Sunday, January 26, 2020

Misconfigured servers are an issue across the globe



Banks maintain and secure massive amounts of data for their clients and employees, and that stewardship should not be taken lightly. The data includes not only customers' personal information but also their confidential financial records. In addition to the statutory issues, there may be civil liability. The data, and the leverage it gives an attacker, that comes out of a breach has significant value.
Target/Opportunity
India, as with any nation, has banks throughout its borders. India's largest bank, State Bank of India (SBI), recently experienced an issue. SBI had 500M clients across the globe with 740M accounts. It also had an insecure server. This was, thankfully, found by a security researcher rather than an attacker, because anyone who knew the address could have accessed it. It might have turned out much differently, as the server held financial data on millions of clients, including bank balances and the previous two months of transactions. The data came from SBI Quick, a text message and call-based service that lets customers request information about their accounts by phone. The service archived its data each day, and each day's archive contained millions of text messages. The server sat in a data center in Mumbai.
Misconfigurations
The server held sensitive data and should have been secured in some form, but it was not. The server did not require a password. All an attacker had to know was the server's address; with that, they could read all the text messages, client phone numbers, bank balances, recent transactions, and partial account numbers. Unfortunately, it is unknown how long the server sat unprotected. SBI was quick to respond once informed and secured the server.
Questions
It is curious why the server was misconfigured in the first place. Given this type of data and the direct harm it could have inflicted, one would expect more care to have been applied. It is also unknown how long the server was in this state; in theory, it could have been since it was first placed online. This builds the case for a secondary review of the work done. A second set of eyes would have helped remove, or at least minimize, the risk.
Resources
Beau HD. (2019, January 31). India's largest bank SBI leaked account data on millions of customers. Retrieved from https://it.slashdot.org/story/19/01/31/0426238/indias-largest-bank-sbi-leaked-account-data-on-millions-of-customers
Kolochenko, I. (2019, February 1). India's largest bank SBI leaked account data on millions of customers. Retrieved from https://www.informationsecuritybuzz.com/
Modupe, B. (2019, January 31). Account data of millions of SBI customers, the largest bank in India, leaked. Retrieved from https://www.btcnn.com/general-news/account-data-of-millions-of-sbi-customers-the-largest-bank-in-india-leaked/

Thursday, January 23, 2020

Basecamp's successful defense against credential stuffing

Many corporations use applications to track projects, either on-premises or in the cloud. These services tend to be very useful for the collaboration projects require. One such service is Basecamp. While focused on communication and collaboration, Basecamp experienced an attack in early 2019.
Attack
It is not often that there is an opportunity to write about a successful defense. Usually there is a breach or compromise, or the company gives up and pays for new equipment or a ransom. In this case, the defense worked. Basecamp defended its systems against a large credential stuffing attack that began on January 30, 2019, at 12:45 PM Central. The SOC, which was monitoring the systems, noticed a significant increase in login attempts. Within about an hour there were more than 30k login attempts from a wide array of IP addresses, aimed at approximately 30k accounts.
Successful Defense Methods
The first step was to block the IPs associated with the attack. With this form of attack, relying solely on that is folly; it starts the process but is no panacea. It would take a large number of people doing nothing else for hours to have even a marginal effect, since the attackers simply move on to new IPs. The second step was much more helpful: they enabled a CAPTCHA on the login page, which blocked the rest of the attack. While this worked and was very useful in the defense, 124 accounts had already been breached before the CAPTCHA was in place. Those passwords were reset and the users were emailed.
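What the SOC saw in this post, a spike in login attempts spread across thousands of accounts from a rotating pool of IPs, has a recognisable shape in the logs, and the decision to stop blocking IPs and turn on a CAPTCHA can be driven off that shape. The following is an added example, not Basecamp's code. The log line format (timestamp, source IP, account, ok/fail), the sample lines, the thresholds, and the "IPs first seen during the spike" heuristic for identifying attacker addresses are all assumptions made for the example; the sample is constructed and scaled down from the 30k-attempt event described above. It also classifies the brute-force pattern (few accounts, many guesses each) so the two can be told apart.

```python
"""Spotting a credential-stuffing wave in login logs, deciding when a CAPTCHA
is warranted, and listing the accounts that need a password reset.

Added example, not Basecamp's code. The line format
"<ISO timestamp> <source ip> <account> <ok|fail>" and every line in
SAMPLE_LOG are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample: a quiet window (12:30-12:40) followed by a stuffing
# wave (12:45 onward) in which each account gets one guess from a fresh IP.
SAMPLE_LOG = """
2019-01-30T12:31:02 198.51.100.10 alice ok
2019-01-30T12:33:45 198.51.100.11 bob fail
2019-01-30T12:34:01 198.51.100.11 bob ok
2019-01-30T12:38:20 198.51.100.12 carol ok
2019-01-30T12:45:10 203.0.113.1 u01 fail
2019-01-30T12:45:11 203.0.113.2 u02 fail
2019-01-30T12:45:12 203.0.113.3 u03 fail
2019-01-30T12:45:13 203.0.113.4 u04 fail
2019-01-30T12:45:14 203.0.113.5 u05 ok
2019-01-30T12:45:15 203.0.113.6 u06 fail
2019-01-30T12:45:16 203.0.113.7 u07 fail
2019-01-30T12:45:17 203.0.113.8 u08 fail
2019-01-30T12:45:18 203.0.113.9 u09 fail
2019-01-30T12:45:19 203.0.113.10 u10 fail
2019-01-30T12:45:20 203.0.113.11 u11 ok
2019-01-30T12:45:21 203.0.113.12 u12 fail
2019-01-30T12:45:22 203.0.113.1 u13 fail
2019-01-30T12:45:23 203.0.113.2 u14 fail
2019-01-30T12:45:24 203.0.113.3 u15 fail
2019-01-30T12:45:25 203.0.113.4 u16 fail
"""

QUIET_START = datetime(2019, 1, 30, 12, 30)
ATTACK_START = datetime(2019, 1, 30, 12, 45)
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "ok"))
    return events


def window_stats(events, start, width=WINDOW):
    """Summarise login activity in the half-open window [start, start + width)."""
    end = start + width
    hits = [e for e in events if start <= e[0] < end]
    ips = {ip for _, ip, _, _ in hits}
    accounts = {acct for _, _, acct, _ in hits}
    fails = sum(1 for *_, ok in hits if not ok)
    n = len(hits)
    return {
        "attempts": n,
        "ips": len(ips),
        "accounts": len(accounts),
        "fail_ratio": fails / n if n else 0.0,
        "attempts_per_account": n / len(accounts) if accounts else 0.0,
    }


def classify(stats, baseline):
    """Label a window as normal, credential_stuffing, brute_force or suspicious.

    Stuffing spreads one or two guesses over many accounts from many IPs;
    brute force hammers a few accounts. Thresholds are illustrative assumptions.
    """
    if stats["attempts"] < max(10, 3 * baseline["attempts"]):
        return "normal"
    if stats["fail_ratio"] < 0.8:
        return "normal"
    if stats["attempts_per_account"] <= 2 and stats["ips"] >= 0.5 * stats["accounts"]:
        return "credential_stuffing"
    if stats["attempts_per_account"] > 5:
        return "brute_force"
    return "suspicious"


def captcha_needed(label):
    """Per-IP blocking cannot keep up with a rotating IP pool; a login CAPTCHA can."""
    return label in ("credential_stuffing", "brute_force")


def new_ips_in_window(events, start, width=WINDOW):
    """IPs first seen inside the window: a crude attacker-IP set (assumption)."""
    seen_before = {ip for ts, ip, _, _ in events if ts < start}
    return {ip for ts, ip, _, _ in events
            if start <= ts < start + width and ip not in seen_before}


def compromised_accounts(events, attacker_ips):
    """Accounts that logged in successfully from an attacker IP: reset these."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in attacker_ips})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    quiet = window_stats(events, QUIET_START)
    attack = window_stats(events, ATTACK_START)
    label = classify(attack, quiet)
    print(label, "-> enable CAPTCHA:", captcha_needed(label))
    print("reset:", compromised_accounts(events, new_ips_in_window(events, ATTACK_START)))
```

The useful signal is not the raw count but the ratio of attempts to distinct accounts together with the failure rate: a stuffing wave looks like one failed guess per account from an IP you have never seen, which is exactly why blocking IPs one at a time loses the race and a CAPTCHA on the login form does not.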

Resources
Gatlan, S. (2019, January 31). Basecamp successfully defends against credential stuffing attack. Retrieved from https://www.bleepingcomputer.com/news/security/basecamp-successfully-defends-against-credential-stuffing-attack/
Hashim, A. (2019, February 2). Basecamp endured a brute force attack. Retrieved from https://latesthackingnews.com/2019/02/02/basecamp-endured-a-brute-force-attack/ 
Newman, L.H. (2019, February 17). Hacker lexicon: What is credential stuffing? Retrieved from https://wired.com/story/what-is-credential-stuffing/
OWASP. (2019, February). Credential stuffing prevention cheat sheet. Retrieved from https:/github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.md

Toulas, B. (2019, February 1). Basecamp defends an hour-long credential stuffing attack. Retrieved from https://www.technadu.com/basecamp-credential-stuffing-attack/56537/

Ransomware in Canada: Olympia pwned


Olympia Financial Group is a publicly traded Canadian corporation, listed under the ticker OLY. Olympia Financial Group Inc. conducts most of its business through Olympia Trust Company, which administers self-directed registered accounts, provides foreign currency exchange, and offers various corporate shareholder services. Olympia Financial Group also sells private health care plans through its wholly owned subsidiary, Olympia Benefits Inc. Clearly there is a great deal of activity across these entities, individually and in total, and a great deal of data the companies need in order to operate. That activity made the entities a fair target.
Attack
The businesses were the victim of a successful ransomware attack, announced on February 2, 2019. The attackers gained access and encrypted data on Olympia's network; fortunately, only part of the network was affected. Once the issue was detected, Olympia acted to stop the infection spreading further across the network. They contacted the Royal Canadian Mounted Police (RCMP) Cybercrime Division and engaged malware response and recovery specialists.
Post-Attack
Through the dedicated efforts of staff, the business recovered. As of February 3, 2019, all of the businesses were up and running, and nearly all of the IT systems affected by the attack were operating. The investigation into the attack continued. There was no evidence that clients' personal information had been compromised, and the company stated it would continue to explore and implement ways to protect the business and its clients' personal data.
Thoughts
Ransomware continues to be a significant issue with potentially devastating effects. Luckily for Olympia Financial, the spread of the infection was contained. This reinforces the need for employee training on ransomware and other attacks. Given the damage ransomware can do, businesses need this training, and it cannot just be the annual security session where people get the deer-in-the-headlights look or start playing on their phones. To be effective, it needs to run throughout the year and be interactive.

Resources
Bloomberg. (2019, February 20). OLY-Toronto stock quote. Retrieved from https://www.bloomberg.com/quote/OLY:CN
Olympia Financial Group Inc. (2019, February 11). Olympia financial group inc. announces recovery from ransomware cyber attack. Retrieved from https://globenewswire.com/news-release/2019/02/11/1716817/0/en/Olympia-Financial-Group-Inc-announces-Recovery-from-Ransomware-Cyber-Attack.html
Reuters. (2019, February). Brief-Olympia financial group inc. announces recovery from ransomware cyber attack. Retrieved from https://ca.investing.com/news/stock-market-news/briefolympia-financial-group-inc-announces-recovery-from-ransomware-cyber-attack-1396461


Tuesday, January 21, 2020

Watch your PoS!


Seemingly, a restaurant or restaurant chain would not be a high-value target near the top of an attacker's list, since it does not hold the PII (name, social security number, medical records, and other confidential data) that other industries do. Curiously, though, this industry holds data that is just as saleable: payment card numbers. These are monetized in a few familiar ways, bulk sale on carding markets or encoding the stolen track data onto the magnetic stripe of a new physical card. One restaurant chain facing this in 2019 was Huddle House, a casual dining and fast food operation headquartered in Atlanta.
Attack
Huddle House was targeted by an attack that was very successful. The company released a statement on February 1, 2019, about a malware infection. As with other retailers, the system breached was the point-of-sale (PoS) system, which was infected with malware at various locations. The PoS system was operated by a third party. The malware was coded to steal the payment card data of Huddle House's customers: name, credit or debit card number, expiration date, cardholder verification number, and service code, which are the fields carried in the card's magnetic stripe track data. With that data, you could have a great shopping experience on someone else's dime.

Unfortunately, the malware variant was not disclosed. That would have been useful not only for research, but also for other businesses to learn from: what to watch for, how it worked, and so on.

The delivery method was interesting. The attackers gained remote access by exploiting the third party's remote assistance tools, the same tools the vendor used to support the PoS systems, and used them to deploy the malware. It is not known whether it reached every Huddle House, but it did reach an estimated 341 locations. With the malware spread across all of those locations, its reach extended every time a customer swiped a credit or debit card.

This was noticed only after quite a bit of time had lapsed. The infection window ran from August 1, 2018, to February 1, 2019. In essence, anyone who used a card at an affected location during those six months should assume their card data is at risk.
Detected 
Another interesting aspect is that Huddle House did not detect the malware itself; it perceived no indication of an issue. The problem was detected by law enforcement and Huddle House's payment card processor. Seemingly, Huddle House should have noticed something in its logs.
Post-Attack 
After the notification, the investigation began. Initially the business had no idea how many of its locations were involved or how many customers were affected. It engaged a third-party forensics firm and was working with law enforcement within 24 hours of becoming aware.

The customer notification advised clients to monitor their card statements and, where warranted, call their card issuers to request new cards. While helpful, if obvious, this still created work for customers now and in the future.
Lessons (Not) Learned (Still) 
The Huddle House story is much like most other breaches; there is nothing that sets it above the rest. What makes it a bit more interesting is the attack path. The old saying is that you are only as strong as your weakest link, and this continues to be the case. When a business allows another organization (a third party) access to its network and/or data, it is admitting not only the third party but also the baggage and issues of that third party's systems. Whoever compromises the vendor then has everything the vendor has access to, and often much more.

There is a massive retailer with stores throughout the US that allows third parties access to its network. They use this authorized access to upload invoices and perform various other functions. As they connect and log in, any infection they carry may be shared with your systems. This is the issue at the intersection of cybersecurity and supply chain management. While a business has some level of visibility into its own network, that visibility generally does not extend to its third parties. Getting security data from third parties is difficult: this is new ground for the vendors, and naturally they do not want to tell others about their vulnerabilities for fear the information could reach unauthorized parties and be exploited. A SOC 2 or similar attestation report shows what the vendor's weak points were on a given day, and in the wrong hands that could create a large issue.

As these requests become more numerous and frequent, the attitude will slowly change. Until then, start asking for these reports and keep asking, and put the requirements in your contracts. Both the business and the third-party vendor have to understand that this connection is an attack point. If everyone keeps their head in the sand hoping all will be well, all won't be well. Just ask the national retailer whose HVAC vendor's network access was used to get malware onto its PoS systems, in what was at the time one of the largest breaches on record, measured in both dollars and people affected.

Also notable: Huddle House had no idea there was a problem until it received the call. If an estimated 341 sites were affected and card data was being sent to command-and-control (C&C) servers in small or large blocks, the security team should have been able to spot the activity in the logs, either from the volume of data or from the frequency of the connections. Granted, the logs can be large, but that is why SIEMs exist, and a person can also write a program to parse through them looking for trends.
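The "program to parse through this looking for trends" suggested above, as an added example that is not Huddle House's or its PoS vendor's code: it reads outbound connection records from store terminals and ranks destinations that are not on the allowlist by how many stores talk to them, then checks each store-to-destination pair for clock-like beaconing, which is what a PoS scraper phoning home on a timer looks like. The log format (timestamp, store, destination ip:port, bytes out), the allowlist of processor and vendor addresses, the sample lines, and the beacon thresholds are all constructed assumptions for this example; the scraper's real interval and volume were not disclosed.

```python
"""Hunting for card-data exfiltration in outbound connection logs from PoS
terminals: unknown destinations shared across stores, and clock-like beaconing.

Added example, not Huddle House's or its vendor's code. The line format
"<ISO timestamp> <store> <dst_ip>:<dst_port> <bytes_out>", ALLOWLIST and
every line in SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed known-good destinations: the card processor and the vendor's support host.
ALLOWLIST = {"192.0.2.10:443", "198.51.100.20:443"}

# Constructed sample: three stores contact 203.0.113.77 every ~10 minutes with
# ~1.5 KB each; processor traffic is irregular; one store pulls a large one-off download.
SAMPLE_LOG = """
2019-01-15T09:00:00 store-101 203.0.113.77:443 1500
2019-01-15T09:02:30 store-205 203.0.113.77:443 1510
2019-01-15T09:03:15 store-101 192.0.2.10:443 2200
2019-01-15T09:05:00 store-333 203.0.113.77:443 1490
2019-01-15T09:05:20 store-101 192.0.2.10:443 2350
2019-01-15T09:10:01 store-101 203.0.113.77:443 1480
2019-01-15T09:12:31 store-205 203.0.113.77:443 1470
2019-01-15T09:12:44 store-101 192.0.2.10:443 2100
2019-01-15T09:14:01 store-101 192.0.2.10:443 2600
2019-01-15T09:15:00 store-333 203.0.113.77:443 1500
2019-01-15T09:19:59 store-101 203.0.113.77:443 1520
2019-01-15T09:22:30 store-205 203.0.113.77:443 1500
2019-01-15T09:25:02 store-333 203.0.113.77:443 1510
2019-01-15T09:30:00 store-101 203.0.113.77:443 1490
2019-01-15T09:31:50 store-101 192.0.2.10:443 2250
2019-01-15T09:32:29 store-205 203.0.113.77:443 1530
2019-01-15T09:34:58 store-333 203.0.113.77:443 1480
2019-01-15T09:40:00 store-205 198.51.100.20:443 800
2019-01-15T09:50:00 store-333 198.51.100.99:80 40000
"""


def parse_conn_log(text):
    """Parse connection records into dicts with a datetime and an int byte count."""
    events = []
    for line in text.strip().splitlines():
        ts, store, dst, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "store": store,
                       "dst": dst, "bytes": int(nbytes)})
    return events


def unknown_destinations(events, allowlist=ALLOWLIST):
    """Destinations outside the allowlist: how many stores reach them and how much they send."""
    stores, total = defaultdict(set), defaultdict(int)
    for e in events:
        if e["dst"] not in allowlist:
            stores[e["dst"]].add(e["store"])
            total[e["dst"]] += e["bytes"]
    return {dst: {"stores": len(stores[dst]), "bytes": total[dst]} for dst in stores}


def beacon_score(timestamps):
    """Mean gap (seconds) and coefficient of variation between consecutive
    connections; a low CV means the connections fire like clockwork.
    Returns None with fewer than three gaps, since the statistic is meaningless."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def find_beacons(events, max_cv=0.1, min_connections=4):
    """Map (store, dst) -> rounded mean interval for pairs whose timing is periodic."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["store"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_connections:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            beacons[pair] = round(score[0])
    return beacons


def report(events, allowlist=ALLOWLIST):
    """Rank unknown destinations by store count, then bytes, with beacon evidence attached."""
    beacons = find_beacons(events)
    findings = []
    for dst, info in unknown_destinations(events, allowlist).items():
        beaconing = sorted(store for (store, d) in beacons if d == dst)
        findings.append({"dst": dst, **info, "beaconing_stores": beaconing})
    return sorted(findings, key=lambda f: (-f["stores"], -f["bytes"]))


if __name__ == "__main__":
    for finding in report(parse_conn_log(SAMPLE_LOG)):
        print(finding)
```

Ranking by the number of stores rather than by bytes is deliberate: a single 40 KB download to an odd host is a question for one store manager, but three separate stores beaconing 1.5 KB to the same unlisted address every ten minutes is the fleet-wide signature the post is describing, even though it moves far less data.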


Resources 
Abrams, L. (2019, February 5). Huddle house fast food chain suffers data breach in POS system. Retrieved from https://www.bleepingcomputer.com/news/security/huddle-house-fast-food-chain-suffers-data-breach-in-pos-systems/

Cutoday. (2019, February 6). Restaurant chain announces data breach. Retrieved from https://www.cutoday.info/Fresh-Today/Restaurant-Chain-Announces-Data-Breach 

Huddle House. (2019, February 1). Important security and personal data protection notification. Retrieved from https://www.huddlehouse.com/data-protection-notification/

Muncaster, P. (2019, February). Huddle house suffers POS malware breach. Retrieved from https://www.infosecurity-magazine.com/news/huddle-house-suffers-pos-malware/ 

NNT. (2019, February 5). Huddle house restaurant chain suffers POS malware breach. Retrieved from https://www.newnettechnologies.com/huddle-house-restaurant-chain-suffers-pos-malware-breach.html

The Paypers. (2019, February 5). Huddle house announces security breach, POS system is affected. Retrieved from https://www.thepaypers.com/digital-identity-security-online-fraud/huddle-house-announces-security-breach-pos-system-is-affected/777240-26 

Friday, January 17, 2020

Yet another lesson in misconfigured server security



When a person donates blood, the donation center collects data about the donor. This is recorded and retained, and it is done throughout the planet; Singapore is no exception. Early in 2019, blood donors' data, held in a database, was exposed. While this was reported across the globe within the first few weeks, most people read the headline and the high-level summary and may not have dug into the details.
Vulnerability
The attack was not complex. An unsecured database was sitting on an internet-facing server, and, given the circumstances, the data was almost certainly not encrypted. The clearly misconfigured, openly accessible server leaked the information on the internet for roughly two months before it was reported. According to the Health Sciences Authority (HSA), the data was exposed for nine weeks beginning January 4, 2019. HSA had provided the data to a third party, Secur Solutions Group (SSG), to update the database. The exposure was found by a cybersecurity subject matter expert (SME).

The SME contacted Singapore's Personal Data Protection Commission (PDPC) on March 13. Once alerted, HSA worked with SSG to disable access to the server. HSA is also working with the SME to ensure the copy of the data the SME obtained is deleted. As it happens, the researcher was based outside Singapore. One report stated there appeared to be no unauthorized access to the database during the period, while another stated the data was accessed by an unauthorized party and possibly exfiltrated.
Affected
There were 808,201 blood donors affected by this negligent act. This exceptionally large number represents donors since 1986, or, to put it in perspective, 30-plus years of donors. The data possibly, or probably, accessed and exfiltrated included names, NRIC numbers, gender, number of blood donations, the dates of the last three donations, and in some cases blood type, height, and weight. The odd coincidence is that this was not the first time SSG (Secur Solutions Group Pte Ltd) had noted its servers being accessed from unknown IP addresses.
Lessons Learned
This issue brings up so many areas of concern.
a)      The data sat on an internet-facing server. In general, they should have thought twice about this. While this happens all the time across the globe, there are inherent issues, especially when the server is not configured correctly. In this case the data was not secured at all: there was nothing in place to prevent unauthorized access, and the server was openly accessible.
b)      You need to know the scope. The third-party contractor put the data on the server without HSA's knowledge or approval, and a review of the contract found this was not allowed. As with any agreement, the parties need to read the contract to know the scope of the project and what may and may not be done.
c)       SCM. Supply chain management is still not fully addressed as part of cybersecurity. When data is entrusted to a third party, that party really should be vetted well before the contract is executed. Without properly addressing cybersecurity in the supply chain, the business is inviting a mountain of problems. SSG clearly breached its contractual agreement. This is especially notable since SSG's server had been accessed from unknown IP addresses since late 2018, and this was not the first attack: the same server was attacked in 2017. With the same server targeted twice, was the 2017 incursion part of reconnaissance rather than a one-off? Overall, the business needs to assess, or require a third party to assess, each vendor's security posture.
d)      The database was not encrypted. If you are going to hold data off-premises and make it accessible, you might want some form of encryption on it. If the database held only aggregated data that could not be attributed to individuals, that would be one case. This one held confidential data directly attributable to named persons.
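Point (d) above draws the line between a dataset that is attributable to individuals and one that is not. Encryption at rest is one control; another, which works even if the vendor's copy leaks, is to strip or pseudonymise the direct identifiers before the data leaves the organisation. The following is an added example, not HSA's or SSG's code. The field names, the sample records, the key, the simplified NRIC/FIN pattern, and the assumption that the vendor's update job does not need height and weight are all constructed for the example. It uses a keyed HMAC rather than a plain hash on purpose: the NRIC space is small (a prefix letter, seven digits, a check letter), so an unkeyed hash of it can be reversed by enumeration, whereas a keyed token cannot be tested without the key, which stays with the data owner.

```python
"""Making a copy of a donor table non-attributable before handing it to a
third party: keyed pseudonymisation of direct identifiers plus dropping the
fields the recipient does not need, with re-identification kept in-house.

Added example, not HSA's or SSG's code. Field names, DONORS, the NRIC/FIN
pattern and the choice of droppable fields are constructed assumptions.
"""
import hashlib
import hmac
import re
import secrets

DIRECT_IDENTIFIERS = ("name", "nric")
NOT_NEEDED_BY_VENDOR = ("height", "weight")   # assumption for this example

# Simplified Singapore NRIC/FIN shape: prefix letter, seven digits, check letter.
NRIC_RE = re.compile(r"^[STFG]\d{7}[A-Z]$")

# Constructed records; the NRIC values are made up and have no valid check letter.
DONORS = [
    {"name": "Tan Ah Kow", "nric": "S1234567D", "gender": "M", "donations": 12,
     "last_donations": ["2018-11-02", "2018-07-14", "2018-03-09"],
     "blood_type": "O+", "height": 172, "weight": 70},
    {"name": "Lim Mei Ling", "nric": "T9876543A", "gender": "F", "donations": 3,
     "last_donations": ["2019-01-03", "2018-09-21", "2018-05-30"],
     "blood_type": "A-", "height": 160, "weight": 55},
]


def pseudonym(value, key, namespace):
    """Keyed, deterministic token for one identifier value.

    HMAC-SHA256 under a key only the data owner holds: the same input always
    yields the same token (so records can still be joined on it), but without
    the key nobody can confirm a guessed NRIC against a token. The namespace
    keeps a name and an NRIC that happen to share text from colliding.
    """
    msg = f"{namespace}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key, identifiers=DIRECT_IDENTIFIERS, drop=NOT_NEEDED_BY_VENDOR):
    """Return the copy that may leave the organisation."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in drop}
        for field in identifiers:
            row[field] = pseudonym(row[field], key, field)
        out.append(row)
    return out


def reidentify(pseudo_rows, originals, key, field="nric"):
    """Map vendor output back to real donors; only possible with the key."""
    lookup = {pseudonym(o[field], key, field): o for o in originals}
    return [lookup[row[field]] for row in pseudo_rows]


def is_nric(value):
    """Cheap leak check: does a value still look like a raw NRIC/FIN?"""
    return bool(NRIC_RE.match(str(value)))


def contains_raw_nric(rows):
    """True if any value in any row still matches the NRIC pattern."""
    return any(is_nric(v) for row in rows for v in row.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated and kept by the data owner
    outbound = pseudonymise(DONORS, key)
    print("raw NRIC present in outbound copy:", contains_raw_nric(outbound))
    print(outbound[0])
    print("round trip ok:", reidentify(outbound, DONORS, key) == DONORS)
```

The check at the end is the habit the post is asking for: before the copy goes out, run something over it that fails loudly if a direct identifier is still in the clear. Pseudonymised rows still count as personal data under most regimes, so they still belong on an authenticated, encrypted server; the difference is that a leaked copy no longer names 800,000 people.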
In closing…
This certainly was not the first error in judgment, and it won't be the last time this happens in the industry. These incidents keep occurring across the globe. Somehow we need to publish not only the error but also the remediation, so others do not keep repeating the same mistake. Please pass this along. After a configuration change, the admin should check the configuration against the industry's norms and guidelines. If it does not conform, the system in question should be reconfigured and retested. This isn't quantum mechanics. Let's stop the cycle of stupidity.

Resources
CNA. (2019, March 30). Blood donor data leak: HSA's vendor says information that went online was accessed illegally and possibly extracted. Retrieved from https://www.channelnewsasia.com/news/singapore/personal-data-of-800-000-blood-donors-accessed-illegally-hsa-ssg-11395364
Choo, F. (2019, March 16). 800,000 blood donors' data put online by HSA vendor. Retrieved from https://www.straitstimes.com/singapore/health/800000-blood-donors-data-pmt-online-by-hsa-vendor
Gatlan, S. (2019, March 15). Insecure database exposes 800,000 Singapore blood donors. Retrieved from https://www.bleepingcomputer.com/news/security/insecure-database-exposes-800-000singapore-blood-donors/
Johnston, M. (2019, March 18). Personal data of 800,000 blood donors exposed in Singapore. Retrieved from https://sg.channelasia.tech/artricle/6518921/personal-dta-800-000-blood-donors-exposed-singapore/
Paganini, P. (2019, March 16). Secur Solutions Group data leak exposes 800,000 Singapore blood donors. Retrieved from https://securityaffairs.co/wordpress/82452/data-breach/secur-solutions-group-data-leak.html
Siew, A. (2019, March 19). More than 800,000 blood donors had personal data exposed, in latest leak in Singapore. Retrieved from https://www.techgoondu.com/2019/03/19/more-than-800000-blood-donors-had-personal-data-exposed-in-latest-leak-in-singapore/





Wednesday, January 15, 2020

Watch the Supply Chain for Vulnerabilities!


At one point or another, we all need healthcare. Facilities are located in every state, in rural and metropolitan areas. One thing that seems pervasive across them is a supply chain that brings third parties into the system. For a healthcare facility to be fully vertically integrated, excluding vendors for everything, is a rarity these days. Vendor integration makes communication, invoicing, and other necessities a little more convenient. Unfortunately, it also has the potential to bring risk into your organization. Supply chain management is one area not addressed to a significant extent. When a business gives vendors access to its systems for efficiency or convenience, there should be a full vetting process. It does not appear this was the case with Spectrum Health Lakeland, a medical facility in St. Joseph, MI.
Attack
The supply chain has been a viable attack point for over a decade, yet not enough attention has been paid to it. This is where the common saying applies: you are only as strong as your weakest link. As you grant access to, or contract with, services outside the organization, unless senior management has the vendor fully vetted and that vetting regularly updated, the organization is inviting a significant amount of risk.

The issue arose with billing. Management had contracted medical billing to Wolverine Solutions Group (WSG). The vendor was pwned: it was the victim of a very successful ransomware attack. The attackers gained access to the data and encrypted it; it was later decrypted. These events occurred in September 2018. Spectrum Health was notified on December 17, 2018, and issued a press release on March 14, 2019. As the dates show, there was a significant lag. Normally this would not take so long; in this instance, verifying what the attack had done took time, and Spectrum Health and WSG each conducted their own separate investigation. This assuredly was costly and consumed many people's time.
Affected
This directly affected approximately 60k Spectrum Health Lakeland patients. Fortunately it affected only patients of this specific facility; there are many other facilities that could also have been involved. The company stated it could neither confirm nor deny that patients' confidential data was exfiltrated. If you think it through, though, would an attacker spend the time on reconnaissance and the other steps needed to breach the network and then not take the data?

This also affected other clients of Wolverine Solutions Group. So far, it is known to have affected North Ottawa Community Health System, Mary Free Bed Rehabilitation Hospital, Health Alliance Plan, and Blue Cross Blue Shield of Michigan.
Data
The evidence does appear to indicate the data was accessed by unauthorized parties. It included names, social security numbers, addresses, health services provided, insurance companies, and amounts due. This information would be very useful for social engineering or identity theft.
Thoughts
For a business handling confidential, sensitive data, especially in the age of HIPAA, one would think Wolverine Solutions Group (WSG) would have had a relatively sophisticated security program in place, including log analysis, a SIEM, and other monitoring. In this case, it took 2-3 months for WSG to realize it had been breached. Even with advanced techniques to cover their tracks, WSG still should have been able to detect the issue.

The company cannot confirm or deny that the confidential data was stolen. While that may be true, at the very least the attackers viewed it, and they could have copied and exfiltrated it with no difficulty. The idea that attackers would not attempt to steal the data after spending the time and money to learn the system and breach it does not hold water, especially when you consider the risk of arrest and jail they accepted and the 2-3 months of access they had.

This emphasizes the need to examine the business supply chain in depth. If any vendors connect to your systems, their security posture truly needs to be evaluated. There is absolutely no need to accept or introduce risk you do not completely understand, unless you want your organization in the Sunday paper.

Resources
Garrity, M. (2019, March 15). Spectrum Health is the 3rd provider affected in Wolverine vendor cyberattack. Retrieved from https://www.beckershospitalreview.com/cybersecurity/spectrum-health-is-the-third-provider-affected-in-wolverine-vendor-cyberattack.html
Kransz, M. (2019, March 14). 60k patients at Spectrum Health Lakeland possibly impacted by data breach. Retrieved from https://www.mlive.com/news/kalamazoo/2019/03/60k-patients-at-spectrum-health-lakeland-possibly-impacted-by-data-breach.html
Wittkowski, T. (2019, March 15). Spectrum Health Lakeland announces data breach: Officials say cyber attack happened through vendor. Retrieved from https://www.heraldpalladium.com/news/local/spectrum-health-lakeland-announces-data-breach/
WSJM. (2019, March 14). Spectrum Health Lakeland affected by healthcare data breach. Retrieved from https://www.wsjm.com/2019/03/14/spectrum-health-lakeland-affected-by-healthcare-data-breach/

Sunday, January 5, 2020

Ransomware paid in Jackson County!

Ransomware is a nightmare for business. All it takes is one user in the targeted department and the workday becomes very interesting, very quickly. One set of targets is the government units throughout the states: large cities, towns, counties, and other bodies. These entities have limited resources, which seem to diminish every year. A recent successful attack hit Jackson County, Georgia, located northeast of Atlanta, approximately 60 miles away.
Ransomware
Ransomware, unfortunately, is everywhere, from basic variants to much more advanced strains with many more functions. Clearly, there was a breach. Staff began to notice a problem when computers, services, websites, and email stopped working on March 1, 2019. The county told the public on March 5 that there was an issue, and on March 6 posted on Facebook that its email system was down. It took a few days to understand what had happened. This attack was rather advanced, using the Ryuk ransomware strain, and it cut off the county's online communications in addition to the usual symptoms, shutting down the entire computer and internet network. In the interim, the county had to do everything on paper. The attackers are estimated to have been in the network for a couple of weeks before the ransomware was executed, and their focus was access to police and county records. In effect, every device connected to the internet was shut down. Fortunately, the 911 system was not affected.
Help!
The county contacted the FBI and other cybersecurity experts. After their review, they found they could not undo the attack's effects; they tried to decrypt the files and systems for a week with no luck. The county decided to pay the ransom; it could have kept trying to decrypt for months with the same result. The county hired an incident response consultant to negotiate. The ransom demanded was 100 Bitcoin, worth approximately $400k at the time. Unfortunately, the ransom was paid, and the county felt it had to. Without the decryption key, the equipment would be bricks and the files inaccessible, and the county would have had to replace everything and start over. The payment was a business decision. The status of backups was not published; presumably there was a problem with them, since restoring from backup would normally be the viable alternative.
This is not the first successful ransomware attack in Georgia. Atlanta was hit in 2018 and did not pay the ransom; the city replaced its equipment instead. The immediate cost was $2.6M, and the total cost approached $17M.
Thoughts
Prevention, prevention, prevention. The problem may be alleviated somewhat with pertinent, sustained training, focused on what staff should watch for. Also, with the Ryuk strain, the initial access vector may have been weak RDP passwords; there may be training for that, along with an update to the password conventions.

Resources
Dark Reading. (2019, March 11). Georgia's Jackson County pays $400k to ransomware attackers. Retrieved from https://www.darkreading.com/attacks-breaches/georgias-jackson-county-pays-$400k-to-ransomware-attackers/d/d-id/1334124
Ford, W. (2019, March 8). Cyber attack forces Jackson County to pay $400k ransom. Retrieved from https://www.onlineathens.com/news/20190308/cyber-attack-forces-jackson-county-to-pay-400k-ransom
Forsythe, K. (2019, March 14). Ryuk saga: County government pays nearly $400k to hackers. Retrieved from https://medium.com/@newworldoptimist/county-government-pays-nearly-400k-to-hackers-ef95ea889159
Townsend, K. (2019, March 11). Georgia county criticized over $400k ransomware payment. Retrieved from https://www.securityboulevard.com/2019/03/jackson-county-criticized-over-400k-ransomware-payment
Truta, F. (2019, March 11). Jackson County pays ransomware operators $400k to regain access to computers. Retrieved from https://securityboulevard.com/2019/03/jackson-county-pays-ransomware-operators-400k-to-regain-access-to-computers/