Weekly Cyber Risk Roundup: DDoS Attacks Hit Sweden, Researchers Warn of ROCA

The Swedish Transportation Administration and other related agencies were among the week’s top trending cybercrime targets due to a series of distributed denial-of-service (DDoS) attacks that led to services being disrupted earlier this month.

The DDoS attacks against the Swedish Transportation Administration affected all of its web-based systems, including the IT system that manages train orders, the administration’s email system, Skype, and its website. Officials said the disruption, which forced trains to be driven manually, resulted in the stoppage and delays of some trains.

A spokesperson for the administration said (Swedish) that the DDoS attacks targeted its internet service providers, TDC and DGC; however, the attacks appeared designed to disrupt the administration’s services.

The following day saw additional DDoS attacks against the website of Sweden’s Transport Agency, as well as public transport operator Västtrafik in western Sweden, which briefly crashed the operator’s ticket booking app and online travel planner.

The incident follows warnings from various DDoS mitigation providers about DDoS attacks. CDNetworks – which surveyed organizations in the UK, Germany, Austria, and Switzerland – found that more than half of the organizations were hit by DDoS attacks in the past year. A10 Networks warned that the number of organizations experiencing an average DDoS attack over 50 Gbps has quadrupled in the past two years. In addition, Incapsula researchers recently warned of a new “pulse wave” DDoS attack that provides an “easy way” for attackers to double their attack output. A Neustar report also found that DDoS attacks are frequently accompanied by other malicious activity, such as viruses, malware, ransomware, and lost customer data.

Other trending cybercrime events from the week include:

  • Large data leaks: The Republican phone polling firm Victory Phones had 223 GB worth of data stolen in what appears to be an attack against an unsecured MongoDB database that occurred in January 2017. The incident exposed data on hundreds of thousands of Americans who submitted donations to political campaigns. A researcher has discovered the personal information of millions of South Africans among a large dump of other data breaches. The data includes 30 million unique South African ID numbers, about 2.2 valid email addresses, and other personal information. We Heart It announced a data breach affecting 8 million accounts created between 2008 and November 2013.
  • Payment card breaches: Pizza Hut is warning that customers who used the company’s website or mobile app to place an order during a 28-hour period in early October may have had their information compromised. The online e-commerce platform Spark Pay is notifying customers of a payment card breach involving merchant websites after discovering malicious code on a server. Citizens Financial Group is notifying customers of an ATM skimming incident that occurred at a Citizens Bank ATM located in Cambridge, Massachusetts.
  • Other data breaches: Microsoft’s internal database for tracking bugs was hacked in 2013, revealing descriptions of critical and unfixed vulnerabilities for widely used software such as Windows. Transamerica Retirement Solutions is notifying some customers that it discovered unauthorized access to their retirement plan online account information due to the use of compromised third-party user credentials. Officials said the cryptocurrency exchange Bithumb was targeted with phishing emails containing malware, which led to the personal and financial information of at least 30,000 users being exposed. Chase Brexton Health Care is notifying 16,000 patients of a breach due to a phishing attack that led to the compromise of four employee email accounts and the attackers rerouting the victims’ paychecks to a bank account under their control. Namaste Health Care in Missouri is notifying approximately 1,600 patients of a ransomware infection that may have led to the attacker accessing their information. Rivermend Health is notifying 1,300 patients that their personal information may have been compromised due to a breach of an employee’s email account.
  • Other notable events:  The British TV production firm Mammoth Company was hacked by North Korean hackers after reports the company was creating a TV show about a British nuclear scientist taken prisoner in North Korea. The attack did not cause any harm, but it did cause widespread alarm, the BBC reported. Domino’s Australia said that it is investigating a potential issue with a former supplier’s system after a number of customers received unauthorized spam emails. A University of Kansas student was expelled after using a keylogger device to steal faculty credentials and change his grades.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Researchers have discovered a vulnerability, dubbed “ROCA” (CVE-2017-15361), in the cryptographic smartcards, security tokens, and other secure hardware chips manufactured by Infineon Technologies AG, and that vulnerability could allow an attacker to calculate the private portion of an RSA key.

The vulnerability is due to the way the Infineon Trusted Platform Module firmware “mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks,” the CVE states.

Chips manufactured as early as 2012 are affected by the vulnerability, the researchers said.

“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable,” the researchers said. “We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP.”

Researchers said that malicious actors could feasibly use what’s known as a “practical factorization attack” against key lengths of up to 2048 bits, and if the attack is improved it could be used against 4096-bit RSA keys in the future. According to the researchers, the time and complexity cost associated with selected key lengths are:

  • 512 bit RSA keys – 2 CPU hours (the cost of $0.06);
  • 1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
  • 2048 bit RSA keys – 140.8 CPU years (the cost of $20,000 – $40,000).

If a vulnerable key is found, organizations should contact their device vendor for further advice, the researchers said. Forbes reported that Fujitsu, Google, HP, Lenovo, and Microsoft have all pushed out fixes for their relevant hardware and software. The researchers will present their full findings at the ACM Conference on Computer and Communications Security later this month.
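To find candidate keys before contacting a vendor, a public-key fingerprint check is enough. The following is an added example, not code from the researchers or from SurfWatch Labs. It assumes the key structure given in the public ROCA research (affected primes have the form k*M + (65537^a mod M), where M is a product of consecutive small primes); the function names are hypothetical and both sample moduli are constructed test values, not real keys.

```python
"""ROCA (CVE-2017-15361) public-key fingerprint check. Added example."""
from math import prod

GENERATOR = 65537

# Odd primes up to 167. Assumption from the public ROCA research: these
# divide the constant M used for every affected key length.
SMALL_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
    71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
    149, 151, 157, 163, 167,
]


def subgroup(r):
    """Residues reachable as 65537**i mod r (the subgroup 65537 generates)."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % r
    return seen


# Precompute once: for an affected modulus N, N mod r must fall in ALLOWED[r].
ALLOWED = {r: subgroup(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True if modulus n passes the residue test for every small prime.

    Only the public modulus is needed. A pass is a strong indicator that
    the key came from an affected chip; it is not a factorization.
    """
    return n > 1 and all(n % r in ALLOWED[r] for r in SMALL_PRIMES)


def parse_modulus(line):
    """Parse a line such as 'Modulus=C0FFEE', the format printed by
    `openssl rsa -pubin -noout -modulus`, into an integer."""
    return int(line.strip().split("=")[-1], 16)


def scan(entries):
    """entries: iterable of (label, 'Modulus=HEX'); returns flagged labels."""
    return [label for label, line in entries
            if has_roca_fingerprint(parse_modulus(line))]


# --- Constructed sample data (not real keys) -------------------------------
M = 2 * prod(SMALL_PRIMES)


def shaped_value(k, a):
    """Integer with the residue structure of an affected prime.
    Primality is not checked, so the product below is not a usable key."""
    return k * M + pow(GENERATOR, a, M)


SHAPED_N = shaped_value(0x1F3A5C7E9B, 123456789) * shaped_value(0x2B4D6F8A1C, 987654321)

# 65537 mod 11 == 10, so the allowed residues mod 11 are {1, 10}.
# This value is 2 mod 11 and therefore cannot carry the fingerprint.
CLEAN_N = 11 * (1 << 500) + 13

SAMPLE_INVENTORY = [
    ("token-a (constructed)", "Modulus=%X" % SHAPED_N),
    ("server-b (constructed)", "Modulus=%X" % CLEAN_N),
]

if __name__ == "__main__":
    for label in scan(SAMPLE_INVENTORY):
        print("fingerprint match, follow up with the device vendor:", label)
```

The check needs only public keys, so it can be run across certificate inventories, SSH host keys, and PGP keyrings without touching private material.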

Weekly Cyber Risk Roundup: Kaspersky’s Alleged Espionage and SmartVista Bug Unpatched

The National Security Agency and Kaspersky Lab were once again among the week’s top trending targets due to continued reporting around Kaspersky’s alleged involvement in the 2015 theft of classified materials from the home computer of an NSA employee.

As we noted last week, sources told The Wall Street Journal that a contractor took the sensitive data home without the NSA’s knowledge, and the Russian government was able to then steal that information by leveraging the contractor’s use of antivirus software created by Kaspersky. However, the Washington Post subsequently reported that the individual in question was actually an employee in the NSA’s elite Tailored Access Operations division.

In addition, officials told the WSJ this week that Kaspersky’s antivirus software was modified to search for terms such as “top secret,” as well as the classified code names of U.S. government programs, in an operation that is broader and more pervasive than just the one hacked employee. That modification could not have been done without Kaspersky’s knowledge, an official told the paper. However, Kaspersky has continued to state that it “was not involved in, and does not possess any knowledge of, the situation in question.”

The New York Times reported that the U.S. was first made aware of the espionage campaign leveraging Kaspersky by Israeli intelligence officers who hacked into Kaspersky Labs in 2014. Those hackers, later dubbed Duqu 2.0, exploited up to three zero-days in order to spy on Kaspersky Lab technologies, ongoing research, and internal processes, Kaspersky wrote in 2015 after discovering the intrusion.

Officials told the WSJ that it remains unclear exactly how many other government computers or employees may have been targeted via Kaspersky software – or if any additional sensitive data was stolen.

Other trending cybercrime events from the week include:

  • Defense-related breaches: The Australian Signals Directorate said that a defense contractor had 30 gigabytes of data stolen, including data related to F-35 Joint Strike Fighters, the C-130 military transport aircraft, the new spy plane P-8 Poseidon, the smart bomb JDAM, and some Australian naval vessels. A breach of South Korea’s military network last year allowed North Korean hackers to access vast amounts of data, including classified wartime contingency plans jointly created by the U.S. and South Korea.
  • Payment card breaches: Irish retailer Musgrave is asking customers of SuperValu, Centra, and Mace to be on the lookout for fraudulent charges due to concerns that their payment card numbers and expiration dates may have been stolen. Hyatt Hotels is notifying customers that payment card information swiped and manually entered at the front desks of some locations may have been compromised. Hue.com and nononsense.com, and their parent company Kayser-Roth, are notifying customers of a payment card breach tied to third-party website order processor Aptos. Droege Computing Services said that a StampAuctionNetwork server was hacked and payment card information was compromised due to a breach that occurred through Droege’s main offices. Tommie Copper and Cricut are notifying customers that payment information may have been stolen due to malware on the checkout portions of their websites.
  • Other data breaches: Accenture confirmed it exposed massive amounts of data across four unsecured cloud servers, including passwords and secret decryption keys. Disqus said that 17.55 million users had their information compromised due to a security breach affecting a database from 2012 that included information dating back to 2007. A security researcher discovered a vulnerability in T-Mobile’s website that allowed malicious actors to gain access to customers’ personal data as long as they had a correct phone number. The previously reported breach at Deloitte compromised a server that contained the emails of at least 350 clients, The Guardian reported. Catholic United Financial is notifying members of a breach due to SQL injection attacks. Palo Alto High School officials warned that students’ personal information was breached and posted to a “rogue” website. SyncHR is notifying employees that it accidentally exposed their benefit information to other HR administrators and customers.
  • Other notable events: Nearly $60 million was stolen from Far Eastern International Bank in Taiwan using malware designed to generate fraudulent SWIFT messages. The bank said it has recovered the vast majority of the stolen funds, with only $500,000 still outstanding. A security bug in the music platform PledgeMusic allowed anyone to log into some users’ accounts using a correct email address along with an incorrect password or no password at all. The bug could have been exploited to make unauthorized payments and pledges to artists. David Kent, the founder of the networking website oilpro.com, was sentenced to one year and one day in prison for hacking into the database of competitor Rigzone, stealing information on over 700,000 customers, using that information to grow Oilpro, and then attempting to sell Oilpro with its inflated growth and stolen data to Rigzone.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Researchers have published the details of a yet-to-be-patched SQL injection vulnerability affecting BPC Banking Technologies’ SmartVista product suite after numerous reports of the bug went unanswered.

Exploiting the vulnerability requires authenticated access to the transactions portion of the SmartVista front end, the researchers said, and it can lead to the compromise of various sensitive data depending on the level of access the BPC SmartVista user was granted. Researchers said the company has yet to respond to multiple vulnerability reports from Rapid7, CERT/CC in the U.S., and SwissCERT that date as far back as May 10.

BPC’s website states that the company has 188 customers across 66 countries, including “huge tier 1 banks, and both midsize and smaller companies.” The website also states that all of its solutions are delivered via the SmartVista product suite, which “handles all aspects of ATM management, billing, mobile and contactless payments, settlement, point of sale, card issuing and acquiring, microfinance and electronic payments processing.”

Rapid7 researchers said that an attacker could craft a series of true/false statements to brute-force query the database, allowing information from accessible tables to be exposed, such as usernames and passwords. Rapid7 program manager Samuel Huckins told Threatpost the company was hesitant to publish its findings due to the potential for financial and data loss, but it has not received any response from BPC or evidence of the vulnerability being patched across many months.

“After a certain point, we needed to move forward and make it public in the hope they see it and take action,” Huckins said. “This could impact a lot of their customers who may not be aware of this at all.”

The researchers advised users to contact BPC support for more details, to limit access to the management interface of SmartVista, and to regularly perform audits of successful and failed logins.

Weekly Cyber Risk Roundup: Equifax Fallout and Widespread Bluetooth Vulnerabilities

Equifax continued to dominate cybersecurity discussion over the last week as security researchers, government officials, lawyers, and the media have continued to ask questions around the fallout related to the massive breach, which affects 143 million consumers in the U.S. as well as others across the globe.

Equifax confirmed that the actors behind the breach exploited an Apache Struts vulnerability (CVE-2017-5638). The Apache Software Foundation noted that the vulnerability was made public and a patch was issued for it on March 7, more than two months before the initial “mid-May” compromise at Equifax.

“In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner,” the foundation wrote in a blog post.

To add to the company’s woes, researchers discovered that an online portal for Argentinian employees to manage credit report disputes had, among other issues, the ridiculously easy-to-guess username and password combination of “admin” and “admin” — potentially leaking the sensitive information of those in Argentina and possibly other Latin American countries.

In addition, the FTC, which has opened an investigation into the breach, is warning consumers to be on the lookout for scams involving Equifax imposters and advising consumers to never give information to anyone who calls unprompted and claims to be from the company. Visa and Mastercard are also sending confidential alerts to U.S. financial institutions regarding the 209,000 payment card numbers that were also stolen in the breach. Brian Krebs reported that it appears those stolen payment cards are, ironically, tied to people signing up for credit monitoring service through Equifax. Finally, the breach has prompted Elizabeth Warren and 11 other Democratic senators to introduce a bill to give consumers the ability to freeze their credit for free.

Other trending cybercrime events from the week include:

  • Notable data breaches: The website canoe.ca said that the personal information of one million Canoe site users was compromised by a breach that affected databases containing records from 1996 to 2008. Children’s Hospital Colorado is notifying 3,400 patients that their information may have been compromised due to an employee’s email account being accessed by an unauthorized party on July 11. Donors of the Somerville House Foundation, which is responsible for running the elite school in Australia, were warned that a former employee had copied over their data to a personal hard drive.
  • Organizations expose data: Individuals who used translate.com may have had sensitive data they submitted made public and discoverable via search engines. Researchers and media have found a variety of sensitive data that was submitted to the site being leaked, including email exchanges, sensitive company documents, personal information, and more. Translate.com said, “there was a clear note on our homepage stating: ‘All translations will be sent to our community to improve accuracy’ and that ‘some of these requests were indexed by search engines such as Google and Microsoft at that time.’” The personal information of 593,328 Alaskan voters was exposed due to a misconfigured CouchDB database by Minnesota-based software company Equals3, which licensed the data from TargetSmart.
  • Ransomware incidents: Hackers were able to gain access to the communications system for Schuyler County via a brute-force attack, and as a result some enhanced 911 features were disrupted. Officials said that the county is rebuilding all of its files and servers following the attack, indicating that there may have been some sort of ransomware attack or other destructive malware. A ransomware infection has disrupted the Butler County, Kansas, computer system for several days and forced paperwork to be filled out by hand, the county sheriff said.
  • Arrests and legal actions: The Russian cybercriminal Roman Seleznev pleaded guilty to his role in the 2008 hack of RBS Worldpay and cashing out $2,178,349 associated with five hacked debit card numbers. Artur Sargsyan, the owner of the file-sharing website Sharebeast.com, has pleaded guilty to one felony count of copyright infringement related to the website, which facilitated the unauthorized distribution and reproduction of over one billion copies of copyrighted works. A North Carolina man who goes by the moniker “D3F4ULT” and was a member of the “Crackas With Attitude” hacking group has been sentenced to five years in prison for hacking government computer systems and the online accounts of government officials. A Texas man was sentenced to 27 months in prison for hacking and damaging 13 servers operated by the healthcare facility Centerville Clinic, Inc., as well as engaging in a scheme to defraud the facility using its purchase card to order merchandise from Staples after resigning from his role as a systems administrator. The U.S. Treasury department issued sanctions against 11 entities and individuals tied to Iran, including some actors who are accused of launching DDoS attacks against U.S. financial institutions between 2011 and 2013.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

Security researchers are advising people to ensure their Bluetooth connections are turned off when not in use after the discovery of a series of vulnerabilities that can be used to compromise billions of Bluetooth-enabled devices.

The eight vulnerabilities, dubbed “BlueBorne,” were first reported by Armis Labs and “are the most serious Bluetooth vulnerabilities identified to date,” according to a company spokesperson.

“BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure ‘air-gapped’ networks, and spread malware to other devices,” the researchers wrote in a paper detailing the vulnerabilities. “The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device. In addition, the targeted user is not required to authorize or authenticate the connection to the attacker’s device.”

As an Armis spokesperson told Bleeping Computer, one example of an attack could be a malicious actor simply walking into a bank carrying weaponized code on a Bluetooth-enabled device in order to infect other devices and gain a foothold on a previously secured network. In addition to the paper, Armis has uploaded videos showing how the BlueBorne attacks work across various devices.

Four of the vulnerabilities affect Android (CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785), two affect Linux (CVE-2017-1000251 and CVE-2017-1000250), one affects iOS (CVE-2017-14315), and one affects Windows (CVE-2017-8628). Ars Technica reported that the Windows vulnerability was patched in July, Google provided device manufacturers with a patch in August, Linux maintainers will likely release a patch soon, and iOS version 10 is not affected by the vulnerability.

Weekly Cyber Risk Roundup: More CIA Leaks, New Mirai Attacks, and LastPass Vulnerabilities

The CIA remained as the top trending cybercrime target of the week as WikiLeaks released a third set of documents related to the agency. The new release includes 676 source code files for the CIA’s secret anti-forensic Marble Framework, which WikiLeaks said “is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.”

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi,” WikiLeaks wrote in its announcement. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion.”

The fact that an intelligence agency would have tools to cover its tracks is hardly surprising. However, it appears that WikiLeaks will continue to leak CIA documents for the foreseeable future, and those leaks may have yet-to-be known implications for governments, tech companies, and cybercriminal actors. After the initial CIA leak in early March, WikiLeaks tweeted that it has released less than one percent of its Vault7 series.

Another recurring story in these roundups is the Mirai botnet, and researchers said this week that a new variant is likely behind a 54-hour long DDoS attack that targeted a U.S. college. The attack peaked at 37,000 requests per second, the most Incapsula has seen out of any Mirai botnet. The company said 56 percent of all IPs used in the attack belonged to DVRs manufactured by the same vendor. IoT devices continue to make headlines for vulnerabilities – including certain devices that were allegedly targeted by the CIA – and this past week saw new warnings of methods for hacking smart televisions as well as a vulnerability in an Internet-connected washer-disinfector. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, IoT devices have potentially become the largest digital footprint of organizations that is not under proper security management.

Other trending cybercrime events from the week include:

  • Data breaches expose more credentials:  A hacker has stolen the email addresses and MD5-hashed passwords of 6.5 million accounts from Dueling Network, a now-defunct Flash game based on the Yu-Gi-Oh trading card game. Although the game was shut down in 2016, the forum continued to run until recently. Nearly 14 million stolen and fake email credentials from the 300 largest U.S. universities are for sale on the dark web, a rise from only 2.8 million last year, according to the nonprofit Digital Citizens Alliance. The stolen email addresses and passwords sell from $3.50 to $10 each.
  • Warnings of skimming and keylogging devices: Carleton University in Ottawa said it discovered USB keylogging devices on six classroom computers during a routine inspection, and the university is urging staff and students to change passwords for any accounts they may have accessed from classroom computers. The San Bernardino County Sheriff’s Department has received more than 70 reports of credit card fraud tied to a suspected card skimming device in Big Bear. A Romanian citizen pleaded guilty to a scheme to defraud customers of Bank of America and PNC Bank via ATM skimming.
  • Ransomware notifications continue: Urology Austin has notified 200,000 patients of a January 22 ransomware attack that may have compromised their information. Ransomware encrypted files belonging to Forsyth Public Schools and information such as lesson plans and schedules stored by teachers on the district server is likely lost due to the incident. Estill County Chiropractic is notifying 5,335 patients of unauthorized access to its system and a ransomware infection that may have compromised their personal information. Ransomware was found on the computer systems of the Tweede Kamer, the lower house of Dutch parliament.
  • Former employee causes serious problems: A former IT administrator of the Lucchese Boot Company pleaded guilty to hacking the servers and cloud accounts of his employer after he was fired, and the company claims it lost $100,000 in new orders in addition to the extra IT costs it had to endure due to the attack. According to the complaint, the former employee logged into an administrator account after being fired and proceeded to shut down the corporate email and application servers, deleted files on the servers to block any attempts for a reboot, and then began shutting down or changing the passwords on the company’s cloud accounts.
  • Other notable cybercrime events: The personal information of 3.7 million Hong Kong voters and the city’s 1,200 electors may have been compromised when two laptops were stolen. Approximately 95,000 individuals who applied online for a job at McDonald’s in Canada had their information compromised due to unauthorized access to the company’s database. Multiple employees of the Washington University School of Medicine fell for phishing emails designed to steal credentials used to access their email. While investigating a data breach related to employees’ W-2 forms, Daytona State College discovered a second data breach involving student financial aid forms. A Russian citizen has pleaded guilty to his role in helping spread malware known as “Ebury,” which harvested log-on credentials from infected computer servers, allowing the criminal enterprise behind the operation to operate a botnet comprising tens of thousands of infected servers throughout the world.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

The password manager LastPass has addressed a series of vulnerabilities that were discovered by Google Project Zero researcher Tavis Ormandy, including one now-patched “unique and highly sophisticated” client-side vulnerability in the LastPass browser extension.

In a March 31 update, LastPass advised its users to ensure they are running the latest version (4.1.44 or higher) of the extension so that they are protected.

The vulnerability, which could be exploited to steal data and manipulate the LastPass extension, required first luring a user to either a malicious website or a website running malicious adware and then taking advantage of the way LastPass behaves in “isolated worlds,” the company said.

An isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared. LastPass explained:

“The separation is supposed to keep both sides safer from external manipulation. In some cases, these variables can influence the logic of the content script. It is difficult to inject arbitrary values into JavaScript using this technique. But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version.”

Fixing the issue required “a significant change” to the browser extensions and LastPass urges other extension developers to look for this pattern in their code and ensure that they are not vulnerable to a similar attack.

The patch came just 10 days after LastPass issued another update to address two other issues discovered by Ormandy that could allow an attacker to retrieve and expose information from the LastPass account, such as a user’s login credentials.

The incident serves as a reminder that vulnerabilities continue to be discovered in a variety of products, including the tools used to help keep individuals and organizations safe. Having a full accounting of an organization’s technology infrastructure as well as policies and procedures to track new vulnerabilities and patch software is one of the most effective ways to combat malicious actors who rely on exploiting well-known vulnerabilities.

Weekly Cyber Risk Roundup: Third-Party Breaches and Apache Struts Issues

Twitter is the week’s top trending cybercrime target after malicious actors leveraged a third-party analytics service known as Twitter Counter to hijack a number of Twitter accounts and post inflammatory messages written in Turkish along with images of Nazi swastikas. Hundreds of accounts were compromised, the Associated Press reported.

Forbes magazine, the Atlanta Police Department, Amnesty International, UNICEF USA, and Nike Spain were among the numerous Twitter accounts hijacked.

A Twitter spokesperson said it removed the permissions of the third-party app, which was the source of the problem. In a series of tweets on Wednesday, Twitter Counter responded to the issue: “We’re aware that our service was hacked and have started an investigation into the matter. We’ve already taken measures to contain such abuse. Assuming this abuse is indeed done using our system, we’ve blocked all ability to post tweets and changed our Twitter app key.”

Twitter hijackings are common, and we do not highlight them in this weekly report very often; however, the Twitter Counter compromise is worth noting due to the supply chain issues it represents. Organizations frequently use third-party services to help manage their numerous social media accounts, and that interconnectedness was one of the central themes of SurfWatch Labs’ annual threat intelligence report. “One of the most telling statistics in all of SurfWatch Labs’ evaluated cyber threat data is the rise of CyberFacts related to third parties,” the report stated. “It is clear that malicious actors are looking for any opportunity to exploit poor cybersecurity practices, and the supply chain provides an abundance of opportunity for cybercriminals to do so.”

Organizations should have a way to track, monitor, and address any issues pertaining to third-party tools and services so they can better manage the increased risk that stems from an interconnected world.


Other trending cybercrime events from the week include:

  • New point-of-sale breaches: A breach at point-of-sale vendor 24×7 Hospitality Technology appears to be behind a series of fraudulent transactions tied to Select Restaurants Inc. locations, Brian Krebs reported. 24×7 issued a breach notification letter in January saying that a network intrusion through a remote access application allowed a third party to gain access to some of 24×7 customers’ systems and execute PoSeidon malware. Multiple Australian schools are warning parents that individuals are reporting fraudulent payment card transactions after Queensland School Photography’s online ordering system was compromised.
  • Yahoo breach leads to indictments: A grand jury has indicted four individuals, including two officers of the Russian Federal Security Service (FSB), over their alleged roles in the hacking of at least 500 million Yahoo accounts. According to the Department of Justice, the FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated, and paid co-defendants Alexsey Belan and Karim Baratov to collect information through computer intrusions in the U.S. and elsewhere.
  • Breaches due to insecure databases and devices: Security researchers discovered hundreds of gigabytes of data from the Warren County Sheriff’s Department exposed due to an insecure network storage device, including a variety of sensitive documents and recordings. A Dun & Bradstreet database containing the personal information of 33.7 million U.S. individuals has been exposed, likely due to an unsecured MongoDB database. Dun & Bradstreet said that it owns the database, but stressed that the data was not stolen from its systems and that the information was approximately six months old. Thousands of sensitive U.S. Air Force documents were exposed due to an insecure backup drive belonging to an unnamed lieutenant colonel.
  • Ransomware infections continue to be announced: Summit Reinsurance is notifying individuals of a breach after discovering unauthorized access to a server as well as a ransomware infection. The city of Mountain Home, Arkansas, had to wipe the server of its water department and restore the data from a backup after a ransomware infection locked 90,000 files. Metropolitan Urology Group said a November 2016 ransomware infection exposed the health information of patients who received services between 2003 and 2010. Ransomware actors are shifting towards disrupting business services and demanding higher ransom payouts.
  • Other notable cybercrime events: A flaw in the old website of South African-based cinema chain Ster-Kinekor exposed the personal information of up to 6.7 million users. Three is notifying an additional 76,373 customers that their personal information was compromised in a November 2016 incident. Wishbone announced a data breach due to unknown individuals having “access to an API without authorization.” UK travel association ABTA announced that 43,000 individuals had their personal information compromised due to a vulnerability in the servers of a third-party hosting service. Arkansas is investigating whether malware stole the personal information of 19,000 individuals. Cincinnati Eye Institute, Landauer, and Virginia Commonwealth University Health System announced data breaches.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets]

Cyber Risk Trends From the Past Week

Earlier this month, a patch was issued to address a high-impact vulnerability in the Apache Struts Jakarta Multipart parser that allowed attackers to remotely execute malicious code. Shortly after the patch, an exploit appeared on a Chinese-language website. Researchers then confirmed that attackers were “widely exploiting” the vulnerability. Since then, the issue has continued to affect numerous organizations through data breaches and service downtime.

For example, the Canada Revenue Agency was one of the week’s top trending cybercrime targets after the Canadian government took the website for filing federal tax returns offline due to the vulnerability, temporarily halting services such as electronic filing until security patches could be put in place.  

John Glowacki, a government security official, said during a press conference that there was “a specific and credible threat to certain government IT systems,” and Statistics Canada confirmed that hackers broke into a web server by exploiting the Apache Struts vulnerability. Glowacki also said it was his understanding that some other countries “are actually having greater problems with this specific vulnerability [than Canada].”

Those other instances have not been as widely reported; however, GMO Payment Gateway confirmed a data breach related to the vulnerability. The Japanese payment processing provider announced that an Apache Struts vulnerability led to the leak of payment card data and personal information from customers who used the Tokyo Metropolitan Government website and Japan Housing Finance Agency site. According to the breach notification, the Tokyo Metropolitan Government credit card payment site leaked the details of as many as 676,290 payment cards, and the Japan Housing Finance Agency payment site leaked the details of as many as 43,540 payment cards. The breach was discovered after an investigation was launched on March 9 due to alerts about the vulnerability. Less than six hours later, GMO discovered unauthorized access and stopped all systems running with Apache Struts 2.

SurfWatch Labs analysts warn that users with root privileges running on unpatched Apache Struts are at high risk of being fully compromised, and organizations are encouraged to patch Apache web servers as soon as possible.

“Unfortunately, fixing this critical flaw isn’t always as easy as applying a single update and rebooting,” Ars Technica’s Dan Goodin noted. “That’s because in many cases, Web apps must be rebuilt using a patched version of Apache Struts.”

Weekly Cyber Risk Roundup: Cloudflare Aftermath and Online Stores Breached

The Cloudflare software bug that resulted in the potential leaking of sensitive data remained as the top trending cybercrime event of the past week as researchers continued to investigate and quantify the effects of the incident. In a March 1 blog post, Cloudflare CEO Matthew Prince described the “Cloudbleed” impact as “potentially massive” and said the bug “had the potential to be much worse” than the initial analysis suggested.


Cloudflare summarized its findings as of March 1:

  1. Their logs showed no evidence that the bug was maliciously exploited before it was patched.
  2. The vast majority of Cloudflare customers had no data leaked.
  3. A review of tens of thousands of pages of leaked data from search engine caches revealed a large number of instances of leaked internal Cloudflare headers and customer cookies, but no instances of passwords, credit card numbers, or health records.
  4. The review is ongoing.

The bug was first discovered by researcher Tavis Ormandy on February 17. Ormandy wrote that the data leakage may date back to September 22, 2016, and that he was able to find “full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

Prince said that “the nightmare scenario” would be if a hacker had been aware of the Cloudflare bug and had been able to quietly mine data before the company was notified by Google’s Project Zero team and a patch was issued. “For the last twelve days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched,” Prince wrote. “We’ve found nothing so far to indicate that was the case.”


Other trending cybercrime events from the week include:

  • Political hacks and fallout continue: The daughter of political consultant Paul Manafort had her iPhone data hacked, and a database containing more than 280,000 text messages, many of which shed light on the family’s views of Russia-aligned Ukrainian strongman Viktor Yanukovych and President Donald Trump, has been leaked on a darknet website run by a hacktivist collective. The files appear to have been accessed through a backup of Andrea Manafort’s iPhone stored on a computer or iCloud account. Three Russians were recently charged with treason for allegedly passing secrets to U.S. firm Verisign and other unidentified American companies, which in turn shared them with U.S. intelligence agencies. The charges come after the U.S. has accused Russia of hacking, and Reuters reported the charges may be a signal that Russia “would now take action against forms of cooperation that it previously tolerated.”
  • More payment card breaches: Hospitality company Benchmark announced a payment card breach affecting six of its properties, including the hotel front desks of Doral Arrowwood, Eaglewood Resort & Spa, and the Santa Barbara Beach & Golf Resort and the food and beverage locations of The Chattanoogan, Willows Lodge, and Turtle Bay Resort. Niagara-Wheatfield School District officials are warning individuals who purchased tickets to attend a school production of “The Lion King” that there have been several reports of credit card fraud tied to those purchases. The school sold the tickets using the ticket sales platform ShowTix4U; however, a spokesperson said there may have been other ways the credit card information could have become compromised. Touring and transportation company Roberts Hawaii is notifying customers of a payment card breach. Authorities are urging customers of Downeast Credit Union in Belfast to check their accounts for suspicious activity after the discovery of a skimming device in an ATM at the Down East Credit Union Belfast branch.
  • Unauthorized access due to employees and poor security: Vanderbilt University Medical Center is notifying 3,247 patients that their patient files were accessed between May 2015 and December 2016 by two staff members who worked as patient transporters. WVU Medicine University Healthcare is notifying 7,445 patients that their protected health information was compromised due to an employee accessing the data without authorization, and 113 of the patients are victims of identity theft. Chicago Public Schools students had their information potentially compromised due to a Google spreadsheet that did not require a login and included special education students’ personal information.
  • Other notable cybercrime events: Spiral Toys sells an internet-connected teddy bear that allows kids and parents to exchange messages via audio recordings, and more than two million of those messages, as well as more than 800,000 email addresses and bcrypt-hashed passwords, have been potentially compromised due to being stored on a database that wasn’t behind a firewall or password-protected. Singapore’s Ministry of Defence said that a “targeted and carefully planned” attack resulted in a breach of its I-net system. An actor using the name “CrimeAgency” on Twitter claims to have hacked 126 vBulletin-based forums that were using outdated versions of the software. Luxury motorcoach company Hampton Jitney is advising customers to change their passwords after a security breach discovered on Wednesday compromised personal information stored by the company.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets]

Cyber Risk Trends From the Past Week

Several companies have issued breach notification letters related to a malware incident at Aptos, Inc., which provides e-commerce solutions for a number of online stores. The breach at Aptos was discovered in November 2016, and notification by the various companies affected was delayed until recently at the request of law enforcement.

According to a notification from Mrs Prindables:

Mrs Prindables along with a wide range of major retailers, utilizes a third party company named Aptos to operate and maintain the technology for website and telephone orders. On February 6, 2017, Aptos informed us that unauthorized person(s) electronically accessed and placed malware on Aptos’ platform holding information for 40 online retailers, including Mrs Prindables, from approximately February 2016 and ended in December 2016. Aptos has told us that it discovered the breach in November 2016, but was asked by law enforcement investigating the incident to delay notification to allow the investigation to move forward.

Other companies to issue breach notification letters, as noted by databreaches.net, include: AlphaIndustries.com, AtlanticCigar.com, BlueMercury.com, Hue.com, MovieMars.com, Nutrex-Hawaii.com, PegasusLighting.com, PlowandHearth.com, Purdys.com, Runnings.com, Sport-Mart.com, Thiesens.com, VapourBeauty.com, WestMusic.com, and PercussionSource.com.

The breach announcement comes on the heels of a report that found “a steady rise” in online fraud attack rates throughout 2016. The shift in tactics toward card-not-present fraud was expected as increased security associated with the U.S. adoption of EMV technology made card-present fraud less profitable. Fraud does not go away; it only shifts. As SurfWatch Labs’ Adam Meyer has said, fraud is like a balloon: apply a little pressure to one area and malicious actors quickly expand into an area with less resistance.

However, card-present fraud is still impacting organizations. The past month saw a point-of-sale breach at InterContinental Hotels Group that affected the restaurants and bars of 12 properties and another breach that affected six Benchmark properties. In addition, malware was discovered on the payment systems of Arby’s corporate locations. Nevertheless, SurfWatch Labs cyber threat intelligence data, along with reports from other researchers, clearly shows a continued shift as cybercriminals move to find the sweet spot between difficulty and profit when it comes to payment card fraud — and that increasingly appears to be online.

Weekly Cyber Risk Roundup: Cloudflare Bug Discovered, Typos Lead to Theft

This week’s biggest story is the Cloudflare software bug discovered by Google researchers and disclosed Thursday that could have compromised private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” wrote John Graham-Cumming, the CTO of Cloudflare, which provides performance and security services to numerous major websites. “We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

The bug was discovered by researcher Tavis Ormandy on February 17, and the data leakage may date back to September 22. However, the greatest period of impact was between February 13 and February 18 “with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage,” the company said. Popular services such as Uber, 1Password, FitBit, OkCupid, and many more use Cloudflare. Uber told media outlets the impact on its customers is minimal since “very little Uber traffic actually goes through Cloudflare,” and 1Password said the company “designed 1Password with the expectation that SSL/TLS can fail” exactly for these types of incidents.

Days before the public disclosure, Ormandy wrote: “I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.” Then in another comment, “We’re still working on identifying data that needs to be purged from caches.”

As Wired reported, efforts to discover any leaked data that has been cached and not yet scrubbed “has become something of an internet-wide scavenger hunt.”


Other trending cybercrime events from the week include:

  • Presidential campaign website defaced: A hacker going by the name “Pro_Mast3r” defaced a presidential campaign website for Donald Trump with a message that read, in part, “Peace From Iraq.” The hacker told Brian Krebs that he exploited a DNS misconfiguration to assume control of secure2.donaldjtrump.com.
  • New databases continue to be sold on the dark web: An actor using the name “Berkut” is selling a database of 950,000 user accounts for the website of the music festival Coachella that was allegedly stolen this month. Motherboard confirmed the legitimacy of the database, which contains email addresses, usernames, and hashed passwords. The $300 listing claims that 360,000 of the accounts are related to the main Coachella website and the other 590,000, which contain additional information such as IP addresses, are related to the message board.
  • Employees and students access sensitive data: Dignity Health St. Joseph’s Hospital and Medical Center is notifying approximately 600 patients that a part-time hospital employee viewed portions of their medical records without a business reason between October 1, 2016, and November 22, 2016. An Ohio Department of Taxation employee was fired for accessing the confidential tax information of relatives and acquaintances dozens of times. A student of the South Washington County school district in Minnesota hacked into the district’s server and downloaded the data of more than 15,000 people to an external hard drive in January.
  • Cybercrime-related arrests and sentencing: On Wednesday, February 22, UK law enforcement announced the arrest of a 29-year-old British man charged with suspicion of carrying out the cyber attack against Deutsche Telekom in November of last year, which impacted up to 900,000 customers of the ISP. SurfWatch Labs analysts have moderate confidence that this individual is the hacker known as “Bestbuy,” and additional researchers have said the actor also used the alias “Popopret.” A former systems administrator for Georgia-Pacific was sentenced to 34 months in prison and ordered to pay damages of more than $1 million after pleading guilty to remotely accessing the plant’s computer system and intentionally transmitting code and commands designed to cause significant damage to Georgia-Pacific and its operations.
  • Other cybercrime announcements: The personal information of 55 million voters in the Philippines was compromised when a computer from the Office of the Election Officer in Wao, Lanao del Sur was stolen, but the data was encrypted using AES-256. A spear phishing campaign against individuals in the Mongolian government used the popular remote access tool Poison Ivy as well as two publicly available techniques to evade AppLocker application whitelisting, four stages of PowerShell scripts to make execution difficult to trace, and decoy documents to minimize user suspicion. The Texas Department of Transportation said a breach of its automated administrative system affected a small number of employees whose information was compromised and potentially altered. Actress Emily Ratajkowski is the latest celebrity to have an iCloud account containing sensitive information hacked.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets]

Cyber Risk Trends From the Past Week

The Cloudflare bug can be traced back to a single character of code, which resulted in a buffer overrun, the company said.

“The Ragel code we wrote contained a bug that caused the pointer to jump over the end of the buffer and past the ability of an equality check to spot the buffer overrun,” Graham-Cumming said. “Had the check been done using >= instead of == jumping over the buffer end would have been caught.”
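A simplified illustration of the failure Graham-Cumming describes, added here and not Cloudflare's or Ragel's code: a scanner whose position can advance two steps at once, with the end of input tested once with `==` and once with `>=`. The arena contents, the `<` skip rule and every name are constructed for the example; an index stands in for the pointer, and bytes 8 to 15 stand in for unrelated adjacent memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample memory: bytes 0..7 are the scanner's input buffer,
 * bytes 8..15 stand in for unrelated data that happens to sit next to it. */
static const char ARENA[] = "abc<def<" "#SECRET!";
#define ARENA_LEN 16
#define INPUT_LEN 8

typedef struct {
    char   out[ARENA_LEN + 1]; /* bytes the scanner emitted, NUL-terminated */
    size_t out_len;
    size_t overread;           /* bytes examined past the end of the input */
} result;

/* Copy the input to out, dropping every '<' together with the byte after it.
 * That two-step advance is what lets pos jump from len-1 straight to len+1.
 * flawed != 0 tests for the end with ==, flawed == 0 tests with >=.
 * The ARENA_LEN bound exists only to keep this demo inside defined memory. */
static result scan(size_t len, int flawed)
{
    result r;
    size_t pos = 0;

    memset(&r, 0, sizeof r);
    for (;;) {
        int at_end = flawed ? (pos == len) : (pos >= len);
        if (at_end || pos >= ARENA_LEN)
            break;
        if (pos >= len)
            r.overread++;      /* reading memory that is not ours */
        if (ARENA[pos] == '<') {
            pos += 2;          /* may step over len without ever equalling it */
            continue;
        }
        r.out[r.out_len++] = ARENA[pos++];
    }
    return r;
}

/* Helpers so callers can check results without touching the struct. */
static size_t overread_bytes(size_t len, int flawed)
{
    return scan(len, flawed).overread;
}

static int output_is(size_t len, int flawed, const char *want)
{
    result r = scan(len, flawed);
    return strcmp(r.out, want) == 0;
}

int main(void)
{
    result bad = scan(INPUT_LEN, 1);
    printf("== check emits \"%s\", %zu bytes past the end\n",
           bad.out, overread_bytes(INPUT_LEN, 1));
    printf(">= check stops at the boundary: %s\n",
           output_is(INPUT_LEN, 0, "abcef") ? "yes" : "no");
    return 0;
}
```

With a 7-byte input that does not end in `<`, both variants stop at the boundary, which is why an equality test like this can pass ordinary testing and fail only on inputs that trigger the double advance at the last byte.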

Cloudflare wasn’t the only company to face issues due to a single character. Zerocoin announced last Friday that a typographical error of a single additional character in code allowed an attacker to create Zerocoin spend transactions without a corresponding mint, resulting in the creation of about 370,000 Zcoins. Zerocoin discovered the bug when it noticed the total mint transactions did not match up with the total spend transactions. All but around 20,000 of the Zcoins were completely sold for around 410 BTC in profit. “Despite the severity of the hack, we will not be forfeiting or blacklisting any coins,” Zerocoin wrote in an announcement. “Trading will resume once pools and exchanges have had time to update their code. A new release will be pushed out pretty soon.”

These types of small issues continue to cause major issues for organizations. This past week also saw reports that a database belonging to digital publisher Ziff Davis could have been exfiltrated due to a website configuration issue affecting itmanagement.com, potentially exposing 7.5 million records. The database contained names, phone numbers, employment details, and email and employer addresses, as well as contact information for users registered on other Ziff Davis properties. Contact information for anyone in the shared database could have been viewed by incrementing or decrementing a field in a URL belonging to one Ziff Davis publication, according to multiple researchers.

There was also the discovery that more than 1.4 million emails sent over Harvard Computer Society (HCS) email lists were found to be public, including emails divulging Harvard students’ grades, financial aid information, bank account numbers for some student organizations, advance copies of a final exam, answer keys to problem sets, and more – likely since the default setting for HCS list archives was public. In addition, New York’s Stewart International Airport publicly exposed 760GB of server backup data for over a year due to a network storage drive, which was installed by a contracted third-party IT specialist, that contained several backup images of servers and was not password protected.

The week’s incidents are yet another reminder that a good portion of effective cyber hygiene revolves around looking inward at an organization’s technology, policies, and procedures and their associated cyber risk.