Hackers claim vast access to Western Digital systems (techcrunch.com)
193 points by NKosmatos on April 13, 2023 | 130 comments


I bought an external drive of theirs a few years ago and they were so into selling me the cloud storage on the back of it. I'm glad that I'm old-fashioned enough to have most stuff stored locally on my mediocre home-build systems rather than the super-duper high performance cloud servers in a data center somewhere.

What mystifies me about ransomware attacks is how many targets don't notice that vast quantities of data are being systematically exfiltrated. I can see how it might be particularly difficult for a cloud provider (assuming the hackers didn't pull it all through a single set of credentials), but for many targets, any sort of unfamiliar outgoing data stream larger than a gigabyte ought to be suspicious.


> What mystifies me about ransomware attacks is how many targets don't notice that vast quantities of data are being systematically exfiltrated.

They are not necessarily so. Plenty of times the hackers just pretend they have a copy when in fact they don't. Also encryption 'in place' or overwriting data with noise doesn't do much other than a bunch of IO without any network traffic besides the initial commands.


Based on my experience with these ransomware actors (I've negotiated at least a couple per month since December), they definitely have the data they claim they have. Usually they only pull PDFs, Office docs, etc., so the entirety of their exfiltrated data for a large corp might only be 50-100GB.


Would love to read more. Blog posts?


That's a great idea! I do have a blog that I'm eventually going to re-invigorate with malware reverse engineering and probably some ransomware negotiation content.

Here's the site, although there's nothing relevant to this stuff on there yet:

https://neodymiumphi.sh


You can also check out the company blog, which my team contributes to.

Guidepointsecurity.com/blog


Asking for a friend?


OK, but in some cases they definitely do have a copy and the amount of data involved is large. It's those cases I'm perplexed by.


One of the things I look at when doing tech DD on companies is whether or not there is exfiltration detection in place. The typical answer is 'what?'. Rarely does the counterparty know what it even is and even more rare that they have it set up.


For example, I once encountered some mongodb ransomware, which listed all databases and then dropped them one by one. Reading no data at all. But the message did claim to have downloaded the whole database.


> I can see how it might be particularly difficult for a cloud provider

It is really not, though. Unless they take it very slowly and to locations that are not suspicious. Even something like GuardDuty on AWS will flag 'interesting' traffic to new locations.


I know we already have open source IDS/IPS systems, but do we have something like GuardDuty we can run locally that would detect unusually large outbound traffic over a specific timeframe?


>how many targets don't notice that vast quantities of data are being systematically exfiltrated.

How many people do you know that are constantly monitoring their outbound traffic? Hell, how many people do you know that even know what that means?

edit: do you mean corporate targets? if so, yeah, i'd expect a competent IT department to be monitoring that kind of activity. i was coming from the home user suffering the malware


<< hell, how many people do you know that even know what that means?

I will push it even one step further. I knew in an abstract and it was still not until I saw pihole visualizations that I changed my mind about a lot of things. It is one thing to know, but it is quite another to see it with your own peepers. It is a shame, because it means I might be not processing things fully when I consider them in an abstract.


> What mystifies me about ransomware attacks is how many targets don't notice that vast quantities of data are being systematically exfiltrated.

What is your understanding of ransomware? The point isn't to exfiltrate every byte of data, it's to encrypt it in-place (sabotage, not theft).

Is some data exfiltrated in some cases? Sure. I'd argue those are espionage cases masquerading as ransomware, and your question holds. But by design ransomware is supposed to fly under the radar.


Flagging data streams larger than a gigabyte is going to tag every high quality Microsoft teams call that goes on for longer than an hour. Also, sometimes I have to upload a disc image or docker image somewhere. I can’t imagine a company where you had to justify yourself every time that happened.


Those are in known IP space, perhaps from well known IPs on corp-net.

I think up-thread is talking about known-internal IP doing loads of traffic to new-untrusted IP which would indicate exfiltration.


Most of the time the exfil doesn’t go to Russian IP space or anything like that. It goes to an S3 bucket controlled by the attacker, and looks exactly like backup or replication traffic.

Network-layer security devices are pretty useless in 2023. Everything is encrypted and everything talks to everything else as part of “normal” operations.
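As an added example (not code from the article or from any commenter here), the following Python script implements the kind of local check the earlier question asks for, a "GuardDuty-like" flag on unusually large outbound traffic over a timeframe, using the rule described up-thread: a known-internal IP sending a lot of data to a destination it has not talked to before. It assumes flow records of the form `timestamp src dst bytes_out` (the sample lines below are constructed, and the addresses are hypothetical). It also illustrates the two caveats raised in this subthread: a destination already in the host's baseline (a backup bucket, a Teams relay) is never flagged, and exfiltration spread slowly across days stays under a one-hour window.

```python
"""Flow-log exfiltration heuristic (added example, constructed data).

Flags an internal source that sends more than `threshold_bytes` to an
external destination absent from its baseline within any sliding `window`.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed baseline flows: what each host normally talks to (hypothetical IPs).
# 52.1.1.1 stands in for a legitimate backup bucket, 52.114.0.1 for a meeting relay.
BASELINE_FLOWS = """
2023-04-01T02:00:00 10.0.0.5 52.1.1.1 900000000
2023-04-02T02:00:00 10.0.0.5 52.1.1.1 950000000
2023-04-03T02:00:00 10.0.0.5 52.1.1.1 910000000
2023-04-03T10:00:00 10.0.0.7 52.114.0.1 300000000
""".strip().splitlines()

# Constructed recent flows to evaluate against that baseline.
RECENT_FLOWS = """
2023-04-10T02:00:00 10.0.0.5 52.1.1.1 1500000000
2023-04-10T09:00:00 10.0.0.7 52.114.0.1 2000000000
2023-04-10T13:00:00 10.0.0.7 203.0.113.9 500000000
2023-04-10T13:20:00 10.0.0.7 203.0.113.9 400000000
2023-04-10T13:40:00 10.0.0.7 203.0.113.9 300000000
2023-04-10T14:00:00 10.0.0.7 10.0.0.200 5000000000
2023-04-08T01:00:00 10.0.0.8 198.51.100.4 700000000
2023-04-09T01:00:00 10.0.0.8 198.51.100.4 700000000
2023-04-10T01:00:00 10.0.0.8 198.51.100.4 700000000
""".strip().splitlines()

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses; everything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow(line):
    """Parse one 'timestamp src dst bytes_out' record."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def build_baseline(lines):
    """Set of (src, dst) pairs seen historically; a pair absent here is 'new'."""
    return {(src, dst) for _, src, dst, _ in map(parse_flow, lines)}


def detect_exfil(lines, baseline, threshold_bytes=1 << 30, window=timedelta(hours=1)):
    """Return (src, dst, peak_bytes) for internal->external pairs not in the
    baseline whose bytes within any sliding window exceed the threshold."""
    per_pair = defaultdict(list)
    for ts, src, dst, nbytes in map(parse_flow, lines):
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic is of interest
        if (src, dst) in baseline:
            continue  # known destination (backup, meeting relay): not flagged by this rule
        per_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), flows in per_pair.items():
        flows.sort()
        start, total, peak = 0, 0, 0
        for ts, nbytes in flows:
            total += nbytes
            # Evict flows that fell out of the window ending at this flow.
            while ts - flows[start][0] > window:
                total -= flows[start][1]
                start += 1
            peak = max(peak, total)
        if peak > threshold_bytes:
            alerts.append((src, dst, peak))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for src, dst, peak in detect_exfil(RECENT_FLOWS, base):
        print(f"ALERT {src} -> {dst}: {peak} bytes to a new external destination within 1h")
```

With the constructed data, only 10.0.0.7 -> 203.0.113.9 is flagged (1.2 GB to a new destination within 40 minutes). The 10.0.0.8 host sends 2.1 GB to a new destination as well, but 700 MB per day never exceeds the threshold inside a one-hour window; widening the window to a few days catches it, at the cost of more noise. The baseline is only as good as the history it was built from: an attacker-controlled bucket that the host had already been reaching would look like the backup traffic the comment above describes.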


Western Digital has likely been compromised for years. I would be real concerned about their windows drivers and device firmware.


>Western Digital has likely been compromised for years. I would be real concerned about their windows drivers and device firmware.

What evidence do you have for this? Not being snarky, as I have a whole bunch of WD drives.

Please do tell. Thanks!


2015 https://sites.psu.edu/ist110pursel/2015/10/24/my-passport-se...

2017 https://www.bleepingcomputer.com/news/security/owners-of-wdt...

2017 https://blog.exploitee.rs/2017/hacking_wd_mycloud/

2018 https://www.theregister.co.uk/2018/01/08/wd_mycloud_nas_back... https://www.bitdefender.com/blog/hotforsecurity/researcher-f... https://www.techpowerup.com/240306/western-digital-ships-som...

"However, since more than 6 months have passed with no patch or solution having been deployed, the researchers disclosed and published the vulnerability, which should (should) finally prompt WD to action on fixing the issue."


Thanks!

That's not very flattering, and if I used any of those products/software features (I have only bare, internal SAS drives, both spinning rust and SSD) I'd be really concerned.

Since I only use bare internal drives, I imagine I'm not at risk (although, I've had one or more of these drives for at least 7 or 8 years -- so if I was at risk, you'd think that would have happened already) from the vulnerabilities noted in the links you provided.

But I'll do some research (although I do try to keep track of such things and never heard anything about actual drive firmware -- rather than the NAS/cloud products -- being compromised.) anyway.

Thanks again for compiling these links and sharing them. Much appreciated!


Have you used their software?


No. I always format every hard drive I buy, but GP asserted that their firmware has likely been compromised for years.

That's a strong statement, unsupported by, well, anything.

Not saying it isn't true -- and if it is, I want to know about it -- as it puts my systems at risk.


Crappy doesn't necessarily mean security-compromised.


But it is a smell.


What do they mean by "customer data"? Payment information and other PII, or real backup data from this cloud backup thing they have?

I only know of this "My Cloud" service which appears to be somehow linked to some NAS-like HDD offerings they have. I never really read about it because it is irrelevant to me, so I don't know if they also mirror the data in the cloud, or if the cloud gives the attacker remote access to these NAS disks and that they exfiltrated data this way, or something else.


Let's speculate!

Probably a lot based on the 10 terabyte number... and the SAP Backoffice... and that it took 5 days for them to come back up

Ah, the SAP Backoffice, the magical land where businesses store their most treasured data, and where hackers drool over the potential loot. The SAP Backoffice system is a complex beast, made up of several components, such as:

ERP (Enterprise Resource Planning) - The backbone of the operation, keeping track of everything from finances to supply chain management.

CRM (Customer Relationship Management) - The digital black book of customer interactions, preferences, and sales opportunities.

SRM (Supplier Relationship Management) - The hub that orchestrates the delicate dance between a business and its suppliers.

HCM (Human Capital Management) - The watchful eye over the company's most valuable asset: its people.

PLM (Product Lifecycle Management) - The puppet master pulling the strings of a product's journey from inception to obsolescence.

SCM (Supply Chain Management) - The maestro conducting the symphony of goods flowing from supplier to customer.

BI (Business Intelligence) - The all-knowing oracle that uncovers hidden insights from the vast sea of data.


The MyCloud hardware line allows you to setup a NAS and optionally expose it to the internet through their online credential service so that you can access the files from anywhere.

The data is not "in the cloud" per se, but the credentials and login portal are.


The article mentions them "spidering into an azure tenant." Wonder if that's related to the azure multi tenancy misconfiguration that resulted in the Bing CMS being accessed that was brought up a few times here recently:

https://news.ycombinator.com/item?id=35363205


Fwiw, the finder here is not completely correct in their assertions. Locking the Bing CMS down to single tenancy would have meant that instead of the whole world having access, only about 180,000 Microsoft employees would have access. The actual number of people who should have access is about 50. Maybe 500 the way Bing is bloated. The problem here is that Bing CMS didn't implement the authorization half of authentication and authorization - they simply allowed all authenticated users to access all data. Multi-tenancy expands the scope, but it's not really clear what portion of the 25% of apps the finder surveyed that were multi-tenant similarly lack any authorization whatsoever.


Very common to get access to the Azure/Local AD in ransomware attacks.

That Bing CMS bug was only exploited by the researchers who disclosed it to MS.


I'm not saying it's literally the same attack, but the author of that Bing CMS bug identified the cause (misconfigured multi tenancy) and said up to 25% of Azure apps they scanned had this same vulnerability.


Is OpenAI at risk with MS deal?


if someone hasn't stolen GPT-4's weights yet, they're definitely trying


I wonder what their personnel vetting processes are like. That would be my first worry.


Do hackers ask for ransom as a single payment, or there is more of a scalable repeatable business model with recurring revenue? A subscription service seems convenient.


The hackers offer a lifetime licensing model for their ExtortionPro SaaS service. With a single convenient payment you can be guaranteed that your enterprise security and confidential information is in good hands. At least until the hacking group is acquired and they reposition their offering as a two year subscription.


> Do hackers ask for ransom as a single payment, or there is more of a scalable repeatable business model with recurring revenue? A subscription service seems convenient.

Given that in many cases they are more skilled than the actual cybersec folks in those companies, they should charge a fee to monitor their systems.

There's prior art for that business model. I'm told it was popular in Italy many years ago.


Congratulations, you just invented MDR, Managed Detection and Response.


Pen testing is a thing even though I don’t know how attractive it is for hackers to do, full time. And probably black hat hacking is more rewarding in financial terms but also riskier.


If they can incorporate an LLM somewhere - they may even show up on the front page as a (YC 2024) project.


I like that you’re discussing revenue streams. They also add social proof on the pricing page (“We blackmailed hospital xyz with success”) and play dopamine effects (“Play PasswordGuessr to unlock a file, or pay to unlock all files”). The infinite scroll is coming to show what your API keys have access to (highly addictive, look at all those bank transactions and, mmh, revenge pics with your ex).


If the hackers haven’t even figured out a business model to really scale out, maybe WD should just acquihire their firm. Not only do they get their data back, but they get a world-class red team to handle their customers’ security.


Sounds too expensive, and outside of WD’s core value proposition. What’s the value to the bottom line here? I’m just not seeing it. Time to buyback some stock!


20% off for the yearly plan, or buy one get one free on Black Friday.


Is there a student discounted plan?


Only if you first send them the only copy of your thesis.


Maybe they can get an annuity and then call JG Wentworth.


lack of analytics offering over stolen data seemed like a missed opportunity too :(


Can anyone let me know whether the 10-terabyte number is 1024-base or 1000-base? Would it fit on the formatted capacity of a Western Digital WD101FZBX Black, for example...?


The rule here is read these numbers in whatever way benefits the manufacturer; i.e. read it as base-1024 if bigger numbers look better and 1000 if they don't.

I would assume that 10TB of hacked data will not fit a 10TB Western Digital hard drive.


Seems like their cloud is back online after 5 days: https://status.mycloud.com/os4 Wonder if they paid the ransom.


Or restored to a backup?


The article states they have not run any ransomware on the systems as of yet and they have maintained access. A backup wouldn't do much in this situation. It's not confirmed if the attackers are the cause of the service going offline, and it should be presumed that if they were, they can take it down again.


>"Cut the crap, get the money, and let’s both go our separate ways. Simply put, let us put our egos aside and work to find a resolution to this chaotic scenario,” the hackers wrote.

This is weirdly hilarious. Though I wonder how you could even handle such a negotiation, from WD's side?


Yeah, this is difficult. They'll probably have to settle this somehow. Otherwise, Alphv's likely going to work with some sources to create some sort of site to sell each users' content individually, assuming the exfiltrated data includes customer data.

Still highly likely that they'd be able to talk this rate down to something well below the 8 figures they're demanding.


Related thread from a few days ago: Western Digital cloud services down for 4 days[1]

[1] https://news.ycombinator.com/item?id=35478007


I've been asking myself, why waste time setting up a NAS when there are cloud based alternatives for storing data. Then, news like this comes along and reminds me why.


I'm curious if Western Digital's cloud was built upon their acquisition of Bertrand Serlet's startup UpThere at all.


Assuming the self-proclaimed vermin is operating from $mostly_defunct_state without risk of recourse, what would the arguments be against removing all internet routes to/from $mostly_defunct_state? (Yes, it's obvious that criminals can find ways out of that, please go deeper than that.)

Edit: Seems like the downvotes made me hit my rate limit of HN comments. Can't reply to any more comments; sorry. :(


No, we shouldn't arbitrarily cut off millions of people from communication because some westerners have bought into a new red scare. That's ridiculous and childish.


When that country is fomenting unrest in the west through various means utilizing the internet, why should the west allow themselves to remain at the mercy of these operations? Liberal principles should not be a suicide pact.


> fomenting unrest in the west through various means utilizing the internet

Various actors in the west have been manipulating narratives for decades. There are literally companies that provide astroturfing services to fossil fuel interests and others.

But suddenly people discover Russia is getting in on the action too, and now it's cause for panic?


>But suddenly people discover Russia is getting in on the action too, and now it's cause for panic?

Yes, an adversary working against American and democratic interests is a cause for concern over and above the typical American and western profit-seekers.


Let me rephrase: we created the system where anyone and their dog can subvert the democratic process. Oil companies are doing it. Hackers are doing it. Random bloke down the pub and his dog too.

And someone had an expectation that adversaries will not take advantage of it?


The idea that this or that Big Bad state is fomenting significant unrest in the West is a false narrative manufactured to scapegoat from domestic mismanagement and distract from the fact that Washington hosts a massive global industry dedicated to destabilizing states, especially those Big Bad ones, via organizations like GEC, NED, USAGM, USAID, etc.


I don't think it is some big "Washington and the buddies" conspiracy theory, but something much simpler.

Fearmongering and doomer attitudes drive clicks for news publishers. Clicks drive money. Money drives their growth and influence. Which, in turn, drives more clicks.

And guess who is thrashing around in their desperate attempts to stop bleeding influence and money in the internet age? Traditional news media.

Not that difficult to see some clear examples of that either, like the recent bills in some countries trying to extort FB and Google to pay money for every news article shared on their platforms (for google it was in the form of the preview snippets, for fb it was in the form of users sharing links iirc).


There is a component of click-baiting, but there are also clear mechanisms by which Washington promotes these misleading narratives.


Putin's disinformation tactics are well known and documented. There is certainly a question of how much of a causal factor they are as opposed to the pre-existing fissures in society. But it's not reasonable to act like this is all a false narrative manufactured by whomever.


This just isn't true. There is a well known and documented narrative that Trump is a Russian asset and Putin is puppeteering US politics and so on and so forth, but it doesn't match the evidence when you actually dig into it and abandon preconceived conclusions.

Russia doesn't have anything remotely like the global propaganda apparatus based in Washington. They do a lot of propaganda, sure, but they are small fries in comparison. They are investing in changing that, however.


This may be missing the purpose of Putin's interference in western politics. He doesn't need to influence it in one specific direction or another. He only needs to turn it into a shit show. This is because his purpose is entirely to do with the domestic situation inside Russia. He needs western democracies to become shambolic in order to perpetrate the myth that everything is fine in Russia, because democracy is a joke anyway, so no need to look behind the curtain.


The Russian propaganda machine is more about useful idiots than actual puppets. If you are doing something that creates divisions among their enemies, they try to encourage that, regardless of your ideological positions. In Soviet times, the useful idiots tended to be communists and environmentalists. These days, right-wing populists and conservative nationalists form a better target audience.

And when it comes to propaganda, it's good to remember that the US didn't win the cold war because it had a better propaganda machine. It won because it had more substance behind the propaganda. As a kid in the 80s, I was exposed to blatant propaganda from both sides. The USSR fell, and I was left with an instinctive dislike of anything that suggests that America is somehow special. But I've never had any doubt of which side I would choose if I had to, because substance is ultimately more important than propaganda.


> And when it comes to propaganda, it's good to remember that the US didn't win the cold war because it had a better propaganda machine. It won, because it had more substance behind the propaganda.

How can you be so sure? Western propaganda was and is extremely potent since the Cold War. The West had Solzhenitsyn, rock stars and Hollywood, NYT to BBC, the cultural amplitude was unstoppable.

Meanwhile, USA was abandoning the gold standard and had leaders getting assassinated and embarking on insanely murderous wars of choice in Vietnam, Cambodia and Laos. What substance? Propaganda effectiveness is the main differentiator.


Because it wasn't difficult to see, even as a kid.

I'm from Finland, which was the USSR's favorite capitalist country. I went to the only school where everyone took Russian as the first foreign language. The Soviets had plenty of reasons to show us their best side, and they sure did try. We did school trips to the USSR before it fell, but as middle class kids, we could also travel around the West.

The thing is, no matter what imperialistic BS the Soviets and the Americans did, the Americans at least had the reality on their side. It was the little things that revealed it. Little things such as which countries had very favorable black market exchange rates for the currencies of the other side. Or where you could make money by smuggling everyday goods.


Putin's disinformation tactics in the west go far beyond anything specifically related to Trump. Putin's facebook ad buy and relationship to Cambridge Analytica is well known. So is Putin's playbook for fomenting unrest in Eastern Europe. It's some serious myopia to think Putin's relevance is entirely related to Trump.


Please show me an example of an ad that Putin used on Facebook (or anywhere).



I asked for an example of a Russian ad, not a paywall.


I think you missed the part of the story where it turns out the "Russian election interference on social media" was cooked up by the Hillary campaign and liberal NGOs like the "Alliance for Securing Democracy" which made the infamous Hamilton 68 dashboard.

To be fair, most outlets never quite took the time to go back and admit they were spewing political oppo-fiction for years.



I don't think anyone is really disputing that there was an attempt, just saying that it's unlikely that $100000 in ad spend in an election with more than a billion in total spending made a difference. You can say "well 100 million people saw the ads" but as far as I can tell no one has ever even attempted to quantify if any of that influenced the results.


No one except the very two people I was responding to in this thread?

Also, not to get into a debate on the stale issue, but hypertargeted ad buys (Cambridge Analytica) in key districts can swing elections when they are decided by tens of thousands of votes in those districts. I find it endlessly fascinating that Putin et al understood our election system better than us. I guess he didn't have the luxury of motivated reasoning and reality distortion fields.


> I find it endlessly fascinating that Putin et al understood our election system better than us.

I think you’ve been brainwashed on this one. Local campaigns spend orders of magnitude more money and are run by extremely capable social media strategists. The IRA struggled with proper English grammar and mis-targeted their ads to staunch Republicans.

It was by all actual evidence an extremely shoddy effort run on a shoestring budget that made no difference at all.

Which when you look at the general competency level of Russia these days, I guess it’s par for the course.

For me the big takeaway isn’t arguing about political bygones. It’s that by and large, these boogeymen are entirely incompetent at what they purport to do, and don’t deserve a fraction of the hand-wringing that they seem to elicit.

They are hyped up boogeymen for political purposes. The reality is that they are poorly trained, underfunded, and entirely corrupt, and so the results of their efforts are predictably lame.


If you’re calling that article “utter nonsense” then I would completely agree!

That’s exactly the BS that was peddled back in the day that people like the NYT happily took home Pulitzers for, but where it turned out they spun it nearly out of whole cloth.

Actual research [1] into the effect of such a meager ad buy showed not only were staunchly Republican voters the ones who predominantly saw the ads, but unsurprisingly it had no effect on their voting.

Looking back, it’s fair to say that on the order of 0-100 votes may have been changed by this “meddling”, for which the nation was subjected to years of breathless left-wing coverage.

It was, in short, a sham story and it’s well past time to still be carrying water for such thoroughly debunked propaganda.

[1] - https://www.scribd.com/document/618991728/Nature-Article-on-...


Personally, I buy much more into the theory that the fissures in society, are a result of infiltration by Marxists into academia, as was detailed by the Soviet defector and KGB agent Yuri Bezmenov. It's impossible to watch this interview and not tick the boxes.[1]

Putin is just the Russian leader who happens to be around when the fruits of those labours are paying off.

---

[1] https://www.youtube.com/watch?v=pOmXiapfCs8


"Marxists" in academia tend to be Trotskyists/anarchists/liberals, i.e. opposed to Leninism in its various forms


Why not? I netblock everything from .ru and .cn from my own servers. It's the way to go.


And what benefit do you gain from that? Still enough proxies and other ways around.


That's the wrong question. The right question is what did he lose because of that. And the answer is likely 'nothing'. So it's a free gain with zero downside, makes good sense to me.


Uhhhhhhh... real people live in those countries and might want to use his site? I'm not saying they are entitled to his service but the amount of irrational paranoia people have over port scans and SSH bruteforcing is truly phenomenal.


Nobody anywhere has an automatic right to use any service on the web. Half of Europe can't visit US sites because instead of complying with the law they decide to take it out on the citizens. That's fine by me. Corollary: it is also fine by me that parties that have weighed the ups and downs of serving certain countries have decided that the balance is in favor of blocking them outright.

Portscans and SSH bruteforcing are not necessarily the problem, but they can be preludes to a problem.


I did that as well. One benefit I got was learning that GeForce Now will store your PII on CCP controlled servers at nvidia.cn by default. This happened from the USA. I have never been able to come up with a non-conspiratorial reason as to why this choice was made.

I was able to get around this is by changing the login POST to use nvidia.com and everything worked just fine, and the ping to .com was obviously faster.

It is lightyears beyond dumb that this is even legal in the USA.

Would love to be talked down from this with a rational explanation.

NOTE: This happened in 2021


It doesn't matter under which TLD a domain is registered, the IP address it refers to can still be located anywhere in the world.


How did you catch the traffic? Wireshark?


No, I geoblocked .ru and .cn in pfSense and a week later tried to register with GeForce Now.

When it failed I opened devtools and saw the .cn attempt.


You should add .top


I suppose you think the invasion of Ukraine is either fake or justified as well.


Not the person you are replying to, but you are making an absolutely bad faith assumption here.

Is it that impossible for you to imagine that someone could be extremely appalled by the invasion of Ukraine and be fully in support of their side (i.e., being fully opposed to the Russian side), while at the same time standing for the principles of an open internet and not believing in wholesale disconnecting entire countries?

Because that's my personal stance. I am fully on the side of Ukraine here, with no "ifs" or "buts", and I simultaneously don't believe in blackholing tens of millions of people like that being a good idea.


Putting my other comment another way:

If MEGA is used repeatedly and almost exclusively by threat actors as an exfiltration point, and is unwilling to address legitimate concerns about their use across the web, why shouldn't everyone who isn't interested in using MEGA just block any connections to or from the service?


If a country is unwilling to make any effort to stop this criminal activity, why should individuals and organizations block them? They serve no benefit to the organizations exposing themselves.


North Korea doesn't use their own IPs to execute heists. They go on work trips to HK or Eastern China and set up a proxy chain that culminates with the iot lightbulb in your grandpa's garage as the exit node.

I'm going to take this opportunity to shill gost, an amazing tool (https://github.com/go-gost/gost). Can someone tell me why Go is so popular in Chinese dev circles?


> iot lightbulb in your grandpa's garage as the exit node

Obvious hyperbole and all, but just how much data is transmitted to accomplish a sophisticated nation-state level attack?

I’d believe a regular laptop is sufficient but not a lightbulb. Then again, if it’s only a matter of 100KB, then maybe a lightbulb makes sense.


Consumer routers are a shitshow when it comes to CVEs and updates. Someone who gets on an IoT device can often pivot to the router or something else vulnerable on the network. Also command and control and data theft can happen through different channels. Command and control typically has very low bandwidth requirements.


The effect is similar to 'FTP', your control channel is only sending a couple of bytes but the resulting data transfers can be massive.


"I'm going to take this opportunity to shill gost, an amazing tool ..."

Here is the English readme:

https://github.com/go-gost/gost/blob/master/README_en.md

... and here is a better page:

https://gost.run/en/

It seems to have a rich feature set ... can you elaborate on why you like this tool so much?


So what, fuck the people living there? And who are you to decide that some state is "mostly defunct"?


They have their own internal internet. Accessing Google and Youtube aren't critical to modern life.


Neither are western digital services.


The argument would be that we want the Russian people to have access to Western news (and former independent Russian news sites that were forced to setup shop abroad e.g. [1]), to counter all the state fed propaganda.

[1] https://dutchreview.com/news/tindependent-russian-news-chann...


Internet being global and free brings peace and understanding to the world, using it as a weapon is to accept defeat to the totalitarian regimes of yesteryear.

Let the $mostly_defunct_state die off with the rest of them without succumbing to their playbook.


> Internet being global and free brings peace and understanding to the world

Do you think that worked with China?


China's internet is neither global nor free (and on the flip side, the global and free (mostly-free?) internet of the world is not generally accessible in China. That's not a particularly strong argument against the GP's point.


Internet censorship being self-inflicted by China hints at who benefits from censorship, and it isn't democracies.


Cyber hackers are not limited to particular geographies or ip address blocks. The network approach doesn't work.


Ultimately, maybe not, but I finally dabbled in geolocation on a property that was receiving comment spam. I ended up eliminating 100%, not nearly 100%, actually 100% of the spam by blocking anonymous content from one country.

In another application I got rid of 90% of the flash wear on an IoT device by blocking a single country from a port.

A determined, targeted attack will go around a geoblock, but I have to reluctantly admit that it can be useful for the high volume attacks.
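As an added example (not the commenter's code), here is the "block one country on one port" policy from the comment above, simulated in Python and rendered as an nftables ruleset. The CIDR blocks standing in for the blocked country and the connection log are constructed; a real deployment would load ranges from a GeoIP feed. The last sample connection shows the caveat from the comment: traffic relayed through an address outside the blocked ranges passes untouched.

```python
"""Simulate and render a country-by-port geoblock (added example).

Assumptions: 198.18.0.0/15 and 203.0.113.0/24 stand in for the blocked
country's allocations, and SSH (22) is the exposed port being hammered.
The connection log is constructed, not captured.
"""
import ipaddress

BLOCKED_COUNTRY_RANGES = [
    ipaddress.ip_network(c) for c in ("198.18.0.0/15", "203.0.113.0/24")
]
BLOCKED_PORT = 22

# Constructed (src_ip, dst_port, label) tuples.
SAMPLE_CONNECTIONS = [
    ("198.18.44.9", 22, "bruteforce from blocked range"),
    ("198.19.200.1", 22, "bruteforce from blocked range"),
    ("203.0.113.77", 22, "bruteforce from blocked range"),
    ("203.0.113.5", 443, "web visitor from blocked range (port not in scope)"),
    ("192.0.2.10", 22, "admin from elsewhere"),
    ("192.0.2.99", 22, "same attacker via a residential proxy elsewhere"),
]


def in_blocked_country(ip: str) -> bool:
    """True if ip falls in any of the blocked CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_COUNTRY_RANGES)


def should_drop(src_ip: str, dst_port: int) -> bool:
    """The policy: drop only when both the country and the port match."""
    return dst_port == BLOCKED_PORT and in_blocked_country(src_ip)


def apply_policy(connections):
    """Split a connection log into (dropped, passed) lists."""
    dropped, passed = [], []
    for src, port, label in connections:
        (dropped if should_drop(src, port) else passed).append((src, port, label))
    return dropped, passed


def render_nft_ruleset(ranges=BLOCKED_COUNTRY_RANGES, port=BLOCKED_PORT) -> str:
    """Render the same policy as an nftables ruleset using an interval set."""
    elements = ", ".join(str(n) for n in ipaddress.collapse_addresses(ranges))
    return (
        "table inet filter {\n"
        "  set geoblock_v4 {\n"
        "    type ipv4_addr\n"
        "    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        "  }\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        f"    ip saddr @geoblock_v4 tcp dport {port} drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    dropped, passed = apply_policy(SAMPLE_CONNECTIONS)
    print(f"dropped {len(dropped)}, passed {len(passed)}")
    for src, port, label in passed:
        print(f"  PASS {src}:{port}  ({label})")
    print(render_nft_ruleset())
```

The passed list is the honest summary of what such a rule buys you: the high-volume noise from the blocked ranges is gone, legitimate traffic to other ports is untouched, and a targeted attacker who relays through an address elsewhere is not affected at all.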


Perhaps the takeaway is that you shouldn't leave ports wide open rather than go for xenophobia?


Blocking an IP range isn't xenophobia.


Extending the line of thought of OP sure is.

It's not $country's fault that you don't use a VPN or port knocking.


It is $country's fault that there is free rein for criminals, either state-sponsored or acting on their own.


I'm guessing here but it seems that the majority of the world pursues cybercrime investigations with foreign victims at the same rate as Russia, which is about 0 (unless for some reason we're all just never hearing about this great computer crime police work in Africa/Latam). Several African countries can't even pay government employee salaries on time, are they really going to be sending records requests to Google or Yahoo or Binance, infiltrating underground forums, or developing informants? Nigeria in the best case hands off the BEC suspects to America but rarely does police work themselves.


Interpol regularly goes after cybercriminals, they do require local cooperation but that happens more and more frequently. But obviously there are still places where this isn't a priority.


1) if your threat model is blocking direct connections from countries you deem unworthy, then I don't even know where to begin unpacking levels of wrong here.

2) proxies exist, many of which are your "first world residential ip address" thanks to IoT in every toaster.


Can you stop moving the goalposts. You said 'blocking countries equals xenophobia'. It doesn't.


You are talking in a thread where OP called such countries “self-proclaimed vermin” and you’re parroting terrible and restrictive opsec practices.

No, it is not okay that many US websites decided to block access from EU instead of adopting a normal privacy policy, it is equally not okay to block access from whole regions of the world based on your prejudice, there are much better solutions.


That’s like saying you should build a wall around ghettos. Would make for an interesting movie, though.


What would this even accomplish? How would that solution generalize to other sources of hackers? It's the equivalent of going "hmm, they all seem to love using Aquafresh toothpaste, what if we banned it?"


It's a bad idea that only punishes persons who have nothing to do with what you're trying to stop. As you said, it won't even bother the actual criminals, so why punish people for actions that are not their own and not under their control? So they rise up and... get killed by an overbearing government? It would likely even strengthen the government's position as well as the will of the hackers, and force the nation(s) in question to be even more dependent on their government and fearful of any disruption or protest.

Information is and must continue to be a fundamental human right, and the internet is information. You basically doom an entire nation (or nations) to try to stop a small group of actors. This is the same thought process that has gotten the US into pointless wars and allowed awful laws to be created, all in the name of good.

Making efforts to block the payment systems they use is arguably a more effective approach (which I am not recommending by any means, but if we want to be serious about this and about lowering the reward for ransomware, crypto would be a far better target).


Like how the US impotently tried to destroy the Russian economy by fully weaponizing the USD, how did that work out? Not so great - all that served to do is begin the process of displacing the dollar as the world reserve. There is a point when your attempts to isolate a target only serve to further isolate yourself - and we are well past it.


I don't see why this was downvoted. It's entirely correct that the impact on the Russian economy was far less than hoped for. One YouTube documentary I saw stated -2% GDP, whereas the amount people wanted and expected was on the order of 20 to 30%. They go into quite a bit of detail on why this is the case. And the USD is well on track to be displaced in a few decades: central banks across the world are dumping dollars, on average 6% of US dollar reserves per year (although this had already started, albeit more slowly, in 2008).

