Weekly Cyber Risk Roundup: Cloudflare Bug Discovered, Typos Lead to Theft

This week’s biggest story is the Cloudflare software bug discovered by Google researchers and disclosed Thursday that could have compromised private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” wrote John Graham-Cumming, the CTO of Cloudflare, which provides performance and security services to numerous major websites. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The bug was discovered by researcher Tavis Ormandy on February 17, and the data leakage may date back to September 22. However, the greatest period of impact was between February 13 and February 18 “with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage,” the company said. Popular services such as Uber, 1Password, FitBit, OkCupid, and many more use Cloudflare. Uber told media outlets the impact on its customers is minimal since “very little Uber traffic actually goes through Cloudflare,” and 1Password said the company “designed 1Password with the expectation that SSL/TLS can fail” exactly for these types of incidents.

Days before the public disclosure, Ormandy wrote: “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” Then in another comment, “We’re still working on identifying data that needs to be purged from caches.”

As Wired reported, efforts to discover any leaked data that has been cached and not yet scrubbed “has become something of an internet-wide scavenger hunt.”


Other trending cybercrime events from the week include:

  • Presidential campaign website defaced: A hacker going by the name “Pro_Mast3r” defaced a presidential campaign website for Donald Trump with a message that read, in part, “Peace From Iraq.” The hacker told Brian Krebs that he exploited a DNS misconfiguration to assume control of secure2.donaldjtrump.com.
  • New databases continue to be sold on the dark web: An actor using the name “Berkut” is selling a database of 950,000 user accounts for the website of the music festival Coachella that was allegedly stolen this month. Motherboard confirmed the legitimacy of the database, which contains email addresses, usernames, and hashed passwords. The $300 listing claims that 360,000 of the accounts are related to the main Coachella website and the other 590,000, which contain additional information such as IP addresses, are related to the message board.
  • Employees and students access sensitive data: Dignity Health St. Joseph’s Hospital and Medical Center is notifying approximately 600 patients that a part-time hospital employee viewed portions of their medical records without a business reason between October 1, 2016, and November 22, 2016. An Ohio Department of Taxation employee was fired for accessing the confidential tax information of relatives and acquaintances dozens of times. A student of the South Washington County school district in Minnesota hacked into the district’s server and downloaded the data of more than 15,000 people to an external hard drive in January.
  • Cybercrime-related arrests and sentencing: On Wednesday, February 22, UK law enforcement announced the arrest of a 29-year-old British man on suspicion of carrying out the cyber attack against Deutsche Telekom in November of last year, which impacted up to 900,000 customers of the ISP. SurfWatch Labs analysts have moderate confidence that this individual is the hacker known as “Bestbuy,” and additional researchers have said the actor also used the alias “Popopret.” A former systems administrator for Georgia-Pacific was sentenced to 34 months in prison and ordered to pay damages of more than $1 million after pleading guilty to remotely accessing the plant’s computer system and intentionally transmitting code and commands designed to cause significant damage to Georgia-Pacific and its operations.
  • Other cybercrime announcements: The personal information of 55 million voters in the Philippines was compromised when a computer from the Office of the Election Officer in Wao, Lanao del Sur was stolen, but the data was encrypted using AES-256. A spear phishing campaign against individuals in the Mongolian government used the popular remote access tool Poison Ivy as well as two publicly available techniques to evade AppLocker application whitelisting, four stages of PowerShell scripts to make execution difficult to trace, and decoy documents to minimize user suspicion. The Texas Department of Transportation said a breach of its automated administrative system affected a small number of employees whose information was compromised and potentially altered. Actress Emily Ratajkowski is the latest celebrity to have an iCloud account containing sensitive information hacked.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets in SurfWatch Labs’ data for the week]

Cyber Risk Trends From the Past Week

The Cloudflare bug can be traced back to a single character of code, which resulted in a buffer overrun, the company said.

“The Ragel code we wrote contained a bug that caused the pointer to jump over the end of the buffer and past the ability of an equality check to spot the buffer overrun,” Graham-Cumming said. “Had the check been done using >= instead of == jumping over the buffer end would have been caught.”
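The following is an added illustration of the class of bug described in the quote above; it is not Cloudflare’s Ragel output. It models a scanner that advances its position by a step computed from the input, with the end-of-buffer test written once as `==` and once as `>=`, and reports whether the loop would have stopped or kept reading past the end. The token format (a length byte followed by that many payload bytes) is a constructed assumption for the demo.

```c
#include <stddef.h>
#include <stdio.h>

/* Walk a buffer of hypothetical length-prefixed tokens without ever touching
 * memory past `len`. Returns 1 if the termination test stopped the loop, or 0
 * if `p` jumped past the end and an `==` test failed to notice (a real scanner
 * would keep dereferencing adjacent memory at that point). `*consumed` receives
 * the position the scanner believed it reached, which may exceed `len`. */
static int scan_terminates(const unsigned char *buf, size_t len, int use_ge,
                           size_t *consumed)
{
    size_t p = 0;                       /* stands in for the Ragel pointer p  */
    for (;;) {
        /* The check at issue: `==` only fires if p lands exactly on pe. */
        int at_end = use_ge ? (p >= len) : (p == len);
        if (at_end) { *consumed = p; return 1; }
        if (p > len) { *consumed = p; return 0; }  /* overrun missed by `==` */
        p += 1 + (size_t)buf[p];        /* length byte plus payload bytes     */
    }
}

/* Bytes beyond the buffer a scanner using `==` would read before (if ever)
 * stopping; zero when the input is well formed. */
static size_t bytes_past_end(const unsigned char *buf, size_t len, int use_ge)
{
    size_t consumed = 0;
    scan_terminates(buf, len, use_ge, &consumed);
    return consumed > len ? consumed - len : 0;
}

int main(void)
{
    /* Constructed inputs: the second one ends with a length byte that claims
     * five more payload bytes than the buffer holds. */
    const unsigned char good[] = {0x00, 0x01, 0x00};
    const unsigned char bad[]  = {0x00, 0x00, 0x05};
    size_t consumed;

    printf("good, ==: stops=%d\n", scan_terminates(good, sizeof good, 0, &consumed));
    printf("bad,  ==: stops=%d past_end=%zu\n",
           scan_terminates(bad, sizeof bad, 0, &consumed), bytes_past_end(bad, sizeof bad, 0));
    printf("bad,  >=: stops=%d past_end=%zu\n",
           scan_terminates(bad, sizeof bad, 1, &consumed), bytes_past_end(bad, sizeof bad, 1));
    return 0;
}
```

With `>=` the malformed input still overshoots, but the loop exits immediately instead of reading on; the fix is to the check, not to the input.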

Cloudflare wasn’t the only company to face issues due to a single character. Zerocoin announced last Friday that a typographical error of a single additional character in code allowed an attacker to create Zerocoin spend transactions without a corresponding mint, resulting in the creation of about 370,000 Zcoins. Zerocoin discovered the bug when it noticed the total mint transactions did not match up with the total spend transactions. All but around 20,000 of the Zcoins were completely sold for around 410 BTC in profit. “Despite the severity of the hack, we will not be forfeiting or blacklisting any coins,” Zerocoin wrote in an announcement. “Trading will resume once pools and exchanges have had time to update their code. A new release will be pushed out pretty soon.”

These types of small mistakes continue to cause major problems for organizations. This past week also saw reports that a database belonging to digital publisher Ziff Davis could have been exfiltrated due to a website configuration issue affecting itmanagement.com, potentially exposing 7.5 million records. The database contained names, phone numbers, employment details, and email and employer addresses, as well as contact information for users registered on other Ziff Davis properties. Contact information for anyone in the shared database could have been viewed by incrementing or decrementing a field in a URL belonging to one Ziff Davis publication, according to multiple researchers.

There was also the discovery that more than 1.4 million emails sent over Harvard Computer Society (HCS) email lists were found to be public, including emails divulging Harvard students’ grades, financial aid information, bank account numbers for some student organizations, advance copies of a final exam, answer keys to problem sets, and more, likely because the default setting for HCS list archives was public. In addition, New York’s Stewart International Airport publicly exposed 760GB of server backup data for over a year due to a network storage drive, installed by a contracted third-party IT specialist, that contained several backup images of servers and was not password protected.

The week’s incidents are yet another reminder that a good portion of effective cyber hygiene revolves around looking inward at an organization’s technology, policies, and procedures and their associated cyber risk.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.
