Saturday, August 31, 2019

Augusta, ME Targeted and Successfully Pwned


Cities are being targeted at greater levels. Atlanta, Albany in New York, Baltimore, and Flint are merely a few of the recent examples. These successful attacks are not inexpensive, as the costs for the consultants, forensic cybersecurity subject matter experts, hardware, and other items add up. While a portion or even the majority of the costs may be recouped from the insurance company, the direct labor to re-enter data or restore the prior back-ups also affects operations for a varying length of time.
Target
For this round, Augusta, Maine was targeted and successfully attacked. Specifically, the Augusta City Center was targeted and pwned.
Attack
In this case, the attacker’s tool was ransomware. This has been a very successful tool for these attacks. All it takes is one employee. For Augusta, it appears an employee clicked on a file or link they really should not have. The attackers demanded over $100k for the decryption key. If they did not receive the funds, the threat was that the entire computer system would be shut down. One defensive measure against ransomware is the simple, yet pertinent, back-up. The city stored its data on a mass storage device. Thankfully this was not compromised as part of the attack.
Mitigations
As the attack’s symptoms were felt by the city, the IT department mitigated the issue by pulling cables from the computer equipment. This is somewhat basic; however, it was sufficiently effective. The immediate effect was to close the offices for two days. The IT department also froze the systems responsible for the municipal financial systems (i.e. payroll, accounts payable, and accounts receivable), billing, automobile services, assessor records, and general assistance. The plan was solid, as the IT department did not want this to spread further through the system.
Payment and Beyond
The city did not pay and had no intention of paying the ransom. In general, this is the preferred plan. For this option to work, however, there have to be viable back-ups, and these have to have been tested. The total costs were still significant. Most of these costs were overtime for the five-person IT department staff, who had to put in 80-100 hours over eight days. The staff were also tasked with re-entering data which was lost due to the outage. The system may have been down for 1-1.5 weeks. The city also investigated the issue in an attempt to find the attackers. This endeavor was not successful.
What We Can Learn
The attack vector was a seemingly inconspicuous email with a happy, little attachment or link. The click-happy staff member’s action took down the city’s systems. There is always an opportunity for cybersecurity training for the staff, with updates on the different attacks that may be directed at them.
Resources
AP Maine. (2019, April 29). Hacker wanted more than $100k to restore city computers. Retrieved from https://www.fosters.com/article/20190429/AP01/304299990

AP News. (2019, April 29). Hacker wanted more than $100k to restore city computers. Retrieved from https://www.caledonianrecord.com/news/region/hacker-wanted-more-than-k-to-restore-city-computers/article_  

Edwards, K. (2019, April 28). Augusta cyberattacker sought over $100,000 in ransom. Retrieved from https://www.pressherald.com/


Tuesday, August 27, 2019

Misconfigurations abound: This oversight affects 120 million Brazilians


For better or worse, there seem to be more instances of misconfigurations. This may be on servers, AWS, or other targets. The issues range from minor to rather significant (e.g. forgetting about application security and allowing anyone with an AWS account to log in to your instance). At this point, significant misconfigurations really should not be occurring. There are many opportunities and sources to learn from. One such oversight, a massive one, occurred in Brazil. Brazil is known for its celebrations. Unfortunately, this country is also becoming known for cybersecurity issues.
Affected
The issue with this particular breach is a misconfigured Apache server with CPF (Cadastro de Pessoas Físicas) numbers for nearly 120M Brazilians being exposed. The CPF is the identification number provided by the Brazilian Federal Reserve to Brazilian citizens and taxpaying residents. This is much like the US social security number. This number is not optional and is required for the monetary tasks of daily life (e.g. opening a bank account, opening a business, paying taxes, getting a loan, and other functions). The length of time these were exposed is unknown. As no one is sure how long the server was misconfigured, this could have been a lengthy period. It is notable and odd that this period of time cannot be estimated. Seemingly there should be a record memorializing when the server was configured. The data exposed includes the person’s name, birth date, email, phone number, address, employment details, bank account details, loans and repayment history, debit and credit history, voting history, voting registration number, and more. This is a wonderful collection for phishing and for taking over someone’s identity for fraudulent uses. To top off the issue, all of this data can be sold quite easily on the dark web.
Misconfiguration
The issue was discovered in March 2018. The web server was misconfigured to allow public access. Within its database, the file “index.html”, a default file, was renamed to “index.html_bkp”. For someone viewing the files, this would be a point of attention. With no index file present, the web server generated a directory listing of the files located within that directory. The files ranged in size from 27MB to 82GB. While the researchers at InfoArmor were working to understand who the owner of the server was, so they could be notified, they noted the 82GB file was replaced with a raw 25GB SQL file. The file name stayed the same. What may have happened is the directory was used to store a database backup, and the person creating and configuring this did not understand the files were publicly available.
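The Options setting that produces such a listing, beside the hardened form, as an added illustration that is not the exposed server's configuration (the reports do not reproduce it): both fragments are constructed, and audit_apache_config is an assumed, minimal checker that reads only Directory and FilesMatch blocks and evaluates a Directory's own Options line without merging inherited or .htaccess settings.

```python
import re

# Constructed config fragments, not the exposed server's real httpd.conf.
# Weak: Indexes is on, so a directory without index.html is listed, and a
# renamed "index.html_bkp" or a dumped .sql file is served to anyone.
WEAK_CONFIG = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Hardened: listing disabled, and backup/dump names refused outright.
HARDENED_CONFIG = """\
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<FilesMatch "(\\.(sql|bak|old|orig)|_bkp)$">
    Require all denied
</FilesMatch>
"""

# Constructed names of the kind the report describes; a sound config must refuse all of them.
BACKUP_NAMES = ["index.html_bkp", "dump.sql", "clientes.sql.bak"]


def _indexes_enabled(tokens):
    """Evaluate one Options line: All/Indexes/+Indexes enable listing, None/-Indexes disable it."""
    enabled = False
    for tok in tokens:
        if tok in ("All", "Indexes", "+Indexes"):
            enabled = True
        elif tok in ("None", "-Indexes"):
            enabled = False
    return enabled


def audit_apache_config(text):
    """Return a list of findings; an empty list means no listing and backup names are denied.

    Assumed minimal parser: only <Directory> and <FilesMatch> blocks are read, and a
    Directory's own Options line is evaluated without merging inherited settings.
    """
    findings = []
    current_dir = None
    current_files = None
    files_denied = False
    denied_patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line)
        if m:
            current_dir = m.group(1)
            continue
        if line.lower() == "</directory>":
            current_dir = None
            continue
        m = re.match(r'<FilesMatch\s+"([^"]+)"\s*>', line)
        if m:
            current_files, files_denied = m.group(1), False
            continue
        if line.lower() == "</filesmatch>":
            if files_denied:
                denied_patterns.append(re.compile(current_files))
            current_files = None
            continue
        parts = line.split()
        if current_dir is not None and parts[0].lower() == "options":
            if _indexes_enabled(parts[1:]):
                findings.append(f"directory listing enabled for {current_dir}: {line}")
        elif current_files is not None and line.lower() == "require all denied":
            files_denied = True
    for name in BACKUP_NAMES:
        if not any(p.search(name) for p in denied_patterns):
            findings.append(f"no FilesMatch rule denies access to {name}")
    return findings
```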
Notification
The researchers were able to find the email addresses associated with the server, and naturally emailed one of these. The email bounced back with the “User Unknown” response. Two further attempts were made. Finally, the researchers received a reply stating the hosts had contacted their clients about the legal issues with leaving the data exposed. The data, however, remained exposed and wide open for several weeks after this. Later that month, the server was secured.
Thoughts
Once the point of contact for the server was notified, it is curious why it took so long to correct the issue. The researchers had to attempt contact three times, and it still took several weeks to correct. One question is why the data was on a third-party server at all. This should not have been the case, as this is clearly rather significant confidential and sensitive data. It is also difficult to know who accessed the data and for how long.

Resources
Abrams, L. (2018, December 12). Taxpayer ID numbers for 120 million Brazilians exposed online. Retrieved from https://www.bleepingcomputer.com/news/security/taxpayer-id-numbers-for-230-million-brazilians-exposed-online/

Cyware. (2018, December 13). Misconfigured cloud server exposed taxpayer ID numbers of 120 million Brazilians. Retrieved from https://cyware.com/news/misconfigured-cloud-server-exposed-taxpayer-id-numbers-of-120-million-brazilians-91298892

InfoArmor. (n.d.). InfoArmor reports identification numbers of 120 million Brazilians exposed online. Retrieved from https://cdn2.hubspot.net/nubfs/3836852/PCOs/InfoArmor_Brazilian%20Exposure%20Report.pdf

Muncaster, P. (2018, December 13). Apache misconfig leaks data on 120 million Brazilians. Retrieved from https://www.infosecuritymagazine.com/news/apache-misconfig-leaks-data

S., Gurubaran. (2018). 120 million unique taxpayer ID numbers exposed online from misconfigured servers. Retrieved from https://gbhackers.com/120-million-unique-taxpayer/amp

Saturday, August 17, 2019

Lengthy Time to Report Compromise: 8 Months for PHI Theft

Sharecare Health Data Services (SHDS) offers a secure method for electronic exchanges of data. The organization also manages healthcare business medical records. The organization is located in San Diego, CA. 
Compromise 
The attack began with the unusual activity detected on June 26, 2018. The detected data was abnormal when compared to the normal baseline. This red flag began their investigation. The initial analysis was that the attackers had breached the defenses. The attackers had gained access to the systems which contained protected health information (PHI). This access may have started at the earliest on May 21, 2018. This unauthorized access includes 18,416 insurance members of Blue Shield of California. AltaMed patients, approximately 5,767 each, were also affected. The data included a buffet of data the attackers would use and sell. This included the name, address, birth date, unique patient number, address where the health services were provided, internal SHDS processing notes, and medical record numbers. The attackers had unfettered access from May 21, 2018, to June 26, 2018, or over a month. On June 26, 2018, the attackers accessed the data and exfiltrated this to sites overseas. This was reported to the other healthcare organizations directly affected by this on December 31, 2018. Fortunately, the patients’ social security numbers, financial information, and detailed clinical information were not accessed.
Notification
The unauthorized access began by at least May 21, 2018, and was detected on June 26, 2018. The reporting to the other affected healthcare organizations was December 31, 2018. The notice to the affected patients occurred on February 15, 2019. In addition to the client, the FBI was also notified.

The notification for the other healthcare organizations was for the breach and the potential for the data to have been accessed by these unauthorized parties. From the timeline, the extended period, over five months, for the other healthcare organizations to be notified was odd. There was no reason given for the five-month-plus reporting period. One of these affected healthcare organizations was AltaMed, with 5,500 of its patients being included in the compromised records pool. Oddly, to add confusion to the rationale, the patients affected by the breach were notified an additional 2.5 months later.
Mitigation 
After this was detected, SHDS contracted with Mandiant, the cybersecurity consultant, to help SHDS with the forensic analysis and review. On a positive note, once this was detected, immediate steps were put in place to cease the unauthorized access. SHDS enhanced its security to minimize the potential for further successful attacks. They also revised their data retention policies. The business contracted with a third party to monitor its data systems 24 hours a day, seven days a week. SHDS offered the affected patients a year of free credit monitoring and identity theft protection services through AllClear ID.
Questions/Lessons Learned
With a breach and compromise, time is of the essence. In most cases, it is not prudent to wait for extended periods to report a breach. In this instance, it took over five months to report this to the other healthcare organizations, whose patients were affected by this SHDS issue. Overall, it took nearly eight months to notify the affected patients. This is simply unacceptable. The organization had the list of affected parties and still elected not to inform them in even a remotely timely manner. 

It is difficult to imagine how their InfoSec team did not detect unauthorized access for over a month. It seems as though their SIEM would have detected this well before the mass amount of data was exfiltrated. The issue raises the question: was the SIEM fully integrated into the system, or were its filters/scripts not fully utilized?

Resources

Davis, J. (2019, February 19). Blue Shield, AltaMed patient data breached in business associate hack. Retrieved from https://healthitsecurity.com/news/blue-sheild-altamed-patient-dta-breached-in-business-associate-hack

Dissent. (2019, February 16). AltaMed, Blue Shield of California notify patients and regulators after breach at Sharecare Health Data Systems. Retrieved from https://www.databreaches.net/altamed-blueshield-of-california-notify-patients-and-regulators-after-breach-at-sharecare-health-data-services/

Garrity, M. (2019, April 29). AltaMed alerts 5,500 patients of data breach. Retrieved from https://www.beckershospitalreview.com/cybersecurity/altamed-alerts-5-500-patients-of-data-breach.html

HIPAA Journal. (2019, February 19). Patients receive notification of PHI theft 8 months after business associate data breach was detected. Retrieved from https://www.hipaa.journal.com/patients-receive-notification-of-phi-theft-8-months-after-business-associate-data-breach-was-detected/

Of all the targets, they chose a church!

The business email compromise (BEC) has been widely and wildly popular over the last three years. This is partially due to how very easy it is to execute: low technical skills required, low cost, and high reward when the attack is successful. This has been used as the attack method across many industries with varied success. The attack template is very simple. The attackers send the phishing email. One or more targets click the link or trigger the other specific attack mechanism. Their system becomes infected, allowing unauthorized access. Emails are then sent to the appropriate parties, generally in finance or accounting, directing them to change the bank account information for payments.
Target
The Saint Ambrose Catholic Parish was targeted in this case. This is the second-largest church in the Diocese of Cleveland. This is also the largest church in Brunswick, OH. There are 16,000 members and 5,000 families with the church. 
Attack
The attackers used the tried and true BEC attack, successfully. The attack was done with a phishing email. In this instance, two employee accounts had been compromised. The fraudulent email tricked the person into believing the contractor’s bank account information had changed and provided the new account information. This was discovered on April 17, 2019. The payments had been made, as they thought, for their Vision 2020 project. The payments were meant for one of the contractors (Marous Brothers Construction). These were not, obviously, received. The attackers were only focused on the money and did not attempt to pivot from the BEC attack to access the parish database or other areas of the system.
Post-Successful Attack 
Father Bob Stec sent a letter to the parish regarding the issue. This indicated the contractor contacted him and informed him the payments had not been received for the prior two months. The total payments not received by the legitimate party totaled $1.75M. The parish did file a claim with their insurance company. They also contacted the FBI and continued to work with them. The church also contracted with IT consultants to review their security stance. They also had all staff change their passwords, and verified the integrity of their database.
Thoughts 
With the BEC, the primary social engineering lever which makes this so useful is the lack of communication and staff not wanting to bother management and the C-level. The BEC depends on the targeted user not communicating with the alleged sender of the email. These may be strongly worded, indicating the transfer has to be done right away, and that there are financial implications if this is not done (e.g. significant lost discounts). All the person has to do is pick up their phone and call the other person for verification. This should be a standard operating procedure when working with accounts payable, and especially when dealing with cash or other liquid assets. It’s curious why these two users, whose email accounts were compromised, did not notice anything wrong with the transaction.


Resources 
Digital Munition. (2019, April 30). $1.75 million stolen by crooks in church BEC attack. Retrieved from https://www.digitalmunition.me/2019/04/1-75-million-stolen-by-crooks-in-church-bec-attack/

Gatlan, S. (2019, April 29). $1.75 million stolen by crooks in church BEC attack. Retrieved from https://www.bleepingcomputer.com/news/security/175-million-stolen-by-crooks-in-church-bec-attack/

Paganini, P. (2019, April 30). Saint Ambrose Catholic Parish: crooks stole $1.75M in BEC attack. Retrieved from https://securityaffairs.co/wordpress/84689/cyber-crime/church-bec-attack.html

University of Alaska Pwned!

Colleges and universities continue to be targeted based on the treasure of data stored in their system. This includes the students, faculty, and administrative staff’s names, addresses, email addresses, social security numbers, and many more data points per person, which are readily marketable on the dark web. While this is required for the university operations, this also has the tendency to bring unwanted attention from attackers, seeking their data. One such university is the University of Alaska. 
Breach
In the recent past, there have been many different attacks used against colleges and universities. In this case, the simplistic email phishing attack was successfully used. This was noticed when a portion of the users found their passwords had changed and there had been unauthorized access. The attackers were able to gain unauthorized access to names and social security numbers for the students, staff, and faculty. The attack itself took place in December 2016. As with most average or better phishing attacks, the email did appear to be legitimate. The attackers were able to gain access to many accounts thought to be secure. These accounts had student and employee information within each. The university was not completely sure if any person’s information was accessed. The university also stated they found no evidence of the emails with sensitive information being directly accessed.
Notification
The affected parties were significant in number for the University. There were approximately 25,000 students, staff, and faculty members’ data involved with this. The University sent letters to notify the affected students, staff, and faculty at the end of April. 
Mitigations 
On or about March 28, 2018, the review indicated the unauthorized party had accessed the account from January 31, 2018 to February 15, 2018. Once this was detected, the access was terminated and the system locked down. The breach was analyzed and reviewed. The affected persons receiving the notification letter may enroll in the free Identification Theft Loss Reimbursement Insurance Program. The policy insures up to $1M of losses. The persons, though, in the case of a loss, are required to prove the loss was due to the breach. This does not sound too difficult, yet proving and documenting this is very difficult given the circumstances. How would one document where exactly the attacker secured the data from? What if there is a loss and the fraudulently acting person cannot be found? To remove the potential for this to occur again, the University was training the staff to be more aware of phishing attacks and on better methods to handle and store sensitive and confidential data.
Questions and Lessons Learned 
The breach occurred in December 2016. The affected parties were not notified for five months. This gave the attackers five months to sell and otherwise work with the data without any interruption. This should have been addressed earlier so the affected persons would have had the opportunity to minimize the potential negative effects.


Resources
Associated Press. (2019, April 29). University of Alaska seeking people affected by data breach. Retrieved from https://www.usnews.com/news/best-statesalaska/articles/2019-04-29/university-of-alaska-seeking-people-affected-by-data-breach

Dissent. (2019, April 27). University of Alaska discovered a breach in February, 2018 that they are revealing now? Retrieved from https://www.databreaches.net/university-of-alaska-notice-of-data-breach/

E-Hacking News. (2019, April 29). Data breach at University of Alaska exposes personal information of students online. Retrieved from https://www.ehackingnews.com/2019/09/data-breach-at-university-of-alaska.html

Polk, L. (2019, May 31). University of Alaska: Thousands affected by data breach, including names, social security numbers. Retrieved from https://www.ktuu.com/content/news/University-of-Alaska-thousands-affected-by-data-breach-including-social-security-information-425538543.htm

Newspaper attacked!

Although print newspapers are having issues due to the online outlets, these are still present and noticeable throughout the communities and provide a valuable service. The newspapers have not been targeted over the last few years as frequently as others. These organizations don’t have PII or PHI to the extent others do, e.g. doctors’ offices or hospitals. These also don’t have a mass amount of money lying about. While there are other more viable targets, the newspapers certainly may have their systems focused on by the attackers.
Incident 
When the attack was first noticed, the management termed the issue a “glitch”. The attack ended up being detected on Saturday. Due to the attack, the organization was not able to print and deliver the Sunday paper. The IT staff detected the attack when they found the servers and computers had been breached by malware, which acted by encrypting the files. The malware also was infecting the systems for Tribune Publishing.
Ransomware 
The paper was a victim of ransomware. The systems and data were encrypted. The attackers used the Ryuk ransomware. This particular version was largely successful in late 2018. Generally, the attack operates such that the files are encrypted, and a ransom is paid for the decrypt key. 
Thoughts
Ransomware can be a real nightmare for the direct victims and indirect persons affected by the organization’s lack of operations. This has the ability to encrypt an entire system and data sets. If there are no viable back-ups in place, the situation has the unfortunate ability to be very interesting for the target. This highlights the need for a properly trained incident response team. 


Resources
Hand, L. (2019, April 28). Watertown newspaper hacked, cannot print Sunday edition. Retrieved from https://cnycentral.com/news/local/watertown-newspaper-hacked-cannot-print-sunday-editions

WWNY. (2019, April 28). Watertown Times attacked by malware; Sunday paper not printed. Retrieved from https://www.wwnytv.com/story/40279959/watertown-times-attacked-by-malware-sunday-paper-not-printed

Sunday, August 11, 2019

San Diego USD Pwned Hard!


High schools are much like universities and colleges, in that these hold a mass amount of data which may easily be sold. This assists in making them more of a target. This, coupled with their budgetary constraints, makes InfoSec difficult at times, as it recently was for the San Diego USD.
Attack
This compromise is a bit different than most of the others. The reports are that the school district is not sure of the attack vector; however, they believe this was the result of a relatively simple, yet effective, phishing attack. The attackers gained access by securing an authorized user’s credentials. In this case, the attackers gained and maintained their access for 11 months (January through November). This is odd. Seemingly, the school district’s SIEM would note the access at odd hours, the unusual number of accesses, the source IP being different from the other general log-ins, and the amount of data being exfiltrated. This would be the case, unless the school district did not have one in place during the attack. The school district finally became aware of this in October 2018.
Data
Generally, data is the end goal for the attacker. With it, they are able to generate revenue through sales of the data, use it as leverage against the target, etc. Through the compromise, the attackers were able to exfiltrate a significant amount of data. This encompassed 10 years of data, from the 2008-2009 school year to 2019, when the attack was detected. Approximately 500k students and staff were affected. In addition to the length of time the breach was open and the number of years of data exfiltrated, there is also the depth of data per affected person. This includes the first name, last name, date of birth, mailing address, home address, telephone number, student enrollment information (schedule, discipline incident information, health information, schools of attendance, transfer information, legal notices on file, attendance dates), social security number or state student number, emergency contact information, staff benefit information, and staff payroll and compensation data.
Notification
The notice for the affected parties was filed the Friday before Christmas in 2018. The breach would probably be one of the last things they would want to hear about just before the holiday. The post stated the school district had reason to believe their system was breached and the attackers may have accessed the data. This could not have been what the students and staff were hoping for as their Christmas gift!
Detection
With a phishing attack, the timing of the attack may be delayed based on the attacker’s code. The staff began to note emails that appeared to be odd. They naturally, and appropriately, reported these to their IT Department. As the next step should go, this was addressed by the IT Department as they recognized this really should not be happening. They ended up discovering the breach in October 2018.

The school district, once they knew of the breach, did not immediately shut down the attack. This does seem counter-intuitive. Once you know the attacker is in and exfiltrating a mass amount of data, seemingly prudence would dictate shutting down the attack vector. There was a rational reason for this. The school district wanted not only to clear the access, but also to identify the attacker and allow law enforcement to do their job. They did later reset the compromised accounts. From this point forward, they have been working to prevent unauthorized access.
Thoughts
The attacker had access for approximately 10 months. The SOC, or at the least any SIEM they had in place, should have noted some abnormal activity as the mass amount of data was being removed from their servers. Since the SIEM is automated, possibly the search parameters had not been put in place. This compromise emphasizes the need for phishing training for the staff. This should not be the once-a-year training where staff nod off while the canned presentation is playing. These need to be periodic (e.g. quarterly) and with current information. Without some form of connection, the staff will probably view this as yet another mandatory training session, and start working on other things instead of listening.
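The search parameters the paragraphs above (and the SHDS post's SIEM question) have in mind, as an added example that is not the district's or SHDS's SIEM content: the log lines are constructed, the 07:00-18:59 business-hours window and the 10x egress multiplier are assumed thresholds, and each user's baseline (known source IPs, busiest day) is learned from events before a cut-off date.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not the district's logs): timestamp, user, source IP, bytes served.
# The January lines are ordinary daytime activity; the 203.0.113.77 lines model a compromised
# account pulling bulk data at night from an address the user has never used before.
SAMPLE_LOG = """\
2018-01-10T09:12:05 jdoe 10.20.1.15 1200000
2018-01-11T14:40:11 jdoe 10.20.1.15 800000
2018-01-12T10:05:00 jdoe 10.20.1.15 950000
2018-01-10T08:30:00 asmith 10.20.1.22 400000
2018-01-11T16:10:00 asmith 10.20.1.22 350000
2018-02-02T02:17:43 jdoe 203.0.113.77 41000000
2018-02-03T03:05:10 jdoe 203.0.113.77 55000000
2018-02-05T10:01:00 asmith 10.20.1.22 500000
"""

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00-18:59 local time
EGRESS_FACTOR = 10             # assumed: alert when a day's bytes exceed 10x the user's busiest baseline day


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, nbytes = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, learn_until):
    """Per-user set of known source IPs and busiest daily byte total, from events before learn_until."""
    ips = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["ts"] < learn_until:
            ips[e["user"]].add(e["ip"])
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    return {"ips": ips, "peak_daily_bytes": {u: max(d.values()) for u, d in daily.items()}}


def detect(events, baseline, learn_until):
    """Return (rule, user, detail, when) tuples for post-baseline events that break the baseline."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    egress_flagged = set()  # one egress alert per user and day, not one per event
    for e in events:
        if e["ts"] < learn_until:
            continue
        user, day, when = e["user"], e["ts"].date(), e["ts"].isoformat()
        if e["ip"] not in baseline["ips"].get(user, set()):
            alerts.append(("new_ip", user, e["ip"], when))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, e["ip"], when))
        daily[user][day] += e["bytes"]
        peak = baseline["peak_daily_bytes"].get(user, 0)
        if peak and daily[user][day] > EGRESS_FACTOR * peak and (user, day) not in egress_flagged:
            egress_flagged.add((user, day))
            alerts.append(("egress_volume", user, f"{daily[user][day]} bytes", str(day)))
    return alerts


def run_sample():
    """Learn from January, then evaluate February against that baseline."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2018, 2, 1)
    return detect(events, build_baseline(events, cutoff), cutoff)
```

Only the compromised account trips the rules; the ordinary user's slightly larger February day stays well under the egress threshold.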

Resources
Allen, T. (2018, December 27). Notice of data breach. Retrieved from https://www.sandiegounified.org/sites/default/files_link/district/files/

Cimpanu, C. (2018, December 25). Hacker steals 10 years’ worth of data from San Diego school district. Retrieved from https://www.zdnet.com/article/hacker-steals-10-years-worth-of-data-from-san-diego-school-district/

Lilly, P. (2018, December 26). Hacker exploits San Diego school district school network, steals personal data on 500k students and staff. Retrieved from https://hothardware.com/news/hacker-exploits-san-diego-school-districts-network-steals-data

Malafronte, K. (2018, December 27). San Diego USD hacked, 10 years’ worth of data stolen. Retrieved from https://www.campussafetymagazine.com/technology/san-diego-school-district-hacked/

San Diego Unified School District. (2018, December). Data safety. Retrieved from https://www.sandiegounified.org/datasafety

Security Woes Department. (2018, December 26). Hacker steals ten years’ worth of data from San Diego school district. Retrieved from https://it.slashdot.org/story/18/12/26/1248222/hacker-steals-ten-years-worth-of-data-from-san-diego-school-district