Tag Archive for: Shuts

Cyberattack shuts down major US gas pipeline


A fuel pipeline right-of-way, like a wide, grassy path, stretches into the distance, through a forest. A yellow sign in the foreground alerts people to the presence of the petroleum pipeline.

Colonial Pipeline’s overall system is the US’ biggest, covering more than 5,500 miles and carrying more than 100 million gallons of fuel a day, the company says.


Colonial Pipeline

A cyberattack has taken down the main pipeline that carries gasoline to the US East Coast, the pipeline’s operator said Friday, further raising concern about how vulnerable critical systems are to hacking assaults.

Colonial Pipeline, which operates pipes that carry refined petroleum products like gas, diesel, jet fuel, home heating oil and fuel for the military, said in a statement that it’s taken “certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”

If the disruption doesn’t last beyond a few days, it likely won’t cause many problems, due to local supplies of gas that typically get replenished via the pipeline about once a week, The Wall Street Journal reported, likening the situation to pipeline shutdowns that occur during hurricanes. Still, the shutdown increases alarm about cyberattacks on key systems.

It’s unclear whether criminal hackers or a nation-state is behind the attack, the Journal reported. Colonial said it’s contacted “law enforcement and other federal agencies” and engaged a “leading, third-party cybersecurity firm” to investigate.

The attack involved ransomware, Colonial said in an updated statement Saturday. In such schemes, attackers use code to seize control of a computer system and then demand money to unlock it. The worldwide WannaCry ransomware attacks in 2017, for instance, locked up computer systems at hospitals, banks and phone companies.

But assaults like the one…

Source…

Google shuts down a hacking operation being conducted by ally of the US government


Two of Google’s anti-hacking teams uncovered and unilaterally took down a malware distribution operation that was being run by an undisclosed US ally, according to a report last Friday in MIT Technology Review.

The report, written by the publication’s cybersecurity senior editor Patrick Howell O’Neill, says that the Google teams—Project Zero and Threat Analysis Group—“caught an unexpectedly big fish recently: an ‘expert’ hacking group exploiting 11 powerful vulnerabilities to compromise devices running iOS, Android, and Windows.”

O’Neill also wrote that MIT Tech Review “has learned that the hackers in question were actually Western government operatives actively conducting a counterterrorism operation” and that Google’s decision to shut down and publicly expose the hack caused internal divisions and “raised questions inside the intelligence communities of the United States and its allies.”

Google’s office in Toronto, Canada (Wikipedia photo)

Google’s Project Zero specializes in finding what are known among cybersecurity experts as zero-day vulnerabilities, i.e., flaws in software that developers are aware of but have not yet been able to fix. These unintended weaknesses are called zero-day because they can be exploited by cybercriminals and hackers while developers have “zero days” to patch the software.

According to Google’s website, the Threat Analysis Group is responsible for countering targeted and government-backed hacking against the company’s products and users. Many of TAG’s previous actions have been taken against “influence operations” reported to have government backing from North Korea, Russia or China, for example.

The hacks in question were discovered by Google’s teams as far back as February 2020 and were reported on in a blog post published by Project Zero on March 18. The post, entitled “In-the-Wild Series: October 2020 0-day discovery,” detailed seven instances of zero-day exploits within Apple, Google and Samsung browsers running on iOS, Windows and Android operating systems.

Source…

Lakehead University shuts down campus network after cyberattack


Canadian undergraduate research university Lakehead has been dealing with a cyberattack that forced the institution earlier this week to cut off access to its servers.

The school’s services, including its website, have been down since Tuesday, with personnel shutting down computers on the Thunder Bay and Orillia campuses to stop the attack from spreading.

Services still down

In a communication on Thursday, Lakehead University provided some details about the attack saying that it was aimed at its file share servers. The school did not disclose the nature of the incident, though.

“As soon as Lakehead’s Technology Services Centre (TSC) became aware of the potential threat to our servers, TSC removed all access to them,” the University said.

An investigation is underway, trying to determine what servers and information have been impacted by the security incident. Until the assessment completes, “all information used and stored on our file share servers will be inaccessible, and on-campus computers will not be available for use.”

The University recommends that anyone who kept credential sets in documents on its file sharing system or on a campus office computer change their passwords as a precaution.

While this is a sensible recommendation in case of a breach, the fact that the attack spread to campus office computers may indicate a ransomware attack. However, as previously mentioned, the University has not disclosed the nature of the attack or its extent.

At this point, school officials have not said if the attack impacted personal or financial information handled by the University.

Academic performance affected

Lakehead University has canceled all its events, including webinars and virtual Thunder Bay and Orillia campus tours scheduled for this Friday.

Because all the services are down, some students could not communicate with their instructors, access their academic calendar, use the library, or submit papers or payments with a deadline.

In a tweet on Friday, Lakehead University offered a possible solution for students, faculty, and staff to get email access. This method does not work in all cases, though. The school said that if the login information is available in the…

Source…

Ziggy ransomware shuts down and releases victims’ decryption keys



The Ziggy ransomware operation has shut down and released the victims’ decryption keys after concerns about recent law enforcement activity and guilt for encrypting victims.

Over the weekend, security researcher M. Shahpasandi told BleepingComputer that the Ziggy Ransomware admin announced on Telegram that they were shutting down their operation and would be releasing all of the decryption keys.

Shut down announcement by Ziggy admin

In an interview with BleepingComputer, the ransomware admin said they created the ransomware to generate money as they live in a “third-world country.”

After feeling guilty about their actions and concerns over recent law enforcement operations against Emotet and Netwalker ransomware, the admin decided to shut down and release all of the keys.

Today, the Ziggy ransomware admin posted a SQL file containing 922 decryption keys for encrypted victims. For each victim, the SQL file lists three keys needed to decrypt their encrypted files.

SQL file containing Ziggy decryption keys

The ransomware admin also posted a decryptor [VirusTotal] that victims can use with the keys listed in the SQL file.

Ziggy ransomware decryptor

In addition to the decryptor and the SQL file, the ransomware admin shared the source code for a different decryptor with BleepingComputer that contains offline decryption keys.

Ransomware operations use offline decryption keys for victims whose files were encrypted while the device was not connected to the Internet or the command and control server was unreachable.

Source code for different Ziggy ransomware decryptor

The ransomware admin also shared these files with ransomware expert Michael Gillespie who told BleepingComputer that Emsisoft would be releasing a decryptor soon.

“The release of the keys, whether voluntarily or involuntarily, is the best possible outcome. It means past victims can recover their data without needing to pay the ransom or use the dev’s decryptor, which could contain a backdoor and/or bugs. And, of course, it also means there’s one less ransomware group to worry about.”

“The recent arrest of individuals associated with the Emotet and Netwalker operation could be causing some actors to get cold feet. If so, we…

Source…