Weekly Cyber Risk Roundup: Massive Leaks Expose CIA Secrets and Alleged Spam Operation

The week’s top trending cybercrime story was WikiLeaks’ release of more than 8,000 documents related to the U.S. Central Intelligence Agency. The dump, called “Vault 7,” contains information on the CIA’s hacking tools and methods and is “the largest ever publication of confidential documents on the agency,” according to WikiLeaks.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote in a press release. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

The leak has led to widespread reports on the CIA’s hacking capabilities, including tools to compromise Windows, OS X, iOS, and Android devices; ways to circumvent popular antivirus programs; an exploit that uses a USB stick to turn smart TVs into bugging devices; and efforts to infect vehicle control systems. The U.S. is investigating the source of the leaks, which a CIA spokesperson described as deeply troubling and “designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries.”

WikiLeaks said it carefully reviewed the published documents and has avoided “the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.” On Thursday, WikiLeaks founder Julian Assange held a press conference where he said WikiLeaks would give technology companies “exclusive access” to the details of the exploits so that they could patch any software flaws; however, Thomas Fox-Brewster of Forbes reported that as of Saturday morning companies such as Google and Microsoft had yet to receive those technical details from WikiLeaks.


Other trending cybercrime events from the week include:

  • Verifone investigating data breach: Verifone, the largest maker of credit card terminals used in the U.S., is investigating a breach after being alerted in January by Visa and MasterCard that malicious actors appeared to have been inside of Verifone’s network since mid-2016, a source told KrebsOnSecurity. “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame,” Verifone wrote in a statement to Brian Krebs. “We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”
  • TalkTalk responds to scam center report: Two days after the BBC reported on an industrial-scale Indian scam call center targeting TalkTalk customers, the UK-based Internet service provider temporarily banned TeamViewer and other similar remote control software programs over security issues related to the scammers. TeamViewer said that it is “in extensive talks to find a comprehensive joint solution to better address this scamming issue.”
  • Tax information continues to be targeted: Daytona State College is notifying employees that their W-2 information may have been stolen after some employee W-2 statements were discovered being sold on cybercriminal markets. A glitch in Rhode Island’s Department of Human Services’ computer system resulted in more than 1,000 people receiving tax forms with the wrong information. Malicious actors are sharing concerns about government efforts to combat tax fraud, as well as tips on how those protections can be circumvented, on various dark web forums.
  • Organizations face extortion demands: Since the U.S. presidential election, at least a dozen progressive groups have faced extortion attacks where malicious actors search organizations’ emails for embarrassing details and then threaten to release that information if blackmail demands ranging from $30,000 to $150,000 are not paid. A Florida man was charged with intentionally damaging computers that hosted a San Diego software company’s website. The Pennsylvania Senate Democratic Caucus computer system was shut down after a ransomware infection made the system inaccessible to caucus members and employees. Fake extortion demands and empty threats are on the rise as cybercriminals capitalize on the growing number of ransom-related attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Nearly every week researchers discover new data breaches due to publicly exposed databases that require no authentication, and this past week insecure rsync backups exposed the entire operation of River City Media (RCM), providing a rare glimpse inside what security researcher Chris Vickery described as “a massive, illegal spam operation.”
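One defender-side check this incident suggests, as an added example that is not from the article or the researchers: a small audit of an rsyncd.conf that flags modules which, like the exposed backup described above, would answer anonymous clients from any address. The two configurations are constructed samples and an assumption for this example, not RCM's actual setup.

```python
# Constructed samples (assumption; RCM's real config is unpublished).
WEAK_RSYNCD_CONF = """
[backups]
    path = /srv/backups
    read only = yes
    list = yes
"""
# Hardened: unlisted, login required via secrets file, one internal range only.
HARDENED_RSYNCD_CONF = """
[backups]
    path = /srv/backups
    read only = yes
    list = no
    auth users = backup_operator
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/24
"""

def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into {module: {option: value}}; globals under ''."""
    modules, current = {"": {}}, ""  # keys lower-cased, indentation ignored
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):  # [module] header
            current = line[1:-1].strip()
            modules.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip().lower()] = value.strip()
    return modules

def audit_module(opts):
    """Findings for one module; opts already merged with global defaults."""
    findings = []
    if not opts.get("auth users"):
        findings.append("no 'auth users': anonymous clients may connect")
    if not opts.get("hosts allow"):
        findings.append("no 'hosts allow': any source address is accepted")
    if opts.get("read only", "yes").lower() not in ("yes", "true", "1"):
        findings.append("module is writable by clients")
    if opts.get("list", "yes").lower() in ("yes", "true", "1"):
        findings.append("module is advertised to anyone listing the daemon")
    return findings

def audit_rsyncd_conf(text):
    modules = parse_rsyncd_conf(text)
    defaults = modules.pop("")  # global options act as per-module defaults
    return {name: audit_module({**defaults, **opts}) for name, opts in modules.items()}
```

An empty findings list for a module means nothing was flagged; running the weak sample yields three findings and the hardened one none.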

The discovery led to a months-long investigation as MacKeeper Security Research Center, CSO Online, and Spamhaus came together to examine the data, which included everything from Hipchat logs to accounting details to infrastructure planning and more. Vickery said that there are enough spreadsheets, hard drive backups, and chat logs leaked to fill a book, and both CSO Online and MacKeeper have already teased future stories peeling back additional layers of the operation.

But perhaps the most alarming discovery — along with details of abusive scripts and techniques that have been forwarded to Google, Microsoft, Apple, and others — is a database of nearly 1.4 billion email accounts combined with real names, user IP addresses, and often physical addresses. Those email lists are used by RCM, which masquerades as a legitimate marketing firm, to send up to a billion emails a day, much of which can be classified as spam, according to the researchers.

On Thursday RCM issued a press release addressing the “numerous false and defamatory” statements made by the researchers and news outlets. The company said that the researchers did not find RCM’s “confidential and proprietary information through an unprotected rsync backup” and that if the researchers had contacted them prior to publication “they would have realized that a number of the statements in their articles were false and easily disprovable.” However, the press release did not provide an alternative explanation for how the researchers accessed the data, and Vickery said the company was not alerted since “it was decided that we should approach law enforcement and the affected companies (like Microsoft and Yahoo) before making any attempts at contacting the spammers directly.”

“What was legal and illegal isn’t for me to decide,” said Vickery. “But there are plenty of logs where they discuss illegal scripts and research into basically attacking mail servers and tricking the mail servers into doing things that would be against the law.”

Expect additional information to be reported in the coming weeks as the researchers and reporters comb through all of the data that was exposed.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.
