Weekly Cyber Risk Roundup: Adult Friend Finder’s Massive Breach and Securing IoT Devices

Distributed denial-of-service (DDoS) attacks were once again among the most discussed cybercrime events of the week as discussion around the Marai botnet continued and a handful of Russian banks were targeted with attacks powered by compromised Internet-of-Things (IoT) devices. The week also saw one of the largest data breaches ever as the Adult Friend Network was hacked and the details of 412 million accounts were compromised.

2016-11-17_ITT.pngThe information compromised in the Adult Friend Finder hack dates back 20 years, according to LeakedSource, and includes email addresses, passwords stored in either plain visible format or SHA1, dates of last visits, browser information, IP addresses and site membership status. Accounts for a variety of sites were infected: 339 million Adult Friend Finder accounts, 62 millions Cams.com accounts, 7 million Penthouse.com accounts, 1.4 million Stripshow.com accounts and 1.1 million iCams.com accounts.

This is the second time Adult Friend Network has been hacked in 18 months. In May 2015 almost four million users had their personal details leaked by hackers.

It’s not clear who was ultimately behind the recent hack. A researcher going by the name revolver posted screenshots of a Local File Inclusion vulnerability being exploited on Adult Friend Finder in October and threatened to “leak everything,” but he said he was not behind the breach. Friend Finder Networks vice president and senior counsel, Diana Ballou did say that the company identified and fixed “a vulnerability that was related to the ability to access source code through an injection vulnerability.” The breach is the second largest of the year in terms of the number of customer accounts compromised — behind only Yahoo, which affected more half a billion accounts.

2016-11-17_groups

Other trending cybercrime events from the week include:

  • More large data breaches: Casino Rama Resort in Ontario recently announced the theft of a variety of data including IT information, financial reports, security incident reports, Casino Rama Resort email, patron credit inquiries, collection and debt information, vendor information, and contracts and employee information such as performance reviews, payroll data, terminations, social insurance numbers and dates of birth. A man hacked into the website of the Indian state of Kerala’s government’s civil supplies department, stole information on all of 8,022,360 of Kerala’s Public Distribution System beneficiaries and their family members, and then uploaded that information to Facebook. Recruitment firm Michael Page may have had as much as 30GB of data exposed when it was published to a publicly exposed website, according to researcher Troy Hunt. Hunt said multinational consulting and outsourcing firm Capgemini was behind the exposed data.
  • Retail woes both criminal and accidental: A&M has announced a payment card breach affecting customers who shopped at Annie Sez, Afaze, Mandee, Sirens and Urban Planet locations between November 2015 and August 2016. Australian discount department store Big W is apologizing to customers after a technical issue led to a small number of customers having the first stage of the online checkout process pre-populated with the personal information of another customer.
  • More ransomware attacks and payments: The office of Robert J. Magnon at Seguin Dermatology is informing patients of a September ransomware attack that likely accessed protected health information. The Lansing Board of Water & Light acknowledged it paid a $25,000 ransom after an employee opened an infected attachment and the resulting ransomware infection shut down the board’s accounting systems, email systems and phone lines.
  • Hacktivist attacks and sentences: A hacking group known as “Amn3s1a Team” claims to have stolen internal documents, source code and other information from the file-sharing site Mega.nz. ZDNet examined an 800-megabyte archive of source code — which appears to be related to its instant messenger service Megachat, the site’s Chrome browser extension, and a private RSA key. A 22-year-old Tennessee man and member of the NullCrew hacking collective has been sentenced to 45 months in prison for his role in hacking Bell Canada. Canadian prosecutors said the hackers exfiltrated million of files from Bell Canada, and the man posted about 12,700 customer logins and passwords and Tweeted a link to the data. A hacker going by the Twitter handle @CyberZeist announced that he had hacked the Windham County Sheriff’s Office, posted the stolen database on Pastebin, and was even offering to give away backdoor access.
  • Cybercrime goes virtual: A group of hackers wrote software that tricked Electronic Arts’ servers into thinking that thousands of FIFA soccer matches had been completed in order to “mine” FIFA coins, and that virtual currency was then sold via black market sites for millions of dollars in profits, according to a recently unsealed FBI indictment.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2016-11-17_ittnew

Cyber Risk Trends From the Past Week

For the second week in a row, most sectors saw a decline in their overall SurfWatch Labs’ cyber risk scores. The financials sector saw the biggest drop and is now at its lowest score of all of 2016 after steadily declining throughout October.

2016-11-17_risk

Much of the discussion around cyber risk over the past month has been focused on issues related to DDoS attacks and Internet-connected devices. The most discussed new cybercrime event of the past week, by far, was the DDoS attacks against at least five of Russia’s largest banks. Reports indicate that the attacks were carried out over a two-day period and generally lasted for one hour each, although one attack lasted for almost 12 hours. The attacks were powered by around 24,000 compromised IoT devices across 30 countries, and Sberbank said the attacks were among the most powerful the bank had seen.

The concern around IoT devices has also led the Department of Homeland Security to release its Strategic Principles for Securing the Internet of Things (IoT), which is designed as “a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services, and systems.” The document contains six principles that would “dramatically improve the the security posture of IoT,” and those principles are meant to be adapted and applied as needed.

In addition, the document outlines four key areas of effort going forward:

  1. Coordinate across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risks posed by IoT.
  2. Build awareness of risks associated with IoT across stakeholders.
  3. Identify and advance incentives for incorporating IoT security.
  4. Contribute to international standards development processes for IoT.

“We recognize the efforts underway by our colleagues at other federal agencies, and the work of private sector entities to advance architectures and institute practices to address the security of the IoT,” DHS wrote “This document is a first step to strengthen those efforts by articulating overarching security principles. But next steps will surely be required.”

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s