
The Week in Breach: 4/9 – 4/15

April 18, 2018

Greetings from Fabulous Las Vegas! If you are at the Channel Partners Expo, stop by booth #3073 to say hi to the team! We hope you were able to check out our session yesterday: Massive Data Breaches: A Love Story? If you are interested in getting the presentation, let us know and we’ll send it to you!

There are a few points I want to get across with this week’s update:

  1. It’s ALL about the password! Password compromises dominated this week!
  2. Green Hats are popping up all over the place. Check out my buddy Ralph Sita’s site for a basic list of the types of hackers.
  3. MSPs need to get a better grasp on what’s accessing their customers’ networks. It’s time to become IoT aware!

Here’s what I see as interesting from the Zuckerberg show in DC last week:
The ability to harvest data on billions of Facebook users is not big news…

You don’t need a Facebook API to scrape and profile most of its 2 billion users. Profiles set to “public” have been harvested for years, and third-party data aggregators have built mountainous datasets on each and every one of these profiles. I’ve spoken publicly about the fact that data aggregators like Spokeo, Intelius, PeopleFinders, TruthFinder, etc. have done this for years!

Active data aggregation on both users AND non-users is BIG AND SCARY NEWS!

It makes total sense. Anyone can be tracked on any site. This is IP Address and Cookie 101. However, Zuckerberg’s admission/non-admission that Facebook is actively aggregating IP information from sites that have a Facebook “Like” button/cookie on them is pretty interesting.

Here’s how Facebook is able to track EVERYONE!

  1. Obviously, if you are logged into Facebook on your computer or mobile device, they are tracking every move you make, every page you hit, picture you like, video you watch, etc… This should come as no big surprise.
  2. If you are NOT a Facebook user and land on any page with a Facebook “Like” button, code or cookie, the request your browser makes to Facebook to load that widget carries your IP address and the page you are on (the Referer), so they can associate your IP address with that page/search. They can then buy, sell or aggregate that data with any other company that is tracking IP addresses and begin to build a profile of who is behind that IP address. Do that in real time with multiple data aggregators and you can pretty easily out anyone hiding behind an IP address. One caveat: an IP address often covers a whole household or office behind NAT, so IP-only links are noisy until another identifier confirms them.
  3. If you are a Facebook user and are NOT signed into Facebook and land on any page with a Facebook “Like” button, code or cookie, they can associate your IP address, and any Facebook cookie still sitting in your browser, with that page/search. Once you log back into Facebook, their algorithms can quickly tie your “off Facebook” activity to your profile through that cookie and IP address and serve up highly targeted content, ads and videos, leaving you to wonder how the hell they did that. Well, now you know!

It’s important to note that Facebook is not the only group doing this. Hundreds, if not thousands of organizations and data brokers are building profiles on individuals and their behaviors. Facebook just happens to be the scariest because of what they know about you on their platform.
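To make the three cases above concrete, here is a small simulation, added here as an example and not code from the original post or from Facebook. It assumes a hypothetical embedded widget whose requests expose the source IP, the widget’s own third-party cookie (if the browser sent one), the page URL from the Referer header, and a user id only when the visitor is logged in. The hits are constructed; the point is the join logic, and the difference in confidence between a cookie link and an IP-only link.

```python
"""Simulation of the cookie/IP correlation described above.

Added example, not the original post's code and not Facebook's. It models
a hypothetical embedded widget whose requests expose: source IP, the
widget's own third-party cookie (if sent), the page URL from the Referer,
and a user id only when the visitor is logged in to the widget's site.
"""
from collections import defaultdict

# Constructed sample hits, in arrival order.
HITS = [
    {"ip": "203.0.113.7",  "cookie": "c-111", "page": "https://news.example/politics",    "user": None},
    {"ip": "203.0.113.7",  "cookie": "c-111", "page": "https://shop.example/shoes",       "user": None},
    # Same visitor with third-party cookies blocked: only the IP is left to link on.
    {"ip": "203.0.113.7",  "cookie": None,    "page": "https://health.example/symptoms", "user": None},
    {"ip": "198.51.100.9", "cookie": "c-222", "page": "https://news.example/sports",      "user": None},
    # The visitor logs in: this one hit names the owner of cookie c-111 and IP 203.0.113.7.
    {"ip": "203.0.113.7",  "cookie": "c-111", "page": "https://social.example/home",      "user": "alice"},
    {"ip": "198.51.100.9", "cookie": "c-333", "page": "https://forum.example/t/42",       "user": None},
]


def attribute_by_cookie(hits):
    """High-confidence link: any hit that carries both a cookie and a user id
    names the owner of that cookie, retroactively covering earlier hits too."""
    cookie_owner = {}
    for h in hits:
        if h["cookie"] and h["user"]:
            cookie_owner[h["cookie"]] = h["user"]
    return [cookie_owner.get(h["cookie"]) for h in hits]


def attribute_by_ip(hits):
    """Low-confidence fallback: attribute a cookie-less hit to the one user seen
    from the same IP. Refuses to guess when several users share the address
    (home NAT, offices, carrier-grade NAT), which is the main caveat here."""
    ip_users = defaultdict(set)
    for h in hits:
        if h["user"]:
            ip_users[h["ip"]].add(h["user"])
    return [
        next(iter(ip_users[h["ip"]])) if len(ip_users[h["ip"]]) == 1 else None
        for h in hits
    ]


def build_profiles(hits):
    """Combine both links into user -> [(page, how_linked)], unlinked hits under None."""
    by_cookie = attribute_by_cookie(hits)
    by_ip = attribute_by_ip(hits)
    profiles = defaultdict(list)
    for h, cookie_user, ip_user in zip(hits, by_cookie, by_ip):
        if cookie_user:
            profiles[cookie_user].append((h["page"], "cookie"))
        elif ip_user:
            profiles[ip_user].append((h["page"], "ip"))
        else:
            profiles[None].append((h["page"], "unlinked"))
    return dict(profiles)


if __name__ == "__main__":
    for user, pages in build_profiles(HITS).items():
        print(user or "<unlinked>")
        for page, how in pages:
            print(f"  {how:8} {page}")
```

Running it shows alice’s politics and shoe-shopping visits attributed by cookie before she ever logged in, the health-site visit attributed only by IP, and the second address left unlinked because nobody has logged in from it.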

  1. Vevo

Business Vulnerability: High (Shared Account Access, Credential Compromise, Phishing/Password Brute Force/Guessing, Lack of 2-Factor Authentication (2FA))

Individual Risk: Low 

Date Occurred: April 10, 2018

Date Disclosed: April 11, 2018

Data Compromised: “Vevo can confirm that a number of videos in its catalog were subject to a security breach today, which has now been contained,” a Vevo spokeswoman said in a statement. Videos that disappeared from YouTube included Luis Fonsi’s “Despacito” and clips from Taylor Swift, Selena Gomez, Drake and Shakira. Tuesday’s security breach solely affected a handful of videos that originate on Vevo.

How it was Compromised: Pilfered access credentials are the likely cause. “After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue,” a YouTube spokeswoman said in a statement.

Customers Impacted: Vevo users. Vevo, which is a joint venture of several major music labels, uses YouTube as a publishing outlet.

Attribution/Vulnerability: Two hackers going by the nicknames Prosox and Kuroi’sh claimed credit for the attack against Vevo. Prosox, who posts some messages in French, appears to maintain the Vevo attack was a prank. At least one of the hackers claims that they used a “script” to alter the video titles.

What you need to know: The attackers behind this compromise exploited a weakness MSPs run into constantly when protecting accounts that are shared by multiple people within an organization. In this case, several people had access to one shared account used to upload videos to YouTube. These “shared access” accounts often lack 2FA and use easy-to-remember credentials passed around the team. It’s highly probable that one of the individuals who shared access to this account was phished, revealing the password.

Put Prosox and Kuroi’sh in the “Green Hat” category. They seemingly didn’t realize how much damage they could have caused and how much they could have gained out of their little exercise.

  2. Cisco Smart Install

Business Vulnerability: High (Cisco configuration exploit, IoT Exploit Scripting, Service Disruption, Data Loss, Total System Takedown)

Individual Risk: Moderate (Downstream service disruption, Data Exploit/ Loss)

Date Occurred: April 6, 2018

Date Disclosed: April 9, 2018

Data Compromised: The impact of the attack, including data loss, is not yet clear.

How it was Compromised: The hackers apparently reset the targeted devices, making them unavailable for reconfiguration and leaving a message that reads: “Do not mess with our election,” displaying a U.S. flag on some screens, Kaspersky Lab explains.

Customers Impacted: Large ISPs and data centers globally, especially in Iran, Russia, the United States, China, Europe and India, according to an Iranian government official.

Attribution/Vulnerability: Social/ Geopolitical hacktivists making political statements. Kaspersky Lab states: “It seems that there’s a bot that is searching for vulnerable Cisco switches via the IoT search engine Shodan and exploiting the vulnerability in them (or, perhaps, it might be using Cisco’s own utility that is designed to search for vulnerable switches). Once it finds a vulnerable switch, it exploits the Smart Install Client, rewrites the configuration and thus takes another segment of the Internet down. That results in some data centers being unavailable, and that, in turn, results in some popular sites being down.”

Because Cisco Smart Install provides plug-and-play configuration and image management, an attacker who can reach an exposed Smart Install client can change the TFTP (Trivial File Transfer Protocol) server address the client pulls from, copy the client’s configuration file, and execute arbitrary commands on the device.

What you need to know: Automation is the most impressive part of this attack. Attackers used the IoT search engine Shodan to find switches with the Smart Install client exposed to the internet (it listens on TCP port 4786) and automated the exploit against everything the search returned.

**** Although not directly related to this story, MSPs really need to get a better grasp on what internet-exposed devices are on their customers’ networks. IoT and consumer-grade devices that your customers are bringing online are increasingly likely to suffer an exploit leading to a compromise. Most of these devices’ default passwords are never changed and the devices themselves are rarely patched or updated.

I know it’s easier said than done, but restrict access and control supply chain/customer technology acquisition at all costs! And, for God’s sake, if they say they went to Staples, Best Buy or Office Depot to buy a new router, smack them in the back of the head for me! Do yourself a favor: get to know Shodan!
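Two checks that follow from this story, added here as an example rather than code from the original post, Kaspersky or Cisco. The first filters Shodan-style results down to risky ports inside a customer’s own address space; the second audits an IOS running-config for the Smart Install fix. It assumes what the Cisco Smart Install advisories state: an affected switch listens on TCP/4786, the client is on by default on affected IOS releases, and it only shows in the config as `no vstack` once disabled (`show vstack config` reports the live state). The Shodan-shaped records, the customer prefix and both configs are constructed so the script runs offline.

```python
"""Two checks for the Smart Install exposure described above.

Added example, not from the original post, Kaspersky or Cisco. Assumes
(per Cisco's Smart Install advisories) that an IOS switch with the Smart
Install client enabled listens on TCP/4786, that it is on by default on
affected releases, and that it appears in the running-config only as
'no vstack' once disabled. All inputs below are constructed.
"""
import ipaddress
import re

SMART_INSTALL_PORT = 4786
RISKY_PORTS = {SMART_INSTALL_PORT: "smart-install", 23: "telnet"}

# Constructed records in the shape of Shodan host matches (ip_str/port/product).
# In practice these come from a Shodan query such as  port:4786 .
SHODAN_RECORDS = [
    {"ip_str": "192.0.2.10",    "port": 4786, "product": "Cisco Smart Install"},
    {"ip_str": "192.0.2.11",    "port": 22,   "product": "Cisco SSH"},
    {"ip_str": "198.51.100.20", "port": 4786, "product": "Cisco Smart Install"},  # not our space
    {"ip_str": "192.0.2.12",    "port": 23,   "product": "Cisco telnetd"},
]
CUSTOMER_PREFIXES = ["192.0.2.0/24"]  # constructed: the MSP's customer address space

# Constructed: a switch that still answers Smart Install and allows telnet.
EXPOSED_CONFIG = """\
hostname access-sw-01
!
line vty 0 4
 transport input telnet ssh
 login local
!
end
"""

# Constructed: Smart Install disabled, management over SSH from one subnet only.
HARDENED_CONFIG = """\
hostname access-sw-02
!
no vstack
!
ip access-list extended MGMT-ONLY
 permit tcp 10.0.0.0 0.0.0.255 any
 deny   ip any any
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
!
end
"""


def exposed_customer_hosts(records, prefixes):
    """Keep only records inside our prefixes that expose a risky port."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = []
    for r in records:
        ip = ipaddress.ip_address(r["ip_str"])
        if r["port"] in RISKY_PORTS and any(ip in n for n in nets):
            hits.append((r["ip_str"], RISKY_PORTS[r["port"]]))
    return sorted(hits)


def audit_config(config_text):
    """Return (severity, finding) tuples for one IOS running-config."""
    findings = []
    lines = [ln.rstrip() for ln in config_text.splitlines()]

    # An enabled Smart Install client leaves no trace in the config; only the fix does.
    if "no vstack" not in lines:
        findings.append(("high", "Smart Install client not disabled; add 'no vstack' "
                                 f"(listens on TCP/{SMART_INSTALL_PORT})"))

    transport, has_acl, in_vty = None, False, False
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):
            in_vty = False          # left the indented vty block
        if in_vty:
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                transport = m.group(1).split()
            if re.match(r"\s+access-class \S+ in", line):
                has_acl = True
    if transport is None or "telnet" in transport or "all" in transport:
        findings.append(("high", "vty lines not restricted to SSH; set 'transport input ssh'"))
    if not has_acl:
        findings.append(("medium", "vty lines have no inbound access-class; restrict management sources"))
    return findings


if __name__ == "__main__":
    print("Exposed in customer space:", exposed_customer_hosts(SHODAN_RECORDS, CUSTOMER_PREFIXES))
    for name, cfg in (("access-sw-01", EXPOSED_CONFIG), ("access-sw-02", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "clean")
```

The config audit is deliberately conservative: a vty block with no `transport input` at all is flagged, because the default on older IOS is not SSH-only, and if a config has several vty blocks the last one wins, so run it per block in production.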

  3. U.K.’s Great Western Railway

Business Vulnerability: High (Third-party credential compromise, automated credential stuffing, scripted login attempts)

Individual Risk: High (Password re-use, third-party credential compromise)

Date Occurred: During the week of April 2, 2018

Date Disclosed: April 11, 2018

Data Compromised: Account details

How it was Compromised: Attackers used credential stuffing to access the accounts. That means they replayed username/password pairs leaked in other companies’ breaches against the GWR login, which only succeeds where a customer reused the same password.

Customers Impacted: The train company said about 1,000 of its more than a million accounts were directly affected.

Attribution/Vulnerability: Unknown at this time.

What you need to know: This attack highlights how easy it is for attackers to hit soft targets with scripts. It clearly demonstrates why individuals must NEVER use the same password across multiple accounts, even for “throw away” accounts you don’t care about.
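Credential stuffing has a recognizable shape in login logs, and it is cheap to detect. The detector below is an added example, not from the original post and not GWR’s code; the log format is constructed (one line per attempt with timestamp, source IP, username and result). The signature it looks for is one source trying many different usernames in a short window with a low success rate, which is what replaying a leaked list looks like, and it separates that from one user fumbling their own password. The accounts where the replay did succeed are the ones that need a forced reset.

```python
"""Spot credential stuffing in web login logs.

Added example, not from the original post or Great Western Railway.
The log format is constructed: one line per attempt with UTC timestamp,
source IP, the literal word 'login', user=..., result=...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. First source: many different usernames, seconds apart,
# mostly failures, two successes where a reused password worked. Second source:
# one person mistyping their own password twice, then getting in.
SAMPLE_LOG = """\
2018-04-03T02:00:01Z 203.0.113.50 login user=amy@example.com result=fail
2018-04-03T02:00:02Z 203.0.113.50 login user=bob@example.com result=fail
2018-04-03T02:00:02Z 203.0.113.50 login user=cara@example.com result=success
2018-04-03T02:00:03Z 203.0.113.50 login user=dan@example.com result=fail
2018-04-03T02:00:03Z 203.0.113.50 login user=eve@example.com result=fail
2018-04-03T02:00:04Z 203.0.113.50 login user=fay@example.com result=fail
2018-04-03T02:00:04Z 203.0.113.50 login user=gus@example.com result=fail
2018-04-03T02:00:05Z 203.0.113.50 login user=hal@example.com result=fail
2018-04-03T02:00:05Z 203.0.113.50 login user=ivy@example.com result=fail
2018-04-03T02:00:06Z 203.0.113.50 login user=jon@example.com result=fail
2018-04-03T02:00:06Z 203.0.113.50 login user=kim@example.com result=success
2018-04-03T08:15:00Z 198.51.100.8 login user=amy@example.com result=fail
2018-04-03T08:15:20Z 198.51.100.8 login user=amy@example.com result=fail
2018-04-03T08:16:05Z 198.51.100.8 login user=amy@example.com result=success
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a real timestamp."""
    ts, ip, _, user_kv, result_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user_kv.split("=", 1)[1],
        "ok": result_kv.split("=", 1)[1] == "success",
    }


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=10, max_success_ratio=0.5):
    """Return {ip: {"distinct_users": n, "successes": [users]}} for sources whose
    attempts within any `window` touch at least `min_users` distinct accounts with
    a success ratio at or below `max_success_ratio`. A single user retrying their
    own account never trips this, however many times they fail."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= min_users:
                ok = [e["user"] for e in win if e["ok"]]
                if len(ok) / len(win) <= max_success_ratio:
                    alerts[ip] = {"distinct_users": len(users), "successes": sorted(set(ok))}
    return alerts


def accounts_to_reset(alerts):
    """Accounts the replayed list actually opened: force a reset and notify the owner."""
    return {u for a in alerts.values() for u in a["successes"]}


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"{ip}: {info['distinct_users']} accounts tried, opened {info['successes']}")
    print("reset:", sorted(accounts_to_reset(found)))
```

Thresholds are the tuning knob: ten distinct usernames from one IP in five minutes is far outside normal behaviour for a consumer site, and lowering the window catches the faster tools, but sources behind carrier-grade NAT will need a higher `min_users` to avoid false alarms.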

  4. Texas Health Resources

Business Vulnerability: High (Compromised Email Accounts, Unauthorized Third-Party Access)

Individual Risk: High (PHI (Protected Health Information), PII (Personally Identifiable Information))

Date Occurred: October 2017

Date Disclosed: April 14, 2018

Data Compromised: Texas Health’s own investigation concluded that the email accounts at risk contained patients’ names, addresses, medical record numbers, dates of birth, insurance information, clinical information and, in some instances, Social Security numbers, driver’s license and state identification numbers.

How it was Compromised: Compromised Email Accounts.

Customers Impacted: Fewer than 4,000.

Attribution/Vulnerability: Unknown at this time.

What you need to know: Since law enforcement was the first to notify the organization, this looks like an attack targeting the medical industry at large. It is looking like compromised credentials from a third-party site were most likely used to get in. The organization states that there is “no indication that any information has been misused in any way.”

  5. Inogen, Medical Device Supplier

Business Vulnerability: High (Compromised Email Accounts, Unauthorized Third-Party Access, Lack of 2FA)

Individual Risk: High (PHI and PII)

Date Occurred: Between January 2 and March 14, 2018

Date Disclosed: April 14, 2018

Data Compromised: Involved rental customers’ personal information such as names, contact details, Medicare identification numbers and insurance policy information. Affected data did not include payment card information or medical records.

How it was Compromised: Undisclosed at this time.

Customers Impacted: 30,000 existing and former customers.

Attribution/Vulnerability: “Unknown persons” from outside the company obtained unauthorized access to employee emails.

What you need to know: This attack involved either unauthorized email account access by a former employee (my speculation) or a compromised-credential exploit by a low-level Green Hat. The exploit demonstrates the perils of not having multi-factor authentication and of transmitting customer PII via email.

  6. Nova Scotia Freedom of Information Website

Business Vulnerability: High (Public Site Configuration Error/Vulnerability, Scripted Document Enumeration)

Individual Risk: High (PII) 

Date Occurred: March 2018

Date Disclosed: April 2018

Data Compromised: Between March 3 and March 5, more than 7,000 documents were accessed and downloaded by a “non-authorized person.” The province says that 250 of the documents contain highly sensitive personal information such as birth dates, addresses and social insurance numbers.

How it was Compromised: The province says it was informed on April 5 by a provincial employee who had inadvertently accessed documents through the portal. Officials said the documents were accessed through a “vulnerability in the system” and not through a hack: document identifiers were predictable, so someone wrote a script of computer code that sequentially requested “every document available on the portal,” with nothing on the server checking whether the requester was entitled to each one.

Customers Impacted: Unknown number.

Attribution/Vulnerability: Police say that on Wednesday morning they executed a search warrant at an address in Halifax, took a 19-year-old man into custody and seized a number of items. The man has been charged with unauthorized use of a computer.

What you need to know: This has the hallmarks of a low-level “Script Kiddie,” but it clearly demonstrates how a single site misconfiguration can become a vulnerability. Blame is certainly shared by the individual who noticed the error and waited to report it; by that time the attacker had already scripted the site and extracted every accessible document.
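What the portal got wrong has a name, insecure direct object reference: the document number in the URL was the only thing standing between a visitor and the record. The example below is added here to show the pattern and its fix; it is not the province’s portal code (which was never published), and the in-memory store, document ids, owners and the demo HMAC key are all constructed. It runs the attacker’s sequential loop against a vulnerable lookup and then against a hardened one that decides from the record’s own owner and visibility flags, and it adds unguessable references as a second layer so a script cannot step through ids at all.

```python
"""Sequential document ids with no authorization check, and the fix.

Added example, not the province's portal code. It models the failure the
release describes: records reachable by predictable number, so a script
can walk every one. The store, ids, owners and key are constructed.
"""
import hmac

# Constructed store: doc id -> owner, public flag, body. The ids are
# sequential, which is exactly what the enumeration script relied on.
DOCS = {
    1001: {"owner": "alice", "public": True,  "body": "FOI response: road budget"},
    1002: {"owner": "bob",   "public": False, "body": "Applicant SIN 123-456-789"},
    1003: {"owner": "carol", "public": False, "body": "Applicant home address"},
    1004: {"owner": "alice", "public": True,  "body": "FOI response: park plan"},
}


def vulnerable_get(doc_id, requester):
    """Lookup by id only: the id *is* the authorization, so any integer works."""
    doc = DOCS.get(doc_id)
    return doc["body"] if doc else None


def hardened_get(doc_id, requester):
    """Server-side check: the record's own owner/public flag decides, not the URL."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return None
    if doc["public"] or doc["owner"] == requester:
        return doc["body"]
    return None  # indistinguishable from 'not found', so probing leaks nothing


def enumerate_docs(get, requester, start=1000, stop=1010):
    """The attacker's loop: walk a range of ids and keep whatever comes back."""
    found = {}
    for doc_id in range(start, stop):
        body = get(doc_id, requester)
        if body is not None:
            found[doc_id] = body
    return found


# Second layer: hand out unguessable references instead of raw ids, so links
# in emails and pages cannot be incremented. Constructed demo key; a real
# deployment loads it from a secrets store, and this never replaces the
# ownership check in hardened_get.
SECRET = b"constructed-demo-key"


def opaque_ref(doc_id):
    return hmac.new(SECRET, str(doc_id).encode(), "sha256").hexdigest()[:16]


REF_TO_ID = {opaque_ref(i): i for i in DOCS}


def hardened_get_by_ref(ref, requester):
    doc_id = REF_TO_ID.get(ref)
    return hardened_get(doc_id, requester) if doc_id is not None else None


if __name__ == "__main__":
    print("vulnerable, anonymous:", sorted(enumerate_docs(vulnerable_get, "mallory")))
    print("hardened,   anonymous:", sorted(enumerate_docs(hardened_get, "mallory")))
    print("hardened,   bob      :", sorted(enumerate_docs(hardened_get, "bob")))
    print("bob's ref            :", opaque_ref(1002))
```

The enumeration loop is the whole attack; the only difference between 7,000 documents and zero is which lookup sits behind the URL. The fix is the authorization check, and the opaque reference just removes the easy walk.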

Are you an ID Agent Partner? Feel free to re-use this blog post (in part or in entirety) for your own social media and marketing efforts! Just send an email to [email protected] to let us know!