Hello 2019, Hello Breaches

This week, it was all fun and games until the Town of Salem game maker got breached, an Irish tram service dealt with ransom, and German politicians were besieged by cyber criminals.

Dark Web ID Trends:
Top Source Hits: ID Theft Forums (98%)
Top Compromise Type: Domains
Top Industry: Manufacturing 
Top Employee Count: 11-50 employees (36%)


United States – BlackMediaGames (Town of Salem)

https://www.scmagazine.com/home/security-news/town-of-salem-breach-affects-7-million-accounts/
Exploit: LFI/RFI attack that injected malicious code into database.
BlankMediaGames: Game maker of ‘Town of Salem’.

correct severe gauge Risk to Small Business: 2 = Severe: With a number as high as 7.6M users exposed, this cyberattack has the potential to be game-changing. News broke that DeHashed, a commercial breach indexing service, discovered the successful attack before Christmas and tried alerting the company, but no actions were made to secure the hacked servers and notify users until later on. Cybersecurity experts are claiming that the company’s hashing technique (PHPBB) for securing passwords was relatively weak, meaning that it is only a matter of time until hackers were able to crack them.
correct moderate gauge Individual Risk: 2.428 = Severe: Stolen user data included usernames, email addresses, hashed passwords, IP addresses, and game/forum activities. Payment information or credit card details were not exposed, but compromised information can still be leveraged to gain access to payment details on other similar accounts.

Customers Impacted: 7.6M users of ‘Town of Salem’.
How it Could Affect Your Business: Although BlankMediaGames clarified that it does not handle payment information, users may not fully grasp what this means. When they hear breach, they feel exposed. To further compound the issue, the company admitted that its hashing platform for passwords was not as secure as it could be. Overall, video game services are becoming “low hanging fruits” for cybercriminals due to the emphasis of user experience over security and increasingly growing value of digital “in-game” goods or purchases.
ID Agent to the Rescue: SpotLight ID™ is backed by our $1M identity theft restoration policy, and can help MSPs’ clients proactively protect customers while enhancing overall cyber security awareness. Learn more at:https://www.idagent.com/identity-monitoring-programs.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.

France and Spain – Orange

https://www.zdnet.com/article/over-19000-orange-modems-are-leaking-wifi-credentials/

Exploit: Device vulnerability in modems that reveals Wi-Fi credentials.
Orange: Telecommunications operator that offers a router product.

correct severe gauge Risk to Small Business: 2.333= Severe: Although such an attack can be contained by finding all the hardware products with vulnerabilities, the breach can negatively impact customers and result in the erosion of brand loyalty.
correct moderate gauge Individual Risk: 2.571= Moderate: Such a compromise can be dangerous because it enables hackers to execute on-location proximity attacks, which means they can travel to a company headquarters or home to access a network and then hack into connected devices nearby. Also, Wi-FI passwords might be reused elsewhere, such as the backend administration panel, allowing hackers to control the system infrastructure and create online botnets.

Customers Impacted: 19,500 customers using Orange Livebox modems.
How it Could Affect Your Business: Security vulnerabilities in hardware can be financially catastrophic, as they usually result in expensive patches, product recalls, reinvention, and customer churn.
ID Agent to the Rescue: Dark Web ID™ monitors the Dark Web and can help discover this form of breach before it hits the news cycle. We work with MSP and MSSPs to strengthen their security suite by offering industry-leading detection. Find out more here: https://www.idagent.com/dark-web/.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.

Ireland – Luas

https://www.independent.co.uk/travel/news-and-advice/luas-website-down-dublin-tram-hacked-not-working-data-leak-bitcoin-a8709446.html

Exploit: Website compromise via newsletter hack.
Luas: Light rail system in Dublin.

correct severe gauge Risk to Small Business: 2.111 = Severe: Since the investigation is ongoing, the extent of damage is not determined. However, the hacker responsible for the attack threatened to publish all compromised data if the demanded ransom of 1 bitcoin was not met within 5 days. Currently, no financial information has been exposed, but complete access to a company’s website can result in theft of IP, IT system interference, and entry into sensitive data.
correct moderate gauge Individual Risk: 3 = Moderate: Given that the attack was limited to the 3,226 that signed up for the Luas newsletter and did not include payment details, the threat to individual compromises is relatively low. Nevertheless, it remains to be seen if there will be other repercussions.

Customers Impacted: 3,226 people who signed up for the Luas newsletter.
How it Could Affect Your Business: Situations where ransom is involved can be sticky, since there is no assurance that the hacker will not leak the data even if the ransom is paid. On the other hand, the group or person responsible has threatened to publish all data and send emails to the users, which could cause customers to avoid visiting the website or trusting their payment information with the tram service. Also, the hacker could virtually destroy the website, resulting in the company having to rebuild their entire platform.
ID Agent to the Rescue: Dark Web ID can help you proactively monitor if customer data is being leaked on the Dark Web, helping reduce the impact of such a breach. See how you can benefit here: https://www.idagent.com/dark-web/.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.

Australia – Victorian Government

https://www.abc.net.au/news/2019-01-01/victorian-government-employee-directory-data-breach/10676932

Exploit: Phishing attack on government employee directory.
Victorian Government: State government of Victoria.

correct severe gauge Risk to Small Business: 2.333 = Severe: Even though the stolen directory included work details for 30,000 government employees, the list only contained work emails, job titles, work phone numbers, and in some cases, mobile phone numbers. However, there is the possibility that public servants who were compromised may feel exposed and choose to leave, causing employee turnover.

 

correct moderate gauge Individual Risk: 2.714 = Moderate: Payment and banking information was not compromised, but the compromised information can still be manipulated by hackers to orchestrate future phishing, spam, and social engineering attacks. Those who were affected should remain vigilant in order to protect themselves.

Customers Impacted: 30,000 government employees.
How it Could Affect Your Business: Following last week’s coverage of the Nova Entertainment compromise, it is clear that data breach notifications are piling up in Australia after the introduction of the Notifiable Data Breaches (NDB) scheme. Businesses and consumers alike are beginning to realize the magnitude of breaches that are seemingly benign but can be leveraged to execute complex cybercrime.
ID Agent to the Rescue: Dark Web ID by ID Agent can help proactively monitor stolen employee and customer data, mitigating losses from this breach type. Learn more at: https://www.idagent.com/dark-web/.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.


In Other News:

German Politicians and Celebrities are Under Attack
Hundreds of German parliament members, most notably Chancellor Angela Merkel, and celebrities are having their personal details leaked in what seems to be a politically motivated cyber-attack. Information including financial details, contact information, private conversations, and more was originally leaked in December on a Twitter account, which was only recently discovered and suspended.

Although six of seven main political parties were among those affected, no members from the far-right Alternative party (AfD) seem to be impacted. Officials are saying that the data could have been obtained by hackers using stolen passwords to log into email accounts, social networks, and cloud-based services.
https://www.bankinfosecurity.com/hackers-leak-hundreds-german-politicians-personal-data-a-11915

What We’re Listening To
Know Tech Talks
The Continuum Podcast
Security Now
Defensive Security Podcast 
Small Business, Big Marketing – Australia’s #1 Marketing Show!
TubbTalk – The Podcast for IT Consultants
Risky Business
Frankly MSP
CHANNELe2e


How Work-From-Home Can Open Your Business Up to Breach

As the historical debate surrounding work-from-home (WFH) policies continues to reach news headlines, an additional consideration has surfaced: IT security. Home networks in WFH environments can expose your company to security risks, as devices are connected to the internet and can serve as an entry point for hacks.

With the advent of remote working arrangements and rising adoption of smart devices, employees are accessing enterprise software such as cloud-based apps, video conferencing software, and file sharing regularly, resulting in vulnerabilities that black hats can tap into with little to no difficulty.

Of course, this doesn’t necessarily mean you should discontinue your WFH policy. Instead, consider how you can arm your employees with best practices for securing their devices and networks to avoid breach possibilities.
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2019

Advertisements

What Security Measures are Most Effective at Fighting Ransomware

 

In response to the announcements today from both the US and UK governments about significant persistent cyber threats from state actors, I though it would be important to bring in an expert.

Here is a guest post from Stu Sjouwerman from KnowBe4– out preferred vendor for cyber awareness training. We just had our staff go through some of the training modules- and we were amazed. Amazed may be the wrong word- scared s#*&less may be more accurate. The threats out there are so deadly for businesses and organizations of all sizes and industries.

The Spiceworks staff wrote: “Years after CryptoLocker raised its ugly head — setting off an unfortunate security trend — ransomware continues to be a rather painful thorn in the side of IT professionals and organizations around the world. phishing

In 2017, we saw entire companies and government agencies shut down for days thanks to WannaCry and NotPetya, sometimes costing a single organization hundreds of millions of dollars. And things haven’t gotten that much better recently.

For example, in March 2018, the city of Atlanta fell victim to ransomware that brought city services down (airport Wi-Fi, online bill pay systems, police warrant systems, job application forms, and more) and forced many employees to shut down their systems for five days. Similar attacks have been launched against cities in the U.S. and around the world.

A ransomware security poll

There isn’t one magic bullet that can solve all IT security problems. Instead, companies must employ a layered strategy to reduce the risk of a ransomware infection. But are all security measures created equal?

Ideally, organizations would be able to follow all security best practices; in reality, however, organizations have to prioritize. Here’s our question: If you landed in a brand new environment and had to choose, where would you start or focus your security efforts? That is, which security measures do you think are most important / are most effective when it comes to fighting ransomware?

Pick your favorites in our anonymous poll below (you can choose up to three options) and join the conversation in the comments!”

The poll asked: “What security measures are most effective in fighting ransomware?” and 2209 IT pros answered, including me which are the bolded options:

Spiceworks_Poll_results

 


I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don’t, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/kmsat_quote-request_partner?partnerid=0010c00001wis6gAAA

If you would like to test out some free cyber awareness training tools, please visit our landing page: http://downloads.primetelecommunications.com/CyberAwareness-Free-Tools

If you want to be really proactive, we can run a free Dark Web search for your company domain and tell you how many of your domain emails are on over 600,000 sites on the Dark Web- and tell you the email address, the password and the date it was discovered. http://downloads.primetelecommunications.com/Dark-WeB

 

Prime Telecommunications Partners with ID Agent to Heighten Cybersecurity

 

Prime Telecommunications, a leader in managed technology services, announced today that the company has partnered with ID Agent, to enhance the security of SMBs (small to mid-sized businesses) across the nation. ID Agent and this partnership will enable business owners, to prevent identity theft and thwart cybercriminals from gaining access to sensitive data.

“We’re thrilled to announce this partnership. It’s going to have a huge effect on the business owners we serve,” stated Vic Levinson, President of Prime Telecommunications. “This partnership allows business owners to get a very clear and immediate picture of how their cybersecurity is currently performing. When owners are made aware of the threats and risks that are facing their business, they’re capable of bringing in the right infrastructure to protect themselves from cyber-attacks. This partnership is so important because it gives a very clear picture of the company’s risks.”

The partnership between Prime Telecommunications and ID Agent will combine human and sophisticated Dark Web intelligence with search capabilities to identify, analyze and proactively monitor an organization’s compromised or stolen employee and customer data. Business owners will receive real-time alerts, so they can focus on running their organizations. This partnership will not only allow businesses to monitor the dark side of the web, but it also provides the option to monitor an organization’s supply chain, third party partners and vendors that may have access to sensitive data, as well.

“At the end of the day it’s all about protecting employees who don’t realize the threats they face when executing their day-to-day responsibilities,” added Levinson. “Employees who spend time browsing the Internet, who share their email passwords freely, or use unsecured, cloud-based tools to do their work may not necessarily realize all of the potential vulnerabilities facing their network. We consider it to be our duty to educate the marketplace on these types of solutions to prevent as many cyberattacks from happening as possible.”

 

About ID Agent

ID Agent provides Dark Web monitoring and identity theft protection solutions, available exclusively through the reseller channel, to private and public organizations and millions of individuals at risk of cyber incidents. Its flagship product, Dark Web ID, delivers Dark Web intelligence to identify, analyze and monitor for compromised or stolen employee and customer data, mitigating exposure to enterprise clients’ most valuable asset – their digital identity. The company’s SpotLight ID provides personal identity protection and restoration for employees and customers while enhancing their overall cybersecurity awareness as well as further safeguarding corporate systems.

Ransomware Virus Alert

Another report just out from United States Computer Emergency Readiness Team (US- CERT) regarding crypto ransomware malware that affects all Windows PC’s.

 

NCCIC / US-CERT

National Cyber Awareness System:

10/22/2014 05:28 PM EDT
Original release date: October 22, 2014

Systems Affected

Microsoft Windows

Overview

Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:

  • Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; and
  • Provide prevention and mitigation information.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.

Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For information on safely handling email attachments, seeRecognizing and Avoiding Email Scams.
  • Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC .

References

Revision History

  • Initial Publication, October 22, 2014