Episode 29: October 03 2022
Vice Society sets a deadline for LA School District to pay ransom
- deadline was posted on web site maintained by Vice Society
- On Tor network
- Also confirmed they were responsible to three different journalists
- Amount of Ransome not disclosed.
- “The papers will be published by London time on Oct. 4, 2022, at 12 a.m.,” the webpage states.
- Midnight in London would translate to 4 p.m. Monday in Los Angeles.
- claim to have stolen 500 gigs of data
- District staff believes confidential information of employees was not stolen
- They are less certain about information related to students, which could include names, grades, course schedules, disciplinary records and disability status.
- School District and law enforcement haven’t attributed the attack
- CISA did put out a warning to educations about the group.
- School Superintendent did acknowledge the attack came from a group that is familiar to law enforcement and known to attack school systems.
- School District not negotiating
- “What I can tell you is that the demand — any demand — would be absurd,” Supt. Alberto Carvalho said. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”
- Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
- Happened on Sept 3rd
- Labor Day
- Holiday’s often when hackers target.
- Once detected by district staff all systems were shut down.
- Everything was back online by the scheduled Tuesday return date.
- 600,000 users had to reset passwords and systems were gradually screened for breaches and restored
- Left Trip Wires in system
- Possible to damage more systems or data or access when accidentally tripped.
- Hackers this year have attacked at least 27 U.S. school districts and 28 colleges
- 36 of those organizations had data stolen and released online
- at least two districts and one college paid the attackers
- Typical Extortion
- Pay or Release
SolarMarker Makers uses spamdexing to target tax consulting organization
- Group behind “SolarMarker” found targeting a global tax consulting company
- Company has a presence in US, Canada, UK and Europe
- Using fake “Chrome browser updates”
- multistage malware attacking browsers
- exfil autofill data
- exfil saved passwords
- exfil saved credit card info
- First seen in 2020
- .Net malware
- Powershell installer
- Detected exploiting WordPress sites
- Medical manufacturers website
- End User on Tax consulting agency
- Searched for manufacturer by name on Google
- Disguised as a Chrome update.
- But is based upon victim, could be Firefox or Edge
- Tricked them into download and running SolarMarker
- Group is known for using SEO techniques to raise their malware pages up in ranking
BEC Attacks on the Rise
- Research on ransomware all over the place
- Some reports higher
- Some reports lower
- Undisputed champion
- Business Email Compromise
- according to Arctic Wolf’s “1H 2022 Incident Response Insights
- More than doubled in April, May and June
- 17% to 34%
- Abnormal Security
- Reports of BEC attacker per mailbox up 84% this year
- Crypto fluctuations
- Easier to get away with
- 2021, BEC attacks accounted for 35%, or $2.4 billion, of the $6.9 billion in potential losses tracked by the FBI’s Internet Crime Complaint Center (IC3)
- Network segmentation
- Data segmentation
- Security awareness
Former IT Administrator Criples Company
- Casey K. Umetsu, Sr
- Age 40
- IT Professional with company for 2 years
- Administering Network, Helpdesk like stuff
- Hawaii-Based Financial Company
- Contract Terminated
- Pled Guilty
- accessed his former employer’s website and made configuration changes to redirect web and email traffic to external site
- Crippled the company
- Used his own credentials
- Then locked out the IT department from fixing changes
- End Game
- All to be hired back at a higher salary
- Backfired when the FBI investigated
- January 19, 2023 sentencing
- maximum of 10 years of prison time
- fine of up to $250,000.
LinkedIN CISO Struggles
- Krebs on Security Blog Reports
- Creation of a number of fake CISO accounts.
- No attribution yet
- Big Companies
- These are made to appear to be CISO at major 500 companies
- Even search results will bring up the fake accounts, near the real ones
- Some are well crafter, some rushed and some copy pieces from other CISOs
- Cybercrime Magazine’s CISO 500
- Fell for the fake CISO
- Listing one as a person on the listing
- Thinks its North Korean hackers trying to get jobs at crypto companies
- Battling the fakes
- In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam