Category Archives: Breach

Sometimes Fixing A Breach is Not Easy

Nutribullet, the company that makes those fancy blenders, has a problem.

In general, the problem is not a lot different than a lot of other companies.  Their website was hacked and one of the magecart family of credit card skimmers was installed.  It turns out that was only the beginning of their problem.

The first infection was discovered on February 20th and was removed on March 1.  While 10 days seems quick, in this case it seems a little long.  But it did not end there.

Five days later another credit card skimmer was found on the website.  The security firm RiskIQ worked with AbuseCH and Shadowserver  to get the command and control server taken down.

But on March 10th yet another skimmer was found, pointing to a different command and control server to send the stolen credit cards to.

But here is the problem.

Removing the skimmer – or skimmers – is not enough.

Taking down the command and control servers is not enough.

The first attack compromised a JQuery JavaScript library.  This particular compromise has been detected on over 200 websites.

The second attack compromised a different JQuery resource.

And the third attack compromised yet another script.

At the time RiskIQ made the announcement of the breach they had tried to reach someone at Nutribullet for three weeks with no luck.  In the announcement they told people not to use the web site.

Finally on March 17th, someone at Nutribullet got the message and the spin doctors in their PR department said that IT team sprung into action upon hearing about the breach.  Three weeks late to the party.

ZDNet reached out to Nutribullet for a comment but has not heard back.  Source: ZDNet

Okay.  Lets see if we can learn some lessons here.  What went wrong?

I often ask how come security researchers can contact a company and they ignore them?  Lets talk about your company.  How would some employee deal with that?  Is there a process?  Is it documented? 

After all of the Magecart attacks over the last year why are they still happening?

How did the hackers get in there in the first place to modify the web pages and libraries?  There are two likely possibilities – compromised credentials or missing patches.  It is always possible that there is a zero day – an unknown, unpatched vulnerability, but that is the least likely.

More likely than a zero day is that the website could be accessed by support people using only a userid and password?  It is not that hard to phish an employee’s credentials.  What about your websites?  Do you require two factor authentication for all admin access?

Alternatively, maybe there is a missing patch.  Are you confident that every single library on your web server is current with every single available patch?  Equifax missed one and it didn’t turn out so good for them.

And of course being able detect malware in realtime, as I wrote in the client alert last night – that is pretty important.

Right now it looks like the hackers are winning.  Companies like Nutribullet will come out the other side of this battered and bruised but they will survive.

What about you?  How would you fare?

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending February 14, 2020

Feds Say 4 Chinese Hackers Took Down Equifax

The Department of Justice indicted 4 members of the Chinese People Liberation Army, saying that they were responsible for detecting the fact that Equifax did not patch their some of their servers and thus were easily hackable.  This, of course, means that the hack did not require much skill and may have even been a coincidence.

While it is highly unlikely that the 4 will ever see the inside of an American courtroom, it is part of this administration’s blame and shame game – a game that does not seem to be having much of an effect on cybercrime.  Source: Dark Reading

 

Malwarebytes Says Mac Cyberattacks Doubled in 2019

For a long time, the story was that Macs were safer than PCs from computer malware and that is likely still true, but according to Malwarebytes anti-virus software, almost twice as many attacks were recorded against Mac endpoints compared to PCs.

They say that Macs are still quite safe and most of the attacks require the attacker to trick a user into downloading or opening a malicious file. One good note is that Mac ransomware seems to be way down on the list of malware. Source: SC Magazine

Feds Buy Cell Phone Location Data for Immigration Enforcement

The WSJ is reporting that Homeland security is buying commercial cell phone location data in order to detect migrants entering the country illegally and to detect undocumented workers. In 2019, ICE bought $1 million worth of location data services licenses. There is likely nothing illegal about the feds doing this, but it is a cat and mouse game. As people figure out how the feds are using this data, they will likely change their phone usage habits.

Note that this data is not from cell towers, but likely from apps that can collect your location (if you give them permission) as much as 1400 times EACH DAY (once a minute) – a pretty granular location capability. Source: The Hill

FBI Says Individual and Business Cybercrime Losses Over $3 Billion in 2019

The FBI’s Internet Crime Complaint Center or IC3 says that people reported 467,000 cyber incidents to them last year with losses of $3.5 billion.

They say that they receive, on average over the last five years, 1,200 complaints per day.

During 2018, the FBI established a Recovery Asset Team and in 2019, the first full year of operation, the team recovered $300 million. They say they have 79% success rate, but they don’t explain that bit of new math. I suspect that means that over the small number of cases they cherry pick, they are very successful.

Still, overall, that seems to be less than 10% of the REPORTED losses.

Also, it is important to understand that this data only draws from cybercrime reported to the IC3. No one knows if that is 10% of all cybercrime or 90%. Just based on anecdotal evidence, I think it is closer to the 10% number, and, if true, that means the $3.5 billion in losses is really closer to $35 billion. Source: Bleeping Computer

Facebooktwitterredditlinkedinmailby feather

DoD Contractor Hit by Ransomware Infection

Electronic Warfare Associates (EWA), a well known defense contractor in DC, was hit by a ransomware attack.  The tagline on the homepage of their website says that they are enabling a more secure future.

A Google search last week for the company brought up these results:

ewa-ransomware.png

The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc,  EWA Technologies Inc. , Simplickey and Homeland Protection Institute.

EWA has not made any public announcement of the issue.  As I write this, the EWATech web site does not respond.

The current information suggests this is the Ryuk ransomware.  It is used for high value targets and is known to exfiltrate data.  Exfiltrate is a big word for steal.  Source: ZDNet

One more thing we know.  When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.

So what might we speculate?

You may remember that another Navy contractor lost over 600 gigabytes of very sensitive electronic warfare data (from project Seadragon) to the Chinese in 2018.  Were the Chinese looking for more EW data?  Certainly could be.  That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).

The Navy went crazy after the Seadragon breach.  This makes them look even more incompetent.

DoD contractors are required to notify the Pentagon within 72 hours of a breach.  Assuming they followed the law, the Pentagon’s people (NSA, for example) could be all over this.

Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later.  Which COULD mean that whoever hacked them was after high value, not-yet classified information.

All of this is speculation, but reasonable speculation.

Which brings us up to the Pentagon’s efforts to require defense contractors to get an independent, third party cybersecurity certification called CMMC.  Would a certifier have discovered a problem which allowed this to happen?   Assuming the Pentagon is in the middle of this investigation, we may never hear.  But I bet folks are looking at the forensics right now.

But this certainly bolsters the logic behind the CMMC certification requirement.  And it is on track for starting later this year.

For those of you who sell to the government – both civilian and military, this is just one more warning to protect your ass.ets.

And more ammunition for Katie Arrington (who runs the CMMC project).

Oh.  One last thing.

The spokesperson who hung up on the media.  That is a GREAT way to get even more media attention on the worst day of your career.

There is something called an Incident Response Plan.  Part of an IRP is a Crisis Communications Plan.

Perhaps they should think about writing one.  And training people.

PS – It is probably required by CMMC.

 Facebooktwitterredditlinkedinmailby feather

Feds Say GE Medical Devices Vulnerable to Hackers Changing Settings

Medical devices have never been subjected to much security testing – a fact that the FDA may argue with, but which is visibly accurate.

This time it is GE’s CIC Pro, a workstation that hospital staff uses to manage multiple GE patient devices on a ward.  They can use the device to monitor patients or change patient settings.

Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert for a series of 6 vulnerabilities together called MDHex.  These vulnerabilities would allow a hacker to compromise the CIC Pro and from there, the patient information.

CISA rates vulnerabilities on a 1 to 10 scale with 10 being the scariest.  FIVE OUT OF SIX of the vulnerabilities were rated 10.  The other was rated 8.5 – pretty serious.

The number of devices vulnerable was not disclosed by GE but is thought to be in the hundreds of thousands.

GE plans to release patches “in the coming months”.  In the mean time, hope your hospital isn’t hacked.

This is a rampant problem with Internet of Things (IoT) devices because they are cost sensitive and Industrial Internet of Things (IIoT) devices (like the patient monitor) because they were never designed to be on the Internet.  The workstation line was launched in 2007, well before anyone worried about the Internet of Things and apparently it runs on Windows XP, which has not been supported by Microsoft since 2014.

There are some things you can do if you have IoT or IIoT devices in your company:

  • Make sure you have a complete and current inventory of all of your IoT and IIoT devices
  • Understand what software runs in them, who is responsible for patching them, whether patches are even available.  This includes what libraries were used by the developers.  An old unsupported library is the source of one of the vulnerabilities above
  • Isolate all IoT and IIoT devices from your IT network
  • Consider whether any individual IoT or IIoT device is sensitive enough or its software is risky enough to separate it from everything else
  • Build a patching program for your IoT and IIoT devices – whether it is the responsibility of you or a vendor.  If it is a vendor, manage the vendor closely.
  • Watch for alerts for vulnerabilities published – by vendors, researchers, the government and others – for devices that are part of your network.
  • If you have a vendor supporting the devices (could be the manufacturer or someone else), review your contract to see what it says about who is responsible for security, privacy and even more importantly, who is liable in case of an attack or a breach.

At least this is a start.

 

Source: ZDNet Dark ReadingFacebooktwitterredditlinkedinmailby feather

Security News for the Week Ending January 10, 2020

Albany Int’l Airport Hit By Ransomware via MSP

In what is becoming an all too common story, the Managed Service Provider that supported Albany, NY’s airport, Logical Net of Schenectady, NY, was hacked and from there, the hackers were able to connect to the airports administrative network and infect it with REvil ransomware, the same ransomware that hit Travelex (see below).  I say supported because after the airport paid the under 6 figure ransom (? $99,000), they fired the MSP.  The ransomware encrypted the airport’s backups in addition to the live data.  Given that we are hearing about these attacks against outsourced service providers almost weekly, customers need to start putting pressure on these providers to improve their security.  Source: Bleeping Computer

Cyber Attack Events From Iran Nearly Tripled

Soon after the attack that killed General Soleimani, attacks originating from Iran were up 50% and grew from there.  Cloudflare says that for their little piece of the world Internet, there were a half billion attack attempts in a 48 hour period.  Source: MSN

Info on 56 Million U.S. Residents Sits Exposed – On a Server in China

This does not appear to be a hack.  22 gigabytes of data on 56 million U.S. residents is sitting exposed on a server in China.  The data appears to belong to CheckPeople.com, one of those for a fee information sites;  It is hosted on a web farm run by the Chinese giant Alibaba.  While this data is not super valuable, it could be useful for any number of foreign adversaries because of the volume and that whoever created it did all of the work of aggregating and organizing it.  Did CheckPeople license it to the Chinese? Or did the Chinese steal it?  Or does CheckPeople use servers in China?   If so, that is something we should stop.  Source: The Register

Travelex Woes Continues

NOTE: I am providing a bit of a blow by blow of the Travelex attack because it is a useful learning lesson for everyone on what to do, what not to do and how to communicate about it.  We usually don’t get as much direct information about these attacks are as are seeing here, even though most of the information is NOT coming from Travelex.

 

This has got to be one of the worst incident response examples I have seen since, say Equifax.  Really, really bad and getting worse by the day. They said this won’t have a material effect on their business, but that is hard to believe.

FRIDAY January 10, 2020

As of Friday night, Travelex’s website is still down.

Given the size of the organization, it is surprising that 10 days into the ransomware attack, the company is still offline.

According to Bleeping Computer, the hackers originally demanded $3 million not to sell Travelex’s data but have now upped the number to $6 million.

While Travelex’s public position is that no “structured” personal data has been  stolen, the hackers say that Travelex is negotiating a price with them.

Hackers behind the REvil ransomware say, on a Russian hacker forum, that if Travelex does not pay the ransom, they will sell the data on the black market.

As we watch this dumpster fire of an attack from a distance, one of the many lessons to learn is about alternate providers.  Travelex provides services to a number of banks such as Barklays, Lloyds and Westpac.  Those banks have had to shut down currency services to their customers.

As part of your disaster recovery and business continuity plan, you need to consider the impact on YOUR business not only if you are hit by a ransomware attack but what if one of your key providers is taken offline for a week or two or more from an attack.

In this case, the banks have had to refund customer orders and customers have gone to competing banks for their currency needs, possibly never coming back.

THURSDAY January 9, 2020

The NY Times is reporting that the hackers claim to have uploaded 5 gigabytes of “sensitive customer information” and have been in Travelex for 6 months.  They say that if Travelex doesn’t pay them $6 million by January 14th, they will publish the data (AKA Ransomware 2.0).  Their web site is still down. Banks like Barclays and Royal Bank of Scotland that use Travelex as their foreign currency provider are also still down.

WEDNESDAY January 8, 2020

Travelex finally admitted they were hit by the REvil ransomware.  London’s Met (Metropolitan Police) said that their elite cyber team was not contacted until January 2, 3 days after the attack.

They are also saying that there is no EVIDENCE that STRUCTURED personal customer data has been encrypted.  I am not quite sure how to read between those lines.

They also say that, 9 days into the attack, they still don’t have a complete picture of all the data that was encrypted.

Their web site is still down, although there is a new press release on it, updated from the old one.

Finally, they say that they don’t currently anticipate any material financial impact from the breach.  (British Airways was fined $230 million for their breach – not counting lawsuits, remediation, etc.  Not sure what they are thinking).

TUESDAY January 7, 2020

The Travelex web site still shows the message that says they were hit by malware with no explanation and no expected up time.

MONDAY, January 6, 2020

I wrote in Last weekend’s newsletter that Travelex, who had an IT incident (likely ransomware, but unconfirmed), seemed to have recovered by last Sunday night.  At least their web site was back up.  It turns out that I spoke too soon and as of Monday, their website is still/again down.

Still being tight-lipped about things, information is leaking out around the edges – something that businesses would be well advised to understand.   They cannot keep these things under wraps.

What we do know is that booths at airports are still operating, although they are doing it with a pen and a pocket calculator.

Travelex says that they don’t know when things will be back online.  I assume this means that people who took Travelex’s advice and put their money in a Travelex cash card still do not have access to their money.  This is the perfect stuff for lawsuits – actual harm.

The Register is reporting that Travelex had/has public facing Windows servers with Remote Desktop Protocol (RDP) enabled with no network authentication.  This is kind of like playing Russian Roulette with 5 live bullets – not recommended.

The servers are running Windows Server 2008 R2, which will be officially unsupported on January 15th – just a few days from now.  The servers are also running .Net 4.0.30319, which is also “rather old”.

I am sure that regulators on both sides of the Atlantic will be asking some uncomfortable questions.  This may also be a GDPR violation.

Stay tuned for details.  Source: The Register

Computer Weekly says the attack is ransomware, specifically the REvil Ransomware and the bad guys are asking $3 million for the decryption key.   They are also saying that Travelex waited 8 months to patch a critical flaw in Pulse VPN servers. Source: Computer Weekly.Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending January 3, 2020

Starbucks Leaves Their API Key in a Public Github Repository

Vulnerability hunter Vinoth Kumar found a Starbucks API key in a public Github repo.

The flaw was set to CRITICAL after they verified that the key gave anyone access to their Jumpcloud (An AD alternative) directory.

The problem was reported on October 17th and it took Starbucks several weeks to understand how bad the damage was.  The key was revoked within 4 days, but still, best practice would like that to be more like 60 minutes.  That, to me, is a failure on Starbucks’ (and probably most company’s) part.  After all, the key, as demonstrated in a proof of concept, would have allowed a hacker to take over Starbucks AWS account.  They paid Kumar a bug bounty of $4,000.  They definitely got away cheap.  Source: Bleeping Computer

 

Location Data Can Put Employee Safety At Risk

On the heels of a story that reporters were able to identify Secret Service agents who were travelling with the President, including figuring out where they lived, using available location data (see story from earlier this week about colleges collecting thousands of location data points per day on each student), comes another story regarding the hazards of location data.

As companies isolate teams to mask R&D, M&A and other sensitive activities, location data that is being sent by apps allows anyone with access to that data to de-compartmentalize those activities and understand exactly what companies are doing, who they are talking to, who their vendors are, possibly what technology areas they are interested in, etc.  Executives are often the worst behaved users and often generate the biggest digital exhaust because of lack of understanding of how the apps work and the consequences.

Since companies have moved to BYOD devices and can no longer control what apps a user installs or what data those apps exhaust, they have very little control over the problem.  Some apps have been found to send out over a thousand data points per app, per person, per day.  To servers in China.  What could possibly go wrong.

The only way to counteract this is via employee education.   Source: ZDNet

 

Travelex Knocked Offline by Cyber Attack

Travelex, the currency exchange company, was knocked offline by some sort of cyber attack.  As seems to be the case much of the time, the company decided that staying silent and not telling anyone what is going on will make things better.  In one way they are right since they are not giving the lawyers who will be suing them any information now.  That will wait until the lawsuits are filed.

One of the services that Travelex offers is stored value credit card called the Money Card.  They sell it to travelers as the safest to travel with money.  Only for current Travelex Money Card customers, it is super safe, because they cannot get their money.  Which could be a problem if you are traveling and need access to your cash.

In addition, banks that use Travelex as their currency exchange service are also offline.  Travelex is a huge player in this space, so their being down is a big problem.

The attack hit them on New Year’s eve and as of the night of January 3rd, they are still offline.  This could have a long term impact on their business and some commercial customers might choose to leave them.

The silence only makes it worse.  They likely did not have a disaster recovery/business continuity plan – at least not one that works.  And, I am sure that regulators in many, many countries will be asking questions.  Source: Threatpost

 

Guess How Long It Takes For Hackers to Test Your Stolen Credit Card Once it is on the Dark Web?

A researcher decided to test how long it takes for your credit card to be tested after it is posted for sale on the dark web.  It turns out the test was a little harder to conduct than the researchers thought since everyone buying and selling on the dark web is, how shall I say this, A TAD BIT SUSPICIOUS OF EVERYONE ELSE.

Once he got past that problem, it turns out the answer is about two hours.  That is not very comforting.  Hackers buying the stolen cards want to know if they are any good, so they make very small purchases, thinking most people won’t bother to trace down a $0.50 transaction that they don’t recognize.

Two Hours is not very long and a bit of a surprise to me.  Source: Bleeping ComputerFacebooktwitterredditlinkedinmailby feather