Weekly Cyber Risk Roundup: Big Telecom Leaks and AlphaBay Goes Offline

Massive database leaks were once again among the week’s top trending cybercrime targets, including incidents involving U.S. Verizon customers, France’s Orange S.A., and India’s Reliance Jio Infocomm.


The Verizon leak was caused by a third-party engineer at NICE Systems and affected as many as 14 million U.S. customers. The engineer appears to have created a publicly available Amazon Web Services S3 bucket that logged customer call data for unknown purposes. As a result, personal information, account information, and Verizon account PIN codes were potentially exposed. A Verizon spokesperson acknowledged the breach, but said only 6 million customers had their data exposed by the incident.

In addition, French-language text files stored on the server show internal data from Paris-based telecommunications corporation Orange S.A., also a NICE Systems partner. However, the researchers said it “appears this internal Orange data is less sensitive.”

Meanwhile, Reliance Jio Infocomm, an Indian telecom company with over 100 million subscribers, is investigating a potential incident after local news sites reported that names, telephone numbers, and email addresses of Jio users were visible on a site called “Magicapk.” However, an initial investigation showed that Jio’s apps and websites were secure, ET Telecom reported. Last week the police brought in a suspect who was in possession of partial details of Jio subscribers, including their names, email IDs, alternate mobile phone numbers, and the dates of activation of SIM cards. That data may have been taken from a Jio retailer, since retailers have access to that type of subscriber data, the deputy commissioner of police for Navi Mumbai said.


Other trending cybercrime events from the week include:

  • More payment card breaches: A breach of Avanti Markets internal networks allowed malicious actors to push malware to self-checkout devices used in corporate break rooms, and as a result payment card information may have been compromised. Avanti said that it believes the malware was only active between July 2 and July 4 of this year. B&B Theatres, which operates 50 locations across seven states, discovered a point-of-sale breach that appears to date back two years. A recent alert estimated the window of exposure of the breach to be between April 2015 and April 2017. Real Estate Business Services (REBS) notified 1,033 California Association of Realtors members that their personal and payment card information may have been stolen when the online store they use was compromised with malware. The infection occurred between March 13 and May 15.
  • Medical information exposed: The County Commissioners Association of Pennsylvania (CAAP) said that the details of approximately 1,800 child welfare cases were exposed online by third-party vendor Avanco International. University of Iowa Health Care is notifying 5,292 patients that a limited set of their protected health information was “inadvertently saved in unencrypted files that were posted online through an application development site” and exposed for nearly two years. A former employee of the St. Charles Health System is accused of the unauthorized access and viewing of thousands of patient records.
  • More ransomware infections: Community Care of St. Catharines and Thorold in Ontario had its systems infected by NW4 ransomware, which demanded a $3,000 ransom payment. A Community Care spokesperson said that it backs up its data regularly so there was no need to pay the extortion. However, it still took nearly a week for Community Care to restore full access to its computers, and some data that was not captured in the most recent backup was lost. The dental office of Dr. Douglas Boucher, DDS, and Dr. Andrea Yaley, DDS, is notifying patients of a ransomware attack that may have compromised their patient information. The office said that its computer systems were believed to have been hacked around May 19, 2017, and on June 2 it received a ransomware notice. Records were restored from a backup; however, the office said the hacker did access its email system and may have accessed its patient dental health records.
  • Other notable incidents: A hacker going by the name Dhostpwned was able to use a PHP shell to compromise the dark web hosting provider Deep Hosting and said he obtained “the majority” of files and SQL databases on the server. An employee at the Australian Tax Office (ATO) published an ATO guide on how to hack mobile phones that included instructions on how to bypass passwords and obtain data even if the phone battery is depleted and it does not have a SIM card. A Russian-born cybercriminal living in Los Angeles was sentenced to 110 months in prison for running a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The dark web marketplace AlphaBay has been taken down in a law enforcement raid and one of the alleged leaders of the site has been found dead in his Thai prison cell in an apparent suicide.

(See “AlphaBay and Hansa Brought Down by Basic Mistakes, Indictment Reveals” for more information.)

As SurfWatch Labs has noted in the past, AlphaBay was by far the largest and most popular dark web marketplace before it suddenly went dark earlier this month, leading concerned users to speculate whether its owners had either been arrested or performed an exit scam. It is not uncommon for dark web markets to disappear without notice. However, AlphaBay had built up a reputation for reliability and become the undisputed king of the dark web marketplaces over the past two years.

Alexandre Cazes, the man who committed suicide in his jail cell, is alleged to be the operator of AlphaBay known as “Alpha02.” U.S. authorities issued a warrant for Cazes’ arrest on June 30, and he was arrested in Bangkok on July 5, the Bangkok Post reported, the same day the dark web market suddenly went offline. Arrangements were being made for his return to the United States to face charges when Cazes reportedly used a towel to hang himself.

Wired reported that conservative estimates put AlphaBay’s daily transactions between $600,000 and $800,000. With the site suddenly gone, a significant percentage of the cybercriminal ecosystem is now in search of a new home. That influx of traffic forced the dark web market Hansa to close its doors to new businesses due to “technical issues.” Users of Dream Market also reported issues accessing the site following AlphaBay’s takedown.

The next few months will certainly be an interesting time on the dark web as those users look for a new place to buy, sell, and trade their goods and services — and as the story and fallout around the takedown begin to take shape.

Weekly Cyber Risk Roundup: ‘Staggering’ Amount of Data Exposed and Hacks Lead to Fake News

Organizations are making it easy for cybercriminals by putting vast amounts of sensitive data at risk due to improper security configurations, various researchers recently warned, and this past week saw several new data breaches announced due to the public exposure of sensitive customer, patient, and other internal data.


The first warning came from Appthority, which said it discovered a “staggering amount” of leaked enterprise data from apps due to a vulnerability dubbed “HospitalGown.” The researchers said that almost 43 TB of data was found exposed across 1,000 apps due to the app developers’ failure to properly secure the backend servers with which the apps communicate and where sensitive data is stored. As a result, enterprises are leaving themselves open to data exfiltration, leakage of personal information, and potential ransom attempts, the researchers said.

In addition, John Matherly, the founder of Shodan, said that improperly configured HDFS-based servers are exposing over five petabytes of data. Matherly said he found that the smaller number of HDFS servers leak 200 times more data than MongoDB servers. He discovered 4,487 instances of HDFS-based servers exposing over 5,120 TB of data, whereas the 47,820 MongoDB servers leaked 25 TB of data. These warnings came as several organizations announced data breaches due to publicly exposing sensitive data:

  • A car dealership database has been publicly exposed for more than 140 days, exposing customer, vehicle, and sales details of more than 10 million car owners, including VIN numbers.
  • Victory Medical Center said patient information was discoverable via search engines dating back to 2013, and as a result around 2,000 patients had some of their personal information compromised.
  • A Cosmetic Institute in New South Wales exposed the sensitive personal information, including before-and-after photos, of more than 500 female patients after uploading their data to a publicly accessible index of the clinic’s website.


Other trending cybercrime events from the week include:

  • IP theft leads to extortion attempts: CD Projekt Red said that internal files such as documents connected to its upcoming game Cyberpunk 2077 were stolen by extortionists and that those files may be released to the general public because the company will not pay the ransom. TheDarkOverlord has leaked eight episodes of ABC’s unaired show “Steve Harvey’s Funderdome” on The Pirate Bay, following through on the group’s promise to release shows stolen from Hollywood-based post-production company Larson Studios late last year.
  • Variety of malicious actors arrested: A contractor at Pluribus International Corp. has been charged with leaking a top-secret National Security Agency document that describes Russian efforts to compromise the U.S. election. Chinese authorities have arrested 20 Apple employees for allegedly using the company’s internal computer system to gather and sell customers’ names, phone numbers, Apple IDs, and other data, which they sold as part of a scam worth more than 50 million yuan ($7.36 million). South Korean police have arrested a group of hackers that breached the hotel and guesthouse reservation app “Good Choice” in March and stole the personal data of more than 990,000 users. Two men were indicted for a $12 million identity theft scheme that involved thousands of victims, including students applying for financial aid. The men acquired personal identifying information of victims either by purchasing it or by obtaining the information through the Data Retrieval Tool on the Free Application for Federal Student Aid (FAFSA) website. A guidance counselor at Tryon Elementary School in North Carolina admitted to using information about some of his elementary school students in a $436,0000 Medicare scam.
  • Personal data transmitted insecurely: The Mississippi Division of Medicaid is notifying 5,220 individuals that their protected health information may have been exposed due to their information not being securely transmitted when online forms were submitted. HSBC Bermuda said the personal information of customers was compromised when the company sent an email to a small number of retail banking customers that included an attachment containing HSBC Bermuda customer data. The personal information of almost 13,000 employees of Public Services and Procurement Canada was exposed due to a spreadsheet with sensitive data being sent to 180 people in the department via unencrypted email.
  • Other notable incidents: Al Jazeera said that it faced a large-scale cyber-attack on Thursday against all of its systems, websites, and social media platforms. The University of Alaska is notifying 25,000 students, staff, and faculty members that their names and Social Security numbers were compromised due to a successful phishing attack in December 2016. The Maltese government has seen a significant increase in attacks believed to be carried out by Russian hacking groups in recent months — ever since Malta assumed the important position of presidency of Europe’s Council of Ministers in January. Since then, the Maltese government’s IT systems have seen a rise in phishing attacks, DDoS attempts, and malware on computer systems.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Recent incidents have confirmed that malicious actors are using cyber-attacks and data leaks to both blatantly fabricate entire news stories and discreetly drop small pieces of fake information that can potentially have wide-reaching geopolitical implications.

For example, on May 24, a report appeared on the official Qatari news agency’s website describing a variety of statements made by the emir of Qatar, including tensions with U.S. President Donald Trump, a desire for friendship with Iran, and praise for both Hamas militants and the leader’s relationship with Israel.

The statements received widespread attention, but Qatari officials claimed they were false — a claim now backed by the FBI, which believes the fake news operation and subsequent diplomatic crisis was orchestrated by Russian officials. The New York Times described the incident as “the opening skirmish in a pitched battle among ostensible Gulf allies.” The Times also reported that the false comments led to Saudi Arabia and U.A.E. rallying dependent Arab states to cut off diplomatic relations, travel, and trade with Qatar, as well as the fracturing of the American-backed alliance against the Islamic State and Iran.

Other Russian-tied disinformation campaigns have been more subtle. Citizen Lab recently detailed a series of “tainted leaks” tied to documents stolen from journalist David Satter. Satter had his email account compromised in a targeted phishing attack in October 2016, and those emails were then selectively modified and “leaked” on the blog of CyberBerkut, a pro-Russian hacktivist group. The modified documents were designed to both cause the programs they examined to appear more subversive of Russia than they actually were as well as to discredit specific opposition individuals and groups critical of Russian President Putin and his confidants.

Both incidents are yet another example of how much impact a disinformation campaign mixed with a little bit of hacking can have on governments around the world. As the Times warned, “Any country can get in the game for the relatively low price of a few freelance hackers.”

Motivated actors could use similar tactics to impact specific organizations with tainted data leaks. A single fake email — or even a few lines modified in a legitimate email — could easily be slipped into a larger dump and then shared with news outlets. That could lead to a crisis similar to the one facing Qatar, where leaders are forced to defend themselves against statements that were never actually made before those statements spread far and wide.

Weekly Cyber Risk Roundup: Scottrade Exposes Data and ATMs Get Blown Up, Drilled and Infected

The CIA remained the top trending cybercrime target of the week as WikiLeaks released a fourth set of documents related to the agency. The new dump includes 27 documents from the CIA’s Grasshopper framework, which WikiLeaks described as “a platform used to build customized malware payloads for Microsoft Windows operating systems.” The leaked CIA tools will likely continue to dominate much of the cybercrime discussion in the coming weeks, as WikiLeaks appears to have a slow-drip campaign designed around maximizing the leak’s publicity.


The top trending new cybercrime target of the week was Scottrade, which was one of several organizations to experience a data breach due to insecure, publicly exposed data. The Scottrade incident was caused by “human error” at third-party vendor Genpact, which uploaded a data set to one of its cloud servers without the proper security protocols in place. As a result, “the commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses” was exposed, Scottrade said in a statement.

Security researcher Chris Vickery, who discovered the exposed database, said it contained 48,000 lessee credit profile rows and 11,000 guarantor rows, and that each row contained various types of personal information, including Social Security numbers. The database also contained internal information such as plain text passwords and employee credentials used for API access to third-party credit report websites.

Those who read this roundup each week know that breaches due to insecure databases are common, and in addition to Scottrade, Vickery also discovered “a trove of data from a range of North Carolina government offices, including Dept of Administration, Dept of Health and Human Services, Division of Medical Assistance, Dept of Cultural Resources, Dept of Public Safety, Office of State Controller, Office of State Budget and Management, NC IT Department.”


Other trending cybercrime events from the week include:

  • IRS announces another data breach: The IRS is notifying 100,000 people that their tax information may have been compromised due to a data retrieval tool used when filling out the Free Application for Federal Student Aid (FAFSA). Officials first learned of the potential issue in September 2016, but the service was not disabled until suspicious activity was observed in February. Malicious actors could pretend to be students, start the financial aid application with relatively little stolen information, and give permission for the IRS to populate the form with tax data that could then be used for fraudulent returns.
  • Highly sensitive patient data sold on the dark web: A breach at Behavioral Health Center appears to have compromised thousands of patients’ sensitive data, including evaluations, session notes, and records of sex offenders and sex abuse victims. An actor on the dark web claims between 3000 and 3500 unique individuals are in the data, which has since been sold to another actor. “These are not just basic fullz, these are the COMPLETE clinician notes from EVERY session with a patient, sometimes spanning hundreds of sessions over years,” read a listing on the dark web. “Everything confessed/discussed in complete privacy is in here for thousands of patients. All records are from 2007 to current date.”
  • Healthcare organizations targeted: An amateur actor appears to be targeting healthcare organizations with spear phishing messages designed to infect victims with a variant of the Philadelphia ransomware, an unsophisticated ransomware kit that sells for a few hundred dollars. Researchers believe spear phishing messages containing a shortened URL that led to a malicious DOCX file on a personal storage site were used to infect a hospital from Oregon and Southwest Washington. ABCD Pediatrics said that its servers were infected with “Dharma Ransomware” and while investigating the incident the company also discovered suspicious user accounts that suggested a separate incident of unauthorized access.
  • APT10 hacking group makes headlines: The APT10 hacking group has gained access to the systems of an “unprecedented web” of victims by first targeting managed outsourced IT service companies with spear phishing messages and custom malware and then using those companies as a stepping stone into their clients’ systems. The group also inserted malicious links into certain pages of the National Foreign Trade Council’s website in order to target individuals registering for specific meetings.
  • Other notable cybercrime events: The International Association of Athletics Federations said information related to athletes’ therapeutic use exemption applications was compromised due to unauthorized access to its network by “Fancy Bear.” The Dutch National Charity Lotteries said that around 450,000 customers were impacted by a vulnerability in the computer systems of Lotteries’ supplier OpenOfferete. Cybercriminals stole $40,000 of direct deposit money meant for Denver Public Schools after numerous employees fell for a phishing email. A hack of digital content network Omnia affected a variety of popular YouTube channels. The New York Post app was hacked and used to send out a series of false push notifications. Arrests were made in Dubai related to breaking into the emails of five senior White House officials and attempting to blackmail the officials with what a local law enforcement official described as “highly confidential information.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

While business email compromise scams and other digital fraud continue to impact numerous organizations, several stories this week proved that criminals are still attempting to steal physical cash from ATMs around the world.

The flashiest story involved a gang based out of England that used explosives and stolen high-powered vehicles to rip ATMs from walls. The gang would then put the stolen ATMs inside a large truck and drive away, in at least one instance right past the very police looking for them. Police announced that several recent raids had led to the arrest of the gang. Less flashy attempted ATM thefts from hotels in Edmonton led police to advise businesses last month that owners should bolt ATMs to the floor and place them in well-lit, high-traffic areas that are monitored by surveillance cameras.

A new, more discreet method of stealing money from ATMs involves emptying the cash stored in certain models by drilling a three-inch hole in the front panel and using a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. Kaspersky Lab researchers first became aware of the attack in September 2016 when a bank client discovered an empty ATM with a golf-ball-sized hole by the PIN pad. Since then, similar attacks using the drill technique have been observed across Russia and Europe. The researchers did not name the ATM manufacturer, but they said the issue is difficult to fix since it would require replacing hardware in the ATMs to add more authentication measures.

Kaspersky Lab also released findings on another series of ATM attacks, first hinted at back in February when a series of attacks that used in-memory malware to infect banking networks were reported. Code from the penetration-testing software Meterpreter was combined with a number of legitimate PowerShell scripts and other utilities to create malware that could hide in memory and invisibly collect the passwords of system administrators. That access was then used to remotely install a new breed of ATM malware called ATMitch, Kaspersky Lab researchers said in a report issued last week.

The ATMitch malware communicates with the ATM as if it were legitimate software and makes it possible for attackers to collect information about the number of banknotes in the ATM’s cassettes as well as dispense money at the touch of a button. The attackers may still be active, the researchers noted, but it is unknown how many ATMs have been targeted by the malware, since the malware self-deletes after the attack. What is clear is that ATMs remain a popular target for criminals, and businesses should be aware of the evolving methods — both crude and sophisticated — being used to steal the cash inside them.

Weekly Cyber Risk Roundup: Massive Leaks Expose CIA Secrets and Alleged Spam Operation

The week’s top trending cybercrime story was WikiLeaks’ release of more than 8,000 documents related to the U.S. Central Intelligence Agency. The dump, called “Vault 7,” contains information on the CIA’s hacking tools and methods and is “the largest ever publication of confidential documents on the agency,” according to WikiLeaks.

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote in a press release. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

The leak has led to widespread reports on the CIA’s hacking capabilities, including tools to compromise Windows, OS X, iOS, and Android devices; ways to circumvent popular antivirus programs; an exploit that uses a USB stick to turn smart TVs into bugging devices; and efforts to infect vehicle control systems. The U.S. is investigating the source of the leaks, which a CIA spokesperson described as deeply troubling and “designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries.”

WikiLeaks said it carefully reviewed the published documents and has avoided “the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should be analyzed, disarmed and published.” On Thursday, WikiLeaks founder Julian Assange held a press conference where he said WikiLeaks would give technology companies “exclusive access” to the details of the exploits so that they could patch any software flaws; however, Thomas Fox-Brewster of Forbes reported that as of Saturday morning companies such as Google and Microsoft had yet to receive those technical details from WikiLeaks.


Other trending cybercrime events from the week include:

  • Verifone investigating data breach: Verifone, the largest maker of credit card terminals used in the U.S., is investigating a breach after being alerted in January by Visa and MasterCard that malicious actors appeared to have been inside of Verifone’s network since mid-2016, a source told KrebsOnSecurity. “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame,” Verifone wrote in a statement to Brian Krebs. “We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”
  • TalkTalk responds to scam center report: Two days after the BBC reported on an industrial-scale Indian scam call center targeting TalkTalk customers, the UK-based Internet service provider temporarily banned TeamViewer and other similar remote control software programs over security issues related to the scammers. TeamViewer said that it is “in extensive talks to find a comprehensive joint solution to better address this scamming issue.”
  • Tax information continues to be targeted: Daytona State College is notifying employees that their W-2 information may have been stolen after some employee W-2 statements were discovered being sold on cybercriminal markets. A glitch in Rhode Island’s Department of Human Services’ computer system resulted in more than 1,000 people receiving tax forms with the wrong information. Malicious actors are sharing concerns about government efforts to combat tax fraud, as well as tips on how those protections can be circumvented, on various dark web forums.
  • Organizations face extortion demands: Since the U.S. presidential election, at least a dozen progressive groups have faced extortion attacks where malicious actors search organizations’ emails for embarrassing details and then threaten to release that information if blackmail demands ranging from $30,000 to $150,000 are not paid. A Florida man was charged with intentionally damaging computers that hosted a San Diego software company’s website. The Pennsylvania Senate Democratic Caucus computer system was shut down after a ransomware infection made the system inaccessible to caucus members and employees. Fake extortion demands and empty threats are on the rise as cybercriminals capitalize on the growing number of ransom-related attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Nearly every week researchers discover new data breaches due to publicly exposed databases that require no authentication, and this past week insecure rsync backups exposed the entire operation of River City Media (RCM), providing a rare glimpse inside what security researcher Chris Vickery described as “a massive, illegal spam operation.”

The discovery led to a months-long investigation as MacKeeper Security Research Center, CSO Online, and Spamhaus came together to examine the data, which included everything from HipChat logs to accounting details to infrastructure planning and more. Vickery said that there are enough spreadsheets, hard drive backups, and chat logs leaked to fill a book, and both CSO Online and MacKeeper have already teased future stories peeling back additional layers of the operation.

But perhaps the most alarming discovery — along with details of abusive scripts and techniques that have been forwarded to Google, Microsoft, Apple, and others — is a database of nearly 1.4 billion email accounts combined with real names, user IP addresses, and often physical addresses. Those email lists are used by RCM, which masquerades as a legitimate marketing firm, to send up to a billion emails a day, much of which can be classified as spam, according to the researchers.

On Thursday RCM issued a press release addressing the “numerous false and defamatory” statements made by the researchers and news outlets. The company said that the researchers did not find RCM’s “confidential and proprietary information through an unprotected rsync backup” and that if the researchers had contacted them prior to publication “they would have realized that a number of the statements in their articles were false and easily disprovable.” However, the press release did not provide an alternative explanation for how the researchers accessed the data, and Vickery said the company was not alerted since “it was decided that we should approach law enforcement and the affected companies (like Microsoft and Yahoo) before making any attempts at contacting the spammers directly.”

“What was legal and illegal isn’t for me to decide,” said Vickery. “But there are plenty of logs where they discuss illegal scripts and research into basically attacking mail servers and tricking the mail servers into doing things that would be against the law.”

Expect additional information to be reported in the coming weeks as the researchers and reporters comb through all of the data that was exposed.

Fake Extortion Demands and Empty Threats on the Rise

I’ve previously written about the rise of extortion as an emerging trend for 2017, but if you didn’t want to take my word for it, you should have listened to the numerous warnings shared at this year’s RSA 2017. Cyber-extortion has become one of the primary cybersecurity-related issues facing organizations — and it appears to be here to stay.

My analyst team has researched cyber extortion and has found that malicious actors are not only engaging in these threat tactics, but they’re using the surging popularity of extortion and ransomware to target organizations with a variety of fake extortion demands and empty threats. We cover this topic in depth in our latest report, The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

In the graphic below I’ve noted some popular extortion threats, how actors carry out the threats and the impending results. Essentially they’re following the path of least resistance and most profit.

The Many Faces of Extortion: Popular Threats

The number of organizations publicly associated with ransom and extortion continues to grow, and 2017 is on pace to see the highest number yet, based on data from the first two months of the year.

The gist of it all is that organizations have real fear around these threats and trust that bad actors have the ability to carry out these threats. Putting trust in bad guys is a bad idea!

The fake ransoms are successful in large part because their real counterparts have impacted so many organizations. We’re already on pace to have more organizations publicly tied to ransoms and extortion in 2017 than any other year.

FBI officials have estimated the single subset of extortion known as ransomware to be a billion-dollar-a-year business, and fake ransomware threats have sprung up in the wake of that growth. A November 2016 survey of large UK businesses found that more than 40 percent had been contacted by cybercriminals claiming a fake ransomware infection. Surprisingly, two-thirds of those contacted reportedly paid the “bluff” ransom.

DDoS extortion threats are similarly low-effort cybercriminal campaigns, requiring only the sending of a threatening email. Earlier this month, Reuters reported that extortionists using the name “Armada Collective” had threatened Taiwanese brokerages with DDoS attacks. Several of the brokerages experienced legitimate attacks following the threats; however, 2016 saw several campaigns leveraging the Armada Collective name where the threats were completely empty. One campaign generated over $100,000 in payments despite researchers not finding a single incident where a DDoS attack was actually made.

A portion of the extortion email sent to the owner of Alpha Bookkeeping Services in Port Elizabeth, South Africa, in September 2016.

Extortion is also frequently tied to data breaches — both real and fake — as it is another simple and direct avenue for cybercriminals to monetize stolen data. In January 2017 the E-Sports Entertainment Association (ESEA) was breached and the actor demanded a ransom payment of $100,000 to not release or sell the information on 1.5 million players.

ESEA said in its breach announcement that it did not pay the ransom because “paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data.”

That is what reportedly happened to many of the victims who paid ransoms to have their hijacked MongoDB and other databases restored: they found themselves out both the data and the ransom payment. As noted in our report, it’s hard to have faith in cybercriminals, and organizations who do pay ransoms should be aware that in many cases those actors may not follow through after receiving extortion payments.

For more information on extortion threats and how to keep your organization safe, download the free report: The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

Weekly Cyber Risk Roundup: Cloudflare Bug Discovered, Typos Lead to Theft

This week’s biggest story is the Cloudflare software bug discovered by Google researchers and disclosed Thursday that could have compromised private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” wrote John Graham-Cumming, the CTO of Cloudflare, which provides performance and security services to numerous major websites. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The bug was discovered by researcher Tavis Ormandy on February 17, and the data leakage may date back to September 22. However, the greatest period of impact was between February 13 and February 18 “with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage,” the company said. Popular services such as Uber, 1Password, FitBit, OkCupid, and many more use Cloudflare. Uber told media outlets the impact on its customers is minimal since “very little Uber traffic actually goes through Cloudflare,” and 1Password said the company “designed 1Password with the expectation that SSL/TLS can fail” exactly for these types of incidents.

Days before the public disclosure, Ormandy wrote: “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” Then in another comment, “We’re still working on identifying data that needs to be purged from caches.”

As Wired reported, efforts to discover any leaked data that has been cached and not yet scrubbed “has become something of an internet-wide scavenger hunt.”


Other trending cybercrime events from the week include:

  • Presidential campaign website defaced: A hacker going by the name “Pro_Mast3r” defaced a presidential campaign website for Donald Trump with a message that read, in part, “Peace From Iraq.” The hacker told Brian Krebs that he exploited a DNS misconfiguration to assume control of secure2.donaldjtrump.com.
  • New databases continue to be sold on the dark web: An actor using the name “Berkut” is selling a database of 950,000 user accounts for the website of the music festival Coachella that was allegedly stolen this month. Motherboard confirmed the legitimacy of the database, which contains email addresses, usernames, and hashed passwords. The $300 listing claims that 360,000 of the accounts are related to the main Coachella website and the other 590,000, which contain additional information such as IP addresses, are related to the message board.
  • Employees and students access sensitive data: Dignity Health St. Joseph’s Hospital and Medical Center is notifying approximately 600 patients that a part-time hospital employee viewed portions of their medical records without a business reason between October 1, 2016, and November 22, 2016. An Ohio Department of Taxation employee was fired for accessing the confidential tax information of relatives and acquaintances dozens of times. A student of the South Washington County school district in Minnesota hacked into the district’s server and downloaded the data of more than 15,000 people to an external hard drive in January.
  • Cybercrime-related arrests and sentencing: On Wednesday, February 22, UK law enforcement announced the arrest of a 29-year-old British man on suspicion of carrying out the cyber attack against Deutsche Telekom in November of last year, which impacted up to 900,000 customers of the ISP. SurfWatch Labs analysts have moderate confidence that this individual is the hacker known as “Bestbuy,” and additional researchers have said the actor also used the alias “Popopret.” A former systems administrator for Georgia-Pacific was sentenced to 34 months in prison and ordered to pay damages of more than $1 million after pleading guilty to remotely accessing the plant’s computer system and intentionally transmitting code and commands designed to cause significant damage to Georgia-Pacific and its operations.
  • Other cybercrime announcements: The personal information of 55 million voters in the Philippines was compromised when a computer from the Office of the Election Officer in Wao, Lanao del Sur was stolen, but the data was encrypted using AES-256. A spear phishing campaign against individuals in the Mongolian government used the popular remote access tool Poison Ivy as well as two publicly available techniques to evade AppLocker application whitelisting, four stages of PowerShell scripts to make execution difficult to trace, and decoy documents to minimize user suspicion. The Texas Department of Transportation said a breach of its automated administrative system affected a small number of employees whose information was compromised and potentially altered. Actress Emily Ratajkowski is the latest celebrity to have an iCloud account containing sensitive information hacked.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The Cloudflare bug can be traced back to a single character of code, which resulted in a buffer overrun, the company said.

“The Ragel code we wrote contained a bug that caused the pointer to jump over the end of the buffer and past the ability of an equality check to spot the buffer overrun,” Graham-Cumming said. “Had the check been done using >= instead of == jumping over the buffer end would have been caught.”
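To make the check Graham-Cumming describes concrete, here is an added example written for this roundup (not Cloudflare’s Ragel parser): a toy scanner over a constructed 64-byte arena whose first 16 bytes are the buffer the scanner may read and whose remaining bytes hold a made-up session cookie standing in for neighbouring memory. The pointer advances three bytes per token, so it lands on offset 15 and then 18, never exactly on the end; the `==` variant keeps copying, the `>=` variant stops.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Cloudflare's Ragel parser. A single 64-byte arena
 * stands in for process memory: the first PAGE_LEN bytes are the buffer the
 * scanner is allowed to read; the bytes after it model unrelated data that
 * happened to sit next to it (a constructed, fake session cookie). */
#define ARENA_LEN 64
#define PAGE_LEN  16

/* Walks 'buf' with a pointer that advances 'step' bytes per iteration and
 * copies one byte per iteration into 'out'. use_ge == 0 reproduces the
 * "p == end" check described above; use_ge == 1 uses "p >= end".
 * Returns the number of bytes copied. out_cap is a hard ceiling so the
 * buggy variant still terminates instead of walking off indefinitely. */
static size_t scan(const char *buf, size_t len, size_t step, int use_ge,
                   char *out, size_t out_cap)
{
    const char *p = buf;
    const char *end = buf + len;
    size_t n = 0;

    while (n < out_cap) {
        int at_end = use_ge ? (p >= end) : (p == end);
        if (at_end)
            break;          /* >= also fires once p has already overshot end */
        out[n++] = *p;      /* with ==, bytes past end are copied out as well */
        p += step;          /* multi-byte token: may jump straight over end */
    }
    return n;
}

/* Runs the scanner over the constructed arena and returns how many of the
 * copied bytes were read from beyond the PAGE_LEN bytes it was given.
 * Expected: 10 for the == check, 0 for the >= check. */
size_t count_overread(int use_ge)
{
    char arena[ARENA_LEN];
    char out[ARENA_LEN];
    size_t n, i, beyond = 0;
    const size_t step = 3;   /* PAGE_LEN is not a multiple of 3: the pointer
                                reaches offset 15, then 18, never 16 */

    memset(arena, 'A', ARENA_LEN);                      /* the legitimate page */
    strcpy(arena + PAGE_LEN, "session=deadbeef; auth=token123;"); /* neighbour */

    n = scan(arena, PAGE_LEN, step, use_ge, out, PAGE_LEN);
    for (i = 0; i < n; i++)
        if (i * step >= PAGE_LEN)   /* offset of the i-th byte that was read */
            beyond++;
    return beyond;
}

int main(void)
{
    printf("== check: %zu bytes read past the buffer\n", count_overread(0));
    printf(">= check: %zu bytes read past the buffer\n", count_overread(1));
    return 0;
}
```

The `out_cap` ceiling exists only so the buggy loop terminates in the demo; in a real parser nothing bounds the walk once the equality test has been skipped over.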

Cloudflare wasn’t the only company to face issues due to a single character. Zerocoin announced last Friday that a typographical error of a single additional character in code allowed an attacker to create Zerocoin spend transactions without a corresponding mint, resulting in the creation of about 370,000 Zcoins. Zerocoin discovered the bug when it noticed the total mint transactions did not match up with the total spend transactions. All but around 20,000 of the Zcoins were completely sold for around 410 BTC in profit. “Despite the severity of the hack, we will not be forfeiting or blacklisting any coins,” Zerocoin wrote in an announcement. “Trading will resume once pools and exchanges have had time to update their code. A new release will be pushed out pretty soon.”

These types of small issues continue to cause major issues for organizations. This past week also saw reports that a database belonging to digital publisher Ziff Davis could have been exfiltrated due to a website configuration issue affecting itmanagement.com, potentially exposing 7.5 million records. The database contained names, phone numbers, employment details, and email and employer addresses, as well as contact information for users registered on other Ziff Davis properties. Contact information for anyone in the shared database could have been viewed by incrementing or decrementing a field in a URL belonging to one Ziff Davis publication, according to multiple researchers.

There was also the discovery that more than 1.4 million emails sent over Harvard Computer Society (HCS) email lists were found to be public, including emails divulging Harvard students’ grades, financial aid information, bank account numbers for some student organizations, advance copies of a final exam, answer keys to problem sets, and more – likely since the default setting for HCS list archives was public. In addition, New York’s Stewart International Airport publicly exposed 760GB of server backup data for over a year due to a network storage drive, installed by a contracted third-party IT specialist, that contained several backup images of servers and was not password protected.

The week’s incidents are yet another reminder that a good portion of effective cyber hygiene revolves around looking inward at an organization’s technology, policies, and procedures and their associated cyber risk.

Weekly Cyber Risk Roundup: Ransomware and Insecure Databases Dominate Headlines

Ransomware and extortion continue to dominate the headlines in 2017. The past week saw several widely reported incidents involving service outages and lost data due to infections, as well as warnings that malicious actors are attempting to extort organizations via the threat of DDoS attacks.

The Austrian hotel Romantik Seehotel Jägerwirt paid approximately $1600 in ransom after ransomware locked the hotel out of its computer systems and the hotel was unable to issue new key cards to arriving guests. The hotel’s reservation system was down for 24 hours; however, the initial media reports that customers were locked in their rooms due to the incident were false, the owner told Motherboard. The hotel’s managing director told The Verge that the issue was that the hotel could not program keycards for the guests checking in on the same day due to the system being down. The Local reported that it was the fourth time the hotel had been hit by such an attack, prompting the company to go public in order to warn others about these types of cybercrime incidents.

Several other ransomware-related service outages were announced this week. Licking County, Ohio, shut down more than a thousand computers due to a ransomware infection. A variety of departments, such as the 911 call center, were unable to use computers and had to switch over to other forms of communication, and services such as court house phones and the issuing of court documents were made unavailable, 10TV reported. In addition, The Washington Post reported that ransomware left 123 of the 187 Washington D.C. police surveillance cameras, which monitor public spaces across the city, unable to record from January 12 to January 15. The ransom demand was not paid as the police simply removed all software and restarted the system at each site.

Finally, Hong Kong’s Securities and Futures Commission warned that brokers across the city are being targeted with DDoS attacks and extortion demands from cybercriminals, and it is urging financial institutions to implement and review security measures.


Other trending cybercrime events from the week include:

  • Warning issued following two dozen W-2 breach announcements: The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert on Thursday warning employers that W-2 phishing scams are spreading into sectors beyond the corporate world, including school districts, tribal organizations and nonprofits. In addition, the scammers are following up the request with a more traditional fraudulent wire transfer request, resulting in some organizations losing both employees’ W-2s and thousands of dollars due to wire transfers. SurfWatch Labs has identified at least 24 organizations publicly tied to W-2 data breaches over the past two weeks. The emails are a form of the popular Business Email Compromise scam, such as the one against Sedgwick County that led to $566,000 being fraudulently transferred.
  • Shamoon malware strikes again: Saudi Arabia’s telecom authority is warning organizations to be on the lookout for Shamoon 2 after recent attacks led to at least three government agencies and four private sector companies going offline for 48 hours. Among those targeted were multiple petrochemical and IT services companies, which reportedly shut down their networks in an attempt to protect themselves. It appears the goal of the attack was disruption, not data exfiltration, similar to previous Shamoon attacks; however, the incident was less destructive than similar attacks in November as backups were more commonplace due to that previous incident.
  • Czech foreign ministry targeted with DNC-style hack: A foreign government hacked the email system of the Czech foreign ministry and accessed the email system used by employees to communicate with people outside the ministry in an attack similar to the breach of the Democratic National Committee, Foreign Minister Lubomir Zaoralek said. A spokesperson for the Czech minister said the scale of the attack is still being assessed but noted that other ministries “might be in a little bit of a problem.” Officials indirectly accused Russia of carrying out the attacks.
  • Printing company exposes 400 GB of data: A PIP Printing and Marketing Services franchise branch located in California exposed 400 gigabytes of sensitive information due to a publicly available backup server without any password protection. The exposed data includes 50 GB of scanned documents relating to court cases, medical records, well-known companies and celebrities, as well as an archive of correspondence with attached documents, some of which have credit card numbers and billing details in plain text.
  • Other cybercrime announcements: The Xbox360 ISO and PSP ISO forums, which provide gamers with links to free and often-illegal game downloads, were hacked in September 2015 and the details of 2.5 million accounts were leaked. Security firms Dr. Web and Emsisoft were targeted by DDoS attacks after publishing research related to a botnet of Linux devices and an update for the Merry Christmas ransomware (MRCR) decryptor tool. The hacking group OurMine hacked into a variety of social media accounts belonging to the WWE and CNN. Toys “R” Us is forcing reward members to reset account passwords after the vendor responsible for managing the program notified the company of attempts to access customer accounts and steal coupons using credentials reused from other data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The past week once again saw numerous organizations exposing data due to insecure public databases, and several of those databases reportedly contained data that was no longer in use.

Security researcher Chris Vickery discovered unsecured database backup files from Indycar, which exposed the personal information of more than 200,000 users as well as Indycar employee login credentials. The user data was related to a now-retired Indycar bulletin board and contained sensitive information such as names, usernames, email and physical addresses, dates of birth, password hashes and security questions and answers.

As Vickery noted, holding that user data was unnecessary since the board was no longer in use:

Why do companies hold on to password hashes long after the associated site has been shuttered? That’s nothing but liability. They are putting customers at risk for no gain. There was absolutely nothing for Indycar to gain by holding on to these password hashes. And now they are faced with negative PR as word of the situation gets out to racing fans.

In addition, Polish game development studio CD Projekt RED, which developed the popular Witcher franchise, announced that a now-obsolete forum database was hacked and more than 1.8 million user credentials were stolen in March 2016.

“It’s the old database we used to run the forum before we migrated to the login system powered by our sister company — GOG.com,” the company wrote in a post on its forums. “At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier.”

The incidents are reminders that when it comes to cybersecurity, less data tends to equal less risk. This is particularly true for data that is no longer required to be held and may therefore receive less scrutiny than data that is being actively used. In short, if your organization is holding on to unnecessary data, it is opening itself up to unnecessary risk.