Posts

Showing posts with the label cryptoware

2021 Week 19 Security Roundup

Summary

The Colonial Pipeline hack dominated the news cycle this week. This is probably the largest infrastructure hack in the history of the world. It is probable that this event will be in the news for weeks to come.

News

Colonial Pipeline Ransomware Hack

This may end up being the largest infrastructure attack in U.S. history. From the various reports, it looks like the threat actor that launched the attack is Darkside. Darkside is a group thought to be Russian, as they avoid Russian companies and others in Russian-speaking former Eastern Bloc countries. They released a statement Monday saying that it was an affiliated group and vowing to rein in their partners in the future to avoid causing social and political strife. In the past, the Darkside group has held themselves up as social justice warriors taking down corrupt corporations and has been known to donate 10% of their ransoms to charities. While none have indi...

2021 Week 17-18 Security Roundup

Summary

Spent a week driving around the western US, then had to get caught up with work and school, so I didn't have the time or the ability to post an update. Here is what has happened over that time frame. For such a long time period there really is not too much actual news. In my scanning of sites, it appears that the focus has returned to financial sectors and work-from-home attacks. One of the things I have noted over the years is that these things tend to be cyclic, which could indicate that there is some dark web coordination that security practitioners are not yet privy to (though nation-state experts might be).

News

Washington D.C. police server hacked by Russian group

A Russian hacking group named Babuk posted screenshots that seek to prove that they have accessed several databases belonging to the Washington D.C. police department. The group left a text document on the network outlining how to pay the ransom to get locked files back and to bribe t...

Hospital pays despite having backups

I try never to second-guess an organization's decision when faced with a security or disaster challenge. That being said, I believe the less these bad actors get paid, the less likely they are to do ransom attacks.

Image from the Greenfield Reporter: http://www.greenfieldreporter.com/2018/01/16/01162018dr_hancock_health_pays_ransom/

Here is a story about a hospital that paid even with backups. The reason given is a valid concern for many organizations. If you get large enough, the backups can take days to complete. That is something that needs to be taken into consideration when creating a threat profile and response matrix. While they don't say how it happened, the SamSam that was used normally travels by RDP. Bleeping has a write-up on the issue here: https://www.bleepingcomputer.com/news/security/hospital-pays-55k-ransomware-demand-despite-having-backups/