Weekly Cyber Risk Roundup: Equifax Criticized Over Breach and Energy Sector Companies Compromised

Last Thursday, Equifax announced a data breach affecting 143 million individuals. The breach, which compromised sensitive personal information such as Social Security numbers and driver’s license numbers, is not just the most impactful breach that occurred over the past week, it may be the most significant breach we see in all of 2017.

2017-09-11_ITT

As SurfWatch Labs chief security strategist Adam Meyer noted, the impact of the Equifax breach will likely continue to ripple outward and affect individuals and organizations far beyond the near term. After all, the Social Security numbers and dates of birth that were stolen in the breach are static identifiers that range from difficult to impossible to change. Meyer also noted that malicious actors excel at snowballing information and could potentially use the leaked data as a springboard to circumvent knowledge-based authentication services, such as those that are offered by Equifax.

Equifax’s response to the breach has also drawn criticism on a variety of fronts. Bloomberg reported that three senior Equifax executives sold nearly $1.8 million worth of shares in the days following the breach, which was first discovered on July 29. Brian Krebs called the breach response a “dumpster fire” for a variety of reasons, including a tool that Equifax said potential victims could use to see if they are affected being “completely broken” and concerns around a now-modified terms of service clause that initially appeared to force victims to waive future class action rights in exchange for signing up for identity theft services. The New York Times reported that the 10-digit PINs being provided to those that choose to pay to freeze their credit files are not as secure as one would expect. Finally, The Hill reported that numerous members of Congress and states attorneys general have already launched investigations and are demanding further explanations from Equifax.

2017-09-11_ITTGroups

Other trending cybercrime events from the week include:

  • Notable data breaches: The Latin American social network Taringa said that hackers have stolen the usernames, email addresses, and MD5-hashed passwords of nearly 29 million users. The state government of Western Australia has ordered an urgent review of the state’s TAFE cyber security systems after the information of 13,000 students was compromised when an unauthorized user gained access to the TAFE’s IT system on two separate occasions. The Community Memorial Health System in Ventura, California, is notifying 959 patients that their personal information may have been compromised due to an employee’s email account being accessed following a phishing email. The Alaska Office of Children’s Services said that malware was found on two computers and that more than 500 individuals may have had their personal information stolen as a result. The Hong Kong jobs website cpjobs.com said that an unauthorized third party was able to gain access to user data and passwords. A customer of the DDoS-for-hire service TrueStresser claims to have hacked the company and released what appears to be legitimate company data.
  • Organizations exposed data: Researchers discovered more than 600GB of sensitive data exposed via two insecure Amazon S3 buckets that appear to be connected to the global communication software and service provider BroadSoft, Inc. Much of the internal development data apparently saved by Broadsoft engineers related to Time Warner Cable. Researchers discovered a misconfigured CouchDB database connected to MoneyBack that exposed the passports, IDs, and other personal details of thousands of travelers to Mexico. Researchers discovered an unsecured Amazon Web Services S3 data storage bucket that contained 9,402 resumes and application forms submitted for positions with North Carolina-based private security firm TigerSwan. An email error led to those who preordered Essential phones receiving the personal details of other customers, including copies of driver’s licenses.
  • Another wave of MongoDB ransoms: Attacks against insecure MongoDB instances surged recently as three groups of hackers wiped approximately 26,000 MongoDB databases and left ransom notes saying the data would be restored for between 0.05 and 0.15 bitcoin, or as much as $650. The researchers said that few organizations have paid the ransom.
  • Other notable incidents: WikiLeaks has published a series of documents related to the CIA’s Protego project, which WikiLeaks described as “a PIC-based missile control system that was developed by Raytheon.” Verrit, an online hub that includes information for Hillary Clinton backers to share, recently went offline after experiencing a “pretty significant and sophisticated” cyber-attack, the site’s creator said. The UK’s National Fraud & Cyber Crime Reporting Center is warning that students are being targeted with a phishing scam that claims their Student Loans Company accounts have been suspended due to incomplete information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-09-11_ITTNew

Cyber Risk Trends From the Past Week

2017-09-11_RiskScoresSecurity researchers are once again warning that the energy sector is the target of increased cyber-attacks. Symantec said that it has observed increased activity from the actors behind the Dragonfly 2.0 campaign and that there are strong indicators of recent attacks against organizations in the U.S., Turkey, Switzerland, and elsewhere.

Like the original Dragonfly campaign, which ran from 2011 to 2014, the new campaign uses a combination of malicious emails, watering hole attacks, and Trojanized software to gain access to victim networks, the researchers said in a report.

“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” Symantec wrote. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”

Symantec researcher Eric Chien told Wired that there were more than 20 cases of hackers successfully gaining access to targeted companies’ networks and that the intruders had gained operational access to a handful of companies, including several in the U.S. and at least one in Turkey.

He warned that “there’s nothing left standing in the way [of sabotage] except the motivation of some actor out in the world.”

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s