Kaspersky Lab – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Kaspersky’s Alleged Espionage and SmartVista Bug Unpatched

The National Security Agency and Kaspersky Lab were once again among the week’s top trending targets due to continued reporting around Kaspersky’s alleged involvement in the 2015 theft of classified materials from the home computer of an NSA employee.

As we noted last week, sources told the The Wall Street Journal that a contractor took the sensitive data home without the NSA’s knowledge, and the Russian government was able to then steal that information by leveraging the contractor’s use of antivirus software created by Kaspersky. However, the Washington Post subsequently reported that the individual in question was actually an employee in the NSA’s elite Tailored Access Operations division.

In addition, officials told the WSJ this week that Kaspersky’s antivirus software was modified to search for terms such as “top secret,” as well as the classified code names of U.S. government programs, in an operation that is broader and more pervasive than just the one hacked employee. That modification could not have been done without Kaspersky’s knowledge, an official told the paper. However, Kaspersky has continued to state that it “was not involved in, and does not possess any knowledge of, the situation in question.”

The New York Times reported that the U.S. was first made aware of the espionage campaign leveraging Kaspersky by Israeli intelligence officers who hacked into Kaspersky Labs in 2014. Those hackers, later dubbed Duqu 2.0, exploited up to three zero-days in order to spy on Kaspersky Lab technologies, ongoing research, and internal processes, Kaspersky wrote in 2015 after discovering the intrusion.

Officials told the WSJ that it remains unclear exactly how many other government computers or employees may have been targeted via Kaspersky software – or if any additional sensitive data was stolen.

Other trending cybercrime events from the week include:

Defense-related breaches: The Australian Signals Directorate said that a defense contractor had 30 gigabytes of data stolen, including data related to F-35 Joint Strike Fighters, the C-130 military transport aircraft, the new spy plane P-8 Poseidon, the smart bomb JDAM, and some Australian naval vessels. A breach of South Korea’s military network last year allowed North Korean hackers to access vast amounts of data, including classified wartime contingency plans jointly created by the U.S. and South Korea.
Payment card breaches: Irish retailer Musgrave is asking customers of SuperValu, Centra, and Mace to be on the lookout for fraudulent charges due to concerns that their payment card numbers and expiration dates may have been stolen. Hyatt Hotels is notifying customers that payment card information swiped and manually entered at the front desks of some locations may have been compromised. Hue.com and nononsense.com, and their parent company Kayser-Roth, are notifying customers of a payment card breach tied to third-party website order processor Aptos. Droege Computing Services said that a StampAuctionNetwork server was hacked and payment card information was compromised due to a breach that occurred through Droege’s main offices. Tommie Cooper and Cricut are notifying customers that payment information may have been stolen due to malware on the checkout portions of their websites.
Other data breaches: Accenture confirmed it exposed massive amounts of data across four unsecured cloud servers, including passwords and secret decryption keys. Disqus said that 17.55 million users had their information compromised due to a security breach affecting a database from 2012 that included information dating back to 2007. A security researcher discovered a vulnerability in T-Mobile’s website that allowed malicious actors to gain access to customers’ personal data as long as they had a correct phone number. The previously reported breach at Deloitte compromised a server that contained the emails of at least 350 clients, The Guardian reported. Catholic United Financial is notifying members of breach due to SQL injection attacks. Palo Alto High School officials warned that students’ personal information was breached and posted to a “rogue” website. SyncHR is notifying employees that it accidentally exposed their benefit information to other HR administrators and customers.
Other notable events: Nearly $60 million was stolen from Far Eastern International Bank in Taiwan using malware designed to generate fraudulent SWIFT messages. The bank said it has recovered the vast majority of the stolen funds, with only $500,000 still outstanding. A security bug in the music platform PledgeMusic allowed anyone to log into some users’ accounts using a correct email address along with an incorrect password or no password at all. The bug could have been exploited to make unauthorized payments and pledges to artists. David Kent, the founder of the networking website oilpro.com, was sentenced to one year and one day in prison for hacking into the database of competitor Rigzone, stealing information on over 700,000 customers, using that information to grow Oilpro, and then attempting to sell Oilpro with its inflated growth and stolen data to Rigzone.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Researchers have published the details of a yet-to-be patched SQL injection vulnerability affecting BPC Banking Technologies’ SmartVista product suite after numerous reports of the bug went unanswered.

Exploiting the vulnerability requires authenticated access to the transactions portion of SmartVista front-end, the researchers said, and it can lead to the compromise of various sensitive data depending on the level of access the BPC SmartVista user was granted. Researchers said the company has yet to respond to multiple vulnerability reports from Rapid7, CERT/CC in the U.S., and SwissCERT that date as far back as May 10.

BPC’s website states that the company has 188 customers across 66 countries, including “huge tier 1 banks, and both midsize and smaller companies.” The website also states that all of its solutions are delivered via the SmartVista product suite, which “handles all aspects of ATM management, billing, mobile and contactless payments, settlement, point of sale, card issuing and acquiring, microfinance and electronic payments processing.”

Rapid7 researchers said that an attacker could craft a series of true/false statements to brute-force query the database, allowing information from accessible tables to be exposed, such as usernames and passwords. Rapid7 program manager Samuel Huckins told Threatpost the company was hesitant to publish its findings due to the potential for financial and data loss, but it has not received any response from BPC or evidence of the vulnerability being patched across many months.

“After a certain point, we needed to move forward and make it public in the hope they see it and take action,” Huckins said. “This could impact a lot of their customers who may not be aware of this at all.”

The researchers advised users to contact BPC support for more details, to limit access to the management interface of SmartVista, and to regularly perform audits of successful and failed logins.

Weekly Cyber Risk Roundup: Yahoo Breach Expands, Equifax Grilled, Another NSA Insider

Yahoo and Equifax were both back in the news this week due to new details emerging around their respective data breaches, including Yahoo revising the number of affected accounts to three billion and Equifax’s former CEO being grilled before Congress.

Yahoo had previously stated that its 2013 data breach affected one billion user accounts, which made it the most widespread data breach in history. On Tuesday Verizon Communications, which acquired Yahoo for $4.48 billion in June, tripled the number of impacted accounts to include all three billion of Yahoo’s users accounts. The breach was particularly egregious not only because of its size, but because it involved sensitive information such as the security questions and answers and backup email addresses used to recover accounts. Yahoo’s massive 2013 breach is in addition to a separate, previously disclosed breach that affected 500 million Yahoo accounts in 2014.

This week also saw the congressional testimony of Equifax’s former CEO Richard Smith. Smith said the breach was due to a combination of “both human error and technology failures” around implementing an Apache Struts patch made available on March 6, which was not patched for months despite a policy stating patches occur within a 48-hour time period. The testimony was met with harsh criticism from some lawmakers. For example, Sen. Elizabeth Warren (D-Mass.) questioned the entire business model of Equifax, claiming that the company has no incentive to protect consumer data and highlighting various avenues through which the company is making “millions of dollars off its own screwup.” Warren said that Equifax may “actually come out ahead” financially in regards to its breach, which affects 145 million people.

Despite the ongoing fallout, the IRS renewed a $7.25 million contract with Equifax to use its services to verify taxpayer identities. The contract drew major criticism; however, IRS Deputy Commissioner Jeffrey Tribiano said it was a necessary “stop gap” so millions of taxpayers did not lose access to their transcripts.

Other trending cybercrime events from the week include:

Newly announced data breaches: Auburn Eye Care Associates of California was hacked by TheDarkOverlord and thousands of patients records were stolen from its electronic health record system. Cabrillo Community College District said that it discovered unauthorized access to a server containing a database with student orientation information. The Online Traffic School said that customer information was compromised due to an individual gaining unauthorized access to part of its network. Northwestern Mutual Life Insurance Company said that customer information was compromised due to a financial advisor falling for a scam that led to a malicious actor gaining remote access to a desktop computer multiple times. The law firm Clark Hill had its systems accessed by Chinese hackers and sensitive documents related to Chinese dissident Guo Wengui were subsequently released on Twitter. Phoenix Inn Suites is the latest hotel to issue a breach notification tied to the Sabre Hospitality Solutions SynXis Central Reservations system.

Organizations expose data: A misconfigured database that collected data on activity on a number of NFL-related domains such as the National Football League Players Association’s website exposed the data of 1,133 NFL players and agents. The database also included a ransom message from February 2017 similar to the ones targeting other Elasticsearch servers earlier this year — indicating that the data was accessed by cybercriminals. FlexShopper said a database containing payment and other customer information may have been exposed on the internet for several days. National Bank of Canada said that 400 customers had their personal information exposed due to a website glitch. Graton Resort and Casino, Kenco, and North Carolina A&T State University all announced breaches related to inadvertently disclosing sensitive customer, employee, and student data via email attachments.

Other notable incidents: U.S. government officials believe that the personal cellphone of chief of staff John Kelly was compromised, and the compromise may date back to December 2016. The R6DB gaming service, which provides statistics for Rainbow Six Siege gamers, said that an automated bot breached its PostgreSQL installation and wiped the database then demanded a ransom payment. Etherparty said it had to shut down its website for 90 minutes after discovering a fraudulent contribution address on the site just an hour after the ICO for its FUEL token went live. The City of Englewood said that it was hit with a ransomware infection. The UK National Lottery and Kazakhstan banks reported service disruptions due to DDoS attacks.

Arrests and legal actions: A federal indictment alleges that a former Hewlett-Packard Enterprise Corp. employee intentionally caused damage to Oregon’s Medicaid Management Information System (MMIS) after being laid off, resulting in an eight-hour loss of functionality for the system. The former principal of Seven Peaks School in Oregon is being sued for allegedly downloading thousands of private documents related to the students and staff, including psychological evaluations of students.

Cyber Risk Trends From the Past Week

On Thursday, The Wall Street Journal reported that the Russian government was able to steal highly classified NSA material from an NSA contractor who removed the classified material and put it on his home computer without the NSA’s knowledge.

The sources said that the breach, which occurred in 2015, was first discovered in the spring of 2016 and included details about how the NSA penetrates foreign computer networks, code it used for such spying, and details on how the NSA defends networks inside the U.S.

Sources told the WSJ that the hackers appear to have used the antivirus software created by Russia-based Kaspersky Lab in order to identify the files on the contractor’s computer. The paper also reported that it is the first known incident of the popular antivirus software being exploited by Russian hackers to conduct espionage against the U.S. government.

Kaspersky Lab said it “has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.”

The alleged NSA breach provides some insight into reports that the FBI has been urging private companies throughout the year to discontinue using Kaspersky products due to intelligence that indicated the company is an unacceptable threat to national security. In addition, the Department of Homeland security issued a directive in September ordering federal agencies to take actions to ultimately remove Kaspersky-related products from government computers.

The breach also appears to be separate from the incidents involving NSA contractor Harold T. Martin III, who hoarded large quantities of sensitive NSA data and hacking tools in his home, and TheShadowBrokers, a group that is best known for the April 2017 release of stolen NSA exploits such as EternalBlue, among others. As we noted in our August blog, officials have not linked TheShadowBrokers to Martin’s insider theft, and it appears the same can be said of the newly reported NSA breach. However, this new incident now makes two recent insiders who have successfully taken highly confidential NSA data home — and at least one case of that data then being successfully targeted by foreign hackers once it was in a less secure environment.

Weekly Cyber Risk Roundup: Another Ethereum Heist and FBI Warns Against Kaspersky Lab

Cryptocurrency theft was the week’s top trending cybercrime story as malicious actors were able to capitalize yet again on an upcoming Ethereum initial coin offering (ICO) to steal approximately $500,000 worth of Ether — this time from investors in the cryptocurrency platform Enigma.

Enigma said that malicious actors managed to compromise the enigma.co domain, its Slack channel, and certain email lists. The actors then posted messages via the compromised channels claiming that the platform was offering a “pre-sale” of tokens ahead of next month’s official ICO.

Enigma CEO Guy Zyskind said the attack “joins a long list of other similar attacks plaguing the crypto-community.” For example, just last month there were three different multi-million dollar Ethereum heists: $34 million was stolen due to a bug in the code of the Parity Ethereum client and $10 million and $8.4 million were stolen during the ICOs of Coindash and Veritaseum.

“We want to make sure that no one in our community that was a victim to this well-coordinated phishing attack is financially hurt,” Zyskind said in a blog post. “We will restore funds to everyone that lost money in this recent scam attempt after our token sale concludes.”

With four large Ethereum thefts over just the past month, it is clear that malicious actors have found a new — and relatively simple — way to capitalize on the excitement of Ethereum investors. Similar attacks will likely occur in the future as malicious actors play copycat and attempt to capitalize on other ICOs for a quick payday.

Other trending cybercrime events from the week include:

Hacktivist and political leaks: Web hosting provider DreamHost had its services disrupted by a DDoS attack on Wednesday. It’s unclear who orchestrated the attack, but DreamHost was recently involved in several politically-charged news stories. The Anonymous-affiliated group AnonOps leaked the private cell phone numbers and email addresses of 22 Republican congressmen in an effort to get individuals to urge their members of Congress to condemn President Trump’s recent statements surrounding Charlottesville and push for his impeachment. The hacking group known as “Fancy Bear” released information related to doping in FIFA, including email exchanges between FIFA and representatives of anti-doping agencies, files showing the number of players using illegal substances, and therapeutic use exemption data, which gives athletes medical permission to take banned substances.

Healthcare-related breaches: A hacker claiming to represent Anonymous said he gained access to a database of NHS patient data managed by SwiftQueue and downloaded over 11 million records, but SwiftQueue said that its database only contains records for 1.2 million individuals and that its initial investigation suggests only 32,501 “lines of administrative data” have been accessed. MJHS Home Care is notifying patients that an employee email account was compromised due to a phishing incident and that patient information may have been exposed. The Institute for Women’s Health in Texas is notifying patients of the discovery of a keylogger on its network. Salina Family Healthcare Center is notifying patients that their personal information may have been compromised due to a June 18 ransomware infection. St. Mark’s Surgical Center is notifying patients of a April 13 ransomware infection that may have compromised their personal information.

Carbon Black says bug affected 10 customers: Cybersecurity company Carbon Black said that 10 of its customers were potentially impacted by a corner-case bug that may have resulted in some miscategorized files being uploaded to a third-party, cloud-based scanner. The bug was introduced in Cb Response sensor versions 5.2.7+ and 6.0.4+ from April 2017 or later, the company said, and required a series of other conditions in order to be triggered.

Other notable incidents: A database that appears to be associated with the online group hotel room booking service Groupize was found exposed on the Internet. The researchers who discovered the exposed database said it contained many hotel documents, including service agreements, earnings, and details about commissions, which allowed them to see “exactly how the discount hotel business model works in detail.” The City of Oceanside, California, has suspended its online utility bill payment system over concerns that the system may have been breached after multiple users reported that they received unauthorized charges on their payment cards. The hacking group OurMine hijacked the Twitter and Facebook accounts of Sony’s PlayStation Network (PSN) and claims to have a stolen PSN database; however, media outlets reported that there does not appear to be any evidence as of yet supporting the claims of a breached PSN database.

Cyber Risk Trends From the Past Week

In July, the U.S. government removed the Russia-based Kaspersky Lab from two lists of approved government vendors, and recently it was revealed the the FBI has been warning private organizations to stop using Kaspersky products as well.

The FBI has been briefing private companies on the threat since the beginning of the year, citing intelligence that claims to show the company is an unacceptable threat to national security, officials told CyberScoop. The FBI has prioritized briefing organizations in the energy sector and those that use ICS and SCADA systems, as well as large tech companies.

The officials claim that Kaspersky has deep and active relationships with Russian intelligence and have highlighted multiple specific accusations of wrongdoing, sources told CyberScoop.

Kaspersky denied the allegations, with a representative saying that the company is “caught in the middle of a geopolitical fight” and “has never helped, nor will help, any government in the world with its cyber-espionage or offensive cyber efforts.”

CyberScoop reported that organizations using ICS and SCADA systems have been relatively cooperative and that some have already moved forward and signed deals with Kaspersky competitors. However, those in the tech space don’t have the same sense of urgency and have been less receptive to the FBI’s recommendations.

In addition, Reuters reported that a defense spending policy bill from the Senate Armed Services Committee was recently amended to prohibit the U.S. Defense Department from using Kaspersky software platforms because the company “might be vulnerable to Russian government influence.”