October’s Bad Rabbit ransomware attacks were back in the news this week due to a report that a series of phishing attacks occurred at the same time as the Bad Rabbit outbreak, and the parallel attacks may have been carried out by the same group.
The discovery also suggests that Ukraine may have been a key target of the attacks, despite Russian victims being more heavily targeted by Bad Rabbit.
The phishing attacks targeted users of Russian-designed 1C software with emails that appeared to be from the developer, the head of the Ukrainian state cyber police told Reuters. 1C products, including accounting software, are widely used in Ukraine.
The official said that 15 companies reported they were compromised by the attack, and it is possible that more people or organizations may have been affected due to 1C software’s wide use. The official also said the main theory is that both the Bad Rabbit and 1C phishing attacks were carried out by the same perpetrators with the goal of getting remote and undetected access in order to steal financial and confidential information. 1C’s developers did not respond to Reuters’ requests for comment about the phishing attacks, but a Ukrainian distributor confirmed that its users were targeted and that it warned them to take extra precautions.
Some researchers have suggested that the Bad Rabbit attacks were carried out by the same group behind June’s NotPetya outbreak. The NotPetya attack leveraged a back door that had been inserted into the M.E.Doc accounting software, which Reuters reported is used by 80 percent of Ukrainian companies. The use of popular Ukrainian accounting software during both NotPetya and attacks potentially linked to Bad Rabbit is yet another shared connection between the two events.
Other trending cybercrime events from the week include:
- Data breach announcements: Verticalscope, which manages popular Web discussion forums, confirmed that it discovered an intrusion that provided access to the individual website files of six websites. Tween Brands is notifying customers that their personal information may have been compromised due the discovery of unauthorized access to a server. HumanGood is notifying customers that their personal information may have been compromised due to unauthorized access at a third-party benefits coordination vendor. North American Title Company is notifying customers that their personal information may have compromised due to an employee’s email account being accessed by an unauthorized third party. Wilbraham, Lawler & Buba and the East Central Kansas Area Agency on Aging announced ransomware attacks that could have also compromised personal information.
- Data exposed: WikiLeaks released the source code for an alleged CIA hacking tool called “Hive,” and the release is just the first in a new series, dubbed “Vault 8,” that is intended to publish the source code from the variety of hacking tools described in the series of “Vault 7” publications earlier this year. A flaw in the website of the Australian Securities and Investments Commission (ASIC) exposes the search records and purchased documents of users such as investigative journalists and finance industry professionals. The website of the Scottish Appropriate Adult Network, which works with mentally impaired individuals that need help with the justice system, was shut down after it was found to be exposing the personal information of about 50 people. Klinger Moving Company is notifying employees that their personal information was briefly exposed due to a file that was stored on a company server being browsable via search engines.
- Other notable incidents: NIC Asia Bank said that malicious actors initiated $4.4 million worth of fraudulent money transfers via the SWIFT messaging system last month; however, the bank was able to recover all but $580,000 of the funds. The anime streaming service Crunchyroll said that intruders planted a fake homepage that pushed a malicious “CrunchyViewer” program to its viewers for several hours. Approximately 800 school websites hosted by SchoolDesk displayed a pro-ISIS video after the company was hacked and a file was injected that redirected those websites to the video. Valley Family Medicine said that two now-former employees printed a mailing list of 8,450 patient names and addresses and used the list to make postcards informing them of a new practice.
- Legal actions: A Pennsylvania man has been indicted for illegal trading via more than 50 hacked online brokerage accounts, which caused the firms servicing the accounts to lose more than $2 million. A former Minnesota resident has been charged with purchasing a year’s worth of DDoS attacks against his former employer Washburn Computer Group, as well as the networks of the Minnesota Judicial Branch, Hennepin County, and several banks. The UK’s Information Commissioner’s Office is warning employees to obey strict privacy laws on the heels of a charity worker at Rochdale Connections Trust being prosecuted for sending spreadsheets containing the personal information of 183 people to his personal email address.
SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.
Cyber Risk Trends From the Past Week
The hack of a large cache of sensitive documents from the offshore law firm Appleby, which was first reported several weeks ago, has already begun to have potentially wide-reaching ramifications.
The International Consortium of Investigative Journalists (ICIJ), which also drove the reporting around the 2016 “Panama Papers” leak, has dubbed the new leak the “Paradise Papers.”
The Guardian reported that the now-exposed Appleby documents contain information related to numerous prominent individuals and organizations, such as Donald Trump’s commerce secretary Wilbur Ross, Queen Elizabeth II and Prince Charles, associates of Canadian Prime Minister Justin Trudeau, social media platforms Twitter and Facebook, corporations Apple and Nike, a variety of wealthy private individuals, and hundreds more.
Appleby reiterated this week that the theft of its data was not a leak by an insider, but “a serious criminal act” carried out “by an intruder who deployed the tactics of a professional hacker.” The company has previously stated that it had “thoroughly and vigorously investigated the allegations” from the ICIJ and was “satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients.”
The BBC reported that although the 2016 Panama Papers were larger is size, the way the Paradise Papers “lifts the lid on sophisticated, upper-end offshore dealings” is unprecedented. For example, Gabriel Zucman, a professor of economics at the University of California, Berkeley, wrote in The New York Times that $70 billion, or close to 20 percent of all U.S. corporate tax revenue, is lost every year due to shifting corporate profits to tax havens.
The ICIJ and nearly 100 media groups are continuing to dig through the 13.4 million documents spanning seven decades that make up the Paradise Papers. The BBC said the papers include 6.8 million documents related to the Appleby breach, 6 million documents from corporate registries in mostly Caribbean jurisdictions, and a smaller amount from the Singapore-based international trust and corporate services provider Asiaciti Trust.
Dozens more stories related to the Paradise Papers will likely be published in the near future, although it remains to be seen what political, economic, or reputational fallout will accompany the organizations and individuals impacted by the leak.