Amazon in the Dark...

This week, Black Friday and Cyber Monday are in the spotlight, along with the healthcare and non-profit charity sectors.

Dark Web Data Breaches* this past week: Total Compromises: 881 Top Source Hits: ID Theft Forums (730) Top Industry: Medical & Healthcare Top Employee Count: 11-50 employees (42%) Top Compromise Type: Domains (881)

Top Industries Targeted* this Past Week:

Software Hits: 223 | Targets: Cambridge Analytica, Google, LinkedIn, Yahoo, Facebook

Information Technology Hits: 210 | Targets: Amazon.com, Google, Sony Corp, Apple, LinkedIn

Internet Hits: 124 | Targets: Amazon.com, LinkedIn, Twitter, Facebook, Alibaba

Retail Hits: 122 | Targets: Amazon.com, Apple, WHSmith plc, Gabbana, IKEA

eCommerce Hits: 102 | Targets: Amazon.com, PayPal, Alibaba

Top Threat Actors* active this Past Week.

APT28 Fancy Bear Hits: 118 | Targets: Democratic National Convention, United States, Democratic National Committee, Germany, United States Senate

Hezbollah Hits: 65 | Targets: Israel, Iran, Lebanon, Syria, United States

Lazarus Group Hits: 24 | Targets: Sony Corp, South Korea, United States, Central Bank of Bangladesh, Bitcoin

APT29 The Dukes Hits: 18 | Targets: White House, U.S. Department of State, United States, Democratic National Committee, Democratic National Convention

Magecart Hits: 12 | Targets: British Airways, Ticketmaster Entertainment, Newegg, Feedify, Magento

Top Malware Discoveries* made this Past Week.

KCloud Hits: 202 | Targets: Microsoft Internet Explorer, Mozilla Firefox, troj.bublik.bf

Cannon Hits: 39 | Targets: United States

Mirai Hits: 38 | Targets: Internet of Things, Dynamic Network Services, Inc (Dyn), Deutsche Telekom, Germany, United States

Wcry Hits: 23 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea

In Other News:

AMAZON keeps customers in the dark;

Amazon informed some customers this week that their name and email address were exposed due to a “technical error,” but the company provided very few other details.

The e-commerce giant claims the issue has been addressed and has told users that they do not need to change their password or take any other action. It has also revealed that the incident is not a result of something customers have done.

Many recipients initially believed the emails were part of a scam as the message did not address them by name and its signature included a link to “http://Amazon.com” – some found the lack of HTTPS and the capital “a” suspicious.

It’s unclear what caused the technical error and how many users are impacted. Twitter has been flooded by people saying they received the email, including individuals from the United States, the United Kingdom and Australia.

Unsurprisingly, many users are unhappy with the lack of transparency. Amazon has refused to share any additional details with customers or the press.

“Make a Wish” comes true for Crypyojackers*.

Visitors of the international website of the US-based non-profit Make-A-Wish Foundation have had their computing power misused to covertly mine cryptocurrency, Trustwave researchers have found.

The compromise: In-browser cryptomining is not illegal and many website owners prefer using as a money-making substitute for ads, but they usually inform the visitors about it. In the majority of cases, though, covert cryptomining is a sign that cybercrooks have compromised the website, injected their own cryptomining script in it and are reaping the benefits. And this is exactly what happened to the Make-A-Wish Foundation website. The cryptojacking CoinIMP script injected into the website, which has been associated with a known campaign that has been exploiting a critical vulnerability to compromise websites since May 2018. CoinIMP is a JavaScript miner that, similarly to the one offered by the infamous CoinHive service which mines Monero. (a variant of Bitcoin). “What’s interesting about this particular campaign is that it uses different techniques to avoid static detections,” Trustwave SpiderLabs researcher Simon Kenin pointed out. As the Foundation’s site runs on Drupal – one of the most popular CMSs today – it’s highly likely that the attackers took advantage of a remote code flaw to gain access and inject the offending script. “We made attempts to contact the Make-A-Wish organisation, and while they didn’t respond to us, we’re happy to note that the injected script was removed from their site shortly after our outreach attempt,” Kenin noted. Administrators of Drupal-based websites are urged to update their installations to the latest version available if they don’t want their website to suffer a similar fate. If they failed to do so by now, they are advised to make sure their websites haven’t been compromised already with cryptojacking scripts (or worse!).

A Match Made in Heaven: Dating profiles are being bought and sold on the web, but not on the Dark Web. There are organizations that are selling the data over the clear-net. Someone interested in this data could purchase a bundle of dating profiles on an online auction. The data is sold in ‘packs’ categorized by race, sex, sexuality, and other factors. What is done with these profiles is up to the buyer.

Rogue Robots worry users. The modern world relies heavily on industrial robots. But is the current robotics ecosystem secure enough to withstand a cyber attack?

Industrial robots have replaced humans in a lot of large-scale production and manufacturing activities because of their efficiency, accuracy, and safety. These mechanical, programmable devices can now be seen in practically all industrial sectors―making cars, fabricating airplane parts, assembling food products, and even providing critical public services. Soon enough, robots will become a ubiquitous feature of modern factories that we must ask now whether the current ecosystem of industrial robots is secure enough to withstand a cyber attack.

This is the question we—the Forward-looking Threat Research (FTR) team and our collaborators from the Politecnico di Milano (POLIMI) had in mind when we started examining the attack surface of today’s industrial robots. More importantly, we wanted to demonstrate whether it is actually possible to compromise them. The attack demonstration, was done in a laboratory setting on an actual working industrial robot. Due to the architectural commonalities of most modern industrial robots and the existence of strict standards, the robot chosen for our case study is representative of a large class of industrial robots. An industrial robot is an “automatically controlled, reprogrammable, multipurpose manipulator programmable in three or more axes, which can be either fixed in place or mobile for use in industrial automation applications.”

Operating an industrial robot requires several parts working together properly. A programmer or operator typically controls it by issuing high-level commands through the network (via a remote access interface like a teach pendant) to a controller. The controller, which is nothing but a computer, then translates the commands into low-level inputs for the different components of the robotic arm to interpret and execute. Industrial robots are expected to perform with a high degree of safety, accuracy, and integrity. Any violation of these operational requirements, if initiated through a digital attack, can allow a cyber attacker to take control of a robot. We were able to determine five classes of attacks that are possible once an attacker is able to exploit any of the several weaknesses that we found in industrial robot architectures and implementations. In our comprehensive security analysis, we found that the software running on industrial robots is outdated; based on vulnerable OSs and libraries, sometimes relying on obsolete or cryptographic libraries; and have weak authentication systems with default, unchangeable credentials. Additionally, the Trend Micro FTR Team found tens of thousands industrial devices residing on public IP addresses, which could include exposed industrial robots, further increasing risks that an attacker can access and compromise them. The vendors, with whom we are working closely, have taken our results very responsibly, showing a positive attitude toward securing the current and future generation of industrial robots.

Threat Focus: The Southwest Washington Regional Surgery Centre, USA

Exploit: Phishing attack. The Southwest Washington Regional Surgery Center: A Vancouver-based surgery center specializing in orthopedic, spine, podiatry, pain management and plastic surgery. Risk to Small Business: 1.444 = Extreme: An organization that fails to secure the sensitive payment and medical data of its customers will lose both its standing with customers and a significant amount of money when handling the result of a damaging breach. Individual Risk: 2.142 = Severe: Those affected by this breach have an increased risk of identity theft and having their medical data sold on the Dark Web. Customers Impacted: 2,393 Patients. Effect On Customers: The Organization did a good job reacting to the breach, offering identity monitoring services to victims and setting up a hotline for questions. This breach is like another breach in the region with another health organization in the same building as the Regional Surgery Center. Whether or not these breaches are related is unclear, but health organizations should stay alert, especially with what is allegedly the SAM SAM ransomware being sold openly on the Dark Web.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

Threat Focus: KARS4KIDS – USA

Exploit: Exposed MongoDB database. KARS4KIDS: A New Jersey-based charity where people donate their cars to support youth and educational programs. Risk to Small Business: 1.777 = Severe: Non-profit organizations often make sacrifices in cyber security due to budget constraints, however as demonstrated by the KARS4KIDS breach, non-profits are far from invulnerable to hacking. Individual Risk: 2.428 = Severe: Those affected by the breach are at a higher risk of identity theft and phishing attacks due to the exposure of emails between the organization and the donors. Customers Impacted: 21,612 customers. Effect On Customers: This is a damaging breach especially due to the evidence that the exposed database was accessed, found in the form of a ransom note in the database.

Risk Levels: 1 - 1.5 = Extreme Risk 1.51 - 2.49 = Severe Risk 2.5 - 3 = Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

POSTSCRIPT: Hands Off My Data! Magecart is a credit card skimming malware, used by different unrelated groups that attack in a similar fashion. Magecart is defined by targeting online retailers and has been in the spotlight recently due to several high-profile breaches such as Ticketmaster and British Airways.

With Black Friday and Cyber Monday coming up, there will be a huge bump in online purchases. This time will be open hunting season for hackers trying to get a shot at the billions spent on those days. Here are statistics about Magecart to put into perspective how dangerous the threat is this holiday season.

1/5 = how many breached organizations by Magecart became infected again. 127 Days = Average number of days skimmers remained active on a site. 5,400 = Number of domains found to be infected with Magecart in August, September, and October.

Paul Nielsen CCSRA, Managing Director, Avantia Corporate Services Pty Ltd & Avantia Cyber Security

CYBER RISK IS BUSINESS RISK

"Wee've Got Your Back"

INDEPENDENT CYBER SECURITY RISK MITIGATION STRATEGY & CYBER SECURITY MANAGEMENT.

If your organisation does not have an 'in house' CISO we offer an affordable alternative.

* Independent Board Non Executive Director (NED) for Cyber Security.

*Development of an Enterprise Information Security Policy (EISP)

*Risk Assessment Strategy for Operational, Legal & Reputational Risk Minimisation.

*Develop and Implement an Incident response Plan.

*Develop and Manage Metrics for Operational Cyber Security.

*Manage Compliance for Regulatory, State, National & International Legal Obligations.

*Manage Stakeholder Engagement.

*Represent and Manage Media Engagement.

CALL +61 7 3010 9711 for a no obligation discussion of your requirements.

* Disclaimer: Avantia Corporate Services Pty Ltd provides the content in this publication to the reader for general information only and has compiled the content from a number of sources in the USA and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.