There has been growing concern around distributed denial-of-service (DDoS) attacks this week as the source code for the Internet-of-Things (IoT) driven botnet “Mirai” has been publicly released by a user on Hackforums. The Mirai botnet has been tied to the recent massive DDoS attack against Brian Krebs website and is made up of a growing number of Internet-connected devices.
The botnet includes a variety of compromised home and small office items such as routers, DVRs and security cameras – many of which use default usernames and passwords. The IoT devices are aimed at users often more concerned about convenience than security, and as Brian Krebs pointed out, even if users do take steps to secure devices by changing default credentials the malware may still spread.
Cybercriminal actors may use botnets like Marai to create more powerful DDoS attacks against industries that are traditionally vulnerable to extortion, such as gaming and ecommerce, but the Marai source code release also empowers actors looking to disrupt organizations for ideological or political reasons. For example, Newsweek alleged it was the victim of such an attack this week when its website was hit with a DDoS attack after publishing a story claiming that one of Donald Trump’s companies violated the Cuba trade embargo in 1998. In part due to that attack, consumer publishing was the most discussed industry group associated with cybercrime over the past seven days.
With Marai added to the growing list of free tools available to actors, expect to see more DDoS attacks like the ones against KrebsOnSecurity and Newsweek, which appear to be aimed at silencing or punishing critics.
Other trending cybercrime events from the week include:
- Another week, another list of companies hit with ransomware: Cloud service provider VESK paid £18,600 after being infected with a new strain of the Samas DR ransomware. The New Jersey Spine Center paid an undisclosed amount after a July CryptoWall attack encrypted all electronic medical records and the most recent backup as well as disabled the phone system. The forest department of the state government of Kerala in India was infected with ransomware known as RSA-4096. Urgent Care Clinic of Oxford is notifying patients that their data may have been compromised by what appears to be a ransomware attack. A “glitch” after a ransomware attack led the Marin Healthcare District and Prima Medical Foundation to notify more than 5,000 patients that some of their medical data has been lost, even though they paid the ransom.
- Data exposed through mistakes and flaws: C&Z Tech Limited acknowledged that a database of more than 1.5 million user records was exposed online, but said that the leak was from a test database; however, ZDNet disputes that claim, writing that their own verification of the data found “no reason to believe that this is test or dummy data.” Census data on 96,000 employees of the Australian federal government was downloaded nearly 60 times before being removed from official websites. A vulnerability discovered in the Charter Communications website could have exposed the personal information of customers. Customers of Ottawa marijuana dispensary chain Magna Terra Health Services had their email addresses exposed when an employee sent an email with 470 of their customers cc’d.
- Alleged political dumps, both old and new: A hacker who goes by the name Guccifer 2.0 published an 860-megabyte file of donor information allegedly stolen from the Clinton foundation servers; however, a variety of news outlets have reported that the data appears to actually be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee. Berat Albayrak, Turkey’s Energy Minister and son-in-law of President Erdoğan, is the week’s second highest trending new target (after Newsweek) on the heels of hacking group RedHack leaking 17 gigabytes of data, which the group said was stolen by discovering Albayrak’s mobile operating system, writing an exploit to steal his password, and gaining access to his iPad after several weeks of attempts.
- More data breach announcements: Hutton Hotel is notifying customers of a payment card breach affecting guests who placed hotel reservations during the period from September 2012 to April 2015, as well as those who made purchases at the onsite food and beverage outlets from November 2015 to June 2016. Hackers gained access to computer systems at Wheeler & Egger, CPAs and used the information to fraudulently file 45 tax returns. Apria Healthcare, a provider of home respiratory services and other medical equipment, is notifying patients that an employee’s email account was compromised.
- Out with the old hacktivists, in with the new: Federal authorities in Chicago have charged two suspected members of the hacking group Lizard squad for operating DDoS-for-hire websites. Although Lizard Squad has been quiet of late, other hacking groups continue to disrupt organizations. For example, OurMine defaced and deleted several articles on the BuzzFeed website in retaliation for a story claiming to have identified one of the group’s members as a Saudi teen called “Ahmad Makki.”
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Insulin Pump Vulnerability and Other Advisories
The focus on IoT devices was prevalent throughout SurfWatch Labs’ data this week. In addition to all of the botnet-related discussion, Johnson & Johnson announced that a security vulnerability in its Animas OneTouch Ping insulin pump that could be exploited to overdose diabetic patients with insulin.
The Reuters story cited medical device experts who claim this is the first time a manufacturer has issued such a warning to patients about a cyber vulnerability in their devices; however, the company’s letter to patients described the risk as “extremely low.”
“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network,” the letter said.
The issue, which was discovered by Rapid7 researcher Jay Radcliffe, is that a hacker can spoof communications between a wireless remote control and the insulin pump since that communication is not encrypted. About 114,000 patients use the device in the United States and Canada.
The company said that if patients were concerned, they could stop potential attacks by discontinuing use of the wireless remote control and programming the pump to limit the maximum insulin dose. Johnson & Johnson said it first reviewed the vulnerability with the FDA, which issued draft guidance on managing cybersecurity vulnerabilities in medical devices in January.
Other noteworthy advisories and cybercrime news from the week include:
- 68 million stolen Dropbox credentials published online: The previously stolen database of more than 68 million user records has been published online by Thomas White on his I’m Cthulhu blog. Nearly half of the passwords are secured with the strong hashing function bcrypt, Motherboard wrote. The other half appear to use the older SHA-1 algorithm. The publication adds to the already massive list of now-public user credentials.
- Vulnerability discovered in OpenJPEG: Cisco Talos researchers have disclosed a zero-day vulnerability in the jpeg2000 image file format parser as implemented in the OpenJpeg library. The vulnerability can lead to an attacker executing arbitrary code. “For a successful attack, the target user needs to open a malicious jpeg2000 file,” the researchers wrote. “The jpeg2000 image file format is mostly used for embedding images inside PDF documents and the OpenJpeg library is used by a number of popular PDF renderers making PDF documents a likely attack vector.”
- Users report suspected malvertising on Spotify: Users of Spotify’s free desktop streaming service are reporting strange behavior that is suspected to be related to malvertising. “If you have Spotify Free open, it will launch – and keep on launching – the default internet browser on the computer to different kinds of malware/virus sites. Some of them do not even require user action to be able to cause harm,” wrote one user. “I have 3 different systems (computers) which are all clean and they are all doing this, all via Spotify – I am thinking it’s the Ads in Spotify Free. I hope this has been noticed and Spotify staff are fixing it – fast.”
- TalkTalk fined £400,000 over data breach: The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to TalkTalk over a data breach that “could have been prevented if TalkTalk had taken basic steps to protect customers’ information.” In October 2015, a hacker used SQL injection to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In more than 15,000 cases, bank account details and sort codes were also compromised. “The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009,” the ICO said. “TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.”
SurfWatch Labs collected data on a variety of cybercrime advisories over the past week. Some of the trending practice tags associated with those advisories are shown in the chart below.