At a glance.
- Capital One fined $80 million for 2019 data breach.
- Unpatched VPN server may have exposed retailer's data.
- Canon said to have been hit with Maze ransomware.
2019 Capital One data breach draws $80 million fine.
The US Office of the Comptroller of the Currency (OCC) has fined Capital One $80 million over the data breach the financial services firm sustained in 2019, the Washington Business Journal reports. 106 million records of customers and credit card applicants were exposed in the incident. The Wall Street Journal writes that consent orders from the OCC and the Federal Reserve will "require the bank to make risk-management changes and beef up its cybersecurity defenses." Capital One says it's already made many of the changes the consent orders require.
On August 28th, 2019, the US Attorney for the Western District of Washington secured an indictment against Paige Thompson, charging the former computer engineer with "wire fraud and computer fraud and abuse for the intrusion into data of Capital One and more than 30 other entities."
Report: Monsoon suffers a data exposure incident from an unpatched enterprise VPN server.
An unpatched vulnerability in Pulse Connect Secure VPN servers has affected the large British retailer Monsoon. A scan by VPN Pro determined that the following information was accessible to unauthorized users:
- "A list of employees’ usernames, unique IDs and MD5 crypt hashed passwords"
- "Encrypted administrator details"
- "Observed VPN logins, which include the login date, time and device, along with the usernames and plaintext passwords"
- "VPN session cookies, both active and inactive"
- "Daily sales data"
- "Meeting minutes"
- "Business intelligence data"
- "Other internal documents"
- "45,000 customer names, emails, countries and what appears to be store codes"
- "Roughly 650,000 reward card and voucher numbers, many still active until 2021, with initial and remaining balances. According to Monsoon’s FAQ page, customers can redeem these voucher codes online as long as they’ve linked their Reward Card to their account"
- "A sample file containing 10,000 customer records, including names, email addresses, phone numbers and mailing and billing addresses"
Much of the data at risk represent intellectual property and sensitive business information as opposed to personally identifiable information, but there's enough PII in the list to raise privacy concerns.
Canon may have sustained a Maze ransomware attack.
BleepingComputer reports that Canon, the Tokyo-based multinational imaging and optics firm, has been hit with Maze ransomware, and a number of its internal services appear to have suffered disruption. The Maze gang contacted BleepingComputer and claimed responsibility. They also claim to have obtained ten terabytes of company data, which they intend to release if they’re not paid the ransom they’ve demanded. Claims by criminal gangs should always be received with an appropriate degree of skepticism, but in this case Maze may indeed have what they claim. Canon says it’s investigating.
We received comments from Coalition, a cyber insurance startup that specializes in ransomware risk management. Tiago Henriques, Coalition’s GM of Customer Security, said:
“Ransomware has been taking businesses hostage (literally), and the tools, tactics, and procedures criminal actors are using have become even more advanced in recent months. The Canon breach, reportedly the result of a Maze ransomware attack, is the latest such attack. In the first half of 2020 alone, we observed a 279% increase in the frequency of ransomware attacks amongst our policyholders. Maze is a particularly malicious strain of ransomware, the criminal actors claim to steal their target’s data each time, and threaten to release it publicly if they refuse to pay the ransom. Its ransom demands are also particularly costly -- the average Maze demand we’ve seen is approximately ~5.5x larger than the overall average."
We also heard from two security firms, KnowBe4 and Cerberus Sentinel. James McQuiggan, Security Awareness Advocate at KnowBe4, commented:
"While it's not been entirely evident, this attack is not one that happened quickly. Cybercriminals would have been inside the infrastructure and systems for some time, not hours, but most likely days, to access this many domains of the organization. Ransomware continues to be the favorite attack vector of cybercriminals. They gain access to organizations either through social engineering phishing attacks or through misconfigurations on unpatched systems found available on the internet. Considering that 70-90% of ransomware attacks are successful due to phishing attacks, organizations want to take the proper steps to secure their environment. To effectively secure their infrastructure, data, and employees, they want to establish a defense-in-depth or layered security model to protect, identify, and react promptly to any attacks. Organizations should provide security awareness and training to their employees to ensure that they have the knowledge and understanding to make security decisions and relay the phishing emails to the relevant department."
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, offered some perspective from the white-hat point-of-view:
"In our ethical hacking engagements we are typically able to gain complete control of networks in 1 to 3 days, and the presence of security products rarely alerts the IT teams of the customers that hire us, much less prevents us from exploiting computer systems. The Maze group has proven themselves as good as professional security testing organizations, and the significant bounty they collect from extorting their victims means they are well funded to develop their own exploits and bypass methods. Given this, it’s not surprising that they have been able to compromise many large high-profile targets. The reality is that it is very difficult to protect yourself from a skilled adversary. Often all that’s required to completely compromise an organization is to miss one security patch, fail to change an insecure default setting, or trick just one user through social engineering. The size and complexity of enterprise IT networks make it very likely that once an attacker gains an initial foothold, they will be off to the races identifying other vulnerable or misconfigured systems. In short order, most skilled offensive security professionals or cyber criminals are able to gain complete administrative access to entire organizations. The difference is that the ethical hacking team reports their findings with suggestions for improvement, while the cyber criminals will steal data and attempt to find and delete backups in order to trap a victim with ransomware encryption malware.
"Organizations seeking to protect themselves from such skilled cyber criminals must adopt a culture of security that includes multiple important areas. Critical items include regular information security training for all personnel, a strong IT team capable of effectively hardening computer systems and quickly patching when vulnerabilities are discovered, real time monitoring for suspicious activity and regular penetration testing by skilled ethical hackers. The reality is that effective information security is difficult. It requires skilled personnel, vendors, and supporting budget to ensure that you can both prevent and quickly recover from cyber-attacks from experienced adversaries like Maze."