This Week in Breach August 10 to August 17 2018

Dark Web Inforgraphic

This week we saw mobile apps making headlines. Tinder was used by a potential spy to unsuccessfully bait military secrets out of an airman and Snapchat’s source code was published on Github. The marketing campaign for the PGA championship has hit a speed bump in the form of a ransomware attack and an Australian hospital specializing in maternal health exposed treatments on the web.

Highlights from The Week in Breach:

  • Samsung Meets Meltdown
  • Snapchat Source Code
  • Think of the Children
  • The PGA is in the Sand Trap

In Other News:

Catfished
A hacker recently tried a new take on an old trick, utilizing the dating app Tinder in a honeypot scheme. The bad actor set out to steal military secrets from the British Royal Air Force, using a compromised RAF airwomen’s dating profile to try and trick a serviceman into revealing the details of the F-35 stealth fighter. The brand-new fighter is the result of a £9 billion project . China and Russia are eager to get their hands on any details they can about the plane. The airwomen realized almost immediately that her account was hacked and informed RAF, who was able to confirm that no information was disclosed, and the airman targeted was not connected to the F-35 program.
https://www.telegraph.co.uk/news/2018/08/05/honeytrap-hacker-attempted-steal-raf-fighter-jet-secrets-using/

Galaxy Meltdown
Samsung phones are not invulnerable to the microchip security flaw known as Meltdown as previously thought. Researchers at an Austrian University uncovered a way to exploit the vulnerability on the popular smartphone. The researchers plan on testing other phones in the future and believe that they will have similar results with other devices. With as much damage as Spectre exploits have done since its discovery, the same kind of exposure in smartphones could wreak havoc.
https://www.irishexaminer.com/breakingnews/business/samsung-galaxy-s7-phones-vulnerable-to-being-hacked-860965.html

Oh Snap!
A hacker got ahold of some of the source code for the popular photo-messaging service Snapchat, publishing the valuable code on Github. The hacker is believed to be from Pakistan and the code has since been taken down by the company. It is likely that the repo contained part of or all of their iOS app but because the code was removed from Github. There is no way to verify the amount of source code published. The validity of the source data is also questionable, but given Snapchats all-caps DMCA request, (seen below) it seems like there’s a good chance the code was the real deal.

“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.”
https://thenextweb.com/security/2018/08/07/hacker-swipes-snapchats-source-code-publishes-it-on-github/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
IT Provider Network – The Podcast for Growing IT Service
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


 

United States – The Professional Golfers’ Association (PGA)
Exploit: Ransomware.
Risk to Small Business: High: Ransomware is highly disruptive to any organization.
Individual Risk: High: Loss of data and possibly exfiltration of personal information can result from a ransomware attack.
The Professional Golfers Association: A golfing association that hosts the PGA Championship.
Date Occurred/Discovered: August 7, 2018
Date Disclosed: August 9, 2018
Data Compromised:

  • Creative material for the PGA Championship
    • Promotional banners
    • Logos
    • Digital signage
  • Creative material for the Ryder’s Cup in France
    • Abstracts of logos

Customers Impacted: With the PGA championship around the corner, this breach could affect golf fans all over the country.
https://cyware.com/news/pga-of-america-hit-by-ransomware-attack-days-before-championship-e16f53a7

Mexico – Hova Health
Exploit: Exposed the MongoDB database.
Risk to Small Business: High: Carelessness with customers’ sensitive data can cause irreparable damage to an organizations image.
Individual Risk: High: The information exposed on the internet could be used in identity theft.
Hova Health: Technology company that services the Mexican health care sector.
Date Occurred/Discovered: August 2018
Date Disclosed: August 7, 2018
Data Compromised:

  • Name
  • Gender
  • Date of birth
  • Insurance information
  • Disability status
  • Home address

Customers Impacted: 2 million individuals.
https://www.bleepingcomputer.com/news/security/health-care-data-of-2-million-people-in-mexico-exposed-online/

Australia – The Women’s and Children’s Hospital
Exploit: Negligence.
Risk to Small Business: High: The sensitive nature of the data exposed as well as the scope of the breach will cost the organization the trust of its customers and could possibly result in hefty fines.
Individual Risk: High: The data exposed by the organization could be extremely useful for bad actors to impersonate them, in addition to the high value of personal medical information on the Dark Web.
The Women’s and Children’s Hospital: An Adelaide based health care facility that provides treatment for women, babies and children.
Date Occurred/Discovered: Occurred over the last 13 years
Date Disclosed: August 6, 2018
Data Compromised:  

  • Names
  • Date of birth
  • Test results

Customers Impacted: 7,200 individuals.
https://cyware.com/news/7200-womens-and-childrens-hospital-patient-records-test-results-exposed-online-for-13-years-1d384ef4

United States – Comcast
Exploit: Web vulnerability.
Risk to Small Business: High: The loss of customer trust and the expense of providing identity monitoring for the affected individuals could damage any organization.
Individual Risk: High: Key data needed for identity theft was exposed.
Comcast: One of the United States largest cable providers.
Date Occurred/Discovered: August 2018
Date Disclosed: August 8, 2018
Data Compromised:

  • Social Security Numbers
  • Partial home addresses

Customers Impacted: 26.5 million individuals.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers



Go Phish.
Phishing emails have evolved far past the misspelled words and suspicious email addresses that most people use to help judge the validity of an email. The phishing email of today can look like an exact copy of the communications coming from the imitated company. With the constant PII saturation of dark web, personal details can be added to the phishing email to make it look even more convincing. The malicious emails will continue to get better and more refined, so how do you counter them? The best way to keep your organization safe is by training employees about social engineering attacks, encouraging employees to be skeptical of suspicious emails and to report them, and utilizing technologies such as an antivirus and simulated phishing awareness training and using constant credential monitoring with Dark Web ID™. A properly executed phishing email could result in a business’s operations suspended due to ransomware, the theft of IP or the exposure of customer data… so why wouldn’t any organization proactively get prepared?

Advertisements

The Week in Breach

spearphishing

Russian Dark Web
A reporter from The Guardian recently dove into a popular Russian Dark Web hacking forum known as FreeHacks, which aims to maximize efficiency in the attacks of its members and to disperse information on ‘quality’ hacking. On the surface it looks like any other forum, and (in essence) it is, with a twisted turn provided by the malicious nature of the subject matter. The categories of the forum are split into a wide variety of specific types of hacking and some ‘lifestyle’ forums as well.

Hacker news, humor, botnet, DDoS, programming, web development, malware and exploits, and security are examples of some of the topics discussed on the site. Some of the markets on the site include stolen credit cards, password cracking software, a clothing market to launder money, and a document market where members can buy passports and citizenships. The forum has about 5,000 active members and claims that a hacker is not a ‘computer burglar’ but rather ‘someone who likes to program and enjoy it.” Given the kind of information and marketplaces available on the site, this seems more like mental gymnastics rather than a nuanced examination of one’s own criminality. After passing the registration to get into the site, the reporter found step-by-step directions for finding someone’s physical address, among other nefarious ways to penetrate companies’ networks or to extort individuals.
https://www.theguardian.com/commentisfree/2018/jul/24/darknet-dark-web-hacking-forum-internet-safety

Gamer Recognize Game
The website for Kaiser Permanente was hijacked this week by hackers, defacing the site to include a variety of Game of Thrones quotes, which is a popular book series turned TV show. The American integrated care consortium based in Oakland, California had their pictures of happy healthy families on their front page replaced with a black screen and a declaration that a hacking group known as the faceless men was responsible for the act. The hacking group appears to be somewhat amateur in nature, and Turkish in origin. An investigation into the group’s members reveals that a few of the hackers listed are active Turkish gamers, which raises the question about how an organization that handles sensitive medical information was able to be hacked by a group of Turkish gamers with very little hacking experience. It is unclear whether any personal information has been accessed in the hack … the organization has declined to comment as of the writing of this Week in Breach.
https://www.databreaches.net/hear-me-roar-kaiser-permanente-site-defaced-by-got-fans/

Security > Convenience
More customers value security over convenience than professionals in the UK, according to a new study. 83% of customers prefer security, compared to only 60% of cybersecurity professionals. The study explores the reason for the disparity in the concern, citing organizations desire for frictionless customer experience as a reason for not having tight security. This could contribute to the UK scoring an unimpressive 56 out of 100 points on the Digital Trust Index which is one of the lowest in the world and 5 points lower than the global average. This disconnect is likely to continue in the future considering 88% of UK executives believe they are doing a good job protecting consumer data while over half of their organizations have been breached in the past year.
https://www.infosecurity-magazine.com/news/uk-consumers-prefer-security-to/

Hacking from The Inside
Across 5 different correctional facilities in Idaho, hundreds of inmates were able to add thousands of dollars’ worth of credits to their JPay accounts, which allows inmates to buy music or send emails. Over 300 inmates were able to exploit a vulnerability in the JPay system to add $224,772 across the group. One of those involved managed to gain nearly $10,000 using the exploit. Those who hacked their JPay accounts are being punished, and the vulnerability is being fixed, but this raises questions about the security of programs used by the U.S. prison system.
https://www.nytimes.com/2018/07/27/us/idaho-prison-hack-jpay-nyt.html

Podcasts:
IT Provider Network – The Podcast for Growing IT Service
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


United States – Reddit
Exploit: SMS intercept.
Risk to Small Business: High: Could have damaging effects on the trust of clients, as well as highlighting the vulnerabilities of SMS 2FA.
Individual Risk: Moderate: The nature of the data is not particularly harmful due to the age and the scope but affected users could be at risk for spam.
Reddit: Extremely popular forum, one of the 5 most popular sites on the internet.
Date Occurred/Discovered: June 14 – 18, 2018
Date Disclosed: August 1, 2018
Data Compromised:

• Old Reddit user data (before May 2007)
• Usernames
• Salted hashed passwords
• Email addresses
• Public content
• Private messages
• Email digests
Customers Impacted: Users with accounts made before 2007, subscribers to email digests between June 3 and June 17, 2018.
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

United States – UnityPoint Health
Exploit: Phishing.
Risk to Small Business: High: A huge breach of customer trust, also this organization will be fined heavily because medical data was breached.
Individual Risk: High: The content breached is valuable on the Dark Web and is vital in identity theft.
UnityPoint Health: Multi hospital group operating in Iowa, Illinois and Wisconsin.
Date Occurred/Discovered: March 14 – April 3, 2018
Date Disclosed: July 31, 2018
Data Compromised:
• Protected health information
• Names
• Addresses
• Medical data
• Treatment information
• Lab results
• Insurance information
• Payment cards
• Social Security Number
Customers Impacted: 1.4 Million.
https://www.healthcareitnews.com/news/14-million-patient-records-breached-unitypoint-health-phishing-attack

New Zealand – Hāwera High School
Exploit: Phishing.
Risk to Small Business: High: Ransomware attacks can be very disruptive.
Individual Risk: High: Students could lose files stored locally on computers. High risk of identity theft if PII is stored.
Hāwera High School: A New Zealand High School.
Date Occurred/Discovered: August 2018
Date Disclosed: August 2, 2018
Data Compromised:
• Local files stored on school computers
Customers Impacted: Students at the school.
https://www.theregister.co.uk/2018/08/02/new_zealand_school_hit_by_ransomware_scum/

India – CreditMate.in
Exploit: Exposed database.
Risk to Small Business: High: The exposed database was found during a routine google search, this kind of breach would seriously damage an organizations image.
Individual Risk: High: Data key for identity theft were exposed in this breach.
CreditMate: Helps customers obtain loans to purchase motorbikes.
Date Occurred/Discovered: July 27, 2018
Date Disclosed: August 2, 2018
Data Compromised:
• Member reference number
• Enquiry number
• Enquiry purpose
• Amount of loan being sought
• Full name
• Date of birth
• Gender
• Income tax ID number
• Passport
• Driver’s license
• Universal ID number
• Telephone number
• Email address
• Employment information
• Employment income
• CIBIL credit score
• Residential address
• Payment history of other loans/credit cards
Customers Impacted: 19,000.
https://www.databreaches.net/exclusive-creditmate-in-developers-goof-left-19000-consumers-credit-reports-unsecured/

United States – Yale University
Exploit: Unclear.
Risk to Small Business: High: Highly sensitive personal information was leaked which would damage consumer trust.
Individual Risk: High: The data accessed would be highly useful for bad actors looking to steal someone’s identity.
Yale University: A prestigious American University.
Date Occurred/Discovered: April 2008 – January 2009
Date Disclosed: June 2018
Data Compromised:
• Social security numbers
• Dates of birth
• Email addresses
• Physical addresses
Customers Impacted: 119,000
https://www.zdnet.com/article/yale-discloses-old-school-data-breach/

A note for your customers:
Texts from a Hacker.
With the breach of Reddit being disclosed this week, it’s key to remember the importance of robust cybersecurity, given that the hacker of the site was able to bypass 2FA. The actor was able to do this by using a method called ‘SMS intercept’ which is when the hacker is able to receive the text that contains the code for authentication. One way this is done is by SIM-swap, which is when the attacker convinces the phone provider that he is the target and applies their service to a new SIM card. Another method of attack is when bad actor impersonates the target and tricks the phone provider into transferring the target’s number to a new provider where the attacker is then able to access any 2FA codes coming into the phone.

A more secure alternative to SMS 2FA is app-based authentication through organizations such as Duo, which is not subject to the same vectors of attack. Stay vigilant out there, because SMS-intercept attacks are going to become more and more prevalent as they have been shown to be successful, and publicly too considering Reddit is one of the most popular sites on the internet.

This Week in Data Breaches 7/27 to 08/1 2018

Phishing

This week there were a few troubling breaches that stood out, especially the identity theft company LifeLock. When a company deals with sensitive information like the data LifeLock stores, customer trust is paramount…. so, when a breach occurs it really makes one reevaluate the effectiveness of the organization. A U.S. bank was also breached, with customer accounts drained at hundreds of ATMs across the country: a clear sign of a highly organized and effective attack. Bad actors are becoming smarter and getting better at attacking organizations, and the barrier to entry into this career of crime is getting lower and easier.

Thanks to our friends at ID Adgent!

 

Highlights from The Week in Breach:
– Banking Trojan.
– Life-UnLocked!
– Cyber Bank Heist.
– Huge Supply Chain Breach!

In Other News:

This Trojan is Galloping
The increasing popularity of ‘malware as a service,’ which is pre-packaged malware, developed by authors with technical skill and leased to less advanced cybercriminals, has made it easier for cybercriminals to launch advanced attacks on victims across the globe. A top-shelf malware as a service known as Exobot has had its code leaked after the author of the malware sold the banking trojan’s source code to interested parties. Once the source code is sold to enough people, eventually someone posts it publicly or it leaks in other ways. Authors of these ‘service’ malware rarely sell off the source code, that is unless they are finished with the project and moving on to other things. This is concerning in multiple ways, first being that a new more powerful malware may be in the works by the same author, second being that the sophisticated Android banking trojan is now becoming more available to bad actors. Researchers fear that the availability of the source code on underground hacking forums and its inevitable spread across the web will trigger a surge of malicious Android applications. History lends to this conclusion, as the leak of Android banking trojan ‘BankBot’ on the web lowered the barrier of entry into the world of malware and resulted in an explosion of the use of the trojan.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

The Best Test to Fail
Penetration testers are useful for assessing the strength and weaknesses in the cybersecurity of an organization, and according to new research these testers are mostly successful. Penetration testers can gain control over the network in question 67% of the time. The study in question was conducted by Rapid7 and examined organizations across industries and sizes, providing a supple sample size for finding two main points of vulnerabilities. The main vulnerabilities proved to be software and credentials. Software has increasingly been used to infiltrate networked resources, and credentials have always been a route of entry for bad actors. Only 16% of the organizations examined did not have a vulnerability, which is less than last year’s study, where 32% were vulnerability-free.
https://www.darkreading.com/threat-intelligence/new-report-shows-pen-testers-usually-win/d/d-id/1332368

I Ain’t Afraid of No PowerGhost
There is a new cryptocurrency mining malware out in the wild, and instead of using an individual’s devices, this malware has been targeting business PCs and servers. The cryptojacker is fileless, utilizing PowerShell and EternalBlue to spread through a business like a disease. PowerGhost is what researchers have begun calling the malware, and it can start on a single system and then spread to other organizations. As of the writing of This Week in Breach, South America is mainly affected by the cryptojacker, but PowerGhost also has a presence in North America and Europe.
https://www.zdnet.com/article/this-new-cryptomining-malware-targets-business-pcs-and-servers/

Podcasts:
IT Provider Network – The Podcast for Growing IT Service
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


Canada – GM, Toyota, Tesla, More – Exposed by Level One Robotics

Exploit: Unprotected server/supply chain vulnerability.
Risk to Small Business: Extreme: A breach of this magnitude and depth would more than likely end a small business due to the extremely sensitive information that was leaked. Most companies would not choose to do business with an organization that leaked their trade secrets.
Individual Risk: Extreme: Passport photos and driver’s license scans of some employees were leaked, which puts them at extreme risk for identity theft.
Level One Robotics: Ontario-based business that provides industrial automation services for automotive suppliers.
Date Occurred/Discovered: July 10, 2018
Date Disclosed: July 23, 2018
Data Compromised:

  • Blueprints
  • Factory schematics
  • Robotic configurations
  • Non-disclosure agreements
  • Employee data
    • Names
    • ID numbers
    • Driver’s license scans
    • Passport scans
    • ID photos
  • Invoices
  • Contracts
  • Price negotiations
  • Insurance policies
  • Customer agreements
  • Banking information for the company
    • Account
    • Routing numbers
    • SWIFT codes

Customers Impacted: Over 100 manufacturing companies.
https://cyware.com/news/trade-secrets-of-gm-toyota-tesla-and-others-from-last-10-years-exposed-in-major-data-leak-d707fe02

United States – LifeLock

Exploit: Lack of website authentication and security.
Risk to Small Business: High: Email addresses were exposed, which allows bad actors to target customers. The exploit also allowed a hacker to unsubscribe from all communication with the company, which could be devastating to small businesses.
Individual Risk: Low: Due diligence with opening phishy emails and being suspect of unexpected emails will go a long way to combat this breach.
LifeLock: Identity theft protection company.
Date Occurred/Discovered: July 2018
Date Disclosed: July 25, 2018
Data Compromised:

  • Email addresses

Customers Impacted: 4.5 Million.
https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/ 

United States – The National Bank of Blacksburg

Exploit: Phishing.
Risk to Small Business: High: The cybercriminals got away with a great deal of money in this hack. Most small businesses would not be able to stay afloat after a hit like the one detailed here.
Individual Risk: Extreme: The money taken was from customer accounts.
The National Bank of Blacksburg: A banking organization located in Virginia.
Date Occurred/Discovered: May 2016 and January 2017
Date Disclosed: Not disclosed, but discovered when a lawsuit was filed June 28, 2018
Data Compromised:  

  • Was able to disable anti-theft systems
  • $1,833,984 USD

Customers Impacted: Hundreds of customers’ accounts were used to steal money from the bank.
https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

United States – COSCO
Exploit: Ransomware.
Risk to Small Business: High: The Company’s email is down, forcing employees to use Yahoo mail to communicate with customers as well as internally.
Individual Risk: Low: Customers of the shipping company are not affected due to the continuing operation of the company, but it may be more difficult to coordinate with them.
COSCO: COSCO is an acronym for China Ocean Shipping Company and is a Chinese state-owned shipping services company. It is the 4th largest shipping company in the world.
Date Occurred/Discovered: July 24, 2018
Date Disclosed: July 25, 2018
Data Compromised: A ransomware attack has taken down their American network. The organization is keeping the breach under wraps, for now, so most details are not disclosed.
Customers Impacted: All the organization’s customers are affected by this attack. The difficulty in contacting the company could disrupt its customers’ business.
https://www.bleepingcomputer.com/news/security/ransomware-infection-cripples-shipping-giant-coscos-american-network/

http://lines.coscoshipping.com/home/News/detail/15325081261286611042/50000000000000231?id=50000000000000231

United States – Blue Spring Family Care

Exploit: Ransomware.
Risk to Small Business: High: Ransomware would be highly disruptive to any sized business.
Individual Risk: Moderate: There is no indication that any customer’s data was exfiltrated.
Blue Spring Family Care: Family healthcare provider.
Date Occurred/Discovered: May 12, 2018
Date Disclosed: July 26, 2018
Data Compromised: Ransomware attack encrypted the organization’s data. The extent of the attack is not clearly defined.
Customers Impacted: 44,979
https://www.databreaches.net/mo-blue-springs-family-care-notifies-44979-patients-after-ransomware-attack/



Supply Pain.
Supply chain attacks are extremely prevalent and costly, and most organizations are not prepared for them. A recent study found that less than 40% of organizations in the US, UK and Singapore have properly vetted their suppliers in the last year. Two-thirds of organizations have suffered a supply chain breach within the same time-frame, and almost three quarters (71%) don’t require the same level of security from their suppliers as they do internally. With the global average cost of a supply chain breach at $1.1 million, do you want to take those odds?https://www.darkreading.com/attacks-breaches/two-thirds-of-organizations-hit-in-supply-chain-attacks-/d/d-id/1332352

 

Want to see if you are compromised? Get a free Live Search Dark Web Scan for your business domain!

 

The Week in Breach June 23 to June 29 2018

 

The Week in Breach

 

It’s no surprise that this week has been busy for cyber-attacks on the web, targeting big events such as the World Cup but also continuing to pursue small-and medium-sized businesses across the globe.

– Google is still leaking!
– Another Dark Web marketplace down in a big win for French authorities.
– Do androids dream of electric… rats? A new malware for Android!
– Going phishing at the World Cup.

In other news… Google has announced that Chromecast and Google Home devices, that are easily scripted to reveal precise location data to the public, will be patched in the coming weeks. Disclosed by a researcher at Tripwire, the simple script running on a website can collect location by revealing a list of internet connections available to the device. Researchers go on to describe how easy it would be to remote into an exposed individual’s device and network.
https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/

The Dark Web marketplace known as ‘Black Hand’ was shut down by French authorities this week. The marketplace was used to sell drugs, weapons, stolen personal information and banking data, as well as fake documents. The site had over 3,000 users from France and was highly active for selling illicit materials.
https://www.hackread.com/authorities-shut-down-dark-web-marketplace-black-hand/

Researchers have come across a new malware family that takes form as an Android remote administration tool (or RAT). The malware uses the messaging app Telegram both to spread and to operate the RAT. When an attacker gains access to a device, he or she operates it by using Telegram’s bot functionality and can intercept text messages, send text messages, make calls, record audio or screen, and locate the device.
https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

With the World Cup in full swing this week, bad actors are taking advantage of the attention on the event and spinning up malicious email campaigns. The idea is that people are less vigilant about clicking emails from unknown sources when related to an event that only occurs every couple of years. Sites selling fake tickets, offering fictitious giveaways and luring unsuspecting induvial to click on malicious links related to the World Cup are popping up all over the place.
 https://www.darkreading.com/attacks-breaches/wallchart-phishing-campaign-exploits-world-cup-watchers/d/d-id/1332080

A network worm called ‘Olympic Destroyer’ that debuted at the 2018 winter Olympics is still doing damage across Europe. Since the Olympics, the group has taken an interest in financial and biochemical organizations and oftentimes uses spear phishing as a way to gain illegal access to systems. The group has so far remained anonymous, using a complex combination of false flags and other deceptive behavior to avoid being revealed.
https://www.darkreading.com/vulnerabilities—threats/olympic-destroyer-reappears-in-attacks-on-europe-russia/d/d-id/1332094


What we’re listening to this week!

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!

Indian Government

Exploit: Leaky websites, lack of basic website/ internet security controls.

Risk to Small Business: High: Demonstrates that poor cyber hygiene and complete disregard for basic website/ internet security can be highly damaging.

Risk to Exploited Individuals: High: Sensitive personally identifiable information that can be used for identity theft.

Indian Government: The Republic of India’s government.

Date Occurred/Discovered The government has experienced a wide variety of breaches over a long span of time, but with their websites being audited in May of 2018, their continuing lack of security with such highly sensitive information proves to be a continuing problem.
Date Disclosed June 20, 2018
Data Compromised · Names and phone numbers of those who bought various medicines from state-run pharmacies

Recently but not this week:

· Aadhaar number

· Data collected in ‘Smart Pulse Survey’

· Geolocation of people based on caste/religion

· Geolocation of ambulances, why they were summoned, and the hospital destination

How it was compromised Leaky websites and dashboards allowing anyone to look up HIGHLY sensitive medical and personal information.
Customers Impacted Anyone who has purchased medicine from the state-run pharmacies.
Attribution/Vulnerability Poorly configured database.

http://www.newindianexpress.com/specials/2018/jun/19/in-wake-of-data-leaks-andhra-pradesh-orders-audit-of-all-government-websites-1830571.html

https://www.huffingtonpost.in/2018/06/19/caught-leaking-information-on-people-buying-viagra-from-government-stores-ap-orders-security-audit_a_23463256/

Med Associates

Exploit: Supply Chain/Trusted Vendor Compromise
Compromised Workstation, most likely compromised credentials and a lack of multi-factor authentication.

Risk to Small Business: High: At least 42 physician practices had their customer’s PII compromised. Lack of situational awareness within the supply chain will create significant challenges for the vendors that replied on the claims processing vendor.

Risk to Exploited Individuals: High: This breach has disclosed a massive amount of HIGHLY sensitive personal and health information leaving customers impacted significant risk of identity theft and fraud.

Med Associates: A New York-based claims processing company.

Date Occurred/Discovered March 2018
Date Disclosed June 2018
Data Compromised · Patient names

· Dates of Birth

· Addresses

· Dates of service

· Diagnosis codes

· Procedure codes

· Insurance information, such as insurance ID numbers

How it was compromised Not disclosed, but it was specified that the attack did not involve ransomware or phishing.
Customers Impacted 270,000
Attribution/Vulnerability Still under investigation, but the third party gained remote access to the workstation without phishing or ransomware.

https://www.govinfosecurity.com/hacking-incident-at-billing-vendor-affects-270000-patients-a-11116


Chicago Public Schools

Exploit: Negligence

Risk to Small Business: High: If a breach of this magnitude happened to a small business, it is unlikely it would recover. This kind of negligence causing a breach tarnishes a name to a great degree, but people do not have a choice but to continue using Chicago public schools because it is a government-run program.

Risk to Exploited Individuals: High: Unfortunately, a minor’s personally identifiable information is highly sought after and valuable as its often not monitored.

Chicago Public Schools: School district in the Illinois city of Chicago

Date Occurred/Discovered June 16, 2018
Date Disclosed June 16, 2018
Data Compromised · Children’s names.

· Home phone numbers.

· Cell phone numbers.

· Email addresses.

· School ID numbers

How it was compromised When sending out an email about applications to selective enrollment schools, an employee attached a spreadsheet containing the sensitive data which was then sent out to families in the district. The person who made the critical mistake is going to lose their job according to the superintendent.
Customers Impacted 3,700 students and families
Attribution/Vulnerability Negligence

https://chicago.suntimes.com/news/cps-data-breach-exposes-private-student-data/

An important takeaway from this week is how easy it is to unsuspectingly leak personal information. A study conducted by Positive Technologies found some alarming statistics when researching the vulnerabilities of something that is often overlooked; web applications.

The study uncovered that almost half (48%) of the web applications tested were vulnerable to unauthorized access from a third party, with 17% of the tested applications being so unsecured that full control could be acquired. Every single web app that the study looked had vulnerabilities with just over half of them (52%) being high risk. A little under half (44%) of web apps examined that processed personal data leaked that personal data and 70% of all applications were at risk of leaking critical information to the business. The study found an average of two critical vulnerabilities per web application, and where the researchers had access to the source code of the web app they uncovered high-severity vulnerabilities 100% of the time. The industries used in this study of web applications include: finance, IT, e-commerce, telecom, government, mass media, and manufacturing.

Make sure to consider what web applications you are using in both your professional and personal life, otherwise, your information could end up on the Dark Web.

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Web-application-vulnerabilities-2018-eng.pdf

https://www.darkreading.com/attacks-breaches/most-websites-and-web-apps-no-match-for-attack-barrage/d/d-id/1332092

 

The Week In Breach! June 15 to June 22 2018

Dark Web

It should serve as no surprise, two of the breaches profiled this week occurred as the result of compromised email address and passwords. The particular events highlight the need to make password hygiene and compromised credential monitoring front and center.

This week also demonstrates that healthcare organizations are increasingly targeted by bad actors. Heathcare related PII/PHI is increasingly valuable and sought after in dark web markets and forums.  

A few more highlights…

– Malware on the move!  New Malware targeting Android phones making the rounds 

– Cortana… the weakest link? An exploit in Windows 10 was patched on Tuesday that allowed one to change passwords

– AI startup working on the United States drone program finds Russian malware on their server

– The Nigerian princes are back! This time, they want to be business partners…

There is a new mobile malware targeting Android phones, containing a banking Trojan, keyloggers, and ransomware. The malware, called MysteryBot will exfiltrate your data and send it back to LokiBot assets. While it’s still not in wide circulation, Android users should exercise caution when downloading apps both in and out of the play store.
https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

A vulnerability that used Cortana to access computer files even if the device was locked was revealed this week… just after patch Tuesday.
https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140/

Across the globe, email scammers are a consistent source of problems for those who use the web. This week the FBI made 74 arrests across 7 countries and an email scam bust that targeted mid-sized businesses. The scam originated in Nigeria, the same country where the notorious ‘Nigerian prince’ email scam comes from.
https://www.cnet.com/news/fbi-busts-international-email-fraud-ring-that-stole-millions/

Look out for suspicious .men! Some top-level domains are more likely to be malicious than others, with .men .gdn and .work being the most abused. If you open a .men link there is about a 50/50 chance that you are going to a site loaded with spam or malware. Check those hyperlinks!
https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/

What we’re listening to this week!

Know Tech Talks – Hosted by Barb Paluszkiewicz

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Elmcroft Senior Living

Exploit: Outside actor.

Risk to Small Business: High: Lack of Data Loss Protection (DLP) and chain of custody leading to breach

Risk to Exploited Individuals: High: Elevated probability for Identity theft and fraud based on PII compromised.

Elmcroft: Recently ending its management of more than 70 assisted living, memory care, and inpatient hospital rehabilitation, Elmcroft was in wind-down mode when the breach occurred.

Date Occurred
Discovered
Occurred May 10th 2018, Discovered on May 12th
Date Disclosed Elmcroft made an official statement on June 8th, 2018
Data Compromised Names

Date of birth

Social Security Numbers

Personal health information

How it was Compromised A third party had access to information being transferred from Elmcroft to the new management company
Customers Impacted
Residents

Residents family members

Employees

Possibly others

Attribution/Vulnerability Undisclosed at this time.

https://www.mcknightsseniorliving.com/news/data-breach-puts-personal-information-of-residents-workers-at-risk-elmcroft-senior-living-says/article/772385/

Terros Health

Exploit: Phishing scam that compromised one account.

Risk to Small Business: High: Demonstrates phishing is still a primary tactic to generate exploits and how one compromised email account can end in a major breach.

Risk to Exploited Individuals: High: Sensitive personal information, Social Security numbers and medical information were leaked all of which can be used maliciously by an outside actor.

Terros Health: Phoenix-based mental health and addiction services provider.

Date Occurred
Discovered
April, 2018
Date Disclosed June 8th, 2018
Data Compromised
Patient names

Date of birth

Social Security number

How it was Compromised
Phishing scam that compromised a single email account
Customers Impacted
1,600 patients
Attribution/Vulnerability One compromised email due to a phishing scam

https://www.bizjournals.com/phoenix/news/2018/06/10/terros-healthwarns-of-patient-data-breach.html

Clarifi
Exploit: Malware exploit to steal IP

Risk to Small Business: High: Demonstrates the need to harden security when dealing with Intellectual Property and being targets as a Federal Contractor/Supply Chain Sub-contractor.

Risk to Exploited IndividualsHigh: Highly sensitive military information is located at the company, making individuals who work their targets for state-sponsored hacking.

Clarifi: An artificial intelligence startup based in New York involved in improving U.S. military drones.

Date Occurred
Discovered
November, 2017
Date Disclosed June 2018
Data Compromised
Possibly customer data, although Clarifi denies that any data was compromised.
How it was Compromised Unclear, although the origin of the malware is believed to be Russian.
Attribution/Vulnerability Malware
Customers Impacted The company assures that no customer data was compromised

https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hacked

https://cyware.com/news/ai-startup-clarifai-working-on-pentagons-project-maven-was-allegedly-hacked-by-russian-source-8a171b30

HealthEquity
Exploit: Compromised email.

Risk to Small Business: High: Demonstrates the need for compromised credential monitoring and implementing stronger authentication tools.

Risk to Exploited Individuals: High: sensitive personal information and Social Security numbers were accessed during the breach.

HealthEquity: Utah based firm that handles millions of health savings accounts.

Date Occurred
Discovered
April 11, 2018
Date Disclosed June  2018
Data Compromised Names of members

HealthEquity ID numbers

Names of employers

Employers HealthEquity IDs

Social Security numbers

How it was Compromised
An email account of a HealthEquity employee was compromised, and the outside actor was able to gather data for two days before the malicious activity was noticed by the company.
Attribution/Vulnerability Compromised employee email.
Customers Impacted 23,000

https://www.infosecurity-magazine.com/news/23000-individuals-affected-in/

https://www.darkreading.com/operations/23000-compromised-in-healthequity-data-breach/d/d-id/1332050

Dixons Carphone
Exploit: Investigation ongoing.

Risk to Small Business: High: Breach response requirements of GDPR will significantly change how quick companies must disclose breach incidents and respond.

Risk to Exploited Individuals: High: Card data of customers was accessed by an outside actor.

Dixons Carphone: Electronics company located in the UK.

Date Occurred
Discovered
July, 2017
Date Disclosed June  2018
Data Compromised Customer Cards

Names

Addresses

Email addresses

How it was Compromised
The investigation is currently ongoing into how the breach happened, but it was only just discovered a little under a year after it happened.
Attribution/Vulnerability Unauthorized access to company data
Customers Impacted 5.9 million

An important takeaway from this week is the damage that a single compromised email account can have on an organization of any size. With one compromised email account a bad actor can send countless employees malware from an unsuspicious and legitimate email, often times without the employee knowing their email is compromised. Don’t let your business end up on the next Week in Breach. Make sure you and your employees’ passwords are strong, not reused or shared, and that your credentials aren’t up for sale on the Dark Web, by monitoring with Dark Web ID™ by Prime Telecommunications.  Please share this week’s breach news with a coworker or friend.

Highlights from The Week in Breach: May 30 to June 6 2018

Highlights from The Week in Breach:

– Finance sector attacks ramping up
– BackSwap JavaScript injections effectively circumventing detection
– Honda has leaky buckets too

This week in breach has all been about money, money, money. The finance sector is getting pelted with attacks recently – even more than usual – and Mexico, Canada, and Poland have been hit the worst.

In other news…

North Korea is still up to their old tricks, targeting South Korean websites with advanced zero-day attacks.
https://www.bleepingcomputer.com/news/security/activex-zero-day-discovered-in-recent-north-korean-hacks/

School is letting out which means grade changing breaches are in season! Two students at Bloomfield Hills High School attempted to fudge their report card and refund lunches for themselves and 20 other students.
https://www.forbes.com/sites/leemathews/2018/05/22/school-hackers-changed-grades-and-tried-to-get-a-free-lunch/#478b6d026e7d

The government of Idaho was hacked 2 times in 3 days which is not a very good look.
https://idahobusinessreview.com/2018/05/22/state-government-hacked-twice-in-three-days/

Coca-Cola had a breach that compromised 8,000 employees’ personal data, but they are also providing identity monitoring for a year at no cost. Ahh… refreshing, isn’t it?
https://www.infosecurity-magazine.com/news/no-smiles-for-cocacola-after-data/


 What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Simplii Financial (CIBC) & Bank of Montreal
Exploit: Spear Phishing
Type of Exploit Risk to Small Business:  High: Personal and account information from a large number of customers were compromised, opening up the possibility of identity theft for business owners or employees.

Risk to Exploited Individuals: High: A large number of both personal and account information was breached from both banks including social insurance numbers and account balances. 

Simplii Financial: Owned by CIBC, Simplii Financial is a Canadian banking institution offering a wide array of services for their customers such as mortgages and investing.

BMO (Bank of Montreal): BMO is also a Canadian banking institution that offers investing, financial planning, personal accounts, and mortgages.

Date Occurred/
Discovered
The weekend of the 25th
Date Disclosed May 28, 2018
Data Compromised Personal and account information of the two bank’s customers. The hackers provided a sample of the breached data, containing the names, dates of birth, social insurance number and account balances of two customers.
How it was Compromised It is believed that both bank data breaches have been carried out by the same group of fraudsters, due to the time frame and ‘blackmail’ strategy of the group rather than selling of the data. It is suspected that a spear phishing attack was used, focusing on individual employees with targeted phishing attempts rather than a ‘dragnet’ approach typically seen in phishing attacks.
Customers Impacted
Between the two banks over 90,000 people’s personal and account information was compromised during the breach. CIBC owned Simplii Financial reported 40,000 accounts compromised compared to BMO who declared 50,000 accounts compromised later on the same day.
Attribution/Vulnerability Undisclosed at this time.

http://www.cbc.ca/news/business/simplii-data-hack-1.4680575

Honda Car India
Exploit: Misconfigured/ Insecure Amazon S3 buckets
Type of Exploit Risk to Small Business: High
Risk to Exploited Individuals: Moderate: Presumably low-risk PII and vehicle information exposed.
Honda Car India: Honda is an international cooperation from Japan that specializes in cars, planes, motorcycles and power equipment.

Date Occurred/
Discovered
The details were left exposed for at least three months. A security researcher who was scanning the web for unsecured servers left a message of warning timestamped February 28.
Date Disclosed May 30 2018
Data Compromised
Names
User gender
Phone numbers for both users and their trusted contacts
Email addresses for both users and their trusted contacts
Account passwords
Car VIN
Car Connect IDs, and more
How it was Compromised
A researcher who was scanning the web for AWS S3 buckets with incorrect permissions left a message in Honda Car India’s server to try and warn them to secure their server. Honda was not even aware that the note was added, signaling a complete lack of monitoring on the companies part.
Customers Impacted
50,000 of Honda Car India’s customers have had their personal info exposed on the internet for three months at the minimum.
Attribution/Vulnerability Negligence. Once the researcher noticed that Honda had still not secured their buckets, he reached out to them but it still took the company 2 weeks to respond.

https://www.bleepingcomputer.com/news/security/honda-india-left-details-of-50-000-customers-exposed-on-an-aws-s3-server/

SPEI
Exploit: Man in the Middle Attack
Type of Exploit Risk to Small Business: Severe: Security certificate exploit, website login spoofing, traffic re-direct. Significant financial loss. Threat intelligence/ data share fail.
Risk to Exploited IndividualsLow:  Financial Institutions will absorb the loss.

SPEI: Mexican domestic payment system.

Date Occurred/
Discovered
A breach was first detected on April 17th, with 5 more financial institutions being breached on April 24th, 26th, and May 8th.
Date Disclosed May 2018
Data Compromised
$15 Million stolen
How it was Compromised The central bank of Mexico experienced a man in the middle attack in April that it was able to stop, but failed to warn other financial institutions in the country about the severity of the incident. This led to 5 other financial institutions being compromised except the attacks were successful. It is unclear exactly how the hackers were able to enter the network, but the situation is constantly developing.
Attribution/Vulnerability Outside actors/ not disclosing breach possibly facilitated more breaches.
Customers Impacted Multiple financial institutions in Mexico

https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret

Polish Banks
Exploit: JavaScript malware injection named BackSwap
Type of Exploit Risk to Small Business: High: Sophisticated JavaScript injection designed to bypass advanced security/ injection detection.
Risk to Exploited Individuals: High: those who used the polish banks targeted by the new malware will take a financial loss, 2FA does not combat this.

Polish Banks: 5 Polish banks are being targeted

Date Occurred/
Discovered
The banking malware was first introduced in March 2018. The malware has been increasingly active since then.
Date Disclosed May 2018
Data Compromised Banking account information and funds
How it was Compromised
A new malware family. This family of banking malware uses an unfortunately elegant solution to bypass traditional security measures, using Windows message loop events rather than process injection methods to monitor browsing activity. When an infected user begins banking activities, the malware injects malicious JavaScript directly into the address bar. The script hides the change in recipient by replacing the input field with a fake one displaying the intended destination.
Attribution/Vulnerability Outside actors, deployed through spam email campaign

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

The last couple of months has seen an increase in the number of attacks on financial institutions around the world. Both the Bank Negara Malaysia and Bancomext were targeted in SWIFT-related attacks while two Canadian banks’ data was held at ransom in a massive breach. The largest three banks in the Netherlands were hit by DDoS attacks, the Swiss Financial Market Supervisory Authority stated that cyber-attacks were the greatest threat to their banks, while at the same time British banks spending on fighting financial crime sits at 5 billion pounds.

While no sector is immune from cyber-attack, the nature of the financial industry makes an attractive target. The sector is made up of institutions that store large quantities of sensitive data that can be sold on the Dark Web, as well as institutions that have access to large sums of capitol.

Additional Sources:
https://www.hstoday.us/uncategorized/cyber-attacks-on-banking-infrastructure-increase/

Which Users Will Cause The Most Damage To Your Network And Are An Active Liability?


by Stu Sjouwerman

The statistic that four percent of employees will click on almost anything, with “Free Coffee” and “Package Delivery” taking some of the top spots among phishbait subject lines, may not sound like much.

However, keep in mind the most successful marketing campaigns only achieve around two percent. With double the response of most marketing initiatives, it’s no wonder that the phishing attacks keep coming.

That statistic comes from Verizon’s 2018 Data Breach Investigations Report. The report showed that the number of phishing emails continues to grow. The victims include government agencies that house some of our most sensitive records. The report also reveals that one quarter of all malware detected was ransomware, and it indicated that 68 percent of breaches go undetected for months.

The answer to fending off phishing campaigns may lie in the same employees who choose to click. Using a type of crowd-sourced security that turns employees into human sensors, could be the answer. One example of this approach is the US Department of Defense Cyber Security/Information Assurance program, where contractors share intelligence with each other and the DOD.

With the right training, employees can learn to recognize phishing attempts and alert others of the impending threat. This type of information gives the IT team an advantage leading to a faster response.

Here are a few steps that can empower your employees to be human sensors using a Phish Alert Button:

– An aware victim can be a good sensor. Encourage employees to ask how reading a suspicious email makes them feel. Rushed, pressured, exploited? Then be wary. Train your employees to recognize how the email makes them feel.

– Build an intelligence network. If you make it easy to report potential threat emails, you’ll build a steady stream of alerts.

– But don’t overuse the “Abuse Box.” Phishing needs to be reported. Flooding an underprepared IT department with messages that need to be checked, may be counterproductive. Make sure the IT department is ready to handle the volume. So build user awareness as you build capacity.

The number of phishing emails can be expected to grow. But with a change in the way your organization perceives and responds to social engineering, users can become your best defense and not your weakest leak. As always, consider interactive, new-school security awareness training. It’s effective and extremely affordable.

GCN has the story, written by Lex Robinson who works at Cofense.

Free Phish Alert Button
When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4’s free Phish Alert Button to your employees’ desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.

Don’t like to click on redirected links? Cut & Paste this link in your browser:

https://info.knowbe4.com/free-phish-alert-partner?partnerid=0010c00001wis6gAAA

Our friend, Kevin Lancaster from ID Agent, continues in his weekly posting of the week in breaches and phishing attacks. This is important- not just for enterprises, but also for small and medium sized businesses. Attacks are coming in from all directions- here are some highlights from his post:

Protection from Hacks

Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.

Student of The Month in California!
Phish Teacher, Change Grades, Get Felony!  You can’t make this stuff up!

Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?


What we’re listening to this week:   

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


Highlights from The Week in Breach

  • Retail Point of Sale Systems (POS) can’t catch a break! can’t get their s*** together.
  • Healthcare insider threat strikes again.
  • Your legal case may have been closed… or deleted.
  • Your personality is revealing and, it may have been revealed.

Chili’s Restaurants
Retail

Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)

What you need to know:  Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most systems do not reside within the traditional network environment, processing systems are most commonly exploited via compromised trusted 3rdparty vendors, common credential stuffing and exploit kits delivered via email.

Chili’s Restaurants

Date Occurred/Discovered March-April 2018 / Discovered 5/11/18
Date Disclosed 5/14/18
Data Compromised Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.
How it was Compromised Malware
Customers Impacted Chili’s has not disclosed the restaurants impacted and/or the number of customers impacted.
Attribution/Vulnerability Undisclosed at this time.

http://time.com/money/5276047/chilis-data-breach-2018/

Note: Breaches have huge repercussions, often resulting in customers losing trust in the brands. According to a study from KPMG, 19% percent of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.

https://www.sfgate.com/technology/businessinsider/article/Chili-s-restaurants-were-hit-by-a-data-breach-12911248.php

Nuance Communications
Healthcare

Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit.  System and security control failure
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)

What you need to know:  Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had the limited ability to detect on-network anomalous behavior. With such a large percentage of its target market comprised of organizations that operate in regulated industries including Healthcare, Nuance should have invested in aggressive insider threat/insider mishap detection.

Organizations operating in regulated markets should take a more aggressive approach to both inside threat detection and threats originating within the supply chain as was demonstrated in this case.

Nuance Communications (speech recognition software)

Date Occurred/Discovered 11/20/17 – 12/9/17
Date Disclosed 5/14/18
Data Compromised Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.
How it was Compromised An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.
Customers Impacted Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.
Attribution/Vulnerability  Unknown/undisclosed at this time.

Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”

The incident is a reminder that Insider breaches remain one of the most difficult kinds of improper access attacks to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.

https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002

Mason Law Office
Legal

Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent Credential- based, account take-over exploit
Risk to Individuals: High: Sensitive PII and Legal Information loss and/ or deletion  

What you need to know:  It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account-based takeover compromise.  Legal firms leveraging 3rd party case management systems should take the time to review their security controls and procedure.  They should also conduct a full audit to determine who has access to what data within these 3rd party systems and make the required corrections.

Mason Law Office – Sacramento, CA (mycase.com)

Date Occurred/Discovered Discovered 5/5/18
Date Disclosed 5/14/18
Data Compromised Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.
How it was Compromised The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.
Customers Impacted Clients of Mason Law Firm using mycase.com.
Attribution/Vulnerability Unknown/undisclosed at this time.

https://www.databreaches.net/mason-law-office-notifies-clients-of-hack-involving-mycase-com/

myPersonality app
Information Technology / Lifestyle

Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)

Exploit: Application security misconfiguration resulting in credential-based exploit

Risk to Individuals: High (PII, Psychological Characteristics & Profile,)

What you need to know: The developers of the personality app failed committed several major blunders in this case.

  1. Poor website/application security allowed for easy and unmonitored access to their website and underlying datasets.
  2. They failed to notice that their data set had been sitting out in the open for 4 years.
  3. The data stored within the platform was easily unkeyed and de-anonymized.

myPersonality app

Date Occurred/Discovered Exact dates unknown – 2014 – 2018
Date Disclosed 5/14/18
Data Compromised The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.
How it was Compromised Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.
Customers Impacted 3 million users of the app
Attribution/Vulnerability Publicly available credentials allowed access to the data. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.

 

https://www.databreaches.net/mypersonality-app-data-leak-exposed-intimate-details-of-3m-users/

https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/

 

The Pillars of Cyber Security Explained

Network Security

The cyber threat landscape changes on a daily basis.  There is no one size fits all solution and there are no magic bullets. It has been said that the price of liberty is eternal vigilance. The same holds true for cyber security. There are four pillars of security- end point protection, perimeter protection, monitoring and end user vigilance.

They say that those who don’t learn from history are doomed to repeat it, and matters of cyber security are no exception. Threats will often follow trends, and so by reviewing what has happened in the past, we may be able to glean some insight into what will be important in the future.

If the first half of 2018 was any indication, there are a few things that will be of most concern to IT professionals and end users. My friend and colleague, Tommy Vaughn from Central Technology Solutions, provided a lot of the inspiration for this post!

Ensure All Endpoints Have Appropriate Security Measures

It’s staggering to consider how many end points any given business could have, each providing a route in for threat actors. Between company-provided devices, personal mobile devices, and Internet of Things devices, there are plenty of opportunities for a company to be attacked.

As a result, as 2018 progresses, businesses must be aware of what threats exist, as well as better prepared to protect themselves against them. This includes strategies that ensure your organization’s digital protections are properly maintained while remaining cognizant of physical security best practices. Pairing encryption and access control, as well as mobile device management, can create a much safer environment for your data.

Cover your 6’s

Your network needs to have not just the firewall appliance – but a comprehensive suite of tools that can help you recognize suspicious behavior. It is more than just a static device. It has to be paired with analytical tools as a service that can give you insight into your network. Additionally, an external firewall or web filtering service can protect you from unseen threats on a multitude of levels. It is not just hardware and software anymore. You need to have the resources available to alert you to threats, cut down the noise from repeated alerts and investigate areas that you should not be in yourself – e.g. the Dark Web.

Get Back to Basics With Security and End User Education – Cyberawareness Training

While it may sometimes be tempting to focus on the massive attacks and breaches that too-often dominate the headlines, no business can afford to devote their full attention to those vulnerabilities and overlook the more common threats. This is primarily because once they do, they become exponentially more vulnerable to these attacks through their lack of awareness and preparation.

Part of being prepared for the threats of the coming weeks and months is to make sure that your employees are also up to speed where security is concerned. Educating them on best practices before enforcing these practices can help to shore up any vulnerabilities you may have and maintain your network security. This includes restricting employee access to certain websites, requiring passwords of appropriate strength, and encouraging your employees to be mindful of exactly what they’re clicking on. A comprehensive program of cyberwareness training- delivered to the employees over the course of a year in small incremental sessions is key. Use controlled mistakes as teachable moments to correct dangerous behavior. Once trained, your employees become your “human firewall”. As they say with shampoo, “rinse and repeat”. Often.

Continuing to Improve Security Measures

Finally, it is important to remember that implementing security features isn’t a one-time activity. Threats will grow and improve in order to overcome existing security measures, and so if they are going to remain effective, these security measures must be improved as well.

While regulatory requirements can provide an idea of what security a network should feature, they shouldn’t be seen as the endpoint. Instead, those requirements should be the bare minimum that you implement, along with additional measures to supplement them.

We are here to help. If you would like to explore the options of a completely managed firewall, DNS filtering, or cyber awareness training- we can assist. First- get a baseline of where your organization is at. We have a suite of FREE tools that can help show you your susceptibility to phishing, spoofing and whether your organization’s credentials are for sale on the Dark Web.  We can also do an onsite security assessment to analyze your network’s vulnerabilities.

For your free tools, please visit:  http://downloads.primetelecommunications.com/CyberAwareness-Free-Tools or give us a call at 847 329 8600.

We are your managed technology solutions professionals and we are here to listen!

Here is the last week in Data Breaches

Kevin Lancaster from ID Agent publishes a weekly summary of data breaches that occur. No matter how much we protect our own networks- perimeter and endpoints- our valuable information can be compromised off of a third party site. Here is his summary of breaches from the past week:

 

It’s the little things that give you away.

This past week brought us a diverse set of incidents. Unfortunately, several of the high-profile compromises could have been easily prevented. From database misconfigurations to Phishing exploits, this week was the busiest week in disclosure since the week of March 19th.

Here are a few items to note from this week’s report:

  1. Compromised credentials are still #1: Several incidents leverage compromised credentials from 3rd party data breaches to initiate their attack.
  2. Amazon buckets are still leaking: Two of the incidents reviewed this week leverage flaws in Amazon S3 configurations. It’s surprising to see these very easy-to-fix issues still impacting organizations that hold very sensitive data.
  3. Global reach of data breaches noted: Data breaches are getting more coverage globally. This week demonstrates that massive exploits are not just targeted towards the US.
  4. Financially motivated breaches on the rise: Insider Threat and “Accidental Loss” of high-value data are on the rise.
  5. The healthcare sector targeted:  Healthcare organizations are clearly in the crosshairs.

Kevin
Chief Executive Officer


1. TaskRabbit

Business Vulnerability: High: Network Exploit, Compromised Credential Exploit, Customer PII Loss, Website Defacement, Phishing email generation using company CRM/customer database.
Individual Risk: High: Compromised PII, Password Re-use/3rd Party Compromise, Phishing Exploit

Date Occurred: April 15th, 2018
Date Disclosed: April 17th, 2018
Data Compromised: Personally Identifiable information of users including clear-text passwords.

How Compromised: 
Incident first appeared to be a technical glitch that redirected users to a WordPress site when they tried to visit TaskRabbit

Customers Impacted: TaskRabbit Users: Customers posting jobs and “Taskers”

Attribution/Vulnerability: Network & Website Exploit via Compromised Credentials.

https://techcrunch.com/2018/04/18/taskrabbit-ceo-posts-statement-as-its-app-returns-following-a-cybersecurity-breach/

 What you need to know:
Given its complexity, I’m surprised that the SecOps space has given this incident very little attention.  This is a great case study in compromise and lateral exploit.

It appears that a compromised credential allowed the attacker to gain network access AND access to TaskRabbit’s website and customer database. TaskRabbit acknowledges that it needs to do a better job with its “network intrusion detection” and that it stored more PII on its customers than needed.

Here’s what seems to have happened:

  1. Attacker uses a compromised email and password to gain access to the network
  2. Attacker defaces, then re-directs the website to a bogus WordPress landing page
  3. Attacker uses the company’s CRM/CMS to send Phishing emails from the domain to customers.

If anything, this highlights how a single credential can be used to create a large attack surface. For MSPs, these scenarios can be particularly complex to deal with and have long-term downstream damage since most MSPs are not tasked with or provide services to host and secure their customers’ websites.

2. Localblox (data scraping/collection firm)Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit

Individual Risk: Moderate: Harvested data already & still widely available on the surface web

Date Occurred: Early 2018

Date Disclosed: April 18, 2018

Data Compromised: The data was found in a human-readable, newline-delimited JSON file. The data collected includes names and physical addresses, and employment information and job histories data, and more, scraped from Facebook, LinkedIn, and Twitter profiles. Localblox would use to cycle through email addresses that it had collected through Facebook’s search engine to retrieve users’ photos, current job title and employer information, and additional family information.

How it was Compromised: The company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled “lbdumps,” contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

Customers Impacted: Localblox claims it has more than 650 million records in its device ID database, and 180 million records in its mobile phone database, which includes mobile phone numbers and carriers. The company also says it has a US voter database with 180 million citizens.

Attribution/Vulnerability: Localblox Misconfiguration

https://www.hackread.com/localblox-exposes-millions-of-facebook-linkedin-data/

What you need to know: Most companies using S3 (including Localblox in this case), do not realize that they had to go back and re-configure their access settings within Amazon’s S3 service to prevent anyone with access to Amazon’s platform from finding and accessing any bucket.

By default, the S3 service is highly prone to misconfiguration that can give almost anyone looking the ability to access or modify information in a non-password protected bucket. Attackers can gain access to list and read files, write/upload files, or change access rights to all objects and control the content of the files in a bucket.

The S3 issue is well known and easily fixed.  It’s concerning that a company scraping social and web data to build profiles on people would be this negligent with their data storage and security.

As for the data they are scraping… it’s still widely available and easily accessed.  By anyone…

3.  FastHealth Interactive Healthcare (Website programming and hosting for hundreds of hospitals and other healthcare organizations) 

Business Vulnerability: High: Compromised Default Password, Unsecured/internet database

Individual Risk: High: Compromised PII, Compromised PHI, Compromised Financial Data

Date Occurred: 2016 & 2017  (2 incidents)

Date Disclosed: April 2018

Data Compromised: Incident 1: Patient billing and health-related information entered via online patient web forms. Incident 2: Patient Health Information. At this time, it is unknown whether the databases were breached or if information was actually retrieved.

How it was Compromised: Attackers used credential stuffing to access the accounts, this means that hackers attempted to access the accounts by using credentials leaked from other data breaches.

Customers Impacted: At least 9200.

Attribution/Vulnerability: Compromised Default Password – Law Enforcement Observation

What you need to know: Compromised default password exploits are still very common. What’s concerning about this group is that it has experienced 2 incidents over a 2-year period.  It looks like the organization fell asleep at the wheel, as the second incident was identified by Law Enforcement.  There are very few details on what LE noticed.  There is little chatter about this data being for sale.

http://www.insurancefraud.org/IFNS-detail.htm?key=27891       

4. True (Thai telecommunications company)

Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit

Individual Risk: High: Impacted Thai citizens with PII exposed

Date Occurred: Unknown/March 2018

Date Disclosed: March 2018

Data Compromised: True said stored copies of national identification cards belonging to 11,400 customers who bought “TrueMove H” mobile packages via True’s e-commerce platform iTruemart, run by True’s digital arm Ascend Commerce, had been made public.

How it was CompromisedThe data leak came to light after Norway-based security researcher Niall Merrigan said in his personal blog on Friday that he was able to access 32 gigabytes of True’s customer data, including identification cards, and that he notified True in March about the security breach.

Customers Impacted: 11,400 TRUE Customers.

Attribution/Vulnerability: Exposed by Norway-based researcher Niall Merrigan

What you need to know: Sound familiar? Thai communications is lucky that Niall decided to put his white hat on and notify them that their bucket is leaking!

https://www.reuters.com/article/us-true-corporation-data/thai-telco-true-defends-security-measures-after-user-data-breach-idUSKBN1HO2D5 

5. Blue Shield of California

Business Vulnerability: High: Potential PII Exploit for Financial Gain or Accidental Data Loss

Individual Risk: Low: Dataset isolated/ impacted individuals contacted

Date Occurred: Breach had occurred in November 2017 during the 2018 Medicare Annual Enrollment Period

Date Disclosed: The Blue Shield of California Privacy Office received confirmation on March 23, 2018

Data Compromised: The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.

How it was CompromisedA Blue Shield employee emailed a document containing PHI to an insurance broker “in violation of Blue Shield policies.” Blue Shield of California said that it believes the insurance broker may have contacted some of the individuals identified in the document to sell a Medicare Advantage Plan offered by another health insurance company.

Customers Impacted: Blue Shield CA customers.

Attribution/Vulnerability: Insider Threat/ Blue Shield employee

What you need to know: It’s not entirely clear if this incident was an exploit for financial gain or just a case of accidental data loss. It does come on the heels of a success for Phishing exploit that exposed the PHI of 21,000 people. It’s interesting that several reports suggest that the 3rd party that received the data tried to use it to sell a Medicare Advantage plan. I would not be surprised if there is a criminal inquiry under way.

 https://iapp.org/news/a/blue-shield-of-california-confirms-phi-data-breach/ 

6. American Esoteric Laboratories

Business Vulnerability: High: Stolen Laptop Potential PII Exploit for Financial Gain or Accidental Data Loss

Individual Risk: High: Sensitive Patient Data (PHI), Payment Data

Date Occurred: On or after October 15, 2017

Date Disclosed: April 20, 2018

Data Compromised: Data breach may have resulted in the exposure of the personal and protected health information of patients of a medical lab chain with multiple Alabama locations.

How it was CompromisedEmployee’s laptop containing a wide range of personal information about patients may have been stored on the laptop, including names, addresses, Social Security numbers, dates of birth, health insurance information, and/or medical treatment information.

Customers Impacted: American Esoteric Lab patients.

Attribution/Vulnerability: Unknown

What you need to know: It appears that the organization, even though it knew it had PHI, did not use an endpoint protection nor did it encrypt their laptops.  AEL states that it’s taking steps to make sure this type of incident does not happen again. “These steps include increasing the security of the AEL systems and networks through the use of encryption technology, updating relevant policies and procedures, and retraining staff.”

http://www.al.com/news/birmingham/index.ssf/2018/04/data_breach_could_impact_some.html

 Do you want to know if your business domain’s emails have been exposed? We will do a free Dark Web scan that will show you when, where and what was exposed.

Here is the link: http://downloads.primetelecommunications.com/Dark-WeB