Tuesday, December 18, 2018

Woesnotgone Meadow; December 5, 2018



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. Today in the meadow we had a bit of excitement. Aunt Marjie, who really isn’t anyone’s aunt, paid a visit to the town’s doctor. Although the doctor only accepts the local insurance, there are the usual patient files. A hospital outside of the Meadow had a little problem with this.

Valley Health is the parent company of a number of hospitals, including the Winchester Medical Center and five other regional hospitals. Valley Health had the opportunity to mail notifications to 857 patients of these medical facilities, letting them know their private, confidential data may have been compromised. The data included the patient’s name, address, date of birth, Social Security number, medical record number, and patient identification number.

This issue is related to a third party Valley Health contracted with to host the electronic medical records (EMR). The hospitals initiated a contract with Inova Health Systems in 2013 for a seven-year term. On October 24, 2018, Inova notified Valley Health that it had been notified by law enforcement of the underlying issue.

On September 5, 2018, an unauthorized person accessed a portion of the patient records. After Inova received the notice, the business initiated its own forensic review. Valley Health followed the same course of action and launched its own forensic review. Valley Health’s investigation indicated 12,331 patient files were accessed.

The compromise was possible because the unauthorized party used the credentials of an employee who was no longer with the business. The access was to the Inova billing system along with Valley Health’s electronic medical records in January 2017 and from July to November 2017. This unauthorized person had a relationship with the former Inova employee.

The circumstances lead to at least two germane questions. Did the former Inova employee write down their credentials and allow a third party, with whom there was a relationship, to see them? At this juncture, employees and former employees should not do this, especially when password managers are readily available. Also, the unauthorized party accessed the system during two separate periods. The other person had to be logged in at suspicious times or while the authorized person was also logged in. Either way, the logs would have indicated an issue which should have been noted by the security team or SIEM. How was this missed by the humans and the programs? Inova had to be warned by law enforcement after the second compromise.
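The three signals the paragraph above says the logs should have shown (a former employee's account still authenticating, logins at odd hours, and one account active from two places at once) are easy to check mechanically. The script below is an added illustration and is not from the Valley Health or Inova investigation; the HR roster, the usernames, the addresses and the log entries are all constructed, and the business-hours window is an assumed policy value.

```python
"""Flag logins that reuse a former employee's credentials.

Added illustration (not from the Valley Health or Inova investigation):
constructed authentication events are checked against a constructed HR
roster so that a login by a terminated account, a login outside business
hours, or two overlapping sessions from different addresses is reported.
"""
from datetime import datetime, time, timedelta

# Constructed HR roster: user -> termination date (None = still employed).
HR_ROSTER = {
    "jdoe": None,
    "former01": datetime(2016, 11, 30),   # hypothetical former employee
}

# Constructed authentication log: (timestamp, user, source address, minutes).
AUTH_LOG = [
    ("2017-01-12 09:15", "jdoe", "10.1.4.22", 45),
    ("2017-01-12 23:40", "former01", "203.0.113.9", 120),  # terminated account, after hours
    ("2017-07-03 10:00", "jdoe", "10.1.4.22", 60),
    ("2017-07-03 10:20", "jdoe", "198.51.100.7", 30),     # overlaps the 10:00 session
    ("2017-07-05 14:05", "former01", "203.0.113.9", 15),  # terminated account
]

# Assumed policy window for "normal" interactive logins.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse(entry):
    ts, user, src, minutes = entry
    start = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    return {"user": user, "src": src, "start": start,
            "end": start + timedelta(minutes=minutes)}


def review(log=AUTH_LOG, roster=HR_ROSTER):
    """Return a list of (reason, user, timestamp) findings."""
    events = sorted((parse(e) for e in log), key=lambda e: e["start"])
    findings = []
    by_user = {}
    for ev in events:
        user, start = ev["user"], ev["start"]
        if user not in roster:
            findings.append(("account not in HR roster", user, start))
        else:
            term = roster[user]
            if term is not None and start >= term:
                findings.append(("terminated-account login", user, start))
        if not BUSINESS_START <= start.time() <= BUSINESS_END:
            findings.append(("after-hours login", user, start))
        for prev in by_user.get(user, []):
            # Same account active from two addresses at the same time.
            if prev["src"] != ev["src"] and start < prev["end"]:
                findings.append(("concurrent session from another address", user, start))
        by_user.setdefault(user, []).append(ev)
    return findings


if __name__ == "__main__":
    for reason, user, when in review():
        print(f"{when:%Y-%m-%d %H:%M}  {user:<10} {reason}")
```

Run against a real authentication export, the roster lookup is the check that matters most: a terminated account should not be able to log in at all, so any hit on that rule is an account-lifecycle failure, not merely a suspicious event.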

With these and other issues, the situation certainly indicates an opportunity for growth and improvement with InfoSec.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
Merod, A. (2018, November 23). Valley health sending letters to 857 patients possibly affected by security breach. Retrieved from http://www.winchesterstar.com/winchester_star/valley-health-sending-letters-to-patitients-possibly-affected-by-security/

Saturday, December 15, 2018

Woesnotgone Meadow; December 3, 2018



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. A portion of the residents are very familiar with one aspect of internet usage: email. They use this mostly for family communications, sharing pictures, or just bugging one another. One area that has been a problem and continues to be is phishing, and not the kind by Margie’s pond on the south side of her home. New York Oncology Hematology (NYOH) recently experienced this.

Phishing has become such a lucrative and easy attack method that it's no wonder its prevalence has skyrocketed. The methodology for the attack is relatively straightforward and not overly complex.

Attack
The phishing attack itself was launched and continued between April 20 and 27, 2018. The attackers sent fraudulent emails containing a link to be clicked on. Once the unfortunate user did this, the credential harvesting began. Of the mass number of emails sent, the attackers were successful with 14 users. Sometimes, all it takes is a handful of people clicking. The emails naturally appeared to be legitimate. The targets provided their usernames and passwords. The attack, clearly, was successful and compromised the system. The 14 email accounts were locked down once the issue was noted. The attack was detected and shut down, though the triggering event was not published. This could have been detected by a user, reported by a user, or detected by the enterprise (e.g. SIEM).

Affected Parties
There were 128,400 employees and patients affected by this. This did not affect employees and patients who joined NYOH after April 27, 2018. As of November 2018, NYOH was not aware of any patient’s data being misused. Issues for the affected parties may not appear immediately, as the unauthorized parties holding the data may choose to use it at their leisure. The data may be used or sold without a time limit.

Remediation
NYOH contracted with a third party to conduct a forensic review. The report was delivered to NYOH on October 1, 2018. The report indicated one or more of the email accounts had PHI accessible to the attackers, and that confidential and private health information was compromised to an unauthorized party. NYOH, due to the compromise, is offering the affected parties credit reporting services.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
Daily Gazette Reporter. (2018, November 16). New york oncology hematology hit by email scam. Retrieved from https://dailygazette.com/article/2018/11/16/new-york-oncology-hematology-hit-by-email-scam

Dissent. (2018, November 17). New york oncology hematology notifying more than 128,400 employees and patients after phishing attack. Retrieved from https://www.databreaches.net/new-york-oncology-hematology-notifying-more-than-128400-employees-and-patients-after-phishing-attack/ 

New York Oncology Hematology. (2018). Phishing incident: What you need to know. Retrieved from https://newyorkoncology.com/security/

WGY News. (2018, November 17). New york oncology hematology reports data breach. Retrieved from https://wgy.iheart.com/content/2018-11-17-new-york-oncology-hematology-reports-data-breach/

Thursday, December 13, 2018

Woesnotgone Meadow; December 2, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. This time of year the air begins to become a bit chilly as the season starts to change from fall to winter, and the dogs bring the mud into the house. In Woesnotgone Meadow, our watering hole is Maggie’s on Main Street. This is the only watering hole in the meadow; in Southeast Asia, however, it happens another watering hole has surfaced. This one, however, is not as pleasant.

This latest issue was discovered by ESET researchers. It is a new watering hole campaign by the group termed OceanLotus, using several websites. The group has also been termed APT32 and APT-C-00 in certain circles. The geographic focus of this campaign has been users and websites in Southeast Asia, and it has been in operation since September 2018. From all appearances, this seems to be well planned.

Differentiation
The watering hole attack protocol is not new to the environment or industry. One aspect which makes this campaign unique is the large number of compromised websites, at least 21, involved in the attack. On a secondary level, it is also unique because a handful of the compromised websites are high profile (e.g. the Ministry of Defense of Cambodia and the Ministry of Foreign Affairs and International Cooperation of Cambodia).

Curiously, this also targeted several Vietnamese newspapers and blog websites. These attackers usually focus on websites their targets regularly visit. This attack, however, focused on websites visited by many people.

Evolving Attack
As noted, this is not a fresh attack format. This began operating in 2014 with the OceanLotus Advanced Persistent Threat (APT) group. This specific attack appears to have begun as OceanLotus Framework B in 2017, with updates creating the latest version. This includes using public key cryptography to exchange an AES session key, which makes the communication harder to observe and prevents security products from intercepting the payload.

Stealth
On the range of complexity with attacks, this is not on the basic end of the spectrum. To produce this more complex attack, the attackers used a first- and second-stage process on the compromised websites.

Responsible Reporting
This was noted by the researchers, who notified the compromised websites in October 2018. This was not, however, fixed until late October 2018.

Attack
The attack process for this is relatively straightforward. The person visits the compromised site. The users are tricked into installing a fake installer or updater for commonly used software. The attackers accomplished this by adding a small amount of JavaScript to the index page or, alternatively, to a JavaScript file hosted on the same server. The code then loads a new script from a server controlled by the attackers.
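The loader described above has a simple footprint from the site owner's side: a script tag, or an inline snippet that builds one, pointing at a host the site does not normally use. The following script is an added example of a periodic content check that looks for exactly that; it is not ESET's tooling, and the sample page, the allowlisted host and the "attacker-controlled" host names are constructed placeholders.

```python
"""Find script loaders in a page that point outside the site's own hosts.

Added example, not ESET's tooling: it parses a constructed index page and
reports <script src> tags and inline scripts that reference hosts that are
not on a per-site allowlist, which is how an injected loader for an
attacker-controlled server would show up in a periodic content check.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one relative first-party script, one allowlisted CDN,
# one injected loader, and one inline snippet that builds a <script>
# element pointing at an outside host (the pattern the paragraph describes).
SAMPLE_INDEX = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-ministry.test/lib.js"></script>
<script src="https://static.attacker-controlled.invalid/loader.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://updates.attacker-controlled.invalid/stage2.js';
  document.head.appendChild(s);
</script>
</head><body></body></html>
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collect script src attributes and the text of inline script blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []          # external script URLs from src attributes
        self.inline = []        # text chunks of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.inline.append("\n")   # keep blocks from running together

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def unexpected_script_hosts(html, allowed_hosts):
    """Return the sorted set of hosts referenced by scripts on the page that
    are not in allowed_hosts. Relative paths have no host and are treated as
    first-party."""
    collector = ScriptCollector()
    collector.feed(html)
    urls = list(collector.srcs) + URL_RE.findall("".join(collector.inline))
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host in unexpected_script_hosts(SAMPLE_INDEX, {"cdn.example-ministry.test"}):
        print("script loads from non-allowlisted host:", host)
```

The allowlist is per site and should be built from a known-good copy of the page, since a check like this only tells you that something new appeared; it cannot tell you whether the new host is a legitimate change or an injection, and that is a question for the person who owns the page.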

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.



Resources
Abel, R. (2018, November 20). Watering the ocean lotus: New watering hole attacks target southeast asia. Retrieved from https://www.scmagazine.com/home/security-news/for-the-last-few-months-the-threat-group-oceanlotus-also-knwon-as-apt32-and-apt-c-00-has-been-carrying-out-a-watering-hole-campaign-targetting-

Arghire, I. (2018, March 3). “OceanLotus” spies use new backdoor in recent attacks. Retrieved from https://www.securityweek.com/oceanlotus-spies-use-new-backdoor-recent-attacks

AlienVault. (2018, November 21). OceanLotus new watering hole attack in southeast asia. Retrieved from https://otx.alienvault.com/pulse/

Mitre Corporation. (n.d.). APT32. Retrieved from https://attack.mitre.org/groups/G0050/

Thursday, December 6, 2018

Woesnotgone Meadow; November 30, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. The weather has been unusually cold earlier this week. This has kept many of the residents inside. With the activities limited by the cold, many people worked on their online banking, but not with HSBC Bank.

HSBC Bank has a presence in several countries. Notable for this case is the HSBC Bank subsidiary located in the US. Its system was attacked and compromised. The bank learned of this unauthorized access between October 4 and 14, 2018. The attackers were able to exfiltrate the data they targeted: the clients’ names, addresses, dates of birth, account numbers, transaction histories, payee details, and balances. With this data, the attackers, and whomever the data is sold to on the dark web, have the ability to make the affected parties’ lives “interesting” for over the next decade. This data allows the unauthorized parties to use the identity to falsely open accounts, access other websites at which the clients may have accounts, and overall keep the affected persons monitoring their credit reports.

This affected thousands of online customers of HSBC Bank USA. The bank did not publish the full number but did state this was less than 1% of its US customers. Based on this, the affected parties could number up to 12,000 persons. This was the initial estimate and may increase as time passes and the forensic review continues. The bank, per California state law, notified the California Attorney General, as the breach affected 500 or more California residents.

The bank, attempting to be a good corporate citizen and to limit liability, suspended the affected online accounts. In response to the compromise, the bank also worked to improve its client authentication process. It also recommended the clients update their passwords and add security features to their login. This included the usual recommendation of using a unique password and changing it regularly.

The compromise was due to some form of lapse in cybersecurity. HSBC Bank has not, however, published how this occurred. The details noted so far seem to indicate this was a credential stuffing attack. This technique is so usable for the attackers because users reuse the same username and password across different website logins. Here, the credentials from one login are tried on other likely used websites and services.
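Credential stuffing has a recognizable shape in a login log: one source address walking through many different usernames in a short time, with most attempts failing and an occasional success where a customer reused a password. The script below is an added example of detecting that shape and listing the accounts that need a forced reset; it is not HSBC's detection logic, and the addresses, usernames and log lines are constructed.

```python
"""Spot credential-stuffing patterns in a web login log.

Added example (not HSBC's detection logic): over constructed login records
it flags source addresses that try many distinct usernames with a high
failure rate inside a short window, then lists the accounts that
authenticated successfully from those addresses, which are the reused
credentials.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: (timestamp, source address, username, outcome).
LOGIN_LOG = [
    ("2018-10-04 02:00:01", "198.51.100.20", "alice", "fail"),
    ("2018-10-04 02:00:02", "198.51.100.20", "bob", "fail"),
    ("2018-10-04 02:00:03", "198.51.100.20", "carol", "success"),  # reused password
    ("2018-10-04 02:00:04", "198.51.100.20", "dave", "fail"),
    ("2018-10-04 02:00:05", "198.51.100.20", "erin", "fail"),
    ("2018-10-04 02:00:06", "198.51.100.20", "frank", "fail"),
    ("2018-10-04 09:30:00", "203.0.113.5", "alice", "fail"),        # ordinary typo ...
    ("2018-10-04 09:30:20", "203.0.113.5", "alice", "success"),     # ... then success
]

WINDOW = timedelta(minutes=10)   # assumed detection window


def parse(rec):
    ts, src, user, outcome = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, user, outcome


def stuffing_sources(log=LOGIN_LOG, min_users=5, min_fail_ratio=0.6, window=WINDOW):
    """Return {src: (distinct_users, fail_ratio)} for sources whose attempts
    inside any window cover at least min_users distinct usernames with at
    least min_fail_ratio failures. Thresholds are assumed starting values."""
    events = sorted(parse(r) for r in log)
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        by_src[src].append((ts, user, outcome))
    flagged = {}
    for src, evs in by_src.items():
        # Slide a window over this source's attempts, oldest first.
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            fails = sum(1 for _, _, o in in_win if o == "fail")
            ratio = fails / len(in_win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[src] = (len(users), round(ratio, 2))
                break
    return flagged


def accounts_hit(log=LOGIN_LOG, sources=None):
    """Accounts that authenticated successfully from a flagged source."""
    sources = stuffing_sources(log) if sources is None else sources
    return sorted({user for _, src, user, outcome in map(parse, log)
                   if src in sources and outcome == "success"})


if __name__ == "__main__":
    for src, (n_users, ratio) in stuffing_sources().items():
        print(f"{src}: {n_users} usernames, {ratio:.0%} failures")
    print("accounts to reset:", accounts_hit())
```

The per-source view is the simplest version; attackers spread attempts over many addresses, so the same counting is usually repeated per username (many sources against one account) and per site-wide failure rate, and the list from accounts_hit is what drives the password reset and the customer notification.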

If anyone in the Meadow is using the same logins or passwords for multiple websites, you may want to change these to something unique.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
E Hacking News. (2018, November 7). HSBC online banking customers’ data compromised: Confirms the bank. Retrieved from https://www.ehackingnews.com/2018/11/hsbc-online-banking-customers-data.html

HSBC. (2018, November 2). Notice of data breach. Retrieved from https://oag.ca.gov/system/files/Res%20102923?20PIB%20Main%20v3_1.pdf

Nichols, S. (2018, November 6). HSBC now stands for hapless security, became compromised: Thousands of customer files snatched by crims. Retrieved from https://www.theregister.co.uk/2018/11/06/hsbc_security_broken/


Winder, D. (2018, November 6). HSBC bank USA admits breach exposing account numbers and transaction history. Retrieved from https://www.forbes.com/sites/daveywinder/2018/11/06/hsbc-bank-usa-admits-breach-exposingaccount-numbers-and-transaction-history/#394417d35af3

Monday, December 3, 2018

Woesnotgone (Woes-not-gone) Meadow; November 28, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. It seems as though winter has crept in like the wind. This has limited our activities somewhat as the roads have a not-so-nice layer of ice, which at times can be difficult to see, let alone drive on.

It seems as though the city of Muscatine, Iowa had its own event slowing down workflow. As with most industries, nearly everyone with assets of value is a target. Local municipalities are not sheltered from this risk. Thankfully, the Meadow has not been targeted in recent years. In Muscatine, Iowa, however, several of the city's servers were targeted, including one used by the finance department.

The attackers used ransomware as their tool. This occurred at approximately 1 a.m. on October 17, 2018, and was very successful for the attackers. The servers were targeted and compromised. One of those in the pool was used by the finance department: the Springbrook server. The other servers were used by the city hall departments and the library. As this was successful, the affected departments had to use pen and paper for over a week. As of the latest report, the city officials were still reviewing what happened to allow the ransomware in. This has not been published yet.

The city officials did publish a press release on October 18, 2018, describing in general terms what happened. Fortunately, the critical servers were still operating. It is notable that the city did not pay the ransom. Years ago, the city decided to purchase cyber insurance, and this proved to be a benefit, not only from being insured but also because the insurance company was very active in the response.

To remediate this, the city or insurance company contracted with a third party to assist with the issue. They believe they were able to isolate the ransomware and move forward. Perhaps it would be prudent to provide additional training for the staff to be alert for general phishing attacks, safe USB handling practices, and what not to click on in the future.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
City of Muscatine. (2018, October 18). [Archived] City of muscatine servers hit with ransomware attack. Retrieved from https://www.muscatineiowa.gov/CivicAlerts.aspx?AID=760&ARC=1030

City of Muscatine. (2018, November 2). City slowly recovering from ransomware attack. Retrieved from https://www.muscatineiowa.gov/CivicAlerts.aspx?AID=770

Coleman, S.B. (2018, November 2). Update: City of muscatine “well on the way” to return of normal operations after ransomware attack. Retrieved from https://www.kwqc.com/content/news/City-of-Muscatine-reports-ransomware-attack-497981371.html

Hanson, A. (2018, October 23). City of muscatine responds to cyber attack. Retrieved from https://www.kwqc.com/content/news/City-of-Muscatine-responds-to-cyber-attack-498364541.html

Journal Staff. (2018, November 2). Muscatine still recovering from ransomware attack. Retrieved from https://muscatinejournal.com/muscatine/news/local/muscatine-still-recovering-from-ransomware-attack/

Loging, S. (2018, November 15). Muscatine coming back online after cyber attack left them in the dark. Retrieved from https://www.ourquadcities.com/news/muscatine-coming-back-online-after-cyber-attack-left-them-in-the-dark/1600554261

WQAD Digital Team. (2018, October 19). Muscatine cyber attack targets government financial server. Retrieved from https://wqad.com/2018/10/19/muscatine-cyber-attack-targets-government-financial-server/

WQAD Digital Team. (2018, November 2). Muscatine government cyber attack recovery ‘a slow process’. Retrieved from https://wqad.com/2018/11/02/muscatine-government-cyber-attack-recovery-a-slow-process/

Friday, November 23, 2018

PageUp Breach


PageUp is an Australian firm. Its business is Human Resources software. PageUp has a global presence with 2M users across 190 countries. The vast majority of these clients are corporate. These include Wesfarmers (Coles, Target, Kmart, and Officeworks), NAB, Telstra, Commonwealth Bank, Lindt, Aldi, Linfox, Reserve Bank of Australia, Australia Post, Medibank, ABC, Australian Red Cross, University of Tasmania, AGL, and Jetstar.


Attack
PageUp, unfortunately, was on the receiving end of a successful malware attack. This took the form of an unauthorized person gaining access to its system. The precise method or attack point has not been published yet.

Exfiltrated
The focus of this attack was not, in this case, encrypting the servers or destroying the data, as with ransomware or other malicious acts. Data acquisition was the end goal. As noted, the attack was successful. The attackers were able to access the customers’ information. This was data relating to the clients’ personal data (i.e. names, street addresses, email addresses, telephone numbers, bank details, tax file numbers, diversity information, and emergency contact information), placement agencies, applicants, references, and PageUp's own employees. The passwords may have been accessed; however, per the company, these were hashed.

Detection
For this attack to be successful, there was a significant amount of activity. PageUp detected what the company described as “unusual” activity on its IT infrastructure in May 2018. PageUp began its forensic investigation on May 23, 2018. The detection took the form of malware being found on its systems. Fortunately, the investigation confirmed this as the issue five days later. The business is working with the Australian Cyber Security Centre, several third-party cybersecurity firms, and the Australian Federal Police.

Remediation
This was a substantial issue. As noted, this was detected internally by the company's systems. Until this was resolved, the business did not accept new applications. Due to the level of penetration into the business, a portion of the customers were still wary and treating the situation cautiously.

GDPR
Nearly every person is familiar with GDPR. This new set of laws in the EU is focused on data security for the people in the EU and is rather far-reaching. It affects not only businesses in the EU, but anyone holding, managing, or processing any of this data.

PageUp has interests and works in the EU. The breach and compromise may be considered a violation of the GDPR. PageUp may possibly face a massive fine of up to 4% of its global turnover. The business is also dealing with other issues, including reputational problems, costs associated with the forensic work, and the potential for a class action lawsuit.

Affected
The data exfiltrated was confidential and personal, and marketable by the attackers. The data, and the amount of it, are ideal for a person seeking to perpetrate identity fraud. The affected clients have years of potential issues to deal with, including monitoring their credit for fraudulent charges and accounts.


Resources
Bunker, G. (2018, June 11). What the pageup data breach means in a post-GDPR world. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/what-the-pageup-data-breach/

Crozier, R. (2018, June 12). PageUp people all but confirms personal data ‘accessed’. Retrieved from https://www.itnews.com.au/news/pageup-people-all-butconfirms-personal-data-accessed-493481

Davies, A. (2018, June 7). PageUp data breach: Thousands of job seekers’ details potentially exposed. Retrieved from https://www.theguardian.com/technology/2018/jun/07/thousands-of-job-seekers-details-potentially-exposed-in-hack

Duerden, J. (2018, June 12). Blame pageup breach on security industry. Retrieved from https://www.theaustralian.com.au/business/technology/blame-pageup-breach-on-security-industry/news-story/

Duke, J. (2018, June 11). PageUp data breach: ABC, Asoki, Myer, Macquarie pull jobs pages. Retrieved from https://www.smh.com.au/business/companies/pageup-data-breach-abs-asaki-myer-macquerie-pull-jobs-pages-20180611-p4zktj.html

McLean, A. (2018, June 12). PageUp says it is ‘probable’ customer data was externally accessed. Retrieved from https://www.zdnet.com/article/pageup-says-it-is-probable-customer-data-was-externally-accessed/

Paganini, P. (2018, June 6). HR software firm pageup is the last victim of a data breach, the company has 2.6 million active users across over 190 countries. Retrieved from https://securityaffairs.co/wordpress/73242/data-breach/pageup-data-breach.html

PageUp. (2018, June 12). Unauthorized activity on IT system. Retrieved from https://www.pageuppeople.com/unauthorized-activity-on-it-system/

Air Canada Compromised!

Each country has its own set of airlines servicing its area. Based on the market, certain countries have more or fewer than others. These fly throughout their respective nations and the world. Most persons, as a normal course of business, go online and enter their information, including credit card numbers, to purchase airline tickets. This occurs throughout the globe every single day without an issue. An option also is to do this with a mobile device.

Issue
Air Canada has a number of users purchasing tickets. A portion of these purchases are done on a mobile device using the mobile app. These were the focus of the attack. A subset of these users, who had entered their passport information into the system, may have had their data stolen.

Attack
Air Canada had been previously criticized for its weak password system. The prior convention used was 6-10 characters (letters and numbers), but no other symbols. With these possibly short passwords in place, there are two issues. One is the lack of complexity in the acceptable passwords, and the other is the potential for users to reuse these passwords across multiple domains. In comparison, the official guidance from the Canadian government is for passwords to have a minimum length of eight characters and at least one character that is not a letter or number. One would expect Air Canada to have followed the guidance from its own government.

After the attack, Air Canada required the password to be at least 10 characters and include one symbol. Air Canada was not yet sure how the mobile app breach occurred. This was a relatively serious issue, as approximately 20k accounts’ data is believed to have been stolen. This is approximately 1% of their clientele. The data did not include credit card details, as these were encrypted. It did include the client’s name, email address(es), phone numbers, passport number, passport country of issuance, expiration date, nationality, gender, and country of residence.

This list is rather substantial and is the data someone would need to assume another’s identity. Also, the attackers, or persons subsequently holding this data, could set up other accounts at banks, open credit cards, and take other actions which would negatively impact the user’s credit scores.

On a tangent, Air Canada did, however, respond quickly to the issue. Its effort is applauded. The business also updated the password convention to a more appropriate level.

Indications
The attack and compromise would not have been something unknown for an extended period. There had been a large, unusual level of activity between August 22 and 24, 2018, in the form of a large number of log-ins during this period. The volume was well outside of the normal value, even with a margin of error attached.
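The point above, that a login spike this far outside the normal range should have tripped an alert even with a margin of error allowed, can be turned into a concrete check. The script below is an added example and is not Air Canada's monitoring; the daily counts are constructed to resemble a steady baseline followed by a three-day spike, and the baseline length, the number of standard deviations and the extra margin are assumed tuning values. Days that are flagged are deliberately kept out of the baseline so that the first spike day does not raise the threshold and hide the next one.

```python
"""Flag days whose login volume is far outside the recent baseline.

Added example, not Air Canada's monitoring: daily login counts for a
constructed period are compared with the mean and standard deviation of
the preceding baseline days, and any day beyond (mean + k*stdev) inflated by
an explicit margin is reported. Flagged days do not feed the baseline.
"""
from statistics import mean, pstdev

# Constructed daily successful-login counts for a mobile app (date -> count).
DAILY_LOGINS = {
    "2018-08-08": 41200, "2018-08-09": 40850, "2018-08-10": 42300,
    "2018-08-11": 39900, "2018-08-12": 38700, "2018-08-13": 41600,
    "2018-08-14": 42100, "2018-08-15": 40400, "2018-08-16": 41900,
    "2018-08-17": 42500, "2018-08-18": 39600, "2018-08-19": 38900,
    "2018-08-20": 41300, "2018-08-21": 42000,
    "2018-08-22": 97500,    # start of the constructed spike
    "2018-08-23": 131000,
    "2018-08-24": 88400,
    "2018-08-25": 41700,    # back to normal
}


def anomalous_days(counts=DAILY_LOGINS, baseline_days=14, k=3.0, margin=0.10):
    """Return [(date, count, threshold)] for days whose count exceeds
    (mean + k * stdev) of the most recent `baseline_days` normal days,
    after inflating that threshold by `margin` to absorb ordinary
    day-to-day error. The first `baseline_days` are assumed clean."""
    dates = sorted(counts)
    baseline = [counts[d] for d in dates[:baseline_days]]
    findings = []
    for d in dates[baseline_days:]:
        recent = baseline[-baseline_days:]
        threshold = (mean(recent) + k * pstdev(recent)) * (1 + margin)
        if counts[d] > threshold:
            findings.append((d, counts[d], round(threshold)))
        else:
            baseline.append(counts[d])   # only normal days extend the baseline
    return findings


if __name__ == "__main__":
    for date, count, threshold in anomalous_days():
        print(f"{date}: {count:>7} logins, threshold {threshold:>6}")
```

On the constructed data the threshold works out to roughly 49,000 logins against a baseline near 41,000, so each of the three spike days is reported and the following normal day is not. In practice the same check is run per hour and per source region as well, since a stuffing run that is spread thinly can stay under a daily total.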

Remediation
The airline, to be thorough, locked down the entirety of the 1.7M accounts. The management did not want subsequent issues continuing if a handful of the accounts were missed. In order to continue to use the service, the users would need to reset their password to access their account again.

Lessons
Passwords are a touchy subject with users. The users want passwords that are easy to remember and short. In the alternative, the users would like to not use passwords at all. However, some form of authentication is required. For the users, dependent on the use case, a password manager or generator may work well. Also using MFA would be beneficial.




Resources

BBC News. (2018, August 29). Air canada app data breach involves passport numbers. Retrieved from https://www.bbc.co.uk/news/technology-45349056

Constantin, L. (2018, August 30). Hackers access data. Retrieved from https://securityboulevard.com/2018/08/air-canada-resets-customers-passwords-after-hackers-access-data/

Dunn, J.E. (2018, August 30). Air canada resets 1.7 million accounts after app breach . Retrieved from https://nakedsecurity.sophos.com/2018/08/30/air-canada-resets-1-7-million-accounts-after-app-breach/

Evans, P. (2018, August 29). Air canada mobile app breach affects 20,000 people. Retrieved from https://www.cbc.ca/news/business/air-canada-mobile-app-1.4802879

Johnson, B. (2018, August 30). All 1.7 million air canada app users must reset passwords after breach. Retrieved from https://www.itworldcandda.com/article/all-1-7-million-air-canada-app-users-must-reset-password-after-breach/

Osborne, C. (2018, August 30). Air canada reveals mobile data breach, passport numbers potentially exposed. Retrieved from https://www.zdnet.com/article/air-canda-reveals-mobile-data-breach-passport-numbers-potentially-exposed/

Reynolds, C. (2018, August 29). Air canada says mobile app breach may affect up to 20,000 customers. Retrieved from https://www.ctvnews.ca/business/air-canda-says-mobile-app-breach-may-affect-up-to-20-000-customers-1.4072467

Seals, T. (2018, August 30). Travel breaches hit air canada and asia-pac hotelier. Retrieved from https://threatpost.com/travel-breaches-hit-air-canda-and-asia-pac-hotelier/137059/

Security Experts. (2018, August 30). Air canada breach. Retrieved from https://www.informationsecuritybyzz.com/expert-comments/security-experts-comments-air-canada-breach/

Whittaker, Z. (2018, August 29). Air canada confirms mobile app data breach. Retrieved from https://techcrunch.com/2018/08/29/air-canada-confirms-mobile-app-data-breach/

British Airways Targeted


In this age, credit cards are required for many aspects of our culture. To rent a car or hotel room, or to purchase airline tickets, a credit or debit card is required. To purchase these services without a credit card is problematic. One airline providing the travel service is British Airways, a major international airline. Unfortunately, the airline's system was breached. This affected 380,000 credit card payments made on the British Airways website and mobile app in August 2018. British Airways did contact the affected parties on September 7, 2018. With such a large number of affected parties, there are a number of questions about the attack methodology. The attackers must have had a clear and in-depth penetration into the system.

Attack
With this attack and compromise, BA was able to note when, including the time, the attack occurred. From August 21, 2018 (10:58 p.m.) through September 5, 2018 (9:45 p.m.), the company’s website and mobile app were successfully attacked and breached. Curiously, BA stated this was a data theft, versus calling this a breach. This may indicate this was an internal threat versus one originating from a third party.

Data
The attackers could have targeted a variety of data, based on the attack and the potential points to pivot from. The attackers were able to access valuable data: the customers’ names, addresses, email addresses, credit card expiration dates, and other credit card details, including the CVV code. Fortunately for the affected parties, the attackers were not able to exfiltrate the customers’ passport data.

Vulnerability
Throughout several industries, web applications tend to be a valid, robust attack point. This is due to security not being included throughout the development process, new vulnerabilities, and insecure coding, among other issues. BA did remediate the vulnerability.

With these issues, it would be beneficial to know exactly what vulnerability was exploited, or, if there were multiple, what these were. In this case, others could learn from the oversights so that these errors would not be repeated by others in the same and other industries. Unfortunately, in this case, BA has refused to answer any further questions relating to the breach.

Throughout the issue, BA worked with cybersecurity firms during the forensic review period. The attack period itself is notable. The attackers had over two weeks of full access. Perhaps the SIEM did not detect the compromise in a timely manner, or the logs and reports were not examined at length. This was too long for the compromise, which increased the number of clients affected by this.

Lessons
The information security teams should have detected this themselves or through the tools in place on the systems. The log data should have been reviewed earlier than it was. This is a lesson for others, not only in the airline industry. The logs should be regularly reviewed for anomalies and other unusual activities.


Resources
Buchanan, B. (2018, September 7). British airways hacking? How not to respond to a cyber attack. Retrieved from https://theconversation.com/british-airways-hacking-how-not-to-respond-to-a-cyber-attack-102857

Calder, S. (2018, September 7). BA data breach: What does the british airways hack mean for customers? Retrieved from https://www.independent.co.uk/travel/news-and-advice/british-airways-flights-ba-hacked-data-theft-customers-a8526516.html

Cuthbertson, A. (2018, September 8). British airways hacked: Scale of customers ‘astounding’, security experts say. Retrieved from https:www.independent.co.uk/life-style/gadgets-and-tech/news/british-airways-hacked-customer-data-breach-astounding-ba-security-experts-98527071.html

Davies, R. (2018, September 7). Hacked data-including CVV codes-worth about 20m on dark web, cybersecurity experts say. Retrieved from https://www.theguardian.com/business/2018/sep/07/ba-british-airways-customers-hacked-credit-card-details-dark-web

Detrixhe, J. (2018, September 7). British airways massive data breach has given tech upstarts a chance to promote themselves. Retrieved from https://qz.com/1382301/british-airways-data-breach-monzos-quick-response/

Duckett, C. (2018, September 7). British airways hit with customer data theft. Retrieved from https://www.zdnet.com/article/british-airways-hit-with-customer-data-theft/

Dungay, D. (2018, October 9). British airways announces cyber security breach. Retrieved from https://commsbusiness.co.uk/news/british-airways-announces-cyber-security-breach/

E Hacking News. (2018, September 8). British airways security breach: Credit card details of 380,000 customers stolen. Retrieved from http://www.ehackingnews.com/2018/09/british-airways-security-breach-credit.html

Gulliver. (2018, September 9). British airways admits that over 380,000 customers had their data stolen. Retrieved from https://www.economist.com/gulliver/2018/09/09/british-airways-admits-that-over-380000-customers-had-their-data-stolen

Khandelwal, S. (2018, September 6). British airways hacked-380,000 payment cards compromised. Retrieved from https://thehackernews.com/2018/09/british-airways-data-breach.html

Leyden, J. (2018, September 7). Revealed: British airways was in talks with ibm on outsourcing security just before hack. Retrieved from https://www.theregister.co.uk/2018/09/07/ba_security_outsourcing_consultation_memo/

O’Donnell, L. (2018, September 7). British airways website, mobile app breach compromises 380k. Retrieved from https://threatpost.com/british-airways-website-mobile-app-breach-compromise-380k/137291/

PYMNTS. (2018, September 10). British airways data hack a test case for GDPR. Retrieved from https://www.pymnts.com/news/regulation/2018/british-airways-data-breach-gdpr-compliance-data-security/

Telegraph Reporters. (2018, September 7). British airways hacking: Customers cancel credit cards as airline defends handling of ‘sophisticated’ cyber attacks. Retrieved from https://www.telegraph.co.uk/news/2018/09/07/british-airways-hacking-customers-cancel-credit-cards-airline/

V3 Newsdesk. (2018, September 7). British airways security breach compromises 380,000 credit cards. Retrieved from https://www.V3.co.uk/v3-uk/news/3062330/british-airways-security-breach-compromises-380-000-credit-cards

Whitaker, Z. (2018, September 6). British airways customer data stolen in data breach. Retrieved from https://techcrunch.com/2018/09/06/british-airways-customer-data-stolen-in-data-breach/

Leave the breweries alone! Arran Brewery compromised

Unfortunately, ransomware is a common attack across all types of business. Delivery is cheap, low-effort, and easy to automate, so the attack can return a large ROI (return on investment) even when only a small fraction of attempts succeed. Any business with capital or data of value is a viable target.

One attack point that has not been used as heavily as it could be is the Human Resources department. HR staff expect dozens of résumés and supporting documents a day from people seeking positions with the business. They are trained in human resource matters, not in spotting malware, and may open the documents without a second thought. For the business, this can have unintended results.

Arran Brewery
Arran Brewery is a small brewery in Scotland, based on the Isle of Arran, whose products include Arran Blonde and Arran Red Squirrel. Throughout the year the business has multiple job openings and accepts résumés and other documents from applicants.

Attack
As noted, the business was the victim of ransomware, which it described as a sophisticated attack. Most ransomware attacks are labelled that way even when the strain is an ordinary one. As is typical for ransomware, the target opened an email with a résumé as the attachment; in this incident the malicious payload was reportedly in the PDF. The ransomware was a variant of Dharma, which encrypts files and appends the .bip extension to them.

The Human Resources staff member would have had no way of knowing the attachment carried ransomware. Among the dozens of documents received, it would have been difficult to discern which résumé was the malicious one. The attacker had copied the brewery's job posting to several other career sites to increase the volume of résumés received. The sudden arrival of applications from across the country and the globe should itself have been noted as a symptom of a problem; instead it worked brilliantly to camouflage the malicious email among a large number of messages from sources the business would not normally hear from.

The ransomware locked the brewery out of its systems and also encrypted a portion of the backups. The ransom demanded for the decryption key was two bitcoins, which Arran Brewery declined to pay. The business lost three months of sales data from one server and had been attempting to restore it. To gain reasonable assurance that the malware was no longer present on the servers, the business contracted a consultant to purge it.
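As an added example (written for this edit; it is not Arran Brewery's tooling, and the post does not describe how the infection was or was not detected), the Python below applies two host-level heuristics to a constructed stream of file-rename events: a burst of renames on one host that all change files to the same new extension, and any rename of a planted canary file that no legitimate process should touch. The event format, host names, share layout, canary location, window, and threshold are all assumptions; the `.bip` extension is the one the post reports for this Dharma variant.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-system events for the example:
# (time, host, action, old path, new path).  The ".bip" suffix is the one
# reported for this Dharma variant; hosts, paths, and timings are invented.
SAMPLE_EVENTS = [
    ("2018-09-17T11:02:01", "hr-pc01", "RENAME", "S:/sales/aug.xlsx", "S:/sales/aug.xlsx.bip"),
    ("2018-09-17T11:02:05", "hr-pc01", "RENAME", "S:/sales/jul.xlsx", "S:/sales/jul.xlsx.bip"),
    ("2018-09-17T11:02:09", "hr-pc01", "RENAME", "S:/sales/jun.xlsx", "S:/sales/jun.xlsx.bip"),
    ("2018-09-17T11:02:14", "hr-pc01", "RENAME", "S:/hr/applicants.docx", "S:/hr/applicants.docx.bip"),
    ("2018-09-17T11:02:20", "hr-pc01", "RENAME", "S:/hr/payroll.xlsx", "S:/hr/payroll.xlsx.bip"),
    ("2018-09-17T11:02:27", "hr-pc01", "RENAME", "S:/backup/daily.bak", "S:/backup/daily.bak.bip"),
    ("2018-09-17T11:02:31", "hr-pc01", "RENAME", "S:/.canary/do-not-touch.docx", "S:/.canary/do-not-touch.docx.bip"),
    ("2018-09-17T11:03:00", "fin-pc02", "RENAME", "S:/finance/report.tmp", "S:/finance/report.docx"),
]

CANARY_PATH = "S:/.canary/do-not-touch.docx"   # assumed planted decoy file
BURST_WINDOW = timedelta(seconds=60)            # assumed sliding window
BURST_THRESHOLD = 5                             # assumed renames-per-window trigger


def extension(path):
    """Lower-cased final extension of a path ('' if there is none)."""
    return os.path.splitext(path)[1].lower()


def detect_ransomware_renames(events):
    """Return alerts as dicts with keys rule, host, when, detail, in time order."""
    alerts = []
    recent = defaultdict(deque)     # host -> deque of (time, new extension)
    burst_hosts = set()             # hosts already alerted, to avoid repeats
    for stamp_s, host, action, old, new in sorted(events):
        if action != "RENAME":
            continue
        stamp = datetime.fromisoformat(stamp_s)
        if old == CANARY_PATH:
            # Nothing legitimate renames the decoy, so one hit is enough.
            alerts.append({"rule": "canary_touched", "host": host,
                           "when": stamp, "detail": new})
        if extension(old) == extension(new):
            continue                 # ordinary rename, extension unchanged
        window = recent[host]
        window.append((stamp, extension(new)))
        while stamp - window[0][0] > BURST_WINDOW:
            window.popleft()
        exts = [ext for _, ext in window]
        top = max(set(exts), key=exts.count)
        if exts.count(top) >= BURST_THRESHOLD and host not in burst_hosts:
            burst_hosts.add(host)
            alerts.append({"rule": "mass_rename", "host": host,
                           "when": stamp, "detail": f"{exts.count(top)} files -> {top}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_renames(SAMPLE_EVENTS):
        print(alert["when"].isoformat(), alert["rule"], alert["host"], alert["detail"])
```

The burst rule keys on the new extension rather than on a list of known ransomware suffixes, so a variant that picks a different suffix still trips it; the canary rule is the cheap backstop for the share that matters most, including the backup location this incident shows is in scope.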

Effects
As you would expect, the disruption to the business was significant. It included, but was not limited to, the lost sales data, the direct labour and overhead of staff working on the issue, and the contracted parties' fees. Remediation was not cheap. In a non-financial sense, management also lost some of its confidence in the cybersecurity controls.

When the Human Resources staff member opened the malicious file, they were simply following the standard operating procedure for handling résumés: receive them, open them, and review the qualifications. Of the hundreds of résumés received, at least one made it through the malware filter and was opened. This shows the need for the blue (defensive) team to think more creatively about how attackers will reach the people whose job is to open documents from strangers.

This also highlights the need for additional training, so that the opportunity for ransomware to take hold in the enterprise is reduced as far as possible. Training alone will not stop every click, however; opening inbound attachments in a sandbox or on an isolated system, and keeping backups offline where an infected workstation cannot reach them, limits the damage when one does get through.

Resources
BBC. (2018, September 20). Arran brewery hit by ransomware attack. Retrieved from https://www.bbc.com/uk-scotland-scotland-business-45587903

Burton, G. (2018, September 21). Arran brewery attacked with ransomware under cover recruitment-ad CV spam. Retrieved from https://www.computing.co.uk/ctg/news/3063224/arran-brewery-attacked-with-ransomware-under-cover-of-recruitment-ad-CV-spam

Dissent. (2018, September 21). UK: Arran brewery blackmailed by hackers as scottish beer firm becomes latest victim of sophisticated ransomware attack. Retrieved from https://www.databreaches.net/uk-arran-brewery-blackmailed-by-hackers-as-scottish-beer-firm-becomes-latest-victim-of-sophisticated-ransomware-attack/

French, P. (2018, September 21). Arran brewery victim of ‘very devious’ cyber attack. Retrieved from https://www.thedrinksbusiness.com/2018/09/arran-brewery-victim-of-very-devious-cyber-attack/

Leyden, J. (2018, September 21). Scottish brewery recovers from ransomware attack. Retrieved from https://www.theregister.co.uk/2018/09/21/arran_brewer_ransomware/

N., B. (2018, September 24). Arran brewery hits massive ransomware attack-Warned other companies to stay safe. Retrieved from https://gbhackers.com/arran-brewery/

Nexit. (2018, September 21). Scotland’s arran brewery slammed by dharma bip ransomware. Retrieved from https://www.next-it.net/scotlands-arran-brewery-slammed-by-dharma-bip-ransomware/

Olenick, D. (2018, September 21). Scottish brewery ransomware attack leverages job opening. Retrieved from https://www.scmagazine.com/home/news/scottish-brewery-ransomware-attack-leverages-job-opening/

Schwartz, M.J. (2018, September 21). Scotland’s arran brewery slammed by dharma bip ransomware. Retrieved from https://www.bankinfosecurity.com/scottish-brewery-slammed-by-dharma-ransomware-variant-a-11537

Smith. (2018, September 23). Brewery became victim of targeted ransomware attack via job vacancy ad. Retrieved from https://www.csoonline.com/article/3307193/security/brewery-became-victim-of-targeted-ransomware-attack-via-job-vacancy-ad.html

Sussman, B. (2018, September 21). Tear in my beer: Brewery hit by ransomware. Retrieved from https://www.secureworldexpo.com/industry-news/ransomware-hr-case

Whitelaw, J. (2018, September 20). ‘Pay up’ arran brewery blackmailed by hackers as scottish beer firm becomes latest victim of sophisticated ransomware attack. Retrieved from https://www.thescottishsun.co.uk/tech/3235218/arran-brewery-blackmailed-hackers-ransomware-attack/


Tuesday, November 20, 2018

Hacking from Prison: Yes, it's a thing

Prison has the mission of rehabilitating the person who committed the crime that warranted the stay. While being rehabilitated, prisoners are able to contact their families, play games, learn a trade, work, receive therapy, and take part in other activities. One option open to incarcerated people for several of these functions is a tablet, and these devices have become increasingly popular with inmates.

JPay
This option involves basic technology: inmates may use JPay tablets. JPay has been working with prison systems to provide these since 2002, across 35 states, and the tablets are supplied to the prison systems and prisoners by CenturyLink and JPay. The inmate's family or friends purchase them. In limited instances JPay has given them to inmates, as it recently did for 53k inmates in the New York State prison system; the others have had to pay.
The tablets allow prisoners to email and video chat with family and friends, watch educational videos, and download and play games and music that have been purchased. Inmates can also use them for ebooks and news. Family and friends put funds on the inmate's JPay account to pay for the non-free items; as an example, sending one page of email costs 50 cents. This is very useful for the inmates.

Vulnerability Exploited
Seemingly, the process should have worked smoothly, and for years it did. Recently, however, inmates using the tablets found a vulnerability and exploited it repeatedly. The exploitation was detected by the Idaho Department of Corrections on July 2, 2018. In total, 364 inmates were able to add roughly $225k in credits to their accounts without their families or friends actually having added the funds.

Remediation
The vulnerability has been resolved. Unfortunately, neither the specific steps of the exploit nor the location of the vulnerability has been published, because JPay considers this proprietary information. That also means others cannot learn from the errors or oversights.
The inmates involved may still use email on their tablets, but they cannot download games or music until they repay what was taken. Of the $225k, $65k has been recovered. The involved inmates also received disciplinary offense reports.

Lessons
This incident emphasizes the need for SecDevOps, i.e. building security into the development cycle, including testing of the payment and credit logic against abuse by the people who use the system every day. Without sufficiently trained and experienced staff, issues like this will continue. People will keep looking for different ways to break the hardware and software.

Resources
Andone, D. (2018, July 27). Idaho prisoners hacked tablets and gave themselves $225,000 in credit. Retrieved from https://www.cnn.com/2018/07/27/us/idaho-inmates-hack-tablets/index.html
Digital Trends. (n.d.). Idaho prisoners hack $225,000 in credits from jpay computer tablets. Retrieved from https://www.digitaltrends.com/mobile/inmates-hacks-jpay-tablets/
Fortin, J. (2018, July 27). Idaho inmates hacked prison service for $225,000 in credit. Retrieved from https://www.nytimes.com/2018/07/27/us/idaho-prison-hack-jpay-nyt.html
Fussell, S. (2018, July). Inmates ‘hack’ prison issued tablets, swiping $225,000 in app bucks for music and games.
Hatmaker, T. (2018, July 27). Idaho inmates hacked prison-issued tablets for $225,000 in credits. Retrieved from https://techcrunch.com/2018/07/27/inmates-idaho-jpay-hack/
KTVB. (2018). After tablet hack-or glitch?-many rooting for Idaho inmates. Retrieved from https://www.ktvb.com/articles/news/local/idaho/after-tablet-hack-or-glitch-many-rooting-for-idaho-inmates/277-578135801
Law, V. (2018, July 27). How a group of imprisoned hackers introduced jpay to the world. Retrieved from https://www.wired.com/story/how-a-group-of-imprisoned-hackers-introduced-jpay-to-the-world/
McDermid, B. (2018, July 27). Idaho inmates hacked prison tablets and stole $225,000. Retrieved from https://www.engadget.com/2018/07/27/inmates-jpay-tablet-hack-email-music-games-idaho/  
Statt, N. (2018, July 26). Idaho prison inmates exploited tablet vulnerability to steal $225,000 in credits. Retrieved from https://www.theverge.com/2018/07/26/17619972/idaho-prison-inmates-tablet-hacks-jpay-stolen-credits-250-thousand
Vaas, L. (2018, July 30). Prisoners exploit tablet vulnerability to steal nearly $225k. Retrieved from https://nakedsecurity.sophos.com/2018/07/30/prisoners-exploit-tablet-vulnerability-to-steal-nearly-225k/


Monday, November 19, 2018

Insider Threats Still Viable

A business's InfoSec team plans at length for attacks from external sources and, through incident response, for the compromises that follow when those attacks succeed. External threats come from across the globe and take a significant amount of time to plan for; the team may harden the network, provide training, and take other measures against them. One area that has not been examined as closely is the insider threat, which is difficult to defend against. Admins may attempt to limit each employee's permissions to their role, among other measures, but a misconfiguration leaves a gap. The system can log the workflow, but logs require analysis, which takes time, and certain people may have write access to the logs and could modify them to show that no wrongdoing occurred. A recent incident of this kind involved the Chicago Public Schools.

Perpetrator
The issue started with Kristi Sims, a 28-year-old contract worker. Her unauthorized access was discovered, she was fired, and she was later charged with computer tampering and four felony counts of identity theft. Her access was granted because of her position with the Chicago Public Schools (CPS).
There are contract workers in CPS in varying capacities, working with various data throughout the school year. Most of the time there is no issue.

Acts
The contractor's responsibilities included conducting background checks on CPS employees. That role required access to gather certain relevant data and upload it into the system; it did not require, and did not authorize, downloading data from other files. Sims nonetheless illegally downloaded the personal data of district employees that her access allowed her to reach. Approximately 80,000 CPS employees, contractors, volunteers, and vendors were affected. She was fired, and the CPS Board of Education found that she had accessed and downloaded the personal data.

Data
The affected people's data has value to many others, much to their detriment. The data downloaded and exfiltrated included names, addresses, dates of birth, criminal background information and history, employee ID numbers, phone numbers, and potentially information from the state Department of Children and Family Services.
Fortunately, this did not include social security numbers. Investigators said they were not aware of the data having been shared with other unauthorized parties. Once law enforcement executed a search warrant, the files were retrieved.

Follow-Up
As a result of the issue, CPS conducted a forensic audit, focused on computers and cell phones.
The insider threat is problematic. The business wants to fully trust its employees, but that can be difficult, and when the company over-monitors employees there is a perceived trust issue. Although this compromise was low-tech, it still caused a mass of work to correct, and the contractor faces legal issues for an extended period.
There should be a greater level of control in place to reduce the opportunity for this to recur: access scoped to the role, alerts on bulk reads and exports, and audit records that the people being audited cannot alter.


Resources
Chicago Sun-Times. (2018, November 4). Ex-cps employee steals info on 80,000 people in latest data breach. Retrieved from https://wsoe.org/ex-cps-employee-steals-info-on-80000-people-in-latest-data-breach/
Crews, J. (2018, November 2). Ex-CPS employee stole personal info on 80,000 people in data breach. Retrieved from https://wgntv.com/2018/11/02/ex-CPS-employee-stole-personal-info-on-80000-people-in-data-breach/
Dissent. (2018, November 2). Ex-chicago public schools worker accused of stealing info on 80,000 people in latest data breach. Retrieved from https://www.databreaches.net/ex-chicago-public-schools-worker-accused-of-stealing-info-on-80000-people-in-latest-data-breach/
Edwards, B. (2018, November 1). Fired CPS employee steals personal data of 70,000 people, charged with multiple felonies. Retrieved from https://chicago.cbslocal.com/2018/11/01/cps-employee-data-theft/
Spoerre, A., & Crepeau, M. (2018, November 3). CPS worker charged with illegally downloading personal data of district employees. Retrieved from https://www.chicagotribune.com/news/local/breaking/ct-met-crime-hickory-hills-woman-charged-school-identity-theft-2018-1102-story.html
The Associated Press. (2018, November 4). Worker charged with illegally downloading personal data. Retrieved from https://www.thestate.com/news/business/national-business/article221113415.html
Victory, L. (2018, November 2). Fired CPS employee charged with stealing database containing files on 70,000 people. Retrieved from https://chicago.cbslocal.com/2018/11/02/cps-data-breach-fired-employee-kristi-sims-charged-stolen-database-personal-information-identity-theft/


Saturday, November 10, 2018

Insider threats still viable


There are colleges and universities throughout the nation, in small and large communities. One of particular note is the Savannah College of Art and Design (SCAD), located in Georgia. The school naturally has to monitor and secure its campus; the area cannot be open and accessible to anyone without some form of staff there to protect the students. SCAD contracted with G4S Secure Solutions to accomplish this.

Unauthorized Data Exfiltration
A supervisor accessed dozens of social security numbers, along with work hours and pay rates, belonging to G4S employees. The supervisor sent this data to other G4S workers through unsecured personal Yahoo and Gmail accounts, and also left hard copies in one of the patrol vehicles. Nearly 60 people were affected. After G4S discovered the issue, the company allegedly attempted to hide that the data had been mishandled.

Actions After the Exposure
Naturally, the affected people were exceptionally upset. They are suing G4S Secure Solutions over their personal data being treated like a crossword puzzle. Of the roughly 60 people affected, 39 joined the lawsuit, which seeks damages and years of credit monitoring.

Insider Threats
This is a blatant example of an insider threat. Companies have to trust their staff to do the right thing, and at times that trust is misplaced. Allegedly, the supervisor accessed these records, emailed them, and printed them off, leaving the hard copy in a patrol vehicle used by others. Whether there was intent will be established as the lawsuit progresses. At a minimum, it shows what can happen: this insider threat could have been far more expansive, and the data could have spread much further than a few Yahoo and Gmail accounts.


Resources
Davis, A. (2018, October 15). SCAD security contractor facing lawsuit. Retrieved from https://www.wsav.com/news/local-news/only-on-3-scad-security-contractor-facing-lawsuit/1526250688

WTOC. (2018, October 17). Security company sued after alleged information leak. Retrieved from https://www.wtoc.com/2018/10/17/security-company-sued-after-alleged-information-leak/

Water processing utilities under attack!

There are a number of high-value targets for attackers to pursue, offering both 15 minutes of fame and data to exfiltrate. One industry that has not received the attention it deserves from the cybersecurity community is the water utility sector. The service it provides is required by civilization, and any problem in the process is a potential disaster for every person and business using the water after treatment.

A recent incident occurred in North Carolina at the Onslow Water and Sewer Authority. The utility's computers, including PCs and servers, were attacked, and the perpetrator attempted to deploy ransomware.

This was not a complete success for the attackers. The utility's customer information was not compromised, although other databases were affected. The attacks began on October 3, 2018. Fortunately, the compromise was limited; had it pivoted to the systems that manage the water treatment process, the outcome could have been far more serious.

This does, however, highlight an issue. The water treatment industry has not been receiving the attention it should. The risks are directly pertinent to consumers and the commercial sector, and the effects of adulterated water tend to be serious.

Resources
AP. (2018, October 15). Feds investigate after hackers attack water utility. Retrieved from http://www.hastingstribune.com/feds-investigate-after-hackers-attack-water-utility/

AP. (2018, October 16). Feds investigate after hackers attack water utility. Retrieved from https://www.securityweek.com/feds-investigate-after-hackers-attack-water-utility

Associated Press. (2018, October 15). Feds investigate after hackers attack water utility. Retrieved from https://www.washingtontimes.com/news/2018/oct/15/feds-investigate-after-hackers-attack-water-util/

Associated Press. (2018, October 15). Feds investigate after hackers attack water utility. Retrieved from https://www.wsoctv.com/news/north-carolina/feds-investigate-after-hackers-attack-wate-utility/853625381/

The State. (2018, October 15). Feds investigate after hackers attack water utility. Retrieved from https://www.thestate.com/news/business/national-business/article220064300.html

Sutter Health Medical Records Issue

Medical records hold a mass of data, including not only diagnoses but often payment information and health insurance details. The sale price of each individual record may not be large; the value lies in the data itself and in how the records are bundled.

Access to medical records is limited; not every person in a medical facility requires it. The data may tempt staff to view records they are not authorized to see, whether out of curiosity or with malicious intent to exfiltrate and sell them. In prior years this has happened with celebrities and other prominent figures.

Another incident of this type occurred recently. Sutter Health in California fired two employees after they accessed medical records. Many people are allowed to view medical records as part of their role, but these staff members were not authorized to do so. The two employees allegedly accessed the medical records of Joseph DeAngelo, the man suspected of being the Golden State Killer.

Naturally, medical records must be held in an exceptionally secure manner and accessed only by authorized parties, and only when required for their position. That includes data segregation and encryption, but above all authorization, backed by access logging and regular audits of who viewed which record; the control that failed here was the authorization step, not encryption.

Minnesota Department of Human Services Email Compromise

State agencies are in a rather unique position. Their revenue is relatively stable year after year; unlike a retailer, they cannot hold a sale to generate additional revenue periodically through the year. Expenses, on the other hand, generally increase annually at various rates depending on the products or services. Inflation does not stop, and it raises the cost of the inputs to every product or service. A municipality or state facing a shortfall must get creative or raise taxes, which tends to be very unpopular, and this leads to cost-cutting. The cuts may fall on staff training, leaving the agency fiscally unable to train its staff on certain measures, e.g. phishing awareness. Recently an expensive issue of this kind arose at the state of Minnesota Department of Human Services.

Attack Vector
As with many industries and businesses across the nation, phishing continues to be an issue, and a successful one for attackers. This was recently the case with the Minnesota Department of Human Services. With this kind of attack all it takes is one person in the right department, and the attacker is able to halt workflow completely. In this case, two employees clicked on a phishing link or attachment, and two employee email accounts were compromised. Once the accounts were compromised, the attackers had access to the confidential data held within them. The department worked through this in the summer of 2018, specifically on June 28th and July 9th.

The circumstances warrant a simple, direct question. The first attack was noted, managed, and worked through by the department, management, and the IT department. This was a significant issue that took a mass of time and resources to analyze, review, and remediate (if done correctly). Given that, and the more than minimal total cost, the circumstances would appear to warrant additional training so it would not occur again. Curiously, there was a second successful phishing attack, very soon after the first. It almost seems as though the IT security team did not notice the first attack.

Once the second attack was detected, the email account was naturally secured. As with any phishing campaign, this did not involve focusing on only one user; many others were targeted.

Target
As noted, the state of Minnesota Department of Human Services was targeted. The department stores a mass of data on thousands of people, and this data is communicated throughout the department from user to user, through different systems, and through various other channels. While users handle it day in and day out and are almost desensitized to its sensitivity, it has intrinsic value to attackers and is marketable to many unauthorized parties across the globe.

Data Exfiltrated
Unfortunately for the department, data was accessed. It included clients' social security numbers, medical information, employment records, and financial details. Other information on a second tier, still marketable and useful, included full names, telephone numbers, and addresses. This is still pertinent, although attackers could gather it from other sources with moderate ease.

While the emails were accessed, the department was unable to fully verify whether the data had been exfiltrated. This could have been much worse, but it is notable that the state was unsure. Attackers would not go through the full effort of compromising the accounts just to note that they did it; they treat this like a business. The more probable result is that they accessed and exfiltrated the data for their own use or for sale. Mailbox audit logging that records which messages were read, searched, and forwarded is what answers that question after the fact; without it, an organisation has to assume exfiltration.

Remediation
As PHI was involved, the department was required to notify the affected people, with notifications due by October 9th. A significant level of forensic work was involved. The attackers would have compromised the email system, exfiltrated what they could from it, and attempted to pivot to other systems to gain further access. The department appears to have a systemic issue, as evidenced by the two attacks in close succession, and there should be additional phishing awareness training.


Resources

Brown, D. (2018, October 12). Minnesota department of human services issues notice to residents after data breach. Retrieved from https://www.clinical-innovation.com/topics/privacy-security/minnesota-dhs-issues-notice-residents-data-breach

Davis, J. (2018, October 12). Two phishing attacks on Minnesota DHS breach 21,000 patient records. Retrieved from https://www.healthcareitnews.com/news/two-phishing-attacks-minnesota-dhs-breach-32-patient-records

HIPAA Editor. (2018, October 12). Phishing attacks on minnesota dhs potentially compromised phi of 21,000 patients. Retrieved from https://www.hipaanswers.com/phishing-attacks-on-minnesota-dhs-potentially-compromised-phi-of-21000-patients/

HIPAA Journal. (2018, October 12). Minnesota dhs notifies 21,000 patients that their PHI has potentially been compromised. Retrieved from https://www.hipaajournal.com/minnesota-dhs-21000-patients-phishing-attack/

Rodgers, B. (2018, October 11). Minnesota DHS subject to two data breaches, officials say. Retrieved from https://kstp.com/news/minnesota-dhs-subject-to-two-data-breaches-officials-say/5104784/

Schubert, K. (2018, October 18). Phishing scam hits minnesota state agency: 21,000 accounts affected. Retrieved from http://www.brainerddispatch.com/news/government-and-politics/4516152-phishing-scam-hits-minnesota-state-agency-21000-accounts

Smith, K. (2018, October 12). About 21,000 minnesotan’s information affected in data breach from department of human services. Retrieved from http://m.startribune.com/about-21-000-minnesotans-information-affected-in-data-breach-from-department-of-human-services/497266381

Cosmos Bank Compromise

Banks are a universal feature throughout the world, existing under varied forms of government, in various asset sizes, and making loans of every size, from micro-loans of a few hundred dollars to millions of dollars. India is no different from other countries in this respect. One of its banks is Cosmos Bank, the second largest cooperative bank in the country, based in the western city of Pune.

Attack
Banks are attacked and compromised for two primary reasons. There is ample personal data on the clients, including but not limited to legal name, address, credit score, national identification number (the equivalent of a social security number), account numbers with balances, and an epic amount of further data. There is also the small matter of the money itself, which may be exfiltrated physically or digitally.

The attack occurred from August 11 to 13, 2018. Malware was placed on the bank's ATM servers, which approve transactions. What made this work so well was that the core banking system normally receives debit card payment requests through a switching system. After the firewall had been bypassed, the attackers inserted a proxy switch into the network and diverted the request flow around the legitimate switch; approvals for the fraudulent payments were then issued by this unauthorized proxy, so the core banking system never saw the requests it was supposed to validate.

The attack operation itself occurred within the three days and was well-planned. It was carried out in multiple phases. First, there were 12k-15k withdrawals from the affected accounts within a relatively short time period. The fraudulent proxy server approved the transactions without verifying the card’s authenticity. These 12k withdrawals added up to a rather significant amount, and a majority of them occurred overseas. The full list of countries in which these occurred had not been released yet; a sample includes Canada, Hong Kong, India, and others. The ATM portion of the overall attack operation occurred within 7 hours in these 22-28 countries with 450 cloned cards. Curiously, many of these transactions occurred in Canada. Even with these specific security issues, the bank’s chairman stated the bank’s security systems had not been compromised. Clearly, this operation was well-managed.

Later in the day on August 11, 2018, there were another 2,800 card transactions used to steal 2.5 crore rupees. Also, 944m rupees, or $13.5M USD, was wired to a Hong Kong-based entity. On August 13, 2018, the last day of the attack, $2.1m USD, or 13.94 crore rupees, was wired to ALM Trading Ltd., a Hong Kong company. The wires or transfers were done within the SWIFT system.

After the Attack
As a natural standard operating procedure, the bank filed a complaint with the police. The bank alleged in the complaint that the malware used by the attackers to breach the system was also used to clone the customers’ cards. Given the extent of the breach and what the attackers were able to accomplish, the situation makes one question what fraud and cybersecurity processes were in place at the bank and “actively” working.

The bank’s response, in a statement, was that the bank had adequate IT security in place, although the facts do not support this interpretation. The bank also contracted with a professional cybersecurity forensic agency, which began reviewing the logs. As the investigation continues, there are a number of questions left to be answered. These include:
How many ATMs were used for the withdrawals across the various countries?
A large number of people had to be involved to operate and manage the attacks. What entity was the primary managing entity for the operation across all the countries?
With this large number of cards used in so many countries, who created and distributed these cards?
There should have been a fraudulent activity monitoring system in place, yet no issues were noted through the majority of the attack. Was it actively monitoring the system’s transactions in real time?
The attack and exfiltration were unfortunate; however, this was a well-planned and distributed attack. There are many areas to be reviewed.
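As an added illustration, not part of the original post or of any Cosmos Bank system, here is the kind of real-time check a fraud monitoring system would run over ATM authorization logs: a genuine card cannot be in two countries minutes apart, and a burst of foreign withdrawals far above the normal rate is itself an alert. The log layout, card ids, thresholds and home country are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample ATM authorization log (assumed layout, not real bank data):
# timestamp card_id country amount_in_rupees
SAMPLE_LOG = """\
2018-08-11T02:00:00 C001 IN 5000
2018-08-11T02:03:00 C002 CA 20000
2018-08-11T02:04:00 C002 HK 20000
2018-08-11T02:05:00 C003 CA 20000
2018-08-11T02:06:00 C004 CA 20000
2018-08-11T02:07:00 C005 CA 20000
2018-08-11T02:08:00 C006 HK 20000
2018-08-11T09:00:00 C007 IN 3000
"""

def parse_log(text):
    """Parse log lines into (timestamp, card, country, amount) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        ts, card, country, amount = line.split()
        rows.append((datetime.fromisoformat(ts), card, country, int(amount)))
    return sorted(rows)

def card_geo_alerts(rows, window=timedelta(hours=2)):
    """Flag a card used in two different countries within `window`.
    A genuine card cannot travel that fast; a cloned card can."""
    last_seen = {}   # card -> (timestamp, country) of its previous use
    alerts = []
    for ts, card, country, _ in rows:
        prev = last_seen.get(card)
        if prev and prev[1] != country and ts - prev[0] <= window:
            alerts.append((card, prev[1], country))
        last_seen[card] = (ts, country)
    return alerts

def burst_alerts(rows, window=timedelta(minutes=10), threshold=5, home="IN"):
    """Flag timestamps at which the count of foreign withdrawals in the
    trailing `window` reaches `threshold` (assumed baseline; a real system
    would derive it from historical volume)."""
    recent = deque()
    alerts = []
    for ts, _, country, _ in rows:
        if country == home:
            continue
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts
```

With the sample above, the cloned card C002 (Canada, then Hong Kong one minute later) and the foreign withdrawal burst starting at 02:07 both fire before the window of the attack closes.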


Resources

Dimitrova, M. (2018, August 16). Indian Cosmos Bank malware attack ends with theft of $13.5 million. Retrieved from https://securityboulevard.com/2018/08/indian-cosmos-bank-malware-attack-ends-with-theft-of-13-5-million/

Goswami, S. (2018, August 17). Police investigate Cosmos Bank hack. Retrieved from https://www.bankinfosecurity.com/police-investigate-cosmos-bank-hack-a-11379

Hindu Business Line. (2018). Cosmos Bank’s server hacked; Rs 94 cr siphoned off in 2 days. Retrieved from https://www.thehindubusinessline.com/money-and-banking/cosmos-banks-server-hacked-rs-94-cr-siphoned-off-in-2days/article24675

Inamdar, N. (2018, August 14). 15,000 transactions in 7 hours: Cosmos Bank’s server hacked, Rs 94 cr moved to Hong Kong. Retrieved from https://www.hindustantimes.com/india-news/15-000-transactions-in-7-hours-cosmos-bank-s-server-hacked-rs-94-cr-moved-to-hong-kong/story-wazUXZs3LRhcbPlg7Lyx

Jadhav, R. (2018, August 14). India’s Cosmos Bank loses $13.5 mln in cyber attack. Retrieved from https://www.reuters.com/article/cyber-heist-india/indias-cosmos-bank-loses-135-mln-in-cyber-attack-idUSL4N1V55l1G

Nichols, S. (2018, August 15). India’s Cosmos Bank raided for $13m by hackers. Retrieved from https://www.tgheregister.co.uk/2018/08/15/cosmos_bank_raided/

PTI. (2018, August 14). Cosmos Bank’s server hacked; Rs 94 crore siphoned off in 2 days. Retrieved from https://enconomictimes.com/industry/banks-server-hacked-rs-94-crore-siphoned-off-in-2=days/articleshow/65399477/cms

Tanksale, M., & Iyer, S. (2018, August 14). Pune-based Cosmos Bank loses Rs 94 crore in cyber attack. Retrieved from https://timesofindia.indiatimes.com/busienss/india-business/pune-based-cosmos-bank-loses-rs-94-crore-in-cyber-hack/cyber-hack/articleshow/65399204.cms

Sunday, November 4, 2018

PDQ breached!

PDQ is a restaurant chain in several states in the US. Although based in Florida, the chicken chain has grown northward through many states. Although popular, it recently had an issue affecting primarily the restaurants in the Triangle region of North Carolina (NC).

Attack
If you enjoyed eating at the restaurant within the last year and paid with a credit card, it would be prudent to check your credit accounts in detail, as the credit card information may have been affected by an attack. The business was targeted; the attackers went through their cycle of reconnaissance and other steps, and successfully attacked and compromised its credit card system. Naturally, since this is where the data is located, the attackers focused their attention on this area.

After the breach was successful and the attackers had removed the data they wished, the compromise was discovered much later, and PDQ hired a cybersecurity firm for the forensic work. The firm assuredly would be much better equipped to research the specifics of the attack and compromise. The investigation's focus may not be limited to the credit card system alone, since the breach may have been much more expansive if the attackers were able to pivot from this point into other data-intensive areas. The restaurant, in response to the confirmed breach, informed the North Carolina Department of Justice on June 23, 2018.

Time Frame
After the forensic team analyzed the breach, the team determined that the time frame in which the attackers had unfettered access was May 19, 2017, to April 20, 2018. The attackers had complete access to the credit card system for 11 months. The attackers were done with their data gathering in late April 2018. The company learned of the breach on June 8, 2018. If the attackers had not gathered as much data as they did, they would have continued until at least June 8th.

Given the extent of the overall breach, it would be difficult to detail how many clients were actually affected. Presumably, the attackers would work to secure all of the credit card information; however, they may not have gathered everything over the entire period the system was compromised.

Attack Vector
Clearly, the attack was successful, as the attackers had an extended time in the system, unknown to the company, and exfiltrated a large amount of data, also unknown to the cybersecurity team.

The attackers are believed to have gained entry into the system through a third-party vendor’s remote connection tool. This is much like so many other compromises of larger companies’ systems, including a retail establishment from years ago. Here also, the entry to the credit card system was through the vendor’s access.

This also brings to the forefront the issue of trusting vendors without asking them to complete cybersecurity questionnaires. Companies need to vet the third parties they engage for work. The lack of cybersecurity diligence here has been costly to many retail establishments.

Data Exfiltrated
The attackers, of course, had planned on securing whatever data they could market. This included all or a portion of the clients' names, credit card numbers, expiration dates, and cardholder verification values. This data is readily sold on the dark web and elsewhere and creates a bit of a bother for the affected parties.

Client Recommendation
As the company was breached and data exfiltrated, the situation obligated some form of guidance to be provided to the affected parties. Not all of the affected parties would be savvy enough to know what to do, or possibly even have the inclination. The North Carolina Department of Justice recommended freezing their credit with the credit reporting agencies (Equifax, Experian, and TransUnion). This is a good step; however, there are issues with it. If the client were to apply for additional credit, the client would need to unfreeze their credit, wait 3-5 days, apply, and later re-freeze their credit. Although this does work well, it tends to be cumbersome whenever a third party needs to pull the client's credit.

If they do not freeze their credit, the clients also need to check their credit report regularly. This provides for a regular review: if the client’s identity were used fraudulently, any issues could be managed early on. Although still requiring effort to remediate, this would contain the ongoing issue.

Thoughts
The attackers had access for 11 months. This is clearly far too long for unauthorized parties to have unfettered access. The InfoSec team, or at the least their SIEM, should have noticed the unfamiliar IP addresses accessing the system at unusual times, or the data being exfiltrated night after night.

The attackers did not return after April 20, 2018, yet the breach was not discovered until June 8. This suggests the attackers had secured their quota of credit card numbers; it may be they had all the data they could use. This lag allowed the attackers to begin marketing the data unchecked and unknown to PDQ. Had the breach been found much earlier, the damage could have been limited in some form or manner.
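An added example, not from the original post or from PDQ, of the two signals the post says a SIEM should have caught: the vendor's remote-access account logging in outside the agreed maintenance window from an address not on the vendor's allow-list, and large outbound transfers from that address recurring night after night. The log layout, account name, IP addresses, allow-list and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed remote-access log (assumed layout, not PDQ's data):
# timestamp account src_ip bytes_out
SAMPLE_LOG = """\
2018-03-01T14:05:00 vendor-svc 203.0.113.10 12000
2018-03-01T23:40:00 vendor-svc 198.51.100.7 850000000
2018-03-02T23:42:00 vendor-svc 198.51.100.7 910000000
2018-03-03T10:00:00 vendor-svc 203.0.113.10 9000
2018-03-03T23:39:00 vendor-svc 198.51.100.7 880000000
"""
KNOWN_VENDOR_IPS = {"203.0.113.10"}   # assumed allow-list agreed with the vendor
MAINTENANCE_HOURS = range(8, 19)       # assumed 08:00-18:59 support window

def parse_log(text):
    """Parse log lines into (timestamp, account, src_ip, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        ts, account, ip, out = line.split()
        rows.append((datetime.fromisoformat(ts), account, ip, int(out)))
    return rows

def off_hours_unknown_ip(rows):
    """Sessions from an address not on the allow-list, outside the window.
    Either condition alone is suspicious; together they should page someone."""
    return [(ts.isoformat(), ip) for ts, _, ip, _ in rows
            if ip not in KNOWN_VENDOR_IPS and ts.hour not in MAINTENANCE_HOURS]

def nightly_exfil_pattern(rows, byte_threshold=100_000_000, min_nights=3):
    """Source addresses that moved at least `byte_threshold` bytes out,
    after hours, on at least `min_nights` distinct nights: the
    'night after night' exfiltration signal."""
    nights = defaultdict(set)   # src_ip -> set of dates with a large transfer
    for ts, _, ip, out in rows:
        if out >= byte_threshold and ts.hour not in MAINTENANCE_HOURS:
            nights[ip].add(ts.date())
    return sorted(ip for ip, days in nights.items() if len(days) >= min_nights)
```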


Resources

CBS 17 Staff. (2018, June 25). PDQ restaurant customer credit card info hacked in ‘cyber attack,’ officials say. Retrieved from http://www.cbs17.com/

Charles, A. (2018, June). Restaurant chain PDQ says customer’s credit card info was hacked. Retrieved from https://www.wral.com/restaurant-chain-pdq-says-customer-s-credit-card-info-was-hacked/17649050/

Derickson, C. (2018, June 26). Chicken chain customers’ credit card information at risk. Retrieved from https://www.newsobserver.com/news/business/article2138644864.html

Goud, N. (2018, June). Database of PDQ restaurant hacked and sensitive info leaked. Retrieved from https://www.cybersecurity-insiders.com/database-of-pdq-restaurant-hacked-and-sensitive-infoleaked 

Malik, J. (2018, June 27). Popular US fast food chain hit by data breach. Retrieved from https://www.informationsecuritybuzz.com/expert-community/popularus-fast-food/

Spectrum News Staff. (2018, June 23). Cyberattack impacts NC PDQ restaurant. Retrieved from https://spectrumlocalnews.com/nc/triangle-sandhills/news/2018/06/23/cyberattack-impacts-nc-pdq-restaurants

WTVD. (2018, June 23). PDQ data breach exposes customers’ credit card information. Retrieved from http://abc11.com/pdq-data-breach-exposes-customers-credit-card-information/3643475

Verdict Food Service. (2018, June 26). Restaurant chain PDQ reports data breach incident. Retrieved from https://www.verdictfoodservice.com/news/restaurant-chain-pdq-data-breach/

Monday, October 22, 2018

Zombies, power outage, and phishing: Oh my!

Lake Worth is much like any other community working through its daily operations. Every day was nearly the same as the day before. Unfortunately, there was a power outage on May 20, 2018. As part of the protocol, an alert was sent to the residents. Unfortunately, along with the alert came a message that the power outage was due to zombie activity. This was sent between 1:41 a.m. and 1:45 a.m. on Sunday, May 20, 2018. This memorable message went to approximately 7,880 residents.

The message was intended to be cute; however, it was indicative of a much larger problem. The city's notification system had been compromised, and not by 'extreme zombie activity'.

Attack
On the surface, this appears to take the form of an old-school attack, perpetrated not for profit but for notoriety. This would work to better the attacker(s)' credibility among peers. This attack and compromise are worthy of a much deeper analysis, as they clearly indicate a significant vulnerability in the system.

What makes this compromise worse is that it was the second event of this nature in a week. The other involved the online utility payment system.

In this case, a city employee's email account was compromised and used to access the system. This entry point was verified. To reach this point, a phishing attack was probably used.

Lessons Hopefully Learned
Granted, the message that was sent was funny. Certainly all involved are glad the message was not destructive in nature. If the attackers had been malicious, the outcome could have been much worse. If the message had instead stated that a hurricane or tornado was headed for the municipality within an hour and everyone was required to leave now, there would have been mass hysteria and, at the least, the potential for auto accidents.

The compromise is indicative of the underlying issue, however. With the successful phishing attack, the attacker knows there is and will be the opportunity for further successful attacks. The municipality truly needs to step up its employee training from the once-a-year mandatory session, which bores most of the staff, to periodic, more engaging training regimens. Perhaps even an internal phishing campaign would be useful to gauge how successful the internal training has been.


Resources
Alanez, T. (2018, May 21). South Florida city warns residents of extreme zombie activity. Retrieved from http://www.sun-sentinel.com/local/palm-beach/fl-pn-zombie-alert-lake-worth-20180521-story.html

Capozzi, J. (2018, October 10). Lake Worth 'zombie alert' hacker used a city email to breach system. Retrieved from https://www.mypalmbeacpost.com/news/lake-worth-zombie-alert-hacker-used-city-email-breach-system/

Palm Beach Post. (2018, May 23). National, social media has way too much fun with Lake Worth's 'zombie alert'. Retrieved from https://www.palmbeachpost.com/news/new-nation-social-media-has-way-too-much-fun-with-lake-worth-zombie-alert/

Rodriguez, D. (2018, May 22). A fake 'zombie outbreak' alert alarms Lake Worth residents. Retrieved from https://www.tampabay.com/news/A-fake-Zombie-Outbreak-alert-alarms-Lake-Worth-residents-_168461999

Ross, M. (2018, May 22). Lake Worth falsely sends out 'zombie' alert during power outage. Retrieved from https://www.palmbeachpost.com/news/breaking-news-breaking-lake-worth-falsely-sends-out-zombie-alert-during-power-outage/

Shatzman, M. (2018, May 22). Where did the zombies come from in Lake Worth? Retrieved from http://www.sun-sentinel.com/local/palm-beach/fl-pn-lakeworth-zombie-alert-05222018-story.html

Sputnik International. (2018, May 23). Florida apocol-lapse: US city's residents mistakenly warned of zombie attack. Retrieved from https://sputniknews.com/viral/201805231064710940-zombie-alert-warning-message/