October 2016 – SurfWatch Labs, Inc.

DDoS Attacks Dominate News, Spark Calls for Regulation

Last week’s massive distributed denial-of-service (DDOS) attacks, which made popular websites and services inaccessible to users across the East Coast and elsewhere, has since led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

In fact, the attack against DNS provider Dyn, which happened just six days ago, has already become the most talked about target tied to “service interruption” in all of 2016, according to SurfWatch Labs’ data.

Friday’s DDoS attack against Dyn is concerning for several reasons. First, reports have claimed the attack reached 1.2 terabytes per second. If true, that would make it the largest DDoS attack ever. Second, Dyn confirmed yesterday that the Mirai botnet was a primary source of malicious attack traffic. The source code for that botnet was made public earlier this month, and last week Level 3 Threat Research Labs said that the number of Marai bots it had observed had more than doubled since the code was released. Finally, some researchers have claimed the attack was carried out by amateur hackers, not sophisticated state-sponsored or financially-motivated actors.

That combination suggests that more attacks like the one against Dyn will occur in the future, adding to a trend that SurfWatch Labs has observed throughout the year of increased evaluated intelligence around the service interruption tag.

The number of CyberFacts collected by SurfWatch Labs related to “service interruption” has steadily increased throughout the year, peaking with last week’s attack against Dyn.

The Marai-driven attacks have also put one company as the face of the Internet-of-Things problem, unfairly or not: XiongMai Technologies.

XiongMai Technologies is a Chinese electronic company that makes products used in a variety of brands, including DVRs and cameras tied to the recent DDoS attacks. XiongMai said on Monday that it would issue a recall of some of its U.S. products, although it’s unclear how successful that recall will be.

Like Yahoo, Wells Fargo and other companies tied to major cyber incidents this year, XiongMai Technologies and manufacturers of Internet-connected devices have now moved onto the radar of politicians and regulators. On Wednesday, Virginia Sen. Mark Warner sent letters to the Federal Communications Commission, Federal Trade Commission and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center about his “growing concern” over the “unprecedented” volume of DDoS attacks driven by the Marai botnet exploiting connected devices.

“[O]ver 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software,” Warner wrote. “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

The letter continued: “DDoS attacks can be powerful tools for censorship, criminal extortion, or nation-state aggression. Tools such as Mirai source code, amplified by an embedded base of insecure devices worldwide, accomplish more than isolated nuisance; these are capabilities – weapons even – that can debilitate entire ranges of economic activity.”

Warner provided a list of questions on how to potentially deal with the issue of insecure Internet-connected devices, including ways to make consumers more aware of the risk, trying to work with ISPs to designate insecure devices and deny them connections to their networks, and establishing and enforcing minimal technical security standards.

“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” Warner said.

Being thrust into the spotlight is an unusual situation for XiongMai, a company whose brand tends to remain behind the curtain of its “white label” products, which are sold and then incorporated into other brands’ offerings. Accurately gauging the potential fallout to companies such as XiongMai is difficult, but it’s safe to say that no company wants to be referenced, even indirectly, as the poster child for “cheap, insecure” devices. However, the recent DDoS attacks powered by the Marai botnet — against Krebs on Security, OVH and now Dyn — are quickly on their way to becoming the most discussed cybersecurity stories of 2016, and XiongMai and other manufacturers of connected devices are along for that ride.

Weekly Cyber Risk Roundup: Massive Data Dumps and More Insider Breaches

After a short period without seeing any new mega breach announcements, the past two weeks has seen several massive data dumps totaling more than 130 million records. In last week’s roundup, we mentioned a hacker going by the Twitter handle “0x2Taylor” who released 58 million records claiming to be stolen from an unsecured database. That leak has been attributed to Modern Business Solutions, but the company did not responded to numerous news outlets or sites that reached out to them about the breach.

It was also recently announced that gaming company Evony was hacked in June 2016 and more than 33 million user records were stolen. The compromised records contained usernames, email addresses, passwords, IP addresses and other internal data. LeakedSource said the passwords were stored using unsalted MD5 hashing and that they had already cracked “most” of the passwords.

On Thursday, a massive data breach was announced affecting Weebly, a popular web-hosting service featuring a drag-and-drop website builder. That breach included more than 43 million user records containing usernames, email addresses, passwords and IP addresses. The good news, LeakedSource wrote, was that the company actually responded to its notification attempts and “did not have [its] head buried deeply in the sand” like other companies it has attempted to notify of late. Also, the compromised passwords were stored using uniquely salted Bcrypt hashing. That’s good because as a hosting provider the breach not only affected tens of millions of users, but also tens of millions of websites.

As our Mid-Year 2016 Cybercrime Trends report noted, the credentials stolen/leaked tag appeared in 12.7% of the negative CyberFacts collected by SurfWatch Labs in the first half of 2016, a rise from 8.3% in 2015. A quick look at the updated data shows that since that report, that number has risen once again to 13.3% — driven, in part, by the more than 130 million records compromised in these three data breaches.

Other trending cybercrime events from the week include:

WikiLeaks, government leaks, dominate news: On Monday WikiLeaks tweeted that the Internet link for founder Julian Assange was intentionally severed by Ecuador. Ecuador later confirmed it was behind the interference due to WikiLeaks’ decision to publish documents affecting the U.S. election and Ecuador’s desire to not meddle in the election processes. That hasn’t stopped the ongoing leak of emails from Hillary Clinton’s campaign manager John Podesta, which was brought up several times during Wednesday’s presidential debate. Executive director of the North Carolina GOP Dallas Woodhouse is the latest official to have his email hacked. In this case it was used to send phishing emails to all of his contacts with a link to a fake Dropbox file titled “GOP-financial_Document.pdf.”

Financial information continues to be targeted: Axis Bank in India is investigating a cyber intrusion after being notified by Kaspersky Lab of a potential breach. Approximately 1,000 members of One Nevada Credit Union had their payment card information stolen via ATM skimming devices, and at least one member had $5,000 stolen due to the incident. Noble House Hotels & Resorts announced a point-of-sale breach affecting payment cards used at its Teton Mountain Lodge & Spa and Hotel Terra properties. According to the company’s press release, only customers who used their cards between September 5 and September 6 of this year were impacted.

Researcher’s computer infected, data stolen: A researcher at the University of Toyama’s Hydrogen Isotope Research Center had research data and personal information stolen from a personal computer after clicking on an attachment claiming to be questions from a student. Japanese news sources said that “huge volumes” of data were transmitted while the computer was infected. The data affected mostly included research that was either already published or slated to be published, as well as the email addresses of 1,500 people. The individual whose device was compromised was researching tritium, a radioactive isotope of hydrogen that may one day be used for fuel in nuclear fusion reactors.

More data breaches announced: CalOptima announced that 56,000 of its members may have had their personal information compromised when an employee downloaded their information onto a personal, unencrypted USB drive. Australian event management company Pont3 announced its third-party external electronic mailing account was accessed without authorization resulting in some participant, volunteer and associated information being stolen. redBus, an inter-city bus ticketing service founded in India, is investigating a possible data breach after being alerted of a potential intrusion; however, the company said it has not been able to conclusively establish a data breach.

Russian man tied to LinkedIn breach: A Russian man that was arrested by Czech police is connected to the 2012 data breach at LinkedIn, the company said on Wednesday, although officials have not publicly confirmed the connection. Russian news agency TASS indicated that Russia would fight any attempts to extradite the man to the U.S.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

After several weeks of steady or dropping cyber risk scores, this week saw a consistent rise in risk across most sectors. Nine out of twelve sectors saw an uptick in cyber risk score when compared to the previous week, with Utilities (+10.9%) and Healthcare (+9.7%) seeing the biggest change. Government and Other Organizations experienced a rise of more than 6%, in part due to the many cyber-attacks and leaks tied to the U.S. presidential election.

Another reason for that rise is a steady trickle of small-scale data breaches tied to groups such as education and healthcare facilities. In a recent blog, we highlighted the difficult and growing problem of malicious insiders, but as that blog noted, the majority of insider incidents are unintentional errors committed by employees, vendors and third parties.

We saw several such news stories this past week:

Katy Independent School District in Texas experienced a data breach affecting 78,000 students after a third-party that works with the district’s student data management system accidentally copied student information and uploaded it to a security software application used by 29 other school districts.

Nearly 700 users of Vermont’s online health insurance marketplace had their information inadvertently exposed due to a subcontractor mishandling their data and making it publicly accessible. WEX Health was hired by Vermont to perform payment processing for the insurance exchange, and Samanage, a subcontractor for WEX Health, made a data file publicly accessible for nearly two months.

St. Joseph Health agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights over accidentally making electronic protected health information publicly accessible on the Internet from February 2011 until February 2012.

This week’s stories highlight the variety of ways a data breach can occur from ill-trained employees and contractors along with other poor risk management strategies.

In the case of Katy Independent School District, an employee for SunGard K-12 mistakenly copied a file containing Katy ISD data into a standard installation pack for an information security software application. In the case of St. Joseph Health, a server that was purchased to store files included a file sharing application whose default settings allowed anyone with an Internet connection to access them. St. Joseph Health did not examine it or modify it after implementation, HHS wrote in a press release, leading to the ePHI of 31,800 individuals being compromised. That mistake cost St. Joseph a payment of $2,140,500 and the adoption of a comprehensive corrective action plan in order to settle potential HIPAA violations.

Those incidents, along with our previous blog on malicious insiders, serves as an important reminder that many data breaches do not come from outside the organization; rather, they come from within.

Malicious Insiders Remain a Difficult and Growing Problem

Earlier this month, the Department of Justice unsealed a criminal complaint against a contractor for the National Security Agency, alleging the theft of highly classified information. Like Edward Snowden in 2013, Harold Thomas Martin III, 51, of Glen Burnie, Maryland, worked for Booz Allen Hamilton and is accused of exploiting his insider access in order to remove classified files.

According to the complaint, search warrants executed in August discovered stolen documents, digital files and government property in Martin’s residence and vehicle. Six of the classified documents contained sensitive intelligence dating back to 2014.

“These documents were produced through sensitive government sources, methods and capabilities, which are critical to a wide variety of national security issues,” the DOJ wrote. “[The] documents are currently and properly classified as Top Secret, meaning that unauthorized disclosure reasonably could be expected to cause exceptionally grave damage to the national security of the U.S.”

A second case of insider theft at the NSA in three years has once again raised the issue of malicious insiders and the challenges of preventing employees, vendors and other third-parties from causing a major data breach.

Growing Concern Around Insider Activity

Defense is just one of many groups rightfully concerned about insider threats. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year. In addition, 56 percent of those security professionals said that insider threats have become more frequent over the past 12 months.

Since January 2016, SurfWatch Labs has collected data on more than 180 industry targets associated with the “insider activity” tag. Of those, Healthcare Facilities and Services is the top trending group with 35 total targets, followed by Software with 18 total targets.

Not all data breaches caused by insiders are intentional. In fact, the majority of insider breaches are caused by a combination of employee errors, negligence, lost devices or other unintentional disclosures, according to SurfWatch Labs’ data.

The more malicious “employee data theft” tag is tied to less than one-fifth of all the targets associated with insider activity.

However, there is growing concern around that small percentage of malicious insiders — particularly those who may be using their knowledge and access to sell information anonymously on the dark web.

As Verizon’s Data Breach Investigations Report noted, insider activity is among the most difficult issues to detect. Nearly half of the insider incidents evaluated by Verizon took months to discover, and more than a fifth of the incidents took years.

That concern is amplified by the ease in which insiders can monetize their access to sensitive information due to the growing popularity of dark web markets and anonymous digital currencies such as bitcoin — a concern shared by many in law enforcement. In September, Europol announced the creation of a working group designed to look into the those currencies, which the agency said is “already transforming the criminal underworld.”

“Europol, INTERPOL, and the Basel Institute on Governance are concerned about the seriousness of these threats and note the increasing use of new kinds of currencies,” Europol wrote in a press release. “To trace assets transferred, laundered, exchanged or stored through the use of cryptocurrencies poses new and distinctive challenges to investigators and prosecutors, as does the seizure and confiscation of the proceeds of crime in cryptocurrencies.”

Financial gain remains the primary motivator for insiders, according to Verizon. Thirty-four percent of insider breaches are profit-driven, followed by espionage, which accounts for a quarter of insider breaches.

Monitoring Cybercriminal Channels

It’s unclear exactly how the NSA discovered its recent insider theft, so it’s hard to judge the extent of which the agency’s post-Snowden security reforms may have aided in identifying Martin’s alleged theft — or what lessons, if any, can be extrapolated to help protect other organizations.

In addition to monitoring employees and creating a positive corporate culture to minimize disgruntled employees, as Verizon suggested, organizations can also benefit from monitoring dark web markets and cybercriminal forums for any signs of yet-to-be detected breaches.

For example, SurfWatch Labs recently observed a user of a dark web forum claiming to have insider access at a money transfer company, and in June, Brian Krebs shared a screenshot of an insider at Guitar Center boasting that the fraud he or she was proposing would “have no way of coming back to me.”

“I currently have approvals and passwords that allow me to manually enter CC [credit cards] at the registers of Guitar Center, Bypassing the usual 3 code verify,” the insider wrote. “I also have physical access to the server room and I am looking to exploit this with the help of some seriously skilled people.”

The fact that a disgruntled employee or contractor can go unnoticed, in many cases for years, while monetizing stolen information via anonymous cryptocurrencies is a scary thought for many organizations, particularly since a significant percentage of insider attacks are carried by low-level employees.

“When their roles were classified in the incident, almost one third [of insiders] were found to be end users who have access to sensitive data as a requirement to do their jobs,” Verizon noted. “Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%). The moral of this story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them).”

Monitoring for insider threats, either within an organization or via external sites, may not stop a breach that has already happened, but it can help to shorten the discovery so that it is not going on for years, as is often the case.

Weekly Cyber Risk Roundup: More POS Breaches and the Rise of Destructive Attacks

Massive distributed denial-of-service attacks and data breaches remained front and center in SurfWatch Labs’ cybercrime data this week as old attacks against Brian Krebs, OVH, Yahoo and others continued to be heavily discussed. But looking beyond those headline-grabbing stories, the data also reflects a surge in reports of stolen payment card information.

On Tuesday, University of Central Florida police announced they were able to tie a recent surge in fraud reports to malware on the systems of AD Food Services, which operates Asian Chao, Huey Magoo’s and the Corner Café in the Student Union.

On Wednesday, luggage and handbag company Vera Bradley announced a breach affecting retail stores. Law enforcement notified the company of a potential issue on September 15, and it was discovered that payment cards used at store locations between July 25, 2016, and September 23, 2016, may have been affected.

On Thursday, it was reported that Dutch developer Willem de Groot discovered skimming scripts on more than 6,000 online stores running vulnerable versions of the Magneto ecommerce platform. The active operation is adding 85 stores each day, and de Groot estimates that the number of stolen cards is in the hundreds of thousands.

In addition, American 1 Credit Union in Michigan announced last week that it is temporarily blocking payments to all Wendy’s franchise locations due to ongoing fraud issues. Community members are reporting fraudulent activity on newly issued payment cards used at Wendy’s, suggesting that the malware issue may be ongoing for the fast-food chain. Like other credit unions, American 1 Credit Union reported its total losses related to the Wendy’s data breach are growing beyond the losses incurred from the 2014 Home Depot breach.

Other trending cybercrime events from the week include:

TheDarkOverlord extortion demands continue: Peachtree Orthopedic Clinic in Atlanta is notifying patients of a data breach after discovering unauthorized access into its computer system. After the clinic’s announcement, the actor known as TheDarkOverlord leaked documents allegedly stolen from the clinic and announced they had another 543,879 records containing personal and health information. Athens Orthopedic Clinic, another victim of TheDarkOverlord, confirmed that TheDarkOverlord demanded nearly $400,000 in ransom for the stolen patient data and threatened to call patients and publicly name the company if the clinic didn’t comply with the extortion demands.

Another massive breach reported: A hacker going by the name “0x2Taylor” has released 58 million records claiming to be stolen from Modern Business Systems (MBS), which offers in-house data management and monetization solutions to companies. MBS has not publicly confirmed the data breach, but researchers have confirmed that MBS was running an unsecured MongoDB database as the hacker suggested. The hacker also shared a screenshot indicating he or she has another database containing 258 million rows of data.

Beware of social engineering: An employee that clicked on a link that appeared to be for a Dropbox file led to a hacker targeting a customer of garden furniture company Gaze Burvill and requesting payment of £7,148 to a fraudulent bank account. Australian not-for-profit health fund CBHS said an unnamed third party has been breached and is warning customers to be on the lookout for phishing emails. The Clinton Foundation is warning that donors are being targeted with phishing messages. Indian police are investigating about 700 people over a scam where workers posed as IRS officials and duped U.S. citizens out of tens of millions of dollars. A Connecticut man has been charged with stealing login credentials from users of Dark Web marketplaces using a combination phishing pages and port forwarding and then using those credentials to steal bitcoins.

Effective backups thwart ransomware: Hutchinson Community Foundation was infected with ransomware on September 19, but it was able to fully recover the data from backups without paying a ransom. Nevertheless, the foundation is notifying donors, vendors and other stakeholders that information may have been compromised during the attack.

Hackers continue to target U.S. political figures: The Twitter account of Hillary Clinton’s campaign chief, John Podesta, was hijacked and used to urge followers to vote for Donald Trump. In addition, screenshots circulating online suggest that Podesta’s iCloud account may have been compromised. Users on 4chan claimed that Podesta’s iCloud password, which was published by WikiLeaks, was still working; however, WikiLeaks said that it made sure the credentials were changed.

Cyber Risk Trends From the Past Week

SurfWatch Labs industry risk scores remained fairly stable. Other Organizations (+0.8%) – which includes groups such as education, advocacy and political parties – was the only sector to see a noticeable increase in risk score compared to the previous week.

Nation-state hacking remains one of the most talked about cyber risks, and that discussion grew more intense as the U.S. presidential elections moved into the final month. On Friday, the U.S. formally accused the Russian government of orchestrating the recent attacks against the Democratic National Committee and others in an effort “to interfere with the U.S. election process.” A statement from director of national intelligence James Clapper and the Department of Homeland Security said that they believe only Russia’s senior-most officials could have authorized the hacking efforts. That public accusation was followed by promises of a “proportional” response against Russia; however, White House Press Secretary Josh Earnest added that ““it is unlikely that our response would be announced in advance.”

The U.S. isn’t the only country facing nation-state espionage. A Wednesday report from the Australian Cyber Security Centre said the 2015 hacking of the Australian Bureau of Meteorology’s network was carried out by foreign adversaries. That attack compromised government systems and led to the theft of sensitive documents, and after the attack officials estimated it would cost millions of dollars to plug the related security holes. The report also said that the attacks demonstrate a willingness of actors to use disruptive and destructive measures when targeting organizations.

That destructive nature is demonstrated by the April 2015 attack on France’s TV5Monde. A recent investigation linked the incident to the Russian hacking group APT 28 and revealed that the attack, which knocked 12 channels off the air, was designed to destroy the TV network. The attack turned out to be more sophisticated than initially reported, with the network first being infiltrated in January 2015 in order to conduct reconnaissance on the way TV5Monde broadcast TV signals. Seven points of entry were used, including a Netherlands-based company that supplied the remote-controlled cameras used in the network’s studios. According to the BBC, the attackers then fabricated malware designed to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations.

“It’s the worst thing that can happen to you in television,” Yves Bigot, the director-general of TV5Monde told the BBC. “We were a couple of hours from having the whole station gone for good.”

These attacks, ranging from influencing elections to destroying TV networks, are believed to be carried out by nation-states or other advanced actors who are increasingly using those disruptive and destructive tactics to achieve their goals – and with the U.S. promising retaliatory attacks, we can expect to see more such attacks in the near future.

Fraudsters Exploit Hurricane Matthew to Create More Victims

Hurricane Matthew is over — having been officially downgraded on Sunday — and a clearer picture of the aftermath has begun to emerge. More than 1,000 people were killed by the hurricane, including at least 35 in the United States. Although the storm has moved out to sea, flooding continues here in the U.S., and in Haiti, which was hit hardest by the storm, officials are warning of the possibility of starvation and the spread of Cholera.

With the world’s attention focused on the natural disaster, cybercriminals are once again capitalizing on the devastation with a wave of phishing attacks and other scams. The South Carolina Emergency Management Division is warning Hurricane Matthew victims to be wary of any emails, phone calls and text messages — as well as scams impersonating one of the thousands of disaster workers expected to travel to the state.

US-CERT is also warning of deceptive donation requests that attempt to steal financial information from those who wish to help the victims.

As US-CERT noted, this type of activity commonly occurs after natural disasters. Cybercriminals are always looking for new individuals to target, and national disasters provide a large bucket of concerned people that can potentially be exploited.

Similar warnings were issued following:

August flooding in Louisiana, which led to concern over fraudulent charity requests that attempt to steal personal and banking information or infect devices with malware.
The May wildfire in Alberta, Canada, which forced 90,000 people to evacuate and led to individuals impersonating evacuees and using fake websites and Go Fund Me pages to mimic disaster relief programs.
April floods in Texas, which FEMA warned would likely lead to scammers impersonating building contractors, FEMA employees, and volunteer groups in order to steal sensitive personal information.

“Fraud is an unfortunate reality in post-disaster environments,” said National Insurance Crime Bureau CEO Joe Wehrle in a press release warning of Hurricane Matthew rebuilding scams. “The last thing victims of disaster need is to be victimized again.”

As SurfWatch Labs noted earlier this year, social engineering is one of the most difficult problems related to cybersecurity. It’s also one of the most common tags in SurfWatch Labs’ cybercrime data.

2016-10-12_socialengineering — Email phishing remains the most common form of social engineering due to the ease of targeting a large number of potential victims.

Social engineers often use a few simple and effective tactics in order to dupe their victims. These include having a simple backstory, appearing as though they belong and projecting authority.

One of the reasons cybercriminals capitalize on events such as Hurricane Matthew is that it is very easy for them to use that trifecta of tactics. The natural disaster provides an instant backstory that is immediately understood by a large number of people. People are expecting to see a wide variety of victims and volunteers both seeking and offering help, so its easy for fraudsters to appear as though they belong. Victims are expecting to have to deal with authority figures, making it easy to impersonate government officials, insurance agents or other disaster workers.

Some tips to help stay safe when it comes to social engineering include.

Never click on links or open attachments unless you know who sent it and what it is. Malicious email attachments and links are among the most common ways for cybercriminals to spread malware and steal information.
Never reply to emails, text messages, or pop-ups that ask for personal information.
Cybercriminals may use a combination of fraudulent emails and phone numbers to increase their appearance of authority. Always verify that communication is valid by contacting the organization directly before providing any sensitive information.
If donating to a charity, make sure it is one you know and trust. The FTC recommends checking out charities via the Better Business Bureau’s (BBB) Wise Giving Alliance, Charity Navigator, Charity Watch or GuideStar.

WADA, Presidential Election Highlight Threat of Data Being Altered

Last week the World Anti-Doping Agency (WADA) released an update about its investigation into the recent hack and subsequent leaks of Olympic Athletes’ confidential information, and one of the more interesting revelations was that some of the stolen data may have been manipulated prior to being leaked.

“WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS [Anti-Doping Administration and Management System] data,” the agency wrote in a blog post. “However, we are continuing to examine the extent of this as a priority and we would encourage any affected parties to contact WADA should they become aware of any inaccuracies in the data that has been released.”

WADA did not elaborate on which athletes’ data may have been altered or provide any other explanations for the discrepancies, but it does highlight a unique cybersecurity concern that has surfaced recently: threat actors manipulating stolen data in order to increase the fallout from a breach.

A History of Fake and Exaggerated Breaches

Hackers have a long history of re-purposing data in order to claim new attacks.

Just last week the actor known as Guccifer 2.0 posted a dump of data allegedly stolen from the Clinton Foundation, claiming that “it was just a matter of time to gain access to the Clinton Foundation server.” However, a variety of news outlets have since reported the data appears to be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee — not the Clinton Foundation. Prior to that there was a Pastebin post alleging a “full database leak” at cryptocurrency exchange Poloniex. Once again, the company was quick to dispute the claim, posting on social media that the data was actually from another company’s breach a year prior.

Claims of fake or exaggerated data breaches are troublesome for organizations, but they’re not as insidious as the manipulation of legitimate data.

“Imagine trying to explain to the press, eager to publish the worst of the details in [leaked] documents, that everything is accurate except this particular email. Or that particular memo,” security blogger Bruce Schneier wrote last month. “It would be impossible. Who would believe you? No one.”

WikiLeaks, Sputnik News and Donald Trump

An example of this potential issue was highlighted yesterday through a combination of WikiLeaks, Russia’s Sputnik News, and Donald Trump. On Monday morning, WikiLeaks released 2,000 emails that appear to be from the account of Hillary Clinton’s campaign chairman, John Podesta. One of those emails was from Clinton ally Sidney Blumenthal and contained a Newsweek article about the Benghazi hearings. Sputnik News then incorrectly reported on the email — either intentionally or as a result of sloppy journalism — quoting the Newsweek article email as if it were Blumenthal’s own thoughts on the subject. Hours later, Donald Trump quoted that false Sputnik News article at a rally in Wilkes Barre, Pennsylvania, telling the crowd that Blumenthal said the “attack was almost certainly preventable” and that Blumenthal was “now admitting they could have done something about Benghazi.”

That falsehood could be the result of the miscommunication inherent in a game of telephone — from Podesta’s email to WikiLeaks to Sputnik News to Donald Trump to the booing crowd — or it could be, as the author of the original Newsweek article suggested, an intentional effort from Russia.

This is not funny. It is terrifying. The Russians engage in a sloppy disinformation effort and, before the day is out, the Republican nominee for president is standing on a stage reciting the manufactured story as truth. How did this happen? …

The Russians have been obtaining American emails and now are presenting complete misrepresentations of them—falsifying them—in hopes of setting off a cascade of events that might change the outcome of the presidential election.

It was just last week that Congressman Adam Schiff put forth this very idea in The New York Times. Russia could take already-stolen emails, alter them, and give the impression that one of the presidential candidates had done something outrageous or illegal, potentially altering the election.

The Blumenthal story was quickly corrected by viewing the source email on WikiLeaks, but what if the source itself had been altered? In a dump of 2000 legitimate-looking emails, who would believe that one email or one line within an email was altered.

As Schneier wrote: “No one.”

Tactic Beyond Nation-States?

The examples cited above have been extremely high-profile events. Leaked data tied to the Olympics or a presidential race faces a far higher level of journalistic scrutiny than an ordinary dump of company documents, communications or other internal data. For those breached organizations, proving that leaked data was altered may be more difficult, and it may prove harder still to spread news of that proof without a media echo chamber to amplify that message.

While altering data may not be the most profitable avenue for cybercriminal groups, not all threat actors are concerned about profits. Hacktivists could alter data to create a scandal for political purposes. Malicious insiders may manipulate leaked communications to embarrass an executive or otherwise harm their organization. Competitors may tweak stolen documents to damage their rivals’ reputation and steal customers.

Even those motivated by profit may find ways to incorporate data alteration into their toolset. Data destruction has quickly become a common tag in SurfWatch Labs’ cyber threat intelligence data due to the surge in ransomware infections in recent years, and actors who are demanding tens or hundreds of thousand of dollars in extortion are likely to use every tool available to them to push organizations towards paying ransoms.

Many of the stories related to altered data currently revolve around nation-states, but like everything in cybersecurity, copycats can be expected if it proves to be a successful tactic. It’s just one more cyber risk facing organizations — and one more reason to prioritize keeping your organization’s data safe from malicious actors.

Weekly Cyber Risk Roundup: Internet of Things Sparks Security Concerns

There has been growing concern around distributed denial-of-service (DDoS) attacks this week as the source code for the Internet-of-Things (IoT) driven botnet “Mirai” has been publicly released by a user on Hackforums. The Mirai botnet has been tied to the recent massive DDoS attack against Brian Krebs website and is made up of a growing number of Internet-connected devices.

The botnet includes a variety of compromised home and small office items such as routers, DVRs and security cameras – many of which use default usernames and passwords. The IoT devices are aimed at users often more concerned about convenience than security, and as Brian Krebs pointed out, even if users do take steps to secure devices by changing default credentials the malware may still spread.

Cybercriminal actors may use botnets like Marai to create more powerful DDoS attacks against industries that are traditionally vulnerable to extortion, such as gaming and ecommerce, but the Marai source code release also empowers actors looking to disrupt organizations for ideological or political reasons. For example, Newsweek alleged it was the victim of such an attack this week when its website was hit with a DDoS attack after publishing a story claiming that one of Donald Trump’s companies violated the Cuba trade embargo in 1998. In part due to that attack, consumer publishing was the most discussed industry group associated with cybercrime over the past seven days.

With Marai added to the growing list of free tools available to actors, expect to see more DDoS attacks like the ones against KrebsOnSecurity and Newsweek, which appear to be aimed at silencing or punishing critics.

Other trending cybercrime events from the week include:

Another week, another list of companies hit with ransomware: Cloud service provider VESK paid £18,600 after being infected with a new strain of the Samas DR ransomware. The New Jersey Spine Center paid an undisclosed amount after a July CryptoWall attack encrypted all electronic medical records and the most recent backup as well as disabled the phone system. The forest department of the state government of Kerala in India was infected with ransomware known as RSA-4096. Urgent Care Clinic of Oxford is notifying patients that their data may have been compromised by what appears to be a ransomware attack. A “glitch” after a ransomware attack led the Marin Healthcare District and Prima Medical Foundation to notify more than 5,000 patients that some of their medical data has been lost, even though they paid the ransom.

Data exposed through mistakes and flaws: C&Z Tech Limited acknowledged that a database of more than 1.5 million user records was exposed online, but said that the leak was from a test database; however, ZDNet disputes that claim, writing that their own verification of the data found “no reason to believe that this is test or dummy data.” Census data on 96,000 employees of the Australian federal government was downloaded nearly 60 times before being removed from official websites. A vulnerability discovered in the Charter Communications website could have exposed the personal information of customers. Customers of Ottawa marijuana dispensary chain Magna Terra Health Services had their email addresses exposed when an employee sent an email with 470 of their customers cc’d.

Alleged political dumps, both old and new: A hacker who goes by the name Guccifer 2.0 published an 860-megabyte file of donor information allegedly stolen from the Clinton foundation servers; however, a variety of news outlets have reported that the data appears to actually be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee. Berat Albayrak, Turkey’s Energy Minister and son-in-law of President Erdoğan, is the week’s second highest trending new target (after Newsweek) on the heels of hacking group RedHack leaking 17 gigabytes of data, which the group said was stolen by discovering Albayrak’s mobile operating system, writing an exploit to steal his password, and gaining access to his iPad after several weeks of attempts.

More data breach announcements: Hutton Hotel is notifying customers of a payment card breach affecting guests who placed hotel reservations during the period from September 2012 to April 2015, as well as those who made purchases at the onsite food and beverage outlets from November 2015 to June 2016. Hackers gained access to computer systems at Wheeler & Egger, CPAs and used the information to fraudulently file 45 tax returns. Apria Healthcare, a provider of home respiratory services and other medical equipment, is notifying patients that an employee’s email account was compromised.

Out with the old hacktivists, in with the new: Federal authorities in Chicago have charged two suspected members of the hacking group Lizard squad for operating DDoS-for-hire websites. Although Lizard Squad has been quiet of late, other hacking groups continue to disrupt organizations. For example, OurMine defaced and deleted several articles on the BuzzFeed website in retaliation for a story claiming to have identified one of the group’s members as a Saudi teen called “Ahmad Makki.”

Insulin Pump Vulnerability and Other Advisories

The focus on IoT devices was prevalent throughout SurfWatch Labs’ data this week. In addition to all of the botnet-related discussion, Johnson & Johnson announced that a security vulnerability in its Animas OneTouch Ping insulin pump that could be exploited to overdose diabetic patients with insulin.

The Reuters story cited medical device experts who claim this is the first time a manufacturer has issued such a warning to patients about a cyber vulnerability in their devices; however, the company’s letter to patients described the risk as “extremely low.”

“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network,” the letter said.

The issue, which was discovered by Rapid7 researcher Jay Radcliffe, is that a hacker can spoof communications between a wireless remote control and the insulin pump since that communication is not encrypted. About 114,000 patients use the device in the United States and Canada.

The company said that if patients were concerned, they could stop potential attacks by discontinuing use of the wireless remote control and programming the pump to limit the maximum insulin dose. Johnson & Johnson said it first reviewed the vulnerability with the FDA, which issued draft guidance on managing cybersecurity vulnerabilities in medical devices in January.

Other noteworthy advisories and cybercrime news from the week include:

68 million stolen Dropbox credentials published online: The previously stolen database of more than 68 million user records has been published online by Thomas White on his I’m Cthulhu blog. Nearly half of the passwords are secured with the strong hashing function bcrypt, Motherboard wrote. The other half appear to use the older SHA-1 algorithm. The publication adds to the already massive list of now-public user credentials.

Vulnerability discovered in OpenJPEG: Cisco Talos researchers have disclosed a zero-day vulnerability in the jpeg2000 image file format parser as implemented in the OpenJpeg library. The vulnerability can lead to an attacker executing arbitrary code. “For a successful attack, the target user needs to open a malicious jpeg2000 file,” the researchers wrote. “The jpeg2000 image file format is mostly used for embedding images inside PDF documents and the OpenJpeg library is used by a number of popular PDF renderers making PDF documents a likely attack vector.”

Users report suspected malvertising on Spotify: Users of Spotify’s free desktop streaming service are reporting strange behavior that is suspected to be related to malvertising. “If you have Spotify Free open, it will launch – and keep on launching – the default internet browser on the computer to different kinds of malware/virus sites. Some of them do not even require user action to be able to cause harm,” wrote one user. “I have 3 different systems (computers) which are all clean and they are all doing this, all via Spotify – I am thinking it’s the Ads in Spotify Free. I hope this has been noticed and Spotify staff are fixing it – fast.”

TalkTalk fined £400,000 over data breach: The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to TalkTalk over a data breach that “could have been prevented if TalkTalk had taken basic steps to protect customers’ information.” In October 2015, a hacker used SQL injection to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In more than 15,000 cases, bank account details and sort codes were also compromised. “The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009,” the ICO said. “TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.”

SurfWatch Labs collected data on a variety of cybercrime advisories over the past week. Some of the trending practice tags associated with those advisories are shown in the chart below.

Stolen Data, Extortion and the Media: A Look at TheDarkOverlord

After making headlines by targeting a number of healthcare organizations over the summer, the cybercriminal actor known as TheDarkOverlord re-emerged last week with a new victim: California investment bank WestPark Capital.

As we noted in last week’s cyber risk roundup, the leak of documents from WestPark Capital is the first time SurfWatch threat analysts have observed TheDarkOverlord targeting the financials sector. The approximately 20 documents leaked so far — several of which have been confirmed to be legitimate by various news sources — include items such as non-disclosure agreements, meeting agendas, contracts and more.

“WestPark Capital is a ‘full service investment banking and securities brokerage firm’ whose CEO, Richard Rappaport, spat in our face after making our signature and quite frankly, handsome, business proposal and so our hand has been forced,” TheDarkOverlord wrote on Pastebin.

TheDarkOverlord ended its post by reiterating a simple message to current and future victims: “pay up.”

TheDarkOverlord’s Signature “Business Proposal”

Like previous attacks from TheDarkOverlord, it appears that the actor first tried to quietly extort the victim company with stolen data, and like previous victims, WestPark Capital refused to pay the ransom. As a result of non-payment, TheDarkOverlord published a portion of the stolen data. This publication may serve several purposes for TheDarkOverlord. First, it generates media attention around the breach that can be used to pressure WestPark Capital into paying the ransom before more damage is done. Second, and perhaps more importantly, it helps establish TheDarkOverlord as a credible threat when it comes time to extort the next victim.

This tactic was noted by SurfWatch threat analysts back in July, when TheDarkOverlord’s targeting of healthcare organizations pushed the actor into the spotlight.

healthcare_database_cropped — TheDarkOverlord posted several stolen healthcare databases for sale on TheRealDeal Market this summer. The largest set of data was listed at 750 bitcoin, or nearly half a million dollars.

“There is suspicion that TheDarkOverlord is using the media to apply pressure to breached organizations to pay the actor’s extortion threats,” SurfWatch Labs wrote in a customer alert. “It is a plausible scenario that the actor’s true monetary motivation is to receive payment from breached organizations rather than sell the data openly on the Dark Web, especially at the high price the actor has set, which insinuates that the advertisements are primarily meant as a marketing tool.”

TheDarkOverlord has been particularly adept at generating media attention through a combination of high initial prices on the stolen data, leaking portions of that data, and being available to various news outlets in order to push the actor’s extortion agenda.

For example, one of the first databases the group put up for sale belonged to a healthcare organization in Farmington, Missouri. Several days later, after several news stories had identified the name of that organization as Midwest Orthopedic Clinton, TheDarkOverlord took to publicly shaming the victim.

“[Owner] Scott a. Vanness should have just paid up to prevent this leak from happening,” TheDarkOverlord told The Bitcoin News. “He can still salvage the rest of the records and save himself from other things that we have made him aware of.” When asked if there would be more data leaked from other companies, the contact wrote back, “If they do not pay yes.”

That message is similar to statements made recently towards WestPark Capital — essentially, pay the extortion or face further leaks and public shaming.

It’s unclear if any previous organizations have paid ransom demands to TheDarkOverlord, but the actor’s statements often appear aimed at addressing future victims.

For example, TheDarkOverlord warned companies in June via DeepDotWeb, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” In addition, TheDarkOverlord told Motherboard that the ransom would be “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims.”

Who is the TheDarkOverlord?

TheDarkOverlord portrays itself as a group of hackers — frequently using “we” and “us” in its latest posting; however, TheDarkOverlord has on occasion implied that one person was behind the decision making, as the Motherboard quote above indicates. It’s unclear if TheDarkOverlord is a group of actors or if the language is just another attempt to build up TheDarkOverlord brand as a wide-reaching cyber threat.

thedarkoverlordpastebin — From TheDarkOverlord’s recent Pastebin post on WestPark Capital.

TheDarkOverlord did say that other hackers recently exploited the group’s name in a data breach at St. Francis Health System.

This isn’t surprising as copycat actors often use already-established cybercriminal names. For example, earlier this year a string of attacks used the Armada Collective’s name to successfully extort companies with the threat of DDoS attacks. Actors looking to extort companies can leverage the well-known TheDarkOverlord name to make the threat appear more credible.

thedarkoverlordnote — Statement from alleged copycat actors, as shown on databreaches.net.

“Although we applaud the individuals for their successful breach (despite how boring SQL injection and the acquisition of non-PII data is) and clever act of pinning this against us, we do not appreciate the unauthorised use of our name,” TheDarkOverlord wrote. “Unlike some laughable and inadequate actors, we are not an ‘idea’ or a ‘collective’ and as such, one shouldn’t operate under our name in order to uphold one simple and easy to follow concept: Honour Among Thieves.”

TheDarkOverlord does have an interesting approach to extorting companies. Unlike the former Armada Collective’s DDoS attacks or the ongoing surge of ransomware attacks — which actually disrupts service and prevents customers or employees from accessing resources — TheDarkOverlord has relied on a more traditional blackmail approach of causing damage via stolen and leaked data.

At the moment it is unclear how successful that approach is when compared to more disruptive attacks, but if the group and its copycats continue to leverage this approach, one can assume that it must be a profitable avenue of attack.