September 2016 – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Executives Scrutinized Over Cyber-Issues

What’s Everyone Talking About? Trending Cybercrime Events

Yahoo was the week’s top trending cybercrime target as the fallout of a breach affecting more than 500 million accounts continues to play out. CEO Marissa Mayer has faced intense scrutiny from lawmakers and others over the handling of the company’s cybersecurity.

A Wednesday New York Times article citing a group of current and former employees painted a picture of Mayer as a CEO that often clashed with the security side of the organization over spending and refused to take action in several instances – including rejecting an automatic reset of user passwords after discovering a breach.

“Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services,” the Times wrote.

A group of senators issued a letter to Mayer calling the two-year gap between the initial breach and announcement of the breach “unacceptable.” Sen. Mark Warner is also urging the Securities and Exchange Commission to investigate whether Yahoo properly informed investors of its data breach after reports surfaced indicating that Mayer was aware of the breach as early as July of this year.

“Yahoo has been engaged in an effort to sell its Internet business, including the unit affected by the breach, to Verizon since at least July 25, 2016, yet Yahoo reportedly did not inform Verizon of the breach until September 20, 2016,” Sen. Warner wrote in a letter to the SEC. “More puzzlingly, the company noted in a proxy statement as recently as September 9, 2016 that, ‘To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems.’”

Mayer isn’t the only CEO to come under fire from lawmakers this week. Wells Fargo CEO John Strumpf has become the butt of jokes on late night talk shows after being publicly lambasted by members of the House Financial Services Committee over the bank fraudulently opening more than 2 million customer accounts without their knowledge. Sen. Elizabeth Warren has repeatedly called for Strumpf to resign, and Rep. Michael Capuano said yesterday that Stumpf is “clearly and unequivocally guilty” of a range of crimes related to the scheme, including conspiracy to commit fraud, conspiracy to commit identity theft and racketeering. The backlash led to Wells Fargo announcing this week that Strumpf and former head of community banking Carrie Tolstedt would not receive a total of $60 million in unvested equity awards.

In addition to angry lawmakers, a group of former employees is suing the company, saying that they were forced to choose between either committing fraud by opening unauthorized accounts or losing their job. That lawsuit adds to a growing list of lawsuits that have filed against both Wells Fargo and Yahoo.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart above.

Cyber Risk Trends From the Past Week

The financials sector was among the biggest risers in cyber risk this week as its SurfWatch Labs’ cyber risk score rose nearly 5.7 percent compared to the previous week. Much of that was driven by chatter on the Dark Web and data leaks such as the one impacting California investment bank WestPark Capital.

On Sunday, a hacker or group of hackers known as TheDarkOverlord released about 20 files allegedly stolen from WestPark Capital after an unsuccessful ransom attempt against the company. They also claimed other groups were using their name to perform attacks in a Pastebin post.

The “signature” business proposal referenced in the Pastebin post is likely similar to the series of extortion attempts the group made earlier this year against various healthcare organizations. TheDarkOverlord has frequently used the media and leaked samples of stolen data to build up a reputation as a legitimate threat and to put pressure on victim companies in hopes that they will decide to pay the group’s ransom demands.

This is the first instance SurfWatch Labs has observed TheDarkOverlord targeting financial organizations, but – if the group’s Pastebin post is to be believed – the media attention is leading to copycats using both TheDarkOverlord’s name and extortion methods. Similar attacks may occur in the future.

Other trending cybercrime events from the week include:

State-Sponsored Actors Target Government: Data breaches previously attributed to nation-state actors trying to de-legitimize the outcome of the upcoming U.S. elections have widened. Law enforcement officials now believe about 10 state election databases have had their systems probed or breached, and the FBI is reaching out to some Democratic Party staffers to investigate possible hacking into cell phones. However, despite all the attention on state-sponsored actors, a new SurfWatch Labs report noted that hacktivists tend to make up the bulk of government-related cyber-attacks, such as the Monte Melkonian Cyber Army leaking data claiming to be from Azerbaijani military, police and bank servers this week.

Employees Continue to Cause Data Breaches: A former Verizon Wireless technician pleaded guilty to using Verizon computer systems to access call records and locations of customers and then sending that information to a private investigator. Congressman Mike Honda is suing Ro Khanna, the man he’s running against in the November 2016 election, over a former intern allegedly stealing thousands of donors’ information from an old Dropbox account years after his access should have been revoked. A former employee of Alberta Hospital Edmonton inappropriately accessed the records of 1,309 patients over an 11+ year period. A former employee of Mastic Beach village impersonated the chief of police and illegally accessed information on 488 Mastic Beach residents. Sensitive Medicare information on Australian citizens was uploaded to the Internet several months ago, potentially putting patients at risk. A software update to the Alberta College of Paramedics’ (ACP) navigation portal led to a security breach.

Hackers Cause Plenty of Data Breaches Too: A hacker said he downloaded more than 2.2 million email addresses and plaintext passwords from social hangout site i-Dressup and that the entire database of 5.5 million entries could be stolen using an SQL injection attack. The entire Florida Bar Association database appears to have been stolen including email addresses, phone numbers, fax numbers, mailing addresses and more, according to databreaches.net. NZME, a media company in New Zealand, said that details of competition entrants may have been accessed due to a cyber-attack on a third-party cloud server. Software company Jive is asking some users of its task management software Producteev to reset their passwords after an August data breach that exposed some email addresses and passwords.

Worry Over Terrorism and Hacking: A hacker who helped to publish a “kill list” of 1,300 U.S. military and other government personnel has been sentenced to 20 years in prison. “This case represents the first time we have seen the very real and dangerous national security cyber threat that results from the combination of terrorism and hacking,” said Assistant Attorney General Carlin.

Hacktivists Use Automated Tools, Growing Reach to Target Government Organizations

Despite recent media attention surrounding nation-state hackers infiltrating government organizations and attempting to influence elections, the bulk of government-related cybercrime tends to be driven by less sophisticated and more ideologically-motivated campaigns carried out by hacktivist actors, according to a new report from SurfWatch Labs.

govriskchart — Government sector risk scores compared to the average for all sectors over the past year.

Government is the third most active sector when it comes to cybercrime, behind only information technology and consumer goods, and more than a third of the government CyberFacts collected by SurfWatch Labs this year have been related to hacktivist activity — far more than any other sector.

“The global reach of the Internet and social media along with the relative anonymity of cyber-attacks has provided hacktivists with a larger platform than ever to share their message, recruit new actors, and ultimately impact organizations,” noted the report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

It continued: “As a result, the most common cybercrime story in the government sector has involved websites and data being targeted by hacktivist groups resulting in service downtime, website defacement, and various types of information being stolen and publicly leaked.”

government-atep-4 — SurfWatch Labs’ data shows that hacktivists have been the top trending actor category across many different government subgroups so far this year – in some cases appearing in more than two-thirds of CyberFacts.

Hacktivist-driven data breaches are not a new problem for the government sector. In 2013, the FBI warned that anonymous hacktivists using Adobe exploits were able to infiltrate agencies such as the U.S. Army, the Department of Energy, and the Department of Health and Human Services in order to steal sensitive information.

“It is a widespread problem that should be addressed,” the 2013 alert stated.

Three years later, hacktivists remain as a top source of government-sector data breaches.

2016-09-27-govbreachactors — Hacktivists are the top trending known actor group associated with government data breaches so far in 2016.

Government agencies across the world have been targeted by hacktivists using well-known attack vectors such as SQL injections, social engineering and stolen credentials.

For example:

Shortly after Anonymous Philippines defaced the COMLEC website in protest of “questions and controversies” surrounding the country’s electoral process, LulzSec Pilipinas posted the entire COMLEC database online. The incident has been described as the largest government-related data breach in history – affecting more than 55 million people.
A hacker supporting Palestine published the names and personal information of FBI and Department of Homeland Security employees. The hacker said he first compromised the email account of a Department of Justice employee. Then he socially engineered access to the portal by pretending to be a new employee. Finally, he was able to find databases of employee information on the DOJ intranet.
The Anonymous #OpAfrica campaign led to several breaches including a one terabyte dump of information from Kenya’s Ministry of Foreign Affairs and International Trade. Kenya’s Ministry of Information and Communications Technology cabinet secretary Joseph Mucheru said the information was stolen due to a phishing attack that duped employees into clicking a link to change their credentials, which provided the hacktivist access to email accounts.
A hacker known as Hanom1960 breached several government agencies – including the Costa Rica Ministry of Culture and Foreign Affairs, the Columbia Ministry of Information Technologies and Communications, and Columbia’s Ministry of National Education – and subsequently leaked information on various government employees. “I see many mistakes in [their IT] systems,” the hacker told news outlets. “It is something that does not concern governments.”

Hacktivists are often characterized as graffiti artists or vandals that simply deface websites and cause other nuisance-level problems for organizations.

Those types of attacks are common, with SurfWatch Labs’ data showing that website downtime and website defaced are the most popular effects of hacktivism; however, the threats from hacktivists go beyond those simple attacks.

According to the report:

“Government officials noted in 2015 that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services put traditional cybercrime tools such as malware, botnets and DDoS attacks at the fingertips of a vastly larger pool of actors. … This trend, along with the large number of federal, state and local government agencies across the world, the global reach of hacktivist actors, and a never-ending series of political causes means that hacktivists have the ability, reach and will to cause harm to government organizations on a level never before seen.”

Hacktivists don’t have the resources of state-sponsored actors, but they are much more open about their attacks — often using public channels to coordinate attacks, gain media attention and recruit other actors to the campaign.

“This chatter can lead to valuable threat intelligence around what types of organizations are being targeted, how those attacks are impacting organizations and, ultimately, what can be done to better protect your organization,” the report concludes. “Monitoring hacktivist chatter and utilizing external cyber threat intelligence, along with your own internal data, can help to paint a full picture of the cyber risks facing your organization, determine what assets are at greatest risk, and inform where cyber defense efforts should be focused in the future.”

For more information, download the full report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

Learning from Cybercriminals: Using Public Tools for Threat Intelligence

Effective cyber threat intelligence is largely about gaining proper context around the risks facing your organization. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, there are three pillars when it comes to evaluating those cyber threats: capability, intent and opportunity.

The first two, the capability and intent of threat actors, are mostly external aspects that you have no control over, but the third pillar, the opportunity for actors to exploit your organization, is something that can be controlled, evaluated and improved upon.

Malicious actors are relentless when it comes to finding information on that opportunity, and organizations need to use that same relentlessness when searching for potential weaknesses in their cybersecurity, according to a recent report from SurfWatch Labs.

“Knowing where attackers get their information and how they use it is an important piece of your overall cybersecurity strategy,” noted the paper, Top Sources of Information for Cyber Criminals: Where the Bad Guys Go to Conduct Research on Their Targets.

Over the past few months on this blog, we’ve profiled some of the top cyber threats and items for sale on various dark web marketplaces, but not all malicious activity occurs on this “underground web.” Much of it can be found wide out in the open — using simple tools and services that are available to anyone. Here are the top three public websites and tools used by malicious actors, as described in the paper, and how they can help those actors find the opportunity to attack your organization.

1. Shodan

Shodan was originally launched in 2009 by developer John Matherly and bills itself as “the world’s first search engine for Internet-connected devices.” This simple idea has grown from a basic list of IPs and ports to maps showing where devices are located to screenshots taken from these devices (including webcams, unsecured servers and workstations). The original focus for Matherly’s scans was to highlight the growing problem of the “Internet of Things,” but his research also uncovered industrial control systems, wide open computer systems, unsecured security cameras and more.

Researchers using Shodan frequently find publicly-exposed data that leads to breach notifications. Just one example is MacKeeper security researcher Chris Vickery discovering personal information from child tracking platform uKnowKids earlier this year.

“One of the uKnowKids databases was configured for public access, requiring no level of authentication or password and providing no protection at all for this data,” Vickery wrote. “There’s no way for me to know for sure how long this data was exposed to the public internet, although the information collected by Shodan.io suggests that the database had been up for at least 48 days.”

uKnowKids CEO Steve Woda reacted by describing Vickery as a hacker whose method “puts customer data and intellectual property at risk.” However, malicious actors can just as easily utilize Shodan to find opportunity for attacks.

As SurfWatch Labs’ paper summarized: “If it’s online, Shodan will find it. The lesson to be learned from this site, without a doubt, is secure something before it goes online.”

2. VirusTotal

VirusTotal describes itself as “a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.” But that simple tagline masks a deeper set of capabilities.

Security researchers have previously suspected that malicious actors use VirusTotal as a tool to help test and hone malware before sending it out in the wild, and in 2014 researcher Brandon Dixon confirmed those suspicions by discovering several hacking groups using the tool, including two nation-state groups.

Dixon said nation-state actors using a free online service to fine-tune their attacks was ironic and unexpected, but that speaks to the usefulness of VirusTotal.

“The power behind VirusTotal is how it adds and saves the metadata and behaviors of the files it analyzes,” noted SurfWatch Labs’ paper. “You can use the domain search to look at the IP history of the domain and get the current WHOIS for the domain, but VirusTotal will also show you a list of every time it detected something malicious on the site, as well as list all of the samples that attempted to communicate with the searched for domain.”

In addition to organizations using VirusTotal to help identify if they’ve been previously targeted, VirusTotal should be seen as a baseline site that can be used for detecting and analyzing suspicious and malicious files.

3. Your Own Company Website

The best way to get information about a particular company is often directly from the source: your own company website. Company websites can provide a treasure trove of information that can be leveraged by attackers to target a specific organization. This includes names of VIPs, email addresses of company executives and other employees, photographs, links to LinkedIn profiles and other social media, and more.

But beyond the surface level, there may be even more valuable information, as the paper explained:

Are you hosting any PDFs for people to download? Word documents, or PowerPoint presentations? Did you remember to remove potential metadata from those documents that could potentially contain additional names, email addresses, usernames, or software versions of the program used to create it? Some pretty simple Google searches (just type “site:yourpublicsite.com filetype:pdf” into the google search box) can reveal much more information that you may not have been aware you were “leaking.”

These types of leaks can lead to costly data breaches.

Free tools and services such as the ones described above provide malicious actors with valuable insight into the opportunity for cyber-attacks, and they are certainly one of the first places those actors turn to gather information on your organization. To make matters worse, all of this information can be discovered with minimal effort or expertise.

The good news is that those same tools can be used to gather cyber threat intelligence and to ensure that you are performing the same level of diligence as the threat actors who are trying to harm your organization.

Download SurfWatch Labs Top Sources of Information for Cyber Criminals: Where the Bad Guys Go to Conduct Research on Their Targets for more information.

Weekly Cyber Risk Roundup: Yahoo One of Many New Data Breaches

The past week has been full of various data breach announcements that have flown mostly under the radar. One exception is the breach at the World Anti-Doping Agency (WADA). New batches of information on Olympic athletes continue to be leaked, and the Entertainment sector’s cyber risk score has steadily risen to reflect those leaks. Another exception, and one of the biggest data breach stories of the year, is Thursday’s announcement from Yahoo that 500 million users had their information stolen in late 2014 by alleged state-sponsored hackers.

The theft includes names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

The New York Times described the Yahoo breach as “the biggest known intrusion of one company’s computer network.” U.S. Sen. Richard Blumenthal said that if claims that Yahoo knew about the breach since August are true, taking two months to inform users is “a blatant betrayal of their users’ trust.” Sen. Mark Warner is using the incident to push for the adoption of a uniform data breach notification standard.

The Yahoo breach is just the latest example of years-old breaches that have come to light in recent months and affected tens or, in Yahoo’s case, hundreds of millions of individuals. The already massive list of potentially exposed passwords continues to grow, making good password hygiene more important than ever. But the Yahoo breach highlights another nagging problem: the use of static, knowledge-based authentication questions.

From Yahoo’s announcement:

“We invalidated unencrypted security questions and answers so they cannot be used to access an account. … Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.”

Except unlike passwords, static-based questions cannot be changed. How do you change your mother’s maiden name, your favorite teacher, or the name of your first pet? Fake answers can be used – and they are more secure – but what percentage of people will actually take that extra step?

A February survey from password manager LastPass indicates the majority of people are still reusing passwords. Fifty-nine percent of respondents said they reuse passwords across multiple services and 61% said they are more likely to share work passwords than personal passwords.

Organizations need to be aware of recent credential breaches, inform and train users about the threat, and ensure that password policies and procedures reflect the current level of risk surrounding compromised credentials.

What’s Everyone Talking About? Trending Cybercrime Events

In addition to the highly-publicized data breaches from Yahoo and WADA, many other companies made data breach announcements over the past week.

Some of those apparent breaches are sparse on details – such as the FBI seizing computers at Camden County Courthouse in Missouri or office supplies firm AF Smith taking its Apple website offline after fears of a payment card breach – however, many of this week’s announcements showcased the various ways in which data breach can occur.

Data breaches were caused by:

Unauthorized access: Codman Square Health Center is notifying patients of a data breach after an unauthorized individual accessed information through the New England Healthcare Exchange Network. Mobile review site MoDaCo said a data breach of 875,000 accounts likely occurred by way of a compromised administrator account. A Florida man has been arrested on charges of hacking into computers operated by the Linux Kernel Organization and the Linux Foundation using compromised credentials. A Kennesaw State University student used a professor’s account to hack into the school’s system to change grades and steal personal information. Police also discovered the usernames and passwords of at least 36 faculty members in a notebook in his home. The Pokemon battle simulator Pokemon Showdown was breached and the hacker was able to steal a database dump by compromising administrator’s credentials via social engineering and then using a privilege escalation vulnerability.

Improper court filings: WakeMed Health and Hospitals has been ordered by a federal judge to notify thousands of patients that their personal and medical information was disclosed in court filings over a six-year period. Most of WakeMed’s bankruptcy claims were filed by now-retired employee Valeria Soles. In court testimony, Soles said she had no training and no supervision with regard to filing claims and that no one else in her department knew how to file bankruptcy claims.

Missing devices: The University of Ottawa is investigating the disappearance of an external hard drive containing the personal information of approximately 900 students. According to CBC News, the hard drive was used to back up personal information on students with physical or learning disabilities or mental health issues that applied for special academic accommodations.

Employee error: The recent leak of NSA hacking tools by a group known as Shadow Brokers is suspected to have originated with an employee or contractor who made the mistake three years ago. The theory is that tools were left on a remote computer during an operation and that Russian hackers eventually found them.

Third parties: A data breach at the payroll service used by Oconee County, South Carolina, led to 230 county employees not receiving their scheduled direct deposits. The investigation is ongoing and the source of the breach is currently unknown.

Cybercriminal hackers: Hackers claim to have stolen a database from Australian point-of-sale vendor H&L Australia, and the alleged 14.1 gigabytes of data along with an active backdoor to the company’s network was apparently offered for sale more than two months ago.

In addition to the data breaches listed above, SurfWatch Labs also collected data on many different companies tied to cyber-attacks and illegal trading over the past week. Some of those newly seen targets are shown in the chart below.

Closing the C-Suite Knowledge Gap with Cyber Threat Intelligence

I spend my work days digging through SurfWatch Labs’ cybercrime data and writing blogs and reports on the latest cyber threat intelligence trends, so it should come as no surprise that among my friends and family, I’ve become the “cybersecurity guy.”

In fact, many of those same people in my personal life would be happy to shove everything “cyber” in a box and put it far out of sight to never deal with again. Because of this, I’m not shocked when I read the latest studies about those in the C-suite having that same attitude — such as 90 percent of corporate executives saying they cannot read a cybersecurity report.

I have a confession to make myself: I’m not much of a technical IT guy either.

I view myself as more of a business analyst, and through that lens, the separation of cyber risk and business risk doesn’t make much sense. My sister getting Craigslist messages trying to dupe her out of money is no different than the scammers on the street pitching their elaborate stories in person. Likewise, a competitor stealing employee credentials in order to access valuable intellectual property isn’t much different than the paper-driven corporate espionage that existed before the Internet.

It’s the same risk, just in a different medium. If anything, the main difference is in volume. Actors halfway across the globe can target your organization, and expanding digital supply chains means there is a growing number of attack vectors and an ever-changing list of exploits that can be used to steal that information.

You may not be an expert on a specific threat or a risk out of the box, but that’s where cyber threat intelligence can help. With the right intelligence you can make more informed decisions that can dramatically improve your cybersecurity and resiliency.

screenshot-1474406400130 — Dashboard of Consumer Goods risk from SurfWatch Threat Analyst

I’m reminded of a famous quote attributed to Socrates: “The only true wisdom is in knowing you know nothing.” Cyber threat intelligence is the wisdom that although individually we may know nothing, collectively we have great knowledge that can be leveraged.

Much has been written about cybercrime-as-a-service model and the way that malicious actors leverage past successes and individual expertise to create more effective tools and tactics. Cyber threat intelligence is about having that same effective and coordinated approach to risk management that the bad actors have when it comes to trying to exploit cyber risk.

The cybersecurity conversation has come a long way over the past few years, but what’s still missing from many organizations is that coordinated approach to cybersecurity — one that begins at the board of directors and goes down to the newest employee. As we previously noted, a proactive strategy backed by an engaged C-suite and board of directors has been shown to reduce the growth of cyber-attacks and data breaches.

It’s easy to berate the clueless executive, but I try to imagine them with the same level of knowledge that I once had — before I first picked up the phone, began interviewing cybersecurity experts, and had all of this cyber threat data at my fingertips.

We don’t all have to be experts. There are plenty of experts out there already. What those organizations need is a way to harness that collective knowledge, to compare that external data against their own internal intelligence, and to have that cyber threat information presented in an ongoing, easy-to-understand manner.

When customers ask our analysts about new threats or use our threat intelligence to improve their organization’s cybersecurity, we’re all working together to better defend against malicious actors by focusing resources on the threats that directly impact each organization. That collaboration and sharing of knowledge is what cyber threat intelligence is all about.

Weekly Cyber Risk Roundup: Ransomware Ups the Ante and Other Headlines

Three of this week’s top four trending industry targets centered around DDoS attacks. Linode, which made last week’s roundup over reported DDoS attacks, was targeted once again. The cloud hosting company has seen DDoS attacks throughout the month, with the latest attack coming on September 13, according to company logs. Additionally, Brian Krebs’ website was hit with DDoS attacks after his reporting on the booter service VDoS led to the arrest of two young Israeli men who allegedly ran the cybercrime-as-a-service operation.

Trending new data breaches and cyber-attacks recently observed in SurfWatch Labs’ data are shown below.

Noteworthy cybercrime events from the past week include:

Variety of New Breaches Reported: Dutch news sources are reporting that hackers have stolen 22 gigabytes of data from municipal servers in Almelo, though at the moment it is unclear what data may have been compromised. London-based VoIP Talk is emailing customers about a potential breach after discovering “attempts to exploit vulnerabilities in our infrastructure to obtain customer data.” The paid-to-click site ClixSense suffered a data breach in which a hacker exposed 2.2 million subscriber identities and put another 4.4 million up for sale. The Exile Mod gaming forum website was hacked and the personal details of nearly 12,000 users was posted online by a group going by the name “Expl.oit.” EurekAlert!, which is used to distribute scientific press releases, temporarily shut down their website after a breach compromised usernames and passwords and two embargoed news releases were prematurely released. The personal information of 29 Olympic athletes has been stolen from the World Anti-Doping Administration. Finally, a data breach at Regpack, an online enrollment platform serving the private education industry, has led to 324,000 people having personal information exposed.
More Extortion Attacks: A hacker attempted to extort Bremerton Housing Authority in Washington for 6 bitcoins (around $3,700) after gaining access to its website and stealing a database of 1,100 client names and the last four digits of Social Security numbers. University Gastroenterology in Rhode Island is notifying patients of a data breach after what sounds like a ransomware attack. In its notification letter, it wrote that an unauthorized individual had gained access to an electronic file storage system from Consultants in Gastroenterology, which it acquired in 2014, and “encrypted several files.”
Political Parties Continue to be Targeted: State Democratic Party officials are being breached and impersonated by hackers, according to a warning from the Association of State Democratic Chairs. The message urged recipients to avoid searching the leaked DNC information posted by WikiLeaks due to concerns over malware being embedded in the links. Additionally, a “serious misconfiguration” on Donald Trump’s website exposed the resumes of prospective interns, according to security researcher Chris Vickery.
Stolen Laptops Continue: M Holdings Securities, a subsidiary of M Financial Holdings, had a password-protected laptop with information on 20,000 clients stolen from the trunk of an employee’s car on July 29. Roughly 2,000 of those clients had Social Security numbers potentially compromised. U.S. Healthworks began notifying 1,400 patients of a data breach earlier this month after a laptop and the laptop’s password were stolen from an employee.

Other Noteable Cyber Risk News

This week saw little movement among most sectors’ overall cyber risk scores. Other Organizations – which includes groups such as political parties, schools, and charities – saw the week’s biggest rise in risk, up 1.6%.

Ransomware was at the forefront of much of the week’s cybercrime news. CBC News reported that a school board and a support group for cancer patients, both in Canada, were infected with the Zepto ransomware, and the actor behind the attack demanded $20,000 in payment to decrypt the files. Those high prices may become more commonplace, the FBI warned in an alert published on Thursday. Recent ransomware variants have been seen targeting vulnerable business servers rather than individual users, and the actors behind these targeted attacks have been upping their ransom demands as the data they encrypt grows more valuable.

“This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files,” the alert warns. “Recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

The FBI isn’t the only government agency warning of the threat. In July, the Department of Health and Human Service stated that PHI being encrypted by ransomware qualifies as a “breach” in most circumstances, and FTC chairwoman Edith Ramirez warned this week that “a company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”

It’s worth taking a moment to review this week’s advice on combatting ransomware from the FBI alert:

Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

Tracking the exact number of ransomware victims is difficult, the FBI said, since many attacks go unreported. The FBI is urging victims to report ransomware incidents regardless of the outcome so that they can better understand who is behind the attacks and how they operate.

Short Selling Vulnerabilities Latest in String of Stock Market Manipulation

Medical device company St. Jude filed a lawsuit yesterday against Muddy Waters and MedSec Holdings over a “false” report about cybersecurity issues in St. Jude’s cardiac devices. The August report caused the company’s stock to drop more than ten percent on the heels of those allegations and raised questions around a pending $25 billion deal to be acquired by Abbott Laboratories.

The heart of the issue is that MedSec Holdings, which discovered the alleged flaws, did not disclose them to St. Jude; rather, they took their findings to short-selling firm Muddy Waters in order to short St. Jude stock and turn a profit from the public disclosure.

MedSec contacted Muddy Waters with the proposal to short St. Jude stock after spending 18 months doing research and not generating any revenue, CEO Justine Bone said. Money made from shorting the stock will help finance development of secure medical device technology.

In its lawsuit, St. Jude said, “This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must by stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”

The public battle has been at the center of an ongoing debate over the past two weeks — once again putting the issue of manipulating the stock market via cyber front and center.

Malicious Actors Profit From Stock Market

It’s no secret that malicious actors seek similar types of non-public information that can be used to leverage big profits in the stock market.

Perhaps the most famous recent case involves the theft of press releases from various newswire services. According to an August 2015 complaint filed by the Securities Exchange Commission (SEC), hackers gained access to the services, stole more than 100,000 press releases for publicly traded companies, and then used that information – often quarterly or annual earnings data – to reap over $100 million in unlawful profits.

As we noted in our 2015 Cyber Risk Report, the hackers worked with a network of traders to capitalize on the window between when a draft of a press release was provided and when it was made available to the public. In some instances that window was only a few minutes, but having that knowledge was extremely profitable, as the SEC complaint demonstrated.

2h2015_sec — By using non-public earnings information, the network of traders listed above were able to generate millions of dollars in profits through illegal trades.

Additionally, last summer reports of the hacking group Fin4 breaking into corporate email accounts to steal mergers and acquisitions data sparked the SEC to approach companies about possible breaches.

“The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading,” John Reed Stark, a former head of Internet enforcement at the SEC, told Reuters.

Other cybercriminals have used less sophisticated methods to manipulate stock prices.

In July Gery Shalon, 32, and Ziv Orenstein, 41, were extradited from Israel and pled not guilty to charges that included a breach at JPMorgan Chase, which authorities described as the “largest theft of customer data from a U.S. financial institution in history.” The stolen contact information was used to send deceptive communications in order to inflate stock prices, a practice known as pump and dump.

First, they would execute prearranged manipulative trades to cause the stock’s price to rise small amounts on successive days. Then they would send spam emails — sometimes millions a day — touting the stock. Finally, after artificially pumping up the price, they would dump their shares of the stock for huge profits.

A New White-Hat Shorting Strategy

While cyber-experts have long-pointed to the massive profits criminals can make from combining cyber-attacks with strategies such as shorting, the move towards white-hat hackers doing the same thing has created some concern.

MedSec CEO Justine Bone said she knows the approach they used will lead to criticism, but that it was the most powerful way to inflict pain on St. Jude over the company’s “negligent level of attention to cybersecurity.”

Although many companies have implemented bug bounties in an effort to encourage researchers and other hackers to disclose vulnerabilities in a responsible manner, those programs often don’t come with big payouts or spur the change desired by the person who disclosed the bug. Those players may attempt to copy the MedSec strategy — resulting in more profits and more public pressure to respond to alleged vulnerabilities. That gives yet another reason for investors to be concerned over potential cyber issues.

Medical device consultants Billy Rios and Jonathan Butts told Bloomberg that traders were clearly blindsided and scrambling over this new idea, having been inundated with requests from hedge funds, short sellers and other investors about the Muddy Waters report.

“This is almost like The Big Short,” Butts said. “Someone saw something that nobody else did.”

POS Breaches: Bankrupting Small Businesses and Impacting the Supply Chain

There’s a popular cybercrime statistic that has been vexing me for years, and if you read cybersecurity news regularly, I’m sure you’ve seen it cited a few dozen times as well:

60% of small businesses close their doors within six months of a cyber-attack.

I’ve always been skeptical of that bold statistic. As Mark Twain wrote in his autobiography, attributing the now famous quote to British Prime Minister Benjamin Disraeli, “There are three kinds of lies: lies, damned lies and statistics.” Sixty percent is incredibly high (and what percent of these companies would have failed anyway, cyber-attack or not?); nevertheless, I’ve always wanted to find the source of that data and delve into the stories behind that number.

I’ve largely failed on both of those fronts over the past few years.

First, the statistic is most often attributed in some vague way to either the National Cyber Security Alliance or the U.S. House Small Business Subcommittee on Health and Technology. In fact, National Cyber Security Alliance executive director Michael Kaiser did quote that statistic before the House Small Business Subcommittee on Health and Technology in December 2011, but he was actually citing a Business Insider article from three months prior. The Business Insider article is similarly vague, saying only that “about 60 percent of small businesses will close shop within six months of an attack” — but providing no other context to back up that assertion.

Second, my repeated attempts to find small businesses that have failed due to cyber-attacks — and are willing talk publicly about those failures — have come up mostly empty.

When Breaches Lead to Bankruptcy

All of this serves as a backdrop to the recent conviction of Roman Valerevich Seleznev, aka Track2, 32, of Vladivostok, Russia. Seleznev was convicted on August 25 of 38 counts related to hacking point-of-sale systems and stealing payment card information. According to trial testimony, Seleznev’s scheme led to more than $169 million in losses across 3,700 financial institutions.

Perhaps most interesting — at least when it comes to my ongoing quest to chronicle small businesses being put out of business by cybercrime — was this tidbit from the Department of Justice press release:

Many of the businesses [targeted by Seleznev] were small businesses, some of which were restaurants in Western Washington, including the Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault.

According to the indictment, Seleznev and others used automated techniques such as port scanning to identify vulnerable retail point-of-sale systems that were connected to the Internet and then infect those systems with malware.

“[Seleznev and others] hacked into, installed malware on, and stole credit card track data from, hundreds of retail businesses in the Western District of Washington and elsewhere,” the indictment stated. “[They] stole, in total, over two million credit card numbers, many of which they then sold through their dump shop websites … generating millions of dollars of illicit profits.”

Seattle’s iconic The Grill on Broadway was one of those small businesses to be hit by point-of-sale malware in 2010. The incident, along with other issues inherited from previous owners, led to the restaurant being closed in 2013.

“It became a target of a credit card number harvesting scheme that claimed a number of businesses on Broadway as victims,” the Seattle Gay Scene wrote at the time of the closing. “Several years of missed software updates played a significant role in the incident and [owner Matthew] Walsh and his team discovered this fact only a few months after purchasing the business. The effects were devastating to The Grill, generating massive amounts of negative publicity and drastically reduced revenue at the restaurant.”

The resources required to stay afloat were simply too much.

“In spite of what it may seem, we’re a very small business,” Walsh said. “We don’t have endless financial resources to keep us afloat like a chain restaurant or large corporation could.”

Recent Supply Chain Issues Affect POS Systems

The conviction of Seleznev over stolen payment card information and the re-emergence of The Grill on Broadway’s story comes during the same month that several point-of-sale vendors, including Oracle MICROS, have announced potential compromises — and a series of retailers and hotels have subsequently published data breach notifications.

Those breaches haven’t been explicitly connected, but several of the hotels to recently announce breaches have previously confirmed using MICROS products.

For example, Millennium Hotels & Resorts (MHR), which recently announced a data breach affecting food and beverage point-of-sale systems at 14 hotels, said it was notified by a third-party service provider about “malicious code in certain of its legacy point of sale systems, including those used by MHR.”

“The third party is a significant supplier of PoS systems to the hotel industry,” a spokesperson responded when SurfWatch Labs inquired about problems stemming from the supply chain. “It is aware of these issues. We are not disclosing the name.”

However, in 2008 MICROS Systems, now owned by Oracle, announced that Millennium Hotels & Resorts would be using MICROS “as the standard food and beverage point-of-sale solution for its 14 Millennium Hotel properties located in the United States” — so it’s possible there’s some connection between the breaches.

The same Russian group that hit MICROS has targeted at least five other cash-register providers, according to Forbes’ Thomas Fox-Brewster. Investigations are ongoing, but as we noted in our recent report, cybercrime is increasingly interconnected and compromises can quickly move down the supply chain, affecting everyone from small businesses to large enterprises.

If that 60% statistic is true, even partially, then it begs the question: will these recent breaches in the point-of-sale supply chain lead to more shuttered doors in the future?

And will we hear those businesses’ stories if it does happen? Or will they just become another vague statistic that we all continue to reference?