Sinclair TV disrupted by ransomware
TV broadcasts at Sinclair owned stations went down across the US on October 17th, in what was described as a technical issue at the time. Sinclair subsequently confirmed this was the result of a ransomware attack. The incident took down Sinclair’s internal corporate network, email servers, phone services, and the broadcasting systems of local TV stations. Because Sinclair IT networks were interconnected through the same Active Directory domain, the attack was able to impact a large number of stations. It’s unclear exactly how many stations were impacted, but The Record found tens of stations down throughout the day.
Water system proves easy target for ransomware
A joint cybersecurity advisory from the FBI, NSA, CISA, and the EPA disclosed that in March, July, and August seemingly unrelated ransomware organizations hit water and waste treatment facilities in Nevada, Maine, and California, respectively. These attacks led to file encryption at all sites, with one facility seeing a SCADA industrial equipment computer corrupted. The advisory cautioned this does not represent an uptick in cyber activity against the water system. Rather the advisory was sent to show that the possibility for disruption from even a small number of attacks means these systems should take a proactive security posture.
REvil shuts down… again
The Tor sites belonging to the REvil ransomware operation went offline, with REvil posting on the forum XSS it had its domains hijacked. The post said there was no sign of compromise to REvil’s servers but that it will shut down operations. Current REvil affiliates were told to contact the operators over the messaging app Tox for campaign decryption keys. This isn’t the first time REvil closed up shop. Soon after it conducted an attack against Kaseya earlier this year, REvil’s site’s went dark, only to reappear, apparently based on backups, in September.
BlackByte ransomware decryptor published
This ransomware strain was discovered by Trustwave, seemingly a typical double-extorsion scheme ransomware model, where files are exfiltrated then encrypted, with victims asked to pay to both unlock and not leak the information. However Trustwave noticed some “odd” behavior, and by “odd,” they mean amateurish. Notably, the wormable ransomware does not appear to have any capability to exfiltrate data, only encrypt it, meaning the second part of BlackByte’s double-extortion is all based on bluster. A more fundamental issue, the malware downloads and executes the same key to encrypt files in AES, rather than unique keys for each session, meaning to decrypt files, someone would only have to download the so-called “raw” key from the host, with the same key working for all attacks. Trustwave saved everyone some time and published a universal decryptor to GitHub.
Thanks to our episode sponsor, Tessian and the Human Layer Security Summit
Congress needs a word with Amazon
We previously covered a Reuter’s report on Amazon’s alleged program of copying products in India. Now a bipartisan group of five members of the US House Judiciary committee have sent a letter to Amazon CEO Andy Jassy, accusing Amazon of misleading or possibly lying to Congress about business practices. Amazon has until November 1st to provide a sworn response to clarify how it uses seller data to develop its own products, and requests all documents mentioned in the Reuter’s investigation. Amazon subsequently released a statement saying “its executives did not mislead the committee, and we have denied and sought to correct the record on the inaccurate media articles in question.”
41% of the time, it works every time
Researchers demonstrated that its possible to train a special-purpose deep-learning algorithm to guess a four-digit PIN 41% of the time, even if a user covers the number pad with their hands. This requires training the algorithm on the specific dimensions and key spacing for a given keypad. This is then trained to recognize pad presses and assign specific probabilities on a set of guesses. Camera placement and handedness of the users also can impact prediction. Increasing the number of digits in the PIN also impacts success, with 5-digit PINs guessed 30% of the time.
Treasury department issues report on ransomware payments
According to the report, the volume of suspected ransomware payments flagged by US financial institutions this year is on pace to nearly double 2020. Nearly $600 million in transactions were flagged with Suspicious Activity Reports filed with the government in the first six months of 2021. The Treasury also said it monitored $5.2 billion in bitcoin transactions as potential ransomware payments during the same period. New guidance from the Treasury was also issued with the report, urging organizations to be on guard for attacks and not pay ransoms, and opens the door to penalties and other punitive actions from the Office for Foreign Assets Control.
Microsoft fixes some AMD performance woes in Windows 11
We previously reported that Microsoft and AMD acknowledged that Windows 11 was causing performance loss with AMD Ryzen processors compared to Windows 10. Some of the performance issues were the result of increased L3 cache latency in Windows 11. A new Windows 11 test build in the beta and dev channels resolves the performance problem, reducing latency to previous levels. However it does not resolve an issue with “preferred” core thread scheduling seen in the new OS, which was also causing issues. This mainly impacted AMD CPUs with 8 or more cores, running in tighter thermal envelopes. Microsoft and AMD have pledged to have all issues resolved by the end of the month.