July 2017 – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: UniCredit Breach and Two Swedish Officials Resign

The Italian bank UniCredit was among the week’s top trending cybercrime targets after the bank announced it had been the victim of two separate data breaches affecting approximately 400,000 customers who had taken out personal loans.

The first breach occurred between September and October 2016, and the second breach occurred between June and July 2017, UniCredit wrote it its press release. The breaches occurred “due to unauthorized access through an Italian third party provider” and resulted in personal information and international bank account numbers being compromised.

Bloomberg, which described the incident as “one of the biggest breaches of European banking security this year,” reported that both breaches were only discovered this past week.

Daniele Tonella, the CEO of UniCredit Business Integrated Solutions, said that while conducting checks the IT department discovered that some users from an external commercial partner were accessing client data. Tonella said the bank quickly moved to block the access and has since upgraded the system.

UniCredit said that it is investing €2.3 billion in upgrading and strengthening its IT systems as part of its “Transform 19” plan.

Other trending cybercrime events from the week include:

Payment card and bitcoin thefts announced: The Galt House Hotel is notifying patients that it discovered malware on its point-of-sale systems and that customers who used their cards at the hotel between December 21, 2016 and April 11, 2017 may have had their information compromised. Newcastle University is warning that a fake website is using its brand and duping students into handing over their payment card information and other personal details in order to sign up for fake courses. Police arrested a man who claims to have used malware to steal between $40 million and $50 million worth of bitcoin. According to court documents, the man said he wrote software that simulates the code used to create bitcoin wallets and then distributed that software via certain internet forums. The software would steal bitcoin keys by replacing other people’s wallets with the attacker’s wallets during transactions.

New ransomware announcements: The Groundlings Theatre said that an email containing a fake invoice led to a ransomware infection that encrypted 54,000 files. The company said it paid the £300 ransom demand to recover the files and that it should take about four weeks to fully recover all of them. Plastic Surgery Associates of South Dakota is notifying patients that their information may have been compromised due to a ransomware infection on February 12, 2017. The Women’s Health Care Group of PA said that malicious actors exploited a security vulnerability to gain access to its systems as far back as January 2017 and that led to a ransomware infection and the potential compromise of patient information.

More accidental disclosures: Sutton Council in the UK published an unredacted spreadsheet on its website that listed the names and payments issued to hundreds of individuals who received over £500 in benefits such as disability, adoption, fostering allowances, day care respite, and special needs education. BlueCross BlueShield of Tennessee said that 657 employers’ group benefit administrators were sent information meant for other companies due to a computer glitch. As a result, 2,100 individuals had their personal information compromised, including member names, dates of birth, plan type and coverage dates, and member identification numbers.

Other notable incidents: A dark web user is selling 40 million voter records from 9 different states and has hinted that he may possess records for an additional 20 to 25 states. More than 5.5 million Social Security numbers were stolen in the previously reported March 2017 data breach of America’s Job Link Alliance-TS. The University of Vermont Medical Center is notifying 2,300 patients that their information may have been compromised due to a phishing incident that led to an unauthorized third party gaining access to an employee email account. A North American casino had its Internet-connected fish tank compromised, and the attacker used that access to move laterally to other places in the network. The supermarket chain Loblaws said that a “small number of user accounts” were affected by “unauthorized online activity” and is asking users to reset passwords.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Two Swedish officials have resigned following criticism over a large data breach that may have compromised classified information as well as the sensitive personal data of citizens.

According to The New York Times, the breach was due to a lack of adequate safeguards being adopted when the Swedish government entered into an outsourcing agreement with IBM Sweden to manage vehicle registration and driver’s license databases back in April 2015. The nearly $100 million agreement lacked certain safeguards, the Times reported, which allowed unauthorized personnel at IBM subsidiaries in Eastern Europe to access large amounts of sensitive data such as details about Sweden’s infrastructure and the identities of people working undercover for the Swedish police and the Swedish security service.

Last Thursday, Swedish Prime Minister Stefan Löfven announced the resignation of Anders Ygeman, the Minister of Home Affairs, and Anna Johansson, the Minister of Infrastructure. Politico reported that Defense Minister Peter Hultqvist will not resign, despite demands from the opposition that he do so.

News of the leak first began to spread earlier this month after the Transport Agency’s former director general Maria Agren, who had been fired in January, was fined 70,000 Swedish krona ($10,700) for mishandling confidential information, The Sydney Morning Herald reported. Anders Thornberg, the head of Sweden’s security service, said that that while inadequately protected information must be considered breached, the data may not have been compromised due to that inadequate protection. However, Thornberg also said that the incident was “very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.”

The Times reported that results from a preliminary investigation revealed at least three unauthorized people in the Czech Republic had full access to the sensitive databases.

Leaked Exploits Have Fueled Cybercrime So Far in 2017, Says New Report

Leaked exploits and increased cybercrime-as-a-service offerings — along with the expanding digital footprints of organizations — helped to fuel cybercrime in the first half of 2017, according to a mid-year threat intelligence report from SurfWatch Labs.

The global outbreaks of WannaCry and NotPetya have dominated headlines so far this year. Although vastly different from the record-setting, Marai-powered DDoS attacks that disrupted services in the second half of 2016, the report noted that those events share a similar root cause: leaked exploits and source code.

Download the report: “Leaked Exploits Fuel Cybercrime: State-Sponsored Exploits and Cybercriminal Services Empower Malicious Actors.”

“A year ago, our mid-year report showed the interconnectedness of cybercrime through extensive supply chain hacks and compromised IoT devices,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Find one weak link and maximize it for all it’s worth was the name of the game then … and that still happens today with even more evidence of how the criminal ecosystem maximizes efforts through shared resources, skills for hire and, sometimes, outright theft.”

CF_Types — SurfWatch Labs collected data on close to 4,000 different industry targets in the first half of 2017 across a variety of categories. The main categories – data breaches, cyber-attacks, illegal trading, vulnerabilities, advisories, and legal actions – are shown in the chart above, with larger circles indicating more threat intelligence activity for that target.

The leaked exploits and data from the NSA and CIA have received the most attention, but there was a wide range of other malware and source code leaks that could have consequences for organizations moving forward, such as:

the sale of the Kraken source code used in MongoDB and ElasticSearch extortion attacks;
the release of the Nuclear Bot (NukeBot) banking Trojan’s source code;
the creation of the Android BankBot Trojan from a commercial Trojan’s leaked source code;
and reports that claimed various malicious actors used tools leaked from surveillance company HackingTeam or created by Israeli cyber arms dealer the NSO Group in targeted attacks.

Just last week researchers reported that attackers were using modifying versions of NukeBot to target banks in France and the U.S.

“Much like leaked personal data, once those vulnerabilities, exploits, and tools are exposed, they forever remain in the cybercriminal public domain,” SurfWatch Labs’ report noted. “[Events such as WannaCry and NotPetya] reaffirmed that the most dangerous data breaches often involve the theft of such tools and exploits – and the impact of that type of information being leaked can spread further, wider, and be more long-lasting than perhaps any other type of cyber incident.”

SurfWatch Labs collected cyber threat data from thousands of open and dark web sources and then categorized, normalized and measured it for impact based on our CyberFact information model.

Some notable takeaways from the mid-year threat intelligence report include:

WannaCry ransomware was the most talked about malware out of nearly 1,200 tags, accounting for 8.6% of all malware tags, followed by the Industroyer malware at 4.8%.
Crimeware trade was the most prevalent tag related to cybercrime practices as malicious actors continued to buy, sell, and trade tools on dark web markets and cybercriminal forums, as well as develop more cybercrime-as-a-service options.
The percentage of extortion-related activity observed in 2017 has more than doubled from 2015 levels and increased by more than 40% when compared to 2016 levels. More industry targets were publicly tied to ransomware and extortion over just the first half of 2017 than in all of either 2014, 2015, or 2016.
Cybercriminals expanded upon successful business email compromise (BEC) scams to implement more attacks. For example, more than 200 organizations reported W-2 data breaches due to phishing messages in the first half of 2017 – a rise from the 175 reported in 2016.
The percent of government cybercrime-related threat data collected by SurfWatch Labs more than doubled from the previous two periods (from 13% to nearly 27%), and government was the top trending overall sector for the time frame (followed by IT at 25% and consumer goods at 17%).
The CIA was the top trending cybercrime target of the period due a nearly weekly series of data dumps from WikiLeaks (followed by Microsoft, the NSA, Twitter, and England’s National Health Service).

“As we’ve repeatedly seen over the past few years, a major breach is rarely isolated, and information stolen or leaked from one organization can be leveraged to attack numerous other organizations,” Meyer said. “Whether it is personal information, credentials, intellectual property, or vulnerabilities and exploits, actors will build off of that hard work and the previous success of other actors by incorporating that information into new campaigns.”

Read the full, complimentary report: http://info.surfwatchlabs.com/cyber-threat-trends-report-1h-2017

Weekly Cyber Risk Roundup: Three Ethereum Heists and NotPetya Fallout Continues

The cryptocurrency Ethereum made numerous headlines this past week due to three separate multi-million dollar thefts: one due to a bug in the code of the Parity Ethereum client, one caused by a website hack that redirected funds meant for the Initial Coin Offering (ICO) of Coindash, and one tied to a hacker managing to steal VERI tokens during the ICO of Veritaseum.

The largest theft involved a bug found in the multi-signature wallet code used as part of Parity Wallet software, which led to 3 wallets being exploited and reports of more than 150,000 ETH (approximately $34 million) being stolen. As Parity noted, a total of 596 multi-sig wallets were vulnerable, but the vast majority of the funds in those wallets were commandeered by a group known as the White Hat Group in order to prevent the theft of an additional 377,000 ETH (approximately $85 million).

That theft followed an announcement from Coindash that an actor had managed to gain access to its official website during the company’s ICO and changed the text on the site to an ether wallet address likely controlled by the attacker — resulting in investors sending $10 million worth of Ether to the fraudulent address. The company’s developers said that “all CoinDash investors will get their tokens”; however, Coin Desk reported that individuals who made transactions after the website was shut down will not be compensated.

Finally, Veritaseum confirmed that a malicious actor stole $8.4 million worth of VERI tokens from the platform’s ICO on July 23. The attackers immediately resold the tokens during the “very sophisticated” attack. Not much was disclosed about the attack, but “there is at least one corporate partner that may have dropped the ball and be liable,” the company’s founder said.

Other trending cybercrime events from the week include:

More information exposed due to errors: Dow Jones & Company confirmed that at least 2.2 million customers had their data exposed due to an Amazon Web Services S3 bucket that was configured to allow any AWS “Authenticated Users” to download the data. In addition, the leak contained the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations. Security researchers discovered an insecure database owned by the data services company DM Print that had 31,000 records, including administrative credentials for the database. With that information, anyone could access highly sensitive health information such as names, date of births, NIN numbers, addresses, investment data, and more. Travel company Flight Centre said that the personal information and customer passports “relating to some leisure customers in Australia was accidentally made available to a small number of potential third party suppliers for a short period of time.”

Insider breaches: An employee at Bupa copied and removed insurance information relating to 108,000 international insurance plans affecting 547,000 customers. The company said the data included names, dates of birth, nationalities, and some contact and administrative information. Detroit Medical Center is notifying 1,529 patients of a breach at a contracted staffing agency where an employee provided their information to unauthorized individuals. The breach occurred between March 2015 and May 2016. The Nova Scotia Health Authority said that 337 patients had their personal health information accessed inappropriately in two separate incidents involving six employees.

More energy sector warnings: The UK’s National Cyber Security Centre (NCSC) warned that state-sponsored actors are targeting the country’s energy sector and that “a number of Industrial Control System engineering and services organisations” have likely been compromised. The warnings followed similar alerts from U.S. agencies about hackers successfully targeting U.S. energy companies. While other sectors have been targeted, the focus of the attacks are engineering, industrial control, and water sector companies, the NCSC said.

Other notable incidents: Domain name registrar Gandi said that an unauthorized connection that occurred at one of the technical providers it uses to manage a number of geographic TLDs led to 751 domains having their traffic forwarded to a malicious site exploiting security flaws in several browsers. There were 22 breach incidents in the Veterans Administration’s monthly reports to Congress between May 2016 and June 7, 2017, and only one of those breaches received any media coverage at the time, according to data obtained via a Freedom of Information Act request by databreaches.net. A dark web vendor going by the name “dnu2k” is selling data tied to dadeschools.net, k12.wi.us, and other “freshly hacked emails.” The latest dump of CIA documents from WikiLeaks involves contractor Raytheon Blackbird Technologies providing “Proof-of-Concept ideas and assessments for malware attack vectors” to the agency.

Cyber Risk Trends From the Past Week

The picture of the damage cause by the NotPetya global outbreak in late June continues to crystallize as more companies reveal the details and fallout of their infections.

For starters, FedEx said that some of the damage caused by the NotPetya attack may be permanent, particularly when it comes to TNT Express B.V., which FedEx acquired in May 2016. Some of TNTs customers were “still experiencing widespread service and invoicing delays” nearly three weeks after the NotPetya infection, according to SEC documents filed by FedEx.

“We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus,” FedEx wrote in its filing. That filing listed more a dozen types of costs and damages potentially resulting from the incident — ranging from operational disruption to remediation to permanent customer loss to litigation.

In addition, the France-based Compagnie de Saint Gobain SA said that a preliminary assessment of the NotPetya infection estimated the incident would cost the company approximately 1% of first half sales. That equates to approximately €200 million as a result of the attack, The Street reported.

Earlier this month, The Guardian reported that Reckitt Benckiser, a British consumer goods company, may lose around €100 million due to NotPetya. In addition, Mondelez, the maker of Oreo cookies, said that the attack had disrupted shipping and invoicing during the last four days of the second quarter and that in a few markets the company had “permanently lost some of that revenue due to holiday feature timing.”

NotPetya may not have generated nearly as much extortion money as other ransomware — if that was even its intention to begin with — however, the global attack has proven quite impactful for numerous organizations so far. The second half of 2017 will likely see the total costs of the attack become more clear as other organizations reveal more details about how NotPetya affected their operations — and how the fallout from the attack has impacted the year’s financial projections.

AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals

On Thursday morning, the Department of Justice, Europol, and Dutch authorities announced a coordinated law enforcement takedown of AlphaBay and Hansa Market, two of the three largest dark web marketplaces used to buy and sell illicit goods and services.

AlphaBay has been offline since July 5, the same day that founder Alexander Cazes was arrested in Bangkok and a week before his apparent suicide. With the dark web’s most popular marketplace suddenly unavailable, many users turned to Hansa, a market that touted its security-focused approach. Unfortunately for those users, Dutch law enforcement had seized control of Hansa on June 20 following the arrest of two administrators in Germany, and law enforcement has been covertly monitoring the market’s activity over the past month.

The dark web markets AlphaBay and Hansa Market were both taken down in a coordinated law enforcement effort that was announced Thursday morning.

As Europol noted, this joint effort against the two markets helped to “magnify the disruptive impact” of the operation.

“It meant the Dutch police could identify and disrupt the regular criminal activity on Hansa but then also sweep up all those new users displaced from AlphaBay who were looking for a new trading platform,” Europol wrote in its press release. “In fact they flocked to Hansa in their droves, with an eight-fold increase in the number of new members of Hansa recorded immediately following the shutdown of AlphaBay.”

Database trade is the top trending cybercrime practice associated with Hansa Market over the past year, according to SurfWatch Labs’ data.

With both AlphaBay and Hansa Market now out of the picture, Dream Market is the reigning leader, according to SurfWatch Labs’ threat intelligence data.

How Cazes was Caught and AlphaBay Taken Down

Cazes, who was also known as “Alpha02” or “Admin” on the market, founded AlphaBay in 2014 and ran the site along with a team of eight to 10 individuals, according the unsealed indictment. Over the two-and-a-half-year period the site was operational, AlphaBay grew to become the largest dark web market in history and collected tens of millions of dollars in commissions.

When AlphaBay was shuttered in early July, it had approximately 370,000 listings for sale across various categories such as fraud, drugs, counterfeit items, software and malware, and more.

However, Cazes made numerous mistakes while running AlphaBay that other malicious actors will be paying close attention to, said SurfWatch Labs chief security strategist Adam Meyer.

“As I read the indictment detailing the AlphaBay takedown in particular, I see a list of mistakes being disclosed by the operators of the market that will certainly be scrutinized by criminal elements in order to ensure they are not repeated in future efforts,” Meyer said. “In similar ways that malware instances are shared, tweaked and reused, those who operate illegal marketplaces — or have the desire to due to its profitability — are certainly taking detailed notes for future efforts.”

As the court documents noted:

Cazes’ personal email, “Pimp_Alex_91@hotmail.com,” was included in the header of an AlphaBay welcome email that was sent to new users in December 2014. The email was also included in the header of AlphaBay password recovery emails sent in late 2014.
Law enforcement then discovered the email address belonged to a Canadian-born man named Alexandre Cazes with a birthdate of October 19, 1991.
A December 2008 post on the online tech forum “http://www.commentcamarche.com” was subsequently found in which a user going by the name “Alpha02” posted information in French on how to properly remove a virus from a digital photo. That post included both the name “Alexandre Cazes” and the email “Pimp_Alex_91@hotmail.com.”
The email addresses was also tied to a PayPal account registered in Cazes’ name.
When Cazes was arrested, law enforcement discovered his laptop open and in an unencrypted state, as well as logged into the server that hosted the AlphaBay site. While searching the computer they found several open text files with passwords for the AlphaBay site and servers, which allowed law enforcement to seize all the information and cryptocurrency on those servers.

At the time of his arrest, a financial statement on Cazes’ computer put his net worth at $23,033,975. Cazes attempted to justify his wealth through a front company called EBX Technologies, but the indictment noted that the company’s website “is barely functional” and that the company’s bank records show “little to no business income or banking activity.”

What’s Next for the Dark Web?

Dark web market takedowns are significant, Meyer said, but they’re also a part of the now-established cycle of popular markets being disrupted by law enforcement or exit scams only to have new markets rise in their absence.

“While the law enforcement take down of AlphaBay and Hansa are certainly heavily impactful to underground merchants, rest assured new marketplaces will be established and new protocols will be implemented,” Meyer said.

It was just a little over a year ago that the then-number-two most popular market, Nucleus Market, suddenly went offline in an apparent exit scam, helping to bolster both AlphaBay’s and Hansa’s user base. With those two markets now gone, Dream Market has become the temporary king, but that will likely change in the coming months as new markets and new operators step in to fill the void — until the cycle repeats again.

Weekly Cyber Risk Roundup: Big Telecom Leaks and AlphaBay Goes Offline

Massive database leaks were once again among the week’s top trending cybercrime targets, including incidents involving U.S. Verizon customers, France’s Orange S.A, and India’s Reliance Jio Infocomm.

The Verizon leak was caused by a third-party engineer at NICE Systems and affected as many as 14 million U.S. customers. The engineer appears to have created a publicly available Amazon Web Services S3 bucket that logged customer call data for unknown purposes. As a result, personal information, account information, and Verizon account PIN codes were potentially exposed. A Verizon spokesperson acknowledged the breach, but said only 6 million customers had their data exposed by the incident.

In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A., also a NICE Systems partner. However, the researchers said it “appears this internal Orange data is less sensitive.”

In addition, Reliance Jio Infocomm, an Indian telecom company with over 100 million subscribers, is investigating a potential incident after local news sites reported that names, telephone numbers and email addresses of Jio users were visible on a site called “Magicapk.” However, an initial investigation showed that Jio’s apps and websites were secure, ET Telecom reported. Last week the police brought in a suspect who was in possession of partial details of Jio subscribers, including their names, email IDs, alternate mobile phone numbers, and the dates of activation of SIM cards. That data may have been taken from a Jio retailer, since they have access to that type of subscriber data, the deputy commissioner of police for Navi Mumbai said.

Other trending cybercrime events from the week include:

More payment card breaches: A breach of Avanti Markets internal networks allowed malicious actors to push malware to self-checkout devices used in corporate break rooms, and as a result payment card information may have been compromised. Avanti said that it believes the malware was only active between July 2 and July 4 of this year. B&B Theatres, which operates 50 locations across seven states, discovered a point-of-sale breach that appears to date back two years. A recent alert estimated the window of exposure of the breach to be between April 2015 and April 2017. Real Estate Business Services (REBS) notified 1,033 California Association of Realtors members that their personal and payment card information may have been stolen when the online store they use was compromised with malware. The infection occurred between March 13 and May 15.

Medical information exposed: The County Commissioners Association of Pennsylvania (CAAP) said that the details of approximately 1,800 child welfare cases were exposed online by third-party vendor Avanco International. University of Iowa Health Care is notifying 5,292 patients that a limited set of their protected health information was “inadvertently saved in unencrypted files that were posted online through an application development site” and exposed for nearly two years. A former employee of the St. Charles Health System is accused of the unauthorized access and viewing of thousands of patient records.

More ransomware infections: Community Care of St. Catharines and Thorold in Ontario had its systems infected by NW4 ransomware, which demanded a $3,000 ransom payment. A Community Care spokesperson said that it backs up its data regularly so there was no need to pay the extortion. However, it still took nearly a week for Community Care to restore full access to its computers, and some data that was not captured in the most recent backup was lost. The dental office of Dr. Douglas Boucher, DDS, and Dr. Andrea Yaley, DDS, is notifying patients of a ransomware attack that may have compromised their patient information. The office said that its computer systems were believed to have been hacked around May 19, 2017, and on June 2 it received a ransomware notice. Records were restored from a backup; however, the office said the hacker did access its email system and may have accessed its patient dental health records.

Other notable incidents: A hacker going by the name Dhostpwned was able to use a PHP shell to compromise the dark web hosting provider Deep Hosting and said he obtained “the majority” of files and SQL databases on the server. An employee at the Australian Tax Office (ATO) published an ATO guide on how to hack mobile phones that included instructions on how to bypass passwords and obtain data even if the phone battery is depleted and it does not have a sim card. A Russian-born cybercriminal living in Los Angeles was sentenced to 110 months in prison for running a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.

Cyber Risk Trends From the Past Week

The dark web marketplace AlphaBay has been taken down in a law enforcement raid and one of the alleged leaders of the site has been found dead in his Thai prison cell in an apparent suicide.

(See “AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals” for more information.)

As SurfWatch Labs has noted in the past, AlphaBay was by far the largest and most popular dark web marketplace before it suddenly went dark earlier this month, leading concerned users to speculate if its owners had either been arrested or performed an exit scam. It is not uncommon for dark web markets to disappear without notice. However, AlphaBay had built up a reputation for reliability and become the undisputed king of the dark web marketplaces over the past two years.

Alexandre Cazes, the man who committed suicide in his jail cell, is alleged to be the operator of AlphaBay known as “Alpha02.” U.S. authorities issued a warrant for Cazes arrest on June 30, and he was arrested in Bangkok on July 5, the Bangkok Post reported, the same day the dark web market suddenly went offline. Arrangements were being made for his return to the United States to face charges when Cazes reportedly used a towel to hang himself.

Wired reported that conservative estimates put AlphaBay’s daily transactions between $600,000 and $800,000 a day. With the site suddenly gone, a significant percentage of the cybercriminal ecosystem is now in search of a new home. That influx of traffic forced the dark web market Hansa to close its doors to new businesses due to “technical issues.” Users of Dream Market also reported issues accessing the site following AlphaBay’s takedown.

The next few months will certainly be an interesting time on the dark web as those users look for a new place to buy, sell, and trade their goods and services — and as the story and fallout around the takedown begin to take shape.

Weekly Cyber Risk Roundup: Cryptocurrency Wallets Emptied and a Dozen Power Plants Breached

Cryptocurrency theft was among the week’s top trending cybercrime practices due to users at both South Korean cryptocurrency exchange Bithumb and Classic Ether Wallet reporting that their digital currency wallets were emptied due to cyber-attacks.

Bithumb reported that one of its employees personal computers had been hacked in February 2017 and that the personal details of 31,800 Bithumb website users (about 3 percent of total users) had been compromised as a result. The stolen data included users’ names, mobile phone numbers, and email addresses. The exchange said there was no direct access to funds stored on the exchange; however, it appears the attackers were able to use the contact information to carry out phishing attacks against Bithumb users in order to obtain the one-time passwords needed to gain access those users’ funds.

One user reported losing as much as 1.2 billion won ($1.04 million) in the attack. Bithumb said shortly after the attack that it would pay up to 100,000 won ($87) to victims. Additional compensation will be available once individual losses are verified, the company said, but it is unclear if victims will be fully reimbursed.

Users of the Classic Ether Wallet also reported having their wallets emptied earlier this month. That theft appears to be due to a malicious actor managing to socially engineer the service’s German hosting provider 1&1 into handing over access to the domain. The actor then switched the site’s settings to direct the funds to his or her own malicious server. Multiple users who visited classicetherwallet.com and provided their private key while the site was in control of the fraudsters reported that they had their account emptied. Exact losses due to the incident is unclear, but some media outlets reported it could be nearly $300,000 worth of Ethereum Classic cryptocurrency.

Other trending cybercrime events from the week include:

Large databases exposed: Two databases containing the personal information of 3 million WWE fans were exposed to the Internet without requiring a username and password. The data included names, email and physical address, educational background, earnings, and ethnicity. UK car insurance company AA exposed the sensitive information of over 100,000 customers due to insecure database backups related to AA’s online store and never informed those customers of a breach, Motherboard reported. The database obtained by Motherboard included 117,000 unique email addresses, names, physical and IP addresses, details of purchases, and payment card information such as the last four digits of the card and its expiration date.

Insiders lead to extortion, theft: A former Dentons litigation associate in Los Angeles has been charged with extortion over allegedly demanding that his former law firm pay him $210,000 and give him a piece of artwork or else he would leak sensitive data to the Above the Law blog. According to court documents, the man accessed confidential information when one of the firm’s partners gave him access to his email while working a case. A crime analyst with the Smyrna Police Department was charged with 31 counts of computer theft over the alleged theft of information without authorization, including the driver’s licenses and mobile data of 28 victims.

Sabre confirms breach affecting multiple companies: Sabre said its investigation into a previously disclosed breach found that an unauthorized party was able to use compromised account credentials to gain access to payment card information and certain reservation information for a subset of hotel reservations processed through the SHS SynXis Central Reservations system. The breach occurred over a seven-month period from August 2016 to March 2017. Sabre said it notified partners and customers that use the reservations system, as well as some travel management companies and travel agencies that booked travelers that may have been affected. Sabre did not disclose the total number of individuals affected by the breach.

Other notable incidents: A Georgia men pleaded guilty to charges related to a BEC scam that defrauded Sedgwick County out of $566,000. Anonymous Bulgaria has leaked files from the Azerbaijan Embassy in Bulgaria that claim Silk Ways Airlines has carried tens of tons of heavy weapons and ammunition headed to terrorists under the cover of 350 diplomatic flights. Cove Family & Sports Medicine said that a ransomware infection encrypted medical records as well as a portion of its backup records. Walnut Place said that while it was investigating a previous ransomware infection it was affected by a second ransomware incident. Medicaid members in Indiana are being warned that their patient information was potentially accessible between February and May of 2017. Wooster-Ashland Regional Council of Governments said that its computer network as breached on May 26 and more than 200,000 records were compromised. The Simcoe County District School Board is warning parents of a potential privacy breach at Collingwood Collegiate Institute involving their email addresses and phone numbers.

Cyber Risk Trends From the Past Week

Russian state-sponsored hackers are responsible for recent cyber-intrusions into the business systems of U.S. nuclear power plants and other energy companies, government officials said. It is the first time Russian government hackers are known to have compromised the networks of U.S. nuclear plants, the officials added.

The statements followed a joint alert from the FBI and Homeland Security at the end of June that warned APT actors were targeting employees in the energy sector with phishing messages and watering hole attacks designed to harvest credentials that could be used to gain access to victims’ networks. The attackers were observed sending highly targeted messages to senior industrial control engineers containing fake resumes for control engineering jobs, as well as compromising websites commonly visited by their target victims and deploying man-in-the-middle attacks.

There is no evidence of any breaches or disruptions of the cores systems controlling operations at the plants, The Washington Post reported. Instead, the focus appears to be on systems dealing with business and administrative tasks, such as personnel. The New York Times reported that the joint DHS and FBI report concluded that the hackers appeared determined to map out computer networks — potentially with a goal of carrying out more destructive attacks in the future. Bloomberg reported that at least a dozen power plants had their networks breached by the APT actors, including the Wolf Creek nuclear facility in Kansas.

“There was absolutely no operational impact to Wolf Creek,” a spokeswoman for the nuclear plant said. “The reason that is true is because the operational computer systems are completely separate from the corporate network.”

However, as we’ve seen in attacks just this week, potentially compromised personnel and business data could be leveraged in future targeted phishing messages to gain more information or access — or to find a weak point or an individual that may be leveraged for future attacks.

Weekly Cyber Risk Roundup: Banks Threatened with DDoS Attacks and Researchers Investigate NotPetya

South Korean financial institutions dominated the week’s top trending targets due to a series of extortion demands that have threatened distributed denial-of-service (DDoS) attacks unless those institutions pay between 10 and 15 bitcoins ($24,000 to $36,000) in ransom each.

At least 27 financial institutions received the extortion demands from a group claiming to be the Armada Collective, including major banks, security companies, and the Korea Exchange, the Korea Joongang Daily reported. It is unclear if the group behind the threats is associated with the real Armada Collective, or if it is yet another group that is attempting to leverage the popular extortionists identity in order to gain credibility. In early 2016, a group was able to successfully extort more than $100,000 by threatening DDoS attacks under the Armada Collective name — but researchers concluded that specific threat was empty and the group never actually carried out any attacks — despite being profitable.

According to The Korea Times, the group carried out a small attack last Monday on the Korea Financial Telecommunications & Clearings Institute (KFTC), Suhyup Bank, DGB Daegu Bank, and JB Bank — with a promise of more powerful attacks to come in the future if the institutions do not pay their ransoms by the July 3 deadline. The DDoS attacks did not disrupt any services, the Times reported, and the small DDoS attack against KFTC last Monday lasted for only 16 minutes. Previous extortion campaigns have seen groups using a similar tactic of small DDoS attacks to prove they have some capability and lend credibility to their threats; however, the full capabilities of the group behind the most recent demands is unclear.

It is possible that the group is simply looking for easy blackmail targets following the recent $1.1 million dollar ransom payment that was made by South Korean web hosting firm Nayana. Researchers had previously speculated that the large ransom payment could lead to more South Korean organizations being targeted.

Other trending cybercrime events from the week include:

Attackers target government: Dozens of email accounts belonging to members of parliament and peers were breached during “a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.” A hacker going by the name “Vigilance” said that he gained access to 23 state of Minnesota databases and was able to steal 1,400 email addresses and some corresponding “weakly encrypted” passwords. The hacker then published the information in protest of the police officer charged with killing Philando Castile being found not guilty. Multiple government websites were defaced with pro-ISIS propaganda and a logo saying the hack was carried out by “Team System DZ.”

Organizations expose more data: The personal information of 2,200 Aetna customers in Ohio and Texas was compromised due to their data being “inappropriately available for a period of time.” Corpus Christi Independent School District said that it is notifying 6,100 individuals that employee names and Social Security numbers from late 2016 through early 2017 were inadvertently made visible online. The Campbell River School District is warning parents and guardians of Timberline Secondary students that their personal information may have been “inappropriately accessed” due to a file being left on a shared drive that students and staff could access. Users of the UK government’s data dashboard, data.gov.uk, were asked to change their passwords after a file containing their names, email addresses, and hashed passwords was left publicly accessible on a third-party system.

Disgruntled employees harm employers: A Pennsylvania man has been sentenced to one year and one day in prison for hacking and damaging the IT networks of several water utility providers across the U.S. East Coast. A disgruntled employee led to a breach of Professional Counseling and Medical Associates’ electronic health records system. The FBI said a former employee of Transformations Autism Treatment Center tried to hack into the company’s computer system and steal the personal information of autistic children.

Other notable incidents: Internet radio service 8tracks said that a copy of its user database has been leaked, including usernames, email addresses, and SHA1-hashed passwords. The full leaked dataset includes around 18 million accounts. Information security consultant Paul Moore reported a data breach involving Kerv after he received both an email from an “anonymous” Kerv user that “had inside information which wouldn’t otherwise be available” and admin credentials from a Tor address. Acting State Supreme Court Justice Lori Sattler told police that she was scammed out of $1,057,500 when she responded to an email impersonating her real estate lawyer and wired the money to an account at the Commerce Bank of China. Two men who are suspected to be part of an international group that hacked into Microsoft’s network in early 2017 have been arrested by British police.

Cyber Risk Trends From the Past Week

One of the biggest stories that occurred last week was the spread of a ransomware/wiper malware known as NotPetya.

The outbreak was similar to May’s quick spread of the WannaCry ransomware, and those that were infected across the Ukraine, the UK, the Netherlands, India, Spain, Denmark, and elsewhere were shown a ransom demand asking for $300 in bitcoin along with contact details. However, various researchers quickly concluded that the intention behind the attack was likely disruption, not monetary gain.

Previous versions of similar ransomware like Petya used a personal infection ID that contained crucial information for the key recovery, Kaspersky explained in its analysis. However, the NotPetya malware uses randomly generated data in place of that personal key. That means that the attackers have little hope of actually recovering their data, even if they wanted to do so.

As Ars Technica noted, other researchers have come to similar conclusions about NotPetya. Matt Suiche of Comae Technologies concluded that the ransomware aspect of NotPetya may a have been a front to push the media narrative towards the attacker being an unknown cybercriminal group rather than a nation-state attacker with data destruction in mind.

The head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection agreed with that assessment, saying “I think this [NotPetya malware] was directed at us” and that the event was definitely not a criminal attack, but likely a state-sponsored one carrying over from Ukraine’s ongoing cyberwar with Russia. That theory is not confirmed, but as SurfWatch Labs noted, “strong evidence points to the attack beginning with the hacking of the Ukrainian accounting software MeDoc where the automatic update feature was used to download the worm.”

Ukraine’s security service SBU announced that a number of international organizations are helping to investigate the NotPetya attacks and identify the culprits, so more information about the attacks will likely be announced in the near future.