Avantia Threat Update
THE CARNIVAL IS OVER FOR 500,000 BRAZILIANS.
Updated: Jan 11, 2019

This week the party is over in Brazil after a massive data breach, myths about the ‘cloud’ are busted, and there is more about IoT security. Also the Quora Q&A breach and Humble Bundle credential stuffing.
This Past Week’s Dark Web Trends*
Top Source Hits: ID Theft Forums (55%)
Top Compromise Type: Domains
Top Industry: High-Tech & IT
Top Employee Count: 11-50 employees (32%)
This Week Top Targeted Industries*:
Consumer Goods Hits: 596 | Targets: Marriott International, Starwood Hotels & Resorts Worldwide, Inc., Sony Corp, Huawei Technologies, Home Depot
Service Hits: 578 | Targets: Marriott International, Starwood Hotels & Resorts Worldwide, Inc., Davis Polk & Wardwell, JPMorgan Chase & Co., Cloudera
Hospitality Hits: 574 | Targets: Marriott International, Starwood Hotels & Resorts Worldwide, Inc., Panera Bread Company
Tourism Hits: 508 | Targets: Marriott International
Finance Hits: 227 | Targets: Equifax Inc, PayPal, JPMorgan Chase & Co., MasterCard Inc.
This Past Week’s Top Threat Actors:*
Hezbollah Hits: 83 | Targets: Israel, Lebanon, Iran, Syria, United States
APT35 Newscaster Team Hits: 82 | Targets: Saudi Arabia, United States, Ben-Gurion University of the Negev, U.S. Department of Defense, Home Box Office
Syrian Electronic Army Hits: 21 | Targets: Skype, Twitter, United States Army, Facebook, Microsoft
MuddyWater Hits: 17 | Targets: Government of Saudi Arabia, Saudi Arabia, Turkish government, United Arab Emirates, Israel
Ministry of State Security (China) Hits: 16 | Targets: Australia, Marriott International, United States, United States Office of Personnel Management, People's Liberation Army (China)
This Past Week’s Top Malware Discoveries:*
Shamoon Wiper Hits: 59 | Targets: Saudi Arabia, Saudi Aramco, Europe, Sony Corp, Petroleum
Duuzer Hits: 27 | Targets: South Korea, Symantec, Japan, Government of South Korea
Wcry Hits: 23 | Targets: Boeing, Microsoft Windows, United Kingdom, Bitcoin, North Korea
Zegost Hits: 20 | Targets: Microsoft Windows, Adobe, Microsoft Internet Explorer, Honeypot
Novidade Hits: 9 | Targets: SOHO Router, Home Router, Domain Name System, Brazil, Router
In Other News:
Brazilian Personal Data Exposed - The Carnival is over for 500,000 Brazilians*.
Brazil has always been one of those countries where cybersecurity issues are hard to report. Back in September, a big breach was reported by a Brazilian online booking system exposing personal data of almost 500,000 users. The company behind the exposure was really hard to identify and contact, but in the end the database was secured, mainly thanks to the support of Twitter followers.
On November 12th, when auditing the search results for open/exposed Elasticsearch databases, researchers found what appeared to be a collection of personal records compiled by FIESP, the Federation of Industries of the State of São Paulo. FIESP is the largest class entity in Brazilian industry. It represents about 130 thousand industries in various sectors, of all sizes and different production chains, distributed in 131 employers’ unions.
Records were stored in Elasticsearch, with a total count of 180,104,892. At least 3 indices (FIESP, celurares and externo) that were analysed contained the personal info of Brazilian citizens. The largest collection of data (the FIESP collection) had 34,817,273 personal records with exposed info such as: name; personal ID number (RG number); Taxpayer Registry Identification (CPF); sex; date of birth; full address; email; phone number.
Notifications were immediately sent to FIESP contacts but without response. The database was taken offline only after a Brazilian-based follower managed to get in touch with a FIESP representative over the phone and inform them about the exposure.
The lack of authentication allows malware or ransomware to be installed on the Elasticsearch servers. The public configuration makes it possible for cybercriminals to manage the whole system with full administrative privileges. Once malware is in place, criminals could remotely access the server's resources and even execute code to steal or completely destroy any saved data the server contains.
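A configuration check for the failure described above, as an added example that is not part of the original update: it reads a flat elasticsearch.yml and flags a node that is reachable from other machines without authentication or TLS. The sample configs and finding names are constructed, and a missing xpack.security.enabled is assumed to mean disabled.

```python
import ipaddress

# Constructed sample configs in flat elasticsearch.yml style (not from the incident).
EXPOSED = """\
cluster.name: records
network.host: 0.0.0.0
http.port: 9200
"""
HARDENED = """\
cluster.name: records
network.host: 10.0.5.12   # assumed private interface
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines commonly used in elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback_only(host):
    """True when the node listens only on the local machine."""
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname or other special value: assume remotely reachable

def audit(text):
    """Return findings for a node config; an empty list means no check fired."""
    s = parse_flat_yaml(text)
    # Assumption: a missing xpack.security.enabled is treated as disabled.
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    # Elasticsearch binds to loopback when network.host is not set.
    reachable = not is_loopback_only(s.get("network.host", "_local_"))
    findings = []
    if not auth_on:
        findings.append("no-auth-remote" if reachable else "no-auth-local")
    if reachable and not tls_on:
        findings.append("no-http-tls")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg))
```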
How Secure is “the cloud”*?
As more and more organizations embrace the migration to the cloud, there are the inevitable questions that arise around its safety. Specifically, enterprises need to know that their data is going to be secure if they choose to embrace a cloud-based model, particularly a public cloud. The biggest myth heard over and over among customers is that “the public cloud is not safe because it’s easier to attack, and then anyone can access my data.” What we’re seeing, however, is that this statement is simply not true. The simplest way to debunk a myth is to break it apart and look at each component.
MYTH: “The public cloud is not safe.”
TRUTH: When public cloud technology was new, there were concerns that it did not provide the requisite levels of security to keep data safe. These concerns were valid as the technology was not yet proven; however, this is no longer the case. Cloud providers now have years of experience, dating back to the early 1990s when modern cloud computing was first introduced. Over the decades, they’ve fine-tuned data and application access, ensuring strong governance, rights management and systems monitoring.
While the focus for on-premise and cloud-based IT is the same – to ensure application availability and security – cloud providers are able to scale this approach across multiple businesses and geographies. This scale and experience means that public cloud solutions, as long as they are well-managed, can actually prove more secure and reliable than their on-premise counterparts.
MYTH: “The public cloud is easier to attack.”
TRUTH: Many enterprises think that embracing the public cloud is tantamount to placing all of their digital eggs in one basket. The concern here is that if the provider is attacked, all access to their data – and therefore the ability to conduct business – could be lost. In most cases, however, a successful attack requires there to be an unpatched vulnerability in order to gain access. As we know, keeping up-to-date with patches is one of the biggest challenges for any organization today.
A key benefit of the public cloud is that the provider takes the responsibility for patching and monitoring the network, as well as adding extra layers of security to separate internal network systems from externally accessible applications and data. By adding in this third-party vendor whose responsibility is to keep their systems up to date, it actually can bolster security and help keep data more secure than it may otherwise be if held within your organization.
MYTH: “In the public cloud, anyone can access my data.”
TRUTH: One of the biggest concerns people have with public cloud is the worry that they will lose control if they entrust it with their data. By essentially relinquishing a stronghold on the data, there are understandable questions about how secure it could possibly be. However, one of the key benefits that SaaS (Software As A Service) providers grant is data privacy. In fact, data in the public cloud is harder for the “wrong people” to access than on-premise data.
For example, public cloud data is protected by authentication controls, which are constantly monitored by the cloud provider. And remember, it’s not just your data they are monitoring, but it’s many other customers as well. This ensures that should anyone try to breach your data for any cloud application instance, changes can be made in near real-time to automatically enhance cloud protection for all of the cloud provider’s customers. At the same time, individual businesses’ data is protected from access by others, such as competitors, as it is multi-tenanted. That means each data instance is unique and unaware of other data, using secure keys to obfuscate and prevent leakage. That makes it extremely difficult for an unwanted entity to access your information.
The bottom line
In the end, the biggest truth about security in public cloud is that it provides security at scale. As a single organization, everything you do is at a scale of one. You might learn from peers, monitor systems and patch and update applications, but there is no shared benefit to this approach. And, with the widely-documented shortage of skilled cybersecurity professionals available, it can be hard to keep up.
DNA For Pay*
The leaders of Genomics England have revealed that foreign hackers have attempted to access the DNA data the organization is collecting. The reality that hackers could steal DNA data if they successfully access a network is a scary thought. As the general population becomes more aware that their data is valuable, it should also become apparent that handing over data, in this case DNA, could result in it ending up on the Dark Web or in the hands of a nation state. While no breach occurred at this organization, the fact that they are regularly under attack should be a wake-up call.
Threat Focus: Quora – USA*.
Exploit: Unclear at this time.
Quora: A popular question and answer site that boasts 300 million monthly active users.
Risk to Small Business: 2.333 = Severe: People are not soon to forget that the question and answer site was unable to keep their data safe. This could cause a migration from any site to another similar one, something that is common among social media sites in particular.
Individual Risk: 2.857 = Moderate: Those affected by this breach are at an increased risk of phishing attacks.
Customers Impacted: Unclear at this time.
Effect On Customers: Quora handled the breach very well, with the CEO releasing a blog post detailing what they know and apologizing to their users. The amount of time it will take for the organization to regain their users’ trust is unclear. The transparency by the organization’s leadership will greatly help it bounce back sooner than if they hadn’t responded as such.
Risk Levels: 1 - Extreme Risk; 2 - Severe Risk; 3 - Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.
Threat Focus: Humble Bundle - USA*
Exploit: Credential Stuffing.
Humble Bundle: Humble Bundle, Inc. is a digital storefront for video games, which grew out of its original offering of Humble Bundles, collections of games sold at a price determined by the purchaser and with a portion of the price going towards charity and the rest split between the game developers.
Risk to Small Business: 2.333 = Severe: The breach only contained users’ subscription status, but it is believed that this could be the first part of a more extreme breach. Because the bad actor knows whether users’ subscriptions are active, inactive, or paused, they could send out spear-phishing emails about the subscriptions that would trick users into clicking.
Individual Risk: 3 = Moderate: No information directly related to the individual has been compromised other than the subscription status of users.
Customers Impacted: A “very limited” number of people.
Effect On Customers: This breach is a good lesson in how it is important to report any breach, as this seemingly minor breach is most likely the first step in a spear phishing campaign.
Risk Levels: 1 - Extreme Risk; 2 - Severe Risk; 3 - Moderate Risk
*The risk score is calculated using a formula that takes into account a wide range of factors related to the assessed breach.
POSTSCRIPT:
Be Ready for The Breach*
Since Marriott International was breached, it has been hit with two lawsuits that claim the organization delayed the breach disclosure and wasn't transparent. How an organization handles a breach has a significant impact on public opinion and customers' trust. An organization that is seen to be forthcoming, transparent, and honest with its customers is much less likely to see a serious migration of customers.
Here are some common mistakes made when reporting breaches:
Not having a plan – Not being prepared for a breach can lead to a panicked, unorganized response that is half-baked. Just like every organization should have a fire response plan, every organization should have response procedures in place for a breach.
Downplaying the incident – Your customers deserve to know if they are at risk. Also, downplaying the incident is likely illegal.
Delaying disclosure – Delaying disclosure can compromise the trust of your customers and may be illegal.
Oversharing / Undersharing – Sharing too much information can lead to bad actors taking note of the vulnerability and can put other organizations at risk. Sharing too little information can leave your customers at risk.
Not contacting the authorities – Involving law enforcement is free and can help significantly with the investigation.

* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provide the content in this publication to the reader for general information purposes only and have compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena, we believe their data to be accurate and reliable; however, we give no warranty (implied or otherwise) as to the content's accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.