Weekly Cyber Risk Roundup: Deloitte Breached and More Possible Supply Chain Attacks

Deloitte, one the world’s “big four” accounting firms, was the week’s top trending new cybercrime target after it was reported that the firm experienced a breach that compromised some of its clients’ information.

2017-09-29_RiskScores.png

The Guardian reported that Deloitte clients’ information was compromised after a malicious actor gained access to the firm’s global email server through an administrator account that did not have two-step verification enabled.

Six Deloitte clients have been informed of the breach, which was first discovered in March 2017 and may have dated back to October 2016. The Guardian was told that an estimated five million emails could have been accessed by the hackers since emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service; however, Deloitte said the number of emails that were at risk is “very small fraction of the amount that has been suggested.”

Shortly after The Guardian story broke, Brian Krebs reported that a source close to the Deloitte investigation said the company’s breach involves the compromise of all administrator accounts at the company, that it’s “unfortunate how we have handled this and swept it under the rug,” and that “it wasn’t a small amount of emails like reported.” The source also said that investigators identified several gigabytes of data being exfiltrated and that Deloitte is not sure exactly how much data was taken.

Additionally, The Register reported that what appeared to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found within a public-facing GitHub-hosted repository; that a Deloitte employee uploaded company proxy login credentials to his public Google+ page; and that Deloitte has “loads” of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled.

2017-09-29_ITTGroups

Other trending cybercrime events from the week include:

  • Ransomware continues: Montgomery County, Alabama officials said the county paid 9 bitcoins ($37,000) in ransom to regain access to its files after a SamSam ransomware infection disrupted services at the Montgomery County District Attorney’s Office. Officials said they had backups in place, but that the off-site backup servers were nearing capacity, along with some other issues. San Ysidro School District said it was infected with ransomware that affected emails and some shared files and demanded $18,000 in ransom. However, the school did not pay the ransom as it had a backup in place. The Arkansas Oral & Facial Surgery Center is notifying patients of a July 26 ransomware infection that made inaccessible imaging files such as x-rays, document attachments, and all electronic patient data related to visits within three weeks prior to the infection.
  • Other extortion attacks: Malicious actors are using compromised iCloud credentials along with Find My iPhone to lock users computers with a passcode and then demand a ransom to unlock the device. Mac Rumors reported that the attack can bypass two-factor authentication since Apple allows users to access Find My iPhone without requiring two-factor authentication in the event that the user’s only trusted device is missing. A group using the name Phantom Squad is believed to have sent extortion emails to thousands of companies threatening DDoS attacks on September 30 unless a 0.2 bitcoin ($720) ransom is paid. SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy in Massachusetts said that TheDarkOverlord accessed data stored in Patterson PTOS software, and TheDarkOverlord shared the stolen database of 16,428 patient records with databreaches.net, which confirmed the breach. TheDarkOverlord went public with the breach after a failed ransom attempt.
  • New point-of-sale breaches: The fast-food chain Sonic said it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash. Whole Foods said that some of the taprooms and full table-service restaurants in its grocery stores experienced a point-of-sale breach. The breach did not affect credit cards used at the store’s main checkout systems as those use a different point-of-sale system.
  • Other notable incidents: The Toms River police department said that 3,7000 individuals had their information compromised due to a data breach. Fresno Unified School District said that the personal information of 53 employees, retirees, and their dependents was found in the possession of multiple individuals arrested by the Gilroy and Clovis police departments. Signator Investors is notifying customers that an unknown third party gained unauthorized access to some client records. The Brown Armstrong financial consultancy firm is warning that fraudulent tax returns were filed under some of its client’s names. A lawyer at the law firm Wilmer, Cutler, Pickering, Hale and Dorr inadvertently leaked PepsiCo privileged information by email to a Wall Street Journal reporter. The federal government notified 21 states that they were the target of hacking related to the 2016 presidential election.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

2017-09-29_RiskScoresLast week we noted the malicious version of CCleaner that was downloaded approximately 2.27 million times appeared to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

This week Morphisec, the firm that discovered the backdoored version of CCleaner, said that there may be other similar attacks leveraging common applications that have been compromised in an attempt to gain access to even more corporate networks.

The company’s chief technology officer Michael Gorelik said that it is currently investigating historical “false positive” reports in an attempt to discover evidence if other applications have been backdoored. Gorelik said that he believes there were other supply chain attacks like the CCleaner one, and that the initial findings of the investigation were “very interesting.”

As SurfWatch Labs has previously noted, supply chains have proven to be one of the more difficult aspects for organizations to defend against, and malicious actors have shifted their attacks towards weak points in the supply chain to exploit the interconnected nature of organizations. For example, the June spread of WannaCry, perhaps the year’s most widely reported cyber incident, was tied to infections from the updater process for tax accounting software created by the Ukrainian company MEDoc.

The issues around CCleaner and MEDoc have been widely reported, but there are numerous other example of smaller-scale incidents that regularly occur. For example, last month npm, which describes itself as “the world’s largest software registry,” said that it removed more than 40 malicious packages after discovering an actor going by the name “hacktask” had published them with similar names to popular npm packages in an attempt to trick users into downloading them. In addition, popular Android apps, WordPress plugins, and other widely used products are frequently compromised to deliver various types of malware.

The researchers looking into supply chain attacks similar to CCleaner have not yet announced any other potential compromises, but organizations should keep an eye on the story to see if any discoveries occur in the coming weeks regarding applications being compromised to gain access to corporate networks.

Weekly Cyber Risk Roundup: SEC, Illicit Trading and CCleaner Industrial Espionage

The U.S. Securities and Exchange Commission (SEC) was the week’s top trending new cybercrime target following the announcement that a data breach compromised sensitive data that may have “provided the basis for illicit gain through trading.” SEC chairman Jay Clayton said the commission learned last month that an incident “previously detected” in 2016 may have led to the illicit trading.

2017-09-24_ITT.png

“Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” Clayton said in a statement.

EDGAR — which is an acronym for electronic data gathering, analysis, and retrieval — contains millions of filings from companies. The investigation is ongoing, but it is likely that any insider trading due to the breach would have occurred between the period when company filings were made and when those filings were released to the public. The SEC breach echoes, on a smaller scale, the insider trading scheme for which a Ukrainian hacker was sentenced to prison earlier this year. That scheme revolved around the theft of 150,000 news releases from Business Wire, Marketwired, and PR Newswire between February 2010 and August 2015, which led to more than $100 million in illegal profits.

Reuters said it had viewed a confidential report stating that the U.S. Department of Homeland Security detected five “critical” weaknesses on the SEC’s computers as of January 23. In addition, the Government Accountability Office warned in July that the SEC was “at unnecessary risk of compromise” because of deficiencies in its information systems. Reuters also reported that new SEC reporting rules start to come into effect in December that require funds to confidentially file monthly, rather than quarterly, portfolio holdings with the SEC. The breach has unnerved investor groups such as the Investment Company Institute, which wants the SEC to answer cybersecurity concerns before the SEC begins collecting additional sensitive data.

2017-09-24_ITTGroup

Other trending cybercrime events from the week include:

  • TheDarkOverlord threatens violence: Flathead County in Montana closed 30 schools for several days following a breach and ransom letter that claimed to come from TheDarkOverlord and hinted at physical violence, as well as threats against individual families that leveraged the school’s electronic directory. Databreaches.net wrote that “the Flathead case is not the first case where TheDarkOverlord has contacted its victims by phone or SMS to threaten them or deliver obscenity-laden messages.”
  • Organizations expose more data: Researchers discovered an Amazon AWS S3 bucket belonging to Viacom that contained “a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations.” Researchers discovered an Amazon AWS S3 bucket with more than half a million records belonging to the automobile tracking company SVR Tracking. The Office of the Australian Information Commissioner is investigating the exposure of the financial information of customers of Amazing Rentals. The British supermarket chain Iceland exposed customer information on its home delivery confirmation sheets, which also contained an IP address that led to a insecure login portal for Iceland’s scheduling system. Premier Medical Associates said that 900 patients that submitted information via the “Contact Us” portion of its website had that data compromised due to search engines retrieving the submissions.
  • New data breaches: OurMine gained access to Vevo’s media storage servers and leaked 3.12TB of company data. Bulletproof 360 is notifying customers that their payment information may have been compromised due to the discovery of unauthorized code on its website’s checkout page. TD Ameritrade said “unauthorized code” led to the breach of customer information. LiteBit is notifying users that their personal information was accessed in an attack that targeted a supplier and a LiteBit server. Cornerstone Business and Management Solutions said that it discovered an unauthorized account on a server and that the data of Certified Medical Supplies patients was compromised. Irish National Teachers’ Organization said that more than 30,000 teachers had their personal information compromised due to hackers gaining access to its online learning portal. TRUEbenefits, ABB, Inc., Morehead Memorial Hospital in North Carolina, and AU Medical Center all announced breaches due to compromised employee email accounts.
  • Other notable incidents: Montgomery County in Alabama said that a ransomware infection locked up computer systems and disrupted some county services. PeaceHealth Southwest Medical Center is notifying 1,969 patients that their protected health information was unnecessarily accessed by an employee. A Georgia man was found guilty of inserting malicious code known as a “logic bomb” into a national-level computer program responsible for handling pay and personnel actions for nearly 200,000 U.S. Army reservists. An Arizona man was sentenced to four years of federal probation for making changes to a company website that prevented the company’s employees from using their email accounts, redirecting the company’s homepage to a blank page, demanding $10,000 to return everything to normal, and then redirecting the company’s homepage to a pornographic website when it refused to pay the ransom.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-09-24_ITTNew

Cyber Risk Trends From the Past Week

2017-09-24_RiskScoresLast week the developer of CCleaner announced that approximately 2.27 million users of CCleaner downloaded a legitimately signed version of the utility containing malicious code. Shortly thereafter, it was reported that the spreading of a backdoored version of CCleaner appears to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

The malicious version of CCleaner was available on the site from August 15 to September 12, said Piriform, which was recently acquired by Avast, and affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. The compromised code could have resulted in “the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.”

Researchers found evidence that the actors attempted to filter their collection of compromised victim machines to find computers inside the networks of tech firms, such as Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, Cisco, and more. In about half of the cases, the actors behind the attack successfully compromised a machine within the company’s network and used that to install another piece of malware likely intended for industrial espionage. The researchers also noted that the list of targets discovered was likely modified throughout the month-long campaign, so there may be additional companies that were targeted besides the 18 that were identified.

“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” Cisco researchers wrote.