Weekly Cyber Risk Roundup: Another Ethereum Heist and FBI Warns Against Kaspersky Lab

Cryptocurrency theft was the week’s top trending cybercrime story as malicious actors were able to capitalize yet again on an upcoming Ethereum initial coin offering (ICO) to steal approximately $500,000 worth of Ether — this time from investors in the cryptocurrency platform Enigma.

2017-08-25_ITT

Enigma said that malicious actors managed to compromise the enigma.co domain, its Slack channel, and certain email lists. The actors then posted messages via the compromised channels claiming that the platform was offering a “pre-sale” of tokens ahead of next month’s official ICO.

Enigma CEO Guy Zyskind said the attack “joins a long list of other similar attacks plaguing the crypto-community.” For example, just last month there were three different multi-million dollar Ethereum heists: $34 million was stolen due to a bug in the code of the Parity Ethereum client and $10 million and $8.4 million were stolen during the ICOs of Coindash and Veritaseum.

“We want to make sure that no one in our community that was a victim to this well-coordinated phishing attack is financially hurt,” Zyskind said in a blog post. “We will restore funds to everyone that lost money in this recent scam attempt after our token sale concludes.”

With four large Ethereum thefts over just the past month, it is clear that malicious actors have found a new — and relatively simple — way to capitalize on the excitement of Ethereum investors. Similar attacks will likely occur in the future as malicious actors play copycat and attempt to capitalize on other ICOs for a quick payday.

2017-08-25_ITTGroups

Other trending cybercrime events from the week include:

  • Hacktivist and political leaks: Web hosting provider DreamHost had its services disrupted by a DDoS attack on Wednesday. It’s unclear who orchestrated the attack, but DreamHost was recently involved in several politically-charged news stories. The Anonymous-affiliated group AnonOps leaked the private cell phone numbers and email addresses of 22 Republican congressmen in an effort to get individuals to urge their members of Congress to condemn President Trump’s recent statements surrounding Charlottesville and push for his impeachment. The hacking group known as “Fancy Bear” released information related to doping in FIFA, including email exchanges between FIFA and representatives of anti-doping agencies, files showing the number of players using illegal substances, and therapeutic use exemption data, which gives athletes medical permission to take banned substances.
  • Healthcare-related breaches: A hacker claiming to represent Anonymous said he gained access to a database of NHS patient data managed by SwiftQueue and downloaded over 11 million records, but SwiftQueue said that its database only contains records for 1.2 million individuals and that its initial investigation suggests only 32,501 “lines of administrative data” have been accessed. MJHS Home Care is notifying patients that an employee email account was compromised due to a phishing incident and that patient information may have been exposed. The Institute for Women’s Health in Texas is notifying patients of the discovery of a keylogger on its network. Salina Family Healthcare Center is notifying patients that their personal information may have been compromised due to a June 18 ransomware infection. St. Mark’s Surgical Center is notifying patients of a April 13 ransomware infection that may have compromised their personal information.
  • Carbon Black says bug affected 10 customers: Cybersecurity company Carbon Black said that 10 of its customers were potentially impacted by a corner-case bug that may have resulted in some miscategorized files being uploaded to a third-party, cloud-based scanner. The bug was introduced in Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later, the company said, and required a series of other conditions in order to be triggered.
  • Other notable incidents: A database that appears to be associated with the online group hotel room booking service Groupize was found exposed on the Internet. The researchers who discovered the exposed database said it contained many hotel documents, including service agreements, earnings, and details about commissions, which allowed them to see “exactly how the discount hotel business model works in detail.” The City of Oceanside, California, has suspended its online utility bill payment system over concerns that the system may have been breached after multiple users reported that they received unauthorized charges on their payment cards. The hacking group OurMine hijacked the Twitter and Facebook accounts of Sony’s PlayStation Network (PSN) and claims to have a stolen PSN database; however, media outlets reported that there does not appear to be any evidence as of yet supporting the claims of a breached PSN database.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-08-25_ITTNew

Cyber Risk Trends From the Past Week

2017-08-25_RiskScoresIn July, the U.S. government removed the Russia-based Kaspersky Lab from two lists of approved government vendors, and recently it was revealed the the FBI has been warning private organizations to stop using Kaspersky products as well.

The FBI has been briefing private companies on the threat since the beginning of the year, citing intelligence that claims to show the company is an unacceptable threat to national security, officials told CyberScoop. The FBI has prioritized briefing organizations in the energy sector and those that use ICS and SCADA systems, as well as large tech companies.

The officials claim that Kaspersky has deep and active relationships with Russian intelligence and have highlighted multiple specific accusations of wrongdoing, sources told CyberScoop.

Kaspersky denied the allegations, with a representative saying that the company is “caught in the middle of a geopolitical fight” and “has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”

CyberScoop reported that organizations using ICS and SCADA systems have been relatively cooperative and that some have already moved forward and signed deals with Kaspersky competitors. However, those in the tech space don’t have the same sense of urgency and have been less receptive to the FBI’s recommendations.

In addition, Reuters reported that a defense spending policy bill from the Senate Armed Services Committee was recently amended to prohibit the U.S. Defense Department from using Kaspersky software platforms because the company “might be vulnerable to Russian government influence.”

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s