Yikes!

"CloudNordic has told customers to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud provider's servers and "paralyzed CloudNordic completely," according to the IT outfit's online confession.

"The intrusion happened in the early-morning hours of August 18 during which miscreants shut down all of CloudNordic's systems, wiping both company and customers' websites and email systems. Since then, the IT team and third-party responders have been working to restore punters' data — but as of Tuesday, it's not looking great."

https://www.theregister.com/2023/08/23/ransomware_wipes_cloudnordic/

The Register: "Criminals go full Viking on CloudNordic, wipe all servers and customer data. IT outfit says it can't — and won't — pay the ransom demand."

This also is terrifying:

CloudNordic says its "best estimate" is that the infection happened as servers were being moved from one datacenter to another.

Some of the machines were apparently infected before the move, and during the transfer servers that had been on separate networks were all connected to CloudNordic's internal network. This gave the intruders access to both the central administrative systems, storage, replication backup system and secondary backups, all of which they promptly encrypted for extortion.

@briankrebs that seems quasi like plugging in a USB drive that's been sitting in your parking lot.
@briankrebs Hmm so was that actually being infected during transit, or was it that a previously infected machine got moved onto an important network? I can imagine something like a suspicious customer machine having been left off to be wiped in a corner, and then someone moves a pile of machines to a new site, wires them all up and they get a default vlan or something.
Been saying this forever: If they can deploy spam bots or infostealer bots in your network w/out your knowing, they can just as easily deploy wipers. And we may soon be coming to an era when not paying a ransom means not just having all your data posted on some victim shaming site, but also getting all systems wiped.
@briankrebs yes; I long thought that a slow & steady data _swapper_ would be apocalyptically destructive—hard to spot and renders point in time backups useless
@aglet @briankrebs
This is the cyber equivalent of slow-spreading biological weapons with a 99.99% lethality rate.
@aglet @briankrebs oh thank you for the fresh nightmare fuel.
@briankrebs There's no reason they couldn't wipe social media accounts before deleting/spamming phishing links, to further ruin reputation, too - something like deadnaming or doxing someone that would get a huge negative online reaction, at a time when the company needs all hands dealing with the first crisis, would be terrible.
@briankrebs well, to be fair, hack to wipe “tradition” has been there since ever, that's basically what the radical hacking scene did in the 90s :)
@briankrebs You know this beat better than anyone. Why aren’t any of these crews monetizing blackmail? In all this data, there is presumably a ton of compromising information. Why not target a few wealthy people with blackmail?
@PeoriaBummer A form of this is quite common. They will research the board members, how much insurance they have, which investors might be spooked easily, and some ransom groups are known to start contacting these people and turning the screws that way. I would consider that a form of blackmail.
@briankrebs Thanks for the reply! That’s fascinating and answers a question that’s been nagging at me for years. Much appreciated!
@briankrebs Amen. That is almost verbatim the executive report I gave recommending DR focus when the war in Ukraine started. "Shelve the discussion about cyberinsurance. You could have cheap, full indemnity but it makes no difference if an adversary disappears everything and the org has no good recovery strategy or capability. The money can't salvage that."
@briankrebs I've been advocating offline backups of material stored in the cloud and this reinforces this argument.
@briankrebs Holy shit! I wonder how many customers that affects? Never heard of this company before.
@frrstbrwn Um, I think all of them. :(
@briankrebs Oops, I should have phrased that question better. How many customers did they have?

@briankrebs Everything has gone south for Nordic

Worst case scenario for a cloud provider. Not only losing all your clients' data but also the trust of those, and future, clients. This is game over for them.

@briankrebs

This is why I am against organizations putting everything in the "cloud". It isn't magic or even a guarantee. You can't sue and get money from a company that doesn't have any. Even if this happened to Amazon, not even Amazon has enough money to pay out the damages to all of their customers.

Sure, they might have more resources to hire talent, but even that is no guarantee they hire good talent.

Lastly, big player means big target for organized crime and state actors.

@briankrebs I guess neither CloudNordic nor their customers believe in offsite backups.
@MaybeMyMonkeys @briankrebs My guess is that they have backups which are now encrypted or wiped as well, because the backups are accessible from the servers that are being backed up.
@MaybeMyMonkeys @briankrebs They apparently did have backups. On servers that were presumably on the same network and which were also hit. So backups, but not really…
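Two failure modes come up in this thread: a slow data "swapper" that quietly corrupts records so that point-in-time backups restore bad data, and backups that sit on the same network as the servers they protect and get encrypted along with them. The script below is an added example written for this page, not code from any of the posters or from CloudNordic. It records a hash-and-entropy manifest of a backup set at write time (in practice that manifest goes to a write-once store the production hosts cannot reach, which this demo only simulates with an in-memory copy), then later checks the backup against it and classifies each mismatch as a silent modification, a probable encryption (entropy near 8 bits per byte), a missing file, or an unexpected extra. File names, contents and the 7.5 entropy threshold are constructed for the demo.

```python
import hashlib
import json
import math
import os
import random
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~4-5 for text, close to 8 for encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(backup_dir: str) -> dict:
    """Map each file (relative path) to its SHA-256, size and entropy at the time of backup."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                data = f.read()
            manifest[os.path.relpath(path, backup_dir)] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "entropy": round(shannon_entropy(data), 3),
            }
    return manifest


def verify_backup(backup_dir: str, manifest: dict, entropy_threshold: float = 7.5) -> list:
    """Compare the backup on disk against a manifest recorded out of band.

    Returns (relative_path, finding) pairs. A hash mismatch is the primary signal;
    the entropy reading only refines it into 'modified' vs 'encrypted?'.
    """
    findings = []
    current = build_manifest(backup_dir)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            findings.append((rel, "missing"))
        elif actual["sha256"] != expected["sha256"]:
            kind = "encrypted?" if actual["entropy"] >= entropy_threshold else "modified"
            findings.append((rel, kind))
    for rel in current:
        if rel not in manifest:
            findings.append((rel, "unexpected"))
    return findings


def demo() -> dict:
    """Constructed scenario: take a manifest, then tamper with the backup three ways."""
    with tempfile.TemporaryDirectory() as d:
        files = {  # constructed sample backup contents
            "customers.csv": b"id,name,balance\n1,Alice,100\n2,Bob,250\n" * 50,
            "notes.txt": b"quarterly report draft\n" * 100,
            "archive.bin": bytes(range(256)) * 8,
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        # Out-of-band copy of the manifest; a real deployment writes this to
        # immutable storage that the backed-up servers cannot modify.
        frozen = json.loads(json.dumps(build_manifest(d)))

        # 1) slow "swapper": one record silently altered, file still looks like CSV
        path = os.path.join(d, "customers.csv")
        with open(path, "rb") as f:
            data = f.read().replace(b"2,Bob,250", b"2,Bob,25", 1)
        with open(path, "wb") as f:
            f.write(data)
        # 2) ransomware-style encryption: file replaced by high-entropy bytes
        rng = random.Random(1)  # seeded so the demo is deterministic
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(4096)))
        # 3) wiper: file removed outright
        os.remove(os.path.join(d, "archive.bin"))

        return dict(verify_backup(d, frozen))


if __name__ == "__main__":
    for rel, finding in sorted(demo().items()):
        print(f"{finding:11} {rel}")
```

The check only works if the manifest is written somewhere the production and backup hosts cannot reach, which is exactly the property the thread says was missing: a verifier that reads its expected hashes from the same encrypted volume learns nothing. Compressed or already-encrypted archives have high entropy on their own, so treat the entropy label as a hint and the hash mismatch as the finding.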
@briankrebs Another reminder that "The Cloud" is a fancy name for someone else's computer.
@briankrebs I used to work at a small cloud company that went public and reading this story scared the heck out of me. Can only imagine how my former co-workers are feeling today

@briankrebs

Old man yells at clouds

Manage your own kit.

@briankrebs Real Vikings don’t need no stinkin’ offsite backups!!1!