Hacker attack on the Lazio Region: let's be clear

Hacker attack on the Lazio Region: let's be clear

Hacker attack on the Lazio Region

The Lazio region suffered a ransomware attack that disabled the region's computer systems, including the registration portal for COVID-19 vaccinations. The attack started between Saturday 31 July and Sunday 1 August, encrypted every file in the regional data center and interrupted the institutional computer network.

“In the night between Saturday and Sunday - writes Nicola Zingaretti, President of the Region Lazio - the Lazio Region suffered a first cyber attack of criminal origin. We don't know who is responsible and their goals. [...] The attack blocked almost all files in the data center. The vaccination campaign continues normally for all those who have booked. Vaccine reservations are currently suspended for the next few days. The system is currently shut down to allow internal verification and to avoid the spread of the virus introduced with the attack. ”

Although hacking groups specializing in the development and dissemination of ransomware are known for data theft, the Lazio Region affirms that the sensitive data of the institutions and the inhabitants are safe. The interruption caused a sensation above all for having blocked the health portal "Salute Lazio", a platform necessary for vaccinating against COVID-19.

Flag of the Lazio Region. Source: Wikimedia Commons, public domain We remind you that, in these days, the Government is defining the certification system for the vaccine passport (the so-called “Green Pass”). The adoption of this certification system, necessary for some recreational and closed activities since Friday 6 August, has led to a new surge in vaccination requests. The vaccinated population of Lazio is about 70%, while the vaccine doses administered are about 96%. Regional institutions fear that the ransomware attack could lead to an interruption of COVID-19 online vaccination.

"There is a powerful hacker attack on the regional Ced. The systems are all disabled including the entire Salute Lazio portal and the vaccine network. All defense and verification operations are underway to avoid embezzlement. Vaccination operations could be delayed ”, is what emerged in a press release from the Region, released hot. However, there seems to have been no interruption of the appointments set before the attack. According to subsequent declarations by the Lazion Region, the online registration system will be back active in a short time.

The assumptions about the attack

According to different sources, the ransomware attack on the Lazio Region would be been brought about by a ransomware virus. But, contrary to the first statements, it would not be an attack organized by some group. The first investigations carried out by the Regional Health Councilor, Alessio Amato, and told by the same in a video interview for Repubblica, reveal that the attack seems to have arisen from the use of an employee in smart working.

According to the commissioner, the attack started "from the violation of a user of an employee in smartworking" and the criminals "hit at a particular moment, when the level of attention is lowered", as at the end working day. This first violation, which could also be the result of a carelessness that led the employee to download the attachment of some malicious email, would have allowed the ransomware to spread among connected computers, hitting regional data backups and encrypting them. "The access keys to the Ced, the system that manages health data, building practices and many other services to the citizen have been changed. It is a situation that creates profound unease. ”

Bleeping Computer has published a screenshot of an alleged negotiation page between the Lazio Region and a group of cybercriminals, RansomEXX. According to the US newspaper, the attack follows the modalities of this group of hackers. The page warns, as in other cases of ransomware, that the Region must pay a ransom to decrypt the files. Currently, the authors of the ransomware have not submitted any official ransom note.

The image opens with a "Hello, Lazio!" and warns the Region that the files have been encrypted. The ransom note also includes a link to a private page on the dark web, from which it is believed that one can negotiate with the creators of the ransomware to recover the decrypted files. Although the ransom note does not indicate any group, according to Bleeping Computer the posted Onion URL would be associated with a site of the RansomEXX group.

Screenshot of the alleged ransom note. Source: Bleeping Computers, Bleeping Computer® LLC. https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/ Remember that the RansomEXX negotiation pages are "unique" for each victim: as the ransomware steals data during the attack, that information is picked up by the negotiation page. In particular the page reports the amount of stolen data and the screenshots of some files.

In this case Bleeping Computer's widespread negotiation page shows no indication that RansomEXX actually stole the data. According to an Italian cybersecurity researcher and expert, JAMESWT, there is evidence that the attack on the Lazio region was instead caused by the LockBit 2.0 ransomware. In both cases, the attack would have been caused by a trivial human error (and one that anyone among us could commit, out of fatigue or inattention).

How LockBit 2.0 works

LockBit recurs to the “Ransomware as a Service” (RaaS) model: it means that developers provide their customers with the infrastructure and malware, receiving a share of the ransom for decrypting the files. Attacking the victim's network is the responsibility of the purchaser of the service, and when it comes to distributing ransomware over the network, LockBit has designed an innovative technology that has been extensively described by Kaspersky experts.

Later that cybercriminals gain access to the network and reach the domain controller - a dynamic that promptly occurred in the attack on the Lazio region - they run their malware on the same controller. This creates new user group policies, which are then automatically distributed to each device on the network. The policies imposed by LockBit 2.0 first disable the security software integrated into the operating system and, at the same time, perform scheduled tasks on all Windows devices to launch the ransomware executable.

According to researcher Vitali Kremez, LockBit 2.0 uses the Windows Active Directory API to query Lightweight Directory Access Protocol (LDAP) for a list of computers connected to the same network. At this point, LockBit 2.0 bypasses user account control (UAC) and runs silently, without triggering any alarms on encrypted devices. According to Kasperky, LockBit 2.0 would be the first mass ransomware to spread by targeting user group policies.

Photo credit - depositphotos .com

What is RansomEXX

According to the hypothesis of Bleeping Computer, however, the attack is due to software developed by the hacker group RansomEXX.

Although it appears the group did not intend to attack the Lazio region directly, its history of successful attacks on high-profile targets - including Brazil's government networks, the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics and the Ecuadorian CNT - constitute more than enough experience to put Italian institutions in difficulty.

The RansomEXX attacks follow dynamics similar to those outlined by LockBit 2.0, although diffusion does not resort to innovative methods such as alteration of user group rules. RansomEXX ransomware hacks a network using vulnerabilities or stolen credentials, and then spreads through interconnected devices.

Senate Chamber of the Italian Republic (Palazzo Madama). Source: Wikimedia Commons, CC BY-SA 4.0

The consequences of the attack on the Lazio Region

At the moment it is not possible to establish how long the Lazio Region services will be back online. Cyber ​​attacks are an open problem in Italy, not only due to the vulnerability of the IT systems of the institutions - often very deficient also in terms of UI and stability for the users themselves. According to the President of the Region, the situation should be re-established in about 72 hours.

The Minister of the Interior Luciana Lamorgese spoke to Copasir, speaking of the "resurgence" of cyber criminal activities that "in recent months has affected both public and private activities, noting the need to act urgently to raise the level of security, the resilience of IT systems and the education of operators ". In the meantime, the Rome Public Prosecutor's Office has launched a series of investigations, also in collaboration with the FBI and European Interpol. In addition, in recent months, the Government has been pushing for the establishment of a National Cybersecurity Agency, aimed precisely at preventing and intervening in the event of a hacker attack on institutions: the official, thanks to what happened in the Lazio Region, should reach brief.

We believe it is necessary to intervene also and above all on the computer education of Italians. Too often, inattention is noted and basic preventive measures are not adopted in the use of the network, both for business and recreational purposes. Buying an effective antivirus suite, running it and updating it frequently is only the first step: care must also be taken in normal online browsing and reading emails, learning to distinguish frauds, scams and spam that can damage our device (and more). To learn more, we suggest you consult our guide to the best antivirus.

The purchase and use of a complete and effective antivirus suite is now necessary and indispensable. Find the best solutions on Amazon.

Powered by Blogger.