New Cryptocurrencies Gain Traction, Spark Concern For Law Enforcement

Last month a new ransomware emerged known as “Kirk Ransomware.” The malware was interesting not just because of the Star Trek-themed imagery of James Kirk and Spock that it used, but also because it may be the first ransomware to demand payment via the cryptocurrency Monero.

Victims of the Kirk Ransomware are walked through how to make their ransom payments using Monero.

There are literally hundreds of different types of existing cryptocurrencies like Monero that cybercriminals can choose from, but bitcoin is the most well known and has been the most widely used, by far, when it comes to ransomware. Bitcoin’s status as the reigning cryptocurrency king has been driven, in part, by the growth of cybercriminal markets and ransomware actors that greatly benefit by having a semi-anonymous payment option available. However, bitcoin is facing both growing pains and an expanding group of credible challengers that claim to have better answers to some of the current issues facing cryptocurrencies.

Cryptocurrencies are, for better or worse, intertwined with cybercrime, and dark web markets and malicious actors adopting new forms of payment such as Monero and Ethereum are helping push those currencies to new heights. With that growth comes new opportunities for cybercriminals as well as new concerns for law enforcement.

As we noted in a recent blog on AlphaBay’s plans to adopt Ethereum next month, the cryptocurrency has seen a dramatic increase in price on the heels of AlphaBay’s announcement and partnerships with legitimate financial institutions. Likewise, Monero was worth around $2.50 the day before AlphaBay announced plans to adopt the currency, and less than eight months later it has jumped to more than $26.

In December 2016 an AlphaBay support representative told Bitcoin Magazine that Monero accounted for about two percent of its sales, so bitcoin remains king. However, one can assume that the actors behind AlphaBay have plenty to gain financially by riding the wave created by the largest dark web marketplace adopting new cryptocurrencies — besides simply appeasing their customers.

Monero — which advertises itself as a “secure, private, untraceable currency” — is perhaps the most praised among cybercriminals. Bitcoin was not designed to be anonymous, and every transaction is publicly visible on the distributed ledger known as the blockchain. That’s why malicious actors use third-party tools such as bitcoin tumblers to help hide the origins of bitcoins. It’s also why law enforcement officials and security researchers have been able to “follow” bitcoins to bust those buying and selling illicit goods and services.

Monero, on the other hand, allows users to send and receive funds without transactions being publicly visible on the blockchain, which is one of the reasons some malicious actors prefer it.

“Bitcoin is much more vulnerable to chain analysis,” advised one AlphaBay member in September 2016, when the dark web market adopted Monero. “I can’t stress strongly enough how much more secure it is for darknet transactions.”

Monero is safer for both the buyer and seller, wrote one AlphaBay user.

Although cryptocurrencies such as Monero have not been as heavily scrutinized by law enforcement as the more popular bitcoin, their adoption among malicious actors is a concern — even if Monero is not perfect.

“There are obviously going to be issues if some of the more difficult to work with cryptocurrencies become popular,” Joseph Battaglia, a special agent working at the FBI’s Cyber Division in New York City, said at an event in January. “Monero is one that comes to mind, where it’s not very obvious what the transaction path is or what the actual value of the transaction is except to the end users.”

As a case in point, the dark web marketplace known as Oasis, which beat AlphaBay by two weeks to become the first market to accept Monero, suddenly went offline in late September 2016 in what may have been an exit scam. Various users quickly reported that at least 150 bitcoin was lost in the potential scam, but guessing how much Monero currency was stolen proved to be much more difficult.

“If we can’t find out, that’s a good thing,” wrote one redditor.

However, the FBI likely has a different view.

Ransomware Disrupting Business Operations and Demanding Higher Payouts

Malicious actors are continually fine-tuning their tactics, and one of the best examples of this is the evolution of ransomware. Ransomware has largely been an opportunistic, rather than a targeted, form of cybercrime with the goal of infecting as many users as possible. That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful.

As I wrote earlier this month, the surge of extortion attacks impacting organizations has led to a number of fake extortion threats, including empty ransomware demands where actors contact organizations, lie about the organization’s data being encrypted, and ask for money to remove the non-existent threat. Cybercriminals like to follow the path of least resistance, and an attack doesn’t get much easier than simply pretending to have done something malicious.

However, attacks over the past year have proven that infecting organizations with ransomware can result in much higher payouts. The more disruptive the attack, the more money some organizations are willing to pay to make the problem go away. As a result, ransomware actors are shifting their targets towards more disruptive attacks, which we examine in our latest report, Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

A quick look at some of the ransomware mentioned in SurfWatch Labs’ new report.

It was just 13 months ago that Hollywood Presbyterian Medical Center made national attention by paying $17,000 to decrypt its files after a ransomware attack. The incident was novel at the time, but those types of stories have since become commonplace.

For example:

  • On November 25, 2016, an HDDCryptor infection at the San Francisco Municipal Transportation Agency led to the temporary shutdown of ticketing machines and free rides for many passengers, costing an estimated $50,000 in lost fares.
  • On January 19, 2017, a ransomware infection of the St. Louis Public Library computer system temporarily halted checkouts across all 17 locations and led to a several-day outage of the library’s reservable computers.
  • On January 31, 2017, a ransomware infection in Licking County, Ohio, led to the IT department shutting down more than a thousand computers and left a variety of departments – including the 911 call center – unable to use computers and perform services as normal for several days.
  • In February 2017 at the RSA Conference, researchers from the Georgia Institute of Technology presented a proof-of-concept ransomware that targets the programmable logic controllers (PLCs) used in industrial control systems (ICS).

As the Georgia Institute of Technology researchers noted: “ICS networks usually have little valuable data, but instead place the highest value on downtime, equipment health, and safety to personnel. Therefore, ransomware authors can threaten all three to raise the value side of the tradeoff equation to make ICS ransomware profitable.”

In short, if actors understand what is most valuable to an organization and can find a way to effectively disrupt those goals, they can find success in yet-to-be targeted industries. It may require more legwork, but the higher potential payouts may make it worthwhile for some actors to engage in less widespread but potentially much more profitable attacks.

Government agencies, consumer services, educational institutions, healthcare organizations, and more have all had services disrupted by ransomware over the past six months.

In addition, just last week, researchers discovered a new ransomware family, dubbed “RanRan,” that doesn’t even ask for money. Instead, the ransomware attempts to force victims “to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.” The malware is described by the researchers as “fairly rudimentary” and there are a number of mistakes in the encryption process, but it serves as an example of how malicious actors that are not financially motivated can nevertheless leverage ransomware to achieve their goals.

Organizations need to take action to protect themselves against ransomware actors that are trying to find more effective ways to disrupt business operations and demand even higher ransom payouts. For more information on these evolving ransomware attacks, download SurfWatch Labs’ free report: Ransomware Actors Shift Gears: New Wave of Ransomware Attacks Aims to Lock Business Services, Not Just Data.

Fake Extortion Demands and Empty Threats on the Rise

I’ve previously written about the rise of extortion as an emerging trend for 2017, but if you didn’t want to take my word for it, you should have listened to the numerous warnings shared at this year’s RSA 2017. Cyber-extortion has become one of the primary cybersecurity-related issues facing organizations — and it appears to be here to stay.

My analyst team has researched cyber extortion and has found that malicious actors are not only engaging in these threat tactics, but they’re using the surging popularity of extortion and ransomware to target organizations with a variety of fake extortion demands and empty threats. We cover this topic in depth in our latest report, The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

In the graphic below I’ve noted some popular extortion threats, how actors carry out the threats, and the resulting impact. Essentially they’re following the path of least resistance and most profit.

The Many Faces of Extortion: Popular Threats

The number of organizations publicly associated with ransom and extortion continues to grow, and 2017 is on pace to see the highest number yet, based on data from the first two months of the year.

The gist of it all is that organizations have real fear around these threats and trust that bad actors have the ability to carry out these threats. Putting trust in bad guys is a bad idea!

The fake ransoms are successful in large part because their real counterparts have impacted so many organizations. We’re already on pace to have more organizations publicly tied to ransoms and extortion in 2017 than any other year.

FBI officials have estimated the single subset of extortion known as ransomware to be a billion-dollar-a-year business, and fake ransomware threats have sprung up in the wake of that growth. A November 2016 survey of large UK businesses found that more than 40 percent had been contacted by cybercriminals claiming a fake ransomware infection. Surprisingly, two-thirds of those contacted reportedly paid the “bluff” ransom.

DDoS extortion threats are similarly low-effort cybercriminal campaigns, requiring only the sending of a threatening email. Earlier this month, Reuters reported that extortionists using the name “Armada Collective” had threatened Taiwanese brokerages with DDoS threats. Several of the brokerages experienced legitimate attacks following the threats; however, 2016 saw several campaigns leveraging the Armada Collective name where the threats were completely empty. One campaign generated over $100,000 in payments despite researchers not finding a single incident where a DDoS attack was actually made.

A portion of the extortion email sent to the owner of Alpha Bookkeeping Services in Port Elizabeth, South Africa, in September 2016.

Extortion is also frequently tied to data breaches — both real and fake — as it is another simple and direct avenue for cybercriminals to monetize stolen data. In January 2017 the E-Sports Entertainment Association (ESEA) was breached and the actor demanded a ransom payment of $100,000 to not release or sell the information on 1.5 million players.

ESEA said in its breach announcement that it did not pay the ransom because “paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data.”

That is what reportedly happened to many of the victims who paid ransoms to have their hijacked MongoDB and other databases restored: they found themselves out both the data and the ransom payment. As noted in our report, it’s hard to have faith in cybercriminals, and organizations who do pay ransoms should be aware that in many cases those actors may not follow through after receiving extortion payments.

For more information on extortion threats and how to keep your organization safe, download the free report: The Extortion Epidemic: Fake Threats on the Rise as Ransoms and Blackmail Gain Popularity.

Weekly Cyber Risk Roundup: Ransomware and Insecure Databases Dominate Headlines

Ransomware and extortion continue to dominate the headlines in 2017. The past week saw several widely reported incidents involving service outages and lost data due to infections, as well as warnings that malicious actors are attempting to extort organizations via the threat of DDoS attacks.

The Austrian hotel Romantik Seehotel Jägerwirt paid approximately $1600 in ransom after ransomware locked the hotel out of its computer systems and the hotel was unable to issue new key cards to arriving guests. The hotel’s reservation system was down for 24 hours; however, the initial media reports that customers were locked in their rooms due to the incident were false, the owner told Motherboard. The hotel’s managing director told The Verge that the issue was that the hotel could not program keycards for the guests checking in on the same day due to the system being down. The Local reported that it was the fourth time the hotel had been hit by such an attack, prompting the company to go public in order to warn others about these types of cybercrime incidents.

Several other ransomware-related service outages were announced this week. Licking County, Ohio, shut down more than a thousand computers due to a ransomware infection. A variety of departments, such as the 911 call center, were unable to use computers and had to switch over to other forms of communication, and services such as courthouse phones and the issuing of court documents were made unavailable, 10TV reported. In addition, The Washington Post reported that ransomware left 123 of the 187 Washington D.C. police surveillance cameras, which monitor public spaces across the city, unable to record from January 12 to January 15. The ransom demand was not paid as the police simply removed all software and restarted the system at each site.

Finally, Hong Kong’s Securities and Futures Commission warned that brokers across the city are being targeted with DDoS attacks and extortion demands from cybercriminals, and it is urging financial institutions to implement and review security measures.


Other trending cybercrime events from the week include:

  • Warning issued following two dozen W-2 breach announcements: The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert on Thursday warning employers that W-2 phishing scams are spreading into sectors beyond the corporate world, including school districts, tribal organizations and nonprofits. In addition, the scammers are following up the request with a more traditional fraudulent wire transfer request, resulting in some organizations losing both employees’ W-2s and thousands of dollars due to wire transfers. SurfWatch Labs has identified at least 24 organizations publicly tied to W-2 data breaches over the past two weeks. The emails are a form of the popular Business Email Compromise scam, such as the one against Sedgwick County that led to $566,000 being fraudulently transferred.
  • Shamoon malware strikes again: Saudi Arabia’s telecom authority is warning organizations to be on the lookout for Shamoon 2 after recent attacks led to at least three government agencies and four private sector companies going offline for 48 hours. Among those targeted were multiple petrochemical and IT services companies, which reportedly shut down their networks in an attempt to protect themselves. It appears the goal of the attack was disruption, not data exfiltration, similar to previous Shamoon attacks; however, the incident was less destructive than similar attacks in November, as backups were more commonplace due to that previous incident.
  • Czech foreign ministry targeted with DNC-style hack: A foreign government hacked the email system of the Czech foreign ministry and accessed the email system used by employees to communicate with people outside the ministry in an attack similar to the breach of the Democratic National Committee, Foreign Minister Lubomir Zaoralek said. A spokesperson for the Czech minister said the scale of the attack is still being assessed but noted that other ministries “might be in a little bit of a problem.” Officials indirectly accused Russia of carrying out the attacks.
  • Printing company exposes 400 GB of data: A PIP Printing and Marketing Services franchise branch located in California exposed 400 gigabytes of sensitive information due to a publicly available backup server without any password protection. The exposed data includes 50 GB of scanned documents relating to court cases, medical records, well-known companies and celebrities, as well as an archive of correspondence with attached documents, some of which have credit card numbers and billing details in plain text.
  • Other cybercrime announcements: The Xbox360 ISO and PSP ISO forums, which provide gamers with links to free and often-illegal game downloads, were hacked in September 2015 and the details of 2.5 million accounts were leaked. Security firms Dr. Web and Emsisoft were targeted by DDoS attacks after publishing research related to a botnet of Linux devices and an update for the Merry Christmas ransomware (MRCR) decryptor tool. The hacking group OurMine hacked into a variety of social media accounts belonging to the WWE and CNN. Toys “R” Us is forcing reward members to reset account passwords after the vendor responsible for managing the program notified the company of attempts to access customer accounts and steal coupons using credentials reused from other data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

The past week once again saw numerous organizations exposing data due to insecure public databases, and several of those databases reportedly contained data that was no longer in use.

Security researcher Chris Vickery discovered unsecured database backup files from Indycar, which exposed the personal information of more than 200,000 users as well as Indycar employee login credentials. The user data was related to a now-retired Indycar bulletin board and contained sensitive information such as names, usernames, email and physical addresses, dates of birth, password hashes and security questions and answers.

As Vickery noted, holding that user data was unnecessary since the board was no longer in use:

Why do companies hold on to password hashes long after the associated site has been shuttered? That’s nothing but liability. They are putting customers at risk for no gain. There was absolutely nothing for Indycar to gain by holding on to these password hashes. And now they are faced with negative PR as word of the situation gets out to racing fans.

In addition, Polish game development studio CD Projekt RED, which developed the popular Witcher franchise, announced that a now-obsolete forum database was hacked and more than 1.8 million user credentials were stolen in March 2016.

“It’s the old database we used to run the forum before we migrated to the login system powered by our sister company — GOG.com,” the company wrote in a post on its forums. “At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier.”

The incidents are reminders that when it comes to cybersecurity, less data tends to equal less risk. This is particularly true for data that is no longer required to be held and may therefore receive less scrutiny than data that is being actively used. In short, if your organization is holding on to unnecessary data, it is opening itself up to unnecessary risk.

Weekly Cyber Risk Roundup: Ransomware Disrupts Organizations and Massive Data Leaks

Extortion is once again the top trending cybercrime issue as concern continues around the theft, destruction and blackmail related to thousands of insecure MongoDB, Elasticsearch, CouchDB and Hadoop Distributed File System installations. While those stories led much of the past week’s discussion, there was also a steady stream of reports of organizations being infected with ransomware.

The most impactful, publicly known ransomware attack of late involves the St. Louis Public Library. The attack hit 700 computers across all 17 of the library’s locations on Thursday, forcing the library to temporarily stop all book borrowing. A $35,000 ransom demand was made, but the library said it will wipe its computer system rather than pay. Checkout service was restored to all locations on Saturday, according to the St. Louis Post Dispatch, and the library’s next priority is to restore service to the publicly available computers – although as of Sunday morning the library’s website stated that the “use of reservable computers is suspended.” A spokesperson said the criminals managed to infect a centralized computer server, which also disrupted the staff’s email system.

Other organizations to report disrupted services due to apparent ransomware attacks include Advanced Flexible Composites in Illinois, Valley Springs School District in Arkansas, and Kanawha County Schools in Virginia. Advanced Flexible Composites notified its customers that a January 17 hack of its computer system prevented the company from receiving emails and processing quote requests or orders. Not much information was provided about the attack; however, on the surface it sounds like a ransomware infection. Valley Springs School District’s superintendent said the school’s infection may lead to some information saved by teachers being lost, such as lesson plans, curriculum and tests. Kanawha County Schools said that it was able to restore internal documents after its incident but that its website would take longer to bring back online.

Finally, the Delaware Department of Insurance is investigating an incident involving a ransomware infection and the unauthorized access of customer data at Summit Reinsurance Services and BCS Financial Corporation.


Other trending cybercrime events from the week include:

  • New type of SWIFT attack: Malicious actors compromised the SWIFT systems of three Indian banks and created fake trade documents that may have been used to raise finance abroad or facilitate dealings in banned items. “There was fraudulent duplication of trade documents like letters of credit (LC) and guarantees which the hackers may have or planning to encash with some offshore banks,” a source told ET Tech. “It’s also possible that hackers did not present the fake LCs to raise funds but to carry out trade of prohibited or illegal commodities.”
  • Popeye’s point-of-sale breach: Point-of-sale malware was discovered at the restaurant chain Popeyes, and customers who used their payment cards at one of 10 infected locations between May 5, 2016, and August 18, 2016, likely had their information stolen, the company said in a press release. The ten locations include seven in Texas, two in North Carolina, and one in Georgia.
  • More employee and third-party breaches: Police in the Netherlands are alerting 20,000 potential victims about a man who worked at various companies as a website builder and used his position to insert a special script that allowed him to steal usernames and passwords. Online fashion store Showpo is suing a former employee and an online retailer over allegations the graphic designer exported a database of 306,000 customers from MailChimp and passed the information along to online retailer Black Swallow. Customers of the Victorian Game Management Authority in Australia had their personal information potentially exposed when the authority accidentally sent customer data to eight individuals who were renewing their game license. A third-party advertiser that promotes Canada’s Grey Eagle Resort and Casino was hacked and fake text messages were sent to the casino’s VIP members telling them the casino “will be closed for the remainder of January due to infestation and rodent problems.”
  • Healthcare-related breaches: TheDarkOverlord said it stole data from Little Red Door Cancer Services of East Central Indiana and attempted to extort the organization by threatening to release the data. CoPilot Provider Support Services announced a breach affecting approximately 220,000 individuals due to a database being illegally accessed in October 2015. Sentara Healthcare is notifying 5,454 vascular and thoracic patients that their medical information was compromised due to a breach at an unnamed third party. The orthopedics practice at The University of Maryland Faculty Physicians Inc. is notifying 1,500 patients that their information may have been accessed when an email account belonging to a physician assistant was hacked. Barts Health NHS Trust experienced a malware infection that led to taking numerous hard drives offline “as a precautionary measure” and using a manual backup for its computerized pathology results service.
  • Other announcements: Hackers targeted a laptop belonging to the special investigation team probing South Korean President Park Geun-hye’s political scandal. Current and former employees of Dracut Public Schools had their Social Security numbers and other personal information compromised due to an employee falling for a phishing attack. A Russian-language version of the series finale of Sherlock circulated online before the episode was broadcast. The forums of Clash of Clans developer Supercell and MrExcel, both of which use vBulletin, announced data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Security researchers frequently discover private data being exposed to the Internet due to technical errors such as poorly secured data backups, and this past week saw several new incidents along those lines.

Chris Vickery’s discovery of multiple misconfigured Rsync instances at Canadian ISP KWIC appears to be a truly massive potential breach, with CSO Online reporting that terabytes of information for all of its customers was exposed. The issue was fixed after the company was notified of the problem; however, it is unclear how long the information was available before the fix. The data exposed included credit card details, email addresses, passwords, names, home and business addresses, phone numbers, email backups, VPN details and credentials, internal KWIC backups, and more.

In last week’s roundup we noted that incorrectly configured databases exposed the data of 3.3 million Hello Kitty fans as well as thousands of patients of Canadian plastic surgery company SpaSurgica. The week before that, data related to healthcare professionals deployed within the U.S. Military’s Special Operations Command (SOCOM) was exposed in a similar fashion. The week before that, data belonging to Ameriprise clients was exposed due to an advisor synchronizing data between his home and work drives, with neither drive requiring a password.

This past week saw a similar story of a poorly configured backup drive. Interpreters Unlimited, a California-based translation and interpreter company, exposed thousands of sensitive documents due to an Internet-connected backup drive used by an IT manager that had no password protection and was online for four to six months. Files seen by ZDNet showed that the drive contained dozens of usernames, email addresses and passwords stored in plain text for the company’s infrastructure, including its website, hosted email and domain name servers, and remote desktop apps. The drive also contained the private data of clients and employees such as Social Security numbers and the amount of money translators earned.

The constant trickle of company, customer and employee data being leaked due to the poor practices of employees and partners should serve as a reminder for all organizations that data breaches often spring from mistakes made within the organization — not just external cybercriminals.

Weekly Cyber Risk Roundup: More Extortion and Marijuana Retailers’ Woes

Extortion continues to dominate the cybercrime headlines in 2017 with the week’s top two trending targets being the successful ransom at Los Angeles Valley College and continued extortion attempts around MongoDB databases.

It was less than a year ago that Hollywood Presbyterian Medical Center became a national news story by paying a $17,000 ransomware demand so that staff could regain access to infected computers. A year later those types of stories are no longer unique; they’re routine. Los Angeles Community College District’s recent decision to pay a $28,000 ransom after an infection “disrupted many computer, online, email and voice mail systems” is just the latest example.

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the district said in a FAQ, echoing the sentiments of many other organizations who’ve decided to pay ransoms. “The District has a cybersecurity insurance policy to address these specific types of cyber intrusions and it was activated during this incident. While much time will pass before this matter is resolved, we have already availed ourselves of the resources provided by the policy, including assistance of cybersecurity experts.”

In addition, the ongoing issue of insecure MongoDB databases being stolen, deleted and subsequently extorted continues to rack up thousands of new potential victims, including Princeton University. Researchers Victor Gevers and Niall Merrigan have been tracking the various victims and ransom demands as threat actors compete to have the most up-to-date ransom notes. The problem, Merrigan told KrebsOnSecurity, is that with so many actors the victims may not know who actually has the stolen data. Merrigan advises victims not to pay unless they have proof that the extortionists actually have the files being ransomed. Lastly, it appears some of those actors have now shifted towards ElasticSearch servers, with more than 3,000 victims as of Monday morning.


Other trending cybercrime events from the week include:

  • Another week of large-scale breaches: Mobile forensics company Cellebrite was breached and 900 GB of data was compromised, including customer information, databases and a vast amount of technical data regarding Cellebrite’s products. E-Sports Entertainment Association (ESEA) was hacked last December and a database containing information on 1.5 million players was stolen. The actor also attempted to extort the company for $100,000, but ESEA refused to pay. Three brokers who left the commercial real estate firm Avison Young used external hard drives to download “massive amounts of data,” including client and financial information, market intelligence and strategic plans, according to a complaint filed by the firm.
  • More accidental data exposure: A MongoDB database belonging to Sanrio, the company behind Hello Kitty, was misconfigured and exposed to the public in 2015, and a copy of that database has recently surfaced online. Approximately 3.3 million Hello Kitty fans are affected, including 186,261 records related to individuals under the age of 18. Canadian plastic surgery company SpaSurgica exposed the detailed medical histories of thousands of patients due to an unprotected remote synchronization (rsync) service, according to MacKeeper researchers. The files contained medical histories, personal information, and intimate before-and-after pictures of breast augmentation and other surgeries. An email sent by Ball State University’s retention office to students on academic probation accidentally contained an Excel spreadsheet of 59 students on probation for the spring semester rather than the planned attachment about upcoming academic help sessions.
  • Cyber-attack leads to another blackout: The December 2016 blackout in Ukraine was due to a cyber-attack, and it is connected to a similar attack in 2015, as well as hacks at the national railway system, several government ministries and a national pension fund. The head of ISSP, a Ukrainian company investigating the incident, said that the recent attack against a Ukrainian utility was a “more complex” and “much better organized” version of the 2015 attack. He also said that the different cybercriminal groups that worked together appeared to be testing techniques that could be used elsewhere in the world.
  • Other breach announcements: Outdated data management software led to the leak of financial information for at least 2,000 Taipei City Government employees, city officials said. A November data breach at the TwoPlusTwo poker forum exposed the personal information of its users, and the stolen data was subsequently offered for sale on the Internet. Fraudulent login attempts were made against Spreadshirt partner accounts using previously compromised credentials, with the goal of redirecting payments by changing the PayPal payout address. Dozens of Israeli soldiers had their smartphones compromised by Hamas operatives posing as attractive women on social media. Italian police have arrested two siblings for allegedly hacking into thousands of email accounts using customized malware known as “EyePyramid” and then using the stolen information to make investments. The Susan M. Hughes Center recently notified HHS of an August ransomware infection that affected 11,400 patients’ information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-01-013_ittnew

Cyber Risk Trends From the Past Week

2017-01-013_risk

As SurfWatch Labs noted in its annual report, organizations are increasingly struggling with third-party and supply chain cybercrime.

This issue was highlighted once again this past week as a cyber-attack at MJ Freeway, a popular software platform used by marijuana retailers, disrupted operations at 1,000 retailers across 23 states. A full week after the initial attack the company is still working to restore some level of service to many of its clients. A full recovery may take several weeks, Jeannette Ward, director of data and marketing for MJ Freeway, told Marijuana Business Daily.

The motivations behind the attack are unclear, but it appears to have been aimed at destroying the company’s data rather than stealing it.

“Attackers took down both MJ Freeway’s production and backup servers, causing an outage for all of our clients,” MJ Freeway CEO Amy Poinsett said in a video uploaded on Saturday. “Current analysis shows the attackers did not extract any client or patient data and did not view any patient data thanks to encryption measures we had in place.”

However, she added that “the damage from the attack is extensive,” and the company is currently trying to call customers individually to move them to alternate MJ Freeway sites, which is taking more time than she would like. A number of stores had to temporarily close due to the outage, and those that remained open have had to deal with lengthy lines and customer complaints as manual transactions increased the time for each sale.

As SurfWatch Labs noted in its 2016 Cyber Trends Report, the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services,” the report stated. “Cybercrime is increasingly interconnected, and the effects of one data breach or cyber-attack are difficult to isolate and contain.”

That appears to be the case with MJ Freeway.

Weekly Cyber Risk Roundup: Another Botnet and the Gamification of Cybercrime

Botnets were once again front-and-center this past week as new developments were announced by security researchers, malicious actors and government officials.

2016-12-09_ITT.png

To start, CloudFlare observed a ten-day-long series of distributed denial-of-service (DDoS) attacks that generated as much as 400 Gbps of traffic, sparking fears of yet another massive botnet capable of disrupting organizations. The attacks “are not coming from the much talked about Mirai botnet,” the researchers wrote. “They are using different attack software and are sending very large L3/L4 floods aimed at the TCP protocol.”

Following that announcement, the hacker known as BestBuy, who had previously begun advertising a Mirai-based DDoS service, claimed to have taken control of 3.2 million routers. He told Motherboard that a server he set up automatically connects to vulnerable routers and pushes a malicious firmware update to them. “They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” he said in an online chat. “Bots that cannot die until u throw device into the trash.”

If true, those developments are certainly worrisome for organizations like Deutsche Telekom, the UK Post Office, TalkTalk and the ISP KCOM, all of which have seen customer outages due to attempted Mirai infections, not to mention the businesses that may be targeted with DDoS attacks from all those compromised devices.

One piece of good news on the botnet front: the cybercriminal network known as Avalanche was dismantled in what authorities are describing as the largest-ever use of sinkholing to combat botnet infrastructures. Europol said that the four-year investigation with global partners resulted in over 800,000 domains being seized, sinkholed or blocked. Although exact calculations are difficult, monetary losses associated with attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide.

2016-12-09_groups

Other trending cybercrime events from the week include:

  • Massive thefts announced: Technical trade secrets were stolen from ThyssenKrupp, one of the world’s largest steel makers, in what the company described as a “massive cyber attack.” The theft occurred at the steel production and manufacturing plant design divisions, the company said. Two billion rubles ($31 million) were stolen from banking clients that hold accounts at Russia’s central bank, according to a bank spokesperson. The hackers attempted to steal approximately five billion rubles, but the bank managed to recover some of the money. Reuters reported that hackers broke into accounts at the bank by faking a client’s credentials, citing a report issued by the bank.
  • Ransomware updates: The ransomware attack that affected about 900 computers at the San Francisco Municipal Transportation Agency cost the agency an estimated $50,000 in lost fares due to passengers being unable to pay. Ransomware behind the infection that caused an NHS hospital trust to shut down systems and cancel 2,800 patient appointments in early November has been confirmed as Globe2. Allegheny County district attorney Stephen Zappala Jr. admitted that his office was hit in January 2015 and that the office paid nearly $1,400 in ransom. The announcement came after several victims of the Avalanche network were revealed via court documents.
  • Malicious insiders face consequences: A former computer support technician employed at Expedia subsidiary Hotwire.com pleaded guilty to accessing the emails of executives and using that non-public information to illegally profit from trading Expedia stock. The man accessed documents and emails on the devices of the Chief Financial Officer and the Head of Investor Relations. A former employee of Internet service provider Pa Online was sentenced to 24 months in prison and ordered to pay $26,000 in restitution for hacking into Pa Online’s network after being fired and installing malware that caused files and directories to be erased and the network to crash.
  • Third-party breaches: More than 43,000 Indian patient pathology reports, including those of HIV patients, were left publicly exposed by Health Solutions. Security researcher Troy Hunt said the information has now been removed from public view after a lengthy process to track down and motivate those behind the leak, and that the incident appears to be the result of shockingly poor security. A breach of a contractor’s email account exposed the information of individuals who participated in the U.S. Olympic Committee’s 100-Days Out event in April 2016. Members of the Scotland Supporters Club were sent phishing emails from the Scottish Football Association’s official email account after a third-party email database was compromised.
  • Other data breaches: An intranet server for South Korea’s cyber command was infected with malware, and the attack appears to have come from North Korea, the South Korean military said. An official said that some military documents had been accessed, including confidential information, but that the full extent of the leak has yet to be determined. Around 420,000 customers may have had their personal information leaked due to a data breach at an online store run by IPSA, a subsidiary of Japanese cosmetics maker Shiseido. A University of Wisconsin–Madison law school database was breached, resulting in 1,213 applicants having their names and Social Security numbers compromised.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2016-12-09_ittnew

Cyber Risk Trends From the Past Week

2016-12-09_risk

One of the more interesting developments over the past week is the new tactics being used by malicious actors to spread malware and encourage cyber-attacks. For example, a new ransomware called “Popcorn Time” encourages victims to spread the ransomware themselves by offering them a choice when it comes to decrypting their files. They can go the usual route of paying the 1 bitcoin ransom, or they can go the “nasty way” and infect other users in order to avoid payment.

popcorn_ransomware_referral.png

“Send the link below to other people, if two or more people will install this file and pay, we will decrypt your files for free,” the malware authors wrote. This is the first time SurfWatch Labs has observed ransomware developers using the tactic of leveraging victims in order to intentionally spread the malware.

Another interesting cybercriminal tactic is being used by a DDoS collaboration service called “Surface Defense.” A set of Turkish hackers is using gamification to encourage others to attack political organizations that are not in line with Turkey’s government. They provide a point system for attacks, rewards that can be earned, and a live scoreboard. Rewards include cybercriminal tools such as click-fraud bots and the Sledgehammer DDoS tool. Two dozen organizations are being targeted by the gamified DDoS service, including the German Christian Democratic Party, the People’s Democratic Party of Turkey, the Armenian Genocide Archive, and the Kurdistan Workers’ Party. Users can also suggest new targets.

Malicious actors are continuing to experiment with new ways to expand their reach. It is difficult to judge how successful these types of tactics will be, but expect other actors to incorporate similar features in the future if they are proven to be successful.