November 2016 – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Adult Friend Finder’s Massive Breach and Securing IoT Devices

Distributed denial-of-service (DDoS) attacks were once again among the most discussed cybercrime events of the week as discussion around the Marai botnet continued and a handful of Russian banks were targeted with attacks powered by compromised Internet-of-Things (IoT) devices. The week also saw one of the largest data breaches ever as the Adult Friend Network was hacked and the details of 412 million accounts were compromised.

The information compromised in the Adult Friend Finder hack dates back 20 years, according to LeakedSource, and includes email addresses, passwords stored in either plain visible format or SHA1, dates of last visits, browser information, IP addresses and site membership status. Accounts for a variety of sites were infected: 339 million Adult Friend Finder accounts, 62 millions Cams.com accounts, 7 million Penthouse.com accounts, 1.4 million Stripshow.com accounts and 1.1 million iCams.com accounts.

This is the second time Adult Friend Network has been hacked in 18 months. In May 2015 almost four million users had their personal details leaked by hackers.

It’s not clear who was ultimately behind the recent hack. A researcher going by the name revolver posted screenshots of a Local File Inclusion vulnerability being exploited on Adult Friend Finder in October and threatened to “leak everything,” but he said he was not behind the breach. Friend Finder Networks vice president and senior counsel, Diana Ballou did say that the company identified and fixed “a vulnerability that was related to the ability to access source code through an injection vulnerability.” The breach is the second largest of the year in terms of the number of customer accounts compromised — behind only Yahoo, which affected more half a billion accounts.

Other trending cybercrime events from the week include:

More large data breaches: Casino Rama Resort in Ontario recently announced the theft of a variety of data including IT information, financial reports, security incident reports, Casino Rama Resort email, patron credit inquiries, collection and debt information, vendor information, and contracts and employee information such as performance reviews, payroll data, terminations, social insurance numbers and dates of birth. A man hacked into the website of the Indian state of Kerala’s government’s civil supplies department, stole information on all of 8,022,360 of Kerala’s Public Distribution System beneficiaries and their family members, and then uploaded that information to Facebook. Recruitment firm Michael Page may have had as much as 30GB of data exposed when it was published to a publicly exposed website, according to researcher Troy Hunt. Hunt said multinational consulting and outsourcing firm Capgemini was behind the exposed data.

Retail woes both criminal and accidental: A&M has announced a payment card breach affecting customers who shopped at Annie Sez, Afaze, Mandee, Sirens and Urban Planet locations between November 2015 and August 2016. Australian discount department store Big W is apologizing to customers after a technical issue led to a small number of customers having the first stage of the online checkout process pre-populated with the personal information of another customer.

More ransomware attacks and payments: The office of Robert J. Magnon at Seguin Dermatology is informing patients of a September ransomware attack that likely accessed protected health information. The Lansing Board of Water & Light acknowledged it paid a $25,000 ransom after an employee opened an infected attachment and the resulting ransomware infection shut down the board’s accounting systems, email systems and phone lines.

Hacktivist attacks and sentences: A hacking group known as “Amn3s1a Team” claims to have stolen internal documents, source code and other information from the file-sharing site Mega.nz. ZDNet examined an 800-megabyte archive of source code — which appears to be related to its instant messenger service Megachat, the site’s Chrome browser extension, and a private RSA key. A 22-year-old Tennessee man and member of the NullCrew hacking collective has been sentenced to 45 months in prison for his role in hacking Bell Canada. Canadian prosecutors said the hackers exfiltrated million of files from Bell Canada, and the man posted about 12,700 customer logins and passwords and Tweeted a link to the data. A hacker going by the Twitter handle @CyberZeist announced that he had hacked the Windham County Sheriff’s Office, posted the stolen database on Pastebin, and was even offering to give away backdoor access.

Cybercrime goes virtual: A group of hackers wrote software that tricked Electronic Arts’ servers into thinking that thousands of FIFA soccer matches had been completed in order to “mine” FIFA coins, and that virtual currency was then sold via black market sites for millions of dollars in profits, according to a recently unsealed FBI indictment.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

For the second week in a row, most sectors saw a decline in their overall SurfWatch Labs’ cyber risk scores. The financials sector saw the biggest drop and is now at its lowest score of all of 2016 after steadily declining throughout October.

Much of the discussion around cyber risk over the past month has been focused on issues related to DDoS attacks and Internet-connected devices. The most discussed new cybercrime event of the past week, by far, was the DDoS attacks against at least five of Russia’s largest banks. Reports indicate that the attacks were carried out over a two-day period and generally lasted for one hour each, although one attack lasted for almost 12 hours. The attacks were powered by around 24,000 compromised IoT devices across 30 countries, and Sberbank said the attacks were among the most powerful the bank had seen.

The concern around IoT devices has also led the Department of Homeland Security to release its Strategic Principles for Securing the Internet of Things (IoT), which is designed as “a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services, and systems.” The document contains six principles that would “dramatically improve the the security posture of IoT,” and those principles are meant to be adapted and applied as needed.

In addition, the document outlines four key areas of effort going forward:

Coordinate across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risks posed by IoT.
Build awareness of risks associated with IoT across stakeholders.
Identify and advance incentives for incorporating IoT security.
Contribute to international standards development processes for IoT.

“We recognize the efforts underway by our colleagues at other federal agencies, and the work of private sector entities to advance architectures and institute practices to address the security of the IoT,” DHS wrote “This document is a first step to strengthen those efforts by articulating overarching security principles. But next steps will surely be required.”

Recent Campaigns Highlight Evolving Social Engineering Tactics

Over the past month, researchers have observed several new phishing campaigns that demonstrate a more sophisticated and targeted approach to social engineering by threat actors.

For example, on Monday Trustwave wrote about the Carbanak gang targeting the hospitality and restaurant sectors. The actors began the attack by using public tools such as LinkedIn to find the names of company department heads or other key employees. Then they called the organization’s customer service line and claim that they were having difficulties with the online registration system and ask to send the information via email. They would spend a significant amount of time on the phone with the employee — often dropping those researched names in order to build trust — until the employee eventually opened the malicious Word document attached in the email.

Finally, the organization would be infected with malware capable of stealing system information, taking desktop screenshots, and downloading additional tools such as point-of-sale malware.

Targeted Social Engineering Becomes Less Direct

Other threat actors are shifting towards similarly indirect paths of compromise — beginning their attacks with a message, or several messages, designed to build trust before attempting to cause harm. This is the case with recent business email compromise (BEC) scams, which the FBI has repeatedly warned is a growing problem for organizations.

“In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions,” SurfWatch Labs noted in a blog post about the FBI’s July alert. “The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.”

However, Symantec recently warned that BEC scams had shifted to a less urgent approach. Instead, most BEC scams now begin with a simple introductory message before requesting a fraudulent wire transfer, as this email exchange demonstrates:

An actor using an informal introduction before going on to a more traditional wire transfer request, as shown by Symantec.

In June, shortly before the FBI’s last BEC warning, just 20 percent of BEC emails began by inquiring about the recipient’s availability — with the rest directly requesting a wire transfer, according to Symantec. By October, 60 percent of the emails began with the more indirect approach of inquiring about the recipient’s availability.

A Look at SurfWatch Labs’ Threat Intelligence Data

Warnings of targeted attacks like the ones described above have led to spear phishing being the most common practice tag related to social engineering over the past 90 days, according to SurfWatch Labs’ data.

A wide variety of industry groups have been tied to spear phishing threats over the period. However, the most talked about cybercrime stories of the past month may have been the hacking and publication of emails from the Democratic National Committee and Hillary Clinton’s campaign chairman John Podesta, as well as what role those breaches had in shaping the recent US presidential election.

In those cases, the leaks have been tied to spear phishing emails from Russian hacking group Fancy Bear, one of the most prominent hacking groups related to spear phishing over the past 90 days, behind only Peter Romar, a 37-year-old Syrian national who recently pled guilty to his role in the Syrian Electronic Army.

Those Fancy Bear attacks used a particular tactic: the use of shortened URLs. As Esquire’s Thoma Rid wrote explained, those shortened URLs both tricked users into clicking malicious links at an alarming rate and, ultimately, helped researchers uncover the actors behind those targeted attacks:

To manage so many short URLs, Fancy Bear had created an automated system that used a popular link-shortening service called Bitly. The spear-phishing emails worked well—one in seven victims revealed their passwords—but the hackers forgot to set two of their Bitly accounts to “private.” … Between October 2015 and May 2016, the hacking group used nine thousand links to attack about four thousand Gmail accounts, including targets in Ukraine, the Baltics, the United States, China, and Iran. … Among the group’s recent breaches were the German parliament, the Italian military, the Saudi foreign ministry, the email accounts of Philip Breedlove, Colin Powell, and John Podesta—Hillary Clinton’s campaign chairman—and, of course, the DNC.

These breaches highlight some of the ways in which social engineering has continued to affect organizations across all sectors and how new techniques are incorporated in order to make it harder for individuals to detect suspicious activity.

That’s why training and awareness is often touted as the most important and cost effective step in combating social engineering, as we noted in a prior social engineering blog. Having the proper tools and training, along with up-to-date threat intelligence to inform them of the latest threats, can help organizations and their employees provide a better front line of defense against the evolving techniques used by threat actors.

Weekly Cyber Risk Roundup: Services Get Disrupted and Hacking Elections

Distributed denial-of-service (DDoS) attacks and other incidents leading to service interruption have been widely discussed in the cybersecurity community ever since the October attack against DNS provider Dyn. This past week saw Marai-driven attacks that reportedly knocked out Internet access for the entire county of Liberia; however, security researchers such as Brian Krebs noted that those news articles may have exaggerated the facts as there is little evidence “anything close to a country-wide outage” occurred as a result of the attack.

“While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to [substantiate] that,” Daniel Brewer, general manager for the Cable Consortium of Liberia, told Krebs.

Nevertheless, concerns around DDoS attacks remain high, and some have speculated that the attacks against Liberia and others may be test runs for a larger attack in the future.

In other service interruption news, two apartment buildings located in Lappeenranta, Finland, and managed by facilities services company Valtia had the systems that controlled central heating and warm water circulation disabled by a DDoS attack. The systems tried rebooting the main control circuit in response to the attack, the CEO of Valtia said, and this was repeated in an endless loop resulting in the heat not working for the properties. Also, a unspecified malware infection caused three UK hospitals to cancel operations, outpatient appointments and diagnostic procedures for three days while staff access to patient records was restored. According to The Sun, approximately 3,300 patients at hospitals in Grimsby, Scunthorpe and Goole were affected. The attacks led to a high-severity alert being issued to National Health Service providers reminding “all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”

Other trending cybercrime events from the week include:

Fraud and financial loss continue: Tesco Bank said the widespread criminal activity that led to the halting of online transactions has been narrowed down to £2.5 million in losses across 9,000 accounts – a drop from the 20,000 accounts previously reported. Sentinel Hotel is notifying customers of a breach after reports of unauthorized charges on guests payment cards led to the discovery of malware on a point-of-sale terminal. City of El Paso officials revealed the city was scammed out of more than $3 million via a phishing attack. The city has recovered about half of the money. A ransomware infection recently locked up several government systems in Madison County, Indiana, and county commissioners voted to pay the extortion demands in order to regain control of those systems.

Poor security leads to potential breaches: Researchers discovered that 128 car dealership systems were being backed up to a central location without any encryption or security, potentially exposing the personal information of both customers and employees. Cisco is warning job applicants that information on the Cisco Professional Careers mobile website may have been exposed as a result of an incorrect security setting following system maintenance. Newfoundland and Labrador’s privacy commissioner is ordering Eastern Health to examine controls around employees logging out of accounts after an incident in which a doctor failed to log out of Meditech patient information software and patient information was accessed and printed by an unknown person.

More breaches and data dumps: Two hackers claim to have used SQL injection to steal personal information from seven Indian High Commission websites and published the stolen databases in a Pastebin post. Anonymous Italia has defaced several police websites and leaked 70 megabytes of data presumably stolen from the databases of the Sindacato Autonomo Polizia Penitenziaria’s blog and its official monthly magazine. Integrity Transitional Hospital, based in Texas, recently reported a health data hacking incident that potentially affects the information of more than 29,000 patients.

Cybercrime leads to arrests: A man has been arrested for compromising more than a thousand university email accounts and then using that access to further compromise other social media and online accounts. The man allegedly accessed one university’s password reset utility approximately 18,640 different times between October 2015 and September 2016 and successfully changed the passwords for 1,035 unique accounts. An employee of Lex Autolease Limited pleaded guilty to selling the personal information of hundreds of customers to a third party. A 19-year old hacker plead guilty to creating and running the Titanium Stresser booter service, which has been used in more than 1.7 million DDoS attacks worldwide.

Cyber Risk Trends From the Past Week

Most industry sectors saw a slight decline in their SurfWatch Labs’ cyber risk scores this week. The biggest story of late, naturally, was the U.S. presidential election, and now that it is over, pundits from both sides are reflecting on how their candidates managed to win or lose the race. That examination includes the role that cybersecurity, hacking and data leaks may have played in the outcome.

In fact, back in August we posed that very question: would 2016 be the first presidential campaign ultimately swung by information obtained in a data breach? The answer remains uncertain. What is certain is that cyber-issues were put front-and-center in a way we have never seen in any other presidential election.

For example, in the days leading up to the election, WikiLeaks published 8,000 more leaked emails from the Democratic National Committee, dubbed #DNCLeak2. That dump came after a previous release of 20,000 emails from the DNC as well as 50,000 emails from Hillary Clinton aide John Podesta. The effect of those stolen emails being steadily leaked — and other cyber-issues such as Clinton’s personal email server — may be impossible to quantify, but they likely contributed in some way to nearly 60 percent of voters who perceived Clinton as a dishonest and untrustworthy candidate.

WikiLeaks founder Julian Assange wrote an election day post defending his actions and stating that publishing the stolen emails was not an attempt to influence the outcome of the election.

“We publish material given to us if it is of political, diplomatic, historical or ethical importance and which has not been published elsewhere,” Assange wrote. “At the same time, we cannot publish what we do not have. To date, we have not received information on Donald Trump’s campaign, or Jill Stein’s campaign, or Gary Johnson’s campaign or any of the other candidates that fulfills our stated editorial criteria.”

Clearly, Assange is saying if WikiLeaks did have information on other political candidates then that information would be made public as well — as it has in the past with the release hundreds of thousands of emails related to the government of Turkey. WikiLeaks claims to be non-partisan, but other threat actors do have a biased agenda and those actors are likely to be emboldened by the success of this year’s election-related hacks.

As Wired wrote: “For Russia, [Trump’s win] will also be taken as a win for the chaos-injecting tactics of political hacks and leaks that the country’s operatives used to meddle in America’s election — and an incentive to try them elsewhere. … That Russia perceives those operations as successful, experts say, will only encourage similar hacks aimed at shifting elections and sowing distrust of political processes in Western democracies, particularly those in Europe.”

Those efforts are already underway, researchers have noted, with at least a dozen European organizations being targeted by groups linked to the Russian state since that hacks against the DNC. Whether this election was ultimately swayed by breaches and other cyber-issues may be up for debate, but what is clear is that political and advocacy organizations are actively being targeted and that threat actors will likely try to influence future elections across the globe to align with their goals.

Controlling What You Can Control: Using the Threat Triangle to Gain Focus

With cyber-attacks on the rise and organizations looking for more effective ways to fend off malicious actors, cyber threat intelligence has emerged as a buzzword in cybersecurity. Unfortunately, some of the information being marketed as cyber threat intelligence isn’t backed up by much actual intelligence; rather, it’s just another threat feed to be added to the already large pile of data that needs to be evaluated.

Part of the problem with good threat intelligence, I recently wrote, is that it’s time consuming. Effective cyber threat intelligence shouldn’t just add to the ever-growing list of concerns facing your organization, it should provide actionable insight into how to best focus security resources to achieve solutions. Evaluating those specific threats, determining their relevance and coming up with practical solutions unique to your organization is hard work.

There are many ways to evaluate threats, but I tend to revert to my Navy training when thinking about the cybersecurity of our customers. Our rules of engagement dictated evaluating threats from three avenues: the capability, intent and opportunity to cause harm.

Taken individually, each has seen an overall increase over the past few years. Taken together, the add up to what Europol recently characterized as the relentless growth of cybercrime.

Let’s briefly take a look at each pillar:

Capability of Threat Actors: As SurfWatch Labs noted in its recent report, officials have estimated that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services can put sophisticated cybercrime tools at the fingertips of a vast pool of actors. Europol agreed, writing in its report that “the boundaries between cybercriminals, Advanced Persistent Threat (APT) style actors and other groups continue to blur.” Clearly the capability of threat actors continues to evolve, putting more organizations at higher risk.

Intent of Threat Actors: Cybercrime tends to be driven by either profit or the desire to cause harm to an organization. The growth of dark web marketplaces, the widespread adoption of successful tactics such as ransomware, and the increased focus on cybercrime by the media, government officials and regulators has widened actors’ abilities to monetize cybercrime and directly impact an organization’s brand and bottom line.

Opportunity for Threat Actors: A recent study found that 89 third-party vendors access a typical company’s IT system each week. In addition, the technology footprint of organizations continues to grow as more as-a-service solutions are implemented to increase productivity and more digital services are offered to customers. This provides threat actors with an expanding number of avenues that can be exploited — some of which are not directly under your control.

Despite this widely reported growth in the capability, intent and opportunity of threat actors, many individuals still feel as though they will never be targeted. A study released last month from the National Institute of Standards and Technology found that many people still hold the view that cybercrime will never happen to them and that data security is someone else’s responsibility. People feel overwhelmed by cyber threats, and as a result, they engage in risky behavior.

Simplifying Security, Control What You Can Control

The good news is that out of those three aspects used to evaluate cyber threats, organizations essentially have control over only one: opportunity. The capability and intent of threat actors are largely external to your organization; however, a real and measurable impact can be made when it comes to limiting the opportunities for cyber-attacks.

Unfortunately, many organizations have not done enough to close the opportunity window on cyber-attacks. That was a central theme of SurfWatch Labs mid-year report: despite claims of “sophisticated” attacks, the bulk of cybercrime observed has exploited well-known attack vectors. Europol’s September report also found that organizations were not helping themselves — in many cases providing ample opportunity for cybercriminals to exploit.

“A large part of the problem relates to poor digital security standards and practice by businesses and individuals,” Europol noted. “A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.”

This brings us back to the importance of evaluated cyber threat intelligence. Cyber threat intelligence should directly address that opportunity and provide solutions to close — or at least to severely limit — cybercriminal avenues of attack. What vulnerabilities are being actively exploited in your industry? What social engineering techniques are being leveraged in similar campaigns? How are threat actors monetizing the information and what is the potential impact if our organization faces a similar breach?

The answers to questions like these are a large part of the hard work that is the intelligence portion of cyber threat intelligence. Those answers can help to shine a light on paths that may significantly reduce your organization’s potential cyber risk.

Cyber threat intelligence, if done right, can help to limit the opportunity for threat actors to cause harm. This renders their capability less capable and their intent harder to pull off — at least against your organization.

Yahoo and Others Face Cybercrime-Related Brand Damage

A month after announcing one of the largest data breaches ever, Yahoo is continuing to deal with the subsequent fallout and reputation damage related to that massive cyber theft.

On September 22, Yahoo confirmed that information associated with at least 500 million user accounts was stolen. The day after that breach announcement, Yahoo saw a 474 percent rise in online mentions, according to social media monitoring company BrandWatch — 70 percent of which were negative. Since then there’s been an ongoing swirl of negativity surrounding Yahoo’s breach — from lawsuits to concerned regulators to potential lost users — and that has led to reports that Verizon may either push for as much as a $1 billion reduction in its pending $4.8 billion agreement to buy Yahoo or back out of the deal altogether.

The negativity around the Yahoo brand due to its breach poses a difficult-to-answer question: just how much damage does a cyber-attack actually have on the bottom line of a company?

Difficulty of Tracking Brand Damage

Tracking brand damage directly tied to a cyber incident is a difficult prospect; however, there does appear to be at least one correlation. A survey conducted by SANS for a December 2015 paper, Cleaning Up After a Breach Post-Breach Impact: A Cost Compendium, found that “the breaches receiving the most media attention also suffered the greatest loss in brand/reputation.”

Which comes first in that chicken-or-egg scenario is up for debate, but SurfWatch Labs’ data suggests that, for the most part, it’s the scope and potential damage of breaches that drive the media coverage, not the other way around.

The Yahoo breach is one of the most talked about cybercrime events of the year.

A quick glance at the list of the year’s top trending cybercrime events, based on the number of CyberFacts collected by SurfWatch Labs, shows that the most-discussed targets generally line up with the most widespread and impactful breaches: the Philippines Commission on Elections, LinkedIn, the Democratic National Committee, Yahoo and, more recently, targets of major DDoS attacks.

Other High-Profile Incidents Damage Brands

Like Yahoo, Wells Fargo is dealing with similar ongoing brand issues after reports of employees fraudulently opening more than two million customer accounts dominated several news cycles last month. A survey of 1,500 bank customers by management consultancy firm cg42 found that negative perceptions of Wells Fargo had spiked from 15 percent before the scandal to 52 percent afterwards. Likewise, the number of prospects that were very or extremely likely to consider doing business with Wells Fargo has plummeted from 21 percent to just three percent.

“The short and medium term outlook for Wells Fargo is gloomy, and the fallout from the scandal will impact the bank’s bottom line for years to come,” the report stated.

Wells Fargo is attempting to stem the tide with a new advertising campaign that promises, among other things, to begin proactively notifying customers of new accounts that are opened in their names. That campaign follows the firing of thousands of employees and the resignation of CEO John Stumpf.

Similar resignations have followed other high-profile breaches this year, most notably the breach at the Democratic National Committee, which lead to the resignations of chairwoman Debbie Wasserman Schultz, chief executive Amy Dacey, chief financial officer Brad Marshall and communications director Luis Miranda.

The brand damage from a cyber-attack can also move down to the supply chain, as we noted last week with XiongMai Technologies, a Chinese electronic company that makes products used in many of the Internet-connected DVRs and cameras tied to the massive DDoS attacks against Krebs On Security, OVH and Dyn. XiongMai said on Monday that it would issue a recall of some of its U.S. products. That recall notice also threatened legal action against individuals and organizations who “defame” the company with “false statements,” but the threat of legal action has been described by some as simply a face-saving PR effort by a company that’s used to operating behind the scenes and selling its white-labeled products to other brands.

Extent of Yahoo Fallout Uncertain

If the Yahoo breach will have a direct impact on its acquisition by Verizon is yet to be seen. Verizon’s general counsel Craig Silliman told Reuters and other reporters two weeks ago that the incident could trigger a clause in the deal that says Verizon can withdraw if a new event “reasonably can be expected to have a material adverse effect on the business, assets, properties, results of operation or financial condition of the business.”

“I think we have a reasonable basis to believe right now that the impact is material and we’re looking to Yahoo to demonstrate to us the full impact,” Silliman said, adding that Verizon needed to obtain “significant information” before making a final decision.

Like cg42 noted about Wells Fargo, the effects of a major cyber incident can take years to fully play out, and even then, it can be difficult to attribute some of the years-long business trends directly back to one cybercrime event.

One takeaway worth noting is that many of the major cybercrime stories that remain in the spotlight each year contain a similar thread: the lack of proactively addressing cyber risk. That seemingly cavalier attitude around cybersecurity is frequently cited by both data breach litigation and government and private regulators — and it will often prolong the a negative story with hearings, lawsuits and a string of news stories that continue to cause brand damage long after the initial incident occurred.

Weekly Cyber Risk Roundup: Latest Breaches and Enhanced Security Standards

The massive distributed denial-of-service (DDoS) attack that disrupted websites and services on October 21 was the focal point of a large portion of cybercrime discussion last week. As we noted in a previous post, the attack against DNS provider Dyn has led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

According to some reports, the DDoS attack may have surpassed one terabyte per second of traffic; however, the latest analysis from Dyn indicates that the botnet behind the attack may have been much smaller than the initial reports of “millions.”

“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be,” wrote Scott Hilton, EVP of products at Dyn. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Other trending DDoS news includes the Syrian Cyber Army claiming responsibility for attacks against Belgian news organizations. The DDoS attacks made several news websites inaccessible or extremely slow, including De Standaard, Het Nieuwsblad, Gazet van Antwerpen, Het Belang van Limburg and RTFB. In another case of ideological hacktivism, Martin Gottesfeld, 32, was indicted for his role in DDoS attacks against Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network. Gottesfeld admitted to his involvement in #OpJustina in a written editorial, saying that the attack against BCH was designed to interfere with a fundraiser in order to cause maximum financial damage. Finally, The Guardian is reporting that financial institutions in London are stockpiling bitcoins in the event extortionists target them with powerful DDoS attacks.

Other trending cybercrime events from the week include:

Payment card breaches announced: Danish payment processor Nets is warning of a payment card breach that appears to be tied to a foreign-based Internet retailer and is advising banks to block up to 100,000 cards in order to prevent fraudulent transactions. A data breach at Hitachi Payment Services, which manages ATM network processing for Yes Bank, is suspected to be the cause of recent fraud that has led to banks in India either replacing or asking customers to change security codes on 3.25 million debit cards. A pro-Donald Trump super PAC known as Great America PAC has mistakenly published the credit card numbers and expiration dates of 49 donors. Last month the same super PAC exposed 336 donors’ email addresses and phone numbers.

Data breaches continue, both large and small: A Red Cross Blood Service database of 1.28 million donor records going back to 2010 was accidentally published to a webserver by a third-party contractor. A hacker known as Peace told Motherboard he hacked Adult FriendFinder and obtained a database of 73 million users, and another hacker known as Revolver or 1×0123 posted screenshots appearing to show he had access to the website’s infrastructure. A Ukrainian hacker group known as CyberJunta has released more than a gigabyte of emails stolen from the office of Russian politician Vladislav Surkov. Baystate Health is notifying about 13,000 patients that their personal information may have been compromised due to a phishing attack that was designed to look like an internal memo. Virgin Media potentially exposed the personal information of up to 50,000 people applying for jobs. Rocky Mountain Credit Union in Montana notified 135 of its members that their personal information may have been accidentally exposed due to an undisclosed security issue discovered on the website customers use to upload documents related to mortgage applications. The University of Santa Clara’s Office of Marketing and Communications had internal documents stolen and leaked to the student newspaper due to an employee leaving his or her username and password in plain site at a workstation.

Update on cybercrime charges and arrests: The Booz Allen Hamilton contractor who was arrested for the possession of classified NSA materials allegedly had documents dating back to 1996 that were marked either “secret” or “top secret,” according to recent court filings. In total, investigators have seized more than 50 terabytes of information and thousands of pages of documents. Celebgate hacker Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced to 18 months in prison for using phishing emails designed to steal Apple and Google credentials and then using those stolen credentials to hack into more than 100 accounts. Authorities said there is no evidence that Collins was responsible for the leak of nude celebrity photographs tied to the hack. Yevgeniy Nikulin, the Russian man who was arrested in connection with the 2012 LinkedIn breach, has also been indicted for his alleged role in the breaches at Dropbox and Formspring, according to documents unsealed on Friday.

Note: Dyn, by far the top trending new target, is not shown in the chart below in order to make the other targets more readable.

Cyber Risk Trends From the Past Week

The Financials sector’s cyber risk score peaked in early October, reaching its highest level since February 2016. Since then, it has steadily declined for most of the month — until the past week. This week’s rise in cyber risk score (+2.2%) was the biggest increase of any sector over the period.

Part of that may be tied to the recent payment card breaches highlighted above, which began at online retailers and other providers before moving to directly impact banks. For example, the chief executive of National Payments Corp of India said that the spike in reported fraud that led to advising banks to replace cards was tied to a possible compromise of one of the payment switch provider’s systems. Sources told Reuters that the issue stemmed from a breach in systems of Hitachi Payment Services, which is currently investigating the matter.

That interconnectivity of the Financials sector has led to concerns from government agencies, and the the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation recently issued a joint proposal on enhanced cyber risk management standards to address those concerns.

“Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the proposal stated. “The enhanced standards would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management.”

The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

According to the proposal, “The agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or ‘sector-critical standards,’ applying to those systems of covered entities that are critical to the financial sector.”

The enhanced standards would apply to certain entities with total consolidated assets of $50 billion or more on an enterprise-wide basis, they added. Comments on the proposal are open until January 17, 2017.