Category Archives: Hacking

PlayStation suffers social media hack, possible data breach

Posted on August 23, 2017 | Leave a comment

PlayStation’s official social media accounts have been temporarily exposed, with the gaming company’s Twitter account showing messages from a hacking group who claim responsibility.

Screenshots of the tweets, posted on the morning of Monday 21 August, suggest that PlayStation Network databases were leaked, but this has neither been confirmed or denied by Sony.

The tweets have now been deleted by PlayStation, which quickly took back control of its social media. The messages, which allegedly came from a hacking group known as OurMine, directed readers to the group’s contact web page and called for PlayStation employees to get in touch.

The group pledges not to share the leaks, stating that it is a security organization.

OurMine is a security hacker group based in Saudi Arabia. According to its website, it is a White Hat group that looks to help companies protect their security by exposing vulnerabilities.

Its website states that the group can ‘help you secure your network, show you all available vulnerabilities, and fix them all.’ It also notes that it has the capability to crack anything from a social media account to an entire network.

While the only confirmed security breach so far has been on PlayStation’s social media accounts, the tweeted threat that database information has also been leaked is likely to worry Sony and its customer base.

It is not the first time that Playstation has suffered a breach. The gaming giant suffered a leak in 2011, in which personal details from 77 million accounts were compromised and caused Sony to turn off the Playstation Network for 23 days.

Following the breach, Sony faced criticism over the way it handled the leak and was slow to warn users.

Another high-profile entertainment breach was under the spotlight recently which saw HBO suffer an attack and the loss of 1.5 terabytes of data, including a script for hit show Game of Thrones.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Hackers are aggressively targeting law firms’ data

Posted on August 3, 2017 | Leave a comment

Behind every splashy headline is a legal industry that’s duking it out – helping to support entrepreneurs and big corporations in a power struggle to dominate their industry. From patent disputes to employment contracts, law firms have a lot of exposure to sensitive information.  Because of their involvement, confidential information is stored on the enterprise systems that law firms use.

This makes them a juicy target for hackers that want to steal consumer information and corporate intelligence.

For an example of this, look no further than the Panama Papers – “…an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca.”

This was devastating, but it is only one example among many. Just a few weeks ago news broke that a ransomware attack was successfully executed against yet another multinational firm – DLA Piper. This ransomware attack left the firm, with estimated revenues of $2.5 billion, completely without access to its own data.

“Law firms are the subject of targeted attacks for one simple reason,” says John Sweeney, President of LogicForce. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

These headlines, buried among the others, make it clear that the legal industry is facing an unprecedented cyber-security challenge. And solving this problem starts with helping firms realize they’ve been victims.

40% of firms did not know they were breached in 2016

The Law Firm Cybersecurity Scorecard includes an array of assessments – from cyber defenses, crisis management procedures, and post-hack responses. The report comes to a chilling conclusion: “…40% of surveyed law firms had experienced a data breach in 2016 and did not know about it.”

Part of the challenge is the skyrocketing cost of cybersecurity. Hiring an in-house team simply isn’t feasible for most firms. Instead they rely on consumer-grade technology that is ill-equipped for the threats they are facing.

The solution, as we’ve seen in many industries, is to outsource cybersecurity to trusted firms that can offer heavy-hitting, managed solutions at an affordable rate. SaaS (Software as a Service) is long overdue in this space, and thankfully it’s becoming more and more available.

An evolving threat matrix

Real-time industry expertise is an important part of the solution – something software alone can’t handle.

Today’s hackers hold a strategic advantage because of the growing numbers of devices and associated vulnerabilities. Every access point is a potential breach. A knowledgeable, sophisticated team can create security solutions specially crafted to meet the challenges that law firms face.

One of the greatest challenges in modern security is the Internet of Things (IoT). Everything from the appliances in the breakroom to the smartphones in the pockets of employees create dynamic networks – communicating information in a way that opens up opportunities to hackers.

The threat goes beyond teams. An individual attorney uses a plethora of electronic devices, all networked together to provide a more streamlined work environment. And human intelligence, served up to hackers through social media, only makes targeted cyber-attacks easier.

Preparing for data breaches

There are things attorneys and other legal professionals can do to start upping their defenses.

  1. The American Bar Association has published a comprehensive guide for law firms – including both methods for preventing and responding to cyber-attacks.
  2. Firm managers need to create a data security plan that speaks to every member of their team. Educate employees on strategies for identifying phishing attacks and other dangerous threats aimed at fooling people into compromising networks.
  3. Engage outside IT security experts and have risk assessments completed on a regular basis. If you can identify vulnerabilities, you can put a plan in place to minimize or eliminate them.
  4. Communicate and enforce a password policy that limits access and requires authorized users to regularly change their credentials.
  5. Conduct a weekly check for patches or other updates to computer security software.
  6. Develop a comprehensive breach response plan. After you’ve been hacked, it will be too late to develop a competent response that protects the Firm’s reputation.

It’s my hope that companies will wake up to the realities of cyberthreats.  I’ve witnessed the horrible pain and anguish that comes from the breach of an unprepared company. If you understand the threat, and then use honest assessment to develop improvements and response plans, you will find that operating in the digital age doesn’t have to be a nightmare.

 

 

Leave a comment

Posted in Cyber Security, Data Breach, Forensic, Hacking, Security

Tagged , , ,

HBO Says It Was Hacked, Some Programming Stolen

Posted on August 1, 2017 | Leave a comment

Hackers claim to have stolen information related to HBO’s Game of Thrones, allegedly including written material from an upcoming episode. HBO has confirmed a hack occurred, but not what information was acquired. Here, Samwell Tarly (John Bradley) sits with some written material of his own. Helen Sloan/courtesy of HBO

HBO says it has been hacked, and that the perpetrators have acquired some programming.

The premium cable channel won’t confirm what materials were acquired in the cyber breach. But the alleged perpetrators claim to have acquired text related to the popular — and famously spoiler-plagued — Game of Thrones.

“Hackers claimed to have obtained 1.5 terabytes of data from the company. So far, an upcoming episode of Ballers and Room 104 have apparently been put online. There is also written material that’s allegedly from next week’s fourth episode of Game of Thrones. More is promised to be ‘coming soon.’ ”

It’s not clear if the hackers do actually have any Game of Thrones material.

NPR’s Eric Deggans reports:
” HBO is so secretive about spoilers involving its hit series Game of Thrones, journalists weren’t even given advance copies of new episodes before the new season began July 16.

“Now HBO has acknowledged that a ‘cyber incident’ resulted in stolen proprietary information, including some programming. … HBO says it is working with law enforcement and cybersecurity firms to investigate the breach.”

HBO has had material prematurely leaked online — including screeners, clips from overseas distributors and a Game of Thrones trailer.  But none of those incidents involved hacking.

“Hacking Hollywood can have significant repercussions,” The Associated Press notes. “Sony struggled in the aftermath of its huge hack in 2014, which leaked employee emails as well as films.”

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Casino hacked through fish tanks private officer

Posted on July 25, 2017 | Leave a comment

Most people know about phishing — but one casino recently learned about the dangers of actual fish tanks.

Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.

“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable — but it became a weak link in a the casino’s security.

The unnamed casino’s rogue fish tank is one of nine unusual threats that Darktrace identified on corporate networks published in a report Thursday.

The report cites examples compiled from Darktrace’s threat detection technology. Darktrace makes security technology that sits on a company’s network and monitors the activity taking place. That could be anything from data transferred between computers or actions taken by a connected coffee maker.

When the technology notices an anomaly — like a device that doesn’t belong or data being sent somewhere it shouldn’t — it alerts the company’s security team.

In another example of an unusual attack, smart drawing pads connected to insecure wifi were used to send data to websites around the world in what’s called a “denial of service” attack. A hacker had scanned the internet looking for vulnerable devices, and exploited them to try and flood other websites with too much traffic.

We’ve seen cybercriminals leverage connected devices for destructive purposes before.

Last year, the Mirai botnet took control of smart home devices, like security cameras, all over the world, effectively turning them into zombie machines directing web traffic to take down popular websites like Netflix and Twitter.

Fier, a former U.S. intelligence contractor, says he anticipates threats coming from more unexpected places. Phishing emails will be one way hackers can get onto systems. But things like insecure fish tanks connected to the internet will be another.

“In the current cyber climate with political and corporate espionage, I think you’re going to start to see attackers, whether nationstate or criminal, having to get more creative in their attack vectors,” Fier said.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Travel Giant Sabre Confirms Its Reservation System Was Hacked

Posted on July 6, 2017 | Leave a comment

Just two months ago, the Sabre Corporation announced that it had hired security firm Mandiant to investigate a possible hacking incident. Now the company has publicly announced the results of that investigation. An unauthorized third party breached Sabre systems and was able to access customer payment data.

That’s not great news, considering the Texas-based company processes reservations for around 100,000 hotels and more than 70 airlines worldwide to the tune of $120 billion. If there is a silver lining, it’s that Sabre says that only the Sabre Hospitality System — which handles bookings for hotels from both consumers and travel agents — data was compromised. A company spokesperson also confirmed to me that “less than 15 percent of the average daily bookings on the SHS reservation system were viewed” while the attackers had access.

An Intercontinental hotel in New York City.

It’s still a very significant breach, especially since both payment card information and reservation details were accessed. In some cases, that included the customer’s name, email address, phone number, and address.

Like most industries, the travel sector has had to deal with a steady rise in cyber attacks in recent years. In 2016, InterContinental Hotels Group reported that more than 1,000 of its properties had been hit with “malicious software designed to siphon customer debit and credit card data,” according to security expert Brian Krebs. Earlier in the year, HEI Hotels & Resorts reported a similar incident at some of its Hyatt, Marriott, Sheraton, and Westin locations.

On June 6, once Mandiant had concluded its investigation, Sabre began notifying payment card providers, partners, and customers. The company says that it “has enhanced the security around its access credentials and the monitoring of system activity to further detect and prevent unauthorized access.” Sabre has also set up a call center to handle inquiries about the breach.

 

Leave a comment

Posted in Cyber Security, Hacking, Security

Tagged , ,

Network Safety: Experts Weigh In

Posted on July 5, 2017 | 1 comment

If you missed our Cybersecurity Session “Cybersecurity for CEO’s- The Game Has Changed” at The NAA Education Conference, no worries. Our friends at Multi-Housing News have published a great article for you. Special thanks to Sanyu Kyeyune for attending our session and writing the article.

At NAA’s recent conference in Atlanta, panelists shared best practices for keeping vital network information safe from attack.

The panel included Chad Hunt, supervisory special agent with the FBI; Dave McKenna, CEO of ResMan; Frank Santini, cybersecurity attorney of Trenam Law; Jeremy Rasmussen, cybersecurity director of Abacode; and Michael Reese, Chief Information Officer of USA Properties Fund, who moderated the session.

Reese opened the talk by underscoring the commercial real estate industry’s vulnerability to cyber-attacks: “Real estate sits on a goldmine of information, including intellectual property, personally identifiable information—things hackers want to go after.”

Understand Data Value

The cost of stolen information for a single customer can fetch $10-20 on the dark net, but the liability to an organization is $158 or more. This greater figure reflects the cost to recover data, the value of this information to competitors and regulatory fines incurred. Multiply this number by 50,000 customers and the cost amounts to $7.9 million—enough to put some property management firms out of business.

C-suite leaders that understand the total costs of cybersecurity are in better shape to manage a firm’s cyber health. “As a leader, you can’t be afraid to raise the red flag. It’s your responsibility to defend your company and your partners.”

Crafting a risk-based approach helps companies decide on what to defend and how much to spend. This plan should include a guide for CEOs interacting with the media and attorneys working with incident response companies. “There is always a tradeoff between usability and security. That’s why you need to engage with a firm that can bake security into a product from chip to the enterprise level,” Rasmussen warned. “Don’t try to bolt it on at the end.”

Improve Network Visibility

Once the value of data has been quantified, the next step to addressing a company’s cyber health is to ask how secure networks currently are, because on average, noted Rasmussen, by the time a threat has been identified, it has been active for up to 270 days.

A majority of clients lack visibility into their own networks,” Rasmussen explained. “In today’s world, it’s not a matter of if, it’s when. And not only that, but, are they already in?

One of the most common software attacks uses ransomware, which encrypts files—effectively eliminating access to important data—and threatens to delete or publish them until the victim pays an agreed-upon sum. However, organization that already has solid system backups in place can combat ransomware by reverting back to previously stored versions. Along with ransomware, phishing attempts, social engineering, attacks on crucial infrastructure, financial fraud and “zero-day” vulnerability (a hole in security unknown to the vendor, typically identified and exploited by hackers over a short time frame) have emerged as some of the most damaging cybersecurity threats.

For some organizations, the expenses associated with downtime and productivity could be crippling. Therefore, advised McKenna, it is crucial to be proactive ahead of time, rather than after a threat has surfaced, to mitigate the cost of recovering from a cyber-attack. “It still comes down to your people not being victims,” he said. “The technology won’t do it all for you.”

According to Hunt, email is the most common point of entry for a cyber-attacker. Because emailing and phone calls already poke holes into a security system, organizations must be vigilant in managing these activities to avoid a breach. One way to do this is by focusing security training on individuals with elevated privileges, such as system administrators and C-suite users, which are hot targets for hackers.

Know Who to Call

An order of operations might be to call your IT people to stop and contain the threat, contact your attorney to find out what the legal implications are around reporting, call your public relations firm to control the event in the media and then to contact law enforcement,” Rasmussen offered.

Company leadership should also rally IT teams to mandate routine password changes for all users and to require people to upgrade software instead of patching outdated platforms. It is also crucial to keep a list of key personnel to contact when an infiltration occurs. “Locally, the FBI is a good place to start, but you can also call the Secret Service in your area,” Hunt advised. “In either case, develop this personal relationship ahead of time, as local law enforcement has little authority at a corporate level.

He also suggested that if a particular individual within an organization becomes the victim of a cyber-attack, then this person should file a police report to avoid being implicated as a perpetrator. When interacting with local authorities, Hunt added, it is most effective to do so in a controlled, documented manner.

Thirteen years ago, there was much less information-sharing with law enforcement, but now it’s more of a two-way street,” Hunt explained. “The FBI can gather information without necessarily having to open a federal investigation.

Santini encouraged leadership to secure a forensic investigator that will supervise the handling of evidence and assist in documentation—actions that can be helpful in the event of legal repercussions—and to ensure that attorney-client privilege keeps these interactions private.

Rally Vendors

Another important questions that C-suite leaders need to ask themselves is, “What are your partners and their partners doing to ensure cyber safety?

McKenna emphasized that having a conversation with vendors and suppliers will help reinforce the company priorities, identify the degree of protection already in place and define a plan for handling an intrusion in the future. “You need to know if your vendor will indemnify you for the cost of a breach, if there is a mutual indemnification clause and what level of insurance the vendor requires of its partners,” Santini encouraged. “Make sure you have written agreements with your cloud provider and other suppliers, and negotiate these terms with the help of a lawyer.

Ultimately, it is up to C-level employees to develop vendor relationships, rather than making cybersecurity a grassroots effort led by an IT department. “There needs to be a separation of duties, just like how a company might hire one accounting team for auditing and another for taxes,” said Rasmussen. “Cybersecurity should be handled the same way.

Prioritize Efforts

The panel discussion concluded with a punch list of items to help C-level leaders put a cybersecurity plan into action. Here are some key features:

  • Detection using 24/7 monitoring and incident response to gain immediate feedback on the effect of a network security initiative
  • Implementation of organizational policy/procedures, which requires a cultural shift and buy-in from all members of an organization
  • Add-in of other annual assessments, such as penetration testing, phishing, etc., to improve visibility into a network
  • Engagement of IT teams to support continuous improvement and governance
  • Understanding of “zero-day” threats
  • Encouraging collaboration across all stakeholders

 

 

 

 

 

1 Comment

Posted in Cyber Security, Data Breach, Hacking, Security, Technology

Tagged ,

Latest Ransomware Hackers Didn’t Make WannaCry’s Mistakes: PETYA

Posted on June 28, 2017 | Leave a comment

PETYA RANSOMWARE

The latest sweeping ransomware assault bares some similarity to the WannaCry crisis that struck seven weeks ago. Both spread quickly, and both hit high-profile targets like large multinational companies and critical infrastructure providers. But while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.

Originally identified as Petya, a ransomware that first started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it has already hit 2,000 targets, seizing the systems of high-profile victims like Danish shipping giant Maersk, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.

And while it owes its rapid spread in part to EternalBlue, the same stolen NSA exploit WannaCry leveraged, it lacks several of the traits that made WannaCry—which turned out to be an unfinished North Korean project gone awry—easier to stop.

WannaBreak

“The quality of the code improves from iteration to iteration—this GoldenEye ransomware is pretty solid,” says Bogdan Botezatu, a researcher at the security firm Bitdefender. “We don’t get to catch a break.”

The most important WannaCry pitfall that this current round sidesteps? A kill switch that allowed researchers to neuter the ransomware around the world and drastically reduce the spread. The mechanism was a low-quality, possibly unfinished feature meant to help the ransomware avoid analysis. It backfired spectacularly. So far, GoldenEye shows no signs of containing such a glaring error.

Additionally, WannaCry spread between networks across the internet like a worm, relying almost entirely on EternalBlue to get in and hitting systems that hadn’t yet downloaded Microsoft’s patch for that vulnerability. This new ransomware also targets devices that somehow still aren’t secured against EternalBlue, but can deploy other infection options as well. For example, the attackers seem to be spreading the ransomware through the software update feature of a Ukrainian program called MeDoc, and possibly through Microsoft Word documents laced with malicious macros.

Along with exploiting EternalBlue to gain access when possible, the ransomware can also leverage an additional Shadow Brokers-leaked NSA exploit known as EternalRomance (patched by Microsoft in March) for  remote access. And some researchers have also found unconfirmed evidence that the ransomware may take advantage of yet another tool published by the ShadowBrokers, known as EsteemAudit, that specifically targets computers running Windows XP and Windows Server 2003. Microsoft patched that vulnerability two weeks ago as part of its unprecedented effort to secure its old, unsupported operating systems against leaked NSA exploits.

Once inside the network, the ransomware steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation.

“If a system with enough administrative privileges is compromised, it will simply instruct all other PCs it has access to run the malware as well,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “That is why a lot of system administrators are freaking out right now.”

Smarts, Not Scale

Because GoldenEye appears to take a more targeted approach to infection, rather than barreling around the internet, it has so far resulted in fewer infections: it has affected 2,000 targets versus the hundreds of thousands that WannaCry hit. But don’t read that as a weakness necessarily. WannaCry’s ability to spread over the internet led to out-of-control infections, and its creators were ill-equipped to handle that volume of potential payments.

In fact, WannaCry hackers proved incapable of tracking payments whatsoever. Attackers had victims send ransoms to one of four set bitcoin addresses, instead of assigning each target a unique address. This made incoming payments difficult to track, and left it to the criminals to figure out which victims (among hundreds of thousands) had paid and should be sent a decryption key.

Payment happens to be GoldenEye’s current weakness as well, though not due to WannaCry-level incompetence. It relies on manual payment validation, meaning that when victims pay the ransom they must email proof of payment to an email address, after which hackers send a decryption key. Not only does a manual system make it harder for attackers to get paid, it can reduce victim faith that paying the ransom will result in decryption.

Also? The hackers’ email provider, Posteo, pulled the plug on their account, making payment confirmation pretty much impossible.

No Easy Fix

This latest round of ransomware appears to be here to stay. The diversity of delivery options means that no single patch can necessarily provide complete protection against it. Still, administrators can take some steps to protect their systems. Analysts agree that while patches don’t solve everything in this situation, they are still crucially important and do offer real defense. “Very, very important to patch,” says MalwareHunter, a researcher with the MalwareHunterTeam analysis group.

Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running.

“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”

All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.

First place to start make sure your systems have the latest patches and updates !!!

Leave a comment

Posted in Cyber Security, Encryption, Hacking, Security

Tagged , ,

CoPilot settles with New York AG for delaying breach notification for over one year

Posted on June 19, 2017 | Leave a comment

This is only the beginning of what will happen in the future.

It took over a year to notify 220,000 individuals of a breach to its website. HHS is determining if it’s a HIPAA-covered business associate.

CoPilot Provider Services has settled with New York for $130,000 in penalties for waiting more than a year to notify its customers of a breach to the company’s website, NY Attorney General Eric Schneiderman announced Thursday.

The attorney general determined the healthcare administrative services and IT provider violated general business law, in its delayed breach notification to its 221,178 customers. CoPilot agreed to the monetary settlement and to reform its notification and legal compliance program.

The breach occurred in October 2015, when an unauthorized individual accessed confidential patient reimbursement data through the administration site. The hacker downloaded data that included names, birthdates, addresses, phone numbers and medical insurance card details.

However, CoPilot waited until January 2017 to begin formally notifying its customers of the breach.

The FBI began investigating the incident in February at CoPilot’s request, focusing on a former employee they believed was responsible.

CoPilot blamed the breach notification delay on the FBI investigation, but law enforcement didn’t say that customer notification would hinder the ongoing investigation and didn’t instruct CoPilot to delay. General business law instructs that companies must provide timely breach notification.

The Department of Health and Human Services is still looking into whether CoPilot is considered a covered business associate under HIPAA.

Thursday’s agreement also states that CoPilot will comply with New York’s consumer protection and data security laws.

“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Schneiderman in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged , ,

Chipotle says hackers hit most restaurants in data breach

Posted on May 30, 2017 | Leave a comment

Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc’s (CMG.N) restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain whose sales had just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

A handful of Canadian restaurants were also hit in the breach, which the company first disclosed on April 25.

Stolen data included account numbers and internal verification codes. The malware has since been removed.

The information could be used to drain debit card-linked bank accounts, make “clone” credit cards, or to buy items on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.

The breach could once again threatens sales at its restaurants, which only recently recovered after falling sharply in late 2015 after Chipotle was linked to outbreaks of E. coli, salmonella and norovirus that sickened hundreds of people.

An investigation into the breach found the malware searched for data from the magnetic stripe of payment cards.

Arnold said Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.

The company posted notifications on the Chipotle and Pizzeria Locale websites and issued a news release to make customers aware of the incident.

Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breach response, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.

“I don’t think you will get to all of the customers who might have been affected,” she said.

Security analysts said Chipotle would likely face a fine based on the size of the breach and the number of records compromised.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, Julie Conroy, research director at Aite Group, a research and advisory firm.

“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc (IT.N) specializing in security and privacy.

Chipotle did not immediately comment on the prospect of a fine.

Retailer Target Corp (TGT.N) in 2017 agreed to pay $18.5 million to settle claims stemming from a massive data breach in late 2013.

Hotels and restaurants have also been hit. They include Trump Hotels, InterContinental Hotels Group (IHG.L) as well as Wendy’s (WEN.O), Arby’s and Landry’s restaurants.

Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday following the announcement.

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Homeland Security Issues Warning on Cyberattack Campaign

Posted on May 10, 2017 | Leave a comment

The Department of Homeland Security is warning IT services providers, healthcare organizations and three other business sectors about a sophisticated cyberattack campaign that involves using stolen administrative credentials and implanting malware, including PLUGX/SOGU and RedLeaves, on critical systems.

The alert notes that DHS’ National Cybersecurity and Communications Integration Center “has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including information technology, energy, healthcare and public health, communications and critical manufacturing.”

Mac McMillan, president of the security consulting firm CynergisTek, says the threat is serious. “These attacks could lead to full network compromise, long-term undetected attacks, and compromise/exploitation of systems and data, essentially putting both operations and patient safety at risk,” he says.

The April 27 alert, which was updated on May 2, says preliminary analysis has found that threat actors appear to be leveraging stolen administrative credentials – local and domain – and certificates.

“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments,” the alert notes. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”

Under Investigation

DHS says the activity is still under investigation. “The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures,” according to the alert. “The actors use malware implants to acquire legitimate credentials then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators’ credentials to access trusted domains as well as the malicious use of certificates.”

Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement, the alert notes.

“Command and control primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity.”

In addition to leveraging user impersonation via compromised credentials the attackers are using malware implants left behind on key relay and staging machines, the alert states. “In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and RedLeaves.”

The attackers have modified the malware to “improve effectiveness and avoid detection by existing signatures,” the alert notes.

DHS warns successful network intrusion involving these attacks could result in temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files and potential harm to an organization’s reputation.

Earlier Warning

The DHS alert follows a blog posted in early April by researchers at BAE Systems and PwC about the firms’ investigation into a campaign of intrusions against several major managed services providers.

“These attacks can be attributed to the actor known as APT10 – a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM,” the blog states. “Their activity seems to have increased in mid-2016, and has focused on compromise of MSPs as a stepping stone into victim organizations.”

APT10 is a Chinese cyber espionage group that the security firm FireEye has been tracking since 2009.

The blog from BAE and PwC notes that the current campaign linked to APT10 can be split into two sets of activity: Attacks targeting MSPs, engineering and other sectors with common as well as custom malware, and attacks targeting Japanese organizations with the ‘ChChes’ malware.

The attacks linked to APT10 targeting managed services providers use a custom dropper for their various implants, the researchers note. “This dropper makes use of dynamic-link library side-loading to execute the main payload.” The researchers write their analysis shows the attackers have used several payloads, including:

  • PlugX, a well-known espionage tool in use by several threat actors;
  • RedLeaves, a newly developed, fully-featured backdoor, first used by APT10 in recent months.

“Whilst these attackers have skill, persistence, some new tools and infrastructure – there is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers,” the blog says.

DHS in its alert notes: “All organizations that provide IT services as a commodity for other organizations should evaluate their infrastructure to determine if related activity has taken place. Active monitoring of network traffic for the indicators of compromise … as well as behavior analysis for similar activity, should be conducted to identify command and control traffic.”

In addition, DHS notes, “Frequency analysis should be conducted at the lowest level possible to determine any unusual fluctuation in bandwidth indicative of a potential data exfiltration. Both management and client systems should be evaluated for host indicators provided.”

Precautionary Moves

McMillan suggests that healthcare entities take steps to prevent falling victim to these attacks.

“Healthcare organizations should ensure that their service provider is actually looking for the indicators,” he says. “Within their own network they should be assessing for the presence of the detailed indicators in the NCCIC report. If an indicator of compromise is detected they should take appropriate action to remediate and reach out to NCCIC for assistance and further details. Secondarily, they should be reviewing the service provider contracts to ensure the vendor is monitoring actively.”

About the Author:

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group’s HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek’s healthcare IT media site.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,