Weekly Cyber Risk Roundup: Cloudflare Aftermath and Online Stores Breached

The Cloudflare software bug that resulted in the potential leaking of sensitive data remained the top trending cybercrime event of the past week as researchers continued to investigate and quantify the effects of the incident. In a March 1 blog post, Cloudflare CEO Matthew Prince described the “Cloudbleed” impact as “potentially massive” and said the bug “had the potential to be much worse” than the initial analysis suggested.


Cloudflare summarized its findings as of March 1:

  1. Their logs showed no evidence that the bug was maliciously exploited before it was patched.
  2. The vast majority of Cloudflare customers had no data leaked.
  3. A review of tens of thousands of pages of leaked data from search engine caches revealed a large number of instances of leaked internal Cloudflare headers and customer cookies, but no instances of passwords, credit card numbers, or health records.
  4. The review is ongoing.

The bug was first discovered by researcher Tavis Ormandy on February 17. Ormandy wrote that the data leakage may date back to September 22, 2016, and that he was able to find “full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Prince said that “the nightmare scenario” would be if a hacker had been aware of the Cloudflare bug and had been able to quietly mine data before the company was notified by Google’s Project Zero team and a patch was issued. “For the last twelve days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched,” Prince wrote. “We’ve found nothing so far to indicate that was the case.”


Other trending cybercrime events from the week include:

  • Political hacks and fallout continue: The daughter of political consultant Paul Manafort had her iPhone data hacked, and a database containing more than 280,000 text messages, many of which shed light on the family’s views of Russia-aligned Ukrainian strongman Viktor Yanukovych and President Donald Trump, has been leaked on a darknet website run by a hacktivist collective. The files appear to have been accessed through a backup of Andrea Manafort’s iPhone stored on a computer or iCloud account. Three Russians were recently charged with treason for allegedly passing secrets to U.S. firm Verisign and other unidentified American companies, which in turn shared them with U.S. intelligence agencies. The charges come after the U.S. accused Russia of hacking, and Reuters reported the charges may be a signal that Russia “would now take action against forms of cooperation that it previously tolerated.”
  • More payment card breaches: Hospitality company Benchmark announced a payment card breach affecting six of its properties, including the hotel front desks of Doral Arrowwood, Eaglewood Resort & Spa, and the Santa Barbara Beach & Golf Resort and the food and beverage locations of The Chattanoogan, Willows Lodge, and Turtle Bay Resort. Niagara-Wheatfield School District officials are warning individuals who purchased tickets to attend a school production of “The Lion King” that there have been several reports of credit card fraud tied to those purchases. The school sold the tickets using the ticket sales platform ShowTix4U; however, a spokesperson said there may have been other ways the credit card information could have been compromised. Touring and transportation company Roberts Hawaii is notifying customers of a payment card breach. Authorities are urging customers of Downeast Credit Union in Belfast to check their accounts for suspicious activity after the discovery of a skimming device in an ATM at the Down East Credit Union Belfast branch.
  • Unauthorized access due to employees and poor security: Vanderbilt University Medical Center is notifying 3,247 patients that their patient files were accessed between May 2015 and December 2016 by two staff members who worked as patient transporters. WVU Medicine University Healthcare is notifying 7,445 patients that their protected health information was compromised due to an employee accessing the data without authorization, and 113 of the patients are victims of identity theft. Chicago Public Schools students had their information potentially compromised due to a Google spreadsheet that did not require a login and included special education students’ personal information.
  • Other notable cybercrime events: Spiral Toys sells an internet-connected teddy bear that allows kids and parents to exchange messages via audio recordings, and more than two million of those messages, as well as more than 800,000 email addresses and bcrypt-hashed passwords, have been potentially compromised due to being stored in a database that was neither behind a firewall nor password-protected. Singapore’s Ministry of Defence said that a “targeted and carefully planned” attack resulted in a breach of its I-net system. An actor using the name “CrimeAgency” on Twitter claims to have hacked 126 vBulletin-based forums that were running outdated versions of the software. Luxury motorcoach company Hampton Jitney is advising customers to change their passwords after a security breach discovered on Wednesday compromised personal information stored by the company.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Several companies have issued breach notification letters related to a malware incident at Aptos, Inc., which provides e-commerce solutions for a number of online stores. The breach at Aptos was discovered in November 2016, and notification by the various companies affected was delayed until recently at the request of law enforcement.

According to a notification from Mrs Prindables:

Mrs Prindables, along with a wide range of major retailers, utilizes a third party company named Aptos to operate and maintain the technology for website and telephone orders. On February 6, 2017, Aptos informed us that unauthorized person(s) electronically accessed and placed malware on Aptos’ platform holding information for 40 online retailers, including Mrs Prindables, beginning in approximately February 2016 and ending in December 2016. Aptos has told us that it discovered the breach in November 2016, but was asked by law enforcement investigating the incident to delay notification to allow the investigation to move forward.

Other companies to issue breach notification letters, as noted by databreaches.net, include: AlphaIndustries.com, AtlanticCigar.com, BlueMercury.com, Hue.com, MovieMars.com, Nutrex-Hawaii.com, PegasusLighting.com, PlowandHearth.com, Purdys.com, Runnings.com, Sport-Mart.com, Thiesens.com, VapourBeauty.com, WestMusic.com, and PercussionSource.com.

The breach announcement comes on the heels of a report that found “a steady rise” in online fraud attack rates throughout 2016. The shift in tactics toward card-not-present fraud was expected, as the increased security associated with the U.S. adoption of EMV technology made card-present fraud less profitable. Fraud does not go away; it only shifts. As SurfWatch Labs’ Adam Meyer has said, fraud is like a balloon: apply a little pressure to one area and malicious actors quickly expand into an area with less resistance.

However, card-present fraud is still impacting organizations. The past month saw a point-of-sale breach at InterContinental Hotels Group that affected the restaurants and bars of 12 properties and another breach that affected six Benchmark properties. In addition, malware was discovered on the payment systems of Arby’s corporate locations. Nevertheless, SurfWatch Labs cyber threat intelligence data, along with reports from other researchers, clearly shows a continued shift as cybercriminals move to find the sweet spot between difficulty and profit when it comes to payment card fraud — and that increasingly appears to be online.

Weekly Cyber Risk Roundup: Cloudflare Bug Discovered, Typos Lead to Theft

This week’s biggest story is the Cloudflare software bug discovered by Google researchers and disclosed Thursday that could have compromised private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” wrote John Graham-Cumming, the CTO of Cloudflare, which provides performance and security services to numerous major websites. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The bug was discovered by researcher Tavis Ormandy on February 17, and the data leakage may date back to September 22, 2016. However, the greatest period of impact was between February 13 and February 18 “with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage,” the company said. Popular services such as Uber, 1Password, FitBit, OkCupid, and many more use Cloudflare. Uber told media outlets the impact on its customers is minimal since “very little Uber traffic actually goes through Cloudflare,” and 1Password said the company “designed 1Password with the expectation that SSL/TLS can fail” exactly for these types of incidents.

Days before the public disclosure, Ormandy wrote: “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” Then in another comment, “We’re still working on identifying data that needs to be purged from caches.”

As Wired reported, the effort to find leaked data that has been cached and not yet scrubbed “has become something of an internet-wide scavenger hunt.”


Other trending cybercrime events from the week include:

  • Presidential campaign website defaced: A hacker going by the name “Pro_Mast3r” defaced a presidential campaign website for Donald Trump with a message that read, in part, “Peace From Iraq.” The hacker told Brian Krebs that he exploited a DNS misconfiguration to assume control of secure2.donaldjtrump.com.
  • New databases continue to be sold on the dark web: An actor using the name “Berkut” is selling a database of 950,000 user accounts for the website of the music festival Coachella that was allegedly stolen this month. Motherboard confirmed the legitimacy of the database, which contains email addresses, usernames, and hashed passwords. The $300 listing claims that 360,000 of the accounts are related to the main Coachella website and the other 590,000, which contain additional information such as IP addresses, are related to the message board.
  • Employees and students access sensitive data: Dignity Health St. Joseph’s Hospital and Medical Center is notifying approximately 600 patients that a part-time hospital employee viewed portions of their medical records without a business reason between October 1, 2016, and November 22, 2016. An Ohio Department of Taxation employee was fired for accessing the confidential tax information of relatives and acquaintances dozens of times. A student of the South Washington County school district in Minnesota hacked into the district’s server and downloaded the data of more than 15,000 people to an external hard drive in January.
  • Cybercrime-related arrests and sentencing: On Wednesday, February 22, UK law enforcement announced the arrest of a 29-year-old British man on suspicion of carrying out the cyber attack against Deutsche Telekom in November of last year, which impacted up to 900,000 customers of the ISP. SurfWatch Labs analysts have moderate confidence that this individual is the hacker known as “Bestbuy,” and additional researchers have said the actor also used the alias “Popopret.” A former systems administrator for Georgia-Pacific was sentenced to 34 months in prison and ordered to pay damages of more than $1 million after pleading guilty to remotely accessing the plant’s computer system and intentionally transmitting code and commands designed to cause significant damage to Georgia-Pacific and its operations.
  • Other cybercrime announcements: The personal information of 55 million voters in the Philippines was compromised when a computer from the Office of the Election Officer in Wao, Lanao del Sur was stolen, but the data was encrypted with AES-256. A spear phishing campaign against individuals in the Mongolian government used the popular remote access tool Poison Ivy as well as two publicly available techniques to evade AppLocker application whitelisting, four stages of PowerShell scripts to make execution difficult to trace, and decoy documents to minimize user suspicion. The Texas Department of Transportation said a breach of its automated administrative system affected a small number of employees whose information was compromised and potentially altered. Actress Emily Ratajkowski is the latest celebrity to have an iCloud account containing sensitive information hacked.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The Cloudflare bug can be traced back to a single character of code, which resulted in a buffer overrun, the company said.

“The Ragel code we wrote contained a bug that caused the pointer to jump over the end of the buffer and past the ability of an equality check to spot the buffer overrun,” Graham-Cumming said. “Had the check been done using >= instead of == jumping over the buffer end would have been caught.”
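The shape of that bug is easy to reproduce in miniature. The example below is added here and is not Cloudflare’s code or the Ragel-generated parser: a hand-written tag-stripping scanner stands in for the real parser, and the bytes after the logical end of the input are a constructed stand-in for the neighbouring heap memory that was leaked. An unterminated “<script” at the end of the input makes the scan for “>” walk the pointer p past the end pointer pe. The loop’s end-of-buffer test is the single character that matters: with “==” the test can no longer fire once p has jumped over pe, so the scanner keeps copying “someone else’s” bytes into the output; with “>=” it stops immediately. The padding is kept inside one array so the demo itself never reads out of bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scratch area. Bytes past the logical input stand in for the neighbouring
 * heap memory (another request's data) that the real bug leaked. Keeping
 * them inside one array means this demo itself never reads out of bounds. */
#define ARENA_SIZE 64
#define INPUT_LEN 17   /* length of the constructed input in build_arena() */

/* Strips <tags> from arena[0..len) into out and returns how many emitted
 * bytes came from beyond pe (the "leak"). The unterminated "<script" at the
 * end of the input makes the tag scan run p past pe; whether the loop then
 * stops depends on the end-of-buffer test: p == pe (the original) misses a
 * pointer that has already jumped over pe, p >= pe (the fix) catches it. */
static size_t strip_tags(const uint8_t *arena, size_t len, bool fixed_check,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    const uint8_t *p = arena;
    const uint8_t *pe = arena + len;               /* logical end of input */
    const uint8_t *hard_end = arena + ARENA_SIZE;  /* demo-only guard */
    size_t leaked = 0;
    *out_len = 0;

    for (;;) {
        /* The one-character difference: '==' in the bug, '>=' in the fix. */
        if (fixed_check ? (p >= pe) : (p == pe))
            break;
        if (p >= hard_end)            /* demo guard; the real code had none */
            break;

        if (*p == '<') {
            /* Skip to the closing '>'. An unterminated tag walks p past pe. */
            while (p < hard_end && *p != '>')
                p++;
            if (p < hard_end)
                p++;                  /* step over the '>' */
            continue;
        }
        if (*out_len < out_cap) {
            if (p >= pe)
                leaked++;             /* this byte belongs to "someone else" */
            out[(*out_len)++] = *p;
        }
        p++;
    }
    return leaked;
}

/* Constructed input: it ends in an unterminated "<script", and the padding
 * after it plays the role of another request's session cookie that happens
 * to sit next to our buffer on the heap. */
static void build_arena(uint8_t *arena)
{
    static const char input[] = "hi<b>!</b><script";   /* INPUT_LEN bytes */
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena, input, INPUT_LEN);
    memcpy(arena + INPUT_LEN, ">session=abc123", 15);
}

/* Runs one variant; returns the leak count, out receives the emitted text. */
static size_t run_variant(bool fixed_check, uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint8_t arena[ARENA_SIZE];
    build_arena(arena);
    return strip_tags(arena, INPUT_LEN, fixed_check, out, out_cap, out_len);
}

/* Leak count for a variant. */
static size_t leak_count(bool fixed_check)
{
    uint8_t out[ARENA_SIZE];
    size_t n;
    return run_variant(fixed_check, out, sizeof out, &n);
}

/* 1 if the variant's output starts with expected, else 0. */
static int output_starts_with(bool fixed_check, const char *expected)
{
    uint8_t out[ARENA_SIZE];
    size_t n, m = strlen(expected);
    run_variant(fixed_check, out, sizeof out, &n);
    return n >= m && memcmp(out, expected, m) == 0;
}

int main(void)
{
    uint8_t out[ARENA_SIZE];
    size_t n, leaked;

    leaked = run_variant(false, out, sizeof out, &n);
    printf("p == pe: %zu leaked bytes, output \"%.*s\"\n", leaked, (int)n, out);
    leaked = run_variant(true, out, sizeof out, &n);
    printf("p >= pe: %zu leaked bytes, output \"%.*s\"\n", leaked, (int)n, out);
    return 0;
}
```

With the original “==” test the output is “hi!session=abc123” followed by the rest of the padding: 46 bytes that were never part of the request. With “>=” the output is just “hi!”. The tag scan still reads past pe in both variants (that is the underlying overrun), which is why the real fix also needed the parser to stop the pointer from running off the end in the first place, not only a stricter comparison after the fact.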

Cloudflare wasn’t the only company to face issues due to a single character. Zerocoin announced last Friday that a typographical error of a single additional character in code allowed an attacker to create Zerocoin spend transactions without a corresponding mint, resulting in the creation of about 370,000 Zcoins. Zerocoin discovered the bug when it noticed the total mint transactions did not match up with the total spend transactions. All but around 20,000 of the Zcoins were sold, for around 410 BTC in profit. “Despite the severity of the hack, we will not be forfeiting or blacklisting any coins,” Zerocoin wrote in an announcement. “Trading will resume once pools and exchanges have had time to update their code. A new release will be pushed out pretty soon.”

These types of small mistakes continue to cause major problems for organizations. This past week also saw reports that a database belonging to digital publisher Ziff Davis could have been exfiltrated due to a website configuration issue affecting itmanagement.com, potentially exposing 7.5 million records. The database contained names, phone numbers, employment details, and email and employer addresses, as well as contact information for users registered on other Ziff Davis properties. Contact information for anyone in the shared database could have been viewed simply by incrementing or decrementing a field in a URL belonging to one Ziff Davis publication, according to multiple researchers.

There was also the discovery that more than 1.4 million emails sent over Harvard Computer Society (HCS) email lists were public, including emails divulging Harvard students’ grades, financial aid information, bank account numbers for some student organizations, advance copies of a final exam, answer keys to problem sets, and more, likely because the default setting for HCS list archives was public. In addition, New York’s Stewart International Airport publicly exposed 760GB of server backup data for over a year due to a network storage drive, installed by a contracted third-party IT specialist, that contained several backup images of servers and was not password protected.

The week’s incidents are yet another reminder that a good portion of effective cyber hygiene revolves around looking inward at an organization’s technology, policies, and procedures and their associated cyber risk.