Weekly Cyber Risk Roundup: Equifax Criticized Over Breach and Energy Sector Companies Compromised

Last Thursday, Equifax announced a data breach affecting 143 million individuals. The breach, which compromised sensitive personal information such as Social Security numbers and driver’s license numbers, is not just the most impactful breach that occurred over the past week, it may be the most significant breach we see in all of 2017.

2017-09-11_ITT

As SurfWatch Labs chief security strategist Adam Meyer noted, the impact of the Equifax breach will likely continue to ripple outward and affect individuals and organizations far beyond the near term. After all, the Social Security numbers and dates of birth that were stolen in the breach are static identifiers that range from difficult to impossible to change. Meyer also noted that malicious actors excel at snowballing information and could potentially use the leaked data as a springboard to circumvent knowledge-based authentication services, such as those that are offered by Equifax.

Equifax’s response to the breach has also drawn criticism on a variety of fronts. Bloomberg reported that three senior Equifax executives sold nearly $1.8 million worth of shares in the days following the breach, which was first discovered on July 29. Brian Krebs called the breach response a “dumpster fire” for a variety of reasons, including a tool that Equifax said potential victims could use to see if they are affected being “completely broken” and concerns around a now-modified terms of service clause that initially appeared to force victims to waive future class action rights in exchange for signing up for identity theft services. The New York Times reported that the 10-digit PINs being provided to those that choose to pay to freeze their credit files are not as secure as one would expect. Finally, The Hill reported that numerous members of Congress and states attorneys general have already launched investigations and are demanding further explanations from Equifax.

2017-09-11_ITTGroups

Other trending cybercrime events from the week include:

  • Notable data breaches: The Latin American social network Taringa said that hackers have stolen the usernames, email addresses, and MD5-hashed passwords of nearly 29 million users. The state government of Western Australia has ordered an urgent review of the state’s TAFE cyber security systems after the information of 13,000 students was compromised when an unauthorized user gained access to the TAFE’s IT system on two separate occasions. The Community Memorial Health System in Ventura, California, is notifying 959 patients that their personal information may have been compromised due to an employee’s email account being accessed following a phishing email. The Alaska Office of Children’s Services said that malware was found on two computers and that more than 500 individuals may have had their personal information stolen as a result. The Hong Kong jobs website cpjobs.com said that an unauthorized third party was able to gain access to user data and passwords. A customer of the DDoS-for-hire service TrueStresser claims to have hacked the company and released what appears to be legitimate company data.
  • Organizations exposed data: Researchers discovered more than 600GB of sensitive data exposed via two insecure Amazon S3 buckets that appear to be connected to the global communication software and service provider BroadSoft, Inc. Much of the internal development data apparently saved by Broadsoft engineers related to Time Warner Cable. Researchers discovered a misconfigured CouchDB database connected to MoneyBack that exposed the passports, IDs, and other personal details of thousands of travelers to Mexico. Researchers discovered an unsecured Amazon Web Services S3 data storage bucket that contained 9,402 resumes and application forms submitted for positions with North Carolina-based private security firm TigerSwan. An email error led to those who preordered Essential phones receiving the personal details of other customers, including copies of driver’s licenses.
  • Another wave of MongoDB ransoms: Attacks against insecure MongoDB instances surged recently as three groups of hackers wiped approximately 26,000 MongoDB databases and left ransom notes saying the data would be restored for between 0.05 and 0.15 bitcoin, or as much as $650. The researchers said that few organizations have paid the ransom.
  • Other notable incidents: WikiLeaks has published a series of documents related to the CIA’s Protego project, which WikiLeaks described as “a PIC-based missile control system that was developed by Raytheon.” Verrit, an online hub that includes information for Hillary Clinton backers to share, recently went offline after experiencing a “pretty significant and sophisticated” cyber-attack, the site’s creator said. The UK’s National Fraud & Cyber Crime Reporting Center is warning that students are being targeted with a phishing scam that claims their Student Loans Company accounts have been suspended due to incomplete information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-09-11_ITTNew

Cyber Risk Trends From the Past Week

2017-09-11_RiskScoresSecurity researchers are once again warning that the energy sector is the target of increased cyber-attacks. Symantec said that it has observed increased activity from the actors behind the Dragonfly 2.0 campaign and that there are strong indicators of recent attacks against organizations in the U.S., Turkey, Switzerland, and elsewhere.

Like the original Dragonfly campaign, which ran from 2011 to 2014, the new campaign uses a combination of malicious emails, watering hole attacks, and Trojanized software to gain access to victim networks, the researchers said in a report.

“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” Symantec wrote. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”

Symantec researcher Eric Chien told Wired that there were more than 20 cases of hackers successfully gaining access to targeted companies’ networks and that the intruders had gained operational access to a handful of companies, including several in the U.S. and at least one in Turkey.

He warned that “there’s nothing left standing in the way [of sabotage] except the motivation of some actor out in the world.”

Weekly Cyber Risk Roundup: Instagram Bug May Affect Millions and FDA Recalls Vulnerable Pacemakers

Instagram was among the week’s top trending cybercrime targets due to both the company confirming a bug that may have leaked some users’ personal information and a malicious actor claiming that he is selling the personal data of six million Instagram users.

2017-09-01_ITT.png

On August 28, Instagram’s most popular user, Selena Gomez, had her account hacked and used to spread nude photographs from 2015 of her ex-boyfriend Justin Bieber. Two days later, Instagram warned that a bug in the Instagram API had been used to steal some high-profile users’ personal information — which may have contributed to the Gomez account takeover.

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”

However, that same day a malicious actor claiming to have scraped the personal data of six million Instagram users contacted Ars Technica and told the outlet that he or she was selling the data in a searchable website for $10 per query. The actor claimed to have learned of the vulnerability used to scrape the data in an IRC discussion — suggesting that the bug confirmed by Instagram may have a wider scope of impact than initially thought. An Instagram representative said company officials are aware of the claim and are investigating it. Researchers said the 10,000-record sample provider by the actor appears to be legitimate. Until Instagram clarifies the extent of the bug and the subsequent breach of personal information, Instagram users should assume that their associated email addresses and phone numbers may in the hands of malicious actors.

2017-09-01_ITTGroups

Other trending cybercrime events from the week include:

  • Numerous ransomware announcements: NHS Lanarkshire hospitals were disrupted by a Bitpaymer ransomware infection that resulted in the staff bank and telephone systems going offline, as well as the rescheduling of appointments. An employee of the German state parliament of Saxony-Anhalt opened a malicious attachment in a spear phishing email, leading to a ransomware infection that media said “crippled” the state parliament’s network. Dorchester School District 2 in South Carolina announced it paid $2,900 via its insurance coverage after 25 of the 65 servers for the district’s computer network were infected with ransomware. Medical Oncology Hematology Consultants, PA in Delaware said that a ransomware infection affected 19,203 patients. The Indiana accounting firm Whitinger & Company notified clients of a data breach and ransomware attack.
  • Insiders lead to lawsuits, data breaches: Allstate Insurance has filed a lawsuit against Ameriprise Financial accusing the company of attempting to steal confidential information by encouraging Allstate agents to create contact lists and download client data to use in soliciting clients once they quit and get hired at Ameriprise. Tewksbury Hospital in Massachusetts discovered unauthorized employee access to patients’ medical records that dated back to 2003 and is attempting to notify affected individuals that their information was compromised.
  • Organizations expose data: Researchers discovered an insecure backup device belonging to the London-based Bell Lomax Agency that exposed thousands of documents related to the company and its literary clients. MacKeeper researchers said anyone could access the documents, which included the Agency’s Quickbooks accounting files, archive email boxes, financial data, expenses, administrative details, royalties, and client details for 2014-2015. Major League Lacrosse is notifying all players that their information was accidentally available online due a link on its website that pointed to a spreadsheet containing data on every player in the league.
  • Other notable incidents: There have been multiple attacks against South Korean cryptocurrency exchanges, financial technology companies, and startups that use blockchain technology. CeX is notifying two million registered website customers that their information may have been accessed by an unauthorized third party. MacEwan University said that it was the victim of an $11.8 million wire transfer fraud after a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. Swedish web hosting company Loopia said that hackers accessed parts of its customer database, including customer contact information and encrypted passwords. Zazzle is warning customers that their accounts may have been compromised due to brute-force attacks and is prompting customers to choose new passwords. Oklahoma City’s Tower Hotel is the latest in a growing number of hotels to announce being impacted by the breach of the Sabre Hospitality Solutions SynXis Central Reservations system. The hacking group OurMine used a domain spoofing attack to redirect visitors of WikiLeaks website to a page created by the group.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-09-01_ITTNew

Cyber Risk Trends From the Past Week

2017-09-01_RiskScoresThe FDA has approved a firmware update for certain Abbott (formerly St. Jude’s) pacemakers to address cybersecurity vulnerabilities — essentially ordering a recall to correct the issues present in 465,000 implanted RF-enabled cardiac pacemakers.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in safety communication. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

The firmware update follows a series of high-profile news stories regarding St. Jude dating back to 2016 when the healthcare cybersecurity company MedSec teamed up with the short selling firm Muddy Waters to disclose — and ultimately profit from — several remotely executable flaws in St. Jude pacemakers and defibrillators. A lawsuit, government alerts, and a January 2017 patch that many claimed fell short followed (the timeline is summarized well in this article from CSO Online).

The firmware update requires an in-person patient visit with a health care provider and takes approximately 3 minutes to complete. After installing the update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The FDA asks affected patients to consult with their physicians about any risks associated with receiving the firmware update, which has “a very low risk of an update malfunction.”

In 2016, the FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.

Weekly Cyber Risk Roundup: Another Ethereum Heist and FBI Warns Against Kaspersky Lab

Cryptocurrency theft was the week’s top trending cybercrime story as malicious actors were able to capitalize yet again on an upcoming Ethereum initial coin offering (ICO) to steal approximately $500,000 worth of Ether — this time from investors in the cryptocurrency platform Enigma.

2017-08-25_ITT

Enigma said that malicious actors managed to compromise the enigma.co domain, its Slack channel, and certain email lists. The actors then posted messages via the compromised channels claiming that the platform was offering a “pre-sale” of tokens ahead of next month’s official ICO.

Enigma CEO Guy Zyskind said the attack “joins a long list of other similar attacks plaguing the crypto-community.” For example, just last month there were three different multi-million dollar Ethereum heists: $34 million was stolen due to a bug in the code of the Parity Ethereum client and $10 million and $8.4 million were stolen during the ICOs of Coindash and Veritaseum.

“We want to make sure that no one in our community that was a victim to this well-coordinated phishing attack is financially hurt,” Zyskind said in a blog post. “We will restore funds to everyone that lost money in this recent scam attempt after our token sale concludes.”

With four large Ethereum thefts over just the past month, it is clear that malicious actors have found a new — and relatively simple — way to capitalize on the excitement of Ethereum investors. Similar attacks will likely occur in the future as malicious actors play copycat and attempt to capitalize on other ICOs for a quick payday.

2017-08-25_ITTGroups

Other trending cybercrime events from the week include:

  • Hacktivist and political leaks: Web hosting provider DreamHost had its services disrupted by a DDoS attack on Wednesday. It’s unclear who orchestrated the attack, but DreamHost was recently involved in several politically-charged news stories. The Anonymous-affiliated group AnonOps leaked the private cell phone numbers and email addresses of 22 Republican congressmen in an effort to get individuals to urge their members of Congress to condemn President Trump’s recent statements surrounding Charlottesville and push for his impeachment. The hacking group known as “Fancy Bear” released information related to doping in FIFA, including email exchanges between FIFA and representatives of anti-doping agencies, files showing the number of players using illegal substances, and therapeutic use exemption data, which gives athletes medical permission to take banned substances.
  • Healthcare-related breaches: A hacker claiming to represent Anonymous said he gained access to a database of NHS patient data managed by SwiftQueue and downloaded over 11 million records, but SwiftQueue said that its database only contains records for 1.2 million individuals and that its initial investigation suggests only 32,501 “lines of administrative data” have been accessed. MJHS Home Care is notifying patients that an employee email account was compromised due to a phishing incident and that patient information may have been exposed. The Institute for Women’s Health in Texas is notifying patients of the discovery of a keylogger on its network. Salina Family Healthcare Center is notifying patients that their personal information may have been compromised due to a June 18 ransomware infection. St. Mark’s Surgical Center is notifying patients of a April 13 ransomware infection that may have compromised their personal information.
  • Carbon Black says bug affected 10 customers: Cybersecurity company Carbon Black said that 10 of its customers were potentially impacted by a corner-case bug that may have resulted in some miscategorized files being uploaded to a third-party, cloud-based scanner. The bug was introduced in Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later, the company said, and required a series of other conditions in order to be triggered.
  • Other notable incidents: A database that appears to be associated with the online group hotel room booking service Groupize was found exposed on the Internet. The researchers who discovered the exposed database said it contained many hotel documents, including service agreements, earnings, and details about commissions, which allowed them to see “exactly how the discount hotel business model works in detail.” The City of Oceanside, California, has suspended its online utility bill payment system over concerns that the system may have been breached after multiple users reported that they received unauthorized charges on their payment cards. The hacking group OurMine hijacked the Twitter and Facebook accounts of Sony’s PlayStation Network (PSN) and claims to have a stolen PSN database; however, media outlets reported that there does not appear to be any evidence as of yet supporting the claims of a breached PSN database.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-08-25_ITTNew

Cyber Risk Trends From the Past Week

2017-08-25_RiskScoresIn July, the U.S. government removed the Russia-based Kaspersky Lab from two lists of approved government vendors, and recently it was revealed the the FBI has been warning private organizations to stop using Kaspersky products as well.

The FBI has been briefing private companies on the threat since the beginning of the year, citing intelligence that claims to show the company is an unacceptable threat to national security, officials told CyberScoop. The FBI has prioritized briefing organizations in the energy sector and those that use ICS and SCADA systems, as well as large tech companies.

The officials claim that Kaspersky has deep and active relationships with Russian intelligence and have highlighted multiple specific accusations of wrongdoing, sources told CyberScoop.

Kaspersky denied the allegations, with a representative saying that the company is “caught in the middle of a geopolitical fight” and “has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”

CyberScoop reported that organizations using ICS and SCADA systems have been relatively cooperative and that some have already moved forward and signed deals with Kaspersky competitors. However, those in the tech space don’t have the same sense of urgency and have been less receptive to the FBI’s recommendations.

In addition, Reuters reported that a defense spending policy bill from the Senate Armed Services Committee was recently amended to prohibit the U.S. Defense Department from using Kaspersky software platforms because the company “might be vulnerable to Russian government influence.”

Weekly Cyber Risk Roundup: Charlottesville Sparks Hacktivism and Controversy

The politics surrounding the “Unite the Right” rally and its counter-protests in Charlottesville spilled over into the cyber world this week as hacktivists took action against websites and a debate emerged around the ethics of hosting white nationalist websites as well as doxing individuals who attended the rally.

2017-08-18_ITT.png

Under the hashtag #OpDomesticTerrorism, hacktivists have urged DDoS attacks against white nationalist websites and posted leaks of some of those websites’ alleged members. In addition, the hacking group known as “New World Hackers” said it carried out a DDoS attack against the Charlottesville city website to “deliver our own version of justice to the KKK and government.”

Other individuals began to search through the many images of the “Unite the Right” rally in order to publicly identify those who attended the event. The man behind the Twitter account “Yes, You’re Racist” called on users to help identify the “nazis marching in #Charlottesville” so he could “make them famous.” However, not all the doxing attempts were accurate. For example, an assistant professor at the University of Arkansas was wrongly identified and said he eventually had to call the police due to numerous threats being made against him and his wife as well as their home addresses being posted online. The man behind the Twitter account said he’s received death threats over the doxing as well.

Technology companies were also brought into the debate. GoDaddy, Google, Cloudflare, Zoho, Sendgrid, and Discord all cut services to the Neo-Nazi website The Daily Stormer, USA Today reported. However, those actions led to a rebuke from the Electronic Frontier Foundation for private companies “decid[ing] who gets to speak and who doesn’t.”

2017-08-18_ITTGroups

Other trending cybercrime events from the week include:

  • HBO troubles continue: The hacking group OurMine temporarily hijacked several HBO social media accounts. In addition, the group of hackers that breached HBO in late July has continued to leak stolen episodes and other documents. Authorities also said that four current and former employees at Prime Focus Technologies, which handles Star India’s data, have been arrested on suspicion of leaking a Star India copy of the August 7 episode of Game of Thrones. Finally, a third-party vendor accidentally posted the August 20 episode of Game of Thrones on the HBO Nordic and HBO España platforms, and that episode was quickly pirated.
  • DDoS attacks make headlines: DDoS attacks against Blizzard disrupted services for several popular games, including Overwatch and World of Warcraft. The website of Ukraine’s national postal service Ukrposhta was the target of a two-day long DDoS attack that caused slowdowns and interruptions for the website and its services.
  • More ransomware infections: LG Electronics said that the self-service kiosks at some of its service centers were infected with ransomware, causing some access problems. The ransomware appears to have been identical to the WannaCry ransomware that made headlines in May, officials from the Korea Internet & Security Agency said. Pacific Alliance Medical Center said that a June 14 ransomware infection may have compromised the protected health information of patients.
  • Data inadvertently exposed: Voting machine supplier Election Systems & Software exposed the personal information of more than 1.8 million Illinois residents due to an insecure Amazon Web Services device. ES&S said the exposed server did not include “any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems.” The Texas Association of School Boards notified some school district employees that a server containing their names and Social Security numbers “inadvertently became visible on the Internet.”
  • Other notable incidents: Surgical Dermatology Group in Alabama is notifying patients that their personal and healthcare information may have been compromised due to a breach at its cloud hosting and server management provider, TekLinks, Inc. City of Hope said that it is notifying patients that their medical information may have been compromised following an email phishing incident that led to four employee email accounts being compromised. OSHA has suspended access to its new Injury Tracking Application (ITA) after it was notified by the Department of Homeland Security of a potential breach of user information. The Scottish Parliament said it was the target of a brute force cyber-attack and members of parliament and staff with parliamentary email addresses were warned to make sure their passwords were as secure as possible. A former Columbia Sportswear information technology manager was charged with one count of computer fraud for allegedly accessing the company’s computer systems for more than two years after leaving the company.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-08-18_ITTNew

Cyber Risk Trends From the Past Week

2017-08-18_RiskScoresOne of the week’s most notable advisories involved the software vendor NetSarang and a backdoor dubbed “ShadowPad” that was shipped out with a July version of the company’s products.

“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” NetSarang said in a statement. “The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

The issue was first discovered by a financial institution partner of Kaspersky Lab — which described the backdoor as “one of the largest known supply-chain attacks” —  after discovering suspicious DNS requests originating on a system involved in the processing of financial transactions. Those requests were later discovered to be the result of a malicious module hidden inside a recent version of NetSarang software.

“If the attackers considered the system to be ‘interesting,’ the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer,” Kaspersky wrote. “After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code.”

That malicious module has been activated at least once in Hong Kong, but it is possible that other organizations have been infected, the researchers said. NetSarang said that the affected builds are Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. Organizations using those builds should cease using the software until an update can be applied.

Weekly Cyber Risk Roundup: More HBO Leaks and UK Talks New Data Protections

HBO was once again the week’s top trending target as the actors behind the company’s breach continued to leak data stolen from the company, including emails that showed HBO attempted to negotiate a $250,000 “bounty payment” in response to the theft.

2017-08-11_ITT.png

A source told Reuters that the negotiation email was sent as a stall tactic and that HBO never intended to pay the attackers, who reportedly demanded $6 million in ransom.

“You have the advantage of having surprised us,” HBO’s email read, according to Variety. “In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”

The actors behind the attack claim to have stolen 1.5 terabytes worth of data. In late July, the group leaked several episodes of unaired HBO shows as well as leaked a script for an unaired episode of Game of Thrones. Last Tuesday the group leaked an additional 3.4 GB of data.

As The Guardian reported, that leak included more Game of Thrones scripts, internal HBO documents, and a month’s worth of emails from HBO’s vice president for film programming. Among the documents were technical data detailing HBO’s internal network and administrator passwords, a spreadsheet of legal claims against the TV network, job offer letters to several top executives, slides discussing future technology plans, and a document that appears to list the contact information of Game of Thrones actors.

The group also claimed that HBO was its seventeenth target and that HBO was only the third company to have not paid the ransom demanded by the group. An HBO spokesperson previously said that the company’s ongoing investigation “has not given us a reason to believe that our e-mail system as a whole has been compromised.”

2017-08-11_ITTGroups

Other trending cybercrime events from the week include:

  • Actors target Ireland’s grid: Ireland’s EirGrid said that the country’s electric grid was targeted by state-sponsored actors that managed to gain access to a Vodafone network used by the company and then compromised routers used by EirGrid in Wales and Northern Ireland. The breach of the Vodafone network allowed the hackers to create a type of wiretap known as Generic Routing Encapsulation (GRE) to tunnel into EirGrid’s Vodafone router, the Independent reported.
  • Millions of Venezuelans lose cell service: Venezuelan government websites were the target of a massive cyber-attack allegedly carried out by a group known as “The Binary Guardians,” and as a result seven million mobile phone users were left without service, government officials said. The attacks affected the Movilnet’s GSM platform, officials said, leaving seven million of the thirteen million mobile phone users without service.
  • New data breaches: Parkbytext is notifying its users that their information may have been compromised due to malware during a service outage. The personal information of 100,000 Dutch drivers was leaked due a flaw in the LeaseWise software created by software company CarWise ICT and used by 52 Dutch car leasing companies. UCLA officials said that a Summer Sessions and International Education Office server was potentially breached in a May 18 cyber-attack and that the personal information of 32,000 students may have been compromised.
  • Agencies warn of phishing scams: A new phishing scam is impersonating tax software providers in an attempt to steal credentials from tax professionals, the IRS warned. Scammers are impersonating officials from the National Institutes of Health and telling consumers that they’ve been selected to receive a $14,000 grant in an attempt to get victims to pay a fee via gift cards or their bank account numbers, the FTC warned.
  • Arrests and sentences: Two Israeli men were arrested and indicted in Israel on charges believed to be related to operating the DDoS-for-hire service known as vDOS. A former employer of Allen & Hoshall has been sentenced to 18 months in prison for repeatedly accessing the company’s servers over a two-year period in order to obtain proprietary information. An Australian man has been sentenced to an 18-month suspended sentence for his role in operating an illegal network that allowed the selling of unauthorized access to Foxtel service to more than 8,000 people.
  • Other notable incidents: Pernod Ricard SA, producer of Absolut vodka and Chivas Regal Scotch whisky, was the target of a cyber-attack, and some employees at the company’s London office had to turn in their computers to be inspected for infections, sources told Bloomberg. Four different anonymous Bloomberg chat rooms were shut down after a user from the investment firm Janus Henderson sent an unmasked list of all the previous day’s 866 participants in the metal and mining chat room to people in the chat room.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-08-11_ITTNew

Cyber Risk Trends From the Past Week

2017-08-11_RiskScoresThe UK Department for Digital, Culture, Media & Sport (DCMS) released a statement of intent on a new data protection bill last week.

The goal of future data protection acts is to “ensure that we help to prepare the UK for the future after we have left the EU,” wrote DCMS Minister for Digital Matt Hancock.

“The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation,” Hancock wrote. “Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.”

In short, any changes to UK law will be designed around existing international frameworks such as GDPR, which already includes provisions such as individuals being able to exercise their “right to be forgotten” and request that their personal information be deleted, as well as the potential for much larger penalties for organizations that suffer data breaches. As the BBC reported, the current maximum fine for breaking existing data breach protection laws is £500,000, and that will be increased up to £17 million or 4% of global turnover.

As Daradjeet Jagpal noted, the UK government intends to apply for some exemptions from the GDPR, such as allowing organizations other than police to process personal data on criminal convictions and offences, as well as allowing automated data processing — with the caveat that individuals will have the right to challenge any resulting decisions and request human intervention.

Numerous surveys this year have noted that a significant percentage of organizations remain unprepared for the upcoming implementation of GDPR, which is set to go into effect on May 25, 2018. For example, Veritas reported that only nine percent of UK organizations that believe they are prepared for the GDPR are likely in actual compliance. Organizations should remain aware of any potential changes in data protection laws such as GDPR and work to ensure that they will be in compliance with those changes before they become the law of the land.

Weekly Cyber Risk Roundup: HBO Hackers Promise More Leaks and Dark Web Vendors Reuse Passwords

HBO was among the week’s top trending cybercrime targets as malicious actors claimed to have stolen 1.5 terabytes of company data and subsequently leaked upcoming episodes of “Ballers,” “Room 104,” “Insecure,” and the unaired comedy “Barry,” which is scheduled to air in 2018. The hackers also leaked the script for Sunday night’s episode of Game of Thrones before it aired, as well as the apparent personal information and account details of a senior HBO executive.

2017-08-04_ITT.png

In a separate incident, Sunday night’s episode of Game of Thrones was leaked several days early and spread via torrent sites due to an incident at distribution partner Star India, which published the episode early on its official website before removing it shortly thereafter.

The actors behind the HBO breach initially teased that more leaks were “coming soon.” Later, someone claiming to represent the group told The Hollywood Reporter that additional leaks would occur on Sunday; however, the contact then said the leaks would be delayed “because of some new buyers.”

“Some of HBO’s top competitors are negotiating with us for buying the dump,” the contact wrote in an email. “The deal are near to close. Poor HBO never rise again.”

As THR pointed out, it’s unlikely HBO’s direct rivals would purchase the stolen data. Variety reported that the hackers appeared to have accessed thousands of internal documents, employee data, and possibly internal corporate email. CEO Richard Plepler notified employees that the incident “resulted in some stolen proprietary information, including some of our programming.” However, CNN reported that HBO does not believe the company’s email system as a whole was compromised, despite THR’s contact alleging that they still have “full access to their webmails.”

2017-08-04_ITTGroups

Other trending cybercrime events from the week include:

  • Airlines issue warnings: Virgin America notified employees and contractors that their information may have been compromised due to a network intrusion first detected on March 13, 2017. The unauthorized access may have compromised the login credentials of approximately 3,120 employees and contractors, as well as the personal information of 110 employees. Malicious actors have leaked data allegedly tied to Spirit Airlines Free Spirit accounts after a failed extortion attempt against the airline. Spirit said that the actor attempted to extort the company using previously compromised email addresses and passwords from other data breaches. Canadian airline WestJet announced that the profile data of some WestJet Rewards members has been disclosed online by an unauthorized third party. WestJet did not indicate what data was leaked or how many customers were affected.
  • #LeakTheAnalyst operation targeting researchers: A hacking group going by the name “31337 Hackers” leaked data belonging to a security researcher working for FireEye’s breach investigation unit Mandiant, and the group also may have gained access to the researcher’s Hotmail, OneDrive, and LinkedIn accounts. The data appears to be stolen from the researcher’s personal computer, and there is “no evidence that FireEye or Mandiant systems were compromised,” FireEye said. The group said the leak is part of a larger operation that is targeting security researchers, dubbed “#LeakTheAnalyst.”
  • New data breaches: Health insurer Anthem said that 18,500 customers’ personal and medical information may have been compromised by an employee at LaunchPoint. The Daniel Drake Center for Post-Acute Care is notifying 4,721 patients that their information may have been compromised due to an employee accessing their medical records without authorization. Kaleida Health is notifying patients that their information may have been compromised due a phishing incident that allowed an unauthorized third party to gain access to a small number of Kaleida Health email accounts. Kids Pass said that the personal information of users could have been compromised by changing the URL of the activation code sent to new users in order to view other account holders’ data. An attacker managed to trick an employee at A9t9 into handing over the company’s Google developer account credentials and then pushed out a malicious version of the Copyfish Chrome extension.
  • More ransomware: An unnamed Canadian company paid $425,000 after a ransomware attack encrypted its production databases and backups. The intruders gained access due to spear phishing messages that were sent to six senior company officials. Northwest Rheumatology of Tucson is notifying patients that their information may have been compromised following a ransomware attack that occurred on April 10, 2017.
  • Arrests and sentences: The security researcher known as “Malwaretech,” who is best known for helping to stop the spread of the WannaCry malware, was arrested for allegedly creating and distributing the Kronos banking Trojan. A Seattle man has been arrested on charges of extorting multiple media companies with threats of DDoS attacks. A Russian citizen was sentenced to 46 months in prison for his role in infecting tens of thousands of computers with the Ebury malware.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-08-04_ITTNew

Cyber Risk Trends From the Past Week

2017-08-04_RiskScoresLaw enforcement continues to target activity on the dark web following the recent takedown of AlphaBay and Hansa Market, two of the three largest cybercriminal marketplaces on the dark web.

Those takedowns left Dream Market as the new king of the dark web; however, there has been speculation by its users that Dream Market may have been compromised by law enforcement as well — or at least that 16 vendor accounts on the site may have been compromised.

One of those 16 alleged vendors said that Dutch law enforcement had seized his or her vendor account and changed all of its information on the same night that Hansa Market was taken offline.

“I can clearly say that (at least) my account was seized by dutch LE,” the user wrote. “I think they came on it through my sillyness using same password on hansamarket. … I don’t think dreammarket itself is compromised, I only think the LE is trying to fuck the rest out of this community by using log-in informations from other markets.”

As Naked Security reported, there has been no confirmation from the Dutch police about the alleged takeover of Dream Market accounts, but it makes sense that authorities would exploit password reuse and lack of two-factor authentication by cybercriminals in order to further their reach into active dark web markets.

A recent survey (PDF) found that 81% of those in the U.S. reuse passwords across multiple online accounts — and this now includes dark web vendors too, if the Dream Market news is any indication. This reuse occurs despite the fact that password reuse and credential-stuffing attacks lead to numerous cases of account takeovers, data breaches, and other cybersecurity incidents each week.

It may be impossible to stop users from reusing passwords, but, as Troy Hunt noted, NIST recommends that organizations become proactive and block passwords that have been previously tied to data breaches in order to improve security. That’s why he’s released a list of 320 million previously compromised passwords for organizations to download for free and use to protect their systems.

“Use this data to do good things,” Hunt wrote. “Take it as an opportunity to not just reduce the risk to the service you’re involved in running, but also to help make people aware of the broader risks they face due to their password management practices.”

Weekly Cyber Risk Roundup: UniCredit Breach and Two Swedish Officials Resign

The Italian bank UniCredit was among the week’s top trending cybercrime targets after the bank announced it had been the victim of two separate data breaches affecting approximately 400,000 customers who had taken out personal loans.

2017-07-31_ITT.png

The first breach occurred between September and October 2016, and the second breach occurred between June and July 2017, UniCredit wrote it its press release. The breaches occurred “due to unauthorized access through an Italian third party provider” and resulted in personal information and international bank account numbers being compromised.

Bloomberg, which described the incident as “one of the biggest breaches of European banking security this year,” reported that both breaches were only discovered this past week.

Daniele Tonella, the CEO of UniCredit Business Integrated Solutions, said that while conducting checks the IT department discovered that some users from an external commercial partner were accessing client data. Tonella said the bank quickly moved to block the access and has since upgraded the system.

UniCredit said that it is investing €2.3 billion in upgrading and strengthening its IT systems as part of its “Transform 19” plan.

2017-07-31_ITTGroups

Other trending cybercrime events from the week include:

  • Payment card and bitcoin thefts announced: The Galt House Hotel is notifying patients that it discovered malware on its point-of-sale systems and that customers who used their cards at the hotel between December 21, 2016 and April 11, 2017 may have had their information compromised. Newcastle University is warning that a fake website is using its brand and duping students into handing over their payment card information and other personal details in order to sign up for fake courses. Police arrested a man who claims to have used malware to steal between $40 million and $50 million worth of bitcoin. According to court documents, the man said he wrote software that simulates the code used to create bitcoin wallets and then distributed that software via certain internet forums. The software would steal bitcoin keys by replacing other people’s wallets with the attacker’s wallets during transactions.
  • New ransomware announcements:  The Groundlings Theatre said that an email containing a fake invoice led to a ransomware infection that encrypted 54,000 files. The company said it paid the £300 ransom demand to recover the files and that it should take about four weeks to fully recover all of them. Plastic Surgery Associates of South Dakota is notifying patients that their information may have been compromised due to a ransomware infection on February 12, 2017. The Women’s Health Care Group of PA said that malicious actors exploited a security vulnerability to gain access to its systems as far back as January 2017 and that led to a ransomware infection and the potential compromise of patient information.
  • More accidental disclosures: Sutton Council in the UK published an unredacted spreadsheet on its website that listed the names and payments issued to hundreds of individuals who received over £500 in benefits such as disability, adoption, fostering allowances, day care respite, and special needs education. BlueCross BlueShield of Tennessee said that 657 employers’ group benefit administrators were sent information meant for other companies due to a computer glitch. As a result, 2,100 individuals had their personal information compromised, including member names, dates of birth, plan type and coverage dates, and member identification numbers.
  • Other notable incidents: A dark web user is selling 40 million voter records from 9 different states and has hinted that he may possess records for an additional 20 to 25 states. More than 5.5 million Social Security numbers were stolen in the previously reported March 2017 data breach of America’s Job Link Alliance-TS. The University of Vermont Medical Center is notifying 2,300 patients that their information may have been compromised due to a phishing incident that led to an unauthorized third party gaining access to an employee email account. A North American casino had its Internet-connected fish tank compromised, and the attacker used that access to move laterally to other places in the network. The supermarket chain Loblaws said that a “small number of user accounts” were affected by “unauthorized online activity” and is asking users to reset passwords.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-07-31_ITTNew

Cyber Risk Trends From the Past Week

2017-07-31_RiskScoresTwo Swedish officials have resigned following criticism over a large data breach that may have compromised classified information as well as the sensitive personal data of citizens.

According to The New York Times, the breach was due to a lack of adequate safeguards being adopted when the Swedish government entered into an outsourcing agreement with IBM Sweden to manage vehicle registration and driver’s license databases back in April 2015. The nearly $100 million agreement lacked certain safeguards, the Times reported, which allowed unauthorized personnel at IBM subsidiaries in Eastern Europe to access large amounts of sensitive data such as details about Sweden’s infrastructure and the identities of people working undercover for the Swedish police and the Swedish security service.

Last Thursday, Swedish Prime Minister Stefan Löfven announced the resignation of Anders Ygeman, the Minister of Home Affairs, and Anna Johansson, the Minister of Infrastructure. Politico reported that Defense Minister Peter Hultqvist will not resign, despite demands from the opposition that he do so.

News of the leak first began to spread earlier this month after the Transport Agency’s former director general Maria Agren, who had been fired in January, was fined 70,000 Swedish krona ($10,700) for mishandling confidential information, The Sydney Morning Herald reported. Anders Thornberg, the head of Sweden’s security service, said that that while inadequately protected information must be considered breached, the data may not have been compromised due to that inadequate protection. However, Thornberg also said that the incident was “very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.”

The Times reported that results from a preliminary investigation revealed at least three unauthorized people in the Czech Republic had full access to the sensitive databases.

Weekly Cyber Risk Roundup: Three Ethereum Heists and NotPetya Fallout Continues

The cryptocurrency Ethereum made numerous headlines this past week due to three separate multi-million dollar thefts: one due to a bug in the code of the Parity Ethereum client, one caused by a website hack that redirected funds meant for the Initial Coin Offering (ICO) of Coindash, and one tied to a hacker managing to steal VERI tokens during the ICO of Veritaseum.

2017-07-24_ITT.png

The largest theft involved a bug found in the multi-signature wallet code used as part of Parity Wallet software, which led to 3 wallets being exploited and reports of more than 150,000 ETH (approximately $34 million) being stolen. As Parity noted, a total of 596 multi-sig wallets were vulnerable, but the vast majority of the funds in those wallets were commandeered by a group known as the White Hat Group in order to prevent the theft of an additional 377,000 ETH (approximately $85 million).

That theft followed an announcement from Coindash that an actor had managed to gain access to its official website during the company’s ICO and changed the text on the site to an ether wallet address likely controlled by the attacker — resulting in investors sending $10 million worth of Ether to the fraudulent address. The company’s developers said that “all CoinDash investors will get their tokens”; however, Coin Desk reported that individuals who made transactions after the website was shut down will not be compensated.

Finally, Veritaseum confirmed that a malicious actor stole $8.4 million worth of VERI tokens from the platform’s ICO on July 23. The attackers immediately resold the tokens during the “very sophisticated” attack. Not much was disclosed about the attack, but “there is at least one corporate partner that may have dropped the ball and be liable,” the company’s founder said.

2017-07-24_ITTGroups

Other trending cybercrime events from the week include:

  • More information exposed due to errors: Dow Jones & Company confirmed that at least 2.2 million customers had their data exposed due to an Amazon Web Services S3 bucket that was configured to allow any AWS “Authenticated Users” to download the data. In addition, the leak contained the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations. Security researchers discovered an insecure database owned by the data services company DM Print that had 31,000 records, including administrative credentials for the database. With that information, anyone could access highly sensitive health information such as names, date of births, NIN numbers, addresses, investment data, and more. Travel company Flight Centre said that the personal information and customer passports “relating to some leisure customers in Australia was accidentally made available to a small number of potential third party suppliers for a short period of time.”
  • Insider breaches: An employee at Bupa copied and removed insurance information relating to 108,000 international insurance plans affecting 547,000 customers. The company said the data included names, dates of birth, nationalities, and some contact and administrative information. Detroit Medical Center is notifying 1,529 patients of a breach at a contracted staffing agency where an employee provided their information to unauthorized individuals. The breach occurred between March 2015 and May 2016. The Nova Scotia Health Authority said that 337 patients had their personal health information accessed inappropriately in two separate incidents involving six employees.
  • More energy sector warnings: The UK’s National Cyber Security Centre (NCSC) warned that state-sponsored actors are targeting the country’s energy sector and that  “a number of Industrial Control System engineering and services organisations” have likely been compromised. The warnings followed similar alerts from U.S. agencies about hackers successfully targeting U.S. energy companies. While other sectors have been targeted, the focus of the attacks are engineering, industrial control, and water sector companies, the NCSC said.
  • Other notable incidents: Domain name registrar Gandi said that an unauthorized connection that occurred at one of the technical providers it uses to manage a number of geographic TLDs led to 751 domains having their traffic forwarded to a malicious site exploiting security flaws in several browsers. There were 22 breach incidents in the Veterans Administration’s monthly reports to Congress between May 2016 and June 7, 2017, and only one of those breaches received any media coverage at the time, according to data obtained via a Freedom of Information Act request by databreaches.net. A dark web vendor going by the name “dnu2k” is selling data tied to dadeschools.net, k12.wi.us, and other “freshly hacked emails.” The latest dump of CIA documents from WikiLeaks involves contractor Raytheon Blackbird Technologies providing “Proof-of-Concept ideas and assessments for malware attack vectors” to the agency.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-07-24_ITTNew

Cyber Risk Trends From the Past Week

2017-07-24_RiskScores

The picture of the damage cause by the NotPetya global outbreak in late June continues to crystallize as more companies reveal the details and fallout of their infections.

For starters, FedEx said that some of the damage caused by the NotPetya attack may be permanent, particularly when it comes to TNT Express B.V., which FedEx acquired in May 2016. Some of TNTs customers were “still experiencing widespread service and invoicing delays” nearly three weeks after the NotPetya infection, according to SEC documents filed by FedEx.

“We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus,” FedEx wrote in its filing. That filing listed more a dozen types of costs and damages potentially resulting from the incident — ranging from operational disruption to remediation to permanent customer loss to litigation.

In addition, the France-based Compagnie de Saint Gobain SA said that a preliminary assessment of the NotPetya infection estimated the incident would cost the company approximately 1% of first half sales. That equates to approximately €200 million as a result of the attack, The Street reported.  

Earlier this month, The Guardian reported that Reckitt Benckiser, a British consumer goods company, may lose around €100 million due to NotPetya. In addition, Mondelez, the maker of Oreo cookies, said that the attack had disrupted shipping and invoicing during the last four days of the second quarter and that in a few markets the company had “permanently lost some of that revenue due to holiday feature timing.”

NotPetya may not have generated nearly as much extortion money as other ransomware — if that was even its intention to begin with — however, the global attack has proven quite impactful for numerous organizations so far. The second half of 2017 will likely see the total costs of the attack become more clear as other organizations reveal more details about how NotPetya affected their operations — and how the fallout from the attack has impacted the year’s financial projections.

Weekly Cyber Risk Roundup: Big Telecom Leaks and AlphaBay Goes Offline

Massive database leaks were once again among the week’s top trending cybercrime targets, including incidents involving U.S. Verizon customers, France’s Orange S.A, and India’s Reliance Jio Infocomm.

2017-07-014_ITT.PNG

The Verizon leak was caused by a third-party engineer at NICE Systems and affected as many as 14 million U.S. customers. The engineer appears to have created a publicly available Amazon Web Services S3 bucket that logged customer call data for unknown purposes. As a result, personal information, account information, and Verizon account PIN codes were potentially exposed. A Verizon spokesperson acknowledged the breach, but said only 6 million customers had their data exposed by the incident.

In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A., also a NICE Systems partner. However, the researchers said it “appears this internal Orange data is less sensitive.”

In addition, Reliance Jio Infocomm, an Indian telecom company with over 100 million subscribers, is investigating a potential incident after local news sites reported that names, telephone numbers and email addresses of Jio users were visible on a site called “Magicapk.” However, an initial investigation showed that Jio’s apps and websites were secure, ET Telecom reported. Last week the police brought in a suspect who was in possession of partial details of Jio subscribers, including their names, email IDs, alternate mobile phone numbers, and the dates of activation of SIM cards. That data may have been taken from a Jio retailer, since they have access to that type of subscriber data, the deputy commissioner of police for Navi Mumbai said.

2017-07-014_ITTGroup

Other trending cybercrime events from the week include:

  • More payment card breaches: A breach of Avanti Markets internal networks allowed malicious actors to push malware to self-checkout devices used in corporate break rooms, and as a result payment card information may have been compromised. Avanti said that it believes the malware was only active between July 2 and July 4 of this year. B&B Theatres, which operates 50 locations across seven states, discovered a point-of-sale breach that appears to date back two years. A recent alert estimated the window of exposure of the breach to be between April 2015 and April 2017. Real Estate Business Services (REBS) notified 1,033 California Association of Realtors members that their personal and payment card information may have been stolen when the online store they use was compromised with malware. The infection occurred between March 13 and May 15.
  • Medical information exposed: The County Commissioners Association of Pennsylvania (CAAP) said that the details of approximately 1,800 child welfare cases were exposed online by third-party vendor Avanco International. University of Iowa Health Care is notifying 5,292 patients that a limited set of their protected health information was “inadvertently saved in unencrypted files that were posted online through an application development site” and exposed for nearly two years. A former employee of the St. Charles Health System is accused of the unauthorized access and viewing of thousands of patient records.
  • More ransomware infections: Community Care of St. Catharines and Thorold in Ontario had its systems infected by NW4 ransomware, which demanded a $3,000 ransom payment. A Community Care spokesperson said that it backs up its data regularly so there was no need to pay the extortion. However, it still took nearly a week for Community Care to restore full access to its computers, and some data that was not captured in the most recent backup was lost. The dental office of Dr. Douglas Boucher, DDS, and Dr. Andrea Yaley, DDS, is notifying patients of a ransomware attack that may have compromised their patient information. The office said that its computer systems were believed to have been hacked around May 19, 2017, and on June 2 it received a ransomware notice. Records were restored from a backup; however, the office said the hacker did access its email system and may have accessed its patient dental health records.
  • Other notable incidents: A hacker going by the name Dhostpwned was able to use a PHP shell to compromise the dark web hosting provider Deep Hosting and said he obtained “the majority” of files and SQL databases on the server. An employee at the Australian Tax Office (ATO) published an ATO guide on how to hack mobile phones that included instructions on how to bypass passwords and obtain data even if the phone battery is depleted and it does not have a sim card. A Russian-born cybercriminal living in Los Angeles was sentenced to 110 months in prison for running a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-07-14_ITTNew

Cyber Risk Trends From the Past Week

2017-07-14_RiskScoresThe dark web marketplace AlphaBay has been taken down in a law enforcement raid and one of the alleged leaders of the site has been found dead in his Thai prison cell in an apparent suicide.  

(See “AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals” for more information.)

As SurfWatch Labs has noted in the past, AlphaBay was by far the largest and most popular dark web marketplace before it suddenly went dark earlier this month, leading concerned users to speculate if its owners had either been arrested or performed an exit scam. It is not uncommon for dark web markets to disappear without notice. However, AlphaBay had built up a reputation for reliability and become the undisputed king of the dark web marketplaces over the past two years.

Alexandre Cazes, the man who committed suicide in his jail cell, is alleged to be the operator of AlphaBay known as “Alpha02.” U.S. authorities issued a warrant for Cazes arrest on June 30, and he was arrested in Bangkok on July 5, the Bangkok Post reported, the same day the dark web market suddenly went offline. Arrangements were being made for his return to the United States to face charges when Cazes reportedly used a towel to hang himself.

Wired reported that conservative estimates put AlphaBay’s daily transactions between $600,000 and $800,000 a day. With the site suddenly gone, a significant percentage of the cybercriminal ecosystem is now in search of a new home. That influx of traffic forced the dark web market Hansa to close its doors to new businesses due to “technical issues.” Users of Dream Market also reported issues accessing the site following AlphaBay’s takedown.

The next few months will certainly be an interesting time on the dark web as those users look for a new place to buy, sell, and trade their goods and services — and as the story and fallout around the takedown begin to take shape.

Weekly Cyber Risk Roundup: Cryptocurrency Wallets Emptied and a Dozen Power Plants Breached

Cryptocurrency theft was among the week’s top trending cybercrime practices due to users at both South Korean cryptocurrency exchange Bithumb and Classic Ether Wallet reporting that their digital currency wallets were emptied due to cyber-attacks.

2017-07-07_ITT.PNG

Bithumb reported that one of its employees personal computers had been hacked in February 2017 and that the personal details of 31,800 Bithumb website users (about 3 percent of total users) had been compromised as a result. The stolen data included users’ names, mobile phone numbers, and email addresses. The exchange said there was no direct access to funds stored on the exchange; however, it appears the attackers were able to use the contact information to carry out phishing attacks against Bithumb users in order to obtain the one-time passwords needed to gain access those users’ funds.

One user reported losing as much as 1.2 billion won ($1.04 million) in the attack. Bithumb said shortly after the attack that it would pay up to 100,000 won ($87) to victims. Additional compensation will be available once individual losses are verified, the company said, but it is unclear if victims will be fully reimbursed.

Users of the Classic Ether Wallet also reported having their wallets emptied earlier this month. That theft appears to be due to a malicious actor managing to socially engineer the service’s German hosting provider 1&1 into handing over access to the domain. The actor then switched the site’s settings to direct the funds to his or her own malicious server. Multiple users who visited classicetherwallet.com and provided their private key while the site was in control of the fraudsters reported that they had their account emptied. Exact losses due to the incident is unclear, but some media outlets reported it could be nearly $300,000 worth of Ethereum Classic cryptocurrency.

2017-07-07_ITTGroup

Other trending cybercrime events from the week include:

  • Large databases exposed: Two databases containing the personal information of 3 million WWE fans were exposed to the Internet without requiring a username and password. The data included names, email and physical address, educational background, earnings, and ethnicity. UK car insurance company AA exposed the sensitive information of over 100,000 customers due to insecure database backups related to AA’s online store and never informed those customers of a breach, Motherboard reported. The database obtained by Motherboard included 117,000 unique email addresses, names, physical and IP addresses, details of purchases, and payment card information such as the last four digits of the card and its expiration date.
  • Insiders lead to extortion, theft: A former Dentons litigation associate in Los Angeles has been charged with extortion over allegedly demanding that his former law firm pay him $210,000 and give him a piece of artwork or else he would leak sensitive data to the Above the Law blog. According to court documents, the man accessed confidential information when one of the firm’s partners gave him access to his email while working a case. A crime analyst with the Smyrna Police Department was charged with 31 counts of computer theft over the alleged theft of information without authorization, including the driver’s licenses and mobile data of 28 victims.
  • Sabre confirms breach affecting multiple companies: Sabre said its investigation into a previously disclosed breach found that an unauthorized party was able to use compromised account credentials to gain access to payment card information and certain reservation information for a subset of hotel reservations processed through the SHS SynXis Central Reservations system. The breach occurred over a seven-month period from August 2016 to March 2017. Sabre said it notified partners and customers that use the reservations system, as well as some travel management companies and travel agencies that booked travelers that may have been affected. Sabre did not disclose the total number of individuals affected by the breach.
  • Other notable incidents: A Georgia men pleaded guilty to charges related to a BEC scam that defrauded Sedgwick County out of $566,000. Anonymous Bulgaria has leaked files from the Azerbaijan Embassy in Bulgaria that claim Silk Ways Airlines has carried tens of tons of heavy weapons and ammunition headed to terrorists under the cover of 350 diplomatic flights. Cove Family & Sports Medicine said that a ransomware infection encrypted medical records as well as a portion of its backup records. Walnut Place said that while it was investigating a previous ransomware infection it was affected by a second ransomware incident. Medicaid members in Indiana are being warned that their patient information was potentially accessible between February and May of 2017. Wooster-Ashland Regional Council of Governments said that its computer network as breached on May 26 and more than 200,000 records were compromised. The Simcoe County District School Board is warning parents of a potential privacy breach at Collingwood Collegiate Institute involving their email addresses and phone numbers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-07-07_ITTNew.PNG

Cyber Risk Trends From the Past Week

2017-07-07_RiskScoresRussian state-sponsored hackers are responsible for recent cyber-intrusions into the business systems of U.S. nuclear power plants and other energy companies, government officials said. It is the first time Russian government hackers are known to have compromised the networks of U.S. nuclear plants, the officials added.

The statements followed a joint alert from the FBI and Homeland Security at the end of June that warned APT actors were targeting employees in the energy sector with phishing messages and watering hole attacks designed to harvest credentials that could be used to gain access to victims’ networks. The attackers were observed sending highly targeted messages to senior industrial control engineers containing fake resumes for control engineering jobs, as well as compromising websites commonly visited by their target victims and deploying man-in-the-middle attacks.

There is no evidence of any breaches or disruptions of the cores systems controlling operations at the plants, The Washington Post reported. Instead, the focus appears to be on systems dealing with business and administrative tasks, such as personnel. The New York Times reported that the joint DHS and FBI report concluded that the hackers appeared determined to map out computer networks — potentially with a goal of carrying out more destructive attacks in the future. Bloomberg reported that at least a dozen power plants had their networks breached by the APT actors, including the Wolf Creek nuclear facility in Kansas.

“There was absolutely no operational impact to Wolf Creek,” a spokeswoman for the nuclear plant said. “The reason that is true is because the operational computer systems are completely separate from the corporate network.”

However, as we’ve seen in attacks just this week, potentially compromised personnel and business data could be leveraged in future targeted phishing messages to gain more information or access — or to find a weak point or an individual that may be leveraged for future attacks.