At a glance.
- Data leak at TVSmiles.
- Amtrak's data breach and the risk of credential stuffing.
- Data taken in ransomware attacks offered for sale on the dark web.
- Collaboration on a data leak platform.
Unsecured database exposes user information at TVSmiles.
UpGuard reports that the quiz app by TVSmiles (also a multi-device advertising app) had left an Amazon Web Services S3 bucket unsecured. In the database was “unencrypted personally identifiable information matched to individual users, profiling insights about users’ interests based on quiz responses, associations to smart devices, and accounts and login details for TVSmiles’ business relationships.” TVSmiles, a German firm, has upwards of three million users, mostly in Europe.
Amtrak's data breach and the risk of credential stuffing.
While the data breach Amtrak disclosed in its Guest Rewards system may not have included the more obviously troubling data (pay cards, Social Security Numbers, etc.), it did include usernames and passwords. Those can be changed, and Amtrak has asked its customers to do so, but users should be aware of the possibility that such information could be used in credential-stuffing attacks. Jason Kent, Hacker in Residence at Cequence Security, commented in an email:
"We've watched credential stuffing attacks escalate over the past few months, and sympathize with the impacted organizations who have to work to respond and reposition their platforms as 'secure and private.' While end-users certainly have a role to play in securing their accounts with strong passwords and multi-factor authentication, we believe that organizations also need to take a close look at the risk profile of their APIs to ensure that they are not an easy and attractive target for hackers. These API-centric attacks will only continue to escalate as long as insecure endpoints are easily discovered, analyzed, and abused."
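The detection side of the credential-stuffing risk described above, as an added example that is not part of the original article or of any product mentioned in it: replayed leaked username/password pairs show up in authentication logs as one source trying many distinct accounts and mostly failing, unlike a legitimate user retrying one account. The log format and the sample lines are constructed for this example; the thresholds are assumptions to be tuned per deployment.

```python
"""Flag credential-stuffing patterns in authentication logs.
Constructed log format: "<timestamp> <source_ip> <username> <OK|FAIL>"."""
from collections import defaultdict

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = """\
2020-06-03T10:00:01Z 203.0.113.7 alice FAIL
2020-06-03T10:00:01Z 203.0.113.7 bob FAIL
2020-06-03T10:00:02Z 203.0.113.7 carol FAIL
2020-06-03T10:00:02Z 203.0.113.7 dave OK
2020-06-03T10:00:03Z 203.0.113.7 erin FAIL
2020-06-03T10:00:03Z 203.0.113.7 frank FAIL
2020-06-03T10:01:10Z 198.51.100.4 alice FAIL
2020-06-03T10:01:15Z 198.51.100.4 alice FAIL
2020-06-03T10:01:20Z 198.51.100.4 alice OK
"""

def parse(log):
    """Yield (ip, user, outcome); skip lines that do not fit the format."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3]

def detect_stuffing(log, min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, fail_ratio, accounts_logged_in)} for
    sources that tried >= min_users distinct accounts and failed at least
    min_fail_ratio of the time. Accounts that *succeeded* from such a
    source are the ones whose leaked password worked: reset those first."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                  "users": set(), "hits": set()})
    for ip, user, outcome in parse(log):
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(s["users"]), round(ratio, 2), sorted(s["hits"]))
    return flagged

if __name__ == "__main__":
    for ip, (n, ratio, hits) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} accounts tried, {ratio:.0%} failed, logged in: {hits}")
```

The second source in the sample (one account, three tries, eventual success) is a normal user and is not flagged; a distributed campaign that spreads attempts over many IPs needs an additional per-window aggregate that this per-source view alone does not give.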
Data taken in ransomware attacks offered for sale on the dark web.
Ars Technica reports that REvil, the ransomware gang also known as Sodinokibi, opened bidding yesterday on their cynically named site the Happy Blog for two tranches of confidential data stolen in the course of attacks on two separate companies. Some of the data are business information. Other data for sale include personal information like scanned driver’s licenses.
This represents a further step in the evolution of ransomware. The first phase was simply encrypting files, thereby denying them to the victim. But this has limited potential: once targets realize the threat and start taking the precaution of routinely backing up their data, ransomware drops to the level of a nuisance.
Second came data theft. The extortionists exfiltrated data and threatened to dox the victims by releasing sensitive or embarrassing information if the victim didn’t pay the ransom by the deadline. This threat to dox is a way of achieving leverage over the victim, increasing the pressure to pay.
And now, in the third phase, the extortionists simply add another revenue stream. They’ll not just release the victim’s files, but sell them in the criminal-to-criminal underground markets.
Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, emailed some animadversions concerning the quality and credibility of the offers made on auction sites like this.
"An interesting trend that one may observe in today's cybercrime landscape is fake threats to publish allegedly stolen data. Many organizations, whose business largely depends on their reputation, are well prepared to pay a fortune to avoid negative publicity.
"Another relatively new but rapidly growing scenario is exaggeration of the nature or value of data stolen and encrypted by ransomware. Organizations have limited visibility of their 'attack surface', including corporate data which is chaotically dispersed across the organization’s computers and servers. Once a machine is hacked and encrypted, victims may well believe that attackers will find a backup of their database, critical source code or other important trade secrets. However, prior to paying a ransom, you should carefully investigate, analyze and assess the situation to avoid falling victim to manipulative fraudsters.
"Sadly, the coronavirus pandemic has pushed many beginners in the IT field to become cybercriminals amid unemployment and the lack of well-paid jobs in their field. Thus, we will likely see a surge of fake extortion campaigns ventured by the newbies and aimed at stripping organizations of cash in a simple and swift manner."
Collaboration on a data leak platform.
Another development has been observed, this one attributable to a known innovator in the underworld. The gang behind Maze ransomware last November pioneered the now routine criminal practice of stealing data to gain leverage against their victims. BleepingComputer reports that Maze is now leading the formation of a cartel that would enable ransomware gangs to cooperate and share information.
That this is happening may be seen in the appearance on the Maze leak site of files taken from an architectural firm. These files, however, weren’t taken by Maze, but rather by LockBit, a different ransomware-as-a-service operation.
BleepingComputer, which is often remarkably successful in getting criminals at large to return their emails, contacted Maze and received an explanation of what’s up:
"In a few days another group will emerge on our news website; we all see in this cooperation the way leading to a mutually beneficial outcome, for both actor groups and companies.
"Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions are behind every successful business."
It’s not clear how, or even whether, money is changing hands. Maze declined to answer a question asking whether they would receive a cut of LockBit’s take. They “couldn’t share those details,” maybe because, hey, they’re proprietary.
In any case, Maze led the way in moving extortion from simple ransomware to a combination of ransomware and doxing. It may now be leading the way in cartelization.