June 2017 – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Million Dollar Extortion Payments and TheDarkOverlord Loses Credibility

Ransomware made headlines this past week due to several infections that disrupted business operations, as well as a million dollar extortion payment that was negotiated by South Korean web hosting firm Nayana after its servers were infected with Erebus Ransomware on June 10. Nayana said the payment was necessary to restore 150 servers and the 3,400 affected client websites, most of which were for small companies and startups.

The initial ransom demand was for 5 billion won ($4.4 million) in bitcoin, but the company managed to negotiate the payment down to 1.3 billion won ($1.1 million or 397.6 bitcoin). In a statement on the company’s website (Korean language) on Thursday, Nayana CEO Hwang Chilghong said he knows the company should not negotiate with hackers, but that the damage was too widespread and too many people would be harmed if the company did not pay the extortion.

WannaCry was also back in the news this week due to Honda Motor saying that plants in Japan, North America, Europe, China, and other regions were recently infected with the ransomware despite efforts to protect their networks following last month’s WannaCry outbreak. One location, a Sayama automobile plant located near Tokyo, was idled due to the infection. Authorities in Victoria, Australia also announced that 55 traffic and speed cameras were accidentally infected with WannaCry due to a maintenance worker using an infected USB stick. Local media reported that the police have decided to cancel 590 fines sent to road users caught by the WannaCry-infected cameras.

Other ransomware news includes Waverly Health Center in Iowa being infected with an unknown ransomware variant and having to shut down their IT systems for a period of time, and Proofpoint researchers saying that the ransomware infections recently reported at several UK universities were part of a larger malvertising campaign carried out by the AdGholas group that leveraged the Astrum Exploit Kit to spread Mole ransomware.

Other trending cybercrime events from the week include:

Massive voter database leaked: A database containing detailed information on 198 million U.S. voters and compiled by GOP political consultant Deep Root Analytics was left exposed to the Internet for 12 days. The information included data pulled from voter lists maintained by the RNC that was augmented by other sources such as social media sites. The leak includes data on some voters such as ethnicity, religion, contact information, and views on a variety of political issues. In addition, the data included proprietary information such as unique RNC identifiers for each voter.

POS breach discovered at The Buckle: The clothing store chain The Buckle announced that point-of-sale (POS) malware was discovered on some of its retail POS systems and that some payment cards used between October 28, 2016 and April 14, 2017 may have been affected. The Buckle believes that the malware did not collect data from all transactions or all POS systems for each day within that time period. The company also said that all stores had EMV technology enabled during the time that the incident occurred, which helped to limit the impact of the breach.

Services disrupted: The CyberTeam hacking group announced on Twitter that it was responsible for the outage that affected Skype on Monday and Tuesday. Microsoft has not confirmed the cause of the outage, but the service was reported down in multiple countries across Europe, as well as Japan, Singapore, India, Pakistan, and South Africa. Square Enix said that Final Fantasy XIV game servers were being repeatedly targeted by DDoS attacks from an anonymous third party.

More incidents tied to errors and glitches: The email addresses of registered consultancies of the UK government’s Cyber Essentials scheme were exposed due to a configuration error in the Pervade Software platform, according to the IASME Consortium, which runs the accreditation. The sensitive personal information of students was compromised when a staff member at the UK’s University of East Anglia “mistakenly” emailed a spreadsheet with confidential data to 320 American Studies students. A man used a glitch to steal more than £99,000 from the Clydesdale Yorkshire Bank last December when, for approximately one hour, the man’s account showed a credit balance even though he did not have any money.

Other notable incidents: Online banking service Ffrees notified its users that some of their personal information was “temporarily exposed” due to an “information security incident.” Virgin Media is advising more than 800,000 customers using the Super Hub 2 router to change both their network and router passwords if they are using the default passwords shown on the device’s attached sticker. Torrance Memorial Medical Center said a phishing attack compromised email accounts containing “work-related reports” and the personal data of patients. The latest batch of CIA documents released by WikiLeaks, dubbed “Brutal Kangaroo,” revolves around “a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” A joint law enforcement action known as the eCommerce Action 2017 led to the arrest of 76 professional fraudsters and members of Internet-based criminal networks across 26 countries.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Larson Studios, the family-owned audio post-production business that was hacked by TheDarkOverlord, has finally provided public comments about the December 2016 attack that led to the theft of a variety of unaired episodes from major studios. That incident led to leak of ten episodes of Netflix’s Orange is the New Black and eight episodes of ABC’s Steve Harvey’s Funderdome.

The takeaway from company president Rick Larson following the ordeal: “Don’t trust hackers.”

He learned that lesson after Larson Studios eventually paid TheDarkOverlord a $50,000 ransom as part of an agreement between the two to keep the breach private. However, a few months later the FBI told Larson Studios that TheDarkOverlord was attempting to extort the company’s clients with the stolen video, and the group then tried to publicly pressure Netflix and others into paying a ransom demand.

Why TheDarkOverlord would attempt to double-dip on the group’s ransom demand is somewhat puzzling. As SurfWatch Labs has noted in multiple blogs, the group has spent the past year carefully projecting an image of professionalism, framing its extortion demands as straightforward “business proposals” and using the media to try to spread the group’s message: pay up and everything will quietly go away. For example, in June 2016 when the group first began making headlines, TheDarkOverlord used the media to warn companies, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” They also warned that the ransom payment would be “a modest amount compared to the damage that will be caused” from a public leak. The group’s tone did not change when it came to extorting Netflix nearly a year later: “You’re going to lose a lot more money in all of this than what our modest offer was.”

It appears that after a full year of trying to build that image as a “trustworthy” extortionist, TheDarkOverlord has now lost its credibility — and, it should be noted, that credibility is what pushed companies like Larson Studios over the edge when deciding if the company should pay. As Rick Larson told Variety, previous media reports suggested that paying TheDarkOverlord actually worked.

TheDarkOverlord appears to be in damage control now, and the group is trying to regain that credibility by arguing that Larson Studios violated its agreement by contacting the FBI. The group also continues to leak data on other organizations, but hopefully those organizations will take heed of the message from Rick Larson to never put their trust in hackers — and it’s clear that now includes TheDarkOverlord.

Preparedness & Cyber Risk Reduction Part Four: Awareness and Operational Training

In our ongoing series on Preparedness & Cyber Risk Reduction, we’ve discussed an “Introduction to the Preparedness Cycle” and we’ve explored the topics of preparedness and operational planning, and organizing and equipping. In our sustained effort to reduce risk through proper preparedness, we’ll tackle the next critical step in the Preparedness Cycle — training.

To effectively support our efforts to reduce organizational risks — which we defined as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” — we want to ensure our personnel are properly trained. Obviously, an organization conducts a variety of types of training and not all is relevant to preparedness (though a lot does impact broader risk management, such as some of the training that may be delivered by Human Resources). The focus of this article is specifically on two types of training: Threat Awareness Training and Operational Training.

FEMA states that, “Training provides first responders, homeland security officials, emergency management officials, private and non-governmental partners, and other personnel with the knowledge, skills, and abilities needed to perform key tasks required by specific capabilities. Organizations should make training decisions based on information derived from the assessments, strategies, and plans developed in previous steps of the Preparedness Cycle.”

I agree with FEMA’s definition, but, regrettably, it is incomplete. Our approach is to certainly encourage Operational Training to arm personnel “with the knowledge, skills, and abilities needed to perform key tasks required by specific capabilities,” often relating to the plans, procedures, systems, and equipment we put in place in the previous steps of the Preparedness Cycle but, in addition to Operational Training, it is critical that personnel have a sound understanding of the threat environment. Our motto at Gate 15 is to apply a “threat-informed, risk-based approach to analysis, preparedness and operations.” To do that right, training needs to include efforts aimed at educating personnel on the varied threats they may encounter in the workplace (and perhaps more broadly). We consider that Threat Awareness Training.

Organizations face a wide array of threats to their operations, people, and facilities. With limited time and resources, training can’t address every threat. To help prioritize training activities and emphasis, leaders should apply a threat-informed but risk-based approach to planning, developing, and conducting training. That means understanding the threats, conducting a risk assessment, and prioritizing the greatest risks as primary areas of focus. In today’s environment, an organization, we’ll call it Acme Innovations, may conduct a risk assessment and determine that Acme’s greatest areas of concern are hostile events at the workplace, a severe earthquake, a significant data breach, and being infected with ransomware.

If you recall from Part Two of this series, we said that, ideally, organizations will have a Preparedness Champion who can help develop and maintain a multi-year training and exercise program. This program — informed by a prioritized risk assessment — should detail a training schedule and progressively challenging exercises over a few years’ period. Developing a multi-year preparedness program helps protect time and allows leaders to plan for and commit funding to support the activities. Even if the details of an event change, the time and resources will be there. In Part Two of this series we met Johnny, who it turns out, is Acme Innovations’ Preparedness Champion. Johnny’s multi-year preparedness program includes Acme’s preparedness priorities, focused on the four areas noted above. For this post, let’s focus on the concerns around ransomware.

Operational Training: Based on Acme Innovations’ preparedness priorities, Johnny’s multi-year preparedness program includes a deliberate approach to reduce the risks associated with the threat of ransomware. Johnny has worked with colleagues from across Acme Innovations to develop a Ransomware Response Plan, which they’ve included as an annex to the broader Acme Innovations Incident Management Playbook. The Plan includes specific actions for personnel to take upon identifying a possible ransomware infection. Those include immediate individual actions to take, who to report the incident to, what actions Acme’s security team and IT support teams are to take, key decisions and who is responsible for them, and other details developed through the process of Operational Planning. Over the next three months, Johnny and Acme’s corporate trainer are conducting training on that plan and the expected actions of all involved parties, to ensure Acme personnel understand their individual and team responsibilities in the event of a possible ransomware infection. At the end of the three-months, Johnny is leading a tabletop exercise with key leaders and responders to validate the plan and he wants everyone to know their roles and responsibilities ahead of time. But, wait – that’s the next part of this series!
Threat Awareness Training: While Johnny and the trainer are training the organization on how to respond to a possible ransomware incident, Johnny knows that ideally, Acme will avoid getting infected in the first place. So, Johnny has done his homework, he’s looked at some of the great online resources that address ransomware, and he’s working closely with Acme’s security team to better understand how ransomware works and how it may be delivered. With his colleagues, he’s developed a deliberate Threat Awareness Training Plan to educate Acme Innovations personnel on what ransomware is, how it can enter a network, what the implications of that are, how individuals can help to reduce the risk of infection, and other nuggets he’s learned through his discussions and research. With that, he’s excited as he starts implementing his plan and educating his coworkers! Once again, good job, Johnny!

As we noted in Part Three, FEMA describes the core capability cybersecurity as protecting, and if needed, restoring, “electronic communications systems, information, and services from damage, unauthorized use, and exploitation.” Johnny’s efforts are directly supporting that for Acme Innovations but Acme knows that their threats are more than just cybersecurity. We identified Acme’s concerns above but for your organization, whether your emphasis is on health issues – such as the impacts of a potential pandemic, or natural disasters – maybe annual spring flooding or perhaps you’re in an area that is more likely to experience high-impact hurricanes, or physical security threats – such as workplace violence, the same approach to training applies. Addressing your prioritized risk concerns, both Operational Training and Threat Awareness Training should be included in your multi-year preparedness program.

But, wait, we said above that we only have limited time and resources for training. How do we get all this done?!?! Well, different organizations will approach training, and all aspects of preparedness, differently and will allocate varying amounts of time for it. Some will choose to conduct annual training days, whereas others will approach things in smaller, more frequent iterations. Some will conduct all training with internal resources, whereas some may bring in professional trainers for some, or all, of the training. Different approaches will make more or less sense for different organizations and for different threat concerns. Hurricane training may be something your organization does on an annual basis, whereas ransomware training may come in the form of a quick update every couple weeks. It will be up to you to determine the approach that makes the most sense for your organization based on your understanding of the threats, your risk assessment, your priorities, and your available time and resources.

With cybersecurity, there is abundant information available online about the array of potential threats and easy-to-find examples of real incidents. There is also a lot of great information on how to conduct training. Yes, of course, our team at Gate 15 is happy to help you develop your multi-year preparedness program and to support your operational and threat awareness training (!) but you can leverage some great free resources to help inform and support your program as well.

What’s most important is that as an organization, you follow Acme’s example, assign a responsible champion and dedicate the necessary time to plan and conduct both operational and threat awareness training. As you progress through the Preparedness Cycle, each step builds and enhances the work of the previous step. Having effective plans, people, and equipment in place, it is vital that you give them the necessary training to understand the threats your organization is most concerned about, the risks those threats pose, and the actions you need them to take. This further enhances our preparedness and resilience, minimizing the impacts of incidents and facilitating a quick return to normal operations when they do occur. With a solid training program in place, we move onto the next step in the Preparedness Cycle. In the next installment we’ll address exercises, where we have the opportunity to test and validate all the good work we’ve done!

Weekly Cyber Risk Roundup: Industroyer Malware and Fines for Delayed Breach Notification

Ukrainian power utility Ukrenergo was back in the news as the top trending cybercrime target after researchers analyzed new samples of a destructive malware, dubbed “Win32/Industroyer,” which they said was likely used in the December 2016 attack against the Ukrainian power grid.

“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly,” ESET researchers wrote. “To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).”

The Industroyer malware uses four payload components designed to gain control of switches and circuit breakers, with each component targeting a particular communication protocol: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA). The malware is notable as it “is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.”

Hackers may have hidden in Ukrenergo’s IT network undetected for six months before carrying out their December 2016 attack, which led to a power blackout in Kiev that lasted a little over an hour. Although it’s not confirmed, it is “highly probable” that Industroyer was used in that incident. The Ukrenergo attack occurred a year after a similar attack against Prykarpattyaoblenergo, which caused approximately 230,000 people to lose power. Researchers have warned that both of those incidents in Ukraine could be tests for potential attacks against Western countries’ critical infrastructure facilities in the future.

Other trending cybercrime events from the week include:

FIN10 targeted mining companies and casinos: A financially-motivated hacking group known as FIN10 spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive data, and then holding it for ransom. According to researchers, the attacks targeted sensitive files such as corporate records, private communications, and customer information, and the ransom demands ranged between 100 and 500 bitcoin. The hackers were also able to essentially shut off the production systems of some mines or casinos that did not comply, making them unable to operate for a period of time.
Updates on previously disclosed attacks: The attackers behind the 2015 attack against TV5Monde conducted reconnaissance inside the TV5Monde network for three months before launching a sabotage operation that knocked multiple channels offline and compromised multiple social media accounts. France’s national cybersecurity agency said that the attackers used a compromised third-party account that allowed them to connect to the TV5Monde VPN and that once they were inside the network they used one of two camera-control servers as a beachhead for privilege escalation. The agency also noted that the attackers were able to create their own admin-level account in Active Directory and used the IT department’s wiki to gain information. GameStop is notifying an undisclosed number of online customers that their payment card details were stolen between August 10, 2016 and February 9, 2017. The breach was acknowledged by GameStop in April, but the company only recently began notifying affected customers. Cowboys Casino in Alberta said that data stolen from a breach last year has been posted online and that the hackers are threatening to post more data next week. WikiLeaks’ latest dump of CIA documents is CherryBlossum, a project that is focused on compromising wireless networking device.
Universities targeted: Southern Oregon University said it sent $1.9 million to a malicious actor impersonating Andersen Construction, a contractor that is working on the McNeal Pavilion and Student Recreation Center construction project. University College London said that a major ransomware attack occurred on June 14 and disrupted access to a number of users’ personal and shared drives for several days after UCL users visited a compromised website. Ulster University in Northern Ireland was infected with ransomware that affected a “significant number of file shares” due to a “zero day attack.” The initial attack occurred on June 14, and the university said it believes they are will be in a position to restore the file share service by late morning on June 19.
Other notable incidents: A database containing the personal information of 6 million users of online survey site CashCrate was stolen by hackers due to an apparent compromise of third-party forum software. A developer at Tata Consultancy Service in India posted the source code and internal documents for a number of unnamed financial institutions to a public GitHub repository. Italy’s data protection authority said that Wind Tre, the country’s biggest mobile operator in terms of mobile SIMs, must notify customers of a March 20 data breach that affected 5,118 customers. A hacker pleaded guilty to the 2014 theft of hundreds of user accounts from a U.S. military communications system, an intrusion that the Department of Defense said cost $628,000 to fix.

Cyber Risk Trends From the Past Week

New York’s attorney general Eric Schneiderman announced last Thursday that CoPilot Provider Support Services must pay $130,000 in penalties as well as reform its legal compliance program over violations related to delayed notification of a breach.

According to the attorney general, an October 2015 data breach of CoPilot’s website administration interface, PHPMyAdmin, allowed an unauthorized user to download reimbursement-related records for 221,178 patients, including their names, genders, dates of birth, addresses, phone numbers, and medical insurance card information. However, CoPilot did not begin formally notifying affected consumers until January 2017, more than a year after the incident occurred — an “unacceptable” violation of New York law.

“Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications,” New York’s attorney general wrote. “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”

In January, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a $475,000 fine to Presence Health for similar reasons. OCR said that it was the agency’s first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information and that the settlement amount “balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.”

That regulatory scrutiny may get more intense with the enforcement of the EU’s General Data Protection Regulation (GDPR) next year. The GDPR requires companies notify the appropriate authorities of a breach within 72 hours of discovery if that company collects, stores, or processes personal data for people residing in the EU. As SearchSecurity noted last month, that could force a change for the better when it comes to prompt breach notification by companies since the monetary penalties associated with violating the GDPR are much harsher than the current regulations.

Preparedness & Cyber Risk Reduction Part Three: Organize & Equip

In Parts One and Two of this blog series, “Introduction to the Preparedness Cycle,” we took a general look at threats, risks and preparedness, as well as a slightly deeper look into planning — both preparedness and operational planning — to minimize the likelihood and impacts of the undesired threats that have the potential to develop into disruptions and other “unwanted outcomes.” Such outcomes could impact organizations’ people, information, operations and/or facilities, and it is our goal to be ready and resilient — ideally preventing the incidents, but, more in some cases, minimizing their impacts and facilitating a quick return to normal operations.

One approach to supporting preparedness — which we defined as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response — is to apply a deliberate process to reduce our risks. That deliberate process is the Preparedness Cycle. As we continue through that Cycle, we now move on to the next step in the process – Organizing and Equipping. I often feel like this step is an unloved child in the preparedness family — frequently glossed over as planning, training, and exercise usually get more attention. In reality, this step is critical and is more present in our day-to-day operations than the rest of the preparedness activities.

FEMA states that, “Organizing and equipping include identifying what competencies and skill sets people delivering a capability should possess and ensuring an organization possesses the correct personnel. Additionally, it includes identifying and acquiring standard and/or surge equipment an organization may need to use when delivering a specific capability.” And for our purposes, we’re focused on cybersecurity, which FEMA describes as the core capability focused on protecting “(and if needed, restore) electronic communications systems, information, and services from damage, unauthorized use, and exploitation.” There is absolutely no way we will succeed in achieving that core capability if we do not have the right people and equipment in place.

So where do we begin? Well let’s start with some reality checks and then let’s move on to ice cream, a far more enjoyable topic!

Reality Check #1: There is no silver bullet and no automated solution that will alone protect your network and information.
Reality Check #2: Intelligence and information — even deep web and dark web intelligence — are useless unless they are understood, analyzed and applied towards decision-making and action – primarily in the form of preparedness and operations.
Reality Check #3: No two organizations are the same. Some are alike — based on size, industry, clients, etc. — but they’re not the same. In most cases, their organization and equipment needs may also be alike, but not the same.
Reality Check #4: Security will require an appropriate blend of technology and human resources.

And an important note, when we speak to “equipment” here, for organizations looking to address their cybersecurity preparedness, it is not just hardware but also the software, technology and services we may apply towards our security operations.

With that – to ice cream! I’m a big fan of ice cream. Seventy-five percent of the reason I workout is probably to indulge in an extra scoop of delicious creamy heaven. I like almost every flavor and am open to nearly every topping – there are a lot of great combos I can enjoy! But for me, for my tastes, it is tough to beat three scoops of chocolate chip cookie dough ice cream coated with a generous portion of shredded Heath Bar and just the right amount of caramel and fudge. Oh, yes, that does it. But that’s me. You may be a chocolate or butter pecan person. Or a marshmallow or peanut butter sauce person. Maybe you like the combined flavor of strawberry ice cream with pineapple sauce on top. The potential combinations are endless and there are probably many that would be to your liking, but probably one or two you really, really like. And, over time, maybe your tastes change. Maybe a little more fudge. Maybe switch out the mint chocolate chip for pistachio … as your needs change, so too must your ice cream sundae!

And so it is with security. There are a lot of great tools and resources out there. Some awesome technology solutions and some great talent. But not all are right for you and your organization and those that work today, may not fit tomorrow as your organization, and the threat environment, change. As you try different things to get to know your likes and dislikes with your perfect sundae, so too must you sample and experiment with the right composition of human and technology resources for your cybersecurity in order to achieve the desired capabilities. And to the aforementioned idea that, organizing and equipping “includes identifying and acquiring standard and/or surge equipment an organization may need to use when delivering a specific capability,” we need to think of potential areas where we may need enhanced support. Perhaps if we suspect we have malware on our network or if we experience a data breach. Wherever we assess risks that we want to be able to operationally address (as opposed to something we’d accept and address via insurance, for example) and do not have the organic in-house capabilities, we need to be able to surge, with internal or external resources, to meet the potential situation.

In addition to our preferences, we also have to respect competing demands and requirements. Whether buying ice cream and groceries or security solutions and hiring talent, we have to respect the constraints of our budgets and choose smartly. I need to both eat and maintain security daily. Sometimes we can buy steak, sometimes we can’t. But we can eat. With security, maybe you can’t get that sophisticated phishing training service you wanted right now, but you can put together an in-house threat awareness program and threat identification and reporting incentive program. Maybe you can’t hire a malware analyst right now, but you can register with the FBI and submit issues into their iGuardian program or join your appropriate information sharing group and leverage their resources and capabilities. In organizing and equipping, as with all preparedness, we should start with basic steps and progress towards a desired endstate. Maybe the goal is a world-class security operations center with validated incident response capabilities. Great! But maybe that starts with some free, basic subscription services, portal registrations and hiring a junior analyst. How fast, and how robust, need to be based on your organization, your risk assessment, your available resources and your goals.

That being said, of course (!) you should consider SurfWatch Labs’ Threat Analyst and Cyber Advisor products and Gate 15’s support for your cyber exercise program … of course, of course, but you already knew that those were as critical to your security sundae as the ice cream itself!

The process of organizing and equipping – like all aspects of threat, risk and preparedness management, is continuous and needs to be regularly reassessed. As you continue into the Preparedness Cycle, as you run drills and more complex exercises to test your team and processes, and as you encounter real events and incidents, there will be numerous opportunities to document successes and opportunities for improvement. These should help you refine your people and processes, and your organization and equipment as well. But, before we get into exercises, we need to give our personnel effective training on the plans, procedures, systems, and equipment we have in place. And that will be the subject of the next installment in this series!

Weekly Cyber Risk Roundup: ‘Staggering’ Amount of Data Exposed and Hacks Lead to Fake News

Organizations are making it easy for cybercriminals by putting vast amounts of sensitive data at risk due to improper security configurations, various researchers recently warned, and this past week saw several new data breaches announced due to the public exposure of sensitive customer, patient, and other internal data.

The first warning came from Appthority, which said it discovered a “staggering amount” of leaked enterprise data from apps due to a vulnerability dubbed “HospitalGown.” The researchers said that almost 43 TB of data was found exposed across 1,000 apps due to the app developers’ failure to properly secure the backend servers with which the apps communicate and where sensitive data is stored. As a result, enterprises are leaving themselves open to data exfiltration, leakage of personal information, and potential ransom attempts, the researchers said.

In addition, John Matherly, the founder of Shodan, said that improperly configured HDFS-based servers are exposing over five petabytes of data. Matherly said he found that the smaller number of HDFS servers leak 200 times more data than MongoDB servers. He discovered 4,487 instances of HDFS-based servers exposing over 5,120 TB of data, whereas the 47,820 MongoDB servers leaked 25 TB of data. These warnings came as several organizations announced data breaches due to publicly exposing sensitive data:

A car dealership database has been publicly exposed for more than 140 days, exposing customer, vehicle, and sales details of more than 10 million car owners, including VIN numbers.
Victory Medical Center said patient information was discoverable via search engines dating back to 2013, and as a result around 2,000 patients had some of their personal information compromised.
A Cosmetic Institute in New South Wales exposed the sensitive personal information, including before-and-after photos, of more than 500 female patients after uploading their data to a publicly accessible index of the clinic’s website.

Other trending cybercrime events from the week include:

IP theft leads to extortion attempts: CD Projekt Red said that internal files such as documents connected to its upcoming game Cyberpunk 2077 were stolen by extortionists and that those files may be released to the general public as the company will not pay the ransom. TheDarkOverlord has leaked eight episodes of ABC’s unaired show “Steve Harvey’s Funderdome” on The Pirate Bay, following through on the group’s promise to release shows stolen from Hollywood-based post-production company Larson Studios late last year.
Variety of malicious actor arrested: A contractor at Pluribus International Corp. has been charged with leaking a top-secret National Security Agency document that describes Russian efforts to compromise the U.S. election. Chinese authorities have arrested 20 Apple employees for allegedly using the company’s internal computer system to gather and sell customers’ names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan ($7.36 million). South Korean police have arrested a group of hackers that breached the hotel and guesthouse reservation app “Good Choice” in March and stole the personal data of more than 990,000 users. Two men were indicted for a $12 million identity theft scheme that involved thousands of victims, including students applying for financial aid. The men acquired personal identifying information of victims by either purchasing it or by obtaining the information through the Data Retrieval Tool on the Free Application for Federal Student Aid (FAFSA) website. A guidance counselor at Tryon Elementary School in North Carolina admitted to using information about some of his elementary school students in a $436,0000 Medicare scam.
Personal data transmitted insecurely: The Mississippi Division of Medicaid is notifying 5,220 individuals that their protected health information may have been exposed due to their information not being securely transmitted when online forms were submitted. HSBC Bermuda said the personal information of customers was compromised when the company sent an email to a small number of retail banking customers that included an attachment containing HSBC Bermuda customer data. The personal information of almost 13,000 employees of Public Services and Procurement Canada was exposed due to a spreadsheet with sensitive data being sent to 180 people in the department via unencrypted email.
Other notable incidents: Al Jazeera said that it faced a large-scale cyber-attack on Thursday against all of its systems, websites, and social media platforms. The University of Alaska is notifying 25,000 students, staff, and faculty members that their names and Social Security numbers were compromised due to a successful phishing attack in December 2016. The Maltese government has seen a significant increase in attacks believed to be carried out by Russian hacking groups in recent months — ever since Malta assumed the important position of presidency of Europe’s Council of Ministers in January. Since then, the Maltese government’s IT systems have seen a rise in phishing attacks, DDoS attempts, and malware on computer systems.

Cyber Risk Trends From the Past Week

Recent incidents have confirmed that malicious actors are using cyber-attacks and data leaks to both blatantly fabricate entire news stories and discreetly drop small pieces of fake information that can potentially have wide-reaching geopolitical implications.

For example, on May 24, a report appeared on the official Qatari news agency’s website describing a variety of statements made by the emir of Qatar, including tensions with U.S. President Donald Trump, a desire for friendship with Iran, and praise for both Hamas militants and the leader’s relationship with Israel.

The statements received widespread attention, but Qatari officials claimed they were false — a claim now backed by the FBI, which believes the fake news operation and subsequent diplomatic crisis was orchestrated by Russian officials. The New York Times described the incident as “the opening skirmish in a pitched battle among ostensible Gulf allies.” The Times also reported that the false comments led to Saudi Arabia and U.A.E. rallying dependent Arab states to cut off diplomatic relations, travel, and trade with Qatar, as well as the fracturing of the American-backed alliance against the Islamic State and Iran.

Other Russian-tied disinformation campaigns have been more subtle. Citizen Lab recently detailed a series of “tainted leaks” tied to documents stolen from journalist David Satter. Satter had his email account compromised in a targeted phishing attack in October 2016, and those emails were then selectively modified and “leaked” on the blog of CyberBerkut, a pro-Russian hacktivist group. The modified documents were designed to both cause the programs they examined to appear more subversive of Russia than they actually were as well as to discredit specific opposition individuals and groups critical of Russian President Putin and his confidants.

Both incidents are yet another example of how much impact a disinformation campaign mixed with a little bit of hacking can have on governments around the world. As the Times warned, “Any country can get in the game for the relatively low price of a few freelance hackers.”

Motivated actors could use similar tactics to impact specific organizations with tainted data leaks. A single fake email — or even a few lines modified in a legitimate email — could easily be slipped into a larger dump and then shared with news outlets. That could lead to a crisis similar to the one facing Qatar, where leaders are forced to defend themselves against statements that were never actually made before those statements spread far and wide.

TheDarkOverlord Targets Entertainment Sector with Leak of Unaired ABC Show

On Monday, the extortion group known as TheDarkOverlord released the first eight episodes of ABC’s soon-to-be-aired television show “Steve Harvey’s Funderdome” on the torrent site The Pirate Bay.

The leak of the ABC show follows a similar failed extortion attempt and subsequent leak of the first ten episodes of Netflix’s upcoming season of “Orange is the New Black” on April 28. At the time of the Netflix leak, TheDarkOverlord claimed to have stolen hundreds of gigabytes of unreleased and non-public media from a studio — including a total of 37 different film and TV titles. That leak was then tied to Larson Studios, an award-winning audio post-production studio in Hollywood.

As a result, Monday’s leak was likely not a surprise to ABC. TheDarkOverlord has been tweeting about the theft since late April and The New York Times reported that the FBI began notifying the affected companies of the theft a month before that.

Who is TheDarkOverlord?

There isn’t much known about TheDarkOverlord as the group is very careful about exposing information that could relate to its members’ identities. This actor is smart and calculated but also has become bolder and more arrogant as evidenced in communication with recent victims — as well as very recently even setting up a help desk like hotline.

2017-06-07_TheDarkOverlordTargets — There have been dozens of targets publicly tied to data theft and extortion by TheDarkOverlord over the past year.

“Time to play another round,” the group wrote in a Pastebin post announcing the leak on Monday. “We’re following through on our threats as we always do. We firmly believe that honesty and determination are the two most important factors of any business.”

The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.

Communication with TheDarkOverlord has shown that there is likely more than one member of the group; however, the language utilized on the group’s accounts suggests that a single member is responsible for the managing the Twitter promotions as it has a common syntax. Generally, healthcare organizations (the group’s primary targets) are under-secured and TheDarkOverlord is taking full advantage.

How TheDarkOverlord Attacks Organizations

TheDarkOverlord favors exploits that allow remote desktop control of a network. The group has also taken data acquired by other actors and exploited the clients found in these breached databases. This shows that TheDarkOverlord is not only proactive with its own targeting, but also opportunistic with regards to the sensitive data of any organization that the group comes across and can and take advantage of — as evidenced by the recent pivot from targeting healthcare organizations to those in the entertainment industry.

2017-06-07_TheDarkOverlordGroups — TheDarkOverlord initially appeared to to focus on targeting healthcare organizations, but the group has since targeted a variety of other industry groups.

In regards to the targeting of entertainment brands, TheDarkOverlord discovered what may have been a softer target in the form of the post-production company Larson Studios, which is part of several major entertainment brands’ supply chain. TheDarkOverlord claims that it was able to exfiltrate numerous unreleased (still under production) media to use as leverage, although the group has only leaked two shows thus far.

As TheDarkOverlord moves from entertainment brand to entertainment brand with its extortion efforts, the actor is learning what impacted brands are willing to pay (if anything), and the group is then releasing the media publicly in order to harm the targeted brand financially for not giving into demands. “Orange is the New Black” was leaked a full six weeks before its June 9 premiere data, and “Steve Harvey’s Funderdome” was leaked six days before its June 11 premiere. Targeted brands are likely following the impact of releasing the unaired shows very closely.

Furthermore, TheDarkOverlord has a unique relationship with the media. By garnering media attention, the group builds its reputation and applies pressure to the organizations it wishes to extort. There have been reports that TheDarkOverlord first contacts its exploited entity and demands a ransom. Once the entity refuses, the actor then lists the heathcare database on TheRealDeal Marketplace or releases entertainment media publicly and alerts the media to its presence.

Past activity has shown a slight shift in tactics as TheDarkOverlord has breached an organization and followed that up by sending the victim, along with particular media figures who request it, a sample of the data. By involving security reporters and bloggers, TheDarkOverlord lends credibility to its work while causing panic in consumers who might be associated with the breach. Consumers’ dissatisfaction will also add pressure to the extorted entities to provide ransom payment to the actor for the stolen data.

Weekly Cyber Risk Roundup: Chipotle and Kmart Announce POS Breaches

Payment card breaches were back in the news this week as both Chipotle and Kmart announced point-of-sale breaches affecting a number of locations.

The Chipotle incident, which was first disclosed on April 25, appears to be the larger of the two breaches. A recent company update on the breach said it now includes most of the company’s 2,250 locations. The restaurants were affected by point-of-sale malware for various periods of time between March 24 and April 18.

The infection was made worse by Chipotle’s decision not to adopt EMV payment technology due to concerns that the upgrades would “slow down customer lines,” according to a recent class-action lawsuit filed over the breach.

The Kmart investigation is currently ongoing, so it’s unclear how many of the company’s 735 locations are affected; however, it may be less impactful than a similar point-of-sale malware infection in 2014 since all of Kmart’s stores were EMV ‘Chip and Pin’ technology enabled during the time of the most recent breach, the company said in its press release.

“We believe certain credit card numbers have been compromised,” Kmart’s parent company Sears Holdings said in a statement. “Nevertheless, in light of our EMV compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”

Other trending cybercrime events from the week include:

Top Secret information exposed to public: Top Secret information related to the U.S. National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD), was exposed to the public via an unsecured Amazon Web Services “S3” bucket that required no credentials to gain access. Security researcher Chris Vickery and other Upguard researchers said the now-secured data set points to NGA contractors Booz Allen Hamilton (BAH) and industry peer Metronome. The data discovered included information that would ordinarily require a Top Secret-level security clearance from the DoD as well as plaintext credentials that granted administrative access to at least one data center’s operating system and what appeared to be Secure Shell (SSH) keys of a BAH engineer.
Healthcare breaches due to unauthorized sites, third-parties: Children’s Mercy said that patient information was compromised due to an unauthorized website operated by a physician that was created as an educational resource but did not have proper security controls in place. Adventist Health Tehachapi Valley said that 714 patients who used its vendor Fast Health to pay bills online to Tehachapi Valley Healthcare District and Adventist Health may have had their payment card details compromised due to unauthorized code on a server that was designed to capture payment card information.
Extortion attacks continue: A hacking group calling themselves “Tsar Team” has published more than 25,000 private photos and other personal data from patients of the Grozio Chirurgija clinic in Lithuania. The hackers broke into the servers of the cosmetic surgery clinic earlier this year and demanded ransoms from the clinic’s clients in more than 60 countries around the world. The blackmail ranged between €50 and €2,000 worth of bitcoin, authorities said, with nude photos, passport scans, and other sensitive data being used to ramp up the ransom demands. A hacking group known as “RavenCrew” has claimed responsibility for the hack of customer data from the ticketing platform Qnect and subsequent SMS messages that were sent to the company’s customers urging them to pressure co-founder Ryan Chen and chief technology officer Ruslan Starikov into paying the ransom. It’s believed the hackers may have exploited a security hole recently noticed by a customer.
Other notable breaches: OneLogin, a company that allows users to manage logins to multiple sites and apps all at once, announced it had experienced a breach that impacts all customers served by the company’s U.S. data center. Old Mutual said the personal information of “a relatively small group” of customers in South Africa was compromised due to unauthorized access to one of its systems. Camberwell High School in Melbourne announced a data breach due to a student gaining unauthorized access to the school management software Compass and accessing the personal information of families. The incident is similar to a breach at Blackburn High School involving the Compass system that occurred two weeks ago. Augusta University said that a phishing attack led to unauthorized access to faculty email accounts and that as a result less than one percent of patients had their personal information exposed.

Cyber Risk Trends From the Past Week

TheShadowBrokers continued to make headlines over its new subscription exploit service this past week. The hacking group said that it will release its first “dump” of planned monthly exploits and/or data to its subscribers in early July – for approximately $24,000.

Those who want to join the dump service must pay 100 ZEC (Zcash) by the end of June. The group said it has not yet decided what will be in its first dump, although it previously teased that such dumps could include:

web browser, router, and handset exploits and tools,
select items from newer Ops Disks, including newer exploits for Windows 10,
compromised network data from more SWIFT providers and central banks,
and compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

The group wrote that the monthly dump service is “for high rollers, hackers, security companies, OEMs, and governments.”

After TheShadowBrokers’ announcement, a crowdfunding campaign was started to help researchers and organizations purchase the upcoming July exploit dump; however, two days later the researchers behind the effort, England-based security researcher Matthew Hickey (aka Hacker Fantastic) and the French security researcher known as x0rz, cancelled the campaign citing legal reasons.

“What we tried with @hackerfantastic was a bet we could somehow get early access to help vendors and open-source software fix the bugs before any public release, that means making the 0days a little less toxic that it could have been if released (from 0day to 1day, still powerful but less efficient),” x0rz wrote. “I guess now we should only spectate what will happen next, like we did before. It’s unfortunate but that’s the way it ought to be.”

x0rz believes that TheShadowBrokers may still publicly release the dump because the group is “not here for the money and are really just seeking media coverage.” However, we’ll all have to wait until next month and see exactly what the group has to offer and – if it follows through on its promise – how damaging its monthly exploit and data dumps can potentially be for organizations.

Preparedness & Cyber Risk Reduction Part Two: Preparedness and Operational Planning

In part one of this blog series, “Introduction to the Preparedness Cycle,” we took a general look at threats, risks, and preparedness. Recognizing that there will be undesired threats that develop into disruptions and other “unwanted outcomes” impacting our organizations’ people, information, operations, and/or facilities, we want to be ready and resilient — ideally preventing the incidents, but more likely trying to minimize their impacts and facilitating a quick return to normal operations. To support that, we can apply a deliberate process of preparedness to address our threats, physical and cyber, and reduce our risks – the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.”

We defined preparedness as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response. This post addresses the first step – planning. There are actually two important aspects to planning – Preparedness Planning and Operational Planning — and ideally, an organization will do both.

Preparedness Planning

There are a number of ways to mitigate risks. In some instances, we assess the risk as low or the cost of mitigation as too much, and we decide not to do anything at all, accepting the risks and moving on. In some cases, we get insurance to help manage the potential consequences of an incident. In some cases, we determine to take preparedness actions to decrease risks. In those cases, preparedness – planning, as well as training and exercises – needs to be thought of like insurance in that you don’t pay insurance once and stop. You pay it month in and month out, use it or not. Same thing with preparedness. It needs to be scheduled and recurring. Plan for it, do it regularly, keep doing it. With our insurance bill, we plan for it, allocating time and resources to make sure we pay it. Again, with preparedness, we need to plan our activities and set aside the time and resources to conduct them.

Ideally, organizations will have a preparedness champion who can help develop and maintain a multi-year training and exercise program. This program – informed by a prioritized assessment of risks — should detail a training schedule and progressively challenging exercises over a few years’ period. Its not set in stone and needs to be flexible enough to be updated as threats evolve and risks are regularly reassessed. However, the near events should be locked in, with events further away scheduled, but tentative, pending confirmation or refinement. Developing a multi-year preparedness program helps protect time and allows leaders to plan for and commit funding to support the activities. Even if the details of an event change, the time and resources will be there.

In cyber preparedness, we may, for example, assess that our greatest risk is a significant data breach. And let’s say Johnny has been assigned as our Preparedness Champion. Johnny, taking his task seriously, investigates and finds that there is no plan for responding to a data breach. As such, he determines this is a priority. He talks to his leadership team and they determine that their goal is to have a validated process for responding to a data breach in 18 months. Wait, what — 18 months?!? Well, as with insurance, most of us don’t make one payment annually, we break it out over a manageable schedule and period of time. To be realistic, preparedness has to be approached similarly. Now, priority efforts may be addressed more aggressively, and some things taken much slower, but that is a decision that leaders need to weigh in on – informed by a sound understanding of the threat environment and based on a prioritized assessment of risks. For example, after the recent WannaCry outbreak, some leaders may be reassessing their patching processes and wanting to fast track and exercise new processes and procedures. Returning to our champion, Johnny develops a series of activities to plan, train staff, and exercise the data breach response plan, through a series of scheduled, progressive activities going from developing a plan, to conducting staff training, to a series of increasingly challenging exercises – a tabletop exercise, a drill, and a full-scale response – all completed within the specified 18-month period. Johnny documents his plan, gets leadership approval and resources, and executes, leading his team to the desired state of readiness by the required suspense. Good job, Johnny!

Operational Planning

This is the actual development of plans and procedures. There are different levels of planning and though they may sometimes be given different names, the four basic types of planning are: strategic, operational, tactical, and, contingency. Some may have additional steps, use different names, or stack them in a different order. For purposes of simplicity, we’re not going to address strategic planning, and for this discussion we’ll roll the rest up under operational planning – which in this context I mean as the development of plans and procedures. This is when the organization develops the plans and procedures that they will use to train their personnel and from which they will actually base their response actions. The National Incident Management System notes that, “All emergency management/response personnel and their affiliated organizations should develop procedures and protocols that translate into specific, action-oriented checklists for use during incident response operations.”

To develop his plans, procedures, and checklists, Johnny didn’t know where to start. So, he did the smart thing and looked for viable templates that he could work off, such as those provided by the Federal Trade Commission or the European Union Agency for Network and Information Security. He refined these plans to fit his organization, their people and capabilities. Along the way, Johnny also conducted several interviews to inform his draft plan. And, while we’re not at the part of this series addressing exercises yet, Johnny was. He even conducted a tabletop exercise to validate his draft plan! We’ll come back to that in part five of this series. When he was done, Johnny was able to provide his coworkers with a well thought out, validated data breach response plan and corresponding actionable checklists.

An important note, there are too many variables for any organization to address every possible threat or variation of an incident. In both physical and cybersecurity, and for pandemics and other threats — it is great to have detailed plans and protocols. However, no organization can get to a 100% solution for every situation. Having plans is important but so is building in flexibility and innovation. After hearing from some of the more experienced team members, Johnny developed a basic incident response plan, accepting that he and his co-workers would have to be able to adjust to the reality of events “on the ground.” Your plan is almost never going to be based on the exact situation you find yourself in. Plan well, be deliberate, but also be prepared for a little bit of backyard football, being able to make game time decisions when needed. Matt Stafford’s coaches don’t tell him to throw that sidearm ball, but sometimes, he has to adjust to get the ball in his receiver’s hands. Know the right form, but be ready to toss the sidearm when you have to.

In the next installment of this series, we’ll take a look at the next step in the Preparedness Cycle – organizing and equipping.