Category Archives: Breach

Security News Bytes for the Week Ending June 7, 2019

More Information on the Baltimore Cyberattack

Baltimore estimates that it will wind up spending $18 million to recover from the cyberattack, which is why many organizations just pay the ransom.  The attackers only wanted $103,000, less than 1 percent of what the city is going to spend.  Of course, an organization that pays will still be vulnerable to the next attack and will have no idea whether the attacker remains inside its systems, slowly stealing data, indefinitely.

The city is blaming the feds for the breach because of the use of the NSA’s leaked exploit EternalBlue, and wants federal aid to fix the mess, although there are also conflicting reports saying that no evidence of EternalBlue was found in the city’s network.

Baltimore’s information technology office issued an undated, detailed warning that the city was using computer systems that were out of date, highly vulnerable to attack and not backed up, calling them “a natural target for hackers and a path for more attacks in the system.”  (Based on the contents of the memo, it was likely written in late 2017 or 2018.)

The reality is that the patch closing the hole EternalBlue exploits has been out since March 2017, more than two years, but was not installed in Baltimore.   Whose fault is that?  Like many organizations, Baltimore chose to prioritize spending money on other things rather than protecting its systems and its customers’ data.  Source: Cyberwire (no link) and the Baltimore Sun.

GandCrab Ransomware Shutting Down After Getting $2.5 BILLION

Smart people know when to stop.  Apparently the hackers behind GandCrab have decided that $2.5 billion is enough and have ordered their “affiliates” to stop distributing the ransomware after an 18 month run.  The operators claim to have generated $2.5 million a week over those 18 months and to have cashed out $150 million, which they have “invested”.  (These are the operators’ own unverified figures, and $2.5 million a week for 18 months works out to roughly $200 million, not billions, so take the headline number with some salt.)  Of course, other malware will replace it, but the sheer magnitude of this one is amazing.  Source:  Bleeping Computer.

Two Different Medical Labs Announce Breach – Both Use the Same Third Party Billing Vendor

First it was Quest Diagnostics announcing that 12 million patient records, including credit card and bank account information, medical information and Social Security numbers, were compromised.  Now it is LabCorp saying that almost 8 million of its customer records were exposed.

Both tie back to the same vendor, AMCA, the American Medical Collection Agency.  Given that both of these giants used it, there are likely many more, smaller companies that also did.

LabCorp said, in an SEC filing, that the hackers were inside AMCA’s systems for 9 months before they were detected.

One more time, third party vendors put the companies that trusted them at risk.   In this case there is the added pain that this is a HIPAA breach, and a pretty big one at that.  That is why vendor cyber risk management is so important.

Quest says that it has fired the vendor and hired its own investigators, and that it has not gotten sufficient information from AMCA.  Remember, you can outsource the task, but not the liability.  Hopefully everyone has a lot of cyber-risk insurance.

Source: Brian Krebs.

Millions of Exim Mail Agents Are At Risk

What could go wrong?  Millions of Exim mail transfer agents, typically used on Unix-like systems, are vulnerable to both remote and local attacks.  The flaw lets an attacker execute commands on the target system with root privileges.

The bug was fixed in the February release, but the release notes did not flag it as a security fix, so many sysadmins likely did not install the update.  Shodan shows 4.8 million servers running Exim and only 588,000 running the fixed release.  Most of those servers are in the U.S.  Source: Bleeping Computer.
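If you run mail, the first question is which Exim release every server announces.  The snippet below is an added example (my code, not from Bleeping Computer or the Exim project): it parses the SMTP greeting, which Exim puts its version in by default, and flags anything older than the February release.  The assumption that the fixed release is 4.92 is mine, not something the article states, as are the hostnames in the sample greetings.

```python
import re
import socket

# Assumption (not stated on the page): the February 2019 release that carries the
# fix is Exim 4.92, so anything that announces an older version goes on the to-patch list.
FIXED_VERSION = (4, 92)

BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_exim_version(banner):
    """Return (major, minor, patch) from an SMTP 220 greeting, or None if it is not Exim."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def exim_needs_patch(banner):
    """True if the greeting reports an Exim release below FIXED_VERSION,
    False if it is at or above it, None if the server did not identify as Exim."""
    version = parse_exim_version(banner)
    if version is None:
        return None
    return version[:2] < FIXED_VERSION


def grab_banner(host, port=25, timeout=5.0):
    """Read the SMTP greeting from a live host (not exercised by the offline samples below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(1024).decode("utf-8", "replace")


def triage(banners):
    """Map each greeting's hostname (second token of the 220 line) to its patch status."""
    return {b.split()[1]: exim_needs_patch(b) for b in banners}


# Constructed greetings for illustration; the hostnames do not exist.
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.91 Tue, 04 Jun 2019 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.92 Tue, 04 Jun 2019 10:00:00 +0000",
    "220 mx3.example.test ESMTP Exim 4.92.1 Tue, 04 Jun 2019 10:00:00 +0000",
    "220 mx4.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        label = {True: "PATCH NEEDED", False: "fixed release", None: "not Exim"}[status]
        print(f"{host:20s} {label}")
```

Two caveats: a banner can be suppressed or edited, so a "fixed release" answer is not proof, and distributions that backport fixes keep the old version string, so a "PATCH NEEDED" answer is a prompt to read the package changelog rather than a confirmed hole.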

The AMCA Data Breach Keeps Growing

AMCA is a company you probably never heard of before this week.  It is a medical claims collection agency.  As I said above, first it was Quest with 12 million patients affected; then it was LabCorp with another 7+ million.

One assumes that AMCA has lots of customers and, depending on how its systems are built, probably all of those customers’ data was exposed.  It is possible that each customer’s data was isolated from the others’, but that does not seem to be the case.

Now OPKO Health is saying that 400,000 of its customers’ records were compromised.  Expect more companies to come forward in the weeks ahead.

This is the risk you take when you use outside parties: breaches that you don’t control but have to pay for anyway, both financially and in brand damage.  If you have not already figured out how to protect yourself as best you can, now is the time to do it, because once you get that phone call from your vendor it is too late.  Source: Bleeping Computer.


Self Inflicted Cyber Breaches Still Huge Problem Along with Third Party Risk

And it continues to be a major issue, for some reason.

This week researchers found 85 gigabytes of security log data (talk about a nightmare for a business to expose) in an unsecured Elasticsearch database.

The server was discovered on May 27th and the data goes back to April 19th, so that may be the exposure window.

The server has been connected to the Pyramid Hotel Group.  Its web site says it provides superior operations, owner relations and support services to hotels and their investors.  IT DOESN’T SAY ANYTHING ABOUT PROVIDING SECURE SERVICES TO THEM.

The data was locked down after Pyramid was informed, but the company has not publicly acknowledged the breach.


It is unknown what the contracts between these hotel owners and Pyramid say, but based on the outsourcing contracts our clients engage us to review, Pyramid would have a huge liability in this case, probably in the tens of millions or more, due to the amount of emergency work that will be required to mitigate the damage (see below).

Pyramid manages hotels for franchises of Marriott, Sheraton, Aloft and many independents.

What’s in the data?

  • Information on hotel room locks and room safes
  • Physical security management equipment
  • Server access API keys
  • Passwords
  • Device names
  • Firewall and open port data
  • Malware alerts
  • Login attempt information
  • Application errors
  • Hotel employee names and usernames
  • Local PC names and OS details
  • Server names and OS details
  • Security policy details
  • and a bunch of other information

In other words, a veritable road map for the bad guys.

Businesses need processes to manage new cloud instances and ensure they are secure, and to audit the cloud instances they already have.

Likely this instance was created by an employee to do a particular task, and security was probably never considered.
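Auditing existing instances is the part that usually gets skipped, so here is an added example of what that check looks like for the product involved.  It is my code, not Pyramid’s and not anything from ZDNet: it reads the flat settings in an elasticsearch.yml and flags the combination that produces an incident like this one, a bind to a non-loopback address with authentication off.  The config samples are constructed, and the assumption that security is off unless xpack.security.enabled is set (true for the 6.x and 7.x releases of the time) is mine.

```python
# Loopback-only values; "_local_" is Elasticsearch's special name for loopback addresses.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines in elasticsearch.yml.
    Assumption: one setting per line, no nesting; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _enabled(value):
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def audit_elasticsearch(config_text):
    """Return a list of findings, worst first; an empty list means the three checks passed."""
    s = parse_flat_yaml(config_text)
    # Defaults as on the 6.x/7.x releases current in 2019: bind loopback, security off (assumption).
    host = s.get("network.host", "_local_")
    reachable = host not in LOOPBACK          # 0.0.0.0, ::, _site_, _global_ or any real address
    auth = _enabled(s.get("xpack.security.enabled", "false"))
    tls = _enabled(s.get("xpack.security.http.ssl.enabled", "false"))

    findings = []
    if reachable and not auth:
        findings.append(f"CRITICAL: bound to {host} with authentication disabled; "
                        "anyone who can reach port 9200 can read and delete every index")
    elif not auth:
        findings.append("MEDIUM: authentication disabled (loopback only, but any local "
                        "process or SSRF bug gets full access)")
    if reachable and auth and not tls:
        findings.append("HIGH: authentication on but HTTP is plaintext; credentials and "
                        "log data cross the network unencrypted")
    return findings


# Constructed samples, not the configuration from the incident.
EXPOSED_CONFIG = """
cluster.name: seclog-demo
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: seclog-demo
network.host: 10.0.5.12          # reachable only on the management VLAN
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

DEV_BOX_CONFIG = """
cluster.name: seclog-demo
network.host: _local_
"""

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("dev box", DEV_BOX_CONFIG)]:
        print(name, audit_elasticsearch(cfg) or ["ok"])
```

Run it over every elasticsearch.yml your configuration management knows about, and pair it with a scan for ports 9200 and 9300 from outside the network, because the instance that leaks is usually the one nobody registered.  On releases before 6.8 and 7.1 the xpack security features needed a paid license, which is one reason so many of these clusters ran wide open; if you cannot turn authentication on, the cluster belongs behind an authenticating reverse proxy or a firewall rule, not on 0.0.0.0.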

Servers will now need to be rekeyed, and the automation that uses those keys edited to match; the companies involved will also need to work through the security implications and mitigations for the rest of the exposed data.

And of course, since this is an outsourced vendor, these companies’ vendor cyber risk management programs are, apparently, defective.

Information for this post came from ZDNet.






Security News for the Week Ending May 17, 2019

Be Thankful That You Are Not Equifax – Costs Reach $1.4 Billion So Far

Two years after the big breach, Equifax reported its financials for the first quarter.   It reported a loss of $555.9 million, compared to net income of $90 million for the same period in 2018, on basically flat revenue.

Equifax had $125 million in cyber risk insurance with a $7.5 million retained liability.  The insurance has paid out the full amount.

So far the company has accrued $1.35 billion in data breach costs, and this game is far from over.  They say it is not possible to estimate the full costs.  For more information, read the Bank Info Security article.

Boost Mobile Announces Breach – Two Months Ago

Boost Mobile apparently got some customer data boosted.  Two months ago.  An undated letter to the California AG and an undated page on Boost’s website say that the breach happened on March 14, 2019.  We don’t know what the bad guys took, how many customers were affected or even when people were notified.  The only thing we can guess is that since it hit the media today, the notifications were very recent.

If any of the people affected were in Colorado, the notifications came 15-30 days late.  There are probably other states for which notification was late as well.  Stay tuned; we may see some AGs getting upset.  Source: TechCrunch.

Supply Chain Attacks Get Bigger and Badder

Last week it was WebPrism and 200 college bookstores.   This week it is Picreel, the analytics firm, Alpaca Forms (open source, so much for “open source is more secure”) and over 4,600 hacked websites.

The attack is still going on, the sites are still infected and the problem is only getting worse.  If you load third party code on your website, you need to rethink your security.  Source: ZDNet.
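Rethinking it concretely means not letting a vendor’s CDN decide what runs in your customers’ browsers.  The added example below (my code, unrelated to Picreel, Alpaca Forms or ZDNet) computes a Subresource Integrity hash for a script you have reviewed, emits the pinned tag, and replicates the browser’s check so you can watch a tampered copy fail.  The vendor script and the appended skimmer are constructed stand-ins.

```python
import base64
import hashlib

# SRI permits only these digests; a browser uses the strongest one listed.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body, algo="sha384"):
    """Return the value for a <script integrity=...> attribute: '<algo>-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body, algo="sha384"):
    """Pin a third-party script to the exact bytes you reviewed.
    crossorigin="anonymous" is required or the browser refuses to check a cross-origin file."""
    return (f'<script src="{src}" integrity="{sri_hash(body, algo)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(body, integrity):
    """Replicate the browser's check offline: of the hashes listed, use the strongest
    algorithm and pass if any hash of that strength matches the bytes."""
    parsed = []
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in STRENGTH:
            parsed.append((algo, token))
    if not parsed:
        # A real browser loads the file UNCHECKED when no token is usable; fail closed here
        # so a typo in the attribute shows up in CI instead of silently disabling the control.
        return False
    best = max(STRENGTH[a] for a, _ in parsed)
    return any(sri_hash(body, a) == t for a, t in parsed if STRENGTH[a] == best)


# Constructed vendor script and a tampered copy with a skimmer appended; neither is real
# code from any vendor named on this page.
VENDOR_SCRIPT = b"window.vendorWidget = function () { /* constructed analytics snippet */ };\n"
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"(function () { /* constructed card skimmer */ })();\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.vendor.example/widget.js", VENDOR_SCRIPT))
    pinned = sri_hash(VENDOR_SCRIPT)
    print("clean copy passes:   ", verify_sri(VENDOR_SCRIPT, pinned))
    print("tampered copy passes:", verify_sri(TAMPERED_SCRIPT, pinned))
```

The caveat is that SRI only works for a script the vendor serves as a fixed file.  A tag that updates itself whenever the vendor pushes a change will simply stop loading once you pin it, and at that point the honest options are to self-host a copy you have reviewed and add a Content-Security-Policy script-src allowlist, because a pinned loader still does nothing about what the script fetches at runtime.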

Intel Announces New Family of Speculative Execution Attacks

Intel seems to be challenged to catch a breach.  Err, a break.    After last year’s Spectre and Meltdown attacks come this year’s ZombieLoad and Fallout attacks.  This is not a surprise; experts predicted that more speculative execution attacks would be found.

Other than some new Intel 8th and 9th generation chips, all Intel chips made in the last decade are vulnerable; ARM and AMD chips are not.  Some older chips will get microcode updates while others, which are likely out of patch space on the chip, will never be fixed.

Apple, Intel, Microsoft and others have all released patches to mitigate these attacks on the chips for which there are fixes.  The attacks can be made either by planting malware on the device or remotely over the Internet.

The good news, FOR THE MOMENT, is that the attack appears to be complex, so it will likely be used in targeted situations.  But if it is used, everything on the device can be compromised, including passwords and encryption keys.

Disabling Simultaneous Multi-Threading (Hyper-Threading, in Intel’s terms) significantly reduces the impact of this attack, at a cost in performance.
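On Linux you do not have to guess which of those states a box is in; the kernel reports it under sysfs.  The added example below (my code, not from Intel, the kernel project or Security Week) reads /sys/devices/system/cpu/vulnerabilities/mds and the SMT state and turns them into a verdict, with constructed status lines so the classifier can be exercised offline.  The sample host names are made up.

```python
from pathlib import Path

# Kernel sysfs files (present on kernels that carry the May 2019 MDS patches).
MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_FILE = Path("/sys/devices/system/cpu/smt/active")


def classify_mds(status, smt_active):
    """Turn the kernel's mds status line plus the SMT state into a verdict.
    The prefixes are the ones mainline prints: Not affected / Vulnerable / Mitigation."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "ok: CPU not affected"
    if s.startswith("Vulnerable"):
        if "no microcode" in s:
            return "vulnerable: kernel mitigation present but microcode update missing"
        return "vulnerable: no mitigation active"
    if s.startswith("Mitigation"):
        if smt_active or "SMT vulnerable" in s:
            return ("partial: buffers cleared on context switch but SMT is on; "
                    "a sibling thread can still sample leaked data")
        return "ok: buffers cleared and SMT disabled"
    return f"unknown: unrecognised status {s!r}"


def check_host():
    """Read the live sysfs files; returns a verdict string for this machine."""
    if not MDS_FILE.exists():
        return "unknown: kernel does not report MDS status, treat as unpatched"
    smt_active = SMT_FILE.exists() and SMT_FILE.read_text().strip() == "1"
    return classify_mds(MDS_FILE.read_text(), smt_active)


# Constructed status lines in the kernel's format, for running the classifier offline.
SAMPLE_STATUS = {
    "desktop-i7": ("Mitigation: Clear CPU buffers; SMT vulnerable", True),
    "hardened-vm": ("Mitigation: Clear CPU buffers; SMT disabled", False),
    "old-laptop": ("Vulnerable: Clear CPU buffers attempted, no microcode", True),
    "epyc-node": ("Not affected", True),
}

if __name__ == "__main__":
    for name, (status, smt) in SAMPLE_STATUS.items():
        print(f"{name:12s} {classify_mds(status, smt)}")
    print(f"{'this host':12s} {check_host()}")
```

A "partial" verdict is the common one on patched desktops: the microcode and kernel are in, but Hyper-Threading is still on.  SMT can be turned off at runtime by writing off to /sys/devices/system/cpu/smt/control, or at boot with the mds=full,nosmt kernel parameter; the "old-laptop" case needs a BIOS or microcode package update before the kernel mitigation does anything.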

Source: Security Week.

For $600 A Hacker Could Confuse Any Commercial Plane’s Instrument Landing System

From a Cessna to a jumbo jet, every commercial plane built in the last 50 years uses a radio-based system to guide it in to land when the crew can’t see the runway, such as in rain or fog.

These radios were not designed to be secure from hacking.

There is no encryption.  There is no authentication.  The system in the plane assumes that any radio signals that come from the ground are legit.

Unfortunately, for $600 a hacker can buy a software defined radio that can tell the plane it is off course.  A little high.  A little to the side.

In theory, if the pilot can see the runway, he or she will execute a “missed approach” and go around.  Given how busy the US airspace is, that decision may come at 50 feet off the ground, not a lot of time to react.

Right now this is probably an unlikely attack.  Right now.  But remember, attacks never get less probable, only more probable, as attackers figure out how to manipulate things.  Source: Ars Technica.


77% of Orgs Lack a Cybersecurity Incident Response Plan

The fourth annual benchmark on cyber resilience, authored by Larry Ponemon and paid for by IBM, shows that 77% of the organizations surveyed do not have a cybersecurity incident response plan applied consistently across the organization.

Does your organization have an effective, trained and tested cybersecurity incident response plan (CSIRP) that works across all parts of the organization?

Of the organizations that said they do have a CSIRP, 54%, more than half, said that they do not test it regularly.   Not testing it regularly is the equivalent of not having one.

Other results from the study include:

  • Less than 25% of the organizations say that they use significant automation in responding to breaches.
  • Only 30% said that they had sufficient cybersecurity staffing.
  • 62% said that aligning cybersecurity and privacy is critical to achieving cyber resilience.

There are some pretty clear recommendations that can be drawn from these results:

1. The three-quarters of organizations that do not have an incident response plan need to create one (having one significantly reduces the cost of a breach, according to another study).

2. Organizations need to test their plans regularly. 

3. Automation improves the speed and consistency of response; not having it makes response more problematic.

4. Staffing is still an issue, and staffing with the right skills is a problem.

5. With all of the new privacy regulations (such as CCPA, GDPR and others), privacy incident management and security incident management need to be tightly aligned.

How well does your organization do?

Contact us if you need assistance in improving your program.

For more information on the study, go to Help Net Security’s web site.


More Info on the Wipro Hack

Last week I wrote about the Wipro hack (if you didn’t see that post, click on the search box and enter Wipro).  While Wipro is being pretty close-mouthed about what happened, due to the inevitable lawsuits, SLA complaints and even claims of breached contracts, that isn’t stopping the media from reporting on it.

In fact, Wipro would probably have been better off addressing the issue rather than attempting, unsuccessfully, to stonewall the media.

When Brian Krebs, who was the first to report on this, reached out to Wipro for comment, they took several days and then came back with a non-answer about how wonderful their security was.

Apparently their incident response program didn’t include how to deal with the media.

After Brian’s story broke, Wipro decided to talk to a (perhaps friendlier) Indian media outlet and confirmed that they had a breach.  They did not reach out to Brian.

The next day they had a quarterly investor conference call (bad timing for them), and their CEO said that many of Brian’s details were in error.  They basically said that the issue was handled.

Brian then asked Wipro’s CEO which parts of the story were in error; instead of responding, the CEO read a PR statement about their response to the incident.

Note that if you are going to call a reporter a liar, you probably ought to be able to back that up, because otherwise the reporter is likely to call you out on it.

The CEO did agree to a one on one call with Brian, a commitment that another reporter recorded and posted on Twitter.

During the follow up call, the CEO took issue with Brian’s statement that the incident lasted months.  When Brian asked when it did start, the CEO said he didn’t know, but surely it wasn’t months.

It would seem that if you are going to put your CEO on a one on one call with a reporter, you probably ought to make sure that the CEO is prepared.

The CEO also claimed that the company was hit by a zero-day attack.  Given that they are a very large IT services firm, that doesn’t seem like a great defense.  Certainly no one is bulletproof, but you need evidence.

When asked for details of the zero-day, they have been quiet, other than to say that they shared the details with their anti-virus vendor, and apparently no one else.

That is very unusual for zero-days.  Generally, if you think you have uncovered something new, you want to let others know so that they don’t get hit by the same attack.

In reality, according to Brian, they probably meant that “zero-day” in this context is an attack that their anti-virus software didn’t catch.  Unfortunately, nowadays that is not much of a surprise.  Anti-virus software, unless it is very special (and there are a few such products, but none of the typical mainstream ones), will only catch basic attacks.

A few hours after the call, Brian heard from one of Wipro’s customers in the US.  They decided to sever all electronic communications with Wipro as a result of the attack, since Wipro’s systems were found to be attacking this customer.  This is exactly the right thing to do.  Disconnect now, then figure out IF and WHEN you should reconnect.  That should only happen after the customer is sure it is safe.

A large retailer that is a Wipro customer said that the attackers used the compromise to carry out gift card fraud, something that generates cash right away.

India has no law requiring a company to disclose a breach, so anyone who is outsourcing to India (and other countries) needs to make sure that the outsourcer is contractually required to report any cyber incident to the customer within, say, 24 hours.  That way, if it doesn’t happen, it is a breach of contract that can be dealt with in any number of ways.  Source: Brian Krebs.

Since this story won’t go away, Brian reported the next day that not only Wipro but other Indian outsourcers were attacked, specifically Infosys and Cognizant.

It appears that some of the companies the hackers were after were Sears, Green Dot (the prepaid credit card company), Evalon (credit card processor), Rackspace, Avanade, Capgemini and others.  Looking at this list, it is clear the attackers want fast money (Sears) but also more victims, by attacking a bunch of outsourcers like Rackspace, Avanade and Capgemini.

Sources are saying that the attack may have been initiated by compromising a remote desktop product, ScreenConnect.  That is consistent with an alert I got from Homeland Security over the weekend saying that hackers were using remote access software to perpetrate attacks, and mentioning ScreenConnect by name.  Possibly that is a coincidence, but given the timing I doubt it.

Some of the companies mentioned confirmed the attack in a follow-up post of Brian’s.

Bottom line: when it comes to breaches, stonewalling DOES NOT WORK.  Period.  Plan your response long before you need it.    That is just smart.  The media will keep reporting on it until you either deal with the core issues or look like a bumbling idiot.  Wipro opted for the second, in my opinion.



Hackers Want to Own Your Systems Longer

Gee, in one sense, that is not a big surprise.

On the other hand, given all the money and effort, you would think we would be winning.

According to security vendor Carbon Black, the share of incidents in which attackers used methods to cover their tracks jumped 5 percent in just the last 3 months, and 10 percent over the last 6 months, to 56 percent of incidents.

They did things like deleting logs, disabling anti-virus, hijacking legitimate programs and disabling firewalls, among other nasty stuff.
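Every one of those actions leaves a trace before the logs go away, and that trace is what you hunt for.  The added example below is my detection logic, not Carbon Black’s: it scans newline-delimited JSON process-creation and log-cleared events for the four behaviours just listed and escalates any host that shows more than one of them.  The events are constructed, and the field names (host, event_id, command_line, user) are an assumption about your log pipeline.

```python
import json
import re

# Indicator catalogue for the four behaviours named above. Regexes run on process
# command lines (Windows 4688 / Sysmon 1 style records); the event IDs are the ones
# Windows writes when a log is cleared (1102 for Security, 104 for System).
CMDLINE_RULES = [
    ("log tampering",    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("log tampering",    re.compile(r"\bClear-EventLog\b", re.I)),
    ("log tampering",    re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I)),
    ("av disable",       re.compile(r"\bSet-MpPreference\b.*-Disable\w*Monitoring", re.I)),
    ("av disable",       re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b", re.I)),
    ("firewall disable", re.compile(r"\bnetsh\s+(advfirewall|firewall)\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("firewall disable", re.compile(r"\bSet-NetFirewallProfile\b.*-Enabled\s+False", re.I)),
    ("proxy execution",  re.compile(r"\b(rundll32|regsvr32|mshta)(\.exe)?\s+.*\b(http|javascript|scrobj)\b", re.I)),
]
LOG_CLEARED_EVENT_IDS = {1102: "Security", 104: "System"}


def detect_anti_forensics(jsonl):
    """Scan newline-delimited JSON events; return one alert dict per matching event."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        if eid in LOG_CLEARED_EVENT_IDS:
            alerts.append({"host": host, "category": "log tampering",
                           "evidence": f"event {eid}: {LOG_CLEARED_EVENT_IDS[eid]} log cleared by {ev.get('user', '?')}"})
            continue
        cmd = ev.get("command_line", "")
        for category, rule in CMDLINE_RULES:
            if rule.search(cmd):
                alerts.append({"host": host, "category": category, "evidence": cmd})
                break
    return alerts


def hosts_to_escalate(alerts, min_categories=2):
    """A host that trips two or more categories looks like hands-on-keyboard cleanup, not noise."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["category"])
    return sorted(h for h, cats in seen.items() if len(cats) >= min_categories)


# Constructed events; the hosts, users and timestamps are invented for the example.
SAMPLE_EVENTS = r"""
{"ts": "2019-05-02T03:14:07Z", "host": "ws01", "event_id": 4688, "user": "svc_backup", "command_line": "wevtutil.exe cl Security"}
{"ts": "2019-05-02T03:14:08Z", "host": "ws01", "event_id": 1102, "user": "svc_backup"}
{"ts": "2019-05-02T03:15:30Z", "host": "ws01", "event_id": 4688, "user": "svc_backup", "command_line": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts": "2019-05-02T03:20:11Z", "host": "ws02", "event_id": 4688, "user": "jdoe", "command_line": "netsh advfirewall set allprofiles state off"}
{"ts": "2019-05-02T03:21:45Z", "host": "ws02", "event_id": 4688, "user": "jdoe", "command_line": "C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"ts": "2019-05-02T03:25:00Z", "host": "ws03", "event_id": 4688, "user": "mlee", "command_line": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();"}
"""

if __name__ == "__main__":
    found = detect_anti_forensics(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:6s} {a['category']:17s} {a['evidence']}")
    print("escalate:", hosts_to_escalate(found))
```

The point of the escalation step is that each indicator on its own has a benign explanation (an admin really does clear a log or pause real-time scanning now and then), but a single host doing two of these things within minutes almost never does.  Forwarding events off the host as they are written is what makes this work at all; an attacker who clears a log that only ever lived locally has won that round.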

By hiding they get to steal more stuff.  Own the system.  Own the entire network.

Part of the reason is that they are stealing intellectual property: 22 percent of the time, up from 5 percent the previous quarter.

Also, the hackers are island hopping, a term meaning that once they own one network, they use that beachhead to compromise another company.   Carbon Black says that 50 percent of the reports for last quarter involved island hopping as a technique to gain access.

Bottom line – the bad guys are evolving.  You need to evolve too.

Unless you are okay with them stealing all of your intellectual property.  And your customers.

Installing anti-virus and a firewall is NOT going to stop them anymore.

Part of what you need to do is get your employees to change their habits.  That, unfortunately, is not easy.  

For the most part, people want to do what is easy.  That is why Google says that less than ten percent of its users use two factor authentication, for example.  It is not the easiest way to log in.

Then you need to lock down your systems (servers) and your network.  The good news is that this will not impact your users very much but it will mean a lot of work for your IT team.

Since the hackers want to remain inside your network undetected, you need to try to detect them.

If they are good, a traditional SIEM won’t find them.  Network Detection and Response tools are the next generation beyond the SIEM.

Sorry for harping on this, but you have to protect yourself.  No one else can.

The hackers are playing to win.   You need to play to win also.

Source: The Register.
