
Sunday, June 14, 2020

Municipalities targeted: City of Florence pwned!


Municipalities have a very distinct problem. They are frequently targeted for ransomware and other attacks, as the attackers know their systems generally are not fully secure unless they have recently been successfully attacked and have corrected and mitigated the issues. This is driven by budgetary constraints, which keep the city, county, etc. from hiring exceptional talent, purchasing the tools needed in a timely manner, and funding the other requisite cybersecurity needs. While this is a Catch-22, it leaves these organizations in the wind, hoping to be obscure enough that they are not noticed and attacked. Even a failed attack can have negative effects on operations for many reasons.

 

One of those targeted was the city of Florence, located in Alabama. Florence, much like the city in Italy, sounds like an amazing place to live, located on the banks of the Tennessee River with many festivals and other attractions. This is not a massive metropolis, with nearly 40k residents. Of all the places to target, you have to wonder: why Florence?

 

Attack

As you can guess, the city’s computer system had been successfully attacked. The entry point was the email system. Specifically, this was a phishing attack, and the unfortunate phishee was Steve Price, the IT Manager. His credentials were acquired as part of the attack. The phishing email was one of the many samples of the DHL email, where there are dozens of email recipients, all receiving the same package with the same tracking number on the same day. It is pretty obvious what these emails are really there for.
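
A mail-gateway check for the pattern described above, as an added example that is not part of the original post: it groups inbound messages by tracking number and day and reports any number that reached several distinct recipients. The 10-digit tracking format, the threshold, and all sample messages and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

TRACKING_RE = re.compile(r"\b\d{10}\b")  # assumption: tracking numbers are 10 digits
MIN_RECIPIENTS = 3                       # assumption: tune to the organization's mail volume


def _sample(to, date_hdr, tracking):
    """Build one constructed plain-text delivery notice (not a real message)."""
    return (
        "From: DHL Express <notify@dhl-parcel.example>\n"
        f"To: {to}\n"
        f"Date: {date_hdr}\n"
        f"Subject: Your package {tracking} is on its way\n"
        "\n"
        f"Shipment {tracking} is scheduled for delivery.\n"
    )


# Constructed sample: three notices on one day share a tracking number,
# one unrelated notice the next day does not.
SAMPLE_MESSAGES = [
    _sample("clerk@city.example, payroll@city.example",
            "Mon, 04 May 2020 09:15:00 -0500", "4281937650"),
    _sample("it.manager@city.example",
            "Mon, 04 May 2020 09:15:02 -0500", "4281937650"),
    _sample("Parks <parks@city.example>",
            "Mon, 04 May 2020 09:16:40 -0500", "4281937650"),
    _sample("clerk@city.example",
            "Tue, 05 May 2020 13:02:11 -0500", "7719302846"),
]


def shared_tracking_numbers(raw_messages, min_recipients=MIN_RECIPIENTS):
    """Map (tracking number, ISO date) to the recipients that received it,
    keeping only numbers seen by at least min_recipients distinct addresses."""
    recipients = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        if msg["Date"] is None or msg.is_multipart():
            continue  # this sketch only handles single-part text with a Date header
        # The sender-supplied Date header is used here; a gateway would
        # normally key on its own receipt time instead.
        day = parsedate_to_datetime(msg["Date"]).date().isoformat()
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        rcpts = {addr.lower() for _, addr in getaddresses(headers) if addr}
        text = msg.get("Subject", "") + "\n" + msg.get_payload()
        for number in set(TRACKING_RE.findall(text)):
            recipients[(number, day)].update(rcpts)
    return {key: sorted(found) for key, found in recipients.items()
            if len(found) >= min_recipients}


if __name__ == "__main__":
    for (number, day), rcpts in shared_tracking_numbers(SAMPLE_MESSAGES).items():
        print(f"{day}: tracking {number} sent to {len(rcpts)} recipients: {rcpts}")
```

A genuine shipment notice goes to one addressee, so a single tracking number fanned out across unrelated mailboxes is a cheap signal for quarantining the whole batch before anyone opens it.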

 

The illustrious, yet distinguished Brian Krebs notified the mayor’s office of their system’s compromise on May 26. From the published accounts, the city somehow did not know of the breach prior to this. This is odd, as seemingly someone in the IT Department should have noticed a strange IP address accessing the system and pulling data from the network. The following day the System Administrator did contact Mr. Krebs to let him know the computer and network account affected had been isolated and were not in service. It appears the SysAdmin did not quite understand the capabilities of the attackers at this point. On June 5, 2020, the attackers finished deploying the ransomware and began their demand for the ransom payment. The city had 12 days to fully defend against the attack; unfortunately, it did only a part of the work required to address the issue.

 

When the city began to review the situation, it did not appear any of the affected system’s data had been deleted or exfiltrated. This was probably a little too optimistic for the city.

 

On a side note, the attack occurred while the IT department was attempting to have the City Council approve the expense for a third party to do a penetration test of the IT systems.

 

Ransom

The attackers do not work through the attack cycle for practice or for mental gymnastics. The system has been operationalized into a business, and a rather profitable one measured by the return on investment (ROI). In this case, the attackers were DoppelPaymer. The attackers demanded a ransom of $378k in bitcoin. The amount was negotiated down to $330k by a third-party firm, still in bitcoin. This does seem like a rather large sum, given the size of the city. The attackers, however, have realized the power of their leverage on the systems.

 

Post-Attack

Once the city had the opportunity for a quick review, the city’s IT department and a third-party, contracted by the city (Arete Advisors), began to adequately investigate the issue. As time had passed and more effort was placed into the investigation, the city realized the attackers may have at least a portion of the data on the affected systems. The city noted they just don’t know. One would presume they had sufficient access, such that if they wanted, they could have taken the data they wanted to. On this note, the investigation noted the attackers had access beginning in early May 2020 and continued this for nearly the remainder of the month. During this time, the attackers had free access to roam about and check out the network. They did borrow without authorization the personal information on the city’s employees and customers.

 

As the city saw the writing on the wall, the city council voted unanimously to pay the ransom. The funds were to be paid from the insurance fund available for these types of issues.

 

A curious point with this is the city required the attackers, DoppelPaymer, to provide proof they will delete the stolen information they have. The curiosity is, other than promising or a pinky-swear, there really isn’t a way to prove they will delete the data. This is one of the many problems with paying the ransom. The organization is depending on the attackers to follow through and not leave a back-door or recurring malware on the system. Historically, the attackers have followed through and have not left any surprises behind for later easier attacks. They say there is honor among thieves, however, I would not bet on it. The city naturally is also working with law enforcement in the matter.

 

Update

As of June 13, 2020 (10:46 EST), the online network was down. While the website did note an apology, no reason was given.

 

Afterthought

If you are management, a SysAdmin, or on the cybersecurity team, please consider this occurrence or any of the thousands of other successful ransomware attacks as examples of why training and an adequate SIEM are so important. While cybersecurity is the focus of the cybersecurity department or team, it is still everyone’s job to be vigilant and not be click-happy. If staff aren’t expecting an email, don’t know the person or organization it is from, or are simply left wondering whether the link or attachment is appropriate, they should not click it. This will save so much time, energy, frustration, etc. for the staff and budget.

 

Resources

Associated Press. (2020, June 11). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://www.newsobserver.com/news/business/article243452091.html

 

Associated Press. (2020, June 12). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://www.securityweek.com/alabama-city-pay-300000-ransom-computer-system-hack

 

Brown, M., & Delinski, B. (2020, June 11). City of Florence out nearly $300,000 after ransomware hack. Retrieved from https://www.waff.com/2020/06/11/city-florence-out-nearly-after-ransomware-hack/

 

City of Florence. (n.d.). Florence, alabama. Retrieved from https://florenceal.org/

 

Delinski, B. (2020, June 11). Florence pays nearly $300,000 in bitcoin ransom. Retrieved from https://www.timesdaily.com/news/local/florence-pays-nearly-300-000-in-bitcoin-ransom/article_5dd1200e-58f6-53a5-a3e1-5d7b90edf179.html

 

Erazo, F. (2020, June 10). Alabama city plans to pay ransomware group despite warnings. Retrieved from https://cointelegraph.com/news/alabama-city-plans-to-pay-ransomware-group-despite-warnings

 

Freedman, L. (2020, June 12). Alabama city hit with ransomware. Retrieved from https://www.jdsupra.com/legalnews/alabama-city-hit-with-ransomware-40970/

 

Goud, N. (2020, June). Ransomware attackers demanding $300,000 from florence city of alabama. Retrieved from https://www.cybersecurity-insiders.com/ransomware-attackers-demanding-300000-from-florence-city-of-alabama/

 

Jackson, J. (2020, June 10). City of Florence agrees to pay nearly $300,000 ransom after cyberattack. Retrieved from https://whnt.com/news/shoals/city-of-florence-agrees-to-pay-nearly-300000-ransom-after-cyberattack/

 

Krebs, B. (2020, June 9). Florence, Ala. Hit by ransomware 12 days after being alerted by KrebsOnSecurity. Retrieved from https://krebsonsecurity.com/2020/06/florence-ala-hit-by-ransomware-12-days-after-being-alerted-by-krebsonsecurity/

 

Lincoln Journal Star. (2020, June 11). Alabama city to pay $300,000 ransom in computer system hack. Retrieved from https://journalstar.com/business/alabama-city-to-pay-300-000-ransom-in-computer-system-hack/article_70114db5-92bd-5ecb-9a5e-edf5f3cf3b24.html

 

Paganini, P. (2020, June 12). City of Florence to pay $300,000 ransom after ransomware attack. Retrieved from https://securityaffairs.co/wordpress/104666/breaking-news/city-of-florence-ransomware.html

 

SANS. (2020, June 12). Newsletters: Newsbites. Retrieved from https://www.sans.org/newsletters/newsbites/xxii/47

 

Schwartz, M.J. (2020, June 12). City pays ransom despite pre-ransomware outbreak hack alert. Retrieved from https://www.bankinfosecurity.com/city-pays-ransom-despite-pre-ransomware-outbreak-hack-alert-a-14427

 

 

 


Wednesday, June 10, 2020

This doesn’t add up: Chartered Professional Accountants Canada Breached!

With most industries, there is a trade association or group. The focus of these is to bring together leaders and members to discuss issues, communicate messages to the membership, and be a portal for the industry. Accounting is no different. In the US, we have the AICPA, which functions to administer these tasks. This is accomplished in a timely, exceptionally professional manner. Canada is no different in that the accounting industry likewise has this for our northern friends. Another commonality is these are generally targets due to the data they hold for their clients. The Chartered Professional Accountants Canada (CPA Canada) recently found this out, as they were breached.

CPA Canada

Just as the name implies, the organization is involved with Canadian accountants, representing over 210k members. The organization provides accounting and guidance for its membership. This service is vital for business, accounting firms, and the stock market.

 

Attack

The organization was unfortunately the victim of a successful phishing attack. On June 3, 2020, the organization notified the affected parties of the breach. Curiously, the organization was aware of the attack on April 24th, meaning it took over a month to notify the persons. The organization will not be disclosing the methodology used in the attack. On one level, this is understandable. The organization may not want the details published, as these may be used in other attacks as indications of their security posture. After the issue is corrected, though, this could be used as a learning tool or use case for others.

 

Data

CPA Canada definitely held useful information for the attackers to focus on. This included the members’ personal information, namely their contact details (names, addresses, email addresses, and employer name). The passwords and credit card numbers, fortunately, were encrypted. The list of persons was primarily composed of the CPA Magazine subscribers. This wasn’t just the members, but also the stakeholders, totaling over 329k persons. Granted, the data involved was confidential. However, this could have been much worse if the other data was not encrypted, or if the attackers were able to pivot from this point and gain access elsewhere.

 

Post-Breach

The organization has notified its members, and others whose data was affected, of the breach. The members and stakeholders were recommended to change their passwords. The organization is also working with cybersecurity personnel to verify the system is secure and determine exactly what data was copied from them. In addition, they naturally also contacted the appropriate law enforcement, the Canadian Anti-Fraud Centre, and other privacy authorities.

 

One takeaway from this is that phishing continues to be, and will be for the foreseeable future, an absolutely viable attack. This has proven to be successful and will not slow down. Organizations need to continue training for this with their employees. The system may be completely secure; however, all it takes is the right person in the right department to click the link, attachment, etc., and we are off to the races.

 

References

Solomon, H. (2020, June 4). Canadian accounting association website gets hacked. Retrieved from https://www.itworldcanada.com/article/canadian-accounting-association-website-gets-hacked/431712

 

Solomon, H. (2020, June 8). Canadian accounting association website gets hacked. Retrieved from https://business.financialpost.com/technology/tech-news/canadian-accounting-association-website-gets-hacked

 

The Canadian Press. (2020, June 4). Canadian accountants’ association suffers cyberattack; data of nearly 330k affected. Retrieved from https://globalnews.ca/news/7025862/cpa-canada-accountants-cyberattack/

 

The IJ Staff. (2020, June 4). CPA Canada hacked, subscriber information exposed. Retrieved from https://insurance-portal.ca/article/cpa-canada-hacked-subscriber-information-exposed/

 


Sunday, March 22, 2020

U of U Compromises-Uh Oh



The University system tends to focus on research in specific disciplines. These may be business, psychology, sociology, criminal justice, medical, or any of the other areas within the University system. While the staff is fulfilling their tasks, the IT area of operations is continuously working to detect attacks and put in place mitigations to reduce the opportunity for a breach. This is a daunting task for many reasons. One such target was the University of Utah Health system. The organization was unfortunately breached at least twice recently.
Attack
The system is deluged with attacks and the beginning stages of attacks, just like any other medical facility. Unfortunately, two of these recently were successful.

The first was from January 22 through February 27, 2020. This successful attack was focused on email accounts. During this period there was unauthorized access to a portion of the University of Utah Health staff email accounts. This was accomplished through the infamous phishing attack. This attack vector is so successful with so little capital or effort that it is bound to not slow down.

The second known successful attack was in the form of malware on a system. This was detected on February 3, 2020. Once this was found, the University of Utah Health contacted a third-party cybersecurity organization to assist them with the investigation. This investigation noted the malware may have been able to access a portion of the patient’s data, which was located in the respective employee’s email.
Data
With both of these noted successful attacks, the commonality was an unauthorized access to patient data. With these breach instances, the patient data may have included the patient name, date of birth, medical record numbers, and a limited amount of treatment information.
Post-Attack Actions
The investigation into the attack was not a simple review of logs. The compromises were alleged to be of a complex and highly technical nature. This is not an unusual statement by the University of Utah Health. If they were to state the attack was exceptionally simple, the management would be having additional issues from many other parties, including potentially the federal government, attorneys, and others.

The organization is also mailing letters to the affected patients. This is the standard protocol. To lower the potential for this to occur again, the organization is updating InfoSec procedures with the employees. This may or may not be successful, based on the implementation. If after a few months, the management does not reinforce the idea of cybersecurity, any lessons learned will fall by the wayside.
Looking Forward
This is yet another case where training needs to be done throughout the year, be insightful, and have some level of entertainment. Without this in place, organizations will continue to be reactive post-breach, instead of proactive to minimize the potential for a breach. Having known the method for the phishing attack would have been a great step forward. The industry could have learned from this and tailored others’ training to avoid this issue.

Resources
Bennett, L. (2020, March 21). University of Utah health says some patients’ data compromised in ‘phishing’ security breach. Retrieved from https://www.ksl.com/article/46732931/university-of-utah-health-says-some-patients-data-compromised-in-phishing-security-breach

DeWitt, K. (2020, March 20). U of U health announces phishing schemes caused unauthorized access to some employee accounts. Retrieved from https://www.abc4.com/news/top-stories/u-of-u-health-announces-phishing-schemes-caused-unauthorized-access-to-some-employee-email-accounts/

Roberts, A. (2020, March 21). Hacked: Some patient information compromised in U of U Health breach. Retrieved from https://kutv.com/news/local/some-u-of-u-health-patient-information-may-be-compromised-in-data-breach

Wednesday, December 11, 2019

Here comes the judge! Oregon Judicial Department Pwned


Throughout each state, county, and city, there are court systems in place. Oregon is no different. In this specific case, Oregon Judicial Department includes the Oregon Supreme Court, Court of Appeals, Tax Court, Circuit Courts in each of the counties, and the Office of the State Court Administrator.
Attack
Phishing attacks are the premier attack being used throughout many industries. With the low cost and tech involved with a phishing campaign, it is no wonder. The Oregon Judicial Department experienced a phishing attack and was not successful in defending itself. The attack began at 4:30am on July 15, 2019. The successful attack led to five email accounts being compromised. With any phishing attack, the level of success with the attack is dependent on who clicks the link, picture, or tool creating an attractive nuisance for the user to click. In this case, there were more than 6k persons affected. The affected parties had their personal data exposed.
Data
Each of the 6,607 affected persons, while individuals, has the same issue. The data exposed included the affected person’s personal data. This included the name and full and partial dates of birth. There was also partial exposure of financial information, health information, and social security numbers. This is exactly what the attackers would need to use for identity theft or to sell on the dark web.
Remediation
The affected accounts were disabled within four hours of the issue being detected. The Oregon Judicial Department sent notices to the affected persons. The department will provide credit monitoring services to those affected by the breach. The department also did contact law enforcement and other agencies to assist with the forensic work.
Thoughts
Phishing and the subsequent associated issues (e.g. ransomware, viruses, backdoors, etc.) are a societal problem potentially affecting anyone connected to the internet. One aspect of the remediation which in theory is helpful, but may not be in the long run, is the credit monitoring. It was not stated how long this was to last. This is a bit of a moot issue. The data exfiltrated with the compromise is partially permanent (e.g. social security number). While the credit monitoring may last a year, for example, the issue will last well beyond this for the affected persons.

Resources
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack. Retrieved from https://www.seattletimes.com/seattle-news/northwest/oregon-judicial-department-hit-by-phishing-attack/
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack, personal information exposed. Retrieved from https://katu.com/news/local/oregon-judiciail-department-hit-by-phishing-attack-personal-information-exposed
Associated Press. (2019, August 29). Oregon judicial department hit by phishing attack. Retrieved from https://www.usnews.com/news/best-states/oregon/articles/2019-08-29/oregon-judicial-department-hit-by-phishing-attack
Associated Press. (2019, August 30). Oregon judicial department hit by phishing attack. Retrieved from https://democratherald.com/news/state-and-regional/oregon-judicial-department-hit-by-phishing-attack/
Breach Exchange. (2019, August 30). Oregon judicial department hit by phishing attack. Retrieved from https://www.bradenton.com/news/business/technology/article234530047.html

Tuesday, November 19, 2019

Tivit's Breach

There are IT firms across the globe on every continent. Even on Antarctica there is an IT function for their networks and other technical equipment. Brazil is no different. Tivit is a Brazilian IT services provider. In addition to this line of business, they also provide other business processes.
Attack
Any attack generally is focused on the target’s data or money. This instance was no different. The attack focused on Tivit clients’ data. There were nine Tivit employees who fell victim to a phishing email campaign. This exposed the clients’ credentials online. The successful attack was confirmed by Tivit. For this to be so successful, all it took were the nine employees clicking on a link. The attack was able to gain access to data from 19 other companies. These included the kitchen appliance manufacturer Faber, Swiss insurance company Zurich, Brazilian financial organization Banco Original, software firm SAP, and many more. The attackers were successful enough that they had gained access to Tivit’s database. Fortunately, the attack scope was limited only to the nine systems breached. The datacenters and client networks were not affected.
Detection
One would think an IT service provider would have some form of a SIEM present and actively managed. The logs would simply be too huge for a human to make much sense of them. There should be a staff sufficiently supported so that when there is an issue, it may be detected and resolved. This was apparently not the case. The breach was not detected by Tivit, but by DefCON Lab. The signs indicated this affected various databases and servers in the cloud. DefCON Lab found nearly one thousand lines of code containing internal company routines and credentials of different large enterprise clients. The data appears to include internal process documents for the organization.
Remediation
Tivit was working through the issue. The organization also contracted with legal resources and an IT support firm to ensure this did not happen again.
Comment
It is interesting that an IT company fell victim to a phishing attack. The number of victims was also notable. This issue continues to emphasize the need for employee training, throughout the year, even for IT companies.

Resources
Cyware. (2018, December 17). Massive data breach hits Brazilian IT firm tivit. Retrieved from https://cyware.com/news/massive-data-breach-hits-brazilian-it-firm-tivit-d47dc056

Mari, A. (2018, December 14). Brazilian IT firm tivit suffers data breach. Retrieved from https://www.zdnet.com/article/brazilian-it-firm-tivit-suffers-data-leak

Sunday, August 11, 2019

San Diego USD Pwned Hard!


High schools are much like universities and colleges, in that they hold a mass amount of data which may easily be sold. This assists in making them more of a target. This, coupled with their budgetary constraints, makes InfoSec difficult at times, as it recently was for the San Diego USD.
Attack
This compromise is a bit different than most of the others. The reports are that the school district is not sure of the attack vector; however, they believe this was the effect of a relatively simple, yet effective, phishing attack. The attackers gained access through securing the authorized user’s credentials. In this case, the attackers gained and maintained their access for 11 months (January through November). This is odd. Seemingly, the school district’s SIEM would note the access at odd hours, the odd number of accesses, the IP address differing from the other general logins, and the amount of data being exfiltrated. This would be the case, unless the school district did not have one in place during the attack. The school district finally became aware of this in October 2018.
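
The four signals named above (odd hours, an unusual number of accesses, an unfamiliar source IP, and outbound volume) can each be checked against a per-account baseline. The following is an added example, not part of the original post or any tooling the district used; the log format, thresholds, account name and addresses are all constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample: timestamp, account, source IP, bytes sent to the client.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2018-01-08T08:12:00,jdoe,198.51.100.10,1200000
2018-01-09T09:40:00,jdoe,198.51.100.10,900000
2018-01-10T14:05:00,jdoe,198.51.100.10,1500000
2018-01-11T10:30:00,jdoe,198.51.100.11,1100000
2018-01-12T02:47:00,jdoe,203.0.113.77,640000000
2018-01-12T11:15:00,jdoe,198.51.100.10,1300000
2018-01-13T03:02:00,jdoe,203.0.113.77,1000000
2018-01-13T03:10:00,jdoe,203.0.113.77,1000000
2018-01-13T03:20:00,jdoe,203.0.113.77,1000000
2018-01-13T03:31:00,jdoe,203.0.113.77,1000000
"""

BASELINE_END = date(2018, 1, 12)  # assumed: events before this date train the baseline
WORK_START, WORK_END = 6, 19      # assumed working hours, 06:00 to 18:59 local time
VOLUME_FACTOR = 20                # flag transfers above 20x the account's median
BURST_FACTOR = 3                  # flag days above 3x the busiest baseline day


def parse(log_text):
    """Turn the CSV text into typed records sorted by time."""
    rows = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        ts, user, ip, sent = row
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "ip": ip, "bytes": int(sent)})
    return sorted(rows, key=lambda r: r["ts"])


def build_baseline(events):
    """Per account: known source IPs, median transfer size, busiest day."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    baseline = {}
    for user, evs in per_user.items():
        per_day = Counter(ev["ts"].date() for ev in evs)
        baseline[user] = {
            "ips": {ev["ip"] for ev in evs},
            "median_bytes": median(ev["bytes"] for ev in evs),
            "max_per_day": max(per_day.values()),
        }
    return baseline


def find_anomalies(log_text, baseline_end=BASELINE_END):
    """Return [(event, [reasons])] for post-baseline logins that deviate."""
    events = parse(log_text)
    baseline = build_baseline([e for e in events if e["ts"].date() < baseline_end])
    daily = Counter()
    alerts = []
    for ev in (e for e in events if e["ts"].date() >= baseline_end):
        base = baseline.get(ev["user"])
        if base is None:
            alerts.append((ev, ["no-baseline"]))  # account never seen in training
            continue
        day_key = (ev["user"], ev["ts"].date())
        daily[day_key] += 1
        reasons = []
        if not WORK_START <= ev["ts"].hour < WORK_END:
            reasons.append("off-hours")
        if ev["ip"] not in base["ips"]:
            reasons.append("new-source-ip")
        if ev["bytes"] > VOLUME_FACTOR * base["median_bytes"]:
            reasons.append("volume")
        if daily[day_key] > BURST_FACTOR * base["max_per_day"]:
            reasons.append("login-burst")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in find_anomalies(SAMPLE_LOG):
        print(ev["ts"].isoformat(), ev["user"], ev["ip"], ",".join(reasons))
```

No single signal is decisive on its own; the first flagged login in the sample trips three at once, which is the kind of correlation a tuned SIEM rule would escalate.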
Data
Generally, data is the end goal for the attacker. With this, they are able to generate revenue through sales of the data, use this as leverage for the target, etc. Through the compromise and process, the attackers were able to exfiltrate a significant amount of data. This encompassed 10 years of data, from the 2008-2009 school year to 2019, when the attack was detected. There were approximately 500k students and staff affected. In addition to the length of time the breach was open, and the number of years of data exfiltrated, there is also the depth of data per affected person. This includes the first name, last name, date of birth, mailing address, home address, telephone number, student enrollment information (schedule, discipline incident information, health information, schools of attendance, transfer information, legal notices on file, attendance dates), social security number or state student number, emergency contact information, staff benefit information, and staff payroll and compensation data.
Notification
The notice for the affected parties was filed the Friday before Christmas in 2018. The breach would probably be one of the last things they would want to hear about just before the holiday. The post stated the school district had reason to believe their system was breached and the attackers may have accessed the data. This could not have been what the students and staff were hoping for as their Christmas gift!
Detection
With a phishing attack, the timing of the attack may be delayed based on the attacker’s code. The staff began to note emails that appeared to be odd. They naturally, and appropriately, reported these to their IT Department. As the next step should go, this was addressed by the IT Department as they recognized this really should not be happening. They ended up discovering the breach in October 2018.

The school district, once they knew of the breach, did not immediately shut down the attack. This does seem counter-intuitive. Once you know the attacker is in and exfiltrating a mass amount of data, seemingly prudence would dictate shutting down the attack vector. There was a rational reason for this. The school district wanted not only to clear the access, but also to identify the attacker and allow law enforcement to do their job. They did later reset the compromised accounts. From this point forward, they have been working to prevent unauthorized access.
Thoughts
The attacker had access for approximately 10 months. The SOC, or at the least any SIEM they had in place, should have noted some abnormal activity as the mass amount of data was being removed from their servers. Since the SIEM is automated, possibly the search parameters had not been put in place. This compromise emphasizes the need for phishing training for the staff. This should not be the once-a-year training where staff nod off while the canned presentation is playing. These sessions need to be periodic (e.g. quarterly) and use current information. Without some form of connection, the staff will probably view this as yet another mandatory training session, and start working on other things instead of listening.

Resources
Allen, T. (2018, December 27). Notice of data breach. Retrieved from https://www.sandiegounified.org/sites/default/files_link/district/files/

Cimpanu, C. (2018, December 25). Hacker steals 10 years’ worth of data from san diego school district. Retrieved from https://www.zdnet.com/article/hacker-steals-10-years-worth-of-data-from-san-diego-school-district/

Lilly, P. (2018, December 26). Hacker exploits san diego school district school network, steals personal data on 500k students and staff. Retrieved from https://hothardware.com/news/hacker-exploits-san-diego-school-districts-network-steals-data

Malafronte, K. (2018, December 27). San diego USD hacked, 10 years’ worth of data stolen. Retrieved from https://www.campussafetymagazine.com/technology/san-diego-school-district-hacked/

San Diego Unified School District. (2018, December). Data safety. Retrieved from https://www.sandiegounified.org/datasafety

Security Woes Department. (2018, December 26). Hacker steals ten years’ worth of data from san diego school district. Retrieved from https://it.slashdot.org/story/18/12/26/1248222/hacker-steals-ten-years-worth-of-data-from-san-diego-school-district



Thursday, May 2, 2019

Woesnotgone Meadow; May 2, 2019


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

Universities and colleges have been targeted for years by attackers across the globe. These are known for not necessarily having the most current technology, yet having a mass amount of PII, which is readily marketable.

Two Nigerian citizens, Olayinka Olaniyi and Damilola Soloman Ibiwoye, living in Kuala Lumpur, were targeting colleges and universities in the US. The focus was to steal paychecks and tax returns. To compromise the targeted systems, the two attackers were phishing 130-140 universities and colleges a day. The attackers took the time and effort to produce emails which appeared to be legitimate, including the actual logos.

To achieve the end goal, the attackers needed system credentials. The fraudulent emails would direct the user to a non-college or university website, which again appeared to be completely legitimate. Here, the user-provided credentials would be harvested. With this data, the attackers were able to reroute paychecks and access certain financial documents. The attackers, unfortunately, were successful with 20 different schools. Specifically, with Georgia Tech, the attack was noted quickly. This quick detection was definitely a bonus. Due to the quick work, the FBI was notified and they were on-site the next day. They were able to monitor the attacker’s traffic once present.

To assist with the identification of the person(s) responsible for this unlawful endeavor, Georgia Tech continued to work with the authorities. The IP addresses were traced to Malaysia. The authorities secured search warrants for the “alleged” attackers’ email accounts to provide evidence for legal actions. From this evidence, the two suspects were clearly identified by their respective names.

It is notable the US does not have an extradition agreement with Malaysia. To work with this, the FBI’s legal attaché contacted the Malaysian royal police. The local Malaysian authorities also confirmed the attackers’ individual identities. Curiously, the two attackers were living in Malaysia on expired visas. The two were arrested. The evidence gathered also indicated the attackers were using the PII to file fake tax returns.

The two were sentenced to federal prison. Ibiwoye pleaded guilty and received 39 months in January 2018. Olaniyi was convicted with a jury trial and received six years.

This case emphasizes two aspects of a breach. The breached party needs to be fully aware, as much as possible, of the breach and extent of the breach. There also needs to be a fully cooperative stance with a breach. Anything short of this merely adds more time to the open window for the attacker(s) to steal and use the data.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources
11 Alive. (2019). Nigerian hackers convicted after trying to break into Georgia tech’s payroll system. Retrieved from https://www.11alive.com/article/news/nigerian-hackers-convicted-after-trying-to-break-into-georgia-techs-payrollsystem/

FBI. (2019, February 4). Hackers targeted universities. Retrieved from https://www.fbi.gov/news/stories/cyber-thieves-sentenced-for-hacking-scheme-targetting-universities-020419