Friday, June 26, 2020

Did I do that? Twitter data leakage

We have all heard of and probably use Twitter. Everyone recognizes the corporate logo and symbol. While there have been other social media outlets, Twitter has stayed the course and continues to be a social media giant.

Breach

Recently, Twitter had an issue with a breach, aka “data security incident” in corporate speak. The problem was detected by Twitter on May 20, 2020.

Affected Users

This did not affect all of the users, which would have been a disaster and epic fail. This only affected the business users who paid for advertisements on the platform, using Twitter Ads and Analytics Manager.

Data

The data involved was not critical; however, it should not have been leaked. It included the business user’s email address, billing address, phone numbers, and the last four digits of their credit card numbers. This could have been much worse for the clients if more of the information, including full credit card numbers, had been included. What further limits the issue is that the attacker would require access to the user’s browser to steal this information. This would have to occur one user at a time, with the attacker physically sitting at each machine. Given what it takes to retrieve the data, this attack, while an issue, is practical only in very limited circumstances. If retrieving the data had been much easier on a grander scale and more confidential information had been available, the story would be totally different.

How?

In this day and age of continued data loss, one would expect a data leakage program to be in place to check systems, configurations, and just about everything else to ensure, as much as you can, that this does not happen. Unfortunately, there was an issue. If a business were to check their billing information on ads.twitter.com or analytics.twitter.com, which would not be that unusual, the data was stored in the browser’s cache. While this is not the end of the world for the affected parties, it should probably be treated as more of a teachable learning experience. Future employees will know not to allow this, and this provides a real-life example of what can happen if you let this go.

Remediation

Clearly, this is a problem. Once Twitter detected the issue, they did resolve it. Twitter needed to update their HTTP response headers to set Cache-Control to no-store and no-cache. This in effect prevents the browser from storing the data locally on the machine. Beyond the configuration that allowed this, the other issue was the timing. This was detected by Twitter on May 20, 2020. It was not reported to the users for more than a month. While the data leakage issue was limited, as noted, it really should not have taken a month to notify the affected parties.
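To make the fix concrete, here is an added example (my own code, not Twitter's) that parses a response's Cache-Control header, reports whether a browser is allowed to store the page on disk, and shows the corrected header set for a page that displays billing details. The sample URLs and responses at the bottom are constructed; the header names and directives are the standard HTTP ones.

```python
"""Cache-Control checks for pages that display billing data.

Added example, not Twitter's own code. The header names and directives are
the standard HTTP ones; the sample responses at the bottom are constructed.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}; argument is '' when absent."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def may_be_stored(headers: Dict[str, str]) -> bool:
    """True if the response may be written to the browser's disk cache.

    Only no-store forbids storage. no-cache and max-age=0 only force
    revalidation before reuse, and 'private' merely keeps shared caches out,
    so all of those can still leave a copy on the user's machine.
    Header names are matched case-insensitively, as in HTTP.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in directives


def sensitive_page_headers() -> Dict[str, str]:
    """The corrected configuration for a page carrying billing details."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",  # legacy HTTP/1.0 caches
        "Expires": "0",
    }


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the URLs whose response headers permit local storage."""
    return sorted(url for url, hdrs in responses.items() if may_be_stored(hdrs))


# Constructed sample responses, as a crawl of the billing pages might record them.
SAMPLE_RESPONSES = {
    "https://ads.example/billing": {"Content-Type": "text/html"},              # no header at all
    "https://ads.example/invoices": {"Cache-Control": "private, max-age=3600"},  # private but cacheable
    "https://ads.example/revalidate": {"Cache-Control": "no-cache, max-age=0"},  # still storable
    "https://ads.example/fixed": sensitive_page_headers(),                       # corrected
}

if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print("cacheable billing page:", url)
```

The point the check makes is that no-cache alone is not enough: it forces revalidation but still allows the response to be written to disk, which is exactly the exposure described above. no-store is the directive that prevents the copy, and the other values are kept for older caches.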

 

Resources

Adhikari, R. (2020, June 24). Twitter apologizes for data security incident. Retrieved from https://www.technewsworld.com/story/86726.html

Admin1. (2020, June 26). Twitter suffered a major data breach-but this is why you’re probably safe. Retrieved from https://marijuanapy.com/twitter-suffered-a-major-data-breach-but-this-is-why-youre-probably-safe/

Financial Press. (2020, June 25). Twitter hack: Social media giant suffers ‘huge’ billing information data breach. Retrieved from https://financial-press.uk/2020/06/23/twitter-hack-social-media-giant-suffers-huge-billing-information-data-breach-world-news/

Ians. (2020, June 24). Twitter sorry for data breach involving business clients. Retrieved from https://kalingatv.com/technology/twitter-sorry-for-data-breach-involving-business-clients/

Jay, J. (2020, June 23). Twitter says business users’ data leaked in security fiasco. Retrieved from https://www.teiss.co.uk/twitter-says-business-users-data-leaked-in-security-fiasco/

McLoughlin, B. (2020, June 23). Twitter hack: Social media giant suffers ‘huge’ billing information data breach. Retrieved from https://www.express.co.uk/news/world/1299728/Twitter-data-breach-hack-latest-billing-information-twitter-business-update-twitter-search

McLoughlin, B., & Wilson, R. (2020, June 23). Twitter businesses’ billing information is hacked in data breach. Retrieved from https://www.examinerlive.co.uk/news/uk-world-news/twitter-businesses-billing-information-hacked-18471270

Riley, D. (2020, June 23). Twitter apologizes after exposing business customer information. Retrieved from https://siliconangle.com/2020/06/23/twitter-apologizes-exposing-business-customer-information/

Security Experts. (2020, June 24). Twitter suffers billing information data breach. Retrieved from https://www.informationsecuritybuzz.com/expert-comments/comment-twitter-suffers-billing-information-data-breach/

Sharma, A. (2020, June 24). Twitter discloses billing info leak after ‘data security incident’. Retrieved from https://news.knowledia.com/IN/en/articles/twitter-discloses-billing-info-leak-after-data-security-incident-1dc82af759dc4c7451ea428b26c622dc5f438e6e

Techradar.com. (2020, June 26). Twitter suffered a major data breach-but this is why you’re probably safe. Retrieved from https://www.thetechstreetnow.com/tech/twitter-suffered-a-major-data-breach--but-this-is-why-youre-probably-safe/10326781581085137573/10326781581085137573/

Sunday, June 14, 2020

Municipalities targeted: City of Florence pwned!


Municipalities have a very distinct problem. They are frequently targeted for ransomware and other attacks, as the attackers know their systems generally are not fully secure unless they have recently been successfully attacked and have corrected and mitigated the issues. This is driven by budgetary constraints, which do not allow the city, county, etc. to hire exceptional talent, purchase the tools needed in a timely manner, or fund the other requisite needs for cybersecurity. While this is a Catch-22, it leaves these organizations in the wind, hoping to be obscure enough that they are not noticed and attacked. Even a failed attack can have negative effects on operations for many reasons.

 

One of these targeted was the city of Florence, located in Alabama. Florence, much like the city in Italy, sounds like an amazing place to live, located on the banks of the Tennessee River with many festivals and other attractions. This is not a massive metropolis, with nearly 40k residents. Of all the places to target, you have to wonder why Florence?

 

Attack

As you can guess, the city’s computer system had been successfully attacked. The entry point was the email system. Specifically, this was a phishing attack, and the unfortunate phishee was Steve Price, the IT Manager. His credentials were acquired as part of the attack. The phishing email was one of the many samples of the DHL email, where there are dozens of email recipients, all receiving the same package with the same tracking number on the same day. It is pretty obvious what these emails are really there for.

 

The illustrious, yet distinguished Brian Krebs notified the mayor’s office of their system’s compromise on May 26. From the published accounts, the city somehow did not know of the breach prior to this. This is odd, as seemingly someone in the IT Department should have noticed a strange IP address accessing the system and pulling data from the network. The following day the System Administrator did contact Mr. Krebs to let him know the affected computer and network account had been isolated and taken out of service. It appears the SysAdmin did not quite understand the capabilities of the attackers at this point. On June 5, 2020, the attackers finished deploying the ransomware and began their demand for the ransom payment. The city had 12 days to fully defend against the attack; unfortunately, it only did part of the work required to address the issue.
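The "strange IP address" the IT department should have noticed is the kind of thing a basic SIEM rule catches. As an added example (my own code, not the city's tooling and not from any of the cited reports), the script below runs a first-seen-source rule over a few constructed authentication log lines: it keeps a per-account set of addresses that have logged in successfully, and raises an alert the first time an account succeeds from an address outside the assumed corporate range, noting how many failures preceded it. The log format, the account names, the addresses and the 10.0.0.0/8 internal range are all assumptions for the illustration.

```python
"""First-seen-source login detection over constructed log lines.

Added example, not the City of Florence's tooling. The log format, the
account names and the internal range are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

LINE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed sample: routine office logins, then a success from an unfamiliar
# external address after a failed attempt late at night.
SAMPLE_LOG = """\
2020-05-01T08:02:11 auth: user=itmanager src=10.20.30.15 result=success
2020-05-02T08:05:47 auth: user=itmanager src=10.20.30.15 result=success
2020-05-03T07:58:03 auth: user=clerk src=10.20.30.41 result=success
2020-05-04T23:14:09 auth: user=itmanager src=203.0.113.77 result=failure
2020-05-04T23:14:31 auth: user=itmanager src=203.0.113.77 result=success
2020-05-05T08:01:59 auth: user=itmanager src=10.20.30.15 result=success
"""


def parse(log_text: str) -> List[dict]:
    """Turn matching log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def is_external(ip: str) -> bool:
    """True when the address falls outside every assumed internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def detect_new_source_logins(log_text: str) -> List[dict]:
    """Alert on the first successful login per account from an external address.

    Internal addresses are learned silently; an external address that has never
    succeeded for this account before produces one alert, with the count of
    failures seen from that same address beforehand as supporting context.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[dict] = []
    for ev in parse(log_text):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "failure":
            failures[key] += 1
            continue
        if ev["ip"] not in seen[ev["user"]]:
            if is_external(ev["ip"]):
                alerts.append({
                    "time": ev["ts"].isoformat(),
                    "user": ev["user"],
                    "ip": ev["ip"],
                    "failures_before": failures[key],
                    "reason": "first successful login for this account from an external address",
                })
            seen[ev["user"]].add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_new_source_logins(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields a single alert for the IT manager account on May 4, with one prior failure from the same address. The rule is deliberately simple; in a real deployment the baseline of known addresses would be persisted across runs and the internal ranges would come from the organization's own network inventory.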

 

When the city began to review the situation, it did not appear any of the affected system’s data had been deleted or exfiltrated. This was probably a little too optimistic for the city.

 

On a side note, the attack occurred while the IT department was attempting to have the City Council approve the expense for a third party to do a penetration test of the IT systems.

 

Ransom

The attackers are not working through the attack cycle for practice or as mental gymnastics. The system has been operationalized into a business, and a rather profitable one measured by the return on investment (ROI). In this case, the attackers were DoppelPaymer. The attackers demanded a ransom of $378k in bitcoin. The amount was negotiated down to $330k by a third-party firm, still in bitcoin. This does seem like a rather large sum, given the size of the city. The attackers, however, have realized the power of their leverage on the systems.

 

Post-Attack

Once the city had the opportunity for a quick review, the city’s IT department and a third party contracted by the city (Arete Advisors) began to adequately investigate the issue. As time passed and more effort was placed into the investigation, the city realized the attackers may have at least a portion of the data on the affected systems. The city noted they just don’t know. One would presume the attackers had sufficient access that, if they wanted, they could have taken whatever data they wanted. On this note, the investigation found the attackers had access beginning in early May 2020 and retained it for nearly the remainder of the month. During this time, the attackers had free access to roam about and check out the network. They did borrow without authorization the personal information on the city’s employees and customers.

 

As the city saw the writing on the wall, the city council voted unanimously to pay the ransom. The funds were to be paid from the insurance fund available for these types of issues.

 

A curious point with this is the city required the attackers, DoppelPaymer, to provide proof they will delete the stolen information they have. The curiosity is, other than a promise or a pinky-swear, there really isn’t a way to prove they will delete the data. This is one of the many problems with paying the ransom. The organization is depending on the attackers to follow through and not leave a back-door or recurring malware on the system. Historically, the attackers have followed through and have not left any surprises behind for easier later attacks. They say there is honor among thieves, however, I would not bet on it. The city naturally is also working with law enforcement in the matter.

 

Update

As of June 13, 2020 (10:46 EST), the online network was down. While the website did note an apology, no reason was given.

 

Afterthought

If you are management, a SysAdmin, or on the cybersecurity team, please consider this occurrence, or any of the thousands of other successful ransomware attacks, as an example of why training and an adequate SIEM are so important. While cybersecurity is the focus of the cybersecurity department or team, it is still everyone’s job to be vigilant and not be click-happy. If staff aren’t expecting an email, don’t know the person or organization it is from, or it simply leaves them wondering whether the link or attachment is appropriate, don’t click it. This will save so much time, energy, frustration, etc. for the staff and budget.

 

Resources

Associated Press. (2020, June 11). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://www.newsobserver.com/news/business/article243452091.html

 

Associated Press. (2020, June 12). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://www.securityweek.com/alabama-city-pay-300000-ransom-computer-system-hack

 

Brown, M., & Delinski, B. (2020, June 11). City of Florence out nearly $300,000 after ransomware hack. Retrieved from https://www.waff.com/2020/06/11/city-florence-out-nearly-after-ransomware-hack/

 

City of Florence. (n.d.). Florence, Alabama. Retrieved from https://florenceal.org/

 

Delinski, B. (2020, June 11). Florence pays nearly $300,000 in bitcoin ransom. Retrieved from https://www.timesdaily.com/news/local/florence-pays-nearly-300-000-in-bitcoin-ransom/article_5dd1200e-58f6-53a5-a3e1-5d7b90edf179.html

 

Erazo, F. (2020, June 10). Alabama city plans to pay ransomware group despite warnings. Retrieved from https://cointelegraph.com/news/alabama-city-plans-to-pay-ransomware-group-despite-warnings

 

Freedman, L. (2020, June 12). Alabama city hit with ransomware. Retrieved from https://www.jdsupra.com/legalnews/alabama-city-hit-with-ransomware-40970/

 

Goud, N. (2020, June). Ransomware attackers demanding $300,000 from Florence city of Alabama. Retrieved from https://www.cybersecurity-insiders.com/ransomware-attackers-demanding-300000-from-florence-city-of-alabama/

 

Jackson, J. (2020, June 10). City of Florence agrees to pay nearly $300,000 ransom after cyberattack. Retrieved from https://whnt.com/news/shoals/city-of-florence-agrees-to-pay-nearly-300000-ransom-after-cyberattack/

 

Krebs, B. (2020, June 9). Florence, Ala. hit by ransomware 12 days after being alerted by KrebsOnSecurity. Retrieved from https://krebsonsecurity.com/2020/06/florence-ala-hit-by-ransomware-12-days-after-being-alerted-by-krebsonsecurity/

 

Lincoln Journal Star. (2020, June 11). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://journalstar.com/business/alabama-city-to-pay-300-000-ransom-in-computer-system-hack/article_70114db5-92bd-5ecb-9a5e-edf5f3cf3b24.html

 

Paganini, P. (2020, June 12). City of Florence to pay $300,000 ransom after ransomware attack. Retrieved from https://securityaffairs.co/wordpress/104666/breaking-news/city-of-florence-ransomware.html

 

SANS. (2020, June 12). Newsletters: Newsbites. Retrieved from https://www.sans.org/newsletters/newsbites/xxii/47

 

Schwartz, M.J. (2020, June 12). City pays ransom despite pre-ransomware outbreak hack alert. Retrieved from https://www.bankinfosecurity.com/city-pays-ransom-despite-pre-ransomware-outbreak-hack-alert-a-14427


Wednesday, June 10, 2020

This doesn’t add up: Chartered Professional Accountants Canada Breached!

With most industries, there is a trade association or group. The focus with these is to bring together leaders and members to discuss issues, communicate messages to the membership, and be a portal for the industry. Accounting is no different. In the US, we have the AICPA, which functions to administer these tasks. This is accomplished in a timely, exceptionally professional manner. Canada is no different in that the accounting industry likewise has this for our northern friends. Another commonality is that these are generally targets due to the data they hold for their clients. The Chartered Professional Accountants Canada (CPA Canada) recently found this out, as they were breached.

CPA Canada

Just as the name implies, the organization is involved with Canadian accountants, representing over 210k members. The organization provides accounting guidance to its membership. This service is vital for business, accounting firms, and the stock market.

 

Attack

The organization was unfortunately the victim of a successful phishing attack. On June 3, 2020, the organization notified the affected parties of the breach. Curiously, the organization was aware of the attack on April 24th, meaning it took over a month to notify the affected persons. The organization will not be disclosing the methodology used in the attack. On one level, this is understandable. The organization may not want the details published, as these may be used in other attacks as indications of their security posture. After the issue is corrected, though, this could be used as a learning tool or use case for others.

 

Data

CPA Canada definitely held useful information for the attackers to focus on. This included the members’ personal information, namely their contact details (names, addresses, email addresses, and employer name). The passwords and credit card numbers, fortunately, were encrypted. The list of persons was primarily composed of CPA Magazine subscribers. This wasn’t limited to the members; it also included other stakeholders, totaling over 329k persons. Granted, the data involved was confidential. However, this could have been much worse if the other data had not been encrypted, or if the attackers had been able to pivot from this point and gain access elsewhere.

 

Post-Breach

The organization has notified its members, and others whose data was affected, of the breach. The members and stakeholders were advised to change their passwords. The organization is also working with cybersecurity personnel to verify the system is secure and to determine exactly what data was copied from them. In addition, they naturally also contacted the appropriate law enforcement, the Canadian Anti-Fraud Centre, and other privacy authorities.

 

One takeaway from this is that phishing continues to be, and will be for the foreseeable future, an absolutely viable attack. It has proven to be successful and will not slow down. Organizations need to continue training their employees for this. The system may be completely secure; however, all it takes is the right person in the right department to click the link, attachment, etc., and we are off to the races.

 

References

Solomon, H. (2020, June 4). Canadian accounting association website gets hacked. Retrieved from https://www.itworldcanada.com/article/canadian-accounting-association-website-gets-hacked/431712

 

Solomon, H. (2020, June 8). Canadian accounting association website gets hacked. Retrieved from https://business.financialpost.com/technology/tech-news/canadian-accounting-association-website-gets-hacked

 

The Canadian Press. (2020, June 4). Canadian accountants’ association suffers cyberattack; data of nearly 330k affected. Retrieved from https://globalnews.ca/news/7025862/cpa-canada-accountants-cyberattack/

 

The IJ Staff. (2020, June 4). CPA Canada hacked, subscriber information exposed. Retrieved from https://insurance-portal.ca/article/cpa-canada-hacked-subscriber-information-exposed/