Thursday, December 26, 2019

Vehicle repair shops: Likely target


Vehicles are found throughout society. People may have multiple vehicles at a residence for their children, spouse, or as collectibles. These are also used in multiple ways for an increasing number of years. As the vehicles age, they tend to need more repairs. The establishments repairing vehicles do much of the work manually, but the backbone of their operations still runs on computers. Where there is an issue with the system, the garage does not operate well. This is especially a problem when malware is introduced into the system of a chain of garages.

Kwik Fit is one of these organizations, a chain of garages focused on repairing vehicles. The organization had the misfortune to be targeted and successfully attacked. The issue became apparent when its clients began to complain on Twitter. The symptom which brought this on was that clients could not reach the business when calling. The complaints began to pick up, as it appeared the call center was down. Naturally, this was a significant issue for the business. While they began the investigation, management acknowledged via a tweet that they were having technical difficulties. This was from the malware being introduced into the system. It does appear this was a ransomware attack; however, the details were not reported.

The effect of this was rather quick and direct. The business was not able to accept and schedule work or process orders. The system was down from January 26 to at least February 1, 2019. They don’t believe any of their clients’ records had been breached. On a positive note, they did state that customers’ financial information was not stored there.

It would have been much more helpful to the industry if a bit of the attack information had been shared. Granted, this is not the optimal situation; however, once the damage was done and the issue remediated, others could have learned from this.
Resources
Corfield, G. (2019, January 31). Kwik-fit hit by MOT fail, that’s malware on target. Retrieved from https://www.theregister.co.uk/2019/01/31/kwik_fit_malware_it_systems_down/
IT Pro. (2019). Kwik fit hit by malware, knocking out IT systems. Retrieved from https://www.itpro.co.uk/security/32880/kwik-fit-hit-by-malware-knocking-out-it-systems
Rumney, S. (2019, January 30). Kwik fit garages hit by computer virus. Retrieved from https://www.bbc.com/news/technology-47062480
Winant, D. (2019, February 1). Kwik fit hit by malware knocking out IT systems. Retrieved from https://seclists.org/dataloss/2019/q1/105

Tuesday, December 24, 2019

The kids are alright! But the network isn't!


K-12 schools are throughout our landscape in small towns and large cities. The number of students varies per region, requiring small buildings or one large enough for a medium-sized business. They may be located on short, two-lane roads or primary thoroughfares. When we drive by these, we know they are educational facilities teaching the next generation. While the primary focus is the same for these institutions, there is another commonality. These have some form, be it rudimentary or complex, of a network holding a massive amount of data, managing operations where needed and facilitating email communications. One issue with these networks has been cybersecurity. With tightening budgets, it has become tough to get everything done as planned.

Attack
One such school system is Wolcott Public Schools, located in Connecticut, which was attacked successfully. The attackers naturally had a full array of tools available to use. They chose an all too familiar one, which has proven to be very effective: ransomware. The use of ransomware has proven itself over the last two years to be an epidemic. The attack started in May 2019, at the end of the school year. The district, in vain, attempted to manage this issue internally. Ransomware, with select tools, may be able to be removed by the target, but this is true in very few cases, mostly with the early variants, which may still be in use. The issue came to a tipping point and needed to be brought in front of the town officials when the district was not able to correct it.

Effects
The successful attack had deep-rooted effects on the school. Had this affected only one user’s workstation, it would have been a much different case. They were forced to lock down several servers. While these were locked down, they were not able to access or work with any of the data secured on them. Fortunately, a portion of the files was located in other locations as back-ups. While this sounds unpleasant, consider all of the learning activities that could not occur while the files were encrypted. On the bright side, no student data was compromised.

Remediation
This was a rather significant issue. Having data tied up and not usable is problematic for anyone. With a school district, there are timelines involved with reporting data to the state and possibly federal agencies. Post-detection, the school district did contact the FBI about the ransomware. The focus with this, naturally, was who was behind the attack.

As noted, the affected systems were shut down for all purposes. Once the school IT workgroup decided they were not going to be able to fix the issue, they consulted with the Wolcott Board of Education. The risks and benefits of paying the ransom were discussed and debated. The Board of Education approved the ransomware payment by a vote of 6 to 1. The hope was to secure the decryption key. The amount noted for the payment was up to the amount the town charter would allow, or $9,999. This was the ceiling amount. An amount greater than this would require a bidding process and an extended amount of time, which is something they did not have. Without the ransom being paid and the decryption key provided, a portion of the middle and high school files would not be usable in any form. In this incident, of the schools in the district, the high school, middle school, and central office only had a back-up server.

Comments & Concerns
Ransomware has become an epidemic and a massive issue across many industries. Any business connected to the internet is susceptible to this. One fact not covered in the publications is the method of infiltration. This may have been an employee clicking on a link or file, inviting the malware in through the front door and allowing it to scurry about the network. Ransomware training is a necessity in this day. The employees need to know what to look for, as a constant reminder. In the case of an individual oversight, which generally is a detriment at such a significant level, the employees need to know what to do.

Resources
Backus, L. (2019, August 30). FBI probes hacking of CT school’s computer. Retrieved from https://www.ctpost.com/local/article/FBI-probles-hacking-of-CT-school-s-scomputers-14401437.php
Data Breaches. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-colcott-public-schools/
WFSB. (2019, August 30). Cyber attack affects Wolcott public schools. Retrieved from https://www.wfsb.com/news/cyber-attack-affects-wolcott-public-schools/
Johnson, K. (2019, August 28). Ransomware attack targets Wolcott public schools. Retrieved from https://www.nbcconnectictu.com/news/local/Ransomware-attack-targets-wolcott-public-schools-558610611.html
Passmore, S. (2019, August 30). Board passes motion to allow Wolcott superintendent to pay ransom after cyber attack. Retrieved from https://www.weny.com/story/40985421/board-passes-motion-to-allow-wolcott-superintendent-to-pay-ransom-after-cyber-attack

Thursday, December 19, 2019

Automakers still targeted: Toyota Australia Attacked


The auto manufacturing industry maintains a massive amount of intellectual property. This is based on legacy systems and models, along with current models. A gold mine within this realm are the models being designed and the new technologies in the vehicles presently and planned for the future. This not only includes electrical engineering but also everything associated with autonomous drive vehicles. This concept has been in process for well over a decade. An attacker breaching a system and exfiltrating code, which had taken over a decade to get to a workable level, would gain something of rather significant value. The well-used ransomware attack, with its positive results for the attacker, also would be a good fit for this scenario.
With any attack vector with a reasonable potential for a breach, an auto manufacturer certainly is a viable target. An attack in early 2019 certainly exemplified this.
Target
Toyota Australia is an OEM located in Australia. As with the other vehicle manufacturers, there is a wealth of data to exfiltrate or leverage for the attacker’s gain. The business was targeted and attacked in February 2019.
Methodology
The attack began on February 20, 2019. With this attack, as with many others, the details are scant. This could have been a great learning activity, especially since the defenses apparently held. The attacker’s focus was on the email system. This was not operating for at least three days, which crippled their communication, internal and external. Fortunately, the dealer network was not affected.
With this attack, since it was not successful, it would have been useful to know at least a portion of the details. If this had been a successful attack, one could understand why the details would not be made public until the issue was remediated.
Action
As the email system was being attacked, this mode of communication was not operational. The employees had to use other means to communicate with each other. While this was required in order to conduct business, the other methods and means may have had vulnerabilities and inherent, systemic risks. This includes having no control or monitoring over any confidential data leaving the business, which also was being sent through a third party.
The IT Department worked through the attack. At one point, they simply sent the staff home. The business also contracted with cybersecurity experts from around the globe to help with the issue.
Results
As noted, the email system was down for a few days. While a significant detriment, this was not critical. Toyota Australia released a statement noting, in part, that they believed after their investigation that private employee or customer data had not been accessed, which is a good thing. The IT Department was working diligently to have the affected systems operational ASAP.

Resources
Bites, C. (2019, February 21). Toyota Australia confirms cyber attack. Retrieved from https://www.itsecurityguru.org/2019/02/21/toyota-australia-confirms-cyber-attack/

Charlwood, S. (2019, February 21). Toyota Australia rocked by cyber attack. Retrieved from https://www.motoring.com.au/toyota-austrailia-rocked-by-cyber-attack-117076/

Duckett, C. (2019, February 21). Toyota Australia confirms ‘attempted cyber attack’. Retrieved from https://www.zdnet.com/article/toyota-australia-confirms-attempted-cyber-attack/

Moore, J. (2019, February 21). Toyota Australia confirms cyber attack. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/toyota-australia-confirms-cyber-attack/

SBS News. (2019, February 21). Toyota Australia embroiled in cyber threat. Retrieved from https://www.sbs.com.au/news/toyota-austraila-embroiled-in-cyber-attack

Tan, A. (2019, February 21). Toyota Australia under cyber attack. Retrieved from https://www.computerweekly.com/news/25248-86/Toyota-Australia-under-cyber-attack

Toyota. (2019, February 21). Toyota Australia statement re attempted cyber attack. Retrieved from https://www.toyota.com.au/news/toyota-australia-statement-re-attempted-cyber-attack


Wednesday, December 11, 2019

Here comes the judge! Oregon Judicial Department Pwned


Throughout each state, county, and city, there are court systems in place. Oregon is no different. In this specific case, Oregon Judicial Department includes the Oregon Supreme Court, Court of Appeals, Tax Court, Circuit Courts in each of the counties, and the Office of the State Court Administrator.
Attack
Phishing attacks are the premier attack being used throughout many industries. With the low cost and minimal tech involved with a phishing campaign, it is no wonder. The Oregon Judicial Department experienced a phishing attack and was not successful in defending itself. The attack began at 4:30am on July 15, 2019. The successful attack led to five email accounts being compromised. With any phishing attack, the level of success is dependent on who clicks the link, picture, or tool creating an attractive nuisance for the user to click. In this case, there were more than 6k persons affected. The affected parties had their personal data exposed.
Data
Each of the 6,607 affected persons, while individuals, has the same issue. The data exposed included the affected person’s personal data, including the name and full and partial dates of birth. There was also partial exposure of financial information, health information, and social security numbers. This is exactly what the attackers would need to use for identity theft or to sell on the dark web.
Remediation
The affected accounts were disabled within four hours of the issue being detected. The Oregon Judicial Department sent notices to the affected persons. The department will provide credit monitoring services to those affected by the breach. The department also did contact law enforcement and other agencies to assist with the forensic work.
Thoughts
Phishing and the subsequent associated issues (e.g. ransomware, viruses, backdoors, etc.) are a societal problem potentially affecting anyone connected to the internet. One aspect of the remediation which in theory is helpful, but may not be in the long run, regards the credit monitoring. The notice did not state how long this was to last. This is a bit of a moot issue. The data exfiltrated with the compromise is partially permanent (e.g. social security number). While the credit monitoring may last a year, for example, the issue will last well beyond this for the affected persons.

Resources
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack. Retrieved from https://www.seattletimes.com/seattle-news/northwest/oregon-judicial-department-hit-by-phishing-attack/
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack, personal information exposed. Retrieved from https://katu.com/news/local/oregon-judiciail-department-hit-by-phishing-attack-personal-information-exposed
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack. Retrieved from https://www.usnews.com/news/best-states/oregon/articles/2019-08-29/oregon-judicial-department-hit-by-phishing-attack
Associated Press. (2019, August 30). Oregon judicial department hit by phishing attack. Retrieved from https://democratherald.com/news/state-and-regional/oregon-judicial-department-hit-by-phishing-attack/
Breach Exchange. (2019, August 30). Oregon judicial department hit by phishing attack. Retrieved from https://www.bradenton.com/news/business/technology/article234530047.html

Monday, December 9, 2019

Still hacking the cars! MyCar provides yet another attack vector


Vehicles are found throughout society. A person can’t walk far without seeing one parked or driving. The vehicles manufactured within the last decade and going forward are and will continue to be connected. This may take the form of GPS to alert the driver where they are located, radio, internet access, and other beneficial functions.
While this connectivity clearly is helpful for the users, there are drawbacks. The connectivity allows for additional attack points. One of these recently detected and exploited was the MyCar app. This all began when the security researcher purchased a remote car starter for his girlfriend. As he installed this, he began to think through the process and whether it was secure or not. The attack and exploitation were presented by Jmaxx at DEFCON 2019. Having attended the presentation, I can say the issues were fully explored in a technical yet graspable manner.
MyCar
The app was created and is marketed by the Canadian company Automobility. The software is rebranded and sold under various other names, including MyCarKia, Visions MyCar, Carlink, and others. It allows the user to interact with the vehicle at a distance. This connection allows, among other functions, starting the car. This is especially useful when the user is in the office in the middle of January in the Midwest.
Vulnerability
The exploit affected over 60,000 vehicles. One vulnerability is enough of an issue; the more vulnerabilities, the more problematic the system. The flaws noted with this MyCar issue may, among other acts, allow the attacker to steal a vehicle. With the flaws exploited, the attacker has the ability to filter by the vehicle model they would choose. The flaw allows someone to locate, identify, unlock, and start the vehicle, along with triggering the alarm. The attacker could access any user’s data. The system was also open to SQL injection, allowing access to, and the ability to send commands to, any of the subject users’ vehicles. To document the viability of the issue and remove any speculation, Automobility issued a statement to the effect that the company was addressing this.
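The two flaws described above, an injectable query and a lookup that never checks which user owns the vehicle, shown side by side with a hardened form. This is an added example, not Automobility's or the researcher's code; the schema, user names, command list and query shapes are assumptions constructed for illustration.

```python
import sqlite3

# Constructed stand-in for a remote-start backend; table, rows and the
# command allow-list are assumptions, not anything from the MyCar service.
ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop", "locate"}


def make_db():
    """Build an in-memory database with a few constructed vehicle rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE vehicles (id INTEGER PRIMARY KEY, owner TEXT, model TEXT, vin TEXT)"
    )
    db.executemany("INSERT INTO vehicles VALUES (?, ?, ?, ?)", [
        (1, "alice", "Sedan", "VIN-A"),
        (2, "bob", "Pickup", "VIN-B"),
        (3, "carol", "Sedan", "VIN-C"),
    ])
    return db


def search_vulnerable(db, user, model):
    """Vulnerable form: the model string is concatenated into SQL, and the
    authenticated user is never used to scope the result, so any caller can
    enumerate every vehicle of a chosen model (or, with a tautology, all of them)."""
    sql = "SELECT id, owner, vin FROM vehicles WHERE model = '" + model + "'"
    return db.execute(sql).fetchall()


def search_hardened(db, user, model):
    """Hardened form: bound parameters, and ownership enforced in the WHERE clause."""
    return db.execute(
        "SELECT id, owner, vin FROM vehicles WHERE owner = ? AND model = ?",
        (user, model),
    ).fetchall()


def send_command_hardened(db, user, vehicle_id, command):
    """Issue a command only if it is allow-listed and the vehicle belongs to
    the caller. Returns (vin, command); raises ValueError or PermissionError."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command: {command!r}")
    row = db.execute(
        "SELECT vin FROM vehicles WHERE id = ? AND owner = ?",
        (vehicle_id, user),
    ).fetchone()
    if row is None:
        # Same response whether the id does not exist or belongs to someone
        # else, so the endpoint cannot be used to probe which ids are valid.
        raise PermissionError("vehicle not found for this user")
    return (row[0], command)


if __name__ == "__main__":
    db = make_db()
    probe = "Sedan' OR '1'='1"  # classic tautology where a plain model name is expected
    print("vulnerable:", search_vulnerable(db, "alice", probe))
    print("hardened:  ", search_hardened(db, "alice", probe))
    print("command:   ", send_command_hardened(db, "alice", 1, "start"))
```

Run stand-alone, the vulnerable search returns every row for the tautology while the hardened search returns nothing, and the command path refuses a vehicle the caller does not own.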
Danger
The issue is not only the vulnerability, but also what an attacker is able to do with it. For the subject vehicles, this allows unauthorized access by the attackers to start the vehicle, among other actions. This breach is significant and may also lead to life-threatening circumstances. If the vehicle were to be started in an enclosed area, e.g. a garage, this could lead to carbon monoxide poisoning for the occupants of the residence. Curiously, the researcher was able to collect 2k location points for the car over a 13-day period. Previously, it was unknown that the vehicle was collecting this much data.
Mitigation
Fortunately, the researcher did notify the organization so they could work on it. As of the presentation, the issues had been primarily resolved.
Resources
EHacking News. (2019, August 12). MyCar exposes thousands of vehicles to hackers. Retrieved from https://www.ehackingnews.com/2019/08/mycar-exposes-thousands-of.html
Greenberg, A. (2019, August 10). A remote-start app exposed thousands of cars to hackers. Retrieved from https://www.wired.com/story/mycar-remote-start-vulnerabilities/
IANS. (2019, August 11). Remote-based app exposed thousands of vehicles to hackers. Retrieved from https://auto.ndtv.com/news/remote-based-app-exposed-thousands-of-vehicles-to-hackers-2083648
IANS. (2019, August 11). Remote-based app exposed thousands of vehicles to hackers-details inside. Retrieved from https://www.timesnownews.com/technology-science/article/remote-based-app-exposed-thousands-of-vehicles-to-hackers-details-inside/467106

Friday, November 22, 2019

You are not even safe Down Under!


Throughout the nation, every municipality has some form of government. This may be minor, with only a handful of people working, as with a small town, or hundreds with the large cities. Within this range, every municipality has IT. This may be a few desktop computers or a massive network. This is the same in other countries, and Australia is not an exception. A recent breach occurred in Australia. The attack and subsequent breach were directed at Victorian government employees.
Attack
The breach occurred when the Victorian government directory was accessed without authorization and downloaded by the attackers. Although this is rather serious and a teachable moment, the details were not disclosed.
Data
In the broad scope of the environment and industry, the breach has a relative level of seriousness due not only to the breach itself, but also to the data. Approximately 30,000 Victorian public servants’ work details were accessed and downloaded. This included the list of government employees, work emails, job titles, and work phone numbers. The data may have also included their mobile phone numbers. Fortunately for the affected employees, this did not include any banking or financial information. Other private or sensitive data was likewise not included.
Uses
This list, while it does not include any financial information or sensitive PII, still is rather useful for the attackers. The set of uses, while still viable, is somewhat limited in scope. For instance, this may be used by anyone seeking to apply influence to any government decision (e.g. legislative, contracts, etc.). The list has all the attackers need to directly contact the appropriate parties for their inappropriate uses. This also could be used for phishing, spear phishing, and social engineering. With the list, the attacker would have a certain level of information that would be a good start to engineer a phishing or spear phishing attack. With this data, the attackers have the information they need to be successful in another attack. With the phishing and spear phishing attacks, there would presumably be a payload with malware or other malicious programs.

Resources
ABC News. (2018, December 31). Data breach sees Victorian government employees’ details stolen. Retrieved from https://www.abc.net.au/news/2019-01-01/victorian-government-employee-directory-dta-breach/10676932

Cyware. (2019, January 1). Hackers stole almost 30,000 Victorian public servants work details. Retrieved from https://cyware.com/news/hackers-stole-almost-30000-victorian-public-servants-work-details-3987b2fd

Thursday, November 21, 2019

Watch for supply chain management vulnerabilities


Blue Cross Blue Shield of Michigan is a medical insurer located in MI. Their clients are varied, work for employers from small to large-sized, and are located throughout the state.
Issue
BCBS uses contractors for various roles throughout the company. One vendor is COBX Co. COBX is a wholly-owned subsidiary of BCBS. The subsidiary is tasked with the Medicare Advantage Services for its clients. An employee of COBX had their laptop stolen on October 26, 2018. BCBS of Michigan notified approximately 15,000 Medicare Advantage members of a potential breach. The notification was done via letter. While this is not a good thing, it is pertinent that at least the laptop was encrypted and did require a password. Normally, this would be fine if the encryption was above a certain baseline protocol. The problem was that the employee’s credentials could have been compromised, meaning the person with the laptop would still be able to access the data.
Data
The affected BCBS customers’ social security numbers and financial information were not accessible from the stolen laptop, fortunately. The data that was available included the customer’s first name, last name, date of birth, gender, medication, diagnosis, provider information, and enrollee identification numbers.
Remediation
There had been no direct evidence the customers’ data had been accessed. With this type of issue, although there is no direct evidence of the data being used for malicious means, it does not mean it has not been used, and there is no guarantee it won’t be used in the near future. BCBS of Michigan noted there is a low chance of identity theft due to the nature of the data involved. BCBS is offering the affected parties AllClearID identity protection services. The term for this service is two years, and it is free to the customers potentially at risk. The contractor involved did have his credentials changed once the issue came to light. BCBS of Michigan is working with COBX in reviewing its policies and procedures. They are also putting additional safeguards in place.
Comments, Concerns, etc.
The laptop required a password for access and was encrypted, which required another password. Normally, this may be a non-issue, as with most industry-accepted encryption protocols, to brute force this or decrypt the data would require several lifetimes. Due to the announcement in the notice that the contractor’s credentials may have been compromised, this nearly leads me to believe the credentials may have been openly accessible, as in written on a post-it note on the laptop or otherwise easily acquired.
Resources
BCBS of Michigan. (2019, January 2). Data breach affects 15,000 medicare customers of blue cross blue shield of Michigan. Retrieved from https://www.cisomag.com/data-breach-affects-15000-medicare-customers-of-blue-cross-blue-shield-of-michigan/

Dissent. (2019, January 3). Double whammy: BCBS of Michigan policyholders hit by two breaches in December. Retrieved from https://www.databreaches.net/double-whammy-bcbs-of-michigan-policyholders-hit-by-two-breaches-in-December/

Haefner, M. (2018, December 31). BCBS of Michigan: Data breach may have affected 15,000 medicare members. Retrieved from https://www.beckershospitalreview.com/player-issues/bcbs-of-michigan-data-breach-may-have-affected-15-000-medicare-members.html

HIPAA Journal. (2018, December 31). 15,000 customers notified about blue cross blue shield of Michigan data breach. Retrieved from https://www.hipaajournal.com/15000-customers-notified-about-blue-cross-blue-shield-of-michigan-data-breach/

Livengood, C. (2018, December 28). Blue cross alerts 15,000 medicare customers of potential data breach. Retrieved from https://www.crainsdetroit.com/insurance/blue-cross-alerts-15000-medicare-customers-potential-data-breach

More attention needs to be paid to supply chain management


The Dental Center of Northwest Ohio provides dental services and is based in Toledo, OH. In order to focus on dentistry, the practice contracted with Arakyta to manage their IT services.
Breach
The Dental Center of Northwest Ohio’s vendor experienced a breach. Arakyta was breached on September 1, 2018. Arakyta contracted with a third party to investigate the issue. They found that an unauthorized person had accessed their server, and may have viewed and copied patient data. This also affected employees.
Attack
The attackers used ransomware to attack the dental center’s vendor, infecting the vendor’s computer systems. During this time it appears the systems were open to the attackers. It is notable that there were security measures in place; however, these were avoided by the attacker, much like a football player avoiding a tackle. The center is not sure how many patients were affected by this breach.
Data
As an additional issue for the practice, it appears the data may have been accessed. The disclaimer is there: as of January 2019, there was no evidence the data had been used in a malicious manner. While this is intended to calm the waters, there may not be signs for months or a year later. The data potentially accessed would be excessively useful for identity theft, fraud, and other nefarious uses. The data included the patient’s name, address, date of birth, social security number, state ID number, driver’s license number, medical treatment, medical history, diagnosis, clinical treatment information, medical record number, patient number, health insurance and benefits information, and financial account information. The data could be used in several different ways by different parties for many malicious purposes.
Remediation
Dental Center of Northwest Ohio is offering free credit monitoring and ID theft restoration services to the possibly affected parties and staff. While this is great and a step in the right direction, this does not solve the overall issue. People are not allowed to change certain information about themselves, i.e. social security number, and historical static data won’t change, i.e. medical treatments. These data points will be available for unauthorized use indefinitely. The Dental Center of Northwest Ohio and Arakyta are also reviewing policies and procedures and implementing additional security measures.
Comments, Concerns, Etc.
There are teachable moments to share with most things, and this would be one of those occasions. Granted, this would not be shared until the issue was resolved; however, this would still have been a lesson for others in the industry. Of course, the CISO/CTO does not want to have further light cast on the oversight; however, the issue, once resolved, should be documented and put in the past.

Resources
Barth, B. (2019, January 3). Dental center of NW ohio feels bite of ransomware attack on IT vendor. Retrieved from https://www.scmagazine.com/home/security-news/dental-center-of-nw-ohio-feels-bite-of-ransomware-attack-on-it-vendor/

Bratton, M. (2019, January 2). Data breach puts personal information at risk for patients, employees, of dental center of northwest ohio. Retrieved from https://www.13abc.com/content/news/Data-breach-puts-personal-information-at-risk-for-patients-employees-of-Dental-Center-of-Northwest-Ohio-503811171.html

Dental Center of Northwest Ohio. (2018, December 28). RE: Dental center of northwest ohio, notice of data privacy event. Retrieved from https://www.prnewswire.comp/news-releases/re-dental-center-of-northwest-ohio-notice-of-data-privacy--event-300771300.html

HIPAA. (2019, January 2). Vendor of dental center of northwest ohio suffers ransomware attack. Retrieved from https://www.hipaajournal.com/vendor-of-dental-center-of-northwest-ohio-suffers-ransomware-attack/


Tuesday, November 19, 2019

Tivit's Breach

There are IT firms across the globe on every continent. Even in Antarctica there is an IT function for the networks and other technical equipment. Brazil is no different. Tivit is a Brazilian IT services provider. In addition to this line of business, they also provide other business process services.
Attack
Any attack generally is focused on the target’s data or money. This instance was no different. The attack focused on Tivit clients’ data. Nine Tivit employees fell victim to a phishing email campaign. This exposed the clients’ credentials online. The successful attack was confirmed by Tivit. For this to be so successful, all it took was the nine employees clicking on a link. The attack was able to gain access to data from 19 other companies. These included the kitchen appliance manufacturer Faber, Swiss insurance company Zurich, Brazilian financial organization Banco Original, software firm SAP, and many more. The attackers were successful enough that they had gained access to Tivit’s database. Fortunately, the attack scope was limited only to the nine systems breached. The datacenters and client networks were not affected.
Detection
One would think an IT service provider would have some form of a SIEM present and actively managed. The logs would simply be too huge for a human to make much sense of. There should be a staff sufficiently supported so that when there is an issue, it may be detected and resolved. This apparently was not the case. The breach was not detected by Tivit, but by DefCON Lab. The signs included that this affected various databases and servers in the cloud. DefCON Lab found nearly one thousand lines of code containing internal company routines and credentials of different large enterprise clients. The data appears to have included internal process documents for the organization.
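The kind of finding described above, internal routines carrying live credentials, is something the provider could have caught itself by scanning its own code and script stores. The scanner below is an added example, not Tivit's or DefCON Lab's code; the rules, the entropy threshold and every sample line are constructed assumptions, and the report redacts what it finds so the scanner's output does not re-leak the secret.

```python
import math
import re

# Pattern rules: the group named "secret" is what gets redacted in the report.
RULES = [
    ("hardcoded-password", re.compile(
        r"""(?i)\b(?:pass(?:word|wd)?|pwd|secret)\s*[:=]\s*['"](?P<secret>[^'"]{4,})['"]""")),
    ("credentials-in-url", re.compile(
        r"""(?i)\b[a-z][a-z0-9+.\-]*://[^\s/:@'"]+:(?P<secret>[^\s@'"]+)@""")),
    ("basic-auth-header", re.compile(
        r"""(?i)authorization\s*[:=]\s*['"]?basic\s+(?P<secret>[A-Za-z0-9+/=]{8,})""")),
]

# Fallback heuristic: a long quoted token assigned to a variable, judged by entropy.
ASSIGNED_TOKEN = re.compile(
    r"""\b[A-Za-z_][A-Za-z0-9_]*\s*[:=]\s*['"](?P<secret>[A-Za-z0-9+/=_\-]{20,})['"]""")
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex sits close to 4.0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(line, match):
    """Return line with the matched secret replaced by '***'."""
    return line[:match.start("secret")] + "***" + line[match.end("secret"):]


def scan_lines(lines):
    """Scan an iterable of text lines; return findings with secrets redacted."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit = None
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                hit = (rule, m)
                break
        if hit is None:
            m = ASSIGNED_TOKEN.search(line)
            if m and shannon_entropy(m.group("secret")) >= ENTROPY_THRESHOLD:
                hit = ("high-entropy-token", m)
        if hit:
            rule, m = hit
            findings.append({"line": number, "rule": rule, "text": redact(line, m).strip()})
    return findings


def scan_text(text):
    """Convenience wrapper for scanning a whole file's contents."""
    return scan_lines(text.splitlines())


# Constructed sample resembling an exposed internal routine; not real data.
SAMPLE = """\
# sync_payroll.sh -- nightly internal routine (constructed sample)
export DB_URL="postgres://svc_payroll:Wint3r!2018@db.internal:5432/payroll"
curl -H "Authorization: Basic c3ZjOlN1cGVyU2VjcmV0" https://api.example.invalid/v1/jobs
LOG_LEVEL=info
password = "hunter2hunter2"
API_TOKEN = "f7c1a9b3e5d04f8a9c2b6e1d3a5f7c9b"
echo "done"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']:>3}  {f['rule']:<20} {f['text']}")
```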
Remediation
Tivit was working through the issue. The organization also contracted with legal resources and an IT support firm to ensure this did not happen again.
Comment
It is interesting that an IT company fell victim to a phishing attack. The number of victims was also notable. This issue continues to emphasize the need for employee training, throughout the year, even for IT companies.

Resources
Cyware. (2018, December 17). Massive data breach hits Brazilian IT firm tivit. Retrieved from https://cyware.com/news/massive-data-breach-hits-brazilian-it-firm-tivit-d47dc056

Mari, A. (2018, December 14). Brazilian IT firm tivit suffers data breach. Retrieved from https://www.zdnet.com/article/brazilian-it-firm-tivit-suffers-data-leak

Sunday, November 17, 2019

Not even games are safe!


Fortnite is an extremely popular video game developed by Epic Games. It is played online with other players. There are more than 80M users across the world. In this game, as with many others, the goal is to survive.
Issue
Given how widely the game is played, there should have been thorough security testing for it. It appears this was not the case, as a security flaw exposed Fortnite users. The flaw allowed attackers to record users during play without their knowledge and to access other sensitive data. The issue was discovered by Check Point in November 2018.
Operation
The attackers appear to have leveraged an insecure web page that Epic Games had created in 2004. They sent phishing emails to Fortnite users linking to this old website. The phishing emails did indeed appear to be from Epic. The attackers made it very easy for the users, in that all a target had to do was click a link. This would give the attackers access to the user's account. It did not require the user to log in. This was done through the tried and true XSS attack.
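The mechanics of a reflected XSS flaw of the kind described above, and the two defensive controls that matter for it, shown as an added example in Python. This is illustrative code written for this post, not Epic Games' code or the actual vulnerable page; the URL, the page template and the cookie name are constructed. The vulnerable renderer copies an untrusted query parameter straight into HTML; the hardened renderer escapes it first, and the cookie helper shows the HttpOnly flag that keeps a session token out of reach of any script that does run in the page.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed link of the kind a phishing email would carry: the "q" parameter
# holds a harmless marker script so the test can tell raw from escaped output.
CONSTRUCTED_LINK = "https://example.invalid/search?q=%3Cscript%3Edocument.title%3C%2Fscript%3E"


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_results_vulnerable(url: str) -> str:
    """The defect: the untrusted parameter is reflected into HTML unchanged,
    so any markup in the link executes in the victim's browser (reflected XSS)."""
    q = _query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_results_hardened(url: str) -> str:
    """Same page, but the value is HTML-escaped before insertion, so '<', '>',
    '&' and quotes arrive as entities and the browser treats them as text."""
    q = _query_param(url, "q")
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def session_cookie_header(token: str) -> str:
    """Set-Cookie header for a session token (hypothetical cookie name).
    HttpOnly hides the token from document.cookie, so even a script injected
    through an XSS flaw cannot read it; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_raw_script(rendered: str) -> bool:
    """True when a literal <script tag survived into the rendered page."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable :", render_results_vulnerable(CONSTRUCTED_LINK))
    print("hardened   :", render_results_hardened(CONSTRUCTED_LINK))
    print(session_cookie_header("constructed-token"))
```

Output encoding at the point of insertion is the fix for the flaw itself; the HttpOnly cookie limits the damage if a flaw is missed, which is why both belong in a web application's baseline.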
Effects
When exploited, this vulnerability allowed the attackers to:
a) Take over Fortnite accounts,
b) Make unauthorized purchases with the user's in-game virtual currency,
c) Eavesdrop on the player's chat, and record the player's chat.
This may also have exposed users' credit card data and other personal information. Due to this, complaints were filed with the Better Business Bureau. The users alleged Epic Games did not protect their data.
Remediation
Epic Games took down the 2004 website which caused these issues. The company also recommended that players not reuse passwords, use strong passwords, and not share account information with others; in other words, the basic security recommendations.
Lessons Learned
Our environment is not static. It changes all too often. We need to monitor it frequently to check for issues and updates. The company needs to know its web apps and endpoints, and scan these periodically.

Resources

Knoop, J. (2019, January 17). Epic patches Fortnite security hack that may have exposed more than 200 million players' accounts. Retrieved from https://finance.yahoo.com/news/epic-patches-fortnite-security-hack-210300634

Oliver, M. (2019, January 18). Fortnite security flaw exposed 80 million players to hacking risk. Retrieved from https://kslnewsradion.com/1896932

Silverstein, J. (2019, January 19). Fortnite security flaw exposed millions of users to being hacked. Retrieved from https://www.cbsnews.com/news/fortnite-security-flaw-exposed-millions-of-users-to-being-hacked/

Tribune Media Wire. (2019, January 18). Fortnite security flaw exposed 80 million accounts. Retrieved from https://wnep.com/2019/01/18/fortnite-security-flaw-exposed-80-million-accounts/

WGNWeb Desk. (2019, January 16). Fortnite security flaw exposed 80 million accounts. Retrieved from https://wentv.com/2019/01/16/fortnite-security-flaw-exposed-80-million-accounts/

Tuesday, November 12, 2019

Oh, the irony: Anti-ransomware firm pwned with ransomware


PerCSoft is a Wisconsin business. The organization provides online data backup services for dental offices. This operates by placing data in the cloud. They had hundreds of dental offices as clients. The focus was to secure the patient medical records and other data from the various attacks, including ransomware.
Irony
The irony of this pwnage has not fallen on deaf ears. In this industry, though, the irony rarely has this much depth. The firm's function was to secure backups for their clients, for the instances where there would be an issue with the client's data, such as a natural disaster or a successful ransomware attack. In their marketing materials, safety from ransomware is emblazoned. The organization whose function was to secure data from ransomware had its own files encrypted with ransomware, making them inaccessible.
Ransomware
PerCSoft, the online data backup service, was successfully attacked with ransomware. This attack encrypted files for approximately 400 US dental offices. It appears the tool used was Sodinokibi, a ransomware variant also known as Sodin or REvil. This variant has been tied to a critical vulnerability in Oracle WebLogic Server, CVE-2019-2725, with a severity score of 9.8/10; that flaw is a deserialization remote code execution vulnerability. The ransomware was designed to encrypt files and delete the shadow copy backups. This prevents the victim from recovering the data from other sources and puts the victim in a very difficult situation.
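The shadow copy deletion described above is one of the few loud, early signals a ransomware deployment gives off, and it is one a SIEM rule can catch before encryption finishes. The following is an added example in Python, not from PerCSoft or any of the cited reports: it runs a small set of detection patterns over constructed Windows process-creation events (the hosts, users and the backup agent path are all made up). The command lines matched (`vssadmin delete shadows`, `wmic shadowcopy delete`, `wbadmin delete catalog`) are the standard built-in tools that ransomware abuses to destroy local recovery points; a listing command such as `vssadmin list shadows` is deliberately left unflagged to keep the rule from firing on routine administration.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (e.g. Sysmon Event ID 1 or
# Windows 4688 after normalisation). Hypothetical hosts and users.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "svc_backup", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS12", "user": "jdoe",       "cmdline": "vssadmin.exe list shadows"},
    {"host": "FS01", "user": "svc_backup", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS02", "user": "SYSTEM",     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS07", "user": "asmith",     "cmdline": "agent.exe --sync"},  # benign backup agent
]

# Each rule: (compiled pattern, rule name). Matching is case-insensitive because
# the tool names appear in mixed case in real telemetry.
RECOVERY_DESTRUCTION_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),  "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),  "wbadmin delete catalog"),
]


def classify_event(event: dict):
    """Return the name of the first rule the command line matches, else None."""
    for pattern, name in RECOVERY_DESTRUCTION_RULES:
        if pattern.search(event["cmdline"]):
            return name
    return None


def find_recovery_tampering(events) -> list:
    """One alert per event that matches a destruction rule."""
    alerts = []
    for event in events:
        rule = classify_event(event)
        if rule is not None:
            alerts.append({"host": event["host"], "user": event["user"],
                           "rule": rule, "cmdline": event["cmdline"]})
    return alerts


def hosts_to_escalate(alerts, min_distinct_rules: int = 2) -> set:
    """Hosts where several distinct destruction techniques fired: ransomware
    typically chains them, so this is the high-confidence subset to isolate first."""
    rules_by_host = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert["host"]].add(alert["rule"])
    return {host for host, rules in rules_by_host.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    found = find_recovery_tampering(SAMPLE_EVENTS)
    for alert in found:
        print(f"ALERT {alert['host']:<5} {alert['user']:<11} {alert['rule']}: {alert['cmdline']}")
    print("escalate:", sorted(hosts_to_escalate(found)))
```

Any single hit is worth a ticket; a host that trips two or more of these in a short window is worth isolating before the analyst finishes reading the alert, since the encryption phase usually follows immediately.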
Attack
The ransomware was detected on August 26. This was a relatively successful attack, and apparently profitable for the attackers, as they were paid. There were over 400 dental practices affected. To appreciate the full extent of just this aspect, imagine the number of patients seen every day, multiplied by two weeks, and then multiply this by 400, to be conservative. This attack did not merely affect a few offices, but also all the people that work there and the patients. The practices were not able to access patient history, charts, schedules, x-rays, or patient balances. I can only imagine how difficult this was to work through for the affected staff members and patients.
Remediation
PerCSoft ended up paying the attackers. While not published, this course may have been required, with their primary files and all of their backups encrypted or deleted, leaving them with no choice. It was not reported who was paid or how much. As of 8/29/2019, 80-100 of the 400 dental offices' files had not been decrypted. In these instances, the decrypt key did not work, which is an issue in itself. The restoration of the other offices was a bit slow. On a positive note, the organization did communicate on a regular basis with their clients and interested parties, through their Facebook postings among other means.
Defenses
Perhaps PerCSoft should have followed a few of the basic industry standards and processes to reduce the potential for an epic fail. The practices include:
· Backing up your data. This can be done on- or off-site. Dedup is an option, dependent on the circumstances and budget.
· System inventory. Over time, we tend to become complacent with the network. Periodically we should take an inventory of the assets on the network. This reduces the opportunity for missed patches and also detects any unknown or shadow assets using your equipment and network.
· Conduct cybersecurity training throughout the year and make it relevant. The once-a-year mandatory cybersecurity training done to check a box simply does not work. This needs to be done throughout the year with relevant, current training. Granted, your task is not to entertain the staff during these sessions; however, you still need to attract and retain their attention. This will help them internalize the message and apply it, at some level, to their work when the need presents itself. The alternative is to play the same VHS tape from the 1990s and have your staff in an infinite loop of mass password resets, patching vulnerabilities, scanning for issues, and headaches.
· Patch cycle. While this may not directly impact the ransomware attack, it is still prudent and an industry standard to address this with regularity, in addition to the critical and time-sensitive patches requiring immediate attention.
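A backup is only a backup if it restores, and the point about 80-100 offices whose decrypt key did not work shows why the first practice above needs a verification step, not just a copy job. The following is an added example in Python, written for this post rather than taken from PerCSoft or the cited articles: it builds a SHA-256 manifest of a live data set at backup time, then checks a restored copy against that manifest and reports files that are missing, altered (an encrypted file hashes differently from its original) or unexpected (such as a ransom note or a renamed `.locked` file). The directory layout, file names and contents in `demo()` are constructed in a temporary directory so the whole thing runs offline.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, forward-slash path) to its SHA-256.
    Taken at backup time and stored apart from the backup itself, this is the
    reference the restore test is measured against."""
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.
    ok: byte-identical; modified: present but hash differs (e.g. encrypted);
    missing: not restored at all; unexpected: files the original never had."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for relative, expected in manifest.items():
        candidate = restored / relative
        if not candidate.is_file():
            report["missing"].append(relative)
        elif sha256_file(candidate) != expected:
            report["modified"].append(relative)
        else:
            report["ok"].append(relative)
    report["unexpected"] = sorted(set(build_manifest(restored)) - set(manifest))
    return report


def demo() -> dict:
    """Constructed end-to-end run: snapshot a tiny 'practice' data set, restore it,
    then simulate a restore that brought back one encrypted file and a ransom note."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        (live / "charts").mkdir(parents=True)
        (live / "charts" / "patient_0001.txt").write_text("constructed chart record\n")
        (live / "schedule.csv").write_text("date,patient\n2019-08-26,constructed\n")
        manifest = build_manifest(live)           # taken at backup time
        shutil.copytree(live, restored)           # the restore itself
        # Simulated damage: one file came back encrypted, plus a stray note.
        (restored / "charts" / "patient_0001.txt").write_bytes(b"\x00\xffnot the original\x00")
        (restored / "schedule.csv.locked").write_text("constructed ransom note placeholder\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Run this against a real restore on a schedule (not only after an incident), keep the manifest somewhere the backup host cannot overwrite, and a non-empty `modified` or `missing` list becomes the alarm that the backup you are counting on is not one you can use.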
Lessons Learned?
PerCSoft paid the ransom, as noted previously. This may have been their only option given the circumstances. The organization may not have had backups of their clients' data. Having to pay the ransomware fee in order to operate is bad enough. This, however, should prompt you, in a researcher role, to wonder why a backup provider had to pay the attackers just to operate. There are generally so many issues with this avenue that it is hardly recommended.

Resources
Kobialka, D. (2019, August 29). Ransomware attack hits backup provider, US dental offices. Retrieved from https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/dental-offices-hit/

Krebs, B. (2019, August 29). Ransomware bites dental data backup firm. Retrieved from https://krebsonsecurity.com/2019/08/ransomware-bites-dental-data-backup-firm/

Kumar, M. (2019, May 1). Hackers found exploiting Oracle WebLogic RCE flaw to spread ransomware. Retrieved from https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html

Percsoft Dental Technology Consulting. (2019). Facebook posts. Retrieved from https://www.facebook.om/pg/percsoft/posts

Wei, W. (2019, August 30). Ransomware hits dental data backup service offering ransomware protection. Retrieved from https://thehackernews.com/2019/08/dds-safe-dental-ransomware-attack.html