Highlights from The Week in Breach: May 30 to June 6, 2018

Highlights from The Week in Breach:

– Finance sector attacks ramping up
– BackSwap JavaScript injections effectively circumventing detection
– Honda has leaky buckets too

This week in breach has all been about money, money, money. The finance sector is getting pelted with attacks recently – even more than usual – and Mexico, Canada, and Poland have been hit the worst.

In other news…

North Korea is still up to their old tricks, targeting South Korean websites with advanced zero-day attacks.
https://www.bleepingcomputer.com/news/security/activex-zero-day-discovered-in-recent-north-korean-hacks/

School is letting out, which means grade-changing breaches are in season! Two students at Bloomfield Hills High School attempted to fudge their report cards and refund lunches for themselves and 20 other students.
https://www.forbes.com/sites/leemathews/2018/05/22/school-hackers-changed-grades-and-tried-to-get-a-free-lunch/#478b6d026e7d

The government of Idaho was hacked 2 times in 3 days, which is not a very good look.
https://idahobusinessreview.com/2018/05/22/state-government-hacked-twice-in-three-days/

Coca-Cola had a breach that compromised 8,000 employees’ personal data, but they are also providing identity monitoring for a year at no cost. Ahh… refreshing, isn’t it?
https://www.infosecurity-magazine.com/news/no-smiles-for-cocacola-after-data/


What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Simplii Financial (CIBC) & Bank of Montreal
Exploit: Spear Phishing
Type of Exploit Risk to Small Business: High: Personal and account information from a large number of customers was compromised, opening up the possibility of identity theft for business owners or employees.

Risk to Exploited Individuals: High: A large amount of personal and account information was breached from both banks, including social insurance numbers and account balances.

Simplii Financial: Owned by CIBC, Simplii Financial is a Canadian banking institution offering a wide array of services for their customers such as mortgages and investing.

BMO (Bank of Montreal): BMO is also a Canadian banking institution that offers investing, financial planning, personal accounts, and mortgages.

Date Occurred/Discovered The weekend of the 25th (May 2018)
Date Disclosed May 28, 2018
Data Compromised Personal and account information of the two banks’ customers. The hackers provided a sample of the breached data, containing the names, dates of birth, social insurance numbers and account balances of two customers.
How it was Compromised It is believed that both bank data breaches were carried out by the same group of fraudsters, given the time frame and the group’s ‘blackmail’ strategy rather than selling the data. It is suspected that a spear phishing attack was used, focusing on individual employees with targeted phishing attempts rather than the ‘dragnet’ approach typically seen in phishing attacks.
Customers Impacted Between the two banks, over 90,000 people’s personal and account information was compromised during the breach. CIBC-owned Simplii Financial reported 40,000 accounts compromised, while BMO declared 50,000 accounts compromised later the same day.
Attribution/Vulnerability Undisclosed at this time.

http://www.cbc.ca/news/business/simplii-data-hack-1.4680575

Honda Car India
Exploit: Misconfigured/ Insecure Amazon S3 buckets
Type of Exploit Risk to Small Business: High
Risk to Exploited Individuals: Moderate: Presumably low-risk PII and vehicle information exposed.
Honda Car India: Honda is an international corporation from Japan that specializes in cars, planes, motorcycles and power equipment.

Date Occurred/Discovered The details were left exposed for at least three months. A security researcher who was scanning the web for unsecured servers left a warning message timestamped February 28.
Date Disclosed May 30, 2018
Data Compromised Names, user gender, phone numbers and email addresses for both users and their trusted contacts, account passwords, car VINs, Car Connect IDs, and more.
How it was Compromised A researcher who was scanning the web for AWS S3 buckets with incorrect permissions left a message in Honda Car India’s server to warn them to secure it. Honda was not even aware that the note had been added, signaling a complete lack of monitoring on the company’s part.
Customers Impacted 50,000 of Honda Car India’s customers had their personal info exposed on the internet for three months at a minimum.
Attribution/Vulnerability Negligence. Once the researcher noticed that Honda had still not secured their buckets, he reached out to them but it still took the company 2 weeks to respond.

https://www.bleepingcomputer.com/news/security/honda-india-left-details-of-50-000-customers-exposed-on-an-aws-s3-server/

SPEI
Exploit: Man in the Middle Attack
Type of Exploit Risk to Small Business: Severe: Security certificate exploit, website login spoofing, traffic re-direct. Significant financial loss. Threat intelligence/ data share fail.
Risk to Exploited Individuals: Low: Financial institutions will absorb the loss.

SPEI: Mexican domestic payment system.

Date Occurred/Discovered A breach was first detected on April 17th, with 5 more financial institutions being breached on April 24th, 26th, and May 8th.
Date Disclosed May 2018
Data Compromised $15 Million stolen
How it was Compromised The central bank of Mexico experienced a man in the middle attack in April that it was able to stop, but failed to warn other financial institutions in the country about the severity of the incident. Five other financial institutions were subsequently attacked, and those attacks succeeded. It is unclear exactly how the hackers were able to enter the network, and the situation is still developing.
Attribution/Vulnerability Outside actors/ not disclosing breach possibly facilitated more breaches.
Customers Impacted Multiple financial institutions in Mexico

https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret

Polish Banks
Exploit: JavaScript malware injection named BackSwap
Type of Exploit Risk to Small Business: High: Sophisticated JavaScript injection designed to bypass advanced security/ injection detection.
Risk to Exploited Individuals: High: Those who used the Polish banks targeted by the new malware will take a financial loss; 2FA does not combat this.

Polish Banks: 5 Polish banks are being targeted

Date Occurred/Discovered The banking malware was first introduced in March 2018 and has been increasingly active since then.
Date Disclosed May 2018
Data Compromised Banking account information and funds
How it was Compromised BackSwap is a new banking malware family that uses an unfortunately elegant technique to bypass traditional security measures: it monitors browsing activity through Windows message loop events rather than through process injection. When an infected user begins banking activities, the malware injects malicious JavaScript directly via the browser’s address bar. The script hides the change in recipient by replacing the input field with a fake one displaying the intended destination.
Attribution/Vulnerability Outside actors, deployed through spam email campaign

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
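Added example written for this note (not code from ESET’s write-up, from the malware, or from any bank): a Python simulation of why a bare one-time code does not stop the recipient swap described above, and why binding the code to the transfer details (so the customer signs what they see) does. The bank classes, session ids and account numbers are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: the transfer the customer typed and confirmed on screen,
# and the account the injected script silently substitutes. Neither is a real account.
INTENDED_TRANSFER = {"recipient": "PL00000000000000000000000001", "amount": "500.00", "currency": "PLN"}
MULE_ACCOUNT = "PL00000000000000000000000002"


def swap_recipient(transfer):
    """Effect of the injected script as described above: the page still shows the intended
    recipient, but the form that reaches the bank names the attacker's account.
    (Only the outcome is simulated; this is not the malware's code.)"""
    tampered = dict(transfer)
    tampered["recipient"] = MULE_ACCOUNT
    return tampered


class PlainOtpBank:
    """2FA as a bare one-time code: it proves the customer is present, nothing about the transfer."""

    def __init__(self):
        self.pending = {}

    def start_transfer(self, session_id, _transfer):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = code
        return code  # sent out of band, e.g. "Your code is 123456"

    def submit(self, session_id, _transfer, code):
        expected = self.pending.pop(session_id, None)
        return expected is not None and hmac.compare_digest(expected, code)


class BoundCodeBank:
    """Transaction-bound code: derived from the transfer details, so a swapped recipient
    no longer matches, and the out-of-band message tells the customer what they are signing."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # server-side secret
        self.pending = {}

    def _code_for(self, session_id, transfer, nonce):
        msg = "|".join([session_id, nonce, transfer["recipient"], transfer["amount"], transfer["currency"]])
        digest = hmac.new(self.key, msg.encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def start_transfer(self, session_id, transfer):
        nonce = secrets.token_hex(8)
        self.pending[session_id] = nonce
        code = self._code_for(session_id, transfer, nonce)
        # The message repeats the recipient: a swap made before this point would be visible
        # to an attentive customer even though the browser window shows the intended account.
        message = f"Code {code} authorises {transfer['amount']} {transfer['currency']} to {transfer['recipient']}"
        return code, message

    def submit(self, session_id, transfer, code):
        nonce = self.pending.pop(session_id, None)
        if nonce is None:
            return False
        # Recomputed from what was actually submitted, not from what the customer saw.
        return hmac.compare_digest(self._code_for(session_id, transfer, nonce), code)


def plain_otp_accepts_swapped_transfer():
    """True: the customer typed a valid code, so the bank pays the mule account."""
    bank = PlainOtpBank()
    code = bank.start_transfer("session-1", INTENDED_TRANSFER)
    return bank.submit("session-1", swap_recipient(INTENDED_TRANSFER), code)


def bound_code_accepts_swapped_transfer():
    """False: the code was bound to the intended recipient, so the tampered form fails."""
    bank = BoundCodeBank()
    code, _message = bank.start_transfer("session-1", INTENDED_TRANSFER)
    return bank.submit("session-1", swap_recipient(INTENDED_TRANSFER), code)


def bound_code_accepts_legitimate_transfer():
    """True: an untampered transfer still goes through."""
    bank = BoundCodeBank()
    code, _message = bank.start_transfer("session-1", INTENDED_TRANSFER)
    return bank.submit("session-1", INTENDED_TRANSFER, code)


if __name__ == "__main__":
    print("plain OTP, recipient swapped ->", plain_otp_accepts_swapped_transfer())
    print("bound code, recipient swapped ->", bound_code_accepts_swapped_transfer())
    print("bound code, legitimate ->", bound_code_accepts_legitimate_transfer())
```

The bound code only helps if the bank derives it from the submitted transfer and the out-of-band message names the recipient; a code that merely proves possession of the phone is what the page means by 2FA not combating this.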

The last couple of months have seen an increase in the number of attacks on financial institutions around the world. Both Bank Negara Malaysia and Bancomext were targeted in SWIFT-related attacks, while two Canadian banks’ data was held for ransom in a massive breach. The largest three banks in the Netherlands were hit by DDoS attacks, the Swiss Financial Market Supervisory Authority stated that cyber-attacks were the greatest threat to their banks, and at the same time British banks’ spending on fighting financial crime sits at 5 billion pounds.

While no sector is immune from cyber-attack, the nature of the financial industry makes it an attractive target. The sector is made up of institutions that store large quantities of sensitive data that can be sold on the Dark Web, as well as institutions that have access to large sums of capital.

Additional Sources:
https://www.hstoday.us/uncategorized/cyber-attacks-on-banking-infrastructure-increase/


Which Users Will Cause The Most Damage To Your Network And Are An Active Liability?


by Stu Sjouwerman

The statistic that four percent of employees will click on almost anything, with “Free Coffee” and “Package Delivery” taking some of the top spots among phishbait subject lines, may not sound like much.

However, keep in mind the most successful marketing campaigns only achieve around two percent. With double the response of most marketing initiatives, it’s no wonder that the phishing attacks keep coming.

That statistic comes from Verizon’s 2018 Data Breach Investigations Report. The report showed that the number of phishing emails continues to grow. The victims include government agencies that house some of our most sensitive records. The report also reveals that one quarter of all malware detected was ransomware, and it indicated that 68 percent of breaches go undetected for months.

The answer to fending off phishing campaigns may lie in the same employees who choose to click. Using a type of crowd-sourced security that turns employees into human sensors could be the answer. One example of this approach is the US Department of Defense Cyber Security/Information Assurance program, where contractors share intelligence with each other and the DOD.

With the right training, employees can learn to recognize phishing attempts and alert others of the impending threat. This type of information gives the IT team an advantage leading to a faster response.

Here are a few steps that can empower your employees to be human sensors using a Phish Alert Button:

– An aware victim can be a good sensor. Encourage employees to ask how reading a suspicious email makes them feel. Rushed, pressured, exploited? Then be wary. Train your employees to recognize how the email makes them feel.

– Build an intelligence network. If you make it easy to report potential threat emails, you’ll build a steady stream of alerts.

– But don’t overuse the “Abuse Box.” Phishing needs to be reported. Flooding an underprepared IT department with messages that need to be checked may be counterproductive. Make sure the IT department is ready to handle the volume. So build user awareness as you build capacity.

The number of phishing emails can be expected to grow. But with a change in the way your organization perceives and responds to social engineering, users can become your best defense and not your weakest link. As always, consider interactive, new-school security awareness training. It’s effective and extremely affordable.

GCN has the story, written by Lex Robinson who works at Cofense.

Free Phish Alert Button
When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4’s free Phish Alert Button to your employees’ desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.

Don’t like to click on redirected links? Cut & Paste this link in your browser:

https://info.knowbe4.com/free-phish-alert-partner?partnerid=0010c00001wis6gAAA

Our friend, Kevin Lancaster from ID Agent, continues his weekly posting of the week in breaches and phishing attacks. This is important, not just for enterprises but also for small and medium-sized businesses. Attacks are coming in from all directions; here are some highlights from his post:

Protection from Hacks

Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.

Student of The Month in California!
Phish Teacher, Change Grades, Get Felony!  You can’t make this stuff up!

Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?




Highlights from The Week in Breach

  • Retail Point of Sale (POS) systems can’t catch a break, or can’t get their s*** together.
  • Healthcare insider threat strikes again.
  • Your legal case may have been closed… or deleted.
  • Your personality is revealing and, it may have been revealed.

Chili’s Restaurants
Retail

Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)

What you need to know: Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most systems do not reside within the traditional network environment, processing systems are most commonly exploited via compromised trusted 3rd-party vendors, common credential stuffing, and exploit kits delivered via email.

Chili’s Restaurants

Date Occurred/Discovered March-April 2018 / Discovered 5/11/18
Date Disclosed 5/14/18
Data Compromised Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.
How it was Compromised Malware
Customers Impacted Chili’s has not disclosed the restaurants impacted and/or the number of customers impacted.
Attribution/Vulnerability Undisclosed at this time.

http://time.com/money/5276047/chilis-data-breach-2018/

Note: Breaches have huge repercussions, often resulting in customers losing trust in the brands. According to a study from KPMG, 19% of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.

https://www.sfgate.com/technology/businessinsider/article/Chili-s-restaurants-were-hit-by-a-data-breach-12911248.php

Nuance Communications
Healthcare

Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit.  System and security control failure
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)

What you need to know: Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had limited ability to detect anomalous on-network behavior. With such a large percentage of its target market comprised of organizations that operate in regulated industries including healthcare, Nuance should have invested in aggressive insider threat/insider mishap detection.

Organizations operating in regulated markets should take a more aggressive approach both to insider threat detection and to threats originating within the supply chain, as this case demonstrates.

Nuance Communications (speech recognition software)

Date Occurred/Discovered 11/20/17 – 12/9/17
Date Disclosed 5/14/18
Data Compromised Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.
How it was Compromised An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.
Customers Impacted Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.
Attribution/Vulnerability  Unknown/undisclosed at this time.

Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”

The incident is a reminder that insider breaches remain one of the most difficult kinds of improper access attacks to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.

https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002

Mason Law Office
Legal

Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent credential-based account takeover exploit
Risk to Individuals: High: Sensitive PII and Legal Information loss and/ or deletion  

What you need to know: It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account takeover compromise. Legal firms leveraging 3rd-party case management systems should take the time to review their security controls and procedures. They should also conduct a full audit to determine who has access to what data within these 3rd-party systems and make the required corrections.

Mason Law Office – Sacramento, CA (mycase.com)

Date Occurred/Discovered Discovered 5/5/18
Date Disclosed 5/14/18
Data Compromised Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.
How it was Compromised The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.
Customers Impacted Clients of Mason Law Firm using mycase.com.
Attribution/Vulnerability Unknown/undisclosed at this time.

https://www.databreaches.net/mason-law-office-notifies-clients-of-hack-involving-mycase-com/

myPersonality app
Information Technology / Lifestyle

Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)

Exploit: Application security misconfiguration resulting in credential-based exploit

Risk to Individuals: High (PII, Psychological Characteristics & Profile)

What you need to know: The developers of the personality app committed several major blunders in this case.

  1. Poor website/application security allowed for easy and unmonitored access to their website and underlying datasets.
  2. They failed to notice that their data set had been sitting out in the open for 4 years.
  3. The data stored within the platform was easily linked through its per-user IDs and de-anonymized.

myPersonality app

Date Occurred/Discovered Exact dates unknown – 2014 – 2018
Date Disclosed 5/14/18
Data Compromised The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.
How it was Compromised Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.
Customers Impacted 3 million users of the app
Attribution/Vulnerability Publicly available credentials allowed access to the data. For the last four years, a working username and password have been available online and could be found with a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.


https://www.databreaches.net/mypersonality-app-data-leak-exposed-intimate-details-of-3m-users/

https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/


The Pillars of Cyber Security Explained

Network Security

The cyber threat landscape changes on a daily basis. There is no one-size-fits-all solution and there are no magic bullets. It has been said that the price of liberty is eternal vigilance. The same holds true for cyber security. There are four pillars of security: endpoint protection, perimeter protection, monitoring, and end-user vigilance.

They say that those who don’t learn from history are doomed to repeat it, and matters of cyber security are no exception. Threats will often follow trends, and so by reviewing what has happened in the past, we may be able to glean some insight into what will be important in the future.

If the first half of 2018 was any indication, there are a few things that will be of most concern to IT professionals and end users. My friend and colleague, Tommy Vaughn from Central Technology Solutions, provided a lot of the inspiration for this post!

Ensure All Endpoints Have Appropriate Security Measures

It’s staggering to consider how many endpoints any given business could have, each providing a route in for threat actors. Between company-provided devices, personal mobile devices, and Internet of Things devices, there are plenty of opportunities for a company to be attacked.

As a result, as 2018 progresses, businesses must be aware of what threats exist, as well as better prepared to protect themselves against them. This includes strategies that ensure your organization’s digital protections are properly maintained while remaining cognizant of physical security best practices. Pairing encryption and access control, as well as mobile device management, can create a much safer environment for your data.

Cover your 6’s

Your network needs to have not just the firewall appliance – but a comprehensive suite of tools that can help you recognize suspicious behavior. It is more than just a static device. It has to be paired with analytical tools as a service that can give you insight into your network. Additionally, an external firewall or web filtering service can protect you from unseen threats on a multitude of levels. It is not just hardware and software anymore. You need to have the resources available to alert you to threats, cut down the noise from repeated alerts and investigate areas that you should not be in yourself – e.g. the Dark Web.

Get Back to Basics With Security and End User Education – Cyberawareness Training

While it may sometimes be tempting to focus on the massive attacks and breaches that too-often dominate the headlines, no business can afford to devote their full attention to those vulnerabilities and overlook the more common threats. This is primarily because once they do, they become exponentially more vulnerable to these attacks through their lack of awareness and preparation.

Part of being prepared for the threats of the coming weeks and months is to make sure that your employees are also up to speed where security is concerned. Educating them on best practices before enforcing these practices can help to shore up any vulnerabilities you may have and maintain your network security. This includes restricting employee access to certain websites, requiring passwords of appropriate strength, and encouraging your employees to be mindful of exactly what they’re clicking on. A comprehensive program of cyber awareness training, delivered to the employees over the course of a year in small incremental sessions, is key. Use controlled mistakes as teachable moments to correct dangerous behavior. Once trained, your employees become your “human firewall”. As they say with shampoo, “rinse and repeat”. Often.

Continuing to Improve Security Measures

Finally, it is important to remember that implementing security features isn’t a one-time activity. Threats will grow and improve in order to overcome existing security measures, and so if they are going to remain effective, these security measures must be improved as well.

While regulatory requirements can provide an idea of what security a network should feature, they shouldn’t be seen as the endpoint. Instead, those requirements should be the bare minimum that you implement, along with additional measures to supplement them.

We are here to help. If you would like to explore the options of a completely managed firewall, DNS filtering, or cyber awareness training, we can assist. First, get a baseline of where your organization stands. We have a suite of FREE tools that can help show you your susceptibility to phishing and spoofing, and whether your organization’s credentials are for sale on the Dark Web. We can also do an onsite security assessment to analyze your network’s vulnerabilities.

For your free tools, please visit:  http://downloads.primetelecommunications.com/CyberAwareness-Free-Tools or give us a call at 847 329 8600.

We are your managed technology solutions professionals and we are here to listen!

Here is the last week in Data Breaches

Kevin Lancaster from ID Agent publishes a weekly summary of data breaches that occur. No matter how much we protect our own networks, perimeter and endpoints alike, our valuable information can be compromised off of a third-party site. Here is his summary of breaches from the past week:


It’s the little things that give you away.

This past week brought us a diverse set of incidents. Unfortunately, several of the high-profile compromises could have been easily prevented. From database misconfigurations to Phishing exploits, this week was the busiest week in disclosure since the week of March 19th.

Here are a few items to note from this week’s report:

  1. Compromised credentials are still #1: Several incidents leverage compromised credentials from 3rd party data breaches to initiate their attack.
  2. Amazon buckets are still leaking: Two of the incidents reviewed this week leverage flaws in Amazon S3 configurations. It’s surprising to see these very easy-to-fix issues still impacting organizations that hold very sensitive data.
  3. Global reach of data breaches noted: Data breaches are getting more coverage globally. This week demonstrates that massive exploits are not just targeted towards the US.
  4. Financially motivated breaches on the rise: Insider Threat and “Accidental Loss” of high-value data are on the rise.
  5. The healthcare sector targeted:  Healthcare organizations are clearly in the crosshairs.

Kevin
Chief Executive Officer


1. TaskRabbit

Business Vulnerability: High: Network Exploit, Compromised Credential Exploit, Customer PII Loss, Website Defacement, Phishing email generation using company CRM/customer database.
Individual Risk: High: Compromised PII, Password Re-use/3rd Party Compromise, Phishing Exploit

Date Occurred: April 15th, 2018
Date Disclosed: April 17th, 2018
Data Compromised: Personally identifiable information of users, including clear-text passwords.

How Compromised: The incident first appeared to be a technical glitch that redirected users to a WordPress site when they tried to visit TaskRabbit.

Customers Impacted: TaskRabbit Users: Customers posting jobs and “Taskers”

Attribution/Vulnerability: Network & Website Exploit via Compromised Credentials.

https://techcrunch.com/2018/04/18/taskrabbit-ceo-posts-statement-as-its-app-returns-following-a-cybersecurity-breach/

What you need to know:
Given its complexity, I’m surprised that the SecOps space has given this incident very little attention.  This is a great case study in compromise and lateral exploit.

It appears that a compromised credential allowed the attacker to gain network access AND access to TaskRabbit’s website and customer database. TaskRabbit acknowledges that it needs to do a better job with its “network intrusion detection” and that it stored more PII on its customers than needed.

Here’s what seems to have happened:

  1. Attacker uses a compromised email and password to gain access to the network
  2. Attacker defaces, then re-directs the website to a bogus WordPress landing page
  3. Attacker uses the company’s CRM/CMS to send Phishing emails from the domain to customers.

If anything, this highlights how a single credential can be used to create a large attack surface. For MSPs, these scenarios can be particularly complex to deal with and have long-term downstream damage, since most MSPs are not tasked with, and do not provide, services to host and secure their customers’ websites.

2. Localblox (data scraping/collection firm)

Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit

Individual Risk: Moderate: Harvested data already & still widely available on the surface web

Date Occurred: Early 2018

Date Disclosed: April 18, 2018

Data Compromised: The data was found in a human-readable, newline-delimited JSON file. The data collected includes names and physical addresses, employment information and job histories, and more, scraped from Facebook, LinkedIn, and Twitter profiles. Localblox would use this data to cycle through email addresses that it had collected through Facebook’s search engine to retrieve users’ photos, current job title and employer information, and additional family information.

How it was Compromised: The company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled “lbdumps,” contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

Customers Impacted: Localblox claims it has more than 650 million records in its device ID database, and 180 million records in its mobile phone database, which includes mobile phone numbers and carriers. The company also says it has a US voter database with 180 million citizens.

Attribution/Vulnerability: Localblox Misconfiguration

https://www.hackread.com/localblox-exposes-millions-of-facebook-linkedin-data/

What you need to know: Most companies using S3 (including Localblox in this case) do not realize that they have to go back and re-configure their access settings within Amazon’s S3 service to prevent anyone with access to Amazon’s platform from finding and accessing a bucket.

By default, the S3 service is highly prone to misconfiguration that can give almost anyone looking the ability to access or modify information in a non-password protected bucket. Attackers can gain access to list and read files, write/upload files, or change access rights to all objects and control the content of the files in a bucket.

The S3 issue is well known and easily fixed.  It’s concerning that a company scraping social and web data to build profiles on people would be this negligent with their data storage and security.
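A defensive check for the misconfiguration described above: this added example (not code from the page, from Localblox, or from AWS) audits a bucket’s ACL and bucket policy documents offline for grants to everyone, covering the list/read, write and change-access-rights cases named above. The ACL and policy documents are constructed samples shaped like the output of boto3’s get_bucket_acl and get_bucket_policy; the group URIs are AWS’s real predefined groups, and no AWS call is made.

```python
"""Offline audit of an S3 bucket ACL and bucket policy for public access.

Added example, not code from the page or from Localblox. The documents
below are constructed to mirror the shapes returned by boto3's
get_bucket_acl() and get_bucket_policy(); nothing here talks to AWS.
"""
import json

# AWS predefined groups. AuthenticatedUsers is "anyone with an AWS account",
# i.e. the "anyone with access to Amazon's platform" case in the text.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# What each ACL permission lets a member of such a group do.
ACL_EFFECT = {
    "READ": "list and read objects",
    "WRITE": "write/upload or delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "change access rights on the bucket",
    "FULL_CONTROL": "full control over the bucket",
}


def public_acl_grants(acl):
    """Return findings for ACL grants to AllUsers / AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group:
            perm = grant.get("Permission", "")
            findings.append(f"ACL grants {perm} to {group}: {ACL_EFFECT.get(perm, perm)}")
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_policy_statements(policy):
    """Return findings for Allow statements whose principal is everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "?")
        if stmt.get("Condition"):
            # A condition (e.g. aws:SourceVpce) may narrow the grant; flag for review.
            findings.append(f"policy statement {sid}: Principal * with a Condition, review manually")
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append(f"policy statement {sid}: Principal * allowed {actions}")
    return findings


def audit_bucket(acl, policy=None):
    """Combine ACL and policy findings; an empty list means no public grant found."""
    return public_acl_grants(acl) + (public_policy_statements(policy) if policy else [])


# Constructed sample: bucket listable by everyone via ACL, readable via policy.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

On a real account the same two functions can be fed the dictionaries that boto3 returns, with S3 Block Public Access enabled at the account level as the fix.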

As for the data they are scraping… it’s still widely available and easily accessed.  By anyone…

3.  FastHealth Interactive Healthcare (Website programming and hosting for hundreds of hospitals and other healthcare organizations) 

Business Vulnerability: High: Compromised Default Password, Unsecured/internet database

Individual Risk: High: Compromised PII, Compromised PHI, Compromised Financial Data

Date Occurred: 2016 & 2017  (2 incidents)

Date Disclosed: April 2018

Data Compromised: Incident 1: Patient billing and health-related information entered via online patient web forms. Incident 2: Patient Health Information. At this time, it is unknown whether the databases were breached or if information was actually retrieved.

How it was Compromised: Attackers used credential stuffing to access the accounts; that is, they attempted to log in using credentials leaked from other data breaches.

Customers Impacted: At least 9200.

Attribution/Vulnerability: Compromised Default Password – Law Enforcement Observation

What you need to know: Compromised default password exploits are still very common. What’s concerning about this group is that it has experienced 2 incidents over a 2-year period.  It looks like the organization fell asleep at the wheel, as the second incident was identified by Law Enforcement.  There are very few details on what LE noticed.  There is little chatter about this data being for sale.

http://www.insurancefraud.org/IFNS-detail.htm?key=27891       

4. True (Thai telecommunications company)

Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit

Individual Risk: High: Impacted Thai citizens with PII exposed

Date Occurred: Unknown/March 2018

Date Disclosed: March 2018

Data Compromised: True said stored copies of national identification cards belonging to 11,400 customers who bought “TrueMove H” mobile packages via True’s e-commerce platform iTruemart, run by True’s digital arm Ascend Commerce, had been made public.

How it was Compromised: The data leak came to light after Norway-based security researcher Niall Merrigan said in his personal blog on Friday that he was able to access 32 gigabytes of True’s customer data, including identification cards, and that he notified True in March about the security breach.

Customers Impacted: 11,400 TRUE Customers.

Attribution/Vulnerability: Exposed by Norway-based researcher Niall Merrigan

What you need to know: Sound familiar? Thai communications is lucky that Niall decided to put his white hat on and notify them that their bucket is leaking!

https://www.reuters.com/article/us-true-corporation-data/thai-telco-true-defends-security-measures-after-user-data-breach-idUSKBN1HO2D5 

5. Blue Shield of California

Business Vulnerability: High: Potential PII Exploit for Financial Gain or Accidental Data Loss

Individual Risk: Low: Dataset isolated/ impacted individuals contacted

Date Occurred: Breach had occurred in November 2017 during the 2018 Medicare Annual Enrollment Period

Date Disclosed: The Blue Shield of California Privacy Office received confirmation on March 23, 2018

Data Compromised: The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.

How it was Compromised: A Blue Shield employee emailed a document containing PHI to an insurance broker “in violation of Blue Shield policies.” Blue Shield of California said that it believes the insurance broker may have contacted some of the individuals identified in the document to sell a Medicare Advantage Plan offered by another health insurance company.

Customers Impacted: Blue Shield CA customers.

Attribution/Vulnerability: Insider Threat/ Blue Shield employee

What you need to know: It’s not entirely clear if this incident was an exploit for financial gain or just a case of accidental data loss. It does come on the heels of a successful Phishing exploit that exposed the PHI of 21,000 people. It’s interesting that several reports suggest that the 3rd party that received the data tried to use it to sell a Medicare Advantage plan. I would not be surprised if there is a criminal inquiry under way.

 https://iapp.org/news/a/blue-shield-of-california-confirms-phi-data-breach/ 

6. American Esoteric Laboratories

Business Vulnerability: High: Stolen Laptop Potential PII Exploit for Financial Gain or Accidental Data Loss

Individual Risk: High: Sensitive Patient Data (PHI), Payment Data

Date Occurred: On or after October 15, 2017

Date Disclosed: April 20, 2018

Data Compromised: Data breach may have resulted in the exposure of the personal and protected health information of patients of a medical lab chain with multiple Alabama locations.

How it was Compromised: An employee’s laptop was stolen. A wide range of personal information about patients may have been stored on the laptop, including names, addresses, Social Security numbers, dates of birth, health insurance information, and/or medical treatment information.

Customers Impacted: American Esoteric Lab patients.

Attribution/Vulnerability: Unknown

What you need to know: It appears that the organization, even though it knew it had PHI, did not use endpoint protection, nor did it encrypt its laptops. AEL states that it’s taking steps to make sure this type of incident does not happen again. “These steps include increasing the security of the AEL systems and networks through the use of encryption technology, updating relevant policies and procedures, and retraining staff.”

http://www.al.com/news/birmingham/index.ssf/2018/04/data_breach_could_impact_some.html

 Do you want to know if your business domain’s emails have been exposed? We will do a free Dark Web scan that will show you when, where and what was exposed.

Here is the link: http://downloads.primetelecommunications.com/Dark-WeB

What Security Measures are Most Effective at Fighting Ransomware

 

In response to the announcements today from both the US and UK governments about significant persistent cyber threats from state actors, I thought it would be important to bring in an expert.

Here is a guest post from Stu Sjouwerman from KnowBe4, our preferred vendor for cyber awareness training. We just had our staff go through some of the training modules, and we were amazed. Amazed may be the wrong word; scared s#*&less may be more accurate. The threats out there are so deadly for businesses and organizations of all sizes and industries.

The Spiceworks staff wrote: “Years after CryptoLocker raised its ugly head — setting off an unfortunate security trend — ransomware continues to be a rather painful thorn in the side of IT professionals and organizations around the world.

In 2017, we saw entire companies and government agencies shut down for days thanks to WannaCry and NotPetya, sometimes costing a single organization hundreds of millions of dollars. And things haven’t gotten that much better recently.

For example, in March 2018, the city of Atlanta fell victim to ransomware that brought city services down (airport Wi-Fi, online bill pay systems, police warrant systems, job application forms, and more) and forced many employees to shut down their systems for five days. Similar attacks have been launched against cities in the U.S. and around the world.

A ransomware security poll

There isn’t one magic bullet that can solve all IT security problems. Instead, companies must employ a layered strategy to reduce the risk of a ransomware infection. But are all security measures created equal?

Ideally, organizations would be able to follow all security best practices; in reality, however, organizations have to prioritize. Here’s our question: If you landed in a brand new environment and had to choose, where would you start or focus your security efforts? That is, which security measures do you think are most important / are most effective when it comes to fighting ransomware?

Pick your favorites in our anonymous poll below (you can choose up to three options) and join the conversation in the comments!”

The poll asked: “What security measures are most effective in fighting ransomware?” and 2,209 IT pros answered, including me; my picks are the bolded options:


I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don’t, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/kmsat_quote-request_partner?partnerid=0010c00001wis6gAAA

If you would like to test out some free cyber awareness training tools, please visit our landing page: http://downloads.primetelecommunications.com/CyberAwareness-Free-Tools

If you want to be really proactive, we can run a free Dark Web search for your company domain and tell you how many of your domain emails are on over 600,000 sites on the Dark Web- and tell you the email address, the password and the date it was discovered. http://downloads.primetelecommunications.com/Dark-WeB

 

The Latest Round Up of Data Breaches for March 2018 and up to April 4 2018

Here is the latest round up of data breaches that can compromise your network’s credentials. As you know, after the data is stolen, it appears on the Dark Web for sale. Whereas individuals should use products like LifeLock or Experian, IT managers/CISOs/CFOs for small and midsize businesses can use our Dark Web search for free to see if they are compromised: http://downloads.primetelecommunications.com/Dark-WeB

If you find that you have credentials exposed, we can help you by monitoring and educating your end users.

Warning:

We do not recommend that you access the Dark Web on your own. Exploring this hidden network of sites without the necessary expertise is extremely dangerous and can expose you, your network, company and data to a large number of threats. Let experienced professionals specializing in cyber security help you access the necessary intelligence to safely bolster your defenses.


 

  1. MyFitnessPal

Date Occurred: February 2018

Date Disclosed: March 2018

Data Compromised: May include usernames, email addresses, and hashed passwords. Payment information NOT affected.

How it was Compromised: Unauthorized party access

Customers Impacted: 150 million users

Attribution: None at this time

Business Risk: Moderate (Data Exploit, Compromised Credentials, Weak Encryption)

Since the motivation is unknown at this time, it’s hard to determine how the data may be used and its direct impact on the individuals compromised. The data set holds 3 key data elements: email, username and password. “Most” passwords were hashed using bcrypt; however, it appears a large percentage were simple SHA-1. Financial data was collected and housed separately, a solid best practice.

https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html

  2. Ohio Applebee’s

Date Occurred: December 6, 2017 – January 2, 2018

Date Disclosed: March 2, 2018

Data Compromised: Certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods could have been affected.

How it was Compromised: Unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations.

Customers Impacted:  Only impacted stores within the RMH network of restaurants and not the broader Applebee’s network.

Attribution:  None at this time

Business Risk: Low (POS exploit, Regional)

This POS compromise was regional in scope and would have more of a direct impact on individuals rather than businesses. We will continue to monitor for chatter/uptick in online financial fraud leveraging this data set.

https://www.rmhfranchise.com/dataincident/

  3. Boeing

Date Occurred: Early 2018

Date Disclosed:  March 2018

Data Compromised: Not disclosed at this time

How it was Compromised: “Limited intrusion of Malware” WannaCry, Supply Chain

Customers Impacted: “A small number of systems”; older systems

Attribution: Nation State leanings. WannaCry, Crypto-malware

Business Risk: High (External / Persistent Targeting, Crypto, Vulnerability Exploit)

Although Boeing is publicly downplaying its impact, the company sent a company-wide alert calling for “all hands on deck.” It’s apparent that the infections caused major disruptions to airplane production and that significant internal resources were spent on determining downstream impacts.

There has been significant chatter regarding alternate payload distribution and kill switch circumvention.  Boeing most certainly would have beefed up its resiliency to WannaCry after its initial outbreak in 2017.  This suggests that supply chain access to Boeing core systems was exploited to deliver the payload.

https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/

  4. Active.com

Date Occurred: December 2016 – September 2017

Date Disclosed: March 2018

Data Compromised: PII used in registration/checkout process for races

How it was Compromised: Unauthorized access by 3rd parties

Customers Impacted: Potentially hundreds of runners in Great Britain affected; full effects not known.

Attribution: None at this time

Business Risk: Low (POS exploit, Regional)

Small scale POS exposure impacted several hundred individuals in the UK.  3rd party intel firms suggest data has been sold on dark web markets in TOR. However, we have not validated the sale or exploit of this data as of 4/2/18.

https://www.runnersworld.co.uk/events/credit-card-details-from-runners-potentially-at-risk-in-a-security-breach

  5. Loganville, Gwinnett County, GA

Date Occurred: March 15, 2018

Date Disclosed: March 2018

Data Compromised: May include PII such as social security numbers and/or banking information

How it was Compromised: City server breached by outside person or entity

Customers Impacted: Specifics unknown

Attribution: None at this time

Business Risk: Moderate (External / Persistent Targeting, Vulnerability Exploit)

The city’s announcement on Facebook suggests that its systems were left open to public access. It has yet to be determined or disclosed whether access was the result of an individual leveraging default password access or of systems being left unpatched and open to automated exploit. It does not appear to be related to the City of Atlanta’s SamSam ransomware compromise from March 22.

https://www.wsbtv.com/news/local/gwinnett-county/metro-atlanta-city-reports-its-own-data-breach-warns-customers/722204765

  6. Baltimore 911 Dispatch System

Date Occurred: March 24-25, 2018

Date Disclosed: March 2018

Data Compromised: Hack affected messaging functions within the Computer Aided Dispatch (CAD) system which supports 911 and 311 functions in the city.

How it was Compromised: Crypto-malware hack prompted a temporary shutdown of automated 911 dispatching services and forced a reversion to manual operations

Customers Impacted: Specifics unknown

Attribution: Unknown actors – assumed Eastern European, Crypto-malware

Business Risk: Severe (External / Persistent Targeting, Human Error, Vulnerability Exploit)

The attack shows the constant scanning and targeting of public sector systems. Attackers performed an automated scan of the city’s firewall/ports within a few hours of a technician manually changing firewall settings on its computer-aided dispatch system.

https://technical.ly/baltimore/2018/03/28/cyber-breach-baltimores-911-dispatch-system-investigation/

  7. Orbitz

Date Occurred: October 1, 2017 – December 22, 2017

Date Disclosed: March 1, 2018

Data Compromised: Potentially wide range of PII including full names of customers, credit card numbers, birth dates, phone numbers, mailing addresses, billing addresses and email addresses.

How it was Compromised: Hackers able to breach one of the company’s legacy booking platforms to access records that cover dates between January 2016 – December 2017.

Customers Impacted: Orbitz customers and potentially customers who used Amextravel.com to book.

Attribution: Unknown actors

Business Risk: High (Vulnerability Exploit, potential for widespread online fraud)

It took Orbitz almost 3 months to discover that attackers exploited a legacy version of their travel booking platform between October 1, 2017 and December 22, 2017.

The data impacts more than 880,000 individuals. The string of PII compromised, combined with business itinerary information, provides the ability to effectively social engineer impacted individuals. Individuals should proactively monitor their personal data for misuse.

https://thehackernews.com/2018/03/expedia-data-breach.html

  8. Hudson’s Bay Co. (Saks /Lord & Taylor)

Date Occurred: “Preliminary analysis” found credit card data was obtained for sales dating back to May 2017

Date Disclosed: April 1, 2018

Data Compromised: Hackers stole information for more than 5 million credit and debit cards used at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores. Cards used for in-store purchases. “No indication” online purchases were affected.

How it was Compromised: Not known at this time.

Customers Impacted: The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the “majority of stolen credit cards were obtained from New York and New Jersey locations.”

Attribution: Hacking syndicate JokerStash or Fin7 began boasting on dark websites last week that it was putting up for sale up to 5 million stolen credit and debit cards. The hackers named their stash BIGBADABOOM-2.

Business Risk: High (POS compromise, potential for widespread online fraud)

Chatter about the data sets began to surface 2 weeks back but was largely discounted. The Joker’s Stash site has touted several comprehensive sets of validated credit card data going back to 2016, including Hilton and BeBe Stores.

The data set contains more than 5 million credit and debit cards (all card types with complete data strings). This data set will produce significant online credit and debit card fraud. Any organization running an ecommerce platform is urged to add additional card validation requirements until card issuers are able to invalidate all cards identified in the harvest.

https://www.nytimes.com/2018/04/01/technology/saks-lord-taylor-credit-cards.html 

  9. ATI Physical Therapy

Date Occurred: Unknown – discovered in January 2018.

Date Disclosed: Early March 2018

Data Compromised:  ATI Holdings discovered in January that some employees’ direct deposit information had been changed in its payroll system. At least one of the hacked email accounts included patient names, birth dates, driver’s license numbers, Social Security numbers, credit card numbers, diagnoses, and medication and billing information, among other data.

How it was Compromised: May have been compromised after hackers got ahold of email accounts belonging to the Bolingbrook, Illinois-based chain’s employees.

Customers Impacted: As many as 35,000 patients of ATI Physical Therapy and its subsidiaries. ATI Physical Therapy has more than 100 clinics in Illinois and hundreds of others across 24 other states.

Attribution:  Not known at this time.

Business Risk: High (Compromised Email Accounts, Lateral movement, Downstream Exploit)

With the hallmarks of organized crime, this compromise was able to extract and manipulate both employee and customer data. The downstream impacts are widespread and will have adverse effects on impacted individuals. Privileged access was leveraged to re-route banking information and extract comprehensive medical records/data sets on thousands of patients.

This is a devastating compromise that allowed attackers to move laterally within their victim’s network for an undetermined length of time.

https://www.hipaajournal.com/ati-physical-therapy-data-breach-impacts-35000-patients/

  10. CareFirst

Date Occurred:  Unknown
Date Disclosed: Discovered March 12, 2018; disclosed late March 2018

Data Compromised: The breached email account gave the attackers access to the employee’s emails; the attack could have compromised personal information on about 6,800 CareFirst members, including names, member identification numbers and dates of birth. The company said the information did not include medical or financial data. CareFirst also disclosed that, for eight members, Social Security numbers may have been compromised.

How it was Compromised: A CareFirst employee was the victim of a phishing attack, which compromised their email account. In this case, the compromised CareFirst email account was used to send spam messages to an email list of individuals, which the insurer said were not associated with CareFirst.

Customers Impacted: Potentially 6,800 CareFirst members

Attribution: Not known at this time.

Business Risk: High (Phishing, Compromised Credentials)

A well-crafted Phishing attack harvesting credentials. Expect more information on this compromise to surface in the coming week. The public response to this compromise falls in line with how most large organizations are messaging their exposures. It’s becoming commonplace for organizations to generalize the numbers impacted to minimize negative public reaction.

https://www.databreachtoday.com/carefirst-bluecross-blueshield-hacked-a-8248

11. DELTA Airlines

Date Occurred:  Unknown
Date Disclosed: Discovered March 12, 2018; disclosed late March 2018

How it was compromised: [24]7.ai–a company that provides online chat services for a variety of companies including Delta–was involved in a “cyber incident.” This cyber incident allowed Delta customer payment information to be accessed during the period from September 26, 2017 to October 12, 2017

https://www.inc.com/peter-economy/delta-air-lines-just-revealed-stunning-data-breach-and-your-payment-information-may-have-been-exposed.html

Prime Telecommunications Partners with ID Agent to Heighten Cybersecurity

 

Prime Telecommunications, a leader in managed technology services, announced today that the company has partnered with ID Agent to enhance the security of SMBs (small to mid-sized businesses) across the nation. ID Agent and this partnership will enable business owners to prevent identity theft and thwart cybercriminals from gaining access to sensitive data.

“We’re thrilled to announce this partnership. It’s going to have a huge effect on the business owners we serve,” stated Vic Levinson, President of Prime Telecommunications. “This partnership allows business owners to get a very clear and immediate picture of how their cybersecurity is currently performing. When owners are made aware of the threats and risks that are facing their business, they’re capable of bringing in the right infrastructure to protect themselves from cyber-attacks. This partnership is so important because it gives a very clear picture of the company’s risks.”

The partnership between Prime Telecommunications and ID Agent will combine human and sophisticated Dark Web intelligence with search capabilities to identify, analyze and proactively monitor an organization’s compromised or stolen employee and customer data. Business owners will receive real-time alerts, so they can focus on running their organizations. This partnership will not only allow businesses to monitor the dark side of the web, but it also provides the option to monitor an organization’s supply chain, third party partners and vendors that may have access to sensitive data, as well.

“At the end of the day it’s all about protecting employees who don’t realize the threats they face when executing their day-to-day responsibilities,” added Levinson. “Employees who spend time browsing the Internet, who share their email passwords freely, or use unsecured, cloud-based tools to do their work may not necessarily realize all of the potential vulnerabilities facing their network. We consider it to be our duty to educate the marketplace on these types of solutions to prevent as many cyberattacks from happening as possible.”

 

About ID Agent

ID Agent provides Dark Web monitoring and identity theft protection solutions, available exclusively through the reseller channel, to private and public organizations and millions of individuals at risk of cyber incidents. Its flagship product, Dark Web ID, delivers Dark Web intelligence to identify, analyze and monitor for compromised or stolen employee and customer data, mitigating exposure to enterprise clients’ most valuable asset – their digital identity. The company’s SpotLight ID provides personal identity protection and restoration for employees and customers while enhancing their overall cybersecurity awareness as well as further safeguarding corporate systems.