From Security Weekly Wiki

Security Weekly News Episode #35 - May 19, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. News - DEFCON Safe Mode, Ransomware Gangs, & SpaceX to ISS - 02:00 PM-02:30 PM


This week, Dr. Doug returns to the studio to discuss how DEFCON is cancelled, many applications have security flaws, the Verizon security report for 2019, the FBI and DoJ want encryption backdoors, and space, the final frontier! The Master of Commentary, Jason Wood, joins us to talk about how a ransomware gang was arrested for spreading Locky to hospitals!


Doug White's Content:


  1. DEFCON has actually entered Safe Mode.
  2. Veracode found that 7 of 10 apps have security flaws.
  3. Square joins Twitter in telling employees they can stay home forever.
  4. Experts say that Apple and Google's contact tracing app will likely be useless.
  5. Verizon's 2019 report shows that money is the main hacker motivation.
  6. Compliance may be a way forward to reduce insider threats.
  7. Microsoft announces they will open source their COVID-19 threat intelligence.
  8. DoJ again complains about lack of backdoors in encryption and attacks Apple.
  9. Congress renews FISA warrantless surveillance bill.
  10. Elon Musk and SpaceX prepare to launch astronauts to the ISS.

Jason Wood's Content:


Ransomware Gang Arrested for Spreading Locky to Hospitals

This is always news that I like to see. Romanian law enforcement announced that they’ve arrested 4 individuals for, amongst other things, spreading ransomware at Romanian hospitals. The arrests were made in collaboration with Moldova’s law enforcement, as one of the individuals was in that country. The group was actually a newer organization and apparently began operating early this year. However, I’m sure they weren’t new to this type of activity. They just hadn’t been caught yet.

The group called themselves Pentagard and liked to compromise and deface websites using SQL injection. They also would send out emails containing the Locky ransomware and several remote access trojans to steal data. One of their mistakes was that they decided to operate in their own countries. So there was no need for law enforcement to request cooperation from law enforcement in countries that were unaffected by their attacks. Obviously the police in their own countries took some offense at their actions, in particular their plans to attack local hospitals. While hospitals are obviously under stress and may be more likely to fall to these types of attacks, it does get more government attention when someone heads down this path. More resources get thrown at it and then they get caught.

One thing that this story points out to me is that it’s relatively easy to start attacking organizations and obtain some level of success. However, the operational security is going to be much harder and if someone is new at this game, they are more likely to make mistakes. The press release from the Romanian police indicates that they had knowledge of the group’s future plans. Either someone started talking when they got picked up (very possible) or the police had some insights into their communications (also possible). Regardless, their opsec wasn’t good enough to prevent their identification.

The story also mentions that healthcare is generally under sustained attack during the coronavirus pandemic. From my own experience, that was the case before the pandemic, but the attacks certainly haven’t backed off at all. They appear to have ramped up, if anything.

In the past we would complain that no one really knew how organizations were getting breached and what techniques were being used. That is definitely no longer the case. We actually have quite a bit more insight into what attackers are doing, what they are after, and how they are going about it. The information isn’t perfect of course and there’s frequently a marketing angle applied to accessing this data. At the same time, we at least have the information available.

I would strongly recommend that we all take a look at these stories. This type of information can teach us what weaknesses are being attacked and we can look at our organization’s related defenses. If we find that things aren’t quite up to the task, then we can adjust. It’s far better to learn from the experiences of others than to find out on our own how an attacker just encrypted our SQL databases.