Weekly Cyber Risk Roundup: Equifax Fallout and Widespread Bluetooth Vulnerabilities

Equifax continued to dominate cybersecurity discussion over the last week as security researchers, government officials, lawyers, and the media have continued to ask questions around the fallout related to the massive breach, which affects 143 million consumers in the U.S. as well as others across the globe.

2017-09-15_ITT

Equifax confirmed that the actors behind the breach exploited an Apache Struts vulnerability (CVE-2017-5638). The Apache Software Foundation noted that vulnerability was made public and a patch was issued for it on March 7, more than two months before the initial “mid-May” comprise at Equifax.

“In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the foundation wrote in a blog post.

To add to the company’s woes, researchers discovered that an online portal for Argentinian employees to manage credit report disputes had, among other issues, the ridiculously easy-to-guess username and password combination of “admin” and “admin” — potentially leaking the sensitive information of those in Argentina and possibly other Latin American countries.

In addition, the FTC, which has opened an investigation into the breach, is warning consumers to be on the lookout for scams involving Equifax imposters and advising consumers to never give information to anyone who calls unprompted and claims to be from the company. Visa and Mastercard are also sending confidential alerts to U.S. financial institutions regarding the 209,000 payment card numbers that were also stolen in the breach. Brian Krebs reported that it appears those stolen payment cards are, ironically, tied to people signing up for credit monitoring service through Equifax. Finally, the breach has prompted Elizabeth Warren and 11 other Democratic senators to introduce a bill to give consumers the ability to freeze their credit for free.

2017-09-15_ITTGroups

Other trending cybercrime events from the week include:

  • Notable data breaches: The website canoe.ca said that the personal information of one million Canoe site users was compromised by a breach that affected databases containing records from 1996 to 2008. Children’s Hospital Colorado is notifying 3,400 patients that their information may have been compromised due to an employee’s email account being accessed by an unauthorized party on July 11. Donors of the Somerville House Foundation, which is responsible for running the elite school in Australia, were warned that a former employee had copied over their data to a personal hard drive.
  • Organizations expose data: Individuals who used translate.com may have had sensitive data they submitted made public and discoverable via search engines. Researchers and media have found a variety of sensitive data that was submitted to the site being leaked, including email exchanges, sensitive company documents, personal information, and more. Translate.com said, “there was a clear note on our homepage stating: ‘All translations will be sent to our community to improve accuracy’ and that ‘some of these requests were indexed by search engines such as Google and Microsoft at that time.’” The personal information of 593,328 Alaskan voters was exposed due to a misconfigured CouchDB database by Minnesota-based software company Equals3, which licensed the data from TargetSmart.
  • Ransomware incidents: Hackers were able to gain access to the communications system for Schuyler County via a brute-force attack, and as a result some enhanced 911 features were disrupted. Officials said that the county is rebuilding all of its files and servers following the attack, indicating that there may have been some sort of ransomware attack or other destructive malware. A ransomware infection has disrupted the Butler County, Kansas, computer system for several days and forced paperwork to be filled out by hand, the county sheriff said.
  • Arrests and legal actions: The Russian cybercriminal Roman Seleznev pleaded guilty to his role in the 2008 hack of RBS Worldpay and cashing out $2,178,349 associated with five hacked debit card numbers. Artur Sargsyan, the owner of the file-sharing website Sharebeast.com, has pleaded guilty to one felony count of copyright infringement related to the website, which facilitated the unauthorized distribution and reproduction of over one billion copies of copyrighted works. A North Carolina man who goes by the moniker “D3F4ULT” and was a member of the “Crackas With Attitude” hacking group has been sentenced to five years in prison for hacking government computer systems and the online accounts of government officials. A Texas man was sentenced to 27 months in prison for hacking and damaging 13 servers operated by the healthcare facility Centerville Clinic, Inc., as well as engaging in a scheme to defraud the facility using its purchase card to order merchandise from staples after resigning from his role as a systems administrator. The U.S. Treasury department issued sanctions against 11 entities and individuals tied to Iran, including some actors who are accused of launching DDoS against against U.S. financial institutions between 2011 and 2013.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-09-15_ITTNew

Cyber Risk Trends From the Past Week

2017-09-15_RiskScoresSecurity researchers are advising people to ensure their Bluetooth connections are turned off when not in use after the discovery of a series of vulnerabilities that can be used to compromise billions of Bluetooth-enabled devices.

The eight vulnerabilities, dubbed “BlueBorne,” were first reported by Armis Labs and “are the most serious Bluetooth vulnerabilities identified to date,” according to a company spokesperson.

“BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware to other devices,” the researchers wrote in a paper detailing the vulnerabilities. “The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device. In addition, the targeted user is not required to authorize or authenticate the connection to the attacker’s device.”

As an Armis spokesperson told Bleeping Computer, one example of an attack could be a malicious actor simply walking into a bank carrying weaponized code on a Bluetooth-enabled device in order to infect other devices and gain a foothold on a previously secured network. In addition to the paper, Armis has uploaded videos showing how the BlueBorne attacks work across various devices.

Four of the vulnerabilities affect Android (CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785), two affect Linux (CVE-2017-1000251 and CVE-2017-1000250), one affects iOS (CVE-2017-14315), and one affects Windows (CVE-2017-8628). Ars Technica reported that the Windows vulnerability was patched in July, Google provided device manufacturers with a patch in August, Linux maintainers will likely release a patch soon, and iOS version 10 is not affected by the vulnerability.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s