Weekly Cyber Risk Roundup – Page 6

Weekly Cyber Risk Roundup: New PoS Breaches and Simple Attacks

The week’s top trending event was the compromise at Freedom Hosting II, which has been estimated to host as much as 20 percent of active dark web sites. As a result, thousands of dark web sites were taken offline, and the stolen data has since been widely shared.

Security researcher Troy Hunt, who reviewed some of the data, said that 381,000 email addresses were exposed along with a 2.2GB MySQL file that contained database backups of customers with “a very broad range of data from different systems.” Hunt added that “a significant amount” of that data is illegal. The hacker taking credit for the incident told Motherboard that the discovery of 10 sites hosting child pornography was the impetus for escalating the attack from read-only access to gaining system privileges, which was done using a 21-step process.

The other big news of late is the announcement of several new point-of-sale data breaches. InterContinental Hotels Group announced a point-of-sale breach affecting customers who used payment cards at the restaurants and bars of 12 properties, and fast-food chain Arby’s confirmed that malware was discovered on the payment systems of corporate locations. The incidents mirror the beginning of 2016, which saw similar breach announcement from Hyatt hotels and fast-food chain Wendy’s. The IGH breach is smaller than last year’s Hyatt announcement, which likely affected guests at 250 hotels, but the Arby’s breach may be comparable to the Wendy’s breach, which affected 1,025 locations.

More than 1,000 of the 3,300 total Arby’s restaurants are corporate owned; however, not every corporate location was affected, an Arby’s spokesperson said. Arby’s has yet to release official numbers or dates of the incident, but PSCU, a service organization that serves more than 800 credit unions, issued a non-public alert saying that more than 355,000 payment cards issued by PCSU member banks were compromised due to an incident at “a large fast food restaurant chain, yet to be announced to the public.” PCSU also estimated that the fast-food chain breach occurred between Oct. 25, 2016, and January 19, 2017.

Other trending cybercrime events from the week include:

Polish financial regulator used to spread malware: A malicious actor compromised the internal systems of the Polish Financial Supervision Authority and used the financial regulator to spread malware to Polish banks. According to The Register, a modified JavaScript file likely resulted in visitors to the regulator’s site loading an external file that led to malicious payloads. A spokesperson said the regulator decided to take its entire system offline “in order to secure evidence.” Polish media have described the incident as the most serious attack ever on the Polish banking industry.

Extortion attacks continue: Taiwan brokerages are receiving DDoS extortion emails claiming to be from the group known as the “Armada Collective,” and several brokerages have reported DDoS attacks following those ransom demands. A malicious actor gained accessed to millions of messages and documents from the computer system of Doyen Global and leaked numerous emails from soccer star David Beckham after a failed blackmail attempt of “between €500,000 and a million.”

More government attacks: An attack against the Italian foreign ministry last spring compromised email communications for many months, but it did not affect the encrypted system used for classified communications. The Russian-linked APT 29 hacking group has been targeting Norwegian organizations with spear phishing emails. The attorney for Little Egg Harbor believes someone within the township is stealing data from the municipal computer systems and handing that confidential information over to a local political blogger. Hackers may have used stolen passwords to gain access to a Bureau of Consular Affairs email account that serves as a contact window to 117 Taiwanese overseas offices around the world. The former NSA contractor who faced charges in 2016 relating to the theft of 50 terabytes of highly sensitive data, allegedly stole more than 75 percent of the hacking tools belonging to the NSA’s elite hacking group known as the Tailored Access Operations.

Stolen and leaked databases: A database from the law enforcement forum PoliceOne was stolen in 2015 and the information of 700,000 members has been publicly distributed. A group of hackers claim to have a database of 20 million records stolen in 2014 from Bin Weevils, a British online children’s game owned by 55 Pixels. An actor using the name “zerodark70” is selling a database of 83,000 accounts from UPI.com, the website of the news agency United Press International. A large portion of the anti-piracy company Denuvo’s web database content is unsecured, and as a result information submitted via the company’s public contact form dating back to April 2014 has been posted online.

Other cybercrime announcements: A vulnerability in an October 2016 software update for the Michigan Data Automated System has exposed as many as 1.87 million Michigan workers’ information to a third-party vendor. UK sports retailer Sports Direct experienced a breach due to an attacker exploiting vulnerabilities in the unpatched version of the DNN platform the company was using to run a staff portal. Computer supplier Logic Supply announced there was unauthorized access to the company’s website on February 6, 2017. UK magazine publisher Future announced that its FileSilo website was breached. Singn and Arora Oncology Hematology in Michigan announced a data breach affecting 22,000 individuals.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

The past week saw the continuation of several stories highlighted in recent risk reports.

For starters, malicious actors are exploiting the recently announced severe content injection vulnerability found in the WordPress REST API, which was fixed in the WordPress 4.7.2 update. At least twenty-four different campaigns are actively defacing WordPress sites. WordFence, which said that this is “one of the worst WordPress related vulnerabilities to emerge in some time,” reported that nearly 1.9 million defaced web pages have been indexed by Google as of February 10.

WordPress has an automatic update feature to protect against newly announced exploits being used by malicious actors, but a large number of websites appear to have disabled that feature and have not updated to version 4.7.2, which has been available since January 26.

As SurfWatch Labs continues to stress in blogs and articles, cyber threat intelligence clearly shows that the security threats are not as complex as some media and vendors make them out to be. Another example of simple but effective attacks is the growing number of organizations publicly tied to W-2 related breaches. Two weeks ago we wrote that the 2017 W-2 breach count had rose to 24 organizations. By last Friday that number had risen to 40. By Monday morning, it rose again to 48 – including school districts, colleges, healthcare organizations, manufacturers, payroll providers, restaurants, retailers and more.

IRS Commissioner John Koskinen warned that “this is one of the most dangerous email phishing scams we’ve seen in a long time.” These impersonation emails, also known as business email compromise scams, have proven to be effective, and they are costly for the organizations that fall victim to them. But they are not complex. They rely on three simple and straightforward aspects all good impersonators utilize:

A simple backstory – The malicious actors utilize the built-in story of tax season.
Appearing as though they belong – The emails matter-of-factly request information that is relevant to the payroll and human resource departments being targeted.
Projecting authority – The requests appear to come from a higher-up such as a school superintendent or executive.

Many attacks that lead to data breaches are not sophisticated efforts carried out by actors using zero-day exploits; rather, they are opportunistic attacks leveraging public vulnerabilities and simple social engineering tactics. When it comes to managing cyber risk, ensure your organization can defend against these basic attacks before addressing more advanced – and often far less relevant – cyber threats.

Weekly Cyber Risk Roundup: Ransomware and Insecure Databases Dominate Headlines

Ransomware and extortion continue to dominate the headlines in 2017. The past week saw several widely reported incidents involving service outages and lost data due to infections, as well as warnings that malicious actors are attempting to extort organizations via the threat of DDoS attacks.

The Austrian hotel Romantik Seehotel Jägerwirt paid approximately $1600 in ransom after ransomware locked the hotel out of its computer systems and the hotel was unable to issue new key cards to arriving guests. The hotel’s reservation system was down for 24 hours; however, the initial media reports that customers were locked in their rooms due to the incident were false, the owner told Motherboard. The hotel’s managing director told The Verge that the issue was that the hotel could not program keycards for the guests checking in on the same day due to the system being down. The Local reported that it was the fourth time hotel had been hit by such an attack, prompting the company to go public in order to warn others about these types of cybercrime incidents.

Several other ransomware-related service outages were announced this week. Licking County, Ohio, shut down more than a thousand computers due to a ransomware infection. A variety of departments, such as the 911 call center, were unable to use computers and had to switch over to other forms of communication, and services such as court house phones and the issuing of court documents were made unavailable, 10TV reported. In addition, The Washington Post reported that ransomware left 123 of the 187 Washington D.C. police surveillance cameras, which monitor public spaces across the city, unable to record from January 12 to January 15. The ransom demand was not paid as the police simply removed all software and restarted the system at each site.

Finally, Hong Kong’s Securities and Futures Commission warned that brokers across the city are being targeted with DDoS attacks and extortion demands from cybercriminals, and it is urging financial institutions to implement and review security measures.

Other trending cybercrime events from the week include:

Warning issued following two dozen W-2 breach announcements: The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert on Thursday warning employers that W-2 phishing scams are spreading into sectors beyond the corporate world, including school districts, tribal organizations and nonprofits. In addition, the scammers are following up the request with a more traditional fraudulent wire transfer request, resulting in some organizations losing both employees’ W-2s and thousands of dollars due to wire transfers. SurfWatch Labs has identified at least 24 organizations publicly tied to W-2 data breaches over the past two weeks. The emails are a form of the popular Business Email Compromise scam, such as the one against Sedgwick County that led to $566,000 being fraudulently transferred.

Shamoon malware strikes again: Saudi Arabia’s telecom authority is warning organizations to be on the lookout for Shamoon 2 after recent attacks led to at least three government agencies and four private sector companies going offline for 48 hours. Among those targeted were multiple petrochemical and IT services companies, which reportedly shut down their networks in an attempt to protect themselves. It appears the goal of the attack was disruption, not data exfiltration, similar to previous Shamoon attacks; however, the incident was less destructive than similar attacks in November as backups were more commonplace due that previous incident.

Czech foreign ministry targeted with DNC-style hack: A foreign government hacked the email system of the Czech foreign ministry and accessed the email system used by employees to communicate with people outside the ministry in an attack similar to the breach of the Democratic National Committee, Foreign Minister Lubomir Zaoralek said. A spokesperson for the Czech minister said the scale of the attack is still being assessed but noted that other ministries “might be in a little bit of a problem.” Officials indirectly accused Russia of carrying out the attacks.

Printing company exposes 400 GB of data: A PIP Printing and Marketing Services franchise branch located in California exposed 400 gigabytes of sensitive information due to a publicly available backup server without any password protection. The exposed data includes 50 GB of scanned documents relating to court cases, medical records, well-known companies and celebrities, as well as an archive of correspondence with attached documents, some of which have credit card numbers and billing details in plain text.

Other cybercrime announcements: The Xbox360 ISO and PSP ISO forums, which provides gamers with links to free and often-illegal game downloads, were hacked in September 2015 and the details of 2.5 million accounts were leaked. Security firms Dr. Web and Emsisoft were targeted by DDoS attacks after publishing research related to a botnet of Linux devices and an update for the Merry Christmas ransomware (MRCR) decryptor tool. The hacking group OurMine hacked into a variety of social media accounts belonging to the WWE and CNN. Toys “R” Us is forcing reward members to reset account passwords after the vendor responsible for managing the program notified the company of attempts to access customer accounts and steal coupons using credentials reused from other data breaches.

Cyber Risk Trends From the Past Week

The past week once again saw numerous organizations exposing data due to insecure public databases, and several of those databases reportedly contained data that was no longer in use.

Security researcher Chris Vickery discovered unsecured database backup files from Indycar, which exposed the personal information of more than 200,000 users as well as Indycar employee login credentials. The user data was related to a now-retired Indycar bulletin board and contained sensitive information such as names, usernames, email and physical addresses, dates of birth, password hashes and security questions and answers.

As Vickery noted, holding that user data was unnecessary since the board was no longer in use:

Why do companies hold on to password hashes long after the associated site has been shuttered? That’s nothing but liability. They are putting customers at risk for no gain. There was absolutely nothing for Indycar to gain by holding on to these password hashes. And now they are faced with negative PR as word of the situation gets out to racing fans.

In addition, Polish game development studio CD Projekt RED, which developed the popular Witcher franchise, announced that a now-obsolete forum database was hacked and more than 1.8 million user credentials were stolen in March 2016.

“It’s the old database we used to run the forum before we migrated to the login system powered by our sister company — GOG.com,” the company wrote in a post on its forums. “At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier.”

The incidents are reminders that when it comes to cybersecurity, less data tends to equals less risk. This is particularly true for data that is no longer required to be held and may therefore receive less scrutiny than data that is being actively used. In short, if your organization is holding on to unnecessary data, it is opening itself up to unnecessary risk.

Weekly Cyber Risk Roundup: DDoS Attacks Disrupt Services and SEC Probes Yahoo

A series of distributed denial-of-service (DDoS) attacks against financial institutions led to customers of Lloyds Banking Group experiencing intermittent outages over a 48-hour period and was the top trending cybercrime event over the past week.

The Guardian reported that the attacks hit Lloyds, Halifax and Bank of Scotland from January 11 to January 13. IBTimes reported that other unnamed lenders were targeted, but experienced no down time. Motherboard spoke to a hacker who claimed to be behind the attack and allegedly tried to ransom Lloyds over the incident. However, Lloyds issued a statement saying it was able to provide normal service for “the vast majority” of customers and that “only a small number” experienced any issues during the attack.

In other DDoS news, the ticketing systems for the Sundance Film Festival were taken offline due to a cyber-attack on January 21. “We have been subject to a cyberattack that has shut down our box office,” the festival tweeted. “Our artist’s voices will be heard and the show will go on.” According to The Hollywood Reporter, “although the festival was able to get its ticketing systems back online within an hour of the Saturday breach, multiple other denial-of-service (DDoS) attacks on Sundance’s IT infrastructure followed.”

Finally, the Korea Internet & Security Agency recently issued a report echoing concerns shared by other security professionals, including SurfWatch Labs Adam Meyer: expect DDoS attacks leveraging Internet-of-Things devices to rise in 2017. South Korea has recently faced political turmoil, and in December the country’s Constitutional Court began its first hearings on the impeachment of President Park Geun-hye. The agency report predicted that DDoS attacks may occur against key government agencies and social infrastructure-related facilities with the goal of stirring the political and social instability brought on by the impeachment proceedings and potential upcoming election. According to SurfWatch Labs’ data, government was the third highest trending sector related to DDoS attacks in 2016, behind only information technology and consumer goods.

Other trending cybercrime events from the week include:

Another year of W-2 breaches begins: Approximately 1,400 Campbell County Health employees had their W-2 information stolen when an employee fell for a phishing email impersonating a hospital executive. Eight Missouri school districts were targeted with identical phishing messages impersonating the superintendent and requesting employee W-2 information, and an employee at the Odessa School District fell for the scam and forwarded the information. The Argyle Independent School District in Texas and the Tipton County School District also reported breaches due to similar phishing emails.

Media outlets hit with political attacks: The Twitter accounts of BBC Northampton and The New York Times video were both hijacked and used to spread fake messages saying that President Donald Trump was injured in the arm by gunfire at his inauguration and that Russia was planning to attack the U.S. with missiles. Crescent Hill Radio WCHQ said its FM feed was hacked and a song titled “Fuck Donald Trump” was played on repeat for 15 minutes before the station could shut down the broadcast.

Exposed databases reveal sensitive data: Security researchers have found nearly 400,000 audio recordings belonging to VICI Marketing exposed to the Internet, and as many as 17,649 of those recordings include customer payment card numbers and private customer information. The other 375,368 audio recordings are “cold calls,” some of which contain personal information. A misconfigured database used by The Candid Board, a subscription website dedicated to images and video of women who appear unaware they are being recorded, led to the leak more than 178,000 members’ information. The source also said that he or she is in possession of “a large chunk of data from multiple boards operated by this group,” which IBTimes explained was in reference to another leaked database holding tens of thousands of records from a website called NonNudeGirls.

Arrests and charges: A former employee of First Niagara call center admitted to using his position to steal callers’ personal information and then using that information to transfer $15,492.59 from customer accounts to his own. An IT worker employed by the New York Police Department accessed personnel files of police officers and then attempted to sell that information to an undercover informant. A 32-year old Russian programmer suspected of developing the NeverQuest banking Trojan was arrested in Barcelona, according to Spanish authorities.

Other cybercrime announcements: A hacker gained access to a server for the National Aids Research Institute in India and was able to access an archive containing the results of dozens of HIV tests. Malware was found on computers at 21 locations of Bowlmor AMF, the world’s largest bowling center operator, leading to a point-of-sale breach. Cockrell Hill Police Department in Texas lost some digital videos and documents dating back to 2009 after ransomware encrypted the departments files and those encrypted files were then saved to the automatic backup system. Other breach announcements include the South Washington County School district in Minnesota, MultiCare Health System, Ohio State Veterinary Medical Center at Dublin, Catholic Charities of Baltimore, and Wisconsin Democratic Party websites.

Cyber Risk Trends From the Past Week

The fallout over two massive data breaches at Yahoo continued this past week as it was reported that the Securities and Exchange Commission (SEC) opened an investigation into the timeline of Yahoo’s data breach disclosure and that the sale of Yahoo’s main web operations to Verizon has been delayed until the next quarter.

Sources told The Wall Street Journal that the SEC issued a request for documents from Yahoo in December and is looking into whether Yahoo’s breach disclosures may have violated civil securities laws. The investigation will likely focus on Yahoo’s 2014 data breach affecting 500 million users, which was announced in September 2016. Yahoo is said to have linked the 2014 breach to state-sponsored actors two years before the public disclosure. In December 2016 Yahoo disclosed a separate breach affecting more than one billion users.

The SEC has never brought a case against a company for failing to disclose a data breach, the Wall Street Journal reported, but experts said the SEC has been looking for a case to clarify guidance issued in 2011. That guidance requires the disclosure of material information about cybersecurity risks and incidents if it could affect investors, but what is “material” is still a question – a question that this case may potentially help answer.

Those two data breaches have led to speculation over the past few months of how they may impact Verizon Communication’s acquisition of Yahoo, which was valued at $4.83 billion last July. Yahoo said it is “working expeditiously” to finish the deal; nevertheless, the sale has been pushed back until next quarter.

“Yahoo has been an interesting process,” Verizon Chief Financial Officer Matt Ellis said in an interview last Tuesday with Bloomberg. “There’s been good progress, but we are still awaiting the final reports and therefore we haven’t reached any conclusions yet.”

Weekly Cyber Risk Roundup: Ransomware Disrupts Organizations and Massive Data Leaks

Extortion is once again the top trending cybercrime issue as concern continues around the theft, destruction and blackmail related to thousands of insecure MongoDB, Elasticsearch, CouchDB and Hadoop Distributed File System installations. While those stories led much of the past week’s discussion, there was also a steady stream of reports of organizations being infected with ransomware.

The most impactful, publicly known ransomware attack of late involves the St. Louis Public Library. The attack hit 700 computers across all 17 of the library’s locations on Thursday, forcing the library to temporarily stop all book borrowing. A $35,000 ransom demand was made, but the library said it will wipe its computer system rather than pay. Checkout service was restored to all locations on Saturday, according to the St. Louis Post Dispatch, and the library’s next priority is to restore service to the publicly available computers – although as of Sunday morning the library’s website stated that the “use of reservable computers is suspended.” A spokesperson said the criminals managed to infect a centralized computer server, which also disrupted the staff’s email system.

Other organizations to report disrupted services due to apparent ransomware attacks include Advanced Flexible Composites in Illinois, Valley Springs School District in Arkansas, and Kanawha County Schools in Virginia. Advanced Flexible Composites notified its customers that a January 17 hack of its computer system prevented the company from receiving emails and processing quote requests or orders. Not much information was provided about the attack; however, on the surface it sounds like a ransomware infection. Valley Springs School District’s superintendent said the school’s infection may lead to some information saved by teachers being lost such as lessons plans, curriculum and tests. Kanawha County Schools said that it was able to restore internal documents after its incident but that its website would take longer to bring back online.

Finally, the Delaware Department of Insurance is investigating an incident involving a ransomware infection and the unauthorized access of customer data at Summit Reinsurance Services and BCS Financial Corporation.

Other trending cybercrime events from the week include:

New type of SWIFT attack: Malicious actors compromised the SWIFT systems of three Indian banks and created fake trade documents that may have been used to raise finance abroad or facilitate dealings in banned items. “There was fraudulent duplication of trade documents like letters of credit (LC) and guarantees which the hackers may have or planning to encash with some offshore banks,“ a source told ET Tech. “It’s also possible that hackers did not present the fake LCs to raise funds but to carry out trade of prohibited or illegal commodities.”

Popeye’s point-of-sale breach: Point-of-sale malware was discovered at the restaurant chain Popeyes, and customers who used their payment cards at one of 10 infected locations between May 5, 2016, and August 18, 2016, likely had their information stolen, the company said in a press release. The ten locations include seven in Texas, two in North Carolina, and one in Georgia.

More employee and third-party breaches: Police in the Netherlands are alerting 20,000 potential victims about a man who worked at various companies as a website builder and used his position to insert a special script that allowed him to steal usernames and passwords. Online fashion store Showpo is suing a former employee and an online retailer over allegations the graphic designer exported a database of 306,000 customers from MailChimp and passed the information along to online retailer Black Swallow. Customers of the Victorian Game Management Authority in Australia had their personal information potentially exposed when the authority accidentally sent customer data to eight individuals who were renewing their game license. A third-party advertiser that promotes Canada’s Grey Eagle Resort and Casino was hacked and fake text messages were sent to the casino’s VIP members telling them the casino “will be closed for the remainder of January due to infestation and rodent problems.”

Healthcare-related breaches: TheDarkOverlord said it stole data from Little Red Door Cancer Services of East Central Indiana and attempted to extort the organization by threatening to release the data. CoPilot Provider Support Services announced a breach affecting approximately 220,000 individuals due to a database being illegally accessed in October 2015. Sentara Healthcare is notifying 5,454 vascular and thoracic patients that their medical information was compromised due to a breach at an unnamed third party. The orthopedics practice at The University of Maryland Faculty Physicians Inc. is notifying 1,500 patients that their information may have been accessed when an email account belonging to a physician assistant’s email account was hacked. Barts Health NHS Trust experienced a malware infection that led to taking numerous hard drives offline “as a precautionary measure” and using a manual backup for its computerized pathology results service.

Other announcements: Hackers targeted a laptop belonging to the special investigation team probing South Korean President Park Geun-hye’s political scandal. Current and former employees of Dracut Public Schools had their Social Security numbers and other personal information compromised due to an employee falling for a phishing attack. A Russian-language version of the series finale of Sherlock circulated online before the episode was broadcast. The forums of Clash of Clans developer Supercell and MrExcel, both of which use vBulletin, announced data breaches.

Cyber Risk Trends From the Past Week

Security researchers frequently discover private data being exposed to the Internet due to technical errors such as poorly secured data backups, and this past week several new incidents along those lines.

Chris Vickery’s discovery of multiple misconfigured Rsync instances at Canadian ISP KWIC appears to be truly massive potential breach, with CSO Online reporting that terabytes of information for all of its customers was exposed. The issue was fixed after the company was notified of the problem; however, it is unclear how long the information was available before the fix. The data exposed included credit card details, email addresses, passwords, names, home and business addresses, phone numbers, email backups, VPN details and credentials, internal KWIC backups, and more.

In last week’s roundup we noted that incorrectly configured databases exposed the data of 3.3 million Hello Kitty fans as well as thousands of patients of Canadian plastic surgery company SpaSurgica. The week before that data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was exposed in a similar fashion. The week before that data belonging to Ameriprise clients was exposed due to an advisor synchronizing data between between his home and work and neither drive requiring a password.

This past week saw a similar story of a poorly configured backup drive. Interpreters Unlimited, a California-based translation and interpreter company, exposed thousands of sensitive documents due to an Internet-connected backup drive used by an IT manager that had no password protection and was online for four to six months. Files seen by ZDNet showed that the drive contained dozens of usernames, email addresses and passwords stored in plain text for the company’s infrastructure, including its website, hosted email and domain name servers, and remote desktop apps. The drive also contained the private data of clients and employees such as Social Security numbers and the amount of money translators earned.

The constant trickle of company, customer and employee data being leaked due to the poor practices of employees and partners should serve as a reminder for all organizations that data breaches often spring from mistakes made within the organization — not just external cybercriminals.

Weekly Cyber Risk Roundup: More Extortion and Marijuana Retailers’ Woes

Extortion continues to dominate the cybercrime headlines in 2017 with the week’s top two trending targets being the successful ransom at Los Angeles Valley College and continued extortion attempts around MongoDB databases.

It was less than a year ago that Hollywood Presbyterian Medical Center became a national news story by paying a $17,000 ransomware demand so that staff could regain access to infected computers. A year later those types of stories are no longer unique; they’re routine. Los Angeles Community College District’s recent decision to pay a $28,000 ransom after an infection “disrupted many computer, online, email and voice mail systems” is just the latest of example.

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the district said in a FAQ, echoing the sentiments of many other organizations who’ve decided to pay ransoms. “The District has a cybersecurity insurance policy to address these specific types of cyber intrusions and it was activated during this incident. While much time will pass before this matter is resolved, we have already availed ourselves of the resources provided by the policy, including assistance of cybersecurity experts.”

In addition, the ongoing issue of insecure MongoDB databases being stolen, deleted and subsequently extorted continues to rack up thousands of new potential victims, including Princeton University. Researchers Victor Gevers and Niall Merrigan have been tracking the various victims and ransom demands as threat actors compete to have the most up-to-date ransom notes. The problem, Merrigan told KrebsOnSecurity, is that with so many actors the victims may not know who actually has the stolen data. Merrigan advises victims not to pay unless they have proof that the extortionists actually have the files being ransomed. Lastly, it appears some of those actors have now shifted towards ElasticSearch servers, with more than 3,000 victims as of Monday morning.

Other trending cybercrime events from the week include:

Another week of large-scale breaches: Mobile phone hacking company Cellebrite was breached and 900 GB of data was compromised, including customer information, databases and a vast amount of technical data regarding Cellebrite’s products. E-Sports Entertainment Association (ESEA) was hacked last December and a database containing information on 1.5 million players was stolen. The actor also attempted to extort the company for $100,000, but ESEA refused to pay. Three brokers who left the commercial real estate firm Avison Young used external hard drives to “downloaded massive amounts of data,” including client and financial information, market intelligence and strategic plans, according to a complaint filed by the firm.

More accidental data exposure: A MongoDB database belonging to Sanrio, the company behind Hello Kitty, was misconfigured and exposed to the public in 2015, and a copy of that database has recently surfaced online. Approximately 3.3 million Hello Kitty fans are affected, including 186,261 records related to individuals under the age of 18. Canadian plastic surgery company SpaSurgica exposed the detailed medical histories of thousands of patients due to an unprotected remote synchronization (rsync) service, according to MacKeeper researchers. The files contained medical histories, personal information, and intimate before and after pictures of breast augmentation and other surgeries. An email sent by Ball State University’s retention office to students on academic probation accidentally contained an Excel spreadsheet of 59 students on probation for the spring semester rather than planned attachment about upcoming academic help sessions.

Cyber-attack leads to another blackout: The December 2016 blackout in Ukraine was due to a cyber-attack, and it is connected to a similar attack in 2015, as well as hacks at the national railway system, several government ministries and a national pension fund. The head of ISSP, a Ukrainian company investigating the incident, said that the recent attack against a Ukrainian utility was a “more complex” and “much better organized” version of the 2015 attack. He also said that the different cybercriminal groups that worked together appeared to be testing techniques that could be used elsewhere in the world.

Other breach announcements: Outdated data management software led to the leak of financial information for at least 2,000 Taipei City Government employees, city officials said. A November data breach at TwoPlusTwo poker forum exposed the personal information of its users, and the stolen data was subsequently offered for sale on the Internet. Fraudulent login attempts were made to Spreadshirt partner accounts using previously compromised credentials with the goal of redirecting payments by changing the Paypal payout address. Dozens of Israeli soldiers had their smartphones hacked by Hamas militants impersonating attractive women. Italian police have arrested two siblings for allegedly hacking into thousands of email accounts using a customized malware known as “EyePyramid” and then using the stolen information to make investments. The Susan M. Hughes Center recently notified HHS of an August ransomware infection that affected 11,400 patients’ information.

Cyber Risk Trends From the Past Week

As SurfWatch Labs noted in its annual report, organizations are increasingly struggling with third-party and supply chain cybercrime.

This issue was highlighted once again this past week as a cyber-attack at MJ Freeway, a popular software platform used by marijuana retailers, disrupted operations at 1,000 retailers across 23 states. A full week after the initial attack the company is still working to restore some level of services to many of its clients. A full recovery may take several weeks, Jeannette Ward, director of data and marketing for MJ Freeway, told Marijuana Business Daily.

The motivations behind the attack are unclear, but the attack appears to be aimed at corrupting the company’s data, not stealing it.

“Attackers took down both MJ Freeway’s production and backup servers, causing an outage for all of our clients,” MJ Freeway CEO Amy Poinsett said in a video uploaded on Saturday, “Current analysis shows the attackers did not extract any client or patient data and did not view any patient data thanks to encryption measures we had in place.”

However, she added that “the damage from the attack is extensive” and the company is currently trying to call customers individually to move them to alternate MJ Freeway sites, which is taking more time than she would like. A number of stores had to temporarily close due to the outage, and those that remained open have had to deal with lengthy lines and customer complaints as manual transactions increased the time for each sale.

As SurfWatch Labs noted in its 2016 Cyber Trends Report, the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services,” the report stated. “Cybercrime is increasingly interconnected, and the effects of one data breach or cyber-attack are difficult to isolate and contain.”

That appears to be the case with MJ Freeway.

Weekly Cyber Risk Roundup: Russian Hacking and New Extortion Campaigns

This week’s top trending cybercrime story is a hack that wasn’t: Vermont’s Burlington Electric Department. A December 30 Washington Post story falsely claimed that Russian threat actors had penetrated the U.S. power grid via the Vermont utility. That story has since been widely debunked, as the alleged international hacking incident was set off by a department employee simply checking his Yahoo email account. The employee’s actions triggered an alert, as it matched an IP address tied to indicators of compromise released by the Department of Homeland Security related to the alleged Russian hacking around the U.S. presidential election.

“We uploaded the indicators to our scanning system to look for the types of things specified,” Burlington Electric Department general manager Neil Lunderville told Fortune. “Then sometime on Friday morning, when one of our employees went to check email at Yahoo.com, our scanning system intercepted communications from that computer and an IP address listed in the indicators of compromise. When warned of that, we immediately isolated the computer, pulled it off the network, and alerted federal authorities.”

The incident involved a single computer not even connected to the grid control systems, he added.

The false story comes on the heels of a report issued by DHS and the FBI on Grizzly Steppe, the U.S. code name for the malicious cyber activity carried out by the Russian civilian and military intelligence services. That interference led President Barack Obama to sanction four Russian individuals and five Russian entities, as well as to order 35 Russian diplomats to leave the country and close two Russian compounds.

Intelligence officials testified before Congress on Thursday, and Director of National Intelligence James Clapper said that Russia’s role included hacking and the ongoing dissemination of “fake news.” Thursday also saw the resignation of former CIA director James Woolsey from Donald Trump’s transition team over what the Chicago Tribune described as “growing tensions over Trump’s vision for intelligence agencies.”

Other trending cybercrime events from the week include:

Bugs and mistakes expose sensitive data: A bug in Nevada’s website portal exposed the personal data of more than 11,700 medical marijuana dispensary applications. Data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was publicly exposed due to an unprotected remote synchronization service tied to Potomac Healthcare Solutions, which provides healthcare workers to the U.S. government through Booz Allen Hamilton. More than 10,000 invites to collaborate on Box.com accounts or documents were indexed and discoverable on search engines, including some documents containing sensitive financial and proprietary company information. PakWheels, an automotive classified site in Pakistan, announced a data breach due to a vulnerability in outdated vBulletin forum software.

Payment card breaches: British multinational hotel company InterContinental Hotels Group (IHG) is investigating a possible payment card breach after being notified of fraud patterns observed on credit and debit cards used at some IHG properties in the U.S., particularly Holiday Inn and Holiday Inn Express hotels. Topps announced a data breach affecting payment card and other data entered by customers when placing orders via its website. The incident was discovered in October and affects orders made through the Topps website between approximately July 30, 2016, and October 12, 2016.

Defacements and downtime: The Google Brazil domain was unavailable for 30 minutes on Tuesday afternoon due to a DNS attack that directed visitors to a defacement page. The official website of the Philippine military was defaced on December 30 by a hacker with the online handle “Shin0bi H4x0r.”

Ransomware updates: A ransomware infection at Los Angeles Valley College blocked access to emails, voicemail and computer systems as the computers of as many as 1,800 full-time faculty and staff could be infected. Ransomware actors are calling education establishments and claiming to be from the Department of Education, Department for Work and Pensions, and telecoms providers in order to obtain the contact information of the head teacher or financial administrator to attempt a ransomware infection.

Other breach announcements: Northside Independent School District is notifying 23,000 current and former students and employees that their information may have compromised after an investigation of an August 2016 compromise of employee email accounts turned out to be a more widespread breach. The founder of KeepKey said his company email and phone were temporarily compromised on December 25, and the attacker reset accounts linked to the email address and was able to access several channels for a short period. Recent widespread electricity cuts across Istanbul have been attributed to a major cyber-attack, according to sources from the Energy Ministry. The New Hampshire Department of Health and Human Services is notifying 15,000 individuals that their personal information was exposed when a former patient at New Hampshire’s state psychiatric hospital posted information he had previously stolen to a social media website. The Organization for Security and Co-operation in Europe has recently confirmed that it was hit by a major cyber-attack in the first weeks of November when hackers managed to “compromise the confidentiality” of its IT network.

Cyber Risk Trends From the Past Week

Organizations once again are being blackmailed by threat actors who are either threatening to release stolen data or else holding data hostage unless a ransom payment is made.

TheDarkOverlord is continuing its well-established tactic of hacking, extorting and then dumping data on a variety of targets. According to databreaches.net, “TDO appears to have dumped pretty much everything of any significance from two of the previously disclosed victims companies, Pre-Con Products, LTD, and G.S. Polymers, Inc. Other entities whose data TDO dumped include PcWorks, L.L.C. (in Ohio), International Textiles & Apparel, Inc. in Los Angeles, and UniQoptics, L.L.C. in Simi Valley.”

A new extortion campaign is being carried out by an actor using the name “Harak1r1.” The hacker is hijacking insecure MongoDB databases, stealing the data, and replacing the data with a single table and record called “WARNING.” The actor then attempts to extort the victims to recover their data. Researchers said the campaign is ongoing and that between Tuesday and Wednesday the number of compromised databases rose from around 2000 to more than 3500. The actor requests a 0.2 bitcoin ransom payment for victims to regain access to the files, which at least 17 companies have paid. The actor appears to be manually selecting the targets based on databases that appear to contain important data, according to Victor Gevers, co-founder of GDI Foundation.

Interestingly, it appears that a second threat actor may be using the same tactic, but charging 0.5 bitcoin instead, according to a Wednesday tweet addressed to Gevers.

As of Saturday afternoon, the second bitcoin address had 11 bitcoin transactions totaling 3.31 bitcoins, so it is possible that more victims are making ransom payments.

Weekly Cyber Risk Roundup: Unique Cyber-Attacks and Insider Theft

Yahoo remained as the top trending cybercrime target due to a data breach affecting more than a billion accounts. The breach is so large that regulators such as the FTC and SEC are facing uncharted territory when it comes to potential fines or other consequences related to the incident, Vice News reported.

Looking beyond the ongoing Yahoo story, there were several unique cybercrime-related events worth noting from the past week.

For starters, a data breach at Kia and Hyundai aided in the physical theft of dozens of cars, Israeli police said. Criminals were able to use the stolen data to make car keys for luxury cars and steal those cars directly from the owners’ homes. The three men who were arrested allegedly looked for the registration numbers on Kia and Hyundai models and then used those number along with stolen anti-theft protection numbers and other codes to make keys for each specific car. Once the keys were made they would visit the owners homes — the information was also in the stolen data — to steal the vehicles and then sell them on the Palestinian car market.

Another interesting story is the recent sudden shutdown of a power distribution station near Kiev, which left the northern part of the city without electricity. Vsevolod Kovalchuk, the acting chief director of Ukrenergo, told Reuters that the outage was likely due to an external cyber-attack. The outage amounted to 200 megawatts of capacity, which is about a fifth of Kiev’s nighttime energy consumption.

If definitively tied to a cyber actor, the incident would be the second time in a year that a Ukrainian power outage was attributed to a cyber-attack. The December 2015 outage at Prykarpattyaoblenergo has been frequently cited as the first power outage directly tied to a cyber-attack.

Other trending cybercrime events from the week include:

Education Information Compromised: Online learning platform Lynda.com is notifying its 9.5 million users of a data breach after a database was accessed that contained users’ contact information, learning data and courses viewed. The Columbia County School District in Georgia confirmed it was the victim of a data breach after an external actor accessed a server containing confidential employee information such as names, Social Security numbers and dates of birth. A malware infection at Summit Reinsurance Services may have compromised the information of 1,000 current and former employees at Black Hawk College, as well as those employees’ dependents. The University of Nebraska-Lincoln notified approximately 30,000 students that their names and ID numbers may have been compromised when a server hosting a math placement exam was breached.

More Healthcare Data Breaches: Community Health Plan of Washington is notifying 381,534 people that their information may have been compromised due to a vulnerability in the computer network of NTT Data, which provides the nonprofit with technical services. East Valley Community Health Center in California is notifying patients of a Troldesh/Shade ransomware infection on a server containing patient information. The server contained 65,000 insurance claims from the past six years, which included names, dates of birth, home addresses, medical record numbers, health diagnosis codes and insurance account numbers. A number of employees allegedly attempted to access the medical records of Kayne West during his recent week-long stay at the UCLA Medical Center.

OurMine Continues to Hijack Popular Accounts: The hacking group known as “OurMine” managed to hijack the Twitter accounts of both Netflix and Marvel on Wednesday. The group posted its usual message about how they were just testing security, along with their contact information.

DDoS Attacks Used to Protest New Law in Thailand: Thai government websites were hit with DDoS attacks in protest of a new law that restricts internet freedom. The websites of the Defense Ministry, Ministry of Digital Economy and Society, the Prime Minister’s Office, and the Office of the National Security Council were all targeted. In addition, a hacker going by the name “blackplans” posted screenshots of documents allegedly stolen from government websites.

Other breach announcements: A May 2016 phishing incident led to 108 employees of L.A. County handing over their email credentials, resulting in a data breach affecting 756,000 individuals. A hacker going by “1×0123” claims to have hacked PayAsUGym and is attempting to sell a database of information on 305,000 customers. A database backup from the forum of digital currency Ethereum was stolen after a malicious actor socially engineered access to a mobile phone number and gained access to accounts. About 350 Ameriprise clients had their investment portfolios exposed due to an advisor synchronizing data between between his home and work and neither drive requiring a password. The Bleacher Report announced a data breach affecting an unknown number of users who signed up for accounts on its website. The U.S. Election Assistance Commission (EAC) acknowledged a potential intrusion after a malicious actor was spotted selling information related to an unpatched SQL injection vulnerability.

Cyber Risk Trends From the Past Week

Several stories from the past week once again highlighted the problem of malicious insiders stealing intellectual property and taking that stolen data directly to company rivals in order to give those rivals a leg up on the competition.

The first case involves India’s Quatrro Global Services, which recently filed a complaint with local police accusing two former employees of stealing a customer database and using that database to open a rival remote support company, MS Care Limited.

The employees left Quatrro Global Services in late 2014 and early 2015 and opened the rival company in January 2016. The complaint alleges the database was “used to derive unlawful commercial benefit by accessing our customers, leading to our commercial loss while gaining unauthorised access to our customer’s personal information, which could be used for unlawful purposes.”

A separate case involves David Kent, 41, who recently pleaded guilty to stealing more 500,000 user resumes from Rigzone.com, a company that he sold in 2010, and then using the stolen data to boost the membership of his new oil and gas networking website, Oilpro. According to the complaint, Rigzone’s database was hacked twice, and its members were subsequently solicited to join Oilpro. After building up the membership base in this manner, Kent then tried to sell the Oilpro website by stating that it had grown to 500,000 members through traditional marketing methods.

As SurfWatch Labs noted in October, insider threats are one of the most difficult challenges facing organizations. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year and that more than half of respondents believe that insider threats have become more frequent over the past year.

SurfWatch Labs data confirms those security professionals worry, having collected data on more than 240 industry targets publicly associated with the “insider activity” tag over the past year.

Weekly Cyber Risk Roundup: Largest Breach Ever and Law Firm Lawsuits

On Wednesday, Yahoo announced a data breach that affects more than one billion user accounts. The intrusion, which Yahoo believes occurred in August 2013, comes just months after the company announced a separate breach involving “at least 500 million user accounts.” The new breach was discovered after law enforcement received Yahoo data from a third party. The compromised information includes names, email addresses, telephone numbers, dates of birth, MD5-hashed passwords, and some encrypted or unencrypted security questions and answers.

As The New York Times noted, the breach gives Yahoo the distinction of having the largest ever data breach – on two separate occasions.

It also appears that the intruders were able to use stolen source code to forge cookies, which allowed the malicious actors to gain access to some users’ accounts without needing a password.

Yahoo said those forged cookies have been invalidated, along with any unencrypted security questions and answers. Yahoo did not make clear how many unencrypted security questions and answers were stolen, but users who used those same questions and answers on other sites may face increased risk around those accounts being compromised in the future.

The newly announced breach has also led to more speculation about the potential impact on Yahoo’s pending $4.8 billion deal to be acquired by Verizon. Sources told Reuters that Verizon is looking for “major concessions” from Yahoo, and Verizon reiterated that it would “review the impact of this new development before reaching any final conclusions” about proceeding with the deal.

The incident may also have an affect on the size of Yahoo’s user base. Reuters reported that several cybersecurity experts and bodies such as Germany’s Federal Office for Information Security are now advising Yahoo users to consider abandoning the service for email providers that may be more secure.

Other trending cybercrime events from the week include:

Russian hacking put front-and-center: U.S. intelligence officials have “a high level of confidence” that Russian President Vladimir Putin was personally involved in the effort to interfere with the presidential election. Officials told ABC News that Russian hackers targeted as many as two email systems associated with the Republican National Committee, but the incidents didn’t raise the same level of concern as similar attacks against the DNC because the systems had long been unused. Germany’s domestic intelligence agency reported that Russia is trying to destabilize German society via targeted cyber-attacks against political parties and disinformation campaigns. The head of the Swedish Military Intelligence and Security Service said that Russian hacking is a “serious threat” that may “influence democratic decision-making.”

Insiders cause more cyber headaches: The February 2016 theft at Bangladesh Bank was aided by five low to mid-level employees who were negligent and careless but not directly involved in the crime, according to a Bangladesh government-appointed panel. Hong Kong officials have arrested 29 current and former employees across five financial institutions for alleged bribery and sharing of confidential customer information. A two-year investigation found that lax privacy procedures at the Ohio Department of Rehabilitation and Correction contributed to a $422,000 scheme that used prisoners’ identities to apply for federal student loans. An employee of Banner Boswell Hospital in Arizona has been arrested for allegedly stealing patients’ credit card information and using that information to buy items online.

More DDoS attacks amid arrests: A series of DDoS attacks aimed at disrupting updates about the pro-Russian separatist conflict brought down the websites for Ukraine’s Finance Ministry and State Treasury. Nearly three dozen users of “booter” services were arrested in a global effort dubbed “Operation Tarpit,” a law enforcement campaign aimed at weakening demand for cybercrime-for-hire services and raising awareness of the risks of engaging in cybercrime.

Other breach announcements: A backup server belonging to Joan Jett’s Blackheart Records had no password and left open port 873, which is typically used for the file synchronization protocol rsync, potentially exposing more than 200 gigabytes of data. A hacker going by the name Kapustkiy claims to have hacked the website for the Consular Department of the Embassy of the Russian Federation in the Netherlands and stole thousands of passport numbers and personal details. The hacking group known as “Legion” claims to have several terabytes worth of data stolen from more than 40,000 Indian servers. KFC is urging 1.2 million members of the Colonel Club loyalty program to change their passwords due to a small number of accounts being compromised. An unauthorized third party accessed Quest Diagnostics’ MyQuest by Care360 app and obtained the Protected Health Information of approximately 34,000 individuals. An unnamed doctor’s office in Hamilton, Ontario, experienced a breach involving electronic patient records. The data of 1000 students who attended Frederick County Public Schools between November 2005 and November 2006 was found online by a former student.

Cyber Risk Trends From the Past Week

The past week saw several legal developments involving both past breaches and possible future lawsuits.

Ruby Corp, the operator of AshleyMadison, has agreed to pay $1.6 million to settle state and Federal Trade Commission charges related to its massive July 2015 data breach. The total fine was $17.5 million, but the remaining portion was suspended based on Ruby Corp.’s inability to pay.

“I recognize that it was a far lower number frankly than I would have liked,” FTC Chairwoman Edith Ramirez said on a conference call with reporters. “We want them to feel the pain. We don’t want them to profit from unlawful conduct. At the same time, we are not going to seek to put a company out of business.”

The settlement also requires the implementation of a comprehensive data-security program, including third-party assessments.

Another interesting story of note is a lawsuit that was recently filed against the Chicago-based law firm Johnson & Bell that alleges the firm failed to protect confidential customer information. According to the lawyer that filed the case, it is the first class action lawsuit against a law firm over inadequate data security measures. The same lawyer previously said he had identified a total of 15 firms lacking basic security measures that may be targeted by lawsuits, although the others have not yet been publicly named.

The Johnson & Bell lawsuit was filed back in April 2016; however, it only recently became public and moved to arbitration. Although the complaint does not claim that any data was actually stolen, it alleges that the firm put clients at risk due to using an out of date time-entry system, a VPN that was prone to man-in-the-middle attacks, and an email system that was vulnerable to the DROWN attack.

As SurfWatch Labs noted in our whitepaper, Flipping the Script: Law Firms Hunted by Cybercriminals, law firms are attractive targets for malicious actors as they often have weaker security than the clients they represent. Breaches may also be especially damaging for law offices as confidentiality is at the core of the legal process and law firms often have access to valuable data.

Weekly Cyber Risk Roundup: Another Botnet and the Gamification of Cybercrime

Botnets were once again front-and-center this past week as new developments were announced by security researchers, malicious actors and government officials.

To start, CloudFlare observed a ten-day long series of distributed denial-of-service (DDoS) attacks that have generated as much as 400 Gbps in traffic, sparking fears of yet another massive botnet that can disrupt organizations. The attacks “are not coming from the much talked about Mirai botnet,” the researchers wrote. “They are using different attack software and are sending very large L3/L4 floods aimed at the TCP protocol.”

Following that announcement, the hacker known as BestBuy, who had previously begun advertising a Marai-based DDoS service, claimed to have taken control of 3.2 million routers. He told Motherboard that a server he set up automatically connects to vulnerable routers and pushes a malicious firmware update to them. “They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” he said in an online chat. “Bots that cannot die until u throw device into the trash.”

If true, those developments are certainly worrisome for organizations like Deutsche Telecom, the UK Postal Office, TalkTalk, and Kcom ISP – all of which have seen customer outages due to attempted Marai infections – not to mention the businesses that may be targeted with DDoS attacks from all those compromised devices.

One piece of good news on the botnet front: the cybercriminal network known as Avalanche was dismantled in what authorities are describing as the largest-ever use of sinkholing to combat botnet infrastructures. Europol said that the four-year investigation with global partners resulted in over 800,000 domains being seized, sinkholed or blocked. Although exact calculations are difficult, monetary losses associated with attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide.

Other trending cybercrime events from the week include:

Massive thefts announced: Technical trade secrets were stolen from ThyssenKrupp, one of the world’s largest steel makers, in what the company described as a “massive cyber attack.” The theft occurred at the steel production and manufacturing plant design divisions, the company said. Two billion rubles ($31 million) was stolen from banking clients that hold accounts at Russia’s central bank, according to a bank spokesperson. The hackers attempted to steal approximately five billion rubles, but the bank managed to recover some of the money. Reuters reported that hackers broke into accounts at the bank by faking a client’s credentials, citing a report issued by the bank.

Ransomware updates: The ransomware attack that affected about 900 computers at the San Francisco Municipal Transportation Agency cost the agency an estimated $50,000 in lost fares due to passengers being unable to pay. Ransomware behind the infection that caused an NHS hospital trust to shut down systems and cancel 2,800 patient appointments in early November has been confirmed as Globe2. Allegheny County district attorney Stephen Zappala Jr. admitted that his office was hit in January 2015 and that the office paid nearly $1,400 in ransom. The announcement came after several victims of the Avalanche network were revealed via court documents.

Malicious insiders face consequences: A former computer support technician employed at Experian subsidiary Hotwire.com pleaded guilty to accessing the emails of executives and using that non-public information to illegally profit from trading Expedia stock. The man accessed documents and emails on the devices of the Chief Financial Officer and the Head of Investor Relations. A former employee of Internet service provider Pa Online was sentenced to 24 months in prison and ordered to pay $26,000 in restitution for hacking into Pa Online’s network after being fired and installing malware that caused files and directories to be erased and the network to crash.

Third-party breaches: More than 43,000 Indian patient pathology reports, including those of HIV patients, were left publicly exposed by Health Solutions. Security researcher Troy Hunt said the information is now removed from public view after a lengthy process to track down and motivate those behind the leak and that the incident appears to be the result of shockingly poor security. A breach of a contractor’s email account exposed the information of individuals who participated in the U.S. Olympic Committee’s 100-Days Out event in April 2016. Members of the Scotland Supporters Club were sent phishing emails from the Scottish Football Association’s official email account after a third-party email database was compromised.

Other data breaches: An Intranet server for South Korea’s cyber command was contaminated with malware, and the attack appears to have come from North Korea, the South Korean military said. An official said that some military documents had been hacked, including confidential information, but that they have yet to determine the full extent of the leak. Around 420,000 customers may have had their personal information leaked due to a data breach at an online store run by IPSA, a subsidiary of Japanese cosmetics maker Shiseido. A University of Wisconsin–Madison law school database was breached, resulting in 1,213 applicants having their names and Social Security numbers compromised.

Cyber Risk Trends From the Past Week

One of the more interesting developments over the past week is the new tactics being used by malicious actors in order to spread malware and encourage cyber-attacks. For example, a new ransomware called “Popcorn Time” is encouraging victims to spread ransomware by offering them options when it comes to decrypting their files. They can go the usual route of paying the 1 bitcoin ransom, or they can go the “nasty way” and infect other users in order to avoid payment.

“Send the link below to other people, if two or more people will install this file and pay, we will decrypt your files for free,” the malware authors wrote. This is the first time SurfWatch Labs has observed ransomware developers using the tactic of leveraging victims in order to intentionally spread the malware.

Another interesting cybercriminal tactic is being used by a DDoS collaboration service called “Surface Defense.” A set of Turkish hackers is using gamification to encourage others to attack political organizations are not in line with Turkey’s government. They provide a point system for attacks, rewards that can be earned, and a live scoreboard. Rewards include cybercriminal tools such as click-fraud bots and the Sledgehammer DDoS tool. Two dozen organizations are being targeted by the gamified-DDoS service, including the German Christian Democratic Party, The People’s Democratic Party of Turkey, the Armenian Genocide Archive, and the Kurdistan Workers Party. Users can also suggest new targets.

Malicious actors are continuing to experiment with new ways to expand their reach. It is difficult to judge how successful these types of tactics will be, but expect other actors to incorporate similar features in the future if they are proven to be successful.

Weekly Cyber Risk Roundup: Shamoon is Back and Marai Problems Continue

The European Commission is the top trending cybercrime target over the past two weeks after experiencing a distributed denial-of-service attack (DDoS) that brought down Internet access for several hours over two separate periods, making it difficult for employees to work, a staff member told Politico.

However, the most impactful event from the period is the campaign that targeted organizations in Saudi Arabia with the Shamoon malware and wiped the hard drives of thousands of computers. The campaign targeted six organizations, resulting in extensive damage at four of them. People familiar with the investigation told Bloomberg that thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation and that office operations came to a halt for several days after critical data was erased. Among the other targets were the Saudi Central Bank and several unnamed government agencies.

Saudi authorities said evidence suggests Iran is to blame. The attackers used the exact same Shamoon malware that hit Saudi Aramco in 2012 and destroyed 35,000 computers, according to people familiar with the investigation. Ars Technica noted that Shamoon attempts to spread across networks by turning on file sharing and attempting to connect to common network file shares. In addition, the attackers used stolen credentials hard-coded into the malware.

Shamoon is made up of three components. The dropper component determines whether to install a 32-bit or 64-bit version of the malware. The wiper component uses RawDisk, the same driver that was used against Sony Pictures in 2014. The communications component was not used in this attack as the malware was configured with the IP of 1.1.1.1.

Other trending cybercrime events from the week include:

Another week of “oops” breaches: Security researcher Chris Vickery discovered a file repository for Allied-Horizontal exposed to the Internet and requiring no authentication that contained sensitive information related to explosives. Confidential police files on 54 terrorist cases were copied onto a staffer’s private storage device that was connected to the Internet without a password. The U.S. Department of Housing and Urban Development accidentally made the personal information of almost 600,000 individuals temporarily available to the public via its website.

Individuals and organizations face blackmail: Hackers have allegedly stolen data from Valartis Bank Liechtenstein and are threatening individual customers that they will leak their stolen information to financial authorities and the media if they do not pay ransom demands. The hacking group known as TheDarkOverlord said they gained access to Dropbox and email accounts for Gorilla Glue and stole 500 GB of information, including intellectual property and product designs. TheDarkOverlord said they offered the company “a handsome business proposition,” which is the group’s way of saying they demanded ransom.

Ransomware disrupts organizations: The computer systems of the San Francisco Municipal Transportation Agency were infected with ransomware, and the actor behind the attack demanded $73,000 in ransom. Passengers unable to pay fares due to locked machines were temporarily given free rides. Bigfork School District in Montana recently experienced a ransomware infection due to a malicious email attachment, but the district said it would not pay any ransom demands. Computers at Carleton University in Canada were infected with ransomware, bringing research to a halt. The attackers asked for around $39,000 to decrypt the data.

Business-to-business cybercrime: Gaming company Zynga is suing two former employees over the theft of “extremely sensitive” information, which was then allegedly taken to rival company Scopely. James Frazer-Mann, a 35-year-old former operator of Elite Loans, was sentenced by a UK court for hiring a hacker to DDoS his former company’s competitors and the website of the Consumer Action Group.

More data breaches announced: The Madison Square Garden Company announced a point-of-sale data breach affecting customers who used payment cards to purchase food and merchandise at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and Chicago Theater. The Navy was notified by Hewlett Packard that the names and Social Security numbers of more than 130,000 sailors were compromised. An unauthorized party gained access to a Michigan State University server containing personal information on 400,000 individuals, but only 449 of those records are confirmed to have been accessed. The hacker behind the data breach at Casino Rama has uploaded a five gigabyte file containing more than 14,000 documents to a torrent website. UK Telecom company Three announced a data breach after cybercriminals were able to gain access to its upgrade system using authorized logins.The sensitive personal information of 17,000 students was compromised in a data breach at Erasmus University in the Netherlands.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past two weeks. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Over the past two weeks, most industry sectors have seen an increase in their SurfWatch Labs’ cyber risk scores. The IT sector, once again, has the highest overall score. That is due, in part, to ongoing worry over DDoS attacks tied to Marai and other botnets compromised of Internet-of-Things devices.

Around 900,000 customers of Deutsche Telekom had their service disrupted due to external actors trying and failing to infect routers with malware, the company said. The attack caused crashes or restrictions on approximately four to five percent of all routers. Thousands of KCOM customers also lost their Internet access due to routers being targeted in a cyber-attack. KCOM issued a statement about the incident:

“We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network. The only affected router we have supplied to customers is the ZyXel AMG1302-T10B. The vast majority of our customers are now able to connect to and use their broadband service as usual.”

Researchers have identified other companies that use routers made by ZyXel and may be vulnerable to similar attacks, including Irish telecom operator Eir and Vodafone Group Plc in Britain.

Two hackers have since claimed credit for the attack against Deutsche Telekom and apologized for the outage. They were trying to enlist those routers in a growing Marai botent, which they claim is now the most powerful Marai-based botnet. One of the hackers told Motherboard the botnet included over a million devices; however, other researchers have estimated that number to be around 400,000.

The hackers, going by the name BestBuy and Popopret, are advertising a DDoS service powered by their new botnet with attacks allegedly ranging up to 700 Gbps.

2016-12-03_botnetad — Source: BleepingComputer

Popopret told BleepingComputer that the price for a two-week long attack using 50,000 bots — and an attack duration of one hour along with a 5-10 minute cooldown time between attacks — is approximately $3000-$4,000. BestBuy reported similarly high fees, telling Motherboard that a similar attack using 600,000 bots would cost $15,000-$20,000.

It is unclear exactly how many devices the group controls at the moment, but it is clear that various groups are competing to infect and retain control over a growing number of Internet-connected devices.