Weekly Cyber Risk Roundup: Uber’s Breach Woes, Major Cybercriminals Prosecuted

Uber was the week’s top trending cybercrime target due to the announcement of a year-old breach that affects 57 million customers and drivers. In addition, the company admitted to paying the hackers $100,000 in an effort to keep the breach out of the public eye.


The data was stolen in October 2016, and it includes the names, email addresses, and phone numbers of 50 million Uber riders, as well as the driver’s licenses and personal information of approximately 7 million drivers. Bloomberg reported that two attackers accessed a private GitHub repository used by Uber software engineers, used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company, and then discovered an archive of rider and driver information they later used to extort the company.

The breach announcement is just the latest chapter in Uber’s security and legal woes, and Dara Khosrowshahi, who took over as chief executive officer in September, said that the company is “changing the way we do business” moving forward. The payment of $100,000 to conceal the breach and have the attackers delete the stolen information led to the firing of Uber’s chief security officer and another employee for their roles in the incident. Reuters reported that three senior managers within Uber’s security unit have since resigned as well.

Europe’s national privacy regulators have formed a task force to investigate Uber’s breach and the company’s attempt at concealing it from regulators. In addition, numerous state attorneys general have initiated investigations or lawsuits related to the breach. The breach also came a week before three senators introduced a national bill that would require companies to report data breaches within 30 days.


Other trending cybercrime events from the week include:

  • Organizations continue to expose data: Researchers found 111 GB of internal customer data from National Credit Federation exposed online via a publicly accessible Amazon S3 bucket. Researchers discovered three publicly accessible Amazon S3 buckets tied to Department of Defense intelligence-gathering operations that contain at least 1.8 billion posts of scraped internet content over the past 8 years. Researchers discovered data belonging to the United States Army Intelligence and Security Command (INSCOM) exposed on the internet, including internal data and virtual systems used for classified communications. A security researcher discovered a file containing 11 million email addresses and plaintext passwords for users of Armor Games and Coupon Mom. Dalhousie University is notifying 20,000 individuals that their personal information was inadvertently saved to a folder accessible by faculty, staff, and students.
  • Email incidents lead to breaches: YMCA of Central Florida is notifying individuals that an unauthorized person gained access to several employee email accounts, potentially compromising a variety of personal information including ID cards, financial information, and health information. The Medical College of Wisconsin said that 9,500 patients had their information compromised due to a spear phishing attack on the school’s email system. Ireland’s Central Statistics Office said that 3,000 former employees had their personal information exposed due to an error that resulted in their personal P45 information being sent via email.
  • More extortion attacks: The British shipping company Clarksons said that it was the victim of a data breach and that the actors behind the breach have threatened to release some of the stolen data if a ransom is not paid. The Texas Department of Agriculture, which oversees school breakfast and lunch programs, said that several East Texas school districts were affected by a ransomware infection on a department employee’s computer. A server used by USA Hoist Company, Mid-American Elevator Company, and Mid-American Elevator Equipment Company to store employee and vendor information was infected with ransomware by a group claiming to be TheDarkOverlord.
  • Other notable incidents: Imgur said that it was recently notified by a researcher of a data breach that occurred in 2014 affecting the email addresses and passwords of 1.7 million user accounts. Combat Brands is notifying customers of breach of payment card data involving cards used at fightgear.com, fitness1st.com, ringside.com, and combatsports.com between July 1, 2015 and October 6, 2017. The Australian Department of Social Services is notifying 8,500 individuals that data relating to staff profiles within the department’s credit card management system prior to 2016 has been compromised due to a breach at a contractor. Brinderson, L.P. is notifying employees that their personal information may have been compromised due to unauthorized access to one of its computer systems.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets for the week ending 2017-12-1]

Cyber Risk Trends From the Past Week

This past week saw several notable legal actions against cybercriminals.

The most prominent figure was Roman Valeryevich Seleznev, aka Track2, who was sentenced to 14 years in prison for his role in the 2008 defrauding of Atlanta-based payment card processor RBS Worldpay – which led to the theft of 45.5 million debit card numbers and $9.4 million in fraudulent ATM withdrawals – as well as his role in selling stolen payment card and personal data to members of carder.su – a cybercriminal website that resulted in victims losing at least 50 million dollars.

As SurfWatch Labs noted in April, Seleznev is already serving a 27-year prison sentence, the longest ever related to cybercrime, for his role in a separate $170 million payment card fraud operation. The prosecutors in that case described Seleznev as “the highest profile long-term cybercriminal ever convicted by an American jury” and a “pioneer” and “revered” point-of-sale hacker in the criminal underworld. Seleznev’s two sentences will be served concurrently.

In addition, the U.S. government has charged three Chinese nationals with hacking into Siemens AG, Trimble Inc, and Moody’s Analytics between 2011 and 2017 to steal business secrets. According to the indictment, the three defendants were associated with the Chinese cybersecurity firm Guangzhou Bo Yu Information Technology Company Ltd. Government officials told Reuters that most if not all of the firm’s hacking operations are state-sponsored and directed; however, the case is not being prosecuted as state-sponsored hacking.

The week also saw the guilty plea of one of the four men indicted earlier this year on charges related to the hacking of Yahoo. Karim Baratov, 22, a Canadian national and resident, pleaded guilty for his role in assisting the three other men who are charged and remain at large in Russia. The three other men are accused of hacking Yahoo’s network, and Baratov said in his plea agreement that he hacked more than 11,000 webmail accounts in total from around 2010 until March 2017, including accounts of individuals of interest to the FSB as directed by one of the other men. Baratov’s sentencing hearing is scheduled for February 20, 2018.

Finally, Europol announced that a joint law enforcement action across 26 countries had led to the arrest of 159 individuals and the identification of 766 money mules and 59 money mule organizers. The money mule transactions accounted for total losses of nearly €31 million, more than 90 percent of which was cybercrime related.

Weekly Cyber Risk Roundup: Yahoo Breach Expands, Equifax Grilled, Another NSA Insider

Yahoo and Equifax were both back in the news this week due to new details emerging around their respective data breaches, including Yahoo revising the number of affected accounts to three billion and Equifax’s former CEO being grilled before Congress.


Yahoo had previously stated that its 2013 data breach affected one billion user accounts, which made it the most widespread data breach in history. On Tuesday Verizon Communications, which acquired Yahoo for $4.48 billion in June, tripled the number of impacted accounts to include all three billion of Yahoo’s user accounts. The breach was particularly egregious not only because of its size, but because it involved sensitive information such as the security questions and answers and backup email addresses used to recover accounts. Yahoo’s massive 2013 breach is in addition to a separate, previously disclosed breach that affected 500 million Yahoo accounts in 2014.

This week also saw the congressional testimony of Equifax’s former CEO Richard Smith. Smith said the breach was due to a combination of “both human error and technology failures” around implementing an Apache Struts patch made available on March 6, which was not patched for months despite a policy stating patches occur within a 48-hour time period. The testimony was met with harsh criticism from some lawmakers. For example, Sen. Elizabeth Warren (D-Mass.) questioned the entire business model of Equifax, claiming that the company has no incentive to protect consumer data and highlighting various avenues through which the company is making “millions of dollars off its own screwup.” Warren said that Equifax may “actually come out ahead” financially in regards to its breach, which affects 145 million people.

Despite the ongoing fallout, the IRS renewed a $7.25 million contract with Equifax to use its services to verify taxpayer identities. The contract drew major criticism; however, IRS Deputy Commissioner Jeffrey Tribiano said it was a necessary “stop gap” so millions of taxpayers did not lose access to their transcripts.

Other trending cybercrime events from the week include:

  • Newly announced data breaches: Auburn Eye Care Associates of California was hacked by TheDarkOverlord and thousands of patients records were stolen from its electronic health record system. Cabrillo Community College District said that it discovered unauthorized access to a server containing a database with student orientation information. The Online Traffic School said that customer information was compromised due to an individual gaining unauthorized access to part of its network. Northwestern Mutual Life Insurance Company said that customer information was compromised due to a financial advisor falling for a scam that led to a malicious actor gaining remote access to a desktop computer multiple times. The law firm Clark Hill had its systems accessed by Chinese hackers and sensitive documents related to Chinese dissident Guo Wengui were subsequently released on Twitter. Phoenix Inn Suites is the latest hotel to issue a breach notification tied to the Sabre Hospitality Solutions SynXis Central Reservations system.
  • Organizations expose data: A misconfigured database that collected data on activity on a number of NFL-related domains such as the National Football League Players Association’s website exposed the data of 1,133 NFL players and agents. The database also included a ransom message from February 2017 similar to the ones targeting other Elasticsearch servers earlier this year — indicating that the data was accessed by cybercriminals. FlexShopper said a database containing payment and other customer information may have been exposed on the internet for several days. National Bank of Canada said that 400 customers had their personal information exposed due to a website glitch. Graton Resort and Casino, Kenco, and North Carolina A&T State University all announced breaches related to inadvertently disclosing sensitive customer, employee, and student data via email attachments.
  • Other notable incidents: U.S. government officials believe that the personal cellphone of chief of staff John Kelly was compromised, and the compromise may date back to December 2016. The R6DB gaming service, which provides statistics for Rainbow Six Siege gamers, said that an automated bot breached its PostgreSQL installation and wiped the database then demanded a ransom payment. Etherparty said it had to shut down its website for 90 minutes after discovering a fraudulent contribution address on the site just an hour after the ICO for its FUEL token went live. The City of Englewood said that it was hit with a ransomware infection. The UK National Lottery and Kazakhstan banks reported service disruptions due to DDoS attacks.
  • Arrests and legal actions: A federal indictment alleges that a former Hewlett-Packard Enterprise Corp. employee intentionally caused damage to Oregon’s Medicaid Management Information System (MMIS) after being laid off, resulting in an eight-hour loss of functionality for the system. The former principal of Seven Peaks School in Oregon is being sued for allegedly downloading thousands of private documents related to the students and staff, including psychological evaluations of students.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets for the week ending 2017-10-06]

Cyber Risk Trends From the Past Week

On Thursday, The Wall Street Journal reported that the Russian government was able to steal highly classified NSA material from an NSA contractor who removed the classified material and put it on his home computer without the NSA’s knowledge.

The sources said that the breach, which occurred in 2015, was first discovered in the spring of 2016 and included details about how the NSA penetrates foreign computer networks, code it used for such spying, and details on how the NSA defends networks inside the U.S.

Sources told the WSJ that the hackers appear to have used the antivirus software created by Russia-based Kaspersky Lab in order to identify the files on the contractor’s computer. The paper also reported that it is the first known incident of the popular antivirus software being exploited by Russian hackers to conduct espionage against the U.S. government.

Kaspersky Lab said it “has not been provided any information or evidence substantiating this alleged incident, and as a result, we must assume that this is another example of a false accusation.”

The alleged NSA breach provides some insight into reports that the FBI has been urging private companies throughout the year to discontinue using Kaspersky products due to intelligence that indicated the company is an unacceptable threat to national security. In addition, the Department of Homeland security issued a directive in September ordering federal agencies to take actions to ultimately remove Kaspersky-related products from government computers.

The breach also appears to be separate from the incidents involving NSA contractor Harold T. Martin III, who hoarded large quantities of sensitive NSA data and hacking tools in his home, and TheShadowBrokers, a group that is best known for the April 2017 release of stolen NSA exploits such as EternalBlue, among others. As we noted in our August blog, officials have not linked TheShadowBrokers to Martin’s insider theft, and it appears the same can be said of the newly reported NSA breach. However, this new incident now makes two recent insiders who have successfully taken highly confidential NSA data home — and at least one case of that data then being successfully targeted by foreign hackers once it was in a less secure environment.

Weekly Cyber Risk Roundup: Yahoo’s Value Drops and New Regulations

Yahoo is once again back in the news for a variety of reasons, including a reported third data breach. However, it appears the reports of a “new breach” stem from additional notifications that were sent to some users on Wednesday regarding forged cookies being used to access accounts. Yahoo first disclosed that it was notifying affected users that “an unauthorized third party accessed our proprietary code to learn how to forge cookies” in its December 2016 breach announcement.


“As we have previously disclosed, our outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users’ accounts without a password,” a Yahoo spokesperson said regarding the recent account notifications. “The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders.”

In addition to users potentially growing weary of Yahoo’s months-long series of breach notifications, two senators sent a letter to Yahoo questioning the company’s “willingness to deal with Congress with complete candor” about the recent breaches. Initial inquiries showed that “company officials have been unable to provide answers to many basic questions about the reported breaches” and a planned congressional staff meeting was cancelled at the last minute by Yahoo, wrote Sen. John Thune, chairman of the Senate Commerce Committee, and Sen. Jerry Moran, chairman of the Consumer Protection and Data Security Subcommittee. The letter requests answers to five questions related to Yahoo’s breaches and subsequent response by February 23.

All of that negative press may translate into hundreds of millions of dollars being cut from Yahoo’s pending deal to be acquired by Verizon. Bloomberg reported last Wednesday that the two companies were close to reaching a renegotiated deal that would lower the price of the core Yahoo business from $4.8 billion to about $4.55 billion — a $250 million discount. In addition, the remaining aspects of Yahoo, to be renamed Altaba Inc., will likely share any ongoing legal responsibilities related to the breaches, although the deal is not yet final.


Other trending cybercrime events from the week include:

  • Variety of espionage campaigns: A campaign dubbed “Operation BugDrop” targeted a broad range of Ukrainian targets by remotely controlling computer microphones in order to eavesdrop on sensitive conversations, and at least 70 victims have been confirmed in a range of sectors including critical infrastructure, media, and scientific research. A phishing campaign against journalists, labor rights activists, and human rights defenders used fully-fleshed out social media accounts of a fake UK university graduate to engage with targets for months and make repeated attempts to bait the targets into handing over Gmail credentials. Spyware from the Israeli cyberarms dealer NSO Group has been found on the phones of nutrition policy makers, activists and government employees that are proponents of Mexico’s soda tax, leading to concerns over how the NSO Group is vetting potential government clients and whether a Mexican government agency is behind the espionage.
  • Actor breached dozens of organizations: A hacker going by the name “Rasputin” has breached more than 60 universities and government agencies by allegedly using a self-developed SQL injection tool. The targets included dozens of universities in the U.S. and the UK, city and state governments, and federal agencies like the Department of Health and Human Services.
  • Employee data compromised: In addition to a growing list of organizations impacted by W-2 phishing emails, Lexington Medical Center announced a W-2 breach involving unauthorized access to its employee information database known as eConnect/Peoplesoft. The city of Guelph, Ontario, is notifying some employees that their personal information was compromised when a flash drive containing sensitive documents was accidentally given to a former city employee as part of an ongoing wrongful dismissal lawsuit. A data breach at the San Antonio Symphony compromised the data of about 250 employees.
  • Ukraine accuses Russia of critical infrastructure attacks: Ukrainian officials accused Russia of targeting their critical infrastructure with malware designed to attack specific industrial processes, including modules that sought to harm equipment inside the electric grid. The attacks employed a mechanism dubbed “Telebots” to infect computers that control infrastructure. Researchers believe that Telebots evolved from BlackEnergy, a group that first attacked Ukraine’s energy industry in December 2015.
  • Other cybercrime announcements: FunPlus, the creators of the popular mobile game Family Farm Seaside, said it was the victim of a data breach, and the actor behind the attack claims to have stolen millions of email addresses as well as 16GB of product source code. Columbia Sportswear announced that it is investigating a cyber-attack on its prAna online clothing store. Hackers have stolen data on approximately 3,600 customers of Danish telecom company 3 and then attempted to blackmail the company for millions of dollars in return for not making the data public. Family Service Rochester, an organization that works with families with child welfare or family violence concerns, is notifying individuals of unauthorized access to their personal information, as well as a ransomware infection. Bingham County computer servers were infected with ransomware. The Russian Healthcare Ministry recently experienced its “largest” DDoS attack in recent years.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets for the week ending 2017-02-20]

Cyber Risk Trends From the Past Week

In addition to Yahoo, the past few weeks have seen several new regulatory announcements and fines related to data breaches.

For starters, New York Governor Andrew Cuomo announced that new regulations will go into effect on March 1, 2017, “to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks.” The regulation includes minimum standards organizations must meet, such as:

  • Controls relating to the governance framework for a robust cybersecurity program, including adequate funding, staffing, oversight, and reporting
  • Standards for technology systems, including access controls, encryption, and penetration testing
  • Standards to help address breaches, including an incident response plan, preservation of data, and notice to the Department of Financial Services (DFS) of material events
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to DFS

In addition to the New York regulations, the Australian data breach notification law passed through the Senate and will go into effect either by a proclaimed date or a year after receiving Royal Assent. Violating these soon-to-be-implemented rules can be costly for organizations. Over just the past week organizations of various sizes announced breach-related settlements — most of which were compounded by not following required security practices.

  • Memorial Healthcare Systems will pay $5.5 million for failing “to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules.”
  • Horizon Blue Cross Blue Shield of New Jersey will pay $1.1 million over the theft of unencrypted laptops.
  • Grand Buffet restaurant will pay $30,000 over the theft of payment card information by an employee and failing to implement corrective actions after being informed about the mishandling of credit cards.

Following the cybersecurity best practices outlined by regulatory bodies can not only help prevent many security incidents from occurring in the first place, but in the event of a breach those organizations are far less likely to face the wrath of government bodies.

Weekly Cyber Risk Roundup: New PoS Breaches and Simple Attacks

The week’s top trending event was the compromise at Freedom Hosting II, which has been estimated to host as much as 20 percent of active dark web sites. As a result, thousands of dark web sites were taken offline, and the stolen data has since been widely shared.

Security researcher Troy Hunt, who reviewed some of the data, said that 381,000 email addresses were exposed along with a 2.2GB MySQL file that contained database backups of customers with “a very broad range of data from different systems.” Hunt added that “a significant amount” of that data is illegal. The hacker taking credit for the incident told Motherboard that the discovery of 10 sites hosting child pornography was the impetus for escalating the attack from read-only access to gaining system privileges, which was done using a 21-step process.

The other big news of late is the announcement of several new point-of-sale data breaches. InterContinental Hotels Group (IHG) announced a point-of-sale breach affecting customers who used payment cards at the restaurants and bars of 12 properties, and fast-food chain Arby’s confirmed that malware was discovered on the payment systems of corporate locations. The incidents mirror the beginning of 2016, which saw similar breach announcements from Hyatt hotels and fast-food chain Wendy’s. The IHG breach is smaller than last year’s Hyatt announcement, which likely affected guests at 250 hotels, but the Arby’s breach may be comparable to the Wendy’s breach, which affected 1,025 locations.

More than 1,000 of the 3,300 total Arby’s restaurants are corporate owned; however, not every corporate location was affected, an Arby’s spokesperson said. Arby’s has yet to release official numbers or dates of the incident, but PSCU, a service organization that serves more than 800 credit unions, issued a non-public alert saying that more than 355,000 payment cards issued by PSCU member banks were compromised due to an incident at “a large fast food restaurant chain, yet to be announced to the public.” PSCU also estimated that the fast-food chain breach occurred between Oct. 25, 2016, and January 19, 2017.


Other trending cybercrime events from the week include:

  • Polish financial regulator used to spread malware: A malicious actor compromised the internal systems of the Polish Financial Supervision Authority and used the financial regulator to spread malware to Polish banks. According to The Register, a modified JavaScript file likely resulted in visitors to the regulator’s site loading an external file that led to malicious payloads. A spokesperson said the regulator decided to take its entire system offline “in order to secure evidence.” Polish media have described the incident as the most serious attack ever on the Polish banking industry.
  • Extortion attacks continue: Taiwan brokerages are receiving DDoS extortion emails claiming to be from the group known as the “Armada Collective,” and several brokerages have reported DDoS attacks following those ransom demands. A malicious actor gained access to millions of messages and documents from the computer system of Doyen Global and leaked numerous emails from soccer star David Beckham after a failed blackmail attempt of “between €500,000 and a million.”
  • More government attacks: An attack against the Italian foreign ministry last spring compromised email communications for many months, but it did not affect the encrypted system used for classified communications. The Russian-linked APT 29 hacking group has been targeting Norwegian organizations with spear phishing emails. The attorney for Little Egg Harbor believes someone within the township is stealing data from the municipal computer systems and handing that confidential information over to a local political blogger. Hackers may have used stolen passwords to gain access to a Bureau of Consular Affairs email account that serves as a contact window to 117 Taiwanese overseas offices around the world. The former NSA contractor who faced charges in 2016 relating to the theft of 50 terabytes of highly sensitive data allegedly stole more than 75 percent of the hacking tools belonging to the NSA’s elite hacking group known as Tailored Access Operations.
  • Stolen and leaked databases: A database from the law enforcement forum PoliceOne was stolen in 2015 and the information of 700,000 members has been publicly distributed. A group of hackers claim to have a database of 20 million records stolen in 2014 from Bin Weevils, a British online children’s game owned by 55 Pixels. An actor using the name “zerodark70” is selling a database of 83,000 accounts from UPI.com, the website of the news agency United Press International. A large portion of the anti-piracy company Denuvo’s web database content is unsecured, and as a result information submitted via the company’s public contact form dating back to April 2014 has been posted online.
  • Other cybercrime announcements: A vulnerability in an October 2016 software update for the Michigan Data Automated System has exposed as many as 1.87 million Michigan workers’ information to a third-party vendor. UK sports retailer Sports Direct experienced a breach due to an attacker exploiting vulnerabilities in the unpatched version of the DNN platform the company was using to run a staff portal. Computer supplier Logic Supply announced there was unauthorized access to the company’s website on February 6, 2017. UK magazine publisher Future announced that its FileSilo website was breached. Singh and Arora Oncology Hematology in Michigan announced a data breach affecting 22,000 individuals.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets for the week ending 2017-02-12]

Cyber Risk Trends From the Past Week

The past week saw the continuation of several stories highlighted in recent risk reports.

For starters, malicious actors are exploiting the recently announced severe content injection vulnerability found in the WordPress REST API, which was fixed in the WordPress 4.7.2 update. At least twenty-four different campaigns are actively defacing WordPress sites. WordFence, which said that this is “one of the worst WordPress related vulnerabilities to emerge in some time,” reported that nearly 1.9 million defaced web pages have been indexed by Google as of February 10.

WordPress has an automatic update feature to protect against newly announced exploits being used by malicious actors, but a large number of websites appear to have disabled that feature and have not updated to version 4.7.2, which has been available since January 26.
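The two conditions described above, a core version older than 4.7.2 and the automatic update feature switched off, can both be read straight from a WordPress install. The following audit script is an added example written for this post; it is not WordPress code or SurfWatch Labs tooling. It relies on the real locations WordPress uses (the `$wp_version` variable in `wp-includes/version.php`, and the `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE` constants in `wp-config.php`), and the sample install it checks is constructed in a temporary directory so it runs offline.

```python
"""Audit a WordPress tree for two risks: core older than 4.7.2 (the release
that fixed the REST API content injection flaw) and automatic updates
turned off. Added example, not WordPress or SurfWatch Labs code; the
sample install is constructed in a temp directory."""
import os
import re
import tempfile

FIXED_VERSION = (4, 7, 2)  # release that patched the REST API flaw (from the post)

# Real WordPress settings: $wp_version in wp-includes/version.php, and the
# AUTOMATIC_UPDATER_DISABLED / WP_AUTO_UPDATE_CORE constants in wp-config.php.
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9.]+)['\"]")
DEFINE_RE = re.compile(
    r"define\(\s*['\"](AUTOMATIC_UPDATER_DISABLED|WP_AUTO_UPDATE_CORE)['\"]\s*,\s*"
    r"(true|false|['\"]minor['\"])\s*\)", re.I)


def parse_core_version(version_php):
    """Return the core version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(version_php)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_update_settings(wp_config):
    """Return {constant: value} for the auto-update constants defined in wp-config.php."""
    settings = {}
    for name, value in DEFINE_RE.findall(wp_config):
        settings[name.upper()] = value.strip("'\"").lower()
    return settings


def audit(root):
    """Return the list of findings for the WordPress tree rooted at `root`."""
    with open(os.path.join(root, "wp-includes", "version.php")) as f:
        version = parse_core_version(f.read())
    with open(os.path.join(root, "wp-config.php")) as f:
        settings = parse_update_settings(f.read())
    findings = []
    # Tuple comparison handles two- and three-part versions ("4.7" < "4.7.2").
    if version is None or version < FIXED_VERSION:
        findings.append("core_below_4.7.2")
    if settings.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        findings.append("automatic_updater_disabled")  # every automatic update is off
    if settings.get("WP_AUTO_UPDATE_CORE") == "false":
        findings.append("core_auto_update_off")  # core (security) auto-updates off
    return findings


def make_sample_install(version, config_line):
    """Constructed sample: write the minimal tree audit() reads, and return its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '%s';\n" % version)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php\n%s\n" % config_line)
    return root


if __name__ == "__main__":
    stale = make_sample_install("4.7.1", "define('AUTOMATIC_UPDATER_DISABLED', true);")
    print(audit(stale))  # ['core_below_4.7.2', 'automatic_updater_disabled']
```

Point `audit()` at a real document root to run it against an existing site; a site that is current and leaves the update constants at their defaults returns an empty list.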

As SurfWatch Labs continues to stress in blogs and articles, cyber threat intelligence clearly shows that the security threats are not as complex as some media and vendors make them out to be. Another example of simple but effective attacks is the growing number of organizations publicly tied to W-2 related breaches. Two weeks ago we wrote that the 2017 W-2 breach count had risen to 24 organizations. By last Friday that number had risen to 40. By Monday morning, it rose again to 48 – including school districts, colleges, healthcare organizations, manufacturers, payroll providers, restaurants, retailers and more.

IRS Commissioner John Koskinen warned that “this is one of the most dangerous email phishing scams we’ve seen in a long time.” These impersonation emails, also known as business email compromise scams, have proven to be effective, and they are costly for the organizations that fall victim to them. But they are not complex. They rely on three simple and straightforward aspects all good impersonators utilize:

  1. A simple backstory – The malicious actors utilize the built-in story of tax season.
  2. Appearing as though they belong – The emails matter-of-factly request information that is relevant to the payroll and human resource departments being targeted.
  3. Projecting authority – The requests appear to come from a higher-up such as a school superintendent or executive.

Many attacks that lead to data breaches are not sophisticated efforts carried out by actors using zero-day exploits; rather, they are opportunistic attacks leveraging public vulnerabilities and simple social engineering tactics. When it comes to managing cyber risk, ensure your organization can defend against these basic attacks before addressing more advanced – and often far less relevant – cyber threats.
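The three aspects listed above translate directly into mail-gateway signals a payroll or HR team can score before anyone replies. The heuristic below is an added illustration, not SurfWatch Labs code; the executive roster, internal domain and sample messages are constructed.

```python
"""Score inbound mail for the three W-2 impersonation signals described
above: a tax-season backstory, a routine-looking payroll data request,
and a claim of authority from an executive whose mail does not come
from the organisation's own domain (added illustration, constructed data)."""
import re
from email.utils import parseaddr

# Constructed roster: display names the executives use, and the only
# domain their mail legitimately originates from.
EXECUTIVES = {"jane doe": "superintendent", "mark ellis": "cfo"}
INTERNAL_DOMAIN = "example-district.org"

TAX_TERMS = re.compile(r"\b(w-?2s?|tax (season|forms?|filing)|1099)\b", re.I)
PAYROLL_TERMS = re.compile(
    r"\b(payroll|all employees|ssn|social security|earnings|wages?)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(asap|immediately|today|urgent|quick)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if addr else ""


def score_message(msg: dict) -> dict:
    """msg keys: from, reply_to (may be empty), subject, body.

    Returns the signals that fired, a score, and a flag that is set when
    three or more signals fire (the three aspects plus two supporting ones).
    """
    signals = []
    name, addr = parseaddr(msg["from"])
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    sender_domain, reply_domain = _domain(addr), _domain(reply_addr)
    text = f"{msg['subject']}\n{msg['body']}"

    # 1. Backstory: the request leans on tax season.
    if TAX_TERMS.search(text):
        signals.append("tax_season_backstory")
    # 2. Belonging: it asks for exactly what payroll/HR handle every day.
    if PAYROLL_TERMS.search(text):
        signals.append("payroll_data_request")
    # 3. Authority: executive display name, but not from our domain, or
    #    with replies steered to a different mailbox.
    if name.strip().lower() in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        signals.append("executive_name_external_domain")
    if reply_domain and reply_domain != sender_domain:
        signals.append("reply_to_mismatch")
    if URGENCY_TERMS.search(text):
        signals.append("urgency")
    return {"signals": signals, "score": len(signals),
            "flag": len(signals) >= 3}


# Constructed samples: one impersonation attempt and one ordinary message.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@gmail.com>", "reply_to": "",
     "subject": "W-2 copies",
     "body": "Can you send me the W-2s for all employees as PDF asap? Thanks"},
    {"from": "Jane Doe <jane.doe@example-district.org>", "reply_to": "",
     "subject": "Board meeting agenda",
     "body": "Please see the attached agenda for Thursday."},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["subject"], "->", score_message(s))
```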

Weekly Cyber Risk Roundup: DDoS Attacks Disrupt Services and SEC Probes Yahoo

A series of distributed denial-of-service (DDoS) attacks against financial institutions led to customers of Lloyds Banking Group experiencing intermittent outages over a 48-hour period and was the top trending cybercrime event over the past week.

[Chart: top trending targets, week of 2017-01-27]

The Guardian reported that the attacks hit Lloyds, Halifax and Bank of Scotland from January 11 to January 13. IBTimes reported that other unnamed lenders were targeted, but experienced no down time. Motherboard spoke to a hacker who claimed to be behind the attack and allegedly tried to ransom Lloyds over the incident. However, Lloyds issued a statement saying it was able to provide normal service for “the vast majority” of customers and that “only a small number” experienced any issues during the attack.

In other DDoS news, the ticketing systems for the Sundance Film Festival were taken offline due to a cyber-attack on January 21. “We have been subject to a cyberattack that has shut down our box office,” the festival tweeted. “Our artist’s voices will be heard and the show will go on.” According to The Hollywood Reporter, “although the festival was able to get its ticketing systems back online within an hour of the Saturday breach, multiple other denial-of-service (DDoS) attacks on Sundance’s IT infrastructure followed.”

Finally, the Korea Internet & Security Agency recently issued a report echoing concerns shared by other security professionals, including SurfWatch Labs’ Adam Meyer: expect DDoS attacks leveraging Internet-of-Things devices to rise in 2017. South Korea has recently faced political turmoil, and in December the country’s Constitutional Court began its first hearings on the impeachment of President Park Geun-hye. The agency report predicted that DDoS attacks may occur against key government agencies and social infrastructure-related facilities with the goal of stirring the political and social instability brought on by the impeachment proceedings and potential upcoming election. According to SurfWatch Labs’ data, government was the third highest trending sector related to DDoS attacks in 2016, behind only information technology and consumer goods.

[Chart: trending target groups, week of 2017-01-27]

Other trending cybercrime events from the week include:

  • Another year of W-2 breaches begins: Approximately 1,400 Campbell County Health employees had their W-2 information stolen when an employee fell for a phishing email impersonating a hospital executive. Eight Missouri school districts were targeted with identical phishing messages impersonating the superintendent and requesting employee W-2 information, and an employee at the Odessa School District fell for the scam and forwarded the information. The Argyle Independent School District in Texas and the Tipton County School District also reported breaches due to similar phishing emails.
  • Media outlets hit with political attacks: The Twitter accounts of BBC Northampton and The New York Times video were both hijacked and used to spread fake messages saying that President Donald Trump was injured in the arm by gunfire at his inauguration and that Russia was planning to attack the U.S. with missiles. Crescent Hill Radio WCHQ said its FM feed was hacked and a song titled “Fuck Donald Trump” was played on repeat for 15 minutes before the station could shut down the broadcast.
  • Exposed databases reveal sensitive data: Security researchers have found nearly 400,000 audio recordings belonging to VICI Marketing exposed to the Internet, and as many as 17,649 of those recordings include customer payment card numbers and private customer information. The other 375,368 audio recordings are “cold calls,” some of which contain personal information. A misconfigured database used by The Candid Board, a subscription website dedicated to images and video of women who appear unaware they are being recorded, led to the leak of more than 178,000 members’ information. The source also said that he or she is in possession of “a large chunk of data from multiple boards operated by this group,” which IBTimes explained was in reference to another leaked database holding tens of thousands of records from a website called NonNudeGirls.
  • Arrests and charges: A former employee of a First Niagara call center admitted to using his position to steal callers’ personal information and then using that information to transfer $15,492.59 from customer accounts to his own. An IT worker employed by the New York Police Department accessed personnel files of police officers and then attempted to sell that information to an undercover informant. A 32-year-old Russian programmer suspected of developing the NeverQuest banking Trojan was arrested in Barcelona, according to Spanish authorities.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets, week of 2017-01-27]

Cyber Risk Trends From the Past Week

[Chart: risk scores, week of 2017-01-27]

The fallout over two massive data breaches at Yahoo continued this past week as it was reported that the Securities and Exchange Commission (SEC) opened an investigation into the timeline of Yahoo’s data breach disclosure and that the sale of Yahoo’s main web operations to Verizon has been delayed until the next quarter.

Sources told The Wall Street Journal that the SEC issued a request for documents from Yahoo in December and is looking into whether Yahoo’s breach disclosures may have violated civil securities laws. The investigation will likely focus on Yahoo’s 2014 data breach affecting 500 million users, which was announced in September 2016. Yahoo is said to have linked the 2014 breach to state-sponsored actors two years before the public disclosure. In December 2016 Yahoo disclosed a separate breach affecting more than one billion users.

The SEC has never brought a case against a company for failing to disclose a data breach, the Wall Street Journal reported, but experts said the SEC has been looking for a case to clarify guidance issued in 2011. That guidance requires the disclosure of material information about cybersecurity risks and incidents if it could affect investors, but what is “material” is still a question – a question that this case may potentially help answer.

Those two data breaches have led to speculation over the past few months about how they may impact Verizon Communications’ acquisition of Yahoo, which was valued at $4.83 billion last July. Yahoo said it is “working expeditiously” to finish the deal; nevertheless, the sale has been pushed back until next quarter.

“Yahoo has been an interesting process,” Verizon Chief Financial Officer Matt Ellis said in an interview last Tuesday with Bloomberg. “There’s been good progress, but we are still awaiting the final reports and therefore we haven’t reached any conclusions yet.”

Weekly Cyber Risk Roundup: Unique Cyber-Attacks and Insider Theft

Yahoo remained the top trending cybercrime target due to a data breach affecting more than a billion accounts. The breach is so large that regulators such as the FTC and SEC are facing uncharted territory when it comes to potential fines or other consequences related to the incident, Vice News reported.

[Chart: top trending targets, week of 2016-12-23]

Looking beyond the ongoing Yahoo story, there were several unique cybercrime-related events worth noting from the past week.

For starters, a data breach at Kia and Hyundai aided in the physical theft of dozens of cars, Israeli police said. Criminals were able to use the stolen data to make car keys for luxury cars and steal those cars directly from the owners’ homes. The three men who were arrested allegedly looked for the registration numbers on Kia and Hyundai models and then used those numbers along with stolen anti-theft protection numbers and other codes to make keys for each specific car. Once the keys were made, they would visit the owners’ homes — the addresses were also in the stolen data — to steal the vehicles and then sell them on the Palestinian car market.

Another interesting story is the recent sudden shutdown of a power distribution station near Kiev, which left the northern part of the city without electricity. Vsevolod Kovalchuk, the acting chief director of Ukrenergo, told Reuters that the outage was likely due to an external cyber-attack. The outage amounted to 200 megawatts of capacity, which is about a fifth of Kiev’s nighttime energy consumption.

If definitively tied to a cyber actor, the incident would be the second time in a year that a Ukrainian power outage was attributed to a cyber-attack. The December 2015 outage at Prykarpattyaoblenergo has been frequently cited as the first power outage directly tied to a cyber-attack.

[Chart: trending target groups, week of 2016-12-23]

Other trending cybercrime events from the week include:

  • Education Information Compromised: Online learning platform Lynda.com is notifying its 9.5 million users of a data breach after a database was accessed that contained users’ contact information, learning data and courses viewed. The Columbia County School District in Georgia confirmed it was the victim of a data breach after an external actor accessed a server containing confidential employee information such as names, Social Security numbers and dates of birth. A malware infection at Summit Reinsurance Services may have compromised the information of 1,000 current and former employees at Black Hawk College, as well as those employees’ dependents. The University of Nebraska-Lincoln notified approximately 30,000 students that their names and ID numbers may have been compromised when a server hosting a math placement exam was breached.
  • More Healthcare Data Breaches: Community Health Plan of Washington is notifying 381,534 people that their information may have been compromised due to a vulnerability in the computer network of NTT Data, which provides the nonprofit with technical services. East Valley Community Health Center in California is notifying patients of a Troldesh/Shade ransomware infection on a server containing patient information. The server contained 65,000 insurance claims from the past six years, which included names, dates of birth, home addresses, medical record numbers, health diagnosis codes and insurance account numbers. A number of employees allegedly attempted to access the medical records of Kanye West during his recent week-long stay at the UCLA Medical Center.
  • OurMine Continues to Hijack Popular Accounts: The hacking group known as “OurMine” managed to hijack the Twitter accounts of both Netflix and Marvel on Wednesday. The group posted its usual message about how they were just testing security, along with their contact information.
  • DDoS Attacks Used to Protest New Law in Thailand: Thai government websites were hit with DDoS attacks in protest of a new law that restricts internet freedom. The websites of the Defense Ministry, Ministry of Digital Economy and Society, the Prime Minister’s Office, and the Office of the National Security Council were all targeted. In addition, a hacker going by the name “blackplans” posted screenshots of documents allegedly stolen from government websites.
  • Other breach announcements: A May 2016 phishing incident led to 108 employees of L.A. County handing over their email credentials, resulting in a data breach affecting 756,000 individuals. A hacker going by “1x0123” claims to have hacked PayAsUGym and is attempting to sell a database of information on 305,000 customers. A database backup from the forum of digital currency Ethereum was stolen after a malicious actor socially engineered access to a mobile phone number and gained access to accounts. About 350 Ameriprise clients had their investment portfolios exposed due to an advisor synchronizing data between his home and work drives, neither of which required a password. The Bleacher Report announced a data breach affecting an unknown number of users who signed up for accounts on its website. The U.S. Election Assistance Commission (EAC) acknowledged a potential intrusion after a malicious actor was spotted selling information related to an unpatched SQL injection vulnerability.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets, week of 2016-12-23]

Cyber Risk Trends From the Past Week

[Chart: risk scores, week of 2016-12-23]

Several stories from the past week once again highlighted the problem of malicious insiders stealing intellectual property and taking that stolen data directly to company rivals in order to give those rivals a leg up on the competition.

The first case involves India’s Quatrro Global Services, which recently filed a complaint with local police accusing two former employees of stealing a customer database and using that database to open a rival remote support company, MS Care Limited.

The employees left Quatrro Global Services in late 2014 and early 2015 and opened the rival company in January 2016. The complaint alleges the database was “used to derive unlawful commercial benefit by accessing our customers, leading to our commercial loss while gaining unauthorised access to our customer’s personal information, which could be used for unlawful purposes.”

A separate case involves David Kent, 41, who recently pleaded guilty to stealing more than 500,000 user resumes from Rigzone.com, a company that he sold in 2010, and then using the stolen data to boost the membership of his new oil and gas networking website, Oilpro. According to the complaint, Rigzone’s database was hacked twice, and its members were subsequently solicited to join Oilpro. After building up the membership base in this manner, Kent then tried to sell the Oilpro website by stating that it had grown to 500,000 members through traditional marketing methods.

As SurfWatch Labs noted in October, insider threats are one of the most difficult challenges facing organizations. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year and that more than half of respondents believe that insider threats have become more frequent over the past year.

SurfWatch Labs data confirms those security professionals’ worry, having collected data on more than 240 industry targets publicly associated with the “insider activity” tag over the past year.

Weekly Cyber Risk Roundup: Largest Breach Ever and Law Firm Lawsuits

On Wednesday, Yahoo announced a data breach that affects more than one billion user accounts. The intrusion, which Yahoo believes occurred in August 2013, comes just months after the company announced a separate breach involving “at least 500 million user accounts.” The new breach was discovered after law enforcement received Yahoo data from a third party. The compromised information includes names, email addresses, telephone numbers, dates of birth, MD5-hashed passwords, and some encrypted or unencrypted security questions and answers.

[Chart: top trending targets, week of 2016-12-16]

As The New York Times noted, the breach gives Yahoo the distinction of having the largest ever data breach – on two separate occasions.

It also appears that the intruders were able to use stolen source code to forge cookies, which allowed the malicious actors to gain access to some users’ accounts without needing a password.

Yahoo said those forged cookies have been invalidated, along with any unencrypted security questions and answers. Yahoo did not make clear how many unencrypted security questions and answers were stolen, but users who used those same questions and answers on other sites may face increased risk around those accounts being compromised in the future.
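The forged-cookie detail above comes down to one property of signed session cookies: whoever holds the signing key can mint a cookie the server will accept with no password, so a key that lives in source code is a key the thief of that source code also has, and the only remedy is to retire the key version. The example below is an added illustration, not Yahoo's code (its internals are not public); the key ring, key ids and user names are constructed placeholders.

```python
"""Signed session cookies with a versioned server-side key, showing why a
leaked key lets cookies be minted for any user and how retiring that key
version invalidates every cookie issued under it (added illustration)."""
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed key ring. In production these values come from a secret
# store and never from source control, which is exactly the point: a key
# checked into the source is a key that travels with a stolen copy of it.
KEY_RING = {"k1": b"constructed-key-v1", "k2": b"constructed-key-v2"}
ACTIVE_KID = "k2"
RETIRED_KIDS = set()      # key ids whose cookies are no longer honoured


def _sig(kid: str, payload: bytes) -> str:
    mac = hmac.new(KEY_RING[kid], payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def mint_cookie(user: str, kid: Optional[str] = None, ttl: int = 3600) -> str:
    """Cookie layout: kid.user.expiry.signature; the MAC covers all three
    fields so the key id and expiry cannot be swapped either."""
    if "." in user:
        raise ValueError("user name must not contain '.'")
    kid = kid or ACTIVE_KID
    expiry = int(time.time()) + ttl
    payload = f"{kid}.{user}.{expiry}".encode()
    return f"{payload.decode()}.{_sig(kid, payload)}"


def verify_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name for a valid cookie, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        kid, user, expiry, sig = cookie.split(".")
    except ValueError:
        return None                                  # malformed
    if kid not in KEY_RING or kid in RETIRED_KIDS:
        return None                                  # unknown or retired key
    payload = f"{kid}.{user}.{expiry}".encode()
    if not hmac.compare_digest(sig, _sig(kid, payload)):
        return None                                  # signature mismatch
    if not expiry.isdigit() or int(expiry) <= now:
        return None                                  # expired
    return user


def retire_key(kid: str) -> None:
    """Invalidate every cookie signed under kid; no client changes needed."""
    RETIRED_KIDS.add(kid)


if __name__ == "__main__":
    old = mint_cookie("alice", kid="k1")     # issued under the older key
    print("before retirement:", verify_cookie(old))   # alice
    retire_key("k1")                         # the response to a key leak
    print("after retirement: ", verify_cookie(old))   # None
    print("fresh cookie:     ", verify_cookie(mint_cookie("alice")))  # alice
```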

The newly announced breach has also led to more speculation about the potential impact on Yahoo’s pending $4.8 billion deal to be acquired by Verizon. Sources told Reuters that Verizon is looking for “major concessions” from Yahoo, and Verizon reiterated that it would “review the impact of this new development before reaching any final conclusions” about proceeding with the deal.

The incident may also have an effect on the size of Yahoo’s user base. Reuters reported that several cybersecurity experts and bodies such as Germany’s Federal Office for Information Security are now advising Yahoo users to consider abandoning the service for email providers that may be more secure.

[Chart: trending target groups, week of 2016-12-16]

Other trending cybercrime events from the week include:

  • Russian hacking put front-and-center: U.S. intelligence officials have “a high level of confidence” that Russian President Vladimir Putin was personally involved in the effort to interfere with the presidential election. Officials told ABC News that Russian hackers targeted as many as two email systems associated with the Republican National Committee, but the incidents didn’t raise the same level of concern as similar attacks against the DNC because the systems had long been unused. Germany’s domestic intelligence agency reported that Russia is trying to destabilize German society via targeted cyber-attacks against political parties and disinformation campaigns. The head of the Swedish Military Intelligence and Security Service said that Russian hacking is a “serious threat” that may “influence democratic decision-making.”
  • Insiders cause more cyber headaches: The February 2016 theft at Bangladesh Bank was aided by five low to mid-level employees who were negligent and careless but not directly involved in the crime, according to a Bangladesh government-appointed panel. Hong Kong officials have arrested 29 current and former employees across five financial institutions for alleged bribery and sharing of confidential customer information. A two-year investigation found that lax privacy procedures at the Ohio Department of Rehabilitation and Correction contributed to a $422,000 scheme that used prisoners’ identities to apply for federal student loans. An employee of Banner Boswell Hospital in Arizona has been arrested for allegedly stealing patients’ credit card information and using that information to buy items online.
  • More DDoS attacks amid arrests: A series of DDoS attacks aimed at disrupting updates about the pro-Russian separatist conflict brought down the websites for Ukraine’s Finance Ministry and State Treasury. Nearly three dozen users of “booter” services were arrested in a global effort dubbed “Operation Tarpit,” a law enforcement campaign aimed at weakening demand for cybercrime-for-hire services and raising awareness of the risks of engaging in cybercrime.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen targets, week of 2016-12-16]

Cyber Risk Trends From the Past Week

[Chart: risk scores, week of 2016-12-16]

The past week saw several legal developments involving both past breaches and possible future lawsuits.

Ruby Corp, the operator of AshleyMadison, has agreed to pay $1.6 million to settle state and Federal Trade Commission charges related to its massive July 2015 data breach. The total fine was $17.5 million, but the remaining portion was suspended based on Ruby Corp.’s inability to pay.

“I recognize that it was a far lower number frankly than I would have liked,” FTC Chairwoman Edith Ramirez said on a conference call with reporters. “We want them to feel the pain. We don’t want them to profit from unlawful conduct. At the same time, we are not going to seek to put a company out of business.”

The settlement also requires the implementation of a comprehensive data-security program, including third-party assessments.

Another interesting story of note is a lawsuit that was recently filed against the Chicago-based law firm Johnson & Bell that alleges the firm failed to protect confidential customer information. According to the lawyer that filed the case, it is the first class action lawsuit against a law firm over inadequate data security measures. The same lawyer previously said he had identified a total of 15 firms lacking basic security measures that may be targeted by lawsuits, although the others have not yet been publicly named.

The Johnson & Bell lawsuit was filed back in April 2016; however, it only recently became public and moved to arbitration. Although the complaint does not claim that any data was actually stolen, it alleges that the firm put clients at risk by using an out-of-date time-entry system, a VPN that was prone to man-in-the-middle attacks, and an email system that was vulnerable to the DROWN attack.

As SurfWatch Labs noted in our whitepaper, Flipping the Script: Law Firms Hunted by Cybercriminals, law firms are attractive targets for malicious actors as they often have weaker security than the clients they represent. Breaches may also be especially damaging for law offices as confidentiality is at the core of the legal process and law firms often have access to valuable data.