Weekly Cyber Risk Roundup: More Extortion and Marijuana Retailers’ Woes

Extortion continues to dominate the cybercrime headlines in 2017 with the week’s top two trending targets being the successful ransom at Los Angeles Valley College and continued extortion attempts around MongoDB databases.

It was less than a year ago that Hollywood Presbyterian Medical Center became a national news story by paying a $17,000 ransomware demand so that staff could regain access to infected computers. A year later those types of stories are no longer unique; they’re routine. Los Angeles Community College District’s recent decision to pay a $28,000 ransom after an infection “disrupted many computer, online, email and voice mail systems” is just the latest of example.

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the district said in a FAQ, echoing the sentiments of many other organizations who’ve decided to pay ransoms. “The District has a cybersecurity insurance policy to address these specific types of cyber intrusions and it was activated during this incident. While much time will pass before this matter is resolved, we have already availed ourselves of the resources provided by the policy, including assistance of cybersecurity experts.”

In addition, the ongoing issue of insecure MongoDB databases being stolen, deleted and subsequently extorted continues to rack up thousands of new potential victims, including Princeton University. Researchers Victor Gevers and Niall Merrigan have been tracking the various victims and ransom demands as threat actors compete to have the most up-to-date ransom notes. The problem, Merrigan told KrebsOnSecurity, is that with so many actors the victims may not know who actually has the stolen data. Merrigan advises victims not to pay unless they have proof that the extortionists actually have the files being ransomed. Lastly, it appears some of those actors have now shifted towards ElasticSearch servers, with more than 3,000 victims as of Monday morning.

Other trending cybercrime events from the week include:

• Another week of large-scale breaches: Mobile phone hacking company Cellebrite was breached and 900 GB of data was compromised, including customer information, databases and a vast amount of technical data regarding Cellebrite’s products. E-Sports Entertainment Association (ESEA) was hacked last December and a database containing information on 1.5 million players was stolen. The actor also attempted to extort the company for $100,000, but ESEA refused to pay. Three brokers who left the commercial real estate firm Avison Young used external hard drives to “downloaded massive amounts of data,” including client and financial information, market intelligence and strategic plans, according to a complaint filed by the firm.

• More accidental data exposure: A MongoDB database belonging to Sanrio, the company behind Hello Kitty, was misconfigured and exposed to the public in 2015, and a copy of that database has recently surfaced online. Approximately 3.3 million Hello Kitty fans are affected, including 186,261 records related to individuals under the age of 18. Canadian plastic surgery company SpaSurgica exposed the detailed medical histories of thousands of patients due to an unprotected remote synchronization (rsync) service, according to MacKeeper researchers. The files contained medical histories, personal information, and intimate before and after pictures of breast augmentation and other surgeries. An email sent by Ball State University’s retention office to students on academic probation accidentally contained an Excel spreadsheet of 59 students on probation for the spring semester rather than planned attachment about upcoming academic help sessions.

• Cyber-attack leads to another blackout: The December 2016 blackout in Ukraine was due to a cyber-attack, and it is connected to a similar attack in 2015, as well as hacks at the national railway system, several government ministries and a national pension fund. The head of ISSP, a Ukrainian company investigating the incident, said that the recent attack against a Ukrainian utility was a “more complex” and “much better organized” version of the 2015 attack. He also said that the different cybercriminal groups that worked together appeared to be testing techniques that could be used elsewhere in the world.

• Other breach announcements: Outdated data management software led to the leak of financial information for at least 2,000 Taipei City Government employees, city officials said. A November data breach at TwoPlusTwo poker forum exposed the personal information of its users, and the stolen data was subsequently offered for sale on the Internet. Fraudulent login attempts were made to Spreadshirt partner accounts using previously compromised credentials with the goal of redirecting payments by changing the Paypal payout address. Dozens of Israeli soldiers had their smartphones hacked by Hamas militants impersonating attractive women. Italian police have arrested two siblings for allegedly hacking into thousands of email accounts using a customized malware known as “EyePyramid” and then using the stolen information to make investments. The Susan M. Hughes Center recently notified HHS of an August ransomware infection that affected 11,400 patients’ information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

As SurfWatch Labs noted in its annual report, organizations are increasingly struggling with third-party and supply chain cybercrime.

This issue was highlighted once again this past week as a cyber-attack at MJ Freeway,  a popular software platform used by marijuana retailers, disrupted operations at 1,000 retailers across 23 states. A full week after the initial attack the company is still working to restore some level of services to many of its clients. A full recovery may take several weeks, Jeannette Ward, director of data and marketing for MJ Freeway, told Marijuana Business Daily.

The motivations behind the attack are unclear, but the attack appears to be aimed at corrupting the company’s data, not stealing it.

“Attackers took down both MJ Freeway’s production and backup servers, causing an outage for all of our clients,” MJ Freeway CEO Amy Poinsett said in a video uploaded on Saturday, “Current analysis shows the attackers did not extract any client or patient data and did not view any patient data thanks to encryption measures we had in place.”

However, she added that “the damage from the attack is extensive” and the company is currently trying to call customers individually to move them to alternate MJ Freeway sites, which is taking more time than she would like. A number of stores had to temporarily close due to the outage, and those that remained open have had to deal with lengthy lines and customer complaints as manual transactions increased the time for each sale.

As SurfWatch Labs noted in its 2016 Cyber Trends Report, the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services,” the report stated. “Cybercrime is increasingly interconnected, and the effects of one data breach or cyber-attack are difficult to isolate and contain.”

That appears to be the case with MJ Freeway.