
Student who installed pirated software rigged with Ryuk ransomware crippled a Covid-19 research facility for 10 days

38 minutes ago, captain_to_fire said:

That doesn't excuse them for having shitty security practices just because many are doing it

And what is actually bad about it? We have people accessing our RDS published applications from all countries over the world, from corporate-owned computers to personally owned devices; this really is not the issue at all. This is what is called a red herring; it's simply not the security risk you think it is.

 

The issue is simply down to the lack of MFA on the account which would have 100% prevented this from happening. Really is as simple as that.

 

38 minutes ago, captain_to_fire said:

That would be applicable if you're not a Covid-19 research facility. Remember that they've lost 10 days worth of work, that would translate to several man-hours. Just imagine if a hospital didn't have backups and got hit by ransomware.

No, it's still applicable to that; we're literally doing COVID research here too, and I can tell you right now not everything is backed up, or needs to be, or could be with the available funding. If you spend all your funding on mitigating every risk possible you'll have nothing to actually do the research with.

 

Let me ask you a question. If you bought a car for $5000 and it was going to cost $5000/month to insure that car, is it fiscally responsible to pay that monthly cost, or to evaluate the risk and self-insure by setting aside $5000 to replace the car should something happen?

 

Not EVERYTHING actually needs to be backed up. Not ALL data is the same.


46 minutes ago, Arika S said:

Right. I'm old. Back when I was in school, no one was allowed to bring laptops or anything to school; phones had to be kept in lockers. We had textbooks and the only PCs were in the library and the IT lab.

I'm older. Nobody had laptops or phones and you had to lug 30 lbs of books home daily.

 

The point: in the last 10 years, phones and tablets have replaced that 30 lb bag of books, and an internet connection has replaced libraries.
 

It is entirely possible for stupid things to happen because not everyone grew up with the same tech, and one person's shortcut is another's policy.


10 hours ago, captain_to_fire said:

That doesn't excuse them for having shitty security practices just because many are doing it. Also, since when should a measly student have such high clearance and stupidly install a pirated program rigged with god knows what that eventually spread laterally to the entire network? And considering that Ryuk ransomware isn't something new, did none of their systems have endpoint agents to protect them, or did their IT allow so many ports open?

 

That would be applicable if you're not a Covid-19 research facility. Remember that they've lost 10 days worth of work, that would translate to several man-hours. Just imagine if a hospital didn't have backups and got hit by ransomware.

He didn't have a super high clearance, but you don't need that to attack a company; please read the full article. The institute offers a remote login capability and allows the use of personal devices to do this (without two-factor authentication). What he did was install the pirated software on his own laptop. Of course he can do this, it's his own device. The malware that came with the pirated software then took the credentials that he used for the login to the institute.

 

Those login credentials were apparently then used by someone unknown to log into the institute's system from somewhere else. At this point nothing within the institute was infected and the student was no longer part of the attack chain. The real attacker was then inside the institute's system, free to sniff out any further vulnerabilities of the environment, and actually installed the malware on the institute's system.

So the student himself did not install the malware on any of the institute's systems at all. This demonstrates why BYOD is so problematic these days. Those devices are simply not secure, and using them without any additional security layer, and especially without two-factor authentication to access the network, is just plain stupid.


On 5/7/2021 at 12:46 AM, captain_to_fire said:

The thing I'm curious is how can a measly student have such high clearance and stupidly use a cracked program rigged with ransomware.

Because management frequently overrides IT recommendations and security protocols when it comes to their new flavor of the week shining star employee.

Go on, ask me how I fucking know this...


31 minutes ago, Radium_Angel said:

Because management frequently overrides IT recommendations and security protocols when it comes to their new flavor of the week shining star employee.

Go on, ask me how I fucking know this...

That's definitely a thing, though I haven't personally seen this outside of educational facilities.

 

Like every place I've worked at either:

- Everyone's devices were locked down so that you couldn't install software on them, thus negating most security risks from running unauthorized programs, but doing nothing about social engineering

or

- The version of the OS was so poorly maintained that nothing could prevent it (such as a college computer lab filled with W95.CIH viruses on Win95 machines and piracy FTP servers running in the background). The modern-day equivalent would be bitcoin miners on every PC.

 

That college had a Windows NT 4 lab and a Windows 95 lab, and can you guess which lab was not productive? I hated using the 95 lab because the AV software was never updated, and when I happened to update it, it made the machine unusable because the OS was utterly hosed already.

 

Like the real problem is letting "management" have access to things they do not need. Like I can name one thing right now that is suffering from this. OneDrive for Enterprise. If I know what I'm looking for, I can see pretty much everything anyone has ever put on it with "sharing" privacy. I won't even get into how much of every business I've ever worked at I could see just by using the "find" tool in Windows. Just because I can't write to it, doesn't mean I can't read it, print it, take a photo of it with a cameraphone, etc. I have no reason to go looking for things, but imagine if someone did?

 

It runs into a catch-22 situation where you don't know what you need access to until you need access to it, and you have to wait to get access to things. If someone leaves the company, their documents are forever unobtanium unless someone had access to it that didn't need access to it.

 


Why does everything need to be connected to the internet?

And connected to all of the internet?

I block AFRINIC, APNIC, LACNIC and RIPE right at the router, both inbound and outbound. Everything still works that I need to do.


On 5/6/2021 at 9:41 PM, Arika S said:

Every workplace and school i've ever seen, software can only be installed by the IT department or administrators.

My work's policy is I can install whatever I want on my Mac; if I wanted I could even remove their admin account.

 

On 5/7/2021 at 8:25 AM, leadeater said:

Not at all uncommon. Was only a couple of years ago Post-Grad students doing institute research projects had staff accounts, they sign an employment agreement like anyone else does. These are adults we are talking about that are not any different to any other person they just happen to be undertaking higher education courses and research

I'm an undergrad and I've got a "staff" account at my internship


On 5/6/2021 at 10:06 PM, Kisai said:

There is no reason to crack software that you can purchase. If you have to resort to it, it's likely because of some limitation preventing the activation to work (such as no internet access, optical disk failure, DRM OS incompatibility), and I've never run into this in a context where it was necessary for commercial software, always games have broken drm.

 

 

Nah, data visualization software can have DRM too. And can be very annoying bc sometimes the software is locked to one computer or the manufacturer of an instrument doesn't support it anymore 

 


I suggest you first test it on a virtual machine and examine its behaviour.


2 hours ago, StDragon said:

I suggest people don't download keygens and warez from dubious sources.

Especially for a corporate environment?

 

Like seriously - if you wanna mess with Keygens and warez at home, on your own computer, for your own personal private things? That's your business.

 

But you doing that on a corporate VPN or RDP connection? Most places will (rightfully so) fire your ass for it, even if the software turns out to be safe. You could even be charged with a crime or sued under civil court, depending on the circumstances.


4 hours ago, dalekphalm said:

Especially for a corporate environment?

 

Like seriously - if you wanna mess with Keygens and warez at home, on your own computer, for your own personal private things? That's your business.

 

But you doing that on a corporate VPN or RDP connection? Most places will (rightfully so) fire your ass for it, even if the software turns out to be safe. You could even be charged with a crime or sued under civil court, depending on the circumstances.

But he didn't do it on the corporate environment. He did it on his own PC. Unfortunately he also was allowed to use this PC to remotely connect to the institute. Because he did this the malware was able to steal his credentials and use said credentials to log into the network from a completely different system and then infect it.

 

Nothing he did infected the institute's systems; the only thing that he was responsible for was that his credentials were stolen. Yes that is bad, and no he shouldn't have used cracked software, but not using two-factor authentication for remote connecting into a commercial network, that's just plain stupid. Especially in a setting where you have students logging in.


1 hour ago, XWAUForceflow said:

But he didn't do it on the corporate environment. He did it on his own PC.

This

1 hour ago, XWAUForceflow said:

Unfortunately he also was allowed to use this PC to remotely connect to the institute.

And this, are contradictory statements. His personal PC had remote access to the company. Therefore he did it "on the corporate environment". It's no different from him bringing an infected USB drive to the office and plugging it into an office PC, or installing the compromised software itself directly onto an office PC.

1 hour ago, XWAUForceflow said:

Because he did this the malware was able to steal his credentials and use said credentials to log into the network from a completely different system and then infect it.

Exactly my point.

1 hour ago, XWAUForceflow said:

Nothing he did infected the institutes systems,

Incorrect. He installed questionable software onto a PC that had remote access to the company networks. His actions literally directly resulted in the systems being infected.

1 hour ago, XWAUForceflow said:

the only thing that he was responsible for was that his credentials were stolen. Yes that is bad, and no he shouldn't have used cracked software, but not using two-factor authentication for remote connecting into a commercial network, that's just plain stupid. Especially in a setting where you have students logging in.

Of course there's definitely some blame on the side of the company for allowing this situation to even be a thing. But you cannot absolve the student of his part in it either. He directly resulted in the compromised network.

 

Even if there was 2FA, how would that prevent infection the moment he simply connected when doing legitimate work? At best, 2FA would have slowed this down, not stopped it (granted, it depends on the specific malware and how it's programmed, but typically speaking once you initiate a connection, everything you have access to is fair game).


12 hours ago, dalekphalm said:

And this, are contradictory statements. His personal PC had remote access to the company. Therefore he did it "on the corporate environment". It's no different from him bringing an infected USB drive to the office and plugging it into an office PC, or installing the compromised software itself directly onto an office PC.

No he didn't, he did it on his personal PC. If the institute expects him to use his own PC for work then that is on them.

BYOD means the company must secure against attacks, not you as a user. It's your PC, you can do what you want and you cannot be expected to keep it secure. That simply is way beyond the capabilities of the average Joe. Yes using cracked software was really stupid, but this really shouldn't be the focus of this story. He could have just as easily been infected by a drive-by-download or a phishing mail, or any other means of attack.

 

The company's IT department is responsible for keeping the infrastructure safe. Not the normal user. You can make them aware of risks and you can mitigate risks by training them, but it's not their responsibility. And as soon as you allow BYOD you simply must accept that those devices are not safe and always treat them as compromised.


2 hours ago, XWAUForceflow said:

BYOD means the company must secure against attacks, not you as a user. It's your PC, you can do what you want and you cannot be expected to keep it secure.

Well you can, it's called Security Posture Assessment which does require a client application on the device but that is the corporate requirement to use remote applications and connect to the network. If you don't have an AV, it's not up to date, firewall is disabled etc etc then connection is denied.

 

There are things you can do in this area but it requires money, time and training to do it and you may not have one or all of these to do it. Such is life.

 

2 hours ago, XWAUForceflow said:

And as soon as you allow BYOD you simply must accept that those devices are not safe and always treat them as compromised.

On this and a similar point in your post not quoted, from what I gathered from the article and information there was no infection path from the BYOD device to the corporate network. Far as I could tell this was purely credential theft then remote access and deployment. Sounded to me like this person had multiple days to assess the network, know what AV was used, compile a variant of the crypto software that would not be in their AV signature and then deploy it.

 

This is a point I've seen in this topic: people complain and blame the IT department for not having AV, or similar types of comments; that wasn't the issue at all, or very unlikely. I highly doubt it. High value networks get targeted attacks; public variants of crypto software are not being used, the names you are hearing are the class of variant that was used, there is not a "single" one of these or they would only ever work once and thus not be an ongoing threat. The people doing these targeted attacks are not that basic and dumb; not all attackers are incompetent monkey-see-monkey-do people.


2 hours ago, leadeater said:

Well you can, it's called Security Posture Assessment which does require a client application on the device but that is the corporate requirement to use remote applications and connect to the network. If you don't have an AV, it's not up to date, firewall is disabled etc etc then connection is denied.

 

There are things you can do in this area but it requires money, time and training to do it and you may not have one or all of these to do it. Such is life.

 

On this and a similar point in your post not quoted, from what I gathered from the article and information there was no infection path from the BYOD device to the corporate network. Far as I could tell this was purely credential theft then remote access and deployment. Sounded to me like this person had multiple days to assess the network, know what AV was used, compile a variant of the crypto software that would not be in their AV signature and then deploy it.

 

This is a point I've seen in this topic: people complain and blame the IT department for not having AV, or similar types of comments; that wasn't the issue at all, or very unlikely. I highly doubt it. High value networks get targeted attacks; public variants of crypto software are not being used, the names you are hearing are the class of variant that was used, there is not a "single" one of these or they would only ever work once and thus not be an ongoing threat. The people doing these targeted attacks are not that basic and dumb; not all attackers are incompetent monkey-see-monkey-do people.

Absolutely, there are ways to secure the devices, but the responsibility for this lies mostly in the IT department's hands and not in the end-user's hands. Never ever rely on the end-user for your security; they are part of the chain for sure, but they are also the weakest link that has to be separated from the rest. You have to expect that part of the chain to fail and you need to make sure that this does not lead to a catastrophic failure.

 

Yeah, from what I gathered the attack didn't come from the originally infected system at all. It appears that the original malware owners didn't even do the final attack but only sold the credentials that they stole. Once that was used and the attackers were able to access the network it was over. For me it all boils down to the missing 2FA and the inability to verify the logins. Apparently the system was accessed from a Russian system (a Russian printer driver was installed automatically). This should have put up all kinds of red flags and blocked the account immediately.

 

Yes, the student did a stupid thing. But in my opinion the blame mostly falls to the IT security department here. They really dropped the ball on this one.

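Added example (not from this thread or the article it discusses): a minimal login-verification check of the kind the post above argues should have caught the stolen-credential logins, and which complements the posture-assessment point made earlier in the thread. It runs over constructed remote-access log lines; the log format, field names, user names, addresses and country codes are all assumptions made for this example.

```python
"""Flag remote logins that deviate from an account's established history.

A login is flagged when the account has a history and the login comes from
a country or device never seen for it, or when MFA was not completed.
Flagged logins are NOT added to the baseline, so a second login from the
same unexpected place is flagged again until someone verifies it.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (assumed format):
#   timestamp user source_ip country device mfa
SAMPLE_LOG = """\
2021-04-20T09:02:11Z student1 203.0.113.10 DE laptop-student1 yes
2021-04-21T08:55:40Z student1 203.0.113.10 DE laptop-student1 yes
2021-04-22T18:47:03Z student1 198.51.100.7 RU unknown-host no
2021-04-22T19:10:30Z staff2 192.0.2.44 DE ws-staff2 yes
"""


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    ip: str
    country: str
    device: str
    mfa: bool


def parse_log(text: str) -> list[Login]:
    """Parse whitespace-separated log lines into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, device, mfa = line.split()
        logins.append(Login(ts, user, ip, country, device, mfa == "yes"))
    return logins


def detect_anomalies(logins: list[Login]) -> list[tuple[str, str, list[str]]]:
    """Return (user, timestamp, reasons) for each suspicious login.

    The baseline for each account is built from the earlier, unflagged
    lines of the same log, so an account's first login never trips the
    new-country/new-device checks on its own.
    """
    countries = defaultdict(set)
    devices = defaultdict(set)
    alerts = []
    for login in logins:
        reasons = []
        if countries[login.user] and login.country not in countries[login.user]:
            reasons.append("new_country:" + login.country)
        if devices[login.user] and login.device not in devices[login.user]:
            reasons.append("new_device:" + login.device)
        if not login.mfa:
            reasons.append("no_mfa")
        if reasons:
            alerts.append((login.user, login.ts, reasons))
        else:
            countries[login.user].add(login.country)
            devices[login.user].add(login.device)
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"BLOCK candidate: {user} at {ts}: {', '.join(reasons)}")
```

Any line this returns is the point at which the account should be held until the login is verified; the same record would also be the trigger for a posture check on the connecting device.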

frickin kids

Ransomware isn't a joke; I live in the area affected by the gas pipeline ransomware and it's not fun. But in a pandemic? At a research facility? Jeez bro


On 5/13/2021 at 2:40 PM, StDragon said:

I suggest people don't download keygens and warez from dubious sources.

You can never be sure the source is trustworthy. Pirating is good.


1 hour ago, Rakanoth said:

You can never be sure the source is trustworthy. Pirating is good.

The proverb "there's no honor among thieves" is for a reason.
