Here are highlights from The Week in Breach:
It’s no surprise that this week has been busy for cyber-attacks on the web, targeting big events such as the World Cup but also continuing to pursue small- and medium-sized businesses across the globe.
- Google is still leaking!
- Another Dark Web marketplace down in a big win for French authorities.
- Do androids dream of electric… rats? A new malware for Android!
- Going phishing at the World Cup.
In other news… Google has announced that Chromecast and Google Home devices, which a simple script can make reveal precise location data to the public, will be patched in the coming weeks. As disclosed by a researcher at Tripwire, a simple script running on a website can obtain a device’s location by getting the device to reveal the list of network connections available to it. The researchers go on to describe how easy it would be to remote into an exposed individual’s device and network.
The Dark Web marketplace known as ‘Black Hand’ was shut down by French authorities this week. The marketplace was used to sell drugs, weapons, stolen personal information and banking data, as well as fake documents. The site had over 3,000 users from France and was highly active for selling illicit materials.
Researchers have come across a new malware family that takes the form of an Android remote administration tool (RAT). The malware uses the messaging app Telegram both to spread and to operate the RAT. Once an attacker gains access to a device, he or she controls it through Telegram’s bot functionality and can intercept text messages, send text messages, make calls, record audio or the screen, and locate the device.
With the World Cup in full swing this week, bad actors are taking advantage of the attention on the event and spinning up malicious email campaigns. The idea is that people are less vigilant about clicking emails from unknown sources when they relate to an event that only occurs every few years. Sites selling fake tickets, offering fictitious giveaways and luring unsuspecting individuals to click on malicious links related to the World Cup are popping up all over the place.
A network worm called ‘Olympic Destroyer’ that debuted at the 2018 Winter Olympics is still doing damage across Europe. Since the Olympics, the group behind it has taken an interest in financial and biochemical organizations and often uses spear phishing to gain unauthorized access to systems. The group has so far remained anonymous, using a complex combination of false flags and other deceptive behavior to avoid being identified.
Indian Government: The Republic of India’s government.
Exploit: Leaky websites, lack of basic website/internet security controls.
Risk to Small Business: High: Demonstrates that poor cyber hygiene and complete disregard for basic website/internet security can be highly damaging.
Risk to Exploited Individuals: High: Sensitive personally identifiable information that can be used for identity theft.
The government has experienced a wide variety of breaches over a long span of time, and even though its websites were audited in May 2018, its continuing lack of security around such highly sensitive information remains a problem.
Date: June 20, 2018
Data compromised:
· Names and phone numbers of those who bought various medicines from state-run pharmacies
Recently but not this week:
· Aadhaar number
· Data collected in ‘Smart Pulse Survey’
· Geolocation of people based on caste/religion
· Geolocation of ambulances, why they were summoned, and the hospital destination
How it was compromised: Leaky websites and dashboards allowing anyone to look up HIGHLY sensitive medical and personal information; poorly configured database.
Individuals affected: Anyone who has purchased medicine from the state-run pharmacies.
Med Associates: A New York-based claims processing company.
Exploit: Supply Chain/Trusted Vendor Compromise. Compromised workstation, most likely via compromised credentials and a lack of multi-factor authentication.
Risk to Small Business: High: At least 42 physician practices had their customers’ PII compromised. Lack of situational awareness within the supply chain will create significant challenges for the vendors that relied on the claims processing vendor.
Risk to Exploited Individuals: High: This breach has disclosed a massive amount of HIGHLY sensitive personal and health information, leaving impacted customers at significant risk of identity theft and fraud.
Data compromised:
· Patient names
· Dates of birth
· Dates of service
· Diagnosis codes
· Procedure codes
· Insurance information, such as insurance ID numbers
How it was compromised: Not disclosed, but it was specified that the attack did not involve ransomware or phishing. The incident is still under investigation, but the third party gained remote access to the workstation without phishing or ransomware.
Chicago Public Schools: School district in the Illinois city of Chicago.
Risk to Small Business: High: If a breach of this magnitude happened to a small business, it is unlikely it would recover. Negligence that causes a breach like this tarnishes a name to a great degree, but people have no choice but to continue using Chicago Public Schools because it is a government-run program.
Risk to Exploited Individuals: High: Unfortunately, a minor’s personally identifiable information is highly sought after and valuable, as it is often not monitored.
Date: June 16, 2018
Data compromised:
· Children’s names
· Home phone numbers
· Cell phone numbers
· Email addresses
· School ID numbers
How it was compromised: When sending out an email about applications to selective enrollment schools, an employee attached a spreadsheet containing the sensitive data, which was then sent to families in the district. According to the superintendent, the person who made the critical mistake is going to lose their job.
Individuals affected: 3,700 students and families
An important takeaway from this week is how easy it is to unwittingly leak personal information. A study conducted by Positive Technologies found some alarming statistics when researching the vulnerabilities of something that is often overlooked: web applications.
The study uncovered that almost half (48%) of the web applications tested were vulnerable to unauthorized access by a third party, with 17% of the tested applications being so insecure that full control could be acquired. Every single web app the study looked at had vulnerabilities, with just over half of them (52%) being high risk. A little under half (44%) of the examined web apps that processed personal data leaked that personal data, and 70% of all applications were at risk of leaking information critical to the business. The study found an average of two critical vulnerabilities per web application, and where the researchers had access to the source code of the web app, they uncovered high-severity vulnerabilities 100% of the time. The industries covered by this study of web applications include finance, IT, e-commerce, telecom, government, mass media, and manufacturing.
Make sure to consider which web applications you are using in both your professional and personal life; otherwise, your information could end up on the Dark Web.