[HN Gopher] After Boeing declines to pay up, ransomware group leaks 45 GB of data

Author : turtlegrids
Score : 264 points
Date : 2023-11-20 18:47 UTC (4 hours ago)
Web link : www.itbrew.com

strangattractor wrote:
Didn't a ransomware gang just renege on a deal and release the data anyway? Seems like they are killing their own business model. If company X cannot depend on the gang delivering, why pay in the first place? Boeing will have to pay for any fallout from the data breach - why have the added expense of paying the criminals for the privilege?

barryrandall wrote:
They do that all the time. The first ransom is to get the decryption keys to the target's data, the second ransom is to prevent them from publishing the decrypted data.

CivBase wrote:
If they're going to publish the data publicly, what do you need decryption keys for? Seems like it's basically an all-or-nothing deal to me.

contravariant wrote:
I think that's why you ransom the decryption key first. If I understood correctly.

bretpiatt wrote:
Perspective as CEO of a backup and disaster recovery company...

A lot of folks now have ransomware protected backups for critical data so they aren't paying for decryption keys.

This has escalated to hack and release: the attackers are now exfiltrating data and threatening to make it public in addition to encrypting it on the host system.

sandworm101 wrote:
>> If they're going to publish the data publicly, what do you need decryption keys for?

Because they will publish the bad stuff, the stuff you really don't want public, but likely withhold the boring stuff, the stuff the business really needs to function. And whatever they release might not be in the format that it was taken.
barryrandall wrote:
They only tell you about the second extortion attempt after the success of the first. As I understand it, each gang operates differently, but most are consistent in their approach (e.g. x will always double ransom, but y will never).

asdfman123 wrote:
Tragedy of the commons. We need to establish a centralized judicial system to identify and shut down bad ransomware actors.

op00to wrote:
Let's hold off on advocating for a New World Order just yet.

ceejayoz wrote:
I wonder if this counts as an ITAR violation on Boeing's part.

da_chicken wrote:
How do you figure that?

ceejayoz wrote:
There's almost certainly ITAR-subject data in a Boeing data dump of this size; I'm curious as to whether not paying a ransom counts as releasing it.

lesuorac wrote:
I'm more curious why failing to secure it doesn't count as an ITAR violation.

hiharryhere wrote:
I doubt it. Here in Australia at least, companies with large gov contracts are prevented by gov policy from paying ransoms.

ceejayoz wrote:
It wouldn't be the first catch-22 scenario caused by conflicting laws.

tsujamin wrote:
Out of curiosity, what's the source on that? AFAICS there's no clear legislation restricting it (although a lot of talk about such a bill in the future). Is it in standard contract terms?

brookst wrote:
I think ITAR covers exporting, which is necessarily intentional. At least I'm not aware of any espionage victim also being subject to ITAR prosecution.

annoyingnoob wrote:
In the case of ITAR, not exporting means limiting access to US persons only. I suspect this could be a violation, even if unintended.

dymk wrote:
Size of the dump means nothing; on one extreme it's a single 45GB video file of a security camera looking at nothing.

2OEH8eoCRo0 wrote:
Being a Russian-linked cyber gang, anything sensitive in there should be treated as public information now anyway. Why bother paying then?
kh49 wrote:
The never ending cost of low quality outsourced digital transformation. Pathetic how many large corps have been hit. And the taxpayer has to foot the ever growing bill to investigate and defend these useless orgs.

hnthrowaway0315 wrote:
Basically every large, traditional business is relying on some offshore gig for certain key technical responsibilities. They probably don't consider it the real key as they are cost centers, but hey, ransomware is reminding them.

It's not even just offshore. Some onshore consultancies are really of agasp quality.

pid-1 wrote:
Is there any case of a company suffering significant financial backlash due to ransomware attacks?

My current impression is: consumers don't care, regulators don't care... so why should CEOs care?

hnthrowaway0315 wrote:
Yeah, you have a good point.

rileyphone wrote:
Customers care if your business is in security, especially b2b. Though the biggest downstream effects are probably from security tightening making it more difficult to get anything done.

Source: my company was hit a couple months ago

dimitrios1 wrote:
I don't think in the case of airlines we have the option to care. We are just kind of stuck with whatever the government-backed airline oligarchy chooses to do. The airlines would be the ones to have to care for it to matter. When the 737-MAX crashes occurred many frequent travelers, including myself, flat out refused to fly 737-MAX even after we were given assurances by the regulatory bodies. But after a while it just didn't matter. Life goes on, your company will book you on the plane that's the cheapest or part of their plan or whatnot, and you just get stuck being a cog in the wheel again.

punkybr3wster wrote:
The MGM ransomware supposedly cost them $100mil

whatever1 wrote:
Is it a tax write-off?

newswasboring wrote:
This attack originated from an acquired company by Boeing.
No outsourced party seems to be involved. Am I missing something in the article?

CatWChainsaw wrote:
"digital transformation" was such a hot buzzword too, and yet the biggest market players don't want to spend enough to ensure it goes well, apparently.

stillwithit wrote:
> And the taxpayer has to foot the ever growing bill...

You might be put at ease to read all that debt is a hallucination humanity has no obligation to pay.

Also, after decades in IT hearing about one lapse in security after another (including entire Iron Mountain trucks being robbed back in the day) yet society seems capable of shrugging them off, it's hard to take the anxiety seriously.

It's possible the CEOs are not the only people in IT inflating the value of their contributions and ideas.

barbazoo wrote:
Are there any signs to suggest that this was being made possible by "low quality outsourced" work?

legitster wrote:
I struggle to see how this business model would work in the first place. They pay you and you pinky swear not to release it? All you are doing by negotiating is to buy the victim time to harden their systems.

This sounds like a failed ransomware attack. They encrypted the systems - Boeing says "no thank you, we have backups". There were no valuable zero-days to sell to GRU, so give a last ditch offer to try to salvage something.

hnthrowaway0315 wrote:
I wouldn't be surprised if some ransomware gangs are frontends of national (in)security agencies. They don't care about profits. Sure, it's good to have some.

kramerger wrote:
Well, every time Boeing tried to bribe a country, someone leaked emails and audio recordings from their secret meetings.

Usually we blame the Chinese, but in this case I think it's a toss between CIA and NSA.

(I think I'm on some kind of list now)

Edit: I am an idiot.
I was thinking of Airbus, see @perihelions comment below.

perihelions wrote:
Which incident are you referring to? The NSA took credit for hacking Airbus, but that's Boeing's _foreign competitor_ -- not Boeing.

https://www.economist.com/special-report/2003/06/12/airbuss-...

- _"According to a European Parliament report, published in 2001, America's National Security Agency (NSA) intercepted faxes and phone calls between Airbus, Saudi Arabian Airlines and the Saudi government in early 1994. The NSA found that Airbus agents were offering bribes to a Saudi official to secure a lion's share for Airbus in modernising Saudi Arabian Airlines' fleet. The planes were in a $6 billion deal that Edouard Balladur, France's then prime minister, had hoped to clinch on a visit to see King Fahd in January 1994. He went home empty-handed."_

- _"James Woolsey, then director of the Central Intelligence Agency, recounted in a newspaper article in 2000 how the American government typically reacted to intelligence of this sort. "When we have caught you [Europeans]...we go to the government you're bribing and tell its officials that we don't take kindly to such corruption," he wrote. Apparently this (and a direct sales pitch from Bill Clinton to King Fahd) swung the aircraft part of the deal Boeing's and McDonnell Douglas's way."_

kramerger wrote:
You are correct. I think my brain was on a break while I was writing that :)

bee_rider wrote:
I imagine at least some (probably many) of the engineers who work for Boeing have a basically lawful-good/lawful-neutral temperament and are just disgusted by things like bribery. Maybe one of the parties in the conversation leaked it, no intelligence agencies needed.

emodendroket wrote:
Why exactly would the CIA or NSA want to do that?
Boeing works so closely with the security apparatus they're practically an unofficial member, so I don't understand what the motivation would be.

hnthrowaway0315 wrote:
It doesn't hurt to hack into any corporation. You never know what kind of intelligence you might get out. There are also considerations of different factions, I guess.

jowea wrote:
For North Korea, sure, quite believable. Some links existing also sound likely for the Russian gangs.

jasonwatkinspdx wrote:
It's an open secret that FSB et al. work with ransomware gangs. As long as they don't target Russian companies they don't care what they do otherwise. So it's not so much that they're a front as that they're in a sort of quasi officially sanctioned middle ground.

r00fus wrote:
Digital privateers

terminous wrote:
https://en.wikipedia.org/wiki/Letter_of_marque

hnthrowaway0315 wrote:
Yeah. I'm also thinking about ways to "promote" malware without getting impacted.

Let's say some three digit agencies create sort of malware distribution forums in the darknet. They make sure to only broadcast to people who want to play with malware so the net catches the "bad guys" mostly, except for a few curious researchers or journalists maybe. Then they start to share recent generation malware they created. They don't need to distribute it by themselves because they already have the CCC servers. Some malware gangs would eventually be the frontend and start the distribution.

In this way you not only distribute the malware without getting impacted, you also get to know the gangs, so whenever you want to catch a few fishes you just pull the net.

Once the darknet forum dies out or they need to wipe the records, they would just leave and create a new one.

Just my wild thought.
sofixa wrote:
As an example, the DarkSide malware (the one used against the Colonial Pipeline) explicitly checks if it's running on a computer in the CIS (Russia + countries nostalgic of the Soviet Union / without a better choice) and exits.

sfink wrote:
privateers

beambot wrote:
> How North Korea's Hacker Army Stole $3 Billion in Crypto, Funding Nuclear Program

https://www.wsj.com/articles/how-north-koreas-hacker-army-st...

nimih wrote:
> They don't care about profits.

This isn't really true in general: intelligence agencies often want access to funds with less/no oversight from (or to skirt controls enacted by) other parts of the government. As an example, that was the dynamic at the basis of the Iran-Contra affair in the US.

RandallBrown wrote:
> They pay you and you pinky swear not to release it?

Yes. If any of this information does end up getting leaked, it kills the credibility of the ransomware group and they'll never get paid again. Sort of mutually assured destruction.

Now of course, most people don't really trust criminals anyway, so the business has a pretty strong bargaining position and I believe many of the ransoms are negotiated way down.

tanelpoder wrote:
Wouldn't it be easy to just pick a new name for the ransomware group then?

(or do we need eBay-like "seller ratings" and customer reviews for ransomware groups?)

ceejayoz wrote:
A no-name ransomware group is less likely to be trusted to hold up their end of the bargain than one with an established reputation.

Didn't Silk Road have eBay-style ratings/reviews?

jeron wrote:
What good are the reviews? "5 stars, didn't leak data after ransom paid"

barryrandall wrote:
It's more like, "Security Company X says this gang has behaved predictably in their previous interactions."
csydas wrote:
SilkRoad was a dark web market, so the comparison from the parent is a bit strange for me, but regarding your comment on reviews, yes, they're very important, and for the sites I've used, the reviews have been very reliable and useful.

My understanding is that since it's a much more limited market, access is very difficult even under normal circumstances (not because of security but just because dark web markets usually have awful performance for various reasons), so it's a far different review landscape than, say, shopping on Amazon, at least the ones I have used. The markets themselves were fantastic about refunds/conflict resolution, better than most normal online shops. Reputation is key for basically everything dark web, and the main actors in this space are notoriously petty and bold towards anyone that makes it harder to conduct business.

I imagine it's very similar with ransomware, as there has to be some reason for the targets of the attack to believe paying the ransom is worth it, and anyone who upsets that balance for the ransomware gangs unexpectedly becomes rapidly unpopular, and usually a target for the other gangs. It very much relies heavily on the honor system, but it seems the groups are committed to such a system.
yieldcrv wrote:
All the darknet markets have eBay style ratings, but for the vendor and products purchased, not for reviews on negotiating with a ransomware group that weaponized it.

Silk Road was 10 years ago; that would have been like the smallest one ever since then. Just curious why it is referenced at all, and in such an odd way.

"I heard eBay has bulletin board like reviews" _you know you can just go look, in a web browser_ "whoa, that's crazy talk, I prefer 10 year old hearsay"

Anyway, they often have a separate forum where one could ask more about a group.

adolph wrote:
5 star would hostage again

Superhost for my datas

echelon wrote:
Amazing satire, but I shudder to think that's how companies actually treat ransomware.

All companies and governments should take the stance that any ransomwared or compromised data is now public. And if they don't have the backups, then they should consider it permanently lost.

Write it off as a business loss and hire better ops people.

dkjaudyeqooe wrote:
Govts should make funding ransomware groups a criminal offense. The money is likely going to RU and NK anyway.

red-iron-pine wrote:
Depends on what their SOP is. Attribution is hard, but there are a lot of really, really smart people trying really hard to identify orgs by their TTPs.

You can rebrand as CaTBUTT, or Indrik Spider 2.0, or whatever, but if you're using some custom version of Mirai they'll eventually tag your M.O. and the threat intelligence briefings will reflect that.

And then no ransom.

tanelpoder wrote:
Didn't think of that, thank you.

Exuma wrote:
What is Mirai? Can you re-explain what you said in plain English?

not2b wrote:
You could have Googled it, but you can start with https://en.wikipedia.org/wiki/Mirai_(malware)

barryrandall wrote:
They'd need to burn all their tools, techniques, and practices for this kind of rebrand to be successful.
Jaepa wrote:
From what I understand there's a market for ransomware negotiators, and reputation (and tooling) is very much a thing that affects settled price.

Understand: from the ransomer's point of view this is another Monday, albeit one where a big fish walked away.

FirmwareBurner wrote:
So there's honor among thieves.

ben_w wrote:
There's an iterated prisoner's dilemma; I wouldn't go as far as calling that honour.

GuB-42 wrote:
That's fundamentally what honor is.

ben_w wrote:
The result may be the same, but I think honour requires a state of mind where you do the "honourable" thing even if nobody will know.

__MatrixMan__ wrote:
Agreed. Honor may have its roots in a prisoner's dilemma, but you're not actually practicing it until you have Stockholm syndrome.

barryrandall wrote:
Only to the extent that they derive value from being perceived as consistent.

paulcole wrote:
My brother did this with lawn care and HVAC companies. The first business lesson he learned was never name your business after yourself. He was about 16 when he learned this and ever since it's been like AAA Lawn Care or Aces HVAC until he gets so many negative reviews he can't get more business.

frandroid wrote:
So lesson of the story: avoid the AAA named companies because they've been in the respawning business for a long time.

Tyr42 wrote:
Or at least the ZZZ corps if they made it that far down the alphabet.

sfink wrote:
The lesson is that hiring "ZZZ Lawn Care" is a _really_ bad idea.

paulcole wrote:
This was a plot point in The Accountant starring Ben Affleck.

He's a criminal who launders money through small businesses he owns and the accounting firm he runs. He names it ZZZ Accounting so it doesn't get a lot of calls through people looking up accountants in the phone book.
jstarfish wrote:
Nah, back in the old days A1 Locksmith or AAA Windshields were just competing for top placement in the (alphabetized) phone book.

Look to Amazon for new ideas on DGA-derived names for your fly-by-night business.

temporarara wrote:
Your brother is the hero this world deserves. And this is why I generally trust only those small businesses who have their full real name on display.

HeyLaughingBoy wrote:
You're assuming it's _their_ real name...

paulcole wrote:
When he was a teenager and had a business under his own name he'd get in trouble sometimes because he'd close all the deals himself, then hire other kids to go out and do the work.

Some homeowners thought it was going to be him cutting their lawns and would get upset because the contract said he'd do it. So he'd just rip up the contract in front of them and refuse to cut their lawn ever again.

In Florida there were so many houses with lawns in so many subdivisions he was always busy anyway. Plus he liked getting into fights with adults. Win win, I guess.

mysterydip wrote:
Couldn't the ransomware group just come back under another alias to clean their slate?

rtkwe wrote:
If any group does it, it kills the credibility of new entrants too, so there's still incentives to not do it.

cjaybo wrote:
Are these rational actors who would even care about the collective long term effects? E.g. the same could be said for drug dealers ripping off their customers, but that still happens daily because they often prioritize short term self interest over long term/collective concerns.

NegativeK wrote:
Many ransomware groups have learned that acting more like a business results in higher payouts. They're not all going to do it, but they have payment portals, negotiators using professional language, attempts to maintain reputation, etc.
Obviously this behavior doesn't apply to all of them, but it's a clear effort by some of them to immediately appear more palatable to the random IT worker, the execs, and the lawyers who are watching the whole process play out.

And it also lines up with the fact that ransomware groups have freaking HR departments to handle their employees.

galangalalgol wrote:
And Boeing could never know Airbus hadn't been given the opportunity to buy the data, as they would never disclose that.

rtkwe wrote:
It's not consistent across the broad category of criminal for sure, but they're probably not the most long term oriented people as a rule now. Initial groups were more, for lack of a better word, professional about the process, with some groups even having a kind of tech support for helping victims to make sure people would believe they'd get their files back if they paid. Better preparation on the corporate side and a democratization of the tools to perform it has led to some changes, it looks like, where ransomware groups didn't exfiltrate often before because it wasn't their main playbook.

csydas wrote:
Yes, mostly because the other actors are notoriously vengeful and petty; ransomware gangs, dark markets, etc., they don't just register complaints with each other, they typically look to ensure the bad actors are removed from the space entirely.

Regarding drug dealers, I wouldn't consider it a good comparison. The actions of one dealer typically don't affect others; they're just not that connected beyond professional recognition/courtesy. If dealer A is shorting their customers, dealer B absolutely wouldn't care, as why would they? They have no relationship, and it'd probably mean the customers go to dealer B instead. Business will continue as usual even if one bad actor is doing shitty stuff to their customers.
With ransomware that is not the case -- if public opinion overwhelmingly tells there's no sense in paying because the ransomware gangs never follow their word, that affects all the gangs, not just the bad actor. The gangs already have a hard enough argument to make as to why the targets should pay, so anything that frustrates that further is frowned upon.

callalex wrote:
By that logic, illicit food and drugs wouldn't have a problem of being cut with fillers. A tragedy of the commons doesn't really rein in the behavior of criminal organizations.

micromacrofoot wrote:
A clean slate also means rebuilding reputation.

legitster wrote:
Data ransoms have existed for a long time before "ransomware" was even really a thing - there's just never been a market for ransoms for the "stolen" data. Once it's out you can't put that genie back in the bottle.

The reason ransomware worked was you didn't have to trust the group long-term - just enough to give you a copy of your data back.

It's the difference between you making a copy of my car keys and stealing them. Yes, I will pay for "a" key back - I only have to trust you enough to hand it over.

jowea wrote:
I wonder why they don't make it into a recurring payment instead of a one time deal. Turn it into an iterated game theory game.

timeon wrote:
RaaS

augustulus wrote:
more risk of exposure presumably

kspacewalk2 wrote:
> credibility of the ransomware group

Hilarious.

waynesonfire wrote:
It's your naive comment that I find hilarious. It's a business like any other that puts food on people's plates. In fact, a mature business with a deep and sophisticated industry. It benefits all participants when everyone behaves reliably and predictably. These aren't amateurs.

JohnFen wrote:
> it kills the credibility of the ransomware group

There are people who consider these groups credible?? The world really has gone insane.
dkjaudyeqooe wrote:
> it kills the credibility of the ransomware group

There are review sites for ransomware groups?

"honored promise not to disclose, didn't gloat or taunt, would pay again, 10/10"

arnvald wrote:
Not sure about review sites, but there are companies specializing in ransomware negotiations on behalf of the victims, and they can advise not to pay a group that is known to release the data anyway.

barryrandall wrote:
They also help their clients to determine whether or not anything valuable was taken. 40 GB of travel documentation and approvals, parking garage logs, or call center workstation images isn't worth much. Paying a ransom might require board approval, whereas a security incident that doesn't impact the stock price probably won't even require board notice.

hot_gril wrote:
Either way, seems like something that a government or other actor could mess with, thus making it harder for hackers to profit.

miohtama wrote:
I am sure there are discreet nation state buyers, like Russia and China, who are happy to use the information without causing an incident. Russia does not even need to ask, as most ransomware gangs operate under the blessing of Putin.

justsomehnguy wrote:
[citation needed]

At least for 'most'.

bastawhiz wrote:
> it kills the credibility of the ransomware group and they'll never get paid again

I don't buy it. There's nothing to stop the group from rebranding themselves. The company has no proof nobody else got a copy of the data. And the group could simply hang onto the data, extort a bunch of money from other companies, then start back at the beginning and demand even more (knowing that the data is worth _at least_ what was already paid for it).

sofixa wrote:
> I don't buy it. There's nothing to stop the group from rebranding themselves

Apart from the fact that nobody would pay them if they have no reputation.
raincole wrote:
Then how did they get "reputation" in the first place? Quite a chicken and egg problem, right?

hot_gril wrote:
By starting with smaller ransoms. Same way any new business gets off the ground without rep; it's not easy or very profitable at first.

tshaddox wrote:
Surely that can't be completely true. The reputation has to be bootstrapped somehow.

mvkel wrote:
Meh. They don't knowingly release it. But they could certainly continue to try to sell the data on the black market to competitors, etc., which the competitor would never disclose.

ibejoeb wrote:
LockBit just did a sort of collective bargaining with affiliate groups that resulted in guidance for setting initial ransom amounts and rules restricting discounts to about 50%.

willseth wrote:
You'd think that, but in practice these ransomware groups are pretty reliable, and actually many ransomees have remarked on how good the customer service is! Their ability to make money is dependent on them maintaining a reputation for being in the business for money, not lulz, and tmk the pinky swears are typically upheld.

jameson wrote:
> in practice these ransomware groups are pretty reliable

Hard to say...

You're effectively trusting the liar that they won't lie again.

It's possible they leak it to high profile customers without publicly announcing it.

Business should make decisions assuming the data will be leaked eventually, regardless of ransom paid or not.

Perhaps the only thing business can assume is the data won't be publicly released in a short amount of time.

emodendroket wrote:
You could say the same about any "ransom"-based business, really. Kidnappers could decline to release the kidnapped person after they get their money.

JohnFen wrote:
And they often do.
matthewdgreen wrote:
That's why you secret share the data across six Intel SGX instances using software that only reveals the plaintext if it doesn't receive a blockchain-based payment after 30 days. (No, nobody does this. But they could!)

adriancr wrote:
Why would anyone trust the data is only on those instances?

matthewdgreen wrote:
Because you write your ransomware to encrypt to a hardcoded set of public keys that include an SGX attestation from those instances. This can be verified forensically, and the unencrypted plaintext never leaves the victim organization.

crotchfire wrote:
...and then Intel will simply have their HSM sign the cheat-code firmware for the EPIDs of those six chips.

Trust isn't all-or-nothing. When I ride a bus I'm trusting the driver with my life, but I wouldn't trust them to babysit my kids.

Mutability is deniability. I don't trust hardware companies with that. And I don't have to, either.

Stop hawking this SGX snakeoil. Except maybe to ransomware authors, who deserve what they'll get.

matthewdgreen wrote:
Intel could presumably help the ransomware authors bypass SGX protections, but that'd be dumb. They might have some capability to trace attestations to a specific motherboard, but I doubt any sophisticated ransomware group will be foiled by this.

adriancr wrote:
> hardcoded set of public keys that include an SGX attestation from those instances.

You mean:

1. generate a public/private key in enclave

2. generate attestation from SGX enclave with public key hash.

3. seal the public/private key somewhere so it can be reused later, otherwise pc restart or app failures / no data.

4. publish source code that generates mrenclave somewhere that can be audited.

5. encrypt in place and assume remote trusts you when you say data was only exfiltrated encrypted or not at all.

Now, 5 is the problem I mentioned.
Why would anyone trust that data was not exfiltrated unencrypted and copied a few times?

> and the unencrypted plaintext never leaves the victim organization.

You also mentioned this, to be fair. Why would this be trusted?

6. Release data if no payment on bitcoin.

SGX enclaves do not have magic trusted access to the network to get bitcoin payment data.

It can be man-in-the-middled or fooled by omission by whoever controls the machine.

So the key can be released by feeding it bad data (payment was not done and time expired - release to the world).

There's also the problem that attestation might lead to the originating group if the CPU is identifiable.

jasonfarnon wrote:
What benefit is it to the ransomware group to release the data? They may be sloppy or careless with their data (like their victims), but I don't see a for-profit/non-ideological ransom group reneging and intentionally leaking the data. And plenty of reasons, e.g. repeat actors, to do their best not to.

Actually I'm often surprised that many ransomers/hostage-takers go through with their threats when they don't get their demands. The only reason I can see them doing it is if reputation matters to them for future negotiations more than the risks from the greater liabilities they incur by going through with the threats.

michaelt wrote:
The benefit would be getting paid a second time, by extracting a second ransom.

It doesn't have to be the whole group; perhaps one guy decides to branch out on his own, and grabs the data on his way out the door.

jasonfarnon wrote:
You mean "yeah we were lying yesterday about this same thing, but we're telling the truth right now" type of negotiation? Has that ever worked for ransoms (of any kind) anywhere?

ars wrote:
The US should make it illegal to pay ransom, with a penalty of prison for anyone paying a ransom or authorizing payment.
| | The purpose of the law is that now ransomware gangs will be less | likely to target US companies because companies are unlikely to | risk paying them. | ironmagma wrote: | It's maybe already illegal[1][2]. | | That doesn't stop companies from paying for it. If you're a | hospital, you're weighing breaking the letter of the law with | killing a bunch of people. | | [1] https://www.gma-cpa.com/technology-blog/paying-ransom-on- | a-r... | | [2] https://cbs12.com/news/cbs12-news-i-team/hospital- | ransomware... | gregwebs wrote: | Paying ransomware is not in any way illegal in the United | States. Making payments to sanctioned entities (ransomware or | otherwise) is. If companies go to their insurer, etc., they | will probably get help to do the compliance to check to see | if the payment requested would go to an OFAC sanctioned | entity or not. | bee_rider wrote: | Is the duty to make sure you know you aren't paying to a | sanctioned entity, or is it to not know whether or not you | are? | | Given the sources of many of these attacks, one should | reasonably assume they are likely to be doing business with | a sanctioned entity, right? | gregwebs wrote: | There isn't necessarily a way to know who you are | actually dealing with. Maybe in some cases there might be | some information to figure this out to some degree. But | normally the only information that is certain is where | the payment is going. Which is just a bitcoin wallet | address. | bee_rider wrote: | If you aren't a hospital, you are helping the ransomware | gangs amortize the cost of their R&D. Thus directly helping | those who hit hospitals, and, as a result, contributing to | those deaths. | ploum wrote: | -- If you don't give me 10k$, I will tell the authorities that | you have paid a ransom of 100k$. -- Ok, here's the money. -- | Thanks. If you don't give me 10k$ more, I will tell the | authorities about our previous deal. 
| phpisthebest wrote: | No I did not pay a ransom, I paid a 7 figure consulting fee to | a cyber security company not based in the US, who somehow | magically resolved the issue for us... | smith7018 wrote: | There are instances where that doesn't make sense. For example, | there was that plastic surgery office that got hacked a couple | weeks ago. I get why they think it's better to at least try to | prevent such private information from getting out. Making it | illegal to pay the ransom means that every patient's medical | history and pre/post op photos would be leaked. That's a | nightmare. | carabiner wrote: | When Boeing can't match the salaries of Seattle tech companies, | this is what happens. | klyrs wrote: | Speaking as a native Seattleite with multiple friends and | family at the company, Boeing stopped being a Seattle company | in 1997. | jmbwell wrote: | TIL: Although Boeing still has manufacturing facilities in | the Seattle area, they moved their HQ from Seattle to Chicago | in 1997. | klyrs wrote: | To rephrase: As McDonnell Douglas was crumpling under the | ineptitude of its management, Boeing merged with McDonnell | Douglas, keeping Boeing's name and McDonnell Douglas's | management. | massysett wrote: | The classic joke here is that McDonnell Douglas bought | Boeing with Boeing's money. | carabiner wrote: | Moved HQ from Chicago to DC area last year. | 1-6 wrote: | Sounds like the future of Tesla / SpacefleetX | kramerger wrote: | Is there anything "useful" in this dump? | | The article mentions citrix and emails, but that could be | anything | dmix wrote: | Useful to whom? Email dumps and other data could be useful for | further breaches and attacks against personnel. I'm sure their | infosec will be going through everything but they could miss | stuff and personal information is exploitable for fraud even | with awareness. 
| | Govs like China and aircraft/defense competitors to Boeing | probably got a goldmine if they didn't already have their own | access. Boeing does plenty of NATSEC and space stuff. | steponlego wrote: | Now that it's out there somebody will doubtless download it and | check it out eventually. Stuff that goes onto the Internet | rarely goes away. | whatever1 wrote: | Like how can one download so many files from a company network | and no alarm is set off ? What do the useless IT departments set | up? Just employee spyware ? | GartzenDeHaes wrote: | Let's say you have 6TB a day going through your perimeter | firewall. It's kind of hard to pick out a 40GB stream(s) on | HTTPS going to some US cloud provider. | JoblessWonder wrote: | I mean, depending on the data type... 45GB isn't really all | that much. They probably have 45GB individual CAD files... | | Now, if it is 2,000,000 text files totaling 25GB, then that is | harder to explain away. | | (I just read the article and saw that it deals with a vendor we | use daily... so... great news.) | bunabhucan wrote: | I remember an engineer telling me the physical drawings for | the 747 weighed ten times as much as the plane itself. | Invictus0 wrote: | 1000 sheets of paper weighs 10 lbs, the 747 weighs 910,000 | lbs, so there were 91 million sheets of paper describing | the 747? Does not seem accurate | avar wrote: | The 747 has around 6 million individual parts, 15 sheets | of paper per part doesn't seem unreasonable. | | Just detailed schematics of a given plastic knob in the | cockpit should take at least a few pages, nevermind | something more complex or critical like turbine blades. | 38321003thrw wrote: | Construction drawings are not done on A4. A typical drafted | drawing uses a handful of ft by ft range, say 3x4. So | that should give ~2 orders of mag less sheets. Does | 10,000 sheets of drafting paper sound more reasonable? | | Internet says 747 has 6,000,000 parts, half of which are | fasteners. 
So 3m individual components. "171 miles" of | wiring. Blah blah. I can easily see 10k drawings to cover | that beast, soup to nuts. | buildsjets wrote: | 3x4 is about right, but the original 747 drawings were | not drawn on paper; they were inked on thick thermal and | humidity stable mylar. Some detail parts may have been | defined multiple (up to a half dozen) E sized (36"x48") | mylars. Then there were separate drawings for each | assembly of detail parts. Then there was all the | manufacturing planning and detailed work instructions to | fabricate each level of assembly. Then there is all the | documentation associated with lab qualification testing | prior to flight. I have personally authorized qual test | reports in excess of 3000 pages, where ~100 pages was my | content and the rest was all backup data. | ajcp wrote: | If the FileShare server itself was compromised one could mount | it in a way that wouldn't show leakage, or just image the thing | and bork the original. | | Otherwise you could have a crawler that just traverses the | FileShare and makes duplicates at a rate slower than what would | look like BAU traffic. Given that most enterprise network | shares host a TON of legitimate batch dump/upload file traffic | it might be easy to skate by. | lgeorget wrote: | We don't know how and over how much time the data was | exfiltrated. | cyrnel wrote: | So many of the security monitoring tools that purport to detect | things like that only work if the attacker is brainless. Modern | networks are complex enough that a clever attacker (like a | professional ransomware gang) can make malicious traffic look | like any other traffic. | | Unless this was just a public S3 bucket, there was probably | some lateral movement involved, and I'd say time/money would be | better spent reducing that particular risk in the future. | demondemidi wrote: | I just had to download a 69 GB database to my laptop of CAD | design files (mostly libraries). 
I'm glad I have 1 Gbit | download speeds, but peers aren't so lucky. Granted, if IT saw | remote employees downloading TBs of data it should really raise | red flags. | jstarfish wrote: | Sadly, this is pretty routine for us (not Boeing). Every | goddamn day we have somebody plugging in a USB stick and | copying 1-20 GB of data to it. We see similar volumes | "accidentally" uploaded to iCloud whenever someone syncs their | work laptop to their personal iCloud account. | | We watch it happen. We have the tools to stop it. But we're not | empowered to use them, for the exact same reasons that led to | Equifax's fuckup-- we're not allowed to do anything that might | impact production/pursuit of new revenue. | | Lately, I'm not convinced this is even the "wrong" approach. | Espionage was not invented alongside the Internet. If we build | a Thing and it's the only Thing we sell, data concerning it | will inevitably be stolen by someone in some way. But if we | iterate on it fast enough, the value of older versions leaked | diminishes. We're in the market of building and selling a | moving target. | | It also creates an inflated volume of data. You can't just | break in, grab "the_flag.zip" and run like hell-- you have to | exfiltrate a fuckton of data, make sense of it, and carve | something usable from it. Like, checking binaries into a git | repo makes the size bloom, but it doesn't add a proportionate | amount of "value" to stealing that repo. It's padded with | drafts and garbage. | cryptonector wrote: | You need to disallow all USB devices not on an approved list, | which must all be keyboards and mice and nothing more. | lokar wrote: | I worked somewhere that filled all the USB ports with | epoxy. They maintained a large stock of PS/2 keyboards and | mice. | barryrandall wrote: | > Like how can one download so many files from a company | network and no alarm is set off ? | | Slowly, hidden among legitimate traffic, and indirectly. 
For | example, most companies don't notice 100 kb/sec increases in | DNS traffic, slight increases in web server image sizes, or | changes to server MOTDs. | ThinkBeat wrote: | My memory is not the greatest and simple Google searches are not | helping right now. | | Have there ever been massive problems from one of these leaks for | the targeted company? | | I seem to remember quite a lot of similar leaks over the past two | years where the market and public shrug it off. | | Clearly 45gig is a lot. I would think if there was a major | horrible thing to find that Boeing would have paid the ransom | (and told no one). | | Will it have any real negative consequences for Boeing? | | It is a black mark against them that they were vulnerable. I | guess it is a favorable point for many that they didn't pay. | 1-6 wrote: | The moment a company pays good money, that legitimizes the | hacking group and emboldens them to keep going. You can't trust | that they'll not leak even after they get paid. | freedude wrote: | 45GB of data could be like a dozen employees' or less Outlook PST | files. For this to be astounding we would need to know the | quality of the data. Otherwise it is a bunch of hype and hoopla. | campbel wrote: | You better pay up or we'll delete all of Marge and Victor's | email backups! | augustulus wrote: | we should be careful making the assumption that this is all the | data they exfiltrated. this could easily just be the first | tranche to prove that they're serious | SahAssar wrote: | Can we stop using disk size as a measure of leaked data? | | There are bluray movies larger than this leak and there are files | smaller than 10kb a lot more critical in most businesses. | | It'd be nice if there was some sort of scale for data leaks like | (just spitballing here): | | 1. Leak destroys all core company functions (crypto-exchange | leaks all wallet keys, CA leaks all root keys and becomes banned | from all trust stores, etc.) | | 2. 
Leak causes regulatory issues criminal enough to shut down | company | | 3. Leak severely hinders core company functions (deploy keys for | a cloud computing SaaS are deleted which stops all new | deployments until all infra is reconfigured) | | 4. Leak severely loses company competitive advantages (new | products leak that are replicable by competitors) | | 5. Leak causes severe PR disaster | | 6. Leak shows embarrassing internal company communication without | any of the above | tyingq wrote: | Would be nice, but there would quite a lot of analysis needed | to be able to determine any of that. Which you can't start | until the file is public. | SahAssar wrote: | Sure, but instead of saying "Boeing leaked 45GB" it would say | "Boeing leaked files of undetermined severity". | | The disk size does not matter, and when the severity was | actually determined it would show up in the headlines as | "Boeing leak determined to be a level 3 leak" instead of just | being "That Boeing leak 5 months ago was kinda bad". | | Either way, listing the size says very little. | xcv123 wrote: | These are journalists publishing breaking news. They are | not autistic IT professionals. | | Relevant quote from the article: "I haven't gone over the | whole data set but Boeing emails and a few others stand out | as useful for those with malicious intent" | SahAssar wrote: | Journalists are almost never deep experts of the fields | they report on (although I hope well versed), but given | the tools to report the news in a way that is more | understandable to the public I think they will use them. | | Both journalists and the public need a better way to | understand how different breaches affect them. | xcv123 wrote: | As someone wrote earlier, they won't know the severity | until it is analyzed. That could take a long time. Days | or weeks. This is just the breaking news. 
Also what | incentive does anyone have to waste their free time | analyzing the data and issuing a report to you after this | headline that the general public will not give a shit | about a few days later? | SahAssar wrote: | I'm not saying to delay the report. I'm saying to not | headline the size of the leak unless it has some sort of | significance. If the severity is later known, report that | as news. | | If anything this would create two stories where there now | is one, so journalists would not have less or later to | report. | vinaypai wrote: | > They are not autistic IT professionals. | | What does autism have to do with having the professional | integrity to understand what it is you're writing about | before publishing sensational claims? | rebolek wrote: | I believe that Boeing already did that analysis and | determined it's #6. | tyingq wrote: | At this point, I think there's quite a lot of "breach | fatigue" now where the general public doesn't care about | these stories. It's just "oh, I guess I get another year of | free identity theft services". | cvoss wrote: | Well, first, I'd expect Boeing already had some idea of the | scope of what was compromised simply by investigating their | own systems. After all, they knew enough to declare there was | no impact on flight safety. | | And second, even if a company has no idea of the scope, the | hackers would somehow want to prove at least privately what | the scope was, else their threat is not as manipulative as it | could be. On the other hand, the hackers can't credibly bluff | and inflate the scope too far beyond reality because the | company can just say "prove it or I don't believe you and I | won't pay." And the hackers want to get paid. | | It's a business deal after all. A really crappy one involving | criminals. But at the end of the day, the company must have | already assessed the value of the leak in order to reach a | decision. 
| tyingq wrote: | >I'd expect Boeing already had some idea of the scope of | what was compromised | | I've seen companies say this sort of thing with high | confidence. But that seems hard to me, assuming some level | of administrative access was breached. | porompompero wrote: | Nice, it sounds to me similar to the earthquake Richter scale. | ssss11 wrote: | You're describing a risk matrix. What level of risk does this | data hold for the company. | | I think that is a good way of measuring it. | msmith wrote: | This sounds like how we use a CVSS score to gauge the severity | of software vulnerabilities. | | Maybe the world needs a standardized place to catalog and rank | all the data breaches that have been disclosed. | FridgeSeal wrote: | Because half the time companies can't be trusted to even admit | there's a leak, let alone the severity of it. | | Groups that leak are likely to want to inflate the severity of | the leak to ensure they get paid. | | The larger a leak, the higher the probability there's sensitive | information in there, and the better opportunities/more time | attackers had to exfiltrate it. | SahAssar wrote: | Agreed, but journalists need a better way to communicate. | Saying 45GB sounds like a lot of emails to a technical person | and nothing to someone who bought a bargain-bin 64GB USB | memory stick the other day and filled it with a single HD | movie. | | The info says nothing, it conveys nothing. Even skipping the | size and saying it leaked "emails" says more in the headline | than the size. | | A single video recording of an all-hands meeting could fill | that size but it could also be emails containing the keys for | accessing a large part of DOD. | dylan604 wrote: | Or at least say what the 45GB (for this example) of data | compromises. As you say, if it were video files, that would add | up pretty quick, but if it were 45GB of emails, then that's a | hellalotuvdata. 
That would be the equivalent of a hostile law | firm dumping a truckload of banker boxes on a smaller law firm | to bury the lede. | | Kind of like saying I have 10. 10 what? As my math/science | teachers always said, don't forget to include your units. | phasnox wrote: | "After Boeing declines to pay up, ransomware group releases | DEFCON 3 leak" | | Could be the alternative headline. | fishtacos wrote: | I was working (very recently, during the 5000+ companies that | were hacked via what I presume were zero-day hacks) for an | MSP. 600 GB of data were exfiltrated from a law firm with | several terabytes of storage of customer data kept due to data | retention laws. | | They asked for almost a million USD. FBI got involved, | everything was restored from backups (thankfully a month's loss | of digitalized work), and absolutely nothing was given to the | ransomware group. | | To your point, there are severe regulatory issues that have to | be addressed due to the exfiltration. I no longer work for | them, so I don't know the extent of their cost in 1. notifying | affected clients and 2. providing credit protection coverage | due to leaking of personal data. | _visgean wrote: | This happened now, you can't assess right now any of these | statements. | ForkMeOnTinder wrote: | For me the disk size is interesting because it tells me how | long I'd have to wait if I wanted to download the leak myself, | which I do from time to time. (not downloading this one though) | incahoots wrote: | I'm at an en-passe here, on the one hand I think Boeing sucks as | its primary business is now hyper focused for defense purposes. | On the other, ransomware generally hurts companies and | municipalities that generally don't deserve it. | | Boeing, Lockheed Martin, Facebook, etc...deserve it | verandaguy wrote: | Nit: it's an impasse, not an en-passe. 
| justrealist wrote: | > Boeing sucks as its primary business is now hyper focused | for defense purposes | | This is a childish 2000s take. The world is rougher, Pax | Americana is over, we need effective defense contractors | because the world is full of assholes. Grow up. | mach5 wrote: | It's rougher because of America, not in spite of it. It's a | self-reinforcing feedback loop. Implying you are the grown up | in the room because you are 'realist' about this or whatever | is a classic dimwit take. | justrealist wrote: | Let me guess, Russia invaded Ukraine to eradicate the US | biolabs breeding Nazi GMO mosquitos. | cscurmudgeon wrote: | Yep, so true. Before 1776 there were no wars and the world | was deaf due to sound overload from globally synchronized | Kumbaya singing. | phpisthebest wrote: | No this is a very 2023 take, everything has to be looked at | from the lens of the Oppressor vs oppressed narrative, and | since America, the great satan, is always the "oppressor", | America is always bad and must be opposed | | Any company that helps support America is also bad and must | be opposed | | Any person that does not view America as bad is a bigot | alt-right extremist and must be opposed | | That is the state of politics for 2023, and anyone born after | the year 1990 or so | gist wrote: | A writer contacted me about my thoughts (unrelated and separate | from this event) about how the disclosure of vulnerabilities and | methods of hacking (of all types and in almost all situations) | aids bad actors vs. helps companies protect their systems (by | knowing vulnerabilities that are often so obscure they would | reasonably never be exploited). | | Point is what is the upside of disclosure (I think) vs. the | downside. 
Nobody is suggesting no disclosure but the writer | seemed to think that the security industrial complex has | lawmakers believing that everything should be open and there | should be constant white hat hacking which seems to feed and | benefit the security industry. | | I am curious if anyone has a thought on this topic. ___________________________________________________________________ (page generated 2023-11-20 23:00 UTC)
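The exfiltration-detection sub-thread above (whatever1's question, GartzenDeHaes's "40GB in 6TB a day", ajcp's slow crawler, and barryrandall's point that a 100 kb/sec rise in DNS traffic goes unnoticed) is the kind of thing a per-host baseline check catches; the code below is an added example, not code from anyone in the thread. It assumes a flow collector exporting per-minute outbound DNS byte counts per host; the host names, thresholds and byte counts are constructed here.

```python
"""Per-host baseline check for outbound DNS volume (added example).

Input: (minute, host, dns_bytes_out) records as a flow collector might export.
A host whose per-minute outbound DNS bytes sit far above its own recent
baseline for several consecutive minutes is flagged. A single large spike
(one big zone transfer, one fat TXT lookup) is deliberately not enough.
"""
from collections import defaultdict
from statistics import median

SUSTAIN_MINUTES = 3                # how long the rise must persist
MIN_EXCESS_BYTES_PER_MIN = 60 * 20_000   # ignore rises under ~20 kB/s (constructed floor)


def robust_baseline(values):
    """Median and median absolute deviation; a few odd minutes in the
    training window do not drag the baseline up the way a mean would."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return med, mad


def find_dns_exfil_candidates(records, train_minutes=60, k=6.0):
    """Return {host: [first_minute_of_each_sustained_rise, ...]}.

    The first `train_minutes` of each host's series form its baseline. After
    that, a minute counts as "high" if it exceeds both med + k*MAD and
    med + MIN_EXCESS_BYTES_PER_MIN; SUSTAIN_MINUTES consecutive high minutes
    raise one alert, stamped with the first minute of the run.
    """
    per_host = defaultdict(dict)
    for minute, host, nbytes in records:
        per_host[host][minute] = nbytes

    alerts = {}
    for host, series in per_host.items():
        minutes = sorted(series)
        train = [series[m] for m in minutes if m < train_minutes]
        if len(train) < 10:            # not enough history to judge this host
            continue
        med, mad = robust_baseline(train)
        limit = max(med + k * mad, med + MIN_EXCESS_BYTES_PER_MIN)
        run = 0
        for m in minutes:
            if m < train_minutes:
                continue
            if series[m] > limit:
                run += 1
                if run == SUSTAIN_MINUTES:
                    alerts.setdefault(host, []).append(m - SUSTAIN_MINUTES + 1)
            else:
                run = 0
    return alerts


def constructed_records():
    """Constructed 90-minute sample for three hosts (deterministic jitter).

    ws-100: normal throughout.
    ws-007: one 3 MB spike at minute 65 (should not alert).
    ws-042: +6 MB/min from minute 70 to 79, i.e. the ~100 kB/s rise from
            the comment above, riding on top of its normal traffic.
    """
    recs = []
    for minute in range(90):
        for host in ("ws-007", "ws-042", "ws-100"):
            nbytes = 20_000 + (minute * 7919 + len(host) * 131) % 3000
            if host == "ws-007" and minute == 65:
                nbytes += 3_000_000
            if host == "ws-042" and 70 <= minute <= 79:
                nbytes += 6_000_000
            recs.append((minute, host, nbytes))
    return recs


if __name__ == "__main__":
    print(find_dns_exfil_candidates(constructed_records()))  # {'ws-042': [70]}
```

The absolute floor matters as much as the statistical one: with DNS baselines of a few tens of kilobytes per minute, a pure k*MAD bound would page on every CDN lookup burst, while the floor keeps the detector quiet until a host moves the kind of volume a tunnel would.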