The DarkOverlord is a hacking group that came to light midyear when it announced it was selling 9+ million patient records on the dark web for around a half million dollars in Bitcoin. That breach apparently includes Social Security numbers, dates of birth and other information.
Now they have moved on to financial services with a slight modification of their strategy.
Their mark this time is a relatively small investment bank, Westpark Capital. Westpark says they are a full service investment banking and securities brokerage firm with offices in California, New York, Florida, Arizona and several international locations.
The hackers claim to have stolen documents from Westpark and attempted to extort their CEO, Richard Rappaport. After Mr. Rappaport apparently declined their “offer” to keep the documents secret, they posted a handful of them on Pastebin. Those documents included NDAs, contracts, stock offerings and presentations, along with a handful of customer Social Security Numbers.
Whether they have more documents or not is unclear. If they do, and the company does not pay the ransom, the hackers may choose to release more documents. Whether that is 10 documents or a thousand documents is unknown.
For the geeks in the crowd, the attack vector appears to have been a publicly exposed RDP (Remote Desktop Protocol) connection. We have told clients that public RDP is really dangerous, and this is just one example of why. If your company exposes RDP to the internet, we recommend that you change that immediately, because it sounds like there is an unknown vulnerability that they are exploiting.
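One way to find out whether RDP is reachable from the internet before an attacker tells you is to look at what your domain controllers and servers are already logging. The Windows Security log records failed logons as event 4625 and successful ones as 4624, and RDP sessions carry LogonType 10. The script below is an added example written for this post, not code from the original article or from Westpark: it reads a simplified key=value rendering of those events (the field names match the real events, but the records and addresses are constructed), counts failed RDP logons per public source address, and separately lists any successful RDP logon from a public address, since even one of those proves the service is exposed. What counts as "internal" is an assumption here (RFC 1918, loopback and link-local); adjust it to your own address plan.

```python
import ipaddress
import re
from collections import Counter

# Assumption for this example: these ranges are "inside" the organisation.
# Anything else is treated as having come from the public internet.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

RDP_LOGON_TYPE = "10"        # LogonType 10 = RemoteInteractive (RDP)
FAILED_LOGON_EVENT = "4625"  # Windows Security: an account failed to log on
SUCCESS_LOGON_EVENT = "4624" # Windows Security: an account was successfully logged on

# Constructed sample records (not real logs). The field names are those of the
# real 4625/4624 events; values use documentation/test address ranges only.
SAMPLE_EVENTS = [
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45",
    "EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45",
    "EventID=4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.45",
    "EventID=4625 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.45",
    "EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7",
    "EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.168.1.20",
    "EventID=4625 LogonType=3 TargetUserName=jsmith IpAddress=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.168.1.20",
    "EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45",
    "this line is not a security event and is skipped",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict, or None if it has no EventID."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "EventID" in fields else None


def is_internal(ip_text):
    """True if the address is in INTERNAL_NETWORKS; unparseable text ('-') is False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def _rdp_events(lines, event_id):
    """Yield parsed RDP (LogonType 10) events with the given EventID and a public source."""
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("EventID") != event_id:
            continue
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        src = ev.get("IpAddress", "-")   # Windows writes '-' when no address is known
        if src == "-" or is_internal(src):
            continue
        yield ev, src


def external_rdp_failures(lines):
    """Count failed RDP logons per public source address."""
    counts = Counter()
    for _ev, src in _rdp_events(lines, FAILED_LOGON_EVENT):
        counts[src] += 1
    return counts


def external_rdp_successes(lines):
    """(user, address) for every successful RDP logon from a public address."""
    return [(ev.get("TargetUserName", "?"), src)
            for ev, src in _rdp_events(lines, SUCCESS_LOGON_EVENT)]


def flag_sources(lines, threshold=5):
    """Public addresses whose failed RDP logon count reaches threshold, busiest first."""
    counts = external_rdp_failures(lines)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_EVENTS):
        print(f"possible RDP password guessing from {ip}: {n} failed logons")
    for user, ip in external_rdp_successes(SAMPLE_EVENTS):
        print(f"RDP logon for {user} succeeded from public address {ip}: RDP is internet-exposed")
```

On real systems you would feed this from an exported Security log or a SIEM query rather than the embedded sample, and a single hit in `external_rdp_successes` should be treated as the finding that matters: the fix is to remove the exposure (firewall rule, VPN or gateway in front of RDP), not merely to alert on the guessing.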
The challenge for Westpark now is first to attempt to determine what the hackers actually have. If it is their entire document store, and it may be, then the next question is do they pay them off and HOPE they don’t release the rest of them or call the hacker’s bluff and see what happens.
For Westpark, this kind of seems like a lose-lose scenario. No matter what they do, some documents are out there and clients should be very nervous about any other documents that they have shared with Westpark. They could pay the ransom and the documents still get published or not pay the ransom and the documents get published.
For the hackers, this seems like a win-win scenario. If Westpark pays up, they get the money. If Westpark doesn’t and they release more documents, the next financial services company they go after will likely be less inclined to blow them off.
For smaller organizations in the financial services industry – and that means anyone smaller than, say, Chase – this should be a shot across the bow to get their security in order. You may remember that Jamie Dimon of Chase said, after they got hacked last year, that they currently spend $250 million on cyber security and that after the hack they plan to raise that to $500 million. Per year. Even I have to admit that this is a lot of money.
While no solution is bulletproof, what you do want to do is make yourself bullet resistant. That way, if the hackers don’t have a grudge against you, they will likely move on to an easier target. I don’t know, but I suspect that the hackers were not specifically targeting Westpark – they were just an easy mark for the hackers.
In looking at Westpark’s web site, there is no notice of a breach that I can find, so the news media is spreading the word for them. This may indicate a weakness in their incident response plan, because you never want the LA Times to be telling your customers that you have been hacked before you tell them.
Westpark’s web site can be found here.