Weekly Cyber Risk Roundup: Kaspersky’s Alleged Espionage and SmartVista Bug Unpatched

The National Security Agency and Kaspersky Lab were once again among the week’s top trending targets due to continued reporting around Kaspersky’s alleged involvement in the 2015 theft of classified materials from the home computer of an NSA employee.

2017-10-14_ITT.png

As we noted last week, sources told the The Wall Street Journal that a contractor took the sensitive data home without the NSA’s knowledge, and the Russian government was able to then steal that information by leveraging the contractor’s use of antivirus software created by Kaspersky. However, the Washington Post subsequently reported that the individual in question was actually an employee in the NSA’s elite Tailored Access Operations division.

In addition, officials told the WSJ this week that Kaspersky’s antivirus software was modified to search for terms such as “top secret,” as well as the classified code names of U.S. government programs, in an operation that is broader and more pervasive than just the one hacked employee. That modification could not have been done without Kaspersky’s knowledge, an official told the paper. However, Kaspersky has continued to state that it “was not involved in, and does not possess any knowledge of, the situation in question.”

The New York Times reported that the U.S. was first made aware of the espionage campaign leveraging Kaspersky by Israeli intelligence officers who hacked into Kaspersky Labs in 2014. Those hackers, later dubbed Duqu 2.0, exploited up to three zero-days in order to spy on Kaspersky Lab technologies, ongoing research, and internal processes, Kaspersky wrote in 2015 after discovering the intrusion.

Officials told the WSJ that it remains unclear exactly how many other government computers or employees may have been targeted via Kaspersky software – or if any additional sensitive data was stolen.

2017-10-14_ITTGroups

Other trending cybercrime events from the week include:

  • Defense-related breaches: The Australian Signals Directorate said that a defense contractor had 30 gigabytes of data stolen, including data related to F-35 Joint Strike Fighters, the C-130 military transport aircraft, the new spy plane P-8 Poseidon, the smart bomb JDAM, and some Australian naval vessels. A breach of South Korea’s military network last year allowed North Korean hackers to access vast amounts of data, including classified wartime contingency plans jointly created by the U.S. and South Korea.
  • Payment card breaches: Irish retailer Musgrave is asking customers of SuperValu, Centra, and Mace to be on the lookout for fraudulent charges due to concerns that their payment card numbers and expiration dates may have been stolen. Hyatt Hotels is notifying customers that payment card information swiped and manually entered at the front desks of some locations may have been compromised. Hue.com and nononsense.com, and their parent company Kayser-Roth, are notifying customers of a payment card breach tied to third-party website order processor Aptos. Droege Computing Services said that a StampAuctionNetwork server was hacked and payment card information was compromised due to a breach that occurred through Droege’s main offices. Tommie Cooper and Cricut are notifying customers that payment information may have been stolen due to malware on the checkout portions of their websites.
  • Other data breaches: Accenture confirmed it exposed massive amounts of data across four unsecured cloud servers, including passwords and secret decryption keys. Disqus said that 17.55 million users had their information compromised due to a security breach affecting a database from 2012 that included information dating back to 2007. A security researcher discovered a vulnerability in T-Mobile’s website that allowed malicious actors to gain access to customers’ personal data as long as they had a correct phone number. The previously reported breach at Deloitte compromised a server that contained the emails of at least 350 clients, The Guardian reported. Catholic United Financial is notifying members of breach due to SQL injection attacks. Palo Alto High School officials warned that students’ personal information was breached and posted to a “rogue” website. SyncHR is notifying employees that it accidentally exposed their benefit information to other HR administrators and customers.
  • Other notable events: Nearly $60 million was stolen from Far Eastern International Bank in Taiwan using malware designed to generate fraudulent SWIFT messages. The bank said it has recovered the vast majority of the stolen funds, with only $500,000 still outstanding. A security bug in the music platform PledgeMusic allowed anyone to log into some users’ accounts using a correct email address along with an incorrect password or no password at all. The bug could have been exploited to make unauthorized payments and pledges to artists. David Kent, the founder of the networking website oilpro.com, was sentenced to one year and one day in prison for hacking into the database of competitor Rigzone, stealing information on over 700,000 customers, using that information to grow Oilpro, and then attempting to sell Oilpro with its inflated growth and stolen data to Rigzone.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-10-14_ITTNew

Cyber Risk Trends From the Past Week

2017-10-14_RiskScoresResearchers have published the details of a yet-to-be patched SQL injection vulnerability affecting BPC Banking Technologies’ SmartVista product suite after numerous reports of the bug went unanswered.

Exploiting the vulnerability requires authenticated access to the transactions portion of SmartVista front-end, the researchers said, and it can lead to the compromise of various  sensitive data depending on the level of access the BPC SmartVista user was granted. Researchers said the company has yet to respond to multiple vulnerability reports from Rapid7, CERT/CC in the U.S., and SwissCERT that date as far back as May 10.

BPC’s website states that the company has 188 customers across 66 countries, including “huge tier 1 banks, and both midsize and smaller companies.” The website also states that all of its solutions are delivered via the SmartVista product suite, which “handles all aspects of ATM management, billing, mobile and contactless payments, settlement, point of sale, card issuing and acquiring, microfinance and electronic payments processing.”

Rapid7 researchers said that an attacker could craft a series of true/false statements to brute-force query the database, allowing information from accessible tables to be exposed, such as usernames and passwords. Rapid7 program manager Samuel Huckins told Threatpost the company was hesitant to publish its findings due to the potential for financial and data loss, but it has not received any response from BPC or evidence of the vulnerability being patched across many months.

“After a certain point, we needed to move forward and make it public in the hope they see it and take action,” Huckins said. “This could impact a lot of their customers who may not be aware of this at all.”

The researchers advised users to contact BPC support for more details, to limit access to the management interface of SmartVista, and to regularly perform audits of successful and failed logins.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s