Krebs on Security

Does Your Domain Have a Registry Lock?

January 24, 2020

If you’re running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site owners aren’t taking full advantage of the security tools available to protect their domains from being hijacked. Here’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.

On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider, a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and entrepreneur who has spent much of his career making life harder for cybercrooks and spammers. Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected their domain with a “registrar lock,” a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to another registrar with a fairly lame social engineering ruse — and without triggering any verification to the real owners of the domain.

Specifically, the thieves contacted OpenProvider via WhatsApp, said they were now the rightful owners of the domain, and shared a short screen grab video showing the registrar’s automated system blocking the domain transfer (see video below).

“The support agent helpfully tried to verify if what the [scammers] were saying was true, and said, ‘Let’s see if we can move e-hawk.net from here to check if that works’,” Dijkxhoorn said. “But a registrar should not act on instructions coming from a random email address or other account that is not even connected to the domain in question.”

Dijkxhoorn shared records obtained from OpenProvider showing that on Dec. 23, 2019, the e-hawk.net domain was transferred to a reseller account within OpenProvider. Just three days later, that reseller account moved e-hawk.net to another registrar — Public Domain Registry (PDR).

“Due to the previously silent move to another reseller account within OpenProvider, we were not notified by the registrar about any changes,” Dijkxhoorn said. “This fraudulent move was possible due to successful social engineering towards the OpenProvider support team. We have now learned that after the move to the other OpenProvider account, the fraudsters could silently remove the registrar lock and move the domain to PDR.”

REGISTRY LOCK

Dijkxhoorn said one security precaution his company had not taken with their domain prior to the fraudulent transfer was a “registry lock,” a more stringent, manual (and sometimes offline) process that effectively neutralizes any attempts by fraudsters to social engineer your domain registrar.

With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs. Other registries handle locks for specific top-level or country-code domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains), CNNIC for (for .cn) domains, and so on.

According to data provided by digital brand protection firm CSC, while domains created in the top three most registered top-level domains (.com, .jp and .cn) are eligible for registry locks, just 22 percent of domain names tracked in Forbes’ list of the World’s Largest Public Companies have secured registry locks.

Unfortunately, not all registrars support registry locks (a list of top-level domains that do allow registry locks is here, courtesy of CSC). But as we’ll see in a moment, there are other security precautions that can and do help if your domain somehow ends up getting hijacked.

Dijkxhoorn said his company first learned of the domain theft on Jan. 13, 2020, which was the date the fraudsters got around to changing the domain name system (DNS) settings for e-hawk.net. That alert was triggered by systems E-HAWK had previously built in-house that continually monitor their stable of domains for any DNS changes.

By the way, this continuous monitoring of one’s DNS settings is a powerful approach to help blunt attacks on your domains and DNS infrastructure. Anyone curious about why this might be a good approach should have a look at this deep-dive from 2019 on “DNSpionage,” the name given to the exploits of an Iranian group that has successfully stolen countless passwords and VPN credentials from major companies via DNS-based attacks. Continue reading →

Apple Addresses iPhone 11 Location Privacy Concern

January 22, 2020

25 Comments

Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month.

Beta versions of iOS 13.3.1 include a new setting that lets users disable the “Ultra Wideband” feature, a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature.

In December, KrebsOnSecurity pointed out the new iPhone 11 line queries the user’s location even when all applications and system services are individually set never to request this data.

Apple initially said the company did not see any privacy concerns and that the location tracking icon (a small, upward-facing arrow to the left of the battery icon) appears for system services that do not have a switch in the iPhone’s settings menu.

Apple later acknowledged the mysterious location requests were related to the inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices.

The company further explained that the location information indicator appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

Apple also stressed it doesn’t use the UWB feature to collect user location data, and that this location checking resided “entirely on the device.” Still, it’s nice that iPhone 11 users will now have a setting to disable the feature if they want.

Spotted by journalist Brandon Butch and published on Twitter last week, the new toggle switch to turn off UWB now exists in the “Networking & Wireless” settings in beta versions of iOS 13.3.1, under Locations Services > System Services. Beta versions are released early to developers to help iron out kinks in the software, and it’s not clear yet when 13.3.1 will be released to the general public.

DDoS Mitigation Firm Founder Admits to DDoS

January 20, 2020

48 Comments

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded to paying a DDoS-for-hire service to launch attacks against others.

Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.

Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded — BackConnect Security LLC — had developed the unusual habit of hijacking Internet address space it didn’t own in a bid to protect clients from attacks.

Preston’s guilty plea agreement (PDF) doesn’t specify who he admitted attacking, and refers to the target only as “Victim 1.” Preston declined to comment for this story.

But that 2016 story came on the heels of an exclusive about the hacking of vDOS — at the time the world’s most popular and powerful DDoS-for-hire service.

KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf.

Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a vDOS account that was active in attacking a large number of targets, including multiple assaults on networks belonging to the Free Software Foundation (FSF).

The 2016 story on BackConnect featured an interview with a former system administrator at FSF who said the nonprofit briefly considered working with BackConnect, and that the attacks started almost immediately after FSF told the company’s owners they would need to look elsewhere for DDoS protection.

Perhaps having fun at the expense of the FSF was something of a meme that the accused and his associates seized upon, but it’s interesting to note that the name of the FSF’s founder — Richard Stallman — was used as a nickname by the co-author of Mirai, a potent malware strain that was created for the purposes of enslaving Internet of Things (IoT) devices for large-scale DDoS attacks.

Ultimately, it was the Mirai co-author’s use of this nickname that contributed to him getting caught, arrested, and prosecuted for releasing Mirai and its source code (as well as for facilitating a record-setting DDoS against this Web site in 2016).

According to a statement from the U.S. Justice Department, the count to which he pleaded guilty is punishable by a maximum of 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from the offense. He is slated to be sentenced on May 7.

Patch Tuesday, January 2020 Edition

January 14, 2020

88 Comments

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly-used operating system that will no longer be supplied with security updates.

As first reported Monday by KrebsOnSecurity, Microsoft addressed a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 reported by the NSA that allows an attacker to spoof the digital signature tied to a specific piece of software. Such a weakness could be abused by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

An advisory (PDF) released today by the NSA says the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory continues. “The consequences of not patching the vulnerability are severe and widespread.”

Matthew Green, an associate professor in the computer science department at Johns Hopkins University, said the flaw involves an apparent implementation weakness in a component of recent Windows versions responsible for validating the legitimacy of authentication requests for a panoply of security functions in the operating system.

Green said attackers can use this weakness to impersonate everything from trusted Web sites to the source of software updates for Windows and other programs.

“Imagine if I wanted to pick the lock in your front door,” Green analogized. “It might be hard for me to come up with a key that will open your door, but what if I could tamper with or present both the key and the lock at the same time?”

Kenneth White, security principal at the software company MongoDB, equated the vulnerability to a phone call that gets routed to a party you didn’t intend to reach.

“You pick up the phone, dial a number and assume you’re talking to your bank or Microsoft or whomever, but the part of the software that confirms who you’re talking to is flawed,” White said. “That’s pretty bad, especially when your system is saying download this piece of software or patch automatically and it’s being done in the background.”

Both Green and White said it likely will be a matter of hours or days before security researchers and/or bad guys work out ways to exploit this bug, given the stakes involved. Indeed, already this evening KrebsOnSecurity has seen indications that people are teasing out such methods, which will likely be posted publicly online soon. Continue reading →

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

January 13, 2020

145 Comments

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.

Update 7:49 p.m. ET: Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. The company also said it does “not release production-ready updates ahead of regular Update Tuesday schedule. “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments,” Microsoft said in a written statement. “Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”

Continue reading →

Phishing for Apples, Bobbing for Links

January 13, 2020

37 Comments

Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures.

KrebsOnSecurity heard from a reader in South Africa who recently received a text message stating his lost iPhone X had been found. The message addressed him by name and said he could view the location of his wayward device by visiting the link https://maps-icloud[.]com — which is most definitely not a legitimate Apple or iCloud link and is one of countless spoofing Apple’s “Find My” service for locating lost Apple devices.

While maps-icloud[.]com is not a particularly convincing phishing domain, a review of the Russian server where that domain is hosted reveals a slew of far more persuasive links spoofing Apple’s brand. Almost all of these include encryption certificates (start with “https://) and begin with the subdomains “apple.” or “icloud.” followed by a domain name starting with “com-“.

Here are just a few examples (the phishing links in this post have been hobbled with brackets to keep them from being clickable):

apple.com-support[.]id
apple.com-findlocation[.]id
apple.com-sign[.]in
apple.com-isupport[.]in
icloud.com-site-log[.]in

Savvy readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first forward slash (/). The domain directly to the left of that first slash is the true destination; anything that precedes the second dot to the left of that first slash is a subdomain and should be ignored for the purposes of determining the true domain name.

For instance, in the case of the imaginary link below, example.com is the true destination, not apple.com:

https://www.apple.com.example.com/findmyphone/

Of course, any domain can be used as a redirect to any other domain. Case in point: Targets of the phishing domains above who are undecided on whether the link refers to a legitimate Apple site might seek to load the base domain into a Web browser (minus the customization in the remainder of the link after the first forward slash). To assuage such concerns, the phishers in this case will forward anyone visiting those base domains to Apple’s legitimate iCloud login page (icloud.com).

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Alleged Member of Neo-Nazi Swatting Group Charged

January 10, 2020

47 Comments

Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

In July 2019, KrebsOnSecurity published the story Neo-Nazi Swatters Target Dozens of Journalists, which detailed the activities of a loose-knit group of individuals who had targeted hundreds of individuals for swatting attacks, including federal judges, corporate executives and almost three-dozen journalists (myself included).

A portion of the Doxbin, as it existed in late 2019.

An FBI affidavit unsealed this week identifies one member of the group as John William Kirby Kelley. According to the affidavit, Kelley was instrumental in setting up and maintaining the Internet Relay Chat (IRC) channel called “Deadnet” that was used by he and other co-conspirators to plan, carry out and document their swatting attacks.

Prior to his recent expulsion on drug charges, Kelley was a student studying cybersecurity at Old Dominion University in Norfolk, Va. Interestingly, investigators allege it was Kelley’s decision to swat his own school in late November 2018 that got him caught. Using the handle “Carl,” Kelley allegedly explained to fellow Deadnet members he hoped the swatting would get him out of having to go to class.

The FBI says Kelley used virtual private networking (VPN) services to hide his true Internet location and various voice-over-IP (VoIP) services to conduct the swatting calls. In the ODU incident, investigators say Kelley told ODU police that someone was armed with an AR-15 rifle and had placed multiple pipe bombs within the campus buildings.

Later that day, Kelley allegedly called ODU police again but forgot to obscure his real phone number on campus, and quickly apologized for making an accidental phone call. When authorities determined that the voice on the second call matched that from the bomb threat earlier in the day, they visited and interviewed the young man.

Investigators say Kelley admitted to participating in swatting calls previously, and consented to a search of his dorm room, wherein they found two phones, a laptop and various electronic storage devices.

The affidavit says one of the thumb drives included multiple documents that logged statements made on the Deadnet IRC channel, which chronicled “countless examples of swatting activity over an extended period of time.” Those included videos Kelley allegedly recorded of his computer screen which showed live news footage of police responding to swatting attacks while he and other Deadnet members discussed the incidents in real-time on their IRC forum.

The FBI believes Kelley also was linked to a bomb threat in November 2018 at the predominantly African American Alfred Baptist Church in Old Town Alexandria, an incident that led to the church being evacuated during evening worship services while authorities swept the building for explosives.

The FBI affidavit was based in part on interviews with an unnamed co-conspirator, who told investigators that he and the others on Deadnet IRC are white supremacists and sympathetic to the neo-Nazi movement.

“The group’s neo-Nazi ideology is apparent in the racial tones throughout the conversation logs,” the affidavit reads. “Kelley and other co-conspirators are affiliated with or have expressed sympathy for Atomwafen Division,” an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017. Continue reading →

Lawmakers Prod FCC to Act on SIM Swapping

January 9, 2020

44 Comments

Crooks have stolen tens of millions of dollars and other valuable commodities from thousands of consumers via “SIM swapping,” a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring someone’s wireless service to a device they control. But the U.S. Federal Communications Commission (FCC), the entity responsible for overseeing wireless industry practices, has so far remained largely silent on the matter. Now, a cadre of lawmakers is demanding to know what, if anything, the agency might be doing to track and combat SIM swapping.

On Thursday, a half-dozen Democrats in the House and Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.

“Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” reads the letter, signed by Sens. Ron Wyden (OR), Sherrod Brown (OH) and Edward Markey (MA), and Reps. Ted Lieu (CA), Anna Eshoo (CA) and Yvette Clarke (NY).

SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Once in control of the stolen phone number, the attacker can then reset the password for any online account that allows password resets and/or two-factor verification requests via text messages or automated phone calls (i.e. most online services, including many of the mobile carrier Web sites).

From there, the scammers can pivot in a variety of directions, including: Plundering the victim’s financial accounts; hacking their identities on social media platforms; viewing the victim’s email and call history; and abusing that access to harass and scam their friends and family.

The lawmakers asked the FCC to divulge whether it tracks consumer complaints about fraudulent SIM swapping and number “port-outs,” which involve moving the victim’s phone number to another carrier. The legislators demanded to know whether the commission offers any guidance for consumers or carriers on this important issue, and if the FCC has initiated any investigations or taken enforcement actions against carriers that failed to secure customer accounts.

The letter also requires the FCC to respond as to whether there is anything in federal regulations that prevents mobile carriers from sharing with banks information about the most recent SIM swap date of a customer as a way to flag potentially suspicious login attempts — a method already used by financial institutions in other countries, including Australia, the United Kingdom and several nations in Africa.

“Some carriers, both in the U.S. and abroad, have adopted policies that better protect consumers from SIM swaps, such as allowing customers to add optional security protections to their account that prevent SIM swaps unless the customer visits a store and shows ID,” the letter continues. “Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late.”

The FCC did not immediately respond to requests for comment. Continue reading →

Tricky Phish Angles for Persistence, Not Passwords

January 7, 2020

59 Comments

Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.

Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.

Still, this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage. Also, the resulting compromise is quite persistent and sidesteps two-factor authentication, and it seems likely we will see this approach exploited more frequently in the future.

In early December, security experts at PhishLabs detailed a sophisticated phishing scheme targeting Office 365 users that used a malicious link which took people who clicked to an official Office 365 login page — login.microsoftonline.com. Anyone suspicious about the link would have seen nothing immediately amiss in their browser’s address bar, and could quite easily verify that the link indeed took them to Microsoft’s real login page:

This phishing link asks users to log in at Microsoft’s real Office 365 portal (login.microsoftonline.com).

Only by copying and pasting the link or by scrolling far to the right in the URL bar can we detect that something isn’t quite right:

Notice this section of the URL (obscured off-page and visible only by scrolling to the right quite a bit) attempts to grant a malicious app hosted at officesuited.com full access to read the victim’s email and files stored at Microsoft’s Office 365 service.

As we can see from the URL in the image directly above, the link tells Microsoft to forward the authorization token produced by a successful login to the domain officesuited[.]com. From there, the user will be presented with a prompt that says an app is requesting permissions to read your email, contacts, OneNote notebooks, access your files, read/write to your mailbox settings, sign you in, read your profile, and maintain access to that data.

Image: PhishLabs

According to PhishLabs, the app that generates this request was created using information apparently stolen from a legitimate organization. The domain hosting the malicious app pictured above — officemtr[.]com — is different from the one I saw in late December, but it was hosted at the same Internet address as officesuited[.]com and likely signed using the same legitimate company’s credentials.

PhishLabs says the attackers are exploiting a feature of Outlook known as “add-ins,” which are applications built by third-party developers that can be installed either from a file or URL from the Office store.

“By default, any user can apply add-ins to their outlook application,” wrote PhishLabs’ Michael Tyler. “Additionally, Microsoft allows Office 365 add-ins and apps to be installed via side loading without going through the Office Store, and thereby avoiding any review process.”

In an interview with KrebsOnSecurity, Tyler said he views this attack method more like malware than traditional phishing, which tries to trick someone into giving their password to the scammers.

“The difference here is instead of handing off credentials to someone, they are allowing an outside application to start interacting with their Office 365 environment directly,” he said.

Many readers at this point may be thinking that they would hesitate before approving such powerful permissions as those requested by this malicious application. But Tyler said this assumes the user somehow understands that there is a malicious third-party involved in the transaction.

“We can look at the reason phishing is still around, and it’s because people are making decisions they shouldn’t be making or shouldn’t be able to make,” he said. “Even employees who are trained on security are trained to make sure it’s a legitimate site before entering their credentials. Well, in this attack the site is legitimate, and at that point their guard is down. I look at this and think, would I be more likely to type my password into a box or more likely to click a button that says ‘okay’?” Continue reading →

The Hidden Cost of Ransomware: Wholesale Password Theft

January 6, 2020

40 Comments

Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

EERIE EMAILS

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VPCI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

“We were bitten with releasing evidence before hence we have stopped this even in our ransoms,” the anonymous person wrote. “If you want proof we have hacked T-Systems as well. You may confirm this with them. We havent [sic] seen any Media articles on this and as such you should be the first to report it, we are sure they are just keeping it under wraps.” Security news site Bleeping Computer reported on the T-Systems Ryuk ransomware attack on Dec. 3.

In our Dec. 4 interview, VCPI’s acting chief information security officer — Mark Schafer, CISO at Wisconsin-based SVA Consulting — confirmed that the company received a nearly identical message that same morning, and that the wording seemed “very similar” to the original extortion demand the company received.

However, Schafer assured me that VCPI had indeed rebuilt its email network following the intrusion and strictly used a third-party service to discuss remediation efforts and other sensitive topics. Continue reading →

Last »