iNSYNQ Ransom Attack Began With Phishing Email

09
Aug 19

iNSYNQ Ransom Attack Began With Phishing Email

A ransomware outbreak that hit QuickBooks cloud hosting firm iNSYNQ in mid-July appears to have started with an email phishing attack that snared an employee working in sales for the company, KrebsOnSecurity has learned. It also looks like the intruders spent roughly ten days rooting around iNSYNQ’s internal network to properly stage things before unleashing the ransomware. iNSYNQ ultimately declined to pay the ransom demand, and it is still working to completely restore customer access to files.

Some of this detail came in a virtual “town hall” meeting held August 8, in which iNSYNQ chief executive Elliot Luchansky briefed customers on how it all went down, and what the company is doing to prevent such outages in the future.

A great many iNSYNQ’s customers are accountants, and when the company took its network offline on July 16 in response to the ransomware outbreak, some of those customers took to social media to complain that iNSYNQ was stonewalling them.

“We could definitely have been better prepared, and it’s totally unacceptable,” Luchansky told customers. “I take full responsibility for this. People waiting ridiculous amounts of time for a response is unacceptable.”

By way of explaining iNSYNQ’s initial reluctance to share information about the particulars of the attack early on, Luchansky told customers the company had to assume the intruders were watching and listening to everything iNSYNQ was doing to recover operations and data in the wake of the ransomware outbreak.

“That was done strategically for a good reason,” he said. “There were human beings involved with [carrying out] this attack in real time, and we had to assume they were monitoring everything we could say. And that posed risks based on what we did say publicly while the ransom negotiations were going on. It could have been used in a way that would have exposed customers even more. That put us in a really tough bind, because transparency is something we take very seriously. But we decided it was in our customers’ best interests to not do that.”

Luchansky did not say how much the intruders were demanding, but he mentioned two key factors that informed the company’s decision not to pay up.

“It was a very substantial amount, but we had the money wired and were ready to pay it in cryptocurrency in the case that it made sense to do so,” he told customers. “But we also understood [that paying] would put a target on our heads in the future, and even if we actually received the decryption key, that wasn’t really the main issue here. Because of the quick reaction we had, we were able to contain the encryption part” to roughly 50 percent of customer systems, he said.

Luchansky said the intruders seeded its internal network with MegaCortex, a potent new ransomware strain first spotted just a couple of months ago that is being used in targeted attacks on enterprises. He said the attack appears to have been carefully planned out in advance and executed “with human intervention all the way through.”

“They decided they were coming after us,” he said. “It’s one thing to prepare for these sorts of events but it’s an entirely different experience to deal with first hand.”

According to an analysis of MegaCortex published this week by Accenture iDefense, the crooks behind this ransomware strain are targeting businesses — not home users — and demanding ransom payments in the range of two to 600 bitcoins, which is roughly $20,000 to $5.8 million.

“We are working for profit,” reads the ransom note left behind by the latest version of MegaCortex. “The core of this criminal business is to give back your valuable data in the original form (for ransom of course).”

Luchansky did not mention in the town hall meeting exactly when the initial phishing attack was thought to have occurred, noting that iNSYNQ is still working with California-based CrowdStrike to gain a more complete picture of the attack.

But Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security, showed KrebsOnSecurity information obtained from monitoring dark web communications which suggested the problem started on July 6, after an employee in iNSYNQ’s sales division fell for a targeted phishing email.

“This shows that even after the initial infection, if companies act promptly they can still detect and stop the ransomware,” Holden said. “For these infections hackers take sometimes days, weeks, or even months to encrypt your data.”

iNSYNQ did not respond to requests for comment on Hold Security’s findings.

Asked whether the company had backups of customer data and — if so — why iNSYNQ decided not to restore from those, Luchansky said there were backups but that some of those were also infected.

“The backup system is backing up the primary system, and that by definition entails some level of integration,” Luchansky explained. “The way our system was architected, the malware had spread into the backups as well, at least a little bit. So [by] just turning the backups back on, there was a good chance the the virus would then start to spread through the backup system more. So we had to treat the backups similarly to how we were treating the primary systems.”

Luchansky said their backup system has since been overhauled, and that if a similar attack happened in the future it would take days instead of weeks to recover. However, he declined to get into specifics about exactly what had changed, which is too bad because in every ransomware attack story I’ve written this seems to be the detail most readers are interested in and arguing about.

The CEO added that iNSYNQ also will be partnering with a company that helps firms detect and block targeted phishing attacks, and that it envisioned being able to offer this to its customers at a discounted rate. It wasn’t clear from Luchansky’s responses to questions whether the cloud hosting firm was also considering any kind of employee anti-phishing education and/or testing service.

Luchansky said iNSYNQ was about to restore access to more than 90 percent of customer files by Aug. 2 — roughly two weeks after the ransomware outbreak — and that the company would be offering customers a two month credit as a result of the outage.

Tags: , , , , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

BlackHat 2019: An Urgent Call for “Public-Interest Technologists

If you had any lingering doubt that computer security and privacy are not public policy issues, just look at recent headlines with national politicians from both sides of the aisle calling for closer oversight of the technology industry.

With another national election looming – and no shortage of issues where technology and politics are increasingly linked –Washington and Silicon Valley still find themselves struggling to understand each other, according to noted technologist and Harvard Kennedy School Fellow, Bruce Schneier.

Schneier, who made his comments at the BlackHat 2019 conference, reached back six decades to quote the English novelist CP Snow who essentially described a fundamental misunderstanding between the scientific and human traditions in liberal societies as a kind of dialogue of the deaf with little understanding between them.

When Snow published his now-famous essay in 1959, Schneier said that wasn’t a major problem since, for the most part, technology and policy didn’t interact much with each other. “We had television and Tang,” he said.

Nowadays, though, computer security has become a public policy issue and he said that it’s no longer acceptable for technology and policy to be in different worlds.

“There’s a culture of technologists who build cool tools without regarding how they affect society and then there’s the world of policy…who will criticize technology without really understanding technology,” he said.

The reality is that technology now informs vital public policy issues ranging from election security to data privacy to critical infrastructure with little involvement of technologists in policy discussions.

“The internet is no longer a separate thing,” he said. “It’s part of everything.”

He described the widely-held belief within Silicon Valley that technology is politically neutral as “a perverse myth.”

“That’s not true,” he said. “Our work is deeply embedded in policy. All technology affects the world we live in.”

Warning of the consequences if the two sides drift ever farther apart, Schneier put out a call for the creation of what he described as “public-interest technologists.” These would be people from the technology industry who would be willing to work inside government, academia and NGOs in order to craft policy as well as bolster security to agencies and groups working in the broader public interest.

“Policy makers need to understand technology,” he said, adding that government discussions ought to be informed by the relevant technologies. “The reality is the opposite,” he said.

He drew an analogy with attorneys who specialize in public interest law, a branch of the legal profession that didn’t exist as late as the 1970s. But with the help of foundations willing to fund positions at organizations such as the NAACP or ACLU, interest in public law practice soared in subsequent years.

“20% of Harvard law grads go into public interest law,” Schneier said. “The number of

Harvard computer science grads going into public interest work is probably zero.

Not because they’re immoral but because the path probably doesn’t exist.”

The future is hurtling toward us with the emergence of new technologies like blockchain, the Internet of Things and 5G, he said, upping the pressure on legislators to formulate a new set of policy tools with the help of technologists.

“There’s a lot that technologists will have to say about how to save society in the next 80 years…because this is where the core issues of society will lie.”

“We have the expertise and it’s incumbent on us to help,” he added.

BlackHat 2019: Don’t Assume that 5G Networks Can’t Get Hacked

The next few years will see a veritable explosion in the number of connected devices running on super-fast 5G networks. The promise: a vastly improved internet experience than previous generations. And 5G is going to be so locked down that you won’t ever have to give security a thought ever again.

And if you believe that last line, I’ve got a bridge in Brooklyn that I’d like to sell to you.

What’s beyond argument is the proposition that the 5G cellular standard represents a significant break from the past. Internet Protocol is at the center of the network architecture and the applications that run on 5G networks. And whereas earlier generations only performed tasks sequentially, 5G promises considerably higher speeds and little to no latency.

“We know the hype that 5G has today,” said Altaf Shaik, a researcher from the Technical University of Berlin as he addressed a packed ballroom at Black Hat 2019 in Las Vegas on Wednesday. “It’s even bigger than this room.”

5G is “basically for machine communications,” according to Shaik. “Not just phones, but cars and smart homes, different way stations…millions of devices will be scattered around us.”

But with an estimated 18 billion IoT devices expected to be in use worldwide by 2022, the reliability of our mobile networks will assume ever greater importance. Experts like Shaik have reason to be concerned about potential vulnerabilities cropping up; unlike earlier networks that relied on centralized hardware-based functions, 5G’s distributed software-based systems are also potentially more risky.

Compared to previous network generations, Shaik agreed that network security is turning out to be more efficient in 5G and is “definitely better” than in previous generations, particularly when it comes to things like privacy, encryption and authentication. “Security has changed a lot and we should expect that security should be lot stronger in 5G than in 2G,” he said.

Still, he cautioned that vulnerabilities affect both operator infrastructures as well as end-user devices connected to 5G. He demonstrated to attendees how hackers can exploit vulnerabilities just by using low-cost hardware and software platforms.

He set up fake base stations to launch attacks against dozens of devices to discover identifying information about them, including the kind of operating systems they ran. That raises a red flag: If you can find out information about the device and the OS, Shaik said, “you can plan a targeted attack.”

Shaik said he was able to hack into 5G systems and modify settings, changing radio capabilities, removing frequency bands and disabling voice over LTE. In one test, he recounted being able to reduce the connection speed on an iPhone 8.