
Acer Falls Victim To $50 Million Ransomware Attack

Last Updated: Mar 22nd, 2021 2:21 pm
14 replies
Deal Expert
Jun 15, 2011
42464 posts
6776 upvotes
@anabioz

Looking forward to hearing your thoughts on this from both a technical and non-technical standpoint.

In addition to posting the link, let’s get an actual discussion going too. :)
Blanka
Deal Expert
Mar 23, 2009
19404 posts
5473 upvotes
Toronto
20% discount! - This belongs in the Hot Deals forum.
Deal Expert
Aug 22, 2011
35609 posts
21668 upvotes
Center of Universe
Microsoft should be on the hook for 50%.
I'm surprised OEM software companies such as Microsoft are not more accountable for their vulnerabilities.
Deal Expert
Apr 16, 2001
15812 posts
2405 upvotes
vkizzle wrote: Microsoft should be on the hook for 50%.
I'm surprised OEM software companies such as Microsoft are not more accountable for their vulnerabilities.
If they were made liable, there wouldn't be any software companies. Or network companies.

Takeaway is when MS is shitting their pants and tells you to install a patch, do it ASAP.
Automatic down-votes: D-Link, TP-Link, Newegg, Canada Computers, any Chinese-owned cellphone, laptop or IoT device.
Deal Expert
Aug 22, 2011
35609 posts
21668 upvotes
Center of Universe
JAC wrote: If they were made liable, there wouldn't be any software companies. Or network companies.

Takeaway is when MS is shitting their pants and tells you to install a patch, do it ASAP.
Oh, there will... ones that aren't pushing it down our throats with vulnerabilities.
[OP]
Deal Addict
Aug 4, 2007
1852 posts
865 upvotes
djemzine wrote: @anabioz

Looking forward to hearing your thoughts on this from both a technical and non-technical standpoint.

In addition to posting the link, let’s get an actual discussion going too. :)
Absolutely, I am waiting for the actual investigation to be complete to have evidence of an entry into their environment and the execution path. There is mention of the recent Microsoft Exchange vulnerabilities (https://krebsonsecurity.com/2021/03/at- ... -software/), which indeed still pose a global risk to many organizations.

However, that was supposed to be patched in the recent 'patch tuesday' - https://krebsonsecurity.com/2021/03/mic ... 1-edition/ .

I say let's reconvene once we have more technical details around this.
Deal Expert
Apr 16, 2001
15812 posts
2405 upvotes
vkizzle wrote: Oh, there will... ones that aren't pushing it down our throats with vulnerabilities.
Heh, name one. ;)
Automatic down-votes: D-Link, TP-Link, Newegg, Canada Computers, any Chinese-owned cellphone, laptop or IoT device.
Deal Expert
Aug 22, 2011
35609 posts
21668 upvotes
Center of Universe
JAC wrote: Heh, name one. ;)
I'll get back to you on that.
My company develops proprietary software for our customers... going to dig into the legals.
Member
Dec 6, 2020
399 posts
377 upvotes
JAC wrote: If they were made liable, there wouldn't be any software companies. Or network companies.
Every industry claims the same thing when faced with the prospects of not being able to offload their externalities onto the public. The tech sector, however, is the only industry that enjoys near complete immunity from liability from selling defective products. Every other industry copes with regulations and/or liability risks. The tech sector should be no different.

Software is mature enough that most security flaws discovered now are not the result of completely unknown attack vectors but rather are the result of software vendors choosing not to follow sound software engineering practices. Vendors choose to cut corners because immunity from liability gives them an incentive to pursue profit over customer safety. Change the incentives and software would become far more secure overnight.

The only cost would be that various tech CEOs could afford fewer houses and fewer absurd hobbies. That's a reasonable price to pay in exchange for the tech sector's victims/customers not needing to spend millions to manage the risks of software vendors selling defective products.
Deal Addict
Nov 24, 2013
1484 posts
828 upvotes
Toronto
Some "flaws" are intentional to assist intelligence services.
Deal Guru
Mar 12, 2005
10077 posts
2030 upvotes
Victoria
I'm also not convinced that any software can be 100% foolproof. Just as there are clever people writing the program, there are other clever people trying to break it down. Is it possible in tech land for anything to be 100% foolproof? I'm sure companies could do better, but 100% foolproof I'm not so sure.
Deal Expert
Jun 15, 2011
42464 posts
6776 upvotes
@JAC @vkizzle @middleofnowhere @lpin14 @zod Good posts so far, but let's discuss the technical aspect of things about the actual strain itself.

From signs of any lateral movement, persistence, behaviour of the malware/ransomware binary, etc. In addition, there is safe mode encryption by the group as well: https://www.bleepingcomputer.com/news/s ... tion-mode/

Also Exchange Servers are targeted by a new strain now: https://www.bleepingcomputer.com/news/s ... ansomware/
Blanka
Moderator
Aug 20, 2009
8283 posts
3233 upvotes
vkizzle wrote: Microsoft should be on the hook for 50%.
I'm surprised OEM software companies such as Microsoft are not more accountable for their vulnerabilities.
As @JAC said, there are software vulnerabilities disclosed all of the time across the industry. Just last week a 10-year-old security vulnerability in the Linux kernel was disclosed. It's an industry-wide problem; I'm not sure liability is the answer, but certainly the incentive needs to be better practices.

This is also why IT and security need to be taken more seriously. Companies often look at IT as a black hole where money goes out and doesn't return, but this is a really short-sighted approach. IT is the department that allows the rest of the company to operate and make money. Security hardening, patch schedules, employee rotations, backup/disaster recovery planning all need to be constantly monitored and updated. Process improvement needs to happen every year. Companies too often force IT onto ever-decreasing budgets and increasing time constraints with fewer employees.
Software is mature enough that most security flaws discovered now are not the result of completely unknown attack vectors but rather are the result of software vendors choosing not to follow sound software engineering practices. Vendors choose to cut corners because immunity from liability gives them an incentive to pursue profit over customer safety. Change the incentives and software would become far more secure overnight.
Yeah, good points here too.
[OP]
Deal Addict
Aug 4, 2007
1852 posts
865 upvotes
I like the engagement in this thread, but what I am seeing is the blame being directed towards the software vendors who provide business solutions.

@lpin14 you mentioned that:
Some "flaws" are intentional to assist intelligence services.
That is simply untrue and should never be perceived as such - this is a major security risk.

What is true, however, is that there could be some undocumented backdoor(s) in the form of service accounts or services used for maintenance or recovery (break-the-glass scenarios); we have seen this very recently with Cisco and Huawei solutions.

What does need to change is a broader adoption of secure coding guidelines, very well documented by OWASP (https://owasp.org/www-pdf-archive/OWASP ... ide_v2.pdf). Each company is responsible for its own security posture and can create security-first programs including, but not limited to, regular penetration tests involving offensive and defensive exercises.

In the case of Acer, who is a constant target in attempts to compromise supply chains, they do have security controls implemented, but were potentially exploited long before by an APT that was able to gain a persistent foothold after the Exchange servers had been patched. We have yet to see more details once the investigation concludes, but we have to be wary of these threats becoming more and more sophisticated.

Rather than blaming the software vendors, we have to invest more into education and adhere to more stringent security controls in each organization. Reduce convenience and implement protocols that will alert on abnormal activity and significantly reduce damage if a part of the infrastructure is compromised. Persistent, highly privileged access is high-risk and a lucrative target for perpetrators, and whether we like it or not, user education is far more important than we think when it comes to cyber security.

Remember, cybersecurity is the responsibility of EVERY employee; don't put it on the shoulders of cyber security professionals who are hired 'to do their jobs'. It is far beyond simply installing an IDS and IPS on the premises.

PS. Acer might be the latest to fall victim to carefully crafted ransomware, but far from the last, and that may not even be the end of it. Imagine compromising their software servers that push updates for drivers, BIOS and firmware, gaining persistent administrative access via bootloader or other means, and having horizontal access to all of the desktops/laptops/hardware they deploy. (NOTE: SolarWinds.)

The lesson here is: no software is 100% secure, nor will it ever be, unfortunately. Each patch that is introduced to improve, fix or correct behaviour will potentially introduce other bugs and/or vulnerabilities. Each company should have its own processes to test for vulnerabilities to improve its security posture, regardless of whether or not the vendor has done so already. You also have to account for integrations done with other systems to facilitate business logic; that on its own can pose a risk, as breaking the logic can trigger unexpected behaviour, yielding unauthorized access as an example.

And if the argument is that the company does not allocate enough budget for that, compare that to the reputation impact, regulatory violations and other security-related requirements that can come with a hefty fine.
