Weekly Cyber Risk Roundup: Payment Card Data at Risk Due to POS Breaches and Ecommerce Vulnerabilities

Point-of-sale breaches were once again among the week’s top trending cybercrime targets, as InterContinental Hotels Group (IHG) announced that its previously disclosed POS breach had expanded from the dozen properties reported in February to at least 1,175 properties. Affected hotels include popular brands such as Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, Crowne Plaza, and more.

2017-04-21_ITT.PNG

According to the company’s press release, the investigation discovered “malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.” The release doesn’t directly state the number of properties affected, instead it directs viewers to a cumbersome breach lookup tool that divides the nearly 1,200-strong list of affected properties into countries, states, and even hundreds of individual cities.

The release also states that hotels that upgraded their technology were not affected by the breach: “Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.”

That’s a sliver of good news; however, nearly 1,200 hotels were impacted and that list may grow in the future as “a small percentage of IHG-branded franchise properties did not participate in the investigation.” The lookup tool will be updated as new properties are added. Unfortunately, for heavy travelers that means returning to the clumsy tool periodically and checking every city they stayed in over the affected period for new breach updates. 

2017-04-21_ITTGroups

Other trending cybercrime events from the week include:

  • More breaches due to poor practices and faulty updates: The accidental posting of a file containing the embedded personal information of 5,600 individuals to Rhode Island’s Transparency Portal and General Assembly website is the third recent data breach tied to UHIP, a new system for state benefits. The cybersecurity company Tanium is apologizing for exposing information related to El Camino Hospital in California in hundreds of presentations for potential customers from early 2012 through mid-2015 as well as several now-deleted YouTube videos. As many as 2,000 individuals in the UK may have had their personal information visible to other customers on the RingGo parking app due to a faulty software update.
  • Former employees continue to cause damage: A former employee of engineering firm Allen & Hoshall admitted to accessing the company’s servers repeatedly over a two-year period as well as accessing the email account of a former colleague hundreds of times in order to download and view data from his former employer. A man was arrested for attempting to steal proprietary computer code for a trading platform developed by his employer, an unnamed financial services firm with an office in New York. The online retailer Black Swallow has agreed to pay $60,000 to Showpo to settle a dispute alleging that a former Showpo graphic designer downloaded the company’s entire customer database and gave it to her new employer.
  • Old data breaches come to light: Allrecipes is warning its users that their email addresses and passwords may have been compromised when logging into their accounts prior to June 2013, nearly four years ago. There is not a lot of information on what happened, as the notification email said that the company “cannot determine with certainty who did this or how this occurred.” While announcing a series of automated attacks against its InCircle, Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, and Horchow websites, Neiman Marcus also noted that a similar automated attack in December 2015 provided access to full payment card details — not just the last four digits as initially reported.
  • Physical theft of sensitive data at hotel: Police seized bags of documents containing the personal information of guests staying at the Seasons Hotel at Sydney’s Darling Harbour, and one woman has been charged in relation to the theft, according to police. The information was likely stolen around March 21 and included dozens of guest registration forms, which feature photocopies of passports, driver’s licences, and other forms of personal identification.
  • Other notable cybercrime events: Over 2.4 million email addresses and MD5-hashed passwords were stolen from Fashion Fantasy Game, an online game and social network for fashion lovers, in 2016, and the game’s website appears to contain several existing vulnerabilities that could leak data. Cleveland Metropolitan School District is warning some employees, students, guardians, and affiliates that their information may have been compromised when multiple employees fell for a phishing email that compromised their email account credentials. Security and privacy concerns have been raised after London’s Metropolitan Police apparently gave the addresses of 30,000 gun owners to a marketing agency to help promote the sale of a “firearms protection pack.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-04-21_ITTNew

Cyber Risk Trends From the Past Week

2017-04-21_Risk

In addition to the wide-reaching POS breach that IHG announced this week, online retailers may also be at risk of potential payment card breaches due to an unpatched zero-day vulnerability in the Magento ecommerce platform.

Security researchers at DefenseCode said they discovered the high-risk vulnerability during a security audit of Magento Community edition. The researchers said the vulnerability “could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information.”

DefenseCode did not examine the Magento Enterprise version, but a researcher told Threatpost that both versions share the same underlying vulnerable code. The researcher also said that they have made repeated attempts to notify Magento of the issue since November 2016, but it has yet to be patched. In an email to customers, Magento said it plans on addressing the vulnerability soon:

This vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature:

1. Logon to Merchant Site Admin URL (e.g., yourdomain.com/admin)

2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs

3. Select YES from the dropdown options

4. Click on Save Config


Magento is used by approximately 200,000 online retailers, so the vulnerability is a cause for concern, particularly since it is now public and likely will not be patched for at least several weeks. In addition, an attack could be carried out by targeting any Magento admin panel user.

“Full administrative access is not required to exploit this vulnerability as any Magento administrative panel user regardless of assigned roles and permissions can access the remote image retrieval functionality [at the root of the vulnerability],” the advisory noted. “Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database.”

Weekly Cyber Risk Roundup: Payment Card Breaches, Malicious Insiders, and Regulatory Action

Gamestop was the week’s top trending cybercrime target as the company is investigating reports that customer payment card information may have been stolen from gamestop.com. In addition to Gamestop, payment card information was also stolen from the restaurant chain Shoney’s and a series of car washes have issued breach notification letters tied to a compromise at an unnamed third-party point-of-sale (POS) provider.

2017-04-14_ITT.PNG

Two sources told Brian Krebs last week that an alert from a credit card processor indicated gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017. The sources said that card numbers, expiration dates, names, addresses, and verification codes were stolen due to the breach. Gamestop also operates thousands of retail locations, but there is no indication that those have been affected.

However, dozens of Shoney’s locations were impacted by a recent POS breach. A week after Krebs reported the Gamestop breach, confidential alerts from credit card associations stated that similar payment card data was stolen from the restaurant chain. Best American Hospitality Corp., which manages some of Shoney’s corporate affiliated restaurants, later issued a press release saying that remotely installed POS malware led to breaches at 37 Shoney’s locations between December 27, 2016, and March 6, 2017.

In addition, Acme Car Wash, Auto Pride Car Wash, Clearwater Express Car Wash, Waterworks Car Wash, and Wildwater Express Carwash were all notified of a POS malware infection by their unnamed third-party POS provider. The notification occurred on March 27, and customers who used a payment card at those businesses during various periods in February may have had their data compromised.

2017-04-14_ITTGroups

Other trending cybercrime events from the week include:

  • New data breaches announced: A backup database containing information on 918,000 people and belonging to telemarketing company HealthNow Networks was exposed on the Internet, compromising a variety of individuals’ personal and health information. The payday loan company Wonga is investigating a data breach that may have affected up to 245,000 customers in the UK and 25,000 customers in Poland. As many as 115 families had their private information compromised when the Victorian Education Department mistakenly published documents to its website for 24 hours. At least 83 University of Louisville employees had their W-2 forms accessed when an intruder gained access to W-2 Express, a product of Equifax used by the school to provide employees with access to tax documents.
  • More SWIFT attacks made public: The Union Bank of India faced an attack leveraging the SWIFT system that attempted to perform $170 million in fraudulent transactions last July, but the bank was able to block the transfer of funds, the Wall Street Journal reported. The bank’s SWIFT access codes were stolen by malware after an employee opened a malicious email attachment, and the codes were used to send fraudulent instructions in an attack similar to the one that successfully stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve in February 2016.
  • Ransomware continues to impact patient care: A ransomware infection at Erie County Medical Center blocked access to electronic patient records and forced the center to reschedule some elective surgeries, sources told news outlets; however, the hospital has yet to confirm that the shutdown of its computer systems was due to ransomware. IT workers have been re-imaging about 6,000 desktop computers that had to be wiped clean as a result of the infection. Ashland Women’s Health reported a data breach affecting 19,727 patients after ransomware encrypted data on the practice’s electronic health record system, including its patient scheduling application. The practice was able to restore the encrypted data using a backup, and patient care was impacted for a couple of days due to the incident.
  • Amazon seller accounts being hacked: Hackers are using previously compromised credentials to hijack the accounts of third-party sellers on Amazon Marketplace, change the bank account information, and then post nonexistent merchandise at cheap prices to defraud customers. The buyers are eligible for refunds from the sellers, which may come as a surprise to the account owners as the hackers are targeting dormant accounts. A company spokesperson told NBC News that it is working to make sure sellers do not have to handle the financial burden of the hacks.
  • Other notable cybercrime events: Five inmates at the Marion Correctional Institution used computers built from spare parts and hidden in a ceiling in a closet to perform a variety of malicious activities while incarcerated. A team of Indonesian hackers gained access to the online ticketing site Tiket.com and stole approximately Rp 4.1 billion ($308,000 USD) worth of airline tickets from carrier Citilink. Dallas officials are blaming a hacker for setting off all 156 of the city’s warning sirens more than a dozen times.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-04-14_ITTNew

Cyber Risk Trends From the Past Week

2017-04-14_RiskScores

A variety of stories from the past week once again highlighted threats that originate not from external hackers, but from organizations’ employees and poor risk management practices.

To start, Allegro Microsystems has accused a former employee of causing $100,000 worth of damages by logging into the company’s network multiple times after resigning in order to implant malware. According to court documents, the man allegedly returned a computer meant for personal use rather than his work computer when resigning, and he used that work computer along with system administrator credentials to insert malicious code into Allegro’s finance module. The employee “designed the malicious code to copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless,” the documents stated.

Another case involved a DuPont employee who admitted to stealing data from DuPont in the months before he retired in order to bolster a consulting business he planned to run. The man allegedly copied 20,000 files to his personal computer, including formulas, data, and customer information related to developments in flexographic printing plate technology. He also took pictures of restricted areas of DuPont’s plant.

On the regulatory side, the FDA sent a letter to St. Jude Medical demanding the company take action to correct a series of violations related to risks posed by the company’s implantable medical devices — an issue that received quite a bit of attention last summer after a report published by Muddy Waters and MedSec shed light on the alleged vulnerabilities. St. Jude must respond to the FDA within 15 days with “specific steps [it has] taken to correct the noted violations, as well as an explanation of how [it] plans to prevent these violations, or similar violations, from occurring again” — or else St. Jude may face further regulatory action, including potential fines.

That is what happened to Metro Community Provider Network (MCPN), which agreed last week to pay $400,000 following a January 2012 phishing incident that exposed the electronic protected health information (ePHI) of 3,200 individuals. An investigation conducted by the Office for Civil Rights revealed that “prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.” As a result, MCPN will pay the penalty and implement a corrective action plan to better safeguard ePHI in the future.

Weekly Cyber Risk Roundup: Scottrade Exposes Data and ATMs Get Blown Up, Drilled and Infected

The CIA remained the top trending cybercrime target of the week as WikiLeaks released a fourth set of documents related to the agency. The new dump includes 27 documents from the CIA’s Grasshopper framework, which WikiLeaks described as “a platform used to build customized malware payloads for Microsoft Windows operating systems.” The leaked CIA tools will likely continue to dominate much of the cybercrime discussion in the coming weeks as WikiLeaks appears to have a slow-drip campaign designed around maximizing the leak’s publicity.

2017-04-07_ITT

The top trending new cybercrime target of the week was Scottrade, which was one of several organizations to experience a data breach due to insecure, publicly exposed data. The Scottrade incident was caused by “human error” at third-party vendor Genpact, which uploaded a data set to one of its cloud servers without the proper security protocols in place. As a result, “the commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses” was exposed, Scottrade said in a statement.

Security researcher Chris Vickery, who discovered the exposed database, said it contained 48,000 lessee credit profile rows and 11,000 guarantor rows, and that each row contained various types of personal information, including Social Security numbers. The database also contained internal information such as plain text passwords and employee credentials used for API access to third-party credit report websites.

Those who read this roundup each week know that breaches due to insecure databases are common, and in addition to Scottrade, Vickery also discovered “a trove of data from a range of North Carolina government offices, including Dept of Administration, Dept of Health and Human Services, Division of Medical Assistance, Dept of Cultural Resources, Dept of Public Safety, Office of State Controller, Office of State Budget and Management, NC IT Department.”

2017-04-07_ITTGroup

Other trending cybercrime events from the week include:

  • IRS announces another data breach: The IRS is notifying 100,000 people that their tax information may have been compromised due to a data retrieval tool used when filling out the Free Application for Federal Student Aid (FAFSA). Officials first learned of the potential issue in September 2016, but the service was not disabled until suspicious activity was observed in February. Malicious actors could pretend to be students, start the financial aid application with relatively little stolen information, and give permission for the IRS to populate the form with tax data that could then be used for fraudulent returns.
  • Highly sensitive patient data sold on the dark web: A breach at Behavioral Health Center appears to have compromised thousands of patients’ sensitive data, including evaluations, session notes, and records of sex offenders and sex abuse victims. An actor on the dark web claims between 3000 and 3500 unique individuals are in the data, which has since been sold to another actor. “These are not just basic fullz, these are the COMPLETE clinician notes from EVERY session with a patient, sometimes spanning hundreds of sessions over years,” read a listing on the dark web. “Everything confessed/discussed in complete privacy is in here for thousands of patients. All records are from 2007 to current date.”
  • Healthcare organizations targeted: An amateur actor appears to be targeting healthcare organizations with spear phishing messages designed to infect victims with a variant of the Philadelphia ransomware, an unsophisticated ransomware kit that sells for a few hundred dollars. Researchers believe spear phishing messages containing a shortened URL that led to a malicious DOCX file on a personal storage site were used to infect a hospital serving Oregon and Southwest Washington. ABCD Pediatrics said that its servers were infected with “Dharma Ransomware” and while investigating the incident the company also discovered suspicious user accounts that suggested a separate incident of unauthorized access.
  • APT10 hacking group makes headlines: The APT10 hacking group has gained access to the systems of an “unprecedented web” of victims by first targeting managed outsourced IT service companies with spear phishing messages and custom malware and then using those companies as a stepping stone into their clients’ systems. The group also inserted malicious links into certain pages of the National Foreign Trade Council’s website in order to target individuals registering for specific meetings.
  • Other notable cybercrime events: The International Association of Athletics Federations said information related to athletes’ therapeutic use exemption applications was compromised due to unauthorized access to its network by “Fancy Bear.” The Dutch National Charity Lotteries said that around 450,000 customers were impacted by a vulnerability in the computer systems of Lotteries’ supplier OpenOfferete. Cybercriminals stole $40,000 of direct deposit money meant for Denver Public Schools after numerous employees fell for a phishing email. A hack of digital content network Omnia affected a variety of popular YouTube channels. The New York Post app was hacked and used to send out a series of false push notifications. Arrests were made in Dubai related to breaking into the emails of five senior White House officials and attempting to blackmail the officials with what a local law enforcement official described as “highly confidential information.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-04-07_ITTNew

Cyber Risk Trends From the Past Week

2017-04-07_RiskScores

While business email compromise scams and other digital fraud continue to impact numerous organizations, several stories this week proved that criminals are still attempting to steal physical cash from ATMs around the world.

The flashiest story involved a gang based out of England that used explosives and stolen high-powered vehicles to rip ATMs from walls. The gang would then put the stolen ATMs inside a large truck and drive away, in at least one instance right past the very police looking for them. Police announced that several recent raids had led to the arrest of the gang. Less flashy attempted ATM thefts from hotels in Edmonton led police to advise businesses last month that owners should bolt ATMs to the floor and place them in well-lit, high-traffic areas that are monitored by surveillance cameras.

A new, more discreet method of stealing money from ATMs involves emptying the cash stored in certain models by drilling a three-inch hole in the front panel and using a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. Kaspersky Lab researchers first became aware of the attack in September 2016 when a bank client discovered an empty ATM with a golf-ball-sized hole by the PIN pad. Since then, similar attacks using the drill technique have been observed across Russia and Europe. The researchers did not name the ATM manufacturer, but they said the issue is difficult to fix since it would require replacing hardware in the ATMs to add more authentication measures.

Kaspersky Lab also released findings on another series of ATM attacks first hinted at back in February, when a series of attacks that used in-memory malware to infect banking networks were reported. Code from the penetration-testing tool Meterpreter was combined with a number of legitimate PowerShell scripts and other utilities to create malware that could hide in memory and invisibly collect the passwords of system administrators. That access was then used to remotely install a new breed of ATM malware called ATMitch, Kaspersky Lab researchers said in a report issued last week.

The ATMitch malware communicates with the ATM as if it is legitimate software and makes it possible for attackers to collect information about the number of banknotes in the ATM’s cassettes as well as dispense money at the touch of a button. The attackers may still be active, the researchers noted, but it is unknown how many ATMs have been targeted since the malware self-deletes after the attack. What is clear is that ATMs remain a popular target for criminals, and businesses should be aware of the evolving methods — both crude and sophisticated — being used to steal the cash inside them.

Weekly Cyber Risk Roundup: More CIA Leaks, New Mirai Attacks, and LastPass Vulnerabilities

The CIA remained as the top trending cybercrime target of the week as WikiLeaks released a third set of documents related to the agency. The new release includes 676 source code files for the CIA’s secret anti-forensic Marble Framework, which WikiLeaks said “is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.”

2017-04-01_ITT

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi,” WikiLeaks wrote in its announcement. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion.”

The fact that an intelligence agency would have tools to cover its tracks is hardly surprising. However, it appears that WikiLeaks will continue to leak CIA documents for the foreseeable future, and those leaks may have yet-to-be-known implications for governments, tech companies, and cybercriminal actors. After the initial CIA leak in early March, WikiLeaks tweeted that it has released less than one percent of its Vault7 series.

Another recurring story in these roundups is the Mirai botnet, and researchers said this week that a new variant is likely behind a 54-hour long DDoS attack that targeted a U.S. college. The attack peaked at 37,000 requests per second, the most Incapsula has seen out of any Mirai botnet. The company said 56 percent of all IPs used in the attack belonged to DVRs manufactured by the same vendor. IoT devices continue to make headlines for vulnerabilities – including certain devices that were allegedly targeted by the CIA – and this past week saw new warnings of methods for hacking smart televisions as well as a vulnerability in an Internet-connected washer-disinfector. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, IoT devices have potentially become the largest digital footprint of organizations that is not under proper security management.

2017-04-01_ITTGroups

Other trending cybercrime events from the week include:

  • Data breaches expose more credentials: A hacker has stolen the email addresses and MD5-hashed passwords of 6.5 million accounts from Dueling Network, a now-defunct Flash game based on the Yu-Gi-Oh trading card game. Although the game was shut down in 2016, the forum continued to run until recently. Nearly 14 million stolen and fake email credentials from the 300 largest U.S. universities are for sale on the dark web, a rise from only 2.8 million last year, according to the nonprofit Digital Citizens Alliance. The stolen email addresses and passwords sell from $3.50 to $10 each.
  • Warnings of skimming and keylogging devices: Carleton University in Ottawa said it discovered USB keylogging devices on six classroom computers during a routine inspection, and the university is urging staff and students to change passwords for any accounts they may have accessed from classroom computers. The San Bernardino County Sheriff’s Department has received more than 70 reports of credit card fraud tied to a suspected card skimming device in Big Bear. A Romanian citizen pleaded guilty to a scheme to defraud customers of Bank of America and PNC Bank via ATM skimming.
  • Ransomware notifications continue: Urology Austin has notified 200,000 patients of a January 22 ransomware attack that may have compromised their information. Ransomware encrypted files belonging to Forsyth Public Schools and information such as lesson plans and schedules stored by teachers on the district server is likely lost due to the incident. Estill County Chiropractic is notifying 5,335 patients of unauthorized access to its system and a ransomware infection that may have compromised their personal information. Ransomware was found on the computer systems of the Tweede Kamer, the lower house of Dutch parliament.
  • Former employee causes serious problems: A former IT administrator of the Lucchese Boot Company pleaded guilty to hacking the servers and cloud accounts of his employer after he was fired, and the company claims it lost $100,000 in new orders in addition to the extra IT costs it had to endure due to the attack. According to the complaint, the former employee logged into an administrator account after being fired and proceeded to shut down the corporate email and application servers, deleted files on the servers to block any attempts for a reboot, and then began shutting down or changing the passwords on the company’s cloud accounts.
  • Other notable cybercrime events: The personal information of 3.7 million Hong Kong voters and the city’s 1,200 electors may have been compromised when two laptops were stolen. Approximately 95,000 individuals who applied online for a job at McDonald’s in Canada had their information compromised due to unauthorized access to the company’s database. Multiple employees of the Washington University School of Medicine fell for phishing emails designed to steal credentials used to access their email. While investigating a data breach related to employees’ W-2 forms, Daytona State College discovered a second data breach involving student financial aid forms. A Russian citizen has pleaded guilty to his role in helping spread malware known as “Ebury,” which harvested log-on credentials from infected computer servers, allowing the criminal enterprise behind the operation to operate a botnet comprising tens of thousands of infected servers throughout the world.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-04-01_ITTNew

Cyber Risk Trends From the Past Week

2017-04-01_RiskScores

The password manager LastPass has addressed a series of vulnerabilities that were discovered by Google Project Zero researcher Tavis Ormandy, including one now-patched “unique and highly sophisticated” client-side vulnerability in the LastPass browser extension.

In a March 31 update, LastPass advised its users to ensure they are running the latest version (4.1.44 or higher) of the extension so that they are protected.

The vulnerability, which could be exploited to steal data and manipulate the LastPass extension, required first luring a user to either a malicious website or a website running malicious adware and then taking advantage of the way LastPass behaves in “isolated worlds,” the company said.

An isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared. LastPass explained:

The separation is supposed to keep both sides safer from external manipulation. In some cases, these variables can influence the logic of the content script. It is difficult to inject arbitrary values into JavaScript using this technique. But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version.

Fixing the issue required “a significant change” to the browser extensions and LastPass urges other extension developers to look for this pattern in their code and ensure that they are not vulnerable to a similar attack.
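The pattern LastPass describes above, as an added illustration that is not LastPass code and not part of the original roundup: a content script and the page share one DOM but no JavaScript variables, so any string the script reads back out of the DOM is a string the page could have written. The stand-in DOM object, the `data-lp-origin` attribute name, and the `https://evil.example` origin are all invented for this example.

```javascript
// Constructed stand-in for a page's DOM. In a real extension the content
// script and the page share the real document; here a plain object is enough
// to show who controls the values the script reads back.
function makeDom(attrs) {
  return {
    documentElement: {
      getAttribute: (name) => (name in attrs ? attrs[name] : null),
    },
  };
}

const TRUSTED_ORIGIN = 'https://lastpass.com';

// Weak pattern: the extension decides it is "on lastpass.com" from a string
// it finds in the shared DOM. Page script can plant exactly that string, so
// the check proves nothing about where the script is actually running.
function isTrustedSiteWeak(dom) {
  return dom.documentElement.getAttribute('data-lp-origin') === TRUSTED_ORIGIN;
}

// Hardened pattern: decide only from facts supplied by the browser runtime
// that page script cannot rewrite (the document's real origin), and compare
// the whole origin rather than a substring or a regular expression.
function isTrustedSiteStrict(realOrigin) {
  return realOrigin === TRUSTED_ORIGIN;
}

// Any privileged action (handing over stored data, talking to a native
// binary) gates on the strict check, never on DOM-derived state.
function revealStoredData(realOrigin, vault) {
  if (!isTrustedSiteStrict(realOrigin)) return null;
  return vault;
}

// Constructed scenario: a hostile page plants the marker the weak check
// looks for. The weak check is fooled; the strict check is not.
function demo() {
  const vault = { site: 'example.com', username: 'alice' }; // sample record
  const hostileDom = makeDom({ 'data-lp-origin': 'https://lastpass.com' });
  return {
    weakFooled: isTrustedSiteWeak(hostileDom),                       // true
    strictHolds: isTrustedSiteStrict('https://evil.example'),        // false
    leaked: revealStoredData('https://evil.example', vault),         // null
    legit: revealStoredData('https://lastpass.com', vault) !== null, // true
  };
}
```

The review point for extension authors is the one LastPass makes: audit every place a content script turns something it read from the page into a trust decision, and move that decision onto runtime-supplied data.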

The patch came just 10 days after LastPass issued another update to address two other issues discovered by Ormandy that could allow an attacker to retrieve and expose information from a LastPass account, such as a user’s login credentials.

The incident serves as a reminder that vulnerabilities continue to be discovered in a variety of products, including the tools used to help keep individuals and organizations safe. Having a full accounting of an organization’s technology infrastructure as well as policies and procedures to track new vulnerabilities and patch software is one of the most effective ways to combat malicious actors who rely on exploiting well-known vulnerabilities.

Weekly Cyber Risk Roundup: JobLink, $100 Million BEC Scam and Other Breaches

Third-party cybersecurity issues were once again front and center this past week as America’s JobLink, a web-based system that links job seekers with employers, was compromised by a malicious actor, leading to a series of data breach announcements from states that use the system.

[Chart: 2017-03-24_ITT]

“On February 20, 2017, a hacker created a job seeker account in an America’s JobLink (AJL) system,” the company wrote. “The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers.”

Millions of individuals may have been affected by the vulnerability, which was introduced in an AJL system update in October 2016. When exploited, it allowed the malicious actor to view the names, Social Security numbers, and dates of birth of job seekers in the AJL systems of up to ten states: Alabama (600,000), Arizona, Arkansas (19,000), Delaware (200,000), Idaho (170,000), Illinois (1.4 million), Kansas, Maine (conflicting media reports on total number affected), Oklahoma (430,000), and Vermont (186,000).

Vermont Gov. Phil Scott said at a Thursday press conference that the state was looking into its contract with AJL, which has been in effect for about 16 years, and may potentially pursue legal recourse. At the same press conference, Vermont Department of Labor Secretary Lindsay Kurrle noted potential AJL issues that may have compounded the breach, such as older JobLink accounts not being deleted.

Third-party cybersecurity issues continue to be one of the most pressing challenges facing organizations, as the numerous breaches in this roundup each week demonstrate. Despite the challenges, the digital footprints of organizations continue to grow, an issue that Adam Meyer, chief security strategist with SurfWatch Labs, and Kristi Horton, senior risk analyst with Gate 15 & Real Estate ISAC, will discuss on a webinar tomorrow.

[Chart: 2017-03-24_ITTGroups]

Other trending cybercrime events from the week include:

  • WikiLeaks’ dump brings legal issues, more CIA documents: Julian Assange criticized companies for not responding to WikiLeaks’ request that they comply with certain conditions in order to receive technical information on the leaked CIA exploits; however, multiple tech companies said the issue is caught up in their legal departments. WikiLeaks also continued to leak more CIA data by publishing documents that “explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.” The documents are mostly from the last decade, except for a couple that are dated 2012 and 2013.
  • Variety of issues lead to oversharing, data breaches: The UK’s Information Commissioner’s Office is investigating reports that data sharing options in SystmOne may have exposed the medical records of up to 26 million patients. The system’s “enhanced data sharing” option, which doctors turned on so that medical records could be seen by local hospitals, also allowed those records to be accessed by thousands of other workers. Mobile phone company Three is investigating a technical issue that led to some customers who logged into their accounts seeing the personal data of other customers. Med Center Health in Kentucky announced a data breach due to a former employee accessing encrypted patient billing information by falsely implying it was needed for job-related reasons.
  • Bots lead to gift card fraud, stock manipulation: Nearly 1,000 customer websites were targeted by a bot named “GiftGhostBot” that automatically checks millions of gift card numbers to determine which card numbers exist and contain balances. Recent pump-and-dump spam messages from the Necurs botnet falsely claimed that InCapta was about to be bought out for $1.37 per share and that people could buy shares for less than 20 cents before the buyout would be announced.
  • Malware spread via Ask.com toolbar: For the second time in a one month period, malicious actors were able to compromise the Ask Partner Network (APN), creators of the Ask.com toolbar, in order to spread malware that was signed and distributed as though it were a legitimate Ask software update. The first attack was discovered in November 2016, and in December 2016 researchers discovered that the “sophisticated adversary” was continuing its earlier activity “to deliver targeted attacks using signed updates containing malicious content.”
  • Other notable cybercrime events: Hackers going by the name ‘Turkish Crime Family’ claim to have access to a large cache of iCloud and other Apple email accounts and say they will reset accounts and remotely wipe devices on April 7 unless Apple pays a ransom. The McDonald’s India app leaked the personal information of more than 2.2 million users, and data is still allegedly being leaked despite the company’s claims that it fixed the issue. Lane Community College health clinic is notifying approximately 2,500 patients that their personal information may have been compromised due to one of its computers being infected with malware. A gang of hackers-for-hire tried to steal Baidu’s driverless car technology. The FBI believes that North Korea is responsible for the February 2016 theft of $81 million from Bangladesh Bank, and U.S. prosecutors are building potential cases that may both formally accuse North Korea of directing the theft and charge alleged Chinese middlemen

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-03-24_ITTNew)]

Cyber Risk Trends From the Past Week

[Chart: risk scores (2017-03-24_RiskScores)]

One of the most profitable cybercriminal tactics is the business email compromise (BEC) scam, which has accounted for several billion dollars’ worth of actual and attempted losses over the past few years.

A reminder of that ongoing threat surfaced this past week when the Department of Justice announced the arrest of a Lithuanian man on charges that he had successfully duped two U.S.-based companies into wiring a total of over $100 million to bank accounts that he controlled.

The DOJ noted in its press release that the case “should serve as a wake-up call” to even the most sophisticated companies that they may be the target of advanced phishing attempts from malicious actors.

Evaldas Rimasauskas, the arrested Lithuanian man, allegedly registered and incorporated a company in Latvia with the same name as an Asian-based computer hardware manufacturer, and then opened and maintained various bank accounts using that copycat company name. He then is alleged to have sent fraudulent phishing emails to employees of companies that regularly conducted multimillion-dollar transactions with the hardware manufacturer, asking that those companies direct payments for legitimate goods and services to the bank accounts using the copycat name. The indictment also alleges that Rimasauskas submitted forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the victim companies to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

As the FBI and others have repeatedly warned, the lure of a multi-million dollar payout leads cybercriminals to go to great lengths to successfully social engineer companies. This includes more time spent researching things such as the roles of employees and the language they use in written communications, as well as company authority figures, policies and procedures, and supply chains. This allows the social engineers to craft a message, or series of messages, that fits within the expected culture and communication patterns of an organization — increasing their chances of a large, fraudulent payday.
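An accounts-payable control for the pattern described in the two paragraphs above, added here as an example and not taken from the roundup, the DOJ filing, or any vendor’s software: a payment request that names a known supplier but points at a bank account, country, or sender domain the supplier has never used is held for an out-of-band callback. The vendor master record, the `Example Hardware Co.` supplier, its account identifiers, the `example-hardware.example` domain, and the callback threshold are all constructed for this example.

```javascript
// Vendor master: for each verified supplier, the accounts it has been
// confirmed (out of band) to use, the countries those accounts sit in, and
// the e-mail domain its real staff write from. Constructed sample data.
const VENDOR_MASTER = {
  'Example Hardware Co.': {
    accounts: new Set(['TW-ACCT-0001']),
    countries: new Set(['TW']),
    contactDomain: 'example-hardware.example',
  },
};

// Payments at or above this amount always require a callback, even when
// every other field matches. Constructed threshold for the example.
const CALLBACK_THRESHOLD = 1_000_000;

// Collapse case, punctuation and whitespace so that a copycat name such as
// "Example Hardware Co" (no period) is recognised as a look-alike.
function normalizeName(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Review one payment request and return the list of findings (empty when
// the request matches the vendor master on every checked field).
function reviewPayment(req) {
  const findings = [];
  const vendor = VENDOR_MASTER[req.vendorName];

  if (!vendor) {
    const lookalike = Object.keys(VENDOR_MASTER).find(
      (n) => normalizeName(n) === normalizeName(req.vendorName)
    );
    findings.push(
      lookalike
        ? `vendor name resembles "${lookalike}" but is not an exact match`
        : 'vendor not in master record'
    );
    return findings;
  }

  if (!vendor.accounts.has(req.beneficiaryAccount)) {
    findings.push('beneficiary account not on file for this vendor');
  }
  if (!vendor.countries.has(req.beneficiaryCountry)) {
    findings.push('beneficiary country differs from vendor master');
  }
  const senderDomain = (req.requestedBy.split('@')[1] || '').toLowerCase();
  if (senderDomain !== vendor.contactDomain) {
    findings.push('request sent from a domain that is not the vendor contact domain');
  }
  if (req.amount >= CALLBACK_THRESHOLD) {
    findings.push('amount at or above callback threshold');
  }
  return findings;
}

// Policy: any finding means the payment is held until someone phones the
// supplier on a number from the vendor master, not one from the e-mail.
function requiresCallback(req) {
  return reviewPayment(req).length > 0;
}

// Constructed requests: a clean one, one redirecting funds to a new account
// in another country from a near-miss domain, and one using a copycat name.
const LEGIT_REQUEST = {
  vendorName: 'Example Hardware Co.', beneficiaryAccount: 'TW-ACCT-0001',
  beneficiaryCountry: 'TW', requestedBy: 'ap@example-hardware.example', amount: 50_000,
};
const REDIRECTED_REQUEST = {
  vendorName: 'Example Hardware Co.', beneficiaryAccount: 'LV-ACCT-9999',
  beneficiaryCountry: 'LV', requestedBy: 'ap@example-hardware.co', amount: 5_000_000,
};
const COPYCAT_REQUEST = {
  vendorName: 'Example Hardware Co', beneficiaryAccount: 'LV-ACCT-9999',
  beneficiaryCountry: 'LV', requestedBy: 'ap@example-hardware.co', amount: 5_000_000,
};
```

The check deliberately compares against the vendor master rather than against the previous invoice: a fraudster who has already slipped one altered invoice through would otherwise have “established” the new account.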

Weekly Cyber Risk Roundup: Third-Party Breaches and Apache Struts Issues

Twitter is the week’s top trending cybercrime target after malicious actors leveraged a third-party analytics service known as Twitter Counter to hijack a number of Twitter accounts and post inflammatory messages written in Turkish along with images of Nazi swastikas. Hundreds of accounts were compromised, the Associated Press reported.

[Chart: 2017-03-18_ITT]

Forbes magazine, the Atlanta Police Department, Amnesty International, UNICEF USA, and Nike Spain were among the numerous Twitter accounts hijacked.

A Twitter spokesperson said it removed the permissions of the third-party app, which was the source of the problem. In a series of tweets on Wednesday, Twitter Counter responded to the issue: “We’re aware that our service was hacked and have started an investigation into the matter. We’ve already taken measures to contain such abuse. Assuming this abuse is indeed done using our system, we’ve blocked all ability to post tweets and changed our Twitter app key.”

Twitter hijackings are common, and we do not highlight them in this weekly report very often; however, the Twitter Counter compromise is worth noting due to the supply chain issues it represents. Organizations frequently use third-party services to help manage their numerous social media accounts, and that interconnectedness was one of the central themes of SurfWatch Labs’ annual threat intelligence report. “One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

Organizations should have a way to track, monitor, and address any issues pertaining to third-party tools and services so they can better manage the increased risk that stems from an interconnected world.

[Chart: 2017-03-18_ITTGroups]

Other trending cybercrime events from the week include:

  • New point-of-sale breaches: A breach at point-of-sale vendor 24×7 Hospitality Technology appears to be behind a series of fraudulent transactions tied to Select Restaurants Inc. locations, Brian Krebs reported. 24×7 issued a breach notification letter in January saying that a network intrusion through a remote access application allowed a third party to gain access to some of 24×7 customers’ systems and execute PoSeidon malware. Multiple Australian schools are warning parents that individuals are reporting fraudulent payment card transactions after Queensland School Photography’s online ordering system was compromised.
  • Yahoo breach leads to indictments: A grand jury has indicted four individuals, including two officers of the Russian Federal Security Service (FSB), over their alleged roles in the hacking of at least 500 million Yahoo accounts. According to the Department of Justice, the FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated, and paid co-defendants Alexsey Belan and Karim Baratov to collect information through computer intrusions in the U.S. and elsewhere.
  • Breaches due to insecure databases and devices: Security researchers discovered hundreds of gigabytes of data from the Warren County Sheriff’s Department exposed due to an insecure network storage device, including a variety of sensitive documents and recordings. A Dun & Bradstreet database containing the personal information of 33.7 million U.S. individuals has been exposed, likely due to an unsecured MongoDB database. Dun & Bradstreet said that it owns the database, but stressed that the data was not stolen from its systems and that the information was approximately six months old. Thousands of sensitive U.S. Air Force documents were exposed due to an insecure backup drive belonging to an unnamed lieutenant colonel.
  • Ransomware infections continue to be announced: Summit Reinsurance is notifying individuals of a breach after discovering unauthorized access to a server as well as a ransomware infection. The city of Mountain Home, Arkansas, had to wipe the server of its water department and restore the data from a backup after a ransomware infection locked 90,000 files. Metropolitan Urology Group said a November 2016 ransomware infection exposed the health information of patients who received services between 2003 and 2010. Ransomware actors are shifting towards disrupting business services and demanding higher ransom payouts.
  • Other notable cybercrime events: A flaw in the old website of South African-based cinema chain Ster-Kinekor exposed the personal information of up to 6.7 million users. Three is notifying an additional 76,373 customers that their personal information was compromised in a November 2016 incident. Wishbone announced a data breach due to unknown individuals having “access to an API without authorization.” UK travel association ABTA announced that 43,000 individuals had their personal information compromised due to a vulnerability in the servers of a third-party hosting service. Arkansas is investigating whether malware stole the personal information of 19,000 individuals. Cincinnati Eye Institute, Landauer, and Virginia Commonwealth University Health System announced data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-03-18_ITTNew)]

Cyber Risk Trends From the Past Week

[Chart: risk scores (2017-03-18_RiskScores)]

Earlier this month, a patch was issued to address a high-impact vulnerability in the Apache Struts Jakarta Multipart parser that allowed attackers to remotely execute malicious code. Shortly after the patch, an exploit appeared on a Chinese-language website. Researchers then confirmed that attackers were “widely exploiting” the vulnerability. Since then, the issue has continued to affect numerous organizations through data breaches and service downtime.

For example, the Canada Revenue Agency was one of the week’s top trending cybercrime targets after the Canadian government took the website for filing federal tax returns offline due to the vulnerability, temporarily halting services such as electronic filing until security patches could be put in place.  

John Glowacki, a government security official, said during a press conference that there was “a specific and credible threat to certain government IT systems,” and Statistics Canada confirmed that hackers broke into a web server by exploiting the Apache Struts vulnerability. Glowacki also said it was his understanding that some other countries “are actually having greater problems with this specific vulnerability [than Canada].”

Those other instances have not been as widely reported; however, GMO Payment Gateway confirmed a data breach related to the vulnerability. The Japanese payment processing provider announced that an Apache Struts vulnerability led to the leak of payment card data and personal information from customers who used the Tokyo Metropolitan Government website and Japan Housing Finance Agency site. According to the breach notification, the Tokyo Metropolitan Government credit card payment site leaked the details of as many as 676,290 payment cards, and the Japan Housing Finance Agency payment site leaked the details of as many as 43,540 payment cards. The breach was discovered after an investigation was launched on March 9 due to alerts about the vulnerability. Less than six hours later, GMO discovered unauthorized access and stopped all systems running with Apache Struts 2.

SurfWatch Labs analysts warn that applications running with root privileges on unpatched Apache Struts are at high risk of being fully compromised, and organizations are encouraged to patch Apache Struts deployments as soon as possible.

“Unfortunately, fixing this critical flaw isn’t always as easy as applying a single update and rebooting,” Ars Technica’s Dan Goodin noted. “That’s because in many cases, Web apps must be rebuilt using a patched version of Apache Struts.”
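Because the fix means rebuilding every web application that bundles the library, the first job is finding out which deployed applications still ship an old struts2-core jar. The following inventory helper is an added example for this roundup, not code from Apache or SurfWatch Labs. It takes jar paths as found by something like `find /opt/tomcat/webapps -name 'struts2-core-*.jar'` and a minimum patched version supplied by the caller; the paths in `SAMPLE_JARS` are constructed, and the `2.3.32` minimum used in `demo()` is an assumed value to be replaced with the version named in the Apache Struts advisory for the flaw in question.

```javascript
// Parse "x.y.z" or "x.y.z.w" into an array of integers.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error(`bad version string: ${v}`);
  }
  return parts;
}

// Compare two dotted versions numerically (so 2.5.10 > 2.5.9); returns
// -1, 0 or 1. Missing trailing components count as zero.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull the bundled version out of a jar file name such as
// ".../WEB-INF/lib/struts2-core-2.3.31.jar". Returns null for other jars.
const STRUTS_JAR = /struts2-core-(\d+(?:\.\d+)+)\.jar$/;
function versionFromPath(p) {
  const m = STRUTS_JAR.exec(p);
  return m ? m[1] : null;
}

// The web application that owns a jar is the directory above WEB-INF.
function appRoot(p) {
  const idx = p.indexOf('/WEB-INF/');
  return idx >= 0 ? p.slice(0, idx) : p;
}

// Build the inventory: one entry per struts2-core jar with the owning app,
// the bundled version, and whether it is below the patched minimum.
function inventory(jarPaths, minVersion) {
  const rows = [];
  for (const p of jarPaths) {
    const version = versionFromPath(p);
    if (!version) continue; // not a struts2-core jar, ignore
    rows.push({
      app: appRoot(p),
      version,
      needsRebuild: compareVersions(version, minVersion) < 0,
    });
  }
  return rows;
}

// Distinct applications that must be rebuilt against a patched Struts.
function appsToRebuild(jarPaths, minVersion) {
  const apps = new Set(
    inventory(jarPaths, minVersion).filter((r) => r.needsRebuild).map((r) => r.app)
  );
  return [...apps].sort();
}

// Constructed sample: two exploded WARs, one still on an older Struts.
const SAMPLE_JARS = [
  '/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar',
  '/opt/tomcat/webapps/portal/WEB-INF/lib/commons-io-2.4.jar',
  '/opt/tomcat/webapps/shop/WEB-INF/lib/struts2-core-2.5.10.1.jar',
];

// Assumed minimum patched version; substitute the value from the advisory.
function demo() {
  return appsToRebuild(SAMPLE_JARS, '2.3.32');
}
```

Run `demo()` (or feed `inventory()` the real `find` output) and the result is the list of application roots whose build must be repeated with a patched Struts, which is the work Goodin’s quote is pointing at.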

Weekly Cyber Risk Roundup: Massive Leaks Expose CIA Secrets and Alleged Spam Operation

The week’s top trending cybercrime story was WikiLeaks’ release of more than 8,000 documents related to the U.S. Central Intelligence Agency. The dump, called “Vault 7,” contains information on the CIA’s hacking tools and methods and is “the largest ever publication of confidential documents on the agency,” according to WikiLeaks.

[Chart: 2017-03-11_ITT]

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote in a press release. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

The leak has led to widespread reports on the CIA’s hacking capabilities, including tools to compromise Windows, OS X, iOS, and Android devices; ways to circumvent popular antivirus programs; an exploit that uses a USB stick to turn smart TVs into bugging devices; and efforts to infect vehicle control systems. The U.S. is investigating the source of the leaks, which a CIA spokesperson described as deeply troubling and “designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries.”

WikiLeaks said it carefully reviewed the published documents and has avoided “the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.” On Thursday, WikiLeaks founder Julian Assange held a press conference where he said WikiLeaks would give technology companies “exclusive access” to the details of the exploits so that they could patch any software flaws; however, Thomas Fox-Brewster of Forbes reported that as of Saturday morning companies such as Google and Microsoft had yet to receive those technical details from WikiLeaks.

[Chart: 2017-03-11_ITTGroups]

Other trending cybercrime events from the week include:

  • Verifone investigating data breach: Verifone, the largest maker of credit card terminals used in the U.S., is investigating a breach after being alerted in January by Visa and MasterCard that malicious actors appeared to have been inside of Verifone’s network since mid-2016, a source told KrebsOnSecurity. “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame,” Verifone wrote in a statement to Brian Krebs. “We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”
  • TalkTalk responds to scam center report: Two days after the BBC reported on an industrial-scale Indian scam call center targeting TalkTalk customers, the UK-based Internet service provider temporarily banned TeamViewer and other similar remote control software programs over security issues related to the scammers. TeamViewer said that it is “in extensive talks to find a comprehensive joint solution to better address this scamming issue.”
  • Tax information continues to be targeted: Daytona State College is notifying employees that their W-2 information may have been stolen after some employee W-2 statements were discovered being sold on cybercriminal markets. A glitch in Rhode Island’s Department of Human Services’ computer system resulted in more than 1,000 people receiving tax forms with the wrong information. Malicious actors are sharing concerns about government efforts to combat tax fraud, as well as tips on how those protections can be circumvented, on various dark web forums.
  • Organizations face extortion demands: Since the U.S. presidential election, at least a dozen progressive groups have faced extortion attacks where malicious actors search organizations’ emails for embarrassing details and then threaten to release that information if blackmail demands ranging from $30,000 to $150,000 are not paid. A Florida man was charged with intentionally damaging computers that hosted a San Diego software company’s website. The Pennsylvania Senate Democratic Caucus computer system was shut down after a ransomware infection made the system inaccessible to caucus members and employees. Fake extortion demands and empty threats are on the rise as cybercriminals capitalize on the growing number of ransom-related attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-03-11_ITTNew)]

Cyber Risk Trends From the Past Week

[Chart: risk scores (2017-03-11_RiskScores)]

Nearly every week researchers discover new data breaches due to publicly exposed databases that require no authentication, and this past week insecure rsync backups exposed the entire operation of River City Media (RCM), providing a rare glimpse inside what security researcher Chris Vickery described as “a massive, illegal spam operation.”

The discovery led to a months-long investigation as MacKeeper Security Research Center, CSO Online, and Spamhaus came together to examine the data, which included everything from Hipchat logs to accounting details to infrastructure planning and more. Vickery said that there are enough spreadsheets, hard drive backups, and chat logs leaked to fill a book, and both CSO Online and MacKeeper have already teased future stories peeling back additional layers of the operation.

But perhaps the most alarming discovery — along with details of abusive scripts and techniques that have been forwarded to Google, Microsoft, Apple, and others — is a database of nearly 1.4 billion email accounts combined with real names, user IP addresses, and often physical addresses. Those email lists are used by RCM, which masquerades as a legitimate marketing firm, to send up to a billion emails a day, much of which can be classified as spam, according to the researchers.

On Thursday RCM issued a press release addressing the “numerous false and defamatory” statements made by the researchers and news outlets. The company said that the researchers did not find RCM’s “confidential and proprietary information through an unprotected rsync backup” and that if the researchers had contacted them prior to publication “they would have realized that a number of the statements in their articles were false and easily disprovable.” However, the press release did not provide an alternative explanation for how the researchers accessed the data, and Vickery said the company was not alerted since “it was decided that we should approach law enforcement and the affected companies (like Microsoft and Yahoo) before making any attempts at contacting the spammers directly.”

“What was legal and illegal isn’t for me to decide,” said Vickery. “But there are plenty of logs where they discuss illegal scripts and research into basically attacking mail servers and tricking the mail servers into doing things that would be against the law.”

Expect additional information to be reported in the coming weeks as the researchers and reporters comb through all of the data that was exposed.

Weekly Cyber Risk Roundup: Cloudflare Aftermath and Online Stores Breached

The Cloudflare software bug that resulted in the potential leaking of sensitive data remained as the top trending cybercrime event of the past week as researchers continued to investigate and quantify the effects of the incident. In a March 1 blog post, Cloudflare CEO Matthew Prince described the “Cloudbleed” impact as “potentially massive” and said the bug “had the potential to be much worse” than the initial analysis suggested.

[Chart: 2017-03-03_ITT]

Cloudflare summarized its findings as of March 1:

  1. Their logs showed no evidence that the bug was maliciously exploited before it was patched.
  2. The vast majority of Cloudflare customers had no data leaked.
  3. A review of tens of thousands of pages of leaked data from search engine caches revealed a large number of instances of leaked internal Cloudflare headers and customer cookies, but no instances of passwords, credit card numbers, or health records.
  4. The review is ongoing.

The bug was first discovered by researcher Tavis Ormandy on February 17. Ormandy wrote that the data leakage may date back to September 22, 2016, and that he was able to find “full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Prince said that “the nightmare scenario” would be if a hacker had been aware of the Cloudflare bug and had been able to quietly mine data before the company was notified by Google’s Project Zero team and a patch was issued. “For the last twelve days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched,” Prince wrote. “We’ve found nothing so far to indicate that was the case.”

[Chart: 2017-03-03_ittgroups]

Other trending cybercrime events from the week include:

  • Political hacks and fallout continue: The daughter of political consultant Paul Manafort had her iPhone data hacked, and a database containing more than 280,000 text messages, many of which shed light on the family’s views of Russia-aligned Ukrainian strongman Viktor Yanukovych and President Donald Trump, has been leaked on a darknet website run by a hacktivist collective. The files appear to have been accessed through a backup of Andrea Manafort’s iPhone stored on a computer or iCloud account. Three Russians were recently charged with treason for allegedly passing secrets to U.S. firm Verisign and other unidentified American companies, which in turn shared them with U.S. intelligence agencies. The charges come after the U.S. has accused Russia of hacking, and Reuters reported the charges may be a signal that Russia “would now take action against forms of cooperation that it previously tolerated.”
  • More payment card breaches: Hospitality company Benchmark announced a payment card breach affecting six of its properties, including the hotel front desks of Doral Arrowwood, Eaglewood Resort & Spa, and the Santa Barbara Beach & Golf Resort and the food and beverage locations of The Chattanoogan, Willows Lodge, and Turtle Bay Resort. Niagara-Wheatfield School District officials are warning individuals who purchased tickets to attend a school production of “The Lion King” that there have been several reports of credit card fraud tied to those purchases. The school sold the tickets using the ticket sales platform ShowTix4U; however, a spokesperson said there may have been other ways the credit card information could have become compromised. Touring and transportation company Roberts Hawaii is notifying customers of a payment card breach. Authorities are urging customers of Downeast Credit Union in Belfast to check their accounts for suspicious activity after the discovery of a skimming device in an ATM at the Down East Credit Union Belfast branch.
  • Unauthorized access due to employees and poor security: Vanderbilt University Medical Center is notifying 3,247 patients that their patient files were accessed between May 2015 and December 2016 by two staff members who worked as patient transporters. WVU Medicine University Healthcare is notifying 7,445 patients that their protected health information was compromised due to an employee accessing the data without authorization, and 113 of the patients are victims of identity theft. Chicago Public Schools students had their information potentially compromised due to a Google spreadsheet that did not require a login and included special education students’ personal information.
  • Other notable cybercrime events: Spiral Toys sells an internet-connected teddy bear that allows kids and parents to exchange messages via audio recordings, and more than two million of those messages, as well as more than 800,000 email addresses and bcrypt-hashed passwords, have been potentially compromised due to being stored on a database that wasn’t behind a firewall or password-protected. Singapore’s Ministry of Defence said that a “targeted and carefully planned” attack resulted in a breach of its I-net system. An actor using the name “CrimeAgency” on Twitter claims to have hacked 126 vBulletin-based forums that were using outdated versions of the software. Luxury motorcoach company Hampton Jitney is advising customers to change their passwords after a security breach discovered on Wednesday compromised personal information stored by the company.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets (2017-03-03_ittnew)]

Cyber Risk Trends From the Past Week

[Chart: risk scores (2017-03-03_riskscores)]

Several companies have issued breach notification letters related to a malware incident at Aptos, Inc., which provides e-commerce solutions for a number of online stores. The breach at Aptos was discovered in November 2016, and notification by the various companies affected was delayed until recently at the request of law enforcement.

According to a notification from Mrs Prindables:

Mrs Prindables, along with a wide range of major retailers, utilizes a third party company named Aptos to operate and maintain the technology for website and telephone orders. On February 6, 2017, Aptos informed us that unauthorized person(s) electronically accessed and placed malware on Aptos’ platform holding information for 40 online retailers, including Mrs Prindables, from approximately February 2016 and ended in December 2016. Aptos has told us that it discovered the breach in November 2016, but was asked by law enforcement investigating the incident to delay notification to allow the investigation to move forward.

Other companies to issue breach notification letters, as noted by databreaches.net, include: AlphaIndustries.com, AtlanticCigar.com, BlueMercury.com, Hue.com, MovieMars.com, Nutrex-Hawaii.com, PegasusLighting.com, PlowandHearth.com, Purdys.com, Runnings.com, Sport-Mart.com, Thiesens.com, VapourBeauty.com, WestMusic.com, and PercussionSource.com.

The breach announcement comes on the heels of a report that found “a steady rise” in online fraud attack rates throughout 2016. The shift in tactics toward card-not-present fraud was expected, as the increased security associated with the U.S. adoption of EMV technology made card-present fraud less profitable. Fraud does not go away; it only shifts. As SurfWatch Labs’ Adam Meyer has said, fraud is like a balloon: apply a little pressure to one area and malicious actors quickly expand into an area with less resistance.

However, card-present fraud is still impacting organizations. The past month saw a point-of-sale breach at InterContinental Hotels Group that affected the restaurants and bars of 12 properties and another breach that affected six Benchmark properties. In addition, malware was discovered on the payment systems of Arby’s corporate locations. Nevertheless, SurfWatch Labs cyber threat intelligence data, along with reports from other researchers, clearly shows a continued shift as cybercriminals move to find the sweet spot between difficulty and profit when it comes to payment card fraud — and that increasingly appears to be online.

Weekly Cyber Risk Roundup: Cloudflare Bug Discovered, Typos Lead to Theft

This week’s biggest story is the Cloudflare software bug discovered by Google researchers and disclosed Thursday that could have compromised private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” wrote John Graham-Cumming, the CTO of Cloudflare, which provides performance and security services to numerous major websites. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The bug was discovered by researcher Tavis Ormandy on February 17, and the data leakage may date back to September 22. However, the greatest period of impact was between February 13 and February 18, “with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage,” the company said. Popular services such as Uber, 1Password, Fitbit, OkCupid, and many more use Cloudflare. Uber told media outlets the impact on its customers is minimal since “very little Uber traffic actually goes through Cloudflare,” and 1Password said it “designed 1Password with the expectation that SSL/TLS can fail” exactly for these types of incidents.

Days before the public disclosure, Ormandy wrote: “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” Then in another comment, “We’re still working on identifying data that needs to be purged from caches.”

As Wired reported, efforts to discover any leaked data that has been cached and not yet scrubbed “has become something of an internet-wide scavenger hunt.”


Other trending cybercrime events from the week include:

  • Presidential campaign website defaced: A hacker going by the name “Pro_Mast3r” defaced a presidential campaign website for Donald Trump with a message that read, in part, “Peace From Iraq.” The hacker told Brian Krebs that he exploited a DNS misconfiguration to assume control of secure2.donaldjtrump.com.
  • New databases continue to be sold on the dark web: An actor using the name “Berkut” is selling a database of 950,000 user accounts for the website of the music festival Coachella that was allegedly stolen this month. Motherboard confirmed the legitimacy of the database, which contains email addresses, usernames, and hashed passwords. The $300 listing claims that 360,000 of the accounts are related to the main Coachella website and the other 590,000, which contain additional information such as IP addresses, are related to the message board.
  • Employees and students access sensitive data: Dignity Health St. Joseph’s Hospital and Medical Center is notifying approximately 600 patients that a part-time hospital employee viewed portions of their medical records without a business reason between October 1, 2016, and November 22, 2016. An Ohio Department of Taxation employee was fired for accessing the confidential tax information of relatives and acquaintances dozens of times. A student in the South Washington County school district in Minnesota hacked into the district’s server and downloaded the data of more than 15,000 people to an external hard drive in January.
  • Cybercrime-related arrests and sentencing: On Wednesday, February 22, UK law enforcement announced the arrest of a 29-year-old British man on suspicion of carrying out the cyber attack against Deutsche Telekom in November of last year, which impacted up to 900,000 customers of the ISP. SurfWatch Labs analysts have moderate confidence that this individual is the hacker known as “Bestbuy,” and additional researchers have said the actor also used the alias “Popopret.” A former systems administrator for Georgia-Pacific was sentenced to 34 months in prison and ordered to pay damages of more than $1 million after pleading guilty to remotely accessing the plant’s computer system and intentionally transmitting code and commands designed to cause significant damage to Georgia-Pacific and its operations.
  • Other cybercrime announcements: The personal information of 55 million voters in the Philippines was compromised when a computer from the Office of the Election Officer in Wao, Lanao del Sur was stolen, but the data was encrypted with AES-256. A spear phishing campaign against individuals in the Mongolian government used the popular remote access tool Poison Ivy as well as two publicly available techniques to evade AppLocker application whitelisting, four stages of PowerShell scripts to make execution difficult to trace, and decoy documents to minimize user suspicion. The Texas Department of Transportation said a breach of its automated administrative system affected a small number of employees whose information was compromised and potentially altered. Actress Emily Ratajkowski is the latest celebrity to have an iCloud account containing sensitive information hacked.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The Cloudflare bug can be traced back to a single character of code in the company’s HTML parser, which resulted in a buffer overrun, the company said.

“The Ragel code we wrote contained a bug that caused the pointer to jump over the end of the buffer and past the ability of an equality check to spot the buffer overrun,” Graham-Cumming said. “Had the check been done using >= instead of == jumping over the buffer end would have been caught.”
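The same class of bug in miniature, as an added example that is not Cloudflare’s code (the real parser was Ragel-generated; the tokenizer, the `scan` function and the `demo_buf` input below are constructed here for illustration). A scanner that can advance its pointer by more than one byte at a time must test for `p >= end`, because an `==` test is simply stepped over when the last token is truncated. In Cloudflare’s case the bytes read past the end were other customers’ request data sitting in the same process; here a few sentinel bytes stand in for that adjacent memory, and a hard `limit` keeps the buggy variant from reading unowned memory while the demo runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of one scan: how many tokens were counted and how many bytes
 * were dereferenced beyond the end of the input (should always be 0). */
typedef struct {
    size_t tokens;
    size_t overrun;
} scan_result;

/* Constructed demo input (not Cloudflare's data): the first 3 bytes are the
 * logical input and end with a truncated backslash escape; the remaining
 * bytes stand in for whatever happens to follow the buffer in memory. */
const uint8_t demo_buf[8] = {'a', 'b', '\\', 'X', 'Y', 'Z', 'W', 'V'};

/* Hypothetical tokenizer, not the Ragel-generated Cloudflare parser.
 * A token is one byte, except that a backslash escape "\c" consumes two.
 * 'len' is the logical input length; 'limit' is the size of the backing
 * allocation and exists only so the buggy variant can be run safely here.
 * fixed == 0: the loop stops on p == end (the bug).
 * fixed != 0: the loop stops on p >= end (the fix). */
scan_result scan(const uint8_t *buf, size_t len, size_t limit, int fixed)
{
    const uint8_t *p = buf;
    const uint8_t *end = buf + len;
    const uint8_t *hard = buf + limit;
    scan_result r = {0, 0};

    for (;;) {
        /* Termination check. If the final escape is truncated, p steps from
         * end - 1 to end + 1; an equality test never fires again and the
         * scanner keeps reading past the input. */
        if (fixed ? (p >= end) : (p == end))
            break;
        if (p >= hard)          /* demo safety net; real code has none */
            break;
        if (p >= end)
            r.overrun++;        /* about to read a byte outside the input */
        if (*p == '\\')
            p += 2;             /* escape: the backslash plus the escaped byte */
        else
            p += 1;
        r.tokens++;
    }
    return r;
}

int main(void)
{
    scan_result bug = scan(demo_buf, 3, sizeof demo_buf, 0);
    scan_result fix = scan(demo_buf, 3, sizeof demo_buf, 1);
    printf("== check: %zu tokens, %zu bytes read past end of input\n",
           bug.tokens, bug.overrun);
    printf(">= check: %zu tokens, %zu bytes read past end of input\n",
           fix.tokens, fix.overrun);
    return 0;
}
```

On the three-byte input the `==` variant walks through all five sentinel bytes (four of them dereferenced as “tokens”) before the demo’s safety net stops it, while the `>=` variant stops after the third token. The practical checks are the same ones that found the real bug: fuzz parsers with truncated and malformed inputs, and run them under AddressSanitizer or Valgrind, which flag the first out-of-bounds read rather than letting it surface as leaked data months later.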

Cloudflare wasn’t the only company to face issues due to a single character. Zerocoin announced last Friday that a typographical error of a single additional character in its code allowed an attacker to create Zerocoin spend transactions without a corresponding mint, resulting in the creation of about 370,000 Zcoins. Zerocoin discovered the bug when it noticed the total mint transactions did not match up with the total spend transactions. All but around 20,000 of the Zcoins were sold for around 410 BTC in profit. “Despite the severity of the hack, we will not be forfeiting or blacklisting any coins,” Zerocoin wrote in an announcement. “Trading will resume once pools and exchanges have had time to update their code. A new release will be pushed out pretty soon.”

Small mistakes like these continue to cause major problems for organizations. This past week also saw reports that a database belonging to digital publisher Ziff Davis could have been exfiltrated due to a website configuration issue affecting itmanagement.com, potentially exposing 7.5 million records. The database contained names, phone numbers, employment details, and email and employer addresses, as well as contact information for users registered on other Ziff Davis properties. According to multiple researchers, contact information for anyone in the shared database could have been viewed simply by incrementing or decrementing a field in a URL belonging to one Ziff Davis publication, a textbook insecure direct object reference in which the server never checked that the requester was entitled to the record it returned.

There was also the discovery that more than 1.4 million emails sent over Harvard Computer Society (HCS) email lists were public, including emails divulging Harvard students’ grades, financial aid information, bank account numbers for some student organizations, advance copies of a final exam, answer keys to problem sets, and more, likely because the default setting for HCS list archives was public. In addition, New York’s Stewart International Airport publicly exposed 760GB of server backup data for over a year because a network storage drive, installed by a contracted third-party IT specialist, held several backup images of servers and was not password-protected.

The week’s incidents are yet another reminder that a good portion of effective cyber hygiene revolves around looking inward at an organization’s technology, policies, and procedures and their associated cyber risk.

Weekly Cyber Risk Roundup: Yahoo’s Value Drops and New Regulations

Yahoo is once again back in the news for a variety of reasons, including a reported third data breach. However, it appears the reports of a “new breach” stem from additional notifications that were sent to some users on Wednesday regarding forged cookies being used to access accounts. Yahoo first disclosed that it was notifying affected users that “an unauthorized third party accessed our proprietary code to learn how to forge cookies” in its December 2016 breach announcement.


“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said regarding the recent account notifications. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”

In addition to users potentially growing weary of Yahoo’s months-long series of breach notifications, two senators sent a letter to Yahoo questioning the company’s “willingness to deal with Congress with complete candor” about the recent breaches. Initial inquiries showed that “company officials have been unable to provide answers to many basic questions about the reported breaches” and a planned congressional staff meeting was cancelled at the last minute by Yahoo, wrote Sen. John Thune, chairman of the Senate Commerce Committee, and Sen. Jerry Moran, chairman of the Consumer Protection and Data Security Subcommittee. The letter requests answers to five questions related to Yahoo’s breaches and subsequent response by February 23.

All of that negative press may translate into hundreds of millions of dollars being cut from Yahoo’s pending deal to be acquired by Verizon. Bloomberg reported last Wednesday that the two companies were close to reaching a renegotiated deal that would lower the price of the core Yahoo business from $4.8 billion to about $4.55 billion, a $250 million discount. In addition, the remaining aspects of Yahoo, to be renamed Altaba Inc., will likely share any ongoing legal responsibilities related to the breaches, although the deal is not yet final.


Other trending cybercrime events from the week include:

  • Variety of espionage campaigns: A campaign dubbed “Operation BugDrop” targeted a broad range of Ukrainian targets by remotely controlling computer microphones in order to eavesdrop on sensitive conversations, and at least 70 victims have been confirmed in a range of sectors including critical infrastructure, media, and scientific research. A phishing campaign against journalists, labor rights activists, and human rights defenders used fully fleshed-out social media accounts of a fake UK university graduate to engage with targets for months and make repeated attempts to bait the targets into handing over Gmail credentials. Spyware from the Israeli cyberarms dealer NSO Group has been found on the phones of nutrition policy makers, activists, and government employees who are proponents of Mexico’s soda tax, leading to concerns over how the NSO Group vets potential government clients and whether a Mexican government agency is behind the espionage.
  • Actor breached dozens of organizations: A hacker going by the name “Rasputin” has breached more than 60 universities and government agencies by allegedly using a self-developed SQL injection tool. The targets included dozens of universities in the U.S. and the UK, city and state governments, and federal agencies like the Department of Health and Human Services.
  • Employee data compromised: In addition to a growing list of organizations impacted by W-2 phishing emails, Lexington Medical Center announced a W-2 breach involving unauthorized access to its employee information database known as eConnect/Peoplesoft. The city of Guelph, Ontario, is notifying some employees that their personal information was compromised when a flash drive containing sensitive documents was accidentally given to a former city employee as part of an ongoing wrongful dismissal lawsuit. A data breach at the San Antonio Symphony compromised the data of about 250 employees.
  • Ukraine accuses Russia of critical infrastructure attacks: Ukrainian officials accused Russia of targeting their critical infrastructure with malware designed to attack specific industrial processes, including modules that sought to harm equipment inside the electric grid. The attacks employed a mechanism dubbed “Telebots” to infect computers that control infrastructure. Researchers believe that Telebots evolved from BlackEnergy, a group that first attacked Ukraine’s energy industry in December 2015.
  • Other cybercrime announcements: FunPlus, the creator of the popular mobile game Family Farm Seaside, said it was the victim of a data breach, and the actor behind the attack claims to have stolen millions of email addresses as well as 16GB of product source code. Columbia Sportswear announced that it is investigating a cyber-attack on its prAna online clothing store. Hackers have stolen data on approximately 3,600 customers of Danish telecom company 3 and then attempted to blackmail the company for millions of dollars in return for not making the data public. Family Service Rochester, an organization that works with families with child welfare or family violence concerns, is notifying individuals of unauthorized access to their personal information, as well as a ransomware infection. Bingham County computer servers were infected with ransomware. The Russian Healthcare Ministry recently experienced its “largest” DDoS attack in recent years.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

In addition to Yahoo, the past few weeks have seen several new regulatory announcements and fines related to data breaches.

For starters, New York Governor Andrew Cuomo announced that new regulations will go into effect on March 1, 2017, “to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks.” The regulation includes minimum standards organizations must meet, such as:

  • Controls relating to the governance framework for a robust cybersecurity program, including adequate funding, staffing, oversight, and reporting
  • Standards for technology systems, including access controls, encryption, and penetration testing
  • Standards to help address breaches, including an incident response plan, preservation of data, and notice to the Department of Financial Services (DFS) of material events
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to DFS

In addition to the New York regulations, the Australian data breach notification law passed through the Senate and will go into effect either on a proclaimed date or a year after receiving Royal Assent. Violating these soon-to-be-implemented rules can be costly for organizations. Over just the past week, organizations of various sizes announced breach-related settlements, most of which were compounded by not following required security practices.

  • Memorial Healthcare Systems will pay $5.5 million for failing “to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules.”
  • Horizon Blue Cross Blue Shield of New Jersey will pay $1.1 million over the theft of unencrypted laptops.
  • Grand Buffet restaurant will pay $30,000 over the theft of payment card information by an employee and its failure to implement corrective actions after being informed about the mishandling of credit cards.

Following the cybersecurity best practices outlined by regulatory bodies can not only help prevent many security incidents from occurring in the first place, but in the event of a breach those organizations are far less likely to face the wrath of government bodies.