Weekly Cyber Risk Roundup: Banks Threatened with DDoS Attacks and Researchers Investigate NotPetya

South Korean financial institutions dominated the week’s top trending targets due to a series of extortion demands that have threatened distributed denial-of-service (DDoS) attacks unless those institutions pay between 10 and 15 bitcoins ($24,000 to $36,000) in ransom each.


At least 27 financial institutions received the extortion demands from a group claiming to be the Armada Collective, including major banks, security companies, and the Korea Exchange, the Korea Joongang Daily reported. It is unclear whether the group behind the threats is associated with the real Armada Collective, or whether it is yet another group attempting to borrow the well-known extortionist’s identity in order to gain credibility. In early 2016, a group extorted more than $100,000 by threatening DDoS attacks under the Armada Collective name, yet researchers concluded that the threat was empty: the group never actually carried out any attacks, even though the campaign was profitable.

According to The Korea Times, the group carried out a small attack last Monday on the Korea Financial Telecommunications & Clearings Institute (KFTC), Suhyup Bank, DGB Daegu Bank, and JB Bank, with a promise of more powerful attacks to come if the institutions do not pay their ransoms by the July 3 deadline. The DDoS attacks did not disrupt any services, the Times reported, and the small DDoS attack against KFTC lasted for only 16 minutes. Previous extortion campaigns have seen groups use the same tactic of small DDoS attacks to prove they have some capability and lend credibility to their threats; however, the full capabilities of the group behind the most recent demands are unclear.

It is possible that the group is simply looking for easy blackmail targets following the recent $1.1 million ransom payment made by South Korean web hosting firm Nayana. Researchers had previously speculated that the large ransom payment could lead to more South Korean organizations being targeted.


Other trending cybercrime events from the week include:

  • Attackers target government: Dozens of email accounts belonging to members of parliament and peers were breached during “a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.” A hacker going by the name “Vigilance” said that he gained access to 23 state of Minnesota databases and was able to steal 1,400 email addresses and some corresponding “weakly encrypted” passwords. The hacker then published the information in protest of the police officer charged with killing Philando Castile being found not guilty. Multiple government websites were defaced with pro-ISIS propaganda and a logo saying the hack was carried out by “Team System DZ.”
  • Organizations expose more data: The personal information of 2,200 Aetna customers in Ohio and Texas was compromised due to their data being “inappropriately available for a period of time.” Corpus Christi Independent School District said that it is notifying 6,100 individuals that employee names and Social Security numbers from late 2016 through early 2017 were inadvertently made visible online. The Campbell River School District is warning parents and guardians of Timberline Secondary students that their personal information may have been “inappropriately accessed” due to a file being left on a shared drive that students and staff could access. Users of the UK government’s data dashboard, data.gov.uk, were asked to change their passwords after a file containing their names, email addresses, and hashed passwords was left publicly accessible on a third-party system.
  • Other notable incidents: Internet radio service 8tracks said that a copy of its user database has been leaked, including usernames, email addresses, and SHA1-hashed passwords. The full leaked dataset includes around 18 million accounts. Information security consultant Paul Moore reported a data breach involving Kerv after he received both an email from an “anonymous” Kerv user that “had inside information which wouldn’t otherwise be available” and admin credentials from a Tor address. Acting State Supreme Court Justice Lori Sattler told police that she was scammed out of $1,057,500 when she responded to an email impersonating her real estate lawyer and wired the money to an account at the Commerce Bank of China. Two men who are suspected to be part of an international group that hacked into Microsoft’s network in early 2017 have been arrested by British police.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

One of the biggest stories that occurred last week was the spread of a ransomware/wiper malware known as NotPetya.

The outbreak was similar to May’s quick spread of the WannaCry ransomware, and those infected across Ukraine, the UK, the Netherlands, India, Spain, Denmark, and elsewhere were shown a ransom demand asking for $300 in bitcoin along with contact details. However, various researchers quickly concluded that the intention behind the attack was likely disruption, not monetary gain.

Previous versions of similar ransomware like Petya used a personal infection ID that contained crucial information for key recovery, Kaspersky explained in its analysis. However, the NotPetya malware uses randomly generated data in place of that personal key. That means the attackers have little hope of actually recovering victims’ data, even if they wanted to do so.

As Ars Technica noted, other researchers have come to similar conclusions about NotPetya. Matt Suiche of Comae Technologies concluded that the ransomware aspect of NotPetya may have been a front to push the media narrative towards the attacker being an unknown cybercriminal group rather than a nation-state attacker with data destruction in mind.

The head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection agreed with that assessment, saying “I think this [NotPetya malware] was directed at us” and that the event was definitely not a criminal attack, but likely a state-sponsored one carrying over from Ukraine’s ongoing cyberwar with Russia. That theory is not confirmed, but as SurfWatch Labs noted, “strong evidence points to the attack beginning with the hacking of the Ukrainian accounting software MeDoc where the automatic update feature was used to download the worm.”

Ukraine’s security service SBU announced that a number of international organizations are helping to investigate the NotPetya attacks and identify the culprits, so more information about the attacks will likely be announced in the near future.

Weekly Cyber Risk Roundup: Million Dollar Extortion Payments and TheDarkOverlord Loses Credibility

Ransomware made headlines this past week due to several infections that disrupted business operations, as well as a million-dollar extortion payment that was negotiated by South Korean web hosting firm Nayana after its servers were infected with Erebus ransomware on June 10. Nayana said the payment was necessary to restore 150 servers and the 3,400 affected client websites, most of which belonged to small companies and startups.


The initial ransom demand was for 5 billion won ($4.4 million) in bitcoin, but the company managed to negotiate the payment down to 1.3 billion won ($1.1 million or 397.6 bitcoin). In a statement on the company’s website (Korean language) on Thursday, Nayana CEO Hwang Chilghong said he knows the company should not negotiate with hackers, but that the damage was too widespread and too many people would be harmed if the company did not pay the extortion.

WannaCry was also back in the news this week due to Honda Motor saying that plants in Japan, North America, Europe, China, and other regions were recently infected with the ransomware despite efforts to protect their networks following last month’s WannaCry outbreak. One location, a Sayama automobile plant located near Tokyo, was idled due to the infection. Authorities in Victoria, Australia also announced that 55 traffic and speed cameras were accidentally infected with WannaCry due to a maintenance worker using an infected USB stick. Local media reported that the police have decided to cancel 590 fines sent to road users caught by the WannaCry-infected cameras.

Other ransomware news includes Waverly Health Center in Iowa being infected with an unknown ransomware variant and having to shut down its IT systems for a period of time, and Proofpoint researchers saying that the ransomware infections recently reported at several UK universities were part of a larger malvertising campaign carried out by the AdGholas group that leveraged the Astrum Exploit Kit to spread Mole ransomware.


Other trending cybercrime events from the week include:

  • Massive voter database leaked: A database containing detailed information on 198 million U.S. voters and compiled by GOP political consultant Deep Root Analytics was left exposed to the Internet for 12 days. The information included data pulled from voter lists maintained by the RNC that was augmented by other sources such as social media sites. The leak includes data on some voters such as ethnicity, religion, contact information, and views on a variety of political issues. In addition, the data included proprietary information such as unique RNC identifiers for each voter.
  • POS breach discovered at The Buckle: The clothing store chain The Buckle announced that point-of-sale (POS) malware was discovered on some of its retail POS systems and that some payment cards used between October 28, 2016 and April 14, 2017 may have been affected. The Buckle believes that the malware did not collect data from all transactions or all POS systems for each day within that time period. The company also said that all stores had EMV technology enabled during the time that the incident occurred, which helped to limit the impact of the breach.
  • Services disrupted: The CyberTeam hacking group announced on Twitter that it was responsible for the outage that affected Skype on Monday and Tuesday. Microsoft has not confirmed the cause of the outage, but the service was reported down in multiple countries across Europe, as well as Japan, Singapore, India, Pakistan, and South Africa. Square Enix said that Final Fantasy XIV game servers were being repeatedly targeted by DDoS attacks from an anonymous third party.
  • More incidents tied to errors and glitches: The email addresses of registered consultancies of the UK government’s Cyber Essentials scheme were exposed due to a configuration error in the Pervade Software platform, according to the IASME Consortium, which runs the accreditation. The sensitive personal information of students was compromised when a staff member at the UK’s University of East Anglia “mistakenly” emailed a spreadsheet with confidential data to 320 American Studies students. A man used a glitch to steal more than £99,000 from the Clydesdale Yorkshire Bank last December when, for approximately one hour, the man’s account showed a credit balance even though he did not have any money.
  • Other notable incidents: Online banking service Ffrees notified its users that some of their personal information was “temporarily exposed” due to an “information security incident.” Virgin Media is advising more than 800,000 customers using the Super Hub 2 router to change both their network and router passwords if they are using the default passwords shown on the device’s attached sticker. Torrance Memorial Medical Center said a phishing attack compromised email accounts containing “work-related reports” and the personal data of patients. The latest batch of CIA documents released by WikiLeaks, dubbed “Brutal Kangaroo,” revolves around “a tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.” A joint law enforcement action known as the eCommerce Action 2017 led to the arrest of 76 professional fraudsters and members of Internet-based criminal networks across 26 countries.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Larson Studios, the family-owned audio post-production business that was hacked by TheDarkOverlord, has finally provided public comments about the December 2016 attack that led to the theft of a variety of unaired episodes from major studios. That incident led to the leak of ten episodes of Netflix’s Orange is the New Black and eight episodes of ABC’s Steve Harvey’s Funderdome.

The takeaway from company president Rick Larson following the ordeal: “Don’t trust hackers.”

He learned that lesson after Larson Studios eventually paid TheDarkOverlord a $50,000 ransom as part of an agreement between the two to keep the breach private. However, a few months later the FBI told Larson Studios that TheDarkOverlord was attempting to extort the company’s clients with the stolen video, and the group then tried to publicly pressure Netflix and others into paying a ransom demand.

Why TheDarkOverlord would attempt to double-dip on the group’s ransom demand is somewhat puzzling. As SurfWatch Labs has noted in multiple blogs, the group has spent the past year carefully projecting an image of professionalism, framing its extortion demands as straightforward “business proposals” and using the media to try to spread the group’s message: pay up and everything will quietly go away. For example, in June 2016 when the group first began making headlines, TheDarkOverlord used the media to warn companies, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” They also warned that the ransom payment would be “a modest amount compared to the damage that will be caused” from a public leak. The group’s tone did not change when it came to extorting Netflix nearly a year later: “You’re going to lose a lot more money in all of this than what our modest offer was.”

It appears that after a full year of trying to build that image as a “trustworthy” extortionist, TheDarkOverlord has now lost its credibility — and, it should be noted, that credibility is what pushed companies like Larson Studios over the edge when deciding if the company should pay. As Rick Larson told Variety, previous media reports suggested that paying TheDarkOverlord actually worked.

TheDarkOverlord appears to be in damage control now, and the group is trying to regain that credibility by arguing that Larson Studios violated its agreement by contacting the FBI. The group also continues to leak data on other organizations, but hopefully those organizations will take heed of the message from Rick Larson to never put their trust in hackers — and it’s clear that now includes TheDarkOverlord.

Weekly Cyber Risk Roundup: Industroyer Malware and Fines for Delayed Breach Notification

Ukrainian power utility Ukrenergo was back in the news as the top trending cybercrime target after researchers analyzed new samples of a destructive malware, dubbed “Win32/Industroyer,” which they said was likely used in the December 2016 attack against the Ukrainian power grid.


“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly,” ESET researchers wrote. “To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).”

The Industroyer malware uses four payload components designed to gain control of switches and circuit breakers, with each component targeting a particular communication protocol: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA). The malware is notable as it “is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.”

Hackers may have hidden in Ukrenergo’s IT network undetected for six months before carrying out their December 2016 attack, which led to a power blackout in Kiev that lasted a little over an hour. Although it’s not confirmed, it is “highly probable” that Industroyer was used in that incident. The Ukrenergo attack occurred a year after a similar attack against Prykarpattyaoblenergo, which caused approximately 230,000 people to lose power. Researchers have warned that both of those incidents in Ukraine could be tests for potential attacks against Western countries’ critical infrastructure facilities in the future.


Other trending cybercrime events from the week include:

  • FIN10 targeted mining companies and casinos: A financially-motivated hacking group known as FIN10 spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive data, and then holding it for ransom. According to researchers, the attacks targeted sensitive files such as corporate records, private communications, and customer information, and the ransom demands ranged between 100 and 500 bitcoin. The hackers were also able to essentially shut off the production systems of some mines or casinos that did not comply, making them unable to operate for a period of time.
  • Updates on previously disclosed attacks: The attackers behind the 2015 attack against TV5Monde conducted reconnaissance inside the TV5Monde network for three months before launching a sabotage operation that knocked multiple channels offline and compromised multiple social media accounts. France’s national cybersecurity agency said that the attackers used a compromised third-party account that allowed them to connect to the TV5Monde VPN and that once they were inside the network they used one of two camera-control servers as a beachhead for privilege escalation. The agency also noted that the attackers were able to create their own admin-level account in Active Directory and used the IT department’s wiki to gain information. GameStop is notifying an undisclosed number of online customers that their payment card details were stolen between August 10, 2016 and February 9, 2017. The breach was acknowledged by GameStop in April, but the company only recently began notifying affected customers. Cowboys Casino in Alberta said that data stolen in a breach last year has been posted online and that the hackers are threatening to post more data next week. WikiLeaks’ latest dump of CIA documents is CherryBlossom, a project focused on compromising wireless networking devices.
  • Universities targeted: Southern Oregon University said it sent $1.9 million to a malicious actor impersonating Andersen Construction, a contractor that is working on the McNeal Pavilion and Student Recreation Center construction project. University College London said that a major ransomware attack occurred on June 14 and disrupted access to a number of users’ personal and shared drives for several days after UCL users visited a compromised website. Ulster University in Northern Ireland was infected with ransomware that affected a “significant number of file shares” due to a “zero day attack.” The initial attack occurred on June 14, and the university said it believes it will be in a position to restore the file share service by late morning on June 19.
  • Other notable incidents: A database containing the personal information of 6 million users of online survey site CashCrate was stolen by hackers due to an apparent compromise of third-party forum software. A developer at Tata Consultancy Services in India posted the source code and internal documents for a number of unnamed financial institutions to a public GitHub repository. Italy’s data protection authority said that Wind Tre, the country’s biggest mobile operator in terms of mobile SIMs, must notify customers of a March 20 data breach that affected 5,118 customers. A hacker pleaded guilty to the 2014 theft of hundreds of user accounts from a U.S. military communications system, an intrusion that the Department of Defense said cost $628,000 to fix.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

New York’s attorney general Eric Schneiderman announced last Thursday that CoPilot Provider Support Services must pay $130,000 in penalties as well as reform its legal compliance program over violations related to delayed notification of a breach.

According to the attorney general, an October 2015 data breach of CoPilot’s website administration interface, phpMyAdmin, allowed an unauthorized user to download reimbursement-related records for 221,178 patients, including their names, genders, dates of birth, addresses, phone numbers, and medical insurance card information. However, CoPilot did not begin formally notifying affected consumers until January 2017, more than a year after the incident occurred, an “unacceptable” violation of New York law.

“Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications,” New York’s attorney general wrote. “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”

In January, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a $475,000 fine to Presence Health for similar reasons. OCR said that it was the agency’s first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information and that the settlement amount “balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.”

That regulatory scrutiny may get more intense with the enforcement of the EU’s General Data Protection Regulation (GDPR) next year. The GDPR requires companies to notify the appropriate authorities of a breach within 72 hours of discovery if the company collects, stores, or processes personal data of people residing in the EU. As SearchSecurity noted last month, that could force a change for the better when it comes to prompt breach notification by companies, since the monetary penalties associated with violating the GDPR are much harsher than those under current regulations.

Weekly Cyber Risk Roundup: ‘Staggering’ Amount of Data Exposed and Hacks Lead to Fake News

Organizations are making it easy for cybercriminals by putting vast amounts of sensitive data at risk due to improper security configurations, various researchers recently warned, and this past week saw several new data breaches announced due to the public exposure of sensitive customer, patient, and other internal data.


The first warning came from Appthority, which said it discovered a “staggering amount” of leaked enterprise data from apps due to a vulnerability dubbed “HospitalGown.” The researchers said that almost 43 TB of data was found exposed across 1,000 apps due to the app developers’ failure to properly secure the backend servers with which the apps communicate and where sensitive data is stored. As a result, enterprises are leaving themselves open to data exfiltration, leakage of personal information, and potential ransom attempts, the researchers said.

In addition, John Matherly, the founder of Shodan, said that improperly configured HDFS-based servers are exposing over five petabytes of data. Matherly said he found that the smaller number of HDFS servers leak 200 times more data than MongoDB servers. He discovered 4,487 instances of HDFS-based servers exposing over 5,120 TB of data, whereas the 47,820 MongoDB servers leaked 25 TB of data. These warnings came as several organizations announced data breaches due to publicly exposing sensitive data:

  • A car dealership database was publicly exposed for more than 140 days, revealing customer, vehicle, and sales details of more than 10 million car owners, including vehicle identification numbers (VINs).
  • Victory Medical Center said patient information was discoverable via search engines dating back to 2013, and as a result around 2,000 patients had some of their personal information compromised.
  • A Cosmetic Institute in New South Wales exposed the sensitive personal information, including before-and-after photos, of more than 500 female patients after uploading their data to a publicly accessible index of the clinic’s website.


Other trending cybercrime events from the week include:

  • IP theft leads to extortion attempts: CD Projekt Red said that internal files such as documents connected to its upcoming game Cyberpunk 2077 were stolen by extortionists and that those files may be released to the general public as the company will not pay the ransom. TheDarkOverlord has leaked eight episodes of ABC’s unaired show “Steve Harvey’s Funderdome” on The Pirate Bay, following through on the group’s promise to release shows stolen from Hollywood-based post-production company Larson Studios late last year.
  • Variety of malicious actors arrested: A contractor at Pluribus International Corp. has been charged with leaking a top-secret National Security Agency document that describes Russian efforts to compromise the U.S. election. Chinese authorities have arrested 20 Apple employees for allegedly using the company’s internal computer system to gather and sell customers’ names, phone numbers, Apple IDs, and other data as part of a scam worth more than 50 million yuan ($7.36 million). South Korean police have arrested a group of hackers that breached the hotel and guesthouse reservation app “Good Choice” in March and stole the personal data of more than 990,000 users. Two men were indicted for a $12 million identity theft scheme that involved thousands of victims, including students applying for financial aid. The men acquired the personal identifying information of victims either by purchasing it or by obtaining it through the Data Retrieval Tool on the Free Application for Federal Student Aid (FAFSA) website. A guidance counselor at Tryon Elementary School in North Carolina admitted to using information about some of his elementary school students in a $436,000 Medicare scam.
  • Personal data transmitted insecurely: The Mississippi Division of Medicaid is notifying 5,220 individuals that their protected health information may have been exposed due to their information not being securely transmitted when online forms were submitted. HSBC Bermuda said the personal information of customers was compromised when the company sent an email to a small number of retail banking customers that included an attachment containing HSBC Bermuda customer data. The personal information of almost 13,000 employees of Public Services and Procurement Canada was exposed due to a spreadsheet with sensitive data being sent to 180 people in the department via unencrypted email.
  • Other notable incidents: Al Jazeera said that it faced a large-scale cyber-attack on Thursday against all of its systems, websites, and social media platforms. The University of Alaska is notifying 25,000 students, staff, and faculty members that their names and Social Security numbers were compromised due to a successful phishing attack in December 2016. The Maltese government has seen a significant increase in attacks believed to be carried out by Russian hacking groups in recent months — ever since Malta assumed the important position of presidency of Europe’s Council of Ministers in January. Since then, the Maltese government’s IT systems have seen a rise in phishing attacks, DDoS attempts, and malware on computer systems.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Recent incidents have confirmed that malicious actors are using cyber-attacks and data leaks to both blatantly fabricate entire news stories and discreetly drop small pieces of fake information that can potentially have wide-reaching geopolitical implications.

For example, on May 24, a report appeared on the official Qatari news agency’s website describing a variety of statements made by the emir of Qatar, including tensions with U.S. President Donald Trump, a desire for friendship with Iran, and praise for both Hamas militants and the leader’s relationship with Israel.

The statements received widespread attention, but Qatari officials claimed they were false — a claim now backed by the FBI, which believes the fake news operation and subsequent diplomatic crisis was orchestrated by Russian officials. The New York Times described the incident as “the opening skirmish in a pitched battle among ostensible Gulf allies.” The Times also reported that the false comments led to Saudi Arabia and U.A.E. rallying dependent Arab states to cut off diplomatic relations, travel, and trade with Qatar, as well as the fracturing of the American-backed alliance against the Islamic State and Iran.

Other Russian-tied disinformation campaigns have been more subtle. Citizen Lab recently detailed a series of “tainted leaks” tied to documents stolen from journalist David Satter. Satter had his email account compromised in a targeted phishing attack in October 2016, and those emails were then selectively modified and “leaked” on the blog of CyberBerkut, a pro-Russian hacktivist group. The modified documents were designed to both cause the programs they examined to appear more subversive of Russia than they actually were as well as to discredit specific opposition individuals and groups critical of Russian President Putin and his confidants.

Both incidents are yet another example of how much impact a disinformation campaign mixed with a little bit of hacking can have on governments around the world. As the Times warned, “Any country can get in the game for the relatively low price of a few freelance hackers.”

Motivated actors could use similar tactics to impact specific organizations with tainted data leaks. A single fake email — or even a few lines modified in a legitimate email — could easily be slipped into a larger dump and then shared with news outlets. That could lead to a crisis similar to the one facing Qatar, where leaders are forced to defend themselves against statements that were never actually made before those statements spread far and wide.

Weekly Cyber Risk Roundup: Chipotle and Kmart Announce POS Breaches

Payment card breaches were back in the news this week as both Chipotle and Kmart announced point-of-sale breaches affecting a number of locations.


The Chipotle incident, which was first disclosed on April 25, appears to be the larger of the two breaches. A recent company update on the breach said it now includes most of the company’s 2,250 locations. The restaurants were affected by point-of-sale malware for various periods of time between March 24 and April 18.

The infection was made worse by Chipotle’s decision not to adopt EMV payment technology due to concerns that the upgrades would “slow down customer lines,” according to a recent class-action lawsuit filed over the breach.

The Kmart investigation is currently ongoing, so it’s unclear how many of the company’s 735 locations are affected; however, it may be less impactful than a similar point-of-sale malware infection in 2014 since all of Kmart’s stores were EMV ‘Chip and Pin’ technology enabled during the time of the most recent breach, the company said in its press release.

“We believe certain credit card numbers have been compromised,” Kmart’s parent company Sears Holdings said in a statement. “Nevertheless, in light of our EMV compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”


Other trending cybercrime events from the week include:

  • Top Secret information exposed to public: Top Secret information related to the U.S. National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD), was exposed to the public via an unsecured Amazon Web Services “S3” bucket that required no credentials to gain access. Security researcher Chris Vickery and other Upguard researchers said the now-secured data set points to NGA contractors Booz Allen Hamilton (BAH) and industry peer Metronome. The data discovered included information that would ordinarily require a Top Secret-level security clearance from the DoD as well as plaintext credentials that granted administrative access to at least one data center’s operating system and what appeared to be Secure Shell (SSH) keys of a BAH engineer.
  • Healthcare breaches due to unauthorized sites, third-parties: Children’s Mercy said that patient information was compromised due to an unauthorized website operated by a physician that was created as an educational resource but did not have proper security controls in place. Adventist Health Tehachapi Valley said that 714 patients who used its vendor Fast Health to pay bills online to Tehachapi Valley Healthcare District and Adventist Health may have had their payment card details compromised due to unauthorized code, designed to capture payment card information, that had been placed on a server.
  • Extortion attacks continue: A hacking group calling themselves “Tsar Team” has published more than 25,000 private photos and other personal data from patients of the Grozio Chirurgija clinic in Lithuania. The hackers broke into the servers of the cosmetic surgery clinic earlier this year and demanded ransoms from the clinic’s clients in more than 60 countries around the world. The blackmail ranged between €50 and €2,000 worth of bitcoin, authorities said, with nude photos, passport scans, and other sensitive data being used to ramp up the ransom demands. A hacking group known as “RavenCrew” has claimed responsibility for the hack of customer data from the ticketing platform Qnect and subsequent SMS messages that were sent to the company’s customers urging them to pressure co-founder Ryan Chen and chief technology officer Ruslan Starikov into paying the ransom. It’s believed the hackers may have exploited a security hole recently noticed by a customer.
  • Other notable breaches: OneLogin, a company that allows users to manage logins to multiple sites and apps all at once, announced it had experienced a breach that impacts all customers served by the company’s U.S. data center. Old Mutual said the personal information of “a relatively small group” of customers in South Africa was compromised due to unauthorized access to one of its systems. Camberwell High School in Melbourne announced a data breach due to a student gaining unauthorized access to the school management software Compass and accessing the personal information of families. The incident is similar to a breach at Blackburn High School involving the Compass system that occurred two weeks ago. Augusta University said that a phishing attack led to unauthorized access to faculty email accounts and that as a result less than one percent of patients had their personal information exposed.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

TheShadowBrokers continued to make headlines over its new subscription exploit service this past week. The hacking group said that it will release its first “dump” of planned monthly exploits and/or data to its subscribers in early July – for approximately $24,000.

Those who want to join the dump service must pay 100 ZEC (Zcash) by the end of June. The group said it has not yet decided what will be in its first dump, although it previously teased that such dumps could include:

  • web browser, router, and handset exploits and tools,
  • select items from newer Ops Disks, including newer exploits for Windows 10,
  • compromised network data from more SWIFT providers and central banks,
  • and compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

The group wrote that the monthly dump service is “for high rollers, hackers, security companies, OEMs, and governments.”

After TheShadowBrokers’ announcement, a crowdfunding campaign was started to help researchers and organizations purchase the upcoming July exploit dump; however, two days later the researchers behind the effort, England-based security researcher Matthew Hickey (aka Hacker Fantastic) and the French security researcher known as x0rz, cancelled the campaign citing legal reasons.

“What we tried with @hackerfantastic was a bet we could somehow get early access to help vendors and open-source software fix the bugs before any public release, that means making the 0days a little less toxic than it could have been if released (from 0day to 1day, still powerful but less efficient),” x0rz wrote. “I guess now we should only spectate what will happen next, like we did before. It’s unfortunate but that’s the way it ought to be.”

x0rz believes that TheShadowBrokers may still publicly release the dump because the group is “not here for the money and are really just seeking media coverage.” However, we’ll all have to wait until next month and see exactly what the group has to offer and – if it follows through on its promise – how damaging its monthly exploit and data dumps can potentially be for organizations.

Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Stolen W-2 information was back in the news this week due to reports of another W-2 breach as well as new data from IRS officials on the threat. The latest breach involves TALX, an Equifax subsidiary that provides online payroll, HR and tax services. KrebsOnSecurity reported that an undisclosed number of customers were affected when malicious actors were able to gain access to employee accounts containing sensitive data.


“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote an attorney in one breach notification letter. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

The extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, but at least five organizations have received letters from Equifax about a series of incidents over the past year, Krebs reported. Those included defense contractor giant Northrop Grumman, staffing firm Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville. In addition to those companies, an IRS official said that 870 organizations reported receiving a W-2 phishing email over the first four months of 2017, and about 200 of those companies lost data as a result. That was a significant rise from 2016’s numbers, which included about 100 reports and 50 confirmed breaches. The official said that the increase was driven by progress made against identity theft, which has pushed cybercriminals to need more personal data to be able to impersonate taxpayers. As a result, there has been a shift towards targeting those in the payroll industry.


Other trending cybercrime events from the week include:

  • Men plead guilty to trade secret theft: A Chinese national has pleaded guilty to economic espionage and theft of a trade secret in relation to the theft of proprietary source code from his former employer, an unnamed U.S. company. As a developer, the man had access to a clustered file system developed and marketed by his employer as well as its underlying source code, the DOJ wrote. The man attempted to use the stolen source code to start a large-data storage technology company, according to communication he had with undercover officers. An engineer at a defense contractor has pleaded guilty to selling sensitive satellite information stolen from his employer to a person he believed to be an agent of a Russian intelligence service. In a series of meetings between February and July of 2016, the man sought and received thousands of dollars in cash payments for the trade secrets.
  • New data breaches announced: Williamson County Schools in Tennessee said that approximately 33,000 current and former WCS students had their usernames, encrypted passwords, and email addresses compromised due to a breach at third-party vendor Edmodo, a free classroom tool that allows students and teachers to share files and assignments. A data breach at the Florida Department of Agriculture and Consumer Services has exposed the names of 16,190 concealed weapon licensees as well as the Social Security numbers of 469 individuals. Approximately 3,000 individuals had their information compromised due to unauthorized access to a city computer in Stillwater, Oklahoma. UW Health said that 2,036 patients had their personal information compromised due to an unauthorized individual gaining access to an employee’s email account. The Canada Revenue Agency has fired an employee for improperly accessing the accounts of 1,302 taxpayers. A breach at Blackburn High School led to the theft of personal information of families, and that information was then used to send phishing emails to parents asking them to provide their payment card details.
  • Russia targeted Pentagon employees’ Twitter accounts: Russia sent more than 10,000 phishing messages to Defense Department officials with the goal of getting the officials to click a malicious link and, ultimately, gain control of their devices and Twitter accounts. The efforts took place after the 2016 presidential election and were disclosed in a March report to U.S. counterintelligence officials investigating Russian interference efforts. The compromised accounts could have been used to spread false information, as has been done in the past by Russian hacking groups.
  • Hacking groups arrested: Twenty members of the Russian hacking group behind the Android Trojan “Cron” have been arrested. The group managed to infect over one million mobile devices and stole approximately $800,000 from Russian banks. Twenty-seven individuals tied to a series of ATM “Black Box” attacks across Europe have been arrested. A “Black Box” attack is a method of ATM jackpotting where criminals gain access to the ATM Top Box usually by drilling holes or melting in order to physically connect an unauthorized device that sends commands directly to the ATM cash dispenser in order to “cash-out” the ATM. Sixteen individuals have been arrested related to the theft of a copy of Baahubali 2 and subsequent ransom attempt from the movie’s producers, Arka Mediaworks Entertainment Ltd.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

It is now less than one year until the EU General Data Protection Regulation (GDPR) goes into effect, yet some organizations are either unaware of the upcoming privacy changes or believe they will have issues meeting next year’s deadline, according to recent research.

The GDPR was approved by the EU parliament in April 2016, and the new regulation will be fully enforceable on May 25, 2018. Among the most talked about changes from the upcoming regulation is the increase in potential fines for data breaches. Breached organizations can be fined as much as 4% of their annual global turnover or €20 million, whichever is greater, when it comes to serious violations. Lesser violations are subject to half the maximum penalty — up to €10 million or 2% of turnover. As the NCC Group noted, those new numbers mean that last year’s ICO fines could have been 79 times higher: £69m rather than £880,500 in total.

“TalkTalk’s 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to £59m under GDPR,” The Register noted last month. “Fines given to small and medium-sized enterprises could have been catastrophic. For example, Pharmacy2U’s fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.”

It is important to note that the new regulations generally apply to any organization that offers goods or services to individuals in the EU, so the GDPR has global implications. However, a recent study of 500 organizations in the UK, Germany, France, and the U.S. found that 75% of organizations indicated they will struggle to be ready for next year’s deadline. According to the Varonis survey, the top three challenges facing organizations around GDPR include:

  • Article 17 (“Right to be forgotten”), where they must discover and target specific data and automate removal when requested by the consumer
  • Article 30 (Records of processing activities), including identifying personal information on their systems, understanding who has access to it and who is accessing it, and knowing when this data can and should be deleted
  • Article 32 (Security of processing), which means ensuring least privilege access, implementing accountability via data owners, and providing reports that policies and processes

For organizations looking to learn more about preparing for GDPR, ICO has a 12-step guide available.

Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained as the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.


As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company, as well as Rockwell Automation and Swiss robotics and automation firm ABB, also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.


Other trending cybercrime events from the week include:

  • Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
  • Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
  • Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
  • Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the universities’ IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

As WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

  • AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
  • Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
  • Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers have previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry. “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers’ rambling blog post, these monthly dumps could include:

  • web browser, router, and handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.

Weekly Cyber Risk Roundup: WannaCrypt Spreads and Trump Signs Executive Order

The week’s top cybercrime event was the spread of WannaCrypt ransomware, which managed to infect tens of thousands of computers on Friday. The attack affected NHS hospitals and facilities in England and Scotland, Telefonica and Gas Natural in Spain, FedEx in the U.S., and numerous other organizations — largely across Asia and Europe.

By Saturday researchers reported more than 126,000 detections of the ransomware across 104 countries. The number of infections may have been worse, but the security researcher MalwareTech managed to halt the spread of the malware by purchasing a domain name, which essentially triggered a “kill switch.” MalwareTech explained why the ransomware had this design:

“I believe [the attackers] were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan … however, because WannaCrypt used a single hardcoded domain, my [registration] of it caused all infections globally to believe they were inside a sandbox and exit.”

WannaCrypt leverages an allegedly NSA-derived exploit called “EternalBlue” that was made public by TheShadowBrokers last month. Microsoft has patched the flaw (MS17-010), but Friday’s events made it clear that many organizations have yet to apply that patch. Microsoft also announced that it is taking “the highly unusual step” of providing a security update for Windows XP, Windows 8, and Windows Server 2003 to help protect its customers from the threat. Organizations should patch immediately. As MalwareTech noted on Sunday, the last version of WannaCrypt was stoppable, but the next version will likely remove that flaw.
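The kill switch described above has a useful defensive side effect: a host that performed a DNS lookup for the kill-switch domain executed the malware, even if the malware then exited, so it is unpatched and should be prioritized for MS17-010. The script below is an added example (not code from the original post or from MalwareTech): it scans BIND-style query-log lines for lookups of a watch-listed domain and reports the querying hosts. The domain name `killswitch.example`, the log lines, and the host addresses are all constructed for the demonstration; substitute your own resolver log format and the real domain when using the idea.

```python
"""Flag hosts whose DNS queries hit a watch-listed (sinkhole / kill-switch) domain.

Added example with constructed data; the log format is a simplified BIND
query log and the watch-listed domain is a placeholder.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Placeholder domain standing in for the real kill-switch / sinkhole name.
WATCHLIST = {"killswitch.example"}

# Simplified BIND query-log line:
#   <date> <time> client <ip>#<port>: query: <qname> IN <qtype> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two hosts resolve the watch-listed name, one does not,
# and one line is malformed to show that parsing failures are skipped, not fatal.
SAMPLE_LOG = """\
12-May-2017 14:03:22.101 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
12-May-2017 14:03:23.417 client 10.0.0.5#53212: query: KillSwitch.example. IN A + (10.0.0.1)
12-May-2017 14:03:25.002 client 10.0.0.9#40122: query: mail.example.com IN MX + (10.0.0.1)
12-May-2017 14:04:01.330 client 10.0.0.17#61000: query: killswitch.example IN A + (10.0.0.1)
12-May-2017 14:04:01.331 client 10.0.0.17#61001: query: killswitch.example IN AAAA + (10.0.0.1)
this line is not a query-log record and must be ignored
"""


def normalize_name(qname: str) -> str:
    """Canonical form for comparison: lower-case, without the trailing root dot."""
    return qname.rstrip(".").lower()


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, client_ip, qname, qtype) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), normalize_name(m.group("qname")), m.group("qtype")


def find_watchlist_hits(
    lines: Iterable[str], watchlist: Iterable[str] = WATCHLIST
) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each client IP that queried a watch-listed name to its (ts, qname, qtype) hits."""
    watched = {normalize_name(d) for d in watchlist}
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole scan
        ts, ip, qname, qtype = rec
        if qname in watched:
            hits[ip].append((ts, qname, qtype))
    return dict(hits)


def hosts_to_triage(lines: Iterable[str], watchlist: Iterable[str] = WATCHLIST) -> List[str]:
    """Sorted list of client IPs that resolved a watch-listed name: these hosts ran the
    sample and should be checked and patched (here, for MS17-010)."""
    return sorted(find_watchlist_hits(lines, watchlist))


if __name__ == "__main__":
    for ip, events in find_watchlist_hits(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(events)} watch-listed lookup(s), first at {events[0][0]}")
```

Matching is case-insensitive and ignores the trailing dot because resolvers log names in either form; a host that only looked the name up once over IPv6 (`AAAA`) is still caught, which matters because the infection indicator is the lookup itself, not its answer.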


Other trending cybercrime events from the week include:

  • Third-party providers lead to breaches: Hackers managed to gain access to the stem files of Lady Gaga last December by sending spear phishing messages to executives at September Management, a music management business, and Cherrytree Music Company, a management and record company. Debenhams Flowers said that 26,000 website customers had their data compromised due to malware stealing their payment details from Ecomnova, a third-party e-commerce company. The email addresses and usernames of individuals who used the dating website Guardian Soulmates were exposed by a third-party service provider, resulting in members of the site receiving explicit spam emails.
  • Malicious actors sell and leak stolen data: A dark web vendor using the handle “nclay” claims to have 77 million records stolen from social learning platform Edmodo and is attempting to sell them on the dark web for just over $1000. The data allegedly includes usernames, email addresses, and passwords that are hashed with bcrypt and salted. Malicious actors leaked 9GB of internal documents from the campaign staff of France’s President-elect Emmanuel Macron in the days prior to the country’s election. A group known as “TuftsLeaks” published financial information belonging to Tufts University, including department budgets, the salaries of thousands of staff and faculty, and the ID numbers of student employees.
  • Healthcare organizations expose data: Patients of Bronx-Lebanon Hospital Center had their sensitive health and personal information exposed to the internet due to a misconfigured rsync backup managed by IHealth Innovations. The records and files from a number of departments were publicly accessible and viewable, including cardiology, surgery, pulmonology, psychiatry, and neurosurgery. A flaw in the website of True Health Diagnostics allowed users to view the medical records of other patients by modifying a single digit in the PDF link to their own records. Diamond Institute for Infertility and Menopause in New Jersey said that 14,633 patients had their data exposed due to an unknown individual gaining access to the third-party server in February 2017.
  • Other notable cybercrime news: An internet-connected backup drive used by New York University’s Institute for Mathematics and Advanced Supercomputing contained hundreds of pages of documents detailing an advanced code-breaking machine that had never before been described in public. The project was a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. A California court has found a former private security officer guilty of hacking into the servers of Security Specialists, his former employer, to steal data on customers; delete information such as archived emails, server files, and databases; deface the company website; steal proprietary software; and set up a rival business that used the stolen software. The incident occurred after the employee was fired in 2014 for logging into the payroll database with administrative credentials in order to pad his hours. Confluence Charter Schools is warning parents and staff that a hack of network servers has impacted email, phones, SISFIN, its financial system, and its student information system Infinite Campus and that the “breach has caused some files to be unrecoverable.”
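The True Health Diagnostics flaw above, where changing one digit in a PDF link returned another patient's record, is the classic insecure direct object reference: the server looks a record up by the identifier the client supplied and never asks whether the authenticated user owns it. The snippet below is an added example, not the site's code, and uses a constructed in-memory record store and made-up patient identifiers; it shows the flawed lookup next to a hardened version that authorizes against the session, not the URL.

```python
"""Insecure direct object reference: vulnerable lookup beside a hardened one.

Added example with constructed data; REPORTS stands in for a database table
and `session_patient_id` for the identity established by the login session.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Report:
    report_id: int      # sequential IDs, as the flawed site appears to have used
    patient_id: str     # owner of the record
    pdf: bytes          # the document served at /reports/<report_id>.pdf


# Constructed sample records for two different patients with adjacent IDs.
REPORTS: Dict[int, Report] = {
    10041: Report(10041, "patient-A", b"%PDF-1.4 results for patient A"),
    10042: Report(10042, "patient-B", b"%PDF-1.4 results for patient B"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested report."""


def fetch_report_vulnerable(report_id: int) -> Optional[bytes]:
    """VULNERABLE: the only input is the ID from the URL. Authentication may have
    happened earlier, but nothing ties this record to the logged-in patient, so
    any logged-in user can walk the ID space."""
    report = REPORTS.get(report_id)
    return report.pdf if report else None


def fetch_report_hardened(session_patient_id: str, report_id: int) -> bytes:
    """Hardened: authorize the record against the session identity, and return the
    same error for 'missing' and 'not yours' so the ID space cannot be enumerated."""
    report = REPORTS.get(report_id)
    if report is None or report.patient_id != session_patient_id:
        raise Forbidden("no such report for this account")
    return report.pdf


def report_accessible(session_patient_id: str, report_id: int) -> bool:
    """Convenience wrapper used for checks: True only when the hardened path allows it."""
    try:
        fetch_report_hardened(session_patient_id, report_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Patient A requests their own report, then the adjacent ID.
    print(fetch_report_vulnerable(10042))                  # leaks patient B's PDF
    print(report_accessible("patient-A", 10041))           # True
    print(report_accessible("patient-A", 10042))           # False
```

The ownership check is the fix; switching to long random identifiers makes guessing harder but does not replace it, because a leaked or shared link would still be honoured for anyone who presents it.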

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

On Thursday, President Donald Trump issued an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. The order includes a variety of mostly reporting requirements designed to protect federal networks, update outdated systems, and direct agency heads to work together “so that we view our federal I.T. as one enterprise network,” said Trump’s homeland security advisor Tom Bossert.

The order also requires the heads of federal agencies to use The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) to assess and manage their agency’s cyber risk. Each agency must submit a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days that outlines their plan to implement the framework. The director of OMB and other supporting officials will then have 60 days to review the reports and pass along information to the president regarding a plan to align budgetary needs, policies, guidelines, and standards with the NIST framework. The Obama administration had previously encouraged the private sector to adopt the NIST framework, but government agencies were never required to follow it — until now.

“It is something that we have asked the private sector to implement, and not forced upon ourselves,” Bossert said at the daily White House press briefing on Thursday. “From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.”

The order also includes reporting regarding critical infrastructure, which builds upon the order issued by Obama in 2013, and reporting on “strategic options for deterring adversaries and better protecting the American people from cyber threats.”

As many media outlets have reported, the executive order has received a mostly positive response from the cybersecurity community; however, it is largely a continuation of the cybersecurity policy under previous administrations and has received some criticism for being more focused on reporting than actions.

Weekly Cyber Risk Roundup: TheDarkOverlord Returns and Multiple Attacks Circumvent 2FA

TheDarkOverlord was back in the news this week due to leaking data from multiple companies after failed extortion attempts. The most prominent leak involved Netflix, which had the first 10 episodes of the fifth season of its show Orange is the New Black leaked after it refused to cave to the actor’s ransom demands. The group also claims to have unreleased shows from ABC, Fox, National Geographic, and IFC. Media outlets reported that the shows appear to have been stolen from post-production studio Larson Studios in late 2016.


It’s unclear exactly how much TheDarkOverlord demanded from Netflix to not release the episodes, but the actor once again framed its response to the failed extortion attempt by trying to appeal to future victims, essentially arguing that paying up will cost them a lot less money than having their data released.

“It didn’t have to be this way, Netflix,” the actor wrote in a post on April 29. “We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. … And to the [other networks]: there’s still time to save yourselves. Our offer(s) are still on the table — for now.”

TheDarkOverlord has not yet released episodes allegedly stolen from other networks. However, three healthcare providers had data dumped by the actor on May 4. Aesthetic Dentistry in New York City and OC Gastrocare in California were both hacked last year by TheDarkOverlord, databreaches.net reported, and their dumps from last week contained 3,496 patient records and 34,100 patient records, respectively. The third dump was the biggest, containing more than 142,000 patient records allegedly stolen from Tampa Bay Surgery Center.

That large dump appears to be tied to a previously undisclosed breach, and TheDarkOverlord tweeted that the “clinic didn’t do anything wrong except annoy us.” That annoyance likely stemmed from the fact that the center did not cave to the group’s ransom demands, just like numerous other organizations targeted over the past year.


Other trending cybercrime events from the week include:

  • Payment card breaches continue: Sabre announced that it is investigating a data breach after discovering “unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.” More than 32,000 properties use Sabre’s SynXis reservations system, which is described as an inventory management Software-as-a-Service application. Sabre told customers that the unauthorized access has been “shut off” and that there are not any additional details to share at this time.
  • Numerous ransomware infections reported: An April 22 ransomware infection at electronic health records vendor Greenway Health disrupted services to 400 client organizations using the vendor’s Intergy cloud-hosted platform, and half of those customers were still waiting to have full EHR services restored on Monday, May 1. Pekin Community High School’s computer systems were infected with ransomware, and the actor demanded $37,000 in order to restore the encrypted files. Ransomware infected the computer systems of Cambrian College in Ontario and demanded a $54,000 payment. The school’s web portals, grade reports, and student learning management systems were disrupted, and final grades and spring semester registration had to be postponed for several days. The law firm Moses Afonso Ryan Ltd was infected with ransomware last year that demanded a $25,000 ransom payment, and after paying a negotiated ransom the firm then had to renegotiate an additional payment when the first key purchased to decrypt the documents did not work.
  • Large amounts of data exposed: Around 135 million Aadhaar ID numbers and around 100 million bank account numbers have been leaked from four Indian government portals, according to a report released by The Centre for Internet and Society. The four government portals examined in the report are: National Social Assistance Programme, National Rural Employment Guarantee Act, Daily Online Payment Reports under NREGA, and Chandranna Bima Scheme. Data belonging to Alliance Direct Lending Corporation was found publicly available online, and as a result at least 550,000 customers have had their personal information exposed. According to MacKeeper, the leaked data contained 124 files (with five to ten thousand records each) holding financing records broken down by dealership, as well as 20 audio recordings of customers agreeing to auto loans or refinancing of auto loans.
  • Other notable cybercrime news: Retina-X Studios announced that in February 2017 a malicious actor was able to break into a server that held database tables for its Net Orbit, PhoneSheriff, and TeenShield products, and the actor then wiped “any data that he was able to force access to.” According to the company, the actor was able to find a vulnerability in a decompiled and decrypted version of a now-discontinued product in order to achieve the unauthorized access. Grey Eagle Resort & Casino in Calgary has had an additional 1.7 GB of data dumped, and the hackers behind the dump indicated that the data would be uploaded to torrent sites “soon” and that more data dumps would follow in the coming weeks. The casino initially had data released by hackers in January, and the new dump appears to include more data that was stolen prior to the first leak.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Several recent cybercrime events have proven that although two-factor authentication is an effective way to prevent fraudulent transactions, malicious actors are focusing their efforts on ways to defeat that increasingly popular layer of security.

German newspaper Süddeutsche Zeitung reported that customers of O2-Telefonica had funds removed from their bank accounts after malicious actors exploited a flaw in Signalling System No. 7 (SS7) — the protocol telecom companies around the world use to ensure their networks interoperate — to intercept the text message authentication codes sent to customers and then use those codes to steal funds from the customers’ bank accounts. The attack was carried out from the network of an unnamed “foreign provider,” and one expert told the German paper that insider access could be bought for as little as €1000 in order to carry out similar attacks.

The flaw in SS7 has been known since 2014, and in 2015 60 Minutes aired a segment in which researchers demonstrated how U.S. Representative Ted Lieu’s phone messages and conversations could be intercepted. Lieu said the recent theft is yet another example of the insecurity of text-based two-factor authentication:

“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”

In addition, the UK’s National Fraud & Cyber Crime Reporting Centre is warning that malicious actors are continuing to use “SIM splitting” attacks to take control of victims’ phone numbers, authenticate transactions, and steal money from bank accounts. As with the SS7-based attacks, malicious actors first gain access to the victim’s bank accounts via phishing, malware, or cybercriminal markets — but in this case the actors then successfully report the phone lost or stolen in order to activate the SIM card on a new phone and intercept communications. The fraudsters then transfer money from the victim’s account to a parallel business account they opened, and when the bank calls or texts to verify the transactions, they are in control of the victim’s phone number and can confirm the fraudulent transactions. In both cases, malicious actors have proven that they can circumvent two-factor authentication with a little extra legwork.
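The SS7 and SIM-splitting cases above share one weakness: the bank trusts an SMS code delivered to a number whose SIM may have just been reassigned. The following is an added example (not code from SurfWatch Labs or any bank) of a step-up rule that refuses SMS as the second factor when the number shows a recent SIM change, when too many codes have been requested in a short window, or when the transfer is high-value; the carrier SIM-change data and the OTP request log are constructed sample data, and the thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed carrier-side SIM-change records (hypothetical numbers and times).
SIM_CHANGES = {
    "+4915500001111": [datetime(2017, 4, 30, 9, 15)],   # SIM re-issued 2 days ago
    "+4915500002222": [datetime(2016, 11, 2, 12, 0)],   # old, legitimate upgrade
    "+4915500003333": [],
}

# Constructed log of SMS OTP requests already sent for each number.
OTP_REQUESTS = {
    "+4915500003333": [datetime(2017, 5, 2, 9, 50), datetime(2017, 5, 2, 9, 53),
                       datetime(2017, 5, 2, 9, 56)],
}

SIM_SWAP_WINDOW = timedelta(days=7)     # assumed: distrust SMS this long after a SIM change
OTP_BURST_WINDOW = timedelta(minutes=10)
OTP_BURST_LIMIT = 3                     # assumed: 3+ codes in 10 min looks like an interception attempt
HIGH_VALUE_EUR = 1000.0                 # assumed: above this, always require a non-SMS factor


@dataclass
class Transfer:
    phone: str
    amount_eur: float
    requested_at: datetime


def sim_changed_recently(phone: str, now: datetime) -> bool:
    """True if the carrier reports a SIM change inside SIM_SWAP_WINDOW before `now`."""
    return any(now - ts <= SIM_SWAP_WINDOW for ts in SIM_CHANGES.get(phone, []) if ts <= now)


def otp_burst(phone: str, now: datetime) -> bool:
    """True if OTP_BURST_LIMIT or more codes were already sent inside OTP_BURST_WINDOW."""
    recent = [ts for ts in OTP_REQUESTS.get(phone, []) if now - OTP_BURST_WINDOW <= ts <= now]
    return len(recent) >= OTP_BURST_LIMIT


def choose_second_factor(t: Transfer) -> tuple[str, str]:
    """Return ("sms", reason) when an SMS code is acceptable, otherwise ("app", reason),
    meaning the bank must step up to an authenticator app or hardware token."""
    if sim_changed_recently(t.phone, t.requested_at):
        return "app", "sim_changed_recently"
    if otp_burst(t.phone, t.requested_at):
        return "app", "otp_burst"
    if t.amount_eur >= HIGH_VALUE_EUR:
        return "app", "high_value"
    return "sms", "ok"


if __name__ == "__main__":
    now = datetime(2017, 5, 2, 10, 0)
    for phone, amount in [("+4915500001111", 200.0), ("+4915500002222", 200.0),
                          ("+4915500003333", 200.0), ("+4915500002222", 5000.0)]:
        print(phone, amount, choose_second_factor(Transfer(phone, amount, now)))
```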

Weekly Cyber Risk Roundup: Ashley Madison Blackmail Returns, Facebook and Google Victims of Fraud

An old data breach came back to life this week as Ashley Madison users who had their data compromised back in July 2015 are once again being blackmailed — this time by an extortion group threatening to launch a public website and contact people in victims’ social media networks. The website will allegedly be launched on Monday, at which point it will be clear if the threat is just a ploy to extort victims who are low-hanging fruit or if the group will actually carry out their attempt at public shaming.


“On May 1 2017 we are launching our new site — Cheaters Gallery – exposing those who cheat and destroy families,” a group using a Ukrainian top level domain recently wrote in an email to some Ashley Madison users. “We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites. This will include you if do not pay to opting out.”

Robin Harris wrote on ZDNet that the email he received quoted his personal Ashley Madison profile and that the blackmail price for “opting out” of the Cheaters Gallery website was around $500. Of course, paying that blackmail won’t accomplish much unless the victims are willing to keep paying ransoms in an endless game of extortion whack-a-mole. The breached Ashley Madison data has been circulating for 20 months now — ever since the account details of around 32 million users were published on the dark web — and numerous other actors have attempted to extort the victims in the past via extortion emails and letters sent to victims and their spouses. The repeated blackmail campaigns indicate that either victims are paying up and the campaigns are profitable or that the actors behind them at least believed they would be worth the investment.

Seeing another round of Ashley Madison blackmail threats nearly two years after the breach is a reminder that once data is exposed, it remains exposed forever. As SurfWatch Labs noted in a report last year, the pool of compromised data never empties; it only grows. That means that malicious actors can use, reuse, build upon, and find new ways to monetize that expanding pool of data now and in the future.


Other trending cybercrime events from the week include:

  • More payment card breaches: Chain restaurant Chipotle said that it is investigating a possible point-of-sale breach after detecting “unauthorized activity on the network that supports payment processing for purchases made in our restaurants.” The investigation is focusing on transactions that occurred at locations from March 24, 2017 through April 18, 2017. Trading card dealer Blowout Cards announced a data breach due to “an exploit in the form of a modified payment .php file” that allowed the intruders to skim payment card information as customers checked out via its website. As a result, those who used credit and debit cards to check out via the site’s shopping cart between January 2017 and April 20, 2017, had their information compromised.
  • Espionage groups behind South Korea, Israel attacks: Iran’s OilRig hacking group is behind a series of targeted attacks against 250 individuals in government agencies, high-tech companies, medical organizations, and educational institutions such as the renowned Ben-Gurion University. The attacks took place between April 19 and 24 and employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. Two cyber-espionage groups linked to China have been observed launching a variety of attacks against South Korea’s government, military, defense companies, and a big conglomerate involved in deploying Terminal High-Altitude Area Defense, or Thaad, a U.S. missile-defense system designed to protect South Korea from a North Korean missile threat.
  • FIN7 campaign uses social engineering: The FIN7 group (also known as Carbanak) is targeting large restaurant chains, hospitality, and financial service organizations with spear phishing messages centered around complaints, catering orders, or resumes. The group has also been observed calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process, as it has done in previous campaigns.
  • Phishing leads to fraud, data breaches: Fraudsters were able to convince more than 500 University of California students to hand over their health information, and that information was used to steal almost $12 million from the university by writing fake medical prescriptions in the students’ names. The Iowa Veterans Home is notifying 2,969 people that their medical and financial information may have been compromised after three IVH employees fell for phishing emails that compromised their email account credentials.
  • Other notable cybercrime events: A vulnerability in a popular third-party library used by HipChat.com led to a data breach. The email addresses and unique IMEI numbers from Ciphr phone users have been dumped online, and Ciphr claims that the leak was carried out by a rival secure phone company. A hacker claims to have compromised the forums of R2 games. Concordia University said that approximately 9,000 students may have been affected by unauthorized access to its online course systems. The information of 8,000 Home Depot customers who had lodged complaints with its MyInstall program was found exposed online. Ransomware infected some City of Newark computers. WikiLeaks has published the user guide for the “Weeping Angel” tool allegedly developed by the CIA.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Facebook and Google confirmed this week that they were the victims of the $100 million phishing scheme announced by the Department of Justice last month.

The scheme was carried out by Evaldas Rimasauskas, a Lithuanian man who allegedly impersonated the large Taiwan-based manufacturer Quanta Computer in order to dupe the companies into making a series of fraudulent payments. According to the indictment, Rimasauskas registered and incorporated a company in Latvia with the same name as Quanta Computer and then forged email addresses, invoices, and corporate stamps in order to convince the accounting departments at the two tech companies to make transfers worth tens of millions of dollars over a two-year span, stealing $100 million in total.

Facebook and Google both told Fortune that they have since recovered the bulk of the funds.

Acting U.S. Attorney Joon H. Kim said in a DOJ press release that “this case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”

That same concern was echoed in a report from the Association for Financial Professionals published in early April. According to the report, 74 percent of finance professionals reported that their organizations were victims of business email compromise (BEC) scams in 2016, a 10-percentage point increase from the previous year.

Likewise, in December 2016 the FBI warned of a dramatic increase in BEC scams, which attempt to assume the identity of a person of authority within the company or — in the case of the Facebook and Google thefts — a trusted vendor before asking to initiate a fraudulent wire transfer.