SurfWatch Labs, Inc.

As WannaCry Spreads, Law Firm Reveals Separate Ransomware Cost Them $700,000

Businesses across the world are still recovering from last Friday’s outbreak of the WannaCry ransomware. On Monday, White House homeland security adviser Tom Bossert said that the ransomware had hit more than 300,000 computers, and security researchers have since detected several new versions of the malware — at least one of which doesn’t have the widely reported “kill switch” built in that has been used to slow the malware’s spread.

Much has been written about the effects of the ransomware on patients at NHS facilities, on downtime at factories, and on disrupted services at numerous other organizations. Various groups have estimated that the potential costs from the WannaCry outbreak may total between several hundred million and $4 billion.

The attention on WannaCry is deserved; however, there is a much smaller piece of ransomware news that emerged last month that highlights the devastating impact ransomware can have on a single organization. In a complaint filed in April against its insurer, the law firm Moses Afonso Ryan Ltd. (MAR) claims that a ransomware infection took more than three months to resolve, costing the firm more than $700,000 in lost billings.

“During the three months that the documents and information of MAR was held captive by the perpetrators of the ransomware attack, the attorneys of the firm were unproductive and unable to work at a reasonable efficiency,” the firm wrote in its complaint. “Year to year billing comparisons reveal a reduction of over $700,000 of billings for the three months of interruption.”

Dispute Over Insurance Policy Coverage

MAR is suing its insurer, Sentinel Insurance Company, claiming that the policy it purchased “is designed to protect MAR against precisely the type of loss it has now incurred as a result of the ransomware attack and interruption of its business.”

Sentinel countered that it did, in fact, pay $20,000 in damages, but it denied the additional claim for the alleged lost “business income” as it exceeded what Sentinel believes are the limits of the policy.

Like the other insurance-related lawsuits — such as the Fourth Circuit ruling against Travelers Insurance in August 2016 — the dispute appears to revolve around the language of the policy and what specifically the policy covers when it comes to cybercrime.

“Sentinel admits that it has not paid for all of the losses MAR has claimed resulted from the ransomware attack it suffered, as certain of the losses claimed are not covered by the policy,” Sentinel argued in court documents. “The only coverage under the policy for loss or damage caused by a computer virus is under the Computers and Media Endorsement [section], which changes the policy to provide additional coverage [up to $20,000] for certain computer-related losses.”

Three Months to Resolve the Ransomware?

The lawsuit is yet another reminder that organizations need to ensure they know what their insurance policies cover in regards to cyber-attacks, but that is not the only cyber risk management lesson worth noting from the lawsuit. The court documents also revealed that it took several months for MAR to recover from the single ransomware incident — far more than the average of 42 hours that Ponemon found most ransomware victims spend.

The process to recover encrypted documents and recreate lost ones took more than three months, MAR said.

The long recovery time was due to a variety of reasons, which the law firm outlined in its complaint:

In May 2016, a ransomware infection led to all of the documents and information stored on the MAR computer network being disabled and the computer network losing all functionality. MAR then hired security experts to fix the problem, but those experts were unable to gain access to the files.
In June 2016, the firm made contact with the attacker and negotiated a 13 bitcoin ransom. It took several days to purchase the bitcoins and pay the extortionist because the firm said they were unaware that new account holders could only purchase 2 bitcoins per day.
In July 2016, the firm had to re-establish communication with the attacker after discovering the decryption keys and tools it purchased did not work. A second bitcoin ransom was then negotiated and paid.
In August 2016, MAR had to recreate documents after discovering that it could not recover documents saved on a temporary server during the three months of business interruption.

All of this resulted due to a combination of events: an attorney at MAR clicking on an email attachment from an unknown source, a lack of proper backups and incident response plan to address a well-known security issue, and a malicious actor that took advantage of the situation by demanding multiple ransom payments.

MAR is just one example of a business that was unprepared for a ransomware attack, and numerous other organizations are likely experiencing similar issues this week. As Elliptic noted, WannaCry has generated over $80,000 in ransom payments since Friday.

However, organizations that decided to pay the WannaCry ransom were lucky that it only required a $300 or $600 payment depending on how quickly they acted. In addition, multiple researchers have reported that organizations were able to successfully restore their files after payment, even as law enforcement agencies have advised there are no guarantees when dealing with cybercriminals.

This is not the case for many ransomware victims. Some recent ransomware campaigns have been observed charging a full two bitcoin in ransom (around $3,700) for any infections, and some organizations have received targeted ransom demands totaling tens of thousands of dollars — and, in cases like MAR, the decryption keys purchased at those inflated prices may not even work.

Hopefully, WannaCry will help push organizations towards better understanding, preparation, and incident response around ransomware since the problem is not going away any time soon.

Weekly Cyber Risk Roundup: WannaCrypt Spreads and Trump Signs Executive Order

The week’s top cybercrime event was the spread of WannaCrypt ransomware, which managed to infect tens of thousands of computers on Friday. The attack affected NHS hospitals and facilities in England and Scotland, Telefonica and Gas Natural in Spain, FedEx in the U.S., and numerous other organizations — largely across Asia and Europe.

By Saturday researchers reported more than 126,000 detections of the ransomware across 104 countries. The number of infections may have been worse, but the security researcher MalwareTech managed to halt the spread of the malware by purchasing a domain name, which essentially triggered a “kill switch.” MalwareTech explained why the ransomware had this design:

“I believe [the attackers] were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan … however, because WannaCrypt used a single hardcoded domain, my [registration] of it caused all infections globally to believe they were inside a sandbox and exit.”

WannaCrypt leverages an allegedly NSA-derived exploit called “EternalBlue” that was made public by TheShadowBrokers last month. Microsoft has patched the flaw (MS17-010), but Friday’s events made it clear that many organizations have yet to apply that patch. Microsoft also announced that it is taking “the highly unusual step” of providing a security update for Windows XP, Windows 8, and Windows Server 2003 to help protect its customers from the threat. Organizations should patch immediately. As MalwareTech noted on Sunday, the last version of WannaCrypt was stoppable, but the next version will likely remove that flaw.

Other trending cybercrime events from the week include:

Third-party providers lead to breaches: Hackers managed to gain access to the stem files of Lady Gaga last December by sending spear phishing messages to executives at September Management, a music management business, and Cherrytree Music Company, a management and record company. Debenhams Flowers said that 26,000 website customers had their data compromised due to malware stealing their payment details from Ecomnova, a third-party e-commerce company. The email addresses and usernames of individuals who used the dating website Guardian Soulmates were exposed by a third-party service provider, resulting in members of the site receiving explicit spam emails.
Malicious actors sell and leak stolen data: A dark web vendor using the handle “nclay” claims to have 77 million records stolen from social learning platform Edmodo and is attempting to sell them on the dark web for just over $1000. The data allegedly includes usernames, email addresses, and passwords that are hashed with bcrypt and salted. Malicious actors leaked 9GB of internal documents from the campaign staff of France’s President-elect Emmanuel Macron in the days prior to the country’s election. A group known as “TuftsLeaks” published financial information belonging to Tufts University, including department budgets, the salaries of thousands of staff and faculty, and the ID numbers of student employees.
Healthcare organizations expose data: Patients of Bronx-Lebanon Hospital Center had their sensitive health and personal information exposed to the internet due to a misconfigured rsync backup managed by IHealth Innovations. The records and files from a number of departments were publicly accessible and viewable, including cardiology, surgery, pulmonology, psychiatry, and neurosurgery. A flaw in the website of True Health Diagnostics allowed users to view the medical records of other patients by modifying a single digit in the PDF link to their own records. Diamond Institute for Infertility and Menopause in New Jersey said that 14,633 patients had their data exposed due to an unknown individual gaining access to the third-party server in February 2017.
Other notable cybercrime news: An internet-connected backup drive used by New York University’s Institute for Mathematics and Advanced Supercomputing contained hundreds of pages of documents detailing an advanced code-breaking machine that had never before been described in public. The project was a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. A California court has found a former private security officer guilty of hacking into the servers of Security Specialists, his former employer, to steal data on customers; delete information such as archived emails, server files, and databases; deface the company website; steal proprietary software; and set up a rival business that used the stolen software. The incident occurred after the employee was fired in 2014 for logging into the payroll database with administrative credentials in order to pad his hours. Confluence Charter Schools is warning parents and staff that a hack of network servers has impacted email, phones, SISFIN, its financial system, and its student information system Infinite Campus and that the “breach has caused some files to be unrecoverable.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

On Thursday, President Donald Trump issued an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. The order includes a variety of mostly reporting requirements designed to protect federal networks, update outdated systems, and direct agency heads to work together “so that we view our federal I.T. as one enterprise network,” said Trump’s homeland security advisor Tom Bossert.

The order also requires the heads of federal agencies to use The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) to assess and manage their agency’s cyber risk. Each agency must submit a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days that outlines their plan to implement the framework. The director of OMB and other supporting officials will then have 60 days to review the reports and pass along information to the president regarding a plan to align budgetary needs, policies, guidelines, and standards with the NIST framework. The Obama administration had previously encouraged the private sector to adopt the NIST framework, but government agencies were never required to follow it — until now.

“It is something that we have asked the private sector to implement, and not forced upon ourselves,” Bossert said at the daily White House press briefing on Thursday. “From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.”

The order also includes reporting regarding critical infrastructure, which builds upon the order issued by Obama in 2013, and reporting on “strategic options for deterring adversaries and better protecting the American people from cyber threats.”

As many media outlets have reported, the executive order has received a mostly positive response from the cybersecurity community; however, it is largely a continuation of the cybersecurity policy under previous administrations and has received some criticism for being more focused on reporting than actions.

Preparedness & Cyber Risk Reduction Part One: Introduction to the Preparedness Cycle

Bad things happen. Whether we’re dealing with our personal or professional business, life seems to always have a variety of bumps and obstacles that pop up in our path. We should anticipate that these disruptions will arise and prepare ourselves to move through them as successfully and efficiently as possible while minimizing the impacts the disruptions cause. In dealing with the wide spectrum of threats that can cause operational disruptions to our organizations – regardless of whether they are health or natural catastrophes, terrorists or cybercrime – a key part of successfully overcoming the impacts of incidents is taking the time to properly prepare. Preparedness can be defined as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response.

In today’s cyber threat environment, it seems many organizations are struggling to determine how to mitigate the array of cyber threats and associated risks they are facing. In a fast paced, frequently changing environment, one could be overwhelmed trying to determine how to prepare for and respond to the attacks and incidents that could arise. But alas! There is hope! While the Preparedness Cycle is often thought of in relation to “traditional” threats – hurricanes, explosives and earthquakes, for example – it is just as valid an approach to take in confronting cyber threats and works just as well to reduce the associated risks and impacts of such events.

But let’s back up. Threats, risks – what are we talking about? Malware, ransomware, cyberattacks, phishing, whaling (did you say whaling?), espionage, insider threats, denial of service, social media… what am I going to do with all these threats?! Or are they risks?

Let’s start with lexicon. Terms matter. So, let’s start with some basic definitions. I like references because then I can blame someone else for the typos… in 2010, the Department of Homeland Security’s Risk Steering Committee developed the “DHS Risk Lexicon” providing sound definitions for a number of key terms. Let’s look at the two most fundamental: Threats and Risks.

Threat is defined as a “natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.”
Risk is defined as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.”

As we try to understand our cyber threat environment, we have to gain an appreciation for the many occurrences, individuals, and entities that have the potential to cause harm. This can be developed in a number of ways and the means by which we gain a sound understanding of the threat environment and how to conduct a risk assessment could be entire blog series’ of their own. For today, we’ll just assume you’re maintaining threat awareness via great resources like SurfWatch Labs’ and Gate 15’s blogs and Twitter feeds … and that you’ve then assessed those threats in relation to your organizational interests and that you’ve developed a prioritized assessment of your risks.

No organization is able to specifically address every threat and risk, nor to address them all as thoroughly as we’d like. By prioritizing our risks, and recognizing that you only have limited time and resources to work with, you can then find ways to “get the most bang for the buck” in determining how to approach preparedness activities. Some risks, you will choose to simply accept. Some will get addressed via insurance. Others will be addressed by using the Preparedness Cycle and a deliberate process of planning, training, organizing and equipping, exercising and evaluating and improving. In the next few installments of this blog series, we’ll take a look at each one of these parts of the Cycle and ways you can progressively reduce your cyber risk via proper preparedness.

Weekly Cyber Risk Roundup: TheDarkOverlord Returns and Multiple Attacks Circumvent 2FA

TheDarkOverlord was back in the news this week due to leaking data from multiple companies after failed extortion attempts. The most prominent leak involved Netflix, which had the first 10 episodes of the fifth season of its show Orange is the New Black leaked after it refused to cave to the actor’s ransom demands. The group also claims to have unreleased shows from ABC, Fox, National Geographic, and IFC. Media outlets reported that the shows appear to have been stolen from post-production studio Larson Studios in late 2016.

It’s unclear exactly how much TheDarkOverlord demanded from Netflix to not release the episodes, but the actor once again framed its response to the failed extortion attempt by trying to appeal to future victims, essentially arguing that paying up will cost them a lot less money than having their data released.

“It didn’t have to be this way, Netflix,” the actor wrote in a post on April 29. “We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. … And to the [other networks]: there’s still time to save yourselves. Our offer(s) are still on the table — for now.”

TheDarkOverlord has not yet released episodes allegedly stolen from other networks. However, three healthcare providers had data dumped by the actor on May 4. Aesthetic Dentistry in New York City and OC Gastrocare in California were both hacked last year by TheDarkOverlord, databreaches.net reported, and their dumps from last week contained 3,496 patient records and 34,100 patient records, respectively. The third dump was the biggest, containing more than 142,000 patient records allegedly stolen from Tampa Bay Surgery Center.

That large dump appears to be tied to a previously undisclosed breach, and TheDarkOverlord tweeted that the “clinic didn’t do anything wrong except annoy us.” That annoyance likely stemmed from the fact that the center did not cave to the group’s ransom demands, just like numerous other organizations targeted over the past year.

Other trending cybercrime events from the week include:

Payment card breaches continue: Sabre announced that it is investigating a data breach after discovering “unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.” More than 32,000 properties use Sabre’s SynXis reservations system, which is described as an inventory management Software-as-a-Service application. Sabre told customers that the unauthorized access has been “shut off” and that there are not any additional details to share at this time.
Numerous ransomware infections reported: An April 22 ransomware infection at electronic health records vendor Greenway Health disrupted services to 400 client organizations using the vendor’s Intergy cloud-hosted platform, and half of those customers were still waiting to have a full EHR services restored on Monday, May 1. Pekin Community High School’s computer systems were infected with ransomware, and the actor demanded $37,000 in order to restore the encrypted files. Ransomware infected the computer systems of Cambrian College in Ontario and demanded a $54,000 payment. The school’s web portals, grade report, and student learning management systems were disrupted, and final grades and spring semester registration had to be postponed for several days. The law firm Moses Afonso Ryan Ltd was infected with ransomware last year that demanded a $25,000 ransom payment, and after paying a negotiated ransom payment the firm then had to renegotiate an additional payment when the first key purchased to decrypt the documents did not work.
Large amounts of data exposed: Around 135 million Aadhaar ID numbers and around 100 million bank account numbers have been leaked from four Indian government portals, according to a report released by The Centre for Internet and Society. The four government portals examined in the report include: National Social Assistance Programme, National Rural Employment Guarantee Act, Daily Online Payment Reports under NREGA, and Chandranna Bima Scheme. Data belonging to Alliance Direct Lending Corporation was found publicly available online and as a result at least 550,000 customers have had their personal information exposed. According to MacKeeper, the leaked data contained 124 files (with five to ten thousands records each) that contained financing records broken down by dealerships as well as 20 audio recordings of customers agreeing to auto loans or refinancing of auto loans.
Other notable cybercrime news: Retina-X Studios announced that in February 2017 a malicious actor was able to break into a server that held database tables for its Net Orbit, PhoneSheriff, and TeenShield products, and the actor then wiped “any data that he was able to force access to.” According to the company, the actor was able to find a vulnerability in a decompiled and decrypted version of a now-discontinued product in order to achieve the unauthorized access. Grey Eagle Resort & Casino in Calgary has had an additional 1.7 GB of data dumped, and the hackers behind the dump indicated that the data would be uploaded to torrent sites “soon” and that more data dumps would follow in the coming weeks. The casino initially had data released by hackers in January, and the new dump appears to include more data that was stolen prior to the first leak.

Cyber Risk Trends From the Past Week

Several recent cybercrime events have proven that although two-factor authentication is an effective way to prevent fraudulent transactions, malicious actors are focusing their efforts on ways to defeat that increasingly popular layer of security.

German newspaper Süddeutsche Zeitung reported that customers of O2-Telefonica had funds removed from their bank accounts due to malicious actors exploiting a flaw in Signalling System No. 7 (SS7) — which is used by telecom companies around the world use to ensure their networks interoperate — in order to intercept the text message authentication codes sent to customers and then use those codes to successfully steal funds from customers’ bank accounts. The attack was carried out from the network of an unnamed “foreign provider,” and one expert told the German paper that insider access could be bought for as little as €1000 in order to carry out similar attacks.

The flaw in SS7 has been known since 2014, and in 2015 60 Minutes aired a segment in which researchers demonstrated how U.S. Representative Ted Lieu’s phone messages and conversations could be intercepted. Lieu said the recent theft is yet another example of the insecurity of text-based, two factor authentication:

“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”

In addition, the UK’s National Fraud & Cyber Crime Reporting Centre is warning that malicious actors are continuing to use “SIM splitting” attacks to take control of victims’ phone numbers, authenticate transactions, and steal money from bank accounts. Like the SS7-based attacks, malicious actors first gain access to the victim’s bank accounts via phishing, malware, or cybercriminal markets — but in this case the actors then successfully report their phone lost or stolen in order to active the SIM card on a new phone and intercept communications. The fraudsters then transfer money from the victim’s account to a parallel business account they opened, and when the bank calls or texts to verify the transactions, they are in control of the victim’s phone number and can confirm the fraudulent transactions. In both cases, malicious actors have proven that they can successfully circumvent two-factor authentication with a little extra legwork.

Greater Interconnectivity Means a Greater Level of Presence and in Turn More Risk

Technology advances continue to push boundaries — remember when a phone was just a phone?! More “smart” devices, more interconnectivity between businesses and customers, businesses and suppliers, businesses and partners … all of this speeds transactions and the way business is conducted. Information is shared, items are purchased — all with the click of a button these days.

Inherent in all this productivity goodness is that your digital presence is expanding across many channels that are outside the traditional company boundaries. With this expanding presence comes greater risk. It’s become much harder to have visibility of the level of risk your organization faces across the many digital channels. You of course have physical risks that have been around in the past, but now can be tied into cyber activity. You have cybercriminals (and potentially other types of adversaries) looking to exploit weaknesses for financial or competitive gains. Social media. Your supply chain. Insider risks (whether malicious or negligent). On and on …

The more connections you have, the more presence you have, the more opportunity that exists for malicious actors. This isn’t to say close your business off from the world. That’s obviously not realistic and not a good way to do business. But there two essential things you can do to minimize this issue:

Get an understanding of your level of presence and the level of risk associated to different areas. Having this intel sets the stage for how to stay on top of your risk and proactively address it.
Identify people, processes and technology to help continuously monitor and manage these risks — so they don’t become larger issues for your business.

Some questions to pose to your organization as a starting point:

Who in the organization has accountability for digital risk? Corporate security? Info security? Risk management? Legal? Compliance? Executive suite and/or board level? Brand officer?
What about “smart” building devices? Who owns these?
What about “smart” devices brought in by your employees? How are these managed? And by whom?
How does digital risk play into the organization’s overall risk management process?
What processes are in place to limit the risk?
What processes are in place to address a threat?

This list isn’t exhaustive, but you get the idea of how you need to think about this issue.

We recently announced a strategic partnership with PlanetRisk to deliver comprehensive cybersecurity and enterprise risk analytics and visualization for Fortune 1000 and government customers. Together we’re hosting a live webinar discussion on How to Mitigate Risk from Your Expanding Digital Presence.

I look forward to seeing you on the webinar. For more information and to sign up for the webinar, visit: http://info.surfwatchlabs.com/Webcast/How-to-Mitigate-Risk-from-Your-Expanding-Digital-Presence/05102017

Talking Strategic, Operational and Tactical Threat Intelligence

Cyber threat intelligence has become increasingly popular over the past few years. With that rise comes a variety of questions around the different types of intelligence that is available and how that intelligence can be best implemented by organizations looking to mitigate their cyber risk.

According to SurfWatch Labs chief security strategist Adam Meyer, there are three main types of threat intelligence — tactical, operational, and strategic — however, a focus has recently emerged on strategic threat intelligence.

“Strategic is where a lot of the business alignment can happen,” Meyer said this week on the Cyber Chat podcast. “You’re translating the capabilities out there, intentions out there, of adversaries — how they’re targeting things — and comparing it against you as an organization.”

That type of intelligence has proven to be a good starting point to answering a key question that organizational leaders may have: “Are we well-positioned for cyber risk or are we not? And if not, why not?”

On the Cyber Chat podcast, Meyer discusses a variety of topics related to cyber threat intelligence, including:

the difference between tactical, operational, and strategic threat intelligence,
how that intelligence can help manage an organization’s cyber risk,
what organizations should look for when evaluating threat intelligence,
and how threat intelligence will likely evolve in the coming years.

“The intent is to deliver finished and evaluated intelligence and put it on the desk of the decision maker. That helps them make better decisions,” Meyer said. “If you’re not doing that, you’re not technically in my book doing intelligence.”

Listen to the full Cyber Chat podcast below:

Weekly Cyber Risk Roundup: Ashley Madison Blackmail Returns, Facebook and Google Victims of Fraud

An old data breach came back to life this week as Ashley Madison users who had their data compromised back in July 2015 are once again being blackmailed — this time by an extortion group threatening to launch a public website and contact people in victims’ social media networks. The website will allegedly be launched on Monday, at which point it will be clear if the threat is just a ploy to extort victims who are low-hanging fruit or if the group will actually carry out their attempt at public shaming.

“On May 1 2017 we are launching our new site — Cheaters Gallery – exposing those who cheat and destroy families,” a group using a Ukrainian top level domain recently wrote in an email to some Ashley Madison users. “We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites. This will include you if do not pay to opting out.”

Robin Harris wrote on ZDNet that the email he received quoted his personal Ashley Madison profile and that the blackmail price for “opting out” of the Cheaters Gallery website was around $500. Of course, paying that blackmail won’t accomplish much unless the victims are willing to keep paying ransoms in an endless game of extortion whack-a-mole. The breached Ashley Madison data has been circulating for 20 months now — ever since the account details of around 32 million users were published on the dark web — and numerous other actors have attempted to extort the victims in the past via extortion emails and letters sent to victims and their spouses. The repeated blackmail campaigns indicate that either victims are paying up and the campaigns are profitable or that the actors behind them at least believed they would be worth the investment.

Seeing another round of Ashley Madison blackmail threats nearly two years after the breach is a reminder that once data is exposed, it remains exposed forever. As SurfWatch Labs noted in a report last year, the pool of compromised data never empties; it only grows. That means that malicious actors can use, reuse, build upon, and find new ways to monetize that expanding pool of data now and in the future.

Other trending cybercrime events from the week include:

More payment card breaches: Chain restaurant Chipotle said that it is investigating a possible point-of-sale breach after detecting “unauthorized activity on the network that supports payment processing for purchases made in our restaurants.” The investigation is focusing transactions that occurred at locations from March 24, 2017 through April 18, 2017. Trading card dealer Blowout Cards announced a data breach due to “an exploit in the form of a modified payment .php file” that allowed the intruders to skim payment card information as customers checked out via its website. As a result, those who used credit and debit cards to check out via the site’s shopping cart between January 2017 and April 20, 2017, had their information compromised.
Espionage groups behind South Korea, Israel attacks: Iran’s OilRig hacking group is behind a series of targeted attacks against 250 individuals in government agencies, high-tech companies, medical organizations, and educational institutions such as the renowned Ben-Gurion University. The attacks took place between April 19 and 24 and employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. Two cyber-espionage groups linked to China have been observed launching a variety of attacks against South Korea’s government, military, defense companies, and a big conglomerate involved in deploying Terminal High-Altitude Area Defense, or Thaad, a U.S. missile-defense system designed to protect South Korea from a North Korean missile threat.
FIN7 campaign uses social engineering: The FIN7 group (also known as Carbanak) is targeting large restaurant chains, hospitality, and financial service organizations with spear phishing messages centered around complaints, catering orders, or resumes. The group has also been observed calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process, as it has done in previous campaigns.
Phishing leads to fraud, data breaches: Fraudsters were able to convince more than 500 University of California students to hand over their health information, and that information was used to steal almost $12 million from the university by writing fake medical prescriptions in the students’ names. The Iowa Veterans Home is notifying 2,969 people that their medical and financial information may have been compromised after three IVH employees fell for phishing emails that compromised their email account credentials.
Other notable cybercrime events: A vulnerability in a popular third-party library used by HipChat.com led to a data breach. The email addresses and unique IMEI numbers from Ciphr phone users have been dumped online, and Ciphr claims that the leak was carried out by a rival secure phone company. A hacker claims to have compromised the forums of R2 games. Concordia University said that approximately 9,000 students may have been affected by unauthorized access to its online course systems. The information of 8,000 Home Depot customers who had lodged complaints with its MyInstall program was found exposed online. Ransomware infected some City of Newark computers. WikiLeaks has published the user guide for the “Weeping Angel” tool allegedly developed by the CIA.

Cyber Risk Trends From the Past Week

Facebook and Google confirmed this week that they were the victims of the $100 million phishing scheme announced by the Department of Justice of last month.

The scheme was carried out by Evaldas Rimasauskas, a Lithuanian man who allegedly impersonated the large Taiwan-based manufacturer Quanta Computer in order to dupe the companies into making a series of fraudulent payments. According to the indictment, Rimasauskas, registered and incorporated a company in Latvia with the same name as Quanta Computer and then forged email addresses, invoices, and corporate stamps in order to convince the accounting departments at the two tech companies to make transfers worth tens of millions of dollars over a two year span, stealing $100 million in total.

Facebook and Google both told Fortune that they have since recovered the bulk of the funds.

Acting U.S. Attorney Joon H. Kim said in a DOJ press release that “this case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”

That same concern was echoed in a report from the Association for Financial Professionals published in early April. According to the report, 74 percent of finance professionals reported that their organizations were victims of business email compromise (BEC) scams in 2016, a 10-percentage point increase from the previous year.

Likewise, in December 2016 the FBI warned of a dramatic increase in BEC scams, which attempt to assume the identity of a person of authority within the company or — in the case of the Facebook and Google thefts — a trusted vendor before asking to initiate a fraudulent wire transfer.

Behind the Scenes of a $170 Million Payment Card Fraud Operation

On Friday, 32-year-old Russian hacker Roman Seleznev was sentenced to 27 years in prison for running a cybercriminal operation that stole millions of payment cards, resulting in at least $169 million in damages to small business and financial institutions. It’s the longest sentence ever issued in the U.S. for cybercrime, and the court documents and testimony that led to the sentence revealed the inner workings of a decade-long operation that helped to grow and evolve payment card fraud into what it is today.

Earlier this month, in documents urging the judge to issue a lengthy sentence, the prosecution said Seleznev may have harmed more victims and caused more financial losses than any other defendant that ever appeared before the court:

“Seleznev is the highest profile long-term cybercriminal ever convicted by an American jury. His criminal conduct spanned over a decade and he became one of the most revered point-of-sale hackers in the criminal underworld. … Unlike smaller players in the carding community, Seleznev was a pioneer in the industry. He was not simply a market participant – he was a market maker whose automated vending sites and tutorials helped grow the market for stolen card data.”

In total, the government was able to identify 2,950,468 unique credit card numbers that Seleznev stole, possessed, or sold related to more than 500 U.S. business, subsequently affecting 3,700 financial institutions around the world. And — as the government pointed out — that is just the known losses.

Driving Small Businesses to Bankruptcy

Photo of money taken from Seleznev’s iPhone, which was confiscated upon his arrest in July 2014. In addition, the laptop in his possession at that time contained more than 1.7 million stolen credit card numbers.

As we wrote when Seleznev was convicted on 38 of the 40 counts he faced last year, many of the organizations he targeted were small businesses, and the testimony of seven of those businesses were heard in the court case.

Seattle’s Broadway Grill has perhaps been the most publicized of the point-of-sale breaches. Owner CJ Saretto testified that bad publicity from the breach instantly reduced the restaurant’s revenue by 40 percent and eventually forced him to “walk away from the business, shutter the doors, [and file] personal bankruptcy.” Other owners testified that the effect on business was “horrendous,” that the breach forced them into heavy debt, and that business “has never been the same” since the incident.

It’s no coincidence those that testified in the case against Seleznev were small business owners. Seleznev tended to target small businesses in the restaurant and hospitality industry, particularly if they had poor password security around their point-of-sale devices.

Seleznev “developed and used automated techniques, such as port scanning, to identify retail point of sale computer systems … that were connected to the Internet, that were dedicated to or involved with credit card processing, and that would be vulnerable to criminal hacks,” the indictment stated.

“He quickly learned that many of these businesses’ point of sale systems were remotely maintained by vendors with poor password security,” the government said in its sentencing memorandum. “Because most of his victims were small businesses, they were unlikely to have in-house IT or security personnel. As a result, these companies made extremely attractive targets for someone with Seleznev’s skills as a hacker.”

Track2, Bulba, 2Pac, and POS Dumps

However, Seleznev went far beyond merely stealing payment card information, he also helped to develop and operate websites to market the stolen data and promote more individuals to get into payment card fraud. Seleznev was 18 years old when he began participating in the Russian underground “carding” community under the alias “nCuX,” and seven years later, in 2009 when the U.S. Secret Service tried and failed to coordinate his arrest, he had become a major provider of stolen credit card data, according to court documents.

Just three months after being tipped off to the potential arrest by contacts inside the FSB and retiring his “nCuX” alias, Seleznev was back in the game under the name “Track2.” He soon unveiled two new automated vending websites, “Track2” and “Bulba,” which allowed buyers to to automatically search and purchase his stolen credit card data by using filters such as a particular financial institution or card brand.

2017-04-26_SeleznevBulba — Screenshot of Bulba, an automated vending website used by Seleznev to buy and sell stolen payment card information.

Those features have become commonplace now, but as the prosecution noted, it was “a major innovation” at the time and the “Track2 and Bulba websites achieved instant success.”

“[The sites] made it possible for criminals to efficiently search for and purchase stolen credit card data through a process as easy as buying a book on Amazon,” the prosecution wrote. “Automated vending sites increased the efficiency [of] credit card data trafficking, and remain the gold standard for credit card trafficking to this day.”

2017-04-26_AlphaBayCarding — The popular dark web marketplace AlphaBay adopted a similar automated shop for stolen payment card information in May 2015, but it includes more search options and a more user-friendly interface than Seleznev’s 2009 Bulba site.

In April 2011, Seleznev was injured in a terrorist bombing in Marrakesh, Morocco, and hospitalized for several months. His co-conspirators ran the Track2 and Bulba websites in his absence until they closed up shop in January 2012 citing no new dumps to sell.

Once again, Seleznev choose to return to cybercrime by innovating his operations. Switching monikers to “2Pac,” he launched a new automated vending site that would not only sell his stolen data but would offer stolen cards from “the best sellers in one place.” Seleznev would take a portion of the proceeds for each sale, and he used this model to resell credit data stolen in popular breaches such as Target, Michaels, and Nieman Marcus on the 2Pac site.

2017-04-26_SeleznevATMDump — Someone chatting with Seleznev trying to get payment card data stolen via ATM skimmers listed on the 2Pac site.

In addition, Seleznev needed a continuous stream of dumps and customers to fuel his 2Pac site, so he began teaching others the basics of payment card fraud via a sister site, called “POS Dumps.”

2017-04-26_Seleznev2PacTutorial — The POS Dumps site linked to the 2Pac site and walked wannabe fraudsters through the steps necessary to become a criminal.

The POS Dumps website contained four categories to teach amateurs how to successfully commit payment card fraud:

Choosing and buying equipment
Choosing and buying dumps
How to generate Track1 and why it is needed
Writing the dumps onto cards

The website even had links to eBay to purchase the necessary equipment (an MSR206 manual swipe magnetic card reader/writer) and custom malware to help write the stolen payment card data onto other cards.

2017-04-26_SeleznevTheJERM — POS Dumps provided a “comprehensive” program to interface with the MSR206 magnetic reader/writer to help wannabe cybercriminals commit fraud.

The prosecution wrote that the POS Dumps website “trained thousands of new criminals in the basics of how to use the data to commit fraud.” Similar types of tutorials related to fraud and cybercrime remain among the most commonly listed items on dark web markets today, according to SurfWatch Labs’ data.

A Record 27-Year Prison Sentence

2017-04-26_SeleznevGuidelines — The prosecution argued that the U.S. sentencing guidelines stated that “unauthorized charges … shall not be less than $500 per access device.” Therefore, Seleznev’s 2.9 million stolen credit cards equated to more than $1.4 billion in losses.

Court documents from the defense called the long prison sentence “draconian.” However, Seleznev clearly knew his actions could have serious consequences. He monitored the U.S. court’s PACER system for any criminal indictments against him, and when agents arrested him in the Maldives as he attempted to board a plane in 2014, he immediately asked if the U.S. had an extradition treaty. The U.S. did not have a formal treaty with the Maldives, but an agreement was obtained in the days prior to take custody of Seleznev.

The prosecution described Seleznev’s sentencing guideline calculation as “literally off the charts.” A score of 43 recommends a life sentence, and Seleznev scored 16 points above that — a 59.

The judge agreed with the prosecution and sentenced Seleznev to 27 years in prison last Friday.

“The notion that the Internet is a Wild West where anything goes is a thing of the past,” said U.S. Attorney Annette L. Hayes. “As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind. Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands.”

Weekly Cyber Risk Roundup: Payment Card Data at Risk Due to POS Breaches and Ecommerce Vulnerabilities

Point-of-sale breaches were once again among the week’s top trending cybercrime targets, as InterContinental Hotels Group (IHG) announced that its previously disclosed POS breach had expanded from the dozen properties reported in February to at least 1,175 properties. Affected hotels include popular brands such as Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, Crowne Plaza, and more.

According to the company’s press release, the investigation discovered “malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.” The release doesn’t directly state the number of properties affected, instead it directs viewers to a cumbersome breach lookup tool that divides the nearly 1,200-strong list of affected properties into countries, states, and even hundreds of individual cities.

The release also states that hotels that upgraded their technology were not affected by the breach: “Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.”

That’s a sliver of good news; however, nearly 1,200 hotels were impacted and that list may grow in the future as “a small percentage of IHG-branded franchise properties did not participate in the investigation.” The lookup tool will be updated as new properties are added. Unfortunately, for heavy travelers that means returning to the clumsy tool periodically and checking every city they stayed in over the affected period for new breach updates.

Other trending cybercrime events from the week include:

More breaches due to poor practices and faulty updates: The accidental posting of a file containing the embedded personal information of 5,600 individuals to Rhode Island’s Transparency Portal and General Assembly website is the third recent data breach tied to UHIP, a new system for state benefits. The cybersecurity company Tanium is apologizing for exposing information related to El Camino Hospital in California in hundreds of presentations for potential customers from early 2012 through mid-2015 as well as several now-deleted YouTube videos. As many as 2,000 individuals in the UK may have had their personal information visible to other customers on the RingGo parking app due to a faulty software update.
Former employees continue to cause damage: A former employee of engineering firm Allen & Hoshall admitted to accessing the company’s servers repeatedly over a two-year period as well as accessing the email account of a former colleague hundreds of times in order to download and view data from his former employer. A man was arrested for attempting to steal proprietary computer code for a trading platform developed by his employer, an unnamed financial services firm with an office in New York. The online retailer Black Swallow has agreed to pay $60,000 to Showpo to settle a dispute alleging that a former Showpo graphic designer downloaded the company’s entire customer database and gave it to her new employer.
Old data breaches come to light: Allrecipes is warning its users that their email addresses and passwords may have been compromised when logging into their accounts prior to June 2013, nearly four years ago. There is not a lot information on what happened, as the notification email said that the company “cannot determine with certainty who did this or how this occurred.” While announcing a series of automated attacks against its InCircle, Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, and Horchow websites, Neiman Marcus also noted that a similar automated attack in December 2015 provided access to full payment card details — not just the last four digits as initially reported.
Physical theft of sensitive data at hotel: Police seized bags of documents containing the personal information of guests staying at the Seasons Hotel at Sydney’s Darling Harbour, and one woman has been charged in relation to the theft, according to police. The information was likely stolen around March 21 and included dozens of guest registration forms, which feature photocopies of passports, driver’s licences, and other forms of personal identification.
Other notable cybercrime events: Over 2.4 million email addresses and MD5-hashed passwords were stolen from Fashion Fantasy Game, an online game and social network for fashion lovers, in 2016, and the game’s website appears to contain several existing vulnerabilities that could leak data. Cleveland Metropolitan School District is warning some employees, students, guardians, and affiliates that their information may have been compromised when multiple employees fell for a phishing email that compromised their email account credentials. Security and privacy concerns have been raised after London’s Metropolitan Police apparently gave the addresses of 30,000 gun owners to a marketing agency to help promote the sale of a “firearms protection pack.”

Cyber Risk Trends From the Past Week

In addition to the wide-reaching POS breach that IHG announced this week, online retailers may also be at risk of potential payment card breaches due to an unpatched zero-day vulnerability in the Magento ecommerce platform.

Security researchers at DefenseCode said they discovered the high-risk vulnerability during a security audit of Magento Community edition. The researchers said the vulnerability “could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information.”

DefenseCode did not examine the Magento Enterprise version, but a researcher told Threatpost that both versions share the same underlying vulnerable code. The researcher also said that they have made repeated attempts to notify Magento of the issue since November 2016, but it has yet to be patched. In an email to customers, Magento said it plans on addressing the vulnerability soon:

This vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature:

1. Logon to Merchant Site Admin URL (e.g., your domain.com/admin)

2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs

3. Select YES from the dropdown options

4. Click on Save Config

Magento is used by approximately 200,000 online retailers, so the vulnerability is a cause for concern, particularly since it is now public and likely will not be patched for at least several weeks. In addition, an attack could be carried out by targeting any Magento admin panel user.

“Full administrative access is not required to exploit this vulnerability as any Magento administrative panel user regardless of assigned roles and permissions can access the remote image retrieval functionality [at the root of the vulnerability],” the advisory noted. “Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database.”

Do You Know Your Adversary?

Threat intelligence means a lot of different things to different people. Oftentimes organizations think of tactical information that helps defenders in their on-the-network battles with the bad guys. But, as Forrester Research recently noted in their report Achieve Early Success In Threat Intelligence With The Right Collection Strategy:

“Don’t fall into the trap of subscribing to tactical indicator feeds that you can just pump into your security information management and forget about.”

Tactical intel has it’s role and importance, but starting there can lead you down a rathole. To start off, you need to understand the big picture and then from there you need to understand your adversary, specifically:

Who is the actor, what is their motivation and intent, capability, and opportunity?
What is the threat campaign they are deploying? What is it targeting? How is it being carried out?
What are the associated events and supporting evidence that can be used to provide a level of confidence around the seriousness and impact of this threat to your business?
How can you reduce the adversary’s opportunity? What are the processes and/or tools to minimize this exposure?

On Wednesday, April 26 at 1pm ET, please join us for a threat intelligence discussion and see a live demonstration of SurfWatch Threat Analyst, which recently received 5 out of 5 stars from SC Magazine. Adam Meyer, our Chief Security Strategist and head of the SurfWatch analyst team (and formerly a CISO with the 2nd largest transportation system in the US) will lead this discussion and demonstration.