The Register

Wednesday, December 14, 2022

LockBit claims attack on California's Department of Finance


December 13, 2022 04:24 PM

The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang.

An investigation has been started by the California Cybersecurity Integration Center (Cal-CSIC), a group of state and federal agencies dedicated to protecting against cyber threats.


Ongoing investigation
The California Governor’s Office of Emergency Services has confirmed that the Department of Finance has been affected by a cyber incident but did not provide many details.

“The intrusion was proactively identified through coordination with state and federal security partners. Upon identification of this threat, digital security and online threat-hunting experts were rapidly deployed to assess the extent of the intrusion and to evaluate, contain and mitigate future vulnerabilities” - California’s Office of Emergency Services

It is unclear how much damage the hackers did or how they managed to breach the department. However, the state of California says that state funds remained unaffected by the attack.

LockBit claims 75GB of stolen files
On Monday, the LockBit ransomware gang posted on their leak site that they had breached the Department of Finance of the state of California and stolen databases, confidential data, financial documents, and IT documents.

To prove their claim, the hackers published a few screenshots of files they allegedly exfiltrated from the systems of the Department of Finance in California.


LockBit sets deadline for California Department of Finance
The hackers also posted a screenshot of the directories and the number of files stored. The properties dialog shows a count of over 246,000 files in more than 114,000 folders amounting to 75.3GB of data.

LockBit’s data leak site shows a countdown to a December 24 payment deadline, threatening to publish all the files unless the ransom is paid.

The builder that allows generating an encryptor and decryptor for LockBit ransomware was leaked in September by a disgruntled operator.

A week after that, a new group calling themselves BlooDy Ransomware Gang started using it in attacks against a Ukrainian entity.

In October, a 33-year-old Russian national suspected to be connected to the LockBit ransomware gang was arrested in Ontario, Canada. He is believed to have deployed the ransomware on critical infrastructure and large industrial organizations.

At the time, Europol said that the individual is a "high-value target due to his involvement in numerous high-profile ransomware cases," demanding between €5 million and €70 million from the victims.

LockBit operators typically focus on extorting large companies and are among the most active on the big-money ransomware scene.

Among the LockBit victims…

The gang is financially driven and was the first to introduce a bug bounty program, offering rewards of up to $1 million for vulnerabilities in their websites and locker, and for new ideas.


Friday, May 17, 2019

Securing Linux Servers: Hardening a Linux Server

How to Secure a Linux Server


Here are some useful tips and tricks to help you secure your Linux server.

What is system hardening?

To improve the security level of a system, we take different types of measures. This could be the removal of an existing system service or the uninstallation of some software components.
System hardening is the process of doing the ‘right’ things. The goal is to enhance the security level of the system. There are many aspects to securing a system properly. Yet, the basics are similar for most operating systems, so the system hardening process for Linux desktops and servers is not that special.

Core principles of system hardening

If we put system hardening under a microscope, we could split the process into a few core principles: the principle of least privilege, segmentation, and reduction.

Principle of least privilege

The principle of least privilege means that you give users and processes the bare minimum of permissions they need to do their job. It is similar to granting a visitor access to a building. You could give full access to the building, including all sensitive areas. The other option is to only allow your guest to access the single floor where they need to be. The choice is easy, right?
Examples:
  • When read-only access is enough, don’t give write permissions
  • Don’t allow executable code in memory areas that are flagged as data segments
  • Don’t run applications as the root user, instead use a non-privileged user account

Segmentation

The next principle is to split bigger areas into smaller ones. If we look at that building again, we have split it into multiple floors. Each floor can be further divided into different zones. Maybe your visitor is only allowed on floor 4, in the blue zone. If we translate this to Linux security, this principle applies to memory usage: each process can only access its own memory segments.

Reduction

This principle aims to remove anything that is not strictly needed for the system to work. It resembles the principle of least privilege, yet focuses on preventing something from being present in the first place. A process that does not have to run should be stopped. The same goes for unneeded user accounts or sensitive data that is no longer being used.

System hardening steps

Overview of hardening steps
  1. Install security updates and patches
  2. Use strong passwords
  3. Bind processes to localhost
  4. Implement a firewall
  5. Keep things clean
  6. Security configurations
  7. Limit access
  8. Monitor your systems
  9. Create backups (and test!)
  10. Perform system auditing

1. Physical System Security
Configure the BIOS to disable booting from CD/DVD, external devices, and floppy drives. Next, set a BIOS password and also protect GRUB with a password to restrict physical access to your system.

2. Disk Partitions
It’s important to have different partitions to obtain higher data security in case a disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only the data on that partition is damaged, while the data on other partitions survives. Make sure you have the following separate partitions, and make sure that third-party applications are installed on separate file systems under /opt.

/
/boot
/usr
/var
/home
/tmp
/opt
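The partition layout above can be verified rather than just remembered. The following shell script is an added example, not from the original post: it reads a mount table in /proc/mounts format, reports which of the recommended directories are not separate filesystems, and (going a step beyond the text) which of the nodev/nosuid/noexec mount options are missing on a given mount point. The sample table is constructed; check_live_host runs the same checks against the real /proc/mounts on Linux.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the recommended
# directories are NOT on their own filesystem, and which hardening mount
# options are missing, by reading a table in /proc/mounts format.
# A constructed sample table is embedded so the script runs anywhere;
# check_live_host reads the real /proc/mounts on a Linux system.

REQUIRED_MOUNTS="/ /boot /usr /var /home /tmp /opt"

# Constructed sample: /usr, /tmp and /opt live on the root filesystem.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/vg-var /var xfs rw,relatime 0 0
/dev/mapper/vg-home /home xfs rw,relatime,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# missing_mounts TABLE -> prints each required mount point that is not a
# separate filesystem in TABLE, one per line (nothing when all are present).
missing_mounts() {
  for m in $REQUIRED_MOUNTS; do
    if ! printf '%s\n' "$1" | awk -v mp="$m" '$2 == mp { found = 1 } END { exit !found }'; then
      printf '%s\n' "$m"
    fi
  done
}

# mount_options TABLE MOUNTPOINT -> the option field of that mount (empty if absent).
mount_options() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# missing_options TABLE MOUNTPOINT "opt1 opt2 ..." -> options not set on that mount.
missing_options() {
  opts=$(mount_options "$1" "$2")
  for o in $3; do
    case ",$opts," in
      *",$o,"*) ;;
      *) printf '%s\n' "$o" ;;
    esac
  done
}

# check_live_host -> the same checks against the running system (Linux only).
check_live_host() {
  table=$(cat /proc/mounts)
  echo "Not on a separate filesystem:"
  missing_mounts "$table"
  echo "Options missing on /tmp:"
  missing_options "$table" /tmp "nodev nosuid noexec"
  echo "Options missing on /home:"
  missing_options "$table" /home "nodev nosuid"
}

# Stand-alone demo on the constructed table.
echo "Not on a separate filesystem:"
missing_mounts "$SAMPLE_MOUNTS"
echo "Options missing on /home:"
missing_options "$SAMPLE_MOUNTS" /home "nodev nosuid"
```

The mount-option check is stricter than the post asks for; noexec on /home can break users' own scripts, which is why the live check only asks for nodev and nosuid there.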


3. Minimize Packages to Minimize Vulnerability
Do you really want all sorts of services installed? It’s recommended to avoid installing unneeded packages, so you do not inherit their vulnerabilities. This minimizes the risk that the compromise of one service leads to the compromise of other services. Find and remove or disable unwanted services on the server. Use the ‘chkconfig‘ command to find out which services run in runlevel 3.

# /sbin/chkconfig --list |grep '3:on'
Once you’ve found any unwanted services running, disable them using the following command.

# chkconfig serviceName off
Use a package manager such as “yum” or “apt-get” to list all installed packages on the system and remove the ones you do not need with the following commands.

# yum -y remove package-name
# sudo apt-get remove package-name

4. Check Listening Network Ports
With the ‘netstat‘ networking command you can view all open ports and the programs associated with them. As mentioned above, use the ‘chkconfig‘ command to disable all unwanted network services on the system.

# netstat -tulpn
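Listing the ports is only useful if you act on what is bound where. As an added example that is not part of the original post, this script parses netstat -tulpn output (a constructed sample is embedded) and flags sockets bound to all interfaces, which is what the “bind processes to localhost” step in the overview is about, then filters out the ports you intend to expose. On systemd-based distributions the equivalent live commands are ss -tulpn and systemctl list-unit-files --type=service, which replace netstat and chkconfig.

```shell
#!/bin/sh
# Added example (not from the original post): parse `netstat -tulpn` output
# and flag services that listen on every interface (0.0.0.0 or ::) instead of
# localhost, then filter out the ports you intentionally expose.
# The sample output below is constructed, not captured from a real host.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1043/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1201/apache2
tcp6       0      0 ::1:6379                :::*                    LISTEN      990/redis-server
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient'

# exposed_listeners NETSTAT_OUTPUT -> "proto port pid/program" for every
# socket bound to all interfaces. The local address is always field 4; the
# program is the last field, which also handles UDP lines (they have no State).
exposed_listeners() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
      addr = $4
      n = split(addr, parts, ":")            # the port follows the last ":"
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "0.0.0.0" || host == "::" || host == "*")
        print $1, port, $NF
    }'
}

# unexpected_listeners NETSTAT_OUTPUT "port port ..." -> exposed sockets whose
# port is not in the allow-list of ports you intend to serve publicly.
unexpected_listeners() {
  exposed_listeners "$1" | while read -r proto port prog; do
    case " $2 " in
      *" $port "*) ;;
      *) echo "$proto $port $prog" ;;
    esac
  done
}

# check_live_host "22 80" -> the same check on the running system.
check_live_host() {
  unexpected_listeners "$(netstat -tulpn 2>/dev/null)" "$1"
}

echo "Listening on all interfaces:"
exposed_listeners "$SAMPLE_NETSTAT"
echo "Not in the allow-list (22 80):"
unexpected_listeners "$SAMPLE_NETSTAT" "22 80"
```

Anything the second list reports either needs its bind address changed to 127.0.0.1 (or ::1) in the service's own configuration, or needs to be stopped and disabled as described above.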

5. Use Secure Shell(SSH)
The Telnet and rlogin protocols send everything in plain text rather than in encrypted form, which is a security risk. SSH is a secure protocol that encrypts the communication with the server.

Never log in directly as root unless necessary. Use “sudo” to execute commands. sudo privileges are specified in the /etc/sudoers file, which should be edited with the “visudo” utility (it opens the file in the vi editor and checks the syntax before saving).

It’s also recommended to change the default SSH port 22 to some other, higher port number. Open the main SSH configuration file and set the following parameters to restrict which users can log in.

# vi /etc/ssh/sshd_config
Disable root login:
PermitRootLogin no
Only allow specific users:
AllowUsers username
Use SSH protocol version 2:
Protocol 2
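sshd uses the first occurrence of each keyword and ignores later ones, so a leftover “PermitRootLogin yes” higher in the file silently defeats the “PermitRootLogin no” you add at the bottom. The audit script below is an added example, not from the original post; it parses a constructed weak config and a constructed hardened config with that rule and reports which of the settings above are not in effect. Match blocks are outside its scope.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# settings recommended above, honouring sshd's rule that the FIRST occurrence
# of a keyword wins. Both configs below are constructed samples; Match blocks
# are out of scope for this parser.

# Constructed weak config: root login ends up allowed, no AllowUsers, port 22,
# and protocol 1 still enabled.
WEAK_SSHD_CONFIG='# /etc/ssh/sshd_config (sample)
Port 22
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
Protocol 2,1'

# Constructed hardened config matching the recommendations above.
HARDENED_SSHD_CONFIG='Port 2222
Protocol 2
PermitRootLogin no
AllowUsers alice bob'

# effective_setting CONFIG KEYWORD -> value of the first active (non-comment)
# line for KEYWORD, case-insensitively; empty when the keyword is not set.
effective_setting() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_sshd_config CONFIG -> one finding per line; prints nothing when the
# config satisfies all of the checks.
audit_sshd_config() {
  cfg="$1"
  v=$(effective_setting "$cfg" PermitRootLogin)
  [ "$v" = "no" ] || echo "PermitRootLogin: effective value is '${v:-unset}', expected 'no'"
  v=$(effective_setting "$cfg" AllowUsers)
  [ -n "$v" ] || echo "AllowUsers: not set, so any valid account may attempt to log in"
  v=$(effective_setting "$cfg" Port)
  [ -n "$v" ] && [ "$v" != "22" ] || echo "Port: default port 22 is in use"
  v=$(effective_setting "$cfg" Protocol)
  [ -z "$v" ] || [ "$v" = "2" ] || echo "Protocol: '$v' still allows protocol 1"
}

# check_live_host -> audit the real daemon configuration (needs read access).
check_live_host() {
  audit_sshd_config "$(cat /etc/ssh/sshd_config)"
}

echo "Findings for the weak config:"
audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "Findings for the hardened config (none expected):"
audit_sshd_config "$HARDENED_SSHD_CONFIG"
```

Run sshd -t after editing to catch syntax errors before restarting the daemon. On current OpenSSH releases only protocol 2 exists and the Protocol keyword is deprecated, so the check only complains if the keyword is present and set to something other than 2.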



6. Keep System updated
Always keep the system updated with the latest release patches, security fixes, and kernel as soon as they are available.

# yum update
# yum check-update

7. Lockdown Cronjobs
Cron has its own built-in feature that allows you to specify who may, and who may not, run jobs. This is controlled by the files /etc/cron.allow and /etc/cron.deny. To block a user from using cron, add the user name to cron.deny; to allow a user to run cron jobs, add the user name to cron.allow. If you would like to block all users from using cron, add the ‘ALL‘ line to the cron.deny file.

# echo ALL >>/etc/cron.deny
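Which file exists matters more than what either file contains: when cron.allow exists, cron consults only it and cron.deny is ignored. The script below is an added example, not from the original post, that reproduces that decision order for a user name (it matches user names line by line; whether the ALL entry mentioned above is honoured depends on the cron implementation, so verify it on your system). The two files are created in a scratch directory; on a real host point the function at /etc/cron.allow and /etc/cron.deny, and pass your distribution's default for the case where neither file exists (the crontab man page documents which it is).

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a user may use
# cron the way cron's own access check does. If cron.allow exists, ONLY the
# users listed in it may run jobs and cron.deny is ignored entirely; if only
# cron.deny exists, everyone except the users listed may run jobs; if neither
# exists the default depends on the distribution, so it is passed in as an
# argument. The files are created in a scratch directory here.

# cron_allowed USER ALLOW_FILE DENY_FILE [DEFAULT] -> prints "allowed" or "denied".
cron_allowed() {
  user="$1"; allow="$2"; deny="$3"; default="${4:-denied}"
  if [ -f "$allow" ]; then
    # cron.allow present: it is the only list consulted
    if grep -qx "$user" "$allow"; then echo allowed; else echo denied; fi
  elif [ -f "$deny" ]; then
    # only cron.deny present: listed users are blocked, everyone else passes
    if grep -qx "$user" "$deny"; then echo denied; else echo allowed; fi
  else
    echo "$default"
  fi
}

# Scratch files (constructed): alice is in both lists, bob only in cron.deny.
CRON_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$CRON_DEMO_DIR"' EXIT
printf 'alice\n' > "$CRON_DEMO_DIR/cron.allow"
printf 'alice\nbob\n' > "$CRON_DEMO_DIR/cron.deny"

# cron_report DIR -> show the decision for each user with and without cron.allow
cron_report() {
  for u in alice bob carol; do
    echo "$u with cron.allow present: $(cron_allowed "$u" "$1/cron.allow" "$1/cron.deny")"
    echo "$u with only cron.deny:     $(cron_allowed "$u" "$1/absent" "$1/cron.deny")"
  done
}

cron_report "$CRON_DEMO_DIR"
```

The report shows the trap directly: alice is listed in cron.deny but still gets cron because cron.allow exists and names her, while carol is allowed as soon as cron.allow is absent even though nobody ever granted her anything.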


8. Disable USB Storage Detection
Many times we want to restrict users from using USB sticks on a system, to protect data from being stolen. Creating the file ‘/etc/modprobe.d/no-usb‘ with the line below prevents USB storage devices from being detected. Note that current modprobe versions only read files in /etc/modprobe.d/ whose names end in .conf, so on such systems the file must be named no-usb.conf.

install usb-storage /bin/true
9. Turn on SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system. Think twice before removing it, and if your system is attached to the internet and accessed by the public, think some more.

SELinux provides three basic modes of operation:

  • Enforcing: the default mode, which enables and enforces the SELinux security policy on the machine.
  • Permissive: in this mode SELinux does not enforce the security policy; it only warns and logs actions. This mode is very useful for troubleshooting SELinux-related issues.
  • Disabled: SELinux is turned off.
You can view the current SELinux mode from the command line using the ‘system-config-selinux‘, ‘getenforce‘ or ‘sestatus‘ commands.

# sestatus
If it is not enforcing, switch it on using the following command. Note that setenforce only switches a running SELinux between permissive and enforcing; if SELinux is disabled, it must be enabled in ‘/etc/selinux/config‘ and the system rebooted.

# setenforce enforcing
It can also be managed from the ‘/etc/selinux/config‘ file, where you can enable or disable it persistently across reboots.

10. Remove KDE/GNOME Desktops
There is no need to run X Window desktops like KDE or GNOME on a dedicated LAMP server. You can remove or disable them to increase the security and performance of the server. To disable them, open the file ‘/etc/inittab‘ and set the default run level to 3. If you wish to remove them completely from the system, use the command below.

# yum groupremove "X Window System"
11. Turn Off IPv6
If you’re not using IPv6, you should disable it, because most applications or policies do not require it and it is currently not needed on the server. Go to the network configuration file and add the following lines to disable it.

# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no


Monitoring your system

After you take steps to prevent intrusion, you need to set up a monitoring system to detect whether an attack against your server has taken place. If you're alerted to an attack, you're better prepared to handle it. Tripwire (see Related topics) alerts you to unauthorized activity that takes place with system files on your server. Use Logwatch (see Related topics) to create reports you can analyze.

Tripwire

Tripwire sets up a baseline of normal system binaries for your computer. It then reports any anomalies against this baseline through an email alert or through a log. Essentially, if the system binaries have changed, you'll know about it. If a legitimate installation causes such a change, no problem. But if the binaries are altered as a result of a Trojan horse-type installation, you have a starting point from which to research the attack and fix the problems.
  1. To install and configure Tripwire through the command line, type the following command and then press Enter:
    sudo aptitude install tripwire
  2. Choose Yes to all of the questions during the installation. You may be asked to create a passphrase. If you are, make note of it for future use.
  3. When you reach the screen shown in Figure 1, Tripwire has been installed. Click OK.
    Figure 1. Tripwire installation complete
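Tripwire's core idea, a hashed baseline that later runs are compared against, fits in a few lines of shell. The script below is an added example, not from the original post and not Tripwire's own code: it records a sha256sum for every file under a directory, then reports files that changed, were added or were removed. It assumes GNU coreutils (sha256sum and find), does not handle paths containing spaces, and builds its own scratch tree so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original post, and not Tripwire's own code): a
# minimal file-integrity baseline and check in the spirit of Tripwire. Record
# a hash of every file, then report files that changed, appeared or vanished.
# Assumes GNU coreutils (sha256sum). Paths with spaces or newlines are not
# handled. A scratch directory stands in for the system tree.

# integrity_baseline DIR BASELINE_FILE -> write "sha256  ./path" for every
# regular file under DIR, sorted by path.
integrity_baseline() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# integrity_check DIR BASELINE_FILE -> print "CHANGED", "ADDED" or "REMOVED"
# plus the path for every difference; prints nothing when DIR matches.
integrity_check() {
  current=$(mktemp)
  integrity_baseline "$1" "$current"
  # First pass loads the baseline into base[path] = hash; second pass walks
  # the current listing and compares.
  awk 'NR == FNR { base[$2] = $1; next }
       {
         if (!($2 in base))        print "ADDED " $2
         else if (base[$2] != $1) print "CHANGED " $2
         seen[$2] = 1
       }
       END { for (p in base) if (!(p in seen)) print "REMOVED " p }' "$2" "$current" | LC_ALL=C sort
  rm -f "$current"
}

# Constructed scratch tree standing in for a system directory; the baseline
# is kept OUTSIDE the tree so it is not hashed as part of it.
DEMO_DIR=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$DEMO_DIR" "$BASELINE"' EXIT
mkdir -p "$DEMO_DIR/bin"
printf 'original binary\n' > "$DEMO_DIR/bin/ls"
printf 'setting=1\n' > "$DEMO_DIR/etc.conf"
integrity_baseline "$DEMO_DIR" "$BASELINE"

# Simulate what a bad install would leave behind: one file modified,
# one added, one removed.
printf 'replaced binary\n' > "$DEMO_DIR/bin/ls"
printf 'unexpected\n' > "$DEMO_DIR/newfile"
rm -f "$DEMO_DIR/etc.conf"

echo "Differences against baseline:"
integrity_check "$DEMO_DIR" "$BASELINE"
```

Store the baseline somewhere the host cannot rewrite it (read-only media or another machine) and re-baseline only after deliberate package updates; otherwise whoever can alter the binaries can also alter the record you compare them against, which is exactly the problem Tripwire's signed database addresses.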

https://www.tecmint.com/linux-server-hardening-security-tips/

https://www.cyberciti.biz/tips/linux-security.html

https://www.computerworld.com/article/3144985/linux-hardening-a-15-step-checklist-for-a-secure-linux-server.html

https://linux-audit.com/linux-server-hardening-most-important-steps-to-secure-systems/

https://www.linode.com/docs/security/securing-your-server/

https://www.ibm.com/developerworks/linux/tutorials/l-harden-server/index.html

https://www.linuxjournal.com/content/simple-server-hardening

Tuesday, May 14, 2019

A good Linux distribution for older computers?

A friend asked me for a recommendation about a good Linux distribution. What he wrote was this:

"...at home I'm a total Apple head. I have an old Toshiba laptop that I loaded Ubuntu on but it's too old to keep up anymore. I also have a desktop HP that I bought about 7 years ago and recently Microsoft has decided to lock up Windows 10 for some reason. I'm done with them. How can I get a boot disk that will load up Ubuntu as the OS and go from there? A related question would be: Do I need to have a hardwired keyboard and mouse to get this to work? Since wireless bluetooth stuff probably won't work unless there's associated drivers I'm speculating I need to get some basic USB gear. Thoughts?"

My reply:
I have Lubuntu 18.04 running on an older Intel Core2 w/ 2 GB RAM. It has wifi and ethernet drivers, pretty good graphics, and runs Ubuntu "lite" (Lubuntu). It just works. Bluetooth drivers are already on Lubuntu and most Linux distros. I check out Distrowatch.com for the latest and greatest. Your choices are almost endless; for a small footprint, try Puppy and Damn Small Linux. I used PCLinuxOS for a while, I like the control panel they have. Download the ISO and burn it to a USB stick with YUMI, LiLi USB Creator, or WinToUSB. You can try them as a "Live" environment without installing and see if you like the interface. If you have any questions, feel free to IM me. Peace.

Thursday, April 18, 2019

The Emergency Boot USB Disk

The Emergency Boot USB Disk

The Emergency Boot USB disk allows you to boot up in case your computer is having a bad day.
Here is a picture of the desktop of The Emergency Boot USB Disk

Recently I've been working on the Emergency Boot USB disk. This is a product I started 10 years ago as the Emergency Boot CD. It has evolved and now I put my current software build on USB disks. USB 3.0 disks now have much better transfer rates, as well as much more storage capacity.
The concept is fairly simple: it's a tool that allows you to boot your PC in case it's unable to start, whether it's because of file corruption, viruses, hard drive failure or other mishaps. The scenario is pretty typical: your computer won't boot up, or it endlessly loops during boot-up and never completes loading the Operating System. I've been doing computer support for around twenty years so I know what is going on under the hood of Microsoft Windows. The most typical causes of failure are corrupted Windows files, viruses or malware infecting your computer, bad sectors on a hard drive, or complete hardware failure.

The Emergency Boot USB allows you to boot up regardless of the condition of the hard drive. You're able to scan for viruses and remove them, and back up all your files and folders to a medium like an external hard drive or a cloud account at Apple iCloud, Box.com, Google Drive, or Microsoft OneDrive.

It includes software to create an image of the hard drive and save it. In case of hardware failure you can restore the image onto a new hard drive with all of your application software, documents, and Operating System intact. It features software applications to create a disk image and file backup, password reset, disk repair, disk defragmentation, virus scanning and file recovery. These are the tools I use on a daily basis and have used on dozens of client computers of all types, like Acer, Asus, Compaq, Dell, Lenovo, Hewlett-Packard and the standard everyday clone PC.

These will be available for sale on a fast, high-speed USB 3.0 drive, the highest quality USB stick available. As a base platform I'm using Windows 10 PE in a 32-bit environment on a 16 GB USB disk. In addition to that I am bundling dozens of other software packages, from antivirus programs, graphics editors and viewers, text editors and Internet browsers to utilities. The release date is May. I will be listing all the software programs and will include an instruction manual.


I will be making this available soon on my eBay store.

Thursday, May 31, 2018

Skillz

  • Remote Systems Management
  • Solaris/Linux Operating System
  • Server Configuration Management
  • Performance Management
  • Capacity Planning
  • Capacity and Performance Reporting
  • Operational Support
  • Security Management
  • Patch Management
  • Asset Management
  • Audit responsibilities
  • Change management
  • Incident and Problem management, including Root Cause Analysis
  • Disaster Recovery testing support
  • Maintenance of lab and development environments


Wednesday, May 2, 2018

WARNING SIGNS THAT YOUR COMPUTER IS INFECTED!

Beware the signs of a potentially malware-infested PC:
  • Slower-than-usual performance
  • Lots of pop-ups and other weird issues
It’s possible your system has been infected by a virus, spyware, or malware.
This happens every day: you’re working on your computer and start noticing annoying pop-ups, and it takes too long for your files or computer apps to load.
You wait and wait. You might ask yourself: “Does my computer have a virus?”

Unfortunately, the answer might be “yes” and your computer could be already compromised with viruses or malware that are slowing down its activity and performance.
This is one of the signs that show your PC might suffer from a malware infection. There are more of them you need to be aware of and understand, so you can quickly take action.

I will show you the warning signs of a malware infection and what can you do about it.

Scenario 1: “My computer applications run slow lately and it takes longer than usual to start”
If you’re dealing with this, it could indicate the presence of viruses on your computer. It’s frustrating to try to use a slow computer. It is well known that one of malware’s main symptoms is slowing down your operating system, whether you’re browsing the Internet or simply using your local applications.

Scenario 2: “I keep getting annoying ads that are opening randomly or strange messages on my computer’s screen”
Unexpected pop-ups which appear on your screen are a typical sign of a malware infection on your computer. This form of malware is known as spyware and is designed to collect and steal users’ sensitive data without their knowledge.
The main issue is created not only by the numerous pop-up windows that affect your Internet browsing but also because it is quite difficult to remove them from the system.
These pop-ups are not only frustrating, but they usually come bundled with other concealed malware threats and could be far more destructive for our systems. They could be disguised as legitimate programs and actually track your web browsing data or monitor your online activity to collect passwords and other personal information.
We strongly recommend NEVER CLICKING on a suspicious pop-up!
Try one of these free spyware removal tools to get rid of those annoying pop-ups or strange messages.




For a malware infection: run a complete scan of the system with a good antivirus product.

Also, to better keep your computer away from malicious threats, make sure you follow these security measures:
  • Do not click on pop-up windows
  • Don’t answer unsolicited emails or messages
  • Be very careful when downloading free applications from various websites

Scenario 3: “My laptop keeps crashing when I do XYZ. It simply freezes, then a blue screen shows up”
It crashes many times and shows that popular BSOD (Blue Screen of Death). Then it restarts and says that Windows was recovering from an unexpected shutdown. This may also be a malware issue.

My recommendation is to run an anti-virus product, preferably from a bootable CD, DVD, or USB key. Use an automated cleaning session with a specialized program like CCleaner, which is free and will automatically scan for missed and unused registry keys while backing up your data before the actual cleaning.


First of all, install the CCleaner program, click the Registry icon (as displayed in the image below), select the items you want to delete, then click Scan for Issues and a list of potential issues will be generated. After the scan is done, you can review the list and click Fix selected issues to solve the outstanding registry issues. You will be asked to back up the changes.


Scenario 4: “My homepage has changed and I don’t remember doing it myself”
If you notice this unusual behavior, or a new toolbar appearing out of nowhere, or you’ve been redirected to a different web address than the one you initially accessed, these could be signs of a malware infection. It usually happens when you visit a website and accidentally click on a link or a pop-up window. This triggers the unwanted software to download and install on your device. Its effects are not only annoying, but also malicious.

What to do? Run a complete scan with your security software as soon as possible. Why? Because these types of threats don’t go away easily.



It is also important to rely on another layer of security on top of antivirus to better fight against online threats and proactively block them. If your programs or your system crash constantly or the infamous BSOD (Blue Screen of Death) appears regularly, it’s a clear warning that your system is not working properly and you should look into it.


