American insurance giant CNA reportedly pays $40m to ransomware crooks
Plus: Stalkerware even more scummy and ExifTool needs patching
In brief: CNA Financial, the US insurance conglomerate, has apparently paid $40m to ransomware operators to get its files back.
In March the business revealed it had been hit by an extensive Phoenix Locker infection; this strain of malware was developed by Russian scam artists calling themselves Evil Corp, which may have links to Russian intelligence.
All CNA systems are now back up and running, though it appears that the company didn't manage this itself and instead coughed up a widely reported $40m to the extortionists for the means to decrypt the scrambled files.
"CNA is not commenting on the ransom, but the company did consult and share intelligence with the FBI and OFAC [US Treasury's Office of Foreign Assets Control] regarding the cyber incident and the threat actor’s identity," a spokesperson told The Register.
"CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter. Due diligence efforts concluded that the threat actor responsible for the attack is a group called Phoenix. Phoenix is not on any prohibited party list and is not a sanctioned entity."
In other words: CNA wouldn't be forbidden from doing a deal with the Phoenix crew, jus' sayin'.
Luckily for CNA and its customers, an analysis of the ransomware code suggests it doesn't steal data for later ransom, but instead simply locks it. However, banking mega-millions for a single attack is only going to encourage further intrusions.
SolarWinds CEO says sorry, again
As part of his ongoing apology tour, SolarWinds CEO Sudhakar Ramakrishna appeared at the 2021 RSA Conference this week to assure security professionals that his head of security Tim Brown was still in place and hadn't been scapegoated. "We don't like to flog people for failures; he's highly competent and committed," the chief exec said.
Too bad the previous CEO, Kevin Thompson, didn't feel the same way: in February he blamed an intern for the infamous solarwinds123 password leak during a House committee hearing.
“What happened at the congressional hearings is not what we are about and is not what we are about,” said Ramakrishna. “We have learned from that and I want to reset it here by saying that we are a safe environment.”
Ramakrishna said he learned of the hack on December 12, his birthday, and a month before he officially took over as CEO. He said he had been urged not to take the job, but instead offered to stand down for a while and let the current chief exec run the cleanup operation to ensure continuity.
Oddly though, his half-hour keynote contained almost no technical details at all. Remember when RSA used to be a hardcore security conference? We do, and we miss it.
Stalkerware use surging and the code sucks
The creepy code used to spy on partners or other victims is not only on the rise but could also be very bad for your digital health.
An analysis by ESET boffin Lukas Stefanko showed Android stalkerware apps are still a growing market, with use of the software seemingly up 48 per cent in 2020, despite them being kinda banned by Google and others after a successful campaign by the Electronic Frontier Foundation.
But such scummy apps are also very poorly written. Stefanko analyzed 86 Android stalkerware applications and found 58 had serious security issues. After contacting the makers as per responsible disclosure, only six fixed the holes, seven promised to do so, one decided it couldn't be bothered, and 44 didn't even reply.
"The research should serve as a warning to potential future clients of stalkerware to reconsider using software against their spouses and loved ones, since not only is it unethical, but also might result in revealing the private and intimate information of their spouses and leave them at risk of cyberattacks and fraud," he concluded.
ExifTool users need to get patching
If your web application, or other software, uses ExifTool to process user-submitted images, it's time to update to fix a security hole:
"Anyone using ExifTool make sure to update to 12.24+ as CVE-2021-22204 can be triggered with a perfectly valid image (jpg, tiff, mp4 and many more) leading to arbitrary code execution!" (William Bowling, @wcbowling, April 24, 2021)
William Bowling explained that Perl code can be injected into ExifTool and executed via a malicious file it processes, and that the flaw is easy to exploit. Worse, from a security standpoint, multiple image formats are at risk.
Thankfully it's now patched but considering how many people use the code, and the ease of infiltration, it's worth checking to make sure everything's updated.
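One way to do that check for copies of ExifTool bundled inside applications, as an added example that is not from the article or the ExifTool project: it walks a directory tree, reads the release number from each Image/ExifTool.pm it finds, and flags anything below the 12.24 named in the tweet. It assumes the module declares its release on a `$VERSION = '…';` line; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

FIXED = (12, 24)  # first fixed release named in the tweet quoted above
# Assumption: Image/ExifTool.pm declares its release as  $VERSION = '12.16';
VERSION_RE = re.compile(r"""^\s*\$VERSION\s*=\s*['"](\d+)\.(\d+)['"]\s*;""", re.M)


def parse_version(module_text):
    """Return (major, minor) from ExifTool.pm source, or None if absent."""
    m = VERSION_RE.search(module_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def needs_update(version):
    """Unknown versions are flagged for review rather than assumed safe."""
    return version is None or version < FIXED


def scan(root):
    """Walk root and report every Image/ExifTool.pm copy with its status."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "ExifTool.pm" in files and os.path.basename(dirpath) == "Image":
            path = os.path.join(dirpath, "ExifTool.pm")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            findings.append((path, version, needs_update(version)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: three vendored copies, not real ExifTool source."""
    samples = {"app_a": "$VERSION = '12.16';", "app_b": "$VERSION = '12.24';",
               "app_c": "# version line stripped"}
    for app, line in samples.items():
        d = os.path.join(root, app, "vendor", "lib", "Image")
        os.makedirs(d)
        with open(os.path.join(d, "ExifTool.pm"), "w") as fh:
            fh.write("package Image::ExifTool;\n" + line + "\n1;\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version, flagged in scan(tmp):
            label = "UPDATE" if flagged else "ok"
            print(f"{label:6} {version} {os.path.relpath(path, tmp)}")
```

Operating-system packages sometimes carry a backported fix under an older version number, so confirm a flagged system package against its changelog before treating it as exposed.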
So, so much cyber-crime
An unfortunate milestone was reached this week, with the FBI's Internet Crime Complaint Center (IC3) recording its six millionth gripe about online scumbags, the fastest rise in its more-than-20-year history.
“On one hand, the number holds some positive news. People know how to find us and how to report an incident,” said IC3 Chief Donna Gregory. “But on the other hand these numbers indicate more people are being affected by online crimes and scams.”
The top three complaints to the consumer reporting service were phishing, non-payment/non-delivery scams, and online extortion. But when it comes to losing money, business email compromises, romance scammers, and investment fraudsters cause the most damage.
We're told the situation is getting rapidly worse: the latest million complaints have come in just the last 14 months and the trend is accelerating. ®