The fast-food chain Sonic said yesterday that it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash.
Sonic said its payment card processor informed the company last week of unusual activity regarding cards used at its stores. Krebs reported that two sources purchased a handful of payment cards from the batch of five million credit and debit cards listed on Joker’s Stash, and those sources said the stolen cards had all been recently used at Sonic locations.
A Sonic spokesperson said that the breach investigation is still in its early stages and it is unclear how many of the company’s nearly 3,600 locations may have been impacted.
Cybercriminal markets like Joker’s Stash often allow the filtering of stolen payment cards based on various options such as location, which allows malicious actors to target affluent areas or to buy cards located near them so that fraudulent transactions are harder to detect.
“It remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs wrote. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”
Fast food chains have been at the center of some of the most impactful and widely discussed payment card breaches over the past several years. In July 2016, Wendy’s announced that more than 1,000 stores were affected by point-of-sale malware, leading the fast-food chain to become the top trending company tied to a payment card breach last year. Likewise, Arby’s point-of-sale breach is the top trending consumer goods payment card breach of 2017, and other major restaurant chains such as Chipotle and Shoney’s have announced similar breaches this year.
Arby’s is the top trending consumer goods target associated with payment card cybercrime so far this year, although it remains to be seen how impactful the Sonic breach will be.
An interesting breach announcement trend in 2017 is the attempt to obfuscate the total number of breached locations behind clunky websites that divide the affected locations into searches not just by state, but by city. Case in point, the breach lookup webpage provided by Arby’s, which mimics the cumbersome and now-defunct webpage set up by InterContinental Hotels Group (IHG) for its recent breach. The IHG website divided the affected locations across hundreds of individual cities, and that tool, along with the news that IHG would update the list as more hotels confirmed breaches, meant frequent travelers had to comb through numerous searches repeatedly in order to find out if they were impacted by a single breach.
The Wendy’s breach, which affected franchise locations serviced by a third-party payment provider, was particularly painful for financial institutions as some locations were re-compromised after initially clearing the malware — leading to customer payment cards having to be re-issued multiple times. The Arby’s breach, by contrast, was caused by malware placed on systems inside corporate stores rather than franchise locations.
It’s unclear at this point which Sonic stores were affected, but a 2016 report to stockholders said that 3,212 of the company’s 3,557 locations are franchised. The company also announced in 2014 that it was rolling out a new point-of-sale system and proprietary point-of-personalized service technology based on a Micros Oracle platform. In April 2017 it was reported that the update had made its way to 77 percent of Shoney’s locations.
The U.S. Securities and Exchange Commission (SEC) was the week’s top trending new cybercrime target following the announcement that a data breach compromised sensitive data that may have “provided the basis for illicit gain through trading.” SEC chairman Jay Clayton said the commission learned last month that an incident “previously detected” in 2016 may have led to the illicit trading.
“Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” Clayton said in a statement.
EDGAR — which is an acronym for electronic data gathering, analysis, and retrieval — contains millions of filings from companies. The investigation is ongoing, but it is likely that any insider trading due to the breach would have occurred between the period when company filings were made and when those filings were released to the public. The SEC breach echoes, on a smaller scale, the insider trading scheme for which a Ukrainian hacker was sentenced to prison earlier this year. That scheme revolved around the theft of 150,000 news releases from Business Wire, Marketwired, and PR Newswire between February 2010 and August 2015, which led to more than $100 million in illegal profits.
Reuters said it had viewed a confidential report stating that the U.S. Department of Homeland Security detected five “critical” weaknesses on the SEC’s computers as of January 23. In addition, the Government Accountability Office warned in July that the SEC was “at unnecessary risk of compromise” because of deficiencies in its information systems. Reuters also reported that new SEC reporting rules start to come into effect in December that require funds to confidentially file monthly, rather than quarterly, portfolio holdings with the SEC. The breach has unnerved investor groups such as the Investment Company Institute, which wants the SEC to answer cybersecurity concerns before the SEC begins collecting additional sensitive data.
Other trending cybercrime events from the week include:
TheDarkOverlord threatens violence: Flathead County in Montana closed 30 schools for several days following a breach and ransom letter that claimed to come from TheDarkOverlord and hinted at physical violence, as well as threats against individual families that leveraged the school’s electronic directory. Databreaches.net wrote that “the Flathead case is not the first case where TheDarkOverlord has contacted its victims by phone or SMS to threaten them or deliver obscenity-laden messages.”
Organizations expose more data: Researchers discovered an Amazon AWS S3 bucket belonging to Viacom that contained “a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations.” Researchers discovered an Amazon AWS S3 bucket with more than half a million records belonging to the automobile tracking company SVR Tracking. The Office of the Australian Information Commissioner is investigating the exposure of the financial information of customers of Amazing Rentals. The British supermarket chain Iceland exposed customer information on its home delivery confirmation sheets, which also contained an IP address that led to an insecure login portal for Iceland’s scheduling system. Premier Medical Associates said that 900 patients that submitted information via the “Contact Us” portion of its website had that data compromised due to search engines retrieving the submissions.
New data breaches: OurMine gained access to Vevo’s media storage servers and leaked 3.12TB of company data. Bulletproof 360 is notifying customers that their payment information may have been compromised due to the discovery of unauthorized code on its website’s checkout page. TD Ameritrade said “unauthorized code” led to the breach of customer information. LiteBit is notifying users that their personal information was accessed in an attack that targeted a supplier and a LiteBit server. Cornerstone Business and Management Solutions said that it discovered an unauthorized account on a server and that the data of Certified Medical Supplies patients was compromised. Irish National Teachers’ Organization said that more than 30,000 teachers had their personal information compromised due to hackers gaining access to its online learning portal. TRUEbenefits, ABB, Inc., Morehead Memorial Hospital in North Carolina, and AU Medical Center all announced breaches due to compromised employee email accounts.
Other notable incidents: Montgomery County in Alabama said that a ransomware infection locked up computer systems and disrupted some county services. PeaceHealth Southwest Medical Center is notifying 1,969 patients that their protected health information was unnecessarily accessed by an employee. A Georgia man was found guilty of inserting malicious code known as a “logic bomb” into a national-level computer program responsible for handling pay and personnel actions for nearly 200,000 U.S. Army reservists. An Arizona man was sentenced to four years of federal probation for making changes to a company website that prevented the company’s employees from using their email accounts, redirecting the company’s homepage to a blank page, demanding $10,000 to return everything to normal, and then redirecting the company’s homepage to a pornographic website when it refused to pay the ransom.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Cyber Risk Trends From the Past Week
Last week the developer of CCleaner announced that approximately 2.27 million users of CCleaner downloaded a legitimately signed version of the utility containing malicious code. Shortly thereafter, it was reported that the spreading of a backdoored version of CCleaner appears to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.
The malicious version of CCleaner was available on the site from August 15 to September 12, said Piriform, which was recently acquired by Avast, and affected customers with the 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. The compromised code could have resulted in “the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.”
Researchers found evidence that the actors attempted to filter their collection of compromised victim machines to find computers inside the networks of tech firms, such as Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, Cisco, and more. In about half of the cases, the actors behind the attack successfully compromised a machine within the company’s network and used that to install another piece of malware likely intended for industrial espionage. The researchers also noted that the list of targets discovered was likely modified throughout the month-long campaign, so there may be additional companies that were targeted besides the 18 that were identified.
“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” Cisco researchers wrote.
Equifax continued to dominate cybersecurity discussion over the last week as security researchers, government officials, lawyers, and the media have continued to ask questions around the fallout related to the massive breach, which affects 143 million consumers in the U.S. as well as others across the globe.
Equifax confirmed that the actors behind the breach exploited an Apache Struts vulnerability (CVE-2017-5638). The Apache Software Foundation noted that the vulnerability was made public and a patch was issued for it on March 7, more than two months before the initial “mid-May” compromise at Equifax.
“In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the foundation wrote in a blog post.
To add to the company’s woes, researchers discovered that an online portal for Argentinian employees to manage credit report disputes had, among other issues, the ridiculously easy-to-guess username and password combination of “admin” and “admin” — potentially leaking the sensitive information of those in Argentina and possibly other Latin American countries.
In addition, the FTC, which has opened an investigation into the breach, is warning consumers to be on the lookout for scams involving Equifax imposters and advising consumers to never give information to anyone who calls unprompted and claims to be from the company. Visa and Mastercard are also sending confidential alerts to U.S. financial institutions regarding the 209,000 payment card numbers that were also stolen in the breach. Brian Krebs reported that it appears those stolen payment cards are, ironically, tied to people signing up for credit monitoring service through Equifax. Finally, the breach has prompted Elizabeth Warren and 11 other Democratic senators to introduce a bill to give consumers the ability to freeze their credit for free.
Other trending cybercrime events from the week include:
Notable data breaches: The website canoe.ca said that the personal information of one million Canoe site users was compromised by a breach that affected databases containing records from 1996 to 2008. Children’s Hospital Colorado is notifying 3,400 patients that their information may have been compromised due to an employee’s email account being accessed by an unauthorized party on July 11. Donors of the Somerville House Foundation, which is responsible for running the elite school in Australia, were warned that a former employee had copied over their data to a personal hard drive.
Organizations expose data: Individuals who used translate.com may have had sensitive data they submitted made public and discoverable via search engines. Researchers and media have found a variety of sensitive data that was submitted to the site being leaked, including email exchanges, sensitive company documents, personal information, and more. Translate.com said, “there was a clear note on our homepage stating: ‘All translations will be sent to our community to improve accuracy’ and that ‘some of these requests were indexed by search engines such as Google and Microsoft at that time.’” The personal information of 593,328 Alaskan voters was exposed due to a misconfigured CouchDB database by Minnesota-based software company Equals3, which licensed the data from TargetSmart.
Ransomware incidents: Hackers were able to gain access to the communications system for Schuyler County via a brute-force attack, and as a result some enhanced 911 features were disrupted. Officials said that the county is rebuilding all of its files and servers following the attack, indicating that there may have been some sort of ransomware attack or other destructive malware. A ransomware infection has disrupted the Butler County, Kansas, computer system for several days and forced paperwork to be filled out by hand, the county sheriff said.
Arrests and legal actions: The Russian cybercriminal Roman Seleznev pleaded guilty to his role in the 2008 hack of RBS Worldpay and cashing out $2,178,349 associated with five hacked debit card numbers. Artur Sargsyan, the owner of the file-sharing website Sharebeast.com, has pleaded guilty to one felony count of copyright infringement related to the website, which facilitated the unauthorized distribution and reproduction of over one billion copies of copyrighted works. A North Carolina man who goes by the moniker “D3F4ULT” and was a member of the “Crackas With Attitude” hacking group has been sentenced to five years in prison for hacking government computer systems and the online accounts of government officials. A Texas man was sentenced to 27 months in prison for hacking and damaging 13 servers operated by the healthcare facility Centerville Clinic, Inc., as well as engaging in a scheme to defraud the facility using its purchase card to order merchandise from Staples after resigning from his role as a systems administrator. The U.S. Treasury department issued sanctions against 11 entities and individuals tied to Iran, including some actors who are accused of launching DDoS attacks against U.S. financial institutions between 2011 and 2013.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Cyber Risk Trends From the Past Week
Security researchers are advising people to ensure their Bluetooth connections are turned off when not in use after the discovery of a series of vulnerabilities that can be used to compromise billions of Bluetooth-enabled devices.
The eight vulnerabilities, dubbed “BlueBorne,” were first reported by Armis Labs and “are the most serious Bluetooth vulnerabilities identified to date,” according to a company spokesperson.
“BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware to other devices,” the researchers wrote in a paper detailing the vulnerabilities. “The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device. In addition, the targeted user is not required to authorize or authenticate the connection to the attacker’s device.”
As an Armis spokesperson told Bleeping Computer, one example of an attack could be a malicious actor simply walking into a bank carrying weaponized code on a Bluetooth-enabled device in order to infect other devices and gain a foothold on a previously secured network. In addition to the paper, Armis has uploaded videos showing how the BlueBorne attacks work across various devices.
Four of the vulnerabilities affect Android (CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785), two affect Linux (CVE-2017-1000251 and CVE-2017-1000250), one affects iOS (CVE-2017-14315), and one affects Windows (CVE-2017-8628). Ars Technica reported that the Windows vulnerability was patched in July, Google provided device manufacturers with a patch in August, Linux maintainers will likely release a patch soon, and iOS version 10 is not affected by the vulnerability.
The recent Equifax breach once again has the whole nation talking about cybercrime — and the widespread fraud and identity theft likely to follow in the wake of 143 million compromised consumers. Identity theft is a major concern for individuals, but as SurfWatch Labs chief security strategist Adam Meyer noted, malicious actors springboarding off of breached information to authenticate as legitimate users is perhaps a more significant concern when it comes to organizations.
Meyer’s thoughts echo the findings of SurfWatch Labs’ recent whitepaper, which found that malicious actors tend to be focused on authentication when it comes to fraud on dark web markets and cybercriminal forums.
The most observed type of dark web fraud in 2017 is account fraud, which has accounted for more than a quarter (25.2%) of all the fraud-related activity observed on the dark web this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:
online accounts for banking and financial services;
online store accounts, as both buyers and sellers;
accounts tied to monthly subscriptions or other recurring services;
accounts related to the growing number of digital cryptocurrencies;
and more.
By comparison, credit card fraud, which is what many consumers may associate with the dark web, has only accounted for 16.7% of the activity so far this year.
The focus on this more indirect fraud — the buying, selling, and trading of access to accounts connected to payment information or services — is driven by both the huge growth in the number of online accounts and the weak authentication that so often accompanies those accounts.
The Equifax breach has simply exacerbated those authentication concerns to the point where outlets like Wired and The Verge are writing that we may need a “fundamental reassessment in how, and why, we identify ourselves” and that it may be “time to burn it all down and start over.” SurfWatch Labs analysts, along with many other researchers, have been warning for years that the pool of forever-compromised information is continuing to grow deeper and cause more issues for businesses unprepared to deal with that reality.
What can organizations do to protect themselves? Unfortunately, that is not a one-size-fits-all answer.
“Collectively, organizations lose billions of dollars to fraud-related cybercrime every year,” the whitepaper noted. “Individually, how each organization should address the problem of fraud can vary greatly depending on their unique risk footprints.”
However, there are some general best practices that all businesses should keep in mind when it comes to combating fraud, such as:
Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.
Discourage the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors. NIST recommends advising users against passwords that have been previously breached, and in August 2017 security researcher Troy Hunt provided a list of 320 million compromised passwords that organizations can implement to encourage the use of more secure passwords as they see fit.
Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.
Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.
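As an added illustration of the compromised-password recommendation above (this is not code from SurfWatch Labs, NIST, or Troy Hunt), the following sketch screens a new password against a locally stored breached-password list at registration or password-change time. It assumes the list is kept as sorted, uppercase SHA-1 hex digests, one per line; the function names, the minimum length of 8, and the tiny sample list are constructed for the example.

```python
import hashlib
import os
import tempfile

HEX_LEN = 40              # a SHA-1 digest is 40 hex characters
RECORD_LEN = HEX_LEN + 1  # plus the trailing "\n" (assumed file layout)

# Constructed sample of well-known weak passwords; a real deployment would
# use a full breached-password corpus stored in the same layout.
SAMPLE_BREACHED = ["password", "123456", "admin", "qwerty",
                   "password1", "letmein", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_hash_file(passwords, path: str) -> int:
    """Write de-duplicated, sorted, fixed-width digest records to path."""
    digests = sorted({sha1_hex(p) for p in passwords})
    with open(path, "wb") as fh:
        for digest in digests:
            fh.write(digest.encode("ascii") + b"\n")
    return len(digests)


def make_sample_list() -> str:
    """Create the constructed sample list in a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sha1.txt")
    os.close(fd)
    build_hash_file(SAMPLE_BREACHED, path)
    return path


def is_breached(password: str, path: str) -> bool:
    """Binary-search the sorted digest file without loading it into memory.

    Each record has a fixed width, so record i starts at byte i * RECORD_LEN.
    A list of hundreds of millions of entries needs about 30 seeks.
    """
    target = sha1_hex(password).encode("ascii")
    size = os.path.getsize(path)
    if size % RECORD_LEN != 0:
        raise ValueError("hash file is not made of fixed-width records")
    lo, hi = 0, size // RECORD_LEN
    with open(path, "rb") as fh:
        while lo < hi:
            mid = (lo + hi) // 2
            fh.seek(mid * RECORD_LEN)
            record = fh.read(HEX_LEN)
            if record == target:
                return True
            if record < target:
                lo = mid + 1
            else:
                hi = mid
    return False


def screen_new_password(password: str, path: str, min_length: int = 8):
    """Return (accepted, reason) for a password a user is trying to set."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, path):
        return False, "appears in breached-password list"
    return True, "ok"


if __name__ == "__main__":
    sample_path = make_sample_list()
    try:
        for candidate in ("admin", "password1", "Tr1cycle-harbor-94-lantern"):
            print(candidate, "->", screen_new_password(candidate, sample_path))
    finally:
        os.remove(sample_path)
```

The check runs only when a password is being set, so the plaintext is never stored, and SHA-1 is used here purely as a lookup key into the list, not as a password storage scheme.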
The webinar will feature a discussion around cyber fraud, including an in-depth examination of the “Anatomy of Fraud,” what intel can be gathered from Dark Web markets and forums, and recommended courses of action to proactively mitigate the risk of fraud as well as how to effectively respond if fraud occurs.
Last Thursday, Equifax announced a data breach affecting 143 million individuals. The breach, which compromised sensitive personal information such as Social Security numbers and driver’s license numbers, is not just the most impactful breach that occurred over the past week, it may be the most significant breach we see in all of 2017.
As SurfWatch Labs chief security strategist Adam Meyer noted, the impact of the Equifax breach will likely continue to ripple outward and affect individuals and organizations far beyond the near term. After all, the Social Security numbers and dates of birth that were stolen in the breach are static identifiers that range from difficult to impossible to change. Meyer also noted that malicious actors excel at snowballing information and could potentially use the leaked data as a springboard to circumvent knowledge-based authentication services, such as those that are offered by Equifax.
Equifax’s response to the breach has also drawn criticism on a variety of fronts. Bloomberg reported that three senior Equifax executives sold nearly $1.8 million worth of shares in the days following the breach, which was first discovered on July 29. Brian Krebs called the breach response a “dumpster fire” for a variety of reasons, including a tool that Equifax said potential victims could use to see if they are affected being “completely broken” and concerns around a now-modified terms of service clause that initially appeared to force victims to waive future class action rights in exchange for signing up for identity theft services. The New York Times reported that the 10-digit PINs being provided to those that choose to pay to freeze their credit files are not as secure as one would expect. Finally, The Hill reported that numerous members of Congress and state attorneys general have already launched investigations and are demanding further explanations from Equifax.
Other trending cybercrime events from the week include:
Notable data breaches: The Latin American social network Taringa said that hackers have stolen the usernames, email addresses, and MD5-hashed passwords of nearly 29 million users. The state government of Western Australia has ordered an urgent review of the state’s TAFE cyber security systems after the information of 13,000 students was compromised when an unauthorized user gained access to the TAFE’s IT system on two separate occasions. The Community Memorial Health System in Ventura, California, is notifying 959 patients that their personal information may have been compromised due to an employee’s email account being accessed following a phishing email. The Alaska Office of Children’s Services said that malware was found on two computers and that more than 500 individuals may have had their personal information stolen as a result. The Hong Kong jobs website cpjobs.com said that an unauthorized third party was able to gain access to user data and passwords. A customer of the DDoS-for-hire service TrueStresser claims to have hacked the company and released what appears to be legitimate company data.
Organizations exposed data: Researchers discovered more than 600GB of sensitive data exposed via two insecure Amazon S3 buckets that appear to be connected to the global communication software and service provider BroadSoft, Inc. Much of the internal development data apparently saved by BroadSoft engineers related to Time Warner Cable. Researchers discovered a misconfigured CouchDB database connected to MoneyBack that exposed the passports, IDs, and other personal details of thousands of travelers to Mexico. Researchers discovered an unsecured Amazon Web Services S3 data storage bucket that contained 9,402 resumes and application forms submitted for positions with North Carolina-based private security firm TigerSwan. An email error led to those who preordered Essential phones receiving the personal details of other customers, including copies of driver’s licenses.
Another wave of MongoDB ransoms: Attacks against insecure MongoDB instances surged recently as three groups of hackers wiped approximately 26,000 MongoDB databases and left ransom notes saying the data would be restored for between 0.05 and 0.15 bitcoin, or as much as $650. The researchers said that few organizations have paid the ransom.
Other notable incidents: WikiLeaks has published a series of documents related to the CIA’s Protego project, which WikiLeaks described as “a PIC-based missile control system that was developed by Raytheon.” Verrit, an online hub that includes information for Hillary Clinton backers to share, recently went offline after experiencing a “pretty significant and sophisticated” cyber-attack, the site’s creator said. The UK’s National Fraud & Cyber Crime Reporting Center is warning that students are being targeted with a phishing scam that claims their Student Loans Company accounts have been suspended due to incomplete information.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Cyber Risk Trends From the Past Week
Security researchers are once again warning that the energy sector is the target of increased cyber-attacks. Symantec said that it has observed increased activity from the actors behind the Dragonfly 2.0 campaign and that there are strong indicators of recent attacks against organizations in the U.S., Turkey, Switzerland, and elsewhere.
Like the original Dragonfly campaign, which ran from 2011 to 2014, the new campaign uses a combination of malicious emails, watering hole attacks, and Trojanized software to gain access to victim networks, the researchers said in a report.
“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” Symantec wrote. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”
Symantec researcher Eric Chien told Wired that there were more than 20 cases of hackers successfully gaining access to targeted companies’ networks and that the intruders had gained operational access to a handful of companies, including several in the U.S. and at least one in Turkey.
He warned that “there’s nothing left standing in the way [of sabotage] except the motivation of some actor out in the world.”
On Thursday, the consumer credit reporting agency Equifax announced a massive data breach affecting 143 million U.S. consumers, and today several actors on the dark web and Twitter are claiming to have the data for sale.
Equifax said the breach was caused by a website application vulnerability that provided malicious actors access to sensitive data from mid-May through when the intrusion was detected on July 29. The stolen data includes consumers’ Social Security numbers, dates of birth and addresses, as well as the credit card numbers of 209,000 consumers, dispute documents with personal identifying information for another 182,000 consumers, and an unreported number of driver’s license numbers. In addition, the company said that “limited personal information for certain UK and Canadian residents” was also compromised.
Breach Causes Authentication Concerns
In addition to being one of the largest breaches of recent memory, the type of information that was stolen is a treasure trove for cybercriminals looking to carry out fraudulent activities in the future. As SurfWatch Labs chief security strategist Adam Meyer noted, the type of information that Equifax holds is often used for authentication purposes as well.
“You will see plenty of commentary regarding tax and various banking fraud scenarios, but there is one area that concerns me more, and that is the credit-based identity space,” Meyer said, referring to the types of questions that are pulled from consumers’ credit reports for knowledge-based authentication. “While full credit report information has not been disclosed as being compromised, it is possible that what has been compromised can still help with that authentication process. When you call a help desk for a transaction, what do they use to authenticate you? Name, address, Social Security numbers — all the same information that was just breached on a massive scale.”
Meyer also noted that if malicious actors could leverage this information to get even more data and answer more knowledge-based authentication questions, it could be a problem for organizations.
“Aside from the obvious impacts of PII being leveraged as it has in the past, I am worried that this particular breach has an impact to a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud that are all integrated,” Meyer said. “These are services that support employment verification, social services verification, identity proofing as they call it. The strength in this authentication is the fact that only the user should know this information when challenged; however, with this breach approximately 60 percent of the working age U.S. population’s PII could be out there and available to use [by malicious actors] to potentially authenticate [as those users].”
Actors Claim to Have Equifax Data
SurfWatch Labs’ team of analysts has observed several actors claiming to be in possession of the breached Equifax data, although we do not have much confidence in their legitimacy at this point.
One website on the dark web is threatening to publish all of the stolen data except credit card information if they don’t receive 600 bitcoins (approximately $2.6 million) in ransom by September 15.
A likely scam website on the dark web alleging to have the Equifax database and demanding a ransom from Equifax.
“Equifax executives sold 3 million dollars in shares taking advantage of their insider information after the attack,” the actors behind the site wrote in justifying their exorbitant ransom demand.
However, Bloomberg reported that the shares sold by three senior executives several days following the breach totalled $1.8 million and that the executives said they were not aware of the breach at the time of the sale.
In addition, researchers have discovered other users claiming to have the data for sale, such as this Twitter user. However, we again caution that this sale is likely not legitimate.
A Twitter user claiming to have the Equifax data for sale.
Scams on the Horizon
The claims to have the data so far may well be scams, but that should come as no surprise. As we noted last week about Hurricane Harvey scams, malicious actors will attempt to exploit any event or news story that grabs the attention of a large group of people. With 143 million people affected by the incident, scammers who gain access to the breached data will have an enormous group of engaged victims that they can exploit through emails, phone calls and other social engineering means in the coming days, weeks and months. In fact, those scammers may already have enough data to open fraudulent accounts, lines of credit, or carry out other forms of identity theft.
In addition, the data could be used to add legitimacy to a number of other scams.
For example, one could easily imagine a simple scam where malicious actors impersonate Equifax representatives enrolling victims in identity theft services and gain credibility by providing actual Social Security numbers and driver’s license numbers to “confirm” victims’ identities — before using that gained trust to pivot to other scam opportunities.
Leaked Data Could Lead to Additional Incidents
It’s also worth stressing, yet again, that there is no right to be forgotten in the cybercriminal world. As we noted in our 2016 Cyber Trends Report, once your data is exposed, it will likely forever remain in the cybercriminal domain. With this new Equifax breach, the pool of compromised information that can be leveraged by malicious actors grows deeper and the ripple effect of that breach will likely widen to impact more organizations in the future.
In addition, as Meyer noted, Equifax offers authentication services that include knowledge-based authentication, and the leaked Social Security numbers, driver’s license numbers and other sensitive information could be used as a stepping stone in further breaches, he warned.
“My worry is that with this information a malicious actor could authenticate to a service like this using the already disclosed information [from the Equifax breach] and with just some public information sleuthing and maybe a good guess or two could answer the credit report follow up questions and likely pass go more often than not, especially when there is 145 million records available,” Meyer said.
Equifax has provided a website with more information about the breach, as well as the ability to check to see if you are affected and to receive a future date to enroll in an identity protection service. It’s worth noting that Equifax is requiring consumers to enter both their last name and the last six digits of their Social Security number to enroll, rather than the typical last four digits — reinforcing the idea that as more data gets leaked, proper authentication becomes more difficult.
As Meyer said, “With this I get the constant sense of déjà vu, maybe it is breach fatigue, or maybe it’s the fact that we all should never have to pay for credit monitoring again in our lifetime because our PII has been breached so many times.”
Many organizations are struggling with how to best manage and mitigate the array of cyber risks they are facing. That growing number of risks — from deliberate threats such as ransomware, data theft and social media hacking to non-deliberate risks such as poorly trained employees or issues that spread through the supply chain — can be challenging to quantify, prioritize and prepare against.
But don’t despair, said Andy Jabbour, the co-founder and managing director of Gate 15, there is hope. Andy recently wrote a series of blogs outlining how the Preparedness Cycle, which is often used to prepare for traditional threats, can also be implemented to help organizations prepare for cyber threats.
“The preparedness cycle has been around for quite a long time now and it has been used by the Department of Homeland Security, FEMA, and other federal, state, and local government agencies as part of managing the preparedness process,” Jabbour said during a recent Cyber Chat Podcast about his blog series. “The idea of applying it towards cyber risk is maybe something people don’t necessarily think about right away, but it certainly applies very well.”
As Jabbour noted in his eight-part blog series (linked below), a key part of successfully overcoming the impacts of incidents, including cyber incidents, is taking the time to properly prepare. Building a flexible, multi-year plan that addresses all stages of the Preparedness Cycle can help to provide the focus, thought and structure needed to begin tackling cyber risks in a more thoughtful and organized way, Jabbour said.
The Preparedness Cycle includes five general steps for organizations to work through when it comes to addressing their cyber risks (for an overview of the process, start with Jabbour’s Introduction to the Preparedness Cycle):
“No one has time to tackle every threat or to build a plan for every potential situation that may arise, so you need to build adaptable plans that work on addressing the most important risks,” Jabbour said. “We can’t do all of it, but we can do some, and if we’re smart we can try to put some things together to get the most bang for our buck — in both our training and our exercises.”
For more on using the Preparedness Cycle to help manage your organization’s cyber risk, read the blog series above or listen to our Cyber Chat podcast.
Instagram was among the week’s top trending cybercrime targets due to both the company confirming a bug that may have leaked some users’ personal information and a malicious actor claiming that he is selling the personal data of six million Instagram users.
On August 28, Instagram’s most popular user, Selena Gomez, had her account hacked and used to spread nude photographs from 2015 of her ex-boyfriend Justin Bieber. Two days later, Instagram warned that a bug in the Instagram API had been used to steal some high-profile users’ personal information — which may have contributed to the Gomez account takeover.
“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”
However, that same day a malicious actor claiming to have scraped the personal data of six million Instagram users contacted Ars Technica and told the outlet that he or she was selling the data through a searchable website for $10 per query. The actor claimed to have learned of the vulnerability used to scrape the data in an IRC discussion — suggesting that the bug confirmed by Instagram may have a wider scope of impact than initially thought. An Instagram representative said company officials are aware of the claim and are investigating it. Researchers said the 10,000-record sample provided by the actor appears to be legitimate. Until Instagram clarifies the extent of the bug and the subsequent breach of personal information, Instagram users should assume that their associated email addresses and phone numbers may be in the hands of malicious actors.
Other trending cybercrime events from the week include:
Numerous ransomware announcements: NHS Lanarkshire hospitals were disrupted by a Bitpaymer ransomware infection that resulted in the staff bank and telephone systems going offline, as well as the rescheduling of appointments. An employee of the German state parliament of Saxony-Anhalt opened a malicious attachment in a spear phishing email, leading to a ransomware infection that media said “crippled” the state parliament’s network. Dorchester School District 2 in South Carolina announced it paid $2,900 via its insurance coverage after 25 of the 65 servers for the district’s computer network were infected with ransomware. Medical Oncology Hematology Consultants, PA in Delaware said that a ransomware infection affected 19,203 patients. The Indiana accounting firm Whitinger & Company notified clients of a data breach and ransomware attack.
Insiders lead to lawsuits, data breaches: Allstate Insurance has filed a lawsuit against Ameriprise Financial accusing the company of attempting to steal confidential information by encouraging Allstate agents to create contact lists and download client data to use in soliciting clients once they quit and get hired at Ameriprise. Tewksbury Hospital in Massachusetts discovered unauthorized employee access to patients’ medical records that dated back to 2003 and is attempting to notify affected individuals that their information was compromised.
Organizations expose data: Researchers discovered an insecure backup device belonging to the London-based Bell Lomax Agency that exposed thousands of documents related to the company and its literary clients. MacKeeper researchers said anyone could access the documents, which included the Agency’s Quickbooks accounting files, archive email boxes, financial data, expenses, administrative details, royalties, and client details for 2014-2015. Major League Lacrosse is notifying all players that their information was accidentally available online due to a link on its website that pointed to a spreadsheet containing data on every player in the league.
Other notable incidents: There have been multiple attacks against South Korean cryptocurrency exchanges, financial technology companies, and startups that use blockchain technology. CeX is notifying two million registered website customers that their information may have been accessed by an unauthorized third party. MacEwan University said that it was the victim of an $11.8 million wire transfer fraud after a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. Swedish web hosting company Loopia said that hackers accessed parts of its customer database, including customer contact information and encrypted passwords. Zazzle is warning customers that their accounts may have been compromised due to brute-force attacks and is prompting customers to choose new passwords. Oklahoma City’s Tower Hotel is the latest in a growing number of hotels to announce being impacted by the breach of the Sabre Hospitality Solutions SynXis Central Reservations system. The hacking group OurMine used a domain spoofing attack to redirect visitors of the WikiLeaks website to a page created by the group.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Cyber Risk Trends From the Past Week
The FDA has approved a firmware update for certain Abbott (formerly St. Jude’s) pacemakers to address cybersecurity vulnerabilities — essentially ordering a recall to correct the issues present in 465,000 implanted RF-enabled cardiac pacemakers.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in a safety communication. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”
The firmware update follows a series of high-profile news stories regarding St. Jude dating back to 2016 when the healthcare cybersecurity company MedSec teamed up with the short selling firm Muddy Waters to disclose — and ultimately profit from — several remotely executable flaws in St. Jude pacemakers and defibrillators. A lawsuit, government alerts, and a January 2017 patch that many claimed fell short followed (the timeline is summarized well in this article from CSO Online).
The firmware update requires an in-person patient visit with a health care provider and takes approximately 3 minutes to complete. After installing the update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The FDA asks affected patients to consult with their physicians about any risks associated with receiving the firmware update, which has “a very low risk of an update malfunction.”
In 2016, the FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.