What Acn and experts say about the hacker attack

The National Cybersecurity Agency has detected a "massive attack", based on the use of already existing ransomware, against "several dozen systems" across Italy. The responsibilities of companies, the opinion of experts and the note from Palazzo Chigi

The hacker attack targeted thousands of computer servers, from European countries such as France, Finland and Italy to North America (Canada and the United States).

The alarm came yesterday afternoon from the National Cybersecurity Agency (Acn): the Computer Security Incident Response Team (Csirt) Italy, the body responsible for monitoring incidents and intervening in the event of attacks, discovered that the hackers went into action using an "already circulating ransomware" that targets VMware ESXi servers. It has already "compromised" dozens of national systems.

As explained by the Csirt, the manufacturer had already identified and remedied the vulnerability in February 2021. However, not everyone running the affected systems has applied the fix. Targeted servers that have not been patched, i.e. that lack the appropriate "fixes", can open the door to the hackers busy exploiting the flaw.

But if the server vulnerability was known and fixed as early as February 2021, why was it still left unpatched?

"We've been leaving the doors open every night for 2 years, only this weekend someone noticed it and said it around", Matteo Flora, digital entrepreneur and online reputation expert, commented on Twitter. "Speaking in IT terms, it is a geological era", remarks Gerardo Costabile, CEO of DeepCyber (Maggioli Group) and president of the Italian Digital Forensics Association (Iisfa).

"And three days ago the French Cert (the Cyber Alarm Response Center, ed.) had launched the alert: it was more or less ignored and this fact is of a disconcerting gravity", underlines Corrado Giustozzi, popularizer and cybersecurity expert, partner of Rexilience, to Corriere della Sera.

In the meantime, after the meeting held this morning by the undersecretary with responsibility for cybersecurity Alfredo Mantovano with the director of the ACN Roberto Baldoni and the director of Dis Elisabetta Belloni, Palazzo Chigi announced that "in Italy no institution or primary company that operates in critical sectors for national security has been hit", adding that there is no "evidence that leads aggression to a state subject or a hostile state".

All the details.

THE HACKER ATTACK ON VMWARE ESXI SERVERS

On the evening of February 4, the Csirt detected the exploitation of the vulnerability "CVE-2021-21974" in VMware ESXi.

In particular, this vulnerability (already remedied by the vendor in February 2021) concerns systems exposed on the internet that offer virtualization services based on the VMware ESXi product, and has a high impact, estimated by the technical community as "high/orange risk" (70.25/100). However, it cannot be ruled out that other vulnerabilities are also being exploited by malicious actors. And the targeted servers, if lacking the appropriate fixes, "can open the doors to hackers busy exploiting it in these hours after the strong growth of attacks recorded over the weekend".

The exploitation of the vulnerability, explains the Agency, "allows in a subsequent phase to carry out ransomware attacks that encrypt the affected systems making them unusable until a ransom is paid for the decryption key".

THE FRENCH FIRST TO NOTICE THE HACKER ATTACK

The first to notice the attack were the French, probably due to the large number of infections recorded on the systems of some providers in that country.

"On the related campaign, the French Computer Emergency Response Team (Cert-Fr) has published a security advisory, available in the references section, which highlights the related details. From the analyses carried out, the campaign is also directed towards national subjects", explains the National Cybersecurity Agency.

Subsequently, the wave of attacks moved to other countries including Italy. At the moment there are a few thousand compromised servers all over the world, from France to Finland, from Canada to the United States up to our country where, according to what has been ascertained so far, dozens of companies have already encountered malicious activity against them.

THE SUMMARY OF PIERGUIDO IEZZI

This is "a campaign targeting VMware ESXi servers exposed on the Internet and vulnerable to CVE-2021-21974. The two conditions (specific system out of date and exposed on the internet) were the opportunity for cybercriminals to attempt and gain access to systems. As often happens, there was a mass scan in search of these objects displayed on the internet", Pierguido Iezzi, CEO of Swascan, explained to Rai News 24.

THE STATEMENT OF THE DIRECTOR OF THE POSTAL POLICE

First of all "there was evidence of a leak and it would have been necessary to repair it immediately", highlighted the director of the postal police, Ivano Gabrielli, in La Stampa.

“However, individual IT managers are now being warned. The attack, as reported by France, exploits that vulnerability I mentioned. In the next few days we will go and check what happened here too”, added Gabrielli.

MATTEO FLORA'S COMMENT

In fact, the community of cyber experts plays down the scope of the attack in the face of the sensationalist tones of the Italian press towards a threat already known on the international scene. And it raises the liability of companies whose servers remained vulnerable for two years even though the fix was available.

"True there is a new wave of ransomware attacks using a vulnerability in that software, but we are talking not about something unknown and unexpected, but about criminals using a flaw FOUND AND FIXED AT THE END OF FEBRUARY 2021 (CVE-2021-21974)", underlines Matteo Flora, digital entrepreneur and online reputation expert.

“So basically TWO YEARS AGO, only apparently nobody bothered to patch. Here, rather than warning of a threat, it is the chronicle of a death foretold. And if you have a laundry, YOU DESERVE IT. And you have to die badly,” commented Flora.

AND THAT OF ANDREA CHITTARO

For Andrea Chittaro, Senior Vice President Global Security & Cyber Defense of Snam, "everything appears in the wake of a non-emergency dialectic".

“A simple VA and patching probably fixed the problem originally. On Sunday afternoon some news agencies relaunched the news with a certain emphasis. Several experts, including Matteo Flora, immediately tried to frame the problem in its proper scope", commented Chittaro on Linkedin.

“At the moment, as far as we know, a few dozen servers in Italy are compromised. The positive thing that can be read in all this is that a community of corporate security professionals took immediate action, pooling knowledge and skills. And I think this is the only truly comforting figure” concluded the Snam manager.

STEFANO ZANERO'S ANALYSIS ON THE HACKER ATTACK

So with regard to the flaw in the VMware platform — also used by system analysts to manage internet services — the responsibility falls on the companies.

"The companies concerned, a few thousand in the world, used outdated and exposed systems, i.e. vulnerable to problems known for a couple of years", specified the cybersecurity expert and associate professor of computer security at the Politecnico di Milano Stefano Zanero, speaking this morning at the #Edicolaperta press review, held by journalists from the IT sector, Marco Lorusso and Nicoletta Boldrini, filmed by Ansa.

Furthermore, "It is a recurring scenario. In 2022, 3,500 ransomware attacks were reported in the United States alone, about ten a day. What stands out from the analyses is that at least 2,000 attacks occurred over the weekend, linked to ransomware launched by a group of cybercriminals who may have devised a new method to evade the defenses of the targeted victims."

STEFANO FRATEPIETRO'S COMMENT

"Let's talk about CVE-2021-21974, with patch available from February 23, 2021! TWO YEARS AGO! The real news is that there are still companies that publish an ESXi server directly on the Internet. They deserve a documentary to understand the reasons for this masochistic choice", commented Stefano Fratepietro, CEO of Tesla Consulting and Chief Information Security Officer – Be Shaping the Future, on his Linkedin profile.

THE COMPANIES INVOLVED

According to Zanero, in Italy it is possible to estimate twenty to thirty companies theoretically involved, of which five more in the last few hours, with the malware which, once established, blocks systems and demands a ransom to get them back: "In percentage terms, it is something really low compared to the amount of active businesses. Let's take advantage of these moments to accelerate the culture of information security, without excessive alarmism".

EXPERT GIUSTOZZI'S COMMENT ON THE HACKER ATTACK

So "There is an endless chain of sloppiness and disinterest for not having made the necessary updates… And what's more, the software in question can only be attacked if exposed on the Internet, which should be avoided. I'm not saying whoever is in trouble went looking for them but they certainly didn't move in time with the countermeasures", bitterly says Corrado Giustozzi, popularizer and cyber-security expert, to Corriere della Sera.

THE NOTE FROM PALAZZO CHIGI AFTER THE SUMMIT OF THE HACKER ATTACK

Meanwhile, Palazzo Chigi announces at the end of this morning's summit that "during the first reconnaissance activities carried out by Acn, together with the Postal Police, no evidence has emerged that leads to aggression by a state entity or similar to a hostile state; instead the action of cybercriminals is likely, demanding the payment of a 'ransom'”.

The note adds that "The work that ACN and the Postal Police are carrying out in these hours is also that of identifying all potentially vulnerable subjects, in order to limit the negative effects that could arise not only for their IT systems, but also for the population (think of the repercussions relating to the blocking of the ASL system)".

A DPCM COMING FOR REGIONS-ACN CONNECTION

Furthermore, “The Government, following up on the provisions of Legislative Decree no. 82/2021, will promptly adopt a DPCM to link the fundamental prevention work of the Regions with ACN".

OPENING OF THE INSTITUTIONAL TABLE

At the same time, "the Agency itself will set up a periodic discussion table with all the public and private structures that provide critical services for the nation, starting with the Ministries and credit and insurance institutions" concluded Palazzo Chigi.

GIUSTOZZI: "RULES LIKE THOSE FOR KIDNAPPINGS IN THE 70'S ARE NECESSARY"

But these measures may not be enough.

"Preaching good things is useless, because they are not done. There is still a resounding ignorance in companies and in the Public Administration on information security, which too many people see not as a strategic component for the very survival of these realities, but as something similar to light bulbs to be replaced or elevators to be fixed", Corrado Giustozzi added to Corriere.

Therefore “we need a regulation that cannot be ignored, as has been done for anti-seismic, fire prevention or public health regulations. And rules such as those for kidnappings in the 1970s would be needed, which forbid or make it difficult for those affected to pay the ransoms, in order not to feed the vicious circle” concluded Giustozzi.

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/cyber-cosa-dicono-gli-esperti-attacco-hacker/ on Mon, 06 Feb 2023 12:27:37 +0000.