espionage – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Kaspersky’s Alleged Espionage and SmartVista Bug Unpatched

The National Security Agency and Kaspersky Lab were once again among the week’s top trending targets due to continued reporting around Kaspersky’s alleged involvement in the 2015 theft of classified materials from the home computer of an NSA employee.

As we noted last week, sources told the The Wall Street Journal that a contractor took the sensitive data home without the NSA’s knowledge, and the Russian government was able to then steal that information by leveraging the contractor’s use of antivirus software created by Kaspersky. However, the Washington Post subsequently reported that the individual in question was actually an employee in the NSA’s elite Tailored Access Operations division.

In addition, officials told the WSJ this week that Kaspersky’s antivirus software was modified to search for terms such as “top secret,” as well as the classified code names of U.S. government programs, in an operation that is broader and more pervasive than just the one hacked employee. That modification could not have been done without Kaspersky’s knowledge, an official told the paper. However, Kaspersky has continued to state that it “was not involved in, and does not possess any knowledge of, the situation in question.”

The New York Times reported that the U.S. was first made aware of the espionage campaign leveraging Kaspersky by Israeli intelligence officers who hacked into Kaspersky Labs in 2014. Those hackers, later dubbed Duqu 2.0, exploited up to three zero-days in order to spy on Kaspersky Lab technologies, ongoing research, and internal processes, Kaspersky wrote in 2015 after discovering the intrusion.

Officials told the WSJ that it remains unclear exactly how many other government computers or employees may have been targeted via Kaspersky software – or if any additional sensitive data was stolen.

Other trending cybercrime events from the week include:

Defense-related breaches: The Australian Signals Directorate said that a defense contractor had 30 gigabytes of data stolen, including data related to F-35 Joint Strike Fighters, the C-130 military transport aircraft, the new spy plane P-8 Poseidon, the smart bomb JDAM, and some Australian naval vessels. A breach of South Korea’s military network last year allowed North Korean hackers to access vast amounts of data, including classified wartime contingency plans jointly created by the U.S. and South Korea.
Payment card breaches: Irish retailer Musgrave is asking customers of SuperValu, Centra, and Mace to be on the lookout for fraudulent charges due to concerns that their payment card numbers and expiration dates may have been stolen. Hyatt Hotels is notifying customers that payment card information swiped and manually entered at the front desks of some locations may have been compromised. Hue.com and nononsense.com, and their parent company Kayser-Roth, are notifying customers of a payment card breach tied to third-party website order processor Aptos. Droege Computing Services said that a StampAuctionNetwork server was hacked and payment card information was compromised due to a breach that occurred through Droege’s main offices. Tommie Cooper and Cricut are notifying customers that payment information may have been stolen due to malware on the checkout portions of their websites.
Other data breaches: Accenture confirmed it exposed massive amounts of data across four unsecured cloud servers, including passwords and secret decryption keys. Disqus said that 17.55 million users had their information compromised due to a security breach affecting a database from 2012 that included information dating back to 2007. A security researcher discovered a vulnerability in T-Mobile’s website that allowed malicious actors to gain access to customers’ personal data as long as they had a correct phone number. The previously reported breach at Deloitte compromised a server that contained the emails of at least 350 clients, The Guardian reported. Catholic United Financial is notifying members of breach due to SQL injection attacks. Palo Alto High School officials warned that students’ personal information was breached and posted to a “rogue” website. SyncHR is notifying employees that it accidentally exposed their benefit information to other HR administrators and customers.
Other notable events: Nearly $60 million was stolen from Far Eastern International Bank in Taiwan using malware designed to generate fraudulent SWIFT messages. The bank said it has recovered the vast majority of the stolen funds, with only $500,000 still outstanding. A security bug in the music platform PledgeMusic allowed anyone to log into some users’ accounts using a correct email address along with an incorrect password or no password at all. The bug could have been exploited to make unauthorized payments and pledges to artists. David Kent, the founder of the networking website oilpro.com, was sentenced to one year and one day in prison for hacking into the database of competitor Rigzone, stealing information on over 700,000 customers, using that information to grow Oilpro, and then attempting to sell Oilpro with its inflated growth and stolen data to Rigzone.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Researchers have published the details of a yet-to-be patched SQL injection vulnerability affecting BPC Banking Technologies’ SmartVista product suite after numerous reports of the bug went unanswered.

Exploiting the vulnerability requires authenticated access to the transactions portion of SmartVista front-end, the researchers said, and it can lead to the compromise of various sensitive data depending on the level of access the BPC SmartVista user was granted. Researchers said the company has yet to respond to multiple vulnerability reports from Rapid7, CERT/CC in the U.S., and SwissCERT that date as far back as May 10.

BPC’s website states that the company has 188 customers across 66 countries, including “huge tier 1 banks, and both midsize and smaller companies.” The website also states that all of its solutions are delivered via the SmartVista product suite, which “handles all aspects of ATM management, billing, mobile and contactless payments, settlement, point of sale, card issuing and acquiring, microfinance and electronic payments processing.”

Rapid7 researchers said that an attacker could craft a series of true/false statements to brute-force query the database, allowing information from accessible tables to be exposed, such as usernames and passwords. Rapid7 program manager Samuel Huckins told Threatpost the company was hesitant to publish its findings due to the potential for financial and data loss, but it has not received any response from BPC or evidence of the vulnerability being patched across many months.

“After a certain point, we needed to move forward and make it public in the hope they see it and take action,” Huckins said. “This could impact a lot of their customers who may not be aware of this at all.”

The researchers advised users to contact BPC support for more details, to limit access to the management interface of SmartVista, and to regularly perform audits of successful and failed logins.

Weekly Cyber Risk Roundup: Yahoo Breach Expands, Equifax Grilled, Another NSA Insider

Yahoo and Equifax were both back in the news this week due to new details emerging around their respective data breaches, including Yahoo revising the number of affected accounts to three billion and Equifax’s former CEO being grilled before Congress.

Yahoo had previously stated that its 2013 data breach affected one billion user accounts, which made it the most widespread data breach in history. On Tuesday Verizon Communications, which acquired Yahoo for $4.48 billion in June, tripled the number of impacted accounts to include all three billion of Yahoo’s users accounts. The breach was particularly egregious not only because of its size, but because it involved sensitive information such as the security questions and answers and backup email addresses used to recover accounts. Yahoo’s massive 2013 breach is in addition to a separate, previously disclosed breach that affected 500 million Yahoo accounts in 2014.

This week also saw the congressional testimony of Equifax’s former CEO Richard Smith. Smith said the breach was due to a combination of “both human error and technology failures” around implementing an Apache Struts patch made available on March 6, which was not patched for months despite a policy stating patches occur within a 48-hour time period. The testimony was met with harsh criticism from some lawmakers. For example, Sen. Elizabeth Warren (D-Mass.) questioned the entire business model of Equifax, claiming that the company has no incentive to protect consumer data and highlighting various avenues through which the company is making “millions of dollars off its own screwup.” Warren said that Equifax may “actually come out ahead” financially in regards to its breach, which affects 145 million people.

Despite the ongoing fallout, the IRS renewed a $7.25 million contract with Equifax to use its services to verify taxpayer identities. The contract drew major criticism; however, IRS Deputy Commissioner Jeffrey Tribiano said it was a necessary “stop gap” so millions of taxpayers did not lose access to their transcripts.

Other trending cybercrime events from the week include:

Newly announced data breaches: Auburn Eye Care Associates of California was hacked by TheDarkOverlord and thousands of patients records were stolen from its electronic health record system. Cabrillo Community College District said that it discovered unauthorized access to a server containing a database with student orientation information. The Online Traffic School said that customer information was compromised due to an individual gaining unauthorized access to part of its network. Northwestern Mutual Life Insurance Company said that customer information was compromised due to a financial advisor falling for a scam that led to a malicious actor gaining remote access to a desktop computer multiple times. The law firm Clark Hill had its systems accessed by Chinese hackers and sensitive documents related to Chinese dissident Guo Wengui were subsequently released on Twitter. Phoenix Inn Suites is the latest hotel to issue a breach notification tied to the Sabre Hospitality Solutions SynXis Central Reservations system.

Organizations expose data: A misconfigured database that collected data on activity on a number of NFL-related domains such as the National Football League Players Association’s website exposed the data of 1,133 NFL players and agents. The database also included a ransom message from February 2017 similar to the ones targeting other Elasticsearch servers earlier this year — indicating that the data was accessed by cybercriminals. FlexShopper said a database containing payment and other customer information may have been exposed on the internet for several days. National Bank of Canada said that 400 customers had their personal information exposed due to a website glitch. Graton Resort and Casino, Kenco, and North Carolina A&T State University all announced breaches related to inadvertently disclosing sensitive customer, employee, and student data via email attachments.

Other notable incidents: U.S. government officials believe that the personal cellphone of chief of staff John Kelly was compromised, and the compromise may date back to December 2016. The R6DB gaming service, which provides statistics for Rainbow Six Siege gamers, said that an automated bot breached its PostgreSQL installation and wiped the database then demanded a ransom payment. Etherparty said it had to shut down its website for 90 minutes after discovering a fraudulent contribution address on the site just an hour after the ICO for its FUEL token went live. The City of Englewood said that it was hit with a ransomware infection. The UK National Lottery and Kazakhstan banks reported service disruptions due to DDoS attacks.

Arrests and legal actions: A federal indictment alleges that a former Hewlett-Packard Enterprise Corp. employee intentionally caused damage to Oregon’s Medicaid Management Information System (MMIS) after being laid off, resulting in an eight-hour loss of functionality for the system. The former principal of Seven Peaks School in Oregon is being sued for allegedly downloading thousands of private documents related to the students and staff, including psychological evaluations of students.

Cyber Risk Trends From the Past Week

On Thursday, The Wall Street Journal reported that the Russian government was able to steal highly classified NSA material from an NSA contractor who removed the classified material and put it on his home computer without the NSA’s knowledge.

The sources said that the breach, which occurred in 2015, was first discovered in the spring of 2016 and included details about how the NSA penetrates foreign computer networks, code it used for such spying, and details on how the NSA defends networks inside the U.S.

Sources told the WSJ that the hackers appear to have used the antivirus software created by Russia-based Kaspersky Lab in order to identify the files on the contractor’s computer. The paper also reported that it is the first known incident of the popular antivirus software being exploited by Russian hackers to conduct espionage against the U.S. government.

Kaspersky Lab said it “has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.”

The alleged NSA breach provides some insight into reports that the FBI has been urging private companies throughout the year to discontinue using Kaspersky products due to intelligence that indicated the company is an unacceptable threat to national security. In addition, the Department of Homeland security issued a directive in September ordering federal agencies to take actions to ultimately remove Kaspersky-related products from government computers.

The breach also appears to be separate from the incidents involving NSA contractor Harold T. Martin III, who hoarded large quantities of sensitive NSA data and hacking tools in his home, and TheShadowBrokers, a group that is best known for the April 2017 release of stolen NSA exploits such as EternalBlue, among others. As we noted in our August blog, officials have not linked TheShadowBrokers to Martin’s insider theft, and it appears the same can be said of the newly reported NSA breach. However, this new incident now makes two recent insiders who have successfully taken highly confidential NSA data home — and at least one case of that data then being successfully targeted by foreign hackers once it was in a less secure environment.

Weekly Cyber Risk Roundup: SEC, Illicit Trading and CCleaner Industrial Espionage

The U.S. Securities and Exchange Commission (SEC) was the week’s top trending new cybercrime target following the announcement that a data breach compromised sensitive data that may have “provided the basis for illicit gain through trading.” SEC chairman Jay Clayton said the commission learned last month that an incident “previously detected” in 2016 may have led to the illicit trading.

“Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” Clayton said in a statement.

EDGAR — which is an acronym for electronic data gathering, analysis, and retrieval — contains millions of filings from companies. The investigation is ongoing, but it is likely that any insider trading due to the breach would have occurred between the period when company filings were made and when those filings were released to the public. The SEC breach echoes, on a smaller scale, the insider trading scheme for which a Ukrainian hacker was sentenced to prison earlier this year. That scheme revolved around the theft of 150,000 news releases from Business Wire, Marketwired, and PR Newswire between February 2010 and August 2015, which led to more than $100 million in illegal profits.

Reuters said it had viewed a confidential report stating that the U.S. Department of Homeland Security detected five “critical” weaknesses on the SEC’s computers as of January 23. In addition, the Government Accountability Office warned in July that the SEC was “at unnecessary risk of compromise” because of deficiencies in its information systems. Reuters also reported that new SEC reporting rules start to come into effect in December that require funds to confidentially file monthly, rather than quarterly, portfolio holdings with the SEC. The breach has unnerved investor groups such as the Investment Company Institute, which wants the SEC to answer cybersecurity concerns before the SEC begins collecting additional sensitive data.

Other trending cybercrime events from the week include:

TheDarkOverlord threatens violence: Flathead County in Montana closed 30 schools for several days following a breach and ransom letter that claimed to come from TheDarkOverlord and hinted at physical violence, as well as threats against individual families that leveraged the school’s electronic directory. Databreaches.net wrote that “the Flathead case is not the first case where TheDarkOverlord has contacted its victims by phone or SMS to threaten them or deliver obscenity-laden messages.”
Organizations expose more data: Researchers discovered an Amazon AWS S3 bucket belonging to Viacom that contained “a vast array of internal access credentials and critical data that could be used to cause immense harm to the multinational corporation’s business operations.” Researchers discovered an Amazon AWS S3 bucket with more than half a million records belonging to the automobile tracking company SVR Tracking. The Office of the Australian Information Commissioner is investigating the exposure of the financial information of customers of Amazing Rentals. The British supermarket chain Iceland exposed customer information on its home delivery confirmation sheets, which also contained an IP address that led to a insecure login portal for Iceland’s scheduling system. Premier Medical Associates said that 900 patients that submitted information via the “Contact Us” portion of its website had that data compromised due to search engines retrieving the submissions.
New data breaches: OurMine gained access to Vevo’s media storage servers and leaked 3.12TB of company data. Bulletproof 360 is notifying customers that their payment information may have been compromised due to the discovery of unauthorized code on its website’s checkout page. TD Ameritrade said “unauthorized code” led to the breach of customer information. LiteBit is notifying users that their personal information was accessed in an attack that targeted a supplier and a LiteBit server. Cornerstone Business and Management Solutions said that it discovered an unauthorized account on a server and that the data of Certified Medical Supplies patients was compromised. Irish National Teachers’ Organization said that more than 30,000 teachers had their personal information compromised due to hackers gaining access to its online learning portal. TRUEbenefits, ABB, Inc., Morehead Memorial Hospital in North Carolina, and AU Medical Center all announced breaches due to compromised employee email accounts.
Other notable incidents: Montgomery County in Alabama said that a ransomware infection locked up computer systems and disrupted some county services. PeaceHealth Southwest Medical Center is notifying 1,969 patients that their protected health information was unnecessarily accessed by an employee. A Georgia man was found guilty of inserting malicious code known as a “logic bomb” into a national-level computer program responsible for handling pay and personnel actions for nearly 200,000 U.S. Army reservists. An Arizona man was sentenced to four years of federal probation for making changes to a company website that prevented the company’s employees from using their email accounts, redirecting the company’s homepage to a blank page, demanding $10,000 to return everything to normal, and then redirecting the company’s homepage to a pornographic website when it refused to pay the ransom.

Cyber Risk Trends From the Past Week

Last week the developer of CCleaner announced that approximately 2.27 million users of CCleaner downloaded a legitimately signed version of the utility containing malicious code. Shortly thereafter, it was reported that the spreading of a backdoored version of CCleaner appears to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

The malicious version of CCleaner was available on the site from August 15 to September 12, said Piriform, which was recently acquired by Avast, and affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. The compromised code could have resulted in “the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.”

Researchers found evidence that the actors attempted to filter their collection of compromised victim machines to find computers inside the networks of tech firms, such as Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link, Cisco, and more. In about half of the cases, the actors behind the attack successfully compromised a machine within the company’s network and used that to install another piece of malware likely intended for industrial espionage. The researchers also noted that the list of targets discovered was likely modified throughout the month-long campaign, so there may be additional companies that were targeted besides the 18 that were identified.

“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” Cisco researchers wrote.

Trade Secret Legislation Awaits Obama’s Signature

Organizations will soon have another avenue to seek relief from trade secret theft, as President Obama is expected to sign into law the Defend Trade Secrets Act. The bill, which gives companies the ability to pursue trade secret cases in federal courts rather than at the state level, is the latest in a string of headlines related to stolen intellectual property.

The effort is meant to help combat the growing problem of espionage, which costs the U.S. $300 billion and 2.1 million jobs each year, according to a 2013 report from the Commission on the Theft of American Intellectual Property.

2016-05-03_espionage — Many different individuals and groups have been associated with cyber-espionage so far this year, according to threat intelligence data from SurfWatch Labs.

House Judiciary Committee Chairman Bob Goodlatte (R-Va.) said the DTSA would “build on efforts over the past two years and take a significant and positive step toward improving our nation’s trade secret laws.”

The first version of DTSA was introduced in 2014, just weeks before the U.S. made waves when — for the first time ever — they filed charges against five Chinese military hackers for cyber-espionage against U.S. corporations. That 2014 indictment centered around alleged hacking and theft related to six organizations: Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies, the United Steelworkers Union, and Alcoa.

Those allegations continue to play out as U.S. Steel recently took steps to request the government prevent imports from China’s largest manufacturers due to, among other things, trade secret theft. A complaint filed on April 26 with the U.S. International Trade Commission under a section of the U.S. Tariff Act alleges those stolen trade secrets led to decades of research in creating the next generation of high-strength steel being taken and reproduced in China.

The DTSA gives the many organizations affected by the theft of trade secrets another outlet to seek relief, and the version awaiting Obama’s signature has received widespread support (the house voted 410-2 in favor); however, the legislation is not without detractors. When the bill was first introduced two years ago, 31 law professors signed a letter opposing it, and in November 2015 they again called on Congress to reject the DTSA:

While we agree that effective legal protection for U.S. businesses’ legitimate trade secrets is important to American innovation, we believe that the DTSA — which would represent the most significant expansion of federal law in intellectual property since the Lanham Act in 1946 — will not solve the problems identified by its sponsors. Instead of addressing cyberespionage head-on, passage of the DTSA is likely to create new problems that could adversely impact domestic innovation, increase the duration and cost of trade secret litigation, and ultimately negatively affect economic growth.

The federal law does not replace current state laws, the group argued, so it will complicate rather than simplify trade secret litigation by adding a new layer of federal jurisprudence.

What this Means for Business

Most states have adopted a version of the Uniform Trade Secrets Act, which is how most trade secret disputes are currently handled. Once the DTSA is signed into law, organizations will be able to decide whether federal or state courts are more beneficial.

Although most legal experts agree that the DTSA provides a slightly broader interpretation of “trade secrets” as well as additional tools that can be used, the choice of avenue for litigation will likely need to be decided on a case by case basis.

“State courts may still to be a more preferable venue for many plaintiffs, as they typically provide more lenient rules for obtaining ex parte relief and a temporary restraining order,” the National Law Review noted. “Federal courts are often backlogged and may not hear a temporary restraining request immediately. By the time a temporary restraining order is issued, the critical information may be disclosed or forever gone. Thus, an expedited hearing in state court may outweigh the benefits of the federal court option provided by the DTSA.”

Trade secrets are often the most important assets for an organization, and the recent legal developments should serve as a reminder for businesses to assess the risks associated with those secrets, do their best to ensure those secrets are protected, and to have a plan in place so they can take legal recourse should those secrets get stolen.