Ransomware – Unauthorized access to Fujifilm servers

fujifilm.com

64 points by zaitanz 5 years ago · 50 comments

neom 5 years ago

Their cloud storage is down, and, ironically, so is their ransomware protection service AirGap. https://datastorage-na.fujifilm.com/stop-ransomware/

  • beermonster 5 years ago

    Does anyone know the details of their AirGap service?

    Taking services/networks offline is common during incident response management so it might be indicative of them taking appropriate action rather than them being knocked off-line.

    Let’s hope their service lives up to the marketing.

  • netr0ute 5 years ago

    > Their cloud storage is down

    That's why I never trust "non-cloud" companies with cloud storage, because you never know if they suddenly don't want to do it anymore, or in this case get hacked because of incompetencies.

    • bouncycastle 5 years ago

      Funny, because I always think of Amazon as a "non-cloud" company, especially when most think of it as a place to shop. Of course, I know it's not.

      Seriously though, Fujifilm is a conglomerate and known for their pivots. If they did not reinvent themselves, they would have been joining Kodak.

      • paxys 5 years ago

        This is actually somewhat true at all major cloud companies. Google, Microsoft and Amazon all have very limited usage of their own commercial cloud services among engineering teams.

        • sterlind 5 years ago

          I'm not sure about Google, but at MS we absolutely use our own cloud heavily. Sometimes there's big legacy stuff, but nowadays most of that has gone onto Azure under the hood. I've heard Amazon is much the same way.

          The only exception I can really think of is infrastructure that you need to recover from disasters, which isn't on Azure for obvious bootstrapping reasons.

          • paxys 5 years ago

            Until I was at Microsoft a few years ago there was always a struggle to get internal teams to use Azure. There were constant talks to get O365 and Bing (so, the bulk of internet-facing servers) on Azure, but nothing ever materialized. I have heard Google is a lot worse in this regard.

    • beermonster 5 years ago

      Lots of folk (not solely non-technical) treat cloud sync as a backup - when often it’s not. Can’t comment on Fujifilm’s offering.

      In any case it should only be one of the three copies of your data.

      Anecdotally, photographers - especially professional ones - take backups quite seriously. I’ve often read good blog posts written by them on how to back up your images. And I believe the 3-2-1 rule originally came from a photographer, Peter Krogh.

    • londons_explore 5 years ago

      I wonder how many times ransomware has gotten into Google/Amazon's employees laptops?

      Having 100k employees, most of whom have admin access to their own machines (because they're developers), has got to make it almost impossible to stop it happening.

      • babelfish 5 years ago

        I have a friend who works at G that told me shortly after he started working there, he accidentally typed some portion of his password into another website, at which point his laptop immediately locked down and he was forced to change his password before doing anything else.

        • tremon 5 years ago

          Are you implying Google had his password stored in reversible form?

          • londons_explore 5 years ago

            This is what OP is talking about:

            https://chrome.google.com/webstore/detail/password-alert/noo...

            And yes, it does store a hash of the password on the local machine, although I suspect it's only a 32 bit hash or something so you can't 'crack' it to recover the original password.

          • weird-eye-issue 5 years ago

            Nothing about the comment that you replied to would require them to store their password in "reversible form"

            • londons_explore 5 years ago

              > some portion of his password

              Doing a partial string match on a password would effectively require it in reversible form. Even if you hashed all the possible substrings of the password, it would be trivial to brute force given all the hashes of the same string with one extra character on the end...

              But OP was mistaken - the tool Google uses only alerts if the entire password is typed. Meaning that OP's friend was careless with password hygiene. As is nearly every new Google employee.

          • awwaiid 5 years ago

            Maybe they keylog and incrementally hash everything including password subset? Seems implausible.
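An added example for the Password Alert exchange above (this is not Google's code, whose internals the comments only speculate about): a client keeps a salted, slow-hashed and truncated digest of the enrolled password and checks the keystroke stream for the whole password, so "hunter2" never matches "hunter21". The second half shows londons_explore's point about why a per-prefix variant cannot be made safe: each stored prefix digest becomes a one-character oracle. The 32-bit truncation, the iteration count, the fixed salt and the alphabet are all assumptions made for the demo.

```python
"""Password-leak detector in the style the thread describes (added example, not Google's code).

Stores only a salted, slow-hashed, truncated digest of the enrolled password and scans the
keystroke stream for the *whole* password; the per-prefix variant below shows why partial
matching would require something that is, in effect, reversible.
"""
import hashlib
import hmac
import os
import string
from typing import Optional

PREFIX_BYTES = 4     # assumption: keep 32 bits of the digest, as the thread speculates
ITERATIONS = 1_000   # kept low so the demo runs in seconds; use far more in production


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, truncated so the stored value cannot be mapped back to one password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)[:PREFIX_BYTES]


def enroll(password: str, salt: Optional[bytes] = None) -> dict:
    """Everything the client keeps locally: salt, truncated digest and the password length."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "digest": _digest(password, salt), "length": len(password)}


def scan(record: dict, keystrokes: str) -> int:
    """Return the keystroke index at which the full password was typed, or -1.

    Only windows of exactly `length` characters are hashed, so a partial password never fires.
    """
    n = record["length"]
    for i in range(n - 1, len(keystrokes)):
        window = keystrokes[i - n + 1 : i + 1]
        if hmac.compare_digest(_digest(window, record["salt"]), record["digest"]):
            return i
    return -1


# --- the design the thread warns against: one digest per prefix ---------------------------

def enroll_prefixes(password: str, salt: bytes) -> dict:
    """Hash every prefix so partial typing could be detected. Looks harmless, is not."""
    return {"salt": salt,
            "digests": [_digest(password[:k], salt) for k in range(1, len(password) + 1)]}


def recover_password(record: dict, alphabet: str) -> str:
    """Rebuild the password one character at a time; each prefix digest confirms one guess."""
    found = ""
    for target in record["digests"]:
        for ch in alphabet:
            if hmac.compare_digest(_digest(found + ch, record["salt"]), target):
                found += ch
                break
        else:
            raise ValueError("character outside the assumed alphabet")
    return found


if __name__ == "__main__":
    salt = b"\x01" * 16   # constructed fixed salt so the demo is deterministic
    good = enroll("hunter21", salt)
    print("partial typed ->", scan(good, "password is hunter2"))   # -1, no alert
    print("full typed    ->", scan(good, "login: hunter21 ok"))    # 14, alert on the last char
    bad = enroll_prefixes("hunter21", salt)
    print("prefix scheme ->", recover_password(bad, string.ascii_lowercase + string.digits))
```

The whole-password scheme is safe to keep on a laptop because a stolen record only gives an attacker a slow, salted, 32-bit check to run candidates against; the prefix scheme turns that same check into a search of alphabet-size times password-length guesses, which is what "effectively reversible" means in the comment above.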

      • paxys 5 years ago

        If there's ransomware on an employee's laptop you simply throw it away and give them another one. And have them go through a lot of security training after.

        • beermonster 5 years ago

          Assuming they were the weakness. It might be that patching velocity was the reason the laptop became infected. Where I work that is managed via patch management software not the end-user.

xupybd 5 years ago

I'm the only person in my company with any IT knowledge. I'm a developer, not an IT expert. These stories terrify me. I have no mandate or time to work on our security.

What would you do to protect your company? I have limited backups but we would be done with systems down for days.

  • dgellow 5 years ago

    Report this to your manager and make it clear (using reports from cases, such as those ransomware cases) that you need to invest right away in security and a backup process you trust.

  • beermonster 5 years ago

    Identify data assets that are important to you and back them up and work out recovery objectives in advance. This may sound complicated at first but follow this to get you started:

    https://docs.borgbase.com/strategy/

    Also a tool like borg [1] will help you ‘do backups right’. If you’re on Windows maybe check out restic [2].

    Next, make sure you patch software as unpatched software may contain vulnerabilities which can be exploited by a threat actor. Quicker is better and automating this allows audit, consistency, and expediency.

    If you’re on MacOS check out RansomWhere from objective-see : https://objective-see.com/products/ransomwhere.html

    Educate users so they are aware of the risks of opening emails from people they do not know and how to identify potential phishing.

    Various anti malware/anti virus software can be used in conjunction with the above but cannot be relied on by itself - defence in depth.

    Also you shouldn’t feel this is all your responsibility. Try and raise this business risk with the powers that be. See if you can not only get a company mandate but also maybe obtain someone with more expertise?

    [1] https://www.borgbackup.org/ [2] https://restic.net/

  • uniqueid 5 years ago

    > These stories terrify me.

    If they scare you now, just wait a few months or years until we see some massive breaches of Google, Facebook and Amazon data. It's possible the 'cloud-storage' model is a house of cards, because it may be the case that the whole thing collapses after a sufficiently high percent of the public experiences a financially-, socially- or career-devastating leak.

  • Woodi 5 years ago

    If you are the only one with IT knowledge there, it is already your responsibility - in case of ransomware or some disaster you can be held responsible. Of course it all depends on your contract, potential losses, managers' mood and managers' need to cover their asses.

    Good news: looks like your position makes you a kind of manager yourself - you, to some degree, can influence and even demand things. And for sure your responsibility is to communicate the state of the business to the upper chain.

    Or maybe just make critical systems off the internets :>

  • amelius 5 years ago

    Please note that backups aren't a good measure against ransomware, unless you do them absolutely correctly.

    The problem is that ransomware will encrypt your files, rendering them useless, but they still end up in encrypted form in your backup.

    • WJW 5 years ago

      Almost every backup system I've seen will keep multiple versions of the file around with decreasing frequency as time progresses, ie one for every day of last week, every sunday of the last month, the first of every month for the last year, etc. That way if you get hit by ransomware, you can restore to a point in time where you are (fairly) sure no infection was present yet. Nothing is perfect, but this does give a decent amount of protection for "most" important files as they tend not to change that often. For things that do change often like databases, different strategies may be needed.

      • beermonster 5 years ago

        So long as the compromised system isn’t able to access and alter any historic backups.

        Things like zfs snapshots or append-only backups help protect your backups by not permitting this.

      • amelius 5 years ago

        Yes, but if your system is hacked, then any application (including your backup software) might "see" the file as unencrypted.

        • WJW 5 years ago

          Yes? Some of your backups will be the encrypted version of the file. As long as your system remains hacked it is useless to restore anything. You will first need to purge every disk in your organisation and reinstall everything from scratch (depending on the sophistication of the ransomware, maybe just buy new disks altogether), THEN restore from a version that is good.

          • amelius 5 years ago

            Yes, but backing up from an infected system is probably not a good idea. Better to mount the drives on a different system, and backup from there.

        • nix23 5 years ago

          That's why you use WORM tapes and versioned files if it's really important data.
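An added example for beermonster's backup checklist and the versioning/append-only subthread above (it is a self-contained model, not borg, restic or ZFS code): an append-only snapshot store that refuses the delete a ransomware-holding client would attempt, a simplified grandfather-father-son retention plan that runs with separate privileges, and a "last clean version" search that walks snapshots from newest to oldest and skips copies that look like ciphertext. The dates, the ledger file and the fake ciphertext are all constructed inline; the entropy threshold is an assumption.

```python
"""Versioned, append-only backup store with GFS retention and a last-clean-version finder.

Added example for the backup discussion (3-2-1, versioning, append-only/WORM); it is a
self-contained model, not borg, restic or ZFS code. Dates, file contents and the ransomware
'encryption' are all constructed inline.
"""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta
from typing import Dict, Optional

ENTROPY_ALERT = 7.0  # bits/byte; assumption: real text/office data sits well below this


class AppendOnlyStore:
    """Snapshots can be added and read, never rewritten or deleted by the backup client.

    Stands in for a borg repo opened with --append-only, restic on an object-locked bucket,
    or ZFS snapshots owned by a separate host: an infected client gains nothing by trying.
    """

    def __init__(self) -> None:
        self._snapshots: Dict[date, Dict[str, bytes]] = {}

    def add(self, day: date, files: Dict[str, bytes]) -> None:
        if day in self._snapshots:
            raise PermissionError(f"append-only: snapshot {day} already exists")
        self._snapshots[day] = dict(files)

    def delete(self, day: date) -> None:
        raise PermissionError("append-only: client has no delete right; retention runs elsewhere")

    def days(self):
        return sorted(self._snapshots)

    def read(self, day: date, path: str) -> bytes:
        return self._snapshots[day][path]


def retention_keep(days, today: date, daily=7, weekly=4, monthly=12):
    """Simplified grandfather-father-son plan: what a *privileged* retention job keeps.

    Every snapshot of the last `daily` days, Sundays for `weekly` weeks, the 1st for `monthly` months.
    """
    keep = set()
    for d in days:
        age = (today - d).days
        if age < daily or (d.weekday() == 6 and age < weekly * 7) or (d.day == 1 and age < monthly * 31):
            keep.add(d)
    return keep


def shannon_entropy(data: bytes) -> float:
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """Ciphertext is close to 8 bits/byte; text, spreadsheets and source are far lower."""
    return shannon_entropy(data) > ENTROPY_ALERT


def last_clean_version(store: AppendOnlyStore, path: str) -> Optional[date]:
    """Newest snapshot whose copy of `path` does not look like ciphertext, or None."""
    for d in reversed(store.days()):
        if not looks_encrypted(store.read(d, path)):
            return d
    return None


# --- constructed scenario ----------------------------------------------------------------

def fake_ciphertext(seed: bytes, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (sha256 counter stream)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32))[:n]


def build_scenario(first=date(2021, 3, 1), last=date(2021, 6, 2), infected=date(2021, 5, 30)):
    """Daily snapshots of one ledger file; from `infected` onward the client backs up ciphertext."""
    store = AppendOnlyStore()
    day = first
    while day <= last:
        ledger = ("invoice %s customer acme total 100.00\n" % day).encode() * 64
        content = fake_ciphertext(day.isoformat().encode()) if day >= infected else ledger
        store.add(day, {"ledger.txt": content})
        day += timedelta(days=1)
    return store


if __name__ == "__main__":
    store = build_scenario()
    print("last clean ledger.txt:", last_clean_version(store, "ledger.txt"))   # 2021-05-29
    keep = retention_keep(store.days(), date(2021, 6, 2))
    print(len(keep), "snapshots retained; clean one kept:", date(2021, 5, 29) in keep)
    try:
        store.delete(date(2021, 5, 29))   # what malware holding the client's credentials would try
    except PermissionError as exc:
        print("refused:", exc)
```

Two caveats from the thread carry over: the entropy check only catches the common case where the backup client ships ciphertext, not the case amelius raises where a compromised host presents files as plaintext to every process, and the retention job must run with credentials the backup client does not hold, otherwise "append-only" is a label rather than a control. Restores should be done onto rebuilt machines, as WJW says, not back onto the host that was infected.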

  • dspillett 5 years ago

    > What would you do to protect your company.

    How big is the company? If the company is big enough then it should really have an infrastructure manager or similar who is directly responsible for this sort of thing, rather than relying on seconding the dev team into managing IT.

    When we were a team of five plus the owner and I gave up on getting time+budget to properly set up off-site backups, I ended up spending a weekend hacking together something with ssh+rsync to the machine under my desk at home for key data (the source repos, email, etc.), basically replicating what I did for my home data (backing up to an external site). I can't recommend this. It no doubt breaks many data protection rules. But I wasn't comfortable with the idea that my job would be entirely gone if the building burned down overnight and we lost what would be needed to restore operation. I was protecting me, not the company at that point. Luckily when we were in the process of being bought and due diligence audits came around, backup & DR concerns were taken a bit more seriously and I did get the time allocated to do something better.

    > I have limited backups but we would be done with systems down for days.

    Make a case to management that these attacks are not targeted at the big companies, they just happen to catch them in the net and we hear about them because they are big companies. The bots out there infecting sites will get into anywhere they can, and the blackmailers are more than happy to have many small marks instead of a few big ones. You are a target as much as Fuji or Garmin are. That case should list how long it would take to get operational again (refreshed infrastructure, restored data) if you paid for decryption and if you didn't (which in your case might be "it'll never happen" currently). Make a recommended plan and list what the restore time is for that if you had to rebuild everything. Break the restore time into essentials (what you need to support current clients) and everything else (what you need to continue new work and chase new clients).

    Also include in your plan time to regularly test your backups and arrange some automated tests of key parts.

    That, other than taking matters into your own hands in your own time which is as likely to get you slapped as it is to get you thanked, is all you can do. If they don't take these matters seriously, consider if you can get a job with a company that does (you'll have to if the worst happens anyway so consider planning this to be your personal DR plan even if you don't want to jump ship now).

  • 1337shadow 5 years ago

    I suppose the best is to outsource, we have such offers in one of my businesses for example: https://yourlabs.org/secops/

1970-01-01 5 years ago

News is reporting it's Qbot. They must be on a Windows version < 8.1 as Qbot is nothing new and is detected by Win Defender

https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclo...

beermonster 5 years ago

An update : https://www.fujifilm.com/jp/en/news/hq/6642#

totetsu 5 years ago

dupe https://news.ycombinator.com/item?id=27373455 ?

axiosgunnar 5 years ago

And another one bites the dust!

gdsdfe 5 years ago

Hmm but why target such a well known company? It's almost guaranteed that they will not pay to save face, no?

  • shakna 5 years ago

    > It's almost guaranteed that they will not pay to save face, no?

    No. Lots of big names will payout ransoms, that's why it works. [0]

    [0] https://heimdalsecurity.com/blog/ransomware-payouts-of-2020/

  • numpad0 5 years ago

    Companies these days just “contract external security consultant” for exact amount of ransom + fees aka ask the perp for a receipt for tax purposes

  • campbel 5 years ago

    they WILL pay to save face

  • Thorrez 5 years ago

    Didn't Garmin pay a ransom? Which is more well known?

    • pmlnr 5 years ago

      Garmin more well known than Fuji?! In what world?!

      • dspillett 5 years ago

        My personal life certainly. I'm well aware of both companies, but what do Fuji do that is as recognisable to many of the general public as the watch on their wrist or the mapping device in their car? Some might own a Fuji brand camera, printer or other device, might put Fujifilm brand paper in their printer, etc., but they probably aren't significantly aware of the rest of the business. I'd wager that the average person on the street is more aware of Garmin.

        • dividedbyzero 5 years ago

          Some older people will probably have Fujifilm burned into their cortex because they made a lot of very popular film types for cameras back in the day, and if you were just somewhat serious about taking photos, film type was a big deal. At least I guess that's why it feels like that to me, too, even though it's definitely no longer true.

      • weird-eye-issue 5 years ago

        • Thorrez 5 years ago

          Wow, you can see the big spike in Garmin interest when they got hacked in July 2020.

      • markdown 5 years ago

        In the world of GPS equipment I guess.
