incident 3

Incindent Articles - H 2020 1 2 3 4 5 6 7 8 9 10 Incindent List - H 2021 2020 2019 2018 1 Incident blog Incident blog

FICO reports a 39 Percent Rise in Debit Cards Compromised in US
3.9.2017 Securityaffairs Incindent

The analytic software firm FICO Reports a 39 Percent Rise in Debit Cards Compromised at ATMs and Merchants in the United States.
According to a report published by the analytic software firm FICO, US Debit Cards compromised raise up to 39% in the first six months of 2017 compared to the same timeframe one year prior.
In the same period, FICO reported an increase in the number of ATMs and point-of-sale devices (+21%) in the US.

One year ago, FICO reported a 30 percent increase in compromised devices for 2016, compared to 2015, and a 70 percent rise in cards compromised for that period. These figures are related to payment card fraud occurring at physical devices, not online card fraud.

Cards Compromised

FICO’s Card Alert Service monitors hundreds of thousands of ATMs and card readers in the US it confirms the rate of fraud pattern changes has accelerated in the last 24 months.

FICO helps financial institutions in identifying fraud patterns and trends and take necessary actions to halt card fraud.

“The rate of fraud pattern changes has accelerated in the last 24 months, requiring us to continuously adapt our predictive analytics to stay on top of this criminal behavior,” said TJ Horan, vice president and heads of FICO’s fraud solutions. “We have introduced new AI technology into our FICO Falcon Fraud Manager platform, which protects most of the payment cards in the U.S.”

Below the list of recommendations provided by FICO:

If an ATM looks odd, or your card doesn’t enter the machine smoothly, consider going somewhere else for your cash.
Never approach an ATM if anyone is lingering nearby. Never engage in conversations with others around an ATM. Remain in your automobile until other ATM users have left the ATM.
If your plastic card is captured inside of an ATM, call your card issuer immediately to report it. Sometimes you may think that your card was captured by the ATM when in reality it was later retrieved by a criminal who staged its capture. Either way, you will need to arrange for a replacement card as soon as possible.
Ask your card issuer for a new card number if you suspect that your payment card may have been compromised at a merchant, restaurant or ATM. It’s important to change both your card number and your PIN whenever you experience a potential theft of your personal information.
Check your card transactions frequently, using online banking and your monthly statement.
Ask your card provider if they offer account alert technology that will deliver SMS text communications or emails to you in the event that fraudulent activity is suspected on your payment card.
Update your address and cell phone information for every card you have, so that you can be reached if there is ever a critical situation that requires your immediate attention.

6 Million Celebrities Instagram High-Profiles Data available for sale on DoxaGram
2.9.2017 securityaffairs Incindent

Doxagram website claims to be selling the email addresses and phone numbers of 6M High-Profiles Instagram accounts ranging from POTUS to Taylor Swift.
The story began with the hack of the Selena Gomez Instagram account, a hacker hijacked it and published three nude photos of Justin Bieber.

A few days later, it was reported a vulnerability in the Instagram application that allowed hackers to access information for high-profile users including phone numbers and email addresses.

Stolen data could be used by hackers to target victims with social engineering attack aimed to access their accounts and leak their video and photos.

The vulnerability affects the Instagram application programming interface (API) that is used to interact with other apps.

Ido Naor @IdoNaor1
Reported the #instagram mobile API "bug" in password reset, before publication, to #Facebook.
6:39 AM - Sep 1, 2017
Replies 3 3 Retweets 4 4 likes
Twitter Ads info and privacy
The company confirmed it is investigating a data breach, an unknown hacker has stolen personal details of more than 6 million Instagram accounts.

The situation appears to be more serious than initially thought, 6 million Instagram users, including sports and pop stars, politicians, and media companies, were affected.
Now their Instagram profile information, including email addresses and phone numbers, are available for sale on a website called Doxagram.

Experts believe Doxagram was created by the same Instagram hacker, the website allows anyone searching for stolen information only for $10 per account.

doxagram website Instagram hack

According to THN, a researcher at Kaspersky Labs also found the same vulnerability in the Instagram’s mobile API and reported it to Instagram.

The flaw affects the Instagram code since 2016, according to Kaspersky Lab researchers, it is likely the attackers exploited it manually.

“So far we’ve had 12 deposits totaling around $500,” Doxagram operator told Ars early Friday morning, about six hours after the service went live. “Not a horrible start.”

The hacker initially provided a sample of 10,000 of stolen records, 9,911 of them include either a phone number or e-mail; 5,341 include a phone number, and 4,341 include a phone number and e-mail.

The flaw affected the password reset option that exposed mobile numbers and email addresses of the users in the JSON response, but not passwords.
To secure Instagram accounts, users are highly recommended to enable two-factor authentication on their accounts and always secure them with a robust and different password.

Be vigilant about possible phishing attacks, avoid clicking on suspicious links and attachments you receive in an email and never provide your data to unverified interlocutors.

Former Columbia Sportswear IT Worker Admits to Illegally Accessing Company Network

31.8.2017 securityweek Incindent
A former employee of Columbia Sportswear pleaded guilty on Wednesday to intentionally accessing the Columbia Sportswear IT network without authorization.

Michael Leeper of Tigard, Oregon had been an employee of the company from May 2000 to February 2014, and became Columbia’s Director of Technical Infrastructure in 2012. In March 2014, he resigned from his position and began working for Denali Advanced Integration, a reseller of computer hardware and software.

Before leaving Columbia, Leeper created an unauthorized account called jmanning, under the false name “Jeff Manning,” and allegedly used it to access the company’s network for over two years. The intrusion was discovered in the summer of 2016, when Columbia performed a software upgrade.

The fraudulent activity provided him with insight into the company’s business transactions and commercial and private information, a complaint filed in March 2017 claims.

“Over approximately the next two and a half years, and without Columbia’s knowledge or consent, Leeper secretly hacked into the private company email accounts of numerous Columbia employees, and, on information and belief, into other parts of Columbia’s private computer network. He did so hundreds of times.”

“During the intrusions, Leeper illegally accessed a wide variety of confidential business information belonging to Columbia. That information included emails concerning business transactions in which Denali had a financial interest; emails concerning transactions between Columbia and Denali’s competitors; and confidential budget documents related to the IT Department’s long-range planning,” the complaint reads (PDF).

The suit also names Denali and its parent company, 3MD Inc., for involvement in the hack. In March 2017, however, Denali denied any involvement in Leeper’s fraudulent activity and also fired him from his position as Chief Technology Officer. The company also said it was fully cooperating with investigators in this case.

On Wednesday, the company issued another statement, reiterating that it played no role in Leeper’s misconduct, while also saying that the investigation of Leeper and Denali by the FBI and the Department of Justice brought no charges against the company.

“As the criminal charge and plea confirms, Denali played no role in – nor benefited from – Leeper’s misconduct. The company takes pride in its integrity. It does not condone unfair business practices, and will not tolerate illegal conduct,” Denali said.

41-year-old Leeper could receive a maximum sentence of 10 years in prison, along with a $250,000 fine and three years of supervised release. Sentencing is scheduled for December 7, 2017.

“As a result of the Columbia Sportswear Company’s cooperation and a thorough investigation by the FBI’s Oregon Cyber Task Force, we have secured an appropriate conviction. Unauthorized computer intrusion is a serious crime, and those that unlawfully gain sensitive or proprietary information must be held accountable for their illegal conduct,” Billy J. Williams, United States Attorney for the District of Oregon, said.

Instagram Suffers Data Breach! Hacker Stole Contact Info of High-Profile Users

31.8.2017 thehackernews Incindent

Instagram has recently suffered a possibly serious data breach with hackers gaining access to the phone numbers and email addresses for many "high-profile" users.
The 700 million-user-strong, Facebook-owned photo sharing service has currently notified all of its verified users that an unknown hacker has accessed some of their profile data, including email addresses and phone numbers, using a bug in Instagram.
The flaw actually resides in Instagram's application programming interface (API), which the service uses to communicate with other apps.
Although the company did not reveal any details about the Instagram's API flaw, it assured its users that the bug has now been patched and its security team is further investigating the incident.
"We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information—specifically email address and phone number—by exploiting a bug in an Instagram API," Instagram said in a statement.
"No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation."
Instagram declined to name the high-profile users targeted in the breach, but the news comes two days after some unknown hacker hijacked most followed Instagram account belonged to Selena Gomez and posted her ex-boyfriend Justin Bieber's nude photographs.
Selena's Instagram account with over 125 Million followers was restored later in the day and the photos were removed.
However, Instagram did not mention if the recent data breach was related to Selena's hacked account.
With email addresses and phone numbers in their hands, the hackers next step could be used the information in tandem with social engineering techniques in an effort to gain access to verified users' Instagram accounts to embarrass them.
The company notified all verified users of the issue via an email and also encouraged them to be cautious if they receive suspicious or unrecognised phone calls, text messages, or emails.
Instagram users are also highly recommended to enable two-factor authentication on your accounts and always secure your accounts with a strong and different password.
Also, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source properly.

Someone Hacked Selena Gomez Instagram, Shared Nude Justin Bieber Photos
30.8.2017 thehackernews Incindent

The highest followers account on Instagram owned by Selena Gomez has recently been hacked with unknown hackers posting a bunch of nude photographs of her ex-boyfriend Justin Bieber on her account.
The latest hack is not part of the ongoing Fappening events affecting a majority of celebrities by targeting their iCloud accounts, rather in the case of Selena, some hacker managed to breach her Instagram account and posted Bieber's photos.
Bieber's three full-frontal shots of naked photos were visible to Selena's 125 million Instagram followers for a short duration of time, after which her account was swiftly taken down Monday night.
A post from Selena's official Instagram account went up Monday showing 3 pics of Bieber with a caption that read:
"LOOK AT THIS N***A LIL SHRIMPY."
Selena's team has since re-secured her Instagram account, which was back online minutes after it was taken down, with the photos of Bieber deleted.
The Bieber nude images were not part of any stolen celebs photo dump, instead, they were clicked during his 2015 holiday in Bora Bora and also published online in 2015, when Bieber was dating model Jayde Pierce.
At that time, censored photos of Bieber were published by several websites, but uncensored versions also reached the Internet, which was posted on Selena's hacked Instagram account, claims Variety.
There's no detail about hackers or how they got into Selena's Instagram account available at the moment, but as we have previously seen many celebrities tricking into handing over their account credentials in phishing emails, the same could be the case with the "Good For You" singer.
It seems like celebrities are not taking the security of their accounts seriously, which once again resulted in the hack of social media account of an A-listed celebrity.
Just last week, dozens of intimate photos of Anne Hathaway, Miley Cyrus, Kristen Stewart, Katharine McPhee, and golfer Tiger Woods reportedly surfaced on the Internet after unidentified hackers gained access to celebs' iCloud accounts and stole their private photos and videos.
Today it's Selena, but tomorrow it could be you. So, users are highly recommended to enable two-factor authentication on your accounts and always secure your accounts with a strong and different password.
Also, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source properly.

Breach at Used Tech Goods Seller CeX Exposes Two Million Customers

30.8.2017 securityweek Incindent
CeX, a second-hand technology goods chain, is notifying up to 2 million of its online customers that their personal details may have been compromised.

CeX operates more than 350 shops in the UK, and more than 100 overseas (including around a dozen in America, 20 in Australia, and 20 in India). The data appears to have been stolen from a database accessed via the company's WeBuy website rather than in-store POS devices.

Neither the emailed notification nor a brief online statement provides much information. They both say, "we have recently been subject to an online security breach." They do not say when the breach occurred, nor when it was discovered.

The statement says, "The [stolen] data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009. No further financial information has been shared."

CeX stresses that there is no loss of current financial data: "We would like to make it clear that any payment card information that may have been taken, has long since expired as we stopped storing financial data in 2009." The firm does not comment on why it should still be storing expired card data that is at least eight years old.

It would seem that the breach has not affected all the firm's customers; and any customers who do not receive the warning email can assume their details were not stolen. The only advice given to the affected customers is to change their WeBuy password, and "to change their password across other services where they may have re-used their WeBuy website password."

The passwords were apparently hashed. The statement merely says, "your password has not been stored in plain text," without giving any indication on how it was stored. However, it warns that if the user's password "is not particularly complex then it is possible that in time, a third party could still determine your original password and could attempt to use it across other, unrelated services."

This is an understatement, and would more accurately be stated as, 'unless your password is particularly complicated, it will be discovered by a third-party in a very short period of time.' Under such circumstances it could be more expedient for the company to force a password reset across all customers, since so many have been affected, rather than ask the affected customers to do it themselves.

Completely missing from the statement is any warning about subsequent phishing attempts. Although no financial details were taken, name, email and phone numbers together with a known interest in technology would be enough for the attackers to produce compelling and targeted phishing and or vishing attacks -- and all affected customers should be aware of this possibility.

Ilia Kolochenko, CEO at High-Tech Bridge, explains the issue. "The core problem is the continuing ramifications of each breach -- attackers may use compromised credentials, or other sensitive data, in password reuse and social engineering attacks years after the original breach. And the more breaches that occur, the more successful further attacks become as cybercriminals accumulate a huge amount of data about us. To minimize the domino effect of unavoidable breaches," he continues, "users should use strong and unique passwords, and provide as little sensitive, or confidential, information about themselves as reasonable in all their online accounts."

There is one further possible consideration for some customers. In 2014, CeX started accepting payment and paying customers in bitcoins. However, its statement says that it is unable to tell customers exactly what data about them was stolen. It is possible that the stolen data could indicate customers who have a bitcoin wallet. At this stage of the investigation into the breach, it would be advisable for any CeX customers with bitcoin wallets to take extra precautions to protect those wallets since personal wallets are increasingly targeted by cyber criminals.

When asked for clarification on the bitcoin issue, a spokesperson for CeX provided a generic statement to SecurityWeek.

"Late last year, we suffered what we believed to be a low-level breach in our online UK website security, along with a phishing attempt. It was swiftly identified and fixed, and we immediately put in place additional security measures," the statement said. "No further security breach has since taken place and we would like to stress that at the time, there was no evidence that there had been any unauthorised access to customer data.

"However, in August this year we received communication from a third party claiming to have access to some of our online UK website data from the security breach," the statement continued. "We immediately informed the relevant authorities, including the ICO and NCA who are in the process of investigating and our cyber security specialists have implemented additional, advanced security measures to prevent this from happening again. We can confirm the breach was not connected to high street store data and as a priority, we are in the process of contacting all online customers who might be affected. As we are currently investigating this we are unable to provide further information at this stage."

*Updated with statement from CeX.

Breach at Used Tech Goods Seller CeX Exposes Two Million Customers

30.8.2017 securityweek Incindent
CeX, a second-hand technology goods chain, is notifying up to 2 million of its online customers that their personal details may have been compromised.

SecurityWeek has asked CeX for clarification on the bitcoin issue, and will update this article with any response.

Swedish web hosting Loopia suffered severe data breach
30.8.2017 securityaffairs Incindent

The major Swedish web hosting provider Loopia has been compromised and the entire customer database leaked.
Loopia confirmed the data breach yesterday, the incident has happened on August 22 and the company notified customers on August 25.

The company explained that the delay in the public disclosure was necessary to secure the systems and protect its customers.

“Security is very important to Loopia and something we work intensively with every day. On Tuesday, 22 August, Loopia was subjected to a criminal offense. With the attack, the hackers have had access to parts of the customer database, including personal and contact information and encrypted (hashade) passwords to Loopia Kundzon.” reads the announcement.
“The violation has not affected your services such as email, web pages, databases or passwords to your email at Loopia. We also want to emphasize that payment card information is not saved in Loopia’s environment and is thus not affected by the infringement.“

In response to the data breach, the company is forcing a password reset and is urging customers to update their personal information. Loopia clarified that stolen passwords were encrypted, but did not reveal the hashing algorithm.

“Although passwords to Loopia’s Customer Zone are stored encrypted (hashade), we have, as an additional security measure, changed all customer numbers and passwords to all customer accounts. Information has been sent to all customers by e-mail.” continues the announcement.

loopia data breach
Source nyteknik.se

Hackers did not access financial data, according to Loopia customers’ hosted sites and e-mail services weren’t compromised.

“We were not sure how the attackers had gone, and needed a clearer picture of it before we went out with information. Now all customers have been informed. As an additional security measure, we have changed all customer numbers and passwords to all customer accounts”. CEO Jimmie Eriksson told Swedish outlet NyTeknik.

“We will evaluate whether we could have done otherwise. We then made great efforts in a short period of time. We take the intrusion seriously, but no system is safe to 100 percent”

At the time there is no information on the way hackers breached the company systems, an internal investigation is under way.

“An internal investigation is under way. In parallel, we will continue to review our systems. We have already implemented a number of measures to increase security, and more efforts may be made if the investigation shows more weaknesses in the system.” said CEO Jimmie Eriksson.

Neutralization reaction
29.8.2017 Kaspersky Incindent
Incident Response Guide (PDF)

Despite there being no revolutionary changes to the cyberthreat landscape in the last few years, the growing informatization of business processes provides cybercriminals with numerous opportunities for attacks. They are focusing on targeted attacks and learning to use their victims’ vulnerabilities more effectively while remaining under the radar. As a result, businesses are feeling the effects of next-gen threats without the appearance of new malware types.

Unfortunately, corporate information security services often turn out to be unprepared: their employees underestimate the speed, secrecy and efficiency of modern cyberattacks and do not recognize how ineffective the old approaches to security are. Even with traditional prevention tools such as anti-malware products, IDS/IPS and security scanners combined with detection solutions like SIEM and anti-APT, this costly complex may not be used to its full potential. And if there is no clear understanding of what sort of incident it is, an attack cannot be repelled.

More detailed information on the stages involved in organizing a cyberattack and responding to incidents can be found in the full version of this guide or obtained within the framework of Kaspersky Lab’s educational program. Here we will only focus on the main points.

Planning an attack

First of all, it should be noted that by targeted attacks we are referring to serious operations prepared by qualified cybercriminals. Cyber hooliganism such as defacing the homepage of a site carried out to attract attention or demonstrate capabilities, are not considered here. As a rule, successful activities of this kind means a company has no information security service to speak of, even if one exists on paper.

The basic principles of any targeted attack include thorough preparation and a stage-by-stage strategy. Here we will investigate the sequence of stages (known as the kill chain), using as an example an attack on a bank to steal money from ATMs.

1. Reconnaissance

At this stage, publicly available information about the bank and its data assets is collected. In particular, the attacker tries to determine the company’s organizational structure, tech stack, the information security measures as well as options for carrying out social engineering on its employees. The last point may include collecting information on forums and social networking sites, especially those of a professional nature.

2. Weaponization

Once the data is collected, cybercriminals choose the method of attack and select appropriate tools. They may use new or already existing malware that allows them to exploit detected security vulnerabilities. The malware delivery method is also selected at this stage.

3. Delivery

To deliver the necessary malware, email attachments, malicious and phishing links, watering hole attacks (infection of sites visited by employees of the targeted organization) or infected USB devices are used. In our example, the cybercriminals resorted to spear phishing, sending emails to specific bank employees on behalf of a financial regulator – the Central Bank of the Russian Federation (Bank of Russia). The email contained a PDF document that exploited a vulnerability in Adobe Reader.

4. Exploitation

In the event of a successful delivery, for example, an employee opening the attachment, the exploit uses the vulnerability to download the payload. As a rule, it consists of the tools necessary to carry out the subsequent stages of the attack. In our example, it was a Trojan downloader that, once installed, downloaded a bot from the attacker’s server the next time the computer was switched on.

If delivery fails, cybercriminals usually do not just give up; they take a step (or several steps) back in order to change the attack vector or malware used.

5. Installation

Malicious software infects the computer so that it cannot be detected or removed after a reboot or the installation of an update. For example, the above Trojan downloader registers itself in Windows startup and adds a bot there. When the infected PC is started next time, the Trojan checks the system for the bot and, if necessary, reloads it.

The bot, in turn, is constantly present in the computer’s memory. In order to avoid user suspicion, it is masked under a familiar system application, for example, lsass.exe (Local Security Authentication Server).

6. Command and control

At this stage, the malware waits for commands from the attackers. The most common way to receive commands is to connect the C&C server that belongs to the fraudsters. This is what the bot in our example did: when it first addressed the C&C server, it received a command to carry out further proliferation (lateral movement) and began to connect to other computers within the corporate network.

If infected computers do not have direct access to the Internet and cannot connect directly to the C&C server, the attacker can send other software to the infected machine, deploy a proxy server in the organization’s network, or infect physical media to overcome the ‘air gap’.

7. Actions on objective

Now, the cybercriminals can work with the data on a compromised computer: copying, modifying or deleting it. If the necessary information is not found, the attackers may try to infect other machines in order to increase the amount of available information or to obtain additional information that allows them to reach their primary goal.

The bot in our example infected other PCs in search of a machine from which it could log on as an administrator. Once such a machine was found, the bot turned to the C&C server to download the Mimikatz program and the Ammyy Admin remote administration tools.

Example of Mimikatz execution. All the logins and passwords are entered in clear view, including the Active Directory user passwords.
If successful, the bot can connect to the ATM Gateway and launch attacks on ATMs: for example, it can implement a program in an ATM that will dispense cash when a special plastic card is detected.

The final stage of the attack is removing and hiding any traces of the malware in the infected systems, though these activities are not usually included in the kill chain.

The effectiveness of incident investigation and the extent of material and reputational damage to the affected organization directly depend on the stage at which the attack is detected.

If the attack is detected at the ‘Actions on objective’ stage (late detection), it means the information security service was unable to withstand the attack. In this case, the affected company should reconsider its approach to information security.

My network is my castle

We have analyzed the stages of a targeted attack from the point of view of cybercriminals; now let’s look at it from the point of view of the affected company’s information security staff. The basic principles behind the work of both sides are essentially the same: careful preparation and a step-by-step strategy. But the actions and tools of the information security specialists are fundamentally different because they have very different objectives, namely:
Mitigate the damage caused by an attack;
Restore the initial state of the information system as quickly as possible;
Develop instructions to prevent similar incidents in future.
These objectives are achieved in two main stages – incident investigation and system restoration. Investigation must determine:
Initial attack vector;
Malware, exploits and other tools used by the attackers;
Target of the attack (affected networks, systems and data);
Extent of damage (including reputational damage) to the organization;
Stage of attack (whether it is completed and goals are achieved);
Time frames (time the attack started and ended, when it was detected in the system and response time of the information security service).
Once the investigation is completed, it is necessary to develop and implement a system recovery plan, using the information obtained during investigation.

Let’s return to the step-by-step strategy. Overall, the incident response protection strategy looks like this:

Incident response stages
As with the stages of the targeted attack, we will analyze in more detail each stage involved in combating an attack.

1. Preparation

Preparation includes developing processes and policies and selecting tools. First of all, it means the creation of a multi-level security system that can withstand intruders using several attack vectors. The levels of protection can be divided into two groups.

The first includes the installation of tools designed to prevent attacks (Prevention):
security solutions for workstations;
intrusion detection and intrusion prevention systems (IDS/IPS);
firewall to protect the Internet gateway;
proxy server to control Internet access.
The second group consists of solutions designed to detect threats (Detection):
SIEM system with integrated threat reporting component that monitors events occurring in the information system;
Anti-APT system that compares data on detected threats delivered by various security mechanisms;
Honeypot – a special fake object for cyberattacks that is isolated and closely monitored by the information security service;
EDR-systems (tools for detecting and responding to threats on endpoints) that raise awareness of events occurring on endpoints and enable automatic containment and elimination of threats.
The organization we chose as an example was ready for unexpected attacks. The ATMs were separated from the main network of the bank, with access to the subnet limited to authorized users.

Network of the attacked organization
The SIEM system was used to monitor and analyze events occurring on the network. It collected:
information about network connections to the proxy server that was used by all employees to access the Internet;
integrated threat data feeds provided by Kaspersky Lab specialists;
notifications of emails that passed through the Postfix mail server, including information about headers, DKIM signatures, etc.;
SIEM also received information about security solution activation on any workstation in the corporate IT infrastructure.

Another important preparation element is penetration testing to predict the possible vector of a cyberattack. Penetration of the corporate network can be simulated by both the company’s IT specialists and third-party organizations. The latter option is more expensive, though preferable: organizations that specialize in pen tests have extensive experience and are better informed about the current threat vectors.

The last – but by no means least – important element is educating the organization’s employees. This includes internal cybersecurity training for all employees: they should be aware of the corporate security policies and know what to do in the event of a cyberattack. It also includes targeted training for specialists responsible for the company’s information security, as well as the accumulation of information about security incidents inside and outside the company. This information may come from different sources such as internal company reports or third-party organizations that specialize in analyzing cyberthreats, for example, Kaspersky Threat Intelligence Portal.

2. Identification

At this stage, it is necessary to determine whether it is actually an incident or not. Only then can the alarm be raised and colleagues warned. In order to identify an incident, so-called triggers are used – events that indicate a cyberattack. These include attempts by a workstation to connect to a known malicious C&C server, errors or failures in security software performance, unexpected changes to user rights, unknown programs on the network, and much more.

Information about these events can come from a variety of sources. Here we will consider two key types of triggers:
Triggers generated by EPP management systems. When a security solution on one of the workstations detects a threat, it generates an event and sends it to the management system. However, not all events are triggers: for example, an event that indicates the detection of a malicious program can be followed by an event about its neutralization. In this case, investigation is not necessary, except when the situation occurs regularly on the same machine or with the same user.
Incident triggers generated by SIEM systems. SIEM systems can accumulate data from a huge number of security controls, including proxy servers and firewalls. Triggers are only considered to be those events that are created based on comparing incoming data and threat reports.
To identify an incident, the information available to the information security service is compared with a list of known indicators of compromise (IOC). Public reports, threat data feeds, static and dynamic sample analysis tools, etc. can be used for this purpose.

Static analysis is performed without launching the test sample and includes collecting various indicators, such as strings containing a URL or an email address, etc. Dynamic analysis involves executing the program under investigation in a protected environment (sandbox) or on an isolated machine in order to identify the sample’s behavior and collect indicators of compromise.

Cycle of IOC detection
As seen from the picture above, collecting IOCs is a cyclic process. Based on the initial information from the SIEM system, identification scenarios are generated, which leads to the identification of new indicators of compromise.

Here is an example of how threat data feeds can be used to identify a spear-phishing attack – in our case, emails with an attached PDF document that exploits an Adobe Reader vulnerability.
SIEM will detect the IP address of the server that sent the email using IP Reputation Data Feed.
SIEM will detect the request to load the bot using Malicious URL Data Feed.
SIEM will detect a request to the C&C server using Botnet C&C URL Data Feed.
Mimikatz will be detected and removed by a security solution for workstations; information about the detection will go to SIEM.
Thus, at an early stage, an attack can be detected in four different ways. It also means the company will suffer minimal damage.

3. Containment

Suppose that, due to a heavy workload, the information security service couldn’t respond to the first alarms, and by the time there was a response, the attack had reached the sixth stage, i.e., malware had successfully penetrated a computer on the corporate network and tried to contact the C&C server, and the SIEM system had received notice of the event.

In this case, the information security specialists should identify all compromised computers and change the security rules to prevent the infection from spreading over the network. In addition, they should reconfigure the information system so that it can ensure the company’s continuous operation without the infected machines. Let’s consider each of these actions in more detail.

Isolation of compromised computers

All compromised computers should be identified, for example, by finding in SIEM all calls to the known C&C address – and then placed in an isolated network. In this case, the routing policy should be changed to prevent communication between compromised machines and other computers on the corporate network, as well as the connection of compromised computers to the Internet.

It is also recommended to check the C&C address using a special service, for example, Threat Lookup. As a result, this provides not only the hashes of the bots that interacted with the C&C server but also the other addresses the bots contacted. After that it is worth repeating the search in SIEM across the extended list of indicators, since the same bot may have interacted with several C&C servers on different computers. All infected workstations that are identified must be isolated and examined.

In this case, the compromised computers should not be turned off, as this can complicate the investigation. Specifically, some types of malicious program only use the computer’s RAM and do not create files on the hard disk. Other malware can remove an IOC once the system receives a turn-off signal.

Also, it is not recommended to disconnect (primarily physically) the local network connections of the affected PC. Some types of malware monitor the connection status, and if the connection is not available for a certain period of time, malware can begin to remove traces of its presence on the computer, destroying any IOCs. At the same time, it makes sense to limit the access of infected machines to the internal and external networks (for example, by blocking the transfer of packets using iptables).

For more information on what to do if the search by a C&C address does not provide the expected results, or on how to identify malware, read the full version of this guide.

Creation of memory dumps and hard disk dumps

By analyzing memory dumps and hard disk dumps of compromised computers, you can get samples of malware and IOCs related to the attack. The study of these samples allows you to understand how to deal with the infection and identify the vector of the threat in order to prevent a repeat infection using a similar scenario. Dumps can be collected with the help of special software, for example, Forensic Toolkit.

Maintaining system performance

After the compromised computers are isolated, measures should be taken to maintain operation of the information system. For example, if several servers were compromised on the corporate network, changes should be made to the routing policy to redirect the workload from compromised servers to other servers.

4. Eradication

The goal of this stage is to restore the compromised information system to the state it was in before the attack. This includes removing malware and all artifacts that may have been left on the infected computers, as well as restoring the initial configuration of the information system.

There are two possible strategies to do this: full reinstallation of the compromised device’s OS or simply removing any malicious software. The first option is suitable for organizations that use a standard set of software for workstations. In this case, you can restore the operation of the latter using the system image. Mobile phones and other devices can be reset to the factory settings.

In the second case, artifacts created by malware can be detected using specialized tools and utilities. More details about this are available in the full version of our guide.

5. Recovery

At this stage, those computers that were previously compromised are reconnected to the network. The information security specialists continue to monitor the status of these machines to ensure the threat has been eliminated completely.

6. Lessons learned

Once the investigation has been completed, the information security service must submit a report with answers to the following questions:
When was the incident identified and who identified it?
What was the scale of the incident? Which objects were affected by the incident?
How were the Containment, Eradication, and Recovery stages executed?
At what stages of incident response do the actions of the information security specialists need to be corrected?
Based on this report and the information obtained during the investigation, it is necessary to develop measures to prevent similar incidents in the future. These can include changes to the security policies and configuration of corporate resources, training on information security for employees, etc. The indicators of compromise obtained during the incident response process may be used to detect other attacks of this kind in the future.

In order of priority

Troubles come in threes, or so the saying goes, and it can be the case that information security specialists have to respond to several incidents simultaneously. In this situation, it is very important to correctly set priorities and focus on the main threats as soon as possible – this will minimize the potential damage of an attack.

We recommend determining the severity of an incident, based on the following factors:
Network segment where the compromised PC is located;
Value of data stored on the compromised computer;
Type and number of other incidents that affected the same PC;
Reliability of the indicator of compromise for the given incident.
It should be noted that the choice of server or network segment that should be saved first, and the choice of workstation that can be sacrificed, depends on the specifics of the organization.

If the events, originating from one of the sources, include an IOC published in a report on APT threats or there is evidence of interaction with a C&C server previously used in an APT attack, we recommend dealing with these incidents first. The tools and utilities described in the full version of our Incident Response Guide can help.

Conclusion

It is impossible in one article to cover the entire arsenal that modern cybercriminals have at their disposal, describe all existing attack vectors, or develop a step-by-step guide for information security specialists to help respond to every incident. Even a series of articles would probably not be sufficient, as modern APT attacks have become extremely sophisticated and diverse. However, we hope that our recommendations about identifying incidents and responding to them will help information security specialists create a solid foundation for reliable multi-level business protection.

Fappening 2017 – Private pictures of Miley Cyrus, Stella Maxwell, and others leaked
24.8.2017 securityaffairs Incindent

Fappening 2017 – Private pictures of Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods and Lindsey Vonn have been posted online by a celebrity leak website.
It has happened again, another wave of Fappening makes the headlines. Once again celebrities have been targeted by crooks, and unfortunately, they continue to ignore security fundamentals.

Once again their nude photos have been leaked online.

Dozens of personal and intimate images of Anne Hathaway, Miley Cyrus, Kristen Stewart, Katharine McPhee, Tiger Woods and his ex Lindsey Vonn have reportedly been leaked on the Internet.

“Tiger Woods and Katharine McPhee have been hacked — private nude photos have surfaced — and their lawyers are vowing to destroy anyone who posts them.” reported TMZ sport.

“A website has posted graphic selfies of various naked stars, including Tiger, Lindsey Vonn, Miley Cyrus, Kristen Stewart and Stella Maxwell.

We’ve learned Woods has already unleashed attorney Michael Holtz, who’s threatening to sue the site if it doesn’t remove the Woods photo STAT.”

The list of the victims also includes Amanda Seyfried, Demi Lovato, Lucy Hale, Kate Hudson, Rose McGowan, Rosario Dawson, Suki Waterhouse and Alison Brie.

The images are rapidly circulating online, users are sharing links on forums and social media, including Reddit, Tumblr, and Twitter.

Celebrities’ lawyers are reported to be working to get pictures and link removed from principal websites, but it is very hard.

“Kristen Steward and her girlfriend Stella Maxwell are reported to be taking legal action against the websites that have posted the personal pictures. Kristen’s lawyer, Scott Whitehead, is saying that her client owns the pictures and the websites are violating the copyright laws, according to TMZ.” states Fossbytes.com.

“In case of Tiger Woods, his lawyers have threatened to go ahead with a lawsuit if the private pictures aren’t removed from the website. His photos, which were taken several years ago, are believed to be hacked from his ex-girlfriend Lindsey Vonn’s smartphone. “

The incident comes a few months after “The Fappening 2.0” images appeared online and private images of many celebrities, including Emma Watson and Amanda Seyfried, were published on Reddit and 4chan.

fappening 2017

The latest Fappening release was made by an unidentified group of hackers that managed to access the celebrities’ Apple iCloud accounts and stolen their data and documents, including photos and videos.

Nothing is changed since the first Fappening release back 2014, it was too easy to gain celebrities’ credentials even after Apple introduced the two-verification process to iCloud.

The crooks behind Fappening 2014 have since been identified and jailed.

Back to the present, stolen pictures were posted on the Celeb Jihad website.

While 2014 Fappening hackers gained login credentials via phishing attacks, it is still unclear which technique they employed.

Below the list of recommendations to keep your iCloud account secure.
Do not click on any suspicious links or attachments in unsolicited emails you received, even if they appear to have been sent by Google, Apple or Microsoft.
Enable two-factor authentication on your accounts.
Never provide sensitive and personal information via email.
Use strong passwords and change them regularly. Use different passwords for all your accounts.

Four Arrested in India for Leaking 'Game of Thrones' Episode

15.8.2017 securityweek Incindent
Four people have been arrested in India for leaking an episode from HBO's "Game of Thrones" television series before it was aired in the country, police said Monday.

Already the most pirated show in TV history, the popular fantasy drama -- which tells the story of noble families vying for the Iron Throne -- has been plagued by leaks in recent weeks following the premiere of the seventh season.

After receiving a complaint for a company "we investigated the case and have arrested four individuals for unauthorised publication of the fourth episode from season seven," Deputy Commissioner of Police Akbar Pathan told AFP.

He said the four -- accused of criminal breach of trust and computer-related offences -- would be detained until August 21 amid an investigation.

The case was filed by a Mumbai-based company responsible for storing and processing the TV episodes for an app, local media said.

The four arrested were company employees who possessed official credentials giving them access to the episodes, the reports added.

Game of Thrones has more Emmy Awards than any narrative show in history and airs in 170 countries, with viewership figures shattering records across the world.

As well as being a hit globally, it has a massive fan base in South Asia.

Showrunners David Benioff and D.B. Weiss last year announced the shortened run of seven and six episodes for the final two seasons and confirmed the summer return for season seven, a departure from the usual April premieres.

The show has been teasing winter's arrival since its pilot episode in 2011, and in the latest episode preview "Death Is The Enemy" has finally moved closer to showcasing a battle between a horde of undead "White Walkers" from the frozen North and a troop of warriors led by hero Jon Snow (Kit Harington).

How Top Companies Accidentally Leaking Terabytes of Sensitive Data Online
10.8.2017 thehackernews Incindent

An anti-malware detection service provider and premium security firm has been accused of leaking terabytes of confidential data from several Fortune 1000 companies, including customer credentials, financial records, network intelligence and other sensitive data.
However, in response to the accusations, the security firm confirmed that they are not pulling sensitive files from its customers; instead, it's up to companies—who are accidentally (but explicitly) sharing their sensitive data to leverage an optional cloud-based anti-malware service.
On Wednesday, Information security firm DirectDefense published a blog post, claiming that they found a major issue with endpoint detection and response (EDR) solution offered by US-based company Carbon Black, alleging that the company is leaking hundreds of thousands of sensitive files from its customers.
Carbon Black is a leading incident response and threat hunting company that offers security products to nearly thirty of the largest 100 public and privately held companies in the US, including Silicon Valley leaders in internet search, social media, government, and finance.
DirectDefense Claims 'Carbon Black' Leaking Data
According to DirectDefense, the company's CB Response is responsible for leaking a massive amount of its customers' data—from cloud keys and app store keys to credentials and other sensitive trade secrets—due to its dependence on third-party multi-scanner services.
Carbon Black specialises in next-generation antivirus plus endpoint detection and response (EDR) solutions in one cloud-delivered platform that stops malware and other cyber attacks.
The product works by identifying "good" and "bad" files and then creating their whitelist to prevent its clients from running harmful files on their systems. So, the tool continuously evaluates an enormous and ever-expanding pool of files for a potential infection.
DirectDefence claims whenever the tool encounters a new file on its clients' computer that it has never seen before, it first uploads the file to Carbon Black servers, and then company forwards a copy of that file to VirusTotal multiscanner service (owned by Google) that contains dozens of antivirus engines to check if the file is good or bad.
But according to DirectDefense President Jim Broome:
"Cloud-based multi-scanner service [VirusTotal] operate as for-profit businesses. They survive by charging for access to advanced tools sold to malware analysts, governments, corporate security teams, security companies, and basically whomever is willing to pay."
So, anyone who is willing to pay would get access to the multiscanner and eventually access to the files submitted to its database.
Broome called the scheme as "the world's largest pay-for-play data exfiltration botnet."
Broome says he discovered this issue in mid-2016 when his company was working on a potential breach on its client’s computer.
While using the VirusTotal cloud-based multi-scanner to search for a possible piece of malware which it suspected of infecting its client, his staff came across a batch of internal applications belonging to a "very large telecommunications equipment vendor."
After digging deeper, the team discovered that the files were uploaded by Carbon Black, as identified by its unique API key (32d05c66). Once the team had that primary key, it was able to locate "hundreds of thousands of files comprising terabytes of data."
"We downloaded about 100 files (we found JAR files and script files to be the easiest to analyse by script), and ran these files through some simple pattern matching," Broome writes.
"When we got hits, we’d try to extrapolate where they came from. We were not trying to be exhaustive in the analysis, and only repeated this operation a few times to see if it still held true."
DirectDefense Found Sensitive Data Leaked From Top Companies

Broome says he identified three companies to whom the files his team downloaded belonged, though he doesn't disclose the names of the affected companies.
Here is some information DirectDefense revealed about the three affected companies:
Large Streaming Media Company

The first company was a large streaming media firm, and files associated with this company contained, among other sensitive files:
Amazon Web Services (AWS) Identity and Access Management (IAM) Credentials
Slack API Keys
The Company’s Crowd (Atlassian Single Sign On)
Admin Credentials
Google Play keys
Apple Store ID
Social Media Company

The second company was a social media company, and files associated with this firm included:
Hardcoded AWS and Azure keys
Other internal proprietary information, like usernames and passwords
Financial Services Company
The third firm is a financial services provider, for which researchers discovered:
Shared AWS keys that granted access to customer financial data
Trade secrets that included financial models and possibly direct consumer data
"Our intention with releasing this information was not to attack customers or security vendors," Broome writes, and we don’t pretend that we’ve performed an exhaustive analysis of the breadth of the leaks. We only know that every time we looked, we found this same serious breach of confidentiality."
Carbon Black Explains the Origin of Data Leak

However, in response to DirectDefence allegations, Carbon Black Co-founder and CTO Michael Viscuso published a blog post today explaining that their CB Response tool doesn't upload all files automatically to VirusTotal; instead, the feature comes disabled by default, leaving the choice to users to use its multiscanner service.
"Cb Response has a feature that allows customers to send their unknown or suspicious binaries to these cloud-based multi-scanners (specifically VirusTotal) automatically," Viscuso writes.
"We allow customers to opt into these services and inform them of the privacy risks associated with sharing."
"If the customer enables the second option (complete binaries with VirusTotal) Cb Response ensures that the customer understands the risks associated with uploading full binaries to a public multi-scanner service with an explicit warning"
This means, at first place, top-notch companies are accidentally (but explicitly) leaking their sensitive files on VirusTotal database.
Broome also suspects that this issue is not unique to Carbon Black, other EDR providers may also be leaking its customers' data in the same way.

FireEye Says Network Secure After Analyst Accounts Compromised

8.8.2017 securityweek Incindent
On July 31, 2017, a hacker claimed to have been deep inside Mandiant's infrastructure. FireEye, which bought Mandiant for $1 billion in January 2014, responded: "Our investigation continues, but thus far we have found no evidence FireEye or Mandiant systems were compromised."

Yesterday FireEye published its preliminary findings. "The Attacker did not breach, compromise or access our corporate network, despite multiple failed attempts to do so." Investigations will continue, but "we do not anticipate any significant new discoveries," wrote Steven Booth, FireEye VP & CSO.

Booth explains that Adi Peretz, whom FireEye describes as the 'Victim', had some personal on-line accounts compromised by the unknown Attacker; but neither the FireEye corporate network nor the Victim's personal or corporate devices were either breached or compromised.

All of the data released by the Attacker came from the online accounts, including Peretz' LinkedIn, Hotmail and OneDrive accounts. This data included three FireEye corporate documents, which the Attacker obtained from the Victim's personal online accounts. "All of the other documents released by the Attacker were previously publicly available or were screen captures created by the Attacker." writes Booth."

The interesting part of FireEye's account of the data loss is not stated, but can be inferred. "We confirmed the Victim's passwords and/or credentials to his personal social media and email accounts were among those exposed in at least eight publicly disclosed third party breaches (including LinkedIn) dating back to 2016 and earlier."

But while LinkedIn and Hotmail have both been subject to past breaches, there is no such public account of a OneDrive breach. If there has been no OneDrive breach, there are two implications: first, Peretz shared his credentials across multiple accounts; and secondly, he did not routinely and regularly change them. Both should be highly recommended. (SecurityWeek has reached out to Microsoft for information on any previous OneDrive breach.)

We can also assume that Peretz did not automatically use two-factor authentication where it was available. "We worked with the Victim to secure his personal online accounts, including implementing multi-factor authentication where possible," writes Booth. Peretz, it would seem, did not practice strong password hygiene for his own accounts.

SecurityWeek reached out to Steven Booth for confirmation on this, and to ask whether FireEye staff are or will be subject to specific corporate policy rules over password use and management. We received a brief statement from the communications team: "Normally we'd be happy to comment on something like this, but in this case we can't add additional comment to the blog post."

FireEye's corporate security is clearly stronger. Although the Attacker claimed to have gained access to the corporate network, the investigation identified only failed login attempts. We can expect that staff practices will also be stronger in future.

FireEye Provides Update on the alleged data breach revealed late July
7.8.2017 securityaffairs Incindent

Late July, hackers posted details alleged stolen from a system belonging to a Senior Analyst at security firm FireEye/Mandiant. The company provides update.
Late July, hackers have posted details alleged stolen from a system belonging to Adi Peretz, a Senior Threat Intelligence Analyst at security firm FireEye/Mandiant.

The leaked archive is a 337MB PST file containing the expert’s emails. Leaked archive also includes images of its accounts, including One Drive, Live, LinkedIn, geo-tracking of personal devices for at least a year, billing records and PayPal receipts.

OpLeakTheAnalyst

“In addition to that are images detailing the compromise of their One Drive account, Live account, LinkedIn account, geo-tracking of personal devices for at least a year, billing records and PayPal receipts, credentials for an engineering portal at FireEye, WebEx and JIRA portals, as well as Live and Amazon accounts. There are also records related to an alleged customer, Bank Hapoalim, and internal documentation and presentations, including one for the IDF (Israel Defense Forces) from 2016.” reported Salted Hash.

The security firm has denied any intrusion in its systems, while the hackers who published the alleged Mandiant Internal Leaks claimed it was part of the ongoing campaign #OpLeakTheAnalyst.

Today FireEye provides an update on the event following its investigation into allegations made earlier this week that FireEye had been breached. As background, on July 31,

According to the security firm, the hackers did not hack the company network or the Adi Peretz’s personal or corporate computers.

The login credentials used by Peretz were exposed in the past in numerous data breaches, including LinkedIn.

The experts discovered that the attackers started using the stolen credentials to access several of the Victim’s personal online accounts (LinkedIn, Hotmail and OneDrive accounts) in September 2016.

The documents publicly released were obtained from the Victim’s personal online accounts and many of them were already available online.

Below the list of conclusions published by FireEye in a blog post.

The Attacker did not breach, compromise or access our corporate network, despite multiple failed attempts to do so.
The Attacker did not breach, compromise or access the Victim’s personal or corporate computers, laptops or other devices.
We confirmed the Victim’s passwords and/or credentials to his personal social media and email accounts were among those exposed in at least eight publicly disclosed third party breaches (including LinkedIn) dating back to 2016 and earlier.
Starting in September 2016, the Attacker used those stolen passwords and/or credentials to access several of the Victim’s personal online accounts, including LinkedIn, Hotmail and OneDrive accounts.
The Attacker publicly released three FireEye corporate documents, which he obtained from the Victim’s personal online accounts.
All of the other documents released by the Attacker were previously publicly available or were screen captures created by the Attacker.
A number of the screen captures created by the Attacker and posted online are misleading, and seem intentionally so. They falsely implied successful access to our corporate network, despite the fact that we identified only failed login attempts from the Attacker.
FireEye highlighted that the Victim supports a small number of customers, only two of them were impacted by the leak.

Below the actions conducted by FireEye:

We contacted the two identified customers as soon as we learned of this incident and have kept them apprised of the situation throughout the week.
We immediately contained the Victim’s systems.
We collected and reviewed forensic data from the Victim’s systems.
We disabled the Victim’s FireEye corporate accounts.
We worked with the Victim to regain control of his personal online accounts.
We worked with the Victim to secure his personal online accounts, including implementing multi-factor authentication where possible.
We communicated to all FireEye employees, both verbally and in writing, a reminder to be vigilant and provided detailed steps to best secure their personal accounts.
We worked with the Victim and his online third party service providers to obtain any available log data that could assist our investigation.
We reviewed all data sent to and from FireEye email to the Victim’s online accounts.
We reviewed authentication and access activity on the Victim’s corporate, single sign-on (SSO), multi-factor, and third-party accounts.
The investigation is still ongoing.

Former Bupa employee offered 1 million customer records for sale on dark web
3.8.2017 securityaffairs Incindent

Former Employee of the Healthcare giant Bupa offered for sale records of 1 Million clients on Dark Web.
A former employee of healthcare giant Bupa was selling between 500,000 and 1 million medical records on the dark web. The former employee whose identity remains undisclosed had sold several batches of hundreds of thousands of medical records managed by Bupa.

Analysts at DataBreaches found a first batch of medical records stolen by the former employee on June 23, the man was offering them on a dark web marketplace. DataBreaches revealed the vendor MoZeal was offering for sale at least 500,000 medical records, the man listed between 500,000 to 1 million insurance records.

Below the official statement issued by the company.

“All of the information and statements we have made public this week, remain valid,” read the statement. “We are aware of a report by Databreaches.net that suggest ‘a former employee claimed to have 1m records for sale’. Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken, relates to duplicate copies of some records.”

The Bupa’s Managing Director Sheldon Kenton downplayed the incident claiming that only 103,000 medical records of Bupa UK clients were sold.

“I wanted to let you know that we recently discovered that an employee had taken some customer information from one of our systems. I know that this will be concerning, so wanted to explain the situation,” Kenton said.

“The information that was taken does not include any financial or medical information. This data comes from one particular part of Bupa – Bupa Global – which handles international health insurance, mainly for people who work overseas or travel on a regular basis. To be fair, this does not affect Bupa’s other local businesses.”

bupa dark web

The listing contained insurance data from 122 countries and customers’ personal information including member and registration IDs, names, birthdates, contact information and information about intermediaries.

Bupa, of course, fired the employee and is currently pursuing legal actions against him and is trying to discover the real identity of the vendor MoZeal.

Medical records are a hot commodity on dark web marketplaces, the healthcare industry was the number one target for cybercriminals. Previously, the banking industry held the top position.

In 2015, more than 100 million healthcare records were compromised, according to IBM’s “2016 Cyber Security Intelligence Index.”

The non-profit organization Institute for Critical Infrastructure Technology revealed that 47 percent of US-based residents have had their medical records stolen, their data were offered for sale on the dark web in 2015.

Sweden Data Scandal Costs Two Ministers Their Jobs

27.7.2017 securityweek Incindent
Two Swedish ministers lost their jobs on Thursday over a huge leak of sensitive data that has rocked the fragile centre-left government.

But Prime Minister Stefan Lofven vowed he would be staying on despite speculation he could call a snap election.

Interior Minister Anders Ygeman, a political heavyweight previously seen as a likely future prime minister, has resigned, Lofven said at a press conference, adding that Infrastructure Minister Anna Johansson will also step down.

Ygeman reportedly knew about the leak from the national transport agency, which made the private data of millions of citizens accessible abroad, but failed to tell the prime minister.

The scandal has blown up in recent weeks after it emerged that an entire database on Swedish drivers' licences was made available to technicians in the Czech Republic and Romania, with media reporting that the identities of intelligence agents may have been jeopardised.

Lofven's Social Democrat-led minority government has been badly rattled by one of Sweden's largest data breaches in decades, and opposition parties had threatened the coalition with a vote of no confidence.

Some political commentators had expected Lofven to call an early election at Thursday's press conference -- but he insisted said he intends to serve his full term, which ends in 2018.

"I have no intention of plunging Sweden into a political crisis," he said, pointing to "formidable challenges" the country is facing including tensions in the Baltic region, Brexit as well as the government's plans for social and economic reforms.

"I looked at several alternatives, and I chose the best one for the country," Lofven said.

The data leak stems from the Swedish transport agency's hiring of IBM in 2015 to take over its IT operations.

IBM in turn used subcontractors in the Czech Republic and Romania -- making the sensitive information accessible by foreign technicians who did not have security clearance.

The Swedish military said information on its personnel, vehicles as well as defence and contingency planning could have been included in the leak, although the transport agency denied having a register on military vehicles and said there was no indication the data had been "spread in an improper way".

- Defence minister next? -

Swedish Defence Minister Peter Hultqvist kept his job in the reshuffle despite facing claims that, like the interior minister, he knew about the scandal but failed to tell the premier.

However, Hultqvist still faces the threat of being forced out in a censure motion launched by the opposition on Wednesday against all three ministers caught up in the scandal.

"There is no longer any confidence in the defence minister," Ebba Busch Thor, leader of the Christian Democrats, wrote on Twitter.

"The prime minister will not take responsibility, which is why we will hold him to account in parliament."

The far-right Sweden Democrats signalled they would support the censure motion, which would need a parliamentary majority to remove Hultqvist from office.

Maria Agren, head of the transport agency at the centre of the leak, quit in January for undisclosed reasons but has since confessed to violating data handling. She accepted a fine of 70,000 Swedish kronor (around 7,000 euros, $8,000).

Hultqvist and Ygeman reportedly found out about the leak last year, but the prime minister was only informed in January.

Johansson, who oversees the transport agency, said her former state secretary had known about the leak but kept the information hidden from her -- triggering heavy criticism among opposition parties who said she should have known what was happening.

UniCredit bank breach – Data of 400,000 loan applicants exposed due to the hack of a partner
27.7.2017 securityaffairs Incindent

UniCredit bank breach – Data of 400,000 loan applicants exposed due to the hack of a partner. Italian media outlets downplay the risk, is it correct?
The Italian bank UniCredit admitted a series of security breaches occurred in the last year, personal data of 400,000 loan applicants have been exposed.

The Italian bank confirmed that hackers compromised the systems of an unnamed third-party provider for exposing Italian customer data. – including International Bank Account Numbers (IBANs).

“UniCredit today announced it has been the victim of a security breach in Italy due to unauthorised access through an Italian third party provider to Italian customer data related to personal loans only.” reads the statement published by Unicredit.

“A first breach seems to have occurred in September and October 2016 and a second breach which has just been identified in June and July 2017. Data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods. No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed.”

The financial institution confirmed that a first security breach occurred in late 2016, between September and October, while the second violation was detected between June and July 2017.

Data of approximately 400,000 Italian customers might have been exposed, according to Unicredit it doesn’t include financial data or passwords.
The company confirmed to have discovered and fixed the breach, an investigation is still ongoing.

UniCredit bank breach
Italy’s largest bank UniCredit is pictured in downtown Milan September 12, 2013. REUTERS/Stefano Rellandini ( ITALY – Tags: BUSINESS) – RTX13ISW

UniCredit is one of the major Italian banks, as part of Transform 2019, the bank is investing 2.3 billion euro in upgrading and strengthening its IT systems.

According to UniCredit, the breach at Italy’s biggest lender was detected 10 months after the initial compromise.

As you know I’m Italian, and I can tell you that the first reaction of the Italian media outlets was to say that there is no risk for the Unicredit customers because login credentials were not exposed.

This is not correct in my humble opinion and spread such kind of false sense of security is very dangerous.

Even if crooks cannot use stolen data to access Unicredit customer accounts, users must be informed of frauds that can be conducted by cyber criminals to deceive them.

It is easy to predict a spike in spear phishing attacks against Unicredit customers, and information stolen by hackers could make malicious messages hard to detect to common people, especially when the media outlets ensured them by saying that there is no risk.

Spear phishing campaigns could also allow crooks to bypass security measures like two-factor authentication systems. Let’s think of a phishing message including a link to a clone of the legitimate bank website. The bogus website could trick victims into providing the login credentials and also the 2FA code, then the attacker can impersonate the victim and make transactions on his behalf.

There is also the concrete risk that crooks will offer stolen data on black marketplaces allowing hackers to use them in many fraud scheme.

Even if stolen data doesn’t include email addresses, it is quite easy for hackers to use retrieve them from data dumps from other data breaches once the name of a bank customer is exposed.

Another disconcerting aspect of the UniCredit bank breach is the fact that the attack started several months ago and was disclosed only now?

This means that companies face severe difficulties in detecting fraudulent activities and raises the debate on the level of security for the entire supply chain. Once again, hackers targeted a subcontractor or a partner to violate the security of a biggest organization.

Let me close suggesting Unicredit users stay vigilant on their bank accounts, reporting any suspicious activity. Be careful to any kind of unsolicited message from the bank.

Hacker Steals $8.4 Million in Ethereum from Veritaseum

26.7.2017 securityweek Incindent

An unknown hacker stole around 37,000 VERI tokens from Veritaseum peer-to-peer platform and sold them for around $8.4 million in Ethereum during the company’s ICO (Initial Coin Offering).

Veritaseum's founder and CEO Reggie Middleton had posted details on the hack on the BitcoinTalk forums, where he also revealed that the compromise came through a company Veritaseum was working with.

“We were hacked, possibly by a group. The hack seemed to be very sophisticated, but there is at least one corporate partner that may have dropped the ball and be liable,” he noted in one post. “A company that we use was compromised, the vulnerability was closed, and we are investigating whether we should move against that company or not,” he mentioned in another.

Apparently, the hacker was able to steal the VERI tokens during the ICO and took advantage of their high demand to sell them immediately. The company had issued 100 million tokens, meaning that the stolen amount, 37,000, represented only around 00.07% of the total. While “the amount stolen was miniscule,” Middleton said, “the dollar amount was quite material."

“The hacker(s) made away with $8.4M worth of tokens, and dumped all of them within a few hours into a heavy cacophony of demand. This is without the public knowing anything about our last traction,” Middleton revealed.

Veritaseum's founder pointed out that, because the tokens were stolen from the company, no user was affected. The also noted that the company doesn’t consider it necessary to buy the tokens back and that they won’t fork VERI either, although they had the option to.

What Middleton didn’t reveal was who the corporate partner supposedly involved in the heist was. He did say, however, that the company will “let the lawyers sort that out, if it goes that far.”

The $8.4 million the hacker sold the VERI tokens for ended up in two Ethereum wallets that have been already emptied.

This is the latest in a series of several high-profile hacking incidents involving the crypto-currency, starting with a breach at the Bithumb crypto-currency exchange. Last week, $7 million worth of Ethereum was stolen from CoinDash during the company's ICO, along with $30 million worth of crypto-currency from multi-sig wallets created with Ethereum Parity clients 1.5.

Hacker Steals $8.4 Million in Ethereum (4th Heist In A Month)
26.7.2017 thehackernews Incindent
More Ethereum Stolen!
An unknown hacker has just stolen nearly $8.4 Million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – in yet another Ethereum hack that hit Veritaseum's Initial Coin Offering (ICO).
This incident marks as the fourth Ethereum hack this month and second cyber attack on an ICO, following a theft of $7 Million worth of Ether tokens during the hack of Israeli startup CoinDash's initial coin offering last week.
A few days ago, a hacker also stole nearly $32 Million worth of Ethereum from wallet accounts by exploiting a critical vulnerability in Parity's Ethereum Wallet software, which followed a $1 Million worth of Ether and Bitcoins heist in crypto currency exchange Bithumb earlier this month.
Now, Veritaseum has confirmed that a hacker stole $8.4 Million in Ether (ETH) from its ICO this Sunday, July 23.
"We were hacked, possibly by a group. The hack seemed to be very sophisticated, but there's at least one corporate partner that may have dropped the ball and be liable. We will let the lawyers sort that out if it goes that far," Veritaseum founder Reggie Middleton confirmed the theft on the BitcoinTalk forum.
Middleton has called the recent Ethereum hack "inconsequential," saying some of his partners (unnamed corporate third party services) may be responsible for the attack.
Middleton said that due to the high demand of the VERI tokens during the ICO held over the weekend, the hacker first managed to steal those tokens and then immediately sold them to other buyers "within a few hours" for the cryptocurrency.
The hacker made off an estimated $8.4 million in ETH during that a relatively short period of time. The stolen funds were first dumped into two separate Ethereum wallets and then were moved to other accounts.
It looks like around 37,000 VERI tokens were stolen out of 100 Million in the recent theft, though the good news is that the Ethereum theft does not affect actual ICO investors, as Middleton says the stolen tokens belonged to him and his team members.
"There are 100M tokens issued; the hackers stole about 37k. As I said, it is quite disconcerting, but it is not the end [of] the world. In the scheme of things, this is small," Middleton says.
"The tokens were stolen from me, not the token buyers. I am not downplaying the seriousness of the heist either, but I am looking at the heist for what it is. A company that we use was compromised, the vulnerability was closed, and we are investigating whether we should move against that company or not."
At the moment, Middleton did not disclose the attack vector that was exploited to sweep out $8.4 Million in ETH, though he assured users that his team had taken necessary measures to prevent the attack from happening in the future.

Veritaseum – Hacker Steals $8.4 Million in Ethereum, for the second time during the ICO
26.7.2017 securityaffairs Incindent

Veritaseum – An unknown hacker has stolen nearly $8.4 Million worth of Ethereum cryptocurrency, for the second time during the ICO.
A clamorous cyber heist makes the headlines, an unknown hacker has stolen nearly $8.4 Million worth of Ethereum cryptocurrency, the hack hit Veritaseum Initial Coin Offering (ICO).

This is the fourth Ethereum cyber heist this month, for the second time hackers exploited the ICO to steal the precious crypto currencies.

Last week, a hacker stole $7 Million in Ethereum from CoinDash in just 3 minutes after the ICO launch, he tricked investors into sending ETH to the wrong address.

Veritaseum

A few days ago, a hacker stole nearly $32 Million worth of Ethereum from wallet accounts by exploiting a critical flaw in the Parity’s Ethereum Wallet software. A third cyber heist of $1 Million worth of Ether and Bitcoins affected the currency exchange Bithumb earlier June.

Back to the present, Veritaseum confirmed the security breach, a hacker stole $8.4 Million in Ether (ETH) from its ICO on July 23. Further investigation is ongoing, it is still unclear which vulnerability was exploited by the hacker.

“We were hacked, possibly by a group. The hack seemed to be very sophisticated, but there’s at least one corporate partner that may have dropped the ball and be liable. We will let the lawyers sort that out if it goes that far.” said Veritaseum founder Reggie Middleton.

“The hacker(s) made away with $8.4M worth of tokens, and dumped all of them within a few hours into a heavy cacophony of demand. This is without the public knowing anything about our last traction.

I would like to make it known that we had the option to fork VERI, but chose not to. At the end of the day, the amount stolen was miniscule (less than 00.07%) although the dollar amount was quite material.”

Middleton speculates that an unnamed third-party company may be responsible for the attack. According to Middleton, due to the high demand of the VERI tokens during the ICO held over the weekend, the hacker first managed to steal those tokens and then immediately sold them to other buyers “within a few hours.”

The hacker first dumped the stolen funds into two separate Ethereum wallets and then moved them to other accounts.

The hacker has stolen 37,000 VERI tokens out of 100 Million in the cyber heist, this means that the event will not impact ICO investors.

“There are 100M tokens issued; the hackers stole about 37k. As I said, it is quite disconcerting, but it is not the end [of] the world. In the scheme of things, this is small,” added Middleton.
“The tokens were stolen from me, not the token buyers. I am not downplaying the seriousness of the heist either, but I am looking at the heist for what it is. A company that we use was compromised, the vulnerability was closed, and we are investigating whether we should move against that company or not.”

Millions of Dow Jones Customer Records Exposed Online

19.7.2017 securityweek Incindent

American news and financial information firm Dow Jones & Company inadvertently exposed the details of millions of its customers. The data was found online by researchers in an Amazon Web Services (AWS) S3 bucket that had not been configured correctly.

Chris Vickery of cyber resilience firm UpGuard discovered on May 30 an AWS data repository named “dj-skynet” that appeared to contain the details of 4.4 million Dow Jones customers. Dow Jones disabled access to the files only on June 6.

The files included names, customer IDs, physical addresses, subscription details, the last four digits of credit cards and, in some cases, phone numbers belonging to individuals who subscribed to Dow Jones publications such as The Wall Street Journal and Barron’s.

One of the exposed files stored 1.6 million entries for Dow Jones Risk and Compliance, a risk management and regulatory compliance service for financial institutions.

According to UpGuard, the data was accessible because Dow Jones employees had configured the repository’s permissions to allow access to anyone with an AWS account. There are over one million Amazon cloud users and anyone can register an account for free.

Dow Jones confirmed the data leak, but claimed only 2.2 million of its customers were affected, not 4.4 million as UpGuard claims. The security firm has admitted that there could be some duplicate entries.

It’s unclear if affected customers will be notified, but in a statement to The Wall Street Journal the company downplayed the incident, arguing that there is no evidence the data was taken by anyone else and the exposed information does not pose a significant risk to users.

UpGuard disagrees and points out that the data could be highly valuable to malicious actors for phishing and other social engineering schemes.

In recent weeks, the security firm reported finding exposed databases storing data belonging to the U.S. National Geospatial-Intelligence Agency (NGA), American voters, and Verizon customers. Unprotected Amazon S3 buckets were involved in all incidents.

“Yet another demonstration of how services such as AWS are missing basic steps that ensure their data and services are configured in a secure fashion,” Bitglass CEO Rich Campagna told SecurityWeek.

“It’s seems like a no-brainer to implement data-centric security tools on any sensitive information that could get out to the public. This approach could ensure that cloud services deny unauthorized access, and organizations could take it one step further and encrypt sensitive data at rest,” Campagna added. “Companies like Dow Jones, Verizon and anyone else using the public cloud for their infrastructure can easily enforce policies that require internal teams and third-parties to adequately protect any customer data that touches the cloud.”