St. Jude – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Instagram Bug May Affect Millions and FDA Recalls Vulnerable Pacemakers

Instagram was among the week’s top trending cybercrime targets due to both the company confirming a bug that may have leaked some users’ personal information and a malicious actor claiming that he is selling the personal data of six million Instagram users.

On August 28, Instagram’s most popular user, Selena Gomez, had her account hacked and used to spread nude photographs from 2015 of her ex-boyfriend Justin Bieber. Two days later, Instagram warned that a bug in the Instagram API had been used to steal some high-profile users’ personal information — which may have contributed to the Gomez account takeover.

“We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information — specifically email address and phone number — by exploiting a bug in an Instagram API,” the company said. “At this point we believe this effort was targeted at high-profile users so, out of an abundance of caution, we are notifying our verified account holders of this issue.”

However, that same day a malicious actor claiming to have scraped the personal data of six million Instagram users contacted Ars Technica and told the outlet that he or she was selling the data in a searchable website for $10 per query. The actor claimed to have learned of the vulnerability used to scrape the data in an IRC discussion — suggesting that the bug confirmed by Instagram may have a wider scope of impact than initially thought. An Instagram representative said company officials are aware of the claim and are investigating it. Researchers said the 10,000-record sample provider by the actor appears to be legitimate. Until Instagram clarifies the extent of the bug and the subsequent breach of personal information, Instagram users should assume that their associated email addresses and phone numbers may in the hands of malicious actors.

Other trending cybercrime events from the week include:

Numerous ransomware announcements: NHS Lanarkshire hospitals were disrupted by a Bitpaymer ransomware infection that resulted in the staff bank and telephone systems going offline, as well as the rescheduling of appointments. An employee of the German state parliament of Saxony-Anhalt opened a malicious attachment in a spear phishing email, leading to a ransomware infection that media said “crippled” the state parliament’s network. Dorchester School District 2 in South Carolina announced it paid $2,900 via its insurance coverage after 25 of the 65 servers for the district’s computer network were infected with ransomware. Medical Oncology Hematology Consultants, PA in Delaware said that a ransomware infection affected 19,203 patients. The Indiana accounting firm Whitinger & Company notified clients of a data breach and ransomware attack.

Insiders lead to lawsuits, data breaches: Allstate Insurance has filed a lawsuit against Ameriprise Financial accusing the company of attempting to steal confidential information by encouraging Allstate agents to create contact lists and download client data to use in soliciting clients once they quit and get hired at Ameriprise. Tewksbury Hospital in Massachusetts discovered unauthorized employee access to patients’ medical records that dated back to 2003 and is attempting to notify affected individuals that their information was compromised.

Organizations expose data: Researchers discovered an insecure backup device belonging to the London-based Bell Lomax Agency that exposed thousands of documents related to the company and its literary clients. MacKeeper researchers said anyone could access the documents, which included the Agency’s Quickbooks accounting files, archive email boxes, financial data, expenses, administrative details, royalties, and client details for 2014-2015. Major League Lacrosse is notifying all players that their information was accidentally available online due a link on its website that pointed to a spreadsheet containing data on every player in the league.

Other notable incidents: There have been multiple attacks against South Korean cryptocurrency exchanges, financial technology companies, and startups that use blockchain technology. CeX is notifying two million registered website customers that their information may have been accessed by an unauthorized third party. MacEwan University said that it was the victim of an $11.8 million wire transfer fraud after a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. Swedish web hosting company Loopia said that hackers accessed parts of its customer database, including customer contact information and encrypted passwords. Zazzle is warning customers that their accounts may have been compromised due to brute-force attacks and is prompting customers to choose new passwords. Oklahoma City’s Tower Hotel is the latest in a growing number of hotels to announce being impacted by the breach of the Sabre Hospitality Solutions SynXis Central Reservations system. The hacking group OurMine used a domain spoofing attack to redirect visitors of WikiLeaks website to a page created by the group.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

The FDA has approved a firmware update for certain Abbott (formerly St. Jude’s) pacemakers to address cybersecurity vulnerabilities — essentially ordering a recall to correct the issues present in 465,000 implanted RF-enabled cardiac pacemakers.

“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical’s RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient’s physician) to access a patient’s device using commercially available equipment,” the FDA wrote in safety communication. “This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”

The firmware update follows a series of high-profile news stories regarding St. Jude dating back to 2016 when the healthcare cybersecurity company MedSec teamed up with the short selling firm Muddy Waters to disclose — and ultimately profit from — several remotely executable flaws in St. Jude pacemakers and defibrillators. A lawsuit, government alerts, and a January 2017 patch that many claimed fell short followed (the timeline is summarized well in this article from CSO Online).

The firmware update requires an in-person patient visit with a health care provider and takes approximately 3 minutes to complete. After installing the update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The FDA asks affected patients to consult with their physicians about any risks associated with receiving the firmware update, which has “a very low risk of an update malfunction.”

In 2016, the FDA issued recommendations to manufacturers for continued monitoring, reporting, and remediation of medical device cybersecurity vulnerabilities.

Weekly Cyber Risk Roundup: Payment Card Breaches, Malicious Insiders, and Regulatory Action

Gamestop was the week’s top trending cybercrime target as the company is investigating reports that customer payment card information may have been stolen from gamestop.com. In addition to Gamestop, payment card information was also stolen from the restaurant chain Shoney’s and a series of car washes have issued breach notification letters tied to a compromise at an unnamed third-party point-of-sale (POS) provider.

Two sources told Brian Krebs last week that an alert from a credit card processor indicated gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017. The sources said that card numbers, expiration dates, names, addresses, and verification codes were stolen due to the breach. Gamestop also operates thousands of retail locations, but there is no indication that those have been affected.

However, dozens of Shoney’s locations were impacted by a recent POS breach. A week after Krebs reported the Gamestop breach, confidential alerts from credit card associations stated that similar payment card data was stolen from the restaurant chain. Best American Hospitality Corp., which manages some of Shoney’s corporate affiliated restaurants, later issued a press release saying that remotely installed POS malware led to breaches at 37 Shoney’s locations between December 27, 2016, and March 6, 2017.

In addition, Acme Car Wash, Auto Pride Car Wash, Clearwater Express Car Wash, Waterworks Car Wash, and Wildwater Express Carwash were all notified of a point-of-sale (PoS) malware infection by their unnamed third-party POS provider. The notification occurred on March 27, and customers who used a payment card at those business during various periods in February may have had their data compromised.

Other trending cybercrime events from the week include:

New data breaches announced: A backup database containing information on 918,000 people and belonging to telemarketing company HealthNow Networks was exposed on the Internet, compromising a variety of individuals’ personal and health information. The payday loan company Wonga is investigating a data breach that may have affected up to 245,000 customers in the UK and 25,000 customers in Poland. As many as 115 families had their private information compromised when the Victorian Education Department mistakenly published documents to its website for 24 hours. At least 83 University of Louisville employees had their W-2 forms accessed when an intruder gained access to W-2 Express, a product of Equifax used by the school to provide employees with access to tax documents.

More SWIFT attacks made public: The Union Bank of India faced an attack leveraging the SWIFT system that attempted to perform $170 million in fraudulent transactions last July, but the bank was able to block the transfer of funds, the Wall Street Journal reported. The bank’s SWIFT access codes were stolen by malware after an employee opened a malicious email attachment, and the codes were used to send fraudulent instructions in an attack similar to the one that successfully stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve in February 2016.

Ransomware continues to impact patient care: A ransomware infection at Erie County Medical Center blocked access to electronic patient records and forced the center to reschedule some elective surgeries, sources told news outlets; however, the hospital has yet to confirm the shutdown of its computer was due to ransomware. IT workers have been re-imaging about 6,000 desktop computers that had to be wiped clean as a result of the infection. Ashland Women’s Health reported a data breach affecting 19,727 patients after ransomware encrypted data on the practice’s electronic health record system, including its patient scheduling application. The practice was able to restore the encrypted data using a backup, and patient care was impacted for a couple of days due to the incident.

Amazon seller accounts being hacked: Hackers are using previously compromised credentials to hijack the accounts of third-party sellers on Amazon Marketplace, change the bank account information, and then post nonexistent merchandise at cheap prices to defraud customers. The buyers are eligible for refunds from the sellers, which may come as a surprise to the account owners as the hackers are targeting dormant accounts. A company spokesperson told NBC News that it is working to make sure sellers do not have to handle the financial burden of the hacks.

Other notable cybercrime events: Five inmates at the Marion Correctional Institution used computers built from spare parts and hidden in a ceiling in a closet to perform a variety of malicious activities while incarcerated. A team of Indonesian hackers gained access to the online ticketing site Tiket.com and stole approximately Rp 4.1 billion ($308,000 USD) worth of airline tickets from carrier Citilink. Dallas officials are blaming a hacker for setting off all 156 of the city’s warning sirens more than a dozen times.

Cyber Risk Trends From the Past Week

A variety of stories from the past week once again highlighted threats that originate not from external hackers, but from organizations’ employees and poor risk management practices.

To start, Allegro Microsystems has accused a former employee of causing $100,000 worth of damages by logging into the company’s network multiple times after resigning in order to implant malware. According to court documents, the man allegedly returned a computer meant for personal use rather than his work computer when resigning, and he used that work computer along with system administrator credentials to insert malicious code into Allegro’s finance module. The employee “designed the malicious code to copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless,” the documents stated.

Another case involved a DuPont employee who admitted to stealing data from DuPont in the months before he retired in order to bolster a consulting business he planned to run. The man allegedly copied 20,000 files to his personal computer, including formulas, data, and customer information related to developments in flexographic printing plate technology. He also took pictures of restricted areas of DuPont’s plant.

On the regulatory side, the FDA sent a letter to St. Jude Medical demanding the company take action to correct a series of violations related to risks posed by the company’s implantable medical devices — an issue that received quite a bit of attention last summer after a report published by Muddy Waters and MedSec shed light on the alleged vulnerabilities. St. Jude must respond to the FDA within 15 days with “specific steps [it has] taken to correct the noted violations, as well as an explanation of how [it] plans to prevent these violations, or similar violations, from occurring again” — or else St. Jude may face further regulatory action, including potential fines.

That is what happened to Metro Community Provider Network (MCPN), which agreed last week to pay $400,000 following a January 2012 phishing incident that exposed the electronic protected health information (ePHI) of 3,2000 individuals. An investigation conducted by the Office for Civil Rights revealed that “prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.” As a result, MCPN will pay the penalty and implement a corrective action plan to better safeguard ePHI in the future.

Short Selling Vulnerabilities Latest in String of Stock Market Manipulation

Medical device company St. Jude filed a lawsuit yesterday against Muddy Waters and MedSec Holdings over a “false” report about cybersecurity issues in St. Jude’s cardiac devices. The August report caused the company’s stock to drop more than ten percent on the heels of those allegations and raised questions around a pending $25 billion deal to be acquired by Abbott Laboratories.

The heart of the issue is that MedSec Holdings, which discovered the alleged flaws, did not disclose them to St. Jude; rather, they took their findings to short-selling firm Muddy Waters in order to short St. Jude stock and turn a profit from the public disclosure.

MedSec contacted Muddy Waters with the proposal to short St. Jude stock after spending 18 months doing research and not generating any revenue, CEO Justine Bone said. Money made from shorting the stock will help finance development of secure medical device technology.

In its lawsuit, St. Jude said, “This insidious scheme to try to frighten and confuse patients and doctors by publicly disseminating false and unsubstantiated information in order to gain a financial windfall and thereby cause investors to panic and drive the St. Jude stock price down must by stopped and defendants must be held accountable so that such activity will not be incentivized and repeated in the future.”

The public battle has been at the center of an ongoing debate over the past two weeks — once again putting the issue of manipulating the stock market via cyber front and center.

Malicious Actors Profit From Stock Market

It’s no secret that malicious actors seek similar types of non-public information that can be used to leverage big profits in the stock market.

Perhaps the most famous recent case involves the theft of press releases from various newswire services. According to an August 2015 complaint filed by the Securities Exchange Commission (SEC), hackers gained access to the services, stole more than 100,000 press releases for publicly traded companies, and then used that information – often quarterly or annual earnings data – to reap over $100 million in unlawful profits.

As we noted in our 2015 Cyber Risk Report, the hackers worked with a network of traders to capitalize on the window between when a draft of a press release was provided and when it was made available to the public. In some instances that window was only a few minutes, but having that knowledge was extremely profitable, as the SEC complaint demonstrated.

2h2015_sec — By using non-public earnings information, the network of traders listed above were able to generate millions of dollars in profits through illegal trades.

Additionally, last summer reports of the hacking group Fin4 breaking into corporate email accounts to steal mergers and acquisitions data sparked the SEC to approach companies about possible breaches.

“The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading,” John Reed Stark, a former head of Internet enforcement at the SEC, told Reuters.

Other cybercriminals have used less sophisticated methods to manipulate stock prices.

In July Gery Shalon, 32, and Ziv Orenstein, 41, were extradited from Israel and pled not guilty to charges that included a breach at JPMorgan Chase, which authorities described as the “largest theft of customer data from a U.S. financial institution in history.” The stolen contact information was used to send deceptive communications in order to inflate stock prices, a practice known as pump and dump.

First, they would execute prearranged manipulative trades to cause the stock’s price to rise small amounts on successive days. Then they would send spam emails — sometimes millions a day — touting the stock. Finally, after artificially pumping up the price, they would dump their shares of the stock for huge profits.

A New White-Hat Shorting Strategy

While cyber-experts have long-pointed to the massive profits criminals can make from combining cyber-attacks with strategies such as shorting, the move towards white-hat hackers doing the same thing has created some concern.

MedSec CEO Justine Bone said she knows the approach they used will lead to criticism, but that it was the most powerful way to inflict pain on St. Jude over the company’s “negligent level of attention to cybersecurity.”

Although many companies have implemented bug bounties in an effort to encourage researchers and other hackers to disclose vulnerabilities in a responsible manner, those programs often don’t come with big payouts or spur the change desired by the person who disclosed the bug. Those players may attempt to copy the MedSec strategy — resulting in more profits and more public pressure to respond to alleged vulnerabilities. That gives yet another reason for investors to be concerned over potential cyber issues.

Medical device consultants Billy Rios and Jonathan Butts told Bloomberg that traders were clearly blindsided and scrambling over this new idea, having been inundated with requests from hedge funds, short sellers and other investors about the Muddy Waters report.

“This is almost like The Big Short,” Butts said. “Someone saw something that nobody else did.”