Has anyone else had a ransomware attack post-FIZZ?

KillerBunny
KillerBunny Posts: 8 ✭✭

Never had a virus or malware issue in 20 years.

After switching to FIZZ, had a devastating attack on a local personal network only I use for work-related things (design). By that I mean no browsing, no email or cracked software. The latest Windows patches ...

This was an external botnet attack and Fizz could not detect the attack or even detect the obvious signature of packets going out. Or actually help provide the logs for a specific period, as the modem, to my surprise, does not provide logs. It can, but Fizz decided to take that function out.

I'm wondering if FIZZ is secure. I'm wondering if their firmware can be replaced with one whose contents I know.

I am fairly literate in that I do not have RDP ports open, reviewed the settings and added more security than the basic factory settings yet this still happened.

And how do the rest of you feel about all 3 providers voting down a proposed responsibility on providing more security related to botnets earlier this year?

Anyways, I'm really frustrated. I am still in the forensic collection process, but I just find it really, really odd that I change providers and get hit within weeks.

Answers

  • Deh
    Deh Posts: 573 ✭✭

    It's the first time I've heard of security-related issues with Fizz. I don't think your issue is related to your switch to Fizz; it could've been dormant inside your network for months or years.

  • Doomdrou
    Doomdrou Posts: 725 ✭✭

    An external botnet attack on the Fizz network would have contaminated many computers connected to Fizz, which doesn't seem to be the case by looking at the forum pages. This is strange. You mean none of your computers was ever logged in for email or browsing?

  • snow_code_ROZ9N
    snow_code_ROZ9N Posts: 95 ✭✭

    Fizz is secure enough.

  • Emporium
    Emporium Posts: 2,303 ✭✭

    Sorry to hear about what has happened.

    But the issue is NOT with FIZZ, but rather the lack of security on YOUR network.

    Fizz provides you with a connection to the internet. And the only basic protection you have is the NAT provided by the modem (which is minimal). There is NO major firewall, and no other protection provided, or claimed to be provided. This is actually the case with MOST ISPs out there. Most modems used by the majority of ISPs do NOT keep any logs either (I'd be surprised if any residential services keep logs).

    I use the Fizz modem in Bridged mode (do not use its router options), and I have my own OPNsense firewall installed as my router, with full IDS/IPS enabled with updated signatures. And the only port open to the outside world is a single port, to be able to establish a VPN connection from the outside into my network (to be able to connect home and check on my security cameras and other devices when I am away from home). There is no other port open from the outside in. By default all is closed.

    Everyone typically complains when an ISP tries to inspect packets, yet now we expect them to inspect them?

    Hope you didn't lose any data. But a comprehensive backup schedule and procedure is key when you are dealing with critical data. Sometimes it takes a specific incident to get us to rethink our regular daily procedures.

    Good luck, and try to enjoy the Holidays. Be Safe.

  • Hello, I suggest you consider a setup less likely to be open to attack, such as a Linux distribution. It seems you and Emporium have covered other aspects of the topic.

  • KillerBunny
    KillerBunny Posts: 8 ✭✭

    That is correct. I do not use computers for email or browsing. Only one pc is connected to the internet for work that requires software authentication.

    The backup servers are not online but at times connected to the internal network.

    I find it very odd that I have not had any issues in decades until changing to Fizz. It is not proof, but still troubling. I also know that there is no real Canadian agency that one can report these crimes to, so the number of Fizz users attacked would be widely unreported or even unknown. Fizz seems to have removed basic security features from their modems with their firmware.

    Their support cannot even do a basic security measure by renewing the IP lease using a different IP as I begin to analyze the attack, start to recover and potentially negotiate the ransom.

    The fact that I do not use the internet for anything one could consider risky, no email or browsing except trusted sites for security updates and industry software authentication for my field of work, to me is an obvious sign that the attack was initiated by typical botnet probing of IP lists and finding vulnerabilities. I do all that on my phone, which is not on the network. I am paranoid by nature.

    The big 3 do not really seem to care about helping catalogue attacks let alone preventing them.

    If big companies with actual IT teams can fall prey, single users with average knowledge do not stand a chance once targeted.

    Perhaps someone might suggest a more secure modem to use as a bridge.

    Thanks for any help

  • KillerBunny
    KillerBunny Posts: 8 ✭✭

    Thank you. Yes, it is unfortunate. I have been reading non-stop, and what makes me upset is that yes, I lost everything. Including my job. I have been reading about how the big 3 have voted down taking proactive measures to monitor botnet vectors of infection, which would be doable. I think that this type of attack is really under-reported and will only get worse.

  • kingTheod
    kingTheod Posts: 170 ✭✭
    edited December 2021

    "never had a malware/ virus issue in 20y"

    that's a pretentious and likely unrealistic statement I'm reading here!

    your system can be infected without your knowledge. pretending you have been virus-free over 20y - a long period btw - sounds a bit like bravado and overconfidence in your skills (as good as they are 😉 )

    ransomware attacks mostly pop up after a phishing attack, often triggered by a user who opens a malicious email, then spread over your network to disrupt your systems' availability (encrypting systems). they may also exploit vulnerabilities on your system (hardware, software, OS, appliances, ...) to take advantage and spread like fire for further damage, sometimes in a stealthy way (without the user being aware)

    lack of security controls and mitigation may also facilitate attacks: fizz clients are unlikely to benefit from enterprise-grade controls (consumer market)

    regarding botnets, they can perform so many things to disrupt your assets: DoS/DDoS to affect availability; exploit system/software weaknesses to take over your computers and run attacks on your behalf; steal data on valuable systems; execute payloads on your system with malicious intent etc....

    having been a client for a few years, fizz is a low-cost carrier. they focus on affordability and they actually deliver.

    their service used to be sluggish, going through bumpy service (dropped calls, LTE unavailable, messages undelivered..) but they are now much better and reliable.

    however, I've also found some holes in their website: I forwarded details to the technical teams a year ago.

    the website can still be buggy and behave erratically (crashes, unexpected codes unleashed, sign-out without reason...)

    there is lots of room for improvement: basic authentication process, lack of multi-factor implementation, support for third-party browsers; the process for ordering phones is really buggy (chat support had to escalate to the technical team because my order failed..)

    Bugs may highlight poor coding resulting in potential security flaws.

    the fact is all Canadian ISPs (big or not) don't really pay attention to securing their clients: it's costly, eats into their margin, requires investments, and foremost, they are not directly impacted in case of major attacks (clients always bear the pain)...

  • KillerBunny
    KillerBunny Posts: 8 ✭✭

    Only stating facts. I haven't had a virus or any sort of malware disruption in 20 years. I suppose the old vectors were from email and using cracked software. Despite having a server farm and a love for technology, I do not go online except for research on known webpages. Haven't even looked at porn in years. I have autism; I discovered that the internet has too many ways to distract and made an effort to stop multitasking and going online without a purpose. So no, it isn't bravado, it's just me getting rid of possible confounds. I stated it to point out that it is either just bad luck, perhaps a wave of IPs that were random, or maybe there was something to do with Fizz.

    Windows has been making news with the vulnerabilities regarding RDP. I did have RDP enabled, but I did change the ports via the registry and banned any outside traffic to those ports. Just local internal RDP, as I have many workstations and central servers.

    I think it is really just an issue that ISPs should start being more proactive. You do not need to do anything on your end to be a target. In hindsight, I could have used standard zero trust policies, but again, I'm not an expert. I have an undergraduate in comp. sci., but that is completely different from being a network security expert, not to mention my field of work is music, and if someone who is more careful than most can be attacked, well, I can't imagine the average user stands a chance.

    Purchased a new router (Peplink), will be using a router VPN, will be doing a lot of homework on how to make a server more resilient, and hopefully will be back to work soon.

    I have been reading non-stop about these attacks, and it is both astonishing in terms of how sophisticated they are and horrific in terms of how you can lose everything.

    I also have a Russian friend who will do the negotiations to pay. I did manage to get the RAM and RAID card dumps, and given that the encryption did not complete, I might be able to find both keys, which will enable reverse engineering the master key before the exfiltration of the master. Have a friend helping with that.

  • KillerBunny
    KillerBunny Posts: 8 ✭✭

    Unfortunately the computers used for work stuff require Windows or OS X, and Macs are just underpowered, so after owning only Mac Pro towers, I was forced like most in my industry to move to PC and Windows. I hate Windows. And the software I use is just not available for Linux. I suppose I went with Server 2016 as I am more familiar with Windows, but I do think the steps I could have taken on my end would have been missing either way.

    I have a 16-bay SAS expander I might use for an offline FreeNAS backup. But ya, one step at a time.

  • Sickboy
    Sickboy Posts: 105 ✭✭

    If Fizz was the problem, pretty sure we would have a lot of posts on it and even an email from them about it. Good luck on your end; being hacked sucks.

  • Doomdrou
    Doomdrou Posts: 725 ✭✭

    I am very surprised to see this post coming up once again. It looks like you used the Fizz network as a business network, but Fizz has always been marketed as a customer/home provider. Maybe the protection is different in both kinds of networks and it is the reason why you were attacked.

  • Emporium
    Emporium Posts: 2,303 ✭✭

    I don't even see HOW you were "attacked" unless you visited some bizarre site and clicked on some links or left ports open. It is BAD practice to leave any ports open, unless you ABSOLUTELY need them. And if you do, you take the responsibility to protect yourself from being attacked on that port. The other possibility is that you installed some pirated software, with some hack or keygen which installed some back door to open the door/port from the inside.

    Even a basic crappy $50 home internet router will use NAT, and not leave any open ports. Yes, they can attack your router and have it crash, but the odds of getting access to your router, and then using it to jump to one of your machines (without you making it easy by enabling port forwarding and stuff), are VERY slim, and you don't hold state secrets to make it worth the effort :) Enabling RDP, and port forwarding the RDP ports (regardless of whether using different ports), is the biggest security risk. Sorry, but that is security rule #1 :)

    IF you need access to your network while you are away from home, the easiest and simplest way is to get a router that supports and includes a VPN server on the router itself (most decent routers do, including ASUS, Netgear, pfSense based, etc..). Then, while enabling the VPN server on the router, you don't need to forward any ports. The only port open is the VPN port (1194 for OpenVPN or custom), and it does not even get redirected to any server, since the VPN server runs on the router itself and it does the authentication. Once you are authenticated (certificate and password - to make it harder), then you would be effectively on your internal network, and have access to your network resources.

    The problem is NOT Fizz. They provide a network connection to the outside world and that they do. It is up to the end user to be a little more informed on how to keep their network protected, especially if they decide to go ahead and open ports inbound.
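    A host-side check for the RDP setup discussed in this thread (a non-default RDP port set in the registry, with outside traffic supposedly blocked), as an added example that is not any poster's code: it reads the configured port, confirms whether anything is listening, and flags enabled inbound allow rules for that port whose remote scope is not limited to the local subnet. It assumes a home network where only LAN-side RDP is wanted; the router's port-forwarding table is outside what the host can see and has to be checked on the router.

```powershell
# Added example (not from any poster): audit a Windows host's RDP exposure from
# the host's own side. Run in an elevated PowerShell session on the host checked.
# Assumption: only LAN-side RDP is wanted; rules scoped wider than LocalSubnet
# are reported as a finding. The router's NAT/port-forward table is not visible here.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means RDP is enabled; PortNumber is the listener port
# (3389 by default, something else if it was changed in the registry).
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$rdpPort    = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP enabled: $rdpEnabled  configured port: $rdpPort"

# Is the service actually bound to that port right now, and on which addresses?
$listening = Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue
if ($listening) {
    $addrs = ($listening.LocalAddress | Select-Object -Unique) -join ', '
    Write-Host "Port $rdpPort is listening on: $addrs"
} else {
    Write-Host "Nothing is listening on port $rdpPort"
}

# Enabled inbound allow rules whose TCP port filter covers the RDP port (or 'Any').
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    ($pf.Protocol -eq 'TCP') -and
    (($pf.LocalPort -eq 'Any') -or ($pf.LocalPort -contains "$rdpPort"))
}

foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $label  = "'$($rule.DisplayName)' (profile: $($rule.Profile))"
    # A RemoteAddress of 'Any' means the port answers to whatever the router lets
    # through; 'LocalSubnet' or explicit LAN ranges match "banned any outside traffic".
    if ($remote -contains 'Any') {
        Write-Warning "Rule $label allows TCP port $rdpPort from ANY remote address"
    } else {
        Write-Host "Rule $label scoped to: $($remote -join ', ')"
    }
}
```

    Changing the port only hides RDP from the laziest scans; a rule scoped to Any, or a forward on the router, still exposes it.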

  • KillerBunny, it is not within my wheelhouse but have you considered running a Virtual Machine?