Was this ransomware?
How did the ransomware attack happen?
The investigation is ongoing and will take time to complete. Alongside our internal security team, we have engaged a leading cyber defense firm to investigate. The investigation is ongoing and is in its early stages.
There is no ransomware attack. Technically speaking, it’s not possible for ransomware to perform an attack. If you get infected by ransomware, you’re at fault. You’re the one to blame. Why?
- You failed to install updates when they were released.
- You do not have your infrastructure hardened as it should be.
- You rely on or use software which is outdated/unsupported or is a piece of crap which should not be used at all.
- You did not hire professionals, for whatever reason; most likely because they are not willing to work for low wages.
- You have no idea about the technology you use or even how it works. Still you insist on using it.
- You open unknown attachments in e-mails from unknown sources.
- You think you’re talking to Microsoft when you get a call from India from someone telling you to download this and execute that. And then you just do it.
- You’re the one who actively installs malware on your computer and then runs around screaming that someone broke into your system.
Do you see the problem now? It’s not ransomware. Never. It’s you and only you.
The US agricultural machinery company AGCO has been the victim of an attack. The group also includes the Fendt subsidiary in the Allgäu region. Thousands of employees are affected by the outage.
At the tractor manufacturer Fendt, the assembly lines in Marktoberdorf and other factories in Germany are currently at a standstill. The majority of the manufacturer’s 4000 employees in the Bavarian town cannot work, the Allgäuer Zeitung reported on Monday. Production and assembly at the industrial plant are affected, it said. No parts are going out or coming in, and the administration is also partially paralysed. The cause is a hacker attack on the U.S. parent company AGCO, which was discovered on Thursday and has an impact on production facilities worldwide.
Source: Heise
Ransomware is not an attack. It’s the failure of the management to hire highly qualified IT experts, get out of their way, and let them do their job.
Network Security Services (NSS) is Mozilla’s widely used, cross-platform cryptography library. When you verify an ASN.1 encoded digital signature, NSS will create a VFYContext structure to store the necessary data. This includes things like the public key, the hash algorithm, and the signature itself.
The maximum size signature that this structure can handle is whatever the largest union member is, in this case that’s RSA at 2048 bytes. That’s 16384 bits, large enough to accommodate signatures from even the most ridiculously oversized keys.
Okay, but what happens if you just... make a signature that’s bigger than that?
Well, it turns out the answer is memory corruption. Yes, really.
The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data.
Source: Project Zero
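To make the copy concrete, here is an added example of my own, not NSS code and not Project Zero’s: a ctypes model of a VFYContext-like struct with a fixed-size signature union followed by other members, the unchecked copy that spills attacker bytes into the adjacent fields, and the length check that rejects the oversized signature instead. Only the 2048-byte RSA member comes from the text; the member names, the second union member’s size, the tag values and the spilled constants are assumptions for the demo, and the oversized signature is deliberately kept inside sizeof(VFYContext) so the demonstration never writes outside the struct.

```python
"""Model of the VFYContext overflow quoted above: an untrusted signature
copied into a fixed-size union with no length check. Added example; the
struct layout is an assumption, not NSS's real definition."""
import ctypes
import sys

RSA_MAX_SIG_BYTES = 2048    # largest union member, as the text states
ECDSA_MAX_SIG_BYTES = 132   # assumed size of a smaller member
HASH_SHA256 = 4             # arbitrary tag value for the demo


class SigUnion(ctypes.Union):
    _fields_ = [("rsa", ctypes.c_ubyte * RSA_MAX_SIG_BYTES),
                ("ecdsa", ctypes.c_ubyte * ECDSA_MAX_SIG_BYTES)]


class VFYContext(ctypes.Structure):
    # Whatever follows the union is what an oversized copy overwrites.
    _fields_ = [("u", SigUnion),
                ("sig_len", ctypes.c_size_t),
                ("hash_alg", ctypes.c_int)]


def set_signature_unchecked(ctx: VFYContext, sig: bytes) -> None:
    """The vulnerable pattern: memcpy of the attacker's length into the union."""
    ctx.hash_alg = HASH_SHA256
    ctx.sig_len = len(sig)
    # No comparison against sizeof(ctx.u): bytes beyond the union land in
    # sig_len and hash_alg, exactly as the quoted text describes.
    ctypes.memmove(ctypes.addressof(ctx.u), sig, len(sig))


def set_signature_checked(ctx: VFYContext, sig: bytes) -> bool:
    """The fix: compare against the union's real size before copying."""
    if len(sig) > ctypes.sizeof(ctx.u):
        return False                      # reject; nothing is written
    ctx.hash_alg = HASH_SHA256
    ctx.sig_len = len(sig)
    ctypes.memmove(ctypes.addressof(ctx.u), sig, len(sig))
    return True


def attacker_signature() -> bytes:
    """Constructed oversized 'signature': fills the union exactly, then
    spills attacker-chosen values into sig_len and hash_alg. Kept within
    sizeof(VFYContext) so this demo never touches memory outside the struct."""
    fake_len = (0x41414141).to_bytes(ctypes.sizeof(ctypes.c_size_t), sys.byteorder)
    fake_alg = (0x7FFFFFFF).to_bytes(ctypes.sizeof(ctypes.c_int), sys.byteorder)
    sig = b"\x00" * RSA_MAX_SIG_BYTES + fake_len + fake_alg
    assert len(sig) <= ctypes.sizeof(VFYContext)
    return sig


def demo_unchecked():
    """(sig_len, hash_alg) after the unchecked copy: the attacker's values."""
    ctx = VFYContext()
    set_signature_unchecked(ctx, attacker_signature())
    return ctx.sig_len, ctx.hash_alg        # -> (0x41414141, 0x7FFFFFFF)


def demo_checked():
    """(accepted, sig_len, hash_alg) for the same input with the check."""
    ctx = VFYContext()
    ok = set_signature_checked(ctx, attacker_signature())
    return ok, ctx.sig_len, ctx.hash_alg     # -> (False, 0, 0)


if __name__ == "__main__":
    print("unchecked:", demo_unchecked())
    print("checked:  ", demo_checked())
```

The interesting part is the first tuple: sig_len and hash_alg were set by the code itself just before the copy, and the copy silently replaces them with bytes the attacker chose, which is the "adjacent members overwritten with attacker-controlled data" from the quote. In the real library the bytes would keep going past the struct; the check belongs before the copy, against the size of the destination, not against what the caller claims.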
Researchers at DevOps platform JFrog demonstrated how an integer overflow flaw (CVE-2021-40346) can be abused to perform HTTP request smuggling attacks that bypass any access control lists (ACLs) defined in HAProxy.
Contingent on front- and back-end server configurations, attacks could also potentially see adversaries hijack user sessions, access or modify sensitive data, or exploit reflected XSS (cross-site scripting) vulnerabilities without user interaction, according to JFrog.
Source: The Daily Swig
The Federal Ministry of the Interior is calling for personal data to be retained without cause, with verified data from all citizens who communicate on the Internet via messenger or e-mail.
Source: Netzpolitik
Can someone please explain to Mr Seehofer how the Internet works and why his idea is stupid and dangerous? Such incompetence and cognitive dissonance is no longer funny, and he should resign immediately.
Germany has evolved from the rule of law to a police state to a secret-service state. The police are now allowed to lock up “dangerous people” for an unlimited period of time without them having done anything or even being accused of anything.
The state is allowed to bug your apartment, has unrestrained access to your cell phone data, is investigating and using your DNA against you.
And when they’re done with it, they’ll also ask for back doors in your communication devices.
The only thing that’s a bit annoying at the moment is that you have to notify the victim afterwards. But don’t worry. Even that is being abolished.
OpenSSH is great. I like it. But the version that comes bundled with Windows 10 sucks. Setup is pretty easy and straightforward. But due to the way access is handled in Windows (e.g., by ACLs) and the fact that it (the Linux/Unix version as well, for obvious reasons) does not support links which point to resources outside of the chrooted environment, it’s rather useless for my purposes.
I’d like to have an OpenSSH-based solution where I’m able to work with virtual file systems for chrooted environments just like FTP, and without the need to create a bunch of otherwise useless users in the operating system. Oh, I have such wonderful memories of the Gene6 FTP server. That was a truly great product. Unfortunately, its development ceased in 2019 and their website is broken.
Well, yes, I know that’s not how SSH works. But for chrooted environments which are mainly used for SFTP it would actually make sense. Like, somehow a portable installation of OpenSSH. That would be pretty nice.
Some days ago GitHub received a DMCA complaint from the RIAA to remove youtube-dl due to copyright violations. The youtube-dl website is still online and I mirrored the files to my website just in case.
Now, due to a bug in GitHub, known for a long time, it’s possible to add files to other users’ repositories without modifying their checkout: forks share one object store with the parent repository, so a commit pushed to a fork becomes reachable under the parent’s URL. You can’t change the parent’s current hash, but when adding files a new commit hash is created and you can link to that exact hash in order to get the files. Very neat!
So, long story short, that’s exactly what someone did.
BigBlueButton is free web-based video conferencing software that has lately become quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on Golem.de (German). I want to share the most significant findings here.
BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats, which is then displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with LibreOffice on the server. Looking for ways to exploit server-side LibreOffice rendering, I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups.
One of the methods described there is a feature in OpenDocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file URL, and can include a local file.
This worked directly in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service can access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here.
Source: Hanno’s Blog
I never understood why you need to include external files or web pages in such a document, and I can’t even think of a use case where this is a good idea, unless you want to fuck things up.
Here’s the PoC, in case you’re interested.
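Hanno’s PoC itself is linked rather than reproduced here, so the following is an added example of my own, not his code and not BigBlueButton’s: it builds a constructed minimal ODT carrying the linked-section trick described above (a text:section whose text:section-source points at a local file via xlink:href) and runs the check a converter front end could apply before handing an upload to LibreOffice, namely refusing any document that links content at all. The document skeleton, the element names and the rejection policy are assumptions for the demo; the ODF file is a zip with content.xml inside, which is all the scanner relies on.

```python
"""Detect ODT documents that pull in external or local files through
linked sections, as in the BigBlueButton finding above. Added example;
the minimal ODT skeleton is constructed for the demo."""
import io
import zipfile
import xml.etree.ElementTree as ET   # for untrusted input prefer defusedxml
from urllib.parse import urlsplit

XLINK = "http://www.w3.org/1999/xlink"
OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"

# Constructed content.xml; {section} is empty for a benign document.
CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="{office}" xmlns:text="{text}"
    xmlns:xlink="{xlink}" office:version="1.2">
  <office:body><office:text>
    <text:p>Quarterly numbers</text:p>{section}
  </office:text></office:body>
</office:document-content>
"""

# A linked section: LibreOffice replaces its body with the referenced file.
LINKED_SECTION = """
    <text:section text:name="Sect1">
      <text:section-source xlink:href="{href}" xlink:type="simple"
          text:filter-name="Text"/>
      <text:p>placeholder, replaced by the linked file on load</text:p>
    </text:section>"""


def build_odt(href: str = "") -> bytes:
    """Constructed minimal ODT; with href set it carries a linked section."""
    section = LINKED_SECTION.format(href=href) if href else ""
    xml = CONTENT_XML.format(office=OFFICE, text=TEXT, xlink=XLINK, section=section)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # ODF wants the mimetype entry first and uncompressed.
        z.writestr(zipfile.ZipInfo("mimetype"),
                   "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", xml, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def is_local_ref(href: str) -> bool:
    """True for references that resolve on the converting server itself:
    file: URLs, absolute paths and relative paths (no scheme at all)."""
    return urlsplit(href).scheme in ("", "file")


def find_external_refs(odt_bytes: bytes):
    """(element name, href) for every xlink:href in the document's XML parts.
    Scanning every part, not just content.xml, catches links placed in
    styles.xml or elsewhere; META-INF/manifest.xml is skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".xml") or name.startswith("META-INF/"):
                continue
            root = ET.fromstring(z.read(name))
            for el in root.iter():
                href = el.get(f"{{{XLINK}}}href")
                if href is not None:
                    findings.append((el.tag.split("}", 1)[-1], href))
    return findings


def should_reject_upload(odt_bytes: bytes) -> bool:
    """Assumed front-end policy: a presentation never needs linked content.
    Local references read server files; remote ones make the server fetch."""
    return bool(find_external_refs(odt_bytes))


if __name__ == "__main__":
    for target in ("", "file:///etc/passwd", "https://example.com/inc.txt"):
        doc = build_odt(target)
        print(repr(target), find_external_refs(doc),
              "reject" if should_reject_upload(doc) else "accept")
```

Rejecting every xlink:href is deliberately blunt: the same attribute carries images and embedded objects, and a converter that renders untrusted uploads has no business following any of them. is_local_ref is there for reporting, so an operator can tell a file read (the exfiltration case from the finding) from an outbound fetch.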