The Week in Breach: 5/21/18 – 5/27/18
Breach news to share with your customers!
Highlights from The Week in Breach:
– You’d better reboot your router… NOW!
– Nation states injecting malicious apps into play stores to steal your stuff.
– Malware infects healthcare system impacting 500,000 Marylanders.
– Time from detection to acknowledgment and response getting slower and slower and slower.
It’s back to business as usual in the world of breach, and we are seeing no signs of it slowing down this summer. This week’s headlines have been dominated by targeted attacks on SOHO routers. “SOHO” was coined to describe “small office – home office” routers used to set up local area networks by small businesses. According to DHS, “The size and scope of this infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices.” The initial exploit vector for this malware is currently unknown. Here is the link to US-CERT’s alert TA18-145A detailing the threat and what you should do to protect yourself from exploit!
What we’re STILL listening to this week!
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!
TeenSafe (Update)
Small Business Risk: High: App server hosted on AWS accessible by anyone without a password.
Exploit: AWS/Suspected Misconfiguration
Risk to Exploited Individuals: High: Even though fewer than 10,000 individuals were impacted, this is a highly vulnerable segment of the population.
TeenSafe: The TeenSafe app allows parents access to their children’s web browser history, text messages (including deleted SMS and iMessages and messages on WhatsApp and Kik), call logs, and device location, plus lets them observe which third-party apps have been installed.
Date Occurred/Discovered |
Date Disclosed | May 21, 2018
Data Compromised | Highly personal data including Apple IDs. The compromised data did not include photos, messages, or location data. The server stores parents’ email address used for their TeenSafe account and their child’s email address, the child’s device name, and the device’s identifier.
How it was Compromised | At least one of the app’s servers, which are hosted by Amazon’s cloud service, was accessible by anyone without a password. The data, including passwords and user IDs, were reportedly stored in plaintext, even though TeenSafe claims on its website that it uses encryption to protect user data. TeenSafe requires two-factor authentication to be switched off for the app to work, so anyone with just a password can easily gain access to compromised accounts. The app is available for both iOS and Android and doesn’t require parents to seek their child’s consent for access to their phone.
Customers Impacted |
Attribution/Vulnerability | Undisclosed at this time.
https://www.theverge.com/2018/5/21/17375428/teensafe-app-breach-security-data-apple-id
https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/
Google Play
Small Business Risk: Low: Targeted nation state exploit.
Exploit: Mobile Device Malware Exploit
Risk to Exploited Individuals: High: Nation-state exploit targeting defectors.
North Korean Defectors / Google Play malware
Date Occurred/Discovered | The apps had been live in the Google Play store for three months, from January to March.
Date Disclosed | May 2018
Data Compromised |
How it was Compromised |
Customers Impacted |
Attribution/Vulnerability | Back in January, McAfee noted that it had found malicious apps intended to infect North Korean journalists’ and defectors’ devices. The group behind these apps was subsequently named Sun Team and is apparently the same group behind these latest apps. The apps were all linked to the same developer email address. McAfee found that the words used in the control servers were common in North Korea. There was also a North Korean IP address discovered in a test log file of some Android devices connected to the account used to send out the malware.
https://www.digitaltrends.com/mobile/mcafee-malware-google-play/
LifeBridge Health
Small Business Risk: Extreme: Malware designed to infect healthcare systems and extract PHI/PII.
Exploit: Server/Security Exploit with Malware Injection
Risk to Exploited Individuals: Extreme: Although data has not been validated for sale on the Dark Web, the extracted data included “lifelong” PII & PHI that can be used to profile and/or exploit an individual for decades.
LifeBridge Health
Date Occurred/Discovered | The breach occurred more than a year ago; discovered May 18.
Date Disclosed | May 2018
Data Compromised |
How it was Compromised | An unauthorized person accessed the server through LifeBridge Potomac Professionals on Sept. 27, 2016. Malware infected the servers that host LifeBridge Potomac Professionals’ electronic medical records, and LifeBridge Health’s patient registration and billing systems.
Attribution/Vulnerability | Outside actors
Customers Impacted | More than 500,000 Maryland patients.
https://healthitsecurity.com/news/data-on-500k-patients-exposed-in-lifebridge-healthcare-data-breach
T-Mobile
Small Business Risk: High: Website configuration error revealing customer data for anyone to exploit.
Exploit: Website, Database & Security Misconfiguration
Risk to Exploited Individuals: Moderate: A threat actor would really have to develop a targeted threat plan to fully exploit the exposed population.
T-Mobile
Date Occurred/Discovered | Research done by ZDNet indicates that this T-Mobile.com web data breach was likely active as far back as October of last year.
Date Disclosed | April 2018
Data Compromised | Allowed people to access the following info easily by attaching a cell phone number to the end of the web address:
How it was Compromised |
Attribution/Vulnerability | Outside actors / undisclosed at this time.
Stay tuned for next week’s edition of The Week in Breach. And Partners, please remember to share this much-needed information with your customers! Email us at [email protected] and let us know how you’re spreading this week’s breach news!
Not a Partner? Find out how Dark Web ID™ can help you protect your customers’ credentials, upsell your services and close new deals. Learn about ID Agent’s Partner Program now!