Secure With Celerity Episode 20
DAVID TAYLOR [00:00:16] Hello and welcome to Secure with Celerity. I’m your host, David Taylor, and helping me digest the week’s top cyber security news we’ve got Joshua Read. How’s it going, Josh?
JOSHUA READ [00:00:24] Alright. How are you doing?
DAVID TAYLOR [00:00:27] Yeah. Not too bad. Right. Let’s kick off with the first headline we’re going to cover today. So that is the ransomware attack that has occurred on the French container shipping giant CMA-CGM, which led to a temporary closure of the company’s shipping website and applications. This isn’t the first shipping giant to be hit, and I’m sure it won’t be the last.
JOSHUA READ [00:00:48] Yes, this was on Tuesday, yes. Tuesday they came out and stated that the CMA-CGM group, excluding their logistics division, is currently dealing with a cyber attack impacting peripheral servers. At the time that they posted, the company’s shipping website remained inaccessible, returning a 504 Gateway Timeout, and the company’s subsidiaries, ANL and CNC, which I think are location-based subsidiaries, the Australian version of them and the Chinese version, along with the company’s IT applications, weren’t available, with the statement saying it was due to an internal IT infrastructure issue. Although I think ransomware qualifies as a bit more than an issue. Yes, they used Twitter, which I’m in two minds about for announcing cyber attacks and dealing with cyber attacks. It’s got good sides on both sides. But I’m seeing more and more companies using Twitter as their communication method to share that they’ve been involved in a cyber attack, to inform their customers and their stakeholders. It’s a good idea because... it’s good and bad really. You know, you’re being public about the progress and what’s happened since the fallout, but then obviously you’re advertising that your company has fallen victim to ransomware, which is only inviting other hacker groups to maybe come in and, you know, try their best efforts to take some money away from you with ransomware. Yeah, it’s good and bad at the same time. Now, the ransomware behind this attack was sourced to Ragnar Locker, which hit the energy giant EDP back in April. Interestingly, I had a look through some threat intelligence on some websites and, based on the samples that were submitted over the last while, the ransom note personally addresses the victim. So it says, you know, the ransom note usually follows: Hello, Victim. Hello, EDP, or Hello, CMA-CGM, if you’re reading this message, then your network was penetrated and all your files and data have been encrypted by Ragnar Locker.
Obviously they don’t speak good English because of the misspellings and missing words in it. What can you come to expect? I don’t think English was their first language when they typed up the ransom note. It’s aimed towards large infrastructure companies such as energy, shipping and so on and so forth. Usually the case with these is that they target critical infrastructure to cripple it, so it has more of an impact. I found samples online and, because the ransom note is addressed to the victim or the company name, I found samples that were submitted to any room that were addressed to Viji Cargo, Piercey Credit Union, EDP, Map Free, which have all been logged in the last two months. So it’s a very active ransomware and it’s very targeted, obviously, with the ransom note. It’s, you know, I mean, the gang contacted the French carrier via e-mail on Sunday with instructions to make contact within two days via live chat and pay for a “special decryption key”, in inverted commas. How much money are the gang demanding? Nobody’s really sharing how much. I think, moreover, it goes back to the conversation we had last week around the education sector being targeted. I think the maritime sector, the transportation sector, all those are equally targets. I mean, how many cyber attacks has Maersk had in the last couple of years? You know, whenever there’s a breach, you know, you can almost put money on it that it’s going to be from the education sector or, you know, the transportation and manufacturing sectors. I think, more interestingly, the maritime sector is becoming more and more connected with IoT devices. So it basically includes an enlargement of their presence online by having these IoT sensors. And, you know, many ships contain hundreds of different devices and systems; whether their operators know what each and every single system does, and whether it’s their job to do that, is a different story.
So really, I think the art of cyber attack in the maritime industry is going to evolve tenfold over the next couple of months.
DAVID TAYLOR [00:06:24] I mean, they are a huge multinational company. And you know that the whole business is shipping, so it’s like transporting goods. And if you haven’t got your systems, it’s going to affect things like tracking orders and where containers are. I think some of the mega ones have got thousands of containers on one ship. So the disruption that could be caused from hitting a transportation company like Maersk or CMA-CGM is going to be huge. And you’re hoping that that’s going to give them the urgency to be like, right, we’ve just got to pay, get this over as quick as possible.
JOSHUA READ [00:06:58] I mean, if you think about it, critical infrastructure is a broadly used term nowadays. I mean, you can, you know, brand ISPs and service providers as critical infrastructure now. If you went back 20 years ago, there was only really a handful of sectors which were critical infrastructure. Now it’s a much broader term, I suppose, because there’s so much reliance on these types of things. You know, Internet service providers, that sort of, you know, companies like what we’ve just spoken about, like VG Cargo, EDP, CMA-CGM. They’re all very, very critical companies because, although you probably wouldn’t think of them as critical companies or critical sectors, they’re the ones that are transporting medication, manufacturing goods, foods, everything. And, you know, without that, the country can’t perform as effectively, and that’s why I see it as a critical area, a critical sector. If a cyber attack was able to take down, you know, the systems they’ve not been able to get back online, like bookings for sort of freight, if it was a very sophisticated cyber attack and they wouldn’t be able to do it for several weeks, then the impact would be huge because it would be like a domino effect. So you might say that your supermarkets might not have any more food. There’ll be a food shortage or an overall shortage, and not because of COVID-19 but because the supply bringing the stuff to the country can’t bring stuff to the country, because they haven’t got the infrastructure to do it anymore.
DAVID TAYLOR [00:08:56] Well, I think, and again, you’ve seen it, you’ve seen ransomware attacks on big shipping companies and transportation. Unfortunately, it’s probably not going to be the last time we see it. So let’s move on to the next story, which is a Russian hacker who has been sentenced to seven years in prison. And this is the Russian hacker, I’m going to ruin his name, but Yevgeniy Alexander... Nikulin from Moscow, and he hacked the servers belonging to three American social media firms, LinkedIn, Dropbox and the now defunct Formspring. And he stole over 200 million user records. So quite a big deal. But it’s quite, I guess we were talking about this earlier, the strangest thing about this is like the sentences that they’re given, usually publicly disclosed, when hackers…
JOSHUA READ [00:09:51] It’s difficult. They don’t usually get a lot of limelight, they don’t. You know, if someone’s convicted of a cyber crime, nine times out of ten there isn’t really the media hunger to, you know, want that news. So media corporations see the benefit, but like we’ve seen over the last couple of months with the Twitter hack, those that were responsible for the Twitter hack, they’ve been quite open in the media about it and said, look, this is the person who did it. I think it’s dependent on what’s being hacked. A social media platform everyone uses. You know, social media is a part of everyone’s life at the moment. So if you look at unique companies that have been hacked, there isn’t as much interest in that. A unique company, unless it’s someone like Apple, Microsoft, Google, Twitter, you know, no offence to these companies, they are big companies, but there isn’t the media interest. I think they should be open with how long a prison sentence you get for, you know, doing the hacking, and it’s gone by the wayside. You know, you quite often don’t see how long someone gets in prison for hacking and defacing a website but, you know, if the government deem it worthy, they can arrest you and put you in prison. And that’s exactly what they’ve done with this Nikulin, because it’s on them. But, yeah. I mean, he was found guilty of hacking LinkedIn, Dropbox and Formspring. And I’d completely forgotten Formspring existed, and this was over eight years ago.
DAVID TAYLOR [00:11:37] Yeah. How long has it probably taken, you know, since he’s been arrested? Has it been long? Or is it just the..
JOSHUA READ [00:11:48] Because obviously it’s Russia and America, and basically it was basically Trump versus Putin. But, yeah, they’re basically, because he’s Russian, and he was secretly seeking extradition, seeking the so-called...
DAVID TAYLOR [00:12:07] Immunity..?
JOSHUA READ [00:12:08] He was basically hiding in Czechoslovakia. But then Interpol got hold of him and were expected to extradite him to the US. And then they ended up basically being in this, like, legal war with Russia to get him, to say basically we have the right to imprison him. Because, well, the Russians would probably bring him back to the country, slap on the wrist and, you know, send him off as well. Or he’d be sentenced to a lot in Siberia. You never know with the Russians.
DAVID TAYLOR [00:12:42] It actually made me sad because, you know, you go to the website Have I Been Pwned, and it’ll tell you whether you’ve had a data breach, whether your information’s been leaked in one. And one of the big major ones that I personally was in was the LinkedIn one. And that was, well, probably this guy, he’s the reason a lot of us have shown up on that.
JOSHUA READ [00:13:01] Yeah, definitely. I think, you know... Well, yeah, you know, how long it took to sentence him. Honestly, it’s been a really complicated sentencing because it was hard to extradite him to the US, and then hard to build a case. But then Russia got involved and said, right, you know, put him in prison in the US, and Russia basically said, yeah, go and put him in prison. And then they brought him to court. But then COVID-19 happened. So that delayed it even further. So it’s just been a really complicated and really distracting sentencing. I mean, going back eight years, basically between March and July 2012, Nikulin hacked the computers of LinkedIn, Dropbox and Formspring and installed malware on them, which then allowed him to remotely control them and download user databases. And there were 117 million LinkedIn users, more than 68 million Dropbox user account details, and personally identifiable information stolen over that time period. He was arrested in Prague back in 2016 by Interpol, who were working with the FBI. And then he went back to the United States in March 2018. And then the US and Russia got into that whole extradition war. And then he’s finally been put down for seven years. So, I mean, he was convicted of selling stolen usernames and passwords, installing malware on protected computers, conspiracy, computer intrusion, aggravated identity theft. So there’s quite a lot of charges being put up against him. I mean, there’s a lot, and there’s a lot in there that, you know, there’s a lot more to it than just, always, yeah, he’s committed computer intrusion and aggravated identity theft. There’ll be a lot more evidence and forensic information about it, which is probably why it’s also taken so long. A lot of times with these legal cases involving digital technologies, the forensic data that you have to provide to the court has to be squeaky clean.
Otherwise they can just write it off and say that’s been touched or, you know, fiddled with by the prosecutor. So it’s a very complicated and long, drawn-out process to build strong evidence for a case like this, but I think they’ve had long enough, especially when he was hiding in Czechoslovakia.
DAVID TAYLOR [00:15:47] We actually did an episode on Security Panel, which is around cyber security law, and we got a QC to come on and just talk about some of the cases he’s been involved in. So for anyone watching now, that’s interesting… go on the Security Panel page and you can watch that episode, which is there; it’s got loads of information and some really cool stories in there. So, yeah, let’s move on to the third story we’re going to be covering. So this was the alleged ransomware attack that disrupted medical care at UHS hospitals all across the US. So this was an apparent cyber attack that happened over the weekend. And this happened to disrupt the IT systems at the health care facilities in California, Florida, Texas, Arizona and Washington. And that happened on September 27th, which was Sunday. And once again, it’s happened before, it’s happening again. I mean, we talked about ransomware and the shipping containers. It just seems to be really ramping up, the whole ransomware attacks everywhere.
JOSHUA READ [00:16:45] Ransomware always seems to be... ransomware is just going to be the new norm now. WannaCry was the real catalyst for everything. And then everyone started basically engineering their own versions of it, and of the kind of crap they all came up with, one worked. I think with this one we want to pay attention to the fact this is in America, because, well, America is America. The health care systems are completely different to the UK, but the principle of a hospital remains the same in America; you have to pay money to go and see the doctor instead of getting it free on the NHS. But with this one, what I found most interesting was how it shut down the phone and IT infrastructure. Quite often it doesn’t have the ability to shut down the phone systems. It just has like one or the other. What was most impactful was the Reddit threads, which were basically a conversation between various staff members that were part of the UHS group, which is a group of hospitals, and they were saying, oh, yeah, I work in the psych department as a psychologist and what’s happening on my PC, it’s not working. And does anyone have any news? And it was basically just a long thread of people describing what happened. It was actually a goldmine from my perspective. Basically, it’s just stories, outside COVID, it was just full of information. There were a few things in there. I mean, one said: I was sitting at my computer chatting and then all of a sudden this started. It was surreal and definitely seemed to propagate over the network. All machines in my department were Dell Windows 10 boxes. When the attack happened, antivirus programs were disabled by the attack, hard drives just lit up with activity, after one minute all servers and computers were locked out and shut down. And when you try to power them back on, they automatically shut down again. So it is a bit different ransomware. It’s a bit odd.
I mean, I’ve got to take what he says at face value. It could be wrong. But quite usually ransomware doesn’t keep the machine powered down; it lets the machine power on, then encrypts the files and gives you instructions on how to decrypt them by paying Bitcoin or paying whatever digital currency you feel is necessary. So the fact that the ransomware stops the machine from powering on is quite interesting, especially in this scenario. It almost seems like it’s targeted because, well, even if the machine was powered on, they wouldn’t be able to run anything on it because all the file formats would’ve been encrypted to random formats. It won’t be able to be used. It’s, I think, more than that; I mean, it was the emergency care unit of the hospitals which was impacted. So it was even more specific. The attack occurred on Sunday morning, of all times as well, with everyone having been out on Saturday night, hopefully not because of COVID-19, but crowding hospital emergency care, and they had to shut down the emergency department because they couldn’t operate as an emergency department without phones and computers. I think with these, you actually have to take a step back and understand what is impacted as a result of a ransomware infection. It’s too easy just to look at it at face value and go, ooh, it’s a ransomware attack, they’ve had all their files encrypted. Yeah. So we have to look further afield and say, yeah, I’ve heard their files were encrypted, but what’s actually been encrypted? So the IT infrastructure has been encrypted and the phone network has been encrypted. I mean, databases containing patient records, that would have been encrypted and brought down. How many times do you go to a hospital and see someone on a phone talking to another ward or talking to the hospital? That goes down. That’s gone. They won’t be able to do that. It’d be pigeons and paper, back to the pigeons, like the dark ages.
It does remind me, and this was also said online, of the hospital attack in Germany a few years ago, which basically started as a network disruption which forced the hospital to deregister as an emergency care facility. And as a result, someone died because they were on the way to the hospital. But then they shut down and said, oh, we can’t take this person because we haven’t got the right infrastructure up to basically deal with this person. So they redirected her off to another hospital. And she died in transport to the hospital. So it really, really is impactful. Not many people will understand. I mean, not many people in the hospital will understand the full impact of that ransomware. It’s incalculable. You can’t look at something and go, right, yeah, that’s impacted that, that’s impacted that. On an internal network, if one server goes down, it could impact all the servers around it, especially if it’s a patch relay or AV or anything. If that one server goes down, it’s basically a link in a chain that has just snapped, and everything else, you know, doesn’t function as a chain anymore. And it’s very, very impactful. And it would be interesting to see if there are any developments on this one as to whether they catch the person, since it’s in the US. They will probably put it forward and make it very public about arresting the person.
DAVID TAYLOR [00:23:00] I mean, you mentioned before that COVID... it’s probably one of the worst times for the hospitals to be out of action.
JOSHUA READ [00:23:07] Yeah. I mean, I don’t know the situation over in America. Every time I turn on the TV, it does involve social distancing. And now Donald Trump’s got Coronavirus. I mean, it’s a completely different country. I think it’s a little bit different with the US because obviously they pay for health care. But it still remains the same. It’s actually probably more impactful in the US because people are paying for the healthcare. They expect a level of service if they’re paying for it. And they are real customers, whereas with us in the UK, we’re not really customers of the NHS. We’re just, you know, patients. We don’t pay anything per se unless it’s, you know, something that’s not covered by the NHS. In the US, if you go to see a doctor, you have to pay. And, you know, you break your leg, you have to pay. And that’s what the difference is. You know, that payment of money. So they expect a service. And that’s why I think this has got so much publicity, because, you know, that downtime is also costing them money.
DAVID TAYLOR [00:24:25] Definitely. Well, let’s crack on with our last story for the show. So this is the Joker malware, which has shown its head again, like quite a lot. And the malware is mainly being found in the Android markets and a few other ones; we’ve got the Google Play store and some other ones. But basically, it started in late 2016, I think, if I’m right. And then recently it’s been hitting the Android apps. And what it does is, once it’s installed, the Joker app secretly subscribes the users to pricey subscription services, and then it can steal SMS messages, contact lists and device information. So, yes, it’s shown its head again, and it’s not fun to get.
DAVID TAYLOR [00:25:13] Now, that’s basically the story. It has the ability to steal SMS messages, contact lists, device information. Last July, researchers said they found Joker lurking in 11 seemingly legitimate applications downloaded from the Play Store, which had been downloaded around 500,000 times. So, I mean, I’ve said this a million times. Both the smartphone app stores are a breeding ground for malware. There’s very little policing on it. It is so easy to upload. It’s so accessible by devices. If you get your keywords right, you can hit millions on that first search. You know, if you put COVID-19 in the title right now, when you upload an application that’s malware-based to Google Play, you can guarantee you’ll have 10,000 downloads within it if you make it look like it’s genuine. You can have a high number of downloads within the first couple of hours. I have a weird psychological difference when I’m dealing with mobile phone downloads compared with when I’m downloading from my PC. I’m very, very laborious with it; I will go through SD-Wan, you know, make sure it’s okay. That’s it. And when I’m on my mobile, there’s almost a sense of like, who cares? And it’s just like install, install. And quite often, you know, you’ll get an ad for a game and it looks all right. So I’m like, alright, I’ll download that. Then, you know, who knows what’s in it? I mean, hopefully Google Play will take it down as soon as they see anything, but it’s horrible. It’s a really, really rife problem on the Google Play store, even the iOS store. You know.
DAVID TAYLOR [00:27:10] It always used to, well, not always, but I feel like most stories we cover when it’s about, you know, malicious acts, it tends to be hidden in the Android market. Is there a reason? Do they have a different vetting process? Or is it more like the…
JOSHUA READ [00:27:27] Because it’s such an open platform. iOS, it’s a little bit more complicated because it’s owned by Apple, whereas Android, it’s sort of, you know, open source, and a lot of systems run on Android as well. There’s a lot more systems. But, yeah, it’s... I mean, if you think of the amount of information that is stored on your mobile device. Off the top of my head: phone numbers, a database of phone numbers, personal messages, passwords, payment details, they’re all stored on your phone, somewhere in the files within the applications. If you can get an app onto Google Play which basically just sniffs what you’re typing, a keylogger, or it’s even a screen recorder and records your screen whilst you’re not aware of it, then you could have access to all of that. But then, because the Play Store is so accessible, if it’s downloaded 10,000 times, that’s 10,000 users’ phones, but then most, you know, how many contacts do you have on your phone? I have over a hundred. Then, you know, you’re looking at even more contacts than the 10,000 that downloaded the app, you’re looking at even more pictures, even more messages, even potentially even more payment details, if people have got more than one card saved to that device. It is really scary. And I think the state of mobile security is at a tipping point; I think security is playing catch-up to mobile. I think the mobile smartphone market has come on in leaps and bounds, literally, just phenomenally, every single year something brand new. The level of development is so agile, and the security of those devices has almost been left by the wayside, and everything’s left to catch up. So, I mean, my personal advice is just be really careful over the apps that you install in the first place. The good guiding principle I follow is to choose apps that serve a true purpose. And when possible, choose developers that are well-known entities.
So, you know, those that have lots of downloads or have a tick next to them. But yeah, and a good rule of thumb as well is just install Avast on your mobile. It’s free. You know, I personally use McAfee on my mobile. But those are the free ones: Malwarebytes, E-Safe, F-Secure. They’ll all serve the same purpose. Some will be more successful than others. My personal trust is McAfee just because I like McAfee products. But, you know, using a solution on your phone, you can be aware of anything that’s downloaded. It’s a completely different architecture to a PC. You know that they behave completely differently. They use different processes. They use different methods to download stuff. And a lot of times you don’t even know whether you’ve downloaded stuff. It depends how your device is set up. So I really would, you know, take this seriously and, you know, follow the steps that I’m giving you. It’s a worry, in that I think every single month there’s a report going out about how Google has saved the world because they’ve removed 500,000 apps from the Play Store; they shouldn’t be on the Play Store in the first place. You should go through and sandbox all the applications and make sure they aren’t malicious before you upload them to your platform. There’s a sense of responsibility that, you know, what can you do?
DAVID TAYLOR [00:31:34] Well, everyone’s had that advice; they should be aware of the apps that they download, especially on the Android app store, I would say. And so that’s unfortunately all we’ve got time for today, guys. Hope you enjoyed some of the stories. And we’ll catch you in a couple of weeks’ time for some more Secure with Celerity. We’ll see you then.