Capital One fined in 2019 breach. Enterprise VPN server exploited. Maze ransomware gang claims it successfully hit Canon.

Summary

By the CyberWire staff

At a glance.

Capital One fined $80 million for 2019 data breach.
Unpatched VPN server may have exposed retailer's data.
Canon said to have been hit with Maze ransomware.

2019 Capital One data breach draws $80 million fine.

The US Office of the Comptroller of the Currency (OCC) has fined Capital One $80 million over the data breach the financial services firm sustained in 2019, the Washington Business Journal reports. 106 million records of customers and credit card applicants were exposed in the incident. The Wall Street Journal writes that consent orders from the OCC and the Federal Reserve will "require the bank to make risk-management changes and beef up its cybersecurity defenses." Capital One says it's already made many of the changes the consent orders require.

On August 28th, 2019, the US Attorney for the Western District of Washington secured an indictment against Paige Thompson, charging the former computer engineer with "wire fraud and computer fraud and abuse for the intrusion into data of Capital One and more than 30 other entities."

Report: Monsoon suffers a data exposure incident from an unpatched enterprise VPN server.

An unpatched vulnerability in Pulse Connect Secure VPN servers has affected the large British retailer Monsoon. A scan by VPN Pro determined that the following information was accessible to unauthorized users:

"A list of employees’ usernames, unique IDs and MD5 crypt hashed passwords"
"Encrypted administrator details"
"Observed VPN logins, which include the login date, time and device, along with the usernames and plaintext passwords"
"VPN session cookies, both active and inactive"
"Daily sales data"
"Meeting minutes"
"Business intelligence data"
"Other internal documents"
45,000 customer names, emails, countries and what appears to be store codes"
"Roughly 650,000 reward card and voucher numbers, many still active until 2021, with initial and remaining balances. According to Monsoon’s FAQ page, customers can redeem these voucher codes online as long as they’ve linked their Reward Card to their account"
"A sample file containing 10,000 customer records, including names, email addresses, phone numbers and mailing and billing addresses"

Much of the data at risk represent intellectual property and sensitive business information as opposed to personally identifiable information, but there's enough PII in the list to raise privacy concerns.

Canon may have sustained a Maze ransomware attack.

BleepingComputer reports that Canon, the Tokyo-based multinational imaging and optics firm, has been hit with Maze ransomware, and a number of its internal services appear to have suffered disruption. The Maze gang contacted BleepingComputer and claimed responsibility. They also claim to have obtained ten terabytes of company data, which they intend to release if they’re not paid the ransom they’ve demanded. Claims by criminal gangs should always be received with an appropriate degree of skepticism, but in this case Maze may indeed have what they claim. Canon says it’s investigating.

We received comments from Coalition, a cyber insurance startup that specializes in ransomware risk management. Tiago Henriques, Coalition’s GM of Customer Security, said:

“Ransomware has been taking businesses hostage (literally), and the tools, tactics, and procedures criminal actors are using have become even more advanced in recent months. The Canon breach, reportedly the result of a Maze ransomware attack, is the latest such attack. In the first half of 2020 alone, we observed a 279% increase in the frequency of ransomware attacks amongst our policyholders. Maze is a particularly malicious strain of ransomware, the criminal actors claim to steal their target’s data each time, and threaten to release it publicly if they refuse to pay the ransom. Its ransom demands are also particularly costly -- the average Maze demand we’ve seen is approximately ~5.5x larger than the overall average."

We also heard from two security firms, KnowBe4 and Cerberus Sentinel. James McQuiggan, Security Awareness Advocate at KnowBe4, commented:

"While it's not been entirely evident, this attack is not one that happened quickly. Cybercriminals would have been inside the infrastructure and systems for some time, not hours, but most likely d"ays, to access this many domains of the organization. Ransomware continues to be the favorite attack vector of cybercriminals. They gain access to organizations either through social engineering phishing attacks or through misconfigurations on unpatched systems found available on the internet. Considering that 70-90% of ransomware attacks are successful due to phishing attacks, organizations want to take the proper steps to secure their environment. To effectively secure their infrastructure, data, and employees, they want to establish a defense-in-depth or layered security model to protect, identify, and react promptly to any attacks. Organizations should provide security awareness and training to their employees to ensure that they have the knowledge and understanding to make security decisions and relay the phishing emails to the relevant department."

Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, offered some perspective from the white-hat point-of-view:

"In our ethical hacking engagements we are typically able to gain complete control of networks in 1 to 3 days and the presence of security products rarely alerts the IT teams of the customers that hire us much less prevent us from exploiting computer systems. The Maze group has proven themselves as good as professional security testing organizations and the significant bounty the collect from extorting their victims means they are well funded to develop their own exploits and bypass methods. Given this, it’s not surprising that they have been able to compromise many large high-profile targets. The reality is that it is very difficult to protect yourself from a skilled adversary. Often all that’s required to completely compromise an organization is to miss one security patch, fail to change an insecure default setting, or trick just one user through social engineering. The size and complexity of enterprise IT networks makes it very likely that once an attacker gains an initial foothold, they will be off to the races identifying other vulnerable or misconfigured systems. In short order, most skilled offensive security professionals or cyber criminals are able to gain complete administrative access to entire organizations. The difference is that the ethical hacking team reports their findings with suggestions for improvement while the cyber criminals will steal data and attempt to find and delete backups in order to trap a victim with ransomware encryption malware.

"Organizations seeking to protect themselves from such skilled cyber criminals must adopt a culture of security that includes multiple important areas. Critical items include regular information security training for all personnel, a strong IT team capable of effectively hardening computer systems and quickly patching when vulnerabilities are discovered, real time monitoring for suspicious activity and regular penetration testing by skilled ethical hackers. The reality is that effective information security is difficult. It requires skilled personnel, vendors, and supporting budget to ensure that you can both prevent and quickly recover from cyber-attacks from experienced adversaries like Maze."

Selected Reading

Twitter for Android vulnerability gave access to direct messages (BleepingComputer) Twitter today announced that it fixed a security vulnerability in the Twitter for Android app that could have allowed attackers to gain access to users' private Twitter data including direct messages.

Canon hit by Maze Ransomware attack, 10TB data allegedly stolen (BleepingComputer) Canon has suffered a ransomware attack that impacts numerous services, including Canon's email, Microsoft Teams, USA website, and other internal applications.

UK Retail Giant Monsoon Has Vulnerability Exposing Sensitive Data (VPNpro) Report: Monsoon Accessorize uses an insecure version of Pulse Connect Secure VPN, exposing records of company and customer data. Read to learn more.

Report: Cybersecurity Firm’s Data Exposed, Among Others (vpnMentor) The vpnMentor cybersecurity research team, led by Noam Rotem and Ran Locar, have uncovered an unsecured AWS S3 bucket with over 5.5 million files and more than

Lafayette pays $45,000 ransom after cyber-attack (Sentinel Colorado) "In a cost/benefit scenario of rebuilding the city's data versus paying the ransom, the ransom option far outweighed attempting to build," the city said in a statement. "The inconvenience of a lengthy service outage for residents was also taken into consideration."

DJI Statement On Further Misleading Claims About App Security (sUAS News - The Business of Drones) Today’s report from the Synacktiv digital security firm about DJI software includes further inaccuracies and misleading statements about how our products work, following similar reports from them last week. We want to make clear that DJI’s products protect user data; that DJI, like most software companies, continually updates products as real and perceived vulnerabilities come […]

Class-Action Lawsuit Claims TikTok Steals Kids' Data And Sends It To China (NPR) A lawsuit alleging that TikTok collects and sends American users' data to China could cost the company hundreds of millions of dollars. TikTok denies the allegations.