Ransomware wipes out all CloudNordic servers and backups!

loay Member
edited August 2023 in News

Excerpt from the translated notice on the CloudNordic website:

For customers in CloudNordic
Unfortunately, during the night of Friday 18-8-2023 at 04 a.m., CloudNordic was exposed to a ransomware attack, where criminal hackers shut down all systems. Websites, e-mail systems, customer systems, our customers' websites, etc. Everything. A break-in that has paralyzed CloudNordic completely, and which also hits our customers hard.

Since we cannot and do not want to meet the financial demands of the criminal hackers for ransom, CloudNordic's IT team and external experts have been working hard to get an overview of the damage and what was possible to recreate.

Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time.

The hacking attack has been reported to the police.

Status
We are deeply affected by the situation, and are aware that the attack is also very critical for many of our customers. In addition to data, we also lost all our systems and servers and have had difficulty communicating. We have now re-established blank systems, e.g. name servers (without data), web servers (without data) and mail servers (without data).

...

What happened?
It is our best estimate that when servers had to be moved from one data center to another and despite the fact that the machines being moved were protected by both firewall and antivirus, some of the machines were infected before the move, with an infection that had not been actively used in the previous data center, and we had no knowledge that there was an infection.

During the work of moving servers from one data center to the other, servers that were previously on separate networks were unfortunately wired to access our internal network that is used to manage all of our servers.

Via the internal network, the attackers gained access to central administration systems and the backup systems.

Via the backup system, the attackers managed to gain access to:

All storage (data)

Replication backup system

Secondary backup system

The attackers succeeded in encrypting all servers' disks, as well as on the primary and secondary backup system, whereby all machines crashed and we lost access to all data.

No data breaches
The attack occurred by encrypting all disks of all virtual machines, and we have seen no evidence of a data breach. We have not seen that the attackers had access to the data content of the machines themselves, but rather to administration systems from which they could encrypt entire disks. Very large amounts of data were encrypted, and we have seen no signs that anyone attempted to copy large amounts of data out.

We deeply regret the situation and thank the many loyal customers who have been with us over the years.

Sincerely

CloudNordic


Comments

  • yoursunny Member, IPv6 Advocate

    Yes, deadpooling with no doubt

  • Levi Member

    This is bankruptcy. Please press your disaster recovery button.

    Thanked by 3loay netomx MaxR
  • bethp Member, Host Rep

    Read this on my news feed this morning, was happy I had never even heard of said company, but not sure if that is a good thing.

    Thanked by 2loay szymonp
  • SirFoxy Member
    edited August 2023

    data

    Thanked by 1fluffernutter
  • Sorry to tell you, but none of that will help you if you get ransomed.

    Thanked by 1farsighter
  • SirFoxy Member
    edited August 2023

    @sillycat said:

    Sorry to tell you, but none of that will help you if you get ransomed.

    "Anyways, we can't expect ransomware attacks to stop anytime soon. They won't.

    It's important to properly secure your servers, especially as a hosting provider. That's what you're paid for.

    Simple things like:

    • disabling root
    • encrypting disks
    • requiring SSH keys to log in
    • only allowing specific IPs to access your server
    • configuring firewalls like UFW

    Can help save your entire company from deadpool, or alternatively, your data from disappearing into a void of encrypted nothingness.

    At least configure external backups..."

    You can read the full article here on LowEndBox.

    Thanked by 1loay
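The list quoted above is the usual hardening checklist, but "disable root" and "require SSH keys" are only true if the directives actually take effect. The script below is an added example, not code from the LowEndBox article or from anyone in this thread: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, `Match` blocks are conditional) and audits the items on the list against two constructed sample configs, one stock-looking and one hardened. File names, the admin network range and the sample contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the LowEndBox article quoted above): audit an sshd_config
# against the items in that list. Both config files below are constructed samples.

# Effective value of one directive in the global section of an sshd_config.
# sshd keeps the FIRST occurrence of a keyword (case-insensitive), and anything after a
# "Match" line is conditional, so the scan stops there. Prints nothing if the keyword is
# absent or only present commented out (i.e. the compiled-in default applies).
sshd_value() { # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# Checks for the list: no root login, keys only, and no password-via-PAM side door.
# Prints one line per failing item; returns 0 only when everything passes.
audit_sshd_config() { # $1 = config file
    f=$1; rc=0
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_value "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    # Defaults to yes: with UsePAM yes, PAM can still prompt for a password even though
    # PasswordAuthentication is off, so it has to be switched off explicitly.
    [ "$(sshd_value "$f" KbdInteractiveAuthentication)" = "no" ] \
        || { echo "FAIL: KbdInteractiveAuthentication must be no"; rc=1; }
    [ -n "$(sshd_value "$f" AllowUsers)$(sshd_value "$f" AllowGroups)" ] \
        || echo "WARN: no AllowUsers/AllowGroups, any local account may log in"
    return $rc
}

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Constructed sample 1: a stock-looking config. The commented-out line is NOT in effect.
cat >"$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF

# Constructed sample 2: the same host hardened per the list. 198.51.100.0/24 is a
# documentation range standing in for the admin network; the firewall (UFW, nftables)
# should additionally limit port 22 to that range at the packet filter.
cat >"$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowUsers admin@198.51.100.0/24
EOF

echo "== weak config";     audit_sshd_config "$WEAK_CFG" || echo "result: not hardened"
echo "== hardened config"; audit_sshd_config "$HARD_CFG" && echo "result: hardened"
```

On a live host, `sshd -T` prints the fully resolved configuration (including `Include` files and defaults) and is the better input for this kind of check; the parser above is for files you cannot run sshd against, such as images or configs pulled from version control.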
  • loay Member

    @SirFoxy said: At least configure external backups...

    I was surprised there is no mention for backups.

    Thanked by 1SirFoxy
  • @loay said:

    @SirFoxy said: At least configure external backups...

    I was surprised there is no mention for backups.

    There was, they just intentionally left it out.

  • Levi Member

    @SirFoxy said:

    @loay said:

    @SirFoxy said: At least configure external backups...

    I was surprised there is no mention for backups.

    There was, they just intentionally left it out.

    Aha, to encourage self-learning and think!

    Thanked by 1SirFoxy
  • Arkas Moderator

    Excellent deadpool strategy. Fake a 'ransomware attack', say sorry and exit.

  • goodbye random company

  • loay Member
    edited August 2023

    https://techcrunch.com/2023/08/23/cloudnordic-azero-cloud-host-ransomware/


    .. according to an identical notice on its website. CloudNordic and Azero are owned by Denmark-registered Certiqa Holding, which also owns Netquest, a provider of threat intelligence for telcos and governments.

  • TeoM Member

    Not the Nordic Cloud experts but idiots.

    How can you act so grossly negligent? Boy, why did you not make magnet backups????

  • MaxR Barred

    @Arkas said:
    Excellent deadpool strategy. Fake a 'ransomware attack', say sorry and exit.

    I'm not sure that is a good exit strategy in Northern Europe, where the authorities check both data leaks of this size (GDPR) and bankruptcies.

    Thanked by 1sasslik
  • Levi Member

    @MaxR said:

    @Arkas said:
    Excellent deadpool strategy. Fake a 'ransomware attack', say sorry and exit.

    I'm not sure that is a good exit strategy in Northern Europe, where the authorities check both data leaks of this size (GDPR) and bankruptcies.

    Nothing to check, everything is encrypted by ransomware. Probably some skids playing.

  • Arkas Moderator

    @LTniger said: Nothing to check, everything is encrypted by ransomware

    Exactly.

  • FlorinMarian Member, Host Rep

    @TeoM said:
    Not the Nordic Cloud experts but idiots.

    How can you act so grossly negligent? Boy, why did you not make magnet backups????

    You have no idea how many things like this happen in this world.
    I worked for a company with an annual turnover of hundreds of thousands of euros that produced software for their clients but also hosted the respective applications.
    The scheme by which the infrastructure was designed was something like this: we have X OVH servers and Y Hetzner servers, and we evenly distribute the applications in production so that server A runs a certain application in production and server B is a backup for server A but also has its own applications in production, etc.
    I realized that if my SSH key, or that of the 2 other colleagues who had full access, got into the wrong hands, they could have deleted both the production applications and their backups, and the company would effectively have been left like the one we are discussing, without anything (even GitLab was hosted internally).
    I suggested that they rent a dedicated server for backups, managed by another person with a separate SSH key, which would pull the backups from our servers.
    Guess what? Nothing has changed even today, and the respective company increases its turnover from one day to the next, until one day.

    Thanked by 1yoursunny
  • jar Patron Provider, Top Host, Veteran

    You have to think eventually that these companies might not have all been idiots. I mean, maybe they all were. But I feel like I've had enough of laughing about it, and now I'm to the point where I just want to know how it happened so I can learn something from it.

    I'm also about to start working on an intended workflow and tutorials to help my customers backup their own data as they wish to do so, because as confident in my security as I may be, I have to wonder how many people got hit by events like this also thought the same. It's not about doubting my ability as much as it is being humbled by the idea that maybe I still have more to learn every day.

    Thanked by 2jfreak53 rafaelscs
  • Ransomware attackers should be shot in the face. Victims should refuse to pay and offer reward for finding the attackers.

    Thanked by 3sasslik JamesF sebkehl
  • jfreak53 Member, Patron Provider

    @jar said:
    You have to think eventually that these companies might not have all been idiots. I mean, maybe they all were. But I feel like I've had enough of laughing about it, and now I'm to the point where I just want to know how it happened so I can learn something from it.

    I'm also about to start working on an intended workflow and tutorials to help my customers backup their own data as they wish to do so, because as confident in my security as I may be, I have to wonder how many people got hit by events like this also thought the same. It's not about doubting my ability as much as it is being humbled by the idea that maybe I still have more to learn every day.

    Good posture. I've always held the opinion in everything I do, and tell customers when they ask me if something is secure, "If it can be made, it can be hacked, period". It's simply a matter of time, money, and compute power, but everything out there can be hacked.

    If we take that posture when creating and implementing things, hence backups, backups, backups, and more backups, it should help to partially mitigate the risk. Just be prepared for the possibility I tell customers, prepare for the worst possible scenario, and work back from that point.

    Thanked by 3jar jlet88 rafaelscs
  • raindog308 Administrator, Veteran

    @loay said: It is our best estimate that when servers had to be moved from one data center to another and despite the fact that the machines being moved were protected by both firewall and antivirus, some of the machines were infected before the move, with an infection that had not been actively used in the previous data center, and we had no knowledge that there was an infection.

  • MaxR Barred
    edited August 2023

    @LTniger said:

    @MaxR said:

    @Arkas said:
    Excellent deadpool strategy. Fake a 'ransomware attack', say sorry and exit.

    I'm not sure that is a good exit strategy in Northern Europe, where the authorities check both data leaks of this size (GDPR) and bankruptcies.

    Nothing to check, everything is encrypted by ransomware. Probably some skids playing.

    There are always signs after hacking.

    The internet providers are logging all internet traffic by law, and if you check third-party websites, you will find traces that indicate passive footprinting.

    For example, there is a lot of snapshot activity on the Wayback Machine, which could mean that the hackers have used it to monitor their website. Maybe since 2020.

    Compare azero.dk (old website) vs azero.cloud (new website) on web.archive.org to see the difference between normal activity for a small website and the same website that might have been monitored passively.

  • Neoon Community Contributor, Veteran

    Another reason to pull backups instead of pushing them.
    Even if your System is fucked, your backups are fine.

  • netomx Moderator, Veteran

    @Neoon said:
    Another reason to pull backups instead of pushing them.
    Even if your System is fucked, your backups are fine.

    +10000000000000000000000000000

  • webi Member

    That's the big pain👍

  • TeoM Member

    Now put yourself in the situation of all the customers, who knows if public services or people who have been there all their lives have made backups. Personally, I would not have backups of my emails and co.

    My life would be ruined, I almost fainted when I knew the NAS system was broken and hopefully the backups would work.

  • TeoM Member

    No matter how much money it would cost, if I knew that the attackers really had the password to decrypt all the data, I would have even sold my eggs to decrypt everything.

    After that, I would have gotten out of the business and most likely kicked myself.

  • TeoM Member

    @Neoon said:
    Another reason to pull backups instead of pushing them.
    Even if your System is fucked, your backups are fine.

    It doesn't matter if you pull or push.

    If your backup system uses the same SSH key or password that the other systems use, it doesn't matter.

    Also, in my opinion, the backup system should always be from another manufacturer who also deals with the subject.

    They use Veeam and co., I have read; what I believe is this:

    Their backup system was also set up in vSphere and the attacker had access to the complete hypervisor; he encrypts the backup partitions and Veeam is overridden.

    So my tip: always use a physical device for backups.
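Three posts above make one design argument between them: FlorinMarian's dedicated backup server with its own key and its own admin, Neoon's "pull, don't push", and TeoM's caveat that pulling changes nothing if the backup system shares the fleet's SSH key or sits inside the same hypervisor. The script below is an added example, not code from any of them, showing what that design looks like in practice: the private key exists only on the backup host, the production hosts install the matching public key with a forced read-only rsync command, and a small audit flags any unrestricted key that would undo it. Addresses are from the TEST-NET documentation ranges; host names, paths, the key file and the sample authorized_keys content are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not taken from any post in this thread: the pull-model backup that
# Florin and Neoon describe, with TeoM's caveat (a shared key defeats it) built in.
# Addresses are from the TEST-NET documentation ranges; host names, paths and the key
# file are assumptions for the demo.
#
#   * Only the BACKUP host holds a private key. Production hosts hold no credential that
#     reaches the backup host, so an attacker who owns production (or the management
#     network) cannot log in to the backups and encrypt them.
#   * On every production host, the backup host's public key is installed with a forced
#     command: read-only rsync of one directory, from one source address, nothing else.
#   * The backup host's own admin access uses a key that is not in the production fleet
#     and is not managed from the production hypervisor (TeoM's point).

BACKUP_HOST_IP="203.0.113.10"                                  # assumption
EXPORT_DIR="/srv/data"                                          # assumption
BACKUP_KEY="${BACKUP_KEY:-$HOME/.ssh/backup_pull_ed25519}"      # assumption, backup host only

# authorized_keys line to install on a PRODUCTION host. "restrict" turns off forwarding
# and pty allocation; "rrsync -ro DIR" is the helper shipped with rsync that permits only
# read-only rsync below DIR.
restricted_key_line() { # $1 = the backup host's public key ("ssh-ed25519 AAAA... comment")
    printf 'restrict,from="%s",command="rrsync -ro %s" %s\n' \
        "$BACKUP_HOST_IP" "$EXPORT_DIR" "$1"
}

# Audit helper: a key line counts as restricted only if it has BOTH a source restriction
# and a forced command. A bare "ssh-ed25519 AAAA... user@host" line fails.
key_line_is_restricted() { # $1 = one authorized_keys line
    case $1 in
        *from=\"*\"*command=\"*\"*|*command=\"*\"*from=\"*\"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit a whole authorized_keys file: print every unrestricted key, return 1 if any.
audit_authorized_keys() { # $1 = file
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key_line_is_restricted "$line" || { echo "UNRESTRICTED: $line"; rc=1; }
    done <"$1"
    return $rc
}

# The pull, run by cron on the BACKUP host. With rrsync the remote path is relative to
# EXPORT_DIR, so "host:/" means that directory. Each run lands in a dated directory and
# --link-dest hard-links unchanged files against the previous run, so history is cheap
# and the production side never has write access to any of it.
pull_backup() { # $1 = production host, $2 = destination root on the backup host
    host=$1; dest=$2; today=$(date +%F)
    rsync -a --delete -e "ssh -i $BACKUP_KEY -o IdentitiesOnly=yes" \
        --link-dest="$dest/latest" "$host:/" "$dest/$today/" \
      && ln -sfn "$today" "$dest/latest"
}

# Demo with a constructed authorized_keys file (key material is a placeholder string).
SAMPLE_KEYS=$(mktemp); trap 'rm -f "$SAMPLE_KEYS"' EXIT
{
    echo "# backup host, restricted (constructed)"
    restricted_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBackupKeyXXXXXXXXXXXXXXXXXXX backup@bk"
    echo "# the shared admin key TeoM warns about (constructed)"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderAdminKeyYYYYYYYYYYYYYYYYYYYYY admin@everywhere"
} >"$SAMPLE_KEYS"

audit_authorized_keys "$SAMPLE_KEYS" || echo "audit: this host still has an unrestricted key"
```

Two limits worth stating. The `from=` option only checks the peer address, so it is a speed bump for anyone already on the management network, not the control that matters; the control is that the private key never exists on a production host. And a pulled copy still sits on a disk the backup host can write, so it protects against the production side being encrypted, not against the backup host itself being taken; for that you still want the offline or physically separate copy TeoM ends on.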
