Take our user survey and make your voice heard.
The requested article has expired, and is no longer available. Any related articles, and user comments are shown below.
© Copyright 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.Ransomware hits AXA units in Asia, New Zealand public health provider
By CHALIDA EKVITTHAYAVECHNUKUL and NICK PERRY BANGKOK©2024 GPlusMedia Inc.
21 Comments
Login to comment
umbrella
Never pay the criminals. Just encourages more criminal attacks. We need top notch "anti hackers" to reverse whatever these criminals do.
Goodlucktoyou
They should attack selfish greedy multinational companies, not hospitals.
Cosmos1
We each of us have an identifying number for work and social welfare that is kept on file but we are in an age where these numbers could be scraped and we all get a new number . Yes I know that would be highly unpopular with everybody but what is the alternative .Pay the ransom or Do we all get a new Russian keyboard.
Mark
Time to head back to the good old Pencil and paper. LOL
Sven Asai
That is a little bit too cheap propaganda or at least also a bit questionable. Don’t you think, that someone capable of such sophisticated attacks on government institutions or multinational companies also is capable of letting it only look like an attack from the side that is the common rival or systemic enemy and easily covering own identity by everywhere available translation tools? Without real evidence of the computers or servers and IP tracing etc. any hacker group can be the suspect. In this case and considering the targets all in Southern Asia, I think it’s more something out of China or North Korea, the latter btw. very good at russian language, help and equipment from China. That would fit , probably, also considering political aspects behind, like sea conflicts there, for example. But of course, there are also quite capable IT criminals mainly in Eastern Europe, Russia, Brazil, Nigeria , Iran, and probably some other smaller spots, where they just could also quickly and luxuriously spend the received ransom money, for example Dubai, Tunis, Istanbul, some tax haven islands in the Caribbean or South Pacific and all such.
Tokyo Yokohama
They should start attacking mainstream left wing media outlets and their viewers, to counter their dirty tactics.
Furan
Every time I hear about companies being hit by ransomware, I immediately cringe. Even more so when there's critical infrastructure affected by this.
The IT(-Security) departments should never find a job in IT again after allowing this to happen to make an example out of anyone who dares downplay the importance of updates while thinking that "installing an Anti-Virus" is enough.
People always underestimate security and the people responsible rarely take their job seriously, this is why RaaS is such a successful business model.
WilliB
Tokyo Yokohama
No, not the viewers, they are just victims. Fwiw, I watch CNN regularly, it always interesting to catch up on the latest fake news.
Desert Tortoise
Those decisions are often not the IT departments calls to make. They are frequently grossly understaffed and their suggestions over ridden by bean counters in the front office. Without front line management taking cyber security to heart and enforcing good practices their advice and training often go in one ear and out the other. Every level of management has to reinforce best practices. Blaming it on the IT department might not be the right place to pin the blame. They may be liable, or they may have had the right solution but no one in management wanted to listen, or the usual complaint "it will cost too much". How much was that ransom?
Desert Tortoise
Companies like Fireeye are good enough to be on-line looking at the hackers as they are hacking through the camera on the hackers computer. They were good enough to be able to identify by name some of the PLA hackers in what they named Advanced Persistent Threat 1 (APT 1) in the course of helping commercial customers thwart their hacks of their systems. They even have photos of them and know their browsing habits. In one of their open source reports on Chinese espionage they even have videos of customers computer screens as the Chinese were intruding into their system. And this is just a commercial firm. The Governments cyber spooks have even more resources.
Cosmos1
Wizard Spyder "(spider}" operate from Russia
Paul
People who are ill to varying degrees, or in the dying phase of their lives will suffer much more because of these attacks which are 100% indefensible and the most cowardly form of harm being caused to completely innocent vulnerable citizens. Some people are so naive. Such hackers have zero political conscience. Try tell a person who has had their Cancer care suspended-indefinitely because of the attack on their Health service, about abstract political theorizing on hacking. Whatever one's individual political views, such attacks are despicable and the scum who are hacking health services are the lowest form of criminals. Morally they would make the average drug-dealer look like a saint.
Desert Tortoise
US Treasury and other agencies share cyber threat data with private firms when they have it. But as written today cyber security law is primarily concerned with preventing unauthorized access and data breaches that lead to the loss of financial information, personally identifiable information and personal medical records. Criminal sanctions are aimed primarily at the perpetrators of cyber crimes, not for failure to take specific security measures. Companies doing business with certain agencies of the US Government such as the FBI, DoS, DoE and DoD for example can be required to do specific things in terms of cyber security in order to be granted access to US Government IT systems. Beyond that the Federal Government has voluntary programs for firms that wish to improve their cyber security posture but they cannot dictate a firm employ specific measures. States sometimes have more stringent laws but those are mostly concerned with data security. Firms that fail to comply with these laws can face civil suits and in some cases civil penalties for failing to adequately protect data. But let's be real, no private firm is going to tolerate an arm of the US Government coming into their business and telling them they have to take specific security measures dictated to them by the US Government in their IT systems. The last time an Administration suggested this it was roundly shouted down by the Chamber of Commerce and other business groups. Former President Obama signed Executive Order r 13636, “Improving Critical Infrastructure Cybersecurity.” but the measures suggested within were and remain voluntary. You are also ignoring that firms in general do not wish to share information for legal and reputational reasons. There are contractual, statutory and regulatory restrictions on firms ability to share company data. Firms also fear information disclosed in good faith could be used by competitors to gain a competitive advantage.
Desert Tortoise
President Trump signed Executive Order 13800 "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" In the 2018 TRANSPORTATION SYSTEMS SECTOR ACTIVITIES PROGRESS REPORT which includes pipelines is the following:
"The private sector can voluntarily collaborate with the government to establish priorities and
coordinate activities related to Sector critical infrastructure security and resilience. Private sector
participation is essential to achieving optimal Sector effectiveness and efficiency. The private
sector has made significant strides in critical infrastructure security and resilience, often
implementing leading edge and innovative solutions. However, as a Sector, we have not fully
leveraged private sector expertise and resources to support achieving current goals and
expanding our reach to the most relevant security and resilience needs across all modes.
As owners and operators of a large portion of the Sector’s critical infrastructure, the private
sector is primarily responsible for critical infrastructure security and resilience. The private
sector conducts risk assessments, develops plans, implements risk management programs, and
conducts training and exercises to enhance critical infrastructure security and resilience. Going
forward, the Co-SSAs aim to fortify communication processes with private stakeholders and will
identify how they can better serve the needs of the private sector through support and resources
As I said, when it comes to private industry the government cannot force them to take specific measures. It can only offer guidance, "support and resources" as the report puts it and can only expect voluntary compliance.
Strangerland
It's always amazing when people take an extreme stance, while the very text of that stance shows they clearly lack the knowledge to be able to actually know what they are talking about.
IT security is an EXTREMELY complex system. And almost no IT department anywhere is properly staffed to do it right, as companies have not felt that it's important enough to spend on IT security. Since they can't see anything tangible from such expenses, they don't like spending on them. The result is these ransomware hacks. You can bet that once enough of these happen, security funding for IT departments will suddenly become a lot more appealing to companies. It's kind of like insurance - until people around you start getting bankrupted as a result of not having insurance, you aren't as likely to realize yourself just how important it is to have it, even when it feels like you're spending on nothing.
Desert Tortoise
I think popularity or lack thereof is the least of their worries. Imagine you are a health care system and you have just lost all of your patient data. The identifying number is not the crisis, it is the lack of those priceless medical records. Also imagine a health care provider now having to buy a new medical enterprise software package and populating it with the data for all of their patients and staff along with whatever medical history they can cobble together on each patient.
fxgai
Hmm, I wonder if that’s exactly how it goes.
I could use me some software that says my keyboard is a Russian one?
Furan
Au contraire, I do work in IT security and I take my job very seriously.
I'm going to be direct with you here, so please excuse my frankness.
It's funny how you call me out on a "lack of knowledge" while demonstrating the very same. When you have 3TB of sensitive data floating around your networks, you have no excuse if even a Kilobyte of it gets leaked.
You don't have to run 24/7 packet inspection surveillance package or expensive security solutions or hire a whitehat to be secure.
It starts with pretty easy steps that companies in most cases choose to ignore in favor of comfortability.
Taking inventory of your systems and the respective versions of the OS and software is neither complex nor hard. Updating your system in a timely manner is neither complex nor hard. (yes, even when you have to do testing on VMs beforehand so you don't break stuff) Segmenting your networks properly is neither complex nor hard. Restricting unneeded access and privileges is neither complex nor hard. Setting up guidelines on the use of removable media is neither complex nor hard. Schooling people on not executing malware can be hard, I admit. But the AVP on the client system should be the very last line of defense, especially for business-critical systems. Even if a client gets infected, it should not result in what we have here. There are many many other guidelines which are just as simple to implement.
When you get hacked because you use old software without further securing the network transitions around it, that's your fault. When your whole network gets compromised because of one client, that's your fault. When you use unencrypted protocols because "that's intranet" and then get important creds stolen because of it, that's your fault. How about 3TB of data being exfiltrated out of your network or people having access to your system for that long while going unnoticed? Or not employing any safety measures because "An AntiVirus is enough"? Can you tell me whose fault that would be?
Spoiler: It would be you and everybody else who was involved in the decision-making process.
People who try to relativize this blunder with "But it's not their fault because IT security is complex and nobody wants to invest into it anyways" should probably get into IT security for a few months to learn that this is nothing but a convenient excuse. A security suite doesn't make you secure. AVPs do not make you secure (in fact, they can even broaden the attack surface). And the cost point is completely moot, as getting hacked is much more expensive than getting security. Not to mention the loss of trust and integrity.
Nothing personally against you, but I do think that your way of thinking is part of the problem and should be amended.
Have a good day.
Strangerland
Hmm, I wonder if that’s exactly how it goes.
Probably. It is possible to detect keyboard language in various programming languages. Although, the article may be wrong, and the hackers may have used the OS language.
HR hires based on the budgets they are given. When they are not given enough of a budget, they cannot hire the elites, and bugs (that lead to security holes) suffer.
It's a dangerous stance you take, that everyone is responsible for everything. I've never met a programmer ever who didn't make a huge mistake at one point or another in their career. No one is perfect. No one. The lucky ones had their mistakes caught before they brought down a system, exposed significant customer data, or accidentally did something illegal.
As programmers are human, and humans are fallible, proper security means NOT just relying on your IT department, but also including 3rd party penetration testing to look for holes exactly like this.
Building the system is the responsibility of IT departments. Third party testing is a business decision that can only be recommended by IT departments that have staff with enough knowledge to know this, which requires a budget that doesn't only allow for hiring inadequate staff.
Furan
It is actually very possible and used by several legitimate programs as well. The check can be called by either CMD, PowerShell or another Windows API .
..
Yes, but it still makes it the company's fault. Moreover, not being an elite makes it OK to do a half-baked job that could endanger the business? Why should I, as a user, care about whether my data was leaked because of malice or because "they didn't know any better" or maybe because of some other arbitrary reason? The reality is that the circumstances don't matter. To not invest into security enough was the management's choice.
Moreover, you don't have to have a high budget to implement basic security policies that are proven to work by design. It just requires the people to actually do their job. Nothing more. It doesn't require a Harvard or Todai graduate to follow basic established procedure.
How would you like it if all the tires on your car fell off during a highway drive and you have a major accident with you barely surviving, just for the company to say "Sorry, mistakes happen. Nobody's perfect. ☆"
The leak of private data can also affect people, to the point of ruin and even death.
We're not talking about programmers or just about programmers letting 0days happen. We are talking about managers, administrators and network engineers who should have known how to better manage their systems. And even then, processes should be in place to circumvent these mistakes. I mean, I make mistakes, but not in a Prod environment. And much less in a way that jeopardizes data I am bound to protect by regulations and compliance standards. Attributing this to someone getting "lucky" is a slap in the face of every competent manager and everyone else who does it right.
Systems go down sometimes. For scenarios like this, you create test environments or redundancy of resources. In this day and age, providing and ensuring good availability is not really a challenge anymore.
So, I have to wish on a star to get lucky to not have my (maybe sensitive) data leaked or have the company not "accidentally" doing something illegal? Have you ever heard of the word "compliance" in regards to business practice? Anybody not being perfect or not knowing better doesn't exempt them from having to get good at their job.
And again, a statement that reeks of your opening accusation applying to yourself instead of me. Securing your company network and telling your programming department to implement DevOps security and do code review are two entirely different things. Sure, you may hire pentesters, but good luck finding pentesters who will guarantee your company won't get absolutely mauled in the future or be accountable for it. Whether it's the IT department or if you have a separate security department for this, security is first and foremost the company's responsibility.
It may be that the company was staffed and budgeted inadequately. But wouldn't that make it even worse for the user who placed its trust into the company to maintain the core tenets of trust in the first place?
Let me just reiterate that a widespread ransomware infection happens more because of carelessness than any other reason. It mostly all starts with one person who opened a file carelessly. The next steps are because of negligence of the IT infrastructure by the administrators, no matter how you try to spin it.
From an specialist's point of view, your stance is the dangerous one, especially if you are a person in a position of power in any business. I implore you to learn more about IT security and compliance, maybe watch some videos on both topics or read a book on security fundamentals. You will see that it's not that hard and expensive and literally anybody can do it.