Weekly Cyber Risk Roundup: More HBO Leaks and UK Talks New Data Protections

HBO was once again the week’s top trending target as the actors behind the company’s breach continued to leak data stolen from the company, including emails that showed HBO attempted to negotiate a $250,000 “bounty payment” in response to the theft.


A source told Reuters that the negotiation email was sent as a stall tactic and that HBO never intended to pay the attackers, who reportedly demanded $6 million in ransom.

“You have the advantage of having surprised us,” HBO’s email read, according to Variety. “In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”

The actors behind the attack claim to have stolen 1.5 terabytes worth of data. In late July, the group leaked several episodes of unaired HBO shows as well as leaked a script for an unaired episode of Game of Thrones. Last Tuesday the group leaked an additional 3.4 GB of data.

As The Guardian reported, that leak included more Game of Thrones scripts, internal HBO documents, and a month’s worth of emails from HBO’s vice president for film programming. Among the documents were technical data detailing HBO’s internal network and administrator passwords, a spreadsheet of legal claims against the TV network, job offer letters to several top executives, slides discussing future technology plans, and a document that appears to list the contact information of Game of Thrones actors.

The group also claimed that HBO was its seventeenth target and that HBO was only the third company to have not paid the ransom demanded by the group. An HBO spokesperson previously said that the company’s ongoing investigation “has not given us a reason to believe that our e-mail system as a whole has been compromised.”


Other trending cybercrime events from the week include:

  • Actors target Ireland’s grid: Ireland’s EirGrid said that the country’s electric grid was targeted by state-sponsored actors who gained access to a Vodafone network used by the company and then compromised routers used by EirGrid in Wales and Northern Ireland. The breach of the Vodafone network allowed the hackers to set up a wiretap by using Generic Routing Encapsulation (GRE) tunneling into EirGrid’s Vodafone router, the Independent reported.
  • Millions of Venezuelans lose cell service: Venezuelan government websites were the target of a massive cyber-attack allegedly carried out by a group known as “The Binary Guardians,” government officials said. The attacks affected Movilnet’s GSM platform, officials said, leaving seven million of the country’s thirteen million mobile phone users without service.
  • New data breaches: Parkbytext is notifying its users that their information may have been compromised due to malware during a service outage. The personal information of 100,000 Dutch drivers was leaked due to a flaw in the LeaseWise software created by software company CarWise ICT and used by 52 Dutch car leasing companies. UCLA officials said that a Summer Sessions and International Education Office server was potentially breached in a May 18 cyber-attack and that the personal information of 32,000 students may have been compromised.
  • Agencies warn of phishing scams: A new phishing scam is impersonating tax software providers in an attempt to steal credentials from tax professionals, the IRS warned. Scammers are impersonating officials from the National Institutes of Health and telling consumers that they’ve been selected to receive a $14,000 grant in an attempt to get victims to pay a fee via gift cards or their bank account numbers, the FTC warned.
  • Arrests and sentences: Two Israeli men were arrested and indicted in Israel on charges believed to be related to operating the DDoS-for-hire service known as vDOS. A former employee of Allen & Hoshall has been sentenced to 18 months in prison for repeatedly accessing the company’s servers over a two-year period in order to obtain proprietary information. An Australian man has been sentenced to an 18-month suspended sentence for his role in operating an illegal network that sold unauthorized access to the Foxtel service to more than 8,000 people.
  • Other notable incidents: Pernod Ricard SA, producer of Absolut vodka and Chivas Regal Scotch whisky, was the target of a cyber-attack, and some employees at the company’s London office had to turn in their computers to be inspected for infections, sources told Bloomberg. Four different anonymous Bloomberg chat rooms were shut down after a user from the investment firm Janus Henderson sent an unmasked list of all the previous day’s 866 participants in the metal and mining chat room to people in the chat room.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The UK Department for Digital, Culture, Media & Sport (DCMS) released a statement of intent on a new data protection bill last week.

The goal of future data protection acts is to “ensure that we help to prepare the UK for the future after we have left the EU,” wrote DCMS Minister for Digital Matt Hancock.

“The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation,” Hancock wrote. “Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.”

In short, any changes to UK law will be designed around existing international frameworks such as GDPR, which already includes provisions such as individuals being able to exercise their “right to be forgotten” and request that their personal information be deleted, as well as the potential for much larger penalties for organizations that suffer data breaches. As the BBC reported, the current maximum fine for breaking existing data breach protection laws is £500,000, and that will be increased up to £17 million or 4% of global turnover.

As Daradjeet Jagpal noted, the UK government intends to apply for some exemptions from the GDPR, such as allowing organizations other than police to process personal data on criminal convictions and offences, as well as allowing automated data processing — with the caveat that individuals will have the right to challenge any resulting decisions and request human intervention.

Numerous surveys this year have noted that a significant percentage of organizations remain unprepared for the upcoming implementation of GDPR, which is set to go into effect on May 25, 2018. For example, Veritas reported that only nine percent of UK organizations that believe they are prepared for the GDPR are likely in actual compliance. Organizations should remain aware of any potential changes in data protection laws such as GDPR and work to ensure that they will be in compliance with those changes before they become the law of the land.

Weekly Cyber Risk Roundup: HBO Hackers Promise More Leaks and Dark Web Vendors Reuse Passwords

HBO was among the week’s top trending cybercrime targets as malicious actors claimed to have stolen 1.5 terabytes of company data and subsequently leaked upcoming episodes of “Ballers,” “Room 104,” “Insecure,” and the unaired comedy “Barry,” which is scheduled to air in 2018. The hackers also leaked the script for Sunday night’s episode of Game of Thrones before it aired, as well as the apparent personal information and account details of a senior HBO executive.


In a separate incident, Sunday night’s episode of Game of Thrones was leaked several days early and spread via torrent sites due to an incident at distribution partner Star India, which published the episode early on its official website before removing it shortly thereafter.

The actors behind the HBO breach initially teased that more leaks were “coming soon.” Later, someone claiming to represent the group told The Hollywood Reporter that additional leaks would occur on Sunday; however, the contact then said the leaks would be delayed “because of some new buyers.”

“Some of HBO’s top competitors are negotiating with us for buying the dump,” the contact wrote in an email. “The deal are near to close. Poor HBO never rise again.”

As THR pointed out, it’s unlikely HBO’s direct rivals would purchase the stolen data. Variety reported that the hackers appeared to have accessed thousands of internal documents, employee data, and possibly internal corporate email. CEO Richard Plepler notified employees that the incident “resulted in some stolen proprietary information, including some of our programming.” However, CNN reported that HBO does not believe the company’s email system as a whole was compromised, despite THR’s contact alleging that they still have “full access to their webmails.”


Other trending cybercrime events from the week include:

  • Airlines issue warnings: Virgin America notified employees and contractors that their information may have been compromised due to a network intrusion first detected on March 13, 2017. The unauthorized access may have compromised the login credentials of approximately 3,120 employees and contractors, as well as the personal information of 110 employees. Malicious actors have leaked data allegedly tied to Spirit Airlines Free Spirit accounts after a failed extortion attempt against the airline. Spirit said that the actor attempted to extort the company using previously compromised email addresses and passwords from other data breaches. Canadian airline WestJet announced that the profile data of some WestJet Rewards members has been disclosed online by an unauthorized third party. WestJet did not indicate what data was leaked or how many customers were affected.
  • #LeakTheAnalyst operation targeting researchers: A hacking group going by the name “31337 Hackers” leaked data belonging to a security researcher working for FireEye’s breach investigation unit Mandiant, and the group also may have gained access to the researcher’s Hotmail, OneDrive, and LinkedIn accounts. The data appears to be stolen from the researcher’s personal computer, and there is “no evidence that FireEye or Mandiant systems were compromised,” FireEye said. The group said the leak is part of a larger operation that is targeting security researchers, dubbed “#LeakTheAnalyst.”
  • New data breaches: Health insurer Anthem said that 18,500 customers’ personal and medical information may have been compromised by an employee at LaunchPoint. The Daniel Drake Center for Post-Acute Care is notifying 4,721 patients that their information may have been compromised due to an employee accessing their medical records without authorization. Kaleida Health is notifying patients that their information may have been compromised due to a phishing incident that allowed an unauthorized third party to gain access to a small number of Kaleida Health email accounts. Kids Pass said that users’ personal information could have been exposed because altering the activation-code URL sent to new users allowed other account holders’ data to be viewed. An attacker managed to trick an employee at A9t9 into handing over the company’s Google developer account credentials and then pushed out a malicious version of the Copyfish Chrome extension.
  • More ransomware: An unnamed Canadian company paid $425,000 after a ransomware attack encrypted its production databases and backups. The intruders gained access due to spear phishing messages that were sent to six senior company officials. Northwest Rheumatology of Tucson is notifying patients that their information may have been compromised following a ransomware attack that occurred on April 10, 2017.
  • Arrests and sentences: The security researcher known as “Malwaretech,” who is best known for helping to stop the spread of the WannaCry malware, was arrested for allegedly creating and distributing the Kronos banking Trojan. A Seattle man has been arrested on charges of extorting multiple media companies with threats of DDoS attacks. A Russian citizen was sentenced to 46 months in prison for his role in infecting tens of thousands of computers with the Ebury malware.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Law enforcement continues to target activity on the dark web following the recent takedown of AlphaBay and Hansa Market, two of the three largest cybercriminal marketplaces on the dark web.

Those takedowns left Dream Market as the new king of the dark web; however, there has been speculation by its users that Dream Market may have been compromised by law enforcement as well — or at least that 16 vendor accounts on the site may have been compromised.

One of those 16 alleged vendors said that Dutch law enforcement had seized his or her vendor account and changed all of its information on the same night that Hansa Market was taken offline.

“I can clearly say that (at least) my account was seized by dutch LE,” the user wrote. “I think they came on it through my sillyness using same password on hansamarket. … I don’t think dreammarket itself is compromised, I only think the LE is trying to fuck the rest out of this community by using log-in informations from other markets.”

As Naked Security reported, there has been no confirmation from the Dutch police about the alleged takeover of Dream Market accounts, but it makes sense that authorities would exploit password reuse and lack of two-factor authentication by cybercriminals in order to further their reach into active dark web markets.

A recent survey (PDF) found that 81% of those in the U.S. reuse passwords across multiple online accounts — and this now includes dark web vendors too, if the Dream Market news is any indication. This reuse occurs despite the fact that password reuse and credential-stuffing attacks lead to numerous cases of account takeovers, data breaches, and other cybersecurity incidents each week.

It may be impossible to stop users from reusing passwords, but, as Troy Hunt noted, NIST recommends that organizations become proactive and block passwords that have been previously tied to data breaches in order to improve security. That’s why he’s released a list of 320 million previously compromised passwords for organizations to download for free and use to protect their systems.
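The breached-password check described above, as an added example that is not from the original post or from Hunt’s own tooling: a registration-time validator that hashes a candidate password and rejects it if the hash appears in a breach corpus. It assumes the corpus is consumed in the format Hunt’s list is distributed in (SHA-1 hashes in hex, optionally followed by a `:count` suffix) and uses a small constructed sample corpus in place of the real 320 million-entry download; the 8-character minimum follows NIST SP 800-63B’s baseline.

```python
import hashlib
from typing import Iterable, Set

# Constructed sample corpus: a few weak passwords, hashed below the way the
# downloaded list is distributed (SHA-1, hex). A real deployment would load
# the downloaded list file instead of hashing plaintext at startup.
SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "hansamarket"]


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as uppercase hex, matching the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_breached_hashes(lines: Iterable[str]) -> Set[str]:
    """Build a lookup set from lines of the form '<SHA1>' or '<SHA1>:<count>'.

    Blank lines and '#' comments are skipped; hashes are normalised to
    uppercase so lookups are case-insensitive regardless of the file's casing.
    """
    hashes: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hashes.add(line.split(":", 1)[0].upper())
    return hashes


def is_breached(password: str, breached: Set[str]) -> bool:
    """True if the password's SHA-1 appears in the breach corpus."""
    return sha1_hex(password) in breached


def validate_new_password(password: str, breached: Set[str], min_len: int = 8) -> str:
    """Return 'ok' or a rejection reason.

    Mirrors the NIST guidance the post cites: a minimum length plus rejection
    of any password previously seen in a breach, with no composition rules.
    """
    if len(password) < min_len:
        return "too short"
    if is_breached(password, breached):
        return "previously compromised"
    return "ok"


if __name__ == "__main__":
    corpus = load_breached_hashes(sha1_hex(p) + ":1" for p in SAMPLE_BREACHED)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", validate_new_password(candidate, corpus))
```

The lookup is a plain set membership, so the same validator can be wired into a password-change endpoint without any change to the check itself.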

“Use this data to do good things,” Hunt wrote. “Take it as an opportunity to not just reduce the risk to the service you’re involved in running, but also to help make people aware of the broader risks they face due to their password management practices.”