Acumin’s Cyber/IT/Information Security Year in Review – 2015: Q2

Information Security | By Ryan Farmer / 19th January 2016

April – “No I insist, please just take it”

In the month that acts amounting to cyberwar unfolded, one airline went out of its way to make hackers’ jobs a lot easier. This time Ryanair wasn’t making the headlines for some new hare-brained scheme to charge for basic human rights on board its planes (toilets, seatbelts, oxygen, and what have you). Rather, they were embroiled in a transfer controversy – and no, not to do with them dumping travellers miles outside of their destinations: having gained access to the airline’s funds transfer system, hackers made a single payment of €4.6m to a Chinese bank account.

The Ryanair incident could potentially be attributed to Dyre Wolf (nomenclature courtesy of IBM, and nothing to do with Ghost or Jon Snow), a long-term malicious campaign combining multiple attack vectors against enterprise targets. There was much talk of dark web collaboration between crime rings, and warnings of diversion tactics (for example, launching DDoS attacks to mask the intended actions and targets) as the perpetrators focused their efforts on organisations which regularly wire-transfer large sums.

Another concerted and joined-up campaign this month saw DDoS attacks with traffic of up to 45GB/s launched against a plethora of online betting providers such as Unibet, Pokerstars, TonyBet, 888poker, and Betfair. The motivation behind these attacks was something that would become an all too familiar tale this year: ransom, with attackers demanding 10 bitcoins to halt their actions and allow normal connectivity to resume. The request is so modestly priced you might just be tempted!

Playing out like a tribute to Cold War espionage, Russian attackers were able to gain access to systems at the White House, including Obama’s unclassified emails and non-public schedule. The belief is that no truly classified systems were accessed, but it was certainly seen as something of a coup, especially as the entry route was apparently a spear-phishing email sent from the State Department, whose systems the attackers had had access to for some time.

This wasn’t the only online conflict centred on disparate values. In retrospect it was like looking through a window into the future, as Anonymous declared war on ISIS supporters online and launched #OpISIS. A number of sites and social media accounts were taken over and/or destroyed, although security services berated the heavy-handed vigilante actions, as valuable evidence was lost in the process.

Finally for April we look at something which will inevitably become more commonplace, and something that, it seems, has been happening on LinkedIn this year too (more on this later): social engineering attacks via CareerBuilder. Consider the information the standard CV holds, and then beyond this the inappropriate details jobseekers can often feel compelled to share. Bear in mind that, beyond contact details and career history, little of this information is truly required to move job, and none of it needs to be written down rather than discussed in person. It’s concerning, then, that individuals, including information/cyber security professionals (who would turn out to be a frequent target due to their high levels of access), deemed it necessary to share date of birth, spouse’s and children’s names and ages, National Insurance number, full address (sometimes including a second home), and employer toolsets, among other details, on their CVs. Such details are invaluable to social engineers, so it’s surprising that they would be made so readily available, particularly as some of the sites these documents are uploaded to don’t even require an employer to register details in order to search for them.


May – Third time’s a charm

Jamie. Again. This time, password-stealing malware served by the Naked Chef’s website was found running in the background on users’ machines.

Also rehashing old news this month, we had Russia and Ukraine taking their conflict digital again; hotels (Hard Rock and Intercontinental) suffering PoS attacks; Afognak (an Alaskan tribal entity) transferring $3.8m to cybercriminals; and, in what would go on to become a recurring event this year, road signs and billboards being hijacked with inappropriate images, beginning in Atlanta (PSA – don’t investigate further!). The latter is actually incredibly easy to do, as the majority of the systems that relay these messages use stock security settings and passwords on the device itself; if the default password isn’t in use, fear not, for a simple pattern of several button presses will restore factory settings. Ease of use and accessibility are understandable, but some form of centralised read/write authentication should be expected as a minimum, considering the important information these devices can be displaying.

Q2 was definitely not a good time to be a US-based hotelier or health insurer, with large organisations hit in a multitude of attacks. Blue Cross Blue Shield Health was perhaps the most notable of these for the sheer volume of financial and sensitive medical records lost: 10 million may pale in comparison to rival Anthem’s earlier achievement, but it’s certainly no small effort. Even more alarming is the gap between when the attacks are believed to have occurred and when they were detected, some 6 months later. This wasn’t to be the end of it, though, as a second incident at a Blue Cross insurer, Excellus, was also discovered in September, dating back almost two years before being spotted. The vulnerability had remained open for the entirety of that time. Offering customers free credit reporting after such slow detection seems a little akin to trying to reattach the stable door after the horse has settled down elsewhere and started a new life.

On the subject of depressingly belated breach detection, the Hard Rock Hotel & Casino was hit by PoS malware for 7 months, whilst rival group Intercontinental Hotels was busy downloading malicious email attachments across several of its locations. Although less impressive than Hard Rock’s record, the Intercontinental chain had been under attack for 4 months until the Secret Service pointed out to them that they were being hit. And we all thought no good could come of US mass surveillance!

I suspect few people were overly sympathetic when the Internal Revenue Service was hit in a breach that, it would turn out, affected 330,000 US taxpayers; the number originally disclosed came in at about a third of that. With the data lost including Social Security numbers, it’s no surprise identity fraud was quick to follow, and some of those affected even started legal proceedings against the IRS, which they claim knowingly ignored technical vulnerabilities.

Meanwhile, Bitfinex could have been another footnote in the brief history of cryptocurrencies; however, despite being hit by a targeted attack and losing some 1500+ bitcoins, the fact that they kept funds in separate multisig vaults spared them the further 99.5% of their digital wealth. A small step for crypto exchanges, a giant leap for damage limitation through effective security procedures.

As if further proof were needed of how simple yet impactful hacktivist attacks can be, the World Trade Organisation fell foul of an Anonymous SQL injection against an e-learning system. Through this vector the WTO lost data for 50k+ records, including 58 admin account logins.


June – Government handouts

No one is safe online. Not your government, not the military, and not even security vendors. We’ve all seen tales of two-bit security start-ups overpromising on the power of their brand of snake oil, but Kaspersky is one of the household names. And not in a trading-on-the-success-of-decades-old-antivirus-products kind of way: they know their stuff and are usually on the front line of research and disclosures.

It came as something of a surprise, then, when it was discovered that the Russian AV firm had been breached. The attack, executed by those responsible for 2011’s Duqu APT, took advantage of a compromised digital certificate issued to Taiwanese hardware manufacturer Foxconn, as well as three simultaneous zero-day exploits, to deliver the malware. Due to the highly complex and costly nature of the methods used, the general consensus is that those involved were backed by a nation state. These are people who usually try their utmost to avoid detection, so the question remains as to their motivation – bragging rights? Capability testing? Preparation for a third iteration of Duqu? Or simply to access Kaspersky’s data?

Government website uptime around the western world took a hammering in June. This was in part due to a number of DDoS attacks launched at Canadian public sector entities, including the ca.gov site, Ontario’s police association, and the Canadian Security Intelligence Service (CSIS) site. Things weren’t much different south of the border, with the US Army’s site taken down by the Syrian Electronic Army, while some 47 other US government agencies lost user login details. Civil servants in America were hit from all sides, as 22m government employee records were lost when the Office of Personnel Management was hit in a highly targeted attack.

Over on the dark web, Akorn Inc., a pharmaceutical firm, found its customer database of 50,000 the subject of an online auction; considerately, the firm was invited to bid to buy its own data back. This followed an earlier SQL injection against vulnerable PHP files across its server environment. You would suspect that, had the data stolen included any IP, blank chequebooks would have been waved at those responsible; but this shows how fundamental information security is to an organisation’s ability to conduct its business.

Paranoia around putting all your online security eggs in one basket appeared justified, as password manager LastPass discovered unauthorised access to its network. They claim that vault encryption remained uncompromised, but urgently encouraged all users to reset their master passwords nonetheless. This wasn’t the first such attack against what is a very obvious and appealing attack surface, and it won’t be the last. While using such products enables far more effective password security, there is an air of inevitability and expectation that a serious incident will occur sooner or later, as the payload holds such value.

Reading like something from a Hollywood script, Polish airline LOT was forced to cancel 10 flights and reschedule 12 others when the computers responsible for issuing flight plans were attacked. We’ve heard a number of things about the potential for attacks on in-flight systems, but this was certainly a wake-up call to those in the aviation industry, if ever one was needed, about the high-impact nature of any incident on such systems. It may seem like hyperbolic media sensationalism, but it seems like only a matter of time before a cyber incident results in real-world casualties.