Monthly Archives: May 2017

Chipotle says hackers hit most restaurants in data breach

Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc’s (CMG.N) restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain whose sales had just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

A handful of Canadian restaurants were also hit in the breach, which the company first disclosed on April 25.

Stolen data included account numbers and internal verification codes. The malware has since been removed.

The information could be used to drain debit card-linked bank accounts, make “clone” credit cards, or to buy items on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.

The breach could once again threaten sales at its restaurants, which only recently recovered after falling sharply in late 2015 when Chipotle was linked to outbreaks of E. coli, salmonella and norovirus that sickened hundreds of people.

An investigation into the breach found the malware searched for data from the magnetic stripe of payment cards.

Arnold said Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.

The company posted notifications on the Chipotle and Pizzeria Locale websites and issued a news release to make customers aware of the incident.

Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breach response, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.

“I don’t think you will get to all of the customers who might have been affected,” she said.

Security analysts said Chipotle would likely face a fine based on the size of the breach and the number of records compromised.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, said Julie Conroy, research director at Aite Group, a research and advisory firm.

“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc (IT.N) specializing in security and privacy.

Chipotle did not immediately comment on the prospect of a fine.

Retailer Target Corp (TGT.N) in 2017 agreed to pay $18.5 million to settle claims stemming from a massive data breach in late 2013.

Hotels and restaurants have also been hit. They include Trump Hotels, InterContinental Hotels Group (IHG.L) as well as Wendy’s (WEN.O), Arby’s and Landry’s restaurants.

Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday following the announcement.


Homeland Security Issues Warning on Cyberattack Campaign

The Department of Homeland Security is warning IT services providers, healthcare organizations and three other business sectors about a sophisticated cyberattack campaign that involves using stolen administrative credentials and implanting malware, including PLUGX/SOGU and RedLeaves, on critical systems.

The alert notes that DHS’ National Cybersecurity and Communications Integration Center “has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including information technology, energy, healthcare and public health, communications and critical manufacturing.”

Mac McMillan, president of the security consulting firm CynergisTek, says the threat is serious. “These attacks could lead to full network compromise, long-term undetected attacks, and compromise/exploitation of systems and data, essentially putting both operations and patient safety at risk,” he says.

The April 27 alert, which was updated on May 2, says preliminary analysis has found that threat actors appear to be leveraging stolen administrative credentials – local and domain – and certificates.

“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments,” the alert notes. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”

Under Investigation

DHS says the activity is still under investigation. “The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures,” according to the alert. “The actors use malware implants to acquire legitimate credentials then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators’ credentials to access trusted domains as well as the malicious use of certificates.”

Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement, the alert notes.

“Command and control primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity.”

In addition to leveraging user impersonation via compromised credentials the attackers are using malware implants left behind on key relay and staging machines, the alert states. “In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and RedLeaves.”

The attackers have modified the malware to “improve effectiveness and avoid detection by existing signatures,” the alert notes.

DHS warns successful network intrusion involving these attacks could result in temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files and potential harm to an organization’s reputation.

Earlier Warning

The DHS alert follows a blog posted in early April by researchers at BAE Systems and PwC about the firms’ investigation into a campaign of intrusions against several major managed services providers.

“These attacks can be attributed to the actor known as APT10 – a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM,” the blog states. “Their activity seems to have increased in mid-2016, and has focused on compromise of MSPs as a stepping stone into victim organizations.”

APT10 is a Chinese cyber espionage group that the security firm FireEye has been tracking since 2009.

The blog from BAE and PwC notes that the current campaign linked to APT10 can be split into two sets of activity: Attacks targeting MSPs, engineering and other sectors with common as well as custom malware, and attacks targeting Japanese organizations with the ‘ChChes’ malware.

The attacks linked to APT10 targeting managed services providers use a custom dropper for their various implants, the researchers note. “This dropper makes use of dynamic-link library side-loading to execute the main payload.” The researchers write their analysis shows the attackers have used several payloads, including:

  • PlugX, a well-known espionage tool in use by several threat actors;
  • RedLeaves, a newly developed, fully-featured backdoor, first used by APT10 in recent months.

“Whilst these attackers have skill, persistence, some new tools and infrastructure – there is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers,” the blog says.

DHS in its alert notes: “All organizations that provide IT services as a commodity for other organizations should evaluate their infrastructure to determine if related activity has taken place. Active monitoring of network traffic for the indicators of compromise … as well as behavior analysis for similar activity, should be conducted to identify command and control traffic.”

In addition, DHS notes, “Frequency analysis should be conducted at the lowest level possible to determine any unusual fluctuation in bandwidth indicative of a potential data exfiltration. Both management and client systems should be evaluated for host indicators provided.”
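The two detection ideas the alert raises, port 443 traffic to domains whose IP address keeps changing and per-host outbound volume that departs from its baseline, can be run over flow records. The following is an added example (not code from the DHS alert or from any of the firms quoted); the flow records, host names and domains are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample outbound flow records, invented for this example (none of
# it comes from the DHS alert): (hour, source host, destination domain,
# IP the domain resolved to, destination port, bytes sent).
FLOWS = [
    (0, "ws-01", "updates.example.com",    "192.0.2.10",    443, 40_000),
    (1, "ws-01", "updates.example.com",    "192.0.2.10",    443, 42_000),
    (2, "ws-01", "wind0ws-update.example", "198.51.100.7",  443, 38_000),
    (3, "ws-01", "wind0ws-update.example", "203.0.113.21",  443, 41_000),
    (4, "ws-01", "updates.example.com",    "192.0.2.10",    443, 39_000),
    (5, "ws-01", "wind0ws-update.example", "198.51.100.9",  443, 3_000_000),
    (0, "ws-02", "updates.example.com",    "192.0.2.10",    443, 45_000),
    (1, "ws-02", "updates.example.com",    "192.0.2.10",    443, 44_000),
    (2, "ws-02", "updates.example.com",    "192.0.2.10",    443, 46_000),
]

def unstable_domains(flows, port=443, min_ips=2):
    """Domains reached on `port` that resolved to several different IPs,
    the changing-address pattern the alert ties to C2 and dynamic DNS."""
    seen = defaultdict(set)
    for _hour, _host, domain, ip, dport, _nbytes in flows:
        if dport == port:
            seen[domain].add(ip)
    return {d: sorted(ips) for d, ips in seen.items() if len(ips) >= min_ips}

def bandwidth_spikes(flows, factor=5):
    """Hours where a host sent far more than its own median hourly volume.
    A median baseline keeps one big exfiltration hour from hiding itself."""
    hourly = defaultdict(lambda: defaultdict(int))
    for hour, host, _domain, _ip, _dport, nbytes in flows:
        hourly[host][hour] += nbytes
    spikes = []
    for host, per_hour in hourly.items():
        baseline = median(per_hour.values())
        for hour, total in sorted(per_hour.items()):
            if total > factor * baseline:
                spikes.append((host, hour, total))
    return spikes

if __name__ == "__main__":
    print(unstable_domains(FLOWS))
    print(bandwidth_spikes(FLOWS))
```

The hour granularity and the factor of 5 are placeholders; the alert's advice is to run the frequency analysis at the lowest granularity the flow data allows.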

Precautionary Moves

McMillan suggests that healthcare entities take steps to prevent falling victim to these attacks.

“Healthcare organizations should ensure that their service provider is actually looking for the indicators,” he says. “Within their own network they should be assessing for the presence of the detailed indicators in the NCCIC report. If an indicator of compromise is detected they should take appropriate action to remediate and reach out to NCCIC for assistance and further details. Secondarily, they should be reviewing the service provider contracts to ensure the vendor is monitoring actively.”

About the Author:

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group’s HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek’s healthcare IT media site.

Google Docs users hit with sophisticated phishing attack in their inboxes

Google said it was investigating an email scam winding its way through inboxes across the country and had disabled the accounts responsible for the spam.

The scheme emerged Wednesday afternoon, when spammers dispatched malicious email, appearing to come from people the recipients knew, beckoning them to click on what appeared to be a shared Google document.

Recipients who clicked on the links were prompted to give the sender access to their Google contact lists and Google Drive. In the process, victims allowed spammers to raid their contact lists and send even more email.

“We are investigating a phishing email that appears as Google Docs,” Google said in a statement posted on Twitter. “We encourage you to not click through and report as phishing within Gmail.”

It is not clear who created the spam email or how many people it has affected.

In a second statement, on Wednesday evening, Google said that it had disabled the accounts responsible for the spam, updated its systems to block it and was working on ways to prevent such an attack from recurring.

If you receive suspicious email, here are some tips:

1. Do not click, even when the email is from your mother.

Even when you receive links from trusted contacts, be careful what you click. Spammers, cybercriminals and, increasingly, nation-state spies are resorting to basic email attacks, known as spear phishing, which bait victims into clicking on links that download malicious software, or lure them into turning over their user names and passwords.

A quarter of phishing attacks studied last year by Verizon were found to be nation-state spies trying to gain entry into their target’s inboxes, up from the 9 percent of attacks reported in 2016.

In this case, the malicious emails all appeared to come from a contact, but were actually from the address “hhhhhhhhhhhhhhhh@mailinator.com” with recipients BCCed.

2. Turn on multifactor authentication.

Google and most other email, social media and banking services offer customers the ability to turn on multifactor authentication. Use it. When you log in from an unrecognized computer, the service will prompt you to enter a one-time code texted to your phone. It is the most basic way to prevent hackers from breaking into your accounts with a stolen password.

3. Shut it down.

If you accidentally clicked on the Google phishing attack and gave spammers third-party access to your Google account, you can revoke their access by following these steps:
https://myaccount.google.com/permissions

Revoke access to “Google Docs” (the app will have access to contacts and drive).

4. Change your passwords … again.

If you’ve been phished, change your passwords to something you have never used before. Ideally, your passwords should be long and should not be words that could be found in a dictionary. The first things hackers do when breaking into a site is use computer programs that will try every word in the dictionary. Your email account is a ripe target for hackers because your inbox is the key to resetting the passwords of, and potentially breaking into, dozens of other accounts.

Make your password long and distinctive: at least 12 characters. Security specialists advise creating acronyms based on song lyrics, movie quotations or sayings. For example, “StarWars” becomes !!$t@r|W@rz!!

5. Report it.

Report any phishing attacks to Google by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.” Companies count on those reports to investigate such scams and stop them.