Hackers may have bitten off too much
Discussion
Hackers are said to have taken hold of data from Johnson Controls but it turns out that Johnsons are involved with systems for state and federal buildings.
I wouldn't like to be on either side of this - or stuck in the middle!!
https://www.bitdefender.com/blog/hotforsecurity/ra...
Pistom said:
I'm amazed they've got themselves into this pickle, and am interested to see how it plays out, but furthermore how it will impact the business going forward.
I wonder if the hackers realised what they were getting into?
They (ransomware attacks) are much more complex than they first appear.
Simplistically, it should be possible to go back to a backup made before the attack.
I realise there won't be a single backup, in a single location as it is a global distributed business - but, theoretically possible.
The problem is that the ransomware usually runs in two phases.
First it exports data which is stored on the intruder's system.
Second it lies dormant, possibly for months, and then performs the encryption - it is only at that point that the target knows they have been hacked.
So again simplistically, it is very difficult to wind back to a point where both the data is not encrypted, and also the dormant encryption agents aren't also restored.
Payday #1 is asking for cash to decrypt the data.
Payday #2 is leaking the data captured on day 1, before the encryption.
Payday 2 can also be using the captured data to compromise other systems.
It can actually be quite easy to compromise some systems. People are usually the weakness.
As to whether the hackers will be worried about being detected - no, not at all. Pretty well untraceable - and quite possibly located in Russia, which isn't going to help anyone.
25TB of data is a whopping amount of data.
It's taken 8 days for me to transfer 5TB of data across a gigabyte switch from one NAS to another.
So unless they had 40 days of unfettered access and then as many days to encrypt the data at the source without anyone noticing, then I would question the validity.
It's like the plot in Goldfinger. He wasn't out to steal the gold, just make it unusable.
Hacking is about being believed. Tell a whopper that certain people in the know don't believe, then your credibility as a hacker plummets and so do your demands.
Greenmantle said:
25TB of data is a whopping amount of data.
It's taken 8 days for me to transfer 5TB of data across a gigabyte switch from one NAS to another.
So unless they had 40 days of unfettered access and then as many days to encrypt the data at the source without anyone noticing, then I would question the validity.
It's like the plot in Goldfinger. He wasn't out to steal the gold, just make it unusable.
Hacking is about being believed. Tell a whopper that certain people in the know don't believe, then your credibility as a hacker plummets and so do your demands.
I'd get the IT guy in.
As far as I am aware, at least some of the issue was a compromise of VMware servers. You can take down entire (virtual) servers in a single command. Once it is down, you can encrypt in the background. Servers can be down, the company knows about it, but the attack is still happening in the background.
There is a trick to moving large amounts of data - as already mentioned, it may have already been off-site in the way of backups.
It is better to copy data slowly over a large time span as this might not trigger intrusion detection software.
Smaller scale, but I get traffic graphs from some of my sites and can spot outgoing traffic pegged at maximum bandwidth. Usually a simple email issue, but I can react to that and shut it down. If I was seeing a lower level for a longer time it is harder to spot.
Probably a large transfer just 'looks like' an off-site backup.
'Quality' hacks will probably vary that data rate so it doesn't trigger either.
It is possible to spoof IP addresses too, so it is far from simple to spot it going to the wrong place.
You can get compromised as easily as by sending someone inside the organisation a USB stick. Make it attractive to them to plug in (some reward, or something they are interested in) and you can have software that will then tunnel back out and give the hacker 'inside' access.
No ideas for a name said:
Smaller scale, but I get traffic graphs from some of my sites and can spot outgoing traffic pegged at maximum bandwidth. Usually a simple email issue, but I can react to that and shut it down.
I remember the one time I managed to trigger a response from the very expensive cybersecurity apparatus as implemented by a large multinational that sells this stuff to many other people. Query comes in - 'it looks like you uploaded XXXX gigabytes to somewhere external at this time & date'; not a surprise someone noticed something, it was a hefty transfer.
Never heard back again after pointing out it was a *download* of data (from a very trusted source) & the time it happened was a few hours out from when they asked about (I had full logs of what/when/where) - basically their monitoring setup was all sorts of fked and telling stories.
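The two points made above - a link pegged at maximum bandwidth is easy to spot on a traffic graph while a lower rate held for weeks is not, and a monitoring tool that confuses a download with an upload will cry wolf - can both be captured in a small outbound-volume detector. The following is an added example written for this thread, not code from any poster or from a vendor product. The flow records, host names, the 100 Mbit/s uplink figure, the thresholds and the "known backup destination" name backup.example.net are all constructed for the example; the only real-world constants are the TEST-NET documentation IP ranges used for the peers.

```python
from collections import defaultdict
from dataclasses import dataclass

LINK_BPS = 100_000_000          # assumed 100 Mbit/s uplink for the example
BURST_WINDOW_S = 60             # "pegged at maximum" is judged over one minute
BURST_FRACTION = 0.9            # >= 90 % of link capacity counts as pegged
SLOW_WINDOW_S = 7 * 24 * 3600   # low-and-slow is judged over a rolling week
SLOW_BYTES = 500_000_000_000    # 500 GB to one peer in a week is worth a look
KNOWN_BACKUP_DST = {"backup.example.net"}  # hypothetical off-site backup target


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    host: str        # internal host
    peer: str        # external peer
    direction: str   # "out" = host -> peer, "in" = peer -> host
    nbytes: int


def _max_window_bytes(recs, window_s):
    """Largest byte count in any (ts - window_s, ts] span; recs sorted by ts."""
    best = total = lo = 0
    for ts, nb in recs:
        total += nb
        while recs[lo][0] <= ts - window_s:   # drop records that fell out of the window
            total -= recs[lo][1]
            lo += 1
        best = max(best, total)
    return best


def detect(flows, link_bps=LINK_BPS):
    """Return sorted (host, peer, kind) alerts for outbound traffic only."""
    by_peer = defaultdict(list)
    for f in flows:
        if f.direction == "out":              # a download can never be exfiltration,
            by_peer[(f.host, f.peer)].append((f.ts, f.nbytes))   # whatever its size
    burst_limit = BURST_FRACTION * link_bps * BURST_WINDOW_S / 8  # bytes per window
    alerts = []
    for (host, peer), recs in by_peer.items():
        recs.sort()
        if _max_window_bytes(recs, BURST_WINDOW_S) >= burst_limit:
            alerts.append((host, peer, "burst"))
        if _max_window_bytes(recs, SLOW_WINDOW_S) >= SLOW_BYTES:
            # volume alone cannot separate exfiltration from an off-site backup,
            # so a known backup destination is reported for review rather than dropped
            kind = "low_and_slow_known_backup" if peer in KNOWN_BACKUP_DST else "low_and_slow"
            alerts.append((host, peer, kind))
    return sorted(alerts)


def sample_flows():
    """Constructed flow records for the example, not captured traffic."""
    t0 = 1_700_000_000
    flows = []
    # 1. pegged link: 12 flows of 60 MB within 55 s from a workstation
    for i in range(12):
        flows.append(Flow(t0 + 5 * i, "ws-17", "203.0.113.5", "out", 60_000_000))
    # 2. low-and-slow: 50 MB every minute for 8 days (~6.7 Mbit/s, invisible on a graph)
    for m in range(8 * 24 * 60):
        flows.append(Flow(t0 + 60 * m, "srv-db", "198.51.100.20", "out", 50_000_000))
    # 3. same profile, but to the known off-site backup target
    for m in range(7 * 24 * 60):
        flows.append(Flow(t0 + 60 * m, "srv-file", "backup.example.net", "out", 60_000_000))
    # 4. an 800 GB *download*: the case the monitoring in the thread misreported
    flows.append(Flow(t0 + 3600, "ws-04", "203.0.113.9", "in", 800_000_000_000))
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

The burst rule fires on the workstation (720 MB in a minute against a 675 MB ceiling), the weekly rule fires on the database server even though its per-minute rate never comes close to the link limit, the backup host is reported under a separate label rather than silently allowed, and the 800 GB download produces nothing because direction is checked before any byte is counted. An attacker who varies the rate, as a later post notes, still has to deliver the total volume, which is why the long window counts bytes rather than looking for a rate threshold.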
No ideas for a name said:
You can get compromised as easily as by sending someone inside the organisation a USB stick. Make it attractive to them to plug in (some reward, or something they are interested in) and you can have software that will then tunnel back out and give the hacker 'inside' access.
It doesn't even need to be / look like a USB memory stick these days. What can look to be a (working) USB charging cable can have a chip inside which can deliver malware, so leave a few in coffee shops, trade shows etc and people will pick them up or borrow them. The really clever ones don't show as a storage device either, so aren't always blocked by endpoint controls / restrictions.
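The last two posts make a concrete point about endpoint controls: a policy that only blocks removable storage does nothing about a "cable" that enumerates as a keyboard or a network adapter. As an added example, written for this thread and not taken from any poster or product, here is a storage-only policy beside a hardened one, both run over the same set of constructed USB device descriptors. The vendor/product IDs, device names and the allowlist are hypothetical; the USB class, subclass and protocol codes (HID 0x03, mass storage 0x08, CDC 0x02/0x0A, SCSI bulk-only 0x06/0x50, CDC Ethernet control model subclass 0x06) are the standard values.

```python
from dataclasses import dataclass

USB_CLASS_CDC_CONTROL = 0x02    # communications control (USB Ethernet / serial gadgets)
USB_CLASS_HID = 0x03            # human interface device (keyboards, mice)
USB_CLASS_MASS_STORAGE = 0x08   # the class a memory stick presents
USB_CLASS_CDC_DATA = 0x0A       # data half of a CDC gadget


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class Device:
    name: str
    vid: int
    pid: int
    interfaces: tuple   # tuple of Interface; empty for a power-only device

# Hypothetical allowlist of issued input devices, keyed by (VID, PID).
ALLOWED_HID = {(0x1234, 0x0001)}


def storage_only_policy(dev):
    """The common control: refuse removable storage, allow everything else."""
    for itf in dev.interfaces:
        if itf.cls == USB_CLASS_MASS_STORAGE:
            return ("block", "mass-storage interface")
    return ("allow", "no storage interface")


def hardened_policy(dev):
    """Also refuse input and network interfaces unless the device is on the allowlist."""
    if not dev.interfaces:
        return ("allow", "power-only device exposes no interfaces")
    for itf in dev.interfaces:
        if itf.cls == USB_CLASS_MASS_STORAGE:
            return ("block", "mass-storage interface")
        if itf.cls == USB_CLASS_HID and (dev.vid, dev.pid) not in ALLOWED_HID:
            # any unlisted HID is refused: a 'charging cable' that types is a keyboard
            return ("block", "HID interface on an unlisted device")
        if itf.cls in (USB_CLASS_CDC_CONTROL, USB_CLASS_CDC_DATA):
            # a rogue network interface can route traffic out past the host firewall
            return ("block", "network/serial gadget interface")
    return ("allow", "interfaces match an allowed profile")


def sample_devices():
    """Constructed descriptors for the example, not read from real hardware."""
    storage = Interface(USB_CLASS_MASS_STORAGE, 0x06, 0x50)   # SCSI transparent, bulk-only
    keyboard = Interface(USB_CLASS_HID, 0x01, 0x01)           # boot-protocol keyboard
    cdc_ctrl = Interface(USB_CLASS_CDC_CONTROL, 0x06, 0x00)   # Ethernet networking control model
    cdc_data = Interface(USB_CLASS_CDC_DATA, 0x00, 0x00)
    return [
        Device("usb stick", 0x5678, 0x0002, (storage,)),
        Device("cable with hidden keyboard", 0x5678, 0x0003, (keyboard,)),
        Device("issued keyboard", 0x1234, 0x0001, (keyboard,)),
        Device("power-only charger", 0x0000, 0x0000, ()),
        Device("cable that is also a NIC", 0x5678, 0x0004, (cdc_ctrl, cdc_data)),
    ]


def evaluate_all(policy, devices=None):
    """Apply one policy to every device; returns [(name, decision), ...]."""
    return [(d.name, policy(d)[0]) for d in (devices or sample_devices())]


if __name__ == "__main__":
    for name, dec in evaluate_all(storage_only_policy):
        print(f"storage-only  {dec:5}  {name}")
    for name, dec in evaluate_all(hardened_policy):
        print(f"hardened      {dec:5}  {name}")
```

The storage-only policy stops the memory stick and nothing else: the keyboard-in-a-cable and the cable-that-is-a-NIC both pass. The hardened policy refuses both while still admitting the issued keyboard and a genuine power-only charger. Matching on VID/PID alone is itself defeatable, since a malicious cable can present whatever identifiers it likes; host tools such as USBGuard therefore also pin the serial number and a hash of the descriptors when building the allowlist, and the first time a new device is seen is the moment to decide, not after it has already typed.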