Saturday, February 22, 2020

Compromising an Electronics Giant


Mitsubishi Electric is a global leader in electronics and electrical equipment manufacturing. With its expansive product line and capabilities, it is a giant in the industry. Even so, it is still targeted!
Breach
The breach occurred on June 28, 2019. This was not announced until January 2020, and it might never have been announced publicly at all had two newspapers (Nikkei and Asahi Shimbun) not published articles on it. This was probably not the optimal strategy, and it may have created or added to a sense of mistrust. With a compromise of a business this size, the issue was bound to become known in public circles.
Bad Actor
The newspapers both named Tick as the malicious party behind the compromise. Tick is a Chinese-linked cyber-espionage group. While it may not be well known in the enterprise community, the group is well known in InfoSec.
Symptoms of the Issue
Everything appeared fine until that fateful day, when Mitsubishi Electric staff detected a suspicious file on one of their servers. At the same time there was unusual network behavior and irregular activity, which added to the suspicion. Once it was determined there was an issue, it was traced back to a compromised user account. Through this avenue, the attack continued: the attackers gained access to approximately 14 other company department networks, including the sales and head administration networks. The attack ended up compromising tens of PCs and services in Japan and other locations. In a stroke of genius, the attackers also deleted access logs in an attempt to cover their tracks.
Data
Once the abnormal behavior was noted, external access was restricted immediately. While this action was heroic, data had already been exfiltrated from the internal network; the estimate is that 200 MB of data was stolen. There is a mixture of reports on what was exfiltrated. The data pool consists mostly of business documents relating to government agencies and other business partners. This may also have included email exchanges with the Defense Ministry and Nuclear Registry Authority, and projects with private firms (e.g. utilities, railway operators, communications, and automakers). It also involved personal information: recruitment application information and new graduate recruitment applications for 1,987 persons. Lastly, 2012 survey results regarding personnel treatment for 4,566 employees and 1,569 retirees were in the exfiltrated data pool. While not in the several hundred thousand range, this is still a rather large number of persons affected.
???
One question that comes to mind is why this took so long to report. The investigation itself was complex. The attackers thought through the attack and deleted activity logs. This, coupled with the attack method, would have made the investigation a challenging activity. Simply investigating a compromise of this kind takes time, given the many avenues through which the attack could have proceeded.
It is not likely that more substantive details will follow. This would have been another opportunity to learn from, so that others would be able to build their defenses against similar attacks.
Resources
Cimpanu, C. (2020, January 20). Mitsubishi Electric discloses security breach, China is main suspect. Retrieved from https://www.zdnet.com/article/mitsubishi-electric-discloses-security-breach-china-is-main-suspect/
Gatlan, S. (2020, January 20). Mitsubishi Electric warns of data leak after security breach. Retrieved from https://www.bleepingcomputer.com/news/security/mitsubishi-electric-warns-of-data-leak-after-security-breach/
Japan Times. (2020, January 20). Mitsubishi Electric data likely compromised in massive cyberattack blamed on Chinese group. Retrieved from https://www.japantimes.co.jp/news/2020/01/20/business/corporate-business/mitsubishi-electric-cyberattack-china/?mid=1#cid=9238821
National Cybersecurity. (2020, January 20). Mitsubishi Electric discloses information leak. Retrieved from https://nationalcybersecurity.com/infosec-mitsubishi-electric-discloses-information-leak/
Nikkei. (2020, January 20). Mitsubishi Electric data may have been compromised in cyberattack. Retrieved from https://asia.nikkei.com/Business/Companies/Mitsubishi-Electric-data-may-have-been-compromised-in-cyberattack
Paganini, P. (2020, January 20). Mitsubishi Electric discloses data breach, media blame China-linked APT. Retrieved from https://securityaffairs.co/wordpress/96636/data-breach/mitsubishi-electric-data-breach.html

Thursday, February 13, 2020

Photography service pwned!


Photography has been a hobby for decades. People take pictures on vacation, of their friends, pets, and virtually everything else. For special events, e.g. a wedding or graduation, they may hire a professional not only to take the pictures but also to print them on quality paper.
Target
In this instance, the target was 500px, a photography website used, among other services, to store portfolios. The breach occurred on or about July 5, 2018. It directly affected 14,870,304 of the service's user accounts, or nearly all of them. Put another way, if a user had an account on or before July 5, 2018, they were impacted.
Attack
The organization was the victim of a successful attack, breach, and compromise. The data exfiltrated included names, user names, email addresses, birth date if the user provided it, city, state, country, and gender. This data is easily sold or otherwise used maliciously: it could be sold, used by the attackers directly, or simply used for credential stuffing attacks.
???
The timing of the breach and its detection seems unusual. Detection appears to have taken nearly 7.3 months. This seems a bit long by any timeline. Seemingly any SIEM would have detected not only the unauthorized IP address, but also the mass amount of data being exfiltrated from the organization; nearly 15M user records is a large amount of data. Also, the organization did not indicate how the attack happened. By now, the hole or vulnerability would have been fixed, so publishing the details would not have hurt the organization. Management could have disclosed something about the successful attack, even at a high level.
Remediation
There was a password reset for the 14.8M affected users. Carrying this out required a massive amount of time, which was compounded by calls from users questioning what happened.

Resources
Digital Trends. (2019, February). 500px reveals almost 15 million users are caught up in security breach. Retrieved from https://www.digitaltrends.com/computing/500px-almost-15-million-users-caught-up-in-security-breach/

Dunn, J.E. (2019, February 15). Photography site 500px resets 14.8 million passwords after data breach. Retrieved from https://nakedsecurity.sophos.com/2019/02/15/photography-site-600px-resets-14-8-million-passwords-after-data-breach/

Page, C. (2019, February 13). 500px confirms 2018 data breach that exposed data on 15 million users. Retrieved from https://www.theinquirer.net/inquirer/news/3070980/500px-data-breach



Friday, February 7, 2020

Attacked down under: Hospitals pwned!


In our lifetimes, we may visit the hospital two or three times, or more. Medical facilities require data and information to operate. This is presently in the form of EHR and EMR (electronic health records and electronic medical records). These allow doctors to complete their tasks, nurses to pass medications, physical therapists to provide therapy, etc. Without these services being available, there is a mortal danger. A number of hospitals were attacked in 3Q2019 and their operations were affected.
Targets
For this set of attacks, the medical facilities were located in the Australian state of Victoria. In particular, this affected two large health systems: the Gippsland Health Alliance and the South West Rural Health Alliance (SWARH). SWARH provides health care services for approximately 23k square miles, ranging from West Melbourne to the border of South Australia. While this is substantial, the attacks also affected Barwon Health, a regional network in the Geelong region, and West Gippsland Healthcare Group. Overall, at least seven major hospitals were breached. There were also, unfortunately, other servers across the state compromised during this set of attacks. The hospitals needed to segregate and disconnect systems to stop the wave of compromised systems; in effect, they quarantined the systems from the internet.
Attack
The hospitals were already prepared to some extent for cyber-attacks. Even so, the attackers were able to bypass the security controls already in place. The means for this was ransomware, which has become an epidemic in the industry. Through the attack, the attackers were able to gain unauthorized access. The ransomware was used, as in the myriad of other attacks, to encrypt the hospitals' respective files. The attacks focused on patient booking and financial systems and were designed to bring down their operations. With a patient booking system down, unless you have the next few days or weeks printed out, you can't know for certain what appointments are upcoming, or the types of procedures. Due to this, the hospitals were not able to plan their operations. Without the financial system, the hospital could not pay salaries or bills; budgeting processes would not work, and the finance department would not be able to ensure departments stayed within their spending limits. As of October 2, 2019, no specific ransom had been demanded.
Effects
At least one hospital was forced to resort to pen-and-paper systems for booking appointments and procedures. During the outage, the hospitals were not able to access patient histories, charts, images, and other data. This did not affect every department, and the emergency departments were spared.
Data
The press release stated there was no evidence the personal patient information had been accessed. Such data, however, does not go stale: if it was taken, it could be used for years to come by unauthorized parties.
Remediation
While this successful attack is significant, the hospitals and other affected systems were assisted by the Victorian Cyber Incident Response Service and the Australian Cyber Security Center. The management for the Victorian Government Cyber Incident Response Service recommended not paying the ransom. This is generally the best route for the breached organizations.

Resources
Australian Associated Press. (2019, September 30). Systems shut down in Victorian hospitals after suspected cyber attack. Retrieved from https://www.theguardian.com/australia-news/2019/oct/01/systems-shut-down-in-victorian-hospitals-after-suspected-cyber-attack

Department of Premier and Cabinet. (2019, September 30). Cyber health incident. Retrieved from https://www.vic.gov/au/cyber-health-incident

Gatlan, S. (2019, October 1). U.S. and Australian hospitals targeted by new ransomware attacks. Retrieved from https://www.bleepingcomputer.com/news/security/us-and-australian-hospitals-targeted-by-new-ransomware-attacks/

Goodin, D. (2019, October 1). Ransomware forces three hospitals to turn away all but the most critical patients. Retrieved from https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/

Hattersley-Gray, R. (2019, October 1). New ransomware attacks hit U.S., Australian hospitals. Retrieved from https://www.campussafetymagazine.com/news/new-ransomware-attacks-hit-u-s-australian-hospitals/

Kirk, J. (2019, October 2). Australian medical facilities hit by ransomware. Retrieved from https://www.govinfosecurity.com/australian-medical-facilities-hit-by-ransomware-a-13167


Not even dating sites are excluded!

The prominence of the internet has permeated most industries. One notable example is dating applications, which give people the opportunity to meet based on personal preferences; there are many such choices for consenting adults. One of these, OKCupid, had the opportunity to practice implementing their incident response plan with expertise! Of all the industries that could be attacked, what makes dating applications an attractive target is the data they hold. This may include names, email addresses, possibly payment information, and other pertinent data. This may be sold on the dark web, but also possibly used for credential stuffing.
Attack
This was a successful attack. A portion of OKCupid's user accounts appears to have been compromised. Users stated their accounts had been accessed by an unauthorized party and that the password had been changed along with the email address for the account, effectively locking them out of their own accounts. This does appear to be a credential stuffing attack. OKCupid has stated there had been no hacking of the user accounts. This may actually be the case, as the accounts taken over were sporadic and without a trend, and the takeovers may have been simply due to user negligence.
Could have, would have, and should have
To decrease the opportunity for this to happen to other organizations, there are a few things a business could do. These are relatively simple, yet effective. One is to set the system up so that when there is a change to the account, the user receives an email before the change takes effect. This would serve to notify the user, in case of an attack, of what is occurring with their account. The organization could also use MFA (multi-factor authentication) to assist with this. Generally there is a cost to MFA; however, it is used by many businesses and works well.
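As an added illustration of the first recommendation (hypothetical example code, not OKCupid's and not from any of the cited articles), here is a confirm-before-change flow in Python: a request to change the account email is held as pending, and a one-time token is mailed to the address currently on file, so an attacker who only holds a stuffed password cannot silently re-point the account. The `Outbox` mailer and the 15-minute token lifetime are assumptions for the example.

```python
# Confirm-before-change for an account e-mail address: the change stays pending
# until a one-time token mailed to the CURRENT address is presented. Hypothetical example.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime of a confirmation token

@dataclass
class Account:
    email: str
    pending: dict = field(default_factory=dict)   # at most one pending change

class Outbox:
    """Constructed stand-in for a mail sender; it just records (to, body)."""
    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_email_change(acct, new_email, outbox, now=None):
    """Record the requested change and mail a confirmation token to the
    address currently on file, so the real owner is warned and must act even
    if an attacker already holds the password (e.g. via credential stuffing)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending = {"new_email": new_email,
                    "token_digest": _digest(token),   # store a digest, not the token
                    "expires": now + TOKEN_TTL_SECONDS}
    outbox.send(acct.email, f"Confirm change to {new_email}: token={token}")

def confirm_email_change(acct, token, now=None):
    """Apply the pending change only for a fresh, matching token; the token is
    single-use and an expired request is discarded."""
    now = time.time() if now is None else now
    p = acct.pending
    if not p or now > p["expires"]:
        acct.pending = {}
        return False
    if not hmac.compare_digest(_digest(token), p["token_digest"]):
        return False
    acct.email = p["new_email"]
    acct.pending = {}
    return True
```

A password change would follow the same pattern, with the notification again going to the address on file before the new password is accepted.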
Resources
Cyware. (2019, February 12). Dating site OKCupid potentially hit by a credential stuffing attack. Retrieved from https://cyware.com/news/dating-stie-okcupid-potentially-hit-by-a-credential-stuffing-attack-6aa9e21f
Dark Reading Staff. (2019, February 11). OKCupid denies data breach amid account hack complaints. Retrieved from https://www.darkreading.com/endpoint/okcupid-denies-data-breach-amid-account-hack-complaints/d/d-id/1333842
Information Security Buzz. (2019, February 12). OKCupid hit by hackers. Retrieved from https://www.itsecuritynews.info/okcupid-hit-by-hackers/
PYMNTS. (2019, February 11). OKCupid user accounts are hacked. Retrieved from https://www.pymnts.com/news/security-and-risk/2019/okcupit-user-accounts-hacked/
Security Experts. (2019, February). OKCupid hit by hackers. Retrieved from http://www.hackbusters.com/news/stories/4348667-okcupid-hit-by-hackers
Security Experts. (2019, February 12). OKCupid hit by hackers. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/okcupid-hit-by-hackers/#disqus_thread