Ransomware gangs are complaining that other crooks are stealing their ransoms (zdnet.com)
297 points by PretzelFisch on Oct 3, 2021 | hide | past | favorite | 108 comments



Re: Thieves stealing from thieves ...

I worked(*) with a credit-card scammer who brought in software for creating "yes-cards": cloned credit cards that had corrupted chip-and-PIN settings (see https://www.zeit.de/2016/05/kreditkarten-banken-betrug-siche..., sorry, it's only in German).

It was unheard of at the time that you could do this. So we set up a test to clone a credit card of ours. The kicker was, the software didn't work when you disconnected the computer it ran on from the internet. Security mechanism from the creator? Nope, it turns out after tracing/disassembly that it sent the data from the cards to a third party to sell it.

Our informant was first confused, then outraged. No honor among thieves!

(*) journalistically!


So to encourage merchants to use dip and tap instead of swipe, brick-and-mortar CC processor companies said they would no longer cover fraud from cloned swipes. Sounds fine, right? Except their own payment terminals, after 2 or 3 dips/taps not working, just go "fine, just use swipe" -_-


That's part of the EMV standards; the terminal parameters set by the bank or the merchant are combined with the card parameters set by the issuer to determine the threshold for risk.

A merchant or bank in a third-world country may decide on thresholds that effectively never do a fallback transaction.


That very much depends on the terminal settings and the merchant agreement with the acquirer…


In my experience CC processors rarely covered fraud anyway (at least in the US). Which is one of the reasons fraud is so widespread.

Rarely is the bank and/or CC processor on the hook; it is either the consumer or the merchant that is left holding the bag. If the bank and/or CC processor were always on the hook for fraud, fraud would be almost impossible.

The same is true for so-called "ID theft": if the bank and/or other lenders were on the hook for that type of fraud, "ID theft" would also be impossible, but since consumers have to clean up their own victimization, the banks and lenders just pay lip service to fixing it.


> cc processor companies said they no longer would cover fraud from cloned swipes. Sounds fine right?

Yes, and it makes sense that it would encourage adoption of the new dip/tap machines. That they can also swipe does not decrease the incentivized appeal of the new, safer system.


"Yes" cards were a threat, but they had two problems: they could only work with static data authentication (which has hopefully been phased out by now), and the terminal itself would contain 1-in-n "go online regardless" checks, plus limits for offline transactions.

An oversight in the EMV specs certainly, but not a showstopper.

IIRC I made one of these with an ICC Solutions programmable card about 20 years ago (in the context of building an EMV system at the time)

I love the story there though :)


Hey, you would not believe that if I had no proof ;-) ... but the true cause of the "yes cards" was some kind of glitch on the side of Visa/Mastercard AND the banks. At that time some banks had not even issued chip cards to their customers. If you "cloned"/transformed the data from the magstripe to the chip and tweaked a few bits ... well, that confused the system and it defaulted to "yes" due to Visa/Mastercard's setup/fallback. Naturally, this problem has solved itself by now.


I think I can see why REvil added the backdoor. It's not to steal ransoms. It's to prevent too juicy a target.

There have been reports of crews stating "we won't hit hospitals during covid". With this backdoor, if your customers hit a hospital, you can keep your promise.

Even worse than hospitals (from their perspective) is agitating the American intelligence services. Hit too many pipelines, or similar high-news, high-impact targets, and 'national security threat' is your new name.

Worse than that still, imagine one of your affiliates is stupid enough to target inside Russia. You need to keep the Russians happy or all of a sudden trial or extradition become likely outcomes.

At the same time, once you have the opportunity, why not use the back door for some more money.

Glad to see that they still aren't fully cooperating like legal businesses yet.


> Worse than that still, imagine one of your affiliates is stupid enough to target inside Russia. You need to keep the Russians happy or all of a sudden trial or extradition become likely outcomes.

I read somewhere that a lot of these attacks are orchestrated by Russians because the Russian authorities will turn a blind eye as long as such attacks don't hit domestic targets.


There's indications that the Russian intelligence services are intertwined with organized crime. The oligarchs get help laundering money out of the state, the intelligence services get untraceable money that they can use to bribe foreign assets and the organized crime syndicates get paid for their money laundering services and get a free pass from the authorities as long as they don't inconvenience those in power too much. Seems like one of the most impressive rackets in history.


I think we can assume that all intelligence agencies are intertwined with organized crime in some way. It's not like spy activity is completely legal anyway.


In Russia the oligarchs are mob bosses. It's really that simple. And who do they work with? Putin, who has access to 100% of all government capabilities. It's a big birthday cake and there are plenty of slices to go around.


Wonder how much they make with ransomware vs. the CIA with drugs.


It has been common knowledge for years that most malware and ransomware look for the presence of a Cyrillic keyboard and exit quietly if it’s found.


Lol, I don't believe that, but I like to entertain the thought that malware leaves me alone just because I have had a Russian layout installed ever since I can remember.



Anything to support that? Seems like an easy step to protect yourself if true.



Honestly, this looks like yet another Russian Hoax iteration. Also, it made me figure Brian Krebs is merely a journalist, while the real infosec researcher is Chris Krebs.


They also talked to other people, including the Founder and Chief Research Officer at Unit221B, about whether workarounds, e.g. adding an additional keyboard, were effective.

So clearly it's well known that this is real and accurate, just as most of the reporting is on Russia.


> is real and accurate just as most of the reporting is on Russia

Except when it turns out to be fake news, as usually happens. For instance, the linked malware research paper doesn't mention the alleged keyboard layout probe and never reveals how this probe is to be performed. So, bogus.

> workarounds e.g. adding an additional keyboard

Just as bogus as placing a succulent plant to "protect from computer radiation".


This is really common, not just keyboards but time zone settings and even geo-IP lookups.

The effort required to make your enterprise look like it's in Russia is definitely not worth it given that this would only stop one slice of organized crime.


This implies the Russian Conspiracy members actually care about their domestic cybercrime, which is clearly not true.


They do care. That's the point. Russians largely have a free pass to attack international targets provided they do not hit domestic targets.


There is no evidence to back this claim.

Instead, there are stats indicating that The Mother Of All Hoaxes definitely ISN'T safe haven infosec-wise.

Additionally, Krebs completely forgot that there is a war between Ukraine and Russia, so there are no reasons for such alleged protective measures any more.


That's my point. If your affiliates start targeting Russians, you want a way to distance yourself and keep the Russian authorities happy.

Without their protection, the ransomware crews are screwed.


They have a long history of turning a blind eye on criminal activities like drug trafficking as long as it's not sold in Russia. Then again, so do many other governments.


Anything that might interfere with the interests of western democracies is okay with the Russian authorities as long as it doesn't affect Russians finances.


No need for "orchestration". Pretty straightforward: hackers gonna hack, and if you don't give them a legal outlet they will just attack domestic targets all the same. Works the same way here; the feds don't coordinate with black hats to attack adversaries. Black hats can become some of the most patriotic fighters, it's pretty interesting.


I love the downvotes from people who don't understand how this works.


Now, if I repeat what you told us, someone might say:

"My friend told me he read somewhere that someone read somewhere that a lot of these attacks are orchestrated by Russians because the Russian authorities will turn a blind eye as long as such attacks don't hit domestic targets."

How rumors become "real"... :)


This isn't a rumour, and I don't share information unless I'm either personally trained on the topic or have learned that information from a reputable news source. The feature in question even included interviews with some individuals who have run ransomware attacks.

The only reason I said "somewhere" in my original post was because I cannot remember which network it was published on.


Not a rumor. This is very common. For instance, an example from a marketplace advert.

https://postimg.cc/hfQbS6bQ

PROHIBITED: a) UKR, RU, CIS - BAN


TBF, in the sense that it's widely discussed, this particular rumor is already "real"


It's OK as long as gossip fits the "progressive" agenda and/or comes from the renowned "progressive" newspaper Pravda. Otherwise it is a racis' conspiracy.

That WaPo Krebs article links a malware analysis which goes into dire detail on how that ransomware probes for Volume Shadow Copy (via amateur WMI) yet... omits the keyboard layout probe method(s) entirely (there are at least 3 possible ways).


Depends on the method. You're safe from Russian hackers/malware if your OS has the Russian keyboard added.

It's even a security precaution.

https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...

Tldr: it's not hearsay


The Duesseldorf hospital was hit by ransomware and a patient died during the outage.

I'm not saying that all ransom gangs are coldhearted, but let's not frame them to have morals


I don't think it is about morals, but more about avoiding trouble.

And I also wouldn't find it too hard to believe that there must be at least some ransomware groups with morals. Not the same as yours, sure


When you hit a national security target, you get NSA and CIA after you. They have vast resources to make your life difficult wherever you are.


On the other hand, why shouldn't NSA and CIA be invested 100% in pushing back on these attacks already? The potential harm from this vector is obviously gigantic, so why wait for a really significant attack to happen?


Ransomware makes the private sector aware of security issues and resilient against attacks. It's like developing antibodies to viruses.

The NSA would rather not interfere, unless infrastructure is involved.

Interference from the public sector may actually not be successful in the long run, as companies simply adjust to that and keep ignoring security at a new equilibrium level.


Not suggesting you're doing this, but their existence should still not be framed as positive. They are malicious and sophisticated, and should be pursued accordingly. If they're willing to extort others by holding their data ransom, there's no telling what else they may be willing to do.

But yes, ransomware does lead to a hardening of network infrastructure, and reduces the likelihood of successful espionage operations, by alerting parties - via the ransomware attack - to security vulnerabilities.


> On the other hand, why shouldn't NSA and CIA be invested 100% in pushing back on these attacks already?

For the same reason that neither they nor the Army serve drug warrants or investigate tax evasion. Because policing is not their mandate. That's the job of either your local police department, or the FBI, or any one of a number of other federal police forces.


If ransomware gangs are seen as a potential threat to national security, wouldn't preemptive action against these groups fall under the claimed remit of the NSA or CIA?


Tax evasion is a potential threat to national security, drugs are a potential threat to national security, protests are a potential threat to national security, q-anonsense is a potential threat to national security, especially when it culminates in an invasion of the Capitol.

You don't just get to sprinkle 'potential threat to national security' to turn criminal activity into a problem for the extra-judicial arms of your government. How about we let the police do their core competency - policing, and the military and the spooks to stick to their core competency - extra-judicial violence, and kidnapping random people to hold/torture without trial in Gitmo.


I'm not doing any such thing, hence the phrasing of my comment.

Your comment seems to imply you think most/all of the remit of the CIA is or should be invalid. That position doesn't contradict my comment in any way.

That is a rather different claim than saying that preemptively pursuing ransomware gangs in other countries is outside what the relevant decision makers view as the remit of the CIA. To me it seems to clearly fall in line with their historic actions (as long as the cyber ransomers are outside of the country).


The target was a different university, and when the scammers realized their mistake they handed over the encryption keys.

I wouldn't say morals play no role, since someone that is perfectly fine robbing a wealthy institution isn't automatically going to be OK with causing someone's death, but there absolutely is risk management at play since the hunt for someone that stole a few hundred thousand dollars is going to be much lower priority than a hunt for a killer.


An investigation later revealed that the patient's death was not caused by the ransomware attack, and the patient would've died regardless.


Not at all suggesting they have morals. I'm suggesting it makes business sense to avoid targeting hospitals. Because people will come after you much harder if you do that too often.

If the NSA starts deploying the TAO against ransomware crews, the crews are going to have a much MUCH harder time actually making money.


Surely any ransomware attack is coldhearted? It's only effective if you are threatening something the target really cares about.


Was Robin Hood coldhearted? I certainly don't mean to suggest any ransomware group has motivations that noble, but I don't think you can generally say that.


A better question: was Robin Hood a real person whose behavior could serve as evidence?


does it matter if it's just used as a counterexample to make a point while speaking in general terms?


Absolutely. Theft is violence and it's morally wrong no matter the circumstances. It doesn't matter if you're stealing a piece of bread not to starve, if you're stealing the money to save the lives of orphans, to help the homeless or pay for hospitals. It doesn't matter if you're an individual, a dictator's army or a democratically elected government.

Theft is theft.


Doesn't mean it's morally wrong. Robin Hood was taking back and returning what was stolen from peasants by the Sheriff (and other nobles) by overtaxation and straight-up "this is mine now" antics. These were people that had no right to what they were taking. If I beat the crap out of the guy I ran down after he stole my garden gnome, that's justice of a sort.


Are you arguing that stealing bread to not starve is cold-hearted? That attitude may not be illegal, but it is way more cold-hearted than stealing bread to prevent starvation.

As for the comparison to Robin Hood, that would only be apt if the ransomware only targeted exploitative companies and gave the money back to the victims of those companies.


>Worse than that still, imagine one of your affiliates is stupid enough to target inside Russia. You need to keep the Russians happy or all of a sudden trial or extradition become likely outcomes.

I heard (and it might be just people making stuff up) that if you had Cyrillic anything on your PC some ransomware would avoid you entirely. Now, that's probably false, but I am interested in knowing how they would avoid infecting Russian computers.



Remember the amazing/terrible hacker movie Swordfish?

You just described it. Maybe now other world powers need their own domestic equivalents. Or if they already do, then something that’s a bit more overt.


FYI: Russia has no extraditions


> Cyber criminals using a ransomware-as-a-service scheme have been spotted complaining that the group they rent the malware from could be using a hidden backdoor to grab ransom payments for themselves.

That's hilarious. You'd think they'd know better than to trust code they did not write...


How many of these people actually write their own code, though? I mean, if there is ransomware as a service, it would imply not a lot.


Yeah. I’ve always assumed most of these people are low-skilled thugs. The Russian equivalent of tax or tech support call scammers in India.


>That's hilarious. You'd think they'd know better than to trust code they did not write...

Most humans trust code they didn't write


Yeah, but these people are in the business of exploiting that trust. I thought they'd be smart enough not to have their own trust exploited...


Always going to be a bigger fish. But it is scary to hear that there is an entire supply chain dedicated to this sort of activity.


Note that REvil is the group behind the Colonial Pipeline hack that took down gas supplies along the eastern seaboard earlier this year. They were taken offline by (presumably) the U.S. intelligence services shortly after that hack.

It's interesting that a.) they're back and b.) a secret backdoor that allows REvil to override their affiliates and restore access themselves is found shortly afterwards. Particularly since REvil, in the immediate aftermath of Colonial Pipeline, before they were shut down, sent out a message to their affiliates forbidding any attacks on governments or critical infrastructure. An alternative explanation is that they cut a deal with the CIA where they are allowed to continue to operate in exchange for instituting a backdoor and handing over the keys to major Western governments, such that if they hit any "politically embarrassing" targets, the government can override the affiliate and restore operations.

Keep your friends close and your enemies closer. It's often smarter to co-opt an adversary than it is to shut them down entirely.


>> An alternative explanation is that they cut a deal with the CIA where they are allowed to continue to operate in exchange for instituting a backdoor

CIA would demand a cut of the revenue as well. It should be appalling that anyone would think this is a possibility but sadly I do not put anything past US Federal Agencies anymore


Love this take


This happens with scammers a lot from what I've seen. I watch Jim Browning and it's interesting to see how often a scammer will say "No, that other person was trying to scam you, do not talk to them, only talk to us" when they see evidence of a previous scam.


Tiny violin luthiers are rejoicing thanks to this new market opportunity.


No honor among thieves? Color me shocked.


So they're basically publicly admitting they're script kiddies.

Hilarious.


Usually these affiliates do the actual hacking themselves. They simply outsource the payload development. They aren't necessarily script kiddies. Outsourcing your non-core work is just efficient. It's good business.

That this model is breaking is good news! It means that the efficiencies that trust allows are eroding in the ecosystem.


They could just be buying exploits.

I can't imagine professionals capable of hacking useful targets having problems writing a script that encrypts some files with a public key and needs a private key to be unlocked.


Like with most things, it's not as simple as it looks from the outside. Malware payloads need to exist undetected on whatever system they've been deployed to, which by itself is an ever-changing cat-and-mouse game that requires a different knowledge set than simply gaining access to said system.

If you have a second computer you're willing to accidentally mess up and require a wipe + reinstall, I recommend you experiment a bit and try writing your own malware or playing with some open source variations floating around. It can teach a lot to see from the attacker's perspective.


So where is the back door I wonder. In the actual payload that gets deployed to the victim's device? Or in some backend part of the ransomware software?


I would put it in the key generation algorithm used for the encryption, if that algorithm was somehow backdoored (like the Dual_EC curve), or just by (asymmetrically) encrypting the key and putting it in the identifier. Then the RaaS could just use the backdoor to recover the key.


What is the best defence against this? Is there some software at the HDD/SSD level that can detect a file being encrypted?


There exist a few products targeted at enterprises that attempt to detect suspicious patterns of encrypting files at the OS and/or backup level and flag it if it happens.

I wouldn't describe that as the "best" defense though, it's an "earlier warning system" but not early enough to prevent damage. You've already been hacked, the criminals have already exfiltrated all the data they can, have already installed whatever backdoors they are going to, and have even already started preventing you from accessing some of your own data. (That doesn't mean earlier warning doesn't help, and it's probably worthwhile, but it's a component in a broader last line of defense system that you never want to use in the first place).

The best defense is not getting hacked in the first place, and not letting malware spread when you do. If you are a big enough target that the "detect ransomware" solutions are remotely affordable you should hire some experts on this topic, but think about things like good phishing training, good firewalls, good software engineering, keeping everything entirely up to date, and so on and so forth.

Backups help (a lot!) but are not the cure-all that people like to pretend they are. Apart from all the other damage hackers do besides deleting things, hackers do attempt to delete backups too, and sometimes they succeed.

(Disclaimer: I used to work on one of these products)
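A sketch of the kind of OS-level detection the comment above refers to, as an added example that is not code from the thread or from any product: per-process sliding-window counting of high-entropy writes to distinct files. The sensor event format, the thresholds and the trace of events are assumptions constructed for the example, and the trace includes the two cases an "earlier warning" like this has to get right: a word processor saving text and a backup agent streaming one large compressed archive, neither of which should fire.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Event is one file write as a hypothetical EDR/minifilter sensor would report
// it; Data holds the first bytes written. Field names are this example's own.
type Event struct {
	PID  int
	Path string
	At   time.Time
	Data []byte
}

// Entropy returns the Shannon entropy of b in bits per byte (0 to 8).
// Ciphertext and compressed data sit near 8; documents sit well below.
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Detect flags every PID that wrote high-entropy data to at least minFiles
// distinct paths within any sliding window of length win. Counting distinct
// paths keeps a backup agent streaming one large archive from being flagged.
func Detect(events []Event, win time.Duration, minFiles int, minEntropy float64) []int {
	byPID := map[int][]Event{}
	for _, e := range events {
		if Entropy(e.Data) >= minEntropy {
			byPID[e.PID] = append(byPID[e.PID], e)
		}
	}
	var flagged []int
	for pid, evs := range byPID {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		inWindow := map[string]int{} // path -> writes currently inside the window
		start := 0
		for end := range evs {
			inWindow[evs[end].Path]++
			for evs[end].At.Sub(evs[start].At) > win { // slide the left edge forward
				old := evs[start].Path
				if inWindow[old]--; inWindow[old] == 0 {
					delete(inWindow, old)
				}
				start++
			}
			if len(inWindow) >= minFiles {
				flagged = append(flagged, pid)
				break
			}
		}
	}
	sort.Ints(flagged)
	return flagged
}

// SampleEvents is a constructed trace, not real telemetry.
func SampleEvents() []Event {
	t0 := time.Date(2021, 10, 3, 12, 0, 0, 0, time.UTC)
	cipherLike := make([]byte, 4096)
	for i := range cipherLike {
		cipherLike[i] = byte(i*131 + 7) // every byte value exactly 16 times: 8.0 bits/byte
	}
	text := []byte(strings.Repeat("quarterly report: revenue up 4%\n", 128))
	var evs []Event
	for i := 0; i < 12; i++ { // PID 4242: 12 documents rewritten in 3 seconds
		evs = append(evs, Event{4242, fmt.Sprintf("/srv/docs/report%02d.docx.locked", i),
			t0.Add(time.Duration(i) * 250 * time.Millisecond), cipherLike})
	}
	for i := 0; i < 12; i++ { // PID 900: a word processor saving plain text
		evs = append(evs, Event{900, fmt.Sprintf("/home/alice/notes%02d.txt", i),
			t0.Add(time.Duration(i) * time.Second), text})
	}
	for i := 0; i < 20; i++ { // PID 77: backup agent streaming one compressed archive
		evs = append(evs, Event{77, "/backup/2021-10-03.tar.zst",
			t0.Add(time.Duration(i) * 100 * time.Millisecond), cipherLike})
	}
	return evs
}

func main() {
	fmt.Println("flagged PIDs:", Detect(SampleEvents(), 10*time.Second, 10, 7.0))
}
```

The window and file count are the tuning knobs: too tight and a ransomware that throttles itself below the rate slips through, too loose and a nightly job that rewrites many compressed files fires every night. Either way, by the time this trips, the attacker already has the access the comment describes, so treat it as a trigger for isolation and incident response, not as prevention.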


I'd recommend a few things.

1. File history preservation. We use Dropbox Paper, which preserves file history - if someone were to delete all of our documents we could recover them.

This is harder to do for production data, which may take up petabytes of space. Archiving out the data in big chunks can help here (we back up our kafka data to S3, for example, and the exporter will do that in batches).

You can also enable object versioning on those S3 buckets or prevent deletion/ mutation of objects. Another good idea is to use a uuid in the key name so that they can't be guessed.

2. Remove all forms of lateral movement. Move to a 'zero trust' system. Ransoming one machine is not worthwhile, attackers need to own a lot of your network if they want to monetize. They usually do this by traversing over as many machines as possible.

None of our systems can communicate with each other in corporate environments, and there's no remote execution protocols like SSH in our production environment (between servers). All access is explicitly authenticated and authorized.

There's lots of other good defenses but IMO if you do these two things you're in a very good place.

I wouldn't recommend "backups" generically. It's hard to do backups well and safely. (1) is technically a backup, but it's how the system works normally, it isn't some separate backup system that never gets tested. Backups are also very expensive, whereas zero trust is cheap.


>>> Backups are also very expensive, whereas zero trust is cheap.

In reality the inverse is almost always true unless you are setting up a company from the start to be Zero Trust.

Implementation of Zero Trust on an existing network and existing company, with established business processes that depend on a non-zero-trust network, well, that can be very expensive.

Also, as we move forward in time with better and better immutable backup technologies, the cost of doing proper backups comes down.

Finally, with modern ransomware it is not just about the encrypted data, it is about data exfiltration as well. This is where the Zero Trust model comes in, to prevent exfiltration.

At the end of the day Zero Trust and backup are 2 different things, used for different purposes. Having Zero Trust does not mean you can forgo backup. Having proper immutable backups does not mean you can forgo Zero Trust.


True, I'm making an assumption that a company is young. For older companies it'll be years to move to zero trust - although, once you do, it's "free". Backups are pretty costly and that cost never goes away.

I didn't say it was one or the other, I recommended both.


> Backups are also very expensive, whereas zero trust is cheap.

Could you elaborate on this? I would have thought that they are at least in the same ball-park. I work at a large software company and we have a lot of internal systems one has access to. You have to harden your AD, you have to be very careful with single-sign on, etc. I'd bet, if I could compromise the machine of one of our employees I could do a lot of lateral movement. You must not only harden the production machine, you need to harden everything in the supply chain for those machines.


I'm making a big assumption, which is that the company is young and starting to think about security. I'm not sure what you want me to elaborate on though. Backups have a very literal cost - storage, maintenance, etc. Zero trust is just a paradigm, it's no more expensive than any other approach, it's just an architectural choice.

I don't think compromising our machines would be easy, nor do I think lateral movement would be easy, but there's still more that we can do.


> What is the best defence against this?

Backups.


Stored offline or at least immutable, e.g. via S3 bucket lifetime policy. Lots of cases of casual backup servers being infected & encrypted as well.


Yeah, for protecting against ransomware, the computers you are backing up must not have permission to write to your backups, and the place you are writing your backups to must not have the same security flaws as them.

Both offline media and well-configured S3 can do. Although, I'd personally bet much more on my capacity for configuring a server than on S3. Anyway, you can't go wrong with offline. The one thing you can't have is a NAS where your computers directly write the data.


I favor cloud storage here since you can configure write-only storage pools (without delete, or at least with versioning). Whereas "offline" backups must come online for new copies, and that's a window for infection of the hosting file system, barring well-configured snapshots or the like. Also it can be your second location for the "three copies, two locations" rule of thumb, especially if you are an SMB with only one physical space.

(The opposite plays here, too. If everything you have is in the cloud, you should keep local backups.)


We are using borg to back up our servers, and each server has its own user in the backup system that allows executing only the backup command in append-only mode, so an infected server cannot destroy its backups.


There are a few. One is CryptoPrevent; the free version is what I've been using. It blocks rather than detects encryption, which some other apps do.

https://www.d7xtech.com/cryptoprevent-anti-malware/


> other crooks are stealing their ransoms

The hallmark of an ecosystem.


There’s no evidence to suggest it’s happening here, but I wonder how effective it is to disrupt ransomware activity by making the community distrust each other.


Very good point. Any type of disruption is beneficial. Especially when you start screwing over your affiliates.

It has been proven that affiliates are the main reason ransomware has been so successful. Piss off your affiliates and now you no longer have incoming victims/targets.


I can't get the human centipede image out of my head, with these gangs chainfucking each other and REvil being the last link in the chain.


Well. They should go to the police!


Who do they complain to? Is there an ombudsman?


Lots. The High Council from John Wick, AIM from Marvel, there’s probably an Injustice League somewhere as well.


The Guild of Calamitous Intent from Venture Bros also comes to mind.


To Twitter of course :)


Fuck all of them. Criminals stealing from criminals, cry me a river.


Good. Share the (stolen) wealth.


Robin Hood as a service?


Oh-Dear-How-Sad-Never-Mind.gif


Would be a shame if someone else used that same back door to assist in capturing the perps.


I just upvoted for the headline, clickbaited by the article complaining about crooks complaining about other crooks. I wonder if there is a name for this?


See right through your C2, seize it, so you see how we move.

also

I don't watch TV - I sit back - and watch cowrie hijack a box - patch the hole - like howdy - its me - ya new best friend show me the way that you planned to get these ends

Snakes in the grass stay on my toes credentials contained within all these SQL rows no time for these hoes So what you gotta say to me? I need new information, f** all your old queries I'm planted like raspberries, Pycharm's filled with adversaries, static build, f** your external libraries.



