A White House Request, Billions of Stolen Passwords and Another Infrastructure Attack

The first half of 2021 has been a dangerous time for business networks, and it’s not getting any better. In the last two weeks, 8.4 billion stolen passwords were posted online, a ransomware attack shut down 20% of US beef and pork slaughterhouses, and the White House reached out to the entire business community to emphasize the fast-growing threat of cybercrime.

White House Asks Businesses to Take Ransomware Seriously

Amidst all the news about ransomware targeting water systems, gas pipelines and food supply chains, it’s easy to forget about the 99% of ransomware attacks that aren’t aimed at critical infrastructure.  Attacks on small and mid-sized businesses don’t generate many headlines, but they do generate hundreds of millions of dollars in revenue for ransomware gangs.

All of that revenue is funding a rapid escalation of attacks, leading the White House to release a letter from the National Security Council’s chief cybersecurity advisor pleading with business executives to take ransomware seriously.

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Anne Neuberger said. “To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.”  [Read more at Bleeping Computer]

Largest-Ever Stolen Password List Posted Online

The latest example of just how many hacked passwords are floating around online is the “RockYou2021” password list.  This list, which was just posted to the Dark Web this week, includes 8.4 billion passwords compiled from many, many network breaches over the years.  If any of your users are still using one of the passwords on this list, it’s definitely time to change it.

While it’s probably not a great idea to download the list of stolen passwords yourself, websites such as “Have I Been Pwned?” will let you know if your passwords are on breached password lists.  (Google’s Chrome web browser will check this as well.)

Just don’t type your password into a site that claims to check passwords against dark web lists! It’s sometimes hard to tell whether a “password checker” website is legitimate or a scam – and if it’s a scam, your password will get stolen as soon as you type it in.  Instead, search by username or email address.  [Read more at Yahoo! News]

Meatpacker JBS Attacked, Colonial Gas Ransom Payment (Mostly) Recovered

This month’s first systemically-important ransomware target is JBS, the largest meatpacking company in the world.  The company (which is based in Brazil but controls about 20% of US beef and pork slaughtering capacity) was hit with ransomware on May 30th and was forced to shut down most meatpacking operations in the US for several days.  The company paid an $11 million ransom and was able to resume operations a few days later.

Last month’s Colonial Pipeline hack also received a major news update.  The White House, sensing that ransomware targeting critical infrastructure could quickly become a near-weekly event, has pulled out all the stops in its response to these types of attacks.  It was ultimately able to recover over 80% of the bitcoin paid to the hackers by Colonial – an exceedingly rare event that required the FBI to hunt down the private key of the digital wallet used to store the currency.

It’s the first of many signals that, while the FBI can’t pursue every ransomware lead, the White House is acutely aware of the chaos that the future holds if every attack on critical infrastructure yields millions of dollars in immediate windfall for cybercriminals.  [Read More at Fast Company]

Google Serving Up Malware in Ads

If you’re wondering who pays those astronomical Google AdWords fees, the newest answer is cybercriminals.

Despite Google’s best efforts, multiple paid ads are linking to malware posing as apps such as AnyDesk, Dropbox and Telegram.  These ads are paid for by cybercriminals, but Google doesn’t know that, so it’s returning these ads in search results for those apps.  While Google scans ad links for malware, it can’t detect the malware in these links because it is heavily “obfuscated”.  (If you’ve ever put a small present inside multiple nested boxes to trick the recipient into thinking they’re getting something large, you’ve got a pretty good idea of how the hackers are pulling this off.)

The programs posing as messaging and file-sharing apps are actually malware packages that steal credit card numbers, saved credentials and physical location information from web browsers and other software on the device.  Apparently, cybercriminals are making so much money by stealing this information that it’s profitable to build elaborate landing pages, camouflage the software from Google’s malware scans, and pay Google for every single click they get.  [Read more at Threatpost]