Google Deletes a Customer's Cloud Servers...Not Good

UniSuper, a $125 billion retirement fund, is upset.

I’m not one to stir up trouble, but we have a serious problem that needs to be addressed. An Illinois judge ruled that tacos and burritos are “Mexican-style sandwiches.” Nope, nuh uh, no. Don’t get me wrong, I love a good taco or burrito, but I’m sorry, it’s not a sandwich.

Now that I’m craving some delicious guac let’s dig into what’s happening in the cyber world. Today, we’re covering:

  • The FBI takes down a major hacking forum…again.

  • Google deletes a $125 billion retirement fund’s servers and says sorry.

  • New return to office argument…it’s funding North Korea’s nuclear missile program.

-Jason

Spotlight
BreachForums, Take the Hint!

It’s never a good day for hackers when the FBI has a dedicated webpage for people to submit complaints against your online services. This is the case for the hackers who operate BreachForums, a clear-web marketplace (reachable with an ordinary browser, no Tor required) that cybercriminals use to buy, sell, and trade malware, hacking tools, stolen data, and other contraband.

BreachForums is no stranger to the FBI. The cyber marketplace was born after Europol took down RaidForums and arrested its operators. RaidForums, which operated from 2015 to February 2022, was one of the largest hacking forums at the time, reaching nearly 58,000 monthly posts at its peak.

In March 2022, 21-year-old Conor Fitzpatrick, aka pompompurin, opened BreachForums for business to fill the void RaidForums’ demise created. We know the admin’s name because the FBI arrested him a year later, in March 2023. Although BreachForums was only operational for a year, it reached nearly 31,000 monthly posts.

Not taking the hint, Baphomet, a second BreachForums administrator, picked up the reins after the seizure and launched a new version of BreachForums last year. The ShinyHunters group joined the ranks of BreachForums administrators to help manage the reborn site. BreachForums v2 reached over 32,000 monthly posts until the FBI arrested Baphomet and seized the site again this week.

Now, some would say I dabble in cyber security. So I will do Shiny a solid here because they’re just not picking up the clues that the FBI is laying down…

THE FBI DOESN’T LIKE YOU!!! Take the f’ing hint and go away!

Kela reports that active BreachForum members are already discussing setting up another version. Meanwhile, ShinyHunters have claimed to have regained control of the seized domain and are starting a new Telegram group for the community.

Do we need to try a blimp next time?

Deep Dive
Your Retirement Savings = 🌬️ Poof 🌬️ 

It’s a gray and rainy day outside. You sit down and sip your morning coffee. Damn it! You burned your mouth. You should have added more creamer. As you nurse your burned lips, you open your laptop to check your 401(k) account like a responsible adult, but the website is down…great, a second-degree coffee burn, and now you don’t know what’s going on with your retirement savings.

If you were one of UniSuper’s half-million customers, this wouldn't be an entirely made-up story. UniSuper manages over $125 billion in retirement funds for Australia.

The “how” of this story is, well, ridiculous.

Google accidentally deleted UniSuper’s cloud account, which deleted hundreds of virtual machines, databases, and applications. Poof, just gone.

Ummm..WTF!? Time to panic??

Needless to say, UniSuper was pissed. The issue was raised to Thomas Kurian, Google Cloud’s CEO, who commented on the issue in a joint press release with UniSuper.

…the disruption arose from an unprecedented sequence of events whereby an inadvertent misconfiguration during provisioning of UniSuper’s Private Cloud services ultimately resulted in the deletion of UniSuper’s Private Cloud subscription.

Thomas Kurian, Google Cloud CEO

I know what you’re thinking. Isn’t the cloud supposed to be better at disaster recovery? The short answer is “yes.” But you need to know how it works. The major cloud providers offer hosting regions located around the world. Standard cloud disaster recovery practice is to host your data in two separate regions, so that if one region goes offline, the other region can take over.

For example, many US organizations will host their primary services in the East region and have a disaster recovery site in the West region. This helps if an outage happens in one region.

Google offers a private cloud that can be hosted in a single zone (for non-production use) or a stretched private cloud, which stores the data in two regions. That stretched cloud sounds great for redundancy, but both copies hang off a single private cloud subscription…you can see where we’re going here…

We don’t know exactly what happened, but we do know that UniSuper’s Google private cloud was deleted. There are ways to delete a private cloud for legitimate reasons. Taking the Google Cloud CEO’s comment on the “misconfiguration,” it’s possible that someone gave a bad command that permanently deleted UniSuper’s account. We don’t know who was responsible or how this happened, but it happened.

Like that one, maybe two, times your Mom dropped you as a baby, Google said the issue was a “one-of-a-kind” occurrence that should not have happened, but they have taken measures to ensure it doesn’t happen again.

UniSuper had one saving grace. They had an available backup from another service provider. Those backups minimized data loss and played a critical role in restoring services. If they didn’t have that, they likely would still be offline. And we can only wonder what it would mean for users’ retirement funds…and this wasn’t even a cyber attack. Just a “misconfiguration.”
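The point of the last few paragraphs is that two regions are not two failure domains if both live under one subscription. Here is an added example (my own code, not anything from Google or UniSuper) that checks an inventory of data copies for a single region, account, or provider whose loss would wipe every copy; the inventory below is constructed to mirror the story, and the subscription and account ids are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    provider: str   # e.g. "gcp", "other-provider", "on-prem"
    account: str    # subscription / billing account the copy lives under
    region: str     # hosting region within that provider


# Failure domains from smallest to largest: a region outage, a whole
# subscription being deleted, a whole provider being lost.
DOMAINS = {
    "region": lambda c: (c.provider, c.account, c.region),
    "account": lambda c: (c.provider, c.account),
    "provider": lambda c: (c.provider,),
}


def single_points_of_failure(copies):
    """Return {level: key} for every failure domain that holds ALL copies.

    A level is listed when one event at that level would remove every
    copy of the data at once. An empty dict means no single event does.
    """
    copies = list(copies)
    if not copies:
        return {"none": "no copies at all"}
    spofs = {}
    for level, key_fn in DOMAINS.items():
        keys = {key_fn(c) for c in copies}
        if len(keys) == 1:           # every copy shares this domain
            spofs[level] = keys.pop()
    return spofs


def is_resilient(copies):
    """True when no single region, account, or provider holds every copy."""
    return not single_points_of_failure(copies)


# Constructed inventory (not real UniSuper data): a stretched private cloud
# spanning two regions under ONE subscription, then the same plus an
# independent backup held with a second provider.
STRETCHED_ONLY = [
    Copy("vm-fleet-primary", "gcp", "sub-1234", "australia-southeast1"),
    Copy("vm-fleet-secondary", "gcp", "sub-1234", "australia-southeast2"),
]
WITH_EXTERNAL_BACKUP = STRETCHED_ONLY + [
    Copy("nightly-backup", "other-provider", "acct-9876", "ap-southeast-2"),
]

if __name__ == "__main__":
    for label, inv in [("stretched only", STRETCHED_ONLY),
                       ("with external backup", WITH_EXTERNAL_BACKUP)]:
        print(label, "->", single_points_of_failure(inv) or "no single point of failure")
```

The first inventory survives a region outage but not a subscription deletion; only the second has no single point of failure.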

Let that thought settle in as the indigestion begins. And no, you can’t blame the tacos, which aren’t a sandwich.

News
What Else is Happening?

📰 Russian hackers defaced hundreds of Newsquest news websites. Newsquest is the second-largest newspaper publisher in Britain. The scale of the attack suggests that the hackers targeted the centralized content management system (CMS) that manages the content of all the websites.

🎥 A Korean cybersecurity expert was sentenced to prison after hacking into 400K smart home “wallpads,” the wall-mounted panels with built-in cameras that control home security cameras and other smart home devices. Things got weird when he sold videos and pictures of people living and…umm…partaking in fun adult activities…in the privacy of their homes. This is a good reminder to make sure you have a unique password and MFA on any home cameras in your house.

🇳🇴 Have you noticed how many zero-day vulnerabilities have popped up in VPN devices over the last few years? Well, Norway has. And they’ve had enough of it. Norway is urging its businesses to switch from SSL VPNs to IPsec IKEv2 (these are just network protocols that encrypt traffic). This is bad information on Norway’s part because, while SSL VPNs are what’s being exploited, the flaws are in the VPN appliances themselves, not in the SSL protocol. Instead, you should focus on shifting to zero-trust technologies that remove the need for a VPN device in the first place.

🤖 Chinese nation-state hackers have started targeting American AI companies across private industry, academia, and government. This is unsurprising as China has long focused its cyber operations on stealing data to strengthen its research and development efforts.

💊 Healthcare continues to be a target of ransomware attacks. The latest victim is MediSecure, an Australian electronic prescription company. They are working with the Australian National Cyber Security Coordinator to respond to the incident. Thankfully for Australia, it’s nowhere near the impact of Change Healthcare in the USA.

☢️ Here’s some unsolicited advice: Don’t support North Korea’s nuclear ballistic missile program. Advice that a 49-year-old Arizona-based woman should have followed to avoid serving the rest of her life in prison. The woman stole the identities of American citizens to enable North Koreans to gain lawful employment as remote IT workers for Fortune 500 companies. She created a “laptop farm” consisting of 79 laptops in her home that the North Korean workers remotely accessed to work their full-time IT jobs.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week!

p.s. this week, my wife told me about Finley, who holds the world record for most tennis balls held in a dog’s mouth. Who’s a good boy!?

Finley, a very good boy and Guinness World Record holder.