Friday, November 22, 2019

You are not even safe Down Under!


Throughout the nation, every municipality has some form of government. This may be minor, with only a handful of people working, as in a small town, or hundreds in a large city. Within this range, every municipality has IT, whether a few desktop computers or a massive network. The same holds in other countries, and Australia is not an exception. A recent breach occurred there, directed at Victorian government employees.
Attack
The breach occurred when the Victorian government directory was accessed without authorization, and downloaded by the attackers. Although this is rather serious and a teachable moment, the details were not disclosed.
Data
In the broad scope of the environment and industry, the seriousness of this breach comes not only from the unauthorized access itself but also from the data taken. Approximately 30,000 Victorian public servants’ work details were accessed and downloaded. This included the list of government employees, work emails, job titles, and work phone numbers. The data may have also included their mobile phone numbers. Fortunately for the affected employees, this did not include any banking or financial information. Other private or sensitive data was likewise not included.
Uses
This list, while it does not include any financial information or sensitive PII, is still rather useful to the attackers. The set of uses, while viable, is somewhat limited in scope. For instance, the list may be used by anyone seeking to apply influence to a government decision (e.g. legislative, contracts, etc.), since it has everything needed to contact the appropriate parties directly for their inappropriate purposes. It could also be used for phishing, spear phishing, and social engineering. With the list, an attacker would have a certain level of information that is a good start for engineering a phishing or spear phishing attack, and enough to make a follow-on attack more likely to succeed. Such phishing and spear phishing attacks would presumably carry a payload of malware or other malicious programs.

Resources
ABC News. (2018, December 31). Data breach sees Victorian government employees’ details stolen. Retrieved from https://www.abc.net.au/news/2019-01-01/victorian-government-employee-directory-dta-breach/10676932

Cyware. (2019, January 1). Hackers stole almost 30,000 Victorian public servants work details. Retrieved from https://cyware.com/news/hackers-stole-almost-30000-victorian-public-servants-work-details-3987b2fd

Thursday, November 21, 2019

Watch for supply chain management vulnerabilities


Blue Cross Blue Shield of Michigan (BCBS) is a medical insurer located in Michigan. Its clients are varied, work for employers from small to large, and are located throughout the state.
Issue
BCBS uses contractors for various roles throughout the company. One vendor is COBX Co., a wholly-owned subsidiary of BCBS tasked with the Medicare Advantage services for its clients. An employee of COBX had their laptop stolen on October 26, 2018. BCBS of Michigan notified approximately 15,000 Medicare Advantage members of a potential breach. The notification was done via letter. While this is not a good thing, it is pertinent that at least the laptop was encrypted and required a password. Normally, this would be fine if the encryption was above a certain baseline protocol. The problem was that the employee’s credentials could have been compromised, meaning the person with the laptop would still be able to access the data.
Data
Fortunately, the affected BCBS customers’ social security numbers and financial information were not accessible from the stolen laptop. The data that was available included the customer’s first name, last name, date of birth, gender, medication, diagnosis, provider information, and enrollee identification numbers.
Remediation
There has been no direct evidence that the customers’ data was accessed. With this type of issue, although there is no direct evidence of the data being used for malicious means, that does not mean it has not been used, and there is no guarantee it won’t be used in the near future. BCBS of Michigan noted there is a low chance of identity theft due to the nature of the data involved. BCBS is offering the affected parties AllClearID identity protection services. The term for this service is two years and it is free to the customers potentially at risk. The contractor involved did have his credentials changed once the issue came to light. BCBS of Michigan is working with COBX in reviewing its policies and procedures. They are also putting additional safeguards in place.
Comments, Concerns, etc.
The laptop required a password for access and was encrypted, which required another password. Normally, this may be a non-issue, as with most industry-accepted encryption protocols, brute forcing this or decrypting the data would require several lifetimes. Because the notice announced that the contractor’s credentials may have been compromised, this nearly leads me to believe the credentials may have been openly accessible, as in written on a post-it note on the laptop or otherwise easily acquired.
Resources
BCBS of Michigan. (2019, January 2). Data breach affects 15,000 medicare customers of Blue Cross Blue Shield of Michigan. Retrieved from https://www.cisomag.com/data-breach-affects-15000-medicare-customers-of-blue-cross-blue-shield-of-michigan/

Dissent. (2019, January 3). Double whammy: BCBS of Michigan policyholders hit by two breaches in December. Retrieved from https://www.databreaches.net/double-whammy-bcbs-of-michigan-policyholders-hit-by-two-breaches-in-December/

Haefner, M. (2018, December 31). BCBS of Michigan: Data breach may have affected 15,000 medicare members. Retrieved from https://www.beckershospitalreview.com/player-issues/bcbs-of-michigan-data-breach-may-have-affected-15-000-medicare-members.html

HIPAA Journal. (2018, December 31). 15,000 customers notified about blue cross blue shield of Michigan data breach. Retrieved from https://www.hipaajournal.com/15000-customers-notified-about-blue-cross-blue-shield-of-michigan-data-breach/

Livengood, C. (2018, December 28). Blue cross alerts 15,000 medicare customers of potential data breach. Retrieved from https://www.crainsdetroit.com/insurance/blue-cross-alerts-15000-medicare-customers-potential-data-breach

More attention needs to be paid to supply chain management


The Dental Center of Northwest Ohio provides dental services and is based in Toledo, OH. In order to focus on dentistry, the practice contracted with Arakyta to manage its IT services.
Breach
The Dental Center of Northwest Ohio’s vendor experienced a breach. Arakyta was breached on September 1, 2018. Arakyta contracted with a third party to investigate the issue. They found that an unauthorized person had accessed Arakyta’s server and may have viewed and copied the practice’s patient data. This also affected employees.
Attack
The attackers used ransomware to attack the dental center’s vendor. This infected the vendor’s computer systems. During this time it appears the systems were open to the attackers. It is notable that there were security measures in place; however, these were avoided by the attacker, much like a football player avoiding a tackle. The center is not sure how many patients were affected by this breach.
Data
As an additional issue for the practice, it appears the data may have been accessed. The disclaimer is that, as of January 2019, there was no evidence the data had been used in a malicious manner. While this is intended to calm the waters, there may not be signs for months or a year later. The data potentially accessed would be excessively useful for identity theft, fraud, and other nefarious uses. The data included the patient’s name, address, date of birth, social security number, state ID number, driver’s license number, medical treatment, medical history, diagnosis, clinical treatment information, medical record number, patient number, health insurance and benefits information, and financial account information. The data could be used in several different ways by different parties for many malicious purposes.
Remediation
Dental Center of Northwest Ohio is offering free credit monitoring and ID theft restoration services to the possibly affected parties and staff. While this is great and a step in the right direction, it does not solve the overall issue. People are not allowed to change certain information about themselves, i.e. social security number, and historical static data won’t change, i.e. medical treatments. These data points will be available for unauthorized use indefinitely. The Dental Center of Northwest Ohio and Arakyta are also reviewing policies and procedures and implementing additional security measures.
Comments, Concerns, Etc.
There are teachable moments to share with most things, and this would be one of those occasions. Granted, this would not be shared until the issue was resolved; however, it would still have been a lesson for others in the industry. Of course, the CISO/CTO does not want further light cast on the oversight; however, once resolved, the issue should be documented and put in the past.

Resources
Barth, B. (2019, January 3). Dental center of NW ohio feels bite of ransomware attack on IT vendor. Retrieved from https://www.scmagazine.com/home/security-news/dental-center-of-nw-ohio-feels-bite-of-ransomware-attack-on-it-vendor/

Bratton, M. (2019, January 2). Data breach puts personal information at risk for patients, employees, of dental center of northwest ohio. Retrieved from https://www.13abc.com/content/news/Data-breach-puts-personal-information-at-risk-for-patients-employees-of-Dental-Center-of-Northwest-Ohio-503811171.html

Dental Center of Northwest Ohio. (2018, December 28). RE: Dental center of northwest ohio, notice of data privacy event. Retrieved from https://www.prnewswire.comp/news-releases/re-dental-center-of-northwest-ohio-notice-of-data-privacy--event-300771300.html

HIPAA. (2019, January 2). Vendor of dental center of northwest ohio suffers ransomware attack. Retrieved from https://www.hipaajournal.com/vendor-of-dental-center-of-northwest-ohio-suffers-ransomware-attack/


Tuesday, November 19, 2019

Tivit's Breach

There are IT firms across the globe on every continent. Even in Antarctica there is an IT function for the networks and other technical equipment there. Brazil is no different. Tivit is a Brazilian IT services provider. In addition to this line of business, they also provide other business process services.
Attack
Any attack is generally focused on the target’s data or money. This instance was no different. The attack focused on Tivit clients’ data. Nine Tivit employees fell victim to a phishing email campaign, which exposed clients’ credentials online. The successful attack was confirmed by Tivit. For it to be this successful, all it took was the nine employees clicking on a link. The attack was able to gain access to data from 19 other companies. These included the kitchen appliance manufacturer Faber, Swiss insurance company Zurich, Brazilian financial organization Banco Original, software firm SAP, and many more. The attackers were successful enough that they gained access to Tivit’s database. Fortunately, the attack scope was limited to the nine systems breached. The datacenters and client networks were not affected.
Detection
One would think an IT service provider would have some form of SIEM present and actively managed, since the logs would simply be too large for a human to make much sense of them. There should be staff sufficiently supported so that when there is an issue, it may be detected and resolved. Apparently this was not the case. The breach was not detected by Tivit, but by DefCON Lab. The signs included effects on various databases and servers in the cloud. DefCON Lab found nearly one thousand lines of code containing internal company routines and credentials of different large enterprise clients. The data appears to have included internal process documents for the organization.
Remediation
Tivit was working through the issue. The organization also contracted with legal resources and an IT support firm to ensure this did not happen again.
Comment
It is interesting that an IT company fell victim to a phishing attack. The number of victims was also notable. This issue continues to emphasize the need for employee training throughout the year, even for IT companies.

Resources
Cyware. (2018, December 17). Massive data breach hits Brazilian IT firm tivit. Retrieved from https://cyware.com/news/massive-data-breach-hits-brazilian-it-firm-tivit-d47dc056

Mari, A. (2018, December 14). Brazilian IT firm tivit suffers data breach. Retrieved from https://www.zdnet.com/article/brazilian-it-firm-tivit-suffers-data-leak

Sunday, November 17, 2019

Not even games are safe!


Fortnite is an excessively popular video game developed by Epic Games. It is played online with other players and has more than 80M users across the world. In this game, as with many others, the goal is to stay alive and survive.
Issue
Given how widely the game is played, there should have been thorough security testing for it. It appears this was not the case, as a security flaw left Fortnite users vulnerable. It allowed users to be recorded during play without their knowledge, and gave access to other sensitive data. The issue was discovered by CheckPoint in November 2018.
Operation
The attackers appear to have leveraged an insecure Epic Games webpage created in 2004. They sent phishing emails to Fortnite users that pointed at this old website, and the emails indeed appeared to be from Epic. The attackers made it very easy for the users, in that all the targets had to do was click a link. This would give the attackers access to the user’s account without requiring the user to log in. This was done through the tried and true XSS attack.
Effects
When exploited, this vulnerability allowed the attackers to:
a) Take over the Fortnite accounts,
b) Make unauthorized purchases with the user’s game virtual currency,
c) Eavesdrop on the player’s chat, and record the player’s chat.
This may have also exposed the user’s credit card data and other personal information. Due to this, complaints were filed with the Better Business Bureau. The users alleged Epic Games did not protect their data.
Remediation
Epic Games took down the 2004 website which caused these issues. The company also recommended that players not reuse passwords, use strong passwords, and not share account information with others, i.e. basic security recommendations.
Lessons Learned
Our environment is not static; it changes all too often. We need to monitor it frequently to check for issues and updates. The company needs to know its web apps and endpoints, and scan these periodically.

Resources

Knoop, J. (2019, January 17). Epic patches fortnite security hack that may have exposed more than 200 million players’ accounts. Retrieved from https://finance.yahoo.com/news/epic-patches-fortnite-security-hack-210300634

Oliver, M. (2019, January 18) Fortnite security flaw exposed 80 million players to hacking risk. Retrieved from https://kslnewsradion.com/1896932

Silverstein, J. (2019, January 19). Fortnite security flaw exposed millions of users to being hacked. Retrieved from https://www.cbsnews.com/news/fortnite-security-flaw-exposed-millions-of-users-to-being-hacked/

Tribune Media Wire. (2019, January 18). Fortnite security flaw exposed 80 million accounts. Retrieved from https://wnep.com/2019/01/18/fortnite-security-flaw-exposed-80-million-accounts/

WGNWeb Desk. (2019, January 16). Fortnite security flaw exposed 80 million accounts. Retrieved from https://wentv.com/2019/01/16/fortnite-security-flaw-exposed-80-million-accounts/

Tuesday, November 12, 2019

Oh, the irony: Anti-ransomware firm pwned with ransomware


PerCSoft is a Wisconsin business. The organization provides online data backup services for dental offices, operating by placing the data in the cloud. They had hundreds of dental offices as clients. The focus was to secure patient medical records and other data from various attacks, including ransomware.
Irony
The irony of this pwnage has not fallen on deaf ears. In this industry, the irony does not often have this much depth. The firm’s function was to secure backups for their clients for instances where there would be an issue with the client’s data, such as a natural disaster or a successful ransomware attack. In their marketing materials, safety from ransomware is emblazoned. The organization whose function was to secure data from ransomware had its own files encrypted with ransomware, making them inaccessible.
Ransomware
PerCSoft, the online data backup service, was successfully attacked with ransomware. This attack encrypted files for approximately 400 US dental offices. It appears the tool used was Sodinokibi, a ransomware variant aka Sodin or REvil malware. This is the same ransomware that had been spread through a critical vulnerability in Oracle WebLogic Servers, CVE-2019-2725, which carries a severity score of 9.8/10 and is a deserialization remote code execution vulnerability. The ransomware is designed to encrypt files and delete the shadow copy backups. This prevents the victim from recovering the data from other sources and puts the victim in a very difficult situation.
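The shadow copy deletion described above is one of the few behaviours on a backup host that can be alerted on before encryption finishes. As an added example, not code from the original post or from PerCSoft, here is a small detector run over constructed Sysmon-style process-creation lines (hostnames, users and paths are made up); it flags the known backup-destruction commands and rates them by where the parent process lives.

```python
import re
from datetime import datetime

# Constructed process-creation events (Sysmon-style fields flattened to key=value).
# These lines are made up for this example; they are not logs from PerCSoft or any
# real incident.
SAMPLE_EVENTS = [
    '2019-08-26T02:11:04 host=BKP01 user=svc_backup parent=C:\\Windows\\explorer.exe '
    'image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\temp\\notes.txt"',
    '2019-08-26T02:13:17 host=BKP01 user=svc_backup parent=C:\\Users\\svc_backup\\AppData\\Local\\Temp\\upd.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2019-08-26T02:13:18 host=BKP01 user=svc_backup parent=C:\\Users\\svc_backup\\AppData\\Local\\Temp\\upd.exe '
    'image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"',
    '2019-08-26T02:13:19 host=BKP01 user=svc_backup parent=C:\\Users\\svc_backup\\AppData\\Local\\Temp\\upd.exe '
    'image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    # A legitimate backup job merely listing shadow copies must not raise an alert.
    '2019-08-26T03:00:00 host=BKP02 user=SYSTEM parent=C:\\Windows\\System32\\services.exe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Commands that delete or disable the local recovery data that ransomware such as
# Sodinokibi is reported to destroy before encrypting files.
RULES = [
    ("vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit-disable-recovery", re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def classify(line):
    """Return an alert dict if the event matches a backup-destruction rule, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for name, pattern in RULES:
        if pattern.search(ev["cmd"]):
            # The same command launched from a user-writable directory (where a
            # phishing payload typically lands) is rated higher than one launched
            # by a service, which could be a scheduled backup job.
            from_user_dir = any(p in ev["parent"].lower() for p in USER_WRITABLE)
            return {"ts": ev["ts"], "host": ev["host"], "rule": name,
                    "severity": "high" if from_user_dir else "medium", "cmd": ev["cmd"]}
    return None


def scan(lines):
    return [a for a in map(classify, lines) if a is not None]


def destruction_chains(alerts, window_s=120):
    """Hosts on which two or more distinct rules fired within window_s seconds:
    the signature of a ransomware run rather than a lone administrative command."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged = []
    for host, items in by_host.items():
        stamps = sorted(datetime.fromisoformat(a["ts"]) for a in items)
        spread = (stamps[-1] - stamps[0]).total_seconds()
        if len({a["rule"] for a in items}) >= 2 and spread <= window_s:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["ts"], a["host"], a["severity"], a["rule"], "::", a["cmd"])
    print("chains:", destruction_chains(scan(SAMPLE_EVENTS)))
```

On the constructed sample, the three commands from the Temp-resident parent on BKP01 fire as high-severity alerts within two seconds and the host is reported as a destruction chain, while the service-launched listing on BKP02 stays silent.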
Attack
The ransomware was detected on August 26. This was, relatively, a very successful attack, and apparently profitable for the attackers, as they were paid. There were over 400 dental practices affected. To appreciate the full extent of just this aspect, imagine the number of patients seen every day, multiplied by two weeks, and then multiplied by 400, to be conservative. This attack did not merely affect a few offices, but also all the people who work there and their patients. The practices were not able to access patient history, charts, schedules, x-rays, or patient balances. I can only imagine how difficult this was to work through for the affected staff members and patients.
Remediation
PerCSoft ended up paying the attackers. While not published, this course may have been required, as their primary files and all of their backups were encrypted or deleted and they simply had no choice. It was not reported who was paid or how much. As of 8/29/2019, 80-100 of the 400 dental offices’ files had not been decrypted. In these instances, the decrypt key did not work, which is an issue. The restoration of the other offices was a bit slow. On a positive note, the organization did communicate on a regular basis with their clients and interested parties through their Facebook postings, among other means.
Defenses
Perhaps PerCSoft should have followed a few of the basic industry standards and processes to reduce the potential for an epic fail. The practices include:
· Backing up your data. This can be done on- or off-site. Dedup is an option, dependent on the circumstances and budget.
· System inventory. Over time, we tend to become complacent with the network. Periodically we should take an inventory of the assets on the network. This reduces the opportunity for missed patches and also detects any unknown or shadow assets using your equipment and network.
· Conduct cybersecurity training throughout the year and make it relevant. The once-a-year mandatory cybersecurity training to check the box simply still does not work. This needs to be done throughout the year with relevant, current training. Granted, your task is not to entertain the staff during these; however, you still need to attract and retain their attention. This will assist them in internalizing the message and applying it, at some level, to their work when the need presents itself. The alternative is to play the same VHS tape from the 1990s and have your staff in an infinite loop of mass password resets, patching vulnerabilities, scanning for issues, and headaches.
· Patch cycle. While this may not directly impact the ransomware attack, it is still prudent and an industry standard to address this with regularity, in addition to the critical and time-sensitive patches requiring immediate attention.
Lessons Learned?
PerCSoft paid the ransom, as noted previously. This may have been their only option given the germane circumstances. The organization may not have had backups of their clients’ data. The organization having to pay the ransomware fee to operate is bad enough. This, however, should prompt you, in a researcher role, to wonder why they had to pay the attackers simply to operate. There are generally so many issues with this avenue that it is hardly recommended.

Resources
Kobialka, D. (2019, August 29). Ransomware attack hits backup provider, US dental offices. Retrieved from https://www.msspalert.com/cybersecurity-breaches-and-attacks/ransomware/dental-offices-hit/

Krebs, B. (2019, August 29). Ransomware bites dental data backup firm. Retrieved from https://krebsonsecurity.com/2019/08/ransomware-bites-dental-data-backup-firm/

Kumar, M. (2019, May 1). Hackers found exploiting oracle WebLogic RCE flaw to spread ransomware. Retrieved from https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html

Percsoft Dental Technology Consulting. (2019). Facebook posts. Retrieved from https://www.facebook.om/pg/percsoft/posts

Wei, W. (2019, August 30). Ransomware hits dental data backup service offering ransomware protection. Retrieved from https://thehackernews.com/2019/08/dds-safe-dental-ransomware-attack.html

Friday, November 1, 2019

Mitsubishi PLC targeted


Mitsubishi Electric (ME) manufactures various products across their product lines. One of these is the programmable logic controller (PLC). PLCs are not used singularly in one industry or another; they have many uses across many industries. The units are used across the world and, in Mitsubishi Electric’s case, in manufacturing facilities.
PLC Targeted
ME has several different PLC models manufactured and actively used. Of the many PLCs manufactured, the subject model is the MELSEC-Q series QJ71E71-100 Ethernet Interface module; units with serial numbers 20121 and prior were subject to the vulnerability. While this is only one model, these are placed in service in a myriad of locations.
Vulnerability
The vulnerability has been noted as ICSA-19-141-02 and CVE-2019-10977. It has a high severity with a CVSS score of 7.5, which indicates that organizations employing this hardware should have paid strict attention to it. Leaving this issue open would create the potential for a significant problem. The issue involves the denial of service (DoS) attack vector, and the vulnerability may be exploited remotely. This makes the vulnerability especially interesting for the organizations using this hardware. The attack is done by sending malicious TCP packets to the target’s FTP service. When exploited, this places the PLC into fault mode, which ceases its operations. The only option to correct this is to restart the PLC. While not as detrimental as other successful attacks, this shuts down the PLC and any other services or functions dependent on it.
Attack
The attacker could exploit the issue from anywhere with a good internet connection. One saving grace is that the PLCs are not detectable using Shodan or a similar tool.
Remediation
Fortunately, ME resolved the vulnerability with firmware update version 20122. Without this downloaded and installed into each PLC, there could have been rather significant issues causing many headaches.
Resources

CISA. (2019, May 21). ICA advisory (ICSA-19-141-02). Retrieved from https://www.us-cert-gov/ics/advisories/ICSA-19-141-02

Kovacs, E. (2019, May 22). Flaw exposes Mitsubishi PLCs to remote DoS attacks. Retrieved from https://www.securityweek.com/flaw-exposes-mitsubishi-plcs-remote-dos-attacks

SecuriTeam. (2019, July 15). Mitsubishi electric MELSEC-Q series Ethernet module ZJ71E71-100 serial number 20121 remote code execution vulnerability. Retrieved from https://securiteam.com/securitynews/mitsubishi-electric-melser-q-series-ethernet-module-qq71e71-100-serial-number-20121-remote-code-execution-vulnerability/