Saturday, May 30, 2020

Sberbank Breached



Banks are located throughout the world. They perform vital services for consumers and commercial organizations in every country in which they operate, and they are connected to their respective nations’ banking systems. Another commonality is that they hold a massive amount of data, which is very attractive to attackers for many reasons. This is also a concern for consumers, as their personally identifiable information (PII) ends up in the hands of unauthorized persons. Sberbank was targeted and data was removed without its authorization. Sberbank is Russia’s largest bank, holding 45% of all retail deposits and 41% of consumer loans. In this instance, the Russian state owns the controlling stake in the bank.
Attack
Obviously, the attack was successful, which is a problem. The organization estimates the breach occurred near the end of August 2019. The cause of this breach is unfortunately somewhat common, in the US and abroad. With employees, there is always the chance of an internal threat from the disgruntled, greedy, or unhappy employee. In this case, the bank is reporting the breach of data was due to an employee’s intentional acts. The bank noted it had to be an internal employee, as the data’s location made it impossible to breach from outside.

Later, the speculation ended when the bank reported the attacker had been apprehended. During the investigation, the employee became the focus and eventually confessed. The employee was the head of one of the bank’s divisions and, as part of that role, had access to the databases, which explains how the data was exfiltrated despite its remote location and restricted access.
Data
With the attack, the personal data of millions of Sberbank’s customers was allegedly leaked initially. Fortunately for the affected persons, the target was the data; the funds in the affected persons’ account(s) were not targeted. The bank initially estimated 60M Sberbank credit cardholders had their personal data stolen and put up for sale on the dark web. This estimate appears to have been a bit inflated, and the true number was far less, possibly as low as 5k. The last reported sale price was $0.08 per record.

Surprisingly, the data leak and the data being offered for sale were not noticed by the bank. Even if the amount of data was only the 5k records, this seemingly should have triggered some form of alarm. After all, even a division manager probably would not have a need to download 5k individual records; their position would be more engaged with summaries and forward-looking goals. This oversight was caught by DeviceLock Cybersecurity, a cybersecurity organization, when it noticed the data for sale on the dark web. At times, a seller may make fantastic claims about the composition of the data for sale. In this case, however, a sample of 200 credit card holders’ data was verified, indicating the data is real. The data liberated in this case included the credit card details, excluding the three-digit CVV, and place of employment for the last ten years. While the affected persons have a bit of good news in the CVV not being part of this, they may still be targeted for fraud due to the nature of the data itself.
Follow-Through
After the bank was notified, it reported this to and is working closely with law enforcement and the Central Bank of Russia to find the culprits. As noted, this was beneficial as the

Resources
Auyezov, O., & Lyrchikova, A. (2019, October 3). Russia’s sberbank investigating potential client data leak. Retrieved from https://www.reuters.com/article/us-sberbank-russia-dataprotection/russias-sberbank-investigating-potential-client-data-leak-idUSKBIN1@i0Wl

Hinchliffe, R. (2019, October 9). Russia’s sberbank catches internal culprit of data leak. Retrieved from https://www.fintechfutures.com/author/hinchliffer/

Leprince-Ringuet, D. (2019, October 4). Russia’s sberbank investigates credit card data leak. Retrieved from https://www.zdnet.com/article/russieas-sberbank-investigates-credit-card-data-leak

Ljubas, Z. (2019, October 19). Russia: Huge data leak hits sberbank. Retrieved from https://www.occrp.org/en/daily/10797-russia-huge-data-leak-hits-sberbank

PMNTS. (2019, October 4). Russia’s sberbank investigating potential client data leak. Retrieved from https://www.pymnts.com/news/security-and-risk/2019/russias-sberbank-investigating-cleint-data-leak/

Spadafora, A. (2019, October 3). Russia’s sberbank hit with huge data leak. Retrieved from https://www.techradar.com/news/russias-sberbank-hit-with-huge-data-leak
The Moscow Times. (2019, October 3). Sberbank hit by huge data breach. Retrieved from https://www.themoscowtimes.com/2019/10/03/sberbank-hit-by-huge-data-breach-a67570

The Moscow Times. (2019, October 3). Sberbank hit by huge data breach. Retrieved from https://www.wedn.com/2019/10/03/sberbank-hit-by-huge-data-breach/

Walker, J. (2019, October 8). Sberbank of Russia completes investigation into the dark web data leak. Retrieved from https://portswigger.net/daily-swig/sberbank-of-russia-completes-investigation-into-dark-web-data-leak

Thursday, May 28, 2020

Spartans compromised: MSU breached


Michigan State University (MSU), located in East Lansing, Michigan, is one of the premier institutions in the Midwest. It has a 5,300-acre campus with 563 buildings, with nearly 20,000 acres throughout Michigan used for agricultural and natural resources research and education. In Fall 2019, there were 49,809 students. With such a large number of students, the amount of data generated by the students and administrative staff is massive year after year. This data, including the confidential data of the students, provides a significant target for attackers, and it drew them to the University’s servers and data.

Attack
Ransomware has been a nasty part of our environment for the last few years. It is a good attack tool due to its low operational overhead and potentially large payoff. With this mode, it simply takes the right person in the right department clicking on the malware or link. Unfortunately for MSU, the tool was used against the university successfully. The attackers were able to breach the network, access the targeted data, and exfiltrate it. They have demanded a ransom be paid within a week of the successful attack; if the university does not pay, the attackers are willing to leak the stolen files.

Data
The university believes, but is not certain, that the breach and subsequent intrusion were limited to one (1) isolated unit on the campus. While this is a good thing, the breach itself is still an issue. The files included student records, e.g. passport scans and other private, confidential data, along with university financial documents.

Attackers
The attackers apparently used Netwalker, sometimes referred to as Mailto, ransomware. This ransomware variant was coded to attack the enterprise rather than individual user workstations. With this variant, once the clock runs down to zero, the data and the decryption key are automatically published.

Mitigation

This is a rather significant issue. A prominent university has been pwned, and its data is being held for ransom. After this was detected, the IT Department took the affected systems and servers offline to prevent further exposure. MSU’s IT Department notified law enforcement, including the MSU Police Department and Michigan State Police, of the successful attack and threats so the investigation could begin.

The latest successful attack is yet another clear indication that we need more cybersecurity training that is relevant. Without it, these attacks will continue to be successful and cause an abundance of harm to the organization, staff, and other parties as collateral damage.

Resources
Cimpanu, C. (2020, May 28). Michigan state university hit by ransomware gang. Retrieved from https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/

Dissent. (2020, May 28). Michigan state hit by ransomware threatening leak of student and financial data. Retrieved from https://www.databreaches.net/michigan-state-hit-by-ransomware-threatening-leak-of-student-and-financial-data/

Freed, B. (2020, May 27). Michigan state hit by ransomware threatening leak of student and financial data. Retrieved from https://edscoop.com/michigan-state-hit-by-ransomware-threatening-leak-of-student-and-financial-data/

Guzman, W. (2020, May 28). Michigan state target of ransomware attack threatening to release university data. Retrieved from https://statenews.com/article/2020/05/michigan-state-target-of-ransomware-attack-threatening-to-release-university-data?ct=content_open&cv=cbox_latest

Marowski, S. (2020, May 28). Ransomware attack threatens to release stolen Michigan state university files. Retrieved from https://www.mlive.com/news/jackson/2020/05/ransomware-attack-threatens-to-release-stolen-michigan-state-university-files.html

Michigan State University. (n.d.). MSU facts. Retrieved from https://msu.edu/about/thisismsu/facts.php

Tuesday, May 26, 2020

Home Chef’s customer data for sale: Come and get it!



Home Chef, a US-based company, is a meal kit delivery service. If you don’t have time to go to the grocery store and are looking for healthy meals, you can contract with them for meal deliveries to your home. The ingredients show up in a box and you are ready to go! While not an overly complex process, this is still pertinent.

Data Breach
As part of the service, you pay for the deliveries with your credit card; the company isn’t going to ship your food and hope you pay the bill. The organization collects certain data from its clients to facilitate this, which is part of the standard operating procedure. Nearly all companies follow this model.

In this case, there was a successful attack. The compromised customer information included the customer’s name, email address, phone number, and last four digits of the credit card number. This would have been a much bigger issue; however, Home Chef does not retain full credit card numbers. In addition, encrypted passwords and certain account details (e.g. frequency of deliveries and mailing addresses) were also compromised.

Home Chef has not stated how many customers were affected. As a clue to the general number, the attackers responsible, Shiny Hunters, claim to be selling approximately 8M records. The price of this database was $2,500. Given the number of records and the data in each record, this is not that bad of a deal. To authenticate the data, Shiny Hunters also provided a sample.

The attack itself also is a bit of a mystery. The company is not stating how this occurred, which is unfortunate, as we could use this information as a learning tool. Curiously, Home Chef did not know this had occurred, which is a bit strange as the SIEM should have picked up a bit of unusual activity since, you know, a few records (8M) were compromised and exfiltrated. Home Chef learned of this after it discovered the records were being sold on the dark web. Oops. The InfoSec group probably should have picked up on this. It is also notable that completing this compromise would need a bit of time. It is likely the attackers had access to the systems and data for an extended period as they completed their attack.
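The point made here, and the same point made earlier on this page about a division manager pulling 5k Sberbank records, comes down to baselining how many records each account normally touches and alerting on the outliers. The following is an added example (not code from Home Chef, Sberbank or any vendor) that runs that check over constructed database audit-log lines; the log format, user names, thresholds and business hours are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed database audit-log lines (sample data, not from any real incident).
# Assumed format: ISO timestamp, user, table queried, rows returned, client source.
SAMPLE_LOG = """\
2019-08-26T10:02:11Z user=div_head table=cardholders rows=12 src=10.0.5.12
2019-08-26T14:40:51Z user=div_head table=cardholders rows=8 src=10.0.5.12
2019-08-27T09:15:30Z user=div_head table=cardholders rows=15 src=10.0.5.12
2019-08-27T11:03:02Z user=analyst1 table=cardholders rows=400 src=10.0.7.40
2019-08-28T10:41:19Z user=div_head table=cardholders rows=10 src=10.0.5.12
2019-08-28T16:22:45Z user=analyst1 table=cardholders rows=350 src=10.0.7.40
2019-08-29T22:14:03Z user=div_head table=cardholders rows=5000 src=10.0.5.12
2019-08-29T23:01:47Z user=svc_web table=customers rows=8000000 src=10.0.9.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn audit-log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "table": m["table"],
            "rows": int(m["rows"]),
            "src": m["src"],
        })
    return events


def daily_rows(events):
    """Total rows returned per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["rows"]
    return totals


def detect_bulk_access(events, min_rows=1000, ratio=10.0):
    """Flag a user's day when its row total is at least min_rows AND at least
    ratio times the median of that user's earlier days. A user with no history
    gets a baseline of 0, so any bulk pull by a never-seen account is flagged."""
    alerts = []
    history = defaultdict(list)
    # Items sort by (user, day), so each user's days are visited in order.
    for (user, day), rows in sorted(daily_rows(events).items()):
        baseline = median(history[user]) if history[user] else 0
        if rows >= min_rows and rows >= ratio * max(baseline, 1):
            alerts.append({"user": user, "day": day.isoformat(),
                           "rows": rows, "baseline": baseline})
        history[user].append(rows)
    return alerts


def off_hours_bulk(events, min_rows=1000, start_hour=8, end_hour=19):
    """Flag single queries returning min_rows or more outside assumed business hours (UTC)."""
    return [(e["user"], e["ts"].isoformat(), e["rows"]) for e in events
            if e["rows"] >= min_rows and not (start_hour <= e["ts"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bulk_access(evs):
        print("bulk access:", a)
    for hit in off_hours_bulk(evs):
        print("off-hours bulk query:", hit)
```

On the constructed sample, the division head's 5,000-row pull and the 8M-row dump by the service account are both flagged, while the analyst's routine few-hundred-row queries are not.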

Mitigation
Naturally, when this occurs, there is a lot of activity very quickly. The company did state it was taking quick and aggressive actions to investigate the breach.

Follow-Up
Too frequently, companies are not overly aggressive in their timeline to contact law enforcement. Home Chef, on the other hand, handled this efficiently and contacted them quickly. The company emailed the affected customers, and did so quicker than other firms in like circumstances, which is a good thing. The company is also recommending the customers change their passwords out of an abundance of caution. Remember, the passwords were encrypted; however, the company may have used weak encryption, which would be a problem. If these were to be decrypted, there would be a big problem for the customers. Changing passwords is also a good idea due to the potential for credential stuffing, i.e. the attackers using your password to try to access other accounts. If users did use the same password across several domains, those should also be changed. The customers should also use MFA (multi-factor authentication) moving forward as an additional protection.

Resources
Abrams, L. (2020, May 20). Home chef announces data breach after hacker sells 8M user records. Retrieved from https://www.bleepingcomputer.com/news/security/home-chef-announces-data-breach-after-hacker-sells-8m-user-records/

GearBrain Editorial Team. (2020, May 21). Data breach weekly security report: Which company lost control of your information this week. Retrieved from https://www.gearbrain.com/data-breach-cybersecurity-latest-hacks-2633724298.html

Home Chef Help Center. (2020). Home chef data security incident. Retrieved from https://support.homechef.com/hc/en-us/sections/360008878052-Home-Chef-Data-Security-Incident

Mihalcik, C. (2020, May 20). Home chef confirms data breach after customer info reportedly sold on dark web. Retrieved from https://www.cnet.com/news/home-chef-confirms-data-breach-after-customer-info-reportedly-sold-on-dark-web/

S, G. (2020, May 21). Home chef hacked-Hackers selling 8M user records on a dark web marketplace. Retrieved from https://gbhackers.com/home-chef-hacked/

Whitney, L. (2020, May 21). How home chef’s sensitive data was compromised by a cyberattack. Retrieved from https://www.techrepublic.com/article/how-home-chefs-sensitive-customer-data-was-compromised-by-a-cyberattack/


Saturday, May 16, 2020

Canadian University Breached



Universities have been targeted for well over a decade. These institutions are the stewards of their students’ data and information. As this is valuable to the persons attacking the institutions, the attacks tend to be rather frequent. Recently, York University, a university in Canada, was successfully attacked.
Attack Timing
When you are planning an attack, you probably don’t want to begin when the cybersecurity staff is there, monitoring the systems and ready to address the attack right after it is detected. It would be much better to wait until a full staff is not present to work to stop the attack.

The attackers took a page from the standard attack playbook and began their attack on Friday evening. At this point, the staff was headed home for the weekend and not thinking about cybersecurity.

Attack
The attackers focused on the areas holding the data they were seeking to exfiltrate. The targets, in this case, were the servers and workstations at the University.

Mitigation
While the attack was timed well, the staff was able to detect it quickly. Without their work, the attack’s effects would have been much worse. The staff was able to directly address this to limit the successful aspects of the attack. The primary method to resolve this was to shut down the University’s computer systems, disconnecting them from the internet.

After the attack, the University also contracted with external computer forensic professionals, whose role was to fully research the attack. The attack, per the University, was complex. Given this, the research work will take a fair amount of time to fully complete.

Over the weekend the University was able to restore Office 365, password changes, on-campus student access to the internet, and the University website.

The University also worked on restoring the VPN for HR and Finance, central mail, and the remaining faculty websites.

The University is requiring everyone affiliated with the University to reset their passwords. This was directly due to the successful attack.

Additional Information?
At this stage, not much information has been provided. The forensic examination requires the time needed to fully explore the attack. As much as possible, every facet needs to be detailed and correct.

While this is the standard operating procedure, the University has not provided much information regarding the attack. This should be released so that the industry can learn from it.
One aspect the students did not appreciate was the lack of communication about the attack. The University did not communicate this to the students, who had to learn of it from statements posted online and on social media. With an attack of this nature, where their data may have been compromised by whoever did the attack, there really should have been an official communication.

Resources
Cameroon Magazine. (2020, April 5). York university falls victim to a serious attack. Retrieved from https://fr.cameroonmagazine.com/actualite-internationale/york-university-falls-victim-to-a-serious-cyber-attack-news/
CBC News. (2020, May 4). Students, experts call for explanation after York university suffers ‘extremely serious’ cyber attack. Retrieved from https://www.cbc.ca/news/canada/toronto/york-university-cyber-attack-1.5555106
DH Toronto Staff. (2020, May 4). York university falls victim to a “serious cyber attack”. Retrieved from https://dailyhive.com/toronto/york-university-serious-cyber-attack

Thursday, May 7, 2020

GoDaddy continues with its cybersecurity issue trend



Everyone knows of GoDaddy (https://www.godaddy.com/) and their services. Years ago, the business became a household name with their commercials. Since this time, the business has grown and become a bit more conservative, as evidenced by their website. This growth has made GoDaddy the world’s largest domain registrar with 19 million customers, 7 million managed domains, and millions of hosted websites. In comparison to GoDaddy’s peers, this is huge.

Breach
The short summary is there was a data breach focused on web hosting account credentials. This is a rather serious issue for GoDaddy. With the amount of data held with the credentials and the other confidential information GoDaddy holds for its clients, the targeting was no surprise.

The breach came to light in an indirect manner. The breach itself was not identified directly; rather, odd activity was noticed on a portion of the GoDaddy servers on April 17, 2020. Six days later, on April 23, 2020, the affected customers were identified.

The breach itself allegedly occurred on October 19, 2019, over six months ago, per the State of California Department of Justice. A notice was filed per California Civil Code section 1798.29(e). This was disclosed by GoDaddy on May 4, 2020; the business only published and began to inform the affected persons in early May 2020.

This was confirmed by Demetrius Comes, the CISO and vice-president of engineering.

Method
Naturally, GoDaddy initiated an investigation. The parties concluded the unauthorized person acquired the login credentials, which meant they could connect over SSH to the compromised accounts. That access is what makes the attack specifically useful. Until the password was reset, the least the attacker could do would be to modify the websites with profane language or inappropriate images.

Scope
Fortunately, this did not affect all the accounts; it affected approximately 28k customers. It affected only the hosting accounts and did not involve the customer accounts, the main GoDaddy.com customer account, or the personal information held within these. They do note, for what it’s worth, it does not appear any files were modified or added to the affected accounts. They were not able to definitively state whether any of the files had been viewed or copied, though. The latter is really where the issue is focused. If the files had been modified, this is clearly not a good thing. Since the business doesn’t know if these were viewed or copied, the conservative view is that they were at least viewed and should be treated as such.

Mitigations
The business did take the conservative route, fortunately, and presumed there was access. To remove future issues on this specific point, the affected hosting account logins were toggled to require a reset. To assist the customers and answer their questions without inundating the helpline, an email was sent to the affected customers directing them to log in and describing the procedures to follow. Without the reset, the customers would not have access to their hosting account. GoDaddy also, as a follow-up, recommended the customers audit their hosting accounts for any anomalies. One of these may be admin accounts that were created by the unauthorized attacker.
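One concrete audit a hosting customer could run after such an SSH-credential reset, as an added example that is not GoDaddy’s own procedure: compare every key in the account’s authorized_keys file against the owner’s approved keys and flag anything else, since a key left behind would survive a password reset. The key blobs, comments and file contents below are constructed placeholders; the SHA256 fingerprint format is the one OpenSSH prints, and options containing whitespace inside quotes are assumed absent.

```python
import base64
import hashlib

# Key types recognised when locating the key blob in an authorized_keys line.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed "known good" keys the account owner actually issued.
# The base64 blobs are placeholders, not real key material.
APPROVED_KEYS = """\
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTE= owner@laptop
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTI= deploy@ci
"""

# Constructed ~/.ssh/authorized_keys as it might look on a hosting account
# after the incident: two approved keys plus two entries nobody can vouch for.
AUTHORIZED_KEYS = """\
# keys for the site owner
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTE= owner@laptop
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTI= deploy@ci

from="203.0.113.7" ssh-rsa Y29uc3RydWN0ZWQta2V5LTM= backup@unknown-host
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LTQ=
"""


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: base64(sha256(decoded blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys lines, tolerating comments, blank lines and a leading options field."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The key type is the first recognised token; anything before it is options.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        entries.append({
            "line": lineno, "malformed": False,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(authorized_text, approved_text):
    """Return one finding per entry that is malformed or whose fingerprint is not approved."""
    approved = {e["fingerprint"] for e in parse_authorized_keys(approved_text)
                if not e["malformed"]}
    findings = []
    for e in parse_authorized_keys(authorized_text):
        if e["malformed"]:
            findings.append({"line": e["line"], "reason": "malformed entry", "raw": e["raw"]})
        elif e["fingerprint"] not in approved:
            findings.append({"line": e["line"], "reason": "key not in approved list",
                             "type": e["type"], "options": e["options"],
                             "comment": e["comment"], "fingerprint": e["fingerprint"]})
    return findings


if __name__ == "__main__":
    for f in audit_authorized_keys(AUTHORIZED_KEYS, APPROVED_KEYS):
        print(f)
```

Every finding is a key to remove and a reason to look harder at that account; a clean run against the owner's own list should return nothing.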

When will this be over?
While the incident began over six months ago and the forensic work has been mostly completed, the investigation continues. Although it does appear GoDaddy’s actions ceased the attacker’s potential for access, GoDaddy is continuing to evaluate the breach’s effect across its environment. GoDaddy is not releasing much other information than what has been published already, unfortunately. The disclosure would be useful, as others in the industry could learn from it.

Issues
Indeed, the breach on its own is an issue for obvious reasons. There are other significant, legitimate concerns though.

One of these is that it is not known how many customers actually know their web hosting account credentials have been compromised. This is a problem in that, while the affected GoDaddy customers are unaware of their credentials floating through the internet we know and love, these may be used for malicious activities. In theory, if someone wanted to bother the customers, they could log in, change the credentials and other information, and make it very difficult for the authentic owner to log into their account unless funds were to exchange hands. They may also access other information that they could use to the real owner’s detriment.

To investigate these matters certainly takes a significant amount of time. The evidence would be sparse, possibly spread among different systems, and difficult to correlate. The well-versed attacker would also attempt to remove their footprint from the attack(s) to further complicate the detection and forensic work. With all the factors combined, this is not such a simple task. Bearing this in mind, GoDaddy still should have detected this well before the end of April 2020. Perhaps their SIEM should have picked up some form of anomalous activity prior to the six-month mark. Having their private information simply on sale or possibly being used for other, unauthorized means is not acceptable. Once the baseline breach information was accumulated and the forensic work on the system done, the users should have been notified. Granted, this should not have been immediate, but done at the appropriate time. It does appear this time was extended for some reason. Possibly the business wanted to be conservative and wait an extended period in the hope other evidence would come to light. Instead of attempting to balance this, the customers really should have been notified earlier.

GoDaddy is offering a year of complimentary security and malware removal for the affected customers, which it should. A year though is a minimum amount of time. If I were the attacker, I now know what the benchmark is and would game the system with starting the individual attacks a year and a few days later.

Trend?
This isn’t the only oversight reported in recent weeks. On March 31, 2020, the illustrious yet distinguished Brian Krebs reported a GoDaddy staff member was a victim of a spear-phishing attack. The attack, post establishing a foothold, pivoted and successfully attacked a limited number of other GoDaddy domain customers.

Last year also, attackers used hundreds of compromised GoDaddy accounts to create 15k subdomains. A portion of these was designed to impersonate popular website accounts or to redirect possible victims to spam pages. Earlier in 2019, GoDaddy was inserting JavaScript into its US customers’ websites without their authorization.

In 2018, GoDaddy publicly exposed high-level configuration data for tens of thousands of systems in AWS. This was due to a cloud storage misconfiguration.

Resources
Admin. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://www.burhani.co/godaddy-hack-breaches-hosting-account-credentials/

Ahmed, D. (2020, May 5). GoDaddy admits data breach affecting web hosting account credentials of unknown number of customers. Retrieved from https://www.hackread.com/godaddy-data-breach-hackers-access-ssh-accounts/

Chamberland, C. (2020, May 5). 28,000 GoDaddy hosting accounts compromised. Retrieved from https://www.wordfence.com/blog/2020/05/28000-godaddy-hosting-accounts-compromised/


Corfield, G. (2020, May 5). GoDaddy hack: Miscreant goes AWOL with 28,000 users’ SSH login creds after vandalizing server-side file. Retrieved from https://www.theregister.co.uk/2020/05/05/godaddy_ssh_login_details_compromised/

Digital Bulletin. (2020, May 6). GoDaddy suffers data breach to 28,000 customer accounts. Retrieved from https://www.digitalbullet.in/news/godaddy-suffers-data-breach-to-28000-customer-accounts

DigitalMunition. (2020, May 6). GoDaddy hack breaches hosting account credentials. Retrieved from https://www.digitalmunition.me/godaddy-hack-breaches-hosting-account-credentials/

Duckett, C. (2020, May 5). GoDaddy reports data breach involving SSH access on hosting accounts. Retrieved from https://www.zdnet.com/article/godaddy-reports-data-breach-involving-ssh-access-on-hosting-accounts/

Editor. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://flizzyy.com/godaddy-hack-breaches-hosting-account-credentials/

Gatlan, S. (2020, May 4). GoDaddy notifies users of breached hosting accounts. Retrieved from https://www.bleepingcomputer.com/news/security/godaddy-notifies-users-of-breached-hosting-accounts/

GoDaddy. (2020, May). GoDaddy help. Retrieved from https://www.godaddy.com/help/my-website-was-hacked-what-should-i-do-19945

Krebs, B. (2020, March 31). Phish of GoDaddy employee jeopardized escrow.com, among others. Retrieved from https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/

Montti, R. (2020, May 6). GoDaddy hosting breach undetected for 6 months. Retrieved from https://www.searchenginejournal.com/godaddy-hosting-exploit/366324/#close

Nelius, J. (2020, May 5). GoDaddy was apparently hacked last year, so check your hosting account credentials. Retrieved from https://gizmodo.com/godaddy-was-apparently-hacked-last-year-so-check-your-1843265524

Plato. (2020, May 6). GoDaddy hack-Attackers gained SSH access to customer hosting accounts. Retrieved from https://zephyrnet.com/godaddy-hack-attackers-gained-ssh-access-to-customer-hosting-accounts/

Rushax. (2020, May). GoDaddy hack 2020. Retrieved from https://rushax.com/godaddy-hack-2020/

Seals, T. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://milled.com/aranet-llc/new-post-godaddy-hack-breaches-hosting-account-credentials-KJta5z1ytxueGwNC


Security Magazine. (2020, May 6). GoDaddy confirms data breach-28,000 customers affected. Retrieved from https://www.securitymagazine.com/articles/92314-godaddy-confirms-data-breach---28000-customers-affected

ThreatPost. (2020, May 5). GoDaddy hack breaches hosting account credentials. Retrieved from https://www.itsecuritynews.info/godaddy-hack-breaches-hosting-account-credentials/

Whitney, L. (2020, May 5). GoDaddy data breach shows why businesses need to better secure their customer data. Retrieved from https://www.techrepublic.com/article/godaddy-data-breach-shows-why-businesses-need-to-better-secure-their-customer-data/

Winder, D. (2019, May 5). GoDaddy confirms data breach: What customers need to know. Retrieved from https://www.forbes.com/sites/daveywinder/2020/05/05/godaddy-confirms-data-breach-what-19-million-customers-need-to-know/#3a91a6051daa