
Garmin hacked

A couple of probably dumb questions…

Alioth – how did that one get in? If via an inside job, or getting an employee to execute an attachment / dodgy jpeg, etc, then anything is possible; protection is almost impossible, especially as AV software won’t detect anything new. The only solution I know of is to dedicate a machine for external emails / IMs, and run everything in a VM, and throw away that VM periodically. Standard procedure for running any suspect executables. And of course the VM has no access to the company LAN…

Arj1 – is this relying on the Citrix client being thrown away after each session, so you get fresh code loaded each time? I like the one about bonuses. Yes, definitely 2FA on any access to backups. This pilot shop didn’t do that; in fact they probably kept backups on the server, under the same OS.

The world is filling up with malicious people.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

they probably kept backups on the server

The backups were stored in AWS S3 – a cloud filesystem if you wish. Unfortunately the key the server (hosted outside of AWS) was using to write the backups also had bucket deletion rights; once the attacker got access to that key the game was over.
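The point made above is the classic least-privilege failure: the credential a backup host uses to write to S3 only needs to create objects, yet it could also delete them and the bucket. The block below is an added example, not code from this thread or from the business being discussed; the bucket name, prefix and account-free ARNs are made up, and the policy evaluator is a simplified model of IAM (Allow/Deny statements, `*` wildcards in Action and Resource, explicit Deny wins, default deny) that ignores Conditions, resource policies and SCPs. It contrasts an overly broad policy with a write-only one and audits each for the destructive actions a stolen key could perform.

```python
"""Audit a backup-writer IAM policy for destructive S3 permissions.

Added illustration (not from the forum thread). Names are constructed.
The evaluator below is a deliberately simplified model of IAM policy
evaluation: it handles Allow/Deny, '*' and '?' wildcards in Action and
Resource, explicit Deny overriding Allow, and default deny. It ignores
Condition blocks, resource (bucket) policies, SCPs and permission
boundaries, so treat it as an illustration, not a replacement for the
IAM policy simulator.
"""
import fnmatch
import json

BUCKET = "example-backups"  # constructed bucket name

# Constructed: a policy that lets the backup host do anything to the bucket.
# Once the key leaks, the attacker can delete every backup and the bucket.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
})

# Constructed: the backup host may only create objects under one prefix.
# Nothing destructive is granted, and an explicit Deny blocks deletion,
# lifecycle expiry rules and Object Lock bypass even if another attached
# policy tries to grant them.
WRITE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/daily/*",
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:Delete*",
                "s3:PutLifecycleConfiguration",
                "s3:BypassGovernanceRetention",
            ],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
})

# Actions that let a stolen credential destroy backups (directly, or via
# a lifecycle rule that expires them). Constructed list for the audit.
DESTRUCTIVE_ACTIONS = [
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutLifecycleConfiguration",
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs (and S3 keys) are case-sensitive; wildcards match across '/'.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy_json, action, resource):
    """Simplified IAM decision: explicit Deny wins, else any Allow, else deny."""
    allowed = False
    for st in _as_list(json.loads(policy_json)["Statement"]):
        hits_action = any(_action_matches(a, action) for a in _as_list(st.get("Action", [])))
        hits_resource = any(_resource_matches(r, resource) for r in _as_list(st.get("Resource", [])))
        if not (hits_action and hits_resource):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def destructive_actions_granted(policy_json, bucket=BUCKET):
    """Return the destructive actions the policy permits on the bucket or its objects."""
    targets = (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/daily/2020-07-23.tar.gpg")
    return [a for a in DESTRUCTIVE_ACTIONS if any(is_allowed(policy_json, a, t) for t in targets)]


if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD_POLICY), ("write-only", WRITE_ONLY_POLICY)):
        print(f"{name}: destructive actions granted -> {destructive_actions_granted(policy)}")
```

Even a write-only key can still overwrite an existing object with garbage, so the policy is only half the control: enable bucket versioning so an overwrite creates a new version rather than replacing the old one, and use S3 Object Lock (compliance mode, with a retention period) so that locked versions cannot be deleted before the period expires. Rotating the leaked key is necessary but does not undo what was already done with it.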

Peter wrote:

Arj1 – is this relying on the Citrix client being thrown away after each session, so you get fresh code loaded each time? I like the one about bonuses. Yes, definitely 2FA on any access to backups. This pilot shop didn’t do that; in fact they probably kept backups on the server, under the same OS.

The world is filling up with malicious people.

Yes, it is kept in just one session – your binaries are shared with you read-only.
Bonuses – that thing helps! If you have this rule, then EVEN during the Christmas change freeze you get patching approvals! :)

Malicious – I’ve discovered that you have a few of those and a lot of lazy ones… Or the ones that fired all the expensive personnel who could tell you what happens if you make some changes – and the people still working are not even supposed to make those decisions; they are BAU support.
Ah! Allegedly the RBS outage some time ago…

PS: what was the English saying for when you don’t really know the consequences of your actions? “On a wing and a prayer”? Is that the right one?

EGTR

wleferrand wrote:

The backups were stored in AWS S3 – a cloud filesystem if you wish. Unfortunately the key the server (hosted outside of AWS) was using to write the backups also had bucket deletion rights; once the attacker got access to that key the game was over.

Doh! (c) Homer

EGTR

Peter wrote:

how did that one get in?

I don’t know – but I’d be willing to bet removable storage, which is a significant malware vector – in this case they weren’t the target of the malware, just collateral damage.

Removable media was how Iran’s centrifuges got compromised, despite being air-gapped. The second ever piece of malware written used removable storage (floppy discs). The first malware was actually internet-based (the Morris worm).

Andreas IOM

wleferrand wrote:

Unfortunately the key the server (hosted outside of AWS) was using to write the backups also had bucket deletion rights; once the attacker got access to that key the game was over.

A ransomware attacker doesn’t even need access to the keys themselves – it’s enough that they can encrypt the HD on the key server.

And that is actually a weak link that is very hard to mitigate (at least if you don’t want to have unencrypted backups in the cloud or you require an admin to type in an AES-256 key every time a backup is made or restored): you need to store the keys somewhere, and when this somewhere is affected by the malware you are in trouble.

So even the most sophisticated backup strategy doesn’t reduce the risk at all! It just makes the data you need to protect against these risks significantly smaller (e.g. a 256 bit key rather than 1 TB of data) and therefore there might be easier mechanisms to protect them.

Germany

(It’s off topic, but boutique.aero wasn’t a ransomware attack – there never was a ransom. It was only about destroying the business.)

Fly.garmin.com back up, though slow (well it never was fast, was it).

https://status.flygarmin.com/

EGTF, LFTF

what was the English saying for when you don’t really know the consequences of your actions? “On a wing and a prayer”? Is that the right one?

I am not sure but that one sounds about right

it was only about destroying the business

Did they ever find out why?

Sometimes there is a specific motivation, sometimes not. For example EuroGA, and the airport database, are hit several times per second. All forums have enemies – it’s unavoidable – but I am sure most of these are doing it just for fun (China, Russia mostly). But Garmin? A disgruntled customer perhaps? And that French pilot shop? Maybe the same, or a competitor.

So even the most sophisticated backup strategy doesn’t reduce the risk at all!

That I don’t understand. For sure if an attacker is going to infiltrate your site and do damage over many months, then all your backups (well, those that are of any use) will be useless.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

it was only about destroying the business

Did they ever find out why?

It’s a long story but there isn’t a definite answer (I don’t know if the official investigation is still going on or not). My personal opinion is that my friend got caught in a crossfire between his contractor and a subcontractor, but it’s only my opinion.
