Monthly Archives: January 2017

Ransomware Infection Causes Loss of 8 Years Of Police Department Evidence

Oh, when will you learn to “BACK UP” your data? Check your backups before you have an issue!!!

The Police Department in Cockrell Hill, Texas announced in a press release that it lost 8 years’ worth of evidence after the department’s server was infected with ransomware.

The lost evidence includes all body camera video, and sections of in-car video, in-house surveillance video, photographs, and all their Microsoft Office documents. OUCH.

Eight years worth of evidence lost

Some of the lost data goes back to 2009; some files from that era were backed up on DVDs and CDs and remain available.

“It is […] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” the press release reads.

In an interview with WFAA, which broke the story, Stephen Barlag, Cockrell Hill’s police chief, said that none of the lost data was critical. The department also notified the Dallas County District Attorney’s office of the incident.

Backup Procedure Kicked In After Locky Infection

The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.

After consulting with the FBI’s cyber-crime unit, the department decided to wipe their data server and reinstall everything. Data could not be recovered from backups, as the backup procedure kicked in shortly after the ransomware took root, and backed up copies of the encrypted files. OUCH.
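
The failure described above, a backup job faithfully copying already-encrypted files over the last good generation, is one a pre-backup check can catch. The script below is an added example, not anything from the department or the original post: it classifies files by ransomware extension (.locky is the extension the Locky family appended; the other entry is a placeholder), by a missing format header for normally compressed types such as Office documents and photos, and by byte entropy, and refuses to run the job when too many files look encrypted. All file names and contents are constructed.

```python
"""Pre-backup sanity check: do not overwrite the last good backup with
ransomware-encrypted files. Added example; names and contents are constructed."""
import math
import os
import random
from collections import Counter

# Extensions appended by ransomware families. ".locky" is Locky's; ".encrypted"
# is a placeholder to show the mechanism. Extend from your own threat intel.
RANSOM_EXTENSIONS = {".locky", ".encrypted"}

# Magic headers of formats that are legitimately high-entropy (compressed).
# Entropy alone would flag every body-cam video and docx, so for these types
# we check the header instead: the right extension with no header is suspect.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Return 'ransom-ext', 'bad-header', 'high-entropy' or 'ok'."""
    ext = os.path.splitext(name)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return "ransom-ext"
    if ext in MAGIC:
        return "ok" if data.startswith(MAGIC[ext]) else "bad-header"
    if shannon_entropy(data[:65536]) > threshold:
        return "high-entropy"
    return "ok"


def audit_backup_set(files: dict) -> dict:
    """Classify every file in a {name: leading bytes} map; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in files.items()}


def backup_allowed(report: dict, max_suspect_ratio: float = 0.05) -> bool:
    """Block the job when too many files look encrypted, so the previous good
    backup generation is kept instead of being overwritten with ciphertext."""
    if not report:
        return True
    suspect = sum(1 for v in report.values() if v != "ok")
    return suspect / len(report) <= max_suspect_ratio


def scan_directory(root: str) -> dict:
    """Real-world entry point: read the first 64 KiB of each file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:
                files[path] = fh.read(65536)
    return files


def constructed_sample() -> dict:
    """Constructed backup set: a clean report, a docx, and two encrypted files."""
    rng = random.Random(7)                       # deterministic stand-in for ciphertext
    junk = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "reports/incident-2016-12.txt": b"Officer report: vehicle seen on Main St. " * 40,
        "cases/statement.docx": b"PK\x03\x04" + junk,   # zip container, header intact
        "video/bodycam_0831.mp4.locky": junk,           # renamed by the ransomware
        "photos/scene_12.jpg": junk,                    # overwritten, JPEG header gone
    }


if __name__ == "__main__":
    report = audit_backup_set(constructed_sample())
    for name, verdict in report.items():
        print(f"{verdict:13} {name}")
    print("backup allowed:", backup_allowed(report))
```

Run `audit_backup_set(scan_directory(path))` from the backup job's pre-hook and keep the previous generation whenever `backup_allowed` returns False.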

Infection Source: Phishing email with spoofed address

The press release says the infection took place after an officer opened a spam message from a cloned (spoofed) email address imitating a department-issued email address. Security awareness training would likely have prevented this.

The infection did not spread to other computers because the server was taken offline and disconnected from the local network as soon as staff discovered the ransom demand.

DHS Cyber Incident Response Plan Focuses on Infrastructure Risk

The National Cyber Incident Response Plan describes how stakeholders in numerous areas can properly react to cybersecurity threats.

The Department of Homeland Security released a refreshed version of its National Cyber Incident Response Plan (NCIRP), with a strong focus on how the US can react to cybersecurity threats to critical infrastructure.

The NCIRP was previously published on September 30, 2016, with a national engagement period that ran until October 31, 2016.

“The NCIRP describes a national approach to dealing with cyber incidents; addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response,” the US Computer Emergency Readiness Team (US-CERT) stated on its website.

Public and private partnerships are critical to addressing major cybersecurity risks to critical infrastructure, the NCIRP executive summary explains. Furthermore, the plan “sets common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans.”

Several guiding principles outlined in Presidential Policy Directive (PPD)-41 also helped DHS and other agencies create the NCIRP:

  • Shared responsibility
  • Risk-based response
  • Respecting affected entities
  • Unity of governmental effort
  • Enabling restoration and recovery

“While steady-state activities and the development of a common operational picture are key components of the NCIRP, the Plan focuses on building the mechanisms needed to respond to a significant cyber incident,” according to the NCIRP.

The plan also differentiates between a “cyber incident” and a “significant cyber incident.” The former is when the “confidentiality, integrity, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident” are potentially jeopardized.

Significant cyber incidents on the other hand are events that potentially result in “demonstrable harm” to national security interests, foreign relations, US economy, public confidence, civil liberties, or public health and safety.

The DHS Office of Cybersecurity and Communications will also conduct and oversee NCIRP reviews and maintenance in coordination with the DOJ, Office of the Director of National Intelligence, and Sector Specific Agencies.

“The revision process includes developing or updating any documents necessary to carry out capabilities,” the NCIRP explained. “Significant updates to the Plan will be vetted through a public-private senior-level review process.”

The Healthcare Information Management Systems Society (HIMSS) previously commented on the DHS response plan, saying it supported the overall principle of cybersecurity education and readiness being shared responsibilities.

HIMSS did point out that all dimensions of potential cybersecurity threats should be considered. For example, IT infrastructure and assets can exist in terrestrial, sea, air, and space. The NCIRP should therefore address all dimensions to help create a flexible response plan.

“The complexity of threat and asset response may be significantly compounded, especially when multiple dimensions are in play— including in the private and public sectors (e.g., underwater data centers, undersea Internet cables, satellite communications, and over-the-air communications),” HIMSS wrote to DHS.

HIMSS also said in its October 2016 letter that a better definition of what qualifies as a cyber incident was necessary. Large cyber threats that could potentially impact public health and safety are a top concern for HIMSS, the organization explained. HIMSS said it is already working to ensure that the healthcare industry understands how to properly prepare for such threats.

“As the federal government’s decision to fund two grants for the NH-ISAC indicated, coordination across the healthcare community is becoming increasingly important in the fight against cyberattacks,” the letter stated. “Collaboration with the NH-ISAC and other stakeholders, particularly on threat identification and incident mitigation, will have a significant impact on public health and safety.”


New Phishing Campaign Targeting Gmail Users

A new phishing campaign has been discovered this week that targets even the most tech-savvy Gmail users. By posing as someone you may know, cybercriminals are gathering personally identifiable information that could be leveraged against the individual or against your company. Learn how the newest phishing campaign works and how you can keep yourself and your company safe from becoming the next victim.

What is Phishing?

Phishing is nothing new to the cybersecurity world. However, it is often mistaken for general spam email, which is how many forms of ransomware are distributed. Take the newest form of ransomware, Spora, as an example. Spora is distributed through spam emails disguised as invoices for charges that victims didn’t make. These emails come from an individual or organization unknown to the potential victim.

What’s different about phishing is that the emails are coming from a known contact whose account has been compromised. Or, the emails are coming from someone who you think you know, but the email address has been changed by a letter or two. For example, compared to Notice the ‘S’ at the end of Gmail on the second example.

Phishing campaigns can certainly be used to distribute ransomware. However, it would take the cybercriminal much more time to distribute the emails as they are more sophisticated attacks. The targets of phishing campaigns using ransomware would be high-profile targets where a large ransom can be demanded.

Most phishing emails contain an attachment or link set up to trick the user into divulging personally identifiable information such as financial information, login credentials, or credit card details.

Gmail Phishing Campaign

As mentioned before, the new Gmail phishing attack can trick even the most tech-savvy users. The attack works like this:

  • Hackers breach someone’s Gmail account and look through emails for correspondence containing attachments.
  • They then send emails from the compromised account, with each email leveraging similarities to prior communications, so as to make the new messages seem legitimate and familiar. Hackers will even use subject lines that were used in the past.
  • Here’s where the hack takes place. The email is embedded with an image of an attachment that has been used in the past. Rather than opening the attachment, clicking on the image will lead the user to a phishing page that looks like a Google login. Because the user is opening a Gmail attachment, the presentation of a phony Gmail login page does not sound any alarms.
  • Once the new victim enters their credentials into the phony Google login page, the hackers now have access to the victim’s account.

It’s believed that this phishing campaign has been going on for about a year with increasing intensity. How are these hackers using this campaign against their victims? Take a moment to think about all the ways your email account is used for everyday purposes. The first thing that comes to my mind is my banking sites. We have all forgotten a username or password before, right? How do you recover or reset your credentials? Enter your email address, and they will send you a temporary password or a code to reset your credentials. All a hacker has to do is search through your emails, find what banks you use, and go to those sites to request a reset to these credentials. In as little as five minutes, these cybercriminals have access to all of your personally identifiable information.

How can you stay safe?

Below are some tips, rather, necessities you need to implement into your everyday life to stay safe from phishing campaigns.

  • First, for the Gmail campaign, using two-factor authentication (2FA) can protect your Gmail account from being compromised. While this may be a pain to login to your account every time, it could save you from becoming a victim. 2FA basically means that you will need to use your password as well as a temporary code sent via text message to log in to your Gmail account. If hackers have access to your password but not the temporary code, they won’t be able to login to your account.
  • Always think twice before entering login credentials. For the Gmail campaign, why would you have to enter your login credentials again if you were already on the site? Second, do not log into sites via login pages generated by clicking links. Always go directly to the site through entering the URL into the Web browser.
  • Never enter passwords or other sensitive information into any Website with a data:text URL. Furthermore, do not rely on warnings by Web browsers. The red warning used on insecure Websites, the certificate warnings used for invalid certificates, and the ‘unsafe site’ messages often do not appear for data:text URLs.
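
Two of the tells in the Gmail campaign above can be checked mechanically: a login page whose address starts with data:text, and a sender or host domain that is one letter off a real one (gmail versus gmails). The script below is an added example, not code from the original post; the trusted-domain list is an assumption, and accounts.google.com is used only as Google’s real sign-in host.

```python
"""Address-bar and sender-domain checks for the Gmail phishing campaign.
Added example; the TRUSTED set is an assumption to be replaced with your own."""
from urllib.parse import urlparse

# Assumed trusted registrable domains (assumption, not from the post).
TRUSTED = {"google.com", "gmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (short domain labels only)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; fine for .com-style names (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_verdict(host: str, trusted=TRUSTED) -> str:
    """'ok' for a trusted domain or its subdomains, 'lookalike' when the
    registrable domain is within two edits of a trusted one, else 'untrusted-host'."""
    host = host.lower()
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "ok"
    reg = registrable(host)
    if any(edit_distance(reg, t) <= 2 for t in trusted):
        return "lookalike"
    return "untrusted-host"


def classify_login_url(url: str, trusted=TRUSTED) -> str:
    """Verdict on the address bar before any credentials are typed."""
    parts = urlparse(url.strip())
    if parts.scheme in ("data", "javascript", "blob"):
        # The campaign's fake login lived in a data:text/html URL. urlparse puts
        # the whole 'https://accounts.google.com/...' text into .path, so a
        # hostname check alone would never see it; reject the scheme outright.
        return "data-uri"
    if parts.scheme != "https":
        return "non-https"
    # .hostname is the part after any userinfo, so 'real@evil' tricks land here.
    return domain_verdict(parts.hostname or "", trusted)


def sender_verdict(address: str, trusted=TRUSTED) -> str:
    """Same check for the From: domain (gmail.com versus gmails.com in the post)."""
    return domain_verdict(address.rsplit("@", 1)[-1], trusted)


if __name__ == "__main__":
    # Constructed samples in the shape of the campaign's URLs.
    for u in ("https://accounts.google.com/signin",
              "data:text/html,https://accounts.google.com/ServiceLogin",
              "https://mail.gmails.com/login",
              "https://accounts.google.com@login.example.net/"):
        print(f"{classify_login_url(u):15} {u}")
    print(sender_verdict("chief@gmails.com"))
```
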

Be Prepared

Phishing campaigns can be used for ransomware attacks and for gathering personally identifiable information on victims. However, they can also be the ‘in’ for hackers to gain access to a company’s servers and databases. Did you know? The average cost of a data breach in 2016 was $4 million, up from $3.8 million in 2015. How would a $4 million data breach affect your company? Would you be able to survive? Employees are, and probably always will be, the weakest link in the cybersecurity chain. Make sure your employees are educated not only on the persistent threat of cyberattacks and how to stay safe, but also on the effect a cyberattack could have on your company. Unfortunately, this could be one of the biggest factors in your company’s continued success.

It’s a bird, it’s a plane, no it’s a Perdix

What’s small, fast, and is launched from the bottom of a fighter jet? Not missiles, but a swarm of drones.

I watched a 60 Minutes report on Tuesday night that had me so intrigued by what the military is doing with new technology. This is not just about drones; it’s about where the future is going with the following technologies.

  • Unmanned ground vehicle (UGV), such as the autonomous car.
  • Unmanned aerial vehicle (UAV), unmanned aircraft commonly known as a “drone” …
  • Unmanned surface vehicle (USV), for the operation on the surface of the water.
  • Autonomous underwater vehicle (AUV) or unmanned undersea vehicle (UUV), for the operation underwater.

U.S. military officials have announced that they’ve carried out their largest ever test of a drone swarm released from fighter jets in flight. In the trials, three F/A-18 Super Hornets released 103 Perdix drones, which then communicated with each other and went about performing a series of formation flying exercises that mimic a surveillance mission.

But the swarm doesn’t know how, exactly, it will perform the task before it’s released. As William Roper of the Department of Defense explained in a statement:

Perdix are not pre-programmed synchronized individuals, they are a collective organism, sharing one distributed brain for decision-making and adapting to each other like swarms in nature. Because every Perdix communicates and collaborates with every other Perdix, the swarm has no leader and can gracefully adapt to drones entering or exiting the team.

Releasing drones from a fast-moving jet isn’t straightforward, as high speeds and turbulence buffet them, causing them damage. But the Perdix drone, originally developed by MIT researchers and named after a Greek mythical character who was turned into a partridge, is now in its sixth iteration and able to withstand speeds of Mach 0.6 and temperatures of -10 °C during release.

A Washington Post report last year explained that they had been developed as part of a $20 million Pentagon program to augment the current fleet of military drones. It’s hoped that the small aircraft, which weigh around a pound each and are relatively inexpensive because they’re made from off-the-shelf components, could be dropped by jets to perform missions that would usually require much larger drones, like the Reaper.

Clearly, they’re well on the way to being that useful. Now the Pentagon is working with its own Silicon Valley-style innovation organization, the Defense Innovation Unit Experimental, to build fleets of the micro-drones.

I’ll be talking about some of the individual technologies in the future.

Let me know your thoughts and what you think of this type of technology.

Android Banking Trojans Now Include Ransomware

The newest generation of banking Trojans is now equipped with ransomware, creating a hybrid malware. The primary function of banking Trojans is still to collect login credentials for banking portals and instant messaging applications. However, with the addition of ransomware, cybercriminals are increasing the odds that they collect on every device that has been infected.

Mobile Banking Trojans

If you own a smartphone, it’s very likely you also have a bank card. Since banks use mobile phone numbers for authorization, it makes sense for cybercriminals to penetrate this channel of communication to execute payments and transfers from your account. Banking Trojans are the most prominent mobile threat, constituting over 95% of mobile malware. Over 98% of mobile banking Trojan attacks target Android devices, which should also come as no surprise, as Android is the most popular platform for mobile devices.

How do cybercriminals infiltrate Android devices with banking Trojans? Trojans are less dangerous than viruses because they require action on the user’s end; however, through social engineering, cybercriminals lure users into performing such actions. Trojans can mimic applications and prompt the user to run an important update or activate a bonus level for a favorite game. Exploits are also able to run the malware automatically once the user accidentally executes the malicious file. Once the malware is installed, there are three major methods that banking Trojans employ:

  • Hiding Text Messages: Malware on phones hides incoming SMS from banks and then sends them to cybercriminals who then proceed to transfer money to their accounts.
  • Small Cash Movements: Cybercriminals will occasionally transfer relatively small amounts of money from an infected user’s account to fraudulent accounts, hoping it won’t be noticed so that they can continue to do so.
  • App Mirroring: Malware mimics a bank’s mobile application and gathers login credentials on the infected device. Once the credentials are gathered, cybercriminals are able to perform the two actions above.

Banking Trojans with Ransomware

Not all users who have been infected with an Android banking Trojan use banking applications, which is where the ransomware features come into play. The ransomware essentially acts as a backup plan for cybercriminals to increase their chances of extracting some form of payment from their victims.

Android.SmsSpy, Fanta SDK, and Svpeng were the first banking Trojans to add ransomware-like features to their malware, locking the user’s screen with a random PIN. This feature keeps users busy while cybercriminals initiate fraudulent transactions. While the user is trying to figure out how to unlock their phone, hackers hope the victim will be too busy to see the text or email alerts they receive for large or fraudulent transactions on their bank account. This gives cybercriminals hours, or even days, to transfer the stolen money to different bank accounts and withdraw it from ATMs. By the time it’s discovered, police will be unable to identify the criminals, as the money has likely been moved through several fake bank accounts before being cashed out.

Faketoken and Tordow 2.0

Faketoken and Tordow 2.0 are the first to fully implement ransomware into their banking Trojans. Faketoken’s primary function is to generate fake login screens for more than 2,000 financial applications in order to steal login credentials. Creators of Faketoken have now added the capability to encrypt user files stored on the phone’s SD card. Once the relevant command is received, the Trojan compiles a list of files located on the device and encrypts them.

Tordow 2.0 can make phone calls, control text messages, download and install programs, steal login credentials, access contacts, visit web pages, manipulate banking data, remove security software, reboot devices, rename files, encrypt files, and act as ransomware. To date, Tordow 2.0 has infected 16,000 devices in 27 countries with most of them located in Russia, Ukraine, Germany, and Thailand.

Once infected with the ransomware feature, victims will see something similar to the image below appear on their screens.

With the fully integrated ransomware feature, cybercriminals are targeting the least technically savvy users possible. If you think about it, encrypting files on a mobile device is essentially pointless. The point of ransomware is to encrypt files on a device and demand a ransom for the decryption key. However, many files stored on mobile devices are backed up by cloud services. Therefore, users who have been infected could easily wipe their phone clean and download all their files from the cloud service they use. If they haven’t backed up for a while, data may be lost, but it typically wouldn’t be anything of great value.


It’s still very early in the development stages of banking Trojans being paired with ransomware. Thus, the encryption of files is likely to have the same purpose of locking users’ screens which is to give cybercriminals time to perform fraudulent transfers before users can figure out how to restore their mobile phones.

We recommend that Android users only install applications from the official Google Play store and should make sure that their phones don’t allow the installation of applications from unknown sources. Lastly, it’s a good idea to read user reviews and only download highly rated applications.

Top Internet Outages of 2016

As we sipped on warm holiday beverages and gradually watched the year wind down, it’s rather customary to reflect on the past and contemplate the future. Following traditions, we took a stroll down memory lane analyzing the state of the Internet and the “cloud”. In today’s blog post we discuss the most impactful outages of 2016, understand common trends and evaluate some of the key learnings.

As we analyzed the outages that have hit us hard this year, we noticed four clear patterns emerge.

  • DDoS attacks took center stage and clearly dominated this past year. While the intensity and frequency of DDoS attacks have been increasing over time, the ones that plagued 2016 exposed the vulnerability of the Internet and the dependency on critical infrastructure like DNS.
  • Popular services weren’t ready for a crush of visitors. Network and capacity planning is critical to address the needs of the business during elevated traffic patterns. For example, the lack of a CDN (Content Delivery Network) frontend can prove costly if it is not factored into the network architecture before peak load.
  • Infrastructure redundancy is critical. Enterprises spend considerable time and money focusing on internal data center and link-level failure. However, there is often oversight when it comes to external services and vendors.
  • The Internet is fragile and needs to be handled with care. Cable cuts and routing misconfigurations can have global impact, resulting in service instabilities and blackholed traffic.

DDoS Attacks: Hitting where it Hurts

While there were a plethora of DDoS attacks in all shapes and forms, four different attacks had the highest impact. Three out of the four attacks targeted DNS infrastructure.

On May 16th, NS1, a cloud-based DNS provider was a victim of a DDoS attack in Europe and North America. Enterprises relying on NS1 for DNS services like Yelp and Alexa were severely impacted. While this started out as an attack on DNS, it slowly spread to NS1’s online-facing assets and their website hosting provider.

The second attack, on June 25th, came in the form of 10 million packets per second targeting all 13 of the DNS root servers. It was a large-scale attack on the most critical part of the Internet infrastructure and resulted in roughly 3 hours of performance issues. Even though all 13 root servers were impacted, we noticed varying levels of impact intensity and resilience. There was a strong correlation between the anycast DNS architecture and the impact of the attack: root servers with more anycast locations saw diluted attack traffic and were relatively more stable than root servers with fewer locations.

The mother of all DNS DDoS attacks was single-handedly responsible for bringing down SaaS companies, social networks, media, gaming, music and consumer products. On October 21st, a series of three large-scale attacks were launched against Dyn, a managed DNS provider. The attack impacted over 1200 domains that our customers were monitoring and had global reach, with heavy effects in North America and Europe. We saw impacts on 17 of the 20 Dyn data centers around the world for both free and paid managed DNS services. Customers who relied only on Dyn for DNS services were vulnerable and severely impacted, but those who load-balanced their DNS name servers across multiple providers could fall back on the secondary vendor during the DDoS attack. One customer, for example, had multiple DNS providers, UltraDNS and Dyn, and as a result did not suffer the same unavailability issues as many of Dyn’s other customers.

The DDoS attack on the Krebs on Security website on September 13th was record-breaking in terms of the size of the attack, peaking at 555 Gbps. Both the Dyn and the Krebs attacks were triggered by the Mirai botnet of hacked consumer devices. While the Internet-of-Things is set to revolutionize the networking industry, security needs to be top-of-mind.

Targeting critical infrastructure, like DNS, is an efficient attack strategy. The Internet, for the most part runs like a well-oiled machine; however, incidents like this present a reality check on network architecture and monitoring mechanisms. Consider monitoring not just your online-facing assets but also any critical service, like DNS. Be alerted as soon as you start seeing instabilities in the network to trigger the right mitigation strategy for your environment.

Application Popularity: Overloaded Networks

When it comes to application usage and websites there is no such thing as too many visitors. Until the network underneath begins to collapse. 2016 witnessed some popular services unable to keep up with demand.

January 13th witnessed one of the largest lottery jackpots in U.S. history. Unfortunately, it also witnessed the crumbling of Powerball, the website that serves up the jackpot estimates and winning numbers. Increased packet loss and extended page load times indicated that neither the network nor the application could handle the uptick in traffic. In an attempt to recover, Powerball introduced Verizon’s Edgecast CDN network right around the time of the drawing. Traffic was distributed across three different data centers (Verizon Edgecast CDN, Microsoft’s data center and the Multi-State Lottery Association data center), but it was too late. The damage was already done and the user experience on the website was sub-standard.

The summer of 2016 saw a gaming frenzy, thanks to PokemonGo. There were two separate occasions (July 16th and July 20th) when Pokemon trainers were unable to catch and train their favorite characters. The first outage, characterized by elevated packet loss for 4 hours, was a combination of the network architecture and overloaded target servers unable to handle the uptick in traffic. The second, worldwide outage was caused by a software update that resulted in user login issues and incomplete game content.

November 8th was a defining moment in global politics. It was also the day the Canadian Immigration webpage was brought down by scores of frantic Americans. As US states closed the presidential polls and results began trickling in, the immigration website started choking before finally giving up. We noticed 94% packet loss at one of the upstream ISP providers, an indication that the network could not keep up with the spike in traffic.

Benchmarking and capacity planning is critical for network operations. Best practices include testing your network prior to new software updates and large-scale events. Bolster your network architecture through CDN vendors and anycast architectures to maximize user-experience. Monitor to make sure your vendors are performing as promised.

Fragile Infrastructure: Cable Cuts and Routing Outages

The network is not free from those occasional cable cuts and user induced misconfigurations. Let’s see how, sometimes a simple user oversight can impact services even across geographical boundaries.

On April 22nd, AWS experienced route leaks when more-specific /21 prefixes were advertised by Innofield (AS 200759) as belonging to a private AS and propagated through Hurricane Electric. This caused all Amazon-destined traffic transiting Hurricane Electric to be routed to the private AS rather than Amazon’s AS. While the impact of this route leak was minimal, it was rather tricky: the leaked prefixes were not the same as Amazon’s prefixes but more specific, and thus preferred over Amazon’s by longest-prefix matching. This was no malicious act, but rather a misconfiguration on a route optimizer at Innofield.

Level 3 experienced some serious network issues across several locations in the U.S. and U.K. on May 3rd. The outage lasted for about an hour and took down services including Cisco, Salesforce, SAP and Viacom. We were able to trace the issue to a possible misconfiguration or failure in one of the transcontinental links.

On May 17th, a series of network and BGP level issues were correlated to a possible cable fault in the cross-continental SEA-ME-WE-4 line. While the fault seemed to be located around the Western European region, it had ripple effects across half the globe, affecting Tata Communications in India and the TISparkle network in Latin America. While monitoring your networks, look for indicators of cable faults. Some examples include dropped BGP sessions or peering failure, multiple impacted networks with elevated loss and jitter.

On July 10th, JIRA, the SaaS-based project tracking tool, was offline for about an hour. From a BGP reachability perspective, all routes to the /24 prefix for JIRA were withdrawn from Level 3. This resulted in the self-adjusting routing algorithm searching for an alternate path. Unfortunately, the backup path funnelled all the traffic to the wrong destination AS: traffic was terminating in NTT’s network instead of being routed to JIRA, due to a misconfiguration of the backup prefix.
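
Both the April 22nd route leak and the July 10th JIRA misrouting come down to an announcement that should not have been accepted: a more-specific prefix originated by an AS that does not own the space, and a prefix whose traffic terminated in the wrong AS. The script below is an added example, not tooling from the original post: it checks announcements against a table of expected origins using RPKI route-origin-validation semantics (RFC 6811) and shows how longest-prefix matching lets a leaked more-specific win until it is filtered. All prefixes and AS numbers are constructed.

```python
"""Route-origin check for the two incidents above. Added example; prefixes and
AS numbers are constructed and are not Amazon's, JIRA's or Innofield's."""
import ipaddress

# Expected origins in ROA shape: (prefix, max_length, origin_as). Constructed.
EXPECTED = [
    ("10.20.0.0/16", 16, 64500),     # owner announces the aggregate only
    ("10.30.0.0/22", 24, 64500),     # owner may deaggregate down to /24
    ("198.51.100.0/24", 24, 64501),
]


def validate(prefix: str, origin_as: int, roas=EXPECTED) -> str:
    """RFC 6811 semantics: 'valid' when a covering ROA matches the origin AS and
    the prefix is no longer than max_length; 'invalid' when covered but no ROA
    matches; 'unknown' when no ROA covers the prefix at all."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def audit_announcements(announcements, roas=EXPECTED):
    """Return (prefix, origin_as, seen_via) tuples a router should reject or alert on."""
    return [(p, o, via) for p, o, via in announcements
            if validate(p, o, roas) == "invalid"]


def filtered(announcements, roas=EXPECTED):
    """The table after dropping invalid routes (what a validating router keeps)."""
    return [a for a in announcements if validate(a[0], a[1], roas) != "invalid"]


def best_route(dst: str, announcements):
    """Longest-prefix match: the more-specific leak wins unless it is filtered."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, origin_as, _ in announcements:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin_as)
    return best[1] if best else None


# Constructed BGP table snapshot: (prefix, origin AS, AS that propagated it).
SNAPSHOT = [
    ("10.20.0.0/16", 64500, 64510),    # legitimate aggregate
    ("10.20.8.0/21", 65001, 64510),    # more-specific leak, like the /21s in the post
    ("10.30.1.0/24", 64500, 64510),    # allowed deaggregation by the owner
    ("10.30.0.0/24", 64502, 64511),    # wrong origin: traffic lands in another AS
    ("203.0.113.0/24", 64503, 64510),  # no expectation on file
]

if __name__ == "__main__":
    for prefix, origin, via in SNAPSHOT:
        print(f"{validate(prefix, origin):8} {prefix:18} AS{origin} via AS{via}")
    print("10.20.9.1 routes to AS", best_route("10.20.9.1", SNAPSHOT), "(unfiltered)")
    print("10.20.9.1 routes to AS", best_route("10.20.9.1", filtered(SNAPSHOT)), "(filtered)")
```
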

Looking Ahead

So, what have we learned? By their very nature, networks are bound to have outages and security threats. Smarter networks are not the ones built to be foolproof, but the ones that can quickly react to failures and inconsistencies. As the Internet becomes the glue that binds SaaS and service delivery, it is paramount to have visibility over its shortcomings, especially during a crisis. As you move into the new year, take stock of the past year’s events and prepare for the future. Bolster your network security, but at the same time monitor how your network performs under adverse conditions. Detect bottlenecks and common points of failure, and distribute dependencies across ISPs, DNS service providers and hosting providers. Wishing you a happy, outage-free New Year!