Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.

[Chart omitted: 2017-05-19 top trending targets]

As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company, as well as Rockwell Automation and the Swiss robotics and automation firm ABB, also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.

[Chart omitted: 2017-05-19 top trending groups]

Other trending cybercrime events from the week include:

  • Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
  • Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
  • Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
  • Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the schools’ IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-05-19 newly seen targets]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-05-19 risk scores]

As WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

  • AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
  • Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
  • Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers have previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry. The “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers’ rambling blog post, these monthly dumps could include:

  • web browser, router, and handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.

Weekly Cyber Risk Roundup: Scottrade Exposes Data and ATMs Get Blown Up, Drilled and Infected

The CIA remained the top trending cybercrime target of the week as WikiLeaks released a fourth set of documents related to the agency. The new dump includes 27 documents from the CIA’s Grasshopper framework, which WikiLeaks described as “a platform used to build customized malware payloads for Microsoft Windows operating systems.” The leaked CIA tools will likely continue to dominate much of the cybercrime discussion in the coming weeks as WikiLeaks appears to have a slow-drip campaign designed around maximizing the leak’s publicity.

[Chart omitted: 2017-04-07 top trending targets]

The top trending new cybercrime target of the week was Scottrade, which was one of several organizations to experience a data breach due to insecure, publicly exposed data. The Scottrade incident was caused by “human error” at third-party vendor Genpact, which uploaded a data set to one of its cloud servers without the proper security protocols in place. As a result, “the commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses” was exposed, Scottrade said in a statement.

Security researcher Chris Vickery, who discovered the exposed database, said it contained 48,000 lessee credit profile rows and 11,000 guarantor rows, and that each row contained various types of personal information, including Social Security numbers. The database also contained internal information such as plain text passwords and employee credentials used for API access to third-party credit report websites.

Those who read this roundup each week know that breaches due to insecure databases are common, and in addition to Scottrade, Vickery also discovered “a trove of data from a range of North Carolina government offices, including Dept of Administration, Dept of Health and Human Services, Division of Medical Assistance, Dept of Cultural Resources, Dept of Public Safety, Office of State Controller, Office of State Budget and Management, NC IT Department.”

[Chart omitted: 2017-04-07 top trending groups]

Other trending cybercrime events from the week include:

  • IRS announces another data breach: The IRS is notifying 100,000 people that their tax information may have been compromised due to a data retrieval tool used when filling out the Free Application for Federal Student Aid (FAFSA). Officials first learned of the potential issue in September 2016, but the service was not disabled until suspicious activity was observed in February. Malicious actors could pretend to be students, start the financial aid application with relatively little stolen information, and give permission for the IRS to populate the form with tax data that could then be used for fraudulent returns.
  • Highly sensitive patient data sold on the dark web: A breach at Behavioral Health Center appears to have compromised thousands of patients’ sensitive data, including evaluations, session notes, and records of sex offenders and sex abuse victims. An actor on the dark web claims between 3000 and 3500 unique individuals are in the data, which has since been sold to another actor. “These are not just basic fullz, these are the COMPLETE clinician notes from EVERY session with a patient, sometimes spanning hundreds of sessions over years,” read a listing on the dark web. “Everything confessed/discussed in complete privacy is in here for thousands of patients. All records are from 2007 to current date.”
  • Healthcare organizations targeted: An amateur actor appears to be targeting healthcare organizations with spear phishing messages designed to infect victims with a variant of the Philadelphia ransomware, an unsophisticated ransomware kit that sells for a few hundred dollars. Researchers believe spear phishing messages containing a shortened URL that led to a malicious DOCX file on a personal storage site were used to infect a hospital from Oregon and Southwest Washington. ABCD Pediatrics said that its servers were infected with “Dharma Ransomware” and while investigating the incident the company also discovered suspicious user accounts that suggested a separate incident of unauthorized access.
  • APT10 hacking group makes headlines: The APT10 hacking group has gained access to the systems of an “unprecedented web” of victims by first targeting managed outsourced IT service companies with spear phishing messages and custom malware and then using those companies as a stepping stone into their clients’ systems. The group also inserted malicious links into certain pages of the National Foreign Trade Council’s website in order to target individuals registering for specific meetings.
  • Other notable cybercrime events: The International Association of Athletics Federations said information related to athletes’ therapeutic use exemption applications was compromised due to unauthorized access to its network by “Fancy Bear.” The Dutch National Charity Lotteries said that around 450,000 customers were impacted by a vulnerability in the computer systems of Lotteries’ supplier OpenOfferete. Cybercriminals stole $40,000 of direct deposit money meant for Denver Public Schools after numerous employees fell for a phishing email. A hack of digital content network Omnia affected a variety of popular YouTube channels. The New York Post app was hacked and used to send to out a series of false push notifications. Arrests were made in Dubai related to breaking into the emails of five senior White House officials and attempting to blackmail the officials with what a local law enforcement official described as “highly confidential information.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-04-07 newly seen targets]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-04-07 risk scores]

While business email compromise scams and other digital fraud continue to impact numerous organizations, several stories this week proved that criminals are still attempting to steal physical cash from ATMs around the world.

The flashiest story involved a gang based out of England that used explosives and stolen high-powered vehicles to rip ATMs from walls. The gang would then put the stolen ATMs inside a large truck and drive away, in at least one instance right past the very police looking for them. Police announced that several recent raids had led to the arrest of the gang. Less flashy attempted ATM thefts from hotels in Edmonton led police to advise businesses last month that owners should bolt ATMs to the floor and place them in well-lit, high-traffic areas that are monitored by surveillance cameras.

A new, more discreet method of stealing money from ATMs involves emptying the cash stored in certain models by drilling a three-inch hole in its front panel and using a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser. Kaspersky Lab researchers first became aware of the attack in September 2016 when a bank client discovered an empty ATM with a golf-ball sized hole by the PIN pad. Since then, similar attacks using the drill technique have been observed across Russia and Europe. The researchers did not name the ATM manufacturer, but they said the issue is difficult to fix since it would require replacing hardware in the ATMs to add more authentication measures.

Kaspersky Lab also released findings on another series of ATM attacks, first hinted at back in February when a series of attacks that used in-memory malware to infect banking networks were reported. Code from the penetration-testing tool Meterpreter was combined with a number of legitimate PowerShell scripts and other utilities to create malware that could hide in memory and invisibly collect the passwords of system administrators. That access was then used to remotely install a new breed of ATM malware called ATMitch, Kaspersky Lab researchers said in a report issued last week.

The ATMitch malware communicates with the ATM as if it is legitimate software and makes it possible for attackers to collect information about the number of banknotes in the ATM’s cassettes as well as dispense money at the touch of a button. The attackers may still be active, the researchers noted, but it is unknown how many ATMs have been targeted by the malware since the malware self-deletes after the attack. What is clear is that ATM machines remain a popular target for criminals, and businesses should be aware of the evolving methods — both crude and sophisticated — being used to steal the cash inside them.

Weekly Cyber Risk Roundup: More CIA Leaks, New Mirai Attacks, and LastPass Vulnerabilities

The CIA remained as the top trending cybercrime target of the week as WikiLeaks released a third set of documents related to the agency. The new release includes 676 source code files for the CIA’s secret anti-forensic Marble Framework, which WikiLeaks said “is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.”

[Chart omitted: 2017-04-01 top trending targets]

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi,” WikiLeaks wrote in its announcement. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion.”

The fact that an intelligence agency would have tools to cover its tracks is hardly surprising. However, it appears that WikiLeaks will continue to leak CIA documents for the foreseeable future, and those leaks may have yet-to-be-known implications for governments, tech companies, and cybercriminal actors. After the initial CIA leak in early March, WikiLeaks tweeted that it has released less than one percent of its Vault7 series.

Another recurring story in these roundups is the Mirai botnet, and researchers said this week that a new variant is likely behind a 54-hour long DDoS attack that targeted a U.S. college. The attack peaked at 37,000 requests per second, the most Incapsula has seen out of any Mirai botnet. The company said 56 percent of all IPs used in the attack belonged to DVRs manufactured by the same vendor. IoT devices continue to make headlines for vulnerabilities – including certain devices that were allegedly targeted by the CIA – and this past week saw new warnings of methods for hacking smart televisions as well as a vulnerability in an Internet-connected washer-disinfector. As SurfWatch Labs chief security strategist Adam Meyer recently wrote, IoT devices have potentially become the largest digital footprint of organizations that is not under proper security management.

[Chart omitted: 2017-04-01 top trending groups]

Other trending cybercrime events from the week include:

  • Data breaches expose more credentials: A hacker has stolen the email addresses and MD5-hashed passwords of 6.5 million accounts from Dueling Network, a now-defunct Flash game based on the Yu-Gi-Oh trading card game. Although the game was shut down in 2016, the forum continued to run until recently. Nearly 14 million stolen and fake email credentials from the 300 largest U.S. universities are for sale on the dark web, a rise from only 2.8 million last year, according to the nonprofit Digital Citizens Alliance. The stolen email addresses and passwords sell from $3.50 to $10 each.
  • Warnings of skimming and keylogging devices: Carleton University in Ottawa said it discovered USB keylogging devices on six classroom computers during a routine inspection, and the university is urging staff and students to change passwords for any accounts they may have accessed from classroom computers. The San Bernardino County Sheriff’s Department has received more than 70 reports of credit card fraud tied to a suspected card skimming device in Big Bear. A Romanian citizen pleaded guilty to a scheme to defraud customers of Bank of America and PNC Bank via ATM skimming.
  • Ransomware notifications continue: Urology Austin has notified 200,000 patients of a January 22 ransomware attack that may have compromised their information. Ransomware encrypted files belonging to Forsyth Public Schools and information such as lesson plans and schedules stored by teachers on the district server is likely lost due to the incident. Estill County Chiropractic is notifying 5,335 patients of unauthorized access to its system and a ransomware infection that may have compromised their personal information. Ransomware was found on the computer systems of the Tweede Kamer, the lower house of Dutch parliament.
  • Former employee causes serious problems: A former IT administrator of the Lucchese Boot Company pleaded guilty to hacking the servers and cloud accounts of his employer after he was fired, and the company claims it lost $100,000 in new orders in addition to the extra IT costs it had to endure due to the attack. According to the complaint, the former employee logged into an administrator account after being fired and proceeded to shut down the corporate email and application servers, deleted files on the servers to block any attempts for a reboot, and then began shutting down or changing the passwords on the company’s cloud accounts.
  • Other notable cybercrime events: The personal information of 3.7 million Hong Kong voters and the city’s 1,200 electors may have been compromised when two laptops were stolen. Approximately 95,000 individuals who applied online for a job at McDonald’s in Canada had their information compromised due to unauthorized access to the company’s database. Multiple employees of the Washington University School of Medicine fell for phishing emails designed to steal credentials used to access their email. While investigating a data breach related to employees’ W-2 forms, Daytona State College discovered a second data breach involving student financial aid forms. A Russian citizen has pleaded guilty to his role in helping spread malware known as “Ebury,” which harvested log-on credentials from infected computer servers, allowing the criminal enterprise behind the operation to operate a botnet comprising tens of thousands of infected servers throughout the world.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-04-01 newly seen targets]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-04-01 risk scores]

The password manager LastPass has addressed a series of vulnerabilities that were discovered by Google Project Zero researcher Tavis Ormandy, including one now-patched “unique and highly sophisticated” client-side vulnerability in the LastPass browser extension.

In a March 31 update, LastPass advised its users to ensure they are running the latest version (4.1.44 or higher) of the extension so that they are protected.

The vulnerability, which could be exploited to steal data and manipulate the LastPass extension, required first luring a user to either a malicious website or a website running malicious adware and then taking advantage of the way LastPass behaves in “isolated worlds,” the company said.

An isolated world is a JavaScript execution environment that shares the same DOM (Document Object Model) as other worlds, but things like variables and functions are not shared. LastPass explained:

The separation is supposed to keep both sides safer from external manipulation. In some cases, these variables can influence the logic of the content script. It is difficult to inject arbitrary values into JavaScript using this technique. But in a particularly clever move, the report demonstrated that arbitrary strings could be injected, and one of these was enough to trick the extension into thinking it was executing on lastpass.com. By doing so, an attacker could manipulate the LastPass extension into revealing the stored data of that user, and launch arbitrary executables in the case of the binary version.

Fixing the issue required “a significant change” to the browser extensions and LastPass urges other extension developers to look for this pattern in their code and ensure that they are not vulnerable to a similar attack.
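The pattern LastPass describes, as an added illustration written for this roundup and not LastPass’s own code: a content script that decides whether it is on the trusted site by substring-matching a string the page can influence, beside a hardened check that parses the value as a URL and requires an exact https origin. The TRUSTED_ORIGINS list and the sample inputs are constructed for the example.

```javascript
// Added illustration (not LastPass code): how a content script's
// "am I running on the trusted site?" decision can be fooled by an injected
// string, and a stricter form of the same check.
// TRUSTED_ORIGINS and SAMPLE_INPUTS are constructed for this example.
const TRUSTED_ORIGINS = new Set(["https://lastpass.com", "https://www.lastpass.com"]);

// Weak check: substring match. Any value that carries "lastpass.com" anywhere
// (query string, subdomain of another host, plain http) is accepted.
function isTrustedWeak(value) {
  return typeof value === "string" && value.includes("lastpass.com");
}

// Hardened check: parse as a URL, require https and an exact origin match.
// A value that does not parse at all is treated as untrusted.
function isTrustedStrict(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return false;
  }
  return url.protocol === "https:" && TRUSTED_ORIGINS.has(url.origin);
}

// In a real extension the value to check should be window.location.origin read
// in the content script's own world: page scripts cannot reassign the location
// object, whereas a string pulled from the shared DOM (an attribute, a
// postMessage payload) can be chosen by the page.
const SAMPLE_INPUTS = [
  "https://lastpass.com/vault",                 // genuine
  "https://www.lastpass.com/",                  // genuine
  "http://lastpass.com/",                       // wrong scheme
  "https://lastpass.com.attacker.example/",     // lookalike host
  "https://attacker.example/?ref=lastpass.com", // trusted name only in the query
  "javascript:lastpass.com",                    // not an http(s) URL at all
];

// For each sample, record what the two checks decide.
function compareChecks(inputs = SAMPLE_INPUTS) {
  return inputs.map((value) => ({
    value,
    weak: isTrustedWeak(value),
    strict: isTrustedStrict(value),
  }));
}

// Number of inputs the weak check accepts but the strict check rejects.
function weakOnlyCount(inputs = SAMPLE_INPUTS) {
  return compareChecks(inputs).filter((r) => r.weak && !r.strict).length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```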

The patch came just 10 days after LastPass issued another update to address two other issues discovered by Ormandy that could allow an attacker to potentially retrieve and expose information from a LastPass account, such as a user’s login credentials.

The incident serves as a reminder that vulnerabilities continue to be discovered in a variety of products, including the tools used to help keep individuals and organizations safe. Having a full accounting of an organization’s technology infrastructure as well as policies and procedures to track new vulnerabilities and patch software is one of the most effective ways to combat malicious actors who rely on exploiting well-known vulnerabilities.

Weekly Cyber Risk Roundup: Massive Leaks Expose CIA Secrets and Alleged Spam Operation

The week’s top trending cybercrime story was WikiLeaks’ release of more than 8,000 documents related to the U.S. Central Intelligence Agency. The dump, called “Vault 7,” contains information on the CIA’s hacking tools and methods and is “the largest ever publication of confidential documents on the agency,” according to WikiLeaks.

[Chart omitted: 2017-03-11 top trending targets]

“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks wrote in a press release. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

The leak has led to widespread reports on the CIA’s hacking capabilities, including tools to compromise Windows, OS X, iOS, and Android devices; ways to circumvent popular antivirus programs; an exploit that uses a USB stick to turn smart TVs into bugging devices; and efforts to infect vehicle control systems. The U.S. is investigating the source of the leaks, which a CIA spokesperson described as deeply troubling and “designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries.”

WikiLeaks said it carefully reviewed the published documents and has avoided “the distribution of ‘armed’ cyberweapons until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should [be] analyzed, disarmed and published.” On Thursday, WikiLeaks founder Julian Assange held a press conference where he said WikiLeaks would give technology companies “exclusive access” to the details of the exploits so that they could patch any software flaws; however, Thomas Fox-Brewster of Forbes reported that as of Saturday morning companies such as Google and Microsoft had yet to receive those technical details from WikiLeaks.

[Chart omitted: 2017-03-11 top trending groups]

Other trending cybercrime events from the week include:

  • Verifone investigating data breach: Verifone, the largest maker of credit card terminals used in the U.S., is investigating a breach after being alerted in January by Visa and MasterCard that malicious actors appeared to have been inside of Verifone’s network since mid-2016, a source told KrebsOnSecurity. “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame,” Verifone wrote in a statement to Brian Krebs. “We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”
  • TalkTalk responds to scam center report: Two days after the BBC reported on an industrial-scale Indian scam call center targeting TalkTalk customers, the UK-based Internet service provider temporarily banned TeamViewer and other similar remote control software programs over security issues related to the scammers. TeamViewer said that it is “in extensive talks to find a comprehensive joint solution to better address this scamming issue.”
  • Tax information continues to be targeted: Daytona State College is notifying employees that their W-2 information may have been stolen after some employee W-2 statements were discovered being sold on cybercriminal markets. A glitch in Rhode Island’s Department of Human Services’ computer system resulted in more than 1,000 people receiving tax forms with the wrong information. Malicious actors are sharing concerns about government efforts to combat tax fraud, as well as tips on how those protections can be circumvented, on various dark web forums.
  • Organizations face extortion demands: Since the U.S. presidential election, at least a dozen progressive groups have faced extortion attacks where malicious actors search organizations’ emails for embarrassing details and then threaten to release that information if blackmail demands ranging from $30,000 to $150,000 are not paid. A Florida man was charged with intentionally damaging computers that hosted a San Diego software company’s website. The Pennsylvania Senate Democratic Caucus computer system was shut down after a ransomware infection made the system inaccessible to caucus members and employees. Fake extortion demands and empty threats are on the rise as cybercriminals capitalize on the growing number of ransom-related attacks.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart omitted: 2017-03-11 newly seen targets]

Cyber Risk Trends From the Past Week

[Chart omitted: 2017-03-11 risk scores]

Nearly every week researchers discover new data breaches due to publicly exposed databases that require no authentication, and this past week insecure rsync backups exposed the entire operation of River City Media (RCM), providing a rare glimpse inside what security researcher Chris Vickery described as “a massive, illegal spam operation.”

The discovery led to a months-long investigation as MacKeeper Security Research Center, CSO Online, and Spamhaus came together to examine the data, which included everything from Hipchat logs to accounting details to infrastructure planning and more. Vickery said that there are enough spreadsheets, hard drive backups, and chat logs leaked to fill a book, and both CSO Online and MacKeeper have already teased future stories peeling back additional layers of the operation.

But perhaps the most alarming discovery — along with details of abusive scripts and techniques that have been forwarded to Google, Microsoft, Apple, and others — is a database of nearly 1.4 billion email accounts combined with real names, user IP addresses, and often physical addresses. Those email lists are used by RCM, which masquerades as a legitimate marketing firm, to send up to a billion emails a day, much of which can be classified as spam, according to the researchers.

On Thursday RCM issued a press release addressing the “numerous false and defamatory” statements made by the researchers and news outlets. The company said that the researchers did not find RCM’s “confidential and proprietary information through an unprotected rsync backup” and that if the researchers had contacted them prior to publication “they would have realized that a number of the statements in their articles were false and easily disprovable.” However, the press release did not provide an alternative explanation for how the researchers accessed the data, and Vickery said the company was not alerted since “it was decided that we should approach law enforcement and the affected companies (like Microsoft and Yahoo) before making any attempts at contacting the spammers directly.”

“What was legal and illegal isn’t for me to decide,” said Vickery. “But there are plenty of logs where they discuss illegal scripts and research into basically attacking mail servers and tricking the mail servers into doing things that would be against the law.”

Expect additional information to be reported in the coming weeks as the researchers and reporters comb through all of the data that was exposed.
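The RCM exposure described above came down to a backup share that anyone who could reach the rsync daemon was able to read. As an added example (not SurfWatch Labs’ code, nor anything from the researchers or RCM), the following POSIX shell script audits an rsyncd.conf for modules that define neither an `auth users` credential requirement nor a `hosts allow` source restriction. The sample configuration it writes is constructed for the demonstration; its module names, paths and address range are assumptions.

```shell
#!/bin/sh
# Added example: audit rsyncd.conf for modules exposed without authentication.
# The sample configuration below is constructed for this demonstration; its
# module names, paths and address range are assumptions, not RCM's settings.

# Write a two-module sample config to the path given as $1.
write_sample_config() {
  cat > "$1" <<'EOF'
# Weak: anyone who can reach TCP/873 can list and pull this module.
[backups]
    path = /srv/backups
    read only = yes
    list = yes

# Hardened: credentials required, hidden from listing, restricted to one range.
[backups_secure]
    path = /srv/backups
    read only = yes
    list = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
EOF
}

# Print one line per module that lacks "auth users" or "hosts allow", e.g.
#   backups: auth-users hosts-allow
# Prints nothing when every module carries both restrictions.
audit_rsyncd_conf() {
  awk '
    function report() {
      if (mod != "") {
        missing = ""
        if (!has_auth)  missing = missing " auth-users"
        if (!has_hosts) missing = missing " hosts-allow"
        if (missing != "") print mod ":" missing
      }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*\[.*][ \t]*$/ {                     # new [module] section
      report()
      mod = $0
      sub(/^[ \t]*\[/, "", mod); sub(/][ \t]*$/, "", mod)
      has_auth = 0; has_hosts = 0
      next
    }
    /^[ \t]*auth users[ \t]*=/  { has_auth = 1 }
    /^[ \t]*hosts allow[ \t]*=/ { has_hosts = 1 }
    END { report() }
  ' "$1"
}

# Demonstration on the constructed sample. On a real host the check is simply:
#   audit_rsyncd_conf /etc/rsyncd.conf
sample=$(mktemp)
write_sample_config "$sample"
audit_rsyncd_conf "$sample"
rm -f "$sample"
```

Run against the sample, the script reports only the `backups` module, since `backups_secure` carries both a credential requirement and a host restriction. `list = no` on its own is not a control (the module is still readable by anyone who guesses its name), which is why the audit keys on `auth users` and `hosts allow` rather than on listing.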

Weekly Cyber Risk Roundup: Services Get Disrupted and Hacking Elections

Distributed denial-of-service (DDoS) attacks and other incidents leading to service interruption have been widely discussed in the cybersecurity community ever since the October attack against DNS provider Dyn. This past week saw Mirai-driven attacks that reportedly knocked out Internet access for the entire country of Liberia; however, security researchers such as Brian Krebs noted that those news articles may have exaggerated the facts, as there is little evidence “anything close to a country-wide outage” occurred as a result of the attack.

2016-11-11_ITT.png

“While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to [substantiate] that,” Daniel Brewer, general manager for the Cable Consortium of Liberia, told Krebs.

Nevertheless, concerns around DDoS attacks remain high, and some have speculated that the attacks against Liberia and others may be test runs for a larger attack in the future.

In other service interruption news, two apartment buildings located in Lappeenranta, Finland, and managed by facilities services company Valtia had the systems that controlled central heating and warm water circulation disabled by a DDoS attack. The systems tried rebooting the main control circuit in response to the attack, the CEO of Valtia said, and this was repeated in an endless loop, resulting in the heat not working for the properties. Also, an unspecified malware infection caused three UK hospitals to cancel operations, outpatient appointments and diagnostic procedures for three days while staff access to patient records was restored. According to The Sun, approximately 3,300 patients at hospitals in Grimsby, Scunthorpe and Goole were affected. The attacks led to a high-severity alert being issued to National Health Service providers reminding “all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”

2016-11-11_groups

Other trending cybercrime events from the week include:

  • Fraud and financial loss continue: Tesco Bank said the widespread criminal activity that led to the halting of online transactions has been narrowed down to £2.5 million in losses across 9,000 accounts – a drop from the 20,000 accounts previously reported. Sentinel Hotel is notifying customers of a breach after reports of unauthorized charges on guests’ payment cards led to the discovery of malware on a point-of-sale terminal. City of El Paso officials revealed the city was scammed out of more than $3 million via a phishing attack. The city has recovered about half of the money. A ransomware infection recently locked up several government systems in Madison County, Indiana, and county commissioners voted to pay the extortion demands in order to regain control of those systems.
  • Poor security leads to potential breaches: Researchers discovered that 128 car dealership systems were being backed up to a central location without any encryption or security, potentially exposing the personal information of both customers and employees. Cisco is warning job applicants that information on the Cisco Professional Careers mobile website may have been exposed as a result of an incorrect security setting following system maintenance. Newfoundland and Labrador’s privacy commissioner is ordering Eastern Health to examine controls around employees logging out of accounts after an incident in which a doctor failed to log out of Meditech patient information software and patient information was accessed and printed by an unknown person.
  • More breaches and data dumps: Two hackers claim to have used SQL injection to steal personal information from seven Indian High Commission websites and published the stolen databases in a Pastebin post. Anonymous Italia has defaced several police websites and leaked 70 megabytes of data presumably stolen from the databases of the Sindacato Autonomo Polizia Penitenziaria’s blog and its official monthly magazine. Integrity Transitional Hospital, based in Texas, recently reported a health data hacking incident that potentially affects the information of more than 29,000 patients.
  • Cybercrime leads to arrests: A man has been arrested for compromising more than a thousand university email accounts and then using that access to further compromise other social media and online accounts. The man allegedly accessed one university’s password reset utility approximately 18,640 different times between October 2015 and September 2016 and successfully changed the passwords for 1,035 unique accounts. An employee of Lex Autolease Limited pleaded guilty to selling the personal information of hundreds of customers to a third party. A 19-year-old hacker pleaded guilty to creating and running the Titanium Stresser booter service, which has been used in more than 1.7 million DDoS attacks worldwide.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2016-11-11_ittnew

Cyber Risk Trends From the Past Week

2016-11-11_risk

Most industry sectors saw a slight decline in their SurfWatch Labs’ cyber risk scores this week. The biggest story of late, naturally, was the U.S. presidential election, and now that it is over, pundits from both sides are reflecting on how their candidates managed to win or lose the race. That examination includes the role that cybersecurity, hacking and data leaks may have played in the outcome.

In fact, back in August we posed that very question: would 2016 be the first presidential campaign ultimately swung by information obtained in a data breach? The answer remains uncertain. What is certain is that cyber-issues were put front-and-center in a way we have never seen in any other presidential election.

For example, in the days leading up to the election, WikiLeaks published 8,000 more leaked emails from the Democratic National Committee, dubbed #DNCLeak2. That dump came after a previous release of 20,000 emails from the DNC as well as 50,000 emails from Hillary Clinton aide John Podesta. The effect of those stolen emails being steadily leaked — and other cyber-issues such as Clinton’s personal email server — may be impossible to quantify, but they likely contributed in some way to nearly 60 percent of voters who perceived Clinton as a dishonest and untrustworthy candidate.

WikiLeaks founder Julian Assange wrote an election day post defending his actions and stating that publishing the stolen emails was not an attempt to influence the outcome of the election.

“We publish material given to us if it is of political, diplomatic, historical or ethical importance and which has not been published elsewhere,” Assange wrote. “At the same time, we cannot publish what we do not have. To date, we have not received information on Donald Trump’s campaign, or Jill Stein’s campaign, or Gary Johnson’s campaign or any of the other candidates that fulfills our stated editorial criteria.”

Clearly, Assange is saying that if WikiLeaks did have information on other political candidates then that information would be made public as well — as it has been in the past with the release of hundreds of thousands of emails related to the government of Turkey. WikiLeaks claims to be non-partisan, but other threat actors do have a biased agenda, and those actors are likely to be emboldened by the success of this year’s election-related hacks.

As Wired wrote: “For Russia, [Trump’s win] will also be taken as a win for the chaos-injecting tactics of political hacks and leaks that the country’s operatives used to meddle in America’s election — and an incentive to try them elsewhere. … That Russia perceives those operations as successful, experts say, will only encourage similar hacks aimed at shifting elections and sowing distrust of political processes in Western democracies, particularly those in Europe.”

Those efforts are already underway, researchers have noted, with at least a dozen European organizations being targeted by groups linked to the Russian state since the hacks against the DNC. Whether this election was ultimately swayed by breaches and other cyber-issues may be up for debate, but what is clear is that political and advocacy organizations are actively being targeted and that threat actors will likely try to influence future elections across the globe to align with their goals.

WADA, Presidential Election Highlight Threat of Data Being Altered

Last week the World Anti-Doping Agency (WADA) released an update about its investigation into the recent hack and subsequent leaks of Olympic Athletes’ confidential information, and one of the more interesting revelations was that some of the stolen data may have been manipulated prior to being leaked.

“WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS [Anti-Doping Administration and Management System] data,” the agency wrote in a blog post. “However, we are continuing to examine the extent of this as a priority and we would encourage any affected parties to contact WADA should they become aware of any inaccuracies in the data that has been released.”

WADA did not elaborate on which athletes’ data may have been altered or provide any other explanation for the discrepancies, but the finding does highlight a unique cybersecurity concern that has surfaced recently: threat actors manipulating stolen data in order to increase the fallout from a breach.

A History of Fake and Exaggerated Breaches

Hackers have a long history of re-purposing data in order to claim new attacks.

Just last week the actor known as Guccifer 2.0 posted a dump of data allegedly stolen from the Clinton Foundation, claiming that “it was just a matter of time to gain access to the Clinton Foundation server.” However, a variety of news outlets have since reported the data appears to be from a previous hack of the Democratic Congressional Campaign Committee and the Democratic National Committee — not the Clinton Foundation. Prior to that there was a Pastebin post alleging a “full database leak” at cryptocurrency exchange Poloniex. Once again, the company was quick to dispute the claim, posting on social media that the data was actually from another company’s breach a year prior.

poloneix.PNG
Tweet from Poloniex Exchange

Claims of fake or exaggerated data breaches are troublesome for organizations, but they’re not as insidious as the manipulation of legitimate data.

“Imagine trying to explain to the press, eager to publish the worst of the details in [leaked] documents, that everything is accurate except this particular email. Or that particular memo,” security blogger Bruce Schneier wrote last month. “It would be impossible. Who would believe you? No one.”

WikiLeaks, Sputnik News and Donald Trump

An example of this potential issue was highlighted yesterday through a combination of WikiLeaks, Russia’s Sputnik News, and Donald Trump. On Monday morning, WikiLeaks released 2,000 emails that appear to be from the account of Hillary Clinton’s campaign chairman, John Podesta. One of those emails was from Clinton ally Sidney Blumenthal and contained a Newsweek article about the Benghazi hearings. Sputnik News then incorrectly reported on the email — either intentionally or as a result of sloppy journalism — quoting the Newsweek article in the email as if it were Blumenthal’s own thoughts on the subject. Hours later, Donald Trump quoted that false Sputnik News article at a rally in Wilkes-Barre, Pennsylvania, telling the crowd that Blumenthal said the “attack was almost certainly preventable” and that Blumenthal was “now admitting they could have done something about Benghazi.”

That falsehood could be the result of the miscommunication inherent in a game of telephone — from Podesta’s email to WikiLeaks to Sputnik News to Donald Trump to the booing crowd — or it could be, as the author of the original Newsweek article suggested, an intentional effort from Russia.

This is not funny. It is terrifying. The Russians engage in a sloppy disinformation effort and, before the day is out, the Republican nominee for president is standing on a stage reciting the manufactured story as truth. How did this happen? …

The Russians have been obtaining American emails and now are presenting complete misrepresentations of them—falsifying them—in hopes of setting off a cascade of events that might change the outcome of the presidential election.

It was just last week that Congressman Adam Schiff put forth this very idea in The New York Times. Russia could take already-stolen emails, alter them, and give the impression that one of the presidential candidates had done something outrageous or illegal, potentially altering the election.

The Blumenthal story was quickly corrected by viewing the source email on WikiLeaks, but what if the source itself had been altered? In a dump of 2,000 legitimate-looking emails, who would believe that one email, or one line within an email, was altered?

As Schneier wrote: “No one.”

Tactic Beyond Nation-States?

The examples cited above have been extremely high-profile events. Leaked data tied to the Olympics or a presidential race faces a far higher level of journalistic scrutiny than an ordinary dump of company documents, communications or other internal data. For those breached organizations, proving that leaked data was altered may be more difficult, and it may prove harder still to spread news of that proof without a media echo chamber to amplify that message.

While altering data may not be the most profitable avenue for cybercriminal groups, not all threat actors are concerned about profits. Hacktivists could alter data to create a scandal for political purposes. Malicious insiders may manipulate leaked communications to embarrass an executive or otherwise harm their organization. Competitors may tweak stolen documents to damage their rivals’ reputation and steal customers.

Even those motivated by profit may find ways to incorporate data alteration into their toolset. Data destruction has quickly become a common tag in SurfWatch Labs’ cyber threat intelligence data due to the surge in ransomware infections in recent years, and actors who are demanding tens or hundreds of thousands of dollars in extortion are likely to use every tool available to them to push organizations towards paying ransoms.

Many of the stories related to altered data currently revolve around nation-states, but like everything in cybersecurity, copycats can be expected if it proves to be a successful tactic. It’s just one more cyber risk facing organizations — and one more reason to prioritize keeping your organization’s data safe from malicious actors.

Hacking the Presidency: Will Data Breaches Help Decide the 2016 Presidential Election?

The 2016 presidential election hasn’t been without controversy. Both candidates have blemishes on their records that have left many Americans with a bitter pill to swallow when voting comes in November, and cybersecurity has been put front and center in a way never before seen in a U.S. election. Email hacks, data breaches, cybersecurity ineptitude — they’re not just conversation topics among infosec wonks, but major campaign talking points.

Cybercrime has already infiltrated many facets of our everyday lives. Account information, payment card information, trade secrets, and more are regularly obtained and sold like merchandise on underground markets. Cyber-espionage also remains a huge threat as organizations and governments attempt to secure their precious secrets. With such a divided nation over who will become our next president, could the recent data breach of Democratic National Committee (DNC) data be a sign of what’s to come in this election?

More importantly, could this be the first presidential campaign ultimately swung by leaked information obtained in a data breach?

The information released by WikiLeaks from the DNC email breach caused an uproar from American citizens, as the emails released showed a clear bias for Hillary Clinton over Bernie Sanders — a claim made by the Sanders campaign months before the DNC data breach. While none of the DNC information shows correspondence from Hillary Clinton directly, the DNC breach — along with other related cybersecurity issues — has had a big impact on Clinton’s polling numbers. However, the latest polls show Clinton above Trump by a favorable margin.

Clinton isn’t out of hot water yet. WikiLeaks founder Julian Assange told PBS’s Judy Woodruff in a recent interview that there would be more information released that will negatively affect Clinton’s campaign:

It’s a wide range of material. It covers a number of important issues. There’s a variety of natural batches and some thematic constellations that we’re working on.

It’s interesting material. We have done enough work now that we are comfortable with the material’s authenticity. And so now it’s a matter of completing the format, layout to make it easy and accessible and so that journalists can easily extract material from it, extract stories from it, and also the general public.

DNC Fallout from Breach

DNC chairwoman Debbie Wasserman Schultz announced her resignation as national party chair following the leak of the stolen DNC emails. Since the Democratic National Convention wrapped up, more high-profile DNC officials have announced their resignations as well.

Chief Executive Amy Dacey, Chief Financial Officer Brad Marshall, and Communications Director Luis Miranda have all resigned just days after a new chair took over for Schultz. Luis Miranda was one of the key figures whose email account was breached and leaked by WikiLeaks.

The rest of the DNC members whose accounts were hacked have not resigned, including National Finance Director Jordon Kaplan, Finance Chief of Staff Scott Comer, Finance Director of Data & Strategic Initiatives Daniel Parrish, Finance Director Allen Zachary, Senior Advisor Andrew Wright, and Northern California Finance Director Robert Stowe.

Donald Trump in the Mix

During the DNC breach investigation, evidence was discovered linking Russia to the cyber-attack. Based on this information, Trump called for Russia to conduct cyber-espionage against Hillary Clinton:

“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said referencing Clinton’s email scandal. “I think you will probably be rewarded mightily by our press.”

Trump later said he was kidding about his comment.

Not every politician found his remarks funny. Democratic Senators Chris Coons of Delaware and Sheldon Whitehouse of Rhode Island recently petitioned Senator and former Presidential candidate Ted Cruz to conduct an investigation into Trump’s support of involvement from Russia in U.S. elections. The Senators wrote the letter to Cruz because he chairs the Senate Judiciary Subcommittee on Oversight, which potentially could have jurisdiction in the matter. Cruz has not responded to the letter and his involvement in the matter is not likely.

Still, the damage has been done to Trump, as the Clinton campaign is alleging that he has ties with Russian President Vladimir Putin, which makes his “joke” no laughing matter.

The data breach of the DNC, the controversy surrounding Clinton’s emails, accusations that Russia is trying to directly influence the election — this is the first time a presidential election cycle has been so heavily dominated by cybersecurity events.

The effects, at least for the candidates, have been relatively mild so far, but with WikiLeaks promising more leaks painting Hillary Clinton in a bad light, there is the potential that a close election in November could ultimately be decided based on cybersecurity.

No matter the outcome, cybersecurity has gained a national stage and everyone should take notice. Understanding cyber threats and the potential consequences of those threats is vital, whether you’re an employee, an executive, or a presidential candidate.