Weekly Cyber Risk Roundup: Equifax Criticized Over Breach and Energy Sector Companies Compromised

Last Thursday, Equifax announced a data breach affecting 143 million individuals. The breach, which compromised sensitive personal information such as Social Security numbers and driver’s license numbers, is not just the most impactful breach that occurred over the past week, it may be the most significant breach we see in all of 2017.


As SurfWatch Labs chief security strategist Adam Meyer noted, the impact of the Equifax breach will likely continue to ripple outward and affect individuals and organizations far beyond the near term. After all, the Social Security numbers and dates of birth that were stolen in the breach are static identifiers that range from difficult to impossible to change. Meyer also noted that malicious actors excel at snowballing information and could potentially use the leaked data as a springboard to circumvent knowledge-based authentication services, such as those that are offered by Equifax.

Equifax’s response to the breach has also drawn criticism on a variety of fronts. Bloomberg reported that three senior Equifax executives sold nearly $1.8 million worth of shares in the days following the breach, which was first discovered on July 29. Brian Krebs called the breach response a “dumpster fire” for a variety of reasons, including that the tool Equifax said potential victims could use to check whether they are affected was “completely broken,” and concerns around a now-modified terms of service clause that initially appeared to force victims to waive future class action rights in exchange for signing up for identity theft services. The New York Times reported that the 10-digit PINs being provided to those who choose to pay to freeze their credit files are not as secure as one would expect. Finally, The Hill reported that numerous members of Congress and state attorneys general have already launched investigations and are demanding further explanations from Equifax.


Other trending cybercrime events from the week include:

  • Notable data breaches: The Latin American social network Taringa said that hackers have stolen the usernames, email addresses, and MD5-hashed passwords of nearly 29 million users. The state government of Western Australia has ordered an urgent review of the state’s TAFE cyber security systems after the information of 13,000 students was compromised when an unauthorized user gained access to the TAFE’s IT system on two separate occasions. The Community Memorial Health System in Ventura, California, is notifying 959 patients that their personal information may have been compromised due to an employee’s email account being accessed following a phishing email. The Alaska Office of Children’s Services said that malware was found on two computers and that more than 500 individuals may have had their personal information stolen as a result. The Hong Kong jobs website cpjobs.com said that an unauthorized third party was able to gain access to user data and passwords. A customer of the DDoS-for-hire service TrueStresser claims to have hacked the company and released what appears to be legitimate company data.
  • Organizations exposed data: Researchers discovered more than 600GB of sensitive data exposed via two insecure Amazon S3 buckets that appear to be connected to the global communication software and service provider BroadSoft, Inc. Much of the internal development data, apparently saved by BroadSoft engineers, related to Time Warner Cable. Researchers discovered a misconfigured CouchDB database connected to MoneyBack that exposed the passports, IDs, and other personal details of thousands of travelers to Mexico. Researchers discovered an unsecured Amazon Web Services S3 data storage bucket that contained 9,402 resumes and application forms submitted for positions with North Carolina-based private security firm TigerSwan. An email error led to those who preordered Essential phones receiving the personal details of other customers, including copies of driver’s licenses.
  • Another wave of MongoDB ransoms: Attacks against insecure MongoDB instances surged recently as three groups of hackers wiped approximately 26,000 MongoDB databases and left ransom notes saying the data would be restored for between 0.05 and 0.15 bitcoin, or as much as $650. Researchers said that few organizations have paid the ransom.
  • Other notable incidents: WikiLeaks has published a series of documents related to the CIA’s Protego project, which WikiLeaks described as “a PIC-based missile control system that was developed by Raytheon.” Verrit, an online hub that includes information for Hillary Clinton backers to share, recently went offline after experiencing a “pretty significant and sophisticated” cyber-attack, the site’s creator said. The UK’s National Fraud & Cyber Crime Reporting Center is warning that students are being targeted with a phishing scam that claims their Student Loans Company accounts have been suspended due to incomplete information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets from the past week]

Cyber Risk Trends From the Past Week

Security researchers are once again warning that the energy sector is the target of increased cyber-attacks. Symantec said that it has observed increased activity from the actors behind the Dragonfly 2.0 campaign and that there are strong indicators of recent attacks against organizations in the U.S., Turkey, Switzerland, and elsewhere.

Like the original Dragonfly campaign, which ran from 2011 to 2014, the new campaign uses a combination of malicious emails, watering hole attacks, and Trojanized software to gain access to victim networks, the researchers said in a report.

“The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations,” Symantec wrote. “The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.”

Symantec researcher Eric Chien told Wired that there were more than 20 cases of hackers successfully gaining access to targeted companies’ networks and that the intruders had gained operational access to a handful of companies, including several in the U.S. and at least one in Turkey.

He warned that “there’s nothing left standing in the way [of sabotage] except the motivation of some actor out in the world.”

Weekly Cyber Risk Roundup: Cryptocurrency Wallets Emptied and a Dozen Power Plants Breached

Cryptocurrency theft was among the week’s top trending cybercrime practices due to users at both South Korean cryptocurrency exchange Bithumb and Classic Ether Wallet reporting that their digital currency wallets were emptied due to cyber-attacks.


Bithumb reported that one of its employees’ personal computers had been hacked in February 2017 and that the personal details of 31,800 Bithumb website users (about 3 percent of total users) had been compromised as a result. The stolen data included users’ names, mobile phone numbers, and email addresses. The exchange said there was no direct access to funds stored on the exchange; however, it appears the attackers were able to use the contact information to carry out phishing attacks against Bithumb users in order to obtain the one-time passwords needed to gain access to those users’ funds.

One user reported losing as much as 1.2 billion won ($1.04 million) in the attack. Bithumb said shortly after the attack that it would pay up to 100,000 won ($87) to victims. Additional compensation will be available once individual losses are verified, the company said, but it is unclear if victims will be fully reimbursed.

Users of the Classic Ether Wallet also reported having their wallets emptied earlier this month. That theft appears to be due to a malicious actor managing to socially engineer the service’s German hosting provider 1&1 into handing over access to the domain. The actor then switched the site’s settings to direct the funds to his or her own malicious server. Multiple users who visited classicetherwallet.com and provided their private key while the site was under the control of the fraudsters reported that their accounts had been emptied. Exact losses due to the incident are unclear, but some media outlets reported they could be nearly $300,000 worth of Ethereum Classic cryptocurrency.


Other trending cybercrime events from the week include:

  • Large databases exposed: Two databases containing the personal information of 3 million WWE fans were exposed to the Internet without requiring a username and password. The data included names, email and physical addresses, educational background, earnings, and ethnicity. UK car insurance company AA exposed the sensitive information of over 100,000 customers due to insecure database backups related to AA’s online store and never informed those customers of a breach, Motherboard reported. The database obtained by Motherboard included 117,000 unique email addresses, names, physical and IP addresses, details of purchases, and payment card information such as the last four digits of the card and its expiration date.
  • Insiders lead to extortion, theft: A former Dentons litigation associate in Los Angeles has been charged with extortion over allegedly demanding that his former law firm pay him $210,000 and give him a piece of artwork or else he would leak sensitive data to the Above the Law blog. According to court documents, the man accessed confidential information when one of the firm’s partners gave him access to his email while working a case. A crime analyst with the Smyrna Police Department was charged with 31 counts of computer theft over the alleged theft of information without authorization, including the driver’s licenses and mobile data of 28 victims.
  • Sabre confirms breach affecting multiple companies: Sabre said its investigation into a previously disclosed breach found that an unauthorized party was able to use compromised account credentials to gain access to payment card information and certain reservation information for a subset of hotel reservations processed through the SHS SynXis Central Reservations system. The breach occurred over a seven-month period from August 2016 to March 2017. Sabre said it notified partners and customers that use the reservations system, as well as some travel management companies and travel agencies that booked travelers that may have been affected. Sabre did not disclose the total number of individuals affected by the breach.
  • Other notable incidents: A Georgia man pleaded guilty to charges related to a BEC scam that defrauded Sedgwick County out of $566,000. Anonymous Bulgaria has leaked files from the Azerbaijan Embassy in Bulgaria that claim Silk Ways Airlines has carried tens of tons of heavy weapons and ammunition headed to terrorists under the cover of 350 diplomatic flights. Cove Family & Sports Medicine said that a ransomware infection encrypted medical records as well as a portion of its backup records. Walnut Place said that while it was investigating a previous ransomware infection it was affected by a second ransomware incident. Medicaid members in Indiana are being warned that their patient information was potentially accessible between February and May of 2017. Wooster-Ashland Regional Council of Governments said that its computer network was breached on May 26 and more than 200,000 records were compromised. The Simcoe County District School Board is warning parents of a potential privacy breach at Collingwood Collegiate Institute involving their email addresses and phone numbers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets from the past week]

Cyber Risk Trends From the Past Week

Russian state-sponsored hackers are responsible for recent cyber-intrusions into the business systems of U.S. nuclear power plants and other energy companies, government officials said. It is the first time Russian government hackers are known to have compromised the networks of U.S. nuclear plants, the officials added.

The statements followed a joint alert from the FBI and Homeland Security at the end of June that warned APT actors were targeting employees in the energy sector with phishing messages and watering hole attacks designed to harvest credentials that could be used to gain access to victims’ networks. The attackers were observed sending highly targeted messages to senior industrial control engineers containing fake resumes for control engineering jobs, as well as compromising websites commonly visited by their target victims and deploying man-in-the-middle attacks.

There is no evidence of any breaches or disruptions of the core systems controlling operations at the plants, The Washington Post reported. Instead, the focus appears to be on systems dealing with business and administrative tasks, such as personnel. The New York Times reported that the joint DHS and FBI report concluded that the hackers appeared determined to map out computer networks — potentially with a goal of carrying out more destructive attacks in the future. Bloomberg reported that at least a dozen power plants had their networks breached by the APT actors, including the Wolf Creek nuclear facility in Kansas.

“There was absolutely no operational impact to Wolf Creek,” a spokeswoman for the nuclear plant said. “The reason that is true is because the operational computer systems are completely separate from the corporate network.”

However, as we’ve seen in attacks just this week, potentially compromised personnel and business data could be leveraged in future targeted phishing messages to gain more information or access — or to find a weak point or an individual that may be leveraged for future attacks.