Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Whole Foods Becomes the Latest Victim of a Cyber Attack
Whole Foods, the supermarket chain recently acquired by Amazon, becomes the latest victim of a cyber attack.
The supermarket chain officially acknowledged that the cyber attack potentially compromised its customers’ credit card details. The data breach, according to Whole Foods, affected only the point of sale system used in taprooms (bars) and restaurants located within some of the Whole Foods stores. As of November 2016, The Mercury News reported that 180 of Whole Foods’ 464 stores had bars and restaurants.

In its official statement, Whole Foods stressed that its bars and restaurants use a different point of sale system from the company’s supermarket point of sale system. The company said that payment cards used at the supermarket point of sale system were not affected. It added that the systems of Amazon, which acquired the supermarket chain last month, don’t connect to the Whole Foods bars and restaurants system; as such, transactions on Amazon.com haven’t been affected. Whole Foods’ public statement didn’t reveal how many customers may have been affected, how many bars and restaurants may have been involved or when the data breach was discovered.

The Whole Foods data breach came on the heels of the Sonic Drive-In cyber security breach. The American drive-in fast-food restaurant chain, with over 3,500 restaurants in 45 US states, confirmed that there has been some “unusual activity” on credit cards used at some of its restaurants. Similar to Whole Foods, the company didn’t disclose how many credit cards were potentially affected or when the data breach took place. Krebs on Security reported that the Sonic Drive-In cyber security breach may have impacted millions of credit and debit cards. “The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic,” Krebs on Security wrote.
About 5 million credit and debit card details recently put up for sale on the underground online site Joker’s Stash have been tied to a breach at Sonic Drive-In, according to Krebs on Security. “I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs on Security said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.” Cyber criminals typically steal credit card details from merchants that accept cards by hacking into their point of sale systems.

What is Point of Sale
Point of sale, also known as POS, is a system used by merchants where customers pay for goods or services. The POS system consists of hardware and software. The POS hardware refers to the device used to swipe a credit or debit card and the computer or mobile device attached to it. The POS software refers to the computer program that instructs the hardware what to do with the data it captures.
Through the years, a number of vulnerabilities have been identified in POS systems. The vulnerability of POS systems was highlighted with the arrest and conviction of Albert Gonzalez, leader of the group that stole more than 90 million card records from retailers. The Gonzalez group took advantage of the lack of point to point encryption in POS systems. When you pay using your credit card at a POS terminal, the credit card data housed in the card’s magnetic stripe is read and passed through a series of systems and networks before reaching the store’s payment processor. As of 2005, credit card details transmitted over a public network from a POS device were required to be encrypted using network-level encryption, for example, the Secure Sockets Layer (SSL). Within the internal network of the store, however, credit card details weren’t required to be encrypted except when stored. The Gonzalez group took advantage of this lack of point to point encryption at the internal network level by installing network-sniffing tools that allowed them to steal over 90 million card details. As a result of the Gonzalez group’s criminal activities, many stores today use POS systems with encryption even at the internal network level.

Through the years though, POS attackers have honed their skills and a number of POS attack methods have been developed. Big companies like Target Corporation succumbed to POS attackers. In May of this year, 47 US states and the District of Columbia reached a $18.5 million settlement with Target that resolves the states' investigation into the company's 2013 data breach, which affected more than 41 million customer payment card accounts.

How to Prevent POS Attacks?
Customers’ credit card data in the POS system passes through the following:
In each of these stages, customers’ credit card data becomes vulnerable to POS attackers. At the terminal level, attackers can insert hardware like skimmers or malicious firmware to steal credit card details. As data passes from terminal to cash register or from cash register to central payment processing server, the data may be stolen using network traffic sniffing tools like the ones used by the Gonzalez group. From the terminal to the internet exchange, there can be exposure of the encryption key. Credit card details may also be stolen via RAM scraping malware at the cash register level or at the central payment processing server level.

From terminal to internet exchange, mitigation strategies include a firewall and security information and event management (SIEM). At the cash register level or central payment processing server level, mitigation strategies include endpoint security software. From cash register to central payment processing server, mitigation strategies include data encryption and the use of SSL. Network segmentation is also one of the mitigation strategies to counter POS attacks. The network segmentation of Whole Foods’ bars and restaurants from the Whole Foods supermarket system and Amazon.com has prevented attacks on the other two Amazon assets. Target, meanwhile, hadn’t implemented network segmentation at the time of its 2013 data breach.

When you need help protecting your mission critical applications and infrastructure, give us a call to speak with one of our cyber security and compliance experts.

Major Accounting Firm Deloitte Admits It Suffered Cyber Attack
Deloitte, one of the world’s “big four” accountancy firms, admitted that it suffered a cyber attack. The company, however, downplayed the cyber attack saying that "only very few clients were impacted" and "no disruption" to client businesses happened.
Deloitte’s clients include 80% of the Fortune 500 companies and more than 6,000 private and middle market companies. British news outlet The Guardian and cyber security journalist Brian Krebs have come out with a different take on Deloitte’s cyber attack. Sources told the British news outlet that an estimated 5 million emails have been accessed by the hackers in the Deloitte cyber attack. A source close to the Deloitte cyber attack investigation, meanwhile, told Krebs that the Deloitte hacking incident involved the compromise of all administrator accounts at the company as well as the company’s entire internal email system.

“In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” Nick Hopkins of The Guardian wrote. “Some emails had attachments with sensitive security and design details.”

The Guardian reported that Deloitte discovered the hack in March of this year but the hackers may have had access to the company’s systems since October or November 2016. This hacking period was confirmed by Krebs, who said that the Deloitte hacking dates back to at least the fall of 2016. “Deloitte has sought to downplay the incident, saying it impacted ‘very few’ clients,” Brian Krebs wrote. “But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.”

“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” Deloitte said in a statement. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.
A source told Krebs that Deloitte “does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.”

Cause of the Cyber Attack
Sometime in October 2016, Deloitte may have sensed that something was wrong, as the company sent out an email to all its employees in the US calling for a mandatory password reset. The notice included advice to pick complex passwords and a warning that employees who failed to change their passwords or personal identification numbers (PINs) by Oct. 17, 2016 wouldn’t be able to access email or other Deloitte applications.
According to The Guardian, Deloitte’s global email server was compromised through an “administrator’s account” – an account that has unrestricted access to all aspects of the email server. The administrator’s account required only a single password and didn’t have 2-step verification, sources of The Guardian said. By relying only on a password – single-factor authentication – Deloitte’s email system became highly vulnerable to cyber attack. Hackers nowadays find it easy to break into email accounts protected by only a single factor of authentication, a password, due to the following reasons:
Prior to the massive hack at Equifax, where personally identifiable information like names, Social Security numbers, birth dates and addresses of 143 million Americans, 100,000 Canadians and 400,000 UK residents were stolen, Equifax was a victim of an earlier hacking incident. On May 15 of this year, the Counsel for TALX Corporation – a wholly owned subsidiary of Equifax – informed the Attorney General of New Hampshire about a hacking incident that harvested W-2 tax forms of the employees of the corporate clients of TALX. According to the Counsel for TALX, hackers gained access to the website of TALX and harvested W-2 tax forms of customers by successfully answering personal questions used to reset “PINs” or passwords to access the website. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” the Counsel for TALX said.

“It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN,” Avivah Litan, a fraud analyst with Gartner, told Krebs, in reaction to the TALX-Equifax data breach. “That’s so 1990s.”

What is a 2-Step Verification
Many companies like Google, Facebook and Apple have adopted the 2-step verification, also known as two-factor authentication.
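The second step described in this section is, in the authenticator-app variant, a time-based one-time password (RFC 6238 TOTP built on RFC 4226 HOTP). The following is an added example, not code from the original post or from any of the companies named: it generates and verifies such codes and wires the check into a two-step sign-in. The user record, salt and password are constructed; the shared secret is the RFC reference secret so the codes match the published test vectors.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (the ASCII string "12345678901234567890"),
# used only so the codes produced here match the published test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).
    A code is valid only for its ~30-second step plus the drift window, so a code that
    was captured earlier (for example by malware on the phone) expires quickly."""
    counter = unix_time // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift, digits)
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed user record: a salted PBKDF2 password hash plus the base32-encoded
# TOTP secret, which is the form authenticator apps store it in. Not real credentials.
_SALT = b"constructed-fixed-salt"
USER = {
    "name": "alice",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    "totp_secret_b32": base64.b32encode(RFC_SECRET).decode(),
}


def authenticate(user: dict, password: str, code: str, unix_time: int, window: int = 1):
    """Two-step sign-in: factor 1 is the password, factor 2 is the app-generated code.
    Returns (ok, reason); both factors are evaluated before a decision is made."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000),
        user["password_hash"],
    )
    secret = base64.b32decode(user["totp_secret_b32"])
    code_ok = verify_totp(secret, code, unix_time, window=window)
    if pw_ok and code_ok:
        return True, "ok"
    if not pw_ok:
        return False, "bad password"
    return False, "bad or expired code"


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code for alice:", totp(RFC_SECRET, now))
    print(authenticate(USER, "correct horse", totp(RFC_SECRET, now), now))
```

The distinct failure reasons are returned here so the flow is visible; a production login page should report one generic failure for both factors, and the drift window should stay small (one step each side) because every extra step widens the interval in which a stolen code still works.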
The 2-step verification is one of the security measures that help keep bad guys out. An example of the 2-step verification is that of Gmail, where you'll be asked to enter your password as usual. In addition to the password, you'll be asked for something else: a code sent to your smartphone via text, voice call or mobile app. You can sign in using this code. You can also sign in using a USB security key – a small device that connects to your computer.

Can the 2-step verification totally keep the bad guys away? Two-factor authentication offers more protection than logging into an email account without it. This added layer of security can stop certain groups of hackers. It can’t, however, stop other sophisticated cyber attacks. The USB security key is considered more secure than the code sent via smartphone. There’s, however, the danger of this device being lost or stolen. Cyber criminals, in the past, have infected mobile devices to steal 2-step verification security codes.

Your organization’s entire internal email system could be full of sensitive information. Protecting your company’s email system goes beyond a password – single-factor authentication. Email security also goes beyond two-factor authentication. Contact us today if you need further protection for your organization’s internal email system.

Wall Street’s Top Regulator Discloses Own Data Breach
The US Securities and Exchange Commission (SEC) – Wall Street’s top regulator – is the latest entity that publicly acknowledged that it was a victim of a cyber attack.
SEC Chairman Jay Clayton, who took office in May of this year, admitted that in August 2017, the Commission learned that a hacking incident detected back in 2016 “may have provided the basis for illicit gain through trading”. “Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Chairman Clayton. “We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

This recent cyber attack disclosure came just two weeks after the massive data breach at credit monitoring company Equifax, affecting 143 million Americans – almost all of the adults in the US – and 100,000 Canadians and 400,000 UK residents.

This recent SEC hacking incident puts the Commission in an uneasy position given that it’s the government body that’s responsible for enforcing securities laws, issuing rules and regulations and ensuring that securities markets are fair, honest and provide protection for investors. The Commission, in particular, has the power to fine private entities for failing to safeguard customer information. In June 2016, Morgan Stanley Smith Barney LLC paid a $1 million SEC fine over stolen customer data. The Morgan Stanley case originated from the act of a then-employee who accessed and transferred the data of nearly 730,000 accounts to his personal server, which was then eventually hacked by third parties. The Commission found Morgan Stanley violated Regulation S-P, a regulation that requires registered investment companies, broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Morgan Stanley agreed to settle the charges without denying or admitting the SEC findings.

In September 2015, a St. Louis-based investment adviser firm paid a $75,000 SEC fine for failing to establish the needed cyber security policies and procedures, resulting in a data breach that compromised the personally identifiable information (PII) of nearly 100,000 individuals, including thousands of the clients of the firm. The SEC, in its decision, said the firm “failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.”

Patch, Patch, Patch
According to SEC Chairman Clayton, hackers exploited the software vulnerability of the Commission’s corporate filing system known as “EDGAR”, short for electronic data gathering, analysis and retrieval. The software vulnerability was patched after discovery, the SEC Chairman said.
The Commission’s EDGAR system performs automated collection, validation, indexing, acceptance and forwarding of data submitted by companies and others required to file certain information with the Commission. The system, in particular, receives, stores and transmits nonpublic information, including data which relates to the operations of credit rating agencies, issuers, investment advisers, broker-dealers, clearing agencies, investment companies, municipal advisors, self-regulatory organizations ("SROs") and alternative trading systems ("ATSs").

What is a Patch
A patch is a piece of code that’s added into a software program to fix a defect also known as software bug, including a security vulnerability. Patches are created and released by software creators after defects or security vulnerabilities are discovered. If a patch isn’t applied in a timely manner or if a software creator no longer offers a patch, cyber criminals can exploit a known vulnerability.
The Common Vulnerabilities and Exposures (CVE) list, an international industry standard, lists and assigns names to all known cyber security vulnerabilities. The United States Computer Emergency Readiness Team (US-CERT) provides an up-to-date list of known vulnerabilities and patches.

“Federal agencies consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available,” Gregory Wilshusen, Director for Information Security Issues, said in a written statement before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives in February 2017. “We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise, since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risk.”

The 2 major cyber attacks in 2017 – WannaCry and the Equifax data breach – exploited known vulnerabilities in computers that were unpatched. WannaCry ransomware, which affected thousands of computers worldwide in May of this year, exploited a vulnerability in Microsoft Windows. This particular vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Microsoft, for its part, released a patch or security update for this known vulnerability in March 2017 – two months before WannaCry was released into the wild. For the Equifax data breach, the identified cause was a vulnerability in Apache Struts in the US online dispute portal web application of Equifax. According to Equifax, the data breach happened from May 13, 2017 to July 30, 2017.
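Knowing that a patch exists is only useful if you know which of your applications still carry the vulnerable component and for how long the fix has been public. The following is an added example, not code from the original post, from US-CERT or from any vendor: a small inventory audit that compares each application's framework version against an advisory list and flags anything past a short remediation window. The framework name, advisory ids, version ranges and dates are constructed placeholders; for a real component, take the affected and fixed versions from the vendor's advisory.

```python
from dataclasses import dataclass
from datetime import date


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically.
    A shorter tuple sorts before its longer extension, so 2.5.10 < 2.5.10.1,
    which matters when the fix is a fourth-component point release."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    affected_from: str   # first affected version on this branch, inclusive
    fixed_in: str        # first fixed version on this branch, exclusive
    published: date


def is_affected(version: str, advisory: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(advisory.affected_from) <= v < parse_version(advisory.fixed_in)


def audit(inventory, advisories, today: date, sla_days: int = 3):
    """Cross-reference every (app, component, version) against the advisory list.
    A finding becomes 'overdue' once the fix has been public longer than the SLA,
    which here follows the 'hours or a few days' guidance rather than weeks."""
    findings = []
    for app, component, version in inventory:
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                days_public = (today - adv.published).days
                findings.append({
                    "app": app,
                    "component": component,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "upgrade_to": adv.fixed_in,
                    "days_since_fix": days_public,
                    "overdue": days_public > sla_days,
                })
    return findings


# Constructed data: a hypothetical framework with two maintained release branches
# and one advisory entry per branch. Ids, names, versions and dates are placeholders.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1 (1.4.x branch)", "example-framework", "1.4.0", "1.4.7", date(2017, 3, 6)),
    Advisory("ADV-EXAMPLE-1 (2.0.x branch)", "example-framework", "2.0.0", "2.0.3.1", date(2017, 3, 6)),
]

INVENTORY = [
    ("dispute-portal", "example-framework", "1.4.2"),    # affected, 1.4.x branch
    ("booking-api",    "example-framework", "2.0.3.1"),  # already on the fixed release
    ("legacy-app",     "example-framework", "2.0.3"),    # one point release short of the fix
    ("intranet",       "example-framework", "1.3.9"),    # below the affected range
]


def run_example():
    return audit(INVENTORY, ADVISORIES, today=date(2017, 5, 13))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The version parser only understands dotted numeric versions; pre-release suffixes such as `-SNAPSHOT` or `-RC1` would need their own handling before this could be run over a real build manifest.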
The Apache Software Foundation, a not-for-profit corporation that manages and provides patches for Apache Struts, released 4 patches for 4 known vulnerabilities from March 2017 to July 2017. Even as cyber vulnerabilities are made public and patches are released, many organizations still fall victim to cyber attacks for failing to simply apply the available patches. According to the Apache Software Foundation, the majority of the breaches that came to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.” Days after the patch for CVE-2017-5638 – a critical vulnerability in Apache Struts that allows attackers to take almost complete control of web servers used by banks and government agencies – was made available to the public, security researchers still noticed a spike of attacks exploiting this vulnerability. Patching known vulnerabilities in a timely manner is important as cyber criminals are quick to make use of newly published cyber security vulnerabilities, using them to launch cyber attacks within days. Monitoring and managing vulnerabilities and threats is only effective when done regularly.

Identifying security vulnerabilities is an onerous task generally assigned to your company's IT department. We can save you time and money by proactively scanning your infrastructure and networks, helping you prevent a data breach. Connect with us today to learn more and protect your business.

Apache Struts Vulnerability: There’s More to It Than Patching
Equifax claimed in its latest announcement that the vulnerability in the Apache Struts in its US online dispute portal web application caused the massive data breach affecting 143 million Americans – almost all of the adults in the US.
What is Apache Struts?
Apache Struts is an open-source framework for developing web applications in the Java programming language. It’s used by a significant number of organizations for developing publicly-accessible web applications like airline booking systems and internet banking applications.
The Apache Software Foundation, a not-for-profit corporation, manages and provides organizational, legal and financial support for the Apache open-source software projects, including Apache Struts.

According to Equifax, the data breach that harvested names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million US citizens occurred from May 13, 2017 to July 30, 2017. During this period, hackers also accessed credit card numbers for nearly 209,000 US customers, certain dispute materials with personal identifying information for almost 182,000 US customers and personal information for certain Canadian and UK residents.

From March 2017 to September 2017, security researchers identified several critical vulnerabilities in Apache Struts. These include:
Notable Apache Struts Vulnerability #1: CVE-2017-5638
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts that particularly affects the Jakarta Multipart parser. Hackers exploiting this vulnerability can attack a web application, take full control of the web server and inject it with commands of their choice.
Nick Biasini, threat researcher at Cisco Talos, said they observed and blocked several attacks exploiting this vulnerability in Apache Struts. According to Biasini, one type of attack exploiting this vulnerability initially stops the firewall protecting the server and ultimately downloads and executes malware of the attackers’ choice.

Notable Apache Struts Vulnerability #2: CVE-2017-9805
CVE-2017-9805 is another critical remote code execution vulnerability in Apache Struts. All web apps using the popular REST plugin of Apache Struts are particularly vulnerable. Security researchers at lgtm discovered this vulnerability. If this vulnerability is exploited, hackers can run malicious code on the app server and either take full control of the machine or launch further attacks.
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, said. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.” Citing analyst Fintan Ryan at RedMonk, lgtm noted that at least 65% of the Fortune 100 companies are actively using web apps built with the Apache Struts framework.

Common Patching Versus Web App Patching
All of the above-mentioned vulnerabilities in Apache Struts have already been patched by the Apache Software Foundation. Many organizations, however, still haven’t patched their vulnerable web apps.
While most vulnerability fixes require only downloading a patch, installing it and rebooting a machine, fixing an Apache Struts vulnerability is different, as each web app needs to be recompiled against a patched version of the framework. In fixing an Apache Struts vulnerability, the web app code will have to be changed as opposed to just applying the vendor patch. In addition to the complexity of patching a web app, organizations also have problems in getting trusted and skilled personnel to patch the web apps, since most of the original web app developers have moved on to other projects or to other companies. The time spent waiting for the right personnel to patch the web app and waiting for the code modification is critical.

One of the preventive measures that your organization can use is virtual patching. “Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them,” Imperva said.

Additional Preventive Measures
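The fifth of the Apache Software Foundation's recommendations in this section is to monitor public web resources for unusual access patterns. As an added example that is not code from the original post, from the Foundation or from any monitoring product, the script below applies two simple per-source-address baselines to web server access logs: a burst of requests inside a sliding window, and an unusually high share of 5xx responses, which is the kind of trail a failed or repeated exploitation attempt against a web framework tends to leave. The log lines, addresses (RFC 5737 documentation ranges) and paths are constructed, not captured from any real server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log lines; not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2017:10:00:01 +0000] "POST /dispute/upload HTTP/1.1" 500 512 "-" "curl/7.52.1"
198.51.100.7 - - [13/May/2017:10:00:02 +0000] "GET /dispute/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [13/May/2017:10:00:04 +0000] "POST /dispute/upload HTTP/1.1" 500 512 "-" "curl/7.52.1"
203.0.113.5 - - [13/May/2017:10:00:06 +0000] "POST /dispute/upload HTTP/1.1" 500 512 "-" "curl/7.52.1"
203.0.113.5 - - [13/May/2017:10:00:09 +0000] "POST /dispute/upload HTTP/1.1" 200 128 "-" "curl/7.52.1"
203.0.113.5 - - [13/May/2017:10:00:11 +0000] "POST /dispute/upload HTTP/1.1" 500 512 "-" "curl/7.52.1"
198.51.100.7 - - [13/May/2017:10:05:40 +0000] "GET /dispute/status HTTP/1.1" 200 910 "-" "Mozilla/5.0"
203.0.113.5 - - [13/May/2017:10:00:15 +0000] "POST /dispute/upload HTTP/1.1" 200 128 "-" "curl/7.52.1"
198.51.100.7 - - [13/May/2017:10:09:12 +0000] "GET /dispute/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Yield (ip, timestamp, path, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_unusual(text, window_seconds=60, burst_threshold=5,
                   error_ratio=0.5, min_requests=3):
    """Return one alert dict per (source address, reason) that exceeds a baseline."""
    per_ip = defaultdict(list)
    for ip, ts, _path, status in parse_log(text):
        per_ip[ip].append((ts, status))

    alerts = []
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # sliding window: the largest number of requests inside any window_seconds span
        peak, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= burst_threshold:
            alerts.append({"ip": ip, "reason": "burst", "value": peak})

        # share of server errors; ignore sources with too few requests to judge
        if len(events) >= min_requests:
            errors = sum(1 for _, s in events if s >= 500)
            ratio = errors / len(events)
            if ratio > error_ratio:
                alerts.append({"ip": ip, "reason": "server-error-ratio", "value": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_unusual(SAMPLE_LOG):
        print(alert)
```

Thresholds like these are a starting point, not a verdict: tune them against a week of your own normal traffic, and feed the alerts into whatever collects your other security events so that a burst against the presentation layer can be correlated with what the back-end layers saw at the same time.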
The Apache Software Foundation said in a statement, “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework.”
The not-for-profit organization, however, said that the majority of the breaches that came to the organization’s attention are “caused by failure to update software components that are known to be vulnerable for months or even years.” The Apache Software Foundation offers the following additional recommendations to prevent data breaches arising from Apache Struts vulnerabilities:

“1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

“2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months.

“3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

“4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.

“5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.”

New Bluetooth Malware Puts Billions of Devices at Risk
A new piece of malicious software, dubbed “BlueBorne”, puts billions of Bluetooth-enabled devices at risk.
Understanding Bluetooth
Dr. Jaap Haartsen invented Bluetooth while working at Ericsson in the 1990s. Bluetooth was named after the 10th-century king of Denmark, King Harald Blåtand (Bluetooth in English), who famously united Scandinavia. Just as King Bluetooth united Scandinavia, Dr. Haartsen’s invention unites or connects devices.
Bluetooth is currently the most widely-used protocol for short-range communications. It's used in a wide range of devices, from personal computers to smart phones, consumer electronics devices (smart TVs, printers), medical and health devices, home automation and autonomous cars. Bluetooth is now licensed, managed and maintained by the Bluetooth Special Interest Group (SIG). Tech giants Google, Microsoft, Apple, Intel and IBM are some of the group members.

How BlueBorne Works
1. BlueBorne attacks devices via Bluetooth.
The security research firm Armis first identified the BlueBorne malware. Researchers at the firm found that BlueBorne specifically exploits security flaws in Bluetooth-enabled devices running the Windows, Android, pre-version 10 iOS and Linux operating systems, regardless of the Bluetooth version in use. This means that every single computer, mobile device or IoT device running on one of the above-mentioned operating systems is at risk. There are currently 2 billion Android users, 500 million Windows 10 users, 1 billion Apple users, and 8 billion IoT devices. Affected devices include all Android phones, tablets and wearables (except those using only Bluetooth Low Energy), all Windows computers since Windows Vista and all Linux devices like Samsung Gear S3, Samsung Smart TVs and Samsung Family Hub.

2. BlueBorne spreads through the air.

BlueBorne is alarming as it operates through the air. Unlike traditional cyber attacks, no action is required from the victim to enable the BlueBorne attack – no need to download a malicious file or click on a link. Once the malware detects that Bluetooth is active on a device that runs Windows, Android, pre-version 10 iOS or Linux, it attacks it despite the fact that the targeted device isn’t paired with the attacker’s device or set to discoverable mode. “Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” Armis said. To initiate BlueBorne, the attacker must be near the targeted user and the Bluetooth feature of the target user's device must be turned on. Billions of devices are at risk as Bluetooth is turned on by default on many devices. Many users also prefer to keep Bluetooth on most of the time to conveniently connect to keyboards, headphones and various other IoT devices.
The airborne operation of BlueBorne is problematic in the following ways:

a) Highly Infectious

Spreading from one device to another through the air makes BlueBorne highly infectious, since the Bluetooth process enjoys high privileges on all operating systems. Exploiting Bluetooth gives hackers full control over the device.

b) Bypasses Traditional Cyber Security Measures

As BlueBorne is spread through the air, it bypasses traditional cyber security measures. Typical security measures are defenseless against airborne attacks. BlueBorne attackers can bypass secure internal “air-gapped” networks – a security measure that isolates a computer or network and prevents it from establishing an external connection. "These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," Yevgeny Dibrov, CEO of Armis, said in a statement. "The research illustrates the types of threats facing us in this new connected age."

3 Ways BlueBorne Attackers Could Exploit Your Device
1. Take Full Control of Your Device for Criminal Activities
BlueBorne attackers could remotely execute code on your vulnerable device, allowing the attackers to take full control over your device and access corporate networks, systems and data. With full access to your device, hackers could perform criminal activities, including ransomware and data theft.

2. Create Large Botnets Similar to the Mirai Botnet

The Mirai botnet uses compromised IoT devices to carry out crippling Distributed Denial of Service (DDoS) attacks. In 2016, crippling DDoS attacks were waged against the website of cyber security blogger Brian Krebs and a French web hosting company. BlueBorne attackers, for instance, could use your compromised device, together with other compromised devices, to execute DDoS attacks against a particular website.

3. Perform Man-in-the-Middle Attack

BlueBorne attackers could perform a man-in-the-middle attack on your device. A man-in-the-middle attack happens when attackers redirect the communication between two users to the attackers’ computer without the knowledge of the original two users. “An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer,” Microsoft said in its September 12, 2017 security bulletin. “The attacker can then monitor and read the traffic before sending it on to the intended recipient.” Microsoft calls this Bluetooth vulnerability "Microsoft Bluetooth Driver Spoofing Vulnerability".

How to Prevent BlueBorne Attacks
1. Turn Bluetooth Off
The safest way to prevent a BlueBorne attack is to turn off the Bluetooth feature on your device. This malware can reach your device only while Bluetooth is active; if it is turned off, the malware can’t infiltrate your device.
2. Update Your Operating System
It’s advisable to keep your operating system up-to-date. Not all operating systems, though, have patched or issued a security update that fixes the BlueBorne vulnerability. According to Armis, it informed Google about the BlueBorne issue on April 19, 2017. Google released a public security update and security bulletin on September 4, 2017. Microsoft was informed by Armis about the BlueBorne issue on April 19, 2017 and released security updates on July 11, 2017. Apple was informed about BlueBorne on August 9, 2017 and corrected this vulnerability in its latest iOS and tvOS. Linux was informed by Armis on August 15 and 17, 2017 and on September 5, 2017. As of September 12, 2017, Armis said, Linux hadn't yet issued a public security update to patch the BlueBorne vulnerability.
Gov’t of Canada Moves Closer to Implementing Mandatory Data Breach Reporting by Publishing the Proposed “Breach of Security Safeguards Regulations”
The Government of Canada published last Sept. 2 the proposed “Breach of Security Safeguards Regulations” in the Canada Gazette. The official publication signals the approaching implementation of the mandatory data breach reporting under Canada’s Digital Privacy Act.
The Digital Privacy Act, a law that amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), was passed by the Canadian Parliament on June 18, 2015. While it has been over two years since the passage of the Act, the law is still not in force in the absence of “Regulations” that lay out the specific details of the law.
Digital Privacy Act
Under the Digital Privacy Act, every Canadian organization is required to do the following in case of a data breach:
Proposed Breach of Security Safeguards Regulations
The proposed Breach of Security Safeguards Regulations lay out the specific steps for notifying the Privacy Commissioner and the affected individuals, and the particulars of maintaining a record of the data breach.
Under the proposed Breach of Security Safeguards Regulations, an organization affected by the data breach must notify the Privacy Commissioner in writing and provide the following details:
The proposed Breach of Security Safeguards Regulations also require an organization to inform the affected individuals directly by email, letter, telephone or in person. Indirect notice, via a message posted on the organization’s website for at least 90 days or an advertisement that’s likely to reach the affected individuals, is an option under the proposed Breach of Security Safeguards Regulations in the following circumstances:
Under the proposal, notice to individuals – whether direct or indirect – must contain the following information:
The proposed Breach of Security Safeguards Regulations further require an organization to maintain a record of every data breach for a period of 24 months. It isn’t clear when the proposed Regulations will come into effect. Both the Digital Privacy Act and the Breach of Security Safeguards Regulations will, however, take effect on the same day. Interested persons have until October 2, 2017 to give feedback regarding the proposed Regulations.
Benefits of Mandatory Data Breach Reporting and Mandatory Data Breach Record-Keeping
Enforcement of the Digital Privacy Act and the Breach of Security Safeguards Regulations, that is, of mandatory data breach reporting and mandatory data breach record-keeping, is expected to bring about the following benefits:
1. Prevent Identity Fraud
Mandatory data breach reporting is expected to “contribute positively to the privacy and security of individuals”, according to Charles Taillefer, Director for Innovation, Science and Economic Development Canada. He said, “Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm.” Based on the 2015 Identity Fraud Study conducted by Javelin Strategy and Research, two-thirds of individuals who were impacted by a data breach became victims of identity theft or fraud. The research group defines identity fraud as the “unauthorized use of another person’s personal information to achieve illicit financial gain”. Examples of identity fraud include using a stolen payment card account, opening new accounts, making fraudulent purchases or taking control of existing accounts.
2. Help Organizations Improve Data Security
According to the Global Internet Report 2016 (PDF) by the Internet Society, mandatory data breach reporting increases transparency about data breaches – what the likely targets are, what data is taken, how the breaches are carried out, and what cyber security works and what doesn’t. “Sharing information responsibly has a number of benefits – it could help organisations globally improve their data security, help policymakers improve policies and regulators pursue attackers, and help the data security industry produce better solutions,” Internet Society said. “All this can help protect the data ecosystem as a whole.”
3. Motivate Organizations to Track and Analyze Data Breaches
According to the Director for Innovation, Science and Economic Development Canada, the requirement to maintain a record of every data breach for a period of two years will “incentivize organizations to track and analyze the impact of all data security incidents”.
According to EY’s 19th Global Information Security Survey (PDF), 62% of organizations wouldn’t increase their cyber security spending after experiencing a breach that didn’t appear to do any harm. “Cyber criminals often make ‘test attacks,’ lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to,” EY said. “Organizations should assume that harm has been done every time there is an attack, and if they have not found it, they should consider that they have not found it yet.”
Equifax Says Cyber Attack May Expose Data of 143 Million Customers
Equifax, one of the top consumer credit reporting agencies in the US, UK and Canada, publicly acknowledged that it was a victim of a cyber attack that may have exposed data of 143 million US customers – almost half of the total population of the US.
The consumer credit reporting agency added that hackers gained access to limited personal information for certain Canadian and UK customers. The agency further revealed that credit card numbers of close to 209,000 US customers and certain dispute documents with personal identifying information for nearly 182,000 US customers were accessed by cyber criminals. “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Richard F. Smith, Chairman and Chief Executive Officer of Equifax, said in a statement. While this recent Equifax data breach isn’t the biggest data breach on record – the Yahoo data breach affected one billion customers – it may be the worst in terms of severity. “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner, told the New York Times. Aside from credit card numbers, personal identifying information such as names, Social Security numbers, birth dates, addresses and driver’s license numbers were harvested by the hackers in the recent Equifax cyber attack. According to Equifax, cyber criminals had access to the sensitive files of its customers from mid-May 2017 to July 2017. The company said it discovered the data breach only on July 29 of this year. The May 2017-July 2017 cyber attack wasn’t the only data breach that Equifax experienced; the company had suffered two other data breaches in the past two years. One occurred on the website of TALX – a wholly owned subsidiary of Equifax – between April 17, 2016 and March 29, 2017. Hackers harvested W-2 tax forms of the employees of corporate clients of TALX. On May 15 of this year, the Counsel for TALX Corporation informed the Attorney General of New Hampshire about the data breach incident.
TALX offers payroll-related services for companies. Another data breach incident happened on the W-2 Express website, a site owned and managed by Equifax. Hackers again stole W-2 tax forms of the employees of corporate clients of Equifax, including Kroger (the second largest private employer in the US with 443,000 employees) and Stanford University. Between May 2016 and April 2016, Kroger and Stanford informed their current and former employees that they may be vulnerable to tax fraud after hackers downloaded W-2 tax forms from Equifax’s W-2 Express website. W-2 tax forms are used by cyber criminals to file fraudulent tax refund claims with the US Internal Revenue Service (IRS). According to the US Department of Treasury (PDF), the US Government issued refunds worth $490 million on 63,000 fraudulent tax returns.
Causes of Data Breaches
1. W-2 Express Data Breach
Based on a letter sent by Kroger to its employees, as reported by Krebs on Security, hackers gained access to Equifax’s W-2 Express website by using two pieces of default login information: Social Security number and date of birth.
Danger Sign: A default login using Social Security number and date of birth is a dangerous practice, as many customers don’t change this default login. The use of Social Security number and date of birth as login details is also a security risk because many past data breaches have already exposed these two pieces of personally identifiable information.
2. TALX Data Breach
According to TALX, cyber criminals gained access to the website of TALX and harvested W-2 tax forms of customers by successfully answering the personal questions used to reset “PINs” or passwords for accessing the website. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” TALX said.
Danger Sign: Authentication by a PIN or a single password alone is an outdated and insecure cyber security measure. Two-factor authentication is a better option, such as one-time tokens sent to a mobile device or email address.
3. The 143-Million Data Breach
For the recent data breach, Equifax said that hackers gained access to millions of its customers’ sensitive data by exploiting a US “website application vulnerability”. The company didn’t name the specific vulnerability.
Danger Sign: According to a New York Times article, Equifax was criticized for not learning from past data breaches and for failing to stop thieves “to get the company’s crown jewels through a simple website vulnerability.” Equifax could have put in place a multi-layered cyber security defense system on its website so that when hackers manage to break through one layer of defense, they can be stopped by the subsequent ones. “We may think one layer of security will protect us – for example, antivirus. Unfortunately for that approach, history has proven that, although single-focus solutions are useful in stopping specific attacks, the capabilities of advanced malware are so broad that such protections inevitably fail,” SANS said in its whitepaper "Layered Security: Why It Works". “Organizations operating in the digital world today need layers of security ...." The consumer credit reporting giant is currently under scrutiny after three of its managers sold their Equifax shares days after the major data breach at the company was discovered. According to Bloomberg, Chief Financial Officer John Gamble sold shares worth $946,374; president of US information solutions Joseph Loughran exercised options to dispose of stock worth $584,099; and president of workforce solutions Rodolfo Ploder sold $250,458 worth of stock on August 2 of this year – four days after the data breach discovery. Just hours after the official data breach announcement, Equifax shares tumbled 13%, according to Bloomberg.
Canadian University Loses $11.8 Million to BEC Scammers
An Edmonton, Alberta-based university publicly acknowledged that it was a victim of a recent cyber attack.
According to the Alberta-based university, a series of bogus emails tricked university staff into changing the electronic banking information for one of the university’s major suppliers. This resulted in a money transfer worth $11.8 million to a bank account that the university staff believed belonged to the supplier. The university traced over $11.4 million of the money to bank accounts in Canada and Hong Kong. According to the university, the traced bank accounts have been frozen and the university is working with its legal counsel in Montreal and Hong Kong to pursue civil action to recover the money. The remaining balance of these accounts is, however, unknown at this time. “There is never a good time for something like this to happen but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident,” the university spokesperson said. The incident that occurred at the Alberta-based university is an example of the cyber attack called business email compromise (BEC).
What Is a Business Email Compromise (BEC)?
BEC is a cyber attack that targets organizations that have regular dealings with foreign suppliers and regularly perform wire transfer payments.
According to the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2016, a total of 40,203 BEC incidents were reported worldwide, with the total financial loss amounting to $5.3 billion. The IC3 said that the scam has been reported in 131 countries, with victims ranging from non-profit organizations to small businesses and large corporations. These businesses offer a variety of goods and services, signifying that no specific sector is targeted more than another. Tech giants Google and Facebook succumbed to BEC scams. "Ransomware has been drawing much of the attention in the security world lately,” Cisco 2017 Midyear Cybersecurity Report (PDF) said. “However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC." According to the FBI’s Internet Crime Complaint Center, some of the organizations affected by BEC reported being a victim of a ransomware attack before the BEC incident.
How BEC Works
BEC is an elaborate deception scheme.
First, attackers study the organization they want to target. Attackers spend weeks and even months studying the organization’s suppliers, billing systems, the top executive or CEO’s writing style and his or her travel schedule.
Tools Used: Attackers get the above-mentioned information from public online resources such as social media accounts and by using malicious software capable of infiltrating the organization’s networks to gain access to passwords, financial account information and email threads relating to billing and invoices.
Second, attackers establish a relationship with a target employee. When the time is right, for instance when the CEO isn’t in his or her office, BEC scammers contact a specific employee – bookkeeper, accountant, controller or chief financial officer – who is responsible for directly transferring money to suppliers. Attackers exploit the target employee through email spoofing, phishing emails and telephone calls.
A spoofing tool is also used by the attackers to direct email replies to a different account that the attackers control. At this stage, the target employee is tricked into thinking that he or she is corresponding with the organization’s CEO.
Third, attackers send instructions for money transfer. For this third stage, attackers further deceive the target employee, for instance, by convincing the employee that the supplier has a new bank account number and instructing the employee to send payment to this new account. Attackers may also send a bogus email from a CEO to release the money to the new bank account.
Fourth, the money sent is drained to different accounts. In this fourth stage, money is sent to “money mules” in different parts of the world. Some of these accounts are difficult to trace. If the scam isn’t uncovered in time, it may be hard to recover the money.
How to Prevent BEC Scams
Here are some of the ways to prevent BEC scams:
1. Verify the authenticity of the money transfer request.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said FBI Special Agent Martin Licciardo. Also confirm the money transfer request by calling the supplier on previously known company numbers, not the one provided in the email request. In the case of the Alberta-based university, based on the preliminary assessment of the university’s internal audit group, the BEC scammers succeeded in deceiving the university staff because “controls around the process of changing vendor banking information were inadequate”.
2. Use an email intrusion detection system.
This automated system can flag emails from sender domains that closely resemble your organization’s own. For example, an intrusion detection system for the legitimate domain xyz-corporation.com can flag bogus emails from xyz_corporation.com.
Massive Locky Ransomware Campaign Attempts to Infect Millions of Computers in 24 Hours
Locky is the first ransomware to make $1 million per month based on a Google-led study (PDF). After lying low in the first half of 2017, this notable ransomware made a massive comeback last August 28th, unleashing 23 million malicious emails in just 24 hours.
"In the past 24 hours we have seen over 23 million messages sent in this [Locky Ransomware] attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017," researchers at AppRiver said.
How the Latest Locky Ransomware Works
Millions of workers who returned to work on Monday, August 28th, received an email with subject lines “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.
Each email comes with a ZIP attachment containing a Visual Basic Script (VBS) file. Once opened, this VBS file initiates the download of the latest version of Locky ransomware. All the files on the infected computer are then encrypted – converted into ciphertext, a data form that can only be read using a secret decryption key or password. After the data encryption, victims are instructed to install the TOR browser and are provided with a .onion (dark web) site address. Below is a screencap of the dark web site.
The dark web site shows a victim how to purchase Bitcoins. It also tells the victim to send 0.5 Bitcoin – equivalent to a staggering $2,381 – to a certain Bitcoin address as payment to supposedly unlock the encrypted files.
The latest Locky strain was reported last August 17th this year by researchers at Fortinet. The latest strain uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. Rommel Joven, one of the Fortinet researchers who discovered the latest Locky variant, tweeted last August 17th that this variant is the second modification of Locky in over a week. Last August 14th, Fortinet researchers identified the predecessor of the Lukitus Locky variant, called "Diablo6" after the “.diablo6” extension it adds to encrypted files. “It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters," Fortinet researchers said about the Diablo6 Locky variant. This variant similarly spreads through spam emails – each containing a VBS attachment. Once clicked, the VBS file downloads the Locky variant from a compromised URL or webpage.
History of Locky Ransomware
Locky ransomware was first distributed into the wild in early February 2016. Based on the Google-led study, Locky was the highest grossing ransomware in 2016, earning a total of $7.8 million.
Locky’s notoriety rose when it victimized an American hospital in early February 2016. The hospital publicly acknowledged (PDF) that it was a victim of malware that locked access to certain hospital computers by encrypting the files and demanding a ransom payment worth 40 Bitcoins (equivalent to $17,000 at that time) for the decryption key. The hospital said that it paid $17,000 as it was the “quickest and most efficient way to restore our systems and administrative functions”. According to Fortinet researchers, from February 19, 2016 to September 15, 2016, Locky's total hits reached 36,314,789, mostly affecting computer users in the U.S., France, Japan, Kuwait, Taiwan and Argentina. Modifications of Locky ransomware aren’t limited to the Lukitus and Diablo6 variants. In its more than a year in the wild, the creators of Locky ransomware have periodically made changes to this malicious software. Aside from “.lukitus” and “.diablo6”, Locky’s creators have also used “.locky”, “.zepto” and “.odin” as extensions for its encrypted files. Different variants of Locky were spread in two ways: 1) spam emails and 2) compromised websites.
Spam Emails
One of the main paths of Locky infection is through spam email campaigns. The following are some of the subject lines used in spam emails to spread the Locky ransomware:
An email with the subject line "Scanned image from MX-2600N” may look innocent enough. But the use of such subject line is a product of a sophisticated campaign – a plan to mislead many employees into clicking the spam email. The term “MX-2600N” is actually the most popular model of Sharp scanner/printer that’s used by many offices. Many employees use this model to scan documents and email them to themselves or other people. So, when they see an email with the subject “MX-2600N”, they’re tricked into thinking that they’re opening an email that they’ve sent to themselves. According to Fortinet researchers, Locky’s spam email campaigns in the past contained the following attachments:
Compromised Websites
The other attack path used by Locky ransomware is via compromised websites that redirect to the Nuclear or Neutrino Exploit Kit. Unlike a malicious email campaign, in which the victim has to open an email and click on the attachment, an exploit kit like Nuclear or Neutrino doesn’t require any added action from the end user. An exploit kit works like a ghost while a potential victim is browsing a compromised website. In the case of Locky ransomware, the exploit kit acts as the distributor of the malware to the victim’s computer.
How to Prevent Locky Ransomware Attacks
Here are some of the ways to block Locky ransomware attacks:
1. Use Up-to-Date Browser and Software
“Using up-to-date browser and software remains to be the most effective mitigation against exploit kits,” Microsoft said. “Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.”
2. Exercise Caution When Opening Emails and Attachments
Be wary of opening emails from unknown senders. When in doubt about an email, ignore it, delete it and never open attachments or click on URLs.
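Item 2 under "How to Prevent BEC Scams" above describes flagging sender domains that mimic the organization's own (xyz_corporation.com against xyz-corporation.com, plus the reply-redirection spoofing described under "How BEC Works"), and the Locky section describes ZIP attachments carrying a VBS file under generic lure subjects. The following added example, which is not code from this blog or from any product it mentions, puts both checks into one mail-triage script; the organization domain xyz-corporation.com, the script-extension list and the sample messages are constructed assumptions.

```python
# Constructed mail-triage checks for this page's BEC and Locky indicators (not code from any product the page names); sample messages are built inline.
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "xyz-corporation.com"   # assumed: the defender's own mail domain
LURE_SUBJECTS = {"please print", "documents", "photo", "images", "scans",
                 "pictures", "scanned image from mx-2600n"}  # subjects quoted on the page
SCRIPT_EXTS = (".vbs", ".js", ".wsf")   # assumed set; the page names VBS

def canonical(domain):
    """Drop separators so xyz_corporation.com and xyz-corporation.com compare equal."""
    return "".join(ch for ch in domain.lower() if ch not in "-_.")

def domain_of(header_value):
    """Domain part of an address header, or '' when the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def check_sender(msg):
    """BEC indicators: lookalike From domain, Reply-To pointing elsewhere."""
    findings, frm = [], domain_of(msg["From"])
    if frm != ORG_DOMAIN and canonical(frm) == canonical(ORG_DOMAIN):
        findings.append(f"lookalike sender domain: {frm}")
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != frm:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {frm}")
    return findings

def check_attachments(msg):
    """Locky indicator: a ZIP attachment that carries a script file."""
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable ZIP attachment")
            continue
        scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            lure = " under a known lure subject" if subject in LURE_SUBJECTS else ""
            findings.append(f"{name}: script inside ZIP {scripts}{lure}")
    return findings

def triage(raw):
    """Parse one raw message (bytes) and return all findings; [] means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return check_sender(msg) + check_attachments(msg)

def build_sample(from_addr, subject, reply_to=None, zip_members=None):
    """Build a constructed message; zip_members maps member name -> bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "ap@" + ORG_DOMAIN, subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please see the attached file.")
    if zip_members:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member, data in zip_members.items():
                zf.writestr(member, data)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="scan.zip")
    return msg.as_bytes()

# Constructed samples: a BEC lure, a Locky-style lure and a benign supplier invoice.
BEC_SAMPLE = build_sample("CEO <ceo@xyz_corporation.com>", "Urgent wire transfer",
                          reply_to="ceo@mail-xyzcorp.example")
LOCKY_SAMPLE = build_sample("scanner@example.net", "Scanned image from MX-2600N",
                            zip_members={"image.vbs": b"' constructed stand-in"})
CLEAN_SAMPLE = build_sample("billing@acme-supplier.example", "Invoice 4711",
                            zip_members={"invoice.pdf": b"%PDF-1.4 constructed"})
```

Running `triage(BEC_SAMPLE)` reports the lookalike domain and the redirected Reply-To, `triage(LOCKY_SAMPLE)` reports the script inside the ZIP under a known lure subject, and `triage(CLEAN_SAMPLE)` returns an empty list.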
When you need help protecting your infrastructure and your data, connect with our team and we will be more than happy to help.
Author: Steve E. Driz, I.S.P., ITCP
9/30/2017