Slew of Source Code and Malware Leaks Increases Risk for Organizations

Earlier this month, an undergraduate student in Korea apologized for creating and making public the joke ransomware “Resenware.” The malware didn’t ask for money to decrypt files; instead, it required victims to score more than 200 million points on the “lunatic” level of the shooting game Touhou Seirensen ~ Undefined Fantastic Object.

The student told Kotaku that he released the joke malware on Github before falling asleep and by the time he woke up it had spread and “become a huge accident.” The source code was quickly removed from Github and a tool was released allowing infected users to decrypt their files without having to play the game. The creator then apologized for making a “kind of highly-fatal malware.”

That’s all well and good, but as Will Rogers once said, “Letting the cat out of the bag is a whole lot easier than putting it back in.”

A warning from Resenware shared by Malware Hunter Team.

The story highlights how quickly publicly available source code can be spread, copied, and potentially repackaged by malicious actors. That isn’t as likely to happen with Resenware due to the lack of a financial component, though it could be utilized by actors looking to cause harm rather than turn a profit. Nevertheless, profit-driven actors have numerous other recent source code leaks they can pull from.

For example, in December 2016, the source code for a commercial Android banking Trojan, along with instructions on how to use it, was released on a cybercriminal forum. Malicious actors quickly used that code to create the BankBot Trojan, which Dr. Web researchers noted can steal login credentials and payment card details by loading phishing forms and dialogs on top of legitimate applications, as well as intercept and delete text messages sent to the infected device. Since then, BankBot has made several appearances in the Google Play store, confirming Dr. Web’s January conclusion that the leak “may lead to a significant increase in the number of attacks involving Android banking Trojans.” In fact, just last week two malicious applications utilizing BankBot, HappyTimes Videos and Funny Videos 2017, were removed from the Google Play store after receiving thousands of installs.

The BankBot Trojan is just one example of the continuing evolution of malware as the stockpile of effective cybercriminal tools continues to accumulate. The leak of these tools, whether made as a joke by amateurs or for malicious purposes by professional cybercriminals, means that more polished malware is now at the fingertips of malicious actors than ever before.

Even if an inexperienced actor is unable to take and modify public malware source code, they can simply turn to professionally run as-a-service malware options that are likely doing so.

Last week MalwareBytes released a report with an interesting chart on ransomware trends. It shows that the Cerber ransomware-as-a-service (RaaS) has come to dominate the ransomware market with a nearly 90% share as its main competitor, Locky, has declined.

Cerber is dominating the ransomware market as Locky fell off sharply, according to MalwareBytes’ honeypots.

“Cerber [has spread] largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting, and a slew of new features, but by also making it very easy for non-technical criminals to get their hands on a customized version of the ransomware,” the report authors noted.

Those types of criminal operations can greatly benefit from the large amount of exploits and malware source code that has made its way into the public domain this year.

For example, since March 2017 we’ve seen:

  • The release of the source code for the NukeBot banking Trojan, a modular Trojan that comes with a web-based admin panel to control infected endpoints.
  • New allegedly NSA-developed exploits leaked by TheShadowBrokers, including last week’s release of a series of now-patched Windows exploits and a critical vulnerability that can hijack Solaris systems that was released a week prior (and patched today by Oracle).
  • More leaks of alleged CIA exploits and tools, some of which claim the CIA benefited by repackaging components of the Carberp malware source code, which was leaked in 2013, into CIA hacking tools.
  • A report last week claimed that the Callisto APT Group used tools leaked from the surveillance company HackingTeam, which was breached in 2015, in a series of targeted attacks last year.

Whether it’s nation-state actors, cybercriminal groups, or amateur hackers, they can all benefit from the leak of these tools over the past month. If past leaks are any indication, malicious actors will incorporate any effective tools and techniques from the recent leaks into their already-existing cyber arsenals.

As the collective knowledge grows on the cybercriminal side, it’s crucial that organizations harness their own threat intelligence in order to have their finger on the pulse of malicious actors. With that information they can more effectively counter the slew of new vulnerabilities, exploits, and as-a-service tools being used to infiltrate their networks and damage their organization.

Weekly Cyber Risk Roundup: Payment Card Breaches, Malicious Insiders, and Regulatory Action

Gamestop was the week’s top trending cybercrime target as the company is investigating reports that customer payment card information may have been stolen from gamestop.com. In addition to Gamestop, payment card information was also stolen from the restaurant chain Shoney’s and a series of car washes have issued breach notification letters tied to a compromise at an unnamed third-party point-of-sale (POS) provider.


Two sources told Brian Krebs last week that an alert from a credit card processor indicated gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017. The sources said that card numbers, expiration dates, names, addresses, and verification codes were stolen due to the breach. Gamestop also operates thousands of retail locations, but there is no indication that those have been affected.

However, dozens of Shoney’s locations were impacted by a recent POS breach. A week after Krebs reported the Gamestop breach, confidential alerts from credit card associations stated that similar payment card data was stolen from the restaurant chain. Best American Hospitality Corp., which manages some of Shoney’s corporate affiliated restaurants, later issued a press release saying that remotely installed POS malware led to breaches at 37 Shoney’s locations between December 27, 2016, and March 6, 2017.

In addition, Acme Car Wash, Auto Pride Car Wash, Clearwater Express Car Wash, Waterworks Car Wash, and Wildwater Express Carwash were all notified of a POS malware infection by their unnamed third-party POS provider. The notification occurred on March 27, and customers who used a payment card at those businesses during various periods in February may have had their data compromised.


Other trending cybercrime events from the week include:

  • New data breaches announced: A backup database containing information on 918,000 people and belonging to telemarketing company HealthNow Networks was exposed on the Internet, compromising a variety of individuals’ personal and health information. The payday loan company Wonga is investigating a data breach that may have affected up to 245,000 customers in the UK and 25,000 customers in Poland. As many as 115 families had their private information compromised when the Victorian Education Department mistakenly published documents to its website for 24 hours. At least 83 University of Louisville employees had their W-2 forms accessed when an intruder gained access to W-2 Express, a product of Equifax used by the school to provide employees with access to tax documents.
  • More SWIFT attacks made public: The Union Bank of India faced an attack leveraging the SWIFT system that attempted to perform $170 million in fraudulent transactions last July, but the bank was able to block the transfer of funds, the Wall Street Journal reported. The bank’s SWIFT access codes were stolen by malware after an employee opened a malicious email attachment, and the codes were used to send fraudulent instructions in an attack similar to the one that successfully stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve in February 2016.
  • Ransomware continues to impact patient care: A ransomware infection at Erie County Medical Center blocked access to electronic patient records and forced the center to reschedule some elective surgeries, sources told news outlets; however, the hospital has yet to confirm that the shutdown of its computers was due to ransomware. IT workers have been re-imaging about 6,000 desktop computers that had to be wiped clean as a result of the infection. Ashland Women’s Health reported a data breach affecting 19,727 patients after ransomware encrypted data on the practice’s electronic health record system, including its patient scheduling application. The practice was able to restore the encrypted data using a backup, and patient care was impacted for a couple of days due to the incident.
  • Amazon seller accounts being hacked: Hackers are using previously compromised credentials to hijack the accounts of third-party sellers on Amazon Marketplace, change the bank account information, and then post nonexistent merchandise at cheap prices to defraud customers. The buyers are eligible for refunds from the sellers, which may come as a surprise to the account owners as the hackers are targeting dormant accounts. A company spokesperson told NBC News that it is working to make sure sellers do not have to handle the financial burden of the hacks.
  • Other notable cybercrime events: Five inmates at the Marion Correctional Institution used computers built from spare parts and hidden in a ceiling in a closet to perform a variety of malicious activities while incarcerated. A team of Indonesian hackers gained access to the online ticketing site Tiket.com and stole approximately Rp 4.1 billion ($308,000 USD) worth of airline tickets from carrier Citilink. Dallas officials are blaming a hacker for setting off all 156 of the city’s warning sirens more than a dozen times.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

A variety of stories from the past week once again highlighted threats that originate not from external hackers, but from organizations’ employees and poor risk management practices.

To start, Allegro Microsystems has accused a former employee of causing $100,000 worth of damages by logging into the company’s network multiple times after resigning in order to implant malware. According to court documents, the man allegedly returned a computer meant for personal use rather than his work computer when resigning, and he used that work computer along with system administrator credentials to insert malicious code into Allegro’s finance module. The employee “designed the malicious code to copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless,” the documents stated.

Another case involved a DuPont employee who admitted to stealing data from DuPont in the months before he retired in order to bolster a consulting business he planned to run. The man allegedly copied 20,000 files to his personal computer, including formulas, data, and customer information related to developments in flexographic printing plate technology. He also took pictures of restricted areas of DuPont’s plant.

On the regulatory side, the FDA sent a letter to St. Jude Medical demanding the company take action to correct a series of violations related to risks posed by the company’s implantable medical devices — an issue that received quite a bit of attention last summer after a report published by Muddy Waters and MedSec shed light on the alleged vulnerabilities. St. Jude must respond to the FDA within 15 days with “specific steps [it has] taken to correct the noted violations, as well as an explanation of how [it] plans to prevent these violations, or similar violations, from occurring again” — or else St. Jude may face further regulatory action, including potential fines.

That is what happened to Metro Community Provider Network (MCPN), which agreed last week to pay $400,000 following a January 2012 phishing incident that exposed the electronic protected health information (ePHI) of 3,200 individuals. An investigation conducted by the Office for Civil Rights revealed that “prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.” As a result, MCPN will pay the penalty and implement a corrective action plan to better safeguard ePHI in the future.

New Cryptocurrencies Gain Traction, Spark Concern For Law Enforcement

Last month a new ransomware emerged known as “Kirk Ransomware.” The malware was interesting not just because of the Star Trek-themed imagery of James Kirk and Spock that it used, but also because it may be the first ransomware to demand payment via the cryptocurrency Monero.

Victims of the Kirk Ransomware are walked through how to make their ransom payments using Monero.

There are literally hundreds of different types of existing cryptocurrencies like Monero that cybercriminals can choose from, but bitcoin is the most well known and has been the most widely used, by far, when it comes to ransomware. Bitcoin’s status as the reigning cryptocurrency king has been driven, in part, by the growth of cybercriminal markets and ransomware actors that greatly benefit by having a semi-anonymous payment option available. However, bitcoin is facing both growing pains and an expanding group of credible challengers that claim to have better answers to some of the current issues facing cryptocurrencies.

Cryptocurrencies are, for better or worse, intertwined with cybercrime, and dark web markets and malicious actors adopting new forms of payment such as Monero and Ethereum are helping push those currencies to new heights. With that growth comes new opportunities for cybercriminals as well as new concerns for law enforcement.

As we noted in a recent blog on AlphaBay’s plans to adopt Ethereum next month, the cryptocurrency has seen a dramatic increase in price on the heels of AlphaBay’s announcement and partnerships with legitimate financial institutions. Likewise, Monero was worth around $2.50 the day before AlphaBay announced plans to adopt the currency, and less than eight months later it has jumped to more than $26.

In December 2016 an AlphaBay support representative told Bitcoin Magazine that Monero accounted for about two percent of its sales, so bitcoin remains king. However, one can assume that the actors behind AlphaBay have plenty to gain financially by riding the wave created by the largest dark web marketplace adopting new cryptocurrencies — besides simply appeasing their customers.

Monero — which advertises itself as a “secure, private, untraceable currency” — is perhaps the most praised among cybercriminals. Bitcoin was not designed to be anonymous, and every transaction is publicly visible on the distributed ledger known as the blockchain. That’s why malicious actors use third-party tools such as bitcoin tumblers to help hide the origins of bitcoins. It’s also why law enforcement officials and security researchers have been able to “follow” bitcoins to bust those buying and selling illicit goods and services.

Monero, on the other hand, allows users to send and receive funds without transactions being publicly visible on the blockchain, which is one of the reasons some malicious actors prefer it.

“Bitcoin is much more vulnerable to chain analysis,” advised one AlphaBay member in September 2016, when the dark web market adopted Monero. “I can’t stress strongly enough how much more secure it is for darknet transactions.”

Monero is safer for both the buyer and seller, wrote one AlphaBay user.

Although cryptocurrencies such as Monero have not been as heavily scrutinized by law enforcement as the more popular bitcoin, their adoption among malicious actors is a concern — even if Monero is not perfect.

“There are obviously going to be issues if some of the more difficult to work with cryptocurrencies become popular,” Joseph Battaglia, a special agent working at the FBI’s Cyber Division in New York City, said at an event in January. “Monero is one that comes to mind, where it’s not very obvious what the transaction path is or what the actual value of the transaction is except to the end users.”

As a case in point, the dark web marketplace known as Oasis, which beat AlphaBay by two weeks to become the first market to accept Monero, suddenly went offline in late September 2016 in what may have been an exit scam. Various users quickly reported that at least 150 bitcoin was lost in the potential scam, but guessing how much Monero currency was stolen proved to be much more difficult.

“If we can’t find out, that’s a good thing,” wrote one redditor.

However, the FBI likely has a different view.

Weekly Cyber Risk Roundup: Scottrade Exposes Data and ATMs Get Blown Up, Drilled and Infected

The CIA remained as the top trending cybercrime of the week as WikiLeaks released a fourth set of documents related to the agency. The new dump includes 27 documents from the CIA’s Grasshopper framework, which WikiLeaks described as “a platform used to build customized malware payloads for Microsoft Windows operating systems.” The leaked CIA tools will likely continue to dominate much of the cybercrime discussion in the coming weeks as WikiLeaks appears to have a slow-drip campaign designed around maximizing the leak’s publicity.


The top trending new cybercrime target of the week was Scottrade, which was one of several organizations to experience a data breach due to insecure, publicly exposed data. The Scottrade incident was caused by “human error” at third-party vendor Genpact, which uploaded a data set to one of its cloud servers without the proper security protocols in place. As a result, “the commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses” was exposed, Scottrade said in a statement.

Security researcher Chris Vickery, who discovered the exposed database, said it contained 48,000 lessee credit profile rows and 11,000 guarantor rows, and that each row contained various types of personal information, including Social Security numbers. The database also contained internal information such as plain text passwords and employee credentials used for API access to third-party credit report websites.

Those who read this roundup each week know that breaches due to insecure databases are common, and in addition to Scottrade, Vickery also discovered “a trove of data from a range of North Carolina government offices, including Dept of Administration, Dept of Health and Human Services, Division of Medical Assistance, Dept of Cultural Resources, Dept of Public Safety, Office of State Controller, Office of State Budget and Management, NC IT Department.”


Other trending cybercrime events from the week include:

  • IRS announces another data breach: The IRS is notifying 100,000 people that their tax information may have been compromised due to a data retrieval tool used when filling out the Free Application for Federal Student Aid (FAFSA). Officials first learned of the potential issue in September 2016, but the service was not disabled until suspicious activity was observed in February. Malicious actors could pretend to be students, start the financial aid application with relatively little stolen information, and give permission for the IRS to populate the form with tax data that could then be used for fraudulent returns.
  • Highly sensitive patient data sold on the dark web: A breach at Behavioral Health Center appears to have compromised thousands of patients’ sensitive data, including evaluations, session notes, and records of sex offenders and sex abuse victims. An actor on the dark web claims between 3000 and 3500 unique individuals are in the data, which has since been sold to another actor. “These are not just basic fullz, these are the COMPLETE clinician notes from EVERY session with a patient, sometimes spanning hundreds of sessions over years,” read a listing on the dark web. “Everything confessed/discussed in complete privacy is in here for thousands of patients. All records are from 2007 to current date.”
  • Healthcare organizations targeted: An amateur actor appears to be targeting healthcare organizations with spear phishing messages designed to infect victims with a variant of the Philadelphia ransomware, an unsophisticated ransomware kit that sells for a few hundred dollars. Researchers believe spear phishing messages containing a shortened URL that led to a malicious DOCX file on a personal storage site were used to infect a hospital from Oregon and Southwest Washington. ABCD Pediatrics said that its servers were infected with “Dharma Ransomware” and while investigating the incident the company also discovered suspicious user accounts that suggested a separate incident of unauthorized access.
  • APT10 hacking group makes headlines: The APT10 hacking group has gained access to the systems of an “unprecedented web” of victims by first targeting managed outsourced IT service companies with spear phishing messages and custom malware and then using those companies as a stepping stone into their clients’ systems. The group also inserted malicious links into certain pages of the National Foreign Trade Council’s website in order to target individuals registering for specific meetings.
  • Other notable cybercrime events: The International Association of Athletics Federations said information related to athletes’ therapeutic use exemption applications was compromised due to unauthorized access to its network by “Fancy Bear.” The Dutch National Charity Lotteries said that around 450,000 customers were impacted by a vulnerability in the computer systems of Lotteries’ supplier OpenOfferete. Cybercriminals stole $40,000 of direct deposit money meant for Denver Public Schools after numerous employees fell for a phishing email. A hack of digital content network Omnia affected a variety of popular YouTube channels. The New York Post app was hacked and used to send to out a series of false push notifications. Arrests were made in Dubai related to breaking into the emails of five senior White House officials and attempting to blackmail the officials with what a local law enforcement official described as “highly confidential information.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week


While business email compromise scams and other digital fraud continue to impact numerous organizations, several stories this week proved that criminals are still attempting to steal physical cash from ATMs around the world.

The flashiest story involved a gang based out of England that used explosives and stolen high-powered vehicles to rip ATMs from walls. The gang would then put the stolen ATMs inside a large truck and drive away, in at least one instance right by the very police looking for them. Police announced that several recent raids had led to the arrest of the gang. Less flashy attempted ATM thefts from hotels in Edmonton led police to advise businesses last month that owners should bolt ATMs to the floor and place them in well-lit, high-traffic areas that are monitored by surveillance cameras.

A new, more discreet method of stealing money from ATMs involves emptying the cash stored in certain models by drilling a three-inch hole in its front panel and using a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. Kaspersky Lab researchers first became aware of the attack in September 2016 when a bank client discovered an empty ATM with a golf-ball sized hole by the PIN pad. Since then, similar attacks using the drill technique have been observed across Russia and Europe. The researchers did not name the ATM manufacturer, but they said the issue is difficult to fix since it would require replacing hardware in the ATMs to add more authentication measures.

Kaspersky Lab also released findings on another series of ATM attacks first hinted at back in February, when a series of attacks that used in-memory malware to infect banking networks were reported. Code from the penetration-testing software Meterpreter was combined with a number of legitimate PowerShell scripts and other utilities to create malware that could hide in memory and invisibly collect the passwords of system administrators. That access was then used to remotely install a new breed of ATM malware called ATMitch, Kaspersky Lab researchers said in a report issued last week.

The ATMitch malware communicates with the ATM as if it is legitimate software and makes it possible for attackers to collect information about the number of banknotes in the ATM’s cassettes as well as dispense money at the touch of a button. The attackers may still be active, the researchers noted, but it is unknown how many ATMs have been targeted by the malware since the malware self-deletes after the attack. What is clear is that ATMs remain a popular target for criminals, and businesses should be aware of the evolving methods — both crude and sophisticated — being used to steal the cash inside them.

AlphaBay to Begin Accepting Ethereum as the Bitcoin Alternative Grows More Popular

Beginning next month, malicious actors using the dark web marketplace AlphaBay will be able to buy and sell their goods using the growing cryptocurrency platform Ethereum. Ethereum will become the third payment option available on the market, joining the longstanding cryptocurrency king bitcoin as well as the privacy-focused Monero, which was adopted by AlphaBay last September.

The announcement is good news for fans of Ethereum, whose Ether cryptocurrency has seen a continued surge of growth in 2017 and is the second most popular cryptocurrency after bitcoin.

AlphaBay will begin accepting Ethereum deposits and withdrawals on May 1, an administrator announced on the site’s forum in March.

Bitcoin is by far the most well-known cryptocurrency, and it has been widely adopted by malicious actors and dark web markets as a convenient and semi-anonymous form of digital payment. In fact, cryptocurrencies like bitcoin, dark web markets like AlphaBay, and extortion payments like ransomware are interconnected in that the growth of one has helped spur the growth of the others.

However, bitcoin is currently experiencing growing pains, and Ethereum has emerged over the past year as its main rival. Ethereum’s proponents claim that it is a more versatile and scalable cryptocurrency. In fact, the idea of Ethereum goes beyond just currency, which is why it and other blockchain companies have been described as bitcoin 2.0. If bitcoin was about creating a decentralized payment system, Ethereum is about using that same concept to radically re-architect everything on the web — as Ethereum creator Vitalik Buterin describes it.

Fortune magazine explained in a September 2016 profile:

Ethereum’s power lies in its ability to automate complex relationships encoded in so-called smart contracts. The contracts function like software programs that encapsulate business logic — rules about money transfers, equity stake transfers, and other types of binding obligations — based on predetermined conditions. Ethereum also has a built-in programming language, called Solidity, which lets anyone build apps easily on top of it.

There’s ongoing debate over just how secure other cryptocurrencies are compared to bitcoin. For example, in June 2016 a hacker was able to exploit a flaw in the smart contract used by The DAO, a crowdsourced venture capital platform based on the Ethereum blockchain, in order to steal more than $50 million worth of Ether.

A controversial solution to address the theft was proposed, known as a “hard fork.” Cryptocurrencies use the concept of a blockchain, which is essentially a decentralized and agreed upon ledger of all the transactions that have occurred. The hard fork would change the agreed upon rules and create a new path forward for the currency — one that would invalidate the theft. However, some Ethereum users argued that the idea of a hard fork went against the very principles of a decentralized network that was designed to combat a single authority. Those that eventually rejected the fork are now on a parallel version of the blockchain, Ethereum Classic, while the rest of the community moves forward on the other fork as Ethereum.

Despite the troubles, Ethereum continues to thrive. The concept of disrupting existing business models with decentralized blockchains has gained Ethereum interest not just from dark web markets, but from legitimate companies. In February it was announced that 30 organizations — including JPMorgan Chase, Microsoft, and Intel — would team up under the Enterprise Ethereum Alliance to enhance the privacy, security, and scalability of the Ethereum blockchain.

Ethereum’s Value: Past 90 Days

Ethereum’s market cap has grown significantly on the heels of recent announcements, according to CoinMarketCap.

All of that news has helped to more than quadruple the market cap of Ethereum in 2017, from less than $1 billion in January 2017 to around $4 billion on April 6.

It’s still nearly a month before the option goes live, so it is unclear how many security-obsessed cybercriminals on the dark web will actually use the payment option — or if they will stick with bitcoin. Nevertheless, being adopted by AlphaBay, which is by far the most popular dark web market according to SurfWatch Labs’ data, could potentially be a huge boost for Ethereum.

Weekly Cyber Risk Roundup: More CIA Leaks, New Mirai Attacks, and LastPass Vulnerabilities

The CIA remained as the top trending cybercrime target of the week as WikiLeaks released a third set of documents related to the agency. The new release includes 676 source code files for the CIA’s secret anti-forensic Marble Framework, which WikiLeaks said “is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.”

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi,” WikiLeaks wrote in its announcement. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion.”

The fact that an intelligence agency would have tools to cover its tracks is hardly surprising. However, it appears that WikiLeaks will continue to leak CIA documents for the foreseeable future, and those leaks may have yet-to-be-known implications for governments, tech companies, and cybercriminal actors. After the initial CIA leak in early March, WikiLeaks tweeted that it has released less than one percent of its Vault7 series.

Another recurring story in these roundups is the Mirai botnet, and researchers said this week that a new variant is likely behind a 54-hour long DDoS attack that targeted a U.S. college. The attack peaked at 37,000 requests per second, the most Incapsula has seen out of any Mirai botnet. The company said 56 percent of all IPs used in the attack belonged to DVRs manufactured by the same vendor. IoT devices continue to make headlines for vulnerabilities – including certain devices that were allegedly targeted by the CIA – and this past week saw new warnings of methods for hacking smart televisions as well as a vulnerability in an Internet-connected washer-disinfector. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, IoT devices have potentially become the largest digital footprint of organizations that is not under proper security management.


Other trending cybercrime events from the week include:

  • Data breaches expose more credentials: A hacker has stolen the email addresses and MD5-hashed passwords of 6.5 million accounts from Dueling Network, a now-defunct Flash game based on the Yu-Gi-Oh trading card game. Although the game was shut down in 2016, the forum continued to run until recently. Nearly 14 million stolen and fake email credentials from the 300 largest U.S. universities are for sale on the dark web, a rise from only 2.8 million last year, according to the nonprofit Digital Citizens Alliance. The stolen email addresses and passwords sell from $3.50 to $10 each.
  • Warnings of skimming and keylogging devices: Carleton University in Ottawa said it discovered USB keylogging devices on six classroom computers during a routine inspection, and the university is urging staff and students to change passwords for any accounts they may have accessed from classroom computers. The San Bernardino County Sheriff’s Department has received more than 70 reports of credit card fraud tied to a suspected card skimming device in Big Bear. A Romanian citizen pleaded guilty to a scheme to defraud customers of Bank of America and PNC Bank via ATM skimming.
  • Ransomware notifications continue: Urology Austin has notified 200,000 patients of a January 22 ransomware attack that may have compromised their information. Ransomware encrypted files belonging to Forsyth Public Schools, and information such as lesson plans and schedules stored by teachers on the district server is likely lost due to the incident. Estill County Chiropractic is notifying 5,335 patients of unauthorized access to its system and a ransomware infection that may have compromised their personal information. Ransomware was found on the computer systems of the Tweede Kamer, the lower house of Dutch parliament.
  • Former employee causes serious problems: A former IT administrator of the Lucchese Boot Company pleaded guilty to hacking the servers and cloud accounts of his employer after he was fired, and the company claims it lost $100,000 in new orders in addition to the extra IT costs it had to endure due to the attack. According to the complaint, the former employee logged into an administrator account after being fired and proceeded to shut down the corporate email and application servers, deleted files on the servers to block any attempts at a reboot, and then began shutting down or changing the passwords on the company’s cloud accounts.
  • Other notable cybercrime events: The personal information of 3.7 million Hong Kong voters and the city’s 1,200 electors may have been compromised when two laptops were stolen. Approximately 95,000 individuals who applied online for a job at McDonald’s in Canada had their information compromised due to unauthorized access to the company’s database. Multiple employees of the Washington University School of Medicine fell for phishing emails designed to steal credentials used to access their email. While investigating a data breach related to employees’ W-2 forms, Daytona State College discovered a second data breach involving student financial aid forms. A Russian citizen has pleaded guilty to his role in helping spread malware known as “Ebury,” which harvested log-on credentials from infected computer servers, allowing the criminal enterprise behind the operation to operate a botnet comprising tens of thousands of infected servers throughout the world.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The password manager LastPass has addressed a series of vulnerabilities that were discovered by Google Project Zero researcher Tavis Ormandy, including one now-patched “unique and highly sophisticated” client-side vulnerability in the LastPass browser extension.

In a March 31 update, LastPass advised its users to ensure they are running the latest version (4.1.44 or higher) of the extension so that they are protected.

The vulnerability, which could be exploited to steal data and manipulate the LastPass extension, required first luring a user to either a malicious website or a website running malicious adware and then taking advantage of the way LastPass behaves in “isolated worlds,” the company said.

An isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared. LastPass explained:

The separation is supposed to keep both sides safer from external manipulation. In some cases, these variables can influence the logic of the content script. It is difficult to inject arbitrary values into JavaScript using this technique. But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version.

Fixing the issue required “a significant change” to the browser extensions and LastPass urges other extension developers to look for this pattern in their code and ensure that they are not vulnerable to a similar attack.
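The pattern LastPass asks extension developers to look for, as an added illustration written for this post (not LastPass’s code): a content script that decides it is on the vendor site from a string sitting in the shared DOM, beside a check that derives the origin from its own location object and matches it exactly. The attribute name, the allow-list and the attacker.example host are assumptions.

```javascript
// Added illustration (not LastPass's code) of the isolated-world trust boundary:
// a content script shares the page's DOM with the page's own scripts but not its
// JavaScript variables or functions, so any string read from the DOM is page-controlled.

// Constructed allow-list of origins the extension treats as its own vendor site.
const TRUSTED_ORIGINS = new Set(['https://lastpass.com', 'https://www.lastpass.com']);

// Weak pattern: answer "am I running on the vendor site?" from a string that lives in
// the shared DOM, using a loose regex. A page can plant the attribute (the DOM is
// shared), and the regex also accepts look-alike hosts such as
// lastpass.com.attacker.example. Attribute name is an assumption.
function weakIsVendorPage(root) {
  const hint = root.getAttribute('data-lp-host') || '';
  return /lastpass\.com/.test(hint);
}

// Hardened pattern: take the origin from the content script's own location object,
// which the page's scripts cannot redefine, and require an exact allow-list match.
function isVendorPage(location) {
  let origin;
  try {
    origin = new URL(location.href).origin; // normalises scheme, host and port
  } catch (e) {
    return false;                           // unparsable URL: never trusted
  }
  return TRUSTED_ORIGINS.has(origin);
}

// Constructed scenario: a hostile page at attacker.example plants the DOM hint that
// the weak check relies on. The objects stand in for document.documentElement and
// window.location as the content script would see them.
function makeHostilePage() {
  const attrs = { 'data-lp-host': 'https://lastpass.com' };
  return {
    root: { getAttribute: (name) => (name in attrs ? attrs[name] : null) },
    location: { href: 'https://attacker.example/login' },
  };
}

// Runs both checks against the hostile page, a look-alike host and the genuine site.
function demo() {
  const page = makeHostilePage();
  const lookAlikeRoot = { getAttribute: () => 'https://lastpass.com.attacker.example' };
  return {
    weakVerdict: weakIsVendorPage(page.root),          // true: fooled by the shared DOM
    weakLookAlike: weakIsVendorPage(lookAlikeRoot),    // true: substring match
    hardenedVerdict: isVendorPage(page.location),      // false: origin is attacker.example
    hardenedLookAlike: isVendorPage({ href: 'https://lastpass.com.attacker.example/' }), // false
    genuine: isVendorPage({ href: 'https://www.lastpass.com/vault?x=1' }),              // true
  };
}

console.log(demo());
```

A real extension would additionally restrict where the content script is injected through its manifest match patterns; the origin check above is the in-script defence for code paths that still need to know which site they are on.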

The patch came just 10 days after LastPass issued another update to address two other issues discovered by Ormandy that could allow an attacker to potentially retrieve and expose information from the LastPass account, such as a user’s login credentials.

The incident serves as a reminder that vulnerabilities continue to be discovered in a variety of products, including the tools used to help keep individuals and organizations safe. Having a full accounting of an organization’s technology infrastructure as well as policies and procedures to track new vulnerabilities and patch software is one of the most effective ways to combat malicious actors who rely on exploiting well-known vulnerabilities.

Weekly Cyber Risk Roundup: JobLink, $100 Million BEC Scam and Other Breaches

Third-party cybersecurity issues were once again front and center this past week as America’s JobLink, a web-based system that links jobs seekers with employers, was compromised by a malicious actor, leading to a series of data breach announcements from states that use the system.

“On February 20, 2017, a hacker created a job seeker account in an America’s JobLink (AJL) system,” the company wrote. “The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers.”

Millions of individuals may have been affected by the vulnerability, which was introduced in an AJL system update in October 2016. When exploited, it allowed the malicious actor to view the names, Social Security numbers, and dates of birth of job seekers in the AJL systems of up to ten states: Alabama (600,000), Arizona, Arkansas (19,000), Delaware (200,000), Idaho (170,000), Illinois (1.4 million), Kansas, Maine (conflicting media reports on total number affected), Oklahoma (430,000), and Vermont (186,000).

Vermont Gov. Phil Scott said at a Thursday press conference that the state was looking into the contract with AJL, which has been in effect for about 16 years, and may potentially pursue legal recourse. At the same press conference Vermont Department of Labor Secretary Lindsay Kurrle noted potential AJL issues that may have compounded the breach, such as older JobLink accounts not being deleted.

Third-party cybersecurity issues continue to be one of the most pressing challenges facing organizations, as the numerous breaches in this roundup each week demonstrate. Despite the challenges, the digital footprints of organizations continue to grow: an issue that Adam Meyer, chief security strategist with SurfWatch Labs, and Kristi Horton, senior risk analyst with Gate 15 & Real Estate ISAC, will discuss in a webinar tomorrow.


Other trending cybercrime events from the week include:

  • WikiLeaks’ dump brings legal issues, more CIA documents: Julian Assange criticized companies for not responding to WikiLeaks’ request that they comply with certain conditions in order to receive technical information on the leaked CIA exploits; however, multiple tech companies said the issue is caught up in their legal departments. WikiLeaks also continued to leak more CIA data by publishing documents that “explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.” The documents are mostly from the last decade, except for a couple that are dated 2012 and 2013.
  • Variety of issues lead to oversharing, data breaches: The UK’s Information Commissioner’s Office is investigating reports that data sharing options in SystmOne may have exposed the medical records of up to 26 million patients. The system’s “enhanced data sharing” option, which doctors turned on so that medical records could be seen by local hospitals, also allowed those records to be accessed by thousands of other workers. Mobile phone company Three is investigating a technical issue that led to some customers who logged into their accounts seeing the personal data of other customers. Med Center Health in Kentucky announced a data breach due to a former employee accessing encrypted patient billing information by falsely implying it was needed for job-related reasons.
  • Bots lead to gift card fraud, stock manipulation: Nearly 1,000 customer websites were targeted by a bot named “GiftGhostBot” that automatically checks millions of gift card numbers to determine which card numbers exist and contain balances. Recent pump-and-dump spam messages from the Necurs botnet falsely claimed that InCapta was about to be bought out for $1.37 per share and that people could buy shares for less than 20 cents before the buyout would be announced.
  • Malware spread via Ask.com toolbar: For the second time in a one month period, malicious actors were able to compromise the Ask Partner Network (APN), creators of the Ask.com toolbar, in order to spread malware that was signed and distributed as though it were a legitimate Ask software update. The first attack was discovered in November 2016, and in December 2016 researchers discovered that the “sophisticated adversary” was continuing its earlier activity “to deliver targeted attacks using signed updates containing malicious content.”
  • Other notable cybercrime events: Hackers going by the name ‘Turkish Crime Family’ claim to have access to a large cache of iCloud and other Apple email accounts and say they will reset accounts and remotely wipe devices on April 7 unless Apple pays a ransom. The McDonald’s India app leaked the personal information of more than 2.2 million users, and data is still allegedly being leaked despite the company’s claims that it fixed the issue. Lane Community College health clinic is notifying approximately 2,500 patients that their personal information may have been compromised due to one of its computers being infected with malware. A gang of hackers-for-hire tried to steal Baidu’s driverless car technology. The FBI believes that North Korea is responsible for the February 2016 theft of $81 million from Bangladesh Bank, and U.S. prosecutors are building potential cases that may both formally accuse North Korea of directing the theft and charge alleged Chinese middlemen.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

One of the most profitable cybercriminal tactics is the business email compromise (BEC) scam, which has accounted for several billion dollars’ worth of actual and attempted losses over the past few years.

A reminder of that ongoing threat surfaced this past week when the Department of Justice announced the arrest of a Lithuanian man on charges that he had successfully duped two U.S.-based companies into wiring a total of over $100 million to bank accounts that he controlled.

The DOJ noted in its press release that the case “should serve as a wake-up call” to even the most sophisticated companies that they may be the target of advanced phishing attempts from malicious actors.

Evaldas Rimasauskas, the arrested Lithuanian man, allegedly registered and incorporated a company in Latvia with the same name as an Asian-based computer hardware manufacturer, and then opened and maintained various bank accounts using that copycat company name. He then is alleged to have sent fraudulent phishing emails to employees of companies that regularly conducted multimillion-dollar transactions with the hardware manufacturer, asking that those companies direct payments for legitimate goods and services to the bank accounts using the copycat name. The indictment also alleges that Rimasauskas submitted forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the victim companies to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

As the FBI and others have repeatedly warned, the lure of a multi-million dollar payout leads cybercriminals to go to great lengths to successfully social engineer companies. This includes more time spent researching things such as the roles of employees and the language they use in written communications, as well as company authority figures, policies and procedures, and supply chains. This allows the social engineers to craft a message, or series of messages, that fits within the expected culture and communication patterns of an organization — increasing their chances of a large, fraudulent payday.

Webinar: IoT Devices Expanding Digital Footprints, Security Issues

We’ve seen a lot of discussion about the collective threat of the Internet-of-Things, ever since malicious actors proved in October 2016 that they could disrupt whole chunks of the Internet by stringing together thousands of compromised smart devices and pointing them all at a single target.

The distributed denial-of-service (DDoS) attack against DNS provider Dyn left a number of popular websites unavailable throughout the U.S. and elsewhere, including Twitter, Netflix, Reddit, CNN, The New York Times, and many more. There have been other IoT-powered DDoS attacks, both before and after the Dyn attack, but that incident served as the tipping point in many ways. For years security researchers had been warning of the poor security of Internet-connected devices — from baby monitors to televisions to thermostats to vehicles — and the Dyn attack was the culmination of so many small insecurities being leveraged by malicious actors in a big way.

As I’ve written before, the core pillars of cyber threats are capability, intent, and opportunity. The billions of IoT devices making their way into homes and businesses provide an ample amount of opportunity for attackers, and it was only a matter of time before they exploited that opportunity.

Register for SurfWatch Labs’ webinar:
IoT Devices Expanding Your Level of Presence (and Your Digital Risk Footprint)
Tuesday, March 28
1:00 – 2:00 PM (ET)

IoT devices have potentially become the largest digital footprint NOT under proper security management. In addition, many reports have projected the number of Internet-connected devices to double or even triple within the next four years. It’s a concern for businesses, particularly since the devices often lack even basic cybersecurity features, but the issues stemming from IoT devices are not new or unique.

The security community has seen similar developments over the past 15 years, as I noted in my recent Security Week column, including Virtual Machines becoming the go-to technology in the early 2000s and BYOD beginning to be adopted later in the decade. In both cases, the digital footprints of organizations expanded, and security strategies had to evolve to match those risks. A similar effort needs to be taken in the face of IoT threats.

Take a look at this chart our threat analysts put together highlighting some of the top trending targets associated with IoT cyber threats over the past year. SurfWatch Labs has collected data on everything from cameras, routers and wearable devices to numerous “Other” tags such as home security systems, printers, light bulbs, and more.

SurfWatch Labs has collected data on dozens of different types of IoT devices that can be exploited by malicious actors.

And there continues to be more developments on the IoT front. Over just the past few weeks we’ve seen:

  • CIA exploits tied to smart devices, such as WikiLeaks’ claim that Samsung TVs can be placed in a “fake-off” mode and used as a bug to spy on targets.
  • The discovery of Imeij, a new IoT malware that exploits a vulnerability in devices from AVTech, a surveillance technology company.
  • New reported breaches related to IoT devices, such as the CloudPets line of Internet-connected toys, on the heels of a study that revealed 84% of companies have already experienced some sort of IoT breach.

This is a problem that is likely going to get worse in the near future as more of these types of threats move from the periphery of the cybercrime conversation into center stage.

For more information on this threat, join Kristi Horton, Senior Risk Analyst with Gate 15 & Real Estate ISAC, and me, Chief Security Strategist with SurfWatch Labs, for an upcoming discussion around IoT device risks, trends, and best practices for pulling these devices under better control.

Register: IoT Devices Expanding Your Level of Presence (and Your Digital Risk Footprint)

Weekly Cyber Risk Roundup: Third-Party Breaches and Apache Struts Issues

Twitter is the week’s top trending cybercrime target after malicious actors leveraged a third-party analytics service known as Twitter Counter to hijack a number of Twitter accounts and post inflammatory messages written in Turkish along with images of Nazi swastikas. Hundreds of accounts were compromised, the Associated Press reported.


Forbes magazine, the Atlanta Police Department, Amnesty International, UNICEF USA, and Nike Spain were among the numerous Twitter accounts hijacked.

A Twitter spokesperson said it removed the permissions of the third-party app, which was the source of the problem. In a series of tweets on Wednesday, Twitter Counter responded to the issue: “We’re aware that our service was hacked and have started an investigation into the matter. We’ve already taken measures to contain such abuse. Assuming this abuse is indeed done using our system, we’ve blocked all ability to post tweets and changed our Twitter app key.”

Twitter hijackings are common, and we do not highlight them in this weekly report very often; however, the Twitter Counter compromise is worth noting due to the supply chain issues it represents. Organizations frequently use third-party services to help manage their numerous social media accounts, and that interconnectedness was one of the central themes of SurfWatch Labs’ annual threat intelligence report. “One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

Organizations should have a way to track, monitor, and address any issues pertaining to third-party tools and services so they can better manage the increased risk that stems from an interconnected world.


Other trending cybercrime events from the week include:

  • New point-of-sale breaches: A breach at point-of-sale vendor 24×7 Hospitality Technology appears to be behind a series of fraudulent transactions tied to Select Restaurants Inc. locations, Brian Krebs reported. 24×7 issued a breach notification letter in January saying that a network intrusion through a remote access application allowed a third party to gain access to some of 24×7 customers’ systems and execute PoSeidon malware. Multiple Australian schools are warning parents that individuals are reporting fraudulent payment card transactions after Queensland School Photography’s online ordering system was compromised.
  • Yahoo breach leads to indictments: A grand jury has indicted four individuals, including two officers of the Russian Federal Security Service (FSB), over their alleged roles in the hacking of at least 500 million Yahoo accounts. According to the Department of Justice, the FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated, and paid co-defendants Alexsey Belan and Karim Baratov to collect information through computer intrusions in the U.S. and elsewhere.
  • Breaches due to insecure databases and devices: Security researchers discovered hundreds of gigabytes of data from the Warren County Sheriff’s Department exposed due to an insecure network storage device, including a variety of sensitive documents and recordings. A Dun & Bradstreet database containing the personal information of 33.7 million U.S. individuals has been exposed, likely due to an unsecured MongoDB database. Dun & Bradstreet said that it owns the database, but stressed that the data was not stolen from its systems and that the information was approximately six months old. Thousands of sensitive U.S. Air Force documents were exposed due to an insecure backup drive belonging to an unnamed lieutenant colonel.
  • Ransomware infections continue to be announced: Summit Reinsurance is notifying individuals of a breach after discovering unauthorized access to a server as well as a ransomware infection. The city of Mountain Home, Arkansas, had to wipe the server of its water department and restore the data from a backup after a ransomware infection locked 90,000 files. Metropolitan Urology Group said a November 2016 ransomware infection exposed the health information of patients who received services between 2003 and 2010. Ransomware actors are shifting towards disrupting business services and demanding higher ransom payouts.
  • Other notable cybercrime events: A flaw in the old website of South African-based cinema chain Ster-Kinekor exposed the personal information of up to 6.7 million users. Three is notifying an additional 76,373 customers that their personal information was compromised in a November 2016 incident. Wishbone announced a data breach due to unknown individuals having “access to an API without authorization.” UK travel association ABTA announced that 43,000 individuals had their personal information compromised due to a vulnerability in the servers of a third-party hosting service. Arkansas is investigating whether malware stole the personal information of 19,000 individuals. Cincinnati Eye Institute, Landauer, and Virginia Commonwealth University Health System announced data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Earlier this month, a patch was issued to address a high-impact vulnerability in the Apache Struts Jakarta Multipart parser that allowed attackers to remotely execute malicious code. Shortly after the patch, an exploit appeared on a Chinese-language website. Researchers then confirmed that attackers were “widely exploiting” the vulnerability. Since then, the issue has continued to affect numerous organizations through data breaches and service downtime.

For example, the Canada Revenue Agency was one of the week’s top trending cybercrime targets after the Canadian government took the website for filing federal tax returns offline due to the vulnerability, temporarily halting services such as electronic filing until security patches could be put in place.

John Glowacki, a government security official, said during a press conference that there was “a specific and credible threat to certain government IT systems,” and Statistics Canada confirmed that hackers broke into a web server by exploiting the Apache Struts vulnerability. Glowacki also said it was his understanding that some other countries “are actually having greater problems with this specific vulnerability [than Canada].”

Those other instances have not been as widely reported; however, GMO Payment Gateway confirmed a data breach related to the vulnerability. The Japanese payment processing provider announced that an Apache Struts vulnerability led to the leak of payment card data and personal information from customers who used the Tokyo Metropolitan Government website and Japan Housing Finance Agency site. According to the breach notification, the Tokyo Metropolitan Government credit card payment site leaked the details of as many as 676,290 payment cards, and the Japan Housing Finance Agency payment site leaked the details of as many as 43,540 payment cards. The breach was discovered after an investigation was launched on March 9 due to alerts about the vulnerability. Less than six hours later, GMO discovered unauthorized access and stopped all systems running with Apache Struts 2.

SurfWatch Labs analysts warn that servers running unpatched Apache Struts with root privileges are at high risk of being fully compromised, and organizations are encouraged to patch Apache Struts deployments as soon as possible.

“Unfortunately, fixing this critical flaw isn’t always as easy as applying a single update and rebooting,” Ars Technica’s Dan Goodin noted. “That’s because in many cases, Web apps must be rebuilt using a patched version of Apache Struts.”

Ransomware Disrupting Business Operations and Demanding Higher Payouts

Malicious actors are continually fine-tuning their tactics, and one of the best examples of this is the evolution of ransomware. Ransomware has largely been an opportunistic, rather than a targeted, form of cybercrime with the goal of infecting as many users as possible. That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful.

As I wrote earlier this month, the surge of extortion attacks impacting organizations has led to a number of fake extortion threats, including empty ransomware demands where actors contact organizations, lie about the organization’s data being encrypted, and ask for money to remove the non-existent threat. Cybercriminals like to follow the path of least resistance, and an attack doesn’t get much easier than simply pretending to have done something malicious.

However, attacks over the past year have proven that infecting organizations with ransomware can result in much higher payouts. The more disruptive the attack, the more money some organizations are willing to pay to make the problem go away. As a result, ransomware actors are shifting their targets towards more disruptive attacks, which we examine in our latest report, Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

A quick look at some of the ransomware mentioned in SurfWatch Labs’ new report.

It was just 13 months ago that Hollywood Presbyterian Medical Center drew national attention by paying $17,000 to decrypt its files after a ransomware attack. The incident was novel at the time, but those types of stories have since become commonplace.

For example:

  • On November 25, 2016, an HDDCryptor infection at the San Francisco Municipal Transportation Agency led to the temporary shutdown of ticketing machines and free rides for many passengers, costing an estimated $50,000 in lost fares.
  • On January 19, 2017, a ransomware infection of the St. Louis Public Library computer system temporarily halted checkouts across all 17 locations and led to a several-day outage of the library’s reservable computers.
  • On January 31, 2017, a ransomware infection in Licking County, Ohio, led to the IT department shutting down more than a thousand computers and left a variety of departments – including the 911 call center – unable to use computers and perform services as normal for several days.
  • In February 2017 at the RSA Conference, researchers from the Georgia Institute of Technology presented a proof-of-concept ransomware that targets the programmable logic controllers (PLCs) used in industrial control systems (ICS).

As the Georgia Institute of Technology researchers noted: “ICS networks usually have little valuable data, but instead place the highest value on downtime, equipment health, and safety to personnel. Therefore, ransomware authors can threaten all three to raise the value side of the tradeoff equation to make ICS ransomware profitable.”

In short, if actors understand what is most valuable to an organization and can find a way to effectively disrupt those goals, they can find success in yet-to-be targeted industries. It may require more legwork, but the higher potential payouts may make it worthwhile for some actors to engage in less widespread but potentially much more profitable attacks.

Government agencies, consumer services, educational institutions, healthcare organizations, and more have all had services disrupted by ransomware over the past six months.

In addition, just last week, researchers discovered a new ransomware family, dubbed “RanRan,” that doesn’t even ask for money. Instead, the ransomware attempts to force victims “to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” The malware is described by the researchers as “fairly rudimentary” and there are a number of mistakes in the encryption process, but it serves as an example of how malicious actors that are not financially motivated can nevertheless leverage ransomware to achieve their goals.

Organizations need to take action to protect themselves against ransomware actors that are trying to find more effective ways to disrupt business operations and demand even higher ransom payouts. For more information on these evolving ransomware attacks, download SurfWatch Labs’ free report: Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.