
Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’ - jbegley
https://motherboard.vice.com/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers
======
matt2000
This is an honest question: The vast majority of malware targets Windows, so
how is it acceptable security practice to run Windows as your company's main
operating system?

There is a second question as to whether Windows is still inherently more
susceptible to these kinds of attacks (I would guess the answer is yes), but
that's kind of irrelevant. The threat exists, why wouldn't you just use Macs
or Chromebooks or whatever else? Basically _anything_ other than Windows? Even
in the case where you have Windows-only business critical software, just run
it in a VM on something else.

~~~
l24ztj
I'd say desktop Linux is more insecure than Windows, and the only reason we
don't see malware is that nobody uses it. So if high profile targets, like
energy companies, started using Linux on the desktop, it may end up being
worse than Windows.

~~~
ejstronge
> I'd say desktop Linux is more insecure than Windows, and the only reason we
> don't see malware is that nobody uses it. So if high profile targets, like
> energy companies, started using Linux on the desktop, it may end up being
> worse than Windows.

What's the basis for your assertion?

At the level of systems we're discussing, a Windows installation would be
operated by an experienced Windows administrator. Thus the appropriate
comparison group for Linux would be something like a university-run
supercomputing cluster. We don't often hear of these being taken over for ransom.

~~~
l24ztj
I said desktop, not server.

I don't have any basis, just what I expect. Windows has been fuzzed and
reverse engineered to the moon and back. Desktop Linux? I doubt it.

~~~
penagwin
You do know that "desktop linux" and "server linux" are the same thing, just
with different default programs and configuration styles?

I'd agree that yes, distros meant for desktop usage have less secure defaults,
but that's not necessarily to say they're "less secure" if you understand how
you're using them.

~~~
l24ztj
No, they are not the same thing in their USE, which is exactly the point I'm
making.

I trust nginx, sshd, postgres, postfix, etc. much more than I trust the gnome
file manager, evince, dbus, pulse.

For every exploit that nginx currently has, there probably are a thousand
lurking in gnome's file roller.

~~~
SmellyGeekBoy
But Gnome runs as the currently logged in user, right? So the worst damage it
can do would be to files that that user has write permissions on (i.e., not
system files).

Unless your entirely hypothetical scenario involves privilege escalation
vulnerabilities, which I'll admit aren't unheard of in Linux but are fairly
rare and usually patched within hours when they are discovered.

~~~
daeken
This is the case with the vast majority of Windows malware as well. System
files aren't important; sure, you need them to run the system, but it's not
like you can't reinstall. The issue is damage to user-owned files, no matter
which OS you're talking about.

------
Waterluvian
Our teams use Macs, windows, and Linux as a natural result of what they're
doing: selling, moneying, managing, designing, c#ing, ROSing, etc.

Makes me think that heterogeneity is a natural mitigator to issues like this
and maybe should be embraced where possible.

~~~
mistrial9
Anecdote: In 1990s California, there was a chemical science research
company, perhaps formed in the late 70s. Many scientists there had PhDs or
quality Masters in Chemistry, and they set out to write software to support the
drug discovery, pesticide and industrial chemicals industry. The company was
well-managed, and it grew. Into the 90s, the Macintosh computer got a lot of
attention for graphics, while Windows was stuck at 3.x, and many of the
scientists had DEC associations.

So the company had a plural, cross-platform code base in C for some of its
core IP. Scientists may not write the best code, but they can write a lot of
it, so the core libraries grew and grew.

Around 1997, the Internet grows, VAX declines, Windows improves and
pushes hard. The senior management are being tempted by the huge (at the time)
money for valuation. Someone decides to take the Microsoft point of view.

There was a "global rollout" effort conceived and implemented, to switch
_every working piece of code to Windows_, backed by fanfare and the sort of
content-less cheerleading you find at an ordinary school... matching t-shirts
and good looking people there to "help" you with the transition (!) to port
the code! There was tons of it, there were build chains, there was network
code. But it was the MONEY at the top, and the relentless pressure from
Microsoft and affiliates, directly, at golf courses and at hotels and at the
airport and in the money meetings, that greased the wheels to _decide_ for
everyone, that Windows was the standard, end of story.

Many working, carefully built products were retired, and the team management
was required to change over or else be retired also. The change happened.
Within a few years (before 2000) the entire company was sold to Elsevier for
three-digit millions.

postscript - a small few senior scientists did find Java when it was released,
and led an effort to port certain things to Java. The web was a cacophony, and
Java might have over-represented itself as far as a web-GUI and also backend.
No news about the fate of that, but it was a minority effort, amongst a few
who had discretionary budgets to allocate for that.

------
pavel_lishin
> CEO Jack Boss

Talk about your nominative determinism.

------
tedunangst
> Among the measures taken, Boss wrote that the Momentive is giving some
> employees new email accounts because their old ones are still inaccessible.
> The company notes that it is using a new domain—momentiveco.com for new
> email addresses rather than momentive.com.

That seems excessive.

~~~
SpikeDad
Guessing they're not competent enough to purge their email systems of the
original malware attachments nor have procedures sufficient to keep new
computers from being re-encrypted.

New email domain means old emails aren't accessible.

------
SpikeDad
Um huh? How could ransomware break computers? Perhaps their data is gone but
formatting and reinstalling Windows isn't feasible?

~~~
Crosseye_Jack
Depends on the level of trust you place into the compromised systems and your
threat model.

Basically they are going down the "nuke it from orbit" route; let's say they
miss a system that reinfects the rest somehow.

As for formatting Windows, sadly these days that is no longer enough to be
sure with a "well crafted" malware. Let's take the industry favourite laptop
tracking platform CompuTrace (now named Lo-Jack iirc).

The BIOS/UEFI module that is its heart is a small EXE that gets executed by
Windows on every boot (just like the Superfish incident, though that did use a
different way to get executed on Windows launch: Lo-Jack gets executed by
Windows, Superfish replaced a file that would get executed).

In Lo-Jack's case it's a small dropper exe that then fetches the real tracking
payload once the laptop connects to the internet, but it can be (iirc) tricked
into downloading and running any exe it likes with system privs. A BIOS flash
of a fixed BIOS is the only "fix".

But in my past I've had fun injecting stuff into and modifying BIOSes (mainly
just to unlock extra options or remove whitelists for wifi cards) and most
BIOS/UEFIs these days can be flashed from within Windows. Sure, to save
bricking the machine you would need to get the correct BIOS for that machine,
but if a company puts in a purchase order for 100 office machines they are not
going to differ too much.

If you have a payload running on a machine you could call home with its
motherboard make, model and revision. Download the BIOS from the vendor,
inject a payload into it, send it back to the machine, have the machine flash
it in the background and, using the same methods Superfish / Lo-Jack use, have
malware that persists through a format or even a replacement of the drive.

I'm sure we have already seen malware using these techniques in the
wild. Signed BIOS updates will protect to some degree, but there have been a
fair few cases of being able to bypass the sig check (which is often only done
during the read of the BIOS before the flash takes place).

Is it overkill? Is it paranoia? Probably. It might just be simply the case
that the machines were due to be replaced at some point in the near future
anyway, so 2 birds, one stone.

EDIT: It might not have been Lenovo's use of Superfish that was installed via
BIOS on reinstall of Windows, but their own bloatware. It replaced Microsoft's
copy of autochk.exe with its own that installs other pieces of Lenovo
software. After the shit hit the fan in that case, Lenovo quickly issued BIOS
updates to remove the "feature". But it goes to show how abusing the Windows
Platform Binary Table can be used to inject unwanted software into a system.
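
The Windows Platform Binary Table (WPBT) mechanism discussed above is an ACPI table the firmware hands to Windows, so a defender can at least tell whether a machine's firmware publishes one and whether it matches the one on a known-clean machine of the same model. The script below is an added example, not code from the thread or from any vendor; it assumes a Linux host (for instance a boot-from-USB triage image) that exposes ACPI tables as files named by signature under /sys/firmware/acpi/tables/, readable as root, and it lets the directory be overridden so it can be run against a copied table offline.

```shell
#!/bin/sh
# Added example: report whether the firmware exposes a WPBT table and fingerprint
# it so it can be compared with a baseline taken from a known-clean machine.
# Assumption: Linux exposes ACPI tables as /sys/firmware/acpi/tables/<SIGNATURE>;
# reading them normally requires root. The directory is a parameter for testing.

# file_sha256 FILE: print the SHA-256 of FILE using whichever tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-sha256-tool"
    fi
}

# check_wpbt [DIR]: print "WPBT <size-in-bytes> <sha256>" and return 0 when a
# WPBT table is present; print a notice and return 1 when it is absent.
# Presence alone is not malicious (OEMs use WPBT legitimately), which is why
# the fingerprint matters more than the yes/no answer.
check_wpbt() {
    dir=${1:-/sys/firmware/acpi/tables}
    table="$dir/WPBT"
    if [ ! -f "$table" ]; then
        echo "no WPBT table under $dir"
        return 1
    fi
    size=$(wc -c < "$table" | tr -d ' ')
    echo "WPBT $size $(file_sha256 "$table")"
    return 0
}

# compare_wpbt DIR EXPECTED_SHA256: return 0 when the table matches a recorded
# baseline hash, 2 when a table is present but differs, 1 when none is present.
compare_wpbt() {
    dir=$1
    expected=$2
    table="$dir/WPBT"
    if [ ! -f "$table" ]; then
        echo "no WPBT table: nothing to compare"
        return 1
    fi
    actual=$(file_sha256 "$table")
    if [ "$actual" = "$expected" ]; then
        echo "WPBT matches recorded baseline"
        return 0
    fi
    echo "WPBT DIFFERS from baseline: expected $expected, got $actual"
    return 2
}

# Usage on a live system (as root):
#   check_wpbt                 # record the size and hash from a clean machine
#   compare_wpbt /sys/firmware/acpi/tables <hash-recorded-from-clean-machine>
```

A baseline hash should come from a freshly imaged machine of the same make, model and firmware revision; a mismatch across an otherwise identical fleet is the signal worth investigating, and a matching table on every machine of one model is the expected result.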

~~~
rovyko
Is flashing the BIOS and reformatting the machine sufficient to remove any
virus that we know of currently? Or are there other hidden components that
need to be cleared?

~~~
amelius
Not sure. Who knows what hides inside Intel ME.

~~~
colejohnson66
If you’re worried about what’s in the Intel ME, then you wouldn’t buy another
Intel or AMD.

~~~
Crosseye_Jack
(At least on Intel; I’ve not looked into it on AMD’s side) Intel ME can be
neutered. On newer gens doing so can be as simple as setting a single
flag. On older systems you can rip so much of it out that all it can do is
bring up the CPU.

I would say you can still be concerned by Intel ME (as it has been shown to be
exploitable) but still purchase Intel/AMD. I mean, who else are you going to
purchase from if you want an affordable x86 system?

ARM is getting more mainstream (in the laptop/desktop/server world) and we
now have fairly decently powerful desktop/laptop ARM powered machines we
could actually dev on, but the ARM world is still filled with binary blobs
needed to get the CPU started.

Power9 has a ton of open source but the CPUs are not. RISC-V is promising but
still pricey as hell atm.

Just saying, you can be worried about ME but in a place where you are stuck
with it.

------
so_tired
What do they do with the infected laptops?

Sell them on ebay after an insufficient wipe?

Rinse and repeat.

------
ourmandave
Maybe it was time to replace all those Windows XP machines anyway?

------
MagicPropmaker
I'd go one step further. I'd fire the employees who brought it into the
company.

