Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.

In a 50-page report delivered to the Biden administration this week, top executives from Amazon, Cisco, FireEye, McAfee, Microsoft and dozens of other firms joined the U.S. Department of Justice (DOJ), Europol and the U.K. National Crime Agency in calling for an international coalition to combat ransomware criminals, and for a global network of ransomware investigation hubs.

The Ransomware Task Force urged the White House to make finding, frustrating and apprehending ransomware crooks a priority within the U.S. intelligence community, and to designate the current scourge of digital extortion as a national security threat.

The formation of the industry partnership comes just days after The Wall Street Journal broke the news that the DOJ was forming its own task force to deal with the “root causes” of ransomware. An internal DOJ memo reportedly “calls for developing a strategy that targets the entire criminal ecosystem around ransomware, including prosecutions, disruptions of ongoing attacks and curbs on services that support the attacks, such as online forums that advertise the sale of ransomware or hosting services that facilitate ransomware campaigns.”

According to security firm Emsisoft, almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.

“The costs of ransomware go far beyond the ransom payments themselves,” the task force report observes. “Cybercrime is typically seen as a white-collar crime, but while ransomware is profit-driven and ‘non-violent’ in the traditional sense, that has not stopped ransomware attackers from routinely imperiling lives.”

It is difficult to gauge the true cost and size of the ransomware problem because many victims never come forward to report the crimes. As such, a number of the task force’s recommendations focus on ways to encourage more victims to report the crimes to their national authorities, such as requiring victims and incident response firms who pay a ransomware demand to report the matter to law enforcement and possibly regulators at the U.S. Treasury Department.

Last year, Treasury issued a controversial memo warning that ransomware victims who end up sending digital payments to people already being sanctioned by the U.S. government for money laundering and other illegal activities could result in hefty fines.

Philip Reiner, executive director of the Institute for Security and Technology, said the reporting recommendations are one of several areas where federal agencies will likely need to dedicate more employees. For example, he said, expecting victims to clear ransomware payments with the Treasury Department first assumes the agency has the staff to respond in any kind of timeframe that might be useful for a victim undergoing a ransomware attack.

“That’s why we were so dead set in putting forward comprehensive framework,” Reiner said. “That way, Department of Homeland Security can do what they need to do, the State Department, Treasury gets involved, and it all needs to be synchronized for going after the bad guys with the same alacrity.”

Some have argued that making it illegal to pay a ransom is one way to decrease the number of victims who acquiesce to their tormentors’ demands. But the task force report says we’re nowhere near ready for that yet.

“Ransomware attackers require little risk or effort to launch attacks, so a prohibition on ransom payments would not necessarily lead them to move into other areas,” the report observes. “Rather, they would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities. To apply additional pressure, they would target organizations considered more essential to society, such as healthcare providers, local governments, and other custodians of critical infrastructure.”

“As such, any intent to prohibit payments must first consider how to build organizational cybersecurity maturity, and how to provide an appropriate backstop to enable organizations to weather the initial period of extreme testing,” the authors concluded in the report. “Ideally, such an approach would also be coordinated internationally to avoid giving ransomware attackers other avenues to pursue.”

The task force’s report comes as federal agencies have been under increased pressure to respond to a series of ransomware attacks that were mass-deployed as attackers began exploiting four zero-day vulnerabilities in Microsoft Exchange Server email products to install malicious backdoors. Earlier this month, the DOJ announced the FBI had conducted a first-of-its-kind operation to remove those backdoors from hundreds of Exchange servers at state and local government facilities.

Many of the recommendations in the Ransomware Task Force report are what you might expect, such as encouraging voluntary information sharing on ransomware attacks; launching public awareness campaigns on ransomware threats; exerting pressure on countries that operate as safe havens for ransomware operators; and incentivizing the adoption of security best practices through tax breaks.

A few of the more interesting recommendations (at least to me) included:

-Limit legal liability for ISPs that act in good faith trying to help clients secure their systems.

-Create a federal “cyber response and recovery fund” to help state and local governments or critical infrastructure companies respond to ransomware attacks.

-Require cryptocurrency exchanges to follow the same “know your customer” (KYC) and anti-money laundering rules as financial institutions, and aggressively targeting exchanges that do not.

-Have insurance companies measure and assert their aggregated ransomware losses and establish a common “war chest” subrogation fund “to evaluate and pursue strategies aimed at restitution, recovery, or civil asset seizures, on behalf of victims and in conjunction with law enforcement efforts.”

-Centralize expertise in cryptocurrency seizure, and scaling criminal seizure processes.

-Create a standard format for reporting ransomware incidents.

-Establish a ransomware incident response network.

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi said. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.”

Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

KrebsOnSecurity put that tool to the test, asking permission from a friend to have Demirkapi look up their credit score. The friend agreed and said he would pull his score from Experian (at this point I hadn’t told him that Experian was involved). The score he provided matched the score returned by Demirkapi’s lookup tool.

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

For example, in my friend’s case Bill’s tool said his mid-700s score could be better if the proportion of balances to credit limits was lower, and if he didn’t owe so much on revolving credit accounts.

“Too many consumer finance company accounts,” the API concluded about my friend’s score.

The reason I could not test Demirkapi’s findings on my own credit score is that we have a security freeze on our files at the three major consumer credit reporting bureaus, and a freeze blocks this particular API from pulling the information.

Demirkapi declined to share with Experian the name of the lender or the website where the API was exposed. He refused because he said he suspects there may be hundreds or even thousands of companies using the same API, and that many of those lenders could be similarly leaking access to Experian’s consumer data.

“If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained.

Nevertheless, after being contacted by this reporter Experian figured out on its own which lender was exposing their API; Demirkapi said that vendor’s site now indicates the API access has been disabled.

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”

Demirkapi said he’s disappointed that Experian did exactly what he feared they would do.

“They found one endpoint I was using and sent it into maintenance mode,” he said. “But this doesn’t address the systemic issue at all.”

Leaky and poorly-secured APIs like the one Demirkapi found are the source of much mischief in the hands of identity thieves. Earlier this month, auto insurance giant Geico disclosed that fraudsters abused a bug in its site to steal drivers license numbers from Americans.

Geico said the data was used by thieves involved in fraudulently applying for unemployment insurance benefits. Many states now require drivers license numbers as a way of verifying an applicant’s identity.

In 2013, KrebsOnSecurity broke the news about an identity theft service in the underground that programmatically pulled sensitive consumer credit data directly from a subsidiary of Experian. That service was run by a Vietnamese hacker who’d told the Experian subsidiary he was a private investigator. The U.S. Secret Service later said the ID theft service “caused more material financial harm to more Americans than any other.”

Additional reading: Experian’s Credit Freeze Security is Still a Joke (Apr. 27, 2021)

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States.  Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space.

Dune Thomas is a software engineer from Sacramento, Calif. who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.

But the crooks were persistent: Earlier this month, someone unfroze Thomas’ account at Experian and promptly applied for new lines of credit in his name, again using the same Washington street address. Thomas said he only learned about the activity because he’d taken advantage of a free credit monitoring service offered by his credit card company.

Thomas said after several days on the phone with Experian, a company representative acknowledged that someone had used the “request your PIN” feature on Experian’s site to obtain his PIN and then unfreeze his file.

Thomas said he and a friend both walked through the process of recovering their freeze PIN at Experian, and were surprised to find that just one of the five multiple-guess questions they were asked after entering their address, Social Security Number and date of birth had anything to do with information only the credit bureau might know.

KrebsOnSecurity stepped through the same process and found similar results. The first question asked about a new mortgage I supposedly took out in 2019 (I didn’t), and the answer was none of the above. The answer to the second question also was none of the above.

The next two questions were useless for authentication purposes because they’d already been asked and answered; one was “which of the following is the last four digits of your SSN,” and the other was “I was born within a year or on the year of the date below.” Only one question mattered and was relevant to my credit history (it concerned the last four digits of a checking account number).

The best part about this lax authentication process is that one can enter any email address to retrieve the PIN — it doesn’t need to be tied to an existing account at Equifax. Also, when the PIN is retrieved, Equifax doesn’t bother notifying any other email addresses already on file for that consumer.

Finally, your basic consumer (read: free) account at Experian does not give users the option to enable any sort of multi-factor authentication that might help stymie some of these PIN retrieval attacks on credit freezes.

Unless, that is, you subscribe to Experian’s heavily-marketed and confusingly-worded “CreditLock” service, which charges between $14.99 and $24.99 a month for the ability to “lock and unlock your file easily and quickly, without delaying the application process.” CreditLock users can both enable multifactor authentication and get alerts when someone tries to access their account.

Thomas said he’s furious that Experian only provides added account security for consumer who pay for monthly plans.

“Experian had the ability to give people way better protection through added authentication of some kind, but instead they don’t because they can charge $25 a month for it,” Thomas said. “They’re allowing this huge security gap so they can make a profit. And this has been going on for at least four years.”

Experian has not yet responded to requests for comment.

When a consumer with a freeze logs in to Experian’s site, they are immediately directed to a message for one of Experian’s paid services, such as its CreditLock service. The message I saw upon logging in confirmed that while I had a freeze in place with Experian, my current “protection level” was “low” because my credit file was unlocked.

“When your file is unlocked, you’re more vulnerable to identity theft and fraud,” Experian warns, untruthfully. “You won’t see alerts if someone tries to access your file. Banks can check your file if you apply for credit or loans. Utility and service providers can see your credit file.”

Sounds scary, right? The thing is — except for the part about not seeing alerts — none of the above statement is true if you already have a freeze on your file. A security freeze essentially blocks any potential creditors from being able to view your credit file, unless you affirmatively unfreeze or thaw your file beforehand.

With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). It is now free to freeze your credit in all U.S. states and territories.

Experian, like the other consumer credit bureaus, uses their intentionally confusing “lock” terminology to frighten consumers into paying for monthly subscription services. A key selling point for these lock services is they can be a faster way to let creditors peek at your file when you wish to apply for new credit. That may or may not be true in practice, but consider why it’s so important for Experian to get consumers to sign up for their lock programs.

The real reason is that Experian makes money every time someone makes a credit inquiry in your name, and it does not want to do anything to hinder those inquiries. Signing up for a lock service lets Experian continue selling credit report information to a variety of third parties. According to Experian’s FAQ, when locked your Experian credit file remains accessible to a host of companies, including:

-Potential employers or insurance companies

-Collection agencies acting on behalf of companies you may owe

-Companies providing pre-screened credit card offers

-Companies that have an existing credit relationship with you (this is true for frozen files also)

-Personalized offers from Experian, if you choose to receive them

It is annoying that Experian can get away with offering additional account security only to people who pay the company a hefty sum each month to sell their information. It’s also amazing that this sloppy security I wrote about back in 2017 is still just as prevalent in 2021.

But Experian is hardly alone. In 2019, I wrote about how Equifax’s new MyEquifax site made it simple for thieves to lift an existing credit freeze at Equifax and bypass the PIN if they were armed with just your name, Social Security number and birthday.

Also in 2019, identity thieves were able to get a copy of my credit report from TransUnion after successfully guessing the answers to multiple-guess questions like the ones Experian asks. I only found out after hearing from a detective in Washington state, who informed me that a copy of the report was found on a removable drive seized from a local man who was arrested on suspicion of being part of an ID theft gang.

TransUnion investigated and found it was indeed at fault for giving my credit report to ID thieves, but that on the bright side its systems blocked another fraudulent attempt at getting my report in 2020.

“In our investigation, we determined that a similar attempt to fraudulently obtain your report occurred in April 2020, and was successfully blocked by enhanced controls TransUnion has implemented since last year,” the company said. “TransUnion deploys a multi-layered security program to combat the ongoing and increasing threat of fraud, cyber-attacks and malicious activity.  In today’s dynamic threat environment, TransUnion is constantly enhancing and refining our controls to address the latest security threats, while still allowing consumers access to their information.”

For more information on credit freezes (also called a “security freezes”), how to request one, and other tips on preventing identity fraud, check out this story.

If you haven’t done so lately, it might be a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer one free copy of their credit report annually from each of the three credit bureaus — either all at once or spread out over the year.

What was the best news you heard so far this month? Mine was learning that KrebsOnSecurity is listed as a restricted competitor by Gartner Inc. [NYSE:IT] — a $4 billion technology goliath whose analyst reports can move markets and shape the IT industry.

Earlier this month, a reader pointed my attention to the following notice from Gartner to clients who are seeking to promote Gartner reports about technology products and services:

What that notice says is that KrebsOnSecurity is somehow on Gartner’s “non exhaustive list of competitors,” i.e., online venues where technology companies are not allowed to promote Gartner reports about their products and services.

The bulk of Gartner’s revenue comes from subscription-based IT market research. As the largest organization dedicated to the analysis of software, Gartner’s network of analysts are well connected to the technology and software industries. Some have argued that Gartner is a kind of private social network, in that a significant portion of Gartner’s competitive position is based on its interaction with an extensive network of software vendors and buyers.

Either way, the company regularly serves as a virtual kingmaker with their trademark “Magic Quandrant” designations, which rate technology vendors and industries “based on proprietary qualitative data analysis methods to demonstrate market trends, such as direction, maturity and participants.”

The two main subjective criteria upon which Gartner bases those rankings are “the ability to execute” and “completeness of vision.” They also break companies out into categories such as “challengers,” “leaders,” “visionaries” and “niche players.”

So when Gartner issues a public report forecasting that worldwide semiconductor revenue will fall, or that worldwide public cloud revenue will grow, those reports very often move markets.

Being listed by Gartner as a competitor has had no discernable financial impact on KrebsOnSecurity, or on its reporting. But I find this designation both flattering and remarkable given that this site seldom promotes technological solutions.

Nor have I ever offered paid consulting or custom market research (although I did give a paid keynote speech at Gartner’s 2015 conference in Orlando, which is still by far the largest crowd I’ve ever addressed).

Rather, KrebsOnSecurity has sought to spread cybersecurity awareness primarily by highlighting the “who” of cybercrime — stories told from the perspectives of both attackers and victims. What’s more, my research and content is available to everyone at the same time, and for free.

I rarely do market predictions (or prognostications of any kind), but in deference to Gartner allow me to posit a scenario in which major analyst firms start to become a less exclusive and perhaps less relevant voice as both an influencer and social network.

For years I have tried to corrupt more of my journalist colleagues into going it alone, noting that solo blogs and newsletters can not only provide a hefty boost from newsroom income, but they also can produce journalism that is just as timely, relevant and impactful.

Those enticements have mostly fallen on deaf ears. Recently, however, an increasing number of journalists from major publications have struck out on their own, some in reportorial roles, others as professional researchers and analysts in their own right.

If Gartner considers a one-man blogging operation as competition, I wonder what they’ll think of the coming collective output from an entire industry of newly emancipated reporters seeking more remuneration and freedom offered by independent publishing platforms like Substack, Patreon and Medium.

Oh, I doubt any group of independent journalists would seek to promulgate their own Non-Exclusive List of Competitors at Whom Thou Shalt Not Publish. But why should they? One’s ability to execute does not impair another’s completeness of vision, nor vice versa. According to Gartner, it takes all kinds, including visionaries, niche players, leaders and challengers.

On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. An analysis of the malicious file and other submissions by the same VirusTotal user suggest the account that initially flagged the backdoor as suspicious belongs to IT personnel at the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department that handles telecommunications and Internet policy.

Both Microsoft and FireEye published blog posts on Mar. 4 concerning a new backdoor found on high-value targets that were compromised by the SolarWinds attackers. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.” FireEye says the Sunshuttle backdoor was named “Lexicon.exe,” and had the unique file signatures or “hashes” of “9466c865f7498a35e4e1a8f48ef1dffd” (MD5) and b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8 (SHA-1).

“In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository,” FireEye wrote.

A search in VirusTotal’s malware repository shows that on Aug. 13, 2020 someone uploaded a file with that same name and file hashes. Premium VirusTotal users can see other files submitted by specific users, and several of those submitted by the same user over nearly two years include messages and files sent to email addresses for people currently working in NTIA’s information technology department.

The NTIA did not respond to requests for comment. But in December 2020, The Wall Street Journal reported that the NTIA was among multiple federal agencies that had email and files plundered by the SolarWinds attackers. “The hackers broke into about three dozen email accounts since June at the NTIA, including accounts belonging to the agency’s senior leadership, according to a U.S. official familiar with the matter,” The Journal wrote.

It’s unclear what, if anything, NTIA’s IT staff did in response to scanning the backdoor file back in Aug. 2020. But the world would not find out about the SolarWinds debacle until early December 2020, when FireEye first disclosed the extent of its own compromise from the SolarWinds malware and published details about the tools and techniques used by the perpetrators.

The SolarWinds attack involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software. Beginning in March 2020, the attackers then used the access afforded by the compromised SolarWinds software to push additional backdoors and tools to targets when they wanted deeper access to email and network communications.

U.S. intelligence agencies have attributed the SolarWinds hack to an arm of the Russian state intelligence known as the SVR, which also was determined to have been involved in the hacking of the Democratic National Committee six years ago. On Thursday, the White House issued long-expected sanctions against Russia in response to the SolarWinds attack and other malicious cyber activity, leveling economic sanctions against 32 entities and individuals for disinformation efforts and for carrying out the Russian government’s interference in the 2020 presidential election.

The U.S. Treasury Department (which also was hit with second-stage malware that let the SolarWinds attackers read Treasury email communications) has posted a full list of those targeted, including six Russian companies for providing support to the cyber activities of the Russian intelligence service.

Also on Thursday, the FBI, National Security Agency (NSA), and the Cybersecurity Infrastructure Security Administration (CISA) issued a joint advisory on several vulnerabilities in widely-used software products that the same Russian intelligence units have been attacking to further their exploits in the SolarWinds hack. Among those is CVE-2020-4006, a security hole in VMWare Workspace One Access that VMware patched in December 2020 after hearing about it from the NSA.

On December 18, VMWare saw its stock price dip 5.5 percent after KrebsOnSecurity published a report linking the flaw to NSA reports about the Russian cyberspies behind the SolarWinds attack. At the time, VMWare was saying it had received “no notification or indication that CVE-2020-4006 was used in conjunction with the SolarWinds supply chain compromise.” As a result, a number of readers responded that making this connection was tenuous, circumstantial and speculative.

But the joint advisory makes clear the VMWare flaw was in fact used by SolarWinds attackers to further their exploits.

“Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse,” the NSA’s advisory (PDF) reads. “SVR cyber actors also used authentication abuse tactics following SolarWinds-based breaches.”

Officials within the Biden administration have told media outlets that a portion of the United States’ response to the SolarWinds hack would not be discussed publicly. But some security experts are concerned that Russian intelligence officials may still have access to networks that ran the backdoored SolarWinds software, and that the Russians could use that access to affect a destructive or disruptive network response of their own, The New York Times reports.

“Inside American intelligence agencies, there have been warnings that the SolarWinds attack — which enabled the SVR to place ‘back doors’ in the computer networks — could give Russia a pathway for malicious activity against government agencies and corporations,” The Times observed.