
Archive for November 2018

Marriott Starwood Hack: Data of 500 Million Hotel Guests 'Compromised'

Hotel chain Marriott has confirmed widespread reports of a significant data breach with the sensitive details of 500 million customers possibly compromised.

In an online statement, the company said: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.”

The statement explained that the information copied from the Starwood guest reservation database over time includes information about guests who made a reservation at a Starwood property, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

“Marriott deeply regrets this incident happened,” the company added. “From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.” 

Javvad Malik, security advocate at AlienVault, said: “This seems like a particularly big breach, not just because of the number of records taken, but also the details that were contained within. It appears as if detection capabilities were not adequate, taking several weeks to notice the breach and extraction of records. It is good that the credit card database was encrypted, but if, according to the company, the attackers were able to take the decryption key, then it was of no use. The digital equivalent of leaving the key for the front door under the mat.”

Jake Moore, cybersecurity expert at ESET UK, advised victims of the breach to keep a watchful eye on where their data may end up.

“Be alert to the idea that hackers may well target you for the final few pieces of information that they couldn’t get hold of, perhaps in follow-up phishing emails, in an attempt to take over your identity in the coming days – if they haven’t done so already in the past,” he said. “This is particularly something to be mindful of if you visited one of the affected hotels on business and may not necessarily remember which hotels you visited.”

Source: Information Security Magazine

Undervalued Assets Put Business at Risk

New research from the Ponemon Institute, in partnership with DocAuthority, found that IT security departments are underestimating the value of business documents by hundreds of thousands of dollars.

In a newly published report, the Ponemon Institute found that despite being responsible for their management and protection, IT security departments are undervaluing a range of business assets, from research and development to financial reports. In contrast, they are over-prioritizing less-sensitive data related to personally identifiable information (PII).

The study found that IT security departments predicted that it would cost a business $306,545 to reconstruct an R&D document, while the R&D department estimated the reconstruction cost at $704,619, more than double what the IT security department estimated.  

Additionally, IT security departments estimated the impact of a leaked financial report at $131,570, compared to the $303,182 that the finance department believes it would incur from such an incident.

“The recent Ponemon report about data value illustrates the importance of understanding the relationships between organizations and third parties and the value of the information being shared. Only by doing so can organizations fully understand risk and properly prioritize effort and control,” said Matan Or-El, CEO of Panorays.

When IT security departments undervalue these assets, they also underestimate the safeguards that should be put in place in order to protect the business assets, thereby increasing the security risk.

The report also found that when organizations underinvest in protecting the more critical data, the result is money wasted on protecting meaningless data or the mishandling of access rights for employees.

"Typically, the security and protection of business data is considered to be the responsibility of the IT security department. Yet it’s clear from this research that IT security does not have the vitally important context required to understand the true value of that data and, in turn, create an effective strategy for defending it,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute in a press release. “Rather than being relegated to IT, data and its protection should be the concern of not only management level, but the business as a whole.”

Source: Information Security Magazine

Request for Gift Card Purchases in Phishing Emails

Hackers are deep in the spirit of exploiting the holidays for financial gain, which is why it’s unsurprising that yet another new type of spear phishing attack has emerged, in which attackers are posing as CEOs to trick office managers, executive assistants and receptionists into sending them gift cards, according to email security researchers at Barracuda Networks.

Since early October, the researchers have reportedly seen an uptick in these types of attacks. Unlike other phishing campaigns that include attachments, these emails do not have malicious links or files included. What also seems to be working effectively is that they are often sent from trusted email domains.

As a result, traditional email filters often do not recognize them as threats. Additionally, the attackers capitalize on the urgency of the holidays and pose the request as a company surprise, discouraging the victim from checking whether the request is legitimate.

Using the social engineering tactics of CEO impersonation, requests for secrecy, researching relevant details and implied urgency, the attackers are specifically and intentionally exploiting people’s good cheer during the holidays.

Credit: Barracuda Networks

In another example, an email message sent “from my Sprint Wireless 4G LTE Smartphone” asks the recipient to pick up gift cards to be distributed to staff but requests that she keep the transaction confidential.

“In all of these attacks, the emails were sent from free personal email services with a relatively high reputation. In addition, they do not contain any type of malicious payload, such as links or attachments,” wrote Barracuda’s Asaf Cidon, VP of content security services.

“Instead the emails rely solely on social engineering and impersonation to trick their targets. These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals.”

Source: Information Security Magazine

Cisco Offers Cyber Training to UK Police Officers

Cisco is trumpeting a new initiative designed to improve the cybersecurity skills of UK police officers.

The US tech giant claimed its partnership initiative will see 120,000 officers in England, Scotland, Wales and Northern Ireland gain access to the Cisco Networking Academy.

This will provide training for individuals at all levels. The learning platform runs both in-person and online courses including: Introduction to Cybersecurity, Cybersecurity Essentials, CCNA [Cisco Certified Network Associate] Cybersecurity Operations and CCNA Security.

Andy Beet, futures lead at the Data Communications Group of the National Police Chiefs’ Council, welcomed the news.

“By joining the program, forces can access training designed to raise awareness and increase their understanding of cybercrime and cyber-threats, while also gaining insights into the procedures used to defend networks,” he explained.

“It’s important for all police officers to understand cybersecurity as fully as possible; by doing so they can develop their knowledge in this increasingly important area, improving security in both their professional and personal lives."

The police are certainly in need of extra resources to improve skills levels, but getting the funding is a struggle at a time of continued government-imposed austerity.

Two years ago, then-home secretary Theresa May announced new plans to draft in volunteers to help regular officers on cybercrime cases without the need to become special constables first.

Sixteen forces that responded to a recent FOI request from think tank Parliament Street spent an average of just £82,500 each on training over the past three years. However, a large proportion of this was accounted for by just a handful of forces, including North Wales Police (£375K), West Mercia & Warwickshire (£126K), and Lincolnshire (£120,000).

Cisco claims its Networking Academy has helped to train over eight million people globally since its launch 20 years ago.

A Cisco spokesperson told Infosecurity that while the program will have a strong focus on cybersecurity and networking, it will also look at areas such as the Internet of Things, programming and operating systems.

It’s believed that access to the academy is being offered pro bono.

Source: Information Security Magazine

NVRmini2 Network Video Recorder Vulnerabilities

The vulnerability research team at Digital Defense announced that it has discovered a zero-day vulnerability in the Nuuo NVRmini 2 network video recorder (NVR) firmware, software used by hundreds of thousands of surveillance cameras worldwide.

Reportedly caused by “improper sanitization of user-supplied inputs and lack of length checks on data used in unsafe string operations on local stack variables,” the flaw ("lite_mv" Remote Stack Overflow in NUUO NVRmini2 3.9.1) would allow an attacker to gain remote access as an unauthenticated user. The attacker could then execute arbitrary code with root privileges.

According to the researchers, NVRmini2 firmware version 3.9.1 and prior is vulnerable to an unauthenticated remote buffer overflow that could potentially be leveraged by an attacker. Exploiting the vulnerability could allow an attacker to modify the camera feeds to the NVR and change its configuration or recordings.

A patch has since been issued, and Digital Defense commended NUUO for its swift response in providing fixes to the security issue.

In related news, Tenable researcher David Wells recently disclosed a vulnerability (CVE-2018-15715) in Zoom applications for Windows and macOS that could also be exploited by an unauthorized user to invoke functions normally reserved for Zoom servers.

The two disclosed vulnerabilities in NVRs are indicative of the potential security problems in these internet of things (IoT) devices. According to Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), NVRs are one of the earliest types of connected devices to be successful in the market.

Because they were so early to market, many of these systems haven’t evolved, making them vulnerable to the same types of basic flaws, Young said. “Anyone using the Nuuo NVRmini 2 needs to prioritize patch deployment for affected systems, regardless if the device is directly exposed to the Internet.

"This can be exploited with an unauthenticated HTTP request, and attackers can craft malicious web pages which search local networks for affected systems to compromise. This type of attack is known as cross-site request forgery and can come from malicious emails, advertisements, and even comment spam.”

Source: Information Security Magazine

Attackers Run on Dunkin's DD Perks Rewards

Boston-based Dunkin’, the brand formerly known as Dunkin Donuts, has released a warning to its customers stating that DD Perks reward account holders were potentially hacked by a third party in a credential-stuffing attack wherein hackers were trying to steal the rewards points to sell and trade them on the dark web.

The incident was discovered on October 31, 2018, by one of Dunkin’s security vendors, and it is believed that malicious third-party actors used credentials stolen from other breaches to access user accounts.

According to a statement shared with Infosecurity Magazine by a Dunkin’ spokesperson, “Dunkin’ Brands has issued notification letters to certain DD Perks account holders who may have experienced unauthorized access to their accounts.”

Additionally, the company's incident advisory warned that the attackers might have accessed the first and last names of impacted account holders, along with their email addresses and 16-digit DD Perks account number and their DD Perks QR code. Dunkin’ said it forced a password reset so that all potentially affected account holders would have to log out and use a new password to log back in to their accounts.

“Just when you thought that hackers could not come between you and your morning coffee, they get you right in the rewards points. NuData Security has found that 90% of cyberattacks start with some sort of automation, credential stuffing being a prominent one like the one perpetrated on Dunkin’,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

“The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone. What this means is that adversaries can automatically cycle through username and password pairs against login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found."

While customers are advised to change their passwords, Wilk said this is only a temporary fix that fails to address the root of the problem. “One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioral biometrics, automated activity is flagged at login before it can even test any credentials in the company's environment.”
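The detection Wilk describes (flagging automated activity at the login page) can be approximated from login audit logs alone. The following is an added example, not code from Dunkin', NuData or the article: it scores each source IP on the number of distinct accounts it fails against within a short window, which is the signature of credential stuffing rather than a person mistyping one password. The log format, field names and thresholds are assumptions.

```python
"""Credential-stuffing detector over constructed login-audit lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed audit-line format: "<epoch seconds> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays stolen pairs across eight accounts and
# lands one; 198.51.100.4 is a person who mistyped their own password twice.
SAMPLE_LOG = """\
1541001000 ip=203.0.113.7 user=alice result=fail
1541001001 ip=203.0.113.7 user=bob result=fail
1541001001 ip=203.0.113.7 user=carol result=fail
1541001002 ip=203.0.113.7 user=dave result=fail
1541001002 ip=198.51.100.4 user=erin result=fail
1541001003 ip=203.0.113.7 user=frank result=fail
1541001003 ip=203.0.113.7 user=grace result=fail
1541001004 ip=203.0.113.7 user=heidi result=fail
1541001005 ip=203.0.113.7 user=ann result=ok
1541001010 ip=198.51.100.4 user=erin result=fail
1541001020 ip=198.51.100.4 user=erin result=ok
1541001030 ip=192.0.2.9 user=ivan result=ok
this line is garbage and is skipped
"""


@dataclass
class SourceStats:
    first_ts: int = 0
    last_ts: int = 0
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    landed: set = field(default_factory=set)  # accounts that succeeded after failures from this IP


def parse_line(line):
    """Return the parsed event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group events per source IP; malformed lines are skipped rather than fatal."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts = int(ev["ts"])
        s = stats[ev["ip"]]
        if s.attempts == 0:
            s.first_ts = ts
        s.last_ts = max(s.last_ts, ts)
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "fail":
            s.failures += 1
        elif s.failures > 0:
            s.landed.add(ev["user"])  # a hit after a spray: force-reset this account first
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8, window_s=300):
    """Flag IPs that fail against many distinct accounts within a short window."""
    flagged = {}
    for ip, s in stats.items():
        span = s.last_ts - s.first_ts
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio and span <= window_s:
            flagged[ip] = {
                "distinct_users": len(s.users),
                "fail_ratio": round(ratio, 3),
                "span_s": span,
                "landed": sorted(s.landed),
            }
    return flagged


def detect(log_text=SAMPLE_LOG, **thresholds):
    return flag_stuffing(aggregate(log_text.splitlines()), **thresholds)


if __name__ == "__main__":
    for ip, info in detect().items():
        print(ip, info)
```

Only the spraying IP is flagged; the human who retried their own password is not, because the distinct-account count stays at one.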

Source: Information Security Magazine

NSA Exploits Not Silent but Eternally Problematic

It’s been over a year since patches to protect against the leaked NSA exploits were released, yet Akamai has published research revealing the continued use of the Eternal family of exploits with evidence of a new version of the UPnProxy vulnerability targeting unpatched computers behind the router’s firewall.

In a new and widely distributed campaign, a family of injections dubbed EternalSilence has been leveraging the Eternal family of exploits. According to the research, exploiting the vulnerability allows attackers to burrow through the router, infecting individual computers on the network. The UPnProxy vulnerability affords attackers deeper insight into the devices they can target while strengthening the malicious network. 

Researchers discovered more than 45,000 devices have been compromised, which is estimated at over a million computers waiting for commands, but they have not been able to gain insight into what happens post-injection. “They can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network,” Akamai’s Chad Seaman wrote.

Victims of the attack may very well not know that they have been targeted, particularly if their existing machines on the internet have already been segmented, the research said. As a result, any unpatched machines within the network will be easy targets.

“It was only a matter of time before the leaked NSA exploits would be used yet again for malicious purposes. It’s been over a year since these hacking tools first came on the scene, and even despite the number of successful attack methods that have since ensued, many organizations are still vulnerable to these exploits,” said Tyler Moffitt, senior threat research analyst, Webroot. “Unless properly patched, cyber-criminals are only going to continue using them in attacks for profit.

“There will always be zero-day vulnerabilities, but it’s worth noting that the vast majority of exploit attacks seen in the wild involve cyber-criminals targeting known vulnerabilities. These vulnerabilities have already been fixed by the vendor, but the fix has not been deployed and installed by the end user. There is without doubt a window of opportunity for cyber-criminals to take advantage.”

Source: Information Security Magazine

Attackers Keen on Automated Browsers

Google Chrome has long been a popular web browser, but since the introduction of its headless mode, the browser has grown in popularity not only among software engineers and testers but also with attackers, according to Imperva.

According to recently published research, "Headless Chrome: DevOps Love It, So Do Hackers, Here’s Why," the headless technique has grown more popular, particularly since Chrome introduced the functionality last year. Additionally, malicious actors are using the technique to target specific sites and exploit newly released vulnerabilities.

When Chrome is running without its “head,” or GUI, the latest full version of the Chrome browser is executed with the added perk of being able to control it programmatically on servers without dedicated graphics or display.

“In headless mode, it’s possible to run large scale web application tests, navigate from page to page without human intervention, confirm JavaScript functionality and generate reports,” wrote Imperva’s Dima Beckerman.

While DevOps appreciates the ability to benignly run large scale tests, attackers are able to leverage the same functionality for malicious purposes by evaluating JavaScript or emulating browser functionality.

“We observe more than 10K unique IP addresses daily performing scraping, sniping, carding, blackhat SEO and other types of malicious activity where JavaScript evaluation is necessary to perform the attack,” Beckerman said.

While automation in web browsers isn’t exclusive to Chrome, said Beckerman, “in comparison to other headless browsers and automation frameworks, Headless Chrome overtook the previous leader, PhantomJS, within a year of its release.”

Automated browser trends over the last year. Credit: Imperva

In addition to Chrome constantly adding new features and introducing new trends in web development, Headless Chrome has also become popular because of its support for a wide range of operating systems. DevOps appreciates Chrome’s convenient development tools and features, according to Imperva.

However, as much as DevOps has embraced Headless Chrome, “Chrome occupies the top of the 'attackers’ podium,' with half of the malicious traffic divided evenly between execution in headless and non-headless mode,” Beckerman wrote.

Because Headless Chrome is used for both malicious and legitimate purposes, Beckerman said blocking the automated browser should be done on a case-by-case basis, depending on the intent and behavior of each individual IP address.

Source: Information Security Magazine

US Indicts Two Iranians for SamSam Campaign Blitz

Two Iranian men have been indicted for a string of ransomware attacks over the past three years, causing $30m in losses to over 200 organizations, mainly in the US.

Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, are accused of operating the infamous SamSam ransomware variant which targeted notable organizations including the Hollywood Presbyterian Medical Center, City of Atlanta, MedStar Health, Kansas Heart Hospital and the City of Newark.

The two are said to have made over $6m from their scheme to date, creating the first version of the malware in December 2015 before updating it in June and October 2017.

The attacks differed from many ransomware campaigns in being highly targeted, with the duo researching their victims, scanning for vulnerabilities and then striking outside of business hours to cause maximum disruption, all while disguising attacks as legitimate network traffic.

The two are charged with: one count of conspiracy to commit wire fraud; one count of conspiracy to commit fraud and related activity in connection with computers; two substantive counts of intentional damage to a protected computer; and two substantive counts of transmitting a demand in relation to damaging a protected computer.

They’re unlikely to be brought to justice, as the duo remain in Iran. However, the US Treasury has decided to impose sanctions on two more men, Ali Khorashadizadeh and Mohammad Ghorbaniyan, whose accounts are said to have been used to receive the stolen Bitcoin funds.

The move is more a statement of intent than anything else, as the two could simply open new cryptocurrency accounts elsewhere.

FireEye cybercrime analysis manager, Kimberly Goody, claimed the two may have targeted critical infrastructure organizations to improve their chances of receiving a pay-out.

“In our SamSam investigations, we observed activity consistent with that noted in the indictment including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also allows attackers the ability to better understand victim environments and to both deploy ransomware payloads more broadly and to identify high value systems – putting additional pressure on organizations to pay,” she added.

“It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing card payment data, and we have also seen the deployment of cryptocurrency miners in victim environments.”

Sophos principal research scientist, Chester Wisniewski, argued that SamSam may be just the start of a new wave of targeted ransomware.

“Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware,” he continued. “By the time most IT managers notice what’s happening, the damage is done. Other cyber-criminals have taken note, and in 2019 we expect copycat attacks.”

Source: Information Security Magazine

Elasticsearch Snafu Exposes Data on 82 Million Americans

The personal information of nearly 82 million Americans was exposed online for at least two weeks thanks to another cloud misconfiguration error, although it’s not clear which company is at fault.

Researchers from security firm HackenProof discovered the publicly available Elasticsearch servers via a simple Shodan search. Elasticsearch is an open source search engine used for private networks.

At least three IPs associated with the same Elasticsearch clusters were left open for public access, exposing a whopping 73GB of personal data. Part of this related to 56,934,021 US citizens.

Exposed information included first name, last name, employer, job title, email, address, state, zip, phone number, and IP address. A second trove of 25 million records was a more detailed directory with a business slant, including: name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employee count, revenue numbers, NAICS codes, SIC codes, and more.

Combined, over 114m records were affected.

The data was made private on November 28, two weeks after it was first indexed by Shodan, although it’s unknown how long it was exposed for before that. It could have been obtained by hackers, or theoretically the owner of the Elasticsearch instances could have been extorted.

HackenProof also warned that in cases like this, full access could have allowed for remote code execution on the system.

“While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc,” said HackenProof.

Adding to the mystery, that company’s website is now offline and the researchers have not been able to establish contact with any representatives.

Balaji Parimi, CEO of CloudKnox Security, argued firms need to proactively manage privileged accounts to reduce the risk of human error like this.

“Over-privileged identities are one of the biggest threats facing enterprises with complex, multi-cloud environments, and we will continue to see database leaks like this one until companies get better at assessing and managing unused, high-risk privileges,” he added.

“This latest data breach should serve as a wake-up call to IT security operations teams. Poorly secured, internet-facing infrastructure will be discovered and exploited. The developing threat landscape reinforces the notion that all organisations have targets firmly on their backs at all times and threat actors will continue to innovate attack methods to secure valuable data and possibly leverage that data for more nefarious purposes.” 

Cofense director of sales engineering, David Mount, argued that those affected may have been exposed to phishing campaigns.

“It’s extremely important for end-users to stay vigilant when monitoring email inboxes for any messages that may seem unexpected, strange or suspicious and report them immediately for further analysis," he added.

“Remember that mitigating risk doesn’t end with addressing the vulnerable server. As important as security software and firewalls are, technology alone is not enough to stop active phishing attacks.”

Source: Information Security Magazine