malware

TxDOT hit with ransomware

Not great.

Texas’ transportation agency has become the second part of the state government to be hit by a ransomware attack in recent days.

On Thursday, someone hacked into the Texas Department of Transportation’s network in a “ransomware event,” according to a statement the department posted on social media Friday.

The department’s website says some features are unavailable due to technical difficulties, but it is not clear what functions were affected by the attack. Agency officials did not respond to emailed questions Sunday.

[…]

Upon detecting the hack, staff at the transportation department “immediately” isolated the affected parts of the network and “shut down further unauthorized access,” according to the statement. James Bass, the department’s executive director, said his staff is “working to ensure critical operations continue during this interruption.” The hacks follow a ransomware attack of unprecedented size that hit more than 20 local governments in Texas last summer.

See here for more on the attack on the court system’s website. In 2019, there was a coordinated attack on the systems of multiple small cities and counties.

I can’t find much in the way of news on this, so here’s TxDOT’s statement, via Twitter:

Maybe these two attacks are unconnected – there’s not enough information, such as what type of ransomware was involved and what the vector for it was, for me to take a guess – but the fact that there were two such attacks in a short period of time on two state systems sure seems suspicious to me. If I were at the state Department of Information Resources, I would be very busy, and more than a little concerned, right now. KXAN, CBS DFW, and Bleeping Computer have more.

Ransomware attack on state court system

Not great.

Websites for the Texas court system were still down Monday after a ransomware attack late last week left the network temporarily disabled, according to the Office of Court Administration.

Officials discovered the breach early Friday and quickly shut down sites and disabled servers to contain it, the office said in a statement. The hack did not impact e-filing and other services, many of which have been transferred to the cloud in recent years, according to the office.

“At this time, there is no indication that any sensitive information, including personal information, was compromised,” the office said. It added that websites for local trial courts are still available online.

The office said it detected the breach early and has refused to pay any ransom. While the courts have moved increasingly to remote hearings amid the coronavirus pandemic, the attack was unrelated, according to the office.

Officials have not said when the system will be back online, but they have set up a temporary website and are working with law enforcement and the Texas Department of Information Resources to investigate the attack.

As the story notes, this is not the first time that Texas governmental entities have been targeted by ransomware. The first thing that TDIR will need to figure out is whether this was actually targeted, or just a crime of opportunity, perhaps the result of someone opening a phishing email. If you follow this sort of news, you know that ransomware attacks are on the increase around the world; here’s a prominent recent example. I’m sure the system will recover from this, and good for the OCA if they detected it quickly. We just need to up our vigilance and defensive measures to stay on top of this.

“Coordinated cyberattack” on several Texas cities

That doesn’t sound good.

Twenty-three Texas towns have been struck by a “coordinated” ransomware attack, according to the state’s Department of Information Resources.

Ransomware is a type of malicious software, often delivered via email, that locks up an organization’s systems until a ransom is paid or files are recovered by other means. In many cases, ransomware significantly damages computer hardware and linked machinery and leads to days or weeks with systems offline, which is why it can be so costly to cities.

According to a weekend update by the Texas DIR, the attacks started Friday morning and though the locations aren’t named, “the majority of these entities were smaller local governments.”

Texas Governor Greg Abbott ordered a “Level 2 Escalated Response” on Friday following the incident, according to a statement from Governor’s Office deputy press secretary Nan Tolson. This response level, determined by the state’s Department of Emergency Management, is part of a four-step response protocol, and is one step below the highest level of alert, level 1 or “emergency.”

According to the state emergency management planning guide, this means “the scope of the emergency has expanded beyond that which can be handled by local responders. Normal state and local government operations may be impaired.”

In addition to the state and local agencies assisting with the response, “Governor Abbott is also deploying cybersecurity experts to affected areas in order to assess damage and help bring local government entities back online,” Tolson said.

This NPR story has more details.

The Federal Bureau of Investigation and state cybersecurity experts are examining the ongoing breach, which began Friday morning and has affected mostly smaller local governments. Officials have not disclosed which specific places are affected.

Investigators have also not yet identified who or what is behind the attack that took the systems offline, but the Texas Department of Information Resources says the evidence so far points to “one single threat actor.”

Elliott Sprehe, a spokesman for the department, said he was “not aware” of any of the cities having paid the undisclosed ransom sought by hackers. He said the areas impacted are predominantly rural. The department initially put the number of cities attacked at 23.

Two cities so far have come forward to say their computer systems were affected. Officials in Borger, in the Texas Panhandle, said the attack has affected city business and financial operations. Birth and death certificates are not available online, and the city can’t accept utility payments from any of its 13,250 residents. “Responders have not yet established a time-frame for when full, normal operations will be restored,” city officials said.

[…]

Experts say that while government agencies have increasingly been hit by cyberattacks, simultaneously targeting nearly two dozen cities represents a new kind of cyberassault.

“What’s unique about this attack and something we hadn’t seen before is how coordinated this attack is,” said threat intelligence analyst Allan Liska. “It does present a new front in the ransomware attack,” he said. “It absolutely is the largest coordinated attack we’ve seen.”

Liska’s research firm, Recorded Future, has found that ransomware attacks aimed at state and local government have been on the rise, finding at least 169 examples of hackers breaking into government computer systems since 2013. There have been more than 60 already this year, he said.

The city of Keene, near Fort Worth, was also hit, and its mayor said the attack came via the city’s IT provider; small towns like these outsource that task because they don’t have the resources to do it themselves. This is a real problem that’s going to keep happening, and we really should put more money and effort into fighting it at the state and national level. Good luck to all involved in cleaning up the mess. A more recent statement from the Texas DIR is here, and the Star-Telegram, the Chron, and the Trib have more.

Mobile payments

Austin is a hot spot for the hot new thing in retail technology.

Mobile payments technology is gathering steam across the country, but Austin is one of the hot spots, both for deployment of new technology and for development of new software for payment systems and payment processing.

Dozens of merchants have affiliated with Square Inc., a well-funded startup based in San Francisco that is winning over smaller merchants with lower credit card processing fees.
Other companies in the field are coming here because of the tech talent base. Mozido, an ambitious payments startup, moved from Dallas to Austin early this year, drawn by better recruiting prospects.

“There is a lot of talent and energy here,” said company founder Michael Liberty. “It seemed like all the good young engineers in mobile who we wanted to recruit either lived here or aspired to live here.”

Brent Warrington, CEO of SecureNet Payments Systems, a payments processing company, moved the company headquarters and its technology development hub to Austin last year from Maryland to tap into the talent pool.

Warrington, a payments industry veteran, said the mobile payments industry is starting to take off after years of more talk than action. “There have been more changes in the payments industry in the last year than I have seen in the previous 15 years of my career,” he said.

Isis, a big joint venture of three mobile carriers, is using Austin as one of two pilot markets for its mobile payments service. The company has brought 1,000 merchant locations on board in Central Texas since the middle of last year and presently is adding about 100 a month. The company is working with Austin’s Mutual Mobile on some software development projects. It is using Gemalto, a big European digital security provider with operations in Austin, for its Trusted Service Manager security.

And PayPal, a veteran of online payments, is adding new workers in California and Austin as it focuses on making mobile payments the starting point for its new software development. The company was recruiting new talent during the recent South by Southwest festivals. The PayPal Austin development center, which is run in conjunction with its parent eBay Inc., employs about 650 people.

A newcomer to town is Visa Inc., a global payments giant, that is building a big software development center on Research Boulevard. The project, which expects to employ nearly 800 people within five years, received approval for state and local incentives late last year. Visa hasn’t spelled out publicly what the Austin development center will be working on, but part of its assignment is expected to be mobile payments.

Other payments companies in town include: Starmount Inc., which develops mobile point-of-sale software for retailers; Bypass Lane, which creates mobile payments systems for public venues and campuses; and Tabbed Out, which develops mobile software for settling tabs at restaurants and bars.

Analyst David Schropfer with New York-based Luciano Group rates Austin among the top cities in the world for mobile payments, taking into consideration the Isis pilot program here and the companies doing software development and market development here.

“Austin is a snapshot into what will happen in the rest of the country and the rest of the world in mobile payments,” he said. “I would put Austin among the top five cities in the world in terms of focus and attention that people are giving to it and the companies that are there.”

Gartner Group, a major tech consulting firm, estimates that global mobile payments will more than triple over the next three years, expanding to an estimated $617 billion. That sounds like a lot, but it compares with estimates that global retail sales will reach $20 trillion by 2017.

The key factor behind the optimistic forecasts is the public’s fascination with smartphones, which are fast becoming the dominant form of cellphone being sold worldwide with an estimated 722 million shipped last year. International Data Corp., another tech consulting firm, expects the number of smartphones shipped annually will double to 1.5 billion over the next four years. Keep in mind that there are presently about 7 billion people on the planet.

It’ll be very interesting to see how this shakes out. I can’t imagine that the market will ultimately support more than maybe two or three mobile payment technologies. People aren’t going to load up multiple apps on their smartphones, and vendors won’t want to bother with systems that their customers don’t use. Will established players like Visa and PayPal suck all the oxygen out of this space, or will the upstarts steal their thunder and become big boys and girls themselves? Place your bets, y’all.

One cannot talk about new technology without also talking about security for this new technology.

Payments industry executives say the technology is good and getting better. But security experts say the swift growth of smartphone use inevitably is going to attract fraud. And as more consumers use their mobile phones as payment devices, the potential risks can increase.

Dallas-based NQ Mobile, the leader in security software for smartphones, says it saw more than 65,000 new malware threats released worldwide in 2012, up from 24,000 the year before. Malware and phony app sites can direct unsuspecting phone users to sites where they give up sensitive personal information, such as bank account passwords.

“It is a real problem, and it is growing,” said Gavin Kim, chief commercial officer of the company. “Smartphone sales are booming, and they are becoming a much more targeted device by hackers.”

The company sells software that can identify mobile phone app sites and protect users against malware and viruses.

Interest in the mobile phone security software is growing, but the company estimates that only about 8 percent of the mobile market actually uses security products on phones.

Certainly, the threat of malware is there for smartphones – it’s a huge growth opportunity for the bad guys, especially if smartphones become popular for making payments. The back end is likely the bigger target, but I presume that the PCI DSS standard would still apply to mobile payment systems. And threats aren’t limited to just software these days. It’s only a matter of time before there’s a vulnerability in mobile payment systems. That doesn’t mean you should avoid them, just that, as with everything else related to computing, you should be aware of the risks and take steps to mitigate them.

Check your DNS

Your computer may be infected with a virus that will cause it to lose connectivity to the Internet in July.

For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections this summer.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system is to be shut down.

The FBI is encouraging users to visit a website run by its security partner, http://www.dcwg.org, that will inform them whether they’re infected and explain how to fix the problem. After July 9, infected users won’t be able to connect to the Internet.

Most victims don’t even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

Last November, the FBI and other authorities were preparing to take down a hacker ring that had been running an Internet ad scam on a massive network of infected computers.

“We started to realize that we might have a little bit of a problem on our hands because … if we just pulled the plug on their criminal infrastructure and threw everybody in jail, the victims of this were going to be without Internet service,” said Tom Grasso, an FBI supervisory special agent. “The average user would open up Internet Explorer and get ‘page not found’ and think the Internet is broken.”

So what they did was install a couple of servers to provide correct DNS lookups to the affected computers, but in July those servers will be shut off and anyone relying on them will not be able to surf. You can go to http://www.dcwg.org to check and see if you’re one of the infected ones and get cleaned up if you are.
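The check described above boils down to looking at which resolvers your machine is configured to use. As an added illustration (not code from the original post or from dcwg.org), here is a small Python script that parses resolv.conf-style text and flags any nameserver that falls in a list of suspect address ranges. The ranges below are constructed placeholders in RFC 5737 documentation space, because the post does not list the actual rogue resolver ranges; substitute the published list before relying on it.

```python
import ipaddress
from typing import List, Tuple

# Placeholder ranges (RFC 5737 documentation space), NOT the real rogue
# resolver ranges from the DNSChanger case, which this post does not give.
SUSPECT_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text (Unix format assumed)."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def classify(addr: str) -> str:
    """'suspect' if addr is inside a suspect range, 'ok' otherwise, 'invalid' if unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    # Membership test is version-aware: an IPv6 address never matches an IPv4 range.
    if any(ip in net for net in SUSPECT_RANGES):
        return "suspect"
    return "ok"


def check_resolvers(resolv_conf: str) -> List[Tuple[str, str]]:
    """Pair each configured nameserver with its classification."""
    return [(server, classify(server)) for server in parse_nameservers(resolv_conf)]


# Constructed sample: one resolver inside a placeholder suspect range, one outside.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 9.9.9.9   # public resolver, fine
"""

if __name__ == "__main__":
    for server, verdict in check_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{server}: {verdict}")
```

On a real system you would feed it the contents of /etc/resolv.conf (or, on Windows, the resolver addresses shown by ipconfig /all), and treat any "suspect" result as a reason to run the dcwg.org check and clean the machine.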

FBI officials said they organized an unusual system to avoid any appearance of government intrusion into the Internet or private computers. And while this is the first time the FBI used it, it won’t be the last.

“This is the future of what we will be doing,” said Eric Strom, a unit chief in the FBI’s Cyber Division. “Until there is a change in legal system, both inside and outside the United States, to get up to speed with the cyber problem, we will have to go down these paths, trail-blazing if you will, on these types of investigations.”

Now, he said, every time the agency gets near the end of a cyber case, “we get to the point where we say, how are we going to do this, how are we going to clean the system” without creating a bigger mess than before.

Keep an eye on this, because something like it is sure to happen again soon.