Acer Falls Victim To $50 Million Ransomware Attack

@anabioz

Looking forward to hearing your thoughts on this from both a technical and non technical stand point.

In addition to posting the link, let’s get an actual discussion going too.

20% discount! - This belongs in the Hot Deals forum.

Microsoft should be on the hook for 50%.
I'm surprised OEM software companies such as Microsoft are not more accountable for their vulnerabilities.

vkizzle wrote: ↑ Microsoft should be on the hook for 50%.
I'm surprised OEM software companies such as Microsoft are not more accountable for their vulnerabilities.

If they were made liable, there wouldn't be any software companies. Or network companies.

Take away is when MS is shitting their pants and tells you to install a patch, do it ASAP.

JAC wrote: ↑ If they were made liable, there wouldn't be any software companies. Or network companies.

Take away is when MS is shitting their pants and tells you to install a patch, do it ASAP.

Oh, there will... ones that aren't pushing it down our throats with vulnerabilities.

djemzine wrote: ↑ @anabioz

Looking forward to hearing your thoughts on this from both a technical and non technical stand point.

In addition to posting the link, let’s get an actual discussion going too.

Absolutely, I am waiting for the actual investigation to be complete to have evidence of an entry into their environment and the execution path. There is mention of the recent Microsoft Exchange Vulnerabilities ( https://krebsonsecurity.com/2021/03/at- ... -software/ ) , which indeed still poses a global risk to many organizations.

However, that was supposed to be patched in the recent 'patch tuesday' - https://krebsonsecurity.com/2021/03/mic ... 1-edition/ .

I say let's reconvene once we have more technical details around this.

vkizzle wrote: ↑ Oh, there will... ones that aren't pushing it down our throats with vulnerabilities.

Heh, name one.

JAC wrote: ↑ Heh, name one.

I'll get back to you on that.
My company develops proprietary software for our customers... going to dig into the legals.

JAC wrote: ↑ If they were made liable, there wouldn't be any software companies. Or network companies.

Every industry claims the same thing when faced with the prospects of not being able to offload their externalities onto the public. The tech sector, however, is the only industry that enjoys near complete immunity from liability from selling defective products. Every other industry copes with regulations and/or liability risks. The tech sector should be no different.

Software is mature enough that most security flaws discovered now are not the result of completely unknown attack vectors but rather are the result of software vendors choosing not to follow sound software engineering practices. Vendors choose to cut corners because immunity from liability gives them an incentive to pursue profit over customer safety. Change the incentives and software would become far more secure overnight.

The only cost would be that various tech CEOs could afford fewer houses and fewer absurd hobbies. That's a reasonable price to pay in exchange for the tech sector's victims/customers not needing to spend millions to manage the risks of software vendors selling defective products.

Some "flaws" are intentional to assist intelligence services.

@JAC @vkizzle @middleofnowhere @lpin14 @zod Good posts so far, but let's discuss the technical aspect of things about the actual strain itself.

From signs of any lateral movement, persistence, behaviour of the malware/ransomware binary, etc. In addition by the group, there is a safe mode encryption as well: https://www.bleepingcomputer.com/news/s ... tion-mode/

Also Exchange Servers are targeted by a new strain now: https://www.bleepingcomputer.com/news/s ... ansomware/

vkizzle wrote: ↑ Microsoft should be on the hook for 50%.
I'm surprised OEM software companies such as Microsoft are not more accountable for their vulnerabilities.

As @JAC said, there are software vulnerabilities disclosed all of the time across the industry. Just last week there a 10 year security vulnerability in the Linux kernel was disclosed. It's an industry wide problem, I'm not sure liability is the answer but certainly the incentive needs to be better practices.

This is also why IT and security need to be taken more seriously. Companies often look at IT as a black hole where money goes out and doesn't return but this is a really short sighted approach. IT is the department that allows the rest of the company to operate and make money. Security hardening, patch schedules, employee rotations, backup/disaster recovery planning all need to be constantly monitored and updated. Process improvement needs to happen every year. Companies too often force IT on ever decreasing budgets and increasing time constraints with less employees.

Software is mature enough that most security flaws discovered now are not the result of completely unknown attack vectors but rather are the result of software vendors choosing not to follow sound software engineering practices. Vendors choose to cut corners because immunity from liability gives them an incentive to pursue profit over customer safety. Change the incentives and software would become far more secure overnight.

Yeah, good points here too.

I like the engagement in this thread, but what I am seeing is the blame being directed towards the software vendors who provide business solutions.

@lpin14 you mentioned that:

Some "flaws" are intentional to assist intelligence services.

That is simply untrue and should never be perceived as such - this is a major security risk.

What is true however is that there could be some undocumented backdoor(s) in a form of service accounts or services used for maintenance or recovery (break-the-glass scenarios), we have seen this very recently with Cisco and Huawei solutions recently.

What does need to change is a broader adoption of secure coding guidelines, very well documented by OWASP (https://owasp.org/www-pdf-archive/OWASP ... ide_v2.pdf). Each company is responsible for their own security posture and can create security-first programs including and not limited to do regular penetration tests involving offensive and defensive exercises.

In the case of Acer, who is a constant target in the attempts to compromise supply-chains, they do have security controls implemented, but potentially were exploited by an ATP long before who were able to gain persistent foothold after exchange servers have been patched. We have yet to see more details once the investigation concludes - but we have to be wary of these treats becoming more and more sophisticated.

Rather than blaming the software vendors, we have to invest more into education and adhere to a more stringent security controls in each organization. Reduce convenience and implement protocols that will alert abnormal activity and significantly reduce damage if a part of infrastructure is compromised. Persistent, highly privileged access is a high-risk and a lucrative target for perpetrators and whether we like it or not - user education is far more important than we think when it comes to cyber security.

Remember, cybersecurity is a responsibility of EVERY employee, don't put it on the shoulders of cyber security professionals who are hired 'to do their jobs', it is far beyond simply installing an IDS and IPS on the premise.

PS. Acer might be the latest victim to fall victim of the carefully crafted ransomware, but far not the last and that may not even be the last of it - imagine compromising their software servers that push updates for drivers, bios, firmware and gaining persistent administrative access
via bootloader or other means and having horizontal access all of their desktops/laptops/hardware they deploy. (NOTE: Solarwinds).

The lesson here is - no software is 100% secure and nor will it ever be unfortunately. Each patch that is introduced to improve, fix or correct behaviour will potentially introduce other bugs and/or vulnerabilities. Each company should have their own processes to test for vulnerabilities to improve their security posture, regardless of whether or not the vendor has done so already. You also have to account for integrations done with other systems to facilitate business logic - that on its own can pose a risk as breaking the logic can trigger unexpected behaviour yielding unauthorized access as an example.

And if the argument is - the company does not allocate enough budget for that - compare that to the reputation impact, regulatory violations and other security related requirements that can come at a hefty fine.