The #Internet of #Storing #Ransomware

On 28 December, two Romanian suspects were charged with hacking in the USA. They have been formally named as Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28.

Both suspects were arrested at Otopeni Airport in Bucharest on Dec. 15, 2017. However, given the nature of the charges, the details were not released until they were in US custody.

Isvanca and Cismaru are charged with hacking into 123 surveillance cameras belonging to the Washington DC Metropolitan Police Department (MPD) in January 2017. The surveillance cameras were used to store copies of the Cerber and Dharma ransomware, which was then distributed via spam email. Over 179,000 email addresses were recovered by investigators. They have also identified a number of victims, although they have not said how much money was paid to Isvanca and Cismaru.

Attack only discovered due to presidential inauguration
The affidavit containing the details of the offenses has also been made public. It names James Graham, a Special Agent of the US Secret Service, as the investigating officer. It details the installation of the ransomware on the cameras and the spam email campaign. The details also disclose that each surveillance camera was controlled by a dedicated computer. These were part of the larger MPDC computer network and were connected to the Internet.

The attack was discovered by a member of the US Secret Service. USSS Special Agent Brian Kaiser had been given access to the camera network as part of the planning for President Trump’s inauguration. Kaiser was using RDP to connect to the different cameras. One camera had a number of open windows pointing to applications including the bulk email application Sendmail.

This led to several computers being seized and examined. Kaiser claims to have discovered email addresses and accounts used by the hackers. One of these was registered on the IFUD.WS cyber-criminal forum. It turns out that one of the accused was trying to recruit people with access to RDP accounts who would then distribute the Cerber ransomware.

This is not a new approach: ransomware creators often use distributors and pay them a percentage of the ransom. Both Petya and Mischa have been offered to distributors in the past.

The affidavit goes on to detail how the USSS and the FBI were able to track the two accused across a number of different email addresses and other programs. Some of the details were also identified by the National Crime Agency (NCA) in London as being used in an attack against one of the victims.

What does this mean?
This is an interesting case at several levels. The first is that it has been kept quiet for almost an entire year while the investigation was ongoing. The second is the detail around the investigation contained in the affidavit.

For many businesses, however, the use of the security cameras to store the ransomware and then launch the attacks should be a serious concern. This is a topic that has been discussed at hacking forums but there has been little in the way of real-world evidence it was happening.

There is also the risk that spam email campaigns will appear to come from the enterprise IP address. This can lead to a business being blacklisted. It could also result in the business being pulled into any investigation by law enforcement. All of this is reputational risk for the business and should be dealt with.

What this means is that IT departments must find ways to identify all the IoT devices owned by the business. They then need to take steps to lock them down and treat them as any other IT asset. As many provide remote access and storage, they need to ensure that they are monitored to prevent unauthorised access. This means regularly changing and updating passwords on them. They should also be decoupled from the main IT network to prevent any risk of cross-contamination.
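As an added example of the monitoring and decoupling just described (not code from the article or from the MPD), the check below flags flows that a segmented camera network should never produce: a camera controller sending mail directly, as the Sendmail instance in the affidavit did, RDP into the camera segment from outside a management subnet, and any other egress from the camera segment. The subnets, ports and flow records are constructed assumptions.

```python
"""Audit network flows against a camera-segment policy.

Added example, not from the article. The camera and management subnets,
the port list and the sample flows are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed inventory: the isolated segment camera controllers should live in,
# and the only subnet permitted to reach them over RDP.
CAMERA_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
MGMT_SEGMENT = ipaddress.ip_network("10.10.0.0/24")
MAIL_PORTS = {25, 465, 587}  # outbound mail: no legitimate use on a camera controller
RDP_PORT = 3389


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding label, or None when the flow is within policy."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # A camera controller speaking SMTP is the spam-relay pattern from the case.
    if src in CAMERA_SEGMENT and flow.dport in MAIL_PORTS:
        return "camera-outbound-smtp"
    # RDP into the camera segment from anywhere but the management subnet.
    if dst in CAMERA_SEGMENT and flow.dport == RDP_PORT and src not in MGMT_SEGMENT:
        return "camera-rdp-from-unmanaged"
    # Decoupling: cameras talk only to each other and to management hosts.
    if src in CAMERA_SEGMENT and dst not in CAMERA_SEGMENT and dst not in MGMT_SEGMENT:
        return "camera-egress"
    return None


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, label) pairs for every flow that breaches policy."""
    findings = []
    for flow in flows:
        label = check_flow(flow)
        if label is not None:
            findings.append((flow, label))
    return findings


# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.50.0.17", 3389),   # RDP from a management host: allowed
    Flow("10.50.0.17", "203.0.113.9", 25),   # camera controller sending mail to the Internet
    Flow("192.0.2.44", "10.50.0.17", 3389),  # RDP into a camera from outside management
    Flow("10.50.0.17", "10.10.0.5", 443),    # camera to management server: allowed
    Flow("10.50.0.17", "10.50.0.18", 554),   # camera-to-camera RTSP inside the segment: allowed
]

if __name__ == "__main__":
    for flow, label in audit(SAMPLE_FLOWS):
        print(f"{label}: {flow.src} -> {flow.dst}:{flow.dport}")
```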
