Jeff Peters

San Francisco Muni Refuses Extortion Demands, But Many Others Choose to Pay

The San Francisco Municipal Transportation Agency (SFMTA) is continuing to deal with the fallout from a Friday ransomware attack that affected 900 office computers and led to passengers getting free rides as ticket machines were taken offline. The agency has since restored systems from a backup, and fares have been running as normal since Sunday; however, the actor behind the attack is still threatening to release 30GB of data if the 100 bitcoin ransom ($75,000) is not paid by tomorrow.

The actor, going by the name Andy Saolis, has refused to provide media outlets with a sample of the stolen data in order to verify the alleged theft, and SFMTA said that its ongoing investigation has not discovered that any data exfiltration took place.

“[N]o data was accessed from any of our servers,” the agency said in a statement. “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”

Many Organizations Choose to Pay

While SFMTA has decided not to pay the ransom, other organizations targeted by the same threat actor have been successfully extorted. A security researcher who gained access to an email account used by Andy Saolis said that the hacker had extorted at least $140,000 in bitcoins from victim organizations over the past few months, including 63 bitcoins (around $45,000) from a U.S.-based manufacturing firm. The emails also show that this past Sunday another company, China Construction of America Inc., paid 24 Bitcoins (around $17,500) to decrypt 60 servers infected with the same strain of ransomware, known as HDDCryptor or Mamba.

In addition to the attacks described above, SurfWatch Labs has collected, evaluated and analyzed data pertaining to dozens of other targets associated with extortion over the past month.

2016-12-01_extortion — Facebook is the top trending target tied to ransomware and extortion due to recent attacks known as ImageGate.

The top trending ransomware story over the past 30 days is the newly discovered attack vector known as ImageGate, which is infecting numerous users with Locky ransomware via Facebook and LinkedIn by exploiting a misconfiguration that forces victims to download a malicious image file. It’s unclear how many of those victims have paid the ransom, but a variety of other organizations have publicly confirmed making ransom payments recently:

The Lansing Board of Water & Light recently acknowledged it paid a $25,000 ransom after an employee opened an attachment that led to a ransomware.
A $28,000 ransom was paid after an infection locked up several government systems in Madison County, Indiana and the county’s insurance carrier advised payment.
The New Jersey Spine Center paid an undisclosed amount after CryptoWall encrypted all electronic medical records and the most recent system backup, as well as disabled the phone system.
Cloud service provider VESK said that it paid £18,600 after being infected with a strain of the Samas DR ransomware

Government Agencies Continue to Warn of Threat

Despite the many public incidents of late, the vast majority of ransomware attacks are believed to go unreported. That’s why in September the FBI urged victims to report infections regardless of the outcome. The FBI also warned of cybercriminals shifting tactics to target servers in order to receive larger ransoms.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

Tags such as HDDCryptor, Locky and unauthorized server access are trending in SurfWatch Labs’ data due to recent ransomware attacks.

In November, the Federal Trade Commission also warned organizations that it may investigate certain ransomware incidents.

“[I]n some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency,” wrote Ben Rossen, an attorney at the FTC. “Thus, a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.”

The Department of Health and Human Services issued a similar statement over the summer, warning that in most cases a ransomware infection would qualify as a reportable “breach”:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. …

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

As the FBI noted, new ransomware variants are emerging regularly and global ransomware infections continue to grow. Organizations need to ensure they have a plan in place to deal with this threat.

SurfWatch Labs’ Recommend Courses of Action

A large percentage of ransomware is spread via social engineering techniques; therefore, SurfWatch Labs advises customers that user education around tactics such as spear phishing is the best method to prevent these kinds of attacks. In addition, having data that is backed up and can be restored is often the quickest and cheapest way to get operations back up and running. Organizations should make regular backups that are not stored on local machines or connected through network shares.

Other ransomware prevention tips include:

Antimalware software configured to scan all email attachments will help catch most malicious attachments. All settings that allow the documents to download and open directly should also be disabled.
General users should be restricted from administrator-level permissions on their local machines, unless specifically required. Limiting this privilege could lessen the impact of ransomware.
The ‘vssadmin’ utility should be removed unless it is justifiably required to be on the system. This will not stop the encryption from occurring, but could assist with recovering key files from a machine that has been affected if the system’s shadow copy files are left intact.
It’s recommended that Remote Desktop Protocol (RDP) be disabled as this can exploited by certain ransomware types.
Since HDDCryptor creates a suspicious set of files, using Host Intrusion Prevention (HIPS) software can help detect this activity.
All Macros in MS Office programs should be disabled to ensure no accidental activation of an infected document. Users should be made aware not to activate macros on documents that are unverified.
When possible, segmenting networks by role and criticality may prevent the spread of the malware itself or limit the extent of the network is impacted when a device is compromised.
Keep operating systems, software, and antivirus protections patched and up to date.

Weekly Cyber Risk Roundup: Adult Friend Finder’s Massive Breach and Securing IoT Devices

Distributed denial-of-service (DDoS) attacks were once again among the most discussed cybercrime events of the week as discussion around the Marai botnet continued and a handful of Russian banks were targeted with attacks powered by compromised Internet-of-Things (IoT) devices. The week also saw one of the largest data breaches ever as the Adult Friend Network was hacked and the details of 412 million accounts were compromised.

The information compromised in the Adult Friend Finder hack dates back 20 years, according to LeakedSource, and includes email addresses, passwords stored in either plain visible format or SHA1, dates of last visits, browser information, IP addresses and site membership status. Accounts for a variety of sites were infected: 339 million Adult Friend Finder accounts, 62 millions Cams.com accounts, 7 million Penthouse.com accounts, 1.4 million Stripshow.com accounts and 1.1 million iCams.com accounts.

This is the second time Adult Friend Network has been hacked in 18 months. In May 2015 almost four million users had their personal details leaked by hackers.

It’s not clear who was ultimately behind the recent hack. A researcher going by the name revolver posted screenshots of a Local File Inclusion vulnerability being exploited on Adult Friend Finder in October and threatened to “leak everything,” but he said he was not behind the breach. Friend Finder Networks vice president and senior counsel, Diana Ballou did say that the company identified and fixed “a vulnerability that was related to the ability to access source code through an injection vulnerability.” The breach is the second largest of the year in terms of the number of customer accounts compromised — behind only Yahoo, which affected more half a billion accounts.

Other trending cybercrime events from the week include:

More large data breaches: Casino Rama Resort in Ontario recently announced the theft of a variety of data including IT information, financial reports, security incident reports, Casino Rama Resort email, patron credit inquiries, collection and debt information, vendor information, and contracts and employee information such as performance reviews, payroll data, terminations, social insurance numbers and dates of birth. A man hacked into the website of the Indian state of Kerala’s government’s civil supplies department, stole information on all of 8,022,360 of Kerala’s Public Distribution System beneficiaries and their family members, and then uploaded that information to Facebook. Recruitment firm Michael Page may have had as much as 30GB of data exposed when it was published to a publicly exposed website, according to researcher Troy Hunt. Hunt said multinational consulting and outsourcing firm Capgemini was behind the exposed data.

Retail woes both criminal and accidental: A&M has announced a payment card breach affecting customers who shopped at Annie Sez, Afaze, Mandee, Sirens and Urban Planet locations between November 2015 and August 2016. Australian discount department store Big W is apologizing to customers after a technical issue led to a small number of customers having the first stage of the online checkout process pre-populated with the personal information of another customer.

More ransomware attacks and payments: The office of Robert J. Magnon at Seguin Dermatology is informing patients of a September ransomware attack that likely accessed protected health information. The Lansing Board of Water & Light acknowledged it paid a $25,000 ransom after an employee opened an infected attachment and the resulting ransomware infection shut down the board’s accounting systems, email systems and phone lines.

Hacktivist attacks and sentences: A hacking group known as “Amn3s1a Team” claims to have stolen internal documents, source code and other information from the file-sharing site Mega.nz. ZDNet examined an 800-megabyte archive of source code — which appears to be related to its instant messenger service Megachat, the site’s Chrome browser extension, and a private RSA key. A 22-year-old Tennessee man and member of the NullCrew hacking collective has been sentenced to 45 months in prison for his role in hacking Bell Canada. Canadian prosecutors said the hackers exfiltrated million of files from Bell Canada, and the man posted about 12,700 customer logins and passwords and Tweeted a link to the data. A hacker going by the Twitter handle @CyberZeist announced that he had hacked the Windham County Sheriff’s Office, posted the stolen database on Pastebin, and was even offering to give away backdoor access.

Cybercrime goes virtual: A group of hackers wrote software that tricked Electronic Arts’ servers into thinking that thousands of FIFA soccer matches had been completed in order to “mine” FIFA coins, and that virtual currency was then sold via black market sites for millions of dollars in profits, according to a recently unsealed FBI indictment.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

For the second week in a row, most sectors saw a decline in their overall SurfWatch Labs’ cyber risk scores. The financials sector saw the biggest drop and is now at its lowest score of all of 2016 after steadily declining throughout October.

Much of the discussion around cyber risk over the past month has been focused on issues related to DDoS attacks and Internet-connected devices. The most discussed new cybercrime event of the past week, by far, was the DDoS attacks against at least five of Russia’s largest banks. Reports indicate that the attacks were carried out over a two-day period and generally lasted for one hour each, although one attack lasted for almost 12 hours. The attacks were powered by around 24,000 compromised IoT devices across 30 countries, and Sberbank said the attacks were among the most powerful the bank had seen.

The concern around IoT devices has also led the Department of Homeland Security to release its Strategic Principles for Securing the Internet of Things (IoT), which is designed as “a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services, and systems.” The document contains six principles that would “dramatically improve the the security posture of IoT,” and those principles are meant to be adapted and applied as needed.

In addition, the document outlines four key areas of effort going forward:

Coordinate across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risks posed by IoT.
Build awareness of risks associated with IoT across stakeholders.
Identify and advance incentives for incorporating IoT security.
Contribute to international standards development processes for IoT.

“We recognize the efforts underway by our colleagues at other federal agencies, and the work of private sector entities to advance architectures and institute practices to address the security of the IoT,” DHS wrote “This document is a first step to strengthen those efforts by articulating overarching security principles. But next steps will surely be required.”

Recent Campaigns Highlight Evolving Social Engineering Tactics

Over the past month, researchers have observed several new phishing campaigns that demonstrate a more sophisticated and targeted approach to social engineering by threat actors.

For example, on Monday Trustwave wrote about the Carbanak gang targeting the hospitality and restaurant sectors. The actors began the attack by using public tools such as LinkedIn to find the names of company department heads or other key employees. Then they called the organization’s customer service line and claim that they were having difficulties with the online registration system and ask to send the information via email. They would spend a significant amount of time on the phone with the employee — often dropping those researched names in order to build trust — until the employee eventually opened the malicious Word document attached in the email.

Finally, the organization would be infected with malware capable of stealing system information, taking desktop screenshots, and downloading additional tools such as point-of-sale malware.

Targeted Social Engineering Becomes Less Direct

Other threat actors are shifting towards similarly indirect paths of compromise — beginning their attacks with a message, or several messages, designed to build trust before attempting to cause harm. This is the case with recent business email compromise (BEC) scams, which the FBI has repeatedly warned is a growing problem for organizations.

“In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions,” SurfWatch Labs noted in a blog post about the FBI’s July alert. “The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.”

However, Symantec recently warned that BEC scams had shifted to a less urgent approach. Instead, most BEC scams now begin with a simple introductory message before requesting a fraudulent wire transfer, as this email exchange demonstrates:

An actor using an informal introduction before going on to a more traditional wire transfer request, as shown by Symantec.

In June, shortly before the FBI’s last BEC warning, just 20 percent of BEC emails began by inquiring about the recipient’s availability — with the rest directly requesting a wire transfer, according to Symantec. By October, 60 percent of the emails began with the more indirect approach of inquiring about the recipient’s availability.

A Look at SurfWatch Labs’ Threat Intelligence Data

Warnings of targeted attacks like the ones described above have led to spear phishing being the most common practice tag related to social engineering over the past 90 days, according to SurfWatch Labs’ data.

A wide variety of industry groups have been tied to spear phishing threats over the period. However, the most talked about cybercrime stories of the past month may have been the hacking and publication of emails from the Democratic National Committee and Hillary Clinton’s campaign chairman John Podesta, as well as what role those breaches had in shaping the recent US presidential election.

In those cases, the leaks have been tied to spear phishing emails from Russian hacking group Fancy Bear, one of the most prominent hacking groups related to spear phishing over the past 90 days, behind only Peter Romar, a 37-year-old Syrian national who recently pled guilty to his role in the Syrian Electronic Army.

Those Fancy Bear attacks used a particular tactic: the use of shortened URLs. As Esquire’s Thoma Rid wrote explained, those shortened URLs both tricked users into clicking malicious links at an alarming rate and, ultimately, helped researchers uncover the actors behind those targeted attacks:

To manage so many short URLs, Fancy Bear had created an automated system that used a popular link-shortening service called Bitly. The spear-phishing emails worked well—one in seven victims revealed their passwords—but the hackers forgot to set two of their Bitly accounts to “private.” … Between October 2015 and May 2016, the hacking group used nine thousand links to attack about four thousand Gmail accounts, including targets in Ukraine, the Baltics, the United States, China, and Iran. … Among the group’s recent breaches were the German parliament, the Italian military, the Saudi foreign ministry, the email accounts of Philip Breedlove, Colin Powell, and John Podesta—Hillary Clinton’s campaign chairman—and, of course, the DNC.

These breaches highlight some of the ways in which social engineering has continued to affect organizations across all sectors and how new techniques are incorporated in order to make it harder for individuals to detect suspicious activity.

That’s why training and awareness is often touted as the most important and cost effective step in combating social engineering, as we noted in a prior social engineering blog. Having the proper tools and training, along with up-to-date threat intelligence to inform them of the latest threats, can help organizations and their employees provide a better front line of defense against the evolving techniques used by threat actors.

Weekly Cyber Risk Roundup: Services Get Disrupted and Hacking Elections

Distributed denial-of-service (DDoS) attacks and other incidents leading to service interruption have been widely discussed in the cybersecurity community ever since the October attack against DNS provider Dyn. This past week saw Marai-driven attacks that reportedly knocked out Internet access for the entire county of Liberia; however, security researchers such as Brian Krebs noted that those news articles may have exaggerated the facts as there is little evidence “anything close to a country-wide outage” occurred as a result of the attack.

“While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to [substantiate] that,” Daniel Brewer, general manager for the Cable Consortium of Liberia, told Krebs.

Nevertheless, concerns around DDoS attacks remain high, and some have speculated that the attacks against Liberia and others may be test runs for a larger attack in the future.

In other service interruption news, two apartment buildings located in Lappeenranta, Finland, and managed by facilities services company Valtia had the systems that controlled central heating and warm water circulation disabled by a DDoS attack. The systems tried rebooting the main control circuit in response to the attack, the CEO of Valtia said, and this was repeated in an endless loop resulting in the heat not working for the properties. Also, a unspecified malware infection caused three UK hospitals to cancel operations, outpatient appointments and diagnostic procedures for three days while staff access to patient records was restored. According to The Sun, approximately 3,300 patients at hospitals in Grimsby, Scunthorpe and Goole were affected. The attacks led to a high-severity alert being issued to National Health Service providers reminding “all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”

Other trending cybercrime events from the week include:

Fraud and financial loss continue: Tesco Bank said the widespread criminal activity that led to the halting of online transactions has been narrowed down to £2.5 million in losses across 9,000 accounts – a drop from the 20,000 accounts previously reported. Sentinel Hotel is notifying customers of a breach after reports of unauthorized charges on guests payment cards led to the discovery of malware on a point-of-sale terminal. City of El Paso officials revealed the city was scammed out of more than $3 million via a phishing attack. The city has recovered about half of the money. A ransomware infection recently locked up several government systems in Madison County, Indiana, and county commissioners voted to pay the extortion demands in order to regain control of those systems.

Poor security leads to potential breaches: Researchers discovered that 128 car dealership systems were being backed up to a central location without any encryption or security, potentially exposing the personal information of both customers and employees. Cisco is warning job applicants that information on the Cisco Professional Careers mobile website may have been exposed as a result of an incorrect security setting following system maintenance. Newfoundland and Labrador’s privacy commissioner is ordering Eastern Health to examine controls around employees logging out of accounts after an incident in which a doctor failed to log out of Meditech patient information software and patient information was accessed and printed by an unknown person.

More breaches and data dumps: Two hackers claim to have used SQL injection to steal personal information from seven Indian High Commission websites and published the stolen databases in a Pastebin post. Anonymous Italia has defaced several police websites and leaked 70 megabytes of data presumably stolen from the databases of the Sindacato Autonomo Polizia Penitenziaria’s blog and its official monthly magazine. Integrity Transitional Hospital, based in Texas, recently reported a health data hacking incident that potentially affects the information of more than 29,000 patients.

Cybercrime leads to arrests: A man has been arrested for compromising more than a thousand university email accounts and then using that access to further compromise other social media and online accounts. The man allegedly accessed one university’s password reset utility approximately 18,640 different times between October 2015 and September 2016 and successfully changed the passwords for 1,035 unique accounts. An employee of Lex Autolease Limited pleaded guilty to selling the personal information of hundreds of customers to a third party. A 19-year old hacker plead guilty to creating and running the Titanium Stresser booter service, which has been used in more than 1.7 million DDoS attacks worldwide.

Cyber Risk Trends From the Past Week

Most industry sectors saw a slight decline in their SurfWatch Labs’ cyber risk scores this week. The biggest story of late, naturally, was the U.S. presidential election, and now that it is over, pundits from both sides are reflecting on how their candidates managed to win or lose the race. That examination includes the role that cybersecurity, hacking and data leaks may have played in the outcome.

In fact, back in August we posed that very question: would 2016 be the first presidential campaign ultimately swung by information obtained in a data breach? The answer remains uncertain. What is certain is that cyber-issues were put front-and-center in a way we have never seen in any other presidential election.

For example, in the days leading up to the election, WikiLeaks published 8,000 more leaked emails from the Democratic National Committee, dubbed #DNCLeak2. That dump came after a previous release of 20,000 emails from the DNC as well as 50,000 emails from Hillary Clinton aide John Podesta. The effect of those stolen emails being steadily leaked — and other cyber-issues such as Clinton’s personal email server — may be impossible to quantify, but they likely contributed in some way to nearly 60 percent of voters who perceived Clinton as a dishonest and untrustworthy candidate.

WikiLeaks founder Julian Assange wrote an election day post defending his actions and stating that publishing the stolen emails was not an attempt to influence the outcome of the election.

“We publish material given to us if it is of political, diplomatic, historical or ethical importance and which has not been published elsewhere,” Assange wrote. “At the same time, we cannot publish what we do not have. To date, we have not received information on Donald Trump’s campaign, or Jill Stein’s campaign, or Gary Johnson’s campaign or any of the other candidates that fulfills our stated editorial criteria.”

Clearly, Assange is saying if WikiLeaks did have information on other political candidates then that information would be made public as well — as it has in the past with the release hundreds of thousands of emails related to the government of Turkey. WikiLeaks claims to be non-partisan, but other threat actors do have a biased agenda and those actors are likely to be emboldened by the success of this year’s election-related hacks.

As Wired wrote: “For Russia, [Trump’s win] will also be taken as a win for the chaos-injecting tactics of political hacks and leaks that the country’s operatives used to meddle in America’s election — and an incentive to try them elsewhere. … That Russia perceives those operations as successful, experts say, will only encourage similar hacks aimed at shifting elections and sowing distrust of political processes in Western democracies, particularly those in Europe.”

Those efforts are already underway, researchers have noted, with at least a dozen European organizations being targeted by groups linked to the Russian state since that hacks against the DNC. Whether this election was ultimately swayed by breaches and other cyber-issues may be up for debate, but what is clear is that political and advocacy organizations are actively being targeted and that threat actors will likely try to influence future elections across the globe to align with their goals.

Yahoo and Others Face Cybercrime-Related Brand Damage

A month after announcing one of the largest data breaches ever, Yahoo is continuing to deal with the subsequent fallout and reputation damage related to that massive cyber theft.

On September 22, Yahoo confirmed that information associated with at least 500 million user accounts was stolen. The day after that breach announcement, Yahoo saw a 474 percent rise in online mentions, according to social media monitoring company BrandWatch — 70 percent of which were negative. Since then there’s been an ongoing swirl of negativity surrounding Yahoo’s breach — from lawsuits to concerned regulators to potential lost users — and that has led to reports that Verizon may either push for as much as a $1 billion reduction in its pending $4.8 billion agreement to buy Yahoo or back out of the deal altogether.

The negativity around the Yahoo brand due to its breach poses a difficult-to-answer question: just how much damage does a cyber-attack actually have on the bottom line of a company?

Difficulty of Tracking Brand Damage

Tracking brand damage directly tied to a cyber incident is a difficult prospect; however, there does appear to be at least one correlation. A survey conducted by SANS for a December 2015 paper, Cleaning Up After a Breach Post-Breach Impact: A Cost Compendium, found that “the breaches receiving the most media attention also suffered the greatest loss in brand/reputation.”

Which comes first in that chicken-or-egg scenario is up for debate, but SurfWatch Labs’ data suggests that, for the most part, it’s the scope and potential damage of breaches that drive the media coverage, not the other way around.

The Yahoo breach is one of the most talked about cybercrime events of the year.

A quick glance at the list of the year’s top trending cybercrime events, based on the number of CyberFacts collected by SurfWatch Labs, shows that the most-discussed targets generally line up with the most widespread and impactful breaches: the Philippines Commission on Elections, LinkedIn, the Democratic National Committee, Yahoo and, more recently, targets of major DDoS attacks.

Other High-Profile Incidents Damage Brands

Like Yahoo, Wells Fargo is dealing with similar ongoing brand issues after reports of employees fraudulently opening more than two million customer accounts dominated several news cycles last month. A survey of 1,500 bank customers by management consultancy firm cg42 found that negative perceptions of Wells Fargo had spiked from 15 percent before the scandal to 52 percent afterwards. Likewise, the number of prospects that were very or extremely likely to consider doing business with Wells Fargo has plummeted from 21 percent to just three percent.

“The short and medium term outlook for Wells Fargo is gloomy, and the fallout from the scandal will impact the bank’s bottom line for years to come,” the report stated.

Wells Fargo is attempting to stem the tide with a new advertising campaign that promises, among other things, to begin proactively notifying customers of new accounts that are opened in their names. That campaign follows the firing of thousands of employees and the resignation of CEO John Stumpf.

Similar resignations have followed other high-profile breaches this year, most notably the breach at the Democratic National Committee, which lead to the resignations of chairwoman Debbie Wasserman Schultz, chief executive Amy Dacey, chief financial officer Brad Marshall and communications director Luis Miranda.

The brand damage from a cyber-attack can also move down to the supply chain, as we noted last week with XiongMai Technologies, a Chinese electronic company that makes products used in many of the Internet-connected DVRs and cameras tied to the massive DDoS attacks against Krebs On Security, OVH and Dyn. XiongMai said on Monday that it would issue a recall of some of its U.S. products. That recall notice also threatened legal action against individuals and organizations who “defame” the company with “false statements,” but the threat of legal action has been described by some as simply a face-saving PR effort by a company that’s used to operating behind the scenes and selling its white-labeled products to other brands.

Extent of Yahoo Fallout Uncertain

If the Yahoo breach will have a direct impact on its acquisition by Verizon is yet to be seen. Verizon’s general counsel Craig Silliman told Reuters and other reporters two weeks ago that the incident could trigger a clause in the deal that says Verizon can withdraw if a new event “reasonably can be expected to have a material adverse effect on the business, assets, properties, results of operation or financial condition of the business.”

“I think we have a reasonable basis to believe right now that the impact is material and we’re looking to Yahoo to demonstrate to us the full impact,” Silliman said, adding that Verizon needed to obtain “significant information” before making a final decision.

Like cg42 noted about Wells Fargo, the effects of a major cyber incident can take years to fully play out, and even then, it can be difficult to attribute some of the years-long business trends directly back to one cybercrime event.

One takeaway worth noting is that many of the major cybercrime stories that remain in the spotlight each year contain a similar thread: the lack of proactively addressing cyber risk. That seemingly cavalier attitude around cybersecurity is frequently cited by both data breach litigation and government and private regulators — and it will often prolong the a negative story with hearings, lawsuits and a string of news stories that continue to cause brand damage long after the initial incident occurred.

Weekly Cyber Risk Roundup: Latest Breaches and Enhanced Security Standards

The massive distributed denial-of-service (DDoS) attack that disrupted websites and services on October 21 was the focal point of a large portion of cybercrime discussion last week. As we noted in a previous post, the attack against DNS provider Dyn has led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

According to some reports, the DDoS attack may have surpassed one terabyte per second of traffic; however, the latest analysis from Dyn indicates that the botnet behind the attack may have been much smaller than the initial reports of “millions.”

“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be,” wrote Scott Hilton, EVP of products at Dyn. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Other trending DDoS news includes the Syrian Cyber Army claiming responsibility for attacks against Belgian news organizations. The DDoS attacks made several news websites inaccessible or extremely slow, including De Standaard, Het Nieuwsblad, Gazet van Antwerpen, Het Belang van Limburg and RTFB. In another case of ideological hacktivism, Martin Gottesfeld, 32, was indicted for his role in DDoS attacks against Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network. Gottesfeld admitted to his involvement in #OpJustina in a written editorial, saying that the attack against BCH was designed to interfere with a fundraiser in order to cause maximum financial damage. Finally, The Guardian is reporting that financial institutions in London are stockpiling bitcoins in the event extortionists target them with powerful DDoS attacks.

Other trending cybercrime events from the week include:

Payment card breaches announced: Danish payment processor Nets is warning of a payment card breach that appears to be tied to a foreign-based Internet retailer and is advising banks to block up to 100,000 cards in order to prevent fraudulent transactions. A data breach at Hitachi Payment Services, which manages ATM network processing for Yes Bank, is suspected to be the cause of recent fraud that has led to banks in India either replacing or asking customers to change security codes on 3.25 million debit cards. A pro-Donald Trump super PAC known as Great America PAC has mistakenly published the credit card numbers and expiration dates of 49 donors. Last month the same super PAC exposed 336 donors’ email addresses and phone numbers.

Data breaches continue, both large and small: A Red Cross Blood Service database of 1.28 million donor records going back to 2010 was accidentally published to a webserver by a third-party contractor. A hacker known as Peace told Motherboard he hacked Adult FriendFinder and obtained a database of 73 million users, and another hacker known as Revolver or 1×0123 posted screenshots appearing to show he had access to the website’s infrastructure. A Ukrainian hacker group known as CyberJunta has released more than a gigabyte of emails stolen from the office of Russian politician Vladislav Surkov. Baystate Health is notifying about 13,000 patients that their personal information may have been compromised due to a phishing attack that was designed to look like an internal memo. Virgin Media potentially exposed the personal information of up to 50,000 people applying for jobs. Rocky Mountain Credit Union in Montana notified 135 of its members that their personal information may have been accidentally exposed due to an undisclosed security issue discovered on the website customers use to upload documents related to mortgage applications. The University of Santa Clara’s Office of Marketing and Communications had internal documents stolen and leaked to the student newspaper due to an employee leaving his or her username and password in plain site at a workstation.

Update on cybercrime charges and arrests: The Booz Allen Hamilton contractor who was arrested for the possession of classified NSA materials allegedly had documents dating back to 1996 that were marked either “secret” or “top secret,” according to recent court filings. In total, investigators have seized more than 50 terabytes of information and thousands of pages of documents. Celebgate hacker Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced to 18 months in prison for using phishing emails designed to steal Apple and Google credentials and then using those stolen credentials to hack into more than 100 accounts. Authorities said there is no evidence that Collins was responsible for the leak of nude celebrity photographs tied to the hack. Yevgeniy Nikulin, the Russian man who was arrested in connection with the 2012 LinkedIn breach, has also been indicted for his alleged role in the breaches at Dropbox and Formspring, according to documents unsealed on Friday.

Note: Dyn, by far the top trending new target, is not shown in the chart below in order to make the other targets more readable.

Cyber Risk Trends From the Past Week

The Financials sector’s cyber risk score peaked in early October, reaching its highest level since February 2016. Since then, it has steadily declined for most of the month — until the past week. This week’s rise in cyber risk score (+2.2%) was the biggest increase of any sector over the period.

Part of that may be tied to the recent payment card breaches highlighted above, which began at online retailers and other providers before moving to directly impact banks. For example, the chief executive of National Payments Corp of India said that the spike in reported fraud that led to advising banks to replace cards was tied to a possible compromise of one of the payment switch provider’s systems. Sources told Reuters that the issue stemmed from a breach in systems of Hitachi Payment Services, which is currently investigating the matter.

That interconnectivity of the Financials sector has led to concerns from government agencies, and the the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation recently issued a joint proposal on enhanced cyber risk management standards to address those concerns.

“Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the proposal stated. “The enhanced standards would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management.”

The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

According to the proposal, “The agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or ‘sector-critical standards,’ applying to those systems of covered entities that are critical to the financial sector.”

The enhanced standards would apply to certain entities with total consolidated assets of $50 billion or more on an enterprise-wide basis, they added. Comments on the proposal are open until January 17, 2017.

DDoS Attacks Dominate News, Spark Calls for Regulation

Last week’s massive distributed denial-of-service (DDOS) attacks, which made popular websites and services inaccessible to users across the East Coast and elsewhere, has since led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

In fact, the attack against DNS provider Dyn, which happened just six days ago, has already become the most talked about target tied to “service interruption” in all of 2016, according to SurfWatch Labs’ data.

Friday’s DDoS attack against Dyn is concerning for several reasons. First, reports have claimed the attack reached 1.2 terabytes per second. If true, that would make it the largest DDoS attack ever. Second, Dyn confirmed yesterday that the Mirai botnet was a primary source of malicious attack traffic. The source code for that botnet was made public earlier this month, and last week Level 3 Threat Research Labs said that the number of Marai bots it had observed had more than doubled since the code was released. Finally, some researchers have claimed the attack was carried out by amateur hackers, not sophisticated state-sponsored or financially-motivated actors.

That combination suggests that more attacks like the one against Dyn will occur in the future, adding to a trend that SurfWatch Labs has observed throughout the year of increased evaluated intelligence around the service interruption tag.

The number of CyberFacts collected by SurfWatch Labs related to “service interruption” has steadily increased throughout the year, peaking with last week’s attack against Dyn.

The Marai-driven attacks have also put one company as the face of the Internet-of-Things problem, unfairly or not: XiongMai Technologies.

XiongMai Technologies is a Chinese electronic company that makes products used in a variety of brands, including DVRs and cameras tied to the recent DDoS attacks. XiongMai said on Monday that it would issue a recall of some of its U.S. products, although it’s unclear how successful that recall will be.

Like Yahoo, Wells Fargo and other companies tied to major cyber incidents this year, XiongMai Technologies and manufacturers of Internet-connected devices have now moved onto the radar of politicians and regulators. On Wednesday, Virginia Sen. Mark Warner sent letters to the Federal Communications Commission, Federal Trade Commission and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center about his “growing concern” over the “unprecedented” volume of DDoS attacks driven by the Marai botnet exploiting connected devices.

“[O]ver 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software,” Warner wrote. “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

The letter continued: “DDoS attacks can be powerful tools for censorship, criminal extortion, or nation-state aggression. Tools such as Mirai source code, amplified by an embedded base of insecure devices worldwide, accomplish more than isolated nuisance; these are capabilities – weapons even – that can debilitate entire ranges of economic activity.”

Warner provided a list of questions on how to potentially deal with the issue of insecure Internet-connected devices, including ways to make consumers more aware of the risk, trying to work with ISPs to designate insecure devices and deny them connections to their networks, and establishing and enforcing minimal technical security standards.

“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” Warner said.

Being thrust into the spotlight is an unusual situation for XiongMai, a company whose brand tends to remain behind the curtain of its “white label” products, which are sold and then incorporated into other brands’ offerings. Accurately gauging the potential fallout to companies such as XiongMai is difficult, but it’s safe to say that no company wants to be referenced, even indirectly, as the poster child for “cheap, insecure” devices. However, the recent DDoS attacks powered by the Marai botnet — against Krebs on Security, OVH and now Dyn — are quickly on their way to becoming the most discussed cybersecurity stories of 2016, and XiongMai and other manufacturers of connected devices are along for that ride.

Weekly Cyber Risk Roundup: Massive Data Dumps and More Insider Breaches

After a short period without seeing any new mega breach announcements, the past two weeks has seen several massive data dumps totaling more than 130 million records. In last week’s roundup, we mentioned a hacker going by the Twitter handle “0x2Taylor” who released 58 million records claiming to be stolen from an unsecured database. That leak has been attributed to Modern Business Solutions, but the company did not responded to numerous news outlets or sites that reached out to them about the breach.

It was also recently announced that gaming company Evony was hacked in June 2016 and more than 33 million user records were stolen. The compromised records contained usernames, email addresses, passwords, IP addresses and other internal data. LeakedSource said the passwords were stored using unsalted MD5 hashing and that they had already cracked “most” of the passwords.

On Thursday, a massive data breach was announced affecting Weebly, a popular web-hosting service featuring a drag-and-drop website builder. That breach included more than 43 million user records containing usernames, email addresses, passwords and IP addresses. The good news, LeakedSource wrote, was that the company actually responded to its notification attempts and “did not have [its] head buried deeply in the sand” like other companies it has attempted to notify of late. Also, the compromised passwords were stored using uniquely salted Bcrypt hashing. That’s good because as a hosting provider the breach not only affected tens of millions of users, but also tens of millions of websites.

As our Mid-Year 2016 Cybercrime Trends report noted, the credentials stolen/leaked tag appeared in 12.7% of the negative CyberFacts collected by SurfWatch Labs in the first half of 2016, a rise from 8.3% in 2015. A quick look at the updated data shows that since that report, that number has risen once again to 13.3% — driven, in part, by the more than 130 million records compromised in these three data breaches.

Other trending cybercrime events from the week include:

WikiLeaks, government leaks, dominate news: On Monday WikiLeaks tweeted that the Internet link for founder Julian Assange was intentionally severed by Ecuador. Ecuador later confirmed it was behind the interference due to WikiLeaks’ decision to publish documents affecting the U.S. election and Ecuador’s desire to not meddle in the election processes. That hasn’t stopped the ongoing leak of emails from Hillary Clinton’s campaign manager John Podesta, which was brought up several times during Wednesday’s presidential debate. Executive director of the North Carolina GOP Dallas Woodhouse is the latest official to have his email hacked. In this case it was used to send phishing emails to all of his contacts with a link to a fake Dropbox file titled “GOP-financial_Document.pdf.”

Financial information continues to be targeted: Axis Bank in India is investigating a cyber intrusion after being notified by Kaspersky Lab of a potential breach. Approximately 1,000 members of One Nevada Credit Union had their payment card information stolen via ATM skimming devices, and at least one member had $5,000 stolen due to the incident. Noble House Hotels & Resorts announced a point-of-sale breach affecting payment cards used at its Teton Mountain Lodge & Spa and Hotel Terra properties. According to the company’s press release, only customers who used their cards between September 5 and September 6 of this year were impacted.

Researcher’s computer infected, data stolen: A researcher at the University of Toyama’s Hydrogen Isotope Research Center had research data and personal information stolen from a personal computer after clicking on an attachment claiming to be questions from a student. Japanese news sources said that “huge volumes” of data were transmitted while the computer was infected. The data affected mostly included research that was either already published or slated to be published, as well as the email addresses of 1,500 people. The individual whose device was compromised was researching tritium, a radioactive isotope of hydrogen that may one day be used for fuel in nuclear fusion reactors.

More data breaches announced: CalOptima announced that 56,000 of its members may have had their personal information compromised when an employee downloaded their information onto a personal, unencrypted USB drive. Australian event management company Pont3 announced its third-party external electronic mailing account was accessed without authorization resulting in some participant, volunteer and associated information being stolen. redBus, an inter-city bus ticketing service founded in India, is investigating a possible data breach after being alerted of a potential intrusion; however, the company said it has not been able to conclusively establish a data breach.

Russian man tied to LinkedIn breach: A Russian man that was arrested by Czech police is connected to the 2012 data breach at LinkedIn, the company said on Wednesday, although officials have not publicly confirmed the connection. Russian news agency TASS indicated that Russia would fight any attempts to extradite the man to the U.S.

Cyber Risk Trends From the Past Week

After several weeks of steady or dropping cyber risk scores, this week saw a consistent rise in risk across most sectors. Nine out of twelve sectors saw an uptick in cyber risk score when compared to the previous week, with Utilities (+10.9%) and Healthcare (+9.7%) seeing the biggest change. Government and Other Organizations experienced a rise of more than 6%, in part due to the many cyber-attacks and leaks tied to the U.S. presidential election.

Another reason for that rise is a steady trickle of small-scale data breaches tied to groups such as education and healthcare facilities. In a recent blog, we highlighted the difficult and growing problem of malicious insiders, but as that blog noted, the majority of insider incidents are unintentional errors committed by employees, vendors and third parties.

We saw several such news stories this past week:

Katy Independent School District in Texas experienced a data breach affecting 78,000 students after a third-party that works with the district’s student data management system accidentally copied student information and uploaded it to a security software application used by 29 other school districts.

Nearly 700 users of Vermont’s online health insurance marketplace had their information inadvertently exposed due to a subcontractor mishandling their data and making it publicly accessible. WEX Health was hired by Vermont to perform payment processing for the insurance exchange, and Samanage, a subcontractor for WEX Health, made a data file publicly accessible for nearly two months.

St. Joseph Health agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights over accidentally making electronic protected health information publicly accessible on the Internet from February 2011 until February 2012.

This week’s stories highlight the variety of ways a data breach can occur from ill-trained employees and contractors along with other poor risk management strategies.

In the case of Katy Independent School District, an employee for SunGard K-12 mistakenly copied a file containing Katy ISD data into a standard installation pack for an information security software application. In the case of St. Joseph Health, a server that was purchased to store files included a file sharing application whose default settings allowed anyone with an Internet connection to access them. St. Joseph Health did not examine it or modify it after implementation, HHS wrote in a press release, leading to the ePHI of 31,800 individuals being compromised. That mistake cost St. Joseph a payment of $2,140,500 and the adoption of a comprehensive corrective action plan in order to settle potential HIPAA violations.

Those incidents, along with our previous blog on malicious insiders, serves as an important reminder that many data breaches do not come from outside the organization; rather, they come from within.

Malicious Insiders Remain a Difficult and Growing Problem

Earlier this month, the Department of Justice unsealed a criminal complaint against a contractor for the National Security Agency, alleging the theft of highly classified information. Like Edward Snowden in 2013, Harold Thomas Martin III, 51, of Glen Burnie, Maryland, worked for Booz Allen Hamilton and is accused of exploiting his insider access in order to remove classified files.

According to the complaint, search warrants executed in August discovered stolen documents, digital files and government property in Martin’s residence and vehicle. Six of the classified documents contained sensitive intelligence dating back to 2014.

“These documents were produced through sensitive government sources, methods and capabilities, which are critical to a wide variety of national security issues,” the DOJ wrote. “[The] documents are currently and properly classified as Top Secret, meaning that unauthorized disclosure reasonably could be expected to cause exceptionally grave damage to the national security of the U.S.”

A second case of insider theft at the NSA in three years has once again raised the issue of malicious insiders and the challenges of preventing employees, vendors and other third-parties from causing a major data breach.

Growing Concern Around Insider Activity

Defense is just one of many groups rightfully concerned about insider threats. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year. In addition, 56 percent of those security professionals said that insider threats have become more frequent over the past 12 months.

Since January 2016, SurfWatch Labs has collected data on more than 180 industry targets associated with the “insider activity” tag. Of those, Healthcare Facilities and Services is the top trending group with 35 total targets, followed by Software with 18 total targets.

Not all data breaches caused by insiders are intentional. In fact, the majority of insider breaches are caused by a combination of employee errors, negligence, lost devices or other unintentional disclosures, according to SurfWatch Labs’ data.

The more malicious “employee data theft” tag is tied to less than one-fifth of all the targets associated with insider activity.

However, there is growing concern around that small percentage of malicious insiders — particularly those who may be using their knowledge and access to sell information anonymously on the dark web.

As Verizon’s Data Breach Investigations Report noted, insider activity is among the most difficult issues to detect. Nearly half of the insider incidents evaluated by Verizon took months to discover, and more than a fifth of the incidents took years.

That concern is amplified by the ease in which insiders can monetize their access to sensitive information due to the growing popularity of dark web markets and anonymous digital currencies such as bitcoin — a concern shared by many in law enforcement. In September, Europol announced the creation of a working group designed to look into the those currencies, which the agency said is “already transforming the criminal underworld.”

“Europol, INTERPOL, and the Basel Institute on Governance are concerned about the seriousness of these threats and note the increasing use of new kinds of currencies,” Europol wrote in a press release. “To trace assets transferred, laundered, exchanged or stored through the use of cryptocurrencies poses new and distinctive challenges to investigators and prosecutors, as does the seizure and confiscation of the proceeds of crime in cryptocurrencies.”

Financial gain remains the primary motivator for insiders, according to Verizon. Thirty-four percent of insider breaches are profit-driven, followed by espionage, which accounts for a quarter of insider breaches.

Monitoring Cybercriminal Channels

It’s unclear exactly how the NSA discovered its recent insider theft, so it’s hard to judge the extent of which the agency’s post-Snowden security reforms may have aided in identifying Martin’s alleged theft — or what lessons, if any, can be extrapolated to help protect other organizations.

In addition to monitoring employees and creating a positive corporate culture to minimize disgruntled employees, as Verizon suggested, organizations can also benefit from monitoring dark web markets and cybercriminal forums for any signs of yet-to-be detected breaches.

For example, SurfWatch Labs recently observed a user of a dark web forum claiming to have insider access at a money transfer company, and in June, Brian Krebs shared a screenshot of an insider at Guitar Center boasting that the fraud he or she was proposing would “have no way of coming back to me.”

“I currently have approvals and passwords that allow me to manually enter CC [credit cards] at the registers of Guitar Center, Bypassing the usual 3 code verify,” the insider wrote. “I also have physical access to the server room and I am looking to exploit this with the help of some seriously skilled people.”

The fact that a disgruntled employee or contractor can go unnoticed, in many cases for years, while monetizing stolen information via anonymous cryptocurrencies is a scary thought for many organizations, particularly since a significant percentage of insider attacks are carried by low-level employees.

“When their roles were classified in the incident, almost one third [of insiders] were found to be end users who have access to sensitive data as a requirement to do their jobs,” Verizon noted. “Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%). The moral of this story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them).”

Monitoring for insider threats, either within an organization or via external sites, may not stop a breach that has already happened, but it can help to shorten the discovery so that it is not going on for years, as is often the case.

Weekly Cyber Risk Roundup: More POS Breaches and the Rise of Destructive Attacks

Massive distributed denial-of-service attacks and data breaches remained front and center in SurfWatch Labs’ cybercrime data this week as old attacks against Brian Krebs, OVH, Yahoo and others continued to be heavily discussed. But looking beyond those headline-grabbing stories, the data also reflects a surge in reports of stolen payment card information.

On Tuesday, University of Central Florida police announced they were able to tie a recent surge in fraud reports to malware on the systems of AD Food Services, which operates Asian Chao, Huey Magoo’s and the Corner Café in the Student Union.

On Wednesday, luggage and handbag company Vera Bradley announced a breach affecting retail stores. Law enforcement notified the company of a potential issue on September 15, and it was discovered that payment cards used at store locations between July 25, 2016, and September 23, 2016, may have been affected.

On Thursday, it was reported that Dutch developer Willem de Groot discovered skimming scripts on more than 6,000 online stores running vulnerable versions of the Magneto ecommerce platform. The active operation is adding 85 stores each day, and de Groot estimates that the number of stolen cards is in the hundreds of thousands.

In addition, American 1 Credit Union in Michigan announced last week that it is temporarily blocking payments to all Wendy’s franchise locations due to ongoing fraud issues. Community members are reporting fraudulent activity on newly issued payment cards used at Wendy’s, suggesting that the malware issue may be ongoing for the fast-food chain. Like other credit unions, American 1 Credit Union reported its total losses related to the Wendy’s data breach are growing beyond the losses incurred from the 2014 Home Depot breach.

Other trending cybercrime events from the week include:

TheDarkOverlord extortion demands continue: Peachtree Orthopedic Clinic in Atlanta is notifying patients of a data breach after discovering unauthorized access into its computer system. After the clinic’s announcement, the actor known as TheDarkOverlord leaked documents allegedly stolen from the clinic and announced they had another 543,879 records containing personal and health information. Athens Orthopedic Clinic, another victim of TheDarkOverlord, confirmed that TheDarkOverlord demanded nearly $400,000 in ransom for the stolen patient data and threatened to call patients and publicly name the company if the clinic didn’t comply with the extortion demands.

Another massive breach reported: A hacker going by the name “0x2Taylor” has released 58 million records claiming to be stolen from Modern Business Systems (MBS), which offers in-house data management and monetization solutions to companies. MBS has not publicly confirmed the data breach, but researchers have confirmed that MBS was running an unsecured MongoDB database as the hacker suggested. The hacker also shared a screenshot indicating he or she has another database containing 258 million rows of data.

Beware of social engineering: An employee that clicked on a link that appeared to be for a Dropbox file led to a hacker targeting a customer of garden furniture company Gaze Burvill and requesting payment of £7,148 to a fraudulent bank account. Australian not-for-profit health fund CBHS said an unnamed third party has been breached and is warning customers to be on the lookout for phishing emails. The Clinton Foundation is warning that donors are being targeted with phishing messages. Indian police are investigating about 700 people over a scam where workers posed as IRS officials and duped U.S. citizens out of tens of millions of dollars. A Connecticut man has been charged with stealing login credentials from users of Dark Web marketplaces using a combination phishing pages and port forwarding and then using those credentials to steal bitcoins.

Effective backups thwart ransomware: Hutchinson Community Foundation was infected with ransomware on September 19, but it was able to fully recover the data from backups without paying a ransom. Nevertheless, the foundation is notifying donors, vendors and other stakeholders that information may have been compromised during the attack.

Hackers continue to target U.S. political figures: The Twitter account of Hillary Clinton’s campaign chief, John Podesta, was hijacked and used to urge followers to vote for Donald Trump. In addition, screenshots circulating online suggest that Podesta’s iCloud account may have been compromised. Users on 4chan claimed that Podesta’s iCloud password, which was published by WikiLeaks, was still working; however, WikiLeaks said that it made sure the credentials were changed.

Cyber Risk Trends From the Past Week

SurfWatch Labs industry risk scores remained fairly stable. Other Organizations (+0.8%) – which includes groups such as education, advocacy and political parties – was the only sector to see a noticeable increase in risk score compared to the previous week.

Nation-state hacking remains one of the most talked about cyber risks, and that discussion grew more intense as the U.S. presidential elections moved into the final month. On Friday, the U.S. formally accused the Russian government of orchestrating the recent attacks against the Democratic National Committee and others in an effort “to interfere with the U.S. election process.” A statement from director of national intelligence James Clapper and the Department of Homeland Security said that they believe only Russia’s senior-most officials could have authorized the hacking efforts. That public accusation was followed by promises of a “proportional” response against Russia; however, White House Press Secretary Josh Earnest added that ““it is unlikely that our response would be announced in advance.”

The U.S. isn’t the only country facing nation-state espionage. A Wednesday report from the Australian Cyber Security Centre said the 2015 hacking of the Australian Bureau of Meteorology’s network was carried out by foreign adversaries. That attack compromised government systems and led to the theft of sensitive documents, and after the attack officials estimated it would cost millions of dollars to plug the related security holes. The report also said that the attacks demonstrate a willingness of actors to use disruptive and destructive measures when targeting organizations.

That destructive nature is demonstrated by the April 2015 attack on France’s TV5Monde. A recent investigation linked the incident to the Russian hacking group APT 28 and revealed that the attack, which knocked 12 channels off the air, was designed to destroy the TV network. The attack turned out to be more sophisticated than initially reported, with the network first being infiltrated in January 2015 in order to conduct reconnaissance on the way TV5Monde broadcast TV signals. Seven points of entry were used, including a Netherlands-based company that supplied the remote-controlled cameras used in the network’s studios. According to the BBC, the attackers then fabricated malware designed to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations.

“It’s the worst thing that can happen to you in television,” Yves Bigot, the director-general of TV5Monde told the BBC. “We were a couple of hours from having the whole station gone for good.”

These attacks, ranging from influencing elections to destroying TV networks, are believed to be carried out by nation-states or other advanced actors who are increasingly using those disruptive and destructive tactics to achieve their goals – and with the U.S. promising retaliatory attacks, we can expect to see more such attacks in the near future.