
TARGET – AUSTRALIAN PRIME MINISTER’S DOMAIN HIJACKED

An individual at DigitalEagle, a digital marketing agency based in Australia, was able to purchase the rights to the domain “scottmorrison.com.au,” the domain that hosted the official website of Scott Morrison, the current Prime Minister of Australia. The individual purchased the domain at an auction for expiring domains for fifty US dollars.

After the purchase of the domain, the individual created a fresh WordPress site hosted on the domain and placed humorous content poking fun at the prime minister including references to the song “Scotty Doesn’t Know” from the 2004 film Eurotrip.

It appears that the new website was up for two days, from October 18th to October 20th, and went viral, receiving over 340,000 visitors. The individual who hijacked the site blogged about the experience and detailed alternate scenarios that could have ensued if a malicious attacker had taken control of the domain: using the domain to phish for sensitive information, receive sensitive emails, or keep the site running and deliver fake content regarding the PM’s political opinions. After two days, the hijacker gladly gave back the domain and the original website has since been restored. No crimes appear to have been committed in this particular situation and no arrests have been made.

Proficio Threat Intelligence Recommendations:

  • Validate a procedure is in place to renew domains owned by the organization.
  • Have a monitoring solution in place to look for major content changes to hosted websites.


Personal Blog of Events – Click Here

TARGET – FACEBOOK DATA BREACH

Facebook has returned to the headlines again for issues regarding user privacy and personal information exposure after an alleged attack on their network. The social media giant admitted at least 50 million users may have had their personal information compromised due to the attack, which has been touted as the largest breach in the company’s 14-year history. And if the exposure of user data wasn’t bad enough, the attackers were also able to gain control of user accounts, allowing them to potentially pose as users or view their private information.

The breach has been traced to code vulnerabilities in the “View As” feature, which allows users to view their profile as someone else, and in code related to uploading birthday videos. Once exploited, these vulnerabilities allowed attackers to steal account access tokens. Some industry experts are also suggesting affiliated services, such as Spotify and Instagram, may have been compromised as a result of this breach. Investigation of the extent of the breach is still underway, and it is unclear whether certain individuals were targeted. Likewise, it is still unknown whether this attack was carried out by nation-state actors or a hacker collective. Facebook has confirmed that they are working with law enforcement and that all vulnerabilities have now been patched. They have also forced access token resets for all accounts that were observed using the “View As” feature during the last year, requiring users to manually log in to their accounts, where they will be greeted with a security notification. Additionally, Facebook has temporarily disabled the “View As” feature while they conduct further security assessments.

The news comes as Facebook is still recovering from the Cambridge Analytica scandal, which led to a congressional hearing involving Facebook’s senior executives and revealed millions of users had their information collected by third parties for political campaigns. This latest breach has renewed calls for government regulation of social media policies and procedures. As more developments emerge, this story is likely to weigh heavily on the future of social media platforms.

Proficio Threat Intelligence Recommendations:

  • Consider the possible risks of allowing employees to access social media at work, and make appropriate guidelines and/or changes to your organization’s AUP.
  • Review the social media accounts your organization uses and develop policies regarding what information can be shared via social media accounts.
  • Individuals should read the FTC’s recommendations for consumers, located here:
    https://www.consumer.ftc.gov/blog/2018/10/facebook-breach-what-do-next

Facebook Security Update Announcement – Click Here

TARGET – British Airways Credit Card Data Breach

On September 7th, it was publicly disclosed that 380,000 customer transactions processed by the British Airways website between August 21st and September 5th were compromised by attackers. The information believed to have been obtained from the transactions included the name, email address, and credit card information for each transaction, including the credit card CVV code.

Details of exactly how the British Airways site was hacked are not publicly available at this time. Because the CVV code was obtained as part of the stolen data, security researchers believe that the hackers may have copied customer data as customers entered it into the British Airways website.

Affected users are currently being notified. British Airways disclosed the breach within 72 hours of becoming aware of it, as required by the new GDPR regulations. Under GDPR, if British Airways is found not to have done enough to protect consumer information, it could face a fine of up to 4 percent of annual revenue, which by some estimates is around 500,000 pounds.

Proficio Threat Intelligence Recommendations:

  • Validate public facing web services that process payment information are patched.
  • Make sure a continuous monitoring solution is in place to detect intrusions into websites that process payment information.

General Info on Breach – Click Here

TARGET – 20,000 USERS FROM AIR CANADA’S MOBILE APP BREACHED

Air Canada is requesting a password reset of its entire 1.7 million user base for its mobile app. This was prompted by the detection of unusual login behavior between August 22nd and August 24th, leading to the suspicion that 20,000 user accounts held within the airline’s mobile app had been compromised.

The information that may have been leaked in the breach possibly included customers’ passport numbers; passport expiration dates; passport countries of issuance and residence; NEXUS numbers; Aeroplan account numbers; and personal details such as gender, date of birth, and nationality. Payment card information was protected and is not believed to have been exposed in the breach.

It should be noted that Air Canada was able to detect the suspicious login activity almost immediately, which then led to the discovery of the breach.

Proficio Threat Intelligence Recommendations:

  • Log hosted web application activity to enable monitoring and auditing of the app.
  • Have a monitoring solution in place for web application authentication activity.
  • Have a breach notification procedure in place for hosted web applications.
  • Users should use secure and complex passwords to protect their accounts.
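The unusual login behavior Air Canada detected is the kind of pattern the monitoring recommended above should catch: one source working through many accounts in a short window. The following is an added example (not Air Canada’s or Proficio’s code) that runs over a constructed authentication log in a made-up format and flags such sources, listing the accounts that succeeded so their passwords can be reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2018-08-22T01:00:01Z 203.0.113.7 alice LOGIN_FAIL
2018-08-22T01:00:02Z 203.0.113.7 bob LOGIN_FAIL
2018-08-22T01:00:03Z 203.0.113.7 carol LOGIN_OK
2018-08-22T01:00:04Z 203.0.113.7 dave LOGIN_FAIL
2018-08-22T01:00:05Z 203.0.113.7 erin LOGIN_FAIL
2018-08-22T01:00:06Z 203.0.113.7 frank LOGIN_OK
2018-08-22T01:05:00Z 198.51.100.2 alice LOGIN_FAIL
2018-08-22T01:05:30Z 198.51.100.2 alice LOGIN_OK
2018-08-22T02:30:00Z 203.0.113.7 grace LOGIN_FAIL
"""

def parse_log(text):
    """Turn the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: (distinct_accounts, [accounts that logged in OK])} for every
    source that tried at least `min_accounts` different usernames within one `window`.
    A legitimate user retrying a password touches one account; a credential-stuffing
    run walks through many, and each LOGIN_OK inside such a run is a likely takeover
    whose password should be reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this source's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            accounts = {user for _, user, _ in in_window}
            if len(accounts) >= min_accounts and len(accounts) > flagged.get(ip, (0,))[0]:
                hits = sorted({u for _, u, r in in_window if r == "LOGIN_OK"})
                flagged[ip] = (len(accounts), hits)
    return flagged

def run_sample():
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for ip, (count, hits) in run_sample().items():
        print(f"{ip}: {count} accounts tried; reset passwords for {hits}")
```

The second source (198.51.100.2) is a single user retrying their own password and is not flagged; thresholds are assumptions to tune against the application's real traffic.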


Summary of Details of Breach – Click Here

TARGET – Democratic National Committee Phishing Mix-up

On August 22nd, the Democratic National Committee made a press release stating that a cybersecurity service provider had alerted them of a phishing page that was stood up to target their Votebuilder website. The investigation was escalated to the FBI and immediately Russia was suspected due to previous attack activity from 2016.

A day later, the Democratic National Committee came out and stated that the event had been a false alarm and was actually an authorized penetration test being performed against the Michigan Democratic Party.

While some bad press was received regarding the matter, many cybersecurity professionals praised the DNC for gaining the capability to quickly detect and report the attack. Because of the miscommunication between the DNC and the Michigan Democratic Party, penetration tests and red team activity will likely be coordinated between the groups in the future.

Proficio Threat Intelligence Recommendations:

  • Validate that any red team or penetration test activity performed is coordinated in some way with subsidiaries and business partners that might be affected.
  • Employ two factor authentication for public facing web services that might be a target for hackers to use in a phishing campaign.

Reporting before discovery of mix-up – Click Here

Reporting after discovery of mix-up – Click Here

TARGET – Cosmos Global Bank Hack

Cosmos Bank, a co-operative bank based in India with a history of more than 100 years, was hit with a globally coordinated attack between August 11th and August 13th. The attackers appear to have worked with what is suspected to be several individuals to siphon off $13.4 million (Rs 94 crore).

Although many details of the incident are not confirmed, reporting so far indicates that over 14,000 ATM transactions across 28 countries, suspected of stealing Rs 78 crore from the bank, are under investigation. The ATM transactions took place in countries including Canada, Hong Kong, and India. Additionally, around Rs 13.92 crore ($1.8 million) was transferred on August 13th to Hong Kong using fraudulent transactions targeting the SWIFT system the bank uses for financial transactions.

It is unconfirmed but suspected that the attackers may have compromised the firewall protecting the servers that authorize ATM transactions. Some type of setup or redirection may have allowed ATM withdrawals to proceed without checking whether the cards being used were genuine. The bank has alerted the authorities and a police investigation is under way.

Please note the level of complexity and coordination for this attack is extremely advanced. The coordinated withdrawals of ATMs all over the world would likely indicate the presence of several individuals involved with this particular campaign.

Proficio Threat Intelligence Recommendations:

  • Monitor government agencies for intelligence around global hacking campaigns that may affect the organization.
  • Validate through organized penetration testing that infrastructure processing SWIFT transactions and ATM withdrawals cannot be hacked.

General Information – Click Here

TARGET – GoDaddy Information Exposed on Amazon AWS Cloud

Researchers at UpGuard recently discovered a data breach affecting GoDaddy, considered the world’s largest domain name registrar and web host by market share to date. The leaked information was found in June in a publicly accessible AWS S3 bucket named “abbottgodaddy” and referenced the company’s infrastructure running in the Amazon AWS cloud. The majority of the exposed documents were multiple versions of the same Excel file containing data used for configuring thousands of systems, as well as pricing options for the same, the researchers said. Fields included hostname, operating system, workload, AWS region, and memory and CPU specs, among others.

GoDaddy was not to blame for the leak. According to a statement from Amazon, human error appeared to be the cause of the data breach, and an unnamed AWS salesperson was responsible for the misconfiguration. Amazon S3 buckets are private by default, with access restricted to the account owner and root administrator. Nevertheless, occasional misconfigurations or misunderstandings by both customers and providers can compromise the privacy setting of a storage bucket, leading to unintentional exposure of data.

In this particular instance, Amazon reassured no GoDaddy customer information was revealed. However, configuration information can prove to be not only extremely valuable to malicious actors performing reconnaissance to increase the effectiveness of future attacks, but also to business competitors leveraging this kind of data to their own advantage.

Proficio Threat Intelligence Recommendations:

  • Regularly check the security posture on your cloud storage, enforcing tools for data loss prevention and promoting security awareness among your employees.
  • Consider performing regular audits on your service providers to reduce the risks associated with the digital supply chain.
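A bucket becomes public through one of two settings: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy statement that allows any principal. The following added example (not GoDaddy’s, Amazon’s or Proficio’s code) is an offline check of both, using constructed inputs shaped like the JSON the S3 GetBucketAcl and GetBucketPolicy calls return; the bucket name, IDs and VPC endpoint are placeholders.

```python
import json

# ACL grantee URIs that mean "everyone on the internet" / "any AWS account holder"
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Return (group, permission) pairs the bucket ACL hands to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found

def _is_wildcard_principal(principal):
    """True for both spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to any principal with no Condition.
    Statements carrying a Condition (source VPC endpoint, IP range, ...) are not
    reported here; they still need a human review rather than being assumed safe."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):        # a policy may hold a single statement object
        statements = [statements]
    return [st.get("Sid", "<no Sid>") for st in statements
            if st.get("Effect") == "Allow" and not st.get("Condition")
            and _is_wildcard_principal(st.get("Principal"))]

def audit_bucket(acl, policy_json):
    """Collect every public grant; an empty dict means the bucket looks private."""
    hits = (("acl", public_acl_grants(acl)), ("policy", public_policy_statements(policy_json)))
    return {kind: found for kind, found in hits if found}

# Constructed sample: an owner-only ACL, but a policy that opens listing and object reads.
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id-example"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-example"},
     "Permission": "FULL_CONTROL"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]})

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY))   # {'policy': ['PublicRead']}
```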

General Information – Click Here

TARGET – Valve Game in Marketplace Distributed Cryptocurrency Miner

Valve pulled the game “Abstractism” from the Steam store after several sources on the internet stated the game was suspected to contain a cryptocurrency-mining bot. YouTube user SidAlpha and other bloggers flagged the game for very suspicious behavior, such as the game package being flagged by antivirus software, the authors stating that the game should be left running in the background for extended periods of time, and the game consuming an extraordinary amount of GPU and CPU resources at run time.

Steam is a digital distribution platform owned by the Valve Corporation that allows video game developers to publish to their platform. In this particular instance, it looks like a group of developers were able to compromise the supply chain of the platform and release a bogus game that performs cryptomining.

When the developers of the game were confronted with the findings that the game mines Bitcoin, the developer “Okalu Union” stated “Bitcoin is outdated, we currently use Abstractism to mine only Monero coins.” The developer then went on to contradict the prior statement with “Abstractism does not mine any of cryptocurrency. Probably, you are playing on high graphic settings.”

Something very important to note is that in this case, developers went after a lack of controls in the software supply chain of the Valve platform to perform cybercriminal activity. All organizations depend on a variety of software supply chains to deliver legitimate software downloads and updates. The software supply chain will likely be a target for cybercriminal threat actors in the future and this trend will likely increase with progression of the threat landscape.

Proficio Threat Intelligence Recommendations:

  • Make sure your organization has an acceptable use policy that bans the usage of applications that introduce risk to your organization such as gaming applications.
  • Keep endpoint security controls such as antivirus and EDR (endpoint detection and response) up to date and validate they work as a preventative control.
  • Assess if your organization has MDM (mobile device management) software and assess if it allows the installation of unauthorized applications that may introduce risk to the organization.


General Information – Click Here

TARGET – SingHealth Patient Data Breach

Singapore authorities reported on a cyber-attack affecting SingHealth, the largest group of healthcare institutions in Singapore. This is the largest known cyber-attack targeting organizations based in Singapore that has been reported by Singapore news media. The cyber-attack appears to have resulted in a data breach affecting around 1.5 million patients who visited SingHealth between May 1, 2015 and July 4, 2018. The data breach included personally identifiable information such as names, NRIC, address, gender and race. Around 160,000 of these patients also had their outpatient prescriptions stolen. The Prime Minister of Singapore’s personal information was targeted as part of the attack.

The attack was first identified by database administrators from the Integrated Health Information System (IHIS) on July 4, 2018, when they identified anomalous activity on one of SingHealth’s IT databases. By July 10th, investigators confirmed it was a cyber-attack, with data stolen between June 27 and July 4.

Although attribution to the exact party that performed the attack is speculative with the data that is publicly available, a statement by the Singapore Health Ministry stated that “It [the attack] was not the work of casual hackers or criminal gangs.” We expect to be able to understand more about the attackers once more technical data is available.

Proficio Threat Intelligence Recommendations:

  • Ensure that any sensitive data is encrypted, and limit access of employees and other stakeholders by their roles using the principle of least privilege. Passwords that are stored should be encrypted, and strong password policies should be enforced.
  • Review the organization’s data retention policies on the duration and the types of PII data that should be stored. To further limit data exposure, companies are advised to purge customers’ PII if it is not needed for business purposes and no longer required to be retained by law.
  • Any potential victim can check if their data have been compromised by accessing the following website: https://datacheck.singhealth.com.sg.


General Information – Click Here

TARGET – LabCorp Ransomware Attack

LabCorp, one of the largest clinical laboratory networks in the US, reported to the SEC that many of its assets had been infected with ransomware. The 50-minute attack, which began at midnight on July 13th, is suspected to have started with the attackers brute-forcing their way in through publicly exposed RDP and then spreading a variant of SamSam ransomware. Although the attack was contained in 50 minutes, according to CSO Online the attackers were able to infect 7,000 systems, 1,900 servers, and 350 production servers. The attack is thought to have compromised only Windows servers on the LabCorp network.

The attackers behind the RDP brute force attacks leading to SamSam ransomware used the same methods that led to many successful attacks within the last year on multiple healthcare organizations, government entities, and schools. The best known of the recent victims was the City of Atlanta.

This is an additional major company breach where public facing RDP was likely overlooked and enabled massive damage to an organization.

Proficio Threat Intelligence Recommendations:

  • Implement two-factor authentication for any public facing RDP services required for business.
  • Implement monitoring use cases to look for any newly detected public RDP services open to the internet and take appropriate action to mitigate each new detection.
  • Implement and test rapid responses that can contain spreading ransomware attacks through MDR services or an EDR platform.
  • Validate any public facing Windows servers are up-to-date on patching and endpoint security controls.
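One way to implement the “newly detected public RDP” monitoring use case is to diff consecutive external port scans of the organization’s address space. The following added example (not LabCorp’s or Proficio’s code) parses two snapshots in nmap’s grepable (-oG) output format and reports hosts where tcp/3389 is open now but was not before; both snapshots are constructed and use TEST-NET addresses.

```python
import re

RDP_PORT = 3389
# nmap -oG host line: "Host: <addr> (<name>)\tPorts: <port>/<state>/<proto>/...,<...>\t..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")

def open_ports(grepable_text):
    """Map each host in an nmap -oG report to the set of its open TCP ports."""
    result = {}
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue            # "# Nmap ..." comments and hosts with no Ports field
        host, ports_field = m.groups()
        ports = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")   # port/state/protocol/owner/service/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
        result[host] = ports
    return result

def new_rdp_exposures(baseline_text, current_text):
    """Hosts where 3389/tcp is open in the current scan but was not in the baseline.
    Filtered or closed states do not count as exposure."""
    before, now = open_ports(baseline_text), open_ports(current_text)
    return sorted(host for host, ports in now.items()
                  if RDP_PORT in ports and RDP_PORT not in before.get(host, set()))

# Constructed snapshots: .11 was already exposed (known, tracked elsewhere), .10 is new,
# and .12 answers "filtered", which is not an exposure.
BASELINE = """\
# Nmap 7.70 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""
CURRENT = """\
# Nmap 7.70 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
Host: 192.0.2.12 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""

if __name__ == "__main__":
    for host in new_rdp_exposures(BASELINE, CURRENT):
        print(f"ALERT: RDP newly reachable from the internet on {host}")
```

Hosts that were already exposed in the baseline are deliberately not re-alerted; they belong on the existing exception list that the first recommendation (two-factor authentication) applies to.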


General Information – Click Here