Weekly Cyber Risk Roundup: Adult Friend Finder’s Massive Breach and Securing IoT Devices

Distributed denial-of-service (DDoS) attacks were once again among the most discussed cybercrime events of the week as discussion around the Mirai botnet continued and a handful of Russian banks were targeted with attacks powered by compromised Internet-of-Things (IoT) devices. The week also saw one of the largest data breaches ever as the Adult Friend Network was hacked and the details of 412 million accounts were compromised.

The information compromised in the Adult Friend Finder hack dates back 20 years, according to LeakedSource, and includes email addresses, passwords stored in either plain visible format or SHA1, dates of last visits, browser information, IP addresses and site membership status. Accounts for a variety of sites were affected: 339 million Adult Friend Finder accounts, 62 million Cams.com accounts, 7 million Penthouse.com accounts, 1.4 million Stripshow.com accounts and 1.1 million iCams.com accounts.

This is the second time Adult Friend Network has been hacked in 18 months. In May 2015 almost four million users had their personal details leaked by hackers.

It’s not clear who was ultimately behind the recent hack. A researcher going by the name revolver posted screenshots of a Local File Inclusion vulnerability being exploited on Adult Friend Finder in October and threatened to “leak everything,” but he said he was not behind the breach. Friend Finder Networks vice president and senior counsel Diana Ballou did say that the company identified and fixed “a vulnerability that was related to the ability to access source code through an injection vulnerability.” The breach is the second largest of the year in terms of the number of customer accounts compromised — behind only Yahoo, which affected more than half a billion accounts.


Other trending cybercrime events from the week include:

  • More large data breaches: Casino Rama Resort in Ontario recently announced the theft of a variety of data including IT information, financial reports, security incident reports, Casino Rama Resort email, patron credit inquiries, collection and debt information, vendor information, and contracts and employee information such as performance reviews, payroll data, terminations, social insurance numbers and dates of birth. A man hacked into the website of the Indian state of Kerala’s government’s civil supplies department, stole information on all 8,022,360 of Kerala’s Public Distribution System beneficiaries and their family members, and then uploaded that information to Facebook. Recruitment firm Michael Page may have had as much as 30GB of data exposed when it was published to a publicly exposed website, according to researcher Troy Hunt. Hunt said multinational consulting and outsourcing firm Capgemini was behind the exposed data.
  • Retail woes both criminal and accidental: A&M has announced a payment card breach affecting customers who shopped at Annie Sez, Afaze, Mandee, Sirens and Urban Planet locations between November 2015 and August 2016. Australian discount department store Big W is apologizing to customers after a technical issue led to a small number of customers having the first stage of the online checkout process pre-populated with the personal information of another customer.
  • More ransomware attacks and payments: The office of Robert J. Magnon at Seguin Dermatology is informing patients of a September ransomware attack that likely accessed protected health information. The Lansing Board of Water & Light acknowledged it paid a $25,000 ransom after an employee opened an infected attachment and the resulting ransomware infection shut down the board’s accounting systems, email systems and phone lines.
  • Hacktivist attacks and sentences: A hacking group known as “Amn3s1a Team” claims to have stolen internal documents, source code and other information from the file-sharing site Mega.nz. ZDNet examined an 800-megabyte archive of source code — which appears to be related to its instant messenger service Megachat, the site’s Chrome browser extension, and a private RSA key. A 22-year-old Tennessee man and member of the NullCrew hacking collective has been sentenced to 45 months in prison for his role in hacking Bell Canada. Canadian prosecutors said the hackers exfiltrated millions of files from Bell Canada, and the man posted about 12,700 customer logins and passwords and tweeted a link to the data. A hacker going by the Twitter handle @CyberZeist announced that he had hacked the Windham County Sheriff’s Office, posted the stolen database on Pastebin, and was even offering to give away backdoor access.
  • Cybercrime goes virtual: A group of hackers wrote software that tricked Electronic Arts’ servers into thinking that thousands of FIFA soccer matches had been completed in order to “mine” FIFA coins, and that virtual currency was then sold via black market sites for millions of dollars in profits, according to a recently unsealed FBI indictment.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: “newly seen” cybercrime targets for the week]

Cyber Risk Trends From the Past Week

For the second week in a row, most sectors saw a decline in their overall SurfWatch Labs’ cyber risk scores. The financials sector saw the biggest drop and is now at its lowest score of all of 2016 after steadily declining throughout October.


Much of the discussion around cyber risk over the past month has been focused on issues related to DDoS attacks and Internet-connected devices. The most discussed new cybercrime event of the past week, by far, was the DDoS attacks against at least five of Russia’s largest banks. Reports indicate that the attacks were carried out over a two-day period and generally lasted for one hour each, although one attack lasted for almost 12 hours. The attacks were powered by around 24,000 compromised IoT devices across 30 countries, and Sberbank said the attacks were among the most powerful the bank had seen.

The concern around IoT devices has also led the Department of Homeland Security to release its Strategic Principles for Securing the Internet of Things (IoT), which is designed as “a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services, and systems.” The document contains six principles that would “dramatically improve the security posture of IoT,” and those principles are meant to be adapted and applied as needed.

In addition, the document outlines four key areas of effort going forward:

  1. Coordinate across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risks posed by IoT.
  2. Build awareness of risks associated with IoT across stakeholders.
  3. Identify and advance incentives for incorporating IoT security.
  4. Contribute to international standards development processes for IoT.

“We recognize the efforts underway by our colleagues at other federal agencies, and the work of private sector entities to advance architectures and institute practices to address the security of the IoT,” DHS wrote. “This document is a first step to strengthen those efforts by articulating overarching security principles. But next steps will surely be required.”

Weekly Cyber Risk Roundup: Services Get Disrupted and Hacking Elections

Distributed denial-of-service (DDoS) attacks and other incidents leading to service interruption have been widely discussed in the cybersecurity community ever since the October attack against DNS provider Dyn. This past week saw Mirai-driven attacks that reportedly knocked out Internet access for the entire country of Liberia; however, security researchers such as Brian Krebs noted that those news articles may have exaggerated the facts as there is little evidence “anything close to a country-wide outage” occurred as a result of the attack.


“While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to [substantiate] that,” Daniel Brewer, general manager for the Cable Consortium of Liberia, told Krebs.

Nevertheless, concerns around DDoS attacks remain high, and some have speculated that the attacks against Liberia and others may be test runs for a larger attack in the future.

In other service interruption news, two apartment buildings located in Lappeenranta, Finland, and managed by facilities services company Valtia had the systems that controlled central heating and warm water circulation disabled by a DDoS attack. The systems tried rebooting the main control circuit in response to the attack, the CEO of Valtia said, and this was repeated in an endless loop resulting in the heat not working for the properties. Also, an unspecified malware infection caused three UK hospitals to cancel operations, outpatient appointments and diagnostic procedures for three days while staff access to patient records was restored. According to The Sun, approximately 3,300 patients at hospitals in Grimsby, Scunthorpe and Goole were affected. The attacks led to a high-severity alert being issued to National Health Service providers reminding “all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”


Other trending cybercrime events from the week include:

  • Fraud and financial loss continue: Tesco Bank said the widespread criminal activity that led to the halting of online transactions has been narrowed down to £2.5 million in losses across 9,000 accounts – a drop from the 20,000 accounts previously reported. Sentinel Hotel is notifying customers of a breach after reports of unauthorized charges on guests’ payment cards led to the discovery of malware on a point-of-sale terminal. City of El Paso officials revealed the city was scammed out of more than $3 million via a phishing attack. The city has recovered about half of the money. A ransomware infection recently locked up several government systems in Madison County, Indiana, and county commissioners voted to pay the extortion demands in order to regain control of those systems.
  • Poor security leads to potential breaches: Researchers discovered that 128 car dealership systems were being backed up to a central location without any encryption or security, potentially exposing the personal information of both customers and employees. Cisco is warning job applicants that information on the Cisco Professional Careers mobile website may have been exposed as a result of an incorrect security setting following system maintenance. Newfoundland and Labrador’s privacy commissioner is ordering Eastern Health to examine controls around employees logging out of accounts after an incident in which a doctor failed to log out of Meditech patient information software and patient information was accessed and printed by an unknown person.
  • More breaches and data dumps: Two hackers claim to have used SQL injection to steal personal information from seven Indian High Commission websites and published the stolen databases in a Pastebin post. Anonymous Italia has defaced several police websites and leaked 70 megabytes of data presumably stolen from the databases of the Sindacato Autonomo Polizia Penitenziaria’s blog and its official monthly magazine. Integrity Transitional Hospital, based in Texas, recently reported a health data hacking incident that potentially affects the information of more than 29,000 patients.
  • Cybercrime leads to arrests: A man has been arrested for compromising more than a thousand university email accounts and then using that access to further compromise other social media and online accounts. The man allegedly accessed one university’s password reset utility approximately 18,640 different times between October 2015 and September 2016 and successfully changed the passwords for 1,035 unique accounts. An employee of Lex Autolease Limited pleaded guilty to selling the personal information of hundreds of customers to a third party. A 19-year-old hacker pleaded guilty to creating and running the Titanium Stresser booter service, which has been used in more than 1.7 million DDoS attacks worldwide.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: “newly seen” cybercrime targets for the week]

Cyber Risk Trends From the Past Week


Most industry sectors saw a slight decline in their SurfWatch Labs’ cyber risk scores this week. The biggest story of late, naturally, was the U.S. presidential election, and now that it is over, pundits from both sides are reflecting on how their candidates managed to win or lose the race. That examination includes the role that cybersecurity, hacking and data leaks may have played in the outcome.

In fact, back in August we posed that very question: would 2016 be the first presidential campaign ultimately swung by information obtained in a data breach? The answer remains uncertain. What is certain is that cyber-issues were put front-and-center in a way we have never seen in any other presidential election.

For example, in the days leading up to the election, WikiLeaks published 8,000 more leaked emails from the Democratic National Committee, dubbed #DNCLeak2. That dump came after a previous release of 20,000 emails from the DNC as well as 50,000 emails from Hillary Clinton aide John Podesta. The effect of those stolen emails being steadily leaked — and other cyber-issues such as Clinton’s personal email server — may be impossible to quantify, but they likely contributed in some way to nearly 60 percent of voters who perceived Clinton as a dishonest and untrustworthy candidate.

WikiLeaks founder Julian Assange wrote an election day post defending his actions and stating that publishing the stolen emails was not an attempt to influence the outcome of the election.

“We publish material given to us if it is of political, diplomatic, historical or ethical importance and which has not been published elsewhere,” Assange wrote. “At the same time, we cannot publish what we do not have. To date, we have not received information on Donald Trump’s campaign, or Jill Stein’s campaign, or Gary Johnson’s campaign or any of the other candidates that fulfills our stated editorial criteria.”

Clearly, Assange is saying if WikiLeaks did have information on other political candidates then that information would be made public as well — as it has in the past with the release of hundreds of thousands of emails related to the government of Turkey. WikiLeaks claims to be non-partisan, but other threat actors do have a biased agenda and those actors are likely to be emboldened by the success of this year’s election-related hacks.

As Wired wrote: “For Russia, [Trump’s win] will also be taken as a win for the chaos-injecting tactics of political hacks and leaks that the country’s operatives used to meddle in America’s election — and an incentive to try them elsewhere. … That Russia perceives those operations as successful, experts say, will only encourage similar hacks aimed at shifting elections and sowing distrust of political processes in Western democracies, particularly those in Europe.”

Those efforts are already underway, researchers have noted, with at least a dozen European organizations being targeted by groups linked to the Russian state since the hacks against the DNC. Whether this election was ultimately swayed by breaches and other cyber-issues may be up for debate, but what is clear is that political and advocacy organizations are actively being targeted and that threat actors will likely try to influence future elections across the globe to align with their goals.

Weekly Cyber Risk Roundup: Latest Breaches and Enhanced Security Standards

The massive distributed denial-of-service (DDoS) attack that disrupted websites and services on October 21 was the focal point of a large portion of cybercrime discussion last week. As we noted in a previous post, the attack against DNS provider Dyn has led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

According to some reports, the DDoS attack may have surpassed one terabyte per second of traffic; however, the latest analysis from Dyn indicates that the botnet behind the attack may have been much smaller than the initial reports of “millions.”

“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be,” wrote Scott Hilton, EVP of products at Dyn. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Other trending DDoS news includes the Syrian Cyber Army claiming responsibility for attacks against Belgian news organizations. The DDoS attacks made several news websites inaccessible or extremely slow, including De Standaard, Het Nieuwsblad, Gazet van Antwerpen, Het Belang van Limburg and RTFB. In another case of ideological hacktivism, Martin Gottesfeld, 32, was indicted for his role in DDoS attacks against Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network. Gottesfeld admitted to his involvement in #OpJustina in a written editorial, saying that the attack against BCH was designed to interfere with a fundraiser in order to cause maximum financial damage. Finally, The Guardian is reporting that financial institutions in London are stockpiling bitcoins in the event extortionists target them with powerful DDoS attacks.


Other trending cybercrime events from the week include:

  • Payment card breaches announced: Danish payment processor Nets is warning of a payment card breach that appears to be tied to a foreign-based Internet retailer and is advising banks to block up to 100,000 cards in order to prevent fraudulent transactions. A data breach at Hitachi Payment Services, which manages ATM network processing for Yes Bank, is suspected to be the cause of recent fraud that has led to banks in India either replacing or asking customers to change security codes on 3.25 million debit cards. A pro-Donald Trump super PAC known as Great America PAC has mistakenly published the credit card numbers and expiration dates of 49 donors. Last month the same super PAC exposed 336 donors’ email addresses and phone numbers.
  • Data breaches continue, both large and small: A Red Cross Blood Service database of 1.28 million donor records going back to 2010 was accidentally published to a webserver by a third-party contractor. A hacker known as Peace told Motherboard he hacked Adult FriendFinder and obtained a database of 73 million users, and another hacker known as Revolver or 1×0123 posted screenshots appearing to show he had access to the website’s infrastructure. A Ukrainian hacker group known as CyberJunta has released more than a gigabyte of emails stolen from the office of Russian politician Vladislav Surkov. Baystate Health is notifying about 13,000 patients that their personal information may have been compromised due to a phishing attack that was designed to look like an internal memo. Virgin Media potentially exposed the personal information of up to 50,000 people applying for jobs. Rocky Mountain Credit Union in Montana notified 135 of its members that their personal information may have been accidentally exposed due to an undisclosed security issue discovered on the website customers use to upload documents related to mortgage applications. The University of Santa Clara’s Office of Marketing and Communications had internal documents stolen and leaked to the student newspaper due to an employee leaving his or her username and password in plain sight at a workstation.
  • Update on cybercrime charges and arrests: The Booz Allen Hamilton contractor who was arrested for the possession of classified NSA materials allegedly had documents dating back to 1996 that were marked either “secret” or “top secret,” according to recent court filings. In total, investigators have seized more than 50 terabytes of information and thousands of pages of documents. Celebgate hacker Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced to 18 months in prison for using phishing emails designed to steal Apple and Google credentials and then using those stolen credentials to hack into more than 100 accounts. Authorities said there is no evidence that Collins was responsible for the leak of nude celebrity photographs tied to the hack. Yevgeniy Nikulin, the Russian man who was arrested in connection with the 2012 LinkedIn breach, has also been indicted for his alleged role in the breaches at Dropbox and Formspring, according to documents unsealed on Friday.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Note: Dyn, by far the top trending new target, is not shown in the chart below in order to make the other targets more readable.

[Chart: “newly seen” cybercrime targets for the week]

Cyber Risk Trends From the Past Week

The Financials sector’s cyber risk score peaked in early October, reaching its highest level since February 2016. Since then, it has steadily declined for most of the month — until the past week. This week’s rise in cyber risk score (+2.2%) was the biggest increase of any sector over the period.


Part of that may be tied to the recent payment card breaches highlighted above, which began at online retailers and other providers before moving to directly impact banks. For example, the chief executive of National Payments Corp of India said that the spike in reported fraud that led to advising banks to replace cards was tied to a possible compromise of one of the payment switch provider’s systems. Sources told Reuters that the issue stemmed from a breach in systems of Hitachi Payment Services, which is currently investigating the matter.

That interconnectivity of the Financials sector has led to concerns from government agencies, and the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation recently issued a joint proposal on enhanced cyber risk management standards to address those concerns.

“Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the proposal stated. “The enhanced standards would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management.”

The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

According to the proposal, “The agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or ‘sector-critical standards,’ applying to those systems of covered entities that are critical to the financial sector.”

The enhanced standards would apply to certain entities with total consolidated assets of $50 billion or more on an enterprise-wide basis, they added. Comments on the proposal are open until January 17, 2017.

Weekly Cyber Risk Roundup: Massive Data Dumps and More Insider Breaches

After a short period without seeing any new mega breach announcements, the past two weeks have seen several massive data dumps totaling more than 130 million records. In last week’s roundup, we mentioned a hacker going by the Twitter handle “0x2Taylor” who released 58 million records claiming to be stolen from an unsecured database. That leak has been attributed to Modern Business Solutions, but the company did not respond to numerous news outlets or sites that reached out to them about the breach.

It was also recently announced that gaming company Evony was hacked in June 2016 and more than 33 million user records were stolen. The compromised records contained usernames, email addresses, passwords, IP addresses and other internal data. LeakedSource said the passwords were stored using unsalted MD5 hashing and that they had already cracked “most” of the passwords.

On Thursday, a massive data breach was announced affecting Weebly, a popular web-hosting service featuring a drag-and-drop website builder. That breach included more than 43 million user records containing usernames, email addresses, passwords and IP addresses. The good news, LeakedSource wrote, was that the company actually responded to its notification attempts and “did not have [its] head buried deeply in the sand” like other companies it has attempted to notify of late. Also, the compromised passwords were stored using uniquely salted Bcrypt hashing. That’s good because as a hosting provider the breach not only affected tens of millions of users, but also tens of millions of websites.
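The storage schemes named in these breach reports (plain text, SHA1, unsalted MD5, uniquely salted Bcrypt) can be told apart in a defender's own credential table. The following is an added example, not code from SurfWatch Labs or LeakedSource: the rows are constructed, the function names are hypothetical, and PBKDF2 from the Python standard library stands in for Bcrypt as the salted scheme.

```python
import hashlib
import os
import re
from collections import defaultdict

# Layout of a bcrypt record: $2b$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(stored):
    """Guess the storage scheme of one stored credential value."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if stored.startswith("pbkdf2_sha256$"):
        return "salted-kdf"
    if HEX_RE.match(stored) and len(stored) == 32:
        return "md5-hex"        # fast hash, no visible salt
    if HEX_RE.match(stored) and len(stored) == 40:
        return "sha1-hex"       # fast hash, no visible salt
    return "plaintext-or-unknown"


def salted_record(password, iterations=100_000):
    """Store a password with a unique random salt and a slow KDF.

    PBKDF2 is used here only because it ships with Python; the
    record layout (scheme$iterations$salt$hash) is illustrative.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def audit(rows):
    """Return (count per scheme, groups of users sharing one stored value).

    Shared values are the visible symptom of unsalted storage: equal
    passwords give equal records, so one recovered value exposes every
    account in the group.
    """
    by_scheme = defaultdict(int)
    by_value = defaultdict(list)
    for user, stored in rows:
        by_scheme[classify(stored)] += 1
        by_value[stored].append(user)
    shared = sorted(sorted(u) for u in by_value.values() if len(u) > 1)
    return dict(by_scheme), shared


def sample_rows():
    """Constructed rows: every user has the same password on purpose."""
    pw = "constructed-example-password"
    md5 = hashlib.md5(pw.encode()).hexdigest()
    sha1 = hashlib.sha1(pw.encode()).hexdigest()
    return [
        ("alice", md5), ("bob", md5),          # unsalted MD5
        ("carol", sha1), ("dave", sha1),       # unsalted SHA1
        ("erin", pw),                          # plain text
        ("frank", salted_record(pw)),          # unique salt per record
        ("grace", salted_record(pw)),
        ("heidi", "$2b$12$" + "a" * 53),       # placeholder in bcrypt layout
    ]


if __name__ == "__main__":
    schemes, shared = audit(sample_rows())
    for name, count in sorted(schemes.items()):
        print(f"{name:22} {count}")
    print("users sharing a stored value:", shared)
```

Although all of the constructed users share one password, only the unsalted MD5 and SHA1 rows collapse into shared values; the two salted records differ from each other.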

As our Mid-Year 2016 Cybercrime Trends report noted, the credentials stolen/leaked tag appeared in 12.7% of the negative CyberFacts collected by SurfWatch Labs in the first half of 2016, a rise from 8.3% in 2015. A quick look at the updated data shows that since that report, that number has risen once again to 13.3% — driven, in part, by the more than 130 million records compromised in these three data breaches.


Other trending cybercrime events from the week include:

  • WikiLeaks, government leaks, dominate news: On Monday WikiLeaks tweeted that the Internet link for founder Julian Assange was intentionally severed by Ecuador. Ecuador later confirmed it was behind the interference due to WikiLeaks’ decision to publish documents affecting the U.S. election and Ecuador’s desire to not meddle in the election processes. That hasn’t stopped the ongoing leak of emails from Hillary Clinton’s campaign manager John Podesta, which was brought up several times during Wednesday’s presidential debate. Executive director of the North Carolina GOP Dallas Woodhouse is the latest official to have his email hacked. In this case it was used to send phishing emails to all of his contacts with a link to a fake Dropbox file titled “GOP-financial_Document.pdf.”
  • Financial information continues to be targeted: Axis Bank in India is investigating a cyber intrusion after being notified by Kaspersky Lab of a potential breach. Approximately 1,000 members of One Nevada Credit Union had their payment card information stolen via ATM skimming devices, and at least one member had $5,000 stolen due to the incident. Noble House Hotels & Resorts announced a point-of-sale breach affecting payment cards used at its Teton Mountain Lodge & Spa and Hotel Terra properties. According to the company’s press release, only customers who used their cards between September 5 and September 6 of this year were impacted.
  • Researcher’s computer infected, data stolen: A researcher at the University of Toyama’s Hydrogen Isotope Research Center had research data and personal information stolen from a personal computer after clicking on an attachment claiming to be questions from a student. Japanese news sources said that “huge volumes” of data were transmitted while the computer was infected. The data affected mostly included research that was either already published or slated to be published, as well as the email addresses of 1,500 people. The individual whose device was compromised was researching tritium, a radioactive isotope of hydrogen that may one day be used for fuel in nuclear fusion reactors.
  • More data breaches announced: CalOptima announced that 56,000 of its members may have had their personal information compromised when an employee downloaded their information onto a personal, unencrypted USB drive. Australian event management company Pont3 announced its third-party external electronic mailing account was accessed without authorization resulting in some participant, volunteer and associated information being stolen. redBus, an inter-city bus ticketing service founded in India, is investigating a possible data breach after being alerted of a potential intrusion; however, the company said it has not been able to conclusively establish a data breach.
  • Russian man tied to LinkedIn breach: A Russian man who was arrested by Czech police is connected to the 2012 data breach at LinkedIn, the company said on Wednesday, although officials have not publicly confirmed the connection. Russian news agency TASS indicated that Russia would fight any attempts to extradite the man to the U.S.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: “newly seen” cybercrime targets for the week]

Cyber Risk Trends From the Past Week

After several weeks of steady or dropping cyber risk scores, this week saw a consistent rise in risk across most sectors. Nine out of twelve sectors saw an uptick in cyber risk score when compared to the previous week, with Utilities (+10.9%) and Healthcare (+9.7%) seeing the biggest change. Government and Other Organizations experienced a rise of more than 6%, in part due to the many cyber-attacks and leaks tied to the U.S. presidential election.


Another reason for that rise is a steady trickle of small-scale data breaches tied to groups such as education and healthcare facilities. In a recent blog, we highlighted the difficult and growing problem of malicious insiders, but as that blog noted, the majority of insider incidents are unintentional errors committed by employees, vendors and third parties.

We saw several such news stories this past week:

  • Katy Independent School District in Texas experienced a data breach affecting 78,000 students after a third-party that works with the district’s student data management system accidentally copied student information and uploaded it to a security software application used by 29 other school districts.
  • Nearly 700 users of Vermont’s online health insurance marketplace had their information inadvertently exposed due to a subcontractor mishandling their data and making it publicly accessible. WEX Health was hired by Vermont to perform payment processing for the insurance exchange, and Samanage, a subcontractor for WEX Health, made a data file publicly accessible for nearly two months.
  • St. Joseph Health agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights over accidentally making electronic protected health information publicly accessible on the Internet from February 2011 until February 2012.

This week’s stories highlight the variety of ways a data breach can result from poorly trained employees and contractors, along with other poor risk management practices.

In the case of Katy Independent School District, an employee for SunGard K-12 mistakenly copied a file containing Katy ISD data into a standard installation pack for an information security software application. In the case of St. Joseph Health, a server that was purchased to store files included a file sharing application whose default settings allowed anyone with an Internet connection to access them. St. Joseph Health did not examine it or modify it after implementation, HHS wrote in a press release, leading to the ePHI of 31,800 individuals being compromised. That mistake cost St. Joseph a payment of $2,140,500 and the adoption of a comprehensive corrective action plan in order to settle potential HIPAA violations.

Those incidents, along with our previous blog on malicious insiders, serve as an important reminder that many data breaches do not come from outside the organization; rather, they come from within.

Weekly Cyber Risk Roundup: More POS Breaches and the Rise of Destructive Attacks

Massive distributed denial-of-service attacks and data breaches remained front and center in SurfWatch Labs’ cybercrime data this week as old attacks against Brian Krebs, OVH, Yahoo and others continued to be heavily discussed. But looking beyond those headline-grabbing stories, the data also reflects a surge in reports of stolen payment card information.

On Tuesday, University of Central Florida police announced they were able to tie a recent surge in fraud reports to malware on the systems of AD Food Services, which operates Asian Chao, Huey Magoo’s and the Corner Café in the Student Union.

On Wednesday, luggage and handbag company Vera Bradley announced a breach affecting retail stores. Law enforcement notified the company of a potential issue on September 15, and it was discovered that payment cards used at store locations between July 25, 2016, and September 23, 2016, may have been affected.

On Thursday, it was reported that Dutch developer Willem de Groot discovered skimming scripts on more than 6,000 online stores running vulnerable versions of the Magento ecommerce platform. The active operation is adding 85 stores each day, and de Groot estimates that the number of stolen cards is in the hundreds of thousands.

In addition, American 1 Credit Union in Michigan announced last week that it is temporarily blocking payments to all Wendy’s franchise locations due to ongoing fraud issues. Community members are reporting fraudulent activity on newly issued payment cards used at Wendy’s, suggesting that the malware issue may be ongoing for the fast-food chain. Like other credit unions, American 1 Credit Union reported its total losses related to the Wendy’s data breach are growing beyond the losses incurred from the 2014 Home Depot breach.


Other trending cybercrime events from the week include:

  • TheDarkOverlord extortion demands continue: Peachtree Orthopedic Clinic in Atlanta is notifying patients of a data breach after discovering unauthorized access into its computer system. After the clinic’s announcement, the actor known as TheDarkOverlord leaked documents allegedly stolen from the clinic and announced they had another 543,879 records containing personal and health information. Athens Orthopedic Clinic, another victim of TheDarkOverlord, confirmed that TheDarkOverlord demanded nearly $400,000 in ransom for the stolen patient data and threatened to call patients and publicly name the company if the clinic didn’t comply with the extortion demands.
  • Another massive breach reported: A hacker going by the name “0x2Taylor” has released 58 million records claiming to be stolen from Modern Business Systems (MBS), which offers in-house data management and monetization solutions to companies. MBS has not publicly confirmed the data breach, but researchers have confirmed that MBS was running an unsecured MongoDB database as the hacker suggested. The hacker also shared a screenshot indicating he or she has another database containing 258 million rows of data.
  • Beware of social engineering: An employee who clicked on a link that appeared to be for a Dropbox file led to a hacker targeting a customer of garden furniture company Gaze Burvill and requesting payment of £7,148 to a fraudulent bank account. Australian not-for-profit health fund CBHS said an unnamed third party has been breached and is warning customers to be on the lookout for phishing emails. The Clinton Foundation is warning that donors are being targeted with phishing messages. Indian police are investigating about 700 people over a scam where workers posed as IRS officials and duped U.S. citizens out of tens of millions of dollars. A Connecticut man has been charged with stealing login credentials from users of Dark Web marketplaces using a combination of phishing pages and port forwarding and then using those credentials to steal bitcoins.
  • Effective backups thwart ransomware: Hutchinson Community Foundation was infected with ransomware on September 19, but it was able to fully recover the data from backups without paying a ransom. Nevertheless, the foundation is notifying donors, vendors and other stakeholders that information may have been compromised during the attack.
  • Hackers continue to target U.S. political figures: The Twitter account of Hillary Clinton’s campaign chief, John Podesta, was hijacked and used to urge followers to vote for Donald Trump. In addition, screenshots circulating online suggest that Podesta’s iCloud account may have been compromised. Users on 4chan claimed that Podesta’s iCloud password, which was published by WikiLeaks, was still working; however, WikiLeaks said that it made sure the credentials were changed.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below. 


Cyber Risk Trends From the Past Week

SurfWatch Labs industry risk scores remained fairly stable. Other Organizations (+0.8%) – which includes groups such as education, advocacy and political parties – was the only sector to see a noticeable increase in risk score compared to the previous week.


Nation-state hacking remains one of the most talked about cyber risks, and that discussion grew more intense as the U.S. presidential elections moved into the final month. On Friday, the U.S. formally accused the Russian government of orchestrating the recent attacks against the Democratic National Committee and others in an effort “to interfere with the U.S. election process.” A statement from director of national intelligence James Clapper and the Department of Homeland Security said that they believe only Russia’s senior-most officials could have authorized the hacking efforts. That public accusation was followed by promises of a “proportional” response against Russia; however, White House Press Secretary Josh Earnest added that “it is unlikely that our response would be announced in advance.”

The U.S. isn’t the only country facing nation-state espionage. A Wednesday report from the Australian Cyber Security Centre said the 2015 hacking of the Australian Bureau of Meteorology’s network was carried out by foreign adversaries. That attack compromised government systems and led to the theft of sensitive documents, and after the attack officials estimated it would cost millions of dollars to plug the related security holes. The report also said that the attacks demonstrate a willingness of actors to use disruptive and destructive measures when targeting organizations.

That destructive nature is demonstrated by the April 2015 attack on France’s TV5Monde. A recent investigation linked the incident to the Russian hacking group APT 28 and revealed that the attack, which knocked 12 channels off the air, was designed to destroy the TV network. The attack turned out to be more sophisticated than initially reported, with the network first being infiltrated in January 2015 in order to conduct reconnaissance on the way TV5Monde broadcast TV signals. Seven points of entry were used, including a Netherlands-based company that supplied the remote-controlled cameras used in the network’s studios. According to the BBC, the attackers then fabricated malware designed to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations.

“It’s the worst thing that can happen to you in television,” Yves Bigot, the director-general of TV5Monde told the BBC. “We were a couple of hours from having the whole station gone for good.”

These attacks, ranging from influencing elections to destroying TV networks, are believed to be carried out by nation-states or other advanced actors who are increasingly using those disruptive and destructive tactics to achieve their goals – and with the U.S. promising retaliatory attacks, we can expect to see more such attacks in the near future.

Weekly Cyber Risk Roundup: Internet of Things Sparks Security Concerns

There has been growing concern around distributed denial-of-service (DDoS) attacks this week as the source code for the Internet-of-Things (IoT) driven botnet “Mirai” has been publicly released by a user on Hackforums. The Mirai botnet has been tied to the recent massive DDoS attack against Brian Krebs’ website and is made up of a growing number of Internet-connected devices.

The botnet includes a variety of compromised home and small office items such as routers, DVRs and security cameras – many of which use default usernames and passwords. The IoT devices are aimed at users often more concerned about convenience than security, and as Brian Krebs pointed out, even if users do take steps to secure devices by changing default credentials the malware may still spread.

Cybercriminal actors may use botnets like Mirai to create more powerful DDoS attacks against industries that are traditionally vulnerable to extortion, such as gaming and ecommerce, but the Mirai source code release also empowers actors looking to disrupt organizations for ideological or political reasons. For example, Newsweek alleged it was the victim of such an attack this week when its website was hit with a DDoS attack after publishing a story claiming that one of Donald Trump’s companies violated the Cuba trade embargo in 1998. In part due to that attack, consumer publishing was the most discussed industry group associated with cybercrime over the past seven days.

With Mirai added to the growing list of free tools available to actors, expect to see more DDoS attacks like the ones against KrebsOnSecurity and Newsweek, which appear to be aimed at silencing or punishing critics.


Other trending cybercrime events from the week include:

  • Another week, another list of companies hit with ransomware: Cloud service provider VESK paid £18,600 after being infected with a new strain of the Samas DR ransomware. The New Jersey Spine Center paid an undisclosed amount after a July CryptoWall attack encrypted all electronic medical records and the most recent backup as well as disabled the phone system. The forest department of the state government of Kerala in India was infected with ransomware known as RSA-4096. Urgent Care Clinic of Oxford is notifying patients that their data may have been compromised by what appears to be a ransomware attack. A “glitch” after a ransomware attack led the Marin Healthcare District and Prima Medical Foundation to notify more than 5,000 patients that some of their medical data has been lost, even though they paid the ransom.
  • Data exposed through mistakes and flaws: C&Z Tech Limited acknowledged that a database of more than 1.5 million user records was exposed online, but said that the leak was from a test database; however, ZDNet disputes that claim, writing that their own verification of the data found “no reason to believe that this is test or dummy data.” Census data on 96,000 employees of the Australian federal government was downloaded nearly 60 times before being removed from official websites.  A vulnerability discovered in the Charter Communications website could have exposed the personal information of customers. Customers of Ottawa marijuana dispensary chain Magna Terra Health Services had their email addresses exposed when an employee sent an email with 470 of their customers cc’d.
  • Alleged political dumps, both old and new: A hacker who goes by the name Guccifer 2.0 published an 860-megabyte file of donor information allegedly stolen from the Clinton foundation servers; however, a variety of news outlets have reported that the data appears to actually be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee. Berat Albayrak, Turkey’s Energy Minister and son-in-law of President Erdoğan, is the week’s second highest trending new target (after Newsweek) on the heels of hacking group RedHack leaking 17 gigabytes of data, which the group said was stolen by discovering Albayrak’s mobile operating system, writing an exploit to steal his password, and gaining access to his iPad after several weeks of attempts.
  • More data breach announcements: Hutton Hotel is notifying customers of a payment card breach affecting guests who placed hotel reservations during the period from September 2012 to April 2015, as well as those who made purchases at the onsite food and beverage outlets from November 2015 to June 2016. Hackers gained access to computer systems at Wheeler & Egger, CPAs and used the information to fraudulently file 45 tax returns. Apria Healthcare, a provider of home respiratory services and other medical equipment, is notifying patients that an employee’s email account was compromised.
  • Out with the old hacktivists, in with the new: Federal authorities in Chicago have charged two suspected members of the hacking group Lizard Squad for operating DDoS-for-hire websites. Although Lizard Squad has been quiet of late, other hacking groups continue to disrupt organizations. For example, OurMine defaced and deleted several articles on the BuzzFeed website in retaliation for a story claiming to have identified one of the group’s members as a Saudi teen called “Ahmad Makki.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Insulin Pump Vulnerability and Other Advisories

The focus on IoT devices was prevalent throughout SurfWatch Labs’ data this week. In addition to all of the botnet-related discussion, Johnson & Johnson announced a security vulnerability in its Animas OneTouch Ping insulin pump that could be exploited to overdose diabetic patients with insulin.

The Reuters story cited medical device experts who claim this is the first time a manufacturer has issued such a warning to patients about a cyber vulnerability in their devices; however, the company’s letter to patients described the risk as “extremely low.”

“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network,” the letter said.

The issue, which was discovered by Rapid7 researcher Jay Radcliffe, is that a hacker can spoof communications between a wireless remote control and the insulin pump since that communication is not encrypted. About 114,000 patients use the device in the United States and Canada.

The company said that if patients were concerned, they could stop potential attacks by discontinuing use of the wireless remote control and programming the pump to limit the maximum insulin dose. Johnson & Johnson said it first reviewed the vulnerability with the FDA, which issued draft guidance on managing cybersecurity vulnerabilities in medical devices in January.


Other noteworthy advisories and cybercrime news from the week include:

  • 68 million stolen Dropbox credentials published online: The previously stolen database of more than 68 million user records has been published online by Thomas White on his I’m Cthulhu blog. Nearly half of the passwords are secured with the strong hashing function bcrypt, Motherboard wrote. The other half appear to use the older SHA-1 algorithm. The publication adds to the already massive list of now-public user credentials.
  • Vulnerability discovered in OpenJPEG: Cisco Talos researchers have disclosed a zero-day vulnerability in the jpeg2000 image file format parser as implemented in the OpenJpeg library. The vulnerability can lead to an attacker executing arbitrary code. “For a successful attack, the target user needs to open a malicious jpeg2000 file,” the researchers wrote. “The jpeg2000 image file format is mostly used for embedding images inside PDF documents and the OpenJpeg library is used by a number of popular PDF renderers making PDF documents a likely attack vector.”
  • Users report suspected malvertising on Spotify: Users of Spotify’s free desktop streaming service are reporting strange behavior that is suspected to be related to malvertising. “If you have Spotify Free open, it will launch – and keep on launching – the default internet browser on the computer to different kinds of malware/virus sites. Some of them do not even require user action to be able to cause harm,” wrote one user. “I have 3 different systems (computers) which are all clean and they are all doing this, all via Spotify – I am thinking it’s the Ads in Spotify Free. I hope this has been noticed and Spotify staff are fixing it – fast.”
  • TalkTalk fined £400,000 over data breach: The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to TalkTalk over a data breach that “could have been prevented if TalkTalk had taken basic steps to protect customers’ information.” In October 2015, a hacker used SQL injection to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In more than 15,000 cases, bank account details and sort codes were also compromised. “The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009,” the ICO said. “TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.”

SurfWatch Labs collected data on a variety of cybercrime advisories over the past week. Some of the trending practice tags associated with those advisories are shown in the chart below.


Weekly Cyber Risk Roundup: Executives Scrutinized Over Cyber-Issues

What’s Everyone Talking About? Trending Cybercrime Events

Yahoo was the week’s top trending cybercrime target as the fallout of a breach affecting more than 500 million accounts continues to play out. CEO Marissa Mayer has faced intense scrutiny from lawmakers and others over the handling of the company’s cybersecurity.

A Wednesday New York Times article citing a group of current and former employees painted a picture of Mayer as a CEO that often clashed with the security side of the organization over spending and refused to take action in several instances – including rejecting an automatic reset of user passwords after discovering a breach.

“Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services,” the Times wrote.

A group of senators issued a letter to Mayer calling the two-year gap between the initial breach and announcement of the breach “unacceptable.” Sen. Mark Warner is also urging the Securities and Exchange Commission to investigate whether Yahoo properly informed investors of its data breach after reports surfaced indicating that Mayer was aware of the breach as early as July of this year.

“Yahoo has been engaged in an effort to sell its Internet business, including the unit affected by the breach, to Verizon since at least July 25, 2016, yet Yahoo reportedly did not inform Verizon of the breach until September 20, 2016,” Sen. Warner wrote in a letter to the SEC. “More puzzlingly, the company noted in a proxy statement as recently as September 9, 2016 that, ‘To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems.’”

Mayer isn’t the only CEO to come under fire from lawmakers this week. Wells Fargo CEO John Stumpf has become the butt of jokes on late night talk shows after being publicly lambasted by members of the House Financial Services Committee over the bank fraudulently opening more than 2 million customer accounts without their knowledge. Sen. Elizabeth Warren has repeatedly called for Stumpf to resign, and Rep. Michael Capuano said yesterday that Stumpf is “clearly and unequivocally guilty” of a range of crimes related to the scheme, including conspiracy to commit fraud, conspiracy to commit identity theft and racketeering. The backlash led to Wells Fargo announcing this week that Stumpf and former head of community banking Carrie Tolstedt would not receive a total of $60 million in unvested equity awards.

In addition to angry lawmakers, a group of former employees is suing the company, saying that they were forced to choose between either committing fraud by opening unauthorized accounts or losing their job. That lawsuit adds to a growing list of lawsuits that have been filed against both Wells Fargo and Yahoo.


SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart above.

Cyber Risk Trends From the Past Week


The financials sector was among the biggest risers in cyber risk this week as its SurfWatch Labs cyber risk score rose nearly 5.7 percent compared to the previous week. Much of that was driven by chatter on the Dark Web and data leaks such as the one impacting California investment bank WestPark Capital.

On Sunday, a hacker or group of hackers known as TheDarkOverlord released about 20 files allegedly stolen from WestPark Capital after an unsuccessful ransom attempt against the company. In a Pastebin post, they also claimed that other groups were using their name to perform attacks.

The “signature” business proposal referenced in the Pastebin post is likely similar to the series of extortion attempts the group made earlier this year against various healthcare organizations. TheDarkOverlord has frequently used the media and leaked samples of stolen data to build up a reputation as a legitimate threat and to put pressure on victim companies in hopes that they will decide to pay the group’s ransom demands.

This is the first instance SurfWatch Labs has observed TheDarkOverlord targeting financial organizations, but – if the group’s Pastebin post is to be believed – the media attention is leading to copycats using both TheDarkOverlord’s name and extortion methods. Similar attacks may occur in the future.

Other trending cybercrime events from the week include:

  • State-Sponsored Actors Target Government: Data breaches previously attributed to nation-state actors trying to de-legitimize the outcome of the upcoming U.S. elections have widened. Law enforcement officials now believe about 10 state election databases have had their systems probed or breached, and the FBI is reaching out to some Democratic Party staffers to investigate possible hacking into cell phones. However, despite all the attention on state-sponsored actors, a new SurfWatch Labs report noted that hacktivists tend to make up the bulk of government-related cyber-attacks, such as the Monte Melkonian Cyber Army leaking data claiming to be from Azerbaijani military, police and bank servers this week.
  • Employees Continue to Cause Data Breaches: A former Verizon Wireless technician pleaded guilty to using Verizon computer systems to access call records and locations of customers and then sending that information to a private investigator. Congressman Mike Honda is suing Ro Khanna, the man he’s running against in the November 2016 election, over a former intern allegedly stealing thousands of donors’ information from an old Dropbox account years after his access should have been revoked. A former employee of Alberta Hospital Edmonton inappropriately accessed the records of 1,309 patients over an 11+ year period. A former employee of Mastic Beach village impersonated the chief of police and illegally accessed information on 488 Mastic Beach residents. Sensitive Medicare information on Australian citizens was uploaded to the Internet several months ago, potentially putting patients at risk. A software update to the Alberta College of Paramedics’ (ACP) navigation portal led to a security breach.
  • Hackers Cause Plenty of Data Breaches Too: A hacker said he downloaded more than 2.2 million email addresses and plaintext passwords from social hangout site i-Dressup and that the entire database of 5.5 million entries could be stolen using an SQL injection attack. The entire Florida Bar Association database appears to have been stolen including email addresses, phone numbers, fax numbers, mailing addresses and more, according to databreaches.net. NZME, a media company in New Zealand, said that details of competition entrants may have been accessed due to a cyber-attack on a third-party cloud server. Software company Jive is asking some users of its task management software Producteev to reset their passwords after an August data breach that exposed some email addresses and passwords.
  • Worry Over Terrorism and Hacking: A hacker who helped to publish a “kill list” of 1,300 U.S. military and other government personnel has been sentenced to 20 years in prison. “This case represents the first time we have seen the very real and dangerous national security cyber threat that results from the combination of terrorism and hacking,” said Assistant Attorney General Carlin.

 

Weekly Cyber Risk Roundup: Yahoo One of Many New Data Breaches


The past week has been full of various data breach announcements that have flown mostly under the radar. One exception is the breach at the World Anti-Doping Agency (WADA). New batches of information on Olympic athletes continue to be leaked, and the Entertainment sector’s cyber risk score has steadily risen to reflect those leaks. Another exception, and one of the biggest data breach stories of the year, is Thursday’s announcement from Yahoo that 500 million users had their information stolen in late 2014 by alleged state-sponsored hackers.

The theft includes names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

The New York Times described the Yahoo breach as “the biggest known intrusion of one company’s computer network.” U.S. Sen. Richard Blumenthal said that if claims that Yahoo knew about the breach since August are true, taking two months to inform users is “a blatant betrayal of their users’ trust.” Sen. Mark Warner is using the incident to push for the adoption of a uniform data breach notification standard.

The Yahoo breach is just the latest example of years-old breaches that have come to light in recent months and affected tens or, in Yahoo’s case, hundreds of millions of individuals. The already massive list of potentially exposed passwords continues to grow, making good password hygiene more important than ever. But the Yahoo breach highlights another nagging problem: the use of static, knowledge-based authentication questions.

From Yahoo’s announcement:

“We invalidated unencrypted security questions and answers so they cannot be used to access an account. … Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.”

Except unlike passwords, static-based questions cannot be changed. How do you change your mother’s maiden name, your favorite teacher, or the name of your first pet? Fake answers can be used – and they are more secure – but what percentage of people will actually take that extra step?

A February survey from password manager LastPass indicates the majority of people are still reusing passwords. Fifty-nine percent of respondents said they reuse passwords across multiple services and 61% said they are more likely to share work passwords than personal passwords.

Organizations need to be aware of recent credential breaches, inform and train users about the threat, and ensure that password policies and procedures reflect the current level of risk surrounding compromised credentials.

What’s Everyone Talking About? Trending Cybercrime Events


In addition to the highly-publicized data breaches from Yahoo and WADA, many other companies made data breach announcements over the past week.

Some of those apparent breaches are sparse on details – such as the FBI seizing computers at Camden County Courthouse in Missouri or office supplies firm AF Smith taking its Apple website offline after fears of a payment card breach – however, many of this week’s announcements showcased the various ways in which a data breach can occur.

Data breaches were caused by:

  • Unauthorized access: Codman Square Health Center is notifying patients of a data breach after an unauthorized individual accessed information through the New England Healthcare Exchange Network. Mobile review site MoDaCo said a data breach of 875,000 accounts likely occurred by way of a compromised administrator account. A Florida man has been arrested on charges of hacking into computers operated by the Linux Kernel Organization and the Linux Foundation using compromised credentials. A Kennesaw State University student used a professor’s account to hack into the school’s system to change grades and steal personal information. Police also discovered the usernames and passwords of at least 36 faculty members in a notebook in his home. The Pokemon battle simulator Pokemon Showdown was breached and the hacker was able to steal a database dump by compromising an administrator’s credentials via social engineering and then using a privilege escalation vulnerability.
  • Improper court filings: WakeMed Health and Hospitals has been ordered by a federal judge to notify thousands of patients that their personal and medical information was disclosed in court filings over a six-year period.  Most of WakeMed’s bankruptcy claims were filed by now-retired employee Valeria Soles. In court testimony, Soles said she had no training and no supervision with regard to filing claims and that no one else in her department knew how to file bankruptcy claims.
  • Missing devices: The University of Ottawa is investigating the disappearance of an external hard drive containing the personal information of approximately 900 students. According to CBC News, the hard drive was used to back up personal information on students with physical or learning disabilities or mental health issues that applied for special academic accommodations.
  • Employee error: The recent leak of NSA hacking tools by a group known as Shadow Brokers is suspected to have originated with an employee or contractor who made the mistake three years ago. The theory is that tools were left on a remote computer during an operation and that Russian hackers eventually found them.
  • Third parties: A data breach at the payroll service used by Oconee County, South Carolina, led to 230 county employees not receiving their scheduled direct deposits. The investigation is ongoing and the source of the breach is currently unknown.
  • Cybercriminal hackers: Hackers claim to have stolen a database from Australian point-of-sale vendor H&L Australia, and the alleged 14.1 gigabytes of data along with an active backdoor to the company’s network was apparently offered for sale more than two months ago.

In addition to the data breaches listed above, SurfWatch Labs also collected data on many different companies tied to cyber-attacks and illegal trading over the past week. Some of those newly seen targets are shown in the chart below.


Weekly Cyber Risk Roundup: Ransomware Ups the Ante and Other Headlines


Three of this week’s top four trending industry targets centered around DDoS attacks. Linode, which made last week’s roundup over reported DDoS attacks, was targeted once again. The cloud hosting company has seen DDoS attacks throughout the month, with the latest attack coming on September 13, according to company logs. Additionally, Brian Krebs’ website was hit with DDoS attacks after his reporting on the booter service VDoS led to the arrest of two young Israeli men who allegedly ran the cybercrime-as-a-service operation.

Trending new data breaches and cyber-attacks recently observed in SurfWatch Labs’ data are shown below.


Noteworthy cybercrime events from the past week include:

    • Variety of New Breaches Reported: Dutch news sources are reporting that hackers have stolen 22 gigabytes of data from municipal servers in Almelo, though at the moment it is unclear what data may have been compromised. London-based VoIP Talk is emailing customers about a potential breach after discovering “attempts to exploit vulnerabilities in our infrastructure to obtain customer data.” The paid-to-click site ClixSense suffered a data breach in which a hacker exposed 2.2 million subscriber identities and put another 4.4 million up for sale. The Exile Mod gaming forum website was hacked and the personal details of nearly 12,000 users were posted online by a group going by the name “Expl.oit.” EurekAlert!, which is used to distribute scientific press releases, temporarily shut down its website after a breach compromised usernames and passwords and two embargoed news releases were prematurely released. The personal information of 29 Olympic athletes has been stolen from the World Anti-Doping Administration. Finally, a data breach at Regpack, an online enrollment platform serving the private education industry, has led to 324,000 people having personal information exposed.
    • More Extortion Attacks: A hacker attempted to extort Bremerton Housing Authority in Washington for 6 bitcoins (around $3,700) after gaining access to its website and stealing a database of 1,100 client names and the last four digits of Social Security numbers. University Gastroenterology in Rhode Island is notifying patients of a data breach after what sounds like a ransomware attack. In its notification letter, it wrote that an unauthorized individual had gained access to an electronic file storage system from Consultants in Gastroenterology, which it acquired in 2014, and “encrypted several files.”
    • Political Parties Continue to be Targeted: State Democratic Party officials are being breached and impersonated by hackers, according to a warning from the Association of State Democratic Chairs. The message urged recipients to avoid searching the leaked DNC information posted by WikiLeaks due to concerns over malware being embedded in the links. Additionally, a “serious misconfiguration” on Donald Trump’s website exposed the resumes of prospective interns, according to security researcher Chris Vickery.
    • Stolen Laptops Continue: M Holdings Securities, a subsidiary of M Financial Holdings, had a password-protected laptop with information on 20,000 clients stolen from the trunk of an employee’s car on July 29. Roughly 2,000 of those clients had Social Security numbers potentially compromised. U.S. Healthworks began notifying 1,400 patients of a data breach earlier this month after a laptop and the laptop’s password were stolen from an employee.

Other Notable Cyber Risk News


This week saw little movement among most sectors’ overall cyber risk scores. Other Organizations – which includes groups such as political parties, schools, and charities – saw the week’s biggest rise in risk, up 1.6%.

Ransomware was at the forefront of much of the week’s cybercrime news. CBC News reported that a school board and a support group for cancer patients, both in Canada, were infected with the Zepto ransomware, and the actor behind the attack demanded $20,000 in payment to decrypt the files. Those high prices may become more commonplace, the FBI warned in an alert published on Thursday. Recent ransomware variants have been seen targeting vulnerable business servers rather than individual users, and the actors behind these targeted attacks have been upping their ransom demands as the data they encrypt grows more valuable.

“This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files,” the alert warns. “Recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

The FBI isn’t the only government agency warning of the threat. In July, the Department of Health and Human Services stated that PHI being encrypted by ransomware qualifies as a “breach” in most circumstances, and FTC chairwoman Edith Ramirez warned this week that “a company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”

It’s worth taking a moment to review this week’s advice on combatting ransomware from the FBI alert:

  • Regularly back up data and verify the integrity of those backups. Backups are critical in ransomware incidents; if you are infected, backups may be the best way to recover your critical data.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might include securing backups in the cloud or physically storing them offline. It should be noted, some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real-time, also known as persistent synchronization.
  • Scrutinize links contained in e-mails and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust. When possible, verify the integrity of the software through a digital signature prior to execution.
  • Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Disable macro scripts from files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office Suite applications.
  • Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.
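The last recommendation above can be tested against existing process-creation logs before any restriction is enforced, to see which launches a path-based deny rule would block and which legitimate per-user programs would need an exception. The following is an added example, not code from the FBI alert or the original post; the path patterns, the `ExampleApp` allowlist entry, and the sample records are assumptions constructed for illustration.

```python
import ntpath
import re

# Deny rules modelled on commonly used software-restriction path rules; the
# patterns are assumptions for this example, not text from the FBI alert.
# Most specific first: the first matching rule names the finding.
RULES = [
    ("archive-temp", r"\\appdata\\local\\temp\\(7z|rar\$|wz|temp\d+_)[^\\]*\\.+"),
    ("browser-cache", r"\\appdata\\local\\microsoft\\windows\\"
                      r"(inetcache|temporary internet files)\\.+"),
    ("temp", r"\\appdata\\local\\temp\\.+"),
    ("appdata", r"\\appdata\\(local|locallow|roaming)\\.+"),
]
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")
# Hypothetical per-user application that must keep running from AppData.
ALLOW = [r"\\appdata\\local\\exampleapp\\updater\.exe$"]

SAMPLE_EVENTS = [  # constructed process-creation records: (host, image path)
    ("ws-014", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("ws-014", r"C:\Users\jdoe\AppData\Local\Temp\7zO4C1A2B3\invoice.exe"),
    ("ws-022", r"C:\Users\asmith\AppData\Local\Temp\Temp1_scan.zip\scan.scr"),
    ("ws-022", r"C:\Users\asmith\AppData\Roaming\svch0st.exe"),
    ("ws-031", "C:/Users/bkim/AppData/Local/Temp/../Temp/setup.EXE"),
    ("ws-031", r"C:\Users\bkim\AppData\Local\ExampleApp\updater.exe"),
    ("ws-040", r"C:\Users\lee\AppData\Local\Microsoft\Windows\INetCache\IE\AB12\doc.exe"),
]

def normalize(path):
    """Collapse '..' segments and '/' separators, then lowercase."""
    return ntpath.normpath(path).lower()

def classify(path, allow=ALLOW):
    """Return the name of the deny rule a process image would hit, or None."""
    p = normalize(path)
    if not p.endswith(EXECUTABLE_EXTS):
        return None
    if any(re.search(a, p) for a in allow):
        return None
    for name, pattern in RULES:
        if re.search(pattern, p):
            return name
    return None

def audit(events, allow=ALLOW):
    """List (host, image, rule) for every event a deny rule would block."""
    hits = [(host, image, classify(image, allow)) for host, image in events]
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for host, image, rule in audit(SAMPLE_EVENTS):
        print(f"{host}  {rule:<13}  {image}")
```

Calling `classify` with `allow=[]` shows what the broad AppData rule would block without exceptions, which is the list to review before switching from auditing to enforcement.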

Tracking the exact number of ransomware victims is difficult, the FBI said, since many attacks go unreported. The FBI is urging victims to report ransomware incidents regardless of the outcome so that they can better understand who is behind the attacks and how they operate.