
InForce Cyber

Threat Report April 2020

The month of April was heavily dominated by data leaks and ransomware attacks. The following stories support that statement:

135 Million Online Records Leaked from a Backup company.

A company claiming to provide “the world’s most secure online backup” leaked metadata and customer information in over 135 million records after misconfiguring an online database.

The database was traced to California-headquartered SOS Online Backup, which describes itself as a multi-award-winning provider with 12 data centers around the globe. The firm was contacted on December 10 and again seven days later. Although it never replied to the researchers, the exposure was closed on December 19.

“The exposed database contained over 135 million records, totalling almost 70GB of metadata related to user accounts on SOS Online Backup.”

A database containing 337,384 records of Maltese voters’ personal information has been exposed

The data includes names, addresses, ID card details and phone numbers and appears to be from the electoral register. It is no longer accessible online.

In 2017, there were 341,856 registered voters in Malta and Gozo.

Online monitoring service Under The Breach first announced the breach, tweeting on Tuesday that data had been left exposed by a Maltese IT company. 

Zoom losing the battle to secure your privacy yet again.

Thousands of recorded Zoom meetings are floating around the open web — available for anyone to watch.

At issue is the file-naming convention Zoom uses to label recorded meetings. It is predictable enough that security researcher Patrick Jackson, who alerted The Washington Post to the issue, found 15,000 recordings when he scanned unsecured cloud storage for the pattern.

Emotet Needs only 8 Days to take down an entire organization.

Microsoft has shared details of an Emotet attack on an organization referred to by the fake name, Fabrikam. The incident is described in Microsoft’s Detection and Response Team (DART) Case Report 002, where Fabrikam is an alias for the victim organization.

Within eight days, the organization's entire network had crashed despite the best efforts of its IT department. PCs across the network overheated, froze, shut down abruptly and rebooted with the Blue Screen of Death (BSOD).

The attack brought the entire organization to its knees, including its network of 185 surveillance cameras.

About the attack

According to Microsoft's account of the incident response, the attack began with a phishing email opened by an employee. The infection then spread across the network and, by maxing out CPUs, shut down the organization's core services for about a week.

Private information of 14 million Key Ring users exposed

Five misconfigured Amazon Web Services (AWS) S3 buckets revealing private data of Key Ring users were discovered by vpnMentor researchers in January.

Like many similar apps, Key Ring lets users store digital copies of their loyalty cards, create a shopping list, receive weekly deals, and benefit from new loyalty programs. Some users, however, use the app to upload their personal ID and credit cards to avoid digging through their wallets.

Instead of setting the S3 buckets storing user files to private, the Key Ring developers left them publicly readable, so 44 million images could be accessed by anyone with a browser.
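The exposure described above is a configuration mistake that can be checked for mechanically. The following is an added example written for this report, not code from Key Ring or vpnMentor: it flags the three ways an S3 bucket ends up readable by anyone, an ACL grant to the AllUsers or AuthenticatedUsers group, a bucket policy statement that allows read access to Principal "*", and a missing Block Public Access setting. The input dicts follow the shape of the boto3 responses to get_bucket_acl, get_public_access_block and the Policy string from get_bucket_policy (an assumption about the caller, not something the report states); the bucket name, role ARN and account number below are constructed for the example.

```python
"""Flag S3 buckets that are exposed to anyone with a browser.

Added example; not code from Key Ring or vpnMentor. The dicts mirror the
boto3 responses to get_bucket_acl / get_bucket_policy / get_public_access_block
so the functions can be pointed at live output. All sample data is constructed.
"""
import json

# ACL grantee groups that make a bucket world- or any-AWS-user-readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}  # either lets the grantee list and fetch objects
PAB_SWITCHES = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Return (grantee URI, permission) pairs in a bucket ACL that expose it publicly."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS \
                and grant.get("Permission") in READ_PERMISSIONS:
            hits.append((grantee["URI"], grant["Permission"]))
    return hits


def policy_public_statements(policy):
    """Return the Sids of Allow statements granting object reads to every principal.

    Statements carrying a Condition are skipped here; they may still be weak
    (e.g. a broad aws:SourceIp range) and should be reviewed by hand.
    """
    if isinstance(policy, str):  # get_bucket_policy returns the policy as a JSON string
        policy = json.loads(policy)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if everyone and actions & {"s3:getobject", "s3:*", "*"}:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_access_block_complete(config):
    """True only when all four Block Public Access switches are enabled."""
    return all(config.get(k) is True for k in PAB_SWITCHES)


def assess_bucket(acl, policy, pab):
    """Combine the three checks into a list of human-readable findings (empty = clean)."""
    findings = [f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}" for uri, perm in acl_public_grants(acl)]
    findings += [f"policy statement {sid} allows reads for Principal '*'" for sid in policy_public_statements(policy)]
    if not public_access_block_complete(pab):
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed sample: the weak configuration beside the corrected one.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-user-uploads/*"}]})
EXPOSED_PAB = {k: False for k in PAB_SWITCHES}

HARDENED_ACL = {"Grants": [OWNER_GRANT]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-user-uploads/*"}]})
HARDENED_PAB = {k: True for k in PAB_SWITCHES}

if __name__ == "__main__":
    for label, cfg in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(label, assess_bucket(*cfg) or ["no public exposure found"])
```

The hardened configuration grants object reads only to a named IAM role and turns on all four Block Public Access switches, which would have stopped both the public ACL and the public policy from taking effect even if a developer had set them again later.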

RagnarLocker ransomware hits EDP energy giant, asks for €10M

Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M).

EDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world’s 4th largest producer of wind energy.

The company is present in 19 countries on 4 continents, has over 11,500 employees and delivers energy to more than 11 million customers.

The attackers also threaten to leak 10 TB of documents stolen before the encryption.

Malware infects 1.69m Android devices in SA

Some 1.69 million Android devices were infected with malware in South Africa last year.

This was revealed by mobile security company Upstream in its ‘Mobile Ad Fraud 2019 Report: The Invisible Threat’, which is based on data sourced from deployments of its Secure-D solution.

Google Confirms New Security Threat For 2 Billion Chrome Users

Google has warned of yet more security vulnerabilities in Chrome 81, which was only launched three weeks ago.

Google has confirmed two new high-rated security vulnerabilities affecting Chrome, prompting yet another update since the release of Chrome 81 on April 7. These new security threats could enable an attacker to take control of an exploited system, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply that update now.

Data Breaches

Foreign hackers breached local email provider for targeted attacks (Estonia)
State-sponsored hackers have used a zero-day vulnerability to hijack a small number of high-profile email accounts at Estonian email provider Mail.ee. The attacks took place last year and the vulnerability in Mail.ee's service has been fixed, the Estonian Internal Security Service (KaPo) said in an end-of-year report published this month.

"This vulnerability was only exploited [against] a small number of email accounts belonging to persons of interest to a foreign country," KaPo said, without naming the victims.

The agency said the attacks took place with the help of malicious code hidden in emails sent to Mail.ee recipients. The code executed when the user opened the email in the Mail.ee web portal; no user interaction was needed beyond opening the email.
 
GoDaddy reports data breach involving SSH access on hosting accounts (Global)
GoDaddy on Tuesday reported [PDF] an October data breach to Californian authorities, stating that an unauthorized individual was able to access SSH accounts used in its hosting environment.

"We have no evidence that any files were added or modified on your account," the company said, without addressing whether files could have been viewed or exfiltrated. "The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment."

GoDaddy said the breach did not impact the "main GoDaddy.com customer account" and that any information within that account was not accessed. The company said it has reset passwords and would provide impacted customers with a year of its website security and malware removal service for free.

"These services run scans on your website to identify and alert you of any potential security vulnerabilities," it said. "With this service, if a problem arises, there is a special way to contact our security team and they will be there to help."

The domain giant also said customers should audit their hosting accounts.
 
Breach Exposes Data of 774,000 Australian Migrants (Australia)
Personal details of 774,000 individuals in Australia's migration system have been exposed in a data breach. The data was made publicly available via the Home Affairs Department's SkillsSelect platform, which invites skilled workers and entrepreneurs to express interest in moving Down Under.

Partial names, ADUserIDs, and the outcome of applications made by people wishing to migrate to Australia were discovered online by Guardian Australia via a publicly available app hosted on the employment department's domain. Other information uncovered by the newspaper included the age, country of birth, and marital status of applicants.

In total, the breach revealed 774,326 unique user IDs and 189,426 completed expressions of interest, dating back to 2014. By applying filters, the Guardian was able to narrow down an expression of interest to a single entry, then discover other details relating to that particular applicant.
 
Tarkett hit by cyberattack, shares fall (France)
PARIS (Reuters) – French floor surfaces company Tarkett said on Monday that it had been the victim of a cyberattack, which had resulted in an ongoing disruption to its operations, causing its shares to fall.

"Tarkett is the victim of a cyber-attack that has affected part of its operations since April 29th despite the IT security measures implemented by the group," Tarkett said in a statement.

"Tarkett's teams are currently fully mobilized with the support of leading third-party IT experts and forensics to return operations to normal as soon as possible. Commercial and production operations currently remain disrupted," it added.

Tarkett's shares fell around 4.9 percent in early session trading.

Security Threats By Trend

Recommendations

  1. Patch vulnerable services promptly
  2. Only allow traffic to necessary and well-secured ports
  3. Keep AV solutions updated
  4. Phishing awareness training for employees
  5. Regular pentests to identify possible weak points
  6. Encrypt data in transit and at rest

Sources:
Exploit-DB
McAfee
TrendMicro
Symantec
NIST
Google
FireEye