Weekly Cyber Risk Roundup: HBO Hackers Promise More Leaks and Dark Web Vendors Reuse Passwords

HBO was among the week’s top trending cybercrime targets as malicious actors claimed to have stolen 1.5 terabytes of company data and subsequently leaked upcoming episodes of “Ballers,” “Room 104,” “Insecure,” and the unaired comedy “Barry,” which is scheduled to air in 2018. The hackers also leaked the script for Sunday night’s episode of Game of Thrones before it aired, as well as the apparent personal information and account details of a senior HBO executive.

2017-08-04_ITT.png

In a separate incident, Sunday night’s episode of Game of Thrones was leaked several days early and spread via torrent sites due to an incident at distribution partner Star India, which published the episode early on its official website before removing it shortly thereafter.

The actors behind the HBO breach initially teased that more leaks were “coming soon.” Later, someone claiming to represent the group told The Hollywood Reporter that additional leaks would occur on Sunday; however, the contact then said the leaks would be delayed “because of some new buyers.”

“Some of HBO’s top competitors are negotiating with us for buying the dump,” the contact wrote in an email. “The deal are near to close. Poor HBO never rise again.”

As THR pointed out, it’s unlikely HBO’s direct rivals would purchase the stolen data. Variety reported that the hackers appeared to have accessed thousands of internal documents, employee data, and possibly internal corporate email. CEO Richard Plepler notified employees that the incident “resulted in some stolen proprietary information, including some of our programming.” However, CNN reported that HBO does not believe the company’s email system as a whole was compromised, despite THR’s contact alleging that they still have “full access to their webmails.”

2017-08-04_ITTGroups

Other trending cybercrime events from the week include:

  • Airlines issue warnings: Virgin America notified employees and contractors that their information may have been compromised due to a network intrusion first detected on March 13, 2017. The unauthorized access may have compromised the login credentials of approximately 3,120 employees and contractors, as well as the personal information of 110 employees. Malicious actors have leaked data allegedly tied to Spirit Airlines Free Spirit accounts after a failed extortion attempt against the airline. Spirit said that the actor attempted to extort the company using previously compromised email addresses and passwords from other data breaches. Canadian airline WestJet announced that the profile data of some WestJet Rewards members has been disclosed online by an unauthorized third party. WestJet did not indicate what data was leaked or how many customers were affected.
  • #LeakTheAnalyst operation targeting researchers: A hacking group going by the name “31337 Hackers” leaked data belonging to a security researcher working for FireEye’s breach investigation unit Mandiant, and the group also may have gained access to the researcher’s Hotmail, OneDrive, and LinkedIn accounts. The data appears to be stolen from the researcher’s personal computer, and there is “no evidence that FireEye or Mandiant systems were compromised,” FireEye said. The group said the leak is part of a larger operation that is targeting security researchers, dubbed “#LeakTheAnalyst.”
  • New data breaches: Health insurer Anthem said that 18,500 customers’ personal and medical information may have been compromised by an employee at LaunchPoint. The Daniel Drake Center for Post-Acute Care is notifying 4,721 patients that their information may have been compromised due to an employee accessing their medical records without authorization. Kaleida Health is notifying patients that their information may have been compromised due a phishing incident that allowed an unauthorized third party to gain access to a small number of Kaleida Health email accounts. Kids Pass said that the personal information of users could have been compromised by changing the URL of the activation code sent to new users in order to view other account holders’ data. An attacker managed to trick an employee at A9t9 into handing over the company’s Google developer account credentials and then pushed out a malicious version of the Copyfish Chrome extension.
  • More ransomware: An unnamed Canadian company paid $425,000 after a ransomware attack encrypted its production databases and backups. The intruders gained access due to spear phishing messages that were sent to six senior company officials. Northwest Rheumatology of Tucson is notifying patients that their information may have been compromised following a ransomware attack that occurred on April 10, 2017.
  • Arrests and sentences: The security researcher known as “Malwaretech,” who is best known for helping to stop the spread of the WannaCry malware, was arrested for allegedly creating and distributing the Kronos banking Trojan. A Seattle man has been arrested on charges of extorting multiple media companies with threats of DDoS attacks. A Russian citizen was sentenced to 46 months in prison for his role in infecting tens of thousands of computers with the Ebury malware.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-08-04_ITTNew

Cyber Risk Trends From the Past Week

2017-08-04_RiskScoresLaw enforcement continues to target activity on the dark web following the recent takedown of AlphaBay and Hansa Market, two of the three largest cybercriminal marketplaces on the dark web.

Those takedowns left Dream Market as the new king of the dark web; however, there has been speculation by its users that Dream Market may have been compromised by law enforcement as well — or at least that 16 vendor accounts on the site may have been compromised.

One of those 16 alleged vendors said that Dutch law enforcement had seized his or her vendor account and changed all of its information on the same night that Hansa Market was taken offline.

“I can clearly say that (at least) my account was seized by dutch LE,” the user wrote. “I think they came on it through my sillyness using same password on hansamarket. … I don’t think dreammarket itself is compromised, I only think the LE is trying to fuck the rest out of this community by using log-in informations from other markets.”

As Naked Security reported, there has been no confirmation from the Dutch police about the alleged takeover of Dream Market accounts, but it makes sense that authorities would exploit password reuse and lack of two-factor authentication by cybercriminals in order to further their reach into active dark web markets.

A recent survey (PDF) found that 81% of those in the U.S. reuse passwords across multiple online accounts — and this now includes dark web vendors too, if the Dream Market news is any indication. This reuse occurs despite the fact that password reuse and credential-stuffing attacks lead to numerous cases of account takeovers, data breaches, and other cybersecurity incidents each week.

It may be impossible to stop users from reusing passwords, but, as Troy Hunt noted, NIST recommends that organizations become proactive and block passwords that have been previously tied to data breaches in order to improve security. That’s why he’s released a list of 320 million previously compromised passwords for organizations to download for free and use to protect their systems.

“Use this data to do good things,” Hunt wrote. “Take it as an opportunity to not just reduce the risk to the service you’re involved in running, but also to help make people aware of the broader risks they face due to their password management practices.”

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s