The Week in Breach: 06/25/18 – 6/29/18

Hacks this week showed no mercy or regard to international boundaries. From North America to Australia, businesses of all sizes, across all industries were targeted. Malware injection and insecure databases were some of the most damaging compromises highlighted this week. At least 230 million individuals and 110 million businesses exposed on the dark web… YIKES.

Highlights from The Week in Breach:

  • Ransomware be gone!
  • Comcast’s leaky API
  • Another Intel CPU vulnerability?
  • Massive breach exposes how many kids you have and where you live.

In other news…
A popular Australian medical appointment booking app called HealthEngine is receiving negative attention from privacy advocates and cyber security professionals alike this week. It has come to light that they have been sharing patients’ personal information with a third-party law firm. The information sharing occurred daily as part of a referral partnership.
https://cyware.com/news/popular-medical-appointment-booking-app-healthengine-reportedly-patient-data-with-law-firm-3aba7747

Researchers at Cisco Talos have developed a tool that decrypts files affected by the ransomware Thanatos. This news is only made better by the fact that they are releasing it at no cost. The less ransomware out there, the better.
https://www.zdnet.com/article/thanatos-ransomware-free-decryption-tool-released-for-destructive-file-locking-malware/

Comcast’s website has been leaking account information, including whether a home security setup is in place. Anyone on the customer’s network could trick one of the company’s APIs into returning customer information. Comcast was quick to shut down the API after the vulnerability was revealed to them.
https://www.zdnet.com/article/comcast-fixes-another-xfinity-website-data-leak/

At Black Hat USA this year, it was revealed that Intel CPUs have a side-channel vulnerability that could be used to leak encryption keys for signing a message. Researchers at the Systems and Network Security Group at Vrije Universitet Amsterdam constructed an attack that can reliably extract an encryption key using Intel’s Hyper-Threading technology. To exploit the flaw, a hacker would need to already have malware on the system or use compromised credentials to log in.
https://www.zdnet.com/article/tlbleed-is-latest-intel-cpu-flaw-to-surface-but-dont-expect-it-to-be-fixed/

Podcasts:

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!

Exactis
Exploit: Elasticsearch insecure database exploit.
Risk to Small Business: High: Demonstrable gross negligence while aggregating and normalizing PII. This increasingly common exploit (insecure/ publicly accessible database). This compromise will cross state and international boundaries.
Risk to Exploited Individuals: High: The data breached could be used to execute extremely effective spear phishing campaigns.
Exactis: A marketing and data aggregation firm based in Florida.
Date Occurred/Discovered: June, 2018
Date Disclosed: June 27, 2018
Data Compromised: 

  • Names
  • Address
  • Email address
  • Telephone number
  • Interests
  • Habbits
  • Number of children, their ages and gender
  • Whether the individual smokes
  • Religion
  • Pets

Etc… over 400 variables per person
How it was compromised: Negligence
Customers Impacted: 230 million Americans and 110 million businesses

https://www.wired.com/story/exactis-database-leak-340-million-records/
https://info.idagent.com/blog/big-data-big-breach

People Dedicated to Quality (PDQ)
Exploit: Hackers gained entry by exploiting an outside technology vendor’s remote connection tool. Demonstrates supply chain-based vulnerabilities.
Risk to Small Business: High: Remote session / access tools are frequently targeted. Outsourcing and the cost-effectiveness of remote support makes this a very effective attack vector for hackers. This should be top of mind especially if an organization holds PII or any customer data of value.
Individual Risk: Low: Victims of this breach are highly vulnerable to financial fraud and identity theft.
PDQ: People Dedicated to Quality, or PDQ for short, is a chicken focused food stop founded in Florida.
Date Occurred/Discovered: May 19, 2017 – April 20, 2018
Date Disclosed: June 22, 2018
Data Compromised: 

  • Credit card information
  • Expiration dates
  • CVV
  • Names

How it was compromised: PDQ believes that a hacker gained access to their customer’s credit card information using an outside technology vendor’s remote connection tool.
Customers Impacted: Unknown, but all 70 PDQ locations were compromised.
https://www.eatpdq.com/promos/news/2018/06/22/guestinfo

FastBooking
Exploit: Web Application Exploit, Remote Access, Malware injection.
Risk to Small Business: High: There seems to be several layers to this exploit. Remote access was achieved to download the data scraping malware. This breach is far-reaching globally impacting businesses and individuals globally. The forensics, mandatory credit monitoring, brand damage will be costly and will linger to years.
Risk to Exploited Individuals: High: Personal data and credit card information was compromised during the breach, leaving individuals vulnerable to identity theft.
FastBooking: Based in France, the company sells hotel booking software globally.
Date Occurred/Discovered: Occurred on June 14, 2018, discovered on June 19, 2018.
Date Disclosed: June 26, 2018
Data Compromised: 

  • Full name
  • Nationality
  • Home address
  • Email address
  • Booking information

In some cases:

  • Credit card details
  • Name on card
  • Card number
  • Expiration date

How it was compromised: Malware installed on their server which granted remote access.
Customers Impacted: 4,000 hotels in 100 countries.
Prince Hotels is the first to inform customers, with 123,963 of their customers affected. Of these, 58,003 are instances of personal information compromised. 66,960 involved credit card information.

https://www.bleepingcomputer.com/news/security/hundreds-of-hotels-affected-by-data-breach-at-hotel-booking-software-provider/

https://www.japantimes.co.jp/news/2018/06/26/business/corporate-business/prince-hotels-hack-results-loss-124000-customers-credit-card-numbers-data/#.WzOvIdVKjIW

Best Sleep Centre
Exploit: Ransomware
Risk to Small Business: High: Significant impact to business operations if data not properly encrypted and backed up.
Risk to Exploited Individuals: Moderate: Data was encrypted by the ransomware. At this point, there is no public evidence that it was also exfiltrated.
Best Sleep Centre: Winnipeg based mattress store
Date Occurred/Discovered: June 2018
Date Disclosed: June 26, 2018
Data Compromised: The company’s server was encrypted.
How it was compromised: Ransomware. The owner decided to pay the ransom, but negotiated it down to $2,000 CAD.
Customers Impacted: Unknown at this time, but the business is impacted.

https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/

Ticketmaster
Exploit: JavaScript chatbot with data scraper injected in to supply chain systems.
Risk to Small Business: High: Highlights how supply chain vulnerabilities can lead to massive data loss and exposure. Companies dealing with customer data / PII should have elevated security controls in place to prevent supply chain vulnerabilities.
Risk to Exploited Individuals: High: This breach leaves Ticketmaster customers vulnerable to identity theft.
Ticketmaster: A ticket purchasing website that is used globally for many types entertainment.
Date Occurred/Discovered: Discovered on June 23, 2018. Could have occurred as early as September 2017.
Date Disclosed: June 27, 2018
Data Compromised: 

  • Names
  • Address
  • Email address
  • Telephone number
  • Payment details
  • Ticketmaster login details

How it was compromised: Malware hosted on a customer support product hosted by a third-party supplier which sent data to a remote location.
Customers Impacted: Ticketmaster has been telling the media that about 400,000 customers have been affected, but in their alert to customers they claim that ‘less than 5% of their customer base have been affected. 5 percent of their customer base comes out to 11.5 million, so we will have to see if their investigation into the breach will reveal more affected customers.

https://www.govinfosecurity.com/ticketmaster-breach-traces-to-embedded-chatbot-software-a-11144
https://security.ticketmaster.co.uk/

Facebook (yes again)
Exploit: Unsecured JavaScript file/ supply chain
Risk to Small Business: High: A supply chain vendor that leaks data will tarnish the reputation of business.
Risk to Exploited Individuals: Moderate: The data the quiz app is leaking could be used in spear phishing attacks.
Facebook: A social media site that has over 2 billion monthly active users.
Date Occurred/Discovered: End of 2016-present
Date Disclosed: June 28, 2018
Data Compromised: 

  • Facebook ID
  • First name
  • Last name
  • Language
  • Gender
  • Date of birth
  • Profile picture
  • Cover photo
  • Currency
  • Devices used
  • When your information was last updated
  • Posts
  • Statuses
  • Photos
  • Friends on Facebook

How it was compromised: Any third party can view.
https://techcrunch.com/2018/06/28/facepalm-2/

Advertisements

Ransomware Virus Alert

Another report just out from United States Computer Emergency Readiness Team (US- CERT) regarding crypto ransomware malware that affects all Windows PC’s.

 

NCCIC / US-CERT

National Cyber Awareness System:

10/22/2014 05:28 PM EDT
Original release date: October 22, 2014

Systems Affected

Microsoft Windows

Overview

Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:

  • Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; and
  • Provide prevention and mitigation information.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.

Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For information on safely handling email attachments, seeRecognizing and Avoiding Email Scams.
  • Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC .

References

Revision History

  • Initial Publication, October 22, 2014