supply chain – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Deloitte Breached and More Possible Supply Chain Attacks

Deloitte, one the world’s “big four” accounting firms, was the week’s top trending new cybercrime target after it was reported that the firm experienced a breach that compromised some of its clients’ information.

The Guardian reported that Deloitte clients’ information was compromised after a malicious actor gained access to the firm’s global email server through an administrator account that did not have two-step verification enabled.

Six Deloitte clients have been informed of the breach, which was first discovered in March 2017 and may have dated back to October 2016. The Guardian was told that an estimated five million emails could have been accessed by the hackers since emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service; however, Deloitte said the number of emails that were at risk is “very small fraction of the amount that has been suggested.”

Shortly after The Guardian story broke, Brian Krebs reported that a source close to the Deloitte investigation said the company’s breach involves the compromise of all administrator accounts at the company, that it’s “unfortunate how we have handled this and swept it under the rug,” and that “it wasn’t a small amount of emails like reported.” The source also said that investigators identified several gigabytes of data being exfiltrated and that Deloitte is not sure exactly how much data was taken.

Additionally, The Register reported that what appeared to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found within a public-facing GitHub-hosted repository; that a Deloitte employee uploaded company proxy login credentials to his public Google+ page; and that Deloitte has “loads” of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled.

Other trending cybercrime events from the week include:

Ransomware continues: Montgomery County, Alabama officials said the county paid 9 bitcoins ($37,000) in ransom to regain access to its files after a SamSam ransomware infection disrupted services at the Montgomery County District Attorney’s Office. Officials said they had backups in place, but that the off-site backup servers were nearing capacity, along with some other issues. San Ysidro School District said it was infected with ransomware that affected emails and some shared files and demanded $18,000 in ransom. However, the school did not pay the ransom as it had a backup in place. The Arkansas Oral & Facial Surgery Center is notifying patients of a July 26 ransomware infection that made inaccessible imaging files such as x-rays, document attachments, and all electronic patient data related to visits within three weeks prior to the infection.
Other extortion attacks: Malicious actors are using compromised iCloud credentials along with Find My iPhone to lock users computers with a passcode and then demand a ransom to unlock the device. Mac Rumors reported that the attack can bypass two-factor authentication since Apple allows users to access Find My iPhone without requiring two-factor authentication in the event that the user’s only trusted device is missing. A group using the name Phantom Squad is believed to have sent extortion emails to thousands of companies threatening DDoS attacks on September 30 unless a 0.2 bitcoin ($720) ransom is paid. SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy in Massachusetts said that TheDarkOverlord accessed data stored in Patterson PTOS software, and TheDarkOverlord shared the stolen database of 16,428 patient records with databreaches.net, which confirmed the breach. TheDarkOverlord went public with the breach after a failed ransom attempt.
New point-of-sale breaches: The fast-food chain Sonic said it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash. Whole Foods said that some of the taprooms and full table-service restaurants in its grocery stores experienced a point-of-sale breach. The breach did not affect credit cards used at the store’s main checkout systems as those use a different point-of-sale system.
Other notable incidents: The Toms River police department said that 3,7000 individuals had their information compromised due to a data breach. Fresno Unified School District said that the personal information of 53 employees, retirees, and their dependents was found in the possession of multiple individuals arrested by the Gilroy and Clovis police departments. Signator Investors is notifying customers that an unknown third party gained unauthorized access to some client records. The Brown Armstrong financial consultancy firm is warning that fraudulent tax returns were filed under some of its client’s names. A lawyer at the law firm Wilmer, Cutler, Pickering, Hale and Dorr inadvertently leaked PepsiCo privileged information by email to a Wall Street Journal reporter. The federal government notified 21 states that they were the target of hacking related to the 2016 presidential election.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Last week we noted the malicious version of CCleaner that was downloaded approximately 2.27 million times appeared to have been an espionage campaign designed to gain access to the networks of at least 18 tech firms.

This week Morphisec, the firm that discovered the backdoored version of CCleaner, said that there may be other similar attacks leveraging common applications that have been compromised in an attempt to gain access to even more corporate networks.

The company’s chief technology officer Michael Gorelik said that it is currently investigating historical “false positive” reports in an attempt to discover evidence if other applications have been backdoored. Gorelik said that he believes there were other supply chain attacks like the CCleaner one, and that the initial findings of the investigation were “very interesting.”

As SurfWatch Labs has previously noted, supply chains have proven to be one of the more difficult aspects for organizations to defend against, and malicious actors have shifted their attacks towards weak points in the supply chain to exploit the interconnected nature of organizations. For example, the June spread of WannaCry, perhaps the year’s most widely reported cyber incident, was tied to infections from the updater process for tax accounting software created by the Ukrainian company MEDoc.

The issues around CCleaner and MEDoc have been widely reported, but there are numerous other example of smaller-scale incidents that regularly occur. For example, last month npm, which describes itself as “the world’s largest software registry,” said that it removed more than 40 malicious packages after discovering an actor going by the name “hacktask” had published them with similar names to popular npm packages in an attempt to trick users into downloading them. In addition, popular Android apps, WordPress plugins, and other widely used products are frequently compromised to deliver various types of malware.

The researchers looking into supply chain attacks similar to CCleaner have not yet announced any other potential compromises, but organizations should keep an eye on the story to see if any discoveries occur in the coming weeks regarding applications being compromised to gain access to corporate networks.

Weekly Cyber Risk Roundup: Charlottesville Sparks Hacktivism and Controversy

The politics surrounding the “Unite the Right” rally and its counter-protests in Charlottesville spilled over into the cyber world this week as hacktivists took action against websites and a debate emerged around the ethics of hosting white nationalist websites as well as doxing individuals who attended the rally.

Under the hashtag #OpDomesticTerrorism, hacktivists have urged DDoS attacks against white nationalist websites and posted leaks of some of those websites’ alleged members. In addition, the hacking group known as “New World Hackers” said it carried out a DDoS attack against the Charlottesville city website to “deliver our own version of justice to the KKK and government.”

Other individuals began to search through the many images of the “Unite the Right” rally in order to publicly identify those who attended the event. The man behind the Twitter account “Yes, You’re Racist” called on users to help identify the “nazis marching in #Charlottesville” so he could “make them famous.” However, not all the doxing attempts were accurate. For example, an assistant professor at the University of Arkansas was wrongly identified and said he eventually had to call the police due to numerous threats being made against him and his wife as well as their home addresses being posted online. The man behind the Twitter account said he’s received death threats over the doxing as well.

Technology companies were also brought into the debate. GoDaddy, Google, Cloudflare, Zoho, Sendgrid, and Discord all cut services to the Neo-Nazi website The Daily Stormer, USA Today reported. However, those actions led to a rebuke from the Electronic Frontier Foundation for private companies “decid[ing] who gets to speak and who doesn’t.”

Other trending cybercrime events from the week include:

HBO troubles continue: The hacking group OurMine temporarily hijacked several HBO social media accounts. In addition, the group of hackers that breached HBO in late July has continued to leak stolen episodes and other documents. Authorities also said that four current and former employees at Prime Focus Technologies, which handles Star India’s data, have been arrested on suspicion of leaking a Star India copy of the August 7 episode of Game of Thrones. Finally, a third-party vendor accidentally posted the August 20 episode of Game of Thrones on the HBO Nordic and HBO España platforms, and that episode was quickly pirated.

DDoS attacks make headlines: DDoS attacks against Blizzard disrupted services for several popular games, including Overwatch and World of Warcraft. The website of Ukraine’s national postal service Ukrposhta was the target of a two-day long DDoS attack that caused slowdowns and interruptions for the website and its services.

More ransomware infections: LG Electronics said that the self-service kiosks at some of its service centers were infected with ransomware, causing some access problems. The ransomware appears to have been identical to the WannaCry ransomware that made headlines in May, officials from the Korea Internet & Security Agency said. Pacific Alliance Medical Center said that a June 14 ransomware infection may have compromised the protected health information of patients.

Data inadvertently exposed: Voting machine supplier Election Systems & Software exposed the personal information of more than 1.8 million Illinois residents due to an insecure Amazon Web Services device. ES&S said the exposed server did not include “any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems.” The Texas Association of School Boards notified some school district employees that a server containing their names and Social Security numbers “inadvertently became visible on the Internet.”

Other notable incidents: Surgical Dermatology Group in Alabama is notifying patients that their personal and healthcare information may have been compromised due to a breach at its cloud hosting and server management provider, TekLinks, Inc. City of Hope said that it is notifying patients that their medical information may have been compromised following an email phishing incident that led to four employee email accounts being compromised. OSHA has suspended access to its new Injury Tracking Application (ITA) after it was notified by the Department of Homeland Security of a potential breach of user information. The Scottish Parliament said it was the target of a brute force cyber-attack and members of parliament and staff with parliamentary email addresses were warned to make sure their passwords were as secure as possible. A former Columbia Sportswear information technology manager was charged with one count of computer fraud for allegedly accessing the company’s computer systems for more than two years after leaving the company.

Cyber Risk Trends From the Past Week

One of the week’s most notable advisories involved the software vendor NetSarang and a backdoor dubbed “ShadowPad” that was shipped out with a July version of the company’s products.

“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” NetSarang said in a statement. “The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

The issue was first discovered by a financial institution partner of Kaspersky Lab — which described the backdoor as “one of the largest known supply-chain attacks” — after discovering suspicious DNS requests originating on a system involved in the processing of financial transactions. Those requests were later discovered to be the result of a malicious module hidden inside a recent version of NetSarang software.

“If the attackers considered the system to be ‘interesting,’ the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer,” Kaspersky wrote. “After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code.”

That malicious module has been activated at least once in Hong Kong, but it is possible that other organizations have been infected, the researchers said. NetSarang said that the affected builds are Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. Organizations using those builds should cease using the software until an update can be applied.

TheDarkOverlord Targets Entertainment Sector with Leak of Unaired ABC Show

On Monday, the extortion group known as TheDarkOverlord released the first eight episodes of ABC’s soon-to-be-aired television show “Steve Harvey’s Funderdome” on the torrent site The Pirate Bay.

The leak of the ABC show follows a similar failed extortion attempt and subsequent leak of the first ten episodes of Netflix’s upcoming season of “Orange is the New Black” on April 28. At the time of the Netflix leak, TheDarkOverlord claimed to have stolen hundreds of gigabytes of unreleased and non-public media from a studio — including a total of 37 different film and TV titles. That leak was then tied to Larson Studios, an award-winning audio post-production studio in Hollywood.

As a result, Monday’s leak was likely not a surprise to ABC. TheDarkOverlord has been tweeting about the theft since late April and The New York Times reported that the FBI began notifying the affected companies of the theft a month before that.

Who is TheDarkOverlord?

There isn’t much known about TheDarkOverlord as the group is very careful about exposing information that could relate to its members’ identities. This actor is smart and calculated but also has become bolder and more arrogant as evidenced in communication with recent victims — as well as very recently even setting up a help desk like hotline.

2017-06-07_TheDarkOverlordTargets — There have been dozens of targets publicly tied to data theft and extortion by TheDarkOverlord over the past year.

“Time to play another round,” the group wrote in a Pastebin post announcing the leak on Monday. “We’re following through on our threats as we always do. We firmly believe that honesty and determination are the two most important factors of any business.”

The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.

Communication with TheDarkOverlord has shown that there is likely more than one member of the group; however, the language utilized on the group’s accounts suggests that a single member is responsible for the managing the Twitter promotions as it has a common syntax. Generally, healthcare organizations (the group’s primary targets) are under-secured and TheDarkOverlord is taking full advantage.

How TheDarkOverlord Attacks Organizations

TheDarkOverlord favors exploits that allow remote desktop control of a network. The group has also taken data acquired by other actors and exploited the clients found in these breached databases. This shows that TheDarkOverlord is not only proactive with its own targeting, but also opportunistic with regards to the sensitive data of any organization that the group comes across and can and take advantage of — as evidenced by the recent pivot from targeting healthcare organizations to those in the entertainment industry.

2017-06-07_TheDarkOverlordGroups — TheDarkOverlord initially appeared to to focus on targeting healthcare organizations, but the group has since targeted a variety of other industry groups.

In regards to the targeting of entertainment brands, TheDarkOverlord discovered what may have been a softer target in the form of the post-production company Larson Studios, which is part of several major entertainment brands’ supply chain. TheDarkOverlord claims that it was able to exfiltrate numerous unreleased (still under production) media to use as leverage, although the group has only leaked two shows thus far.

As TheDarkOverlord moves from entertainment brand to entertainment brand with its extortion efforts, the actor is learning what impacted brands are willing to pay (if anything), and the group is then releasing the media publicly in order to harm the targeted brand financially for not giving into demands. “Orange is the New Black” was leaked a full six weeks before its June 9 premiere data, and “Steve Harvey’s Funderdome” was leaked six days before its June 11 premiere. Targeted brands are likely following the impact of releasing the unaired shows very closely.

Furthermore, TheDarkOverlord has a unique relationship with the media. By garnering media attention, the group builds its reputation and applies pressure to the organizations it wishes to extort. There have been reports that TheDarkOverlord first contacts its exploited entity and demands a ransom. Once the entity refuses, the actor then lists the heathcare database on TheRealDeal Marketplace or releases entertainment media publicly and alerts the media to its presence.

Past activity has shown a slight shift in tactics as TheDarkOverlord has breached an organization and followed that up by sending the victim, along with particular media figures who request it, a sample of the data. By involving security reporters and bloggers, TheDarkOverlord lends credibility to its work while causing panic in consumers who might be associated with the breach. Consumers’ dissatisfaction will also add pressure to the extorted entities to provide ransom payment to the actor for the stolen data.

Monitoring Your Digital Risk Footprint: Q&A with a Former CISO

The digital footprints of many organizations are expanding, and with that expansion comes more avenues of attack for cybercriminals to exploit. The past few years have seen organizations having to manage more devices, more social media channels, and more customer service features — in addition to the increased interconnection and sharing of data with partners, vendors, and various as-a-service tools.

That expanding level of presence is increasing the cyber risk facing organizations, said SurfWatch Labs chief security strategist Adam Meyer. Data breaches and service interruptions now often originate outside of an organization’s walls; nevertheless, it’s the connected organizations that tend to pay the biggest price.

“At the end of the day, if a third-party is supporting a major customer-centric business process, and they have a breach and your customers need to be notified — nine times out of ten it’s not that provider’s brand that’s going to get hammered,” Meyer said on the latest Cyber Chat Podcast. “It’s going to be your brand that has to deliver the bad news.”

That’s why organizations need to ensure that proper due diligence is in place around their whole digital risk footprint, Meyer said. In today’s environment that means having intelligence around events that may occur one or several steps down the digital supply chain — as well having a plan of action in place to respond to those threats as they arise.

On the Cyber Chat Podcast, Meyer discusses a variety of topics related to digital risk management, including:

How the digital footprints of organizations have changed over the past couple years.
Why IoT devices often bypass proper security management and what actions organizations should take in regards to those devices.
The problem of growing supply chains and how one breach can quickly spread to impact dozens of connected organizations.
How organizations should respond to the shifting landscape so that they can better manage their cyber risk.

Listen to the full Cyber Chat podcast below:

Greater Interconnectivity Means a Greater Level of Presence and in Turn More Risk

Technology advances continue to push boundaries — remember when a phone was just a phone?! More “smart” devices, more interconnectivity between businesses and customers, businesses and suppliers, businesses and partners … all of this speeds transactions and the way business is conducted. Information is shared, items are purchased — all with the click of a button these days.

Inherent in all this productivity goodness is that your digital presence is expanding across many channels that are outside the traditional company boundaries. With this expanding presence comes greater risk. It’s become much harder to have visibility of the level of risk your organization faces across the many digital channels. You of course have physical risks that have been around in the past, but now can be tied into cyber activity. You have cybercriminals (and potentially other types of adversaries) looking to exploit weaknesses for financial or competitive gains. Social media. Your supply chain. Insider risks (whether malicious or negligent). On and on …

The more connections you have, the more presence you have, the more opportunity that exists for malicious actors. This isn’t to say close your business off from the world. That’s obviously not realistic and not a good way to do business. But there two essential things you can do to minimize this issue:

Get an understanding of your level of presence and the level of risk associated to different areas. Having this intel sets the stage for how to stay on top of your risk and proactively address it.
Identify people, processes and technology to help continuously monitor and manage these risks — so they don’t become larger issues for your business.

Some questions to pose to your organization as a starting point:

Who in the organization has accountability for digital risk? Corporate security? Info security? Risk management? Legal? Compliance? Executive suite and/or board level? Brand officer?
What about “smart” building devices? Who owns these?
What about “smart” devices brought in by your employees? How are these managed? And by whom?
How does digital risk play into the organization’s overall risk management process?
What processes are in place to limit the risk?
What processes are in place to address a threat?

This list isn’t exhaustive, but you get the idea of how you need to think about this issue.

We recently announced a strategic partnership with PlanetRisk to deliver comprehensive cybersecurity and enterprise risk analytics and visualization for Fortune 1000 and government customers. Together we’re hosting a live webinar discussion on How to Mitigate Risk from Your Expanding Digital Presence.

I look forward to seeing you on the webinar. For more information and to sign up for the webinar, visit: http://info.surfwatchlabs.com/Webcast/How-to-Mitigate-Risk-from-Your-Expanding-Digital-Presence/05102017

Weekly Cyber Risk Roundup: JobLink, $100 Million BEC Scam and Other Breaches

Third-party cybersecurity issues were once again front and center this past week as America’s JobLink, a web-based system that links jobs seekers with employers, was compromised by a malicious actor, leading to a series of data breach announcements from states that use the system.

“On February 20, 2017, a hacker created a job seeker account in an America’s JobLink (AJL) system,” the company wrote. “The hacker then exploited a misconfiguration in the application code to gain unauthorized access to certain information of other job seekers.”

Millions of individuals may have been affected by the vulnerability, which was introduced in an AJL system update in October 2016. When exploited, it allowed the malicious actor to view the names, Social Security numbers, and dates of birth of job seekers in the AJL systems of up to ten states: Alabama (600,000), Arizona, Arkansas (19,000), Delaware (200,000), Idaho (170,000), Illinois (1.4 million), Kansas, Maine (conflicting media reports on total number affected), Oklahoma (430,000), and Vermont (186,000).

Vermont Gov. Phil Scott said at a Thursday press conference that the state was looking into the contract with ALJ, which has been in effect for about 16 years, and may potentially pursue legal recourse. At the same press conference Vermont Department of Labor Secretary Lindsay Kurrle noted potential AJL issues that may have compounded the breach, such as older Joblink accounts not being deleted.

Third-party cybersecurity issues continue to be one of the most pressing challenges facing organizations, as the numerous breaches in this roundup each week demonstrate. Despite the challenges, the digital footprints of organizations continue to grow: an issue that Adam Meyer, chief security strategist with SurfWatch Labs, and Kristi Horton, senior risk analyst with Gate 15 & Real Estate ISAC, will discuss on a Webinar tomorrow.

Other trending cybercrime events from the week include:

WikiLeaks’ dump brings legal issues, more CIA documents: Julian Assange criticized companies for not responding to WikiLeaks’ request that they comply with certain conditions in order to receive technical information on the leaked CIA exploits; however, multiple tech companies said the issue is caught up in their legal departments. WikiLeaks also continued to leak more CIA data by publishing documents that “explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.” The documents are mostly from the last decade, except for a couple that are dated 2012 and 2013.

Variety of issues lead to oversharing, data breaches: The UK’s Information Commissioner’s Office is investigating reports that data sharing options in SystmOne may have exposed the medical records of up to 26 million patients. The system’s “enhanced data sharing” option, which doctors turned on so that medical records could be seen by local hospitals, also allowed those records to be accessed by thousands of other workers. Mobile phone company Three is investigating a technical issue that led to some customers who logged into their accounts seeing the personal data of other customers. Med Center Health in Kentucky announced a data breach due to a former employee accessing encrypted patient billing information by falsely implying it was needed for job-related reasons.

Bots lead to gift card fraud, stock manipulation: Nearly 1,000 customer websites were targeted by a bot named “GiftGhostBot” that automatically checks millions of gift card numbers to determine which card numbers exist and contain balances. Recent pump-and-dump spam messages from the Necurs botnet falsely claimed that InCapta was about to be bought out for $1.37 per share and that people could buy shares for less than 20 cents before the buyout would be announced.

Malware spread via Ask.com toolbar: For the second time in a one month period, malicious actors were able to compromise the Ask Partner Network (APN), creators of the Ask.com toolbar, in order to spread malware that was signed and distributed as though it were a legitimate Ask software update. The first attack was discovered in November 2016, and in December 2016 researchers discovered that the “sophisticated adversary” was continuing its earlier activity “to deliver targeted attacks using signed updates containing malicious content.”

Other notable cybercrime events: Hackers going by the name ‘Turkish Crime Family’ claim to have access to a large cache of iCloud and other Apple email accounts and say they will reset accounts and remotely wipe devices on April 7 unless Apple pays a ransom. The McDonald’s India app leaked the personal information of more than 2.2 million users, and data is still allegedly being leaked despite the company’s claims that it fixed the issue. Lane Community College health clinic is notifying approximately 2,500 patients that their personal information may have been compromised due to one of its computers being infected with malware. A gang of hackers-for-hire tried to steal Baidu’s driverless car technology. The FBI believes that North Korea is responsible for the February 2016 theft of $81 million from Bangladesh Bank, and U.S. prosecutors are building potential cases that may both formally accuse North Korea of directing the theft and charge alleged Chinese middlemen

Cyber Risk Trends From the Past Week

One of the most profitable cybercriminal tactics is business email compromise scams, which has accounted for several billion dollars worth of actual and attempted losses over the past few years.

A reminder of that ongoing threat surfaced this past week when the Department of Justice announced the arrest of a Lithuanian man on charges that he had successfully duped two U.S.-based companies into wiring a total of over $100 million to bank accounts that he controlled.

The DOJ noted in its press release that the case “should serve as a wake-up call” to even the most sophisticated companies that they may be the target of advanced phishing attempts from malicious actors.

Evaldas Rimasauskas, the arrested Lithuanian man, allegedly registered and incorporated a company in Latvia with the same name as an Asian-based computer hardware manufacturer, and then opened and maintained various bank accounts using that copycat company name. He then is alleged to have sent fraudulent phishing emails to employees of companies that regularly conducted multimillion-dollar transactions with the hardware manufacturer, asking that those companies direct payments for legitimate goods and services to the bank accounts using the copycat name. The indictment also alleges that Rimasauskas submitted forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the victim companies to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

As the FBI and others have repeatedly warned, the lure of multi-million dollar payout leads to cybercriminals going to great lengths to successfully social engineer companies. This includes more time spent researching things such as the roles of employees and their language in written communications, as well as company authority figures, policies and procedures, and supply chains. This allows the social engineers to craft a message, or series of messages, that fits within the expected culture and communication patterns of an organization — increasing their chances of a large, fraudulent payday.

Weekly Cyber Risk Roundup: Third-Party Breaches and Apache Struts Issues

Twitter is the week’s top trending cybercrime target after malicious actors leveraged a third-party analytics service known as Twitter Counter to hijack a number of Twitter accounts and post inflammatory messages written in Turkish along with images of Nazi swastikas. Hundreds of accounts were compromised, the Associated Press reported.

Forbes magazine, the Atlanta Police Department, Amnesty International, UNICEF USA, and Nike Spain were among the numerous Twitter accounts hijacked.

A Twitter spokesperson said it removed the permissions of the third-party app, which was the source of the problem. In a series of tweets on Wednesday, Tweet Counter responded to the issue: “We’re aware that our service was hacked and have started an investigation into the matter. We’ve already taken measures to contain such abuse. Assuming this abuse is indeed done using our system, we’ve blocked all ability to post tweets and changed our Twitter app key.”

Twitter hijackings are common, and we do not highlight them in this weekly report very often; however, the Tweet Counter compromise is worth noting due to the supply chain issues it represents. Organizations frequently use third-party services to help manage their numerous social media accounts, and that interconnectedness was one of the central themes of SurfWatch Labs’ annual threat intelligence report. “One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

Organizations should have a way to track, monitor, and address any issues pertaining to third-party tools and services so they can better manage the increased risk that stems from an interconnected world.

Other trending cybercrime events from the week include:

New point-of-sale breaches: A breach at point-of-sale vendor 24×7 Hospitality Technology appears to be behind a series of fraudulent transactions tied to Select Restaurants Inc. locations, Brian Krebs reported. 24×7 issued a breach notification letter in January saying that a network intrusion through a remote access application allowed a third party to gain access to some of 24×7 customers’ systems and execute PoSeidon malware. Multiple Australian schools are warning parents that individuals are reporting fraudulent payment card transactions after Queensland School Photography’s online ordering system was compromised.

Yahoo breach leads to indictments: A grand jury has indicted four individuals, including two officers of the Russian Federal Security Service (FSB), over their alleged roles in the hacking of at least 500 million Yahoo accounts. According to the Department of Justice, the FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated, and paid co-defendants Alexsey Belan and Karim Baratov to collect information through computer intrusions in the U.S. and elsewhere.

Breaches due to insecure databases and devices: Security researchers discovered hundreds of gigabytes of data from the Warren County Sheriff’s Department exposed due to an insecure network storage device, including a variety of sensitive documents and recordings. A Dun & Bradstree database containing the personal information of 33.7 million U.S. individuals has been exposed, likely due to an unsecured MongoDB database. Dun & Bradstree said that it owns the database, but stressed that the data was not stolen from its systems and that the information was approximately six months old. Thousands of sensitive U.S. Air Force documents were exposed due to an insecure backup drive belonging to an unnamed lieutenant colonel.

Ransomware infections continue to be announced: Summit Reinsurance is notifying individuals of a breach after discovering unauthorized access to a server as well as a ransomware infection. The city of Mountain Home, Arkansas, had to wipe the server of its water department and restore the data from a backup after a ransomware infection locked 90,000 files. Metropolitan Urology Group said a November 2016 ransomware infection exposed the health information of patients who received services between 2003 and 2010. Ransomware actors are shifting towards disrupting business services and demanding higher ransom payouts.

Other notable cybercrime events: A flaw in the old website of South African-based cinema chain Ster-Kinekor exposed the personal information of up to 6.7 million users. Three is notifying an additional 76,373 customers that their personal information was compromised in a November 2016 incident. Wishbone announced a data breach due to unknown individuals having “access to an API without authorization.” UK travel association ABTA announced that 43,000 individuals had their personal information compromised due to a vulnerability in the servers of a third-party hosting service. Arkansas is investigating whether malware stole the personal information of 19,000 individuals. Cincinnati Eye Institute, Laundauer, and Virginia Commonwealth University Health System announced data breaches.

Cyber Risk Trends From the Past Week

Earlier this month, a patch was issued to address a high-impact vulnerability in Apache Struts Jakarta Multipart parser that allowed attackers to remotely execute malicious code. Shortly after the patch, an exploit appeared on a Chinese-language website,. Researchers then confirmed that attackers were “widely exploiting” the vulnerability. Since then, the issue has continued to affect numerous organizations through data breaches and service downtime.

For example, the Canada Revenue Agency was one of the week’s top trending cybercrime targets after the Canadian government took the website for filing federal tax returns offline due to the vulnerability, temporarily halting services such as electronic filing until security patches could be put in place.

John Glowacki, a government security official, said during a press conference that there was “a specific and credible threat to certain government IT systems,” and Statistics Canada confirmed that hackers broke into a web server by exploiting the Apache Struts vulnerability. Glowacki also said it was his understanding that some other countries “are actually having greater problems with this specific vulnerability [than Canada].”

Those other instances have not been as widely reported; however, GMO Payment Gateway confirmed a data breach related to the vulnerability. The Japanese payment processing provider announced that an Apache Struts vulnerability led to the leak of payment card data and personal information from customers who used the Tokyo Metropolitan Government website and Japan Housing Finance Agency site. According to the breach notification, the Tokyo Metropolitan Government credit card payment site leaked the details of as many as 676,290 payment cards, and the Japan Housing Finance Agency payment site leaked the details of as many as 43,540 payment cards. The breach was discovered after an investigation was launched on March 9 due to alerts about the vulnerability. Less than six hours later, GMO discovered unauthorized access and stopped all systems running with Apache Struts 2.

Surfwatch Labs analysts warn that users with root privileges running on unpatched Apache Struts are at high risk of being fully compromised, and organizations are encouraged to patch Apache web servers as soon as possible.

“Unfortunately, fixing this critical flaw isn’t always as easy as applying a single update and rebooting,” Ars Technica’s Dan Goodin noted. “That’s because in many cases, Web apps must be rebuilt using a patched version of Apache Struts.”

Weekly Cyber Risk Roundup: Cloudflare Aftermath and Online Stores Breached

The Cloudflare software bug that resulted in the potential leaking of sensitive data remained as the top trending cybercrime event of the past week as researchers continued to investigate and quantify the effects of the incident. In a March 1 blog post, Cloudflare CEO Matthew Prince described the “Cloudbleed” impact as “potentially massive” and said the bug “had the potential to be much worse” than the initial analysis suggested.

Cloudflare summarized its findings as of March 1:

Their logs showed no evidence that the bug was maliciously exploited before it was patched.
The vast majority of Cloudflare customers had no data leaked.
A review of tens of thousands of pages of leaked data from search engine caches revealed a large number of instances of leaked internal Cloudflare headers and customer cookies, but no instances of passwords, credit card numbers, or health records.
The review is ongoing.

The bug was first discovered by researcher Tavis Ormandy on February 17. Ormandy wrote that the data leakage may date back to September 22, 2016, and that he was able to find “full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Price said that “the nightmare scenario” would be if a hacker had been aware of the Cloudflare bug and had been able to quietly mine data before the company was notified by Google’s Project Zero team and a patch was issued. “For the last twelve days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched,” Price wrote. “We’ve found nothing so far to indicate that was the case.”

Other trending cybercrime events from the week include:

Political hacks and fallout continue: The daughter of political consultant Paul Manafort had her iPhone data hacked and a database containing more than 280,000 text messages, many of which shed light on the family’s views of Russia-aligned Ukrainian strongman Viktor Yanukovych and President Donald Trump, have been leaked on a darknet website run by a hacktivist collective. The files appear to have been accessed through a backup of Andrea Manafort’s iPhone stored on a computer or iCloud account. Three Russians were recently charged with treason for allegedly passing secrets to U.S. firm Verisign and other unidentified American companies, which in turn shared them with U.S. intelligence agencies. The charges come after the U.S. has accused Russia of hacking, and Reuters reported the charges may be a signal that Russia “would now take action against forms of cooperation that it previously tolerated.”

More payment card breaches: Hospitality company Benchmark announced a payment card breach affecting six of its properties, including the hotel front desks of Doral Arrowwood, Eaglewood Resort & Spa, and the Santa Barbara Beach & Golf Resort and the food and beverage locations of The Chattanoogan, Willows Lodge, and Turtle Bay Resort. Niagara-Wheatfield School District officials are warning individuals who purchased tickets to attend a school production of “The Lion King” that there have been several reports of credit card fraud tied to those purchases. The school sold the tickets using the ticket sales platform ShowTix4U; however, a spokesperson said there may have been other ways the credit card information could have become compromised. Touring and transportation company Roberts Hawaii is notifying customers of a payment card breach. Authorities are urging customer of Downeast Credit Union in Belfast to check their account for suspicious activity after the discovery of a skimming device in an ATM at the Down East Credit Union Belfast branch.

Unauthorized access due to employees and poor security: Vanderbilt University Medical Center is notifying 3,247 patients that their patient files were accessed between May 2015 and December 2016 by two staff members who worked as patient transporters. WVU Medicine University Healthcare is notifying 7,445 patients that their protected health information was compromised due to an employee accessing the data without authorization, and 113 of the patients are victims of identity theft. Chicago Public Schools students had their information potentially compromised due to a Google spreadsheet that did not require a login and included special education students’ personal information.

Other noteable cybercrime events: Spiral Toys sells an internet-connected teddy bear that allows kids and parents to exchange messages via audio recordings, and more than two million of those messages, as well as more than 800,000 email addresses and bcrypt-hashed passwords, have been potentially compromised due to being stored on a database that wasn’t behind a firewall or password-protected. Singapore’s Ministry of Defence said that a “targeted and carefully planned” attack resulted in a breach of its I-net system. An actor using the name “CrimeAgency” on Twitter claims to have hacked 126 vBulletin-based forums that were using outdated versions of the software. Luxury motorcoach company Hampton Jitney is advising customers to change their passwords after a security breach discovered on Wednesday compromised personal information stored by the company.

Cyber Risk Trends From the Past Week

Several companies have issued breach notification letters related to a malware incident at Aptos, Inc., which provides e-commerce solutions for a number of online stores. The breach at Aptos was discovered in November 2016, and notification by the various companies affected was delayed until recently at the request of law enforcement.

According to a notification from Mrs Prindables:

Mrs Prindables along with a wide range of major retailers, utilizes a third party company named Aptos to operate and maintain the technology for website and telephone orders. On February 6, 2017, Aptos informed us that unauthorized person(s) electronically accessed and placed malware on Aptos’ platform holding information for 40 online retailers, including Mrs Prindables, from approximately February 2016 and ended in December 2016. Aptos has told us that it discovered the breach in November 2016, but was asked by law enforcement investigating the incident to delay notification to allow the investigation to move forward.

Other companies to issue breach notification letters, as noted by databreaches.net, include: AlphaIndustries.com, AtlanticCigar.com, BlueMercury.com, Hue.com, MovieMars.com, Nutrex-Hawaii.com, PegasusLighting.com, PlowandHearth.com, Purdys.com, Runnings.com, Sport-Mart.com, Thiesens.com, VapourBeauty.com, WestMusic.com, and PercussionSource.com.

The breach announcement comes on the heels of a report that found “a steady rise” in online fraud attack rates throughout 2016. The shift in tactics toward card-not-present fraud was expected as increased security associated with the U.S. adoption of EMV technology made card-present fraud less profitable. Fraud does not go away; it only shifts. As SurfWatch Labs Adam Meyer has said, fraud is like a balloon: apply a little pressure to one area and malicious actors quickly expand into an area with less resistance.

However, card-present fraud is still impacting organizations. The past month saw a point-of-sale breach at InterContinental Hotels Group that affected the restaurants and bars of 12 properties and another breach that affected six Benchmark properties. In addition, malware was discovered on the payment systems of Arby’s corporate locations. Nevertheless, SurfWatch Labs cyber threat intelligence data, along with reports from other researchers, clearly shows a continued shift as cybercriminals move to find the sweet spot between difficulty and profit when it comes to payment card fraud — and that increasingly appears to be online.

Weekly Cyber Risk Roundup: More Extortion and Marijuana Retailers’ Woes

Extortion continues to dominate the cybercrime headlines in 2017 with the week’s top two trending targets being the successful ransom at Los Angeles Valley College and continued extortion attempts around MongoDB databases.

It was less than a year ago that Hollywood Presbyterian Medical Center became a national news story by paying a $17,000 ransomware demand so that staff could regain access to infected computers. A year later those types of stories are no longer unique; they’re routine. Los Angeles Community College District’s recent decision to pay a $28,000 ransom after an infection “disrupted many computer, online, email and voice mail systems” is just the latest of example.

“It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the district said in a FAQ, echoing the sentiments of many other organizations who’ve decided to pay ransoms. “The District has a cybersecurity insurance policy to address these specific types of cyber intrusions and it was activated during this incident. While much time will pass before this matter is resolved, we have already availed ourselves of the resources provided by the policy, including assistance of cybersecurity experts.”

In addition, the ongoing issue of insecure MongoDB databases being stolen, deleted and subsequently extorted continues to rack up thousands of new potential victims, including Princeton University. Researchers Victor Gevers and Niall Merrigan have been tracking the various victims and ransom demands as threat actors compete to have the most up-to-date ransom notes. The problem, Merrigan told KrebsOnSecurity, is that with so many actors the victims may not know who actually has the stolen data. Merrigan advises victims not to pay unless they have proof that the extortionists actually have the files being ransomed. Lastly, it appears some of those actors have now shifted towards ElasticSearch servers, with more than 3,000 victims as of Monday morning.

Other trending cybercrime events from the week include:

Another week of large-scale breaches: Mobile phone hacking company Cellebrite was breached and 900 GB of data was compromised, including customer information, databases and a vast amount of technical data regarding Cellebrite’s products. E-Sports Entertainment Association (ESEA) was hacked last December and a database containing information on 1.5 million players was stolen. The actor also attempted to extort the company for $100,000, but ESEA refused to pay. Three brokers who left the commercial real estate firm Avison Young used external hard drives to “downloaded massive amounts of data,” including client and financial information, market intelligence and strategic plans, according to a complaint filed by the firm.

More accidental data exposure: A MongoDB database belonging to Sanrio, the company behind Hello Kitty, was misconfigured and exposed to the public in 2015, and a copy of that database has recently surfaced online. Approximately 3.3 million Hello Kitty fans are affected, including 186,261 records related to individuals under the age of 18. Canadian plastic surgery company SpaSurgica exposed the detailed medical histories of thousands of patients due to an unprotected remote synchronization (rsync) service, according to MacKeeper researchers. The files contained medical histories, personal information, and intimate before and after pictures of breast augmentation and other surgeries. An email sent by Ball State University’s retention office to students on academic probation accidentally contained an Excel spreadsheet of 59 students on probation for the spring semester rather than planned attachment about upcoming academic help sessions.

Cyber-attack leads to another blackout: The December 2016 blackout in Ukraine was due to a cyber-attack, and it is connected to a similar attack in 2015, as well as hacks at the national railway system, several government ministries and a national pension fund. The head of ISSP, a Ukrainian company investigating the incident, said that the recent attack against a Ukrainian utility was a “more complex” and “much better organized” version of the 2015 attack. He also said that the different cybercriminal groups that worked together appeared to be testing techniques that could be used elsewhere in the world.

Other breach announcements: Outdated data management software led to the leak of financial information for at least 2,000 Taipei City Government employees, city officials said. A November data breach at TwoPlusTwo poker forum exposed the personal information of its users, and the stolen data was subsequently offered for sale on the Internet. Fraudulent login attempts were made to Spreadshirt partner accounts using previously compromised credentials with the goal of redirecting payments by changing the Paypal payout address. Dozens of Israeli soldiers had their smartphones hacked by Hamas militants impersonating attractive women. Italian police have arrested two siblings for allegedly hacking into thousands of email accounts using a customized malware known as “EyePyramid” and then using the stolen information to make investments. The Susan M. Hughes Center recently notified HHS of an August ransomware infection that affected 11,400 patients’ information.

Cyber Risk Trends From the Past Week

As SurfWatch Labs noted in its annual report, organizations are increasingly struggling with third-party and supply chain cybercrime.

This issue was highlighted once again this past week as a cyber-attack at MJ Freeway, a popular software platform used by marijuana retailers, disrupted operations at 1,000 retailers across 23 states. A full week after the initial attack the company is still working to restore some level of services to many of its clients. A full recovery may take several weeks, Jeannette Ward, director of data and marketing for MJ Freeway, told Marijuana Business Daily.

The motivations behind the attack are unclear, but the attack appears to be aimed at corrupting the company’s data, not stealing it.

“Attackers took down both MJ Freeway’s production and backup servers, causing an outage for all of our clients,” MJ Freeway CEO Amy Poinsett said in a video uploaded on Saturday, “Current analysis shows the attackers did not extract any client or patient data and did not view any patient data thanks to encryption measures we had in place.”

However, she added that “the damage from the attack is extensive” and the company is currently trying to call customers individually to move them to alternate MJ Freeway sites, which is taking more time than she would like. A number of stores had to temporarily close due to the outage, and those that remained open have had to deal with lengthy lines and customer complaints as manual transactions increased the time for each sale.

As SurfWatch Labs noted in its 2016 Cyber Trends Report, the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services,” the report stated. “Cybercrime is increasingly interconnected, and the effects of one data breach or cyber-attack are difficult to isolate and contain.”

That appears to be the case with MJ Freeway.

Organizations Struggle with Third Party and Supply Chain Cybercrime, Says New Report

The past year saw organizations struggle with third-party issues as malicious actors shifted their tactics towards weak points in the supply chain and exploited the interconnected nature of cybercrime, according to a new report from SurfWatch Labs.

“One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “The second half of 2016 saw the percentage of targets publicly associated with third-party cybercrime nearly double compared to the same period in 2015. It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

SurfWatch Labs annual threat intelligence report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack, was based on more than a hundred thousand CyberFacts collected against more than 6,000 targets – 4,066 targets publicly associated with cybercrime and an additional 2,395 observed being discussed on the dark web.

Cybercrime in 2016

Cybercrime is increasingly interconnected, the report noted, and the effects of a data breach or poor cyber hygiene at one organization often move through supply chains to impact other connected organizations. That was true when it came to the growing number of compromised Internet-of-Things devices, which we wrote about last week, and it was true for a number of other cybercrime events as well.

For example:

Previously stolen employee credentials were fed into remote access services in order to compromise new organizations.
Data stolen from one organization went on to have significant economic, political and reputational impact on other parties.
Threat actors used information obtained in previous attacks to establish trust and legitimacy in social engineering campaigns that lead to new data breaches.
Those new data breaches, some of them truly massive, led to even more private information entering the public domain.

That ripple effect was evident in many of the year’s top trending data breaches.

Breaches at Yahoo, LinkedIn and others collectively accounted for well over two billion passwords being fully or partially exposed, as well as the exposure of some users’ security questions and answers. The massive breach at Panamanian law firm Mossack Fonseca led to ongoing international probes as well as the Prime Minister of Iceland stepping down. The breach at the Democratic National Committee took center stage on the campaign trail as leaked emails and other cybersecurity issues helped to shape, in part, who would be the next president of the United States.

“The amount of private data circulating among cybercriminal groups combined with an environment in which organizations are providing more points of access for customers and employees means that many organizations are more exposed than ever,” the report stated.

Key trends and statistics from SurfWatch Labs’ 2016 cybercrime data include:

More cybercrime tied to third parties: SurfWatch Labs analysts contribute this third-party growth to the expanding ecosystem of partners and suppliers that provide various products and services. This business model requires a natural need to extend the “level of presence” of organizations by sharing or fully outsourcing the creation and management of sensitive data, increasing the chance of a compromise.
Compromised credentials surged: The amount of publicly exposed user credentials grew significantly in 2016. SurfWatch Labs collected data on more than 1,100 organizations associated with the “credentials stolen/leaked” tag across both public and dark web sources over the past year, up from 828 last year.
Healthcare led way for supply chain cybercrime: SurfWatch Labs collected data on more targets tied to third-party cybercrime in the healthcare facilities and services group than any other, although the numbers may be skewed due to more strict reporting requirements in the sector.
Infected IoT devices led to increased service interruption: Over the past two years, the “service interruption” tag has typically appeared in approximately 16% of the negative CyberFacts collected by SurfWatch Labs. However, that number jumped to more than 42% over the last half of the year due to growing concern around IoT-powered botnets such as Mirai.

To read the full, complimentary report, visit info.surfwatchlabs.com/reports/2016-cybercrime-trends-year-in-review. Join SurfWatch threat intelligence analysts for a webinar on January 11, 1pm ET for a discussion of the report findings.