Cybersecurity Archives - TechInformed
https://techinformed.com/tag/cybersecuirty/
Mon, 02 Sep 2024 10:59:55 +0000

Going for the Jugular: Anatomy of an Attack (Part Two)
https://techinformed.com/anatomy-of-a-healthcare-attack-part-2-going-for-the-jugular/
Fri, 30 Aug 2024 09:08:52 +0000

Now that the red team has gained access (read Part 1 to find out how), it’s time for them to collect information and live off the land. One of their first calls was to identify email servers and misconfigured service accounts.

“From this, we’ve also managed to get into the accounts of the other users. We will also set up new accounts if we gain permissions which will allow us to move around the network,” explains Tomer Nahum, an MVR who is leading the red team of hackers during this Semperis-hosted tabletop.

Often configured and then forgotten, service accounts are used to manage and update servers. Because they are designed to perform automated tasks, and often come with elevated privileges, service accounts have become attractive targets for hackers looking to compromise networks and move around laterally.

The hackers are also starting to sniff around for financial information across the network. While it’s of lower priority than patient data in healthcare, it can still help hackers decide how much to ask for during ransom negotiations.

“For defence evasion, we’re trying to stay within the boundaries of normal activity — we don’t want to draw attention to ourselves, so, to do this, we need to understand what normal activity looks like,” adds Nahum.

Purple Knights (Semperis): the purple team map out containment strategies

For the purple team charged with leading the hospital’s defences, the goal is threat detection using custom rules that they’ve built. They use tools designed to examine user behaviour and have a network detection and response (NDR) system set up that feeds into a security information and event management (SIEM) tool. This allows IR to monitor anomalies in terms of traffic, file transfers, access controls and “anything that looks like it’s leaving the organisation but shouldn’t.”

Exfiltration vs containment

In terms of moving the data out of the network, the Red Raccoons decide to move the data laterally rather than vertically, through soft targets such as the university and research groups, as well as acquired companies with less well managed networks.

For good measure, they’ve also orchestrated a disinformation campaign online that has resulted in a physical protest outside one of the main hospital buildings, maximising chaos, to distract senior management.

Ransomware has also been scheduled to go off at certain points, encrypting documents that can only be released with a key.

Momdjian notes that one trick attackers have gone for recently is not going for full encryption but going for just part of a file: “just enough to damage it so you can’t use the whole file.”

On the other hand, he adds that if you detect a change in file size or any change to the file itself, your security systems should alert you.

The Purple Knights, meanwhile, have been refining their detection capabilities and noticing some of Red Raccoons’ tactics. Their IR is now focussed on containment: lockouts, isolation, and segmentation of the network and critical hosts.

The question is, will they pull the plug on all the connected devices, including connected beds and life-saving machines, that exist within the hospital’s IoT ecosystem?

“We’ve been isolating a lot of our IoT devices and bio-med devices just to make sure they are on a safe network – so if we get hit by a ransomware load, it would be contained within a certain segment,” explains Jeff Wichman, purple team lead and Semperis director of incident response.

“In the meantime, we will try and transition physically all beds that can be moved. And, of course, decisions must be made for critical patients,” he adds.

Ransom demands

The red team has an idea of the amount they want Sunshine Health to pay out. “They probably already know what their target is going to pay and what the cyber security insurance payout will likely be if policy documents have been kept anywhere on the network,” Momdjian adds.

Back to the hack, and the Raccoons are ramping up the pressure with threats of leaking information to the media if the Purple Knights don’t pay up.

“Little by little, we will leak data until it’s too much for them to take,” says one team member, a little too gleefully.

The Reds present their attack strategy

The purple team, meanwhile, have brought in several third parties to aid with containment and negotiations. “We’ve brought in the FBI as well as a Computer Security Incident Response Team (CSIRT),” Wichman reports. “Communications about the attack are also going on at a stakeholder level, and we’ve activated our disaster recovery plan.”

The team is hopeful that they will receive customised indicators of compromise (IOCs) from some of these partners that will help them to detect and prevent attacks, or limit the damage done by stopping attacks early.

From a recovery perspective, Wichman, a former ransomware negotiator at Palo Alto’s Unit 42 division, explains that the purple team is negotiating to stall: “That gives the third party time to investigate and time to understand the full scope and additional monitoring in place.”

He adds: “We’re also starting with a full reset of every account — which is very painful but better than building the Active Directory (AD) from scratch.”

Semperis’s 2024 Ransomware Risk Report reveals that only one-quarter of respondents maintain a dedicated AD backup system. Yet, Gartner notes that adding dedicated tools for backup and recovery of AD can accelerate and simplify recovery from cyberattacks.

The Knights added that they also aimed to compromise the attack infrastructure and encrypt all their files before the hackers could access them.

The IR team has decided that there will be no comment to the press while they are still investigating the attack. “That would be more of a stakeholder decision – it’s executives that should make those calls, which should be controlled by legal and PR,” says Wichman.

Cyber healthcare expert Marty Momdjian, who has been leading the exercise, adds that every healthcare system currently has its legal teams and third-party counsel on speed dial.

To pay or not to pay?

Momdjian says that the big question that always comes up is whether to pay the ransom.

“The straightforward answer is ‘No, never.’ But there are situations where firms have had to pay the ransom because it’s really the only way out. It’s lucrative for threat actors at the end of the day,” he admits.

According to Semperis’ latest ransomware risk report, around 66% of all healthcare companies end up paying the ransom, with 16% admitting that the payout was a matter of life and death.

While these figures seem high, healthcare is one of the sectors least likely to pay, with education paying up in 70% of cases, travel in 85% of cases, and finance in 80% of cases.

According to Wichman, each organisation has its own risk tolerance on whether it is willing or not willing to pay. “It comes down to a couple of factors of what data the attackers have; in a healthcare situation, someone’s life is on the line. The attackers know that and will use it to their advantage.”

Third-party support

Wichman advises using third-party services when entering negotiations with attackers. “I do not recommend any organisation communicate with an attacker directly,” he stresses.

He adds that the person shouldn’t be someone from the internal IR team, especially not someone who is solely focussed on IT. They tend to only look at things from the point of view of their own department and might not grasp the repercussions or the bigger picture.

“They also tend to be more emotionally involved in what should be conducted as a business transaction,” he says.

Jeff Wichman, former negotiator and head of incident response, Semperis

According to Wichman, it’s also becoming increasingly common for cyber insurers to become involved during the negotiation stage, although this can also complicate things.

The negotiator has had incidents in the past where he hasn’t been able to seek the required approval of a cyber insurer because the person responsible had clocked off for the weekend and wasn’t available until the Monday. “Hackers don’t work to that 9 to 5 timetable,” he warns.

Pizza advice

We wrap with takeout pizza — the incident response room’s meal of choice “because it allows you to keep one hand free to do something else,” Momdjian adds.

During a controlled environment like a tabletop, the whole team is together — but Momdjian warns that in the real world, this experience would be “far harder and more chaotic.”

“For healthcare, when there is an adversary in the network, decisions have to be made instantly, but they can’t be executed instantly because of the level of approval needed from clinicians,” he says.

According to Momdjian, during a real-life incident, there would be a different roster of people working rotating shifts, as it’s not possible for people to manage incidents like this effectively if they’ve been working around the clock for days on end.

One of TechInformed’s key takeaways was just how pervasive, successful, and lucrative the ‘business’ of ransomware is. According to Semperis’ 2024 risk report, 74% of respondents who were victimised by ransomware within the past 12 months were attacked multiple times, many in the span of a week.

In total, 78% of the targeted organisations surveyed paid the ransom, with 72% paying out multiple times.

This last stat suggests that paying attackers does not solve the larger problem. According to Semperis, more than a third of organisations that paid the ransom failed to receive decryption keys or were unable to recover their files.

So, while planning, contingency, and backup — as well as tabletops like this one — might not prevent hospitals from paying up in life-or-death situations, having the right tech and knowledge at their disposal certainly increases their bargaining power and limits their chances of subsequent attacks.

And kudos to the Purple Knights — the Red Raccoons really did have the easier job in this exercise. As Wichman says: “Detecting everything is the tough job — because all attackers need to do is find one hole.”

Investors sue Crowdstrike over global outage
https://techinformed.com/investors-sue-crowdstrike-over-global-outage/
Fri, 02 Aug 2024 09:32:36 +0000

Crowdstrike is being sued by its shareholders over the mass outage caused by a faulty software update from the cybersecurity firm.

The outage crashed more than eight million computers, causing chaos for flights, trains and businesses worldwide. The aftermath saw Crowdstrike’s share price drop by more than 32%, wiping more than $25 billion off the value of the company.

The outage was blamed on a faulty update in Crowdstrike’s EDR tool Falcon, running on Microsoft’s operating system, causing around 1% of all Windows computers to experience the so-called “blue screen of death”.

The lawsuit – filed in Austin, Texas by the Plymouth County Retirement Association in Massachusetts – claims Crowdstrike made “false and misleading” claims over its software testing, defrauding investors.

It asks the Texas Federal Court to grant an unspecified amount in damages to investors who owned shares in Crowdstrike between 29 November 2023 and 29 July.

CrowdStrike boss George Kurtz apologised to those affected and blamed a “software bug” but admitted it would take “some time” to fully fix the problems.

The lawsuit quotes statements from Kurtz during a conference call in March, in which he described the company’s software as “validated, tested and certified”.

Crowdstrike has claimed the suit “lacks merit” and said it plans to defend itself, but the cybersecurity firm could face further action from companies hit by the outage.

For example, the CEO of US airline Delta lashed out at Crowdstrike over the outage, claiming the meltdown cost the firm up to $500 million.

Ed Bastian told CNN: “They haven’t offered us anything. Free consulting advice to help us.”

He also criticised the vendor for its testing policy, adding: “If you’re going to have priority access to the Delta ecosystem in terms of technology, you’ve got to test this stuff.

“You can’t come into a mission critical 24/7 operation and tell us we have a bug. It doesn’t work.”

According to the report from CNN, Delta has hired the law firm of high-profile attorney David Boies to pursue compensation from Crowdstrike and Microsoft, though this has not been confirmed by the airline.

Following the outage, experts shared their key takeaways and advice to avoid future problems with TechInformed.

Olympic saboteurs target French fibre network
https://techinformed.com/olympic-saboteurs-target-french-fibre-network/
Thu, 01 Aug 2024 15:47:14 +0000

French telcos hit with fibre outage due to Olympics sabotage

Saboteurs have attacked long-distance fibre cables in an attempt to disrupt the Paris Olympics, according to France’s digital minister.

Marina Ferrari, France’s junior minister for digital affairs, said that in the early hours of Monday morning, multiple locations around France were affected by several “damages” that impacted telecoms providers. They resulted in “localised consequences” to fibre optic services and mobile connectivity.

Service providers in France have also confirmed the attacks. Netalis, an ISP aimed at corporate customers, said the sabotage had impacted its services, while Iliad-owned Free Pro warned it would cause a significant slowdown on the operator’s network.

“Last night, our telecommunications operators were affected by damage in several departments,” Ferrari said. “I condemn these cowardly and irresponsible acts.”

It is the second major sabotage incident to impact the 2024 Olympics, after vandals attacked France’s high-speed rail network on Friday prior to the Opening Ceremony.


Tesla recalls 1.8m vehicles over safety concerns

Another month, another mass recall for Tesla. The electric vehicle maker is recalling more than 1.8 million vehicles because of a hood issue that could increase the risk of a crash.

Elon Musk’s car-making giant is recalling some 2021-2024 Model 3, Model S, Model X, and 2020-2024 Model Y vehicles because the hood latch assembly may fail to detect an unlatched hood after it has been opened.

The issue means that the unlatched hood of the car can potentially open while the vehicle is in motion, with the risk of obstructing the driver’s view, increasing the potential for a crash.

It follows an announcement at the end of last year that Tesla would have to recall over two million vehicles due to a flaw with its autopilot software.

It also had to recall over 100,000 vehicles earlier this year due to a faulty seat belt warning system. Plus, its Cybertruck model faced a recall last month due to a problem with windscreen wipers — the fourth time the vehicle had been recalled.


EU grants unconditional approval to $14bn HPE/Juniper deal

EU regulators have rubber-stamped HPE’s $14 billion acquisition of Juniper Networks, bringing the merger a step closer to completion.

The European Commission announced this week that it has given unconditional approval to the agreement, leaving a pending investigation by the UK’s Competition and Markets Authority as one of the final regulatory hurdles.

The merger will put HPE Juniper directly in competition with networking market leader Cisco, which has dominated the sector since the mid-90s.

In the UK, the CMA’s initial review will determine whether the acquisition warrants a more in-depth investigation. A decision is expected by August 14.

If the deal is finalised, it could close by the end of 2024 or early 2025.


Uber agrees EV deal with China’s BYD

Uber has reached an agreement with BYD to add 100,000 of the China carmaker’s electric vehicles to its global fleet.

The deal means the ride-hailing firm’s drivers will be offered incentives to switch to BYD cars, such as discounts on maintenance, charging, and leasing.

The deal includes Uber’s operations in Europe and Latin America, which will see the initial rollout before the BYD cars are made available in the Middle East, Canada, Australia, and New Zealand.

Earlier this year, Uber announced a deal with BYD’s biggest rival, Tesla, to promote EV adoption among its drivers in the US. It also unveiled plans to develop a purpose-built EV with South Korean car giant Kia.

Crowdstrike crash course with Danny Jenkins, ThreatLocker
https://techinformed.com/crowdstrike-crash-course-with-danny-jenkins-threatscape/
Mon, 29 Jul 2024 22:52:52 +0000

In this episode of TI:TALKS, Ricki is joined by TechInformed’s deputy editor, Ann-Marie Corvin, to discuss the CrowdStrike Microsoft IT outage that affected systems running on Windows worldwide last week.

They explore the causes of the outage, the challenges faced in recovery, and the impact on businesses, and Ann-Marie covers some of her top takeaways from the ordeal; read her full article for more.

Joined by Danny Jenkins, the CEO and co-founder of Orlando-based cybersecurity firm ThreatLocker, the conversation also touches on the importance of endpoint security tools and the need for better testing and release processes.

Jenkins provides insights on how to restore trust in cybersecurity and offers advice for those affected by the outage. The conversation highlights the vulnerability of relying heavily on technology and the importance of proactive cybersecurity measures; definitely not one to miss!

Don’t miss the latest episodes of TI:TALKS, including an exclusive breakdown of the technology behind the scenes at the Paris 2024 Olympics with Bertrand Rojat, Orange’s CTO of events.

Google-Wiz $23bn deal collapses
https://techinformed.com/google-wiz-23bn-deal-collapses/
Thu, 25 Jul 2024 09:58:48 +0000

Google’s record $23 billion acquisition of Wiz has fallen apart, with the Israeli cybersecurity startup opting to pursue an initial public offering (IPO) instead.

Google’s parent company, Alphabet, was in advanced talks to acquire Wiz, valued at $12bn. The acquisition would have been Google’s largest to date, eclipsing its $600 million acquisition of DeepMind in 2014.

Founded in 2020, Wiz has quickly grown into a major player in the cybersecurity sector. It has attracted significant venture capital investments from major firms like Sequoia Capital and Thrive Capital.

The planned acquisition was significant not only because of its size but also because of its potential to change the competitive environment of cloud security.

Acquiring Wiz would have bolstered Google’s position against major competitors like Microsoft and Amazon Web Services in the cloud services market.

What led to the collapse of the Google-Wiz deal?

Once the negotiations became public, internal opposition grew stronger. Reports claim members of both companies’ boards had reservations about the deal.

Both Google and Wiz were wary of potential regulatory hurdles. The antitrust environment has become increasingly stringent, particularly for big tech acquisitions.

According to the Financial Times, a source close to the deal stated, “Lina Khan has killed another deal,” in reference to the chair of the Federal Trade Commission. Khan has garnered both praise and criticism for her actions since assuming the role.

In addition, Wiz’s leadership believed that pursuing an IPO would be more beneficial in the long term, a decision that reflects a strategic bet on the company’s future growth and valuation.

What are Wiz’s future plans?

Wiz has now set its sights on an initial public offering. CEO Assaf Rappaport said in a statement to employees, “While we are flattered by offers we have received, we have chosen to continue on our path to building Wiz…Our next milestones are $1bn in ARR and an IPO.”

Experts believe Wiz’s choice to reject Google’s offer and pursue an IPO is a bold move that underscores the confidence of its leadership and investors.

Neil Shah, head of tech and primary markets at the London Stock Exchange, said in a LinkedIn post, “The largest companies are built in public markets with evergreen capital. This is the mindset we need in Europe. The founders of Wiz are walking away from a billion-dollar payday and have put it back on the roulette table in the hope of a more rewarding outcome in the long term.”

John Idowu, cloud engineering lead at ATC Africa, said in a LinkedIn post, “Wiz is banking on its own future by going ahead with its IPO plans. But to have the audacity to walk away from $23bn cash is truly incredible from the 4-year-old startup.”

How will this impact Google and the cybersecurity industry?

Google’s cloud segment has been under pressure to compete with Microsoft and AWS.

With regulatory scrutiny tightening, Google might focus on smaller, more manageable acquisitions or invest heavily in internal development to enhance its competitive edge, experts said.

The decision highlights the potential for high-growth cybersecurity startups to achieve significant valuations independently, shaping the competitive landscape.

Wiz’s rapid growth trajectory suggests that it is well-positioned to continue expanding its market presence.

“The market validation we have experienced following this news only reinforces our goal — creating a platform that both security and development teams love,” said Rappaport.

Wiz claims a significant portion of Fortune 100 companies are among its client base.

As it prepares for its IPO, it will need to focus on sustaining its growth momentum, scaling its operations, and meeting the expectations of public market investors.
