Weekly Cyber Risk Roundup: DDoS Attacks Disrupt Services and SEC Probes Yahoo

A series of distributed denial-of-service (DDoS) attacks against financial institutions led to customers of Lloyds Banking Group experiencing intermittent outages over a 48-hour period and was the top trending cybercrime event over the past week.

The Guardian reported that the attacks hit Lloyds, Halifax and Bank of Scotland from January 11 to January 13. IBTimes reported that other unnamed lenders were targeted, but experienced no downtime. Motherboard spoke to a hacker who claimed to be behind the attack and allegedly tried to ransom Lloyds over the incident. However, Lloyds issued a statement saying it was able to provide normal service for “the vast majority” of customers and that “only a small number” experienced any issues during the attack.

In other DDoS news, the ticketing systems for the Sundance Film Festival were taken offline due to a cyber-attack on January 21. “We have been subject to a cyberattack that has shut down our box office,” the festival tweeted. “Our artist’s voices will be heard and the show will go on.” According to The Hollywood Reporter, “although the festival was able to get its ticketing systems back online within an hour of the Saturday breach, multiple other denial-of-service (DDoS) attacks on Sundance’s IT infrastructure followed.”

Finally, the Korea Internet & Security Agency recently issued a report echoing concerns shared by other security professionals, including SurfWatch Labs’ Adam Meyer: expect DDoS attacks leveraging Internet-of-Things devices to rise in 2017. South Korea has recently faced political turmoil, and in December the country’s Constitutional Court began its first hearings on the impeachment of President Park Geun-hye. The agency report predicted that DDoS attacks may occur against key government agencies and social infrastructure-related facilities with the goal of stirring the political and social instability brought on by the impeachment proceedings and potential upcoming election. According to SurfWatch Labs’ data, government was the third highest trending sector related to DDoS attacks in 2016, behind only information technology and consumer goods.


Other trending cybercrime events from the week include:

  • Another year of W-2 breaches begins: Approximately 1,400 Campbell County Health employees had their W-2 information stolen when an employee fell for a phishing email impersonating a hospital executive. Eight Missouri school districts were targeted with identical phishing messages impersonating the superintendent and requesting employee W-2 information, and an employee at the Odessa School District fell for the scam and forwarded the information. The Argyle Independent School District in Texas and the Tipton County School District also reported breaches due to similar phishing emails.
  • Media outlets hit with political attacks: The Twitter accounts of BBC Northampton and The New York Times video were both hijacked and used to spread fake messages saying that President Donald Trump was injured in the arm by gunfire at his inauguration and that Russia was planning to attack the U.S. with missiles. Crescent Hill Radio WCHQ said its FM feed was hacked and a song titled “Fuck Donald Trump” was played on repeat for 15 minutes before the station could shut down the broadcast.
  • Exposed databases reveal sensitive data: Security researchers have found nearly 400,000 audio recordings belonging to VICI Marketing exposed to the Internet, and as many as 17,649 of those recordings include customer payment card numbers and private customer information. The other 375,368 audio recordings are “cold calls,” some of which contain personal information. A misconfigured database used by The Candid Board, a subscription website dedicated to images and video of women who appear unaware they are being recorded, led to the leak of more than 178,000 members’ information. The source also said that he or she is in possession of “a large chunk of data from multiple boards operated by this group,” which IBTimes explained was in reference to another leaked database holding tens of thousands of records from a website called NonNudeGirls.
  • Arrests and charges: A former employee of a First Niagara call center admitted to using his position to steal callers’ personal information and then using that information to transfer $15,492.59 from customer accounts to his own. An IT worker employed by the New York Police Department accessed personnel files of police officers and then attempted to sell that information to an undercover informant. A 32-year-old Russian programmer suspected of developing the NeverQuest banking Trojan was arrested in Barcelona, according to Spanish authorities.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The fallout over two massive data breaches at Yahoo continued this past week as it was reported that the Securities and Exchange Commission (SEC) opened an investigation into the timeline of Yahoo’s data breach disclosure and that the sale of Yahoo’s main web operations to Verizon has been delayed until the next quarter.

Sources told The Wall Street Journal that the SEC issued a request for documents from Yahoo in December and is looking into whether Yahoo’s breach disclosures may have violated civil securities laws. The investigation will likely focus on Yahoo’s 2014 data breach affecting 500 million users, which was announced in September 2016. Yahoo is said to have linked the 2014 breach to state-sponsored actors two years before the public disclosure. In December 2016 Yahoo disclosed a separate breach affecting more than one billion users.

The SEC has never brought a case against a company for failing to disclose a data breach, the Wall Street Journal reported, but experts said the SEC has been looking for a case to clarify guidance issued in 2011. That guidance requires the disclosure of material information about cybersecurity risks and incidents if it could affect investors, but what is “material” is still a question – a question that this case may potentially help answer.

Those two data breaches have led to speculation over the past few months of how they may impact Verizon Communications’ acquisition of Yahoo, which was valued at $4.83 billion last July. Yahoo said it is “working expeditiously” to finish the deal; nevertheless, the sale has been pushed back until next quarter.

“Yahoo has been an interesting process,” Verizon Chief Financial Officer Matt Ellis said in an interview last Tuesday with Bloomberg. “There’s been good progress, but we are still awaiting the final reports and therefore we haven’t reached any conclusions yet.”

Weekly Cyber Risk Roundup: Ransomware Disrupts Organizations and Massive Data Leaks

Extortion is once again the top trending cybercrime issue as concern continues around the theft, destruction and blackmail related to thousands of insecure MongoDB, Elasticsearch, CouchDB and Hadoop Distributed File System installations. While those stories led much of the past week’s discussion, there was also a steady stream of reports of organizations being infected with ransomware.

The most impactful, publicly known ransomware attack of late involves the St. Louis Public Library. The attack hit 700 computers across all 17 of the library’s locations on Thursday, forcing the library to temporarily stop all book borrowing. A $35,000 ransom demand was made, but the library said it will wipe its computer system rather than pay. Checkout service was restored to all locations on Saturday, according to the St. Louis Post-Dispatch, and the library’s next priority is to restore service to the publicly available computers – although as of Sunday morning the library’s website stated that the “use of reservable computers is suspended.” A spokesperson said the criminals managed to infect a centralized computer server, which also disrupted the staff’s email system.

Other organizations to report disrupted services due to apparent ransomware attacks include Advanced Flexible Composites in Illinois, Valley Springs School District in Arkansas, and Kanawha County Schools in Virginia. Advanced Flexible Composites notified its customers that a January 17 hack of its computer system prevented the company from receiving emails and processing quote requests or orders. Not much information was provided about the attack; however, on the surface it sounds like a ransomware infection. Valley Springs School District’s superintendent said the school’s infection may lead to some information saved by teachers being lost, such as lesson plans, curriculum and tests. Kanawha County Schools said that it was able to restore internal documents after its incident but that its website would take longer to bring back online.

Finally, the Delaware Department of Insurance is investigating an incident involving a ransomware infection and the unauthorized access of customer data at Summit Reinsurance Services and BCS Financial Corporation.


Other trending cybercrime events from the week include:

  • New type of SWIFT attack: Malicious actors compromised the SWIFT systems of three Indian banks and created fake trade documents that may have been used to raise finance abroad or facilitate dealings in banned items. “There was fraudulent duplication of trade documents like letters of credit (LC) and guarantees which the hackers may have or planning to encash with some offshore banks,” a source told ET Tech. “It’s also possible that hackers did not present the fake LCs to raise funds but to carry out trade of prohibited or illegal commodities.”
  • Popeyes point-of-sale breach: Point-of-sale malware was discovered at the restaurant chain Popeyes, and customers who used their payment cards at one of 10 infected locations between May 5, 2016, and August 18, 2016, likely had their information stolen, the company said in a press release. The ten locations include seven in Texas, two in North Carolina, and one in Georgia.
  • More employee and third-party breaches: Police in the Netherlands are alerting 20,000 potential victims about a man who worked at various companies as a website builder and used his position to insert a special script that allowed him to steal usernames and passwords. Online fashion store Showpo is suing a former employee and an online retailer over allegations the graphic designer exported a database of 306,000 customers from MailChimp and passed the information along to online retailer Black Swallow. Customers of the Victorian Game Management Authority in Australia had their personal information potentially exposed when the authority accidentally sent customer data to eight individuals who were renewing their game license. A third-party advertiser that promotes Canada’s Grey Eagle Resort and Casino was hacked and fake text messages were sent to the casino’s VIP members telling them the casino “will be closed for the remainder of January due to infestation and rodent problems.”
  • Healthcare-related breaches: TheDarkOverlord said it stole data from Little Red Door Cancer Services of East Central Indiana and attempted to extort the organization by threatening to release the data. CoPilot Provider Support Services announced a breach affecting approximately 220,000 individuals due to a database being illegally accessed in October 2015. Sentara Healthcare is notifying 5,454 vascular and thoracic patients that their medical information was compromised due to a breach at an unnamed third party. The orthopedics practice at The University of Maryland Faculty Physicians Inc. is notifying 1,500 patients that their information may have been accessed when a physician assistant’s email account was hacked. Barts Health NHS Trust experienced a malware infection that led to taking numerous hard drives offline “as a precautionary measure” and using a manual backup for its computerized pathology results service.
  • Other announcements: Hackers targeted a laptop belonging to the special investigation team probing South Korean President Park Geun-hye’s political scandal. Current and former employees of Dracut Public Schools had their Social Security numbers and other personal information compromised due to an employee falling for a phishing attack. A Russian-language version of the series finale of Sherlock circulated online before the episode was broadcast. The forums of Clash of Clans developer Supercell and MrExcel, both of which use vBulletin, announced data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Security researchers frequently discover private data being exposed to the Internet due to technical errors such as poorly secured data backups, and this past week saw several new incidents along those lines.

Chris Vickery’s discovery of multiple misconfigured Rsync instances at Canadian ISP KWIC appears to be a truly massive potential breach, with CSO Online reporting that terabytes of information for all of its customers was exposed. The issue was fixed after the company was notified of the problem; however, it is unclear how long the information was available before the fix. The data exposed included credit card details, email addresses, passwords, names, home and business addresses, phone numbers, email backups, VPN details and credentials, internal KWIC backups, and more.

In last week’s roundup we noted that incorrectly configured databases exposed the data of 3.3 million Hello Kitty fans as well as thousands of patients of Canadian plastic surgery company SpaSurgica. The week before that, data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was exposed in a similar fashion. The week before that, data belonging to Ameriprise clients was exposed due to an advisor synchronizing data between his home and work drives, neither of which required a password.

This past week saw a similar story of a poorly configured backup drive. Interpreters Unlimited, a California-based translation and interpreter company, exposed thousands of sensitive documents due to an Internet-connected backup drive used by an IT manager that had no password protection and was online for four to six months. Files seen by ZDNet showed that the drive contained dozens of usernames, email addresses and passwords stored in plain text for the company’s infrastructure, including its website, hosted email and domain name servers, and remote desktop apps. The drive also contained the private data of clients and employees such as Social Security numbers and the amount of money translators earned.

The constant trickle of company, customer and employee data being leaked due to the poor practices of employees and partners should serve as a reminder for all organizations that data breaches often spring from mistakes made within the organization — not just external cybercriminals.

2017 Cyber Forecast: Threat Intel Will Play Major Role in Helping Organizations Manage Risk

There are a lot of cybersecurity trends to reflect on as we kick off the new year — the growth of ransomware and extortion, the emergence of IoT-powered botnets, the evolving cybercriminal landscape — but I believe the biggest risk trend to watch in 2017 may revolve around how organizations react to dealing with those new threats as their attack surface continues to expand.

The digital presence of many companies has extended on a variety of fronts, including social media, customer engagement, marketing, payment transactions, partners, suppliers and more. That increased exposure clearly has benefits for organizations. However, it also makes it difficult for organizations to track, evaluate and take action against the constant barrage of the growing threats — many of which are at least one step removed from the direct control of internal security teams.

That theme was evident in SurfWatch Labs’ new report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack. Our threat intelligence analysts have observed and evaluated data connected to hundreds of incidents that emanated from outside of organizations’ walls over the past year, including:

  • accidental exposure of sensitive data by third-party vendors
  • shoddy cybersecurity practices causing breaches at vendors that house organizations’ data
  • vulnerabilities in software libraries or other business tools being exploited to gain access to an organization
  • vendor access being compromised to steal sensitive data
  • credentials exposed in third-party breaches causing new data breaches due to password reuse

It’s clear that organizations are struggling with these expanding threats. Not only are organizations at risk from threats trying to break down their front door, those threats are increasingly coming through side doors, back doors, windows — any opening that provides the path of least resistance. For example, a 2016 survey of more than 600 decision makers found that an average of 89 vendors accessed a company’s network each week and that more than three-quarters of the respondents believed their company will experience a serious information breach within the next two years due to those third parties.

SurfWatch Labs’ annual cyber threat report echoed that concern, finding that the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“Cybercrime is increasingly interconnected, and issues at one organization quickly moved through the supply chain to impact connected organizations in 2016,” the report noted. “That interconnectedness is evident in the growing pool of already compromised information being leveraged by threat actors, the expanding number of compromised devices and avenues to exploit compromised data, and the way in which data breaches and discovered vulnerabilities ripple outwards – sometimes several layers deep through multiple vendors – to touch unexpecting organizations.”

That interconnectedness is pushing organizations to try to gain more context around the growing number of threats so they can better prioritize actions. As I wrote in a previous blog, organizations are spending more money than ever around cybersecurity, yet they are not necessarily becoming more secure.

Cyber threat intelligence can help to peel back that layer of uncertainty and guide those tough cybersecurity decisions by answering questions such as:

  • What is the biggest cyber threat facing my organization and what steps can be taken to mitigate that risk?
  • Which threats are active within my industry and impacting similar organizations?
  • Have any vendors or suppliers suffered a data breach that may impact my organization in the future?
  • Is any information related to my organization being sold on the dark web?
  • Is my organization at risk from employee credentials exposed via third-party breaches?
  • What new and old vulnerabilities are currently being exploited by threat actors?
  • And other questions unique to your organization …

That context is what many decision makers say is lacking within their own organizations. Going back to that 2016 survey of key decision makers — more than half of them believed that threats around vendor access were not taken seriously and almost three quarters believed that the process of selecting a third-party vendor may overlook key risks.

A smart and thoughtful approach to cybersecurity that provides the necessary context can help to both shine a light on those new risks and filter out the excess chatter so your organization can focus on practical and relevant solutions that have an immediate impact on your cyber risk.

Cyber threat intelligence came a long way in 2016, but many organizations remain overwhelmed by the number of cyber threats and are continuing to experience data breaches. Expect the use of relevant and practical cyber threat intelligence to see continued growth in 2017 as organizations move to address their blind spots and more effectively manage their cyber risk.

Weekly Cyber Risk Roundup: More Extortion and Marijuana Retailers’ Woes

Extortion continues to dominate the cybercrime headlines in 2017 with the week’s top two trending targets being the successful ransom at Los Angeles Valley College and continued extortion attempts around MongoDB databases.

It was less than a year ago that Hollywood Presbyterian Medical Center became a national news story by paying a $17,000 ransomware demand so that staff could regain access to infected computers. A year later those types of stories are no longer unique; they’re routine. Los Angeles Community College District’s recent decision to pay a $28,000 ransom after an infection “disrupted many computer, online, email and voice mail systems” is just the latest example.

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the district said in a FAQ, echoing the sentiments of many other organizations who’ve decided to pay ransoms. “The District has a cybersecurity insurance policy to address these specific types of cyber intrusions and it was activated during this incident. While much time will pass before this matter is resolved, we have already availed ourselves of the resources provided by the policy, including assistance of cybersecurity experts.”

In addition, the ongoing issue of insecure MongoDB databases being stolen, deleted and subsequently extorted continues to rack up thousands of new potential victims, including Princeton University. Researchers Victor Gevers and Niall Merrigan have been tracking the various victims and ransom demands as threat actors compete to have the most up-to-date ransom notes. The problem, Merrigan told KrebsOnSecurity, is that with so many actors the victims may not know who actually has the stolen data. Merrigan advises victims not to pay unless they have proof that the extortionists actually have the files being ransomed. Lastly, it appears some of those actors have now shifted towards Elasticsearch servers, with more than 3,000 victims as of Monday morning.


Other trending cybercrime events from the week include:

  • Another week of large-scale breaches: Mobile phone hacking company Cellebrite was breached and 900 GB of data was compromised, including customer information, databases and a vast amount of technical data regarding Cellebrite’s products. E-Sports Entertainment Association (ESEA) was hacked last December and a database containing information on 1.5 million players was stolen. The actor also attempted to extort the company for $100,000, but ESEA refused to pay. Three brokers who left the commercial real estate firm Avison Young used external hard drives to “downloaded massive amounts of data,” including client and financial information, market intelligence and strategic plans, according to a complaint filed by the firm.
  • More accidental data exposure: A MongoDB database belonging to Sanrio, the company behind Hello Kitty, was misconfigured and exposed to the public in 2015, and a copy of that database has recently surfaced online. Approximately 3.3 million Hello Kitty fans are affected, including 186,261 records related to individuals under the age of 18. Canadian plastic surgery company SpaSurgica exposed the detailed medical histories of thousands of patients due to an unprotected remote synchronization (rsync) service, according to MacKeeper researchers. The files contained medical histories, personal information, and intimate before and after pictures of breast augmentation and other surgeries. An email sent by Ball State University’s retention office to students on academic probation accidentally contained an Excel spreadsheet of 59 students on probation for the spring semester rather than the planned attachment about upcoming academic help sessions.
  • Cyber-attack leads to another blackout: The December 2016 blackout in Ukraine was due to a cyber-attack, and it is connected to a similar attack in 2015, as well as hacks at the national railway system, several government ministries and a national pension fund. The head of ISSP, a Ukrainian company investigating the incident, said that the recent attack against a Ukrainian utility was a “more complex” and “much better organized” version of the 2015 attack. He also said that the different cybercriminal groups that worked together appeared to be testing techniques that could be used elsewhere in the world.
  • Other breach announcements: Outdated data management software led to the leak of financial information for at least 2,000 Taipei City Government employees, city officials said. A November data breach at TwoPlusTwo poker forum exposed the personal information of its users, and the stolen data was subsequently offered for sale on the Internet. Fraudulent login attempts were made to Spreadshirt partner accounts using previously compromised credentials with the goal of redirecting payments by changing the Paypal payout address. Dozens of Israeli soldiers had their smartphones hacked by Hamas militants impersonating attractive women. Italian police have arrested two siblings for allegedly hacking into thousands of email accounts using a customized malware known as “EyePyramid” and then using the stolen information to make investments. The Susan M. Hughes Center recently notified HHS of an August ransomware infection that affected 11,400 patients’ information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

As SurfWatch Labs noted in its annual report, organizations are increasingly struggling with third-party and supply chain cybercrime.

This issue was highlighted once again this past week as a cyber-attack at MJ Freeway, a popular software platform used by marijuana retailers, disrupted operations at 1,000 retailers across 23 states. A full week after the initial attack the company is still working to restore some level of services to many of its clients. A full recovery may take several weeks, Jeannette Ward, director of data and marketing for MJ Freeway, told Marijuana Business Daily.

The motivations behind the attack are unclear, but the attack appears to be aimed at corrupting the company’s data, not stealing it.

“Attackers took down both MJ Freeway’s production and backup servers, causing an outage for all of our clients,” MJ Freeway CEO Amy Poinsett said in a video uploaded on Saturday. “Current analysis shows the attackers did not extract any client or patient data and did not view any patient data thanks to encryption measures we had in place.”

However, she added that “the damage from the attack is extensive” and the company is currently trying to call customers individually to move them to alternate MJ Freeway sites, which is taking more time than she would like. A number of stores had to temporarily close due to the outage, and those that remained open have had to deal with lengthy lines and customer complaints as manual transactions increased the time for each sale.

As SurfWatch Labs noted in its 2016 Cyber Trends Report, the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services,” the report stated. “Cybercrime is increasingly interconnected, and the effects of one data breach or cyber-attack are difficult to isolate and contain.”

That appears to be the case with MJ Freeway.

Organizations Struggle with Third Party and Supply Chain Cybercrime, Says New Report

The past year saw organizations struggle with third-party issues as malicious actors shifted their tactics towards weak points in the supply chain and exploited the interconnected nature of cybercrime, according to a new report from SurfWatch Labs.

“One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “The second half of 2016 saw the percentage of targets publicly associated with third-party cybercrime nearly double compared to the same period in 2015. It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

SurfWatch Labs’ annual threat intelligence report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack, was based on more than a hundred thousand CyberFacts collected against more than 6,000 targets – 4,066 targets publicly associated with cybercrime and an additional 2,395 observed being discussed on the dark web.

Cybercrime in 2016

SurfWatch Labs collected data on more than 6,000 targets associated with cybercrime in 2016.

Cybercrime is increasingly interconnected, the report noted, and the effects of a data breach or poor cyber hygiene at one organization often move through supply chains to impact other connected organizations. That was true when it came to the growing number of compromised Internet-of-Things devices, which we wrote about last week, and it was true for a number of other cybercrime events as well.

For example:

  • Previously stolen employee credentials were fed into remote access services in order to compromise new organizations.
  • Data stolen from one organization went on to have significant economic, political and reputational impact on other parties.
  • Threat actors used information obtained in previous attacks to establish trust and legitimacy in social engineering campaigns that led to new data breaches.
  • Those new data breaches, some of them truly massive, led to even more private information entering the public domain.

That ripple effect was evident in many of the year’s top trending data breaches.


Breaches at Yahoo, LinkedIn and others collectively accounted for well over two billion passwords being fully or partially exposed, as well as the exposure of some users’ security questions and answers. The massive breach at Panamanian law firm Mossack Fonseca led to ongoing international probes as well as the Prime Minister of Iceland stepping down. The breach at the Democratic National Committee took center stage on the campaign trail as leaked emails and other cybersecurity issues helped to shape, in part, who would be the next president of the United States.

“The amount of private data circulating among cybercriminal groups combined with an environment in which organizations are providing more points of access for customers and employees means that many organizations are more exposed than ever,” the report stated.

Key trends and statistics from SurfWatch Labs’ 2016 cybercrime data include:

  • More cybercrime tied to third parties: SurfWatch Labs analysts attribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services. That business model naturally extends an organization’s “level of presence” by sharing, or fully outsourcing, the creation and management of sensitive data, which increases the chance of a compromise.
  • Compromised credentials surged: The amount of publicly exposed user credentials grew significantly in 2016. SurfWatch Labs collected data on more than 1,100 organizations associated with the “credentials stolen/leaked” tag across both public and dark web sources in 2016, up from 828 in 2015.
  • Healthcare led the way for supply chain cybercrime: SurfWatch Labs collected data on more targets tied to third-party cybercrime in the healthcare facilities and services group than any other, although the numbers may be skewed by the stricter reporting requirements in that sector.
  • Infected IoT devices led to increased service interruption: Over the past two years, the “service interruption” tag has typically appeared in approximately 16% of the negative CyberFacts collected by SurfWatch Labs. However, that number jumped to more than 42% over the last half of the year due to growing concern around IoT-powered botnets such as Mirai.
To read the full, complimentary report, visit info.surfwatchlabs.com/reports/2016-cybercrime-trends-year-in-review. Join SurfWatch threat intelligence analysts for a webinar on January 11, 1pm ET for a discussion of the report findings.

Weekly Cyber Risk Roundup: Russian Hacking and New Extortion Campaigns

This week’s top trending cybercrime story is a hack that wasn’t: Vermont’s Burlington Electric Department. A December 30 Washington Post story falsely claimed that Russian threat actors had penetrated the U.S. power grid via the Vermont utility. That story has since been widely debunked, as the alleged international hacking incident was set off by a department employee simply checking his Yahoo email account. The employee’s actions triggered an alert, as it matched an IP address tied to indicators of compromise released by the Department of Homeland Security related to the alleged Russian hacking around the U.S. presidential election.

“We uploaded the indicators to our scanning system to look for the types of things specified,” Burlington Electric Department general manager Neale Lunderville told Fortune. “Then sometime on Friday morning, when one of our employees went to check email at Yahoo.com, our scanning system intercepted communications from that computer and an IP address listed in the indicators of compromise. When warned of that, we immediately isolated the computer, pulled it off the network, and alerted federal authorities.”

The incident involved a single computer not even connected to the grid control systems, he added.
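The Burlington case is what a low-context indicator looks like in practice: a single IP address in a government-issued list matched ordinary webmail traffic, and the match alone drove the response. The Python below is an added example, not code from SurfWatch Labs, Burlington Electric or DHS. It matches a constructed indicator feed against constructed proxy log lines and sorts each hit into “isolate-candidate” or “review-only” depending on whether the indicator came with any port/protocol context and whether the destination is shared infrastructure that thousands of benign clients also talk to. The feed rows, hostnames, allowlist and log lines are all made up for the example; no real Grizzly Steppe indicator is reproduced.

```python
"""Match an indicator feed against proxy logs and triage the hits before acting.

Added example, not code from SurfWatch Labs, Burlington Electric or DHS. The
indicator rows, hostnames, allowlist and log lines are all constructed for the
example; no real Grizzly Steppe indicator is reproduced.
"""
import ipaddress
from dataclasses import dataclass

# Constructed feed. Rows with no port/protocol/date context are the ones most
# likely to hit shared infrastructure rather than attacker infrastructure.
IOC_FEED = [
    {"indicator": "203.0.113.7", "type": "ipv4", "context": "C2 callback over TCP/443"},
    {"indicator": "198.51.100.23", "type": "ipv4", "context": ""},  # bare IP, no context
    {"indicator": "192.0.2.0/24", "type": "ipv4-net", "context": "scanning source range"},
]

# Constructed allowlist: destinations where an IP match alone should not
# trigger host isolation, because large numbers of benign clients use them.
SHARED_INFRA_HOSTS = {"mail.yahoo.com", "login.yahoo.com"}

# Constructed proxy log: timestamp, source host, destination IP, destination name, port.
PROXY_LOG = """\
2016-12-30T09:12:01 10.1.4.22 198.51.100.23 mail.yahoo.com 443
2016-12-30T09:12:05 10.1.4.22 198.51.100.23 mail.yahoo.com 443
2016-12-30T09:15:40 10.1.7.9 203.0.113.7 - 443
2016-12-30T09:20:11 10.1.2.3 192.0.2.77 - 22
2016-12-30T09:21:00 10.1.2.3 93.184.216.34 example.com 80
"""


@dataclass
class Hit:
    src: str
    indicator: str
    dst_host: str
    priority: str  # "isolate-candidate" or "review-only"
    reason: str


def _matches(ioc, dst_ip):
    """Exact match for single IPs, containment check for CIDR indicators."""
    if ioc["type"] == "ipv4":
        return ioc["indicator"] == dst_ip
    if ioc["type"] == "ipv4-net":
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(ioc["indicator"])
    return False


def triage(ioc, dst_host):
    """Decide how much weight one IOC match carries on its own."""
    if dst_host in SHARED_INFRA_HOSTS:
        return "review-only", f"{dst_host} is shared infrastructure; match needs corroboration"
    if not ioc["context"]:
        return "review-only", "bare IP indicator with no port/protocol context"
    return "isolate-candidate", ioc["context"]


def match_iocs(log_text, feed=IOC_FEED):
    """Return one Hit per (source host, indicator) pair, in log order."""
    hits, seen = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst_ip, dst_host, _port = line.split()
        for ioc in feed:
            if not _matches(ioc, dst_ip) or (src, ioc["indicator"]) in seen:
                continue
            seen.add((src, ioc["indicator"]))
            priority, reason = triage(ioc, dst_host)
            hits.append(Hit(src, ioc["indicator"], dst_host, priority, reason))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(PROXY_LOG):
        print(f"{hit.priority:18} {hit.src} -> {hit.indicator} ({hit.reason})")
```

The point of the split is operational, not forensic: a review-only hit still gets looked at, but it does not by itself justify pulling a host off the network or calling federal authorities. In a real deployment the allowlist and the context field would come from the feed publisher and your own asset data rather than from literals in the script.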

The false story comes on the heels of a report issued by DHS and the FBI on Grizzly Steppe, the U.S. code name for the malicious cyber activity carried out by the Russian civilian and military intelligence services. That interference led President Barack Obama to sanction four Russian individuals and five Russian entities, as well as to order 35 Russian diplomats to leave the country and close two Russian compounds.

Intelligence officials testified before Congress on Thursday, and Director of National Intelligence James Clapper said that Russia’s role included hacking and the ongoing dissemination of “fake news.” Thursday also saw the resignation of former CIA director James Woolsey from Donald Trump’s transition team over what the Chicago Tribune described as “growing tensions over Trump’s vision for intelligence agencies.”


Other trending cybercrime events from the week include:

  • Bugs and mistakes expose sensitive data: A bug in Nevada’s website portal exposed the personal data of more than 11,700 medical marijuana dispensary applications. Data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was publicly exposed due to an unprotected rsync (remote synchronization) service tied to Potomac Healthcare Solutions, which provides healthcare workers to the U.S. government through Booz Allen Hamilton. More than 10,000 invites to collaborate on Box.com accounts or documents were indexed and discoverable on search engines, including some documents containing sensitive financial and proprietary company information. PakWheels, an automotive classified site in Pakistan, announced a data breach due to a vulnerability in outdated vBulletin forum software.
  • Payment card breaches: British multinational hotel company InterContinental Hotels Group (IHG) is investigating a possible payment card breach after being notified of fraud patterns observed on credit and debit cards used at some IHG properties in the U.S., particularly Holiday Inn and Holiday Inn Express hotels. Topps announced a data breach affecting payment card and other data entered by customers when placing orders via its website. The incident was discovered in October and affects orders made through the Topps website between approximately July 30, 2016, and October 12, 2016.
  • Defacements and downtime: The Google Brazil domain was unavailable for 30 minutes on Tuesday afternoon due to a DNS attack that directed visitors to a defacement page. The official website of the Philippine military was defaced on December 30 by a hacker with the online handle “Shin0bi H4x0r.”
  • Ransomware updates: A ransomware infection at Los Angeles Valley College blocked access to emails, voicemail and computer systems as the computers of as many as 1,800 full-time faculty and staff could be infected. Ransomware actors are calling education establishments and claiming to be from the Department of Education, Department for Work and Pensions, and telecoms providers in order to obtain the contact information of the head teacher or financial administrator to attempt a ransomware infection.
  • Other breach announcements: Northside Independent School District is notifying 23,000 current and former students and employees that their information may have been compromised after an investigation of an August 2016 compromise of employee email accounts turned out to be a more widespread breach. The founder of KeepKey said his company email and phone were temporarily compromised on December 25, and the attacker reset accounts linked to the email address and was able to access several channels for a short period. Recent widespread electricity cuts across Istanbul have been attributed to a major cyber-attack, according to sources from the Energy Ministry. The New Hampshire Department of Health and Human Services is notifying 15,000 individuals that their personal information was exposed when a former patient at New Hampshire’s state psychiatric hospital posted information he had previously stolen to a social media website. The Organization for Security and Co-operation in Europe has recently confirmed that it was hit by a major cyber-attack in the first weeks of November when hackers managed to “compromise the confidentiality” of its IT network.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Organizations once again are being blackmailed by threat actors who are either threatening to release stolen data or else holding data hostage unless a ransom payment is made.

TheDarkOverlord is continuing its well-established tactic of hacking, extorting and then dumping data on a variety of targets. According to databreaches.net, “TDO appears to have dumped pretty much everything of any significance from two of the previously disclosed victim companies, Pre-Con Products, LTD, and G.S. Polymers, Inc. Other entities whose data TDO dumped include PcWorks, L.L.C. (in Ohio), International Textiles & Apparel, Inc. in Los Angeles, and UniQoptics, L.L.C. in Simi Valley.”

A new extortion campaign is being carried out by an actor using the name “Harak1r1.” The actor is hijacking MongoDB databases that are exposed to the Internet without authentication, stealing the data, and replacing it with a single collection and record named “WARNING” that carries the ransom demand (MongoDB stores collections of documents rather than tables). The actor then attempts to extort the victims to recover their data. Researchers said the campaign is ongoing and that between Tuesday and Wednesday the number of compromised databases rose from around 2,000 to more than 3,500. The actor requests a 0.2 bitcoin ransom payment for victims to get their data back, which at least 17 victims have paid. The actor appears to be manually selecting targets based on which databases appear to contain important data, according to Victor Gevers, co-founder of GDI Foundation.

Interestingly, it appears that a second threat actor may be using the same tactic, but charging 0.5 bitcoin instead, according to a Wednesday tweet addressed to Gevers.


As of Saturday afternoon, the second bitcoin address had 11 bitcoin transactions totaling 3.31 bitcoins, so it is possible that more victims are making ransom payments.
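The databases in this campaign were reachable because of two settings, not a software bug: mongod was listening on a public interface and access control was off, so anyone who could connect could drop every collection. The Python below is an added example, not code from the researchers, GDI Foundation or SurfWatch Labs. It audits two constructed mongod.conf fragments, a weak one and a hardened one, using a small indentation-based parser that covers only the YAML subset those fragments use, and reports whether the instance would be in the state the Harak1r1 campaign abused. Treating a missing bindIp as 0.0.0.0 matches the mongod default before version 3.6 and is stated as an assumption in the code.

```python
"""Audit a mongod.conf for the two conditions behind the MongoDB wipe-and-ransom
campaign: listening on a public interface and running without authorization.

Added example, not the researchers' or SurfWatch Labs' code. parse_conf()
handles only the YAML subset used below (nested mapping keys with scalar
values, '#' comments); it is not a general YAML parser. Both configurations
are constructed for the example.
"""

# Constructed: the shape of an instance that Harak1r1-style actors could reach.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface
# no security section: authorization is off
"""

# Constructed: the same instance restricted to loopback with access control on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

WILDCARD_BINDINGS = {"0.0.0.0", "::"}


def parse_conf(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit(text):
    """Return a list of findings; an empty list means neither condition is present."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # Assumption: a missing bindIp is treated as 0.0.0.0, the mongod default
    # before 3.6 (3.6 and later default to localhost).
    bind_ips = {ip.strip() for ip in net.get("bindIp", "0.0.0.0").split(",")}
    if net.get("bindIpAll") == "true" or bind_ips & WILDCARD_BINDINGS:
        findings.append("net.bindIp: mongod listens on all interfaces")

    # Authorization is off unless explicitly enabled.
    if security.get("authorization") != "enabled":
        findings.append("security.authorization: not enabled; any client that "
                        "reaches the port can drop every collection")
    return findings


def wipeable_from_network(text):
    """True when both conditions hold, i.e. the state the campaign abused."""
    return len(audit(text)) == 2


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok", "exposed:", wipeable_from_network(conf))
```

A config audit only tells you what the process was told to do; the check that actually matters is whether port 27017 is reachable from outside your network, which the same network scanning that found these victims will answer for you. Enabling authorization after the fact also does nothing for data that has already been dropped, so the fix has to travel with a tested backup.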

2017 Cyber Forecast: The IoT Problem is Going to Get Worse

The new year is underway, and one of the biggest causes of concern carrying over into 2017 is the threat posed by the growing number of compromised Internet-of-Things (IoT) devices. As I stated in my previous cyber forecast blog on extortion, I prefer to base my “predictions” on actual intelligence and verifiable data. IoT-related security threats have been talked about for the past few years, but they were relegated to the periphery of the cybercrime conversation because there wasn’t much threat data around real-world attacks. However, the second half of 2016 saw those concerns move front-and-center due to a series of incidents tied to the Mirai botnet:

  • In September, both KrebsOnSecurity and French hosting provider OVH were hit with massive DDoS attacks, reportedly peaking at 620 Gbps and roughly 1 Tbps respectively.
  • Those attacks were quickly tied to the Mirai botnet, the source code of which was subsequently released by a user on Hackforums.
  • A few weeks after the source code went public, DNS provider Dyn was hit with what appears to have been an even larger DDoS attack, causing major sites such as Twitter, Netflix, Reddit, Spotify and others to be disrupted across the U.S. and Europe.

Those attacks will certainly lead to increased scrutiny within the IoT marketplace both now and in the future, but in the meantime cybercriminals are focusing their attention on finding new ways to leverage the numerous vulnerable IoT devices for their own malicious purposes. The past few months have seen various hacking groups fighting to take control over their share of those compromised devices, as well as companies such as Deutsche Telekom and others suffering outages as those groups tried to expand their botnets by attempting to infect customers’ routers with Mirai. One group has even been observed selling IoT-powered DDoS services that claim to provide as much as 700 Gbps in traffic.

All of that activity has led to one of the clearest trends in SurfWatch Labs’ data over the past few months: an enormous rise in threat intelligence surrounding the “service interruption” category.

This chart from SurfWatch Labs’ 2016 Cyber Threat Trends Report shows a sharp increase in the amount of threat intelligence related to the service interruption category in Q4 2016.

“Over the past two years, the ‘service interruption’ tag has typically appeared in approximately 16% of the negative CyberFacts collected by SurfWatch Labs,” SurfWatch Labs noted in its annual cyber trends report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack. “However, that number jumped to more than 42% over the last half of the year due to growing concern around IoT-powered botnets such as Mirai.”

The problem of botnets powered by compromised IoT devices goes beyond just service interruption. It reflects many of the larger cybersecurity issues facing organizations in 2017:

  • an expanding number of vulnerable devices
  • the problem of default or easy-to-guess credentials
  • the difficulty of identifying vulnerabilities and patching them in a timely manner
  • questions of who along the supply chain is responsible for security
  • and issues outside your organization’s direct control that impact your cyber risk

Compromised IoT devices are a perfect example of the interconnectedness of cybercrime and of how the poor security of one component from one manufacturer can lead to hundreds of thousands of devices being vulnerable.

The sudden surge in concern around IoT devices reminds me of similar cyber risk discussions that have occurred around ICS/SCADA over the last few years. In both cases, the devices were often designed without cybersecurity in mind and those cybersecurity implications are now leading to serious potential consequences. However, unlike ICS/SCADA devices, IoT devices are primarily consumer focused. As we noted in the 2016 Cyber Trends Report, the potential of having multiple devices per household for any developed nation means that collectively these vulnerable devices are the largest digital footprint in the world not under proper security management.

DDoS attacks have always been a staple of cybercrime, but the expanding number of potentially compromised devices, along with cybercriminal tools designed to easily exploit those devices, has created growing concern around the tactic. Due to these concerns, I forecast with moderate confidence that IoT-driven botnets will affect a greater number of organizations in 2017 as suppliers, manufacturers, regulators and the security community all continue to wrestle with this ongoing issue.