Weekly Cyber Risk Roundup: More Payment Card Breaches and Dark Web Arrests

Payment card breaches were back in the news again this week as Forever 21 announced that it is investigating a point-of-sale (POS) breach at some of its stores, and several other organizations issued breach announcements related to stolen payment card data.


Forever 21 said that it received a report from a third party about potential unauthorized access to payment cards at some of the company’s stores, and the ongoing investigation is focusing on POS transactions made in stores between March 2017 and October 2017.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company wrote.

In addition, organizations continue to submit breach notification letters to various state attorneys general regarding the previously disclosed breach involving Sabre Hospitality Solutions SynXis Central Reservations system, including The Whitehall Hotel and JRK Hotel Group, both of which were impacted from August 10, 2016, through March 9, 2017. The Register also reported that Jewson Direct is notifying customers that their personal and payment card information may have been compromised due to the discovery of unauthorized code on its website. However, the company said the inclusion of card data in the notification was only “an advisory measure” as the investigation is ongoing.

The recent breaches, as well as other breaches such as Sonic, may have led to an increase in payment card fraud activity in the third quarter of 2017. Fraud activity is also expected to increase as consumers buy gift cards and other items over the holiday shopping season.


Other trending cybercrime events from the week include:

  • Organizations expose data: Researchers discovered a publicly exposed Apache Hive database belonging to ride-hailing company Fasten that contained the personal information of approximately one million users as well as detailed profiles of its drivers. A researcher said the Chinese drone maker DJI has exposed a variety of sensitive information via GitHub for up to four years, in addition to exposing customer information via insecure Amazon S3 buckets. Researchers discovered two insecure Amazon S3 buckets appearing to belong to the Australian Broadcasting Corporation’s commercial division,  including information regarding production services and stock files. The Maine Office of Information Technology said that approximately 2,100 residents who receive foster care benefits had their personal information temporarily posted to a public website after an employee at contractor Knowledge Services uploaded a file containing their data to a free file-comparison website without realizing that the information would become publicly accessible. Dignity Health is notifying employees that some of their personal information was accidentally exposed to other employees.
  • Employee email accounts compromised: ClubSport San Ramon and Oakwood Athletic Club are notifying employees that their W2 and tax statements were sent to a malicious actor following a phishing attack impersonating an executive. ABM Industries Incorporated is notifying employees that their personal information may have been compromised due to a phishing attack that led to multiple email accounts being compromised. Saris Cycling Group is notifying employees that their personal information may have been compromised due to a phishing email that led to an employee email account being compromised.
  • Extortion-related attacks: The website of Cash Converters was hacked, and the actors behind the attack said they would release the data of thousands of UK consumers unless a ransom is paid. Little River Healthcare Central Texas is notifying patients of a ransomware attack that may have accessed their information and led to some data being irretrievably deleted when the clinic tried to restore the files. Far Niente Winery is notifying individuals of a ransomware attack that may have compromised their personal information.
  • Other notable incidents: A group associated with Anonymous hacked the email accounts of an employee of Italy’s Defence Ministry and a member of the Italian police and then published a variety of information allegedly obtained from those accounts. Officials from Catawba County, North Carolina, said that malware shut down a number of county servers and caused temporary interruptions in service, as well as a number of spam emails being sent to county residents. Gallagher NAC is notifying individuals that their personal information may have been compromised due to “a small amount of data” being stolen from a database between June 18 and September 19. CafeMom is notifying customers that email addresses and passwords used to create accounts prior to July 2011 were compromised “at some point in the past.” AppDirect said that a phisher has been impersonating members of the company’s human resources, recruiting, and sales teams on job sites, and several people have applied to those fake listings and received fake job offers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Dark Web markets continued to make headlines this week as a key player in AlphaBay’s operations was charged and cyber-attacks against other still-active dark web marketplaces temporarily disrupted operations.

Federal prosecutors allege that Ronald L. Wheeler III, of Streamwood, Illinois, worked as a spokesperson for the now-shuttered Dark Web marketplace AlphaBay. AlphaBay had grown to become the largest-ever Dark Web marketplace before it, along with the popular Hansa Market, was taken offline by law enforcement this past summer.

Wheeler is accused of working alongside Alexandre Cazes, a 25-year-old Canadian who was alleged to be the owner of AlphaBay known as “Alpha02.” Cazes reportedly committed suicide in his Thai jail cell a week after being arrested in July.

The Associated Press reported that Wheeler has pleaded not guilty to the AlphaBay-related charges, but prosecutors allege that he worked with Cazes using the name “Trappy” to moderate the AlphaBay forum on reddit, mediate sales disputes, and provide other non-technical assistance to users.

As SurfWatch Labs previously reported, the downfall of AlphaBay and Hansa Market elevated Dream Market to the temporary king of the Dark Web. However, Dream Market and other popular markets have been the target of DDoS attacks over the past few weeks, making the sites difficult to access for some users. Those attacks can delay purchases beyond the already congested list of pending Bitcoin transactions, which is slowing down both legitimate and criminal transactions.

Prior to being seized, AlphaBay had grown to accept multiple payment options, including Ethereum and Monero; however, Dream Market still only accepts Bitcoin, and that restriction may help push some users towards other markets that have more, and quicker, payment options as the Dark Web marketplace continues to evolve in AlphaBay’s absence.

Weekly Cyber Risk Roundup: Bad Rabbit’s Parallel Attack, Paradise Papers Fallout

October’s Bad Rabbit ransomware attacks were back in the news this week due to a report that a series of phishing attacks occurred at the same time as the Bad Rabbit outbreak, and the parallel attacks may have been carried out by the same group.


The discovery also suggests that Ukraine may have been a key target of the attacks, despite Russian victims being more heavily targeted by Bad Rabbit.

The phishing attacks targeted users of Russian-designed 1C software with emails that appeared to be from the developer, the head of the Ukrainian state cyber police told Reuters. 1C products, including accounting software, are widely used in Ukraine.

The official said that 15 companies reported they were compromised by the attack, and it is possible that more people or organizations may have been affected due to 1C software’s wide use. The official also said the main theory is that both the Bad Rabbit and 1C phishing attacks were carried out by the same perpetrators with the goal of getting remote and undetected access in order to steal financial and confidential information. 1C’s developers did not respond to Reuters’ requests for comment about the phishing attacks, but a Ukrainian distributor confirmed that its users were targeted and that it warned them to take extra precautions.

Some researchers have suggested that the Bad Rabbit attacks were carried out by the same group behind June’s NotPetya outbreak. The NotPetya attack leveraged a back door that had been inserted into the M.E.Doc accounting software, which Reuters reported is used by 80 percent of Ukrainian companies. The use of popular Ukrainian accounting software during both NotPetya and attacks potentially linked to Bad Rabbit is yet another shared connection between the two events.


Other trending cybercrime events from the week include:

  • Data breach announcements: Verticalscope, which manages popular Web discussion forums, confirmed that it discovered an intrusion that provided access to the individual website files of six websites. Tween Brands is notifying customers that their personal information may have been compromised due to the discovery of unauthorized access to a server. HumanGood is notifying customers that their personal information may have been compromised due to unauthorized access at a third-party benefits coordination vendor. North American Title Company is notifying customers that their personal information may have been compromised due to an employee’s email account being accessed by an unauthorized third party. Wilbraham, Lawler & Buba and the East Central Kansas Area Agency on Aging announced ransomware attacks that could have also compromised personal information.
  • Data exposed: WikiLeaks released the source code for an alleged CIA hacking tool called “Hive,” and the release is just the first in a new series, dubbed “Vault 8,” that is intended to publish the source code from the variety of hacking tools described in the series of “Vault 7” publications earlier this year. A flaw in the website of the Australian Securities and Investments Commission (ASIC) exposes the search records and purchased documents of users such as investigative journalists and finance industry professionals. The website of the Scottish Appropriate Adult Network, which works with mentally impaired individuals that need help with the justice system, was shut down after it was found to be exposing the personal information of about 50 people. Klinger Moving Company is notifying employees that their personal information was briefly exposed due to a file that was stored on a company server being browsable via search engines.
  • Other notable incidents: NIC Asia Bank said that malicious actors initiated $4.4 million worth of fraudulent money transfers via the SWIFT messaging system last month; however, the bank was able to recover all but $580,000 of the funds. The anime streaming service Crunchyroll said that intruders planted a fake homepage that pushed a malicious “CrunchyViewer” program to its viewers for several hours. Approximately 800 school websites hosted by SchoolDesk displayed a pro-ISIS video after the company was hacked and a file was injected that redirected those websites to the video. Valley Family Medicine said that two now-former employees printed a mailing list of 8,450 patient names and addresses and used the list to make postcards informing them of a new practice.
  • Legal actions: A Pennsylvania man has been indicted for illegal trading via more than 50 hacked online brokerage accounts, which caused the firms servicing the accounts to lose more than $2 million. A former Minnesota resident has been charged with purchasing a year’s worth of DDoS attacks against his former employer Washburn Computer Group, as well as the networks of the Minnesota Judicial Branch, Hennepin County, and several banks. The UK’s Information Commissioner’s Office is warning employees to obey strict privacy laws on the heels of a charity worker at Rochdale Connections Trust being prosecuted for sending spreadsheets containing the personal information of 183 people to his personal email address.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The hack of a large cache of sensitive documents from the offshore law firm Appleby, which was first reported several weeks ago, has already begun to have potentially wide-reaching ramifications.

The International Consortium of Investigative Journalists (ICIJ), which also drove the reporting around the 2016 “Panama Papers” leak, has dubbed the new leak the “Paradise Papers.”

The Guardian reported that the now-exposed Appleby documents contain information related to numerous prominent individuals and organizations, such as Donald Trump’s commerce secretary Wilbur Ross, Queen Elizabeth II and Prince Charles, associates of Canadian Prime Minister Justin Trudeau, social media platforms Twitter and Facebook, corporations Apple and Nike, a variety of wealthy private individuals, and hundreds more.

Appleby reiterated this week that the theft of its data was not a leak by an insider, but “a serious criminal act” carried out “by an intruder who deployed the tactics of a professional hacker.” The company has previously stated that it had “thoroughly and vigorously investigated the allegations” from the ICIJ and was “satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients.”

The BBC reported that although the 2016 Panama Papers were larger in size, the way the Paradise Papers “lifts the lid on sophisticated, upper-end offshore dealings” is unprecedented. For example, Gabriel Zucman, a professor of economics at the University of California, Berkeley, wrote in The New York Times that $70 billion, or close to 20 percent of all U.S. corporate tax revenue, is lost every year due to shifting corporate profits to tax havens.

The ICIJ and nearly 100 media groups are continuing to dig through the 13.4 million documents spanning seven decades that make up the Paradise Papers. The BBC said the papers include 6.8 million documents related to the Appleby breach, 6 million documents from corporate registries in mostly Caribbean jurisdictions, and a smaller amount from the Singapore-based international trust and corporate services provider Asiaciti Trust.

Dozens more stories related to the Paradise Papers will likely be published in the near future, although it remains to be seen what political, economic, or reputational fallout will accompany the organizations and individuals impacted by the leak.

Weekly Cyber Risk Roundup: Spain-Catalonia Conflict Goes Digital, Russian Hacking Revealed

The Spanish government was the week’s top trending cybercrime target due to a series of distributed denial-of-service (DDoS) and other attacks that were orchestrated by the hacktivist group Anonymous.


Anonymous’ campaign against the Spanish government comes on the heels of Catalonia’s recent referendum on independence. As Miguel-Anxo Murado wrote in The New York Review last month, the multi-year independence movement finally came to a head in October as secessionists ignored both a ban placed on the vote by the Spanish Constitutional Court as well as the threat of police action and voted for independence.

That vote led to “mayhem,” Murado wrote, resulting in almost nine hundred people being injured throughout Catalonia as Spanish police confronted protesters and stormed polling stations in order to seize the ballot boxes. On Sunday, Reuters reported that Spain had issued arrest warrants for ex-Catalonia leader Carles Puigdemont and four associates due to rebellion and sedition charges related to the push for secession.

The independence movement has also been accompanied by what one Washington Post editorial described as “The great Catalonian cyberwar of 2017.” According to the Post, Spanish courts and authorities have in the past few months ordered telecom companies to shut down websites pertaining to the vote and forced Google Play to remove an app related to the referendum. 

Scattered cyber-attacks have occurred as the issue unfolded over the past couple months; however, attacks ramped up towards the end of October as Anonymous groups on Twitter and elsewhere urged others to join the #FreeCatalonia campaign, which resulted in numerous organizations being targeted with DDoS attacks, website defacements, and other low-level malicious activity.


Other trending cybercrime events from the week include:

  • Extortion attacks: TheDarkOverlord said it hacked the customer database of Hollywood production studio Line 204, and the group is threatening to leak the company’s internal client data, which includes contracts, files, invoices, and more. The group told media outlets that it will leak the data if it does not receive an unspecified ransom, a threat the group has made to numerous other hacked organizations. A malicious actor has released the personal information of 29 University of the Fraser Valley students and is threatening to release more data if the school does not pay a $30,000 ransom.
  • Data leaked: Information related to 46.2 million Malaysian mobile phone numbers that was taken from Malaysian telephone companies and mobile virtual network operators in 2014 has leaked, and the data appears to have been traded among multiple malicious actors. An unnamed third party contractor for government agencies, a bank, and a utility exposed the details of 48,270 Australian employees due to a publicly accessible Amazon S3 bucket.
  • Third-party-related breaches: Malicious actors used information apparently stolen in another breach to create Iowa Public Employees Retirement Systems accounts for individuals who had never created one, and they used those accounts to steal pension checks by redirecting them to different bank accounts. Kimberly-Clark is notifying a “small number” of customers that their personal information may have been compromised due to attacks that targeted registered accounts using a list of credentials leaked in other data breaches not related to the company. Midland County in Texas said a third-party payment system used to pay fines may have been compromised resulting in an undisclosed number of individuals having their payment card information stolen.
  • Other data breaches: North Korean hackers were likely behind an April 2016 hack of Daewoo Shipbuilding & Marine Engineering that led to the theft of sensitive documents. Catholic Charities for the Diocese of Albany said that the personal information of clients and some employees was compromised due to hackers gaining access to a server. The certified public accountants Chiorini, Hunt & Jacobs are notifying customers that their personal information may have been compromised due to three email accounts being accessed. The Union Labor Life Insurance Company is notifying customers that their information may have been compromised when an unauthorized third-party briefly gained access to an employee’s email account and used that account to send spam messages that contained PDF documents with links to malicious sites.
  • Other notable incidents: Numerous art galleries confirmed they were targeted by business email compromise scams that hijacked email communications and requested payment details be changed in order to steal amounts up to £1 million. T-Mobile said it has called all of the few hundred customers targeted by malicious actors with attempts to “swap” the victims’ SIM cards and impersonate them. An unspecified cyber attack at the Oklahoma Corporate Commission led to its network being shut down for a week. A former University of Iowa student used keyloggers to steal credentials, access 250 student and faculty accounts, and then change his grades and access his exams early.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The investigation into Russia’s alleged election-related hacking brought several new developments this past week.

For starters, the Wall Street Journal reported that the Justice Department has identified at least six members of the Russian government connected to the Democratic National Committee (DNC) hack, and evidence is being assembled to potentially bring official charges against those individuals next year. The WSJ said that dozens of others may have played a role in the hack; however, it is possible prosecutors may wait to identify some or all of those involved until Special Counsel Robert Mueller’s ongoing investigation into alleged Russian hacking is complete.

The Mueller investigation has already resulted in several indictments as well as a guilty plea for lying to the FBI from George Papadopoulos, who served as a foreign policy advisor for the Trump campaign. The guilty plea has some overlap with the hacked emails, as court documents state that an overseas professor Papadopoulos met with multiple times “told him about the Russians possessing ‘dirt’ on then-candidate Hillary Clinton in the form of ‘thousands of emails.’”

A Sunday report from the Associated Press lays out the timeline of Russia’s hacking attempts, and that campaign appears to have begun with phishing emails sent to a list of email addresses tied to staffers of Hillary Clinton’s 2008 campaign. Most of those emails bounced back, but one of those staffers who had also joined the 2016 campaign ended up clicking on multiple phishing links — possibly providing the attackers with a fresh batch of email addresses to target. More than a dozen democrats were ultimately hacked, including John Podesta. One of Podesta’s hacked emails was the first document published by Guccifer 2.0, although it was altered. Guccifer 2.0 airbrushed the word “CONFIDENTIAL” onto the document and claimed the document came from the DNC rather than Podesta in order to entice reporters.

APT28, the group tied to the hacks, had wide-reaching targets far beyond the U.S. election, the AP reported. The group targeted the Gmail accounts of 4,700 users spread across 116 countries, including Ukrainian officers, Russian opposition figures, U.S. defense contractors, and thousands of others of interest to the Kremlin. In the U.S., the targets included diplomatic and military officials; defense contractors such as Boeing, Raytheon, and Lockheed Martin; some Republicans; and more than 130 Democratic party workers.

Weekly Cyber Risk Roundup: Bad Rabbit Halted, Law Firm Breach Raises Questions

The week’s top trending event was the outbreak of Bad Rabbit ransomware, which quickly spread across Russia and Eastern Europe before most of the infrastructure behind the attack was taken offline hours later. 


Bad Rabbit was largely spread via watering hole attacks using compromised news media websites that prompted users to install a fake “Flash Update.” Symantec reported that the vast majority of infection attempts occurred in Russia within the first two hours of the malware’s appearance, but there were also infection attempts observed in Japan, Bulgaria, Ukraine, the U.S., and other countries.

The malware used an SMB component as well as the “Mimikatz” tool, along with some hard-coded default usernames and passwords, to attempt to spread laterally across a network after infection. It was later discovered that the malware also leveraged the leaked NSA exploit EternalRomance in a way that was “very similar to the publicly available Python implementation of the EternalRomance exploit” used by NotPetya (or Nyetya) malware.

“The BadRabbit exploit implementation is different than the one in Nyetya, although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak,” Cisco researchers wrote. “We can be fairly confident that BadRabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya it was used to install the DoublePulsar backdoor.”

Those infected with Bad Rabbit were directed to a Tor payment page and presented with a countdown timer for when the ransom demand would increase, starting at 0.05 bitcoin (around $280). The Register reported that various researchers have found that recovering infected machines appeared difficult, but not impossible.


Other trending cybercrime events from the week include:

  • TheDarkOverlord targets surgery clinic: TheDarkOverlord said it has stolen terabytes of data from London Bridge Plastic Surgery, including sensitive photos and information on some high-profile clients. “We have TBs [terabytes] of this shit. Databases, names, everything,” a representative from The Dark Overlord told The Daily Beast. “There are some royal families in here.” The clinic confirmed that it was likely breached and said it has launched an investigation into the stolen data.
  • Cryptocurrency-related cybercrime: A phishing scam impersonating MyEtherWallet managed to trick several users into handing over the passwords to their wallets, and as a result approximately $16,000 was stolen. Coinhive, which provides websites with a JavaScript miner, said that its Cloudflare account was hijacked due to the use of an insecure password and lack of two-factor authentication, and as a result the attacker was able to steal hashes from users. Coincafe said that an unauthorized third party gained access to a system that was decommissioned in 2014 containing customers’ personal information, and the third party then contacted some of those customers and said they would erase their compromised data for a fee. The website for the new cryptocurrency Bitcoin Gold was taken offline by a DDoS attack.
  • Updates on previously disclosed breaches: Whole Foods said its payment card breach affected nearly 100 locations. U.S. Cellular said an investigation into automated attacks against online user accounts in June revealed that the incident also exposed bank account and routing numbers. West Music, which operates westmusic.com and percussionsource.com, is the latest company to notify customers of a payment card breach tied to third-party payment processor Aptos. Alliance College-Ready Public Schools said they are one of multiple school districts and charter networks affected by a vulnerability that exposed information from the school data platform Schoolzilla. The NSA contractor tied to the leak of confidential hacking tools allegedly disabled his antivirus and infected his computer with malware when installing a pirated version of Microsoft Office.
  • Other notable events: A contractor lost control of a Dell customer support website designed to help customers restore their data and computers to their factory default state, and the hijacked website may have been used to push malware while it was compromised. Researchers discovered two publicly exposed MongoDB databases belonging to Tarte Cosmetics that contained the personal information of nearly two million customers. FirstHealth of the Carolinas, which has more than 100 physical locations, said that a WannaCry variant forced the shutdown of its network to prevent the malware from spreading. Memory4Less is notifying customers that their personal information may have been compromised due to an unauthorized user installing malware on its network between November 2016 and September 2017. LightHouse Management Services and the Iowa Department of Human Services announced employee email account breaches. COL Financial Group said it has experienced a “possible breach.” Two websites run by the Czech Statistical Office that reported the results of the country’s parliamentary elections were temporarily taken offline by DDoS attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The offshore law firm Appleby said that client data was stolen last year, and the International Consortium of Investigative Journalists (ICIJ), which obtained the hacked data, has contacted the firm over allegations of wrongdoing and says it plans on publishing a series of stories related to the breach.

Business Insider reported that the law firm’s super-rich clients are “bracing themselves for the exposure of their financial secrets.” The incident has echoes of the 2016 “Panama Papers” leak, which involved the Panama-based law firm Mossack Fonseca and has led to numerous consequences around the globe — including the resignation of prime ministers in Iceland and Pakistan, and calls for the impeachment of Ukraine’s president.

It is unclear at the moment what fallout, if any, may occur due to the breach at Bermuda-based Appleby, and it is important to note that the company said in a statement that it has found no evidence of wrongdoing.

“We are disappointed that the media may choose to use information which could have emanated from material obtained illegally and that this may result in exposing innocent parties to data protection breaches,” the company said. “Having researched the ICIJ’s allegations we believe they are unfounded and based on a lack of understanding of the legitimate and lawful structures used in the offshore sector.”

However, there have already been reports that the leak has led to renewed scrutiny of Glencore Plc’s acquisition of Katanga Mining Ltd., which runs copper and cobalt mines in Congo, and claims that aircraft buyers may have used Isle of Man for abusive Value Added Tax (VAT) avoidance.

Appleby’s clients include FTSE 100 and Fortune 500 companies, and the breach serves as a reminder that law firms are often the target of malicious actors due to the combination of sensitive documents they hold along with the potentially weaker security inherent in some third parties. Additional documents and reporting related to the Appleby breach will likely be published throughout the coming months.

Weekly Cyber Risk Roundup: DDoS Attacks Hit Sweden, Researchers Warn of ROCA

The Swedish Transportation Administration and other related agencies were among the week’s top trending cybercrime targets due to a series of distributed denial-of-service (DDoS) attacks that led to services being disrupted earlier this month.


The DDoS attacks against the Swedish Transportation Administration affected all of its web-based systems, including the IT system that manages train orders, the administration’s email system, Skype, and its website. Officials said the disruption, which forced trains to be driven manually, resulted in some trains being stopped or delayed.

A spokesperson for the administration said (Swedish) that the DDoS attacks targeted its internet service providers, TDC and DGC; however, the attacks appeared designed to disrupt the administration’s services.

The following day saw additional DDoS attacks against the website of Sweden’s Transport Agency, as well as public transport operator Västtrafik in western Sweden, which briefly crashed the operator’s ticket booking app and online travel planner.

The incident follows warnings from various DDoS mitigation providers about DDoS attacks. CDNetworks – which surveyed organizations in the UK, Germany, Austria, and Switzerland – found that more than half of the organizations were hit by DDoS attacks in the past year. A10 Networks warned that the number of organizations experiencing an average DDoS attack over 50 Gbps has quadrupled in the past two years. In addition, Incapsula researchers recently warned of a new “pulse wave” DDoS attack that provides an “easy way” for attackers to double their attack output. A Neustar report also found that DDoS attacks are frequently accompanied by other malicious activity, such as viruses, malware, ransomware, and lost customer data.

Other trending cybercrime events from the week include:

  • Large data leaks: The Republican phone polling firm Victory Phones had 223 GB worth of data stolen in what appears to be an attack against an unsecured MongoDB database that occurred in January 2017. The incident exposed data on hundreds of thousands of Americans who submitted donations to political campaigns. A researcher has discovered the personal information of millions of South Africans among a large dump of other data breaches. The data includes 30 million unique South African ID numbers, about 2.2 valid email addresses, and other personal information. We Heart It announced a data breach affecting 8 million accounts created between 2008 and November 2013.
  • Payment card breaches: Pizza Hut is warning that customers who used the company’s website or mobile app to place an order during a 28-hour period in early October may have had their information compromised. The online e-commerce platform Spark Pay is notifying customers of a payment card breach involving merchant websites after discovering malicious code on a server. Citizens Financial Group is notifying customers of an ATM skimming incident that occurred at a Citizens Bank ATM located in Cambridge, Massachusetts.
  • Other data breaches: Microsoft’s internal database for tracking bugs was hacked in 2013, revealing descriptions of critical and unfixed vulnerabilities for widely used software such as Windows. Transamerica Retirement Solutions is notifying some customers that it discovered unauthorized access to their retirement plan online account information due to the use of compromised third-party user credentials. Officials said the cryptocurrency exchange Bithumb was targeted with phishing emails containing malware and that led to the personal and financial information of at least 30,000 users being exposed. Chase Brexton Health Care is notifying 16,000 patients of a breach due to a phishing attack that led to the compromise of four employee email accounts and the attackers rerouting the victims’ paychecks to a bank account under their control. Namaste Health Care in Missouri is notifying approximately 1,600 patients of a ransomware infection that may have led to the attacker accessing their information. Rivermend Health is notifying 1,300 patients that their personal information may have been compromised due to a breach of an employee’s email account.
  • Other notable events: The British TV production firm Mammoth Company was hacked by North Korean hackers after reports the company was creating a TV show about a British nuclear scientist taken prisoner in North Korea. The attack did not cause any harm, but it did cause widespread alarm, the BBC reported. Domino’s Australia said that it is investigating a potential issue with a former supplier’s system after a number of customers received unauthorized spam emails. A University of Kansas student was expelled after using a keylogger device to steal faculty credentials and change his grades.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Researchers have discovered a vulnerability, dubbed “ROCA” (CVE-2017-15361), in the cryptographic smartcards, security tokens, and other secure hardware chips manufactured by Infineon Technologies AG, and that vulnerability could allow an attacker to calculate the private portion of an RSA key.

The vulnerability is due to the way the Infineon Trusted Platform Module firmware “mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks,” the CVE states.

Chips manufactured as early as 2012 are affected by the vulnerability, the researchers said.

“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable,” the researchers said. “We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP.”

Researchers said that malicious actors could feasibly use what’s known as a “practical factorization attack” against key lengths of up to 2048 bits, and if the attack is improved it could be used against 4096-bit RSA keys in the future. According to the researchers, the time and complexity cost associated with selected key lengths are:

  • 512 bit RSA keys – 2 CPU hours (the cost of $0.06);
  • 1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
  • 2048 bit RSA keys – 140.8 CPU years (the cost of $20,000 – $40,000).

If a vulnerable key is found, organizations should contact their device vendor for further advice, the researchers said. Forbes reported that Fujitsu, Google, HP, Lenovo, and Microsoft have all pushed out fixes for their relevant hardware and software. The researchers will present their full findings at the ACM Conference on Computer and Communications Security later this month.

Weekly Cyber Risk Roundup: Kaspersky’s Alleged Espionage and SmartVista Bug Unpatched

The National Security Agency and Kaspersky Lab were once again among the week’s top trending targets due to continued reporting around Kaspersky’s alleged involvement in the 2015 theft of classified materials from the home computer of an NSA employee.

As we noted last week, sources told The Wall Street Journal that a contractor took the sensitive data home without the NSA’s knowledge, and the Russian government was able to then steal that information by leveraging the contractor’s use of antivirus software created by Kaspersky. However, the Washington Post subsequently reported that the individual in question was actually an employee in the NSA’s elite Tailored Access Operations division.

In addition, officials told the WSJ this week that Kaspersky’s antivirus software was modified to search for terms such as “top secret,” as well as the classified code names of U.S. government programs, in an operation that is broader and more pervasive than just the one hacked employee. That modification could not have been done without Kaspersky’s knowledge, an official told the paper. However, Kaspersky has continued to state that it “was not involved in, and does not possess any knowledge of, the situation in question.”

The New York Times reported that the U.S. was first made aware of the espionage campaign leveraging Kaspersky by Israeli intelligence officers who hacked into Kaspersky Lab in 2014. Those hackers, later dubbed Duqu 2.0, exploited up to three zero-days in order to spy on Kaspersky Lab technologies, ongoing research, and internal processes, Kaspersky wrote in 2015 after discovering the intrusion.

Officials told the WSJ that it remains unclear exactly how many other government computers or employees may have been targeted via Kaspersky software – or if any additional sensitive data was stolen.

Other trending cybercrime events from the week include:

  • Defense-related breaches: The Australian Signals Directorate said that a defense contractor had 30 gigabytes of data stolen, including data related to F-35 Joint Strike Fighters, the C-130 military transport aircraft, the new spy plane P-8 Poseidon, the smart bomb JDAM, and some Australian naval vessels. A breach of South Korea’s military network last year allowed North Korean hackers to access vast amounts of data, including classified wartime contingency plans jointly created by the U.S. and South Korea.
  • Payment card breaches: Irish retailer Musgrave is asking customers of SuperValu, Centra, and Mace to be on the lookout for fraudulent charges due to concerns that their payment card numbers and expiration dates may have been stolen. Hyatt Hotels is notifying customers that payment card information swiped and manually entered at the front desks of some locations may have been compromised. Hue.com and nononsense.com, and their parent company Kayser-Roth, are notifying customers of a payment card breach tied to third-party website order processor Aptos. Droege Computing Services said that a StampAuctionNetwork server was hacked and payment card information was compromised due to a breach that occurred through Droege’s main offices. Tommie Cooper and Cricut are notifying customers that payment information may have been stolen due to malware on the checkout portions of their websites.
  • Other data breaches: Accenture confirmed it exposed massive amounts of data across four unsecured cloud servers, including passwords and secret decryption keys. Disqus said that 17.55 million users had their information compromised due to a security breach affecting a database from 2012 that included information dating back to 2007. A security researcher discovered a vulnerability in T-Mobile’s website that allowed malicious actors to gain access to customers’ personal data as long as they had a correct phone number. The previously reported breach at Deloitte compromised a server that contained the emails of at least 350 clients, The Guardian reported. Catholic United Financial is notifying members of a breach due to SQL injection attacks. Palo Alto High School officials warned that students’ personal information was breached and posted to a “rogue” website. SyncHR is notifying employees that it accidentally exposed their benefit information to other HR administrators and customers.
  • Other notable events: Nearly $60 million was stolen from Far Eastern International Bank in Taiwan using malware designed to generate fraudulent SWIFT messages. The bank said it has recovered the vast majority of the stolen funds, with only $500,000 still outstanding. A security bug in the music platform PledgeMusic allowed anyone to log into some users’ accounts using a correct email address along with an incorrect password or no password at all. The bug could have been exploited to make unauthorized payments and pledges to artists. David Kent, the founder of the networking website oilpro.com, was sentenced to one year and one day in prison for hacking into the database of competitor Rigzone, stealing information on over 700,000 customers, using that information to grow Oilpro, and then attempting to sell Oilpro with its inflated growth and stolen data to Rigzone.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Researchers have published the details of a yet-to-be-patched SQL injection vulnerability affecting BPC Banking Technologies’ SmartVista product suite after numerous reports of the bug went unanswered.

Exploiting the vulnerability requires authenticated access to the transactions portion of the SmartVista front-end, the researchers said, and it can lead to the compromise of various sensitive data depending on the level of access the BPC SmartVista user was granted. Researchers said the company has yet to respond to multiple vulnerability reports from Rapid7, CERT/CC in the U.S., and SwissCERT that date as far back as May 10.

BPC’s website states that the company has 188 customers across 66 countries, including “huge tier 1 banks, and both midsize and smaller companies.” The website also states that all of its solutions are delivered via the SmartVista product suite, which “handles all aspects of ATM management, billing, mobile and contactless payments, settlement, point of sale, card issuing and acquiring, microfinance and electronic payments processing.”

Rapid7 researchers said that an attacker could craft a series of true/false statements to brute-force query the database, allowing information from accessible tables to be exposed, such as usernames and passwords. Rapid7 program manager Samuel Huckins told Threatpost the company was hesitant to publish its findings due to the potential for financial and data loss, but it has not received any response from BPC or evidence of the vulnerability being patched across many months.

“After a certain point, we needed to move forward and make it public in the hope they see it and take action,” Huckins said. “This could impact a lot of their customers who may not be aware of this at all.”

The researchers advised users to contact BPC support for more details, to limit access to the management interface of SmartVista, and to regularly perform audits of successful and failed logins.

Weekly Cyber Risk Roundup: Yahoo Breach Expands, Equifax Grilled, Another NSA Insider

Yahoo and Equifax were both back in the news this week due to new details emerging around their respective data breaches, including Yahoo revising the number of affected accounts to three billion and Equifax’s former CEO being grilled before Congress.

Yahoo had previously stated that its 2013 data breach affected one billion user accounts, which made it the most widespread data breach in history. On Tuesday Verizon Communications, which acquired Yahoo for $4.48 billion in June, tripled the number of impacted accounts to include all three billion of Yahoo’s user accounts. The breach was particularly egregious not only because of its size, but because it involved sensitive information such as the security questions and answers and backup email addresses used to recover accounts. Yahoo’s massive 2013 breach is in addition to a separate, previously disclosed breach that affected 500 million Yahoo accounts in 2014.

This week also saw the congressional testimony of Equifax’s former CEO Richard Smith. Smith said the breach was due to a combination of “both human error and technology failures” around implementing an Apache Struts patch made available on March 6, which was not patched for months despite a policy stating patches occur within a 48-hour time period. The testimony was met with harsh criticism from some lawmakers. For example, Sen. Elizabeth Warren (D-Mass.) questioned the entire business model of Equifax, claiming that the company has no incentive to protect consumer data and highlighting various avenues through which the company is making “millions of dollars off its own screwup.” Warren said that Equifax may “actually come out ahead” financially in regards to its breach, which affects 145 million people.

Despite the ongoing fallout, the IRS renewed a $7.25 million contract with Equifax to use its services to verify taxpayer identities. The contract drew major criticism; however, IRS Deputy Commissioner Jeffrey Tribiano said it was a necessary “stop gap” so millions of taxpayers did not lose access to their transcripts.

Other trending cybercrime events from the week include:

  • Newly announced data breaches: Auburn Eye Care Associates of California was hacked by TheDarkOverlord and thousands of patient records were stolen from its electronic health record system. Cabrillo Community College District said that it discovered unauthorized access to a server containing a database with student orientation information. The Online Traffic School said that customer information was compromised due to an individual gaining unauthorized access to part of its network. Northwestern Mutual Life Insurance Company said that customer information was compromised due to a financial advisor falling for a scam that led to a malicious actor gaining remote access to a desktop computer multiple times. The law firm Clark Hill had its systems accessed by Chinese hackers and sensitive documents related to Chinese dissident Guo Wengui were subsequently released on Twitter. Phoenix Inn Suites is the latest hotel to issue a breach notification tied to the Sabre Hospitality Solutions SynXis Central Reservations system.
  • Organizations expose data: A misconfigured database that collected data on activity on a number of NFL-related domains such as the National Football League Players Association’s website exposed the data of 1,133 NFL players and agents. The database also included a ransom message from February 2017 similar to the ones targeting other Elasticsearch servers earlier this year — indicating that the data was accessed by cybercriminals. FlexShopper said a database containing payment and other customer information may have been exposed on the internet for several days. National Bank of Canada said that 400 customers had their personal information exposed due to a website glitch. Graton Resort and Casino, Kenco, and North Carolina A&T State University all announced breaches related to inadvertently disclosing sensitive customer, employee, and student data via email attachments.
  • Other notable incidents: U.S. government officials believe that the personal cellphone of chief of staff John Kelly was compromised, and the compromise may date back to December 2016. The R6DB gaming service, which provides statistics for Rainbow Six Siege gamers, said that an automated bot breached its PostgreSQL installation and wiped the database then demanded a ransom payment. Etherparty said it had to shut down its website for 90 minutes after discovering a fraudulent contribution address on the site just an hour after the ICO for its FUEL token went live. The City of Englewood said that it was hit with a ransomware infection. The UK National Lottery and Kazakhstan banks reported service disruptions due to DDoS attacks.
  • Arrests and legal actions: A federal indictment alleges that a former Hewlett-Packard Enterprise Corp. employee intentionally caused damage to Oregon’s Medicaid Management Information System (MMIS) after being laid off, resulting in an eight-hour loss of functionality for the system. The former principal of Seven Peaks School in Oregon is being sued for allegedly downloading thousands of private documents related to the students and staff, including psychological evaluations of students.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

On Thursday, The Wall Street Journal reported that the Russian government was able to steal highly classified NSA material from an NSA contractor who removed the classified material and put it on his home computer without the NSA’s knowledge.

The sources said that the breach, which occurred in 2015, was first discovered in the spring of 2016 and included details about how the NSA penetrates foreign computer networks, code it used for such spying, and details on how the NSA defends networks inside the U.S.

Sources told the WSJ that the hackers appear to have used the antivirus software created by Russia-based Kaspersky Lab in order to identify the files on the contractor’s computer. The paper also reported that it is the first known incident of the popular antivirus software being exploited by Russian hackers to conduct espionage against the U.S. government.

Kaspersky Lab said it “has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.”

The alleged NSA breach provides some insight into reports that the FBI has been urging private companies throughout the year to discontinue using Kaspersky products due to intelligence that indicated the company is an unacceptable threat to national security. In addition, the Department of Homeland Security issued a directive in September ordering federal agencies to take actions to ultimately remove Kaspersky-related products from government computers.

The breach also appears to be separate from the incidents involving NSA contractor Harold T. Martin III, who hoarded large quantities of sensitive NSA data and hacking tools in his home, and TheShadowBrokers, a group that is best known for the April 2017 release of stolen NSA exploits such as EternalBlue, among others. As we noted in our August blog, officials have not linked TheShadowBrokers to Martin’s insider theft, and it appears the same can be said of the newly reported NSA breach. However, this new incident now makes two recent insiders who have successfully taken highly confidential NSA data home — and at least one case of that data then being successfully targeted by foreign hackers once it was in a less secure environment.

Weekly Cyber Risk Roundup: Deloitte Breached and More Possible Supply Chain Attacks

Deloitte, one of the world’s “big four” accounting firms, was the week’s top trending new cybercrime target after it was reported that the firm experienced a breach that compromised some of its clients’ information.

The Guardian reported that Deloitte clients’ information was compromised after a malicious actor gained access to the firm’s global email server through an administrator account that did not have two-step verification enabled.

Six Deloitte clients have been informed of the breach, which was first discovered in March 2017 and may have dated back to October 2016. The Guardian was told that an estimated five million emails could have been accessed by the hackers since emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service; however, Deloitte said the number of emails that were at risk is a “very small fraction of the amount that has been suggested.”

Shortly after The Guardian story broke, Brian Krebs reported that a source close to the Deloitte investigation said the company’s breach involves the compromise of all administrator accounts at the company, that it’s “unfortunate how we have handled this and swept it under the rug,” and that “it wasn’t a small amount of emails like reported.” The source also said that investigators identified several gigabytes of data being exfiltrated and that Deloitte is not sure exactly how much data was taken.

Additionally, The Register reported that what appeared to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found within a public-facing GitHub-hosted repository; that a Deloitte employee uploaded company proxy login credentials to his public Google+ page; and that Deloitte has “loads” of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled.

Other trending cybercrime events from the week include:

  • Ransomware continues: Montgomery County, Alabama officials said the county paid 9 bitcoins ($37,000) in ransom to regain access to its files after a SamSam ransomware infection disrupted services at the Montgomery County District Attorney’s Office. Officials said they had backups in place, but that the off-site backup servers were nearing capacity, along with some other issues. San Ysidro School District said it was infected with ransomware that affected emails and some shared files and demanded $18,000 in ransom. However, the school did not pay the ransom as it had a backup in place. The Arkansas Oral & Facial Surgery Center is notifying patients of a July 26 ransomware infection that made inaccessible imaging files such as x-rays, document attachments, and all electronic patient data related to visits within three weeks prior to the infection.
  • Other extortion attacks: Malicious actors are using compromised iCloud credentials along with Find My iPhone to lock users’ computers with a passcode and then demand a ransom to unlock the device. Mac Rumors reported that the attack can bypass two-factor authentication since Apple allows users to access Find My iPhone without requiring two-factor authentication in the event that the user’s only trusted device is missing. A group using the name Phantom Squad is believed to have sent extortion emails to thousands of companies threatening DDoS attacks on September 30 unless a 0.2 bitcoin ($720) ransom is paid. SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy in Massachusetts said that TheDarkOverlord accessed data stored in Patterson PTOS software, and TheDarkOverlord shared the stolen database of 16,428 patient records with databreaches.net, which confirmed the breach. TheDarkOverlord went public with the breach after a failed ransom attempt.
  • New point-of-sale breaches: The fast-food chain Sonic said it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash. Whole Foods said that some of the taprooms and full table-service restaurants in its grocery stores experienced a point-of-sale breach. The breach did not affect credit cards used at the store’s main checkout systems as those use a different point-of-sale system.
  • Other notable incidents: The Toms River police department said that 3,7000 individuals had their information compromised due to a data breach. Fresno Unified School District said that the personal information of 53 employees, retirees, and their dependents was found in the possession of multiple individuals arrested by the Gilroy and Clovis police departments. Signator Investors is notifying customers that an unknown third party gained unauthorized access to some client records. The Brown Armstrong financial consultancy firm is warning that fraudulent tax returns were filed under some of its clients’ names. A lawyer at the law firm Wilmer, Cutler, Pickering, Hale and Dorr inadvertently leaked PepsiCo privileged information by email to a Wall Street Journal reporter. The federal government notified 21 states that they were the target of hacking related to the 2016 presidential election.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Last week we noted the malicious version of CCleaner that was downloaded approximately 2.27 million times appeared to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

This week Morphisec, the firm that discovered the backdoored version of CCleaner, said that there may be other similar attacks leveraging common applications that have been compromised in an attempt to gain access to even more corporate networks.

The company’s chief technology officer Michael Gorelik said that it is currently investigating historical “false positive” reports in an attempt to discover evidence of whether other applications have been backdoored. Gorelik said that he believes there were other supply chain attacks like the CCleaner one, and that the initial findings of the investigation were “very interesting.”

As SurfWatch Labs has previously noted, supply chains have proven to be one of the more difficult aspects for organizations to defend against, and malicious actors have shifted their attacks towards weak points in the supply chain to exploit the interconnected nature of organizations. For example, the June spread of WannaCry, perhaps the year’s most widely reported cyber incident, was tied to infections from the updater process for tax accounting software created by the Ukrainian company MEDoc.

The issues around CCleaner and MEDoc have been widely reported, but there are numerous other examples of smaller-scale incidents that regularly occur. For example, last month npm, which describes itself as “the world’s largest software registry,” said that it removed more than 40 malicious packages after discovering an actor going by the name “hacktask” had published them with similar names to popular npm packages in an attempt to trick users into downloading them. In addition, popular Android apps, WordPress plugins, and other widely used products are frequently compromised to deliver various types of malware.

The researchers looking into supply chain attacks similar to CCleaner have not yet announced any other potential compromises, but organizations should keep an eye on the story to see if any discoveries occur in the coming weeks regarding applications being compromised to gain access to corporate networks.

Weekly Cyber Risk Roundup: SEC, Illicit Trading and CCleaner Industrial Espionage

The U.S. Securities and Exchange Commission (SEC) was the week’s top trending new cybercrime target following the announcement that a data breach compromised sensitive data that may have “provided the basis for illicit gain through trading.” SEC chairman Jay Clayton said the commission learned last month that an incident “previously detected” in 2016 may have led to the illicit trading.

“Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” Clayton said in a statement.

EDGAR — which is an acronym for electronic data gathering, analysis, and retrieval — contains millions of filings from companies. The investigation is ongoing, but it is likely that any insider trading due to the breach would have occurred between the period when company filings were made and when those filings were released to the public. The SEC breach echoes, on a smaller scale, the insider trading scheme for which a Ukrainian hacker was sentenced to prison earlier this year. That scheme revolved around the theft of 150,000 news releases from Business Wire, Marketwired, and PR Newswire between February 2010 and August 2015, which led to more than $100 million in illegal profits.

Reuters said it had viewed a confidential report stating that the U.S. Department of Homeland Security detected five “critical” weaknesses on the SEC’s computers as of January 23. In addition, the Government Accountability Office warned in July that the SEC was “at unnecessary risk of compromise” because of deficiencies in its information systems. Reuters also reported that new SEC reporting rules start to come into effect in December that require funds to confidentially file monthly, rather than quarterly, portfolio holdings with the SEC. The breach has unnerved investor groups such as the Investment Company Institute, which wants the SEC to answer cybersecurity concerns before the SEC begins collecting additional sensitive data.


Other trending cybercrime events from the week include:

  • TheDarkOverlord threatens violence: Flathead County in Montana closed 30 schools for several days following a breach and ransom letter that claimed to come from TheDarkOverlord and hinted at physical violence, as well as threats against individual families that leveraged the school’s electronic directory. Databreaches.net wrote that “the Flathead case is not the first case where TheDarkOverlord has contacted its victims by phone or SMS to threaten them or deliver obscenity-laden messages.”
  • Organizations expose more data: Researchers discovered an Amazon AWS S3 bucket belonging to Viacom that contained “a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations.” Researchers discovered an Amazon AWS S3 bucket with more than half a million records belonging to the automobile tracking company SVR Tracking. The Office of the Australian Information Commissioner is investigating the exposure of the financial information of customers of Amazing Rentals. The British supermarket chain Iceland exposed customer information on its home delivery confirmation sheets, which also contained an IP address that led to an insecure login portal for Iceland’s scheduling system. Premier Medical Associates said that 900 patients who submitted information via the “Contact Us” portion of its website had that data compromised due to search engines retrieving the submissions.
  • New data breaches: OurMine gained access to Vevo’s media storage servers and leaked 3.12TB of company data. Bulletproof 360 is notifying customers that their payment information may have been compromised due to the discovery of unauthorized code on its website’s checkout page. TD Ameritrade said “unauthorized code” led to the breach of customer information. LiteBit is notifying users that their personal information was accessed in an attack that targeted a supplier and a LiteBit server. Cornerstone Business and Management Solutions said that it discovered an unauthorized account on a server and that the data of Certified Medical Supplies patients was compromised. Irish National Teachers’ Organization said that more than 30,000 teachers had their personal information compromised due to hackers gaining access to its online learning portal. TRUEbenefits, ABB, Inc., Morehead Memorial Hospital in North Carolina, and AU Medical Center all announced breaches due to compromised employee email accounts.
  • Other notable incidents: Montgomery County in Alabama said that a ransomware infection locked up computer systems and disrupted some county services. PeaceHealth Southwest Medical Center is notifying 1,969 patients that their protected health information was unnecessarily accessed by an employee. A Georgia man was found guilty of inserting malicious code known as a “logic bomb” into a national-level computer program responsible for handling pay and personnel actions for nearly 200,000 U.S. Army reservists. An Arizona man was sentenced to four years of federal probation for making changes to a company website that prevented the company’s employees from using their email accounts, redirecting the company’s homepage to a blank page, demanding $10,000 to return everything to normal, and then redirecting the company’s homepage to a pornographic website when it refused to pay the ransom.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-09-24_ITTNew

Cyber Risk Trends From the Past Week

Last week the developer of CCleaner announced that approximately 2.27 million users of CCleaner downloaded a legitimately signed version of the utility containing malicious code. Shortly thereafter, it was reported that the spreading of a backdoored version of CCleaner appears to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

The malicious version of CCleaner was available on the site from August 15 to September 12, said Piriform, which was recently acquired by Avast, and it affected customers with the 32-bit version of CCleaner v5.33.6162 and with CCleaner Cloud v1.07.3191. The compromised code could have resulted in “the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.”

Researchers found evidence that the actors attempted to filter their collection of compromised victim machines to find computers inside the networks of tech firms, such as Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, Cisco, and more. In about half of the cases, the actors behind the attack successfully compromised a machine within the company’s network and used that to install another piece of malware likely intended for industrial espionage. The researchers also noted that the list of targets discovered was likely modified throughout the month-long campaign, so there may be additional companies that were targeted besides the 18 that were identified.

“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” Cisco researchers wrote.

Weekly Cyber Risk Roundup: Equifax Fallout and Widespread Bluetooth Vulnerabilities

Equifax continued to dominate cybersecurity discussion over the last week as security researchers, government officials, lawyers, and the media have continued to ask questions around the fallout related to the massive breach, which affects 143 million consumers in the U.S. as well as others across the globe.


Equifax confirmed that the actors behind the breach exploited an Apache Struts vulnerability (CVE-2017-5638). The Apache Software Foundation noted that the vulnerability was made public and a patch was issued for it on March 7, more than two months before the initial “mid-May” compromise at Equifax.

“In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the foundation wrote in a blog post.

To add to the company’s woes, researchers discovered that an online portal for Argentinian employees to manage credit report disputes had, among other issues, the ridiculously easy-to-guess username and password combination of “admin” and “admin” — potentially leaking the sensitive information of those in Argentina and possibly other Latin American countries.

In addition, the FTC, which has opened an investigation into the breach, is warning consumers to be on the lookout for scams involving Equifax imposters and advising consumers to never give information to anyone who calls unprompted and claims to be from the company. Visa and Mastercard are also sending confidential alerts to U.S. financial institutions regarding the 209,000 payment card numbers that were also stolen in the breach. Brian Krebs reported that it appears those stolen payment cards are, ironically, tied to people signing up for credit monitoring service through Equifax. Finally, the breach has prompted Elizabeth Warren and 11 other Democratic senators to introduce a bill to give consumers the ability to freeze their credit for free.


Other trending cybercrime events from the week include:

  • Notable data breaches: The website canoe.ca said that the personal information of one million Canoe site users was compromised by a breach that affected databases containing records from 1996 to 2008. Children’s Hospital Colorado is notifying 3,400 patients that their information may have been compromised due to an employee’s email account being accessed by an unauthorized party on July 11. Donors of the Somerville House Foundation, which is responsible for running the elite school in Australia, were warned that a former employee had copied over their data to a personal hard drive.
  • Organizations expose data: Individuals who used translate.com may have had sensitive data they submitted made public and discoverable via search engines. Researchers and media have found a variety of sensitive data that was submitted to the site being leaked, including email exchanges, sensitive company documents, personal information, and more. Translate.com said, “there was a clear note on our homepage stating: ‘All translations will be sent to our community to improve accuracy’ and that ‘some of these requests were indexed by search engines such as Google and Microsoft at that time.’” The personal information of 593,328 Alaskan voters was exposed due to a misconfigured CouchDB database by Minnesota-based software company Equals3, which licensed the data from TargetSmart.
  • Ransomware incidents: Hackers were able to gain access to the communications system for Schuyler County via a brute-force attack, and as a result some enhanced 911 features were disrupted. Officials said that the county is rebuilding all of its files and servers following the attack, indicating that there may have been some sort of ransomware attack or other destructive malware. A ransomware infection has disrupted the Butler County, Kansas, computer system for several days and forced paperwork to be filled out by hand, the county sheriff said.
  • Arrests and legal actions: The Russian cybercriminal Roman Seleznev pleaded guilty to his role in the 2008 hack of RBS Worldpay and cashing out $2,178,349 associated with five hacked debit card numbers. Artur Sargsyan, the owner of the file-sharing website Sharebeast.com, has pleaded guilty to one felony count of copyright infringement related to the website, which facilitated the unauthorized distribution and reproduction of over one billion copies of copyrighted works. A North Carolina man who goes by the moniker “D3F4ULT” and was a member of the “Crackas With Attitude” hacking group has been sentenced to five years in prison for hacking government computer systems and the online accounts of government officials. A Texas man was sentenced to 27 months in prison for hacking and damaging 13 servers operated by the healthcare facility Centerville Clinic, Inc., as well as engaging in a scheme to defraud the facility using its purchase card to order merchandise from Staples after resigning from his role as a systems administrator. The U.S. Treasury department issued sanctions against 11 entities and individuals tied to Iran, including some actors who are accused of launching DDoS attacks against U.S. financial institutions between 2011 and 2013.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-09-15_ITTNew

Cyber Risk Trends From the Past Week

Security researchers are advising people to ensure their Bluetooth connections are turned off when not in use after the discovery of a series of vulnerabilities that can be used to compromise billions of Bluetooth-enabled devices.

The eight vulnerabilities, dubbed “BlueBorne,” were first reported by Armis Labs and “are the most serious Bluetooth vulnerabilities identified to date,” according to a company spokesperson.

“BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware to other devices,” the researchers wrote in a paper detailing the vulnerabilities. “The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device. In addition, the targeted user is not required to authorize or authenticate the connection to the attacker’s device.”

As an Armis spokesperson told Bleeping Computer, one example of an attack could be a malicious actor simply walking into a bank carrying weaponized code on a Bluetooth-enabled device in order to infect other devices and gain a foothold on a previously secured network. In addition to the paper, Armis has uploaded videos showing how the BlueBorne attacks work across various devices.

Four of the vulnerabilities affect Android (CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785), two affect Linux (CVE-2017-1000251 and CVE-2017-1000250), one affects iOS (CVE-2017-14315), and one affects Windows (CVE-2017-8628). Ars Technica reported that the Windows vulnerability was patched in July, Google provided device manufacturers with a patch in August, Linux maintainers will likely release a patch soon, and iOS version 10 is not affected by the vulnerability.