Marai – SurfWatch Labs, Inc.

2017 Cyber Forecast: The IoT Problem is Going to Get Worse

The new year is underway, and one of the biggest causes of concern carrying over into 2017 is the threat posed by the growing number of compromised Internet-of-Things (IoT) devices. As I stated in my previous cyber forecast blog on extortion, I prefer to base my “predictions” around actual intelligence and verifiable data. IoT-related security threats have been talked about for the past few years, but they have been relegated to the periphery of the cybercrime conversation due to the fact there wasn’t much threat data around real-world attacks. However, the second half of 2016 saw those concerns move front-and-center due to a series of incidents tied to the Mirai botnet:

In September, both KrebsOnSecurity and French hosting provider OVH were hit with massive DDoS attacks, reportedly hitting 620 Gbps attack and 1 Tbps in size.
Those attacks were quickly tied the Mirai botnet, the source code of which was subsequently released by a user on Hackforums.
A few weeks after the source code went public, DNS provider Dyn was hit with what appears to have been an even larger DDoS attack – causing major sites such as Twitter, Netflix, Reddit, Spotify and others to be disrupted across the U.S. and Europe.

Those attacks will certainly lead to increased scrutiny within the IoT marketplace both now and in the future, but in the meantime cybercriminals are focusing their attention on finding new ways to leverage the numerous vulnerable IoT devices for their own malicious purposes. The past few months have seen various hacking groups fighting to take control over their share of those compromised devices, as well as companies such as Deutsche Telekom and others suffering outages as those groups tried to expand their botnets by attempting to infect customers’ routers with Mirai. One group has even been observed selling IoT-powered DDoS services that claim to provide as much as 700 Gbps in traffic.

All of that activity has led to one of the clearest trends in SurfWatch Labs’ data over the past few months: an enormous rise in threat intelligence surrounding the “service interruption” category.

serviceinterruption_cfs — This chart from SurfWatch Labs’ 2016 Cyber Threat Trends Report shows a sharp increase in the amount of threat intelligence related to the service interruption category in Q4 2016.

“Over the past two years, the ‘service interruption’ tag has typically appeared in approximately 16% of the negative CyberFacts collected by SurfWatch Labs,” SurfWatch Labs noted in its annual cyber trends report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack. “However, that number jumped to more than 42% over the last half of the year due to growing concern around IoT-powered botnets such as Mirai.”

The problem of botnets powered by compromised IoT devices goes beyond just service interruption. It reflects many of the larger cybersecurity issues facing organizations in 2017:

an expanding number of vulnerable devices
the problem of default or easy-to-guess credentials
the difficulty of identifying vulnerabilities and patching them in a timely manner
questions of who along the supply chain is responsible for security
and issues outside your organization’s direct control that impact your cyber risk

Compromised IoT devices are a perfect example of the interconnectedness of cybercrime and how the poor security of one component by one manufacturer can led to hundreds of thousands of devices being vulnerable.

The sudden surge in concern around IoT devices reminds me of similar cyber risk discussions that have occurred around ICS/SCADA over the last few years. In both cases, the devices were often designed without cybersecurity in mind and those cybersecurity implications are now leading to serious potential consequences. However, unlike ICS/SCADA devices, IoT devices are primarily consumer focused. As we noted in the 2016 Cyber Trends Report, the potential of having multiple devices per household for any developed nation means that collectively these vulnerable devices are the largest digital footprint in the world not under proper security management.

DDoS attacks have always been a staple of cybercrime, but the expanding number of potentially compromised devices, along with cybercriminal tools designed to easily exploit those devices, has created growing concern around the tactic. Due to these concerns, I forecast with moderate confidence that IoT-driven botnets will affect a greater number organizations in 2017 as suppliers, manufacturers, regulators and the security community all continue to wrestle with this ongoing issue.

Weekly Cyber Risk Roundup: Shamoon is Back and Marai Problems Continue

The European Commission is the top trending cybercrime target over the past two weeks after experiencing a distributed denial-of-service attack (DDoS) that brought down Internet access for several hours over two separate periods, making it difficult for employees to work, a staff member told Politico.

However, the most impactful event from the period is the campaign that targeted organizations in Saudi Arabia with the Shamoon malware and wiped the hard drives of thousands of computers. The campaign targeted six organizations, resulting in extensive damage at four of them. People familiar with the investigation told Bloomberg that thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation and that office operations came to a halt for several days after critical data was erased. Among the other targets were the Saudi Central Bank and several unnamed government agencies.

Saudi authorities said evidence suggests Iran is to blame. The attackers used the exact same Shamoon malware that hit Saudi Aramco in 2012 and destroyed 35,000 computers, according to people familiar with the investigation. Ars Technica noted that Shamoon attempts to spread across networks by turning on file sharing and attempting to connect to common network file shares. In addition, the attackers used stolen credentials hard-coded into the malware.

Shamoon is made up of three components. The dropper component determines whether to install a 32-bit or 64-bit version of the malware. The wiper component uses RawDisk, the same driver that was used against Sony Pictures in 2014. The communications component was not used in this attack as the malware was configured with the IP of 1.1.1.1.

Other trending cybercrime events from the week include:

Another week of “oops” breaches: Security researcher Chris Vickery discovered a file repository for Allied-Horizontal exposed to the Internet and requiring no authentication that contained sensitive information related to explosives. Confidential police files on 54 terrorist cases were copied onto a staffer’s private storage device that was connected to the Internet without a password. The U.S. Department of Housing and Urban Development accidentally made the personal information of almost 600,000 individuals temporarily available to the public via its website.

Individuals and organizations face blackmail: Hackers have allegedly stolen data from Valartis Bank Liechtenstein and are threatening individual customers that they will leak their stolen information to financial authorities and the media if they do not pay ransom demands. The hacking group known as TheDarkOverlord said they gained access to Dropbox and email accounts for Gorilla Glue and stole 500 GB of information, including intellectual property and product designs. TheDarkOverlord said they offered the company “a handsome business proposition,” which is the group’s way of saying they demanded ransom.

Ransomware disrupts organizations: The computer systems of the San Francisco Municipal Transportation Agency were infected with ransomware, and the actor behind the attack demanded $73,000 in ransom. Passengers unable to pay fares due to locked machines were temporarily given free rides. Bigfork School District in Montana recently experienced a ransomware infection due to a malicious email attachment, but the district said it would not pay any ransom demands. Computers at Carleton University in Canada were infected with ransomware, bringing research to a halt. The attackers asked for around $39,000 to decrypt the data.

Business-to-business cybercrime: Gaming company Zynga is suing two former employees over the theft of “extremely sensitive” information, which was then allegedly taken to rival company Scopely. James Frazer-Mann, a 35-year-old former operator of Elite Loans, was sentenced by a UK court for hiring a hacker to DDoS his former company’s competitors and the website of the Consumer Action Group.

More data breaches announced: The Madison Square Garden Company announced a point-of-sale data breach affecting customers who used payment cards to purchase food and merchandise at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and Chicago Theater. The Navy was notified by Hewlett Packard that the names and Social Security numbers of more than 130,000 sailors were compromised. An unauthorized party gained access to a Michigan State University server containing personal information on 400,000 individuals, but only 449 of those records are confirmed to have been accessed. The hacker behind the data breach at Casino Rama has uploaded a five gigabyte file containing more than 14,000 documents to a torrent website. UK Telecom company Three announced a data breach after cybercriminals were able to gain access to its upgrade system using authorized logins.The sensitive personal information of 17,000 students was compromised in a data breach at Erasmus University in the Netherlands.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past two weeks. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Over the past two weeks, most industry sectors have seen an increase in their SurfWatch Labs’ cyber risk scores. The IT sector, once again, has the highest overall score. That is due, in part, to ongoing worry over DDoS attacks tied to Marai and other botnets compromised of Internet-of-Things devices.

Around 900,000 customers of Deutsche Telekom had their service disrupted due to external actors trying and failing to infect routers with malware, the company said. The attack caused crashes or restrictions on approximately four to five percent of all routers. Thousands of KCOM customers also lost their Internet access due to routers being targeted in a cyber-attack. KCOM issued a statement about the incident:

“We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network. The only affected router we have supplied to customers is the ZyXel AMG1302-T10B. The vast majority of our customers are now able to connect to and use their broadband service as usual.”

Researchers have identified other companies that use routers made by ZyXel and may be vulnerable to similar attacks, including Irish telecom operator Eir and Vodafone Group Plc in Britain.

Two hackers have since claimed credit for the attack against Deutsche Telekom and apologized for the outage. They were trying to enlist those routers in a growing Marai botent, which they claim is now the most powerful Marai-based botnet. One of the hackers told Motherboard the botnet included over a million devices; however, other researchers have estimated that number to be around 400,000.

The hackers, going by the name BestBuy and Popopret, are advertising a DDoS service powered by their new botnet with attacks allegedly ranging up to 700 Gbps.

2016-12-03_botnetad — Source: BleepingComputer

Popopret told BleepingComputer that the price for a two-week long attack using 50,000 bots — and an attack duration of one hour along with a 5-10 minute cooldown time between attacks — is approximately $3000-$4,000. BestBuy reported similarly high fees, telling Motherboard that a similar attack using 600,000 bots would cost $15,000-$20,000.

It is unclear exactly how many devices the group controls at the moment, but it is clear that various groups are competing to infect and retain control over a growing number of Internet-connected devices.

Weekly Cyber Risk Roundup: Adult Friend Finder’s Massive Breach and Securing IoT Devices

Distributed denial-of-service (DDoS) attacks were once again among the most discussed cybercrime events of the week as discussion around the Marai botnet continued and a handful of Russian banks were targeted with attacks powered by compromised Internet-of-Things (IoT) devices. The week also saw one of the largest data breaches ever as the Adult Friend Network was hacked and the details of 412 million accounts were compromised.

The information compromised in the Adult Friend Finder hack dates back 20 years, according to LeakedSource, and includes email addresses, passwords stored in either plain visible format or SHA1, dates of last visits, browser information, IP addresses and site membership status. Accounts for a variety of sites were infected: 339 million Adult Friend Finder accounts, 62 millions Cams.com accounts, 7 million Penthouse.com accounts, 1.4 million Stripshow.com accounts and 1.1 million iCams.com accounts.

This is the second time Adult Friend Network has been hacked in 18 months. In May 2015 almost four million users had their personal details leaked by hackers.

It’s not clear who was ultimately behind the recent hack. A researcher going by the name revolver posted screenshots of a Local File Inclusion vulnerability being exploited on Adult Friend Finder in October and threatened to “leak everything,” but he said he was not behind the breach. Friend Finder Networks vice president and senior counsel, Diana Ballou did say that the company identified and fixed “a vulnerability that was related to the ability to access source code through an injection vulnerability.” The breach is the second largest of the year in terms of the number of customer accounts compromised — behind only Yahoo, which affected more half a billion accounts.

Other trending cybercrime events from the week include:

More large data breaches: Casino Rama Resort in Ontario recently announced the theft of a variety of data including IT information, financial reports, security incident reports, Casino Rama Resort email, patron credit inquiries, collection and debt information, vendor information, and contracts and employee information such as performance reviews, payroll data, terminations, social insurance numbers and dates of birth. A man hacked into the website of the Indian state of Kerala’s government’s civil supplies department, stole information on all of 8,022,360 of Kerala’s Public Distribution System beneficiaries and their family members, and then uploaded that information to Facebook. Recruitment firm Michael Page may have had as much as 30GB of data exposed when it was published to a publicly exposed website, according to researcher Troy Hunt. Hunt said multinational consulting and outsourcing firm Capgemini was behind the exposed data.

Retail woes both criminal and accidental: A&M has announced a payment card breach affecting customers who shopped at Annie Sez, Afaze, Mandee, Sirens and Urban Planet locations between November 2015 and August 2016. Australian discount department store Big W is apologizing to customers after a technical issue led to a small number of customers having the first stage of the online checkout process pre-populated with the personal information of another customer.

More ransomware attacks and payments: The office of Robert J. Magnon at Seguin Dermatology is informing patients of a September ransomware attack that likely accessed protected health information. The Lansing Board of Water & Light acknowledged it paid a $25,000 ransom after an employee opened an infected attachment and the resulting ransomware infection shut down the board’s accounting systems, email systems and phone lines.

Hacktivist attacks and sentences: A hacking group known as “Amn3s1a Team” claims to have stolen internal documents, source code and other information from the file-sharing site Mega.nz. ZDNet examined an 800-megabyte archive of source code — which appears to be related to its instant messenger service Megachat, the site’s Chrome browser extension, and a private RSA key. A 22-year-old Tennessee man and member of the NullCrew hacking collective has been sentenced to 45 months in prison for his role in hacking Bell Canada. Canadian prosecutors said the hackers exfiltrated million of files from Bell Canada, and the man posted about 12,700 customer logins and passwords and Tweeted a link to the data. A hacker going by the Twitter handle @CyberZeist announced that he had hacked the Windham County Sheriff’s Office, posted the stolen database on Pastebin, and was even offering to give away backdoor access.

Cybercrime goes virtual: A group of hackers wrote software that tricked Electronic Arts’ servers into thinking that thousands of FIFA soccer matches had been completed in order to “mine” FIFA coins, and that virtual currency was then sold via black market sites for millions of dollars in profits, according to a recently unsealed FBI indictment.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

For the second week in a row, most sectors saw a decline in their overall SurfWatch Labs’ cyber risk scores. The financials sector saw the biggest drop and is now at its lowest score of all of 2016 after steadily declining throughout October.

Much of the discussion around cyber risk over the past month has been focused on issues related to DDoS attacks and Internet-connected devices. The most discussed new cybercrime event of the past week, by far, was the DDoS attacks against at least five of Russia’s largest banks. Reports indicate that the attacks were carried out over a two-day period and generally lasted for one hour each, although one attack lasted for almost 12 hours. The attacks were powered by around 24,000 compromised IoT devices across 30 countries, and Sberbank said the attacks were among the most powerful the bank had seen.

The concern around IoT devices has also led the Department of Homeland Security to release its Strategic Principles for Securing the Internet of Things (IoT), which is designed as “a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services, and systems.” The document contains six principles that would “dramatically improve the the security posture of IoT,” and those principles are meant to be adapted and applied as needed.

In addition, the document outlines four key areas of effort going forward:

Coordinate across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risks posed by IoT.
Build awareness of risks associated with IoT across stakeholders.
Identify and advance incentives for incorporating IoT security.
Contribute to international standards development processes for IoT.

“We recognize the efforts underway by our colleagues at other federal agencies, and the work of private sector entities to advance architectures and institute practices to address the security of the IoT,” DHS wrote “This document is a first step to strengthen those efforts by articulating overarching security principles. But next steps will surely be required.”

Weekly Cyber Risk Roundup: Services Get Disrupted and Hacking Elections

Distributed denial-of-service (DDoS) attacks and other incidents leading to service interruption have been widely discussed in the cybersecurity community ever since the October attack against DNS provider Dyn. This past week saw Marai-driven attacks that reportedly knocked out Internet access for the entire county of Liberia; however, security researchers such as Brian Krebs noted that those news articles may have exaggerated the facts as there is little evidence “anything close to a country-wide outage” occurred as a result of the attack.

“While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to [substantiate] that,” Daniel Brewer, general manager for the Cable Consortium of Liberia, told Krebs.

Nevertheless, concerns around DDoS attacks remain high, and some have speculated that the attacks against Liberia and others may be test runs for a larger attack in the future.

In other service interruption news, two apartment buildings located in Lappeenranta, Finland, and managed by facilities services company Valtia had the systems that controlled central heating and warm water circulation disabled by a DDoS attack. The systems tried rebooting the main control circuit in response to the attack, the CEO of Valtia said, and this was repeated in an endless loop resulting in the heat not working for the properties. Also, a unspecified malware infection caused three UK hospitals to cancel operations, outpatient appointments and diagnostic procedures for three days while staff access to patient records was restored. According to The Sun, approximately 3,300 patients at hospitals in Grimsby, Scunthorpe and Goole were affected. The attacks led to a high-severity alert being issued to National Health Service providers reminding “all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”

Other trending cybercrime events from the week include:

Fraud and financial loss continue: Tesco Bank said the widespread criminal activity that led to the halting of online transactions has been narrowed down to £2.5 million in losses across 9,000 accounts – a drop from the 20,000 accounts previously reported. Sentinel Hotel is notifying customers of a breach after reports of unauthorized charges on guests payment cards led to the discovery of malware on a point-of-sale terminal. City of El Paso officials revealed the city was scammed out of more than $3 million via a phishing attack. The city has recovered about half of the money. A ransomware infection recently locked up several government systems in Madison County, Indiana, and county commissioners voted to pay the extortion demands in order to regain control of those systems.

Poor security leads to potential breaches: Researchers discovered that 128 car dealership systems were being backed up to a central location without any encryption or security, potentially exposing the personal information of both customers and employees. Cisco is warning job applicants that information on the Cisco Professional Careers mobile website may have been exposed as a result of an incorrect security setting following system maintenance. Newfoundland and Labrador’s privacy commissioner is ordering Eastern Health to examine controls around employees logging out of accounts after an incident in which a doctor failed to log out of Meditech patient information software and patient information was accessed and printed by an unknown person.

More breaches and data dumps: Two hackers claim to have used SQL injection to steal personal information from seven Indian High Commission websites and published the stolen databases in a Pastebin post. Anonymous Italia has defaced several police websites and leaked 70 megabytes of data presumably stolen from the databases of the Sindacato Autonomo Polizia Penitenziaria’s blog and its official monthly magazine. Integrity Transitional Hospital, based in Texas, recently reported a health data hacking incident that potentially affects the information of more than 29,000 patients.

Cybercrime leads to arrests: A man has been arrested for compromising more than a thousand university email accounts and then using that access to further compromise other social media and online accounts. The man allegedly accessed one university’s password reset utility approximately 18,640 different times between October 2015 and September 2016 and successfully changed the passwords for 1,035 unique accounts. An employee of Lex Autolease Limited pleaded guilty to selling the personal information of hundreds of customers to a third party. A 19-year old hacker plead guilty to creating and running the Titanium Stresser booter service, which has been used in more than 1.7 million DDoS attacks worldwide.

Cyber Risk Trends From the Past Week

Most industry sectors saw a slight decline in their SurfWatch Labs’ cyber risk scores this week. The biggest story of late, naturally, was the U.S. presidential election, and now that it is over, pundits from both sides are reflecting on how their candidates managed to win or lose the race. That examination includes the role that cybersecurity, hacking and data leaks may have played in the outcome.

In fact, back in August we posed that very question: would 2016 be the first presidential campaign ultimately swung by information obtained in a data breach? The answer remains uncertain. What is certain is that cyber-issues were put front-and-center in a way we have never seen in any other presidential election.

For example, in the days leading up to the election, WikiLeaks published 8,000 more leaked emails from the Democratic National Committee, dubbed #DNCLeak2. That dump came after a previous release of 20,000 emails from the DNC as well as 50,000 emails from Hillary Clinton aide John Podesta. The effect of those stolen emails being steadily leaked — and other cyber-issues such as Clinton’s personal email server — may be impossible to quantify, but they likely contributed in some way to nearly 60 percent of voters who perceived Clinton as a dishonest and untrustworthy candidate.

WikiLeaks founder Julian Assange wrote an election day post defending his actions and stating that publishing the stolen emails was not an attempt to influence the outcome of the election.

“We publish material given to us if it is of political, diplomatic, historical or ethical importance and which has not been published elsewhere,” Assange wrote. “At the same time, we cannot publish what we do not have. To date, we have not received information on Donald Trump’s campaign, or Jill Stein’s campaign, or Gary Johnson’s campaign or any of the other candidates that fulfills our stated editorial criteria.”

Clearly, Assange is saying if WikiLeaks did have information on other political candidates then that information would be made public as well — as it has in the past with the release hundreds of thousands of emails related to the government of Turkey. WikiLeaks claims to be non-partisan, but other threat actors do have a biased agenda and those actors are likely to be emboldened by the success of this year’s election-related hacks.

As Wired wrote: “For Russia, [Trump’s win] will also be taken as a win for the chaos-injecting tactics of political hacks and leaks that the country’s operatives used to meddle in America’s election — and an incentive to try them elsewhere. … That Russia perceives those operations as successful, experts say, will only encourage similar hacks aimed at shifting elections and sowing distrust of political processes in Western democracies, particularly those in Europe.”

Those efforts are already underway, researchers have noted, with at least a dozen European organizations being targeted by groups linked to the Russian state since that hacks against the DNC. Whether this election was ultimately swayed by breaches and other cyber-issues may be up for debate, but what is clear is that political and advocacy organizations are actively being targeted and that threat actors will likely try to influence future elections across the globe to align with their goals.

Weekly Cyber Risk Roundup: Latest Breaches and Enhanced Security Standards

The massive distributed denial-of-service (DDoS) attack that disrupted websites and services on October 21 was the focal point of a large portion of cybercrime discussion last week. As we noted in a previous post, the attack against DNS provider Dyn has led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

According to some reports, the DDoS attack may have surpassed one terabyte per second of traffic; however, the latest analysis from Dyn indicates that the botnet behind the attack may have been much smaller than the initial reports of “millions.”

“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be,” wrote Scott Hilton, EVP of products at Dyn. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Other trending DDoS news includes the Syrian Cyber Army claiming responsibility for attacks against Belgian news organizations. The DDoS attacks made several news websites inaccessible or extremely slow, including De Standaard, Het Nieuwsblad, Gazet van Antwerpen, Het Belang van Limburg and RTFB. In another case of ideological hacktivism, Martin Gottesfeld, 32, was indicted for his role in DDoS attacks against Boston Children’s Hospital (BCH) and the Wayside Youth and Family Support Network. Gottesfeld admitted to his involvement in #OpJustina in a written editorial, saying that the attack against BCH was designed to interfere with a fundraiser in order to cause maximum financial damage. Finally, The Guardian is reporting that financial institutions in London are stockpiling bitcoins in the event extortionists target them with powerful DDoS attacks.

Other trending cybercrime events from the week include:

Payment card breaches announced: Danish payment processor Nets is warning of a payment card breach that appears to be tied to a foreign-based Internet retailer and is advising banks to block up to 100,000 cards in order to prevent fraudulent transactions. A data breach at Hitachi Payment Services, which manages ATM network processing for Yes Bank, is suspected to be the cause of recent fraud that has led to banks in India either replacing or asking customers to change security codes on 3.25 million debit cards. A pro-Donald Trump super PAC known as Great America PAC has mistakenly published the credit card numbers and expiration dates of 49 donors. Last month the same super PAC exposed 336 donors’ email addresses and phone numbers.

Data breaches continue, both large and small: A Red Cross Blood Service database of 1.28 million donor records going back to 2010 was accidentally published to a webserver by a third-party contractor. A hacker known as Peace told Motherboard he hacked Adult FriendFinder and obtained a database of 73 million users, and another hacker known as Revolver or 1×0123 posted screenshots appearing to show he had access to the website’s infrastructure. A Ukrainian hacker group known as CyberJunta has released more than a gigabyte of emails stolen from the office of Russian politician Vladislav Surkov. Baystate Health is notifying about 13,000 patients that their personal information may have been compromised due to a phishing attack that was designed to look like an internal memo. Virgin Media potentially exposed the personal information of up to 50,000 people applying for jobs. Rocky Mountain Credit Union in Montana notified 135 of its members that their personal information may have been accidentally exposed due to an undisclosed security issue discovered on the website customers use to upload documents related to mortgage applications. The University of Santa Clara’s Office of Marketing and Communications had internal documents stolen and leaked to the student newspaper due to an employee leaving his or her username and password in plain site at a workstation.

Update on cybercrime charges and arrests: The Booz Allen Hamilton contractor who was arrested for the possession of classified NSA materials allegedly had documents dating back to 1996 that were marked either “secret” or “top secret,” according to recent court filings. In total, investigators have seized more than 50 terabytes of information and thousands of pages of documents. Celebgate hacker Ryan Collins, 36, of Lancaster, Pennsylvania, was sentenced to 18 months in prison for using phishing emails designed to steal Apple and Google credentials and then using those stolen credentials to hack into more than 100 accounts. Authorities said there is no evidence that Collins was responsible for the leak of nude celebrity photographs tied to the hack. Yevgeniy Nikulin, the Russian man who was arrested in connection with the 2012 LinkedIn breach, has also been indicted for his alleged role in the breaches at Dropbox and Formspring, according to documents unsealed on Friday.

Note: Dyn, by far the top trending new target, is not shown in the chart below in order to make the other targets more readable.

Cyber Risk Trends From the Past Week

The Financials sector’s cyber risk score peaked in early October, reaching its highest level since February 2016. Since then, it has steadily declined for most of the month — until the past week. This week’s rise in cyber risk score (+2.2%) was the biggest increase of any sector over the period.

Part of that may be tied to the recent payment card breaches highlighted above, which began at online retailers and other providers before moving to directly impact banks. For example, the chief executive of National Payments Corp of India said that the spike in reported fraud that led to advising banks to replace cards was tied to a possible compromise of one of the payment switch provider’s systems. Sources told Reuters that the issue stemmed from a breach in systems of Hitachi Payment Services, which is currently investigating the matter.

That interconnectivity of the Financials sector has led to concerns from government agencies, and the the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation recently issued a joint proposal on enhanced cyber risk management standards to address those concerns.

“Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the proposal stated. “The enhanced standards would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management.”

The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

According to the proposal, “The agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or ‘sector-critical standards,’ applying to those systems of covered entities that are critical to the financial sector.”

The enhanced standards would apply to certain entities with total consolidated assets of $50 billion or more on an enterprise-wide basis, they added. Comments on the proposal are open until January 17, 2017.

DDoS Attacks Dominate News, Spark Calls for Regulation

Last week’s massive distributed denial-of-service (DDOS) attacks, which made popular websites and services inaccessible to users across the East Coast and elsewhere, has since led to widespread concern about insecure Internet-connected devices and calls for government agencies to get involved in order to ensure those devices are secured against future attacks.

In fact, the attack against DNS provider Dyn, which happened just six days ago, has already become the most talked about target tied to “service interruption” in all of 2016, according to SurfWatch Labs’ data.

Friday’s DDoS attack against Dyn is concerning for several reasons. First, reports have claimed the attack reached 1.2 terabytes per second. If true, that would make it the largest DDoS attack ever. Second, Dyn confirmed yesterday that the Mirai botnet was a primary source of malicious attack traffic. The source code for that botnet was made public earlier this month, and last week Level 3 Threat Research Labs said that the number of Marai bots it had observed had more than doubled since the code was released. Finally, some researchers have claimed the attack was carried out by amateur hackers, not sophisticated state-sponsored or financially-motivated actors.

That combination suggests that more attacks like the one against Dyn will occur in the future, adding to a trend that SurfWatch Labs has observed throughout the year of increased evaluated intelligence around the service interruption tag.

The number of CyberFacts collected by SurfWatch Labs related to “service interruption” has steadily increased throughout the year, peaking with last week’s attack against Dyn.

The Marai-driven attacks have also put one company as the face of the Internet-of-Things problem, unfairly or not: XiongMai Technologies.

XiongMai Technologies is a Chinese electronic company that makes products used in a variety of brands, including DVRs and cameras tied to the recent DDoS attacks. XiongMai said on Monday that it would issue a recall of some of its U.S. products, although it’s unclear how successful that recall will be.

Like Yahoo, Wells Fargo and other companies tied to major cyber incidents this year, XiongMai Technologies and manufacturers of Internet-connected devices have now moved onto the radar of politicians and regulators. On Wednesday, Virginia Sen. Mark Warner sent letters to the Federal Communications Commission, Federal Trade Commission and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center about his “growing concern” over the “unprecedented” volume of DDoS attacks driven by the Marai botnet exploiting connected devices.

“[O]ver 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software,” Warner wrote. “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

The letter continued: “DDoS attacks can be powerful tools for censorship, criminal extortion, or nation-state aggression. Tools such as Mirai source code, amplified by an embedded base of insecure devices worldwide, accomplish more than isolated nuisance; these are capabilities – weapons even – that can debilitate entire ranges of economic activity.”

Warner provided a list of questions on how to potentially deal with the issue of insecure Internet-connected devices, including ways to make consumers more aware of the risk, trying to work with ISPs to designate insecure devices and deny them connections to their networks, and establishing and enforcing minimal technical security standards.

“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” Warner said.

Being thrust into the spotlight is an unusual situation for XiongMai, a company whose brand tends to remain behind the curtain of its “white label” products, which are sold and then incorporated into other brands’ offerings. Accurately gauging the potential fallout to companies such as XiongMai is difficult, but it’s safe to say that no company wants to be referenced, even indirectly, as the poster child for “cheap, insecure” devices. However, the recent DDoS attacks powered by the Marai botnet — against Krebs on Security, OVH and now Dyn — are quickly on their way to becoming the most discussed cybersecurity stories of 2016, and XiongMai and other manufacturers of connected devices are along for that ride.

Weekly Cyber Risk Roundup: Internet of Things Sparks Security Concerns

There has been growing concern around distributed denial-of-service (DDoS) attacks this week as the source code for the Internet-of-Things (IoT) driven botnet “Mirai” has been publicly released by a user on Hackforums. The Mirai botnet has been tied to the recent massive DDoS attack against Brian Krebs website and is made up of a growing number of Internet-connected devices.

The botnet includes a variety of compromised home and small office items such as routers, DVRs and security cameras – many of which use default usernames and passwords. The IoT devices are aimed at users often more concerned about convenience than security, and as Brian Krebs pointed out, even if users do take steps to secure devices by changing default credentials the malware may still spread.

Cybercriminal actors may use botnets like Marai to create more powerful DDoS attacks against industries that are traditionally vulnerable to extortion, such as gaming and ecommerce, but the Marai source code release also empowers actors looking to disrupt organizations for ideological or political reasons. For example, Newsweek alleged it was the victim of such an attack this week when its website was hit with a DDoS attack after publishing a story claiming that one of Donald Trump’s companies violated the Cuba trade embargo in 1998. In part due to that attack, consumer publishing was the most discussed industry group associated with cybercrime over the past seven days.

With Marai added to the growing list of free tools available to actors, expect to see more DDoS attacks like the ones against KrebsOnSecurity and Newsweek, which appear to be aimed at silencing or punishing critics.

Other trending cybercrime events from the week include:

Another week, another list of companies hit with ransomware: Cloud service provider VESK paid £18,600 after being infected with a new strain of the Samas DR ransomware. The New Jersey Spine Center paid an undisclosed amount after a July CryptoWall attack encrypted all electronic medical records and the most recent backup as well as disabled the phone system. The forest department of the state government of Kerala in India was infected with ransomware known as RSA-4096. Urgent Care Clinic of Oxford is notifying patients that their data may have been compromised by what appears to be a ransomware attack. A “glitch” after a ransomware attack led the Marin Healthcare District and Prima Medical Foundation to notify more than 5,000 patients that some of their medical data has been lost, even though they paid the ransom.

Data exposed through mistakes and flaws: C&Z Tech Limited acknowledged that a database of more than 1.5 million user records was exposed online, but said that the leak was from a test database; however, ZDNet disputes that claim, writing that their own verification of the data found “no reason to believe that this is test or dummy data.” Census data on 96,000 employees of the Australian federal government was downloaded nearly 60 times before being removed from official websites. A vulnerability discovered in the Charter Communications website could have exposed the personal information of customers. Customers of Ottawa marijuana dispensary chain Magna Terra Health Services had their email addresses exposed when an employee sent an email with 470 of their customers cc’d.

Alleged political dumps, both old and new: A hacker who goes by the name Guccifer 2.0 published an 860-megabyte file of donor information allegedly stolen from the Clinton foundation servers; however, a variety of news outlets have reported that the data appears to actually be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee. Berat Albayrak, Turkey’s Energy Minister and son-in-law of President Erdoğan, is the week’s second highest trending new target (after Newsweek) on the heels of hacking group RedHack leaking 17 gigabytes of data, which the group said was stolen by discovering Albayrak’s mobile operating system, writing an exploit to steal his password, and gaining access to his iPad after several weeks of attempts.

More data breach announcements: Hutton Hotel is notifying customers of a payment card breach affecting guests who placed hotel reservations during the period from September 2012 to April 2015, as well as those who made purchases at the onsite food and beverage outlets from November 2015 to June 2016. Hackers gained access to computer systems at Wheeler & Egger, CPAs and used the information to fraudulently file 45 tax returns. Apria Healthcare, a provider of home respiratory services and other medical equipment, is notifying patients that an employee’s email account was compromised.

Out with the old hacktivists, in with the new: Federal authorities in Chicago have charged two suspected members of the hacking group Lizard squad for operating DDoS-for-hire websites. Although Lizard Squad has been quiet of late, other hacking groups continue to disrupt organizations. For example, OurMine defaced and deleted several articles on the BuzzFeed website in retaliation for a story claiming to have identified one of the group’s members as a Saudi teen called “Ahmad Makki.”

Insulin Pump Vulnerability and Other Advisories

The focus on IoT devices was prevalent throughout SurfWatch Labs’ data this week. In addition to all of the botnet-related discussion, Johnson & Johnson announced that a security vulnerability in its Animas OneTouch Ping insulin pump that could be exploited to overdose diabetic patients with insulin.

The Reuters story cited medical device experts who claim this is the first time a manufacturer has issued such a warning to patients about a cyber vulnerability in their devices; however, the company’s letter to patients described the risk as “extremely low.”

“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network,” the letter said.

The issue, which was discovered by Rapid7 researcher Jay Radcliffe, is that a hacker can spoof communications between a wireless remote control and the insulin pump since that communication is not encrypted. About 114,000 patients use the device in the United States and Canada.

The company said that if patients were concerned, they could stop potential attacks by discontinuing use of the wireless remote control and programming the pump to limit the maximum insulin dose. Johnson & Johnson said it first reviewed the vulnerability with the FDA, which issued draft guidance on managing cybersecurity vulnerabilities in medical devices in January.

Other noteworthy advisories and cybercrime news from the week include:

68 million stolen Dropbox credentials published online: The previously stolen database of more than 68 million user records has been published online by Thomas White on his I’m Cthulhu blog. Nearly half of the passwords are secured with the strong hashing function bcrypt, Motherboard wrote. The other half appear to use the older SHA-1 algorithm. The publication adds to the already massive list of now-public user credentials.

Vulnerability discovered in OpenJPEG: Cisco Talos researchers have disclosed a zero-day vulnerability in the jpeg2000 image file format parser as implemented in the OpenJpeg library. The vulnerability can lead to an attacker executing arbitrary code. “For a successful attack, the target user needs to open a malicious jpeg2000 file,” the researchers wrote. “The jpeg2000 image file format is mostly used for embedding images inside PDF documents and the OpenJpeg library is used by a number of popular PDF renderers making PDF documents a likely attack vector.”

Users report suspected malvertising on Spotify: Users of Spotify’s free desktop streaming service are reporting strange behavior that is suspected to be related to malvertising. “If you have Spotify Free open, it will launch – and keep on launching – the default internet browser on the computer to different kinds of malware/virus sites. Some of them do not even require user action to be able to cause harm,” wrote one user. “I have 3 different systems (computers) which are all clean and they are all doing this, all via Spotify – I am thinking it’s the Ads in Spotify Free. I hope this has been noticed and Spotify staff are fixing it – fast.”

TalkTalk fined £400,000 over data breach: The UK’s Information Commissioner’s Office (ICO) has issued a record £400,000 fine to TalkTalk over a data breach that “could have been prevented if TalkTalk had taken basic steps to protect customers’ information.” In October 2015, a hacker used SQL injection to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In more than 15,000 cases, bank account details and sort codes were also compromised. “The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009,” the ICO said. “TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.”

SurfWatch Labs collected data on a variety of cybercrime advisories over the past week. Some of the trending practice tags associated with those advisories are shown in the chart below.