Jeff Peters

Weekly Cyber Risk Roundup: Yahoo Breach Expands, Equifax Grilled, Another NSA Insider

Yahoo and Equifax were both back in the news this week due to new details emerging around their respective data breaches, including Yahoo revising the number of affected accounts to three billion and Equifax’s former CEO being grilled before Congress.

Yahoo had previously stated that its 2013 data breach affected one billion user accounts, which made it the most widespread data breach in history. On Tuesday Verizon Communications, which acquired Yahoo for $4.48 billion in June, tripled the number of impacted accounts to include all three billion of Yahoo’s users accounts. The breach was particularly egregious not only because of its size, but because it involved sensitive information such as the security questions and answers and backup email addresses used to recover accounts. Yahoo’s massive 2013 breach is in addition to a separate, previously disclosed breach that affected 500 million Yahoo accounts in 2014.

This week also saw the congressional testimony of Equifax’s former CEO Richard Smith. Smith said the breach was due to a combination of “both human error and technology failures” around implementing an Apache Struts patch made available on March 6, which was not patched for months despite a policy stating patches occur within a 48-hour time period. The testimony was met with harsh criticism from some lawmakers. For example, Sen. Elizabeth Warren (D-Mass.) questioned the entire business model of Equifax, claiming that the company has no incentive to protect consumer data and highlighting various avenues through which the company is making “millions of dollars off its own screwup.” Warren said that Equifax may “actually come out ahead” financially in regards to its breach, which affects 145 million people.

Despite the ongoing fallout, the IRS renewed a $7.25 million contract with Equifax to use its services to verify taxpayer identities. The contract drew major criticism; however, IRS Deputy Commissioner Jeffrey Tribiano said it was a necessary “stop gap” so millions of taxpayers did not lose access to their transcripts.

Other trending cybercrime events from the week include:

Newly announced data breaches: Auburn Eye Care Associates of California was hacked by TheDarkOverlord and thousands of patients records were stolen from its electronic health record system. Cabrillo Community College District said that it discovered unauthorized access to a server containing a database with student orientation information. The Online Traffic School said that customer information was compromised due to an individual gaining unauthorized access to part of its network. Northwestern Mutual Life Insurance Company said that customer information was compromised due to a financial advisor falling for a scam that led to a malicious actor gaining remote access to a desktop computer multiple times. The law firm Clark Hill had its systems accessed by Chinese hackers and sensitive documents related to Chinese dissident Guo Wengui were subsequently released on Twitter. Phoenix Inn Suites is the latest hotel to issue a breach notification tied to the Sabre Hospitality Solutions SynXis Central Reservations system.

Organizations expose data: A misconfigured database that collected data on activity on a number of NFL-related domains such as the National Football League Players Association’s website exposed the data of 1,133 NFL players and agents. The database also included a ransom message from February 2017 similar to the ones targeting other Elasticsearch servers earlier this year — indicating that the data was accessed by cybercriminals. FlexShopper said a database containing payment and other customer information may have been exposed on the internet for several days. National Bank of Canada said that 400 customers had their personal information exposed due to a website glitch. Graton Resort and Casino, Kenco, and North Carolina A&T State University all announced breaches related to inadvertently disclosing sensitive customer, employee, and student data via email attachments.

Other notable incidents: U.S. government officials believe that the personal cellphone of chief of staff John Kelly was compromised, and the compromise may date back to December 2016. The R6DB gaming service, which provides statistics for Rainbow Six Siege gamers, said that an automated bot breached its PostgreSQL installation and wiped the database then demanded a ransom payment. Etherparty said it had to shut down its website for 90 minutes after discovering a fraudulent contribution address on the site just an hour after the ICO for its FUEL token went live. The City of Englewood said that it was hit with a ransomware infection. The UK National Lottery and Kazakhstan banks reported service disruptions due to DDoS attacks.

Arrests and legal actions: A federal indictment alleges that a former Hewlett-Packard Enterprise Corp. employee intentionally caused damage to Oregon’s Medicaid Management Information System (MMIS) after being laid off, resulting in an eight-hour loss of functionality for the system. The former principal of Seven Peaks School in Oregon is being sued for allegedly downloading thousands of private documents related to the students and staff, including psychological evaluations of students.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

On Thursday, The Wall Street Journal reported that the Russian government was able to steal highly classified NSA material from an NSA contractor who removed the classified material and put it on his home computer without the NSA’s knowledge.

The sources said that the breach, which occurred in 2015, was first discovered in the spring of 2016 and included details about how the NSA penetrates foreign computer networks, code it used for such spying, and details on how the NSA defends networks inside the U.S.

Sources told the WSJ that the hackers appear to have used the antivirus software created by Russia-based Kaspersky Lab in order to identify the files on the contractor’s computer. The paper also reported that it is the first known incident of the popular antivirus software being exploited by Russian hackers to conduct espionage against the U.S. government.

Kaspersky Lab said it “has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.”

The alleged NSA breach provides some insight into reports that the FBI has been urging private companies throughout the year to discontinue using Kaspersky products due to intelligence that indicated the company is an unacceptable threat to national security. In addition, the Department of Homeland security issued a directive in September ordering federal agencies to take actions to ultimately remove Kaspersky-related products from government computers.

The breach also appears to be separate from the incidents involving NSA contractor Harold T. Martin III, who hoarded large quantities of sensitive NSA data and hacking tools in his home, and TheShadowBrokers, a group that is best known for the April 2017 release of stolen NSA exploits such as EternalBlue, among others. As we noted in our August blog, officials have not linked TheShadowBrokers to Martin’s insider theft, and it appears the same can be said of the newly reported NSA breach. However, this new incident now makes two recent insiders who have successfully taken highly confidential NSA data home — and at least one case of that data then being successfully targeted by foreign hackers once it was in a less secure environment.

How to Organize and Classify Different Aspects of Cyber Threat Intelligence

Over the past few years, cyber threat intelligence has matured to cover many different aspects of business. What threat intelligence is and how people view and define it can vary quite a bit depending on the vendor providing the intelligence, the business unit consuming that intelligence, the deliverables expected of the intelligence, and the ultimate cyber risk management goals of the organization.

The evolution of threat intelligence has generally been a good thing for organizations, but it has also made it more difficult to wrap one’s head around the concept — particularly for those new to the subject. SurfWatch Labs chief security strategist Adam Meyer recently created a threat intelligence mind map to help show the different areas of threat intelligence and how they all tie together for organizations.

“It’s meant to give the individual looking at it kind of an overview of what cyber threat intelligence is,” said Meyer, who came on the latest Cyber Chat podcast to discuss the mind map and associated whitepaper. “If I was to start a cyber threat intelligence program, these are the components of what that program would be — at the high level.”

Adam Meyer’s threat intelligence mind map.

Meyer said he was looking to standardize some of the resources that have already been published in the intelligence community and other thought leadership, as well as bring together some important parts of threat intelligence that weren’t always discussed, such as the people and process behind intelligence.

For example, early adopters of threat intelligence often begin with the mindset of collect, collect, collect, Meyer said, but all that raw data doesn’t necessarily translate into better security.

“Their eyes glaze over and they start realizing, ‘While how am I supposed to process all this information now, and not only process it in general, but how do I process it in a timely fashion; how do I put context around it’ — all those people-and-process-centric type of things,” Meyer said.

As SurfWatch Labs noted in its recent whitepaper on the mind map, the starting point for most organizations should be strategic threat intelligence.

Download the free whitepaper, “How Cyber Threat Intelligence Fits Into Your Security Program”

“Strategic cyber threat intelligence can help to answer many of the big-picture cyber risk questions facing organizations,” the paper noted. “Those answers can help to inform every other aspect of an organization’s threat intelligence operation and help ensure that cybersecurity efforts and investments and aligning with business priorities.”

Meyer echoed that sentiment.

“Basically, it’s looking at who is the decision maker and why do they care,” Meyer said. “Your intelligence should be driving the answer to that question.”

With those high-level questions answered, organizations can dive more deeply into other interconnected areas of the mind map, and those risk areas — whether it’s technology or fraud or supply chains or other risk concerns — will likely continue to blend together in the future, Meyer said.

“There seems to be an increase in awareness of needing to bring things together, which is what drove me to create the mind map.”

For more on the using the Threat Intelligence Mind Map, download the whitepaper or listen to our Cyber Chat Podcast with Adam Meyer below:

Weekly Cyber Risk Roundup: Deloitte Breached and More Possible Supply Chain Attacks

Deloitte, one the world’s “big four” accounting firms, was the week’s top trending new cybercrime target after it was reported that the firm experienced a breach that compromised some of its clients’ information.

The Guardian reported that Deloitte clients’ information was compromised after a malicious actor gained access to the firm’s global email server through an administrator account that did not have two-step verification enabled.

Six Deloitte clients have been informed of the breach, which was first discovered in March 2017 and may have dated back to October 2016. The Guardian was told that an estimated five million emails could have been accessed by the hackers since emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service; however, Deloitte said the number of emails that were at risk is “very small fraction of the amount that has been suggested.”

Shortly after The Guardian story broke, Brian Krebs reported that a source close to the Deloitte investigation said the company’s breach involves the compromise of all administrator accounts at the company, that it’s “unfortunate how we have handled this and swept it under the rug,” and that “it wasn’t a small amount of emails like reported.” The source also said that investigators identified several gigabytes of data being exfiltrated and that Deloitte is not sure exactly how much data was taken.

Additionally, The Register reported that what appeared to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found within a public-facing GitHub-hosted repository; that a Deloitte employee uploaded company proxy login credentials to his public Google+ page; and that Deloitte has “loads” of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled.

Other trending cybercrime events from the week include:

Ransomware continues: Montgomery County, Alabama officials said the county paid 9 bitcoins ($37,000) in ransom to regain access to its files after a SamSam ransomware infection disrupted services at the Montgomery County District Attorney’s Office. Officials said they had backups in place, but that the off-site backup servers were nearing capacity, along with some other issues. San Ysidro School District said it was infected with ransomware that affected emails and some shared files and demanded $18,000 in ransom. However, the school did not pay the ransom as it had a backup in place. The Arkansas Oral & Facial Surgery Center is notifying patients of a July 26 ransomware infection that made inaccessible imaging files such as x-rays, document attachments, and all electronic patient data related to visits within three weeks prior to the infection.
Other extortion attacks: Malicious actors are using compromised iCloud credentials along with Find My iPhone to lock users computers with a passcode and then demand a ransom to unlock the device. Mac Rumors reported that the attack can bypass two-factor authentication since Apple allows users to access Find My iPhone without requiring two-factor authentication in the event that the user’s only trusted device is missing. A group using the name Phantom Squad is believed to have sent extortion emails to thousands of companies threatening DDoS attacks on September 30 unless a 0.2 bitcoin ($720) ransom is paid. SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy in Massachusetts said that TheDarkOverlord accessed data stored in Patterson PTOS software, and TheDarkOverlord shared the stolen database of 16,428 patient records with databreaches.net, which confirmed the breach. TheDarkOverlord went public with the breach after a failed ransom attempt.
New point-of-sale breaches: The fast-food chain Sonic said it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash. Whole Foods said that some of the taprooms and full table-service restaurants in its grocery stores experienced a point-of-sale breach. The breach did not affect credit cards used at the store’s main checkout systems as those use a different point-of-sale system.
Other notable incidents: The Toms River police department said that 3,7000 individuals had their information compromised due to a data breach. Fresno Unified School District said that the personal information of 53 employees, retirees, and their dependents was found in the possession of multiple individuals arrested by the Gilroy and Clovis police departments. Signator Investors is notifying customers that an unknown third party gained unauthorized access to some client records. The Brown Armstrong financial consultancy firm is warning that fraudulent tax returns were filed under some of its client’s names. A lawyer at the law firm Wilmer, Cutler, Pickering, Hale and Dorr inadvertently leaked PepsiCo privileged information by email to a Wall Street Journal reporter. The federal government notified 21 states that they were the target of hacking related to the 2016 presidential election.

Cyber Risk Trends From the Past Week

Last week we noted the malicious version of CCleaner that was downloaded approximately 2.27 million times appeared to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

This week Morphisec, the firm that discovered the backdoored version of CCleaner, said that there may be other similar attacks leveraging common applications that have been compromised in an attempt to gain access to even more corporate networks.

The company’s chief technology officer Michael Gorelik said that it is currently investigating historical “false positive” reports in an attempt to discover evidence if other applications have been backdoored. Gorelik said that he believes there were other supply chain attacks like the CCleaner one, and that the initial findings of the investigation were “very interesting.”

As SurfWatch Labs has previously noted, supply chains have proven to be one of the more difficult aspects for organizations to defend against, and malicious actors have shifted their attacks towards weak points in the supply chain to exploit the interconnected nature of organizations. For example, the June spread of WannaCry, perhaps the year’s most widely reported cyber incident, was tied to infections from the updater process for tax accounting software created by the Ukrainian company MEDoc.

The issues around CCleaner and MEDoc have been widely reported, but there are numerous other example of smaller-scale incidents that regularly occur. For example, last month npm, which describes itself as “the world’s largest software registry,” said that it removed more than 40 malicious packages after discovering an actor going by the name “hacktask” had published them with similar names to popular npm packages in an attempt to trick users into downloading them. In addition, popular Android apps, WordPress plugins, and other widely used products are frequently compromised to deliver various types of malware.

The researchers looking into supply chain attacks similar to CCleaner have not yet announced any other potential compromises, but organizations should keep an eye on the story to see if any discoveries occur in the coming weeks regarding applications being compromised to gain access to corporate networks.

Sonic Investigates Breach, 5 Million Cards For Sale on Cybercriminal Market

The fast-food chain Sonic said yesterday that it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash.

Sonic said its payment card processor informed the company last week of unusual activity regarding cards used at its stores. Krebs reported that two sources purchased a handful of payment cards from the batch of five million credit and debit cards listed on Joker’s Stash, and those sources said the stolen cards had all been recently used at Sonic locations.

A Sonic spokesperson said that the breach investigation is still in its early stages and it is unclear how many of the company’s nearly 3,600 locations may have been impacted.

2017-09-27_SonicBreachJokersStash — Cybercriminal markets like Joker’s Stash often allow the filtering of stolen payment cards based on various options such as location, which allows malicious actors to target affluent areas or to buy cards located near them so that fraudulent transactions are harder to detect.

“It remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs wrote. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”

Fast food chains have been at the center of some of the most impactful and widely discussed payment card breaches over the past several years. In July 2016, Wendy’s announced that more than 1,000 stores were affected by point-of-sale malware, leading the fast-food chain to become the top trending company tied to a payment card breach last year. Likewise, Arby’s point-of-sale breach is the top trending consumer goods payment card breach of 2017, and other major restaurant chains such as Chipotle and Shoney’s have announced similar breaches this year.

2017-09-27_ConsumerGoodITT — Arby’s is the top trending consumer good target associated with payment card cybercrime so far this year, although it remains to be see how impactful the Sonic breach will be.

An interesting breach announcement trend in 2017 is the attempt to obfuscate the total number of breached locations behind clunky websites that divide the affected locations into searches not just by state, but by city. Case in point, the breach lookup webpage provided by Arby’s, which mimics the cumbersome and now-defunct webpage set up by InterContinental Hotels Group (IHG) for its recent breach. The IHG website divided the affected locations across hundreds of individual cities, and that tool, along with the news that IHG would update the list as more hotels confirmed breaches, meant frequent travelers had to comb through numerous searches repeatedly in order to find out if they were impacted by a single breach.

The Wendy’s breach, which affected franchise locations serviced by a third-party payment provider, was particularly painful for financial institutions as some locations were re-compromised after initially clearing the malware — leading to customer payment cards having to be re-issued multiple times. The Arby’s breach, by contrast, was caused by malware placed on systems inside corporate stores rather than franchise locations.

It’s unclear at this point which Sonic stores were affected, but the a 2016 report to stockholders said that 3,212 of the company’s 3,557 locations are franchised. The company also announced in 2014 that it was rolling out a new point-of-sale system and proprietary point-of-personalized service technology based on a Micros Oracle platform. In April 2017 it was reported that the update had made its way to 77 percent of Shoney’s locations.

Weekly Cyber Risk Roundup: SEC, Illicit Trading and CCleaner Industrial Espionage

The U.S. Securities and Exchange Commission (SEC) was the week’s top trending new cybercrime target following the announcement that a data breach compromised sensitive data that may have “provided the basis for illicit gain through trading.” SEC chairman Jay Clayton said the commission learned last month that an incident “previously detected” in 2016 may have led to the illicit trading.

“Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” Clayton said in a statement.

EDGAR — which is an acronym for electronic data gathering, analysis, and retrieval — contains millions of filings from companies. The investigation is ongoing, but it is likely that any insider trading due to the breach would have occurred between the period when company filings were made and when those filings were released to the public. The SEC breach echoes, on a smaller scale, the insider trading scheme for which a Ukrainian hacker was sentenced to prison earlier this year. That scheme revolved around the theft of 150,000 news releases from Business Wire, Marketwired, and PR Newswire between February 2010 and August 2015, which led to more than $100 million in illegal profits.

Reuters said it had viewed a confidential report stating that the U.S. Department of Homeland Security detected five “critical” weaknesses on the SEC’s computers as of January 23. In addition, the Government Accountability Office warned in July that the SEC was “at unnecessary risk of compromise” because of deficiencies in its information systems. Reuters also reported that new SEC reporting rules start to come into effect in December that require funds to confidentially file monthly, rather than quarterly, portfolio holdings with the SEC. The breach has unnerved investor groups such as the Investment Company Institute, which wants the SEC to answer cybersecurity concerns before the SEC begins collecting additional sensitive data.

Other trending cybercrime events from the week include:

TheDarkOverlord threatens violence: Flathead County in Montana closed 30 schools for several days following a breach and ransom letter that claimed to come from TheDarkOverlord and hinted at physical violence, as well as threats against individual families that leveraged the school’s electronic directory. Databreaches.net wrote that “the Flathead case is not the first case where TheDarkOverlord has contacted its victims by phone or SMS to threaten them or deliver obscenity-laden messages.”
Organizations expose more data: Researchers discovered an Amazon AWS S3 bucket belonging to Viacom that contained “a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations.” Researchers discovered an Amazon AWS S3 bucket with more than half a million records belonging to the automobile tracking company SVR Tracking. The Office of the Australian Information Commissioner is investigating the exposure of the financial information of customers of Amazing Rentals. The British supermarket chain Iceland exposed customer information on its home delivery confirmation sheets, which also contained an IP address that led to a insecure login portal for Iceland’s scheduling system. Premier Medical Associates said that 900 patients that submitted information via the “Contact Us” portion of its website had that data compromised due to search engines retrieving the submissions.
New data breaches: OurMine gained access to Vevo’s media storage servers and leaked 3.12TB of company data. Bulletproof 360 is notifying customers that their payment information may have been compromised due to the discovery of unauthorized code on its website’s checkout page. TD Ameritrade said “unauthorized code” led to the breach of customer information. LiteBit is notifying users that their personal information was accessed in an attack that targeted a supplier and a LiteBit server. Cornerstone Business and Management Solutions said that it discovered an unauthorized account on a server and that the data of Certified Medical Supplies patients was compromised. Irish National Teachers’ Organization said that more than 30,000 teachers had their personal information compromised due to hackers gaining access to its online learning portal. TRUEbenefits, ABB, Inc., Morehead Memorial Hospital in North Carolina, and AU Medical Center all announced breaches due to compromised employee email accounts.
Other notable incidents: Montgomery County in Alabama said that a ransomware infection locked up computer systems and disrupted some county services. PeaceHealth Southwest Medical Center is notifying 1,969 patients that their protected health information was unnecessarily accessed by an employee. A Georgia man was found guilty of inserting malicious code known as a “logic bomb” into a national-level computer program responsible for handling pay and personnel actions for nearly 200,000 U.S. Army reservists. An Arizona man was sentenced to four years of federal probation for making changes to a company website that prevented the company’s employees from using their email accounts, redirecting the company’s homepage to a blank page, demanding $10,000 to return everything to normal, and then redirecting the company’s homepage to a pornographic website when it refused to pay the ransom.

Cyber Risk Trends From the Past Week

Last week the developer of CCleaner announced that approximately 2.27 million users of CCleaner downloaded a legitimately signed version of the utility containing malicious code. Shortly thereafter, it was reported that the spreading of a backdoored version of CCleaner appears to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

The malicious version of CCleaner was available on the site from August 15 to September 12, said Piriform, which was recently acquired by Avast, and affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. The compromised code could have resulted in “the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.”

Researchers found evidence that the actors attempted to filter their collection of compromised victim machines to find computers inside the networks of tech firms, such as Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, Cisco, and more. In about half of the cases, the actors behind the attack successfully compromised a machine within the company’s network and used that to install another piece of malware likely intended for industrial espionage. The researchers also noted that the list of targets discovered was likely modified throughout the month-long campaign, so there may be additional companies that were targeted besides the 18 that were identified.

“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” Cisco researchers wrote.

Weekly Cyber Risk Roundup: Equifax Fallout and Widespread Bluetooth Vulnerabilities

Equifax continued to dominate cybersecurity discussion over the last week as security researchers, government officials, lawyers, and the media have continued to ask questions around the fallout related to the massive breach, which affects 143 million consumers in the U.S. as well as others across the globe.

Equifax confirmed that the actors behind the breach exploited an Apache Struts vulnerability (CVE-2017-5638). The Apache Software Foundation noted that vulnerability was made public and a patch was issued for it on March 7, more than two months before the initial “mid-May” comprise at Equifax.

“In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the foundation wrote in a blog post.

To add to the company’s woes, researchers discovered that an online portal for Argentinian employees to manage credit report disputes had, among other issues, the ridiculously easy-to-guess username and password combination of “admin” and “admin” — potentially leaking the sensitive information of those in Argentina and possibly other Latin American countries.

In addition, the FTC, which has opened an investigation into the breach, is warning consumers to be on the lookout for scams involving Equifax imposters and advising consumers to never give information to anyone who calls unprompted and claims to be from the company. Visa and Mastercard are also sending confidential alerts to U.S. financial institutions regarding the 209,000 payment card numbers that were also stolen in the breach. Brian Krebs reported that it appears those stolen payment cards are, ironically, tied to people signing up for credit monitoring service through Equifax. Finally, the breach has prompted Elizabeth Warren and 11 other Democratic senators to introduce a bill to give consumers the ability to freeze their credit for free.

Other trending cybercrime events from the week include:

Notable data breaches: The website canoe.ca said that the personal information of one million Canoe site users was compromised by a breach that affected databases containing records from 1996 to 2008. Children’s Hospital Colorado is notifying 3,400 patients that their information may have been compromised due to an employee’s email account being accessed by an unauthorized party on July 11. Donors of the Somerville House Foundation, which is responsible for running the elite school in Australia, were warned that a former employee had copied over their data to a personal hard drive.
Organizations expose data: Individuals who used translate.com may have had sensitive data they submitted made public and discoverable via search engines. Researchers and media have found a variety of sensitive data that was submitted to the site being leaked, including email exchanges, sensitive company documents, personal information, and more. Translate.com said, “there was a clear note on our homepage stating: ‘All translations will be sent to our community to improve accuracy’ and that ‘some of these requests were indexed by search engines such as Google and Microsoft at that time.’” The personal information of 593,328 Alaskan voters was exposed due to a misconfigured CouchDB database by Minnesota-based software company Equals3, which licensed the data from TargetSmart.
Ransomware incidents: Hackers were able to gain access to the communications system for Schuyler County via a brute-force attack, and as a result some enhanced 911 features were disrupted. Officials said that the county is rebuilding all of its files and servers following the attack, indicating that there may have been some sort of ransomware attack or other destructive malware. A ransomware infection has disrupted the Butler County, Kansas, computer system for several days and forced paperwork to be filled out by hand, the county sheriff said.
Arrests and legal actions: The Russian cybercriminal Roman Seleznev pleaded guilty to his role in the 2008 hack of RBS Worldpay and cashing out $2,178,349 associated with five hacked debit card numbers. Artur Sargsyan, the owner of the file-sharing website Sharebeast.com, has pleaded guilty to one felony count of copyright infringement related to the website, which facilitated the unauthorized distribution and reproduction of over one billion copies of copyrighted works. A North Carolina man who goes by the moniker “D3F4ULT” and was a member of the “Crackas With Attitude” hacking group has been sentenced to five years in prison for hacking government computer systems and the online accounts of government officials. A Texas man was sentenced to 27 months in prison for hacking and damaging 13 servers operated by the healthcare facility Centerville Clinic, Inc., as well as engaging in a scheme to defraud the facility using its purchase card to order merchandise from staples after resigning from his role as a systems administrator. The U.S. Treasury department issued sanctions against 11 entities and individuals tied to Iran, including some actors who are accused of launching DDoS against against U.S. financial institutions between 2011 and 2013.

Cyber Risk Trends From the Past Week

Security researchers are advising people to ensure their Bluetooth connections are turned off when not in use after the discovery of a series of vulnerabilities that can be used to compromise billions of Bluetooth-enabled devices.

The eight vulnerabilities, dubbed “BlueBorne,” were first reported by Armis Labs and “are the most serious Bluetooth vulnerabilities identified to date,” according to a company spokesperson.

“BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware to other devices,” the researchers wrote in a paper detailing the vulnerabilities. “The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device. In addition, the targeted user is not required to authorize or authenticate the connection to the attacker’s device.”

As an Armis spokesperson told Bleeping Computer, one example of an attack could be a malicious actor simply walking into a bank carrying weaponized code on a Bluetooth-enabled device in order to infect other devices and gain a foothold on a previously secured network. In addition to the paper, Armis has uploaded videos showing how the BlueBorne attacks work across various devices.

Four of the vulnerabilities affect Android (CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785), two affect Linux (CVE-2017-1000251 and CVE-2017-1000250), one affects iOS (CVE-2017-14315), and one affects Windows (CVE-2017-8628). Ars Technica reported that the Windows vulnerability was patched in July, Google provided device manufacturers with a patch in August, Linux maintainers will likely release a patch soon, and iOS version 10 is not affected by the vulnerability.

Dark Web Markets, Equifax Breach Raise Authentication Concerns

The recent Equifax breach once again has the whole nation talking about cybercrime — and the widespread fraud and identity theft likely to follow in the wake of 143 million compromised consumers. Identity theft is a major concern for individuals, but as SurfWatch Labs chief security strategist Adam Meyer noted, malicious actors spring boarding off of breached information to authenticate as legitimate users is perhaps a more significant concern when it comes to organizations.

Meyer’s thoughts echo the findings of SurfWatch Labs’ recent whitepaper, which found that malicious actors tend to be focused on authentication when it comes to fraud on dark web markets and cybercriminal forums.

Downloaded the full whitepaper, “Fraud and the Dark Web”

The most observed type of dark web fraud in 2017 is account fraud, which has accounted for more than a quarter (25.2%) of all the fraud-related activity observed on the dark web this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:

online accounts for banking and financial services;
online store accounts, as both buyers and sellers;
accounts tied to monthly subscriptions or other recurring services;
accounts related to the growing number of digital cryptocurrencies;
and more.

By comparison, credit card fraud, which is what many consumers may associate with the dark web, has only accounted for 16.7% of the activity so far this year.

The focus on this more indirect fraud — the buying, selling, and trading of access to accounts connected to payment information or services — is driven by both the huge growth in the number of online accounts and the weak authentication that so often accompanies those accounts.

The Equifax breach has simply exacerbated those authentication concerns to the point where outlets like Wired and The Verge are writing that we may need a “fundamental reassessment in how, and why, we identify ourselves” and that it may be “time to burn it all down and start over.” SurfWatch Labs analysts, along with many other researchers, have been warning for years that the pool of forever-compromised information is continuing to grow deeper and cause more issues for business unprepared to deal with that reality.

What can organizations do to protect themselves? Unfortunately, that is not a one-size-fits-all answer.

“Collectively, organizations lose billions of dollars to fraud-related cybercrime every year,” the whitepaper noted. “Individually, how each organization should address the problem of fraud can vary greatly depending their unique risk footprints.”

However, there are some general best practices that all businesses should keep in mind when it comes to combating fraud, such as:

Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.
Discourage the the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors. NIST recommends advising users against passwords that have been previously breached, and in August 2017 security researcher Troy Hunt provided a list of 320 million compromised passwords that organizations can implement to encourage the use of more secure passwords as they see fit.
Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.
Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.

In addition to our whitepaper on Fraud and the Dark Web, SurfWatch Labs will also be hosting a webinar on Wednesday, September 20 from 1-2 PM ET.

Cyber Fraud: How it Happens and What You Can Do

The webinar will feature a discussion around cyber fraud, including an in-depth examination of the “Anatomy of Fraud,” what intel can be gathered from Dark Web markets and forums, and recommended courses of action to proactively mitigate the risk of fraud as well as how to effectively respond if fraud occurs.

Weekly Cyber Risk Roundup: Equifax Criticized Over Breach and Energy Sector Companies Compromised

Last Thursday, Equifax announced a data breach affecting 143 million individuals. The breach, which compromised sensitive personal information such as Social Security numbers and driver’s license numbers, is not just the most impactful breach that occurred over the past week, it may be the most significant breach we see in all of 2017.

As SurfWatch Labs chief security strategist Adam Meyer noted, the impact of the Equifax breach will likely continue to ripple outward and affect individuals and organizations far beyond the near term. After all, the Social Security numbers and dates of birth that were stolen in the breach are static identifiers that range from difficult to impossible to change. Meyer also noted that malicious actors excel at snowballing information and could potentially use the leaked data as a springboard to circumvent knowledge-based authentication services, such as those that are offered by Equifax.

Equifax’s response to the breach has also drawn criticism on a variety of fronts. Bloomberg reported that three senior Equifax executives sold nearly $1.8 million worth of shares in the days following the breach, which was first discovered on July 29. Brian Krebs called the breach response a “dumpster fire” for a variety of reasons, including a tool that Equifax said potential victims could use to see if they are affected being “completely broken” and concerns around a now-modified terms of service clause that initially appeared to force victims to waive future class action rights in exchange for signing up for identity theft services. The New York Times reported that the 10-digit PINs being provided to those that choose to pay to freeze their credit files are not as secure as one would expect. Finally, The Hill reported that numerous members of Congress and states attorneys general have already launched investigations and are demanding further explanations from Equifax.

Other trending cybercrime events from the week include:

Notable data breaches: The Latin American social network Taringa said that hackers have stolen the usernames, email addresses, and MD5-hashed passwords of nearly 29 million users. The state government of Western Australia has ordered an urgent review of the state’s TAFE cyber security systems after the information of 13,000 students was compromised when an unauthorized user gained access to the TAFE’s IT system on two separate occasions. The Community Memorial Health System in Ventura, California, is notifying 959 patients that their personal information may have been compromised due to an employee’s email account being accessed following a phishing email. The Alaska Office of Children’s Services said that malware was found on two computers and that more than 500 individuals may have had their personal information stolen as a result. The Hong Kong jobs website cpjobs.com said that an unauthorized third party was able to gain access to user data and passwords. A customer of the DDoS-for-hire service TrueStresser claims to have hacked the company and released what appears to be legitimate company data.
Organizations exposed data: Researchers discovered more than 600GB of sensitive data exposed via two insecure Amazon S3 buckets that appear to be connected to the global communication software and service provider BroadSoft, Inc. Much of the internal development data apparently saved by Broadsoft engineers related to Time Warner Cable. Researchers discovered a misconfigured CouchDB database connected to MoneyBack that exposed the passports, IDs, and other personal details of thousands of travelers to Mexico. Researchers discovered an unsecured Amazon Web Services S3 data storage bucket that contained 9,402 resumes and application forms submitted for positions with North Carolina-based private security firm TigerSwan. An email error led to those who preordered Essential phones receiving the personal details of other customers, including copies of driver’s licenses.
Another wave of MongoDB ransoms: Attacks against insecure MongoDB instances surged recently as three groups of hackers wiped approximately 26,000 MongoDB databases and left ransom notes saying the data would be restored for between 0.05 and 0.15 bitcoin, or as much as $650. The researchers said that few organizations have paid the ransom.
Other notable incidents: WikiLeaks has published a series of documents related to the CIA’s Protego project, which WikiLeaks described as “a PIC-based missile control system that was developed by Raytheon.” Verrit, an online hub that includes information for Hillary Clinton backers to share, recently went offline after experiencing a “pretty significant and sophisticated” cyber-attack, the site’s creator said. The UK’s National Fraud & Cyber Crime Reporting Center is warning that students are being targeted with a phishing scam that claims their Student Loans Company accounts have been suspended due to incomplete information.

Cyber Risk Trends From the Past Week

Security researchers are once again warning that the energy sector is the target of increased cyber-attacks. Symantec said that it has observed increased activity from the actors behind the Dragonfly 2.0 campaign and that there are strong indicators of recent attacks against organizations in the U.S., Turkey, Switzerland, and elsewhere.

Like the original Dragonfly campaign, which ran from 2011 to 2014, the new campaign uses a combination of malicious emails, watering hole attacks, and Trojanized software to gain access to victim networks, the researchers said in a report.

“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” Symantec wrote. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”

Symantec researcher Eric Chien told Wired that there were more than 20 cases of hackers successfully gaining access to targeted companies’ networks and that the intruders had gained operational access to a handful of companies, including several in the U.S. and at least one in Turkey.

He warned that “there’s nothing left standing in the way [of sabotage] except the motivation of some actor out in the world.”

Impact of Massive Equifax Breach Will Likely Ripple Into the Future

On Thursday, the consumer credit reporting agency Equifax announced a massive data breach affecting 143 million U.S. consumers, and today several actors on the dark web and Twitter are claiming to have the data for sale.

Equifax said the breach was caused by a website application vulnerability that provided malicious actors access to sensitive data from mid-May through when the intrusion was detected on July 29. That data includes the theft of consumers’ Social Security numbers, dates of birth and addresses, as well as the credit card numbers of 209,000 consumers, dispute documents with personal identifying information for another 182,000 consumers, and an unreported number of driver’s license numbers. In addition, the company said that “limited personal information for certain UK and Canadian residents” was also compromised.

Breach Causes Authentication Concerns

In addition to being one of the largest breaches of recent memory, the type of information that was stolen is a treasure trove for cybercriminals looking to carry out fraudulent activities in the future. As SurfWatch Labs chief security strategist Adam Meyer noted, the type of information that Equifax holds is often used for authentication purposes as well.

“You will see plenty of commentary regarding tax and various banking fraud scenarios, but there is one area that concerns me more, and that is the credit-based identity space,” Meyer said, referring to the types of questions that are pulled from consumers’ credit reports for knowledged-based authentication. “While full credit report information has not been disclosed as being compromised, it is possible that what has been compromised can still help with that authentication process. When you call a help desk for a transaction, what do they use to authenticate you? Name, address, Social Security numbers — all the same information that was just breached on a massive scale.”

Meyer also noted that if malicious actors could leverage this information to get even more data and answer more knowledge-based authentication questions, it could be a problem for organizations.

“Aside from the obvious impacts of PII being leveraged as it has in the past, I am worried that this particular breach has an impact to a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud that are all integrated,” Meyer said. “These are services that support employment verification, social services verification, identity proofing as they call it. The strength in this authentication is the fact that only the user should know this information when challenged; however, with this breach approximately 60 percent of the working age U.S. population’s PII could be out there and available to use [by malicious actors] to potentially authenticate [as those users].”

Actors Claim to Have Equifax Data

SurfWatch Labs’ team of analysts has observed several actors claiming to be in possession of the breached Equifax data, although we do not have much confidence in their legitimacy at this point.

One website on the dark web is threatening to publish all of the stolen data except credit card information if they don’t receive 600 bitcoins (approximately $2.6 million) in ransom by September 15.

A likely scam website on the dark web alleging to have the Equifax database and demanding a ransom from Equifax.

“Equifax executives sold 3 million dollars in shares taking advantage of their insider information after the attack,” the actors behind the site wrote in justifying their exorbitant ransom demand.

However, Bloomberg reported that the shares sold by three senior executives several days following the breach totalled $1.8 million and that the executives said they were not aware of the breach at the time of the sale.

In addition, researchers have also discovered other users claiming to have data for sale, such as this Twitter user. However, we again caution that this sale is likely not legitimate.

2017-09-08_Equifax2 — A Twitter user claiming to have the Equifax data for sale.

Scams on the Horizon

Those claiming to have the data so far may well be scams, but that should come as no surprise. As we noted last week about Hurricane Harvey scams, malicious actors will attempt to exploit any event or news story that grabs the attention of a large group of people. With 143 million people affected by the incident, scammers who gain access to the breached data will have an enormous group of engaged victims that they can exploit through emails, phone calls and other social engineering means in the coming days, weeks and months. In fact, those scammers may already have enough data to open fraudulent accounts, lines of credit, or carry out other forms of identity theft.

In addition, the data could be used to add legitimacy to a number of other scams.

For example, one could easily imagine a simple scam where malicious actors impersonate Equifax representatives enrolling victims in identity theft services and gain credibility by providing actual Social Security numbers and driver’s license numbers to “confirm” victims’ identities — before using that gained trust to pivot to other scam opportunities.

Leaked Data Could Lead to Additional Incidents

It’s also worth stressing, yet again, that there is no right to be forgotten in the cybercriminal world. As we noted in our 2016 Cyber Trends Report, once your data is exposed, it will likely forever remain in the cybercriminal domain. With this new Equifax breach, the pool of compromised information that can be leveraged by malicious actors grows deeper and the ripple effect of that breach will likely widen to impact more organizations in the future.

In addition, as Meyer noted, Equifax offers authentication services that include knowledge-based authentication, and the leaked Social Security numbers, driver’s license numbers and other sensitive information could be used a stepping stone in further breaches, he warned.

“My worry is that with this information a malicious actor could authenticate to a service like this using the already disclosed information [from the Equifax breach] and with just some public information sleuthing and maybe a good guess or two could answer the credit report follow up questions and likely pass go more often than not, especially when there is 145 million records available,” Meyer said.

Equifax has provided a website with more information about the breach, as well the ability to check to see if you are affected and to receive a future date to enroll in an identity protection service. It’s worth noting that Equifax is requiring consumers enter both their last name and the last six digits of their Social Security number to enroll, rather than the typical last four digits — reinforcing the idea that as more data gets leaked, proper authentication becomes more difficult.

As Meyer said, “With this I get the constant sense of déjà vu, maybe it is breach fatigue, or maybe it’s the fact that we all should never have to pay for credit monitoring again in our lifetime because our PII has been breached so many times.”

Talking the Preparedness Cycle and Reducing Cyber Risk with Andy Jabbour

Many organizations are struggling with how to best manage and mitigate the array of cyber risks they are facing. Those growing number of risks — from deliberate threats such as ransomware, data theft and social media hacking to non-deliberate risks such as poorly trained employees or issues that spread through the supply chain — can be challenging to quantify, prioritize and prepare against.

But don’t despair, said Andy Jabbour, the co-founder and managing director of Gate 15, there is hope. Andy recently wrote a series of blogs outlining how the Preparedness Cycle, which is often used to prepare for traditional threats, can also be implemented to help organizations prepare for cyber threats.

“The preparedness cycle has been around for quite a long time now and it has been used by the Department of Homeland Security, FEMA, and other federal, state, and local government agencies as part of managing the preparedness process,” Jabbour said during a recent Cyber Chat Podcast about his blog series. “The idea of applying it towards cyber risk is maybe something people don’t necessarily think about right away, but it certainly applies very well.”

As Jabbour noted in his eight-part blog series (linked below), a key part of successfully overcoming the impacts of incidents, including cyber incidents, is taking the time to properly prepare. Building a flexible, multi-year plan that addresses all stages of the Preparedness Cycle can help to provide the focus, thought and structure needed to begin tackling cyber risks in a more thoughtful and organized way, Jabbour said.

The Preparedness Cycle includes five general steps for organizations to work through when it comes to addressing their cyber risks (for an overview of the process, start with Jabbour’s Introduction to the Preparedness Cycle):

2017-09-05_PreparednessCycle — Source: FEMA

“No one has time to tackle every threat or to build a plan for every potential situation that may arise, so you need to build adaptable plans that work on addressing the most important risks,” Jabbour said. “We can’t do all of it, but we can do some, and if we’re smart we can try to put some things together to get the most bang for our buck — in both our training and our exercises.”

For more on the using the Preparedness Cycle to help manage your organization’s cyber risk, read the blog series above or listen to our Cyber Chat podcast.