Weekly Cyber Risk Roundup: Unique Cyber-Attacks and Insider Theft

Yahoo remained as the top trending cybercrime target due to a data breach affecting more than a billion accounts. The breach is so large that regulators such as the FTC and SEC are facing uncharted territory when it comes to potential fines or other consequences related to the incident, Vice News reported.  

2016-12-23_ITT.pngLooking beyond the ongoing Yahoo story, there were several unique cybercrime-related events worth noting from the past week.

For starters, a data breach at Kia and Hyundai aided in the physical theft of dozens of cars, Israeli police said. Criminals were able to use the stolen data to make car keys for luxury cars and steal those cars directly from the owners’ homes. The three men who were arrested allegedly looked for the registration numbers on Kia and Hyundai models and then used those number along with stolen anti-theft protection numbers and other codes to make keys for each specific car. Once the keys were made they would visit the owners homes — the information was also in the stolen data — to steal the vehicles and then sell them on the Palestinian car market.

Another interesting story is the recent sudden shutdown of a power distribution station near Kiev, which left the northern part of the city without electricity. Vsevolod Kovalchuk, the acting chief director of Ukrenergo, told Reuters that the outage was likely due to an external cyber-attack. The outage amounted to 200 megawatts of capacity, which is about a fifth of Kiev’s nighttime energy consumption.

If definitively tied to a cyber actor, the incident would be the second time in a year that a Ukrainian power outage was attributed to a cyber-attack. The December 2015 outage at Prykarpattyaoblenergo has been frequently cited as the first power outage directly tied to a cyber-attack.


Other trending cybercrime events from the week include:

  • Education Information Compromised: Online learning platform Lynda.com is notifying its 9.5 million users of a data breach after a database was accessed that contained users’ contact information, learning data and courses viewed. The Columbia County School District in Georgia confirmed it was the victim of a data breach after an external actor accessed a server containing confidential employee information such as names, Social Security numbers and dates of birth. A malware infection at Summit Reinsurance Services may have compromised the information of 1,000 current and former employees at Black Hawk College, as well as those employees’ dependents. The University of Nebraska-Lincoln notified approximately 30,000 students that their names and ID numbers may have been compromised when a server hosting a math placement exam was breached.
  • More Healthcare Data Breaches: Community Health Plan of Washington is notifying 381,534 people that their information may have been compromised due to a vulnerability in the computer network of NTT Data, which provides the nonprofit with technical services. East Valley Community Health Center in California is notifying patients of a Troldesh/Shade ransomware infection on a server containing patient information. The server contained 65,000 insurance claims from the past six years, which included names, dates of birth, home addresses, medical record numbers, health diagnosis codes and insurance account numbers. A number of employees allegedly attempted to access the medical records of Kayne West during his recent week-long stay at the UCLA Medical Center.
  • OurMine Continues to Hijack Popular Accounts: The hacking group known as “OurMine” managed to hijack the Twitter accounts of both Netflix and Marvel on Wednesday. The group posted its usual message about how they were just testing security, along with their contact information.
  • DDoS Attacks Used to Protest New Law in Thailand: Thai government websites were hit with DDoS attacks in protest of a new law that restricts internet freedom. The websites of the Defense Ministry, Ministry of Digital Economy and Society, the Prime Minister’s Office, and the Office of the National Security Council were all targeted. In addition, a hacker going by the name “blackplans” posted screenshots of documents allegedly stolen from government websites.
  • Other breach announcements: A May 2016 phishing incident led to 108 employees of L.A. County handing over their email credentials, resulting in a data breach affecting 756,000 individuals. A hacker going by “1×0123” claims to have hacked PayAsUGym and is attempting to sell a database of information on 305,000 customers. A database backup from the forum of digital currency Ethereum was stolen after a malicious actor socially engineered access to a mobile phone number and gained access to accounts. About 350 Ameriprise clients had their investment portfolios exposed due to an advisor synchronizing data between between his home and work and neither drive requiring a password. The Bleacher Report announced a data breach affecting an unknown number of users who signed up for accounts on its website. The U.S. Election Assistance Commission (EAC) acknowledged a potential intrusion after a malicious actor was spotted selling information related to an unpatched SQL injection vulnerability.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

2016-12-23_riskSeveral stories from the past week once again highlighted the problem of malicious insiders stealing intellectual property and taking that stolen data directly to company rivals in order to give those rivals a leg up on the competition.

The first case involves India’s Quatrro Global Services, which recently filed a complaint with local police accusing two former employees of stealing a customer database and using that database to open a rival remote support company, MS Care Limited.

The employees left Quatrro Global Services in late 2014 and early 2015 and opened the rival company in January 2016. The complaint alleges the database was “used to derive unlawful commercial benefit by accessing our customers, leading to our commercial loss while gaining unauthorised access to our customer’s personal information, which could be used for unlawful purposes.”

A separate case involves David Kent, 41, who recently pleaded guilty to stealing more 500,000 user resumes from Rigzone.com, a company that he sold in 2010, and then using the stolen data to boost the membership of his new oil and gas networking website, Oilpro. According to the complaint, Rigzone’s database was hacked twice, and its members were subsequently solicited to join Oilpro. After building up the membership base in this manner, Kent then tried to sell the Oilpro website by stating that it had grown to 500,000 members through traditional marketing methods.

As SurfWatch Labs noted in October, insider threats are one of the most difficult challenges facing organizations. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year and that more than half of respondents believe that insider threats have become more frequent over the past year.

SurfWatch Labs data confirms those security professionals worry, having collected data on more than 240 industry targets publicly associated with the “insider activity” tag over the past year.

Cybersecurity Budgets: Does More Money Equal More Secure?

I’ve read report after report showing that security budgets were increasing, yet the number of breaches at companies of all sizes also continues to climb. This leads me to believe that somewhere there is a breakdown in how cybersecurity programs are being run — where allocating more spend and focus on cybersecurity oftentimes does NOT actually produce better outcomes.

There is an abundance of information out there that backs this up — this isn’t just me pontificating. Here are some highlights:

On security budgets increasing:

On cybersecurity issues increasing:

I think this can all be summed up best in a report by Morgan Stanley from this summer called Cyber Security: Time for a Paradigm Shift, where they stated:

“Companies are spending more to safeguard their digital assets, but cybercrimes are still growing in frequency and severity. What’s needed now isn’t more security, but better security.”

Now to be clear, this is not meant to serve as a doom and gloom piece. Certainly, there are pockets of goodness here and there and a lot of people are working hard on many good efforts, but holistically, the state of cyber security still has a long road ahead of it. And the question becomes how can we ensure that as we spend more effort and budget on cybersecurity, that we are at the very least impacting the cybersecurity outcome in a similar level of uptick?

I recognize that my own observation is just my perception, which is based on what I personally read and do each day. As such I wanted to get some additional input from my peers, so I did some crowdsourcing through LinkedIn:

We all see the news reports regarding how security budgets are increasing each year but yet for some reason nothing ever seems to get better. Why is that? I have my own specific thoughts on the question but wanted to share and see if anyone had an answer of their own.”

A wide range of opinions followed as to why cybersecurity continues to be a challenge and where we as a community need to focus our efforts.  The responses (summarized and paraphrased) to date have been interesting to say the least:

  • A handful of opinions appeared to point some attribution to cybersecurity vendors. My interpretation of those comments is that the vendor-driven FUD has generated a sense of urgency for organizations to purchase specific solutions and therefore fatten the vendor pockets — or at a minimum create a very complex marketplace which presents a challenge to those trying to navigate it.
  • Several opinions revolved around the idea that although budgets have risen, the volume and sophistication of threats are either out-pacing or out-maneuvering those security professionals who are trying bring more resources to bear.  
  • A handful of opinions appeared to state that security departments are underfunded and have an uphill battle for additional resources as security is generally viewed as a cost center as opposed to a revenue generator. Additionally, one individual stated that a potential area to look at is what budget is being used to cover past investments, therefore allowing fewer resources to be applied to emerging risks and in turn giving the appearance or possibility of a gap.
  • Poor leadership was mentioned several times, with comments stating that there are those that promote waste and will buy any new flashy thing that hits the street and that ensures that investments are not as strategic as touted to be.
  • I also had a few individuals who seem to disagree with the question and stated I was irresponsible or I was performing a disservice for even asking such a thing.  

The crux of all the input, with the exception of few outliers, revolves around a more simplified question of are we allocating “resources” to all the proper areas? Well, I think the answer to this really depends on your reality, which is ultimately your perception based on your experiences.

Everything you see or hear or experience in any way at all is specific to you. You create a universe by perceiving it, so everything in the universe you perceive is specific to you.” – Douglas Adams

I raise the perception/reality point to highlight that the responses to my Linkedin question are based on individuals’ experiences. Some folks have worked for or alongside poor leaders, have had poor experiences with vendors, or have had to do the budget defense drills. Some apparently don’t even see an issue and took offense to the question. These perceptions are also what drive a lot of these research reports that I listed above. Many of these are survey-based and while the survey structure and questions I am sure follow best practices for research processes, these surveys are being answered by people whose perceptions are their own reality.

My perception is based on my current role as head of the SurfWatch threat analyst team and from my previous role as CISO for a major transportation authority as well as a similar position for a DoD entity, where I tried to take an outcome-based model as much as reason dictates. Outcomes can be measured, they can be defended, and they can give you insight. Theoretically, if I apply more resources to a given defined problem the outcomes should change in some manner either good or bad. If the outcome does not change after putting more focus on that area, then I am going to start questioning a few things:

  1. Was the problem defined correctly?
  2. Was the problem measured correctly?
  3. Were the resources applied correctly?

Following these three key questions are a few more that hopefully prompt you to think about changing your perception/reality:

Problem Definition: The Art of The Plausible

  1. Do you use some type of analytical process to identify threats to your organization? And I don’t mean you base it off of news chatter, I mean you use a defined set of analytic inputs and analysis to determine what is true and what is not.
  2. If you have, have you analyzed what an actor’s capabilities and intentions are?
  3. If you do know what their capabilities and intentions are, have analyzed their tactics, techniques and procedures?

Problem Measurement: The Art of The Possible

  1. Have you observed using both internal and external data collection efforts any indications of previously defined threats or new undefined threats?
  2. What is your false positive rate for observing defined and undefined threats? Meaning you detected a threat, but investigation determined the threat to be untrue.
  3. What is your false negative rate? Meaning you did not detect a threat and post incident analysis determined the threat to be true.

Resources Applied To The Problem: The Art of Reality

  1. If you lead a cyber program, do you have a list of defined products and services that you deliver to the organization?
  2. Do you know what the exact budget allocation for labor and material is for every single one of those products and services?
  3. Have you defined policy, process and procedures for each one of those products and services?
  4. Can you identify what products and services specifically are applied to a defined threat?

The bottom line here is I believe that security spend is increasing and that many people and organizations are working hard and doing good things. But I also believe that we do not use intelligence enough to help define the problem area. If we can measure the problem, we know what resource to apply to it to change an outcome for the better. Instead, generally speaking we as a community deploy capabilities based on what we perceive to be the problem and hope that the outcome does not change for the worse.

As a former CISO, I have personally used intelligence-driven, analytical processes to identify what is true and then apply resources to address the “known knowns.” It takes diligence and determination, but by leveraging intel to drive our cybersecurity strategy, we can start to see a light at the end of what can be a long, dark tunnel.

Weekly Cyber Risk Roundup: Largest Breach Ever and Law Firm Lawsuits

On Wednesday, Yahoo announced a data breach that affects more than one billion user accounts. The intrusion, which Yahoo believes occurred in August 2013, comes just months after the company announced a separate breach involving “at least 500 million user accounts.” The new breach was discovered after law enforcement received Yahoo data from a third party. The compromised information includes names, email addresses, telephone numbers, dates of birth, MD5-hashed passwords, and some encrypted or unencrypted security questions and answers.

2016-12-16_ITT.pngAs The New York Times noted, the breach gives Yahoo the distinction of having the largest ever data breach – on two separate occasions.

It also appears that the intruders were able to use stolen source code to forge cookies, which allowed the malicious actors to gain access to some users’ accounts without needing a password.

Yahoo said those forged cookies have been invalidated, along with any unencrypted security questions and answers. Yahoo did not make clear how many unencrypted security questions and answers were stolen, but users who used those same questions and answers on other sites may face increased risk around those accounts being compromised in the future.

The newly announced breach has also led to more speculation about the potential impact on Yahoo’s pending $4.8 billion deal to be acquired by Verizon. Sources told Reuters that Verizon is looking for “major concessions” from Yahoo, and Verizon reiterated that it would “review the impact of this new development before reaching any final conclusions” about proceeding with the deal.

The incident may also have an affect on the size of Yahoo’s user base. Reuters reported that several cybersecurity experts and bodies such as Germany’s Federal Office for Information Security are now advising Yahoo users to consider abandoning the service for email providers that may be more secure.


Other trending cybercrime events from the week include:

  • Russian hacking put front-and-center: U.S. intelligence officials have “a high level of confidence” that Russian President Vladimir Putin was personally involved in the effort to interfere with the presidential election. Officials told ABC News that Russian hackers targeted as many as two email systems associated with the Republican National Committee, but the incidents didn’t raise the same level of concern as similar attacks against the DNC because the systems had long been unused. Germany’s domestic intelligence agency reported that Russia is trying to destabilize German society via targeted cyber-attacks against political parties and disinformation campaigns.  The head of the Swedish Military Intelligence and Security Service said that Russian hacking is a “serious threat” that may “influence democratic decision-making.”
  • Insiders cause more cyber headaches: The February 2016 theft at Bangladesh Bank was aided by five low to mid-level employees who were negligent and careless but not directly involved in the crime, according to a Bangladesh government-appointed panel. Hong Kong officials have arrested 29 current and former employees across five financial institutions for alleged bribery and sharing of confidential customer information. A two-year investigation found that lax privacy procedures at the Ohio Department of Rehabilitation and Correction contributed to a $422,000 scheme that used prisoners’ identities to apply for federal student loans. An employee of Banner Boswell Hospital in Arizona has been arrested for allegedly stealing patients’ credit card information and using that information to buy items online.
  • More DDoS attacks amid arrests: A series of DDoS attacks aimed at disrupting updates about the pro-Russian separatist conflict brought down the websites for Ukraine’s Finance Ministry and State Treasury. Nearly three dozen users of “booter” services were arrested in a global effort dubbed “Operation Tarpit,” a law enforcement campaign aimed at weakening demand for cybercrime-for-hire services and raising awareness of the risks of engaging in cybercrime.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

2016-12-16_riskThe past week saw several legal developments involving both past breaches and possible future lawsuits.

Ruby Corp, the operator of AshleyMadison, has agreed to pay $1.6 million to settle state and Federal Trade Commission charges related to its massive July 2015 data breach. The total fine was $17.5 million, but the remaining portion was suspended based on Ruby Corp.’s inability to pay.

“I recognize that it was a far lower number frankly than I would have liked,” FTC Chairwoman Edith Ramirez said on a conference call with reporters. “We want them to feel the pain. We don’t want them to profit from unlawful conduct. At the same time, we are not going to seek to put a company out of business.”

The settlement also requires the implementation of a comprehensive data-security program, including third-party assessments.

Another interesting story of note is a lawsuit that was recently filed against the Chicago-based law firm Johnson & Bell that alleges the firm failed to protect confidential customer information. According to the lawyer that filed the case, it is the first class action lawsuit against a law firm over inadequate data security measures. The same lawyer previously said he had identified a total of 15 firms lacking basic security measures that may be targeted by lawsuits, although the others have not yet been publicly named.

The Johnson & Bell lawsuit was filed back in April 2016; however, it only recently became public and moved to arbitration. Although the complaint does not claim that any data was actually stolen, it alleges that the firm put clients at risk due to using an out of date time-entry system, a VPN that was prone to man-in-the-middle attacks, and an email system that was vulnerable to the DROWN attack.

As SurfWatch Labs noted in our whitepaper, Flipping the Script: Law Firms Hunted by Cybercriminals, law firms are attractive targets for malicious actors as they often have weaker security than the clients they represent. Breaches may also be especially damaging for law offices as confidentiality is at the core of the legal process and law firms often have access to valuable data.

2017 Cyber Forecast: Blackmail Using Media and Sensitive Data Will Grow

The end of the year is drawing nearer, and with that comes a handful of traditions: family gatherings, eggnog by the fire, and everyone’s annual list of cybersecurity “predictions.” While it’s a bit semantic, I’m personally not a big fan of the term “predictions.” As someone who lives in the intel world, it’s more about looking at the data and making forecasts using probabilities. In all of the cyber threat intelligence that we provide our customers, we include a confidence level based on what we’re seeing and the probability of that threat impacting a specific customer.

I start out with the above just to level set the rest of this blog (and the next several blogs around 2017 cyber forecasts). When it comes to identifying trends and making a forecast on probability of what threats make waves in 2017, based on the success of ransomware attacks I have moderate confidence that we will see growth of more traditional extortion-related cybercrime.

SurfWatch Labs has seen a steady growth in the number of targets publicly associated with extortion, blackmail and ransoms over the past few years, and we expect that number to rise even higher in the coming year.

Extortion-related crimes are on the rise (note: 2H 2016 data includes intelligence collected through December 7).

One of the best and most recent examples of malicious actors using extortion is the hacking group known as TheDarkOverlord, which has breached, attempted to extort and then publicly shamed a variety of organizations over the second half of 2016.

The latest incident is the November breach of Gorilla Glue. TheDarkOverlord claimed to have stolen more than 500 GB of data, including research and development material, intellectual property, invoices and more. The group then offered Gorilla glue its signature “business proposition.” As we wrote in a SurfWatch Labs blog earlier this year, the proposition is simple: pay the blackmail or face further data leaks and public shaming. After what TheDarkOverlord described as “a moderate dispute” with Gorilla Glue over payment — we’re guessing Gorilla Glue refused to pay — TheDarkOverlord shared a 200 MB cache of files with the media to help spread the story.

The evolving use of the media is actually one of the more interesting tactics used by TheDarkOverlord and other successful extortion groups this past year. Extortionists have referenced news coverage in their demands, prompted users to research past victims, and impersonated cybercriminals with established media coverage — all in an effort to lend credibility to their threats.

For example, back in April CloudFlare reported that a group using the “Armada Collective” name was blackmailing businesses with an extortion email that read, in part:

We are Armada Collective.


Your network will be DDoS-ed starting [date] if you don’t pay protection fee – 10 Bitcoins @ [Bitcoin Address].

If you don’t pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

The link in the email led to a Google search of the group, allowing victims to quickly see that some security researchers had described Armada Collective as a “credible threat.” Except the attackers were not part the original Armada Collective. They were copycats simply exploiting the original group’s already established name. As CloudFlare later discovered, there was not “a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack.” Despite the lack of follow through, the group managed to extort hundreds of thousands of dollars from the victims.

Leveraging the media in that manner is something the SurfWatch analyst team has observed more frequently over the past year. However, news outlets and victims are starting to become more skeptical of claims. That’s one of the reasons threat actors such as TheDarkOverlord have evolved their tactics to establish a more direct and somewhat dysfunctional “relationship” with the media. Bloggers and news outlets get access to a direct source of stolen data that can help help generate headlines. Extortion groups receive the platform necessary to incite worry in the partners and consumers of the victim organization, adding pressure to pay extortion demands.

With cybercrime events seeing more mainstream coverage each year and extortion proven to be a successful, low-effort tactic, expect that dysfunctional relationship to continue to develop in the coming year. Extortion has proven particularly useful when it comes to the theft of sensitive customer data as it provides multiple additional ways for a threat actor to monetize information. If the victim organization doesn’t provide immediate compensation via an extortion payment, individual customers may then become targets of blackmail — sometimes years into the future.

Adultery site Ashley Madison announced its data breach in the summer of 2015, but individuals exposed in that breach were still being sent blackmail letters and emails nearly a year later. Some victims reported that when they didn’t pay, the blackmailers then followed through on their threats by sending letters about the individuals’ alleged infidelity to family, friends, and workplaces.

More recently, hackers stole customer information from Valartis Bank Liechtenstein and were reportedly threatening individual customers — including politicians, actors and high net worth individuals — that their personal information will be leaked if they do not pay 10 percent of their account balances in ransom.

These extortion and blackmail attempts are not nearly as prevalent as ransomware, but they follow the same principle of quick and easy monetization via the victims themselves. The past year has proven that the media can be successfully used as a tactic to better extort both organizations and individuals, particularly when it comes to sensitive information that may lead to brand damage or embarrassment. That trend will likely grow in 2017 as threat actors look to take advantage of every avenue when attempting to monetize future data breaches.

Weekly Cyber Risk Roundup: Another Botnet and the Gamification of Cybercrime

Botnets were once again front-and-center this past week as new developments were announced by security researchers, malicious actors and government officials.

2016-12-09_ITT.pngTo start, CloudFlare observed a ten-day long series of distributed denial-of-service (DDoS) attacks that have generated as much as 400 Gbps in traffic, sparking fears of yet another massive botnet that can disrupt organizations. The attacks “are not coming from the much talked about Mirai botnet,” the researchers wrote. “They are using different attack software and are sending very large L3/L4 floods aimed at the TCP protocol.”

Following that announcement, the hacker known as BestBuy, who had previously begun advertising a Marai-based DDoS service, claimed to have taken control of 3.2 million routers. He told Motherboard that a server he set up automatically connects to vulnerable routers and pushes a malicious firmware update to them. “They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” he said in an online chat. “Bots that cannot die until u throw device into the trash.”

If true, those developments are certainly worrisome for organizations like Deutsche Telecom, the UK Postal Office, TalkTalk, and Kcom ISP – all of which have seen customer outages due to attempted Marai infections – not to mention the businesses that may be targeted with DDoS attacks from all those compromised devices.

One piece of good news on the botnet front: the cybercriminal network known as Avalanche was dismantled in what authorities are describing as the largest-ever use of sinkholing to combat botnet infrastructures. Europol said that the four-year investigation with global partners resulted in over 800,000 domains being seized, sinkholed or blocked. Although exact calculations are difficult, monetary losses associated with attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide.


Other trending cybercrime events from the week include:

  • Massive thefts announced: Technical trade secrets were stolen from ThyssenKrupp, one of the world’s largest steel makers, in what the company described as a “massive cyber attack.” The theft occurred at the steel production and manufacturing plant design divisions, the company said. Two billion rubles ($31 million) was stolen from banking clients that hold accounts at Russia’s central bank, according to a bank spokesperson. The hackers attempted to steal approximately five billion rubles, but the bank managed to recover some of the money. Reuters reported that hackers broke into accounts at the bank by faking a client’s credentials, citing a report issued by the bank.
  • Ransomware updates: The ransomware attack that affected about 900 computers at the San Francisco Municipal Transportation Agency cost the agency an estimated $50,000 in lost fares due to passengers being unable to pay. Ransomware behind the infection that caused an NHS hospital trust to shut down systems and cancel 2,800 patient appointments in early November has been confirmed as Globe2. Allegheny County district attorney Stephen Zappala Jr. admitted that his office was hit in January 2015 and that the office paid nearly $1,400 in ransom. The announcement came after several victims of the Avalanche network were revealed via court documents.
  • Malicious insiders face consequences: A former computer support technician employed at Experian subsidiary Hotwire.com pleaded guilty to accessing the emails of executives and using that non-public information to illegally profit from trading Expedia stock. The man accessed documents and emails on the devices of the Chief Financial Officer and the Head of Investor Relations. A former employee of Internet service provider Pa Online was sentenced to 24 months in prison and ordered to pay $26,000 in restitution for hacking into Pa Online’s network after being fired and installing malware that caused files and directories to be erased and the network to crash.
  • Third-party breaches: More than 43,000 Indian patient pathology reports, including those of HIV patients, were left publicly exposed by Health Solutions. Security researcher Troy Hunt said the information is now removed from public view after a lengthy process to track down and motivate those behind the leak and that the incident appears to be the result of shockingly poor security. A breach of a contractor’s email account exposed the information of individuals who participated in the U.S. Olympic Committee’s 100-Days Out event in April 2016. Members of the Scotland Supporters Club were sent phishing emails from the Scottish Football Association’s official email account after a third-party email database was compromised.
  • Other data breaches: An Intranet server for South Korea’s cyber command was contaminated with malware, and the attack appears to have come from North Korea, the South Korean military said. An official said that some military documents had been hacked, including confidential information, but that they have yet to determine the full extent of the leak. Around 420,000 customers may have had their personal information leaked due to a data breach at an online store run by IPSA, a subsidiary of Japanese cosmetics maker Shiseido. A University of Wisconsin–Madison law school database was breached, resulting in 1,213 applicants having their names and Social Security numbers compromised.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week


One of the more interesting developments over the past week is the new tactics being used by malicious actors in order to spread malware and encourage cyber-attacks. For example, a new ransomware called “Popcorn Time” is encouraging victims to spread ransomware by offering them options when it comes to decrypting their files. They can go the usual route of paying the 1 bitcoin ransom, or they can go the “nasty way” and infect other users in order to avoid payment.


“Send the link below to other people, if two or more people will install this file and pay, we will decrypt your files for free,” the malware authors wrote. This is the first time SurfWatch Labs has observed ransomware developers using the tactic of leveraging victims in order to intentionally spread the malware.

Another interesting cybercriminal tactic is being used by a DDoS collaboration service called “Surface Defense.” A set of Turkish hackers is using gamification to encourage others to attack political organizations are not in line with Turkey’s government. They provide a point system for attacks, rewards that can be earned, and a live scoreboard. Rewards include cybercriminal tools such as click-fraud bots and the Sledgehammer DDoS tool. Two dozen organizations are being targeted by the gamified-DDoS service, including the German Christian Democratic Party, The People’s Democratic Party of Turkey, the Armenian Genocide Archive, and the Kurdistan Workers Party. Users can also suggest new targets.

Malicious actors are continuing to experiment with new ways to expand their reach. It is difficult to judge how successful these types of tactics will be, but expect other actors to incorporate similar features in the future if they are proven to be successful.

Weekly Cyber Risk Roundup: Shamoon is Back and Marai Problems Continue

The European Commission is the top trending cybercrime target over the past two weeks after experiencing a distributed denial-of-service attack (DDoS) that brought down Internet access for several hours over two separate periods, making it difficult for employees to work, a staff member told Politico.

2016-12-02_ITT.pngHowever, the most impactful event from the period is the campaign that targeted organizations in Saudi Arabia with the Shamoon malware and wiped the hard drives of thousands of computers. The campaign targeted six organizations, resulting in extensive damage at four of them. People familiar with the investigation told Bloomberg that thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation and that office operations came to a halt for several days after critical data was erased. Among the other targets were the Saudi Central Bank and several unnamed government agencies.

Saudi authorities said evidence suggests Iran is to blame. The attackers used the exact same Shamoon malware that hit Saudi Aramco in 2012 and destroyed 35,000 computers, according to people familiar with the investigation. Ars Technica noted that Shamoon attempts to spread across networks by turning on file sharing and attempting to connect to common network file shares. In addition, the attackers used stolen credentials hard-coded into the malware.

Shamoon is made up of three components. The dropper component determines whether to install a 32-bit or 64-bit version of the malware. The wiper component uses RawDisk, the same driver that was used against Sony Pictures in 2014. The communications component was not used in this attack as the malware was configured with the IP of


Other trending cybercrime events from the week include:

  • Another week of “oops” breaches: Security researcher Chris Vickery discovered a file repository for Allied-Horizontal exposed to the Internet and requiring no authentication that contained sensitive information related to explosives. Confidential police files on 54 terrorist cases were copied onto a staffer’s private storage device that was connected to the Internet without a password. The U.S. Department of Housing and Urban Development accidentally made the personal information of almost 600,000 individuals temporarily available to the public via its website.
  • Individuals and organizations face blackmail: Hackers have allegedly stolen data from Valartis Bank Liechtenstein and are threatening individual customers that they will leak their stolen information to financial authorities and the media if they do not pay ransom demands. The hacking group known as TheDarkOverlord said they gained access to Dropbox and email accounts for Gorilla Glue and stole 500 GB of information, including intellectual property and product designs. TheDarkOverlord said they offered the company “a handsome business proposition,” which is the group’s way of saying they demanded ransom.
  • Ransomware disrupts organizations: The computer systems of the San Francisco Municipal Transportation Agency were infected with ransomware, and the actor behind the attack demanded $73,000 in ransom. Passengers unable to pay fares due to locked machines were temporarily given free rides. Bigfork School District in Montana recently experienced a ransomware infection due to a malicious email attachment, but the district said it would not pay any ransom demands. Computers at Carleton University in Canada were infected with ransomware, bringing research to a halt. The attackers asked for around $39,000 to decrypt the data.
  • Business-to-business cybercrime: Gaming company Zynga is suing two former employees over the theft of “extremely sensitive” information, which was then allegedly taken to rival company Scopely. James Frazer-Mann, a 35-year-old former operator of Elite Loans, was sentenced by a UK court for hiring a hacker to DDoS his former company’s competitors and the website of the Consumer Action Group.
  • More data breaches announced: The Madison Square Garden Company announced a point-of-sale data breach affecting customers who used payment cards to purchase food and merchandise at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and Chicago Theater. The Navy was notified by Hewlett Packard that the names and Social Security numbers of more than 130,000 sailors were compromised. An unauthorized party gained access to a Michigan State University server containing personal information on 400,000 individuals, but only 449 of those records are confirmed to have been accessed. The hacker behind the data breach at Casino Rama has uploaded a five gigabyte file containing more than 14,000 documents to a torrent website. UK Telecom company Three announced a data breach after cybercriminals were able to gain access to its upgrade system using authorized logins.The sensitive personal information of 17,000 students was compromised in a data breach at Erasmus University in the Netherlands.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past two weeks. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Over the past two weeks, most industry sectors have seen an increase in their SurfWatch Labs’ cyber risk scores. The IT sector, once again, has the highest overall score. That is due, in part, to ongoing worry over DDoS attacks tied to Marai and other botnets compromised of Internet-of-Things devices.


Around 900,000 customers of Deutsche Telekom had their service disrupted due to external actors trying and failing to infect routers with malware, the company said. The attack caused crashes or restrictions on approximately four to five percent of all routers. Thousands of KCOM customers also lost their Internet access due to routers being targeted in a cyber-attack. KCOM issued a statement about the incident:

“We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network. The only affected router we have supplied to customers is the ZyXel AMG1302-T10B. The vast majority of our customers are now able to connect to and use their broadband service as usual.”

Researchers have identified other companies that use routers made by ZyXel and may be vulnerable to similar attacks, including Irish telecom operator Eir and Vodafone Group Plc in Britain.

Two hackers have since claimed credit for the attack against Deutsche Telekom and apologized for the outage. They were trying to enlist those routers in a growing Marai botent, which they claim is now the most powerful Marai-based botnet. One of the hackers told Motherboard the botnet included over a million devices; however, other researchers have estimated that number to be around 400,000.

The hackers, going by the name BestBuy and Popopret, are advertising a DDoS service powered by their new botnet with attacks allegedly ranging up to 700 Gbps.

Source: BleepingComputer

Popopret told BleepingComputer that the price for a two-week long attack using 50,000 bots — and an attack duration of one hour along with a 5-10 minute cooldown time between attacks — is approximately $3000-$4,000. BestBuy reported similarly high fees, telling Motherboard that a similar attack using 600,000 bots would cost $15,000-$20,000.

It is unclear exactly how many devices the group controls at the moment, but it is clear that various groups are competing to infect and retain control over a growing number of Internet-connected devices.

San Francisco Muni Refuses Extortion Demands, But Many Others Choose to Pay

The San Francisco Municipal Transportation Agency (SFMTA) is continuing to deal with the fallout from a Friday ransomware attack that affected 900 office computers and led to passengers getting free rides as ticket machines were taken offline. The agency has since restored systems from a backup, and fares have been running as normal since Sunday; however, the actor behind the attack is still threatening to release 30GB of data if the 100 bitcoin ransom ($75,000) is not paid by tomorrow.

The actor, going by the name Andy Saolis, has refused to provide media outlets with a sample of the stolen data in order to verify the alleged theft, and SFMTA said that its ongoing investigation has not discovered that any data exfiltration took place.

“[N]o data was accessed from any of our servers,” the agency said in a statement. “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”

Many Organizations Choose to Pay

While SFMTA has decided not to pay the ransom, other organizations targeted by the same threat actor have been successfully extorted. A security researcher who gained access to an email account used by Andy Saolis said that the hacker had extorted at least $140,000 in bitcoins from victim organizations over the past few months, including 63 bitcoins (around $45,000) from a U.S.-based manufacturing firm. The emails also show that this past Sunday another company, China Construction of America Inc., paid 24 Bitcoins (around $17,500) to decrypt 60 servers infected with the same strain of ransomware, known as HDDCryptor or Mamba.

In addition to the attacks described above, SurfWatch Labs has collected, evaluated and analyzed data pertaining to dozens of other targets associated with extortion over the past month.

Facebook is the top trending target tied to ransomware and extortion due to recent attacks known as ImageGate.

The top trending ransomware story over the past 30 days is the newly discovered attack vector known as ImageGate, which is infecting numerous users with Locky ransomware via Facebook and LinkedIn by exploiting a misconfiguration that forces victims to download a malicious image file. It’s unclear how many of those victims have paid the ransom, but a variety of other organizations have publicly confirmed making ransom payments recently:

  • The Lansing Board of Water & Light recently acknowledged it paid a $25,000 ransom after an employee opened an attachment that led to a ransomware.
  • A $28,000 ransom was paid after an infection locked up several government systems in Madison County, Indiana and the county’s insurance carrier advised payment.
  • The New Jersey Spine Center paid an undisclosed amount after CryptoWall encrypted all electronic medical records and the most recent system backup, as well as disabled the phone system.
  • Cloud service provider VESK said that it paid £18,600 after being infected with a strain of the Samas DR ransomware

Government Agencies Continue to Warn of Threat

Despite the many public incidents of late, the vast majority of ransomware attacks are believed to go unreported. That’s why in September the FBI urged victims to report infections regardless of the outcome. The FBI also warned of cybercriminals shifting tactics to target servers in order to receive larger ransoms.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

Tags such as HDDCryptor, Locky and unauthorized server access are trending in SurfWatch Labs’ data due to recent ransomware attacks.

In November, the Federal Trade Commission also warned organizations that it may investigate certain ransomware incidents.

“[I]n some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency,” wrote Ben Rossen, an attorney at the FTC. “Thus, a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.”

The Department of Health and Human Services issued a similar statement over the summer, warning that in most cases a ransomware infection would qualify as a reportable “breach”:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. …

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

As the FBI noted, new ransomware variants are emerging regularly and global ransomware infections continue to grow. Organizations need to ensure they have a plan in place to deal with this threat.

SurfWatch Labs’ Recommend Courses of Action

A large percentage of ransomware is spread via social engineering techniques; therefore, SurfWatch Labs advises customers that user education around tactics such as spear phishing is the best method to prevent these kinds of attacks. In addition, having data that is backed up and can be restored is often the quickest and cheapest way to get operations back up and running. Organizations should make regular backups that are not stored on local machines or connected through network shares.

Other ransomware prevention tips include:

  • Antimalware software configured to scan all email attachments will help catch most malicious attachments. All settings that allow the documents to download and open directly should also be disabled.
  • General users should be restricted from administrator-level permissions on their local machines, unless specifically required. Limiting this privilege could lessen the impact of ransomware.
  • The ‘vssadmin’ utility should be removed unless it is justifiably required to be on the system. This will not stop the encryption from occurring, but could assist with recovering key files from a machine that has been affected if the system’s shadow copy files are left intact.
  • It’s recommended that Remote Desktop Protocol (RDP) be disabled as this can exploited by certain ransomware types.
  • Since HDDCryptor creates a suspicious set of files, using Host Intrusion Prevention (HIPS) software can help detect this activity.
  • All Macros in MS Office programs should be disabled to ensure no accidental activation of an infected document. Users should be made aware not to activate macros on documents that are unverified.
  • When possible, segmenting networks by role and criticality may prevent the spread of the malware itself or limit the extent of the network is impacted when a device is compromised.
  • Keep operating systems, software, and antivirus protections patched and up to date.