16 October 2017

Week in review: major security incidents in October 9-15


Week in review: major security incidents in October 9-15

Last week we have observed 14 major cybersecurity incidents, involving data breaches in large corporate consulting and management firm Accenture, Irish retail giant the Musgrave Group and services Bitly and Kickstarter, new APT activities from FIN7 (also known as Carbanak or Anunak) and ALF and campaign targeting banks in post-Soviet states. Below is the list of the most noticeable cybersecurity events along with brief description and commentary.

Monday

-         A security researcher Troy Hunt found that data of Bitly and Kickstarter users are publicly accessible. Bitly compromise in May 2014 affected over 9 mln customers. During attack against Kickstarter in February 2014 hackers compromised about 5.2 mln accounts. Though both security breaches happened 3 years ago, users of services are still being advised to change their passwords.

Tuesday

-         A deputy of the South Korea parliament reported that North Korean cybercriminals could have stolen a large amount of military data, including the newest operational plan for the South Korean Armed Forces and the United States.

In September 2016 hackers broke into the system of South Korean Department of Defense and stole over 235 GB of secret documents. In-depth analysis of only 20% of revealed documents showed that there were secret plans for joint actions of Seoul and Washington, including “Operational Plan 5015” (the most up-to-date blueprint for a US/South Korean war with Pynongyang, including a ‘decapitation strike’ against Kim Jong-un) and “Operational Plan 3100”.

-         One of the world’s largest corporate consulting and management firms Accenture confirmed that it left 4 cloud-based storage servers publicly visible. Disclosed data included secret API data, authentication credentials, certificates, decryption keys, customer information that could be used to attack Accenture and its clients.

Unprotected Amazon Web Services S3 storage buckets were found on September 17, 2017 by Chris Vickery, UpGuard Director of Cyber Risk Research.

-         Australian Cyber Security Centre in its threat report informed that hacking group APT ALF broke the network of the Australian military contractor and stole about 30 GB of classified military documentation regarding combat aircraft, bombs and naval vessels.

The Australian Signals Directorate (ASD) received a warning about hacking activity against an aerospace engineering company in November 2016. However, the researchers found that the attackers had access to the contractor's network at least from the middle of July 2016. Investigation showed that hackers were exploiting 12-year-old vulnerability to gain access to the domain administrator account and subsequently to the domain controller, the remote desktop server and compromise the entire network.

-         Security experts for Kaspersky Lab revealed a new malicious ATMii software targeting ATMs running under Windows 7 and Windows Vista. To install ransomware a malicious actor needs network or USB-connection to the device.

The first version of ATMii ransomware was discovered in April 2017. After affecting an ATM, а hacker can perform three malicious operations: scan cash cassettes for information on the exact number of bills in the ATM, program the ATM to issue the desired amount of money, and remove the malicious file from the ATM.

-         Trustwave SpiderLabs notified about a massive campaign targeting banks mainly located in post-Soviet states. By using a well-developed attack scheme hackers managed to steal over $40 mln from 5 banks.

Every attack involved both cyber and physical activities. One group of people (or mules) opened the bank account using fake documents, got the debit cards and pass them to hackers. The cyber team compromised computers of the banking staff and changed overdraft limit on the debit cards that allowed another group of mules to collect a large amount of money from ATMs located in foreign countries.

-         Musgrave, the parent company of SuperValu, Centra and Mace became the victim of cyberattacks. The retail group has already urged customers to review their statements as a precautionary measure.

Hackers tried to steal credit card and debit card numbers and expiry dates. However, no attempts to extract cardholders' names, PIN numbers, or CCV numbers had been made.

Wednesday

-         Research by Cisco’s Talos team showed that Eastern European hacking group FIN7 APT (also known as Carbanak or Anunak) hijacked U.S. state government servers to spread phishing emails allegedly on behalf of the Securities and Exchange Commission.

The messages were sent to a small, select group of U.S. businesses in several different industry sectors, including finance, insurance and information technology. Emails included malicious Microsoft Word documents with information about EDGAR data disclosure.

-         IT systems of two Swiss transport agencies suffered from DDoS attacks in the mornings on Wednesday, 11 and Thursday, 12.

The first issue affected the IT system that manages train orders and road traffic maps of Sweden Transport Administration (Trafikverket). The agency reported about the problem on its Facebook page.

The second attack hit the website of the Sweden Transport Agency (Transportstyrelsen), and public transport operator Västtrafik, who provides train, bus, ferry, and tram transport for parts of Western Sweden.

Thursday

-         Security Service of Ukraine warned about a possible massive cyberattack targeting state and private organizations.

The hacker's goal is to disrupt the functioning of the staff information systems, which can lead to destabilization of the situation in Ukraine. The mechanism of cyberattack will be similar to the one, conducted in June 2017.

On June 27, 2017 Ukrainian banks, energy companies, government Internet resources and local networks suffered from large scale ransomware NotPetya.

-         Hyatt Hotel alerted its customers about the second security breach. The first one takes back to December 2015.

Hackers had unauthorised access to the payment card information between March 18, 2017 and July 2, 2017. The attack resulted in the payment system hack and consumer data (cardholder name, card number, expiration date and internal verification code) theft.

Friday

-         ESET researchers identified the first-ever Android ransomware which locks the device as well as encrypts data. DoubleLocker is based upon mobile banking Trojan. If affected the system, ransomware changes device's PIN that prevents the victim form using it and encrypts files appending the extension “.cryeye”. Access both to the device and information can be resumed only after payment in an amount of 0.0130 BTC (approximately $54).

Saturday

-         Namaste Health Care in Ashland sent notifications about the security incident dating back to August 12-13. Unknown attackers launched a ransomware virus/attack on Namaste's file server and encrypted data of about 1600 patients. Affected information could potentially include names, addresses, dates of birth, Social Security numbers, and limited clinical information, such as diagnoses and treatments received.

-         Pizza Hut informed customers about “temporary security intrusion” that affected its website on October 1-2. Malicious actors accessed credit cards data of about 60,000 customers across the USA.

PizzaHutEmail.png

At least 5 clients have reported about fraudulent banking transactions in their Twitter and suspect Pizza Hut incident of it.

By Olga Vikiriuk
Analyst at Cybersecurity Help

Back to the list

Latest Posts

Free VPN apps on Google Play turned Android devices into residential proxies

Free VPN apps on Google Play turned Android devices into residential proxies

The threat actor behind this scheme profits by selling access to the residential proxy network to third parties.
28 March 2024
Cyber spies strike Indian government and energy sectors

Cyber spies strike Indian government and energy sectors

The operation involved phishing emails delivering the HackBrowserData info-stealer.
28 March 2024
Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

97 zero-day flaws were exploited in-the-wild in 2023, marking an increase of over 50% compared to 2022.
27 March 2024