.”
Wosar said all organizations need to both test their backups and develop a plan for prioritizing the restoration of critical systems needed to rebuild their network.
“In a lot of cases, companies don’t even know their various network dependencies, and so they don’t know in which order they should restore systems,” he said. “They don’t know in advance, ‘Hey if we get hit and everything goes down, these are the services and systems that are priorities for basic network that we can build off of.'”
Wosar said it’s essential that organizations drill their breach response plans in periodic tabletop exercises, and that it is in these exercises that companies can start to refine their plans. For example, he said, if the organization has physical access to their remote backup data center, it might make more sense to develop processes for physically shipping the backups to the restoration location.
“Many victims see themselves confronted with having to rebuild their network in a way they didn’t anticipate. And that’s usually not the best time to have to come up with these sorts of plans. That’s why tabletop exercises are incredibly important. We recommend creating an entire playbook so you know what you need to do to recover from a ransomware attack.”
Microsoft today released updates to patch at least 116 security holes in its Windows operating systems and related software. At least four of the vulnerabilities addressed today are under active attack, according to Microsoft.
Thirteen of the security bugs quashed in this month’s release earned Microsoft’s most-dire “critical” rating, meaning they can be exploited by malware or miscreants to seize remote control over a vulnerable system without any help from users.
Another 103 of the security holes patched this month were flagged as “important,” which Microsoft assigns to vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”
Among the critical bugs is of course the official fix for the PrintNightmare print spooler flaw in most versions of Windows (CVE-2021-34527) that prompted Microsoft to rush out a patch for a week ago in response to exploit code for the flaw that got accidentally published online. That patch seems to have caused a number of problems for Windows users. Here’s hoping the updated fix resolves some of those issues for readers who’ve been holding out.
CVE-2021-34448 is a critical remote code execution vulnerability in the scripting engine built into every supported version of Windows — including server versions. Microsoft says this flaw is being exploited in the wild.
Chad McNaughton, technical community manager at Automox, called attention to CVE-2021-34458, a remote code execution flaw in the deepest areas of the operating system. McNaughton said this vulnerability is likely to be exploited because it is a “low-complexity vulnerability requiring low privileges and no user interaction.”
Another concerning critical vulnerability in the July batch is CVE-2021-34494, a dangerous bug in the Windows DNS Server that earned a CVSS score (severity) of 9.8 out of a possible 10.
“Both core and full installations are affected back to Windows Server 2008, including versions 2004 and 20H2,” said Aleks Haugom, also with Automox.
“DNS is used to translate IP addresses to more human-friendly names, so you don’t have to remember the jumble of numbers that represents your favorite social media site,” Haugom said. “In a Windows Domain environment, Windows DNS Server is critical to business operations and often installed on the domain controller. This vulnerability could be particularly dangerous if not patched promptly.”
Microsoft also patched six vulnerabilities in Exchange Server, an email product that has been under siege all year from attackers. Satnam Narang, staff research engineer at Tenable, noted that while Microsoft says two of the Exchange bugs tackled this month (CVE-2021-34473 and CVE-2021-34523) were addressed as part of its security updates from April 2021, both CVEs were somehow omitted from that April release. Translation: If you already applied the bevy of Exchange updates Microsoft made available in April, your Exchange systems have protection against these flaws.
Other products that got patches today include Microsoft Office, Bing, SharePoint Server, Internet Explorer, and Visual Studio. The SANS Internet Storm Center as always has a nice visual breakdown of all the patches by severity.
Adobe also issued security updates today for Adobe Acrobat and Reader, as well as Dimension, Illustrator, Framemaker and Adobe Bridge.
Chrome and Firefox also recently have shipped important security updates, so if you haven’t done so recently take a moment to save your tabs/work, completely close out and restart the browser, which should apply any pending updates.
The usual disclaimer:
Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.
So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, check out AskWoody, which keeps a close eye out for specific patches that may be causing problems for users.
Last summer, financial institutions throughout Texas started reporting a sudden increase in attacks involving well-orchestrated teams that would show up at night, use stolen trucks and heavy chains to rip Automated Teller Machines (ATMs) out of their foundations, and make off with the cash boxes inside. Now it appears the crime — known variously as “ATM smash-and-grab” or “chain gang” attacks — is rapidly increasing in other states.
The Texas Bankers Association documented at least 139 chain gang attacks against Texas financial institutions in the year ending November 2020. The association says organized crime is the main source of the destructive activity, and that Houston-based FBI officials have made more than 50 arrests and are actively tracking about 250 individuals suspected of being part of these criminal rings.
From surveillance camera footage examined by fraud investigators, the perpetrators have followed the same playbook in each incident. The bad guys show up in the early morning hours with a truck or tractor that’s been stolen from a local construction site.
Then two or three masked men will pry the front covering from the ATM using crowbars, and attach heavy chains to the cash machine. The canisters of cash inside are exposed once the crooks pull the ATM’s safe door off using the stolen vehicle.
In nearly all cases, the perpetrators are done in less than five minutes.
Tracey Santor is the bond product manager for Travelers, which insures a large number of financial institutions against this type of crime. Santor said investigators questioning some of the suspects learned that the smash-and-grabs are used as a kind of initiation for would-be gang members.
“One of the things they found out during the arrest was the people wanting to be in the gang were told they had to bring them $250,000 within a week,” Santor said. “And they were given instructions on how to do it. I’ve also heard of cases where the perpetrators put construction cones around the ATM so it looks to anyone passing by that they’re legitimately doing construction at the site.”
Santor said the chain gang attacks have spread to other states, and that in the year ending June 2021 Travelers saw a 257 percent increase in the number of insurance claims related to ATM smash-and-grabs.
That 257 percent increase also includes claims involving incidents where attackers will crash a stolen car into a convenience store, and then in the ensuing commotion load the store’s ATM into the back of the vehicle and drive away.
In addition to any cash losses — which can often exceed $200,000 — replacing destroyed ATMs and any associated housing can take weeks, and newer model ATMs can cost $80,000 or more.
“It’s not stopping,” Santor said of the chain gang attacks. “In the last year we counted 32 separate states we’ve seen this type of attack in. Normally we are seeing single digits across the country. 2021 is going to be the same or worse for us than last year.”
Increased law enforcement scrutiny of the crime in Texas might explain why a number of neighboring states are seeing a recent uptick in the number of chain gang attacks, said Elaine Dodd, executive vice president of the fraud division for the Oklahoma Bankers Association.
“We have a lot of it going on here now and they’re getting good at it,” Dodd said. “The numbers are surging. I think since Texas has focused law enforcement attention on this it’s spreading like fingers out from there.”
It’s not hard to see why physical attacks against ATMs are on the rise. In 2019, the average amount stolen in a traditional bank robbery was just $1,797, according to the FBI.
In contrast, robbing ATMs is way less risky and potentially far more rewarding for the perpetrators. That’s because bank ATMs can typically hold hundreds of thousands of dollars in cash.
Dodd said she hopes to see more involvement from federal investigators in fighting chain gang attacks, and that it would help if more of these attacks were prosecuted as bank robberies, which can carry stiff federal penalties. As it is, she said, most incidents are treated as property crimes and left to local investigators.
“We had a rash of three attacks recently and contacted the FBI, and were told, ‘We don’t work these,'” Dodd said. “The FBI looks at these attacks not as bank robbery, but just the theft of cash.”
In January, Texas lawmakers are introduced legislation that would make destroying an ATM a third degree felony offense. Such a change would mean chain gang members could be prosecuted with the same zeal Texas applies to people who steal someone’s livestock, a crime which is punishable by 2-10 years in prison and a fine of up to $10,000 (or both).
“The bottom line is, right now bank robbery is a felony and robbing an unattended ATM is not,” Santor said.
KrebsOnSecurity checked in with the European ATM Security Team (EAST), which maintains statistics about fraud of all kinds targeting ATM operators in Europe. EAST Executive Director Lachlan Gunn said overall physical attacks on ATMs in Europe have been a lot quieter since the pandemic started.
“Attacks fell right away during the lockdowns and have started to pick up a little as the restrictions are eased,” Gunn said. “So no major spike here, although [the United States is] further ahead when it comes to the easing of restrictions.”
Gunn said the most common physical attacks on European ATMs continue to involve explosives — such as gas tanks and solid explosives that are typically stolen from mining and construction sites.
“The biggest physical attack issue in Europe remains solid explosive attacks, due to the extensive collateral damage and the risk to life,” Gunn said.
The Texas Bankers Association report, available here (PDF), includes a number of recommended steps financial institutions can take to reduce the likelihood of being targeted by chain gangs.
Last week cybercriminals deployed ransomware to 1,500 organizations that provide IT security and technical support to many other companies. The attackers exploited a vulnerability in software from Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. Now it appears Kaseya’s customer service portal was left vulnerable until last week to a data-leaking security flaw that was first identified in the same software six years ago.
On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA).
According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.
Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site —portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.
As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.
Mandiant notified Kaseya after hearing about it from Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Friday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.
“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”
The official description of CVE-2015-2862 says a would-be attacker would need to be already authenticated to the server for the exploit to work. But Holden said that was not the case with the vulnerability on the Kaseya portal that he reported via Mandiant.
“This is worse because the CVE calls for an authenticated user,” Holden said. “This was not.”
Michael Sanders, executive vice president of account management at Kaseya, confirmed that the customer portal was taken offline Friday in response to a vulnerability report. Sanders said the portal had been retired in 2018 in favor of a more modern customer support and ticketing system, yet somehow the old site was still left available online.
“It was deprecated but left up,” Sanders said.
In a written statement shared with KrebsOnSecurity, Kaseya said that in 2015 CERT reported two vulnerabilities in its VSA product.
“We worked with CERT on responsible disclosure and released patches for VSA versions V7, R8, R9 and R9 along with the public disclosure (CVEs) and notifications to our customers. Portal.kaseya.net was not considered by our team to be part of the VSA shipping product and was not part of the VSA product patch in 2015. It has no access to customer endpoints and has been shut down – and will no longer be enabled or used by Kaseya.”
“At this time, there is no evidence this portal was involved in the VSA product security incident,” the statement continued. “We are continuing to do forensic analysis on the system and investigating what data is actually there.”
The REvil ransomware group said affected organizations could negotiate independently with them for a decryption key, or someone could pay $70 million worth of virtual currency to buy a key that works to decrypt all systems compromised in this attack.
But Sanders said every ransomware expert Kaseya consulted so far has advised against negotiating for one ransom to unlock all victims.
“The problem is that they don’t have our data, they have our customers’ data,” Sanders said. “We’ve been counseled not to do that by every ransomware negotiating company we’ve dealt with. They said with the amount of individual machines hacked and ransomwared, it would be very difficult for all of these systems to be remediated at once.”
In a video posted to Youtube on July 6, Kaseya CEO Fred Voccola said the ransomware attack had “limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached.”
“While each and every customer impacted is one too many, the impact of this highly sophisticated attack has proven to be, thankfully, greatly overstated,” Voccola said.
The zero-day vulnerability that led to Kaseya customers (and customers of those customers) getting ransomed was discovered and reported to Kaseya by Wietse Boonstra, a researcher with the Dutch Institute for Vulnerability Disclosure (DIVD).
In a July 4 blog post, DIVD’s Victor Gevers wrote that Kaseya was “very cooperative,” and “asked the right questions.”
“Also, partial patches were shared with us to validate their effectiveness,” Gevers wrote. “During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”
Still, Kaseya has yet to issue an official patch for the flaw Boonstra reported in April. Kaseya told customers on July 7 that it was working “through the night” to push out an update.
Gevers said the Kaseya vulnerability was discovered as part of a larger DIVD effort to look for serious flaws in a wide array of remote network management tools.
“We are focusing on these types of products because we spotted a trend where more and more of the products that are used to keep networks safe and secure are showing structural weaknesses,” he wrote.
Microsoft on Tuesday issued an emergency software update to quash a security bug that’s been dubbed “PrintNightmare,” a critical vulnerability in all supported versions of Windows that is actively being exploited. The fix comes a week ahead of Microsoft’s normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers.
At issue is CVE-2021-34527, which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target’s system. Microsoft says it has already detected active exploitation of the vulnerability.
Satnam Narang, staff research engineer at Tenable, said Microsoft’s patch warrants urgent attention because of the vulnerability’s ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.
“We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits,” Narang said. “PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers.”
In a blog post, Microsoft’s Security Response Center said it was delayed in developing fixes for the vulnerability in Windows Server 2016, Windows 10 version 1607, and Windows Server 2012. The fix also apparently includes a new feature that allows Windows administrators to implement stronger restrictions on the installation of printer software.
“Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” reads Microsoft’s support advisory. “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.”
Windows 10 users can check for the patch by opening Windows Update. Chances are, it will show what’s pictured in the screenshot below — that KB5004945 is available for download and install. A reboot will be required after installation.
Friendly reminder: It’s always a good idea to backup your data before applying security updates. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
This post will be updated if Windows users start reporting any issues in applying the patch.