SurfWatch Labs, Inc.

Preparedness & Cyber Risk Reduction Part Four: Awareness and Operational Training

In our ongoing series on Preparedness & Cyber Risk Reduction, we’ve discussed an “Introduction to the Preparedness Cycle” and we’ve explored the topics of preparedness and operational planning, and organizing and equipping. In our sustained effort to reduce risk through proper preparedness, we’ll tackle the next critical step in the Preparedness Cycle — training.

To effectively support our efforts to reduce organizational risks — which we defined as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” — we want to ensure our personnel are properly trained. Obviously, an organization conducts a variety of types of training and not all is relevant to preparedness (though a lot does impact broader risk management, such as some of the training that may be delivered by Human Resources). The focus of this article is specifically on two types of training: Threat Awareness Training and Operational Training.

FEMA states that, “Training provides first responders, homeland security officials, emergency management officials, private and non-governmental partners, and other personnel with the knowledge, skills, and abilities needed to perform key tasks required by specific capabilities. Organizations should make training decisions based on information derived from the assessments, strategies, and plans developed in previous steps of the Preparedness Cycle.”

I agree with FEMA’s definition, but, regrettably, it is incomplete. Our approach is to certainly encourage Operational Training to arm personnel “with the knowledge, skills, and abilities needed to perform key tasks required by specific capabilities,” often relating to the plans, procedures, systems, and equipment we put in place in the previous steps of the Preparedness Cycle but, in addition to Operational Training, it is critical that personnel have a sound understanding of the threat environment. Our motto at Gate 15 is to apply a “threat-informed, risk-based approach to analysis, preparedness and operations.” To do that right, training needs to include efforts aimed at educating personnel on the varied threats they may encounter in the workplace (and perhaps more broadly). We consider that Threat Awareness Training.

Organizations face a wide array of threats to their operations, people, and facilities. With limited time and resources, training can’t address every threat. To help prioritize training activities and emphasis, leaders should apply a threat-informed but risk-based approach to planning, developing, and conducting training. That means understanding the threats, conducting a risk assessment, and prioritizing the greatest risks as primary areas of focus. In today’s environment, an organization, we’ll call it Acme Innovations, may conduct a risk assessment and determine that Acme’s greatest areas of concern are hostile events at the workplace, a severe earthquake, a significant data breach, and being infected with ransomware.

If you recall from Part Two of this series, we said that, ideally, organizations will have a Preparedness Champion who can help develop and maintain a multi-year training and exercise program. This program — informed by a prioritized risk assessment — should detail a training schedule and progressively challenging exercises over a few years’ period. Developing a multi-year preparedness program helps protect time and allows leaders to plan for and commit funding to support the activities. Even if the details of an event change, the time and resources will be there. In Part Two of this series we met Johnny, who it turns out, is Acme Innovations’ Preparedness Champion. Johnny’s multi-year preparedness program includes Acme’s preparedness priorities, focused on the four areas noted above. For this post, let’s focus on the concerns around ransomware.

Operational Training: Based on Acme Innovations’ preparedness priorities, Johnny’s multi-year preparedness program includes a deliberate approach to reduce the risks associated with the threat of ransomware. Johnny has worked with colleagues from across Acme Innovations to develop a Ransomware Response Plan, which they’ve included as an annex to the broader Acme Innovations Incident Management Playbook. The Plan includes specific actions for personnel to take upon identifying a possible ransomware infection. Those include immediate individual actions to take, who to report the incident to, what actions Acme’s security team and IT support teams are to take, key decisions and who is responsible for them, and other details developed through the process of Operational Planning. Over the next three months, Johnny and Acme’s corporate trainer are conducting training on that plan and the expected actions of all involved parties, to ensure Acme personnel understand their individual and team responsibilities in the event of a possible ransomware infection. At the end of the three-months, Johnny is leading a tabletop exercise with key leaders and responders to validate the plan and he wants everyone to know their roles and responsibilities ahead of time. But, wait – that’s the next part of this series!
Threat Awareness Training: While Johnny and the trainer are training the organization on how to respond to a possible ransomware incident, Johnny knows that ideally, Acme will avoid getting infected in the first place. So, Johnny has done his homework, he’s looked at some of the great online resources that address ransomware, and he’s working closely with Acme’s security team to better understand how ransomware works and how it may be delivered. With his colleagues, he’s developed a deliberate Threat Awareness Training Plan to educate Acme Innovations personnel on what ransomware is, how it can enter a network, what the implications of that are, how individuals can help to reduce the risk of infection, and other nuggets he’s learned through his discussions and research. With that, he’s excited as he starts implementing his plan and educating his coworkers! Once again, good job, Johnny!

As we noted in Part Three, FEMA describes the core capability cybersecurity as protecting, and if needed, restoring, “electronic communications systems, information, and services from damage, unauthorized use, and exploitation.” Johnny’s efforts are directly supporting that for Acme Innovations but Acme knows that their threats are more than just cybersecurity. We identified Acme’s concerns above but for your organization, whether your emphasis is on health issues – such as the impacts of a potential pandemic, or natural disasters – maybe annual spring flooding or perhaps you’re in an area that is more likely to experience high-impact hurricanes, or physical security threats – such as workplace violence, the same approach to training applies. Addressing your prioritized risk concerns, both Operational Training and Threat Awareness Training should be included in your multi-year preparedness program.

But, wait, we said above that we only have limited time and resources for training. How do we get all this done?!?! Well, different organizations will approach training, and all aspects of preparedness, differently and will allocate varying amounts of time for it. Some will choose to conduct annual training days, whereas others will approach things in smaller, more frequent iterations. Some will conduct all training with internal resources, whereas some may bring in professional trainers for some, or all, of the training. Different approaches will make more or less sense for different organizations and for different threat concerns. Hurricane training may be something your organization does on an annual basis, whereas ransomware training may come in the form of a quick update every couple weeks. It will be up to you to determine the approach that makes the most sense for your organization based on your understanding of the threats, your risk assessment, your priorities, and your available time and resources.

With cybersecurity, there is abundant information available online about the array of potential threats and easy-to-find examples of real incidents. There is also a lot of great information on how to conduct training. Yes, of course, our team at Gate 15 is happy to help you develop your multi-year preparedness program and to support your operational and threat awareness training (!) but you can leverage some great free resources to help inform and support your program as well.

What’s most important is that as an organization, you follow Acme’s example, assign a responsible champion and dedicate the necessary time to plan and conduct both operational and threat awareness training. As you progress through the Preparedness Cycle, each step builds and enhances the work of the previous step. Having effective plans, people, and equipment in place, it is vital that you give them the necessary training to understand the threats your organization is most concerned about, the risks those threats pose, and the actions you need them to take. This further enhances our preparedness and resilience, minimizing the impacts of incidents and facilitating a quick return to normal operations when they do occur. With a solid training program in place, we move onto the next step in the Preparedness Cycle. In the next installment we’ll address exercises, where we have the opportunity to test and validate all the good work we’ve done!

Weekly Cyber Risk Roundup: Industroyer Malware and Fines for Delayed Breach Notification

Ukrainian power utility Ukrenergo was back in the news as the top trending cybercrime target after researchers analyzed new samples of a destructive malware, dubbed “Win32/Industroyer,” which they said was likely used in the December 2016 attack against the Ukrainian power grid.

“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly,” ESET researchers wrote. “To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).”

The Industroyer malware uses four payload components designed to gain control of switches and circuit breakers, with each component targeting a particular communication protocol: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA). The malware is notable as it “is capable of doing significant harm to electric power systems and could also be refitted to target other types of critical infrastructure.”

Hackers may have hidden in Ukrenergo’s IT network undetected for six months before carrying out their December 2016 attack, which led to a power blackout in Kiev that lasted a little over an hour. Although it’s not confirmed, it is “highly probable” that Industroyer was used in that incident. The Ukrenergo attack occurred a year after a similar attack against Prykarpattyaoblenergo, which caused approximately 230,000 people to lose power. Researchers have warned that both of those incidents in Ukraine could be tests for potential attacks against Western countries’ critical infrastructure facilities in the future.

Other trending cybercrime events from the week include:

FIN10 targeted mining companies and casinos: A financially-motivated hacking group known as FIN10 spent at least three years infiltrating computers at several unnamed Canadian mining companies and casinos, stealing sensitive data, and then holding it for ransom. According to researchers, the attacks targeted sensitive files such as corporate records, private communications, and customer information, and the ransom demands ranged between 100 and 500 bitcoin. The hackers were also able to essentially shut off the production systems of some mines or casinos that did not comply, making them unable to operate for a period of time.
Updates on previously disclosed attacks: The attackers behind the 2015 attack against TV5Monde conducted reconnaissance inside the TV5Monde network for three months before launching a sabotage operation that knocked multiple channels offline and compromised multiple social media accounts. France’s national cybersecurity agency said that the attackers used a compromised third-party account that allowed them to connect to the TV5Monde VPN and that once they were inside the network they used one of two camera-control servers as a beachhead for privilege escalation. The agency also noted that the attackers were able to create their own admin-level account in Active Directory and used the IT department’s wiki to gain information. GameStop is notifying an undisclosed number of online customers that their payment card details were stolen between August 10, 2016 and February 9, 2017. The breach was acknowledged by GameStop in April, but the company only recently began notifying affected customers. Cowboys Casino in Alberta said that data stolen from a breach last year has been posted online and that the hackers are threatening to post more data next week. WikiLeaks’ latest dump of CIA documents is CherryBlossum, a project that is focused on compromising wireless networking device.
Universities targeted: Southern Oregon University said it sent $1.9 million to a malicious actor impersonating Andersen Construction, a contractor that is working on the McNeal Pavilion and Student Recreation Center construction project. University College London said that a major ransomware attack occurred on June 14 and disrupted access to a number of users’ personal and shared drives for several days after UCL users visited a compromised website. Ulster University in Northern Ireland was infected with ransomware that affected a “significant number of file shares” due to a “zero day attack.” The initial attack occurred on June 14, and the university said it believes they are will be in a position to restore the file share service by late morning on June 19.
Other notable incidents: A database containing the personal information of 6 million users of online survey site CashCrate was stolen by hackers due to an apparent compromise of third-party forum software. A developer at Tata Consultancy Service in India posted the source code and internal documents for a number of unnamed financial institutions to a public GitHub repository. Italy’s data protection authority said that Wind Tre, the country’s biggest mobile operator in terms of mobile SIMs, must notify customers of a March 20 data breach that affected 5,118 customers. A hacker pleaded guilty to the 2014 theft of hundreds of user accounts from a U.S. military communications system, an intrusion that the Department of Defense said cost $628,000 to fix.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

New York’s attorney general Eric Schneiderman announced last Thursday that CoPilot Provider Support Services must pay $130,000 in penalties as well as reform its legal compliance program over violations related to delayed notification of a breach.

According to the attorney general, an October 2015 data breach of CoPilot’s website administration interface, PHPMyAdmin, allowed an unauthorized user to download reimbursement-related records for 221,178 patients, including their names, genders, dates of birth, addresses, phone numbers, and medical insurance card information. However, CoPilot did not begin formally notifying affected consumers until January 2017, more than a year after the incident occurred — an “unacceptable” violation of New York law.

“Although CoPilot asserted that the delay in providing notice was due to an ongoing investigation by law enforcement, the FBI never determined that consumer notification would compromise the investigation, and never instructed CoPilot to delay victim notifications,” New York’s attorney general wrote. “General Business Law § 899-aa requires companies to provide notice of a breach as soon as possible, and a company cannot presume delayed notification is warranted just because a law enforcement agency is investigating.”

In January, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a $475,000 fine to Presence Health for similar reasons. OCR said that it was the agency’s first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information and that the settlement amount “balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentive breach reporting altogether.”

That regulatory scrutiny may get more intense with the enforcement of the EU’s General Data Protection Regulation (GDPR) next year. The GDPR requires companies notify the appropriate authorities of a breach within 72 hours of discovery if that company collects, stores, or processes personal data for people residing in the EU. As SearchSecurity noted last month, that could force a change for the better when it comes to prompt breach notification by companies since the monetary penalties associated with violating the GDPR are much harsher than the current regulations.

Preparedness & Cyber Risk Reduction Part Three: Organize & Equip

In Parts One and Two of this blog series, “Introduction to the Preparedness Cycle,” we took a general look at threats, risks and preparedness, as well as a slightly deeper look into planning — both preparedness and operational planning — to minimize the likelihood and impacts of the undesired threats that have the potential to develop into disruptions and other “unwanted outcomes.” Such outcomes could impact organizations’ people, information, operations and/or facilities, and it is our goal to be ready and resilient — ideally preventing the incidents, but, more in some cases, minimizing their impacts and facilitating a quick return to normal operations.

One approach to supporting preparedness — which we defined as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response — is to apply a deliberate process to reduce our risks. That deliberate process is the Preparedness Cycle. As we continue through that Cycle, we now move on to the next step in the process – Organizing and Equipping. I often feel like this step is an unloved child in the preparedness family — frequently glossed over as planning, training, and exercise usually get more attention. In reality, this step is critical and is more present in our day-to-day operations than the rest of the preparedness activities.

FEMA states that, “Organizing and equipping include identifying what competencies and skill sets people delivering a capability should possess and ensuring an organization possesses the correct personnel. Additionally, it includes identifying and acquiring standard and/or surge equipment an organization may need to use when delivering a specific capability.” And for our purposes, we’re focused on cybersecurity, which FEMA describes as the core capability focused on protecting “(and if needed, restore) electronic communications systems, information, and services from damage, unauthorized use, and exploitation.” There is absolutely no way we will succeed in achieving that core capability if we do not have the right people and equipment in place.

So where do we begin? Well let’s start with some reality checks and then let’s move on to ice cream, a far more enjoyable topic!

Reality Check #1: There is no silver bullet and no automated solution that will alone protect your network and information.
Reality Check #2: Intelligence and information — even deep web and dark web intelligence — are useless unless they are understood, analyzed and applied towards decision-making and action – primarily in the form of preparedness and operations.
Reality Check #3: No two organizations are the same. Some are alike — based on size, industry, clients, etc. — but they’re not the same. In most cases, their organization and equipment needs may also be alike, but not the same.
Reality Check #4: Security will require an appropriate blend of technology and human resources.

And an important note, when we speak to “equipment” here, for organizations looking to address their cybersecurity preparedness, it is not just hardware but also the software, technology and services we may apply towards our security operations.

With that – to ice cream! I’m a big fan of ice cream. Seventy-five percent of the reason I workout is probably to indulge in an extra scoop of delicious creamy heaven. I like almost every flavor and am open to nearly every topping – there are a lot of great combos I can enjoy! But for me, for my tastes, it is tough to beat three scoops of chocolate chip cookie dough ice cream coated with a generous portion of shredded Heath Bar and just the right amount of caramel and fudge. Oh, yes, that does it. But that’s me. You may be a chocolate or butter pecan person. Or a marshmallow or peanut butter sauce person. Maybe you like the combined flavor of strawberry ice cream with pineapple sauce on top. The potential combinations are endless and there are probably many that would be to your liking, but probably one or two you really, really like. And, over time, maybe your tastes change. Maybe a little more fudge. Maybe switch out the mint chocolate chip for pistachio … as your needs change, so too must your ice cream sundae!

And so it is with security. There are a lot of great tools and resources out there. Some awesome technology solutions and some great talent. But not all are right for you and your organization and those that work today, may not fit tomorrow as your organization, and the threat environment, change. As you try different things to get to know your likes and dislikes with your perfect sundae, so too must you sample and experiment with the right composition of human and technology resources for your cybersecurity in order to achieve the desired capabilities. And to the aforementioned idea that, organizing and equipping “includes identifying and acquiring standard and/or surge equipment an organization may need to use when delivering a specific capability,” we need to think of potential areas where we may need enhanced support. Perhaps if we suspect we have malware on our network or if we experience a data breach. Wherever we assess risks that we want to be able to operationally address (as opposed to something we’d accept and address via insurance, for example) and do not have the organic in-house capabilities, we need to be able to surge, with internal or external resources, to meet the potential situation.

In addition to our preferences, we also have to respect competing demands and requirements. Whether buying ice cream and groceries or security solutions and hiring talent, we have to respect the constraints of our budgets and choose smartly. I need to both eat and maintain security daily. Sometimes we can buy steak, sometimes we can’t. But we can eat. With security, maybe you can’t get that sophisticated phishing training service you wanted right now, but you can put together an in-house threat awareness program and threat identification and reporting incentive program. Maybe you can’t hire a malware analyst right now, but you can register with the FBI and submit issues into their iGuardian program or join your appropriate information sharing group and leverage their resources and capabilities. In organizing and equipping, as with all preparedness, we should start with basic steps and progress towards a desired endstate. Maybe the goal is a world-class security operations center with validated incident response capabilities. Great! But maybe that starts with some free, basic subscription services, portal registrations and hiring a junior analyst. How fast, and how robust, need to be based on your organization, your risk assessment, your available resources and your goals.

That being said, of course (!) you should consider SurfWatch Labs’ Threat Analyst and Cyber Advisor products and Gate 15’s support for your cyber exercise program … of course, of course, but you already knew that those were as critical to your security sundae as the ice cream itself!

The process of organizing and equipping – like all aspects of threat, risk and preparedness management, is continuous and needs to be regularly reassessed. As you continue into the Preparedness Cycle, as you run drills and more complex exercises to test your team and processes, and as you encounter real events and incidents, there will be numerous opportunities to document successes and opportunities for improvement. These should help you refine your people and processes, and your organization and equipment as well. But, before we get into exercises, we need to give our personnel effective training on the plans, procedures, systems, and equipment we have in place. And that will be the subject of the next installment in this series!

Weekly Cyber Risk Roundup: ‘Staggering’ Amount of Data Exposed and Hacks Lead to Fake News

Organizations are making it easy for cybercriminals by putting vast amounts of sensitive data at risk due to improper security configurations, various researchers recently warned, and this past week saw several new data breaches announced due to the public exposure of sensitive customer, patient, and other internal data.

The first warning came from Appthority, which said it discovered a “staggering amount” of leaked enterprise data from apps due to a vulnerability dubbed “HospitalGown.” The researchers said that almost 43 TB of data was found exposed across 1,000 apps due to the app developers’ failure to properly secure the backend servers with which the apps communicate and where sensitive data is stored. As a result, enterprises are leaving themselves open to data exfiltration, leakage of personal information, and potential ransom attempts, the researchers said.

In addition, John Matherly, the founder of Shodan, said that improperly configured HDFS-based servers are exposing over five petabytes of data. Matherly said he found that the smaller number of HDFS servers leak 200 times more data than MongoDB servers. He discovered 4,487 instances of HDFS-based servers exposing over 5,120 TB of data, whereas the 47,820 MongoDB servers leaked 25 TB of data. These warnings came as several organizations announced data breaches due to publicly exposing sensitive data:

A car dealership database has been publicly exposed for more than 140 days, exposing customer, vehicle, and sales details of more than 10 million car owners, including VIN numbers.
Victory Medical Center said patient information was discoverable via search engines dating back to 2013, and as a result around 2,000 patients had some of their personal information compromised.
A Cosmetic Institute in New South Wales exposed the sensitive personal information, including before-and-after photos, of more than 500 female patients after uploading their data to a publicly accessible index of the clinic’s website.

Other trending cybercrime events from the week include:

IP theft leads to extortion attempts: CD Projekt Red said that internal files such as documents connected to its upcoming game Cyberpunk 2077 were stolen by extortionists and that those files may be released to the general public as the company will not pay the ransom. TheDarkOverlord has leaked eight episodes of ABC’s unaired show “Steve Harvey’s Funderdome” on The Pirate Bay, following through on the group’s promise to release shows stolen from Hollywood-based post-production company Larson Studios late last year.
Variety of malicious actor arrested: A contractor at Pluribus International Corp. has been charged with leaking a top-secret National Security Agency document that describes Russian efforts to compromise the U.S. election. Chinese authorities have arrested 20 Apple employees for allegedly using the company’s internal computer system to gather and sell customers’ names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan ($7.36 million). South Korean police have arrested a group of hackers that breached the hotel and guesthouse reservation app “Good Choice” in March and stole the personal data of more than 990,000 users. Two men were indicted for a $12 million identity theft scheme that involved thousands of victims, including students applying for financial aid. The men acquired personal identifying information of victims by either purchasing it or by obtaining the information through the Data Retrieval Tool on the Free Application for Federal Student Aid (FAFSA) website. A guidance counselor at Tryon Elementary School in North Carolina admitted to using information about some of his elementary school students in a $436,0000 Medicare scam.
Personal data transmitted insecurely: The Mississippi Division of Medicaid is notifying 5,220 individuals that their protected health information may have been exposed due to their information not being securely transmitted when online forms were submitted. HSBC Bermuda said the personal information of customers was compromised when the company sent an email to a small number of retail banking customers that included an attachment containing HSBC Bermuda customer data. The personal information of almost 13,000 employees of Public Services and Procurement Canada was exposed due to a spreadsheet with sensitive data being sent to 180 people in the department via unencrypted email.
Other notable incidents: Al Jazeera said that it faced a large-scale cyber-attack on Thursday against all of its systems, websites, and social media platforms. The University of Alaska is notifying 25,000 students, staff, and faculty members that their names and Social Security numbers were compromised due to a successful phishing attack in December 2016. The Maltese government has seen a significant increase in attacks believed to be carried out by Russian hacking groups in recent months — ever since Malta assumed the important position of presidency of Europe’s Council of Ministers in January. Since then, the Maltese government’s IT systems have seen a rise in phishing attacks, DDoS attempts, and malware on computer systems.

Cyber Risk Trends From the Past Week

Recent incidents have confirmed that malicious actors are using cyber-attacks and data leaks to both blatantly fabricate entire news stories and discreetly drop small pieces of fake information that can potentially have wide-reaching geopolitical implications.

For example, on May 24, a report appeared on the official Qatari news agency’s website describing a variety of statements made by the emir of Qatar, including tensions with U.S. President Donald Trump, a desire for friendship with Iran, and praise for both Hamas militants and the leader’s relationship with Israel.

The statements received widespread attention, but Qatari officials claimed they were false — a claim now backed by the FBI, which believes the fake news operation and subsequent diplomatic crisis was orchestrated by Russian officials. The New York Times described the incident as “the opening skirmish in a pitched battle among ostensible Gulf allies.” The Times also reported that the false comments led to Saudi Arabia and U.A.E. rallying dependent Arab states to cut off diplomatic relations, travel, and trade with Qatar, as well as the fracturing of the American-backed alliance against the Islamic State and Iran.

Other Russian-tied disinformation campaigns have been more subtle. Citizen Lab recently detailed a series of “tainted leaks” tied to documents stolen from journalist David Satter. Satter had his email account compromised in a targeted phishing attack in October 2016, and those emails were then selectively modified and “leaked” on the blog of CyberBerkut, a pro-Russian hacktivist group. The modified documents were designed to both cause the programs they examined to appear more subversive of Russia than they actually were as well as to discredit specific opposition individuals and groups critical of Russian President Putin and his confidants.

Both incidents are yet another example of how much impact a disinformation campaign mixed with a little bit of hacking can have on governments around the world. As the Times warned, “Any country can get in the game for the relatively low price of a few freelance hackers.”

Motivated actors could use similar tactics to impact specific organizations with tainted data leaks. A single fake email — or even a few lines modified in a legitimate email — could easily be slipped into a larger dump and then shared with news outlets. That could lead to a crisis similar to the one facing Qatar, where leaders are forced to defend themselves against statements that were never actually made before those statements spread far and wide.

TheDarkOverlord Targets Entertainment Sector with Leak of Unaired ABC Show

On Monday, the extortion group known as TheDarkOverlord released the first eight episodes of ABC’s soon-to-be-aired television show “Steve Harvey’s Funderdome” on the torrent site The Pirate Bay.

The leak of the ABC show follows a similar failed extortion attempt and subsequent leak of the first ten episodes of Netflix’s upcoming season of “Orange is the New Black” on April 28. At the time of the Netflix leak, TheDarkOverlord claimed to have stolen hundreds of gigabytes of unreleased and non-public media from a studio — including a total of 37 different film and TV titles. That leak was then tied to Larson Studios, an award-winning audio post-production studio in Hollywood.

As a result, Monday’s leak was likely not a surprise to ABC. TheDarkOverlord has been tweeting about the theft since late April and The New York Times reported that the FBI began notifying the affected companies of the theft a month before that.

Who is TheDarkOverlord?

There isn’t much known about TheDarkOverlord as the group is very careful about exposing information that could relate to its members’ identities. This actor is smart and calculated but also has become bolder and more arrogant as evidenced in communication with recent victims — as well as very recently even setting up a help desk like hotline.

2017-06-07_TheDarkOverlordTargets — There have been dozens of targets publicly tied to data theft and extortion by TheDarkOverlord over the past year.

“Time to play another round,” the group wrote in a Pastebin post announcing the leak on Monday. “We’re following through on our threats as we always do. We firmly believe that honesty and determination are the two most important factors of any business.”

The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.

Communication with TheDarkOverlord has shown that there is likely more than one member of the group; however, the language utilized on the group’s accounts suggests that a single member is responsible for the managing the Twitter promotions as it has a common syntax. Generally, healthcare organizations (the group’s primary targets) are under-secured and TheDarkOverlord is taking full advantage.

How TheDarkOverlord Attacks Organizations

TheDarkOverlord favors exploits that allow remote desktop control of a network. The group has also taken data acquired by other actors and exploited the clients found in these breached databases. This shows that TheDarkOverlord is not only proactive with its own targeting, but also opportunistic with regards to the sensitive data of any organization that the group comes across and can and take advantage of — as evidenced by the recent pivot from targeting healthcare organizations to those in the entertainment industry.

2017-06-07_TheDarkOverlordGroups — TheDarkOverlord initially appeared to to focus on targeting healthcare organizations, but the group has since targeted a variety of other industry groups.

In regards to the targeting of entertainment brands, TheDarkOverlord discovered what may have been a softer target in the form of the post-production company Larson Studios, which is part of several major entertainment brands’ supply chain. TheDarkOverlord claims that it was able to exfiltrate numerous unreleased (still under production) media to use as leverage, although the group has only leaked two shows thus far.

As TheDarkOverlord moves from entertainment brand to entertainment brand with its extortion efforts, the actor is learning what impacted brands are willing to pay (if anything), and the group is then releasing the media publicly in order to harm the targeted brand financially for not giving into demands. “Orange is the New Black” was leaked a full six weeks before its June 9 premiere data, and “Steve Harvey’s Funderdome” was leaked six days before its June 11 premiere. Targeted brands are likely following the impact of releasing the unaired shows very closely.

Furthermore, TheDarkOverlord has a unique relationship with the media. By garnering media attention, the group builds its reputation and applies pressure to the organizations it wishes to extort. There have been reports that TheDarkOverlord first contacts its exploited entity and demands a ransom. Once the entity refuses, the actor then lists the heathcare database on TheRealDeal Marketplace or releases entertainment media publicly and alerts the media to its presence.

Past activity has shown a slight shift in tactics as TheDarkOverlord has breached an organization and followed that up by sending the victim, along with particular media figures who request it, a sample of the data. By involving security reporters and bloggers, TheDarkOverlord lends credibility to its work while causing panic in consumers who might be associated with the breach. Consumers’ dissatisfaction will also add pressure to the extorted entities to provide ransom payment to the actor for the stolen data.

Weekly Cyber Risk Roundup: Chipotle and Kmart Announce POS Breaches

Payment card breaches were back in the news this week as both Chipotle and Kmart announced point-of-sale breaches affecting a number of locations.

The Chipotle incident, which was first disclosed on April 25, appears to be the larger of the two breaches. A recent company update on the breach said it now includes most of the company’s 2,250 locations. The restaurants were affected by point-of-sale malware for various periods of time between March 24 and April 18.

The infection was made worse by Chipotle’s decision not to adopt EMV payment technology due to concerns that the upgrades would “slow down customer lines,” according to a recent class-action lawsuit filed over the breach.

The Kmart investigation is currently ongoing, so it’s unclear how many of the company’s 735 locations are affected; however, it may be less impactful than a similar point-of-sale malware infection in 2014 since all of Kmart’s stores were EMV ‘Chip and Pin’ technology enabled during the time of the most recent breach, the company said in its press release.

“We believe certain credit card numbers have been compromised,” Kmart’s parent company Sears Holdings said in a statement. “Nevertheless, in light of our EMV compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”

Other trending cybercrime events from the week include:

Top Secret information exposed to public: Top Secret information related to the U.S. National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD), was exposed to the public via an unsecured Amazon Web Services “S3” bucket that required no credentials to gain access. Security researcher Chris Vickery and other Upguard researchers said the now-secured data set points to NGA contractors Booz Allen Hamilton (BAH) and industry peer Metronome. The data discovered included information that would ordinarily require a Top Secret-level security clearance from the DoD as well as plaintext credentials that granted administrative access to at least one data center’s operating system and what appeared to be Secure Shell (SSH) keys of a BAH engineer.
Healthcare breaches due to unauthorized sites, third-parties: Children’s Mercy said that patient information was compromised due to an unauthorized website operated by a physician that was created as an educational resource but did not have proper security controls in place. Adventist Health Tehachapi Valley said that 714 patients who used its vendor Fast Health to pay bills online to Tehachapi Valley Healthcare District and Adventist Health may have had their payment card details compromised due to unauthorized code on a server that was designed to capture payment card information.
Extortion attacks continue: A hacking group calling themselves “Tsar Team” has published more than 25,000 private photos and other personal data from patients of the Grozio Chirurgija clinic in Lithuania. The hackers broke into the servers of the cosmetic surgery clinic earlier this year and demanded ransoms from the clinic’s clients in more than 60 countries around the world. The blackmail ranged between €50 and €2,000 worth of bitcoin, authorities said, with nude photos, passport scans, and other sensitive data being used to ramp up the ransom demands. A hacking group known as “RavenCrew” has claimed responsibility for the hack of customer data from the ticketing platform Qnect and subsequent SMS messages that were sent to the company’s customers urging them to pressure co-founder Ryan Chen and chief technology officer Ruslan Starikov into paying the ransom. It’s believed the hackers may have exploited a security hole recently noticed by a customer.
Other notable breaches: OneLogin, a company that allows users to manage logins to multiple sites and apps all at once, announced it had experienced a breach that impacts all customers served by the company’s U.S. data center. Old Mutual said the personal information of “a relatively small group” of customers in South Africa was compromised due to unauthorized access to one of its systems. Camberwell High School in Melbourne announced a data breach due to a student gaining unauthorized access to the school management software Compass and accessing the personal information of families. The incident is similar to a breach at Blackburn High School involving the Compass system that occurred two weeks ago. Augusta University said that a phishing attack led to unauthorized access to faculty email accounts and that as a result less than one percent of patients had their personal information exposed.

Cyber Risk Trends From the Past Week

TheShadowBrokers continued to make headlines over its new subscription exploit service this past week. The hacking group said that it will release its first “dump” of planned monthly exploits and/or data to its subscribers in early July – for approximately $24,000.

Those who want to join the dump service must pay 100 ZEC (Zcash) by the end of June. The group said it has not yet decided what will be in its first dump, although it previously teased that such dumps could include:

web browser, router, and handset exploits and tools,
select items from newer Ops Disks, including newer exploits for Windows 10,
compromised network data from more SWIFT providers and central banks,
and compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

The group wrote that the monthly dump service is “for high rollers, hackers, security companies, OEMs, and governments.”

After TheShadowBrokers’ announcement, a crowdfunding campaign was started to help researchers and organizations purchase the upcoming July exploit dump; however, two days later the researchers behind the effort, England-based security researcher Matthew Hickey (aka Hacker Fantastic) and the French security researcher known as x0rz, cancelled the campaign citing legal reasons.

“What we tried with @hackerfantastic was a bet we could somehow get early access to help vendors and open-source software fix the bugs before any public release, that means making the 0days a little less toxic that it could have been if released (from 0day to 1day, still powerful but less efficient),” x0rz wrote. “I guess now we should only spectate what will happen next, like we did before. It’s unfortunate but that’s the way it ought to be.”

x0rz believes that TheShadowBrokers may still publicly release the dump because the group is “not here for the money and are really just seeking media coverage.” However, we’ll all have to wait until next month and see exactly what the group has to offer and – if it follows through on its promise – how damaging its monthly exploit and data dumps can potentially be for organizations.

Preparedness & Cyber Risk Reduction Part Two: Preparedness and Operational Planning

In part one of this blog series, “Introduction to the Preparedness Cycle,” we took a general look at threats, risks, and preparedness. Recognizing that there will be undesired threats that develop into disruptions and other “unwanted outcomes” impacting our organizations’ people, information, operations, and/or facilities, we want to be ready and resilient — ideally preventing the incidents, but more likely trying to minimize their impacts and facilitating a quick return to normal operations. To support that, we can apply a deliberate process of preparedness to address our threats, physical and cyber, and reduce our risks – the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.”

We defined preparedness as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response. This post addresses the first step – planning. There are actually two important aspects to planning – Preparedness Planning and Operational Planning — and ideally, an organization will do both.

Preparedness Planning

There are a number of ways to mitigate risks. In some instances, we assess the risk as low or the cost of mitigation as too much, and we decide not to do anything at all, accepting the risks and moving on. In some cases, we get insurance to help manage the potential consequences of an incident. In some cases, we determine to take preparedness actions to decrease risks. In those cases, preparedness – planning, as well as training and exercises – needs to be thought of like insurance in that you don’t pay insurance once and stop. You pay it month in and month out, use it or not. Same thing with preparedness. It needs to be scheduled and recurring. Plan for it, do it regularly, keep doing it. With our insurance bill, we plan for it, allocating time and resources to make sure we pay it. Again, with preparedness, we need to plan our activities and set aside the time and resources to conduct them.

Ideally, organizations will have a preparedness champion who can help develop and maintain a multi-year training and exercise program. This program – informed by a prioritized assessment of risks — should detail a training schedule and progressively challenging exercises over a few years’ period. Its not set in stone and needs to be flexible enough to be updated as threats evolve and risks are regularly reassessed. However, the near events should be locked in, with events further away scheduled, but tentative, pending confirmation or refinement. Developing a multi-year preparedness program helps protect time and allows leaders to plan for and commit funding to support the activities. Even if the details of an event change, the time and resources will be there.

In cyber preparedness, we may, for example, assess that our greatest risk is a significant data breach. And let’s say Johnny has been assigned as our Preparedness Champion. Johnny, taking his task seriously, investigates and finds that there is no plan for responding to a data breach. As such, he determines this is a priority. He talks to his leadership team and they determine that their goal is to have a validated process for responding to a data breach in 18 months. Wait, what — 18 months?!? Well, as with insurance, most of us don’t make one payment annually, we break it out over a manageable schedule and period of time. To be realistic, preparedness has to be approached similarly. Now, priority efforts may be addressed more aggressively, and some things taken much slower, but that is a decision that leaders need to weigh in on – informed by a sound understanding of the threat environment and based on a prioritized assessment of risks. For example, after the recent WannaCry outbreak, some leaders may be reassessing their patching processes and wanting to fast track and exercise new processes and procedures. Returning to our champion, Johnny develops a series of activities to plan, train staff, and exercise the data breach response plan, through a series of scheduled, progressive activities going from developing a plan, to conducting staff training, to a series of increasingly challenging exercises – a tabletop exercise, a drill, and a full-scale response – all completed within the specified 18-month period. Johnny documents his plan, gets leadership approval and resources, and executes, leading his team to the desired state of readiness by the required suspense. Good job, Johnny!

Operational Planning

This is the actual development of plans and procedures. There are different levels of planning and though they may sometimes be given different names, the four basic types of planning are: strategic, operational, tactical, and, contingency. Some may have additional steps, use different names, or stack them in a different order. For purposes of simplicity, we’re not going to address strategic planning, and for this discussion we’ll roll the rest up under operational planning – which in this context I mean as the development of plans and procedures. This is when the organization develops the plans and procedures that they will use to train their personnel and from which they will actually base their response actions. The National Incident Management System notes that, “All emergency management/response personnel and their affiliated organizations should develop procedures and protocols that translate into specific, action-oriented checklists for use during incident response operations.”

To develop his plans, procedures, and checklists, Johnny didn’t know where to start. So, he did the smart thing and looked for viable templates that he could work off, such as those provided by the Federal Trade Commission or the European Union Agency for Network and Information Security. He refined these plans to fit his organization, their people and capabilities. Along the way, Johnny also conducted several interviews to inform his draft plan. And, while we’re not at the part of this series addressing exercises yet, Johnny was. He even conducted a tabletop exercise to validate his draft plan! We’ll come back to that in part five of this series. When he was done, Johnny was able to provide his coworkers with a well thought out, validated data breach response plan and corresponding actionable checklists.

An important note, there are too many variables for any organization to address every possible threat or variation of an incident. In both physical and cybersecurity, and for pandemics and other threats — it is great to have detailed plans and protocols. However, no organization can get to a 100% solution for every situation. Having plans is important but so is building in flexibility and innovation. After hearing from some of the more experienced team members, Johnny developed a basic incident response plan, accepting that he and his co-workers would have to be able to adjust to the reality of events “on the ground.” Your plan is almost never going to be based on the exact situation you find yourself in. Plan well, be deliberate, but also be prepared for a little bit of backyard football, being able to make game time decisions when needed. Matt Stafford’s coaches don’t tell him to throw that sidearm ball, but sometimes, he has to adjust to get the ball in his receiver’s hands. Know the right form, but be ready to toss the sidearm when you have to.

In the next installment of this series, we’ll take a look at the next step in the Preparedness Cycle – organizing and equipping.

Monitoring Your Digital Risk Footprint: Q&A with a Former CISO

The digital footprints of many organizations are expanding, and with that expansion comes more avenues of attack for cybercriminals to exploit. The past few years have seen organizations having to manage more devices, more social media channels, and more customer service features — in addition to the increased interconnection and sharing of data with partners, vendors, and various as-a-service tools.

That expanding level of presence is increasing the cyber risk facing organizations, said SurfWatch Labs chief security strategist Adam Meyer. Data breaches and service interruptions now often originate outside of an organization’s walls; nevertheless, it’s the connected organizations that tend to pay the biggest price.

“At the end of the day, if a third-party is supporting a major customer-centric business process, and they have a breach and your customers need to be notified — nine times out of ten it’s not that provider’s brand that’s going to get hammered,” Meyer said on the latest Cyber Chat Podcast. “It’s going to be your brand that has to deliver the bad news.”

That’s why organizations need to ensure that proper due diligence is in place around their whole digital risk footprint, Meyer said. In today’s environment that means having intelligence around events that may occur one or several steps down the digital supply chain — as well having a plan of action in place to respond to those threats as they arise.

On the Cyber Chat Podcast, Meyer discusses a variety of topics related to digital risk management, including:

How the digital footprints of organizations have changed over the past couple years.
Why IoT devices often bypass proper security management and what actions organizations should take in regards to those devices.
The problem of growing supply chains and how one breach can quickly spread to impact dozens of connected organizations.
How organizations should respond to the shifting landscape so that they can better manage their cyber risk.

Listen to the full Cyber Chat podcast below:

Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Stolen W-2 information was back in the news this week due to reports of another W-2 breach as well as new data from IRS officials on the threat. The latest breach involves TALX, an Equifax subsidiary that provides online payroll, HR and tax services. KrebsOnSecurity reported that an undisclosed number of customers were affected when malicious actors were able to gain access to employee accounts containing sensitive data.

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote an attorney in one breach notification letter. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

The extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, but that at least five organizations have received letters from Equifax about a series of incidents over the past year, Krebs reported. Those included defense contractor giant Northrop Grumman, staffing firm Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville. In addition to those companies, an IRS official said that 870 organizations reported receiving a W-2 phishing email over the first four months of 2017, and about 200 of those companies lost data as a result. That was a significant rise from 2016’s numbers, which included about 100 reports and 50 confirmed breaches. The official said that the increase was driven by progress made against identity theft, which has pushed cybercriminals to need more personal data to able to impersonate taxpayers. As a result, there has been a shift towards targeting those in the payroll industry.

Other trending cybercrime events from the week include:

Men plead guilty to trade secret theft: A Chinese national has pleaded guilty to economic espionage and theft of a trade secret in relation to the theft of proprietary source code from his former employer, an unnamed U.S. company. As a developer, the man had access to a clustered file system developed and marketed by his employer as well as its underlying source code, the DOJ wrote. The man attempted to use the stolen source code to start a large-data storage technology company, according to communication he had with undercover officers. An engineer at a defense contractor has pleaded guilty to selling sensitive satellite information stolen from his employer to a person he believed to be an agent of a Russian intelligence service. In a series of meetings between February and July of 2016, the man sought and received thousands of dollars in cash payments for the trade secrets.
New data breaches announced: Williamson County Schools in Tennessee said that approximately 33,000 current and former WCS students had their usernames, encrypted passwords, and email addresses compromised due to a breach at third-party vendor Edmodo, a free classroom tool that allows students and teachers to share files and assignments. A data breach at the Florida Department of Agriculture and Consumer Services has exposed the names of 16,190 concealed weapon licensees as well as the Social Security numbers of 469 individuals. Approximately 3,000 individuals had their information compromised due to unauthorized access to a city computer in Stillwater, Oklahoma. UW Health said that 2,036 patients had their personal information compromised due to an unauthorized individual gaining access to an employee’s email account. The Canada Revenue Agency has fired an employee for improperly accessing the accounts of 1,302 taxpayers. A breach at Blackburn High School led to the theft of personal information of families, and that information was then used to send phishing emails to parents asking them to provide their payment card details.
Russia targeted Pentagon employees’ Twitter accounts: Russia sent more than 10,000 phishing messages to Defense Department officials with the goal of getting the officials to click a malicious link and, ultimately, gain control of their devices and Twitter accounts. The efforts took place after the 2016 presidential election and were disclosed in in a March report to U.S. counterintelligence officials investigating Russian interference efforts. The compromised accounts could have been used to spread false information, as has been done in the past by Russian hacking groups.
Hacking groups arrested: Twenty members of the Russian hacking group behind the Android Trojan “Cron” have been arrested. The group managed to infect over one million mobile devices and stole approximately $800,000 from Russian banks. Twenty-seven individuals tied to a series of ATM “Black Box” attacks across Europe have been arrested. A “Black Box” attack is a method of ATM jackpotting where criminals gain access to the ATM Top Box usually by drilling holes or melting in order to physically connect an unauthorized device that sends commands directly to the ATM cash dispenser in order to “cash-out” the ATM. Sixteen individuals have been arrested related to the theft of a copy of Baahubali 2 and subsequent ransom attempt from the movie’s producers, Arka Mediaworks Entertainment Ltd.

Cyber Risk Trends From the Past Week

It is now less than one year until the EU General Data Protection Regulation (GDPR) goes into effect, yet some organizations are either unaware of the upcoming privacy changes or believe they will have issues meeting next year’s deadline, according to recent research.

The GDPR was approved by the EU parliament in April 2016, and the new regulation will be fully enforceable on May 25, 2018. Among the most talked about changes from the upcoming regulation is the increase in potential fines for data breaches. Breached organizations can be fined as much as 4% of their annual global turnover or €20 million, whichever is greater, when it comes to serious violations. Lesser violations are subject to half the maximum penalty — up to €10 million or 2% of turnover. As the NCC Group noted, those new numbers mean that last year’s ICO fines could have been 79 times higher: £69m rather than £880,500 in total.

“TalkTalk’s 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to £59m under GDPR,” The Register noted last month. “Fines given to small and medium-sized enterprises could have been catastrophic. For example, Pharmacy2U’s fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.”

It is important to note that the new regulations generally apply to any organization that offer of goods or services to individuals in the EU, so the GDPR has global implications. However, a recent study of 500 organizations in the UK, Germany, France, and the U.S. found that 75% of organizations indicated they will struggle to be ready for next year’s deadline. According to the Varonis survey, the top three challenges facing organizations around GDPR include:

Article 17 (“Right to be forgotten”), where they must discover and target specific data and automate removal when requested by the consumer
Article 30 (Records of processing activities), including identifying personal information on their systems, understanding who has access to it and who is accessing it, and knowing when this data can and should be deleted
Article 32 (Security of processing), which means ensuring least privilege access, implementing accountability via data owners, and providing reports that policies and processes

For organizations looking to learn more about preparing for GDPR, ICO has a 12-step guide available.

Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained as the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.

As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company as well as Swiss robotics and automation firm Rockwell Automation and ABB also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.

Other trending cybercrime events from the week include:

Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the school’s IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

Cyber Risk Trends From the Past Week

As WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers have previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry. “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers rambling blog post, these monthly dumps could include:

web browser, router, and handset exploits and tools
select items from newer Ops Disks, including newer exploits for Windows 10
compromised network data from more SWIFT providers and central banks
compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.