At a glance.
- COVID-19-themed phishbait seems to decline.
- Cryptomining worm steals AWS credentials.
- Cruise company Carnival reports ransomware and possible loss of personal data.
- Stolen data's potential for use in social engineering.
- Tally rises in Canada Revenue Agency breach.
Cybercrime during the pandemic.
The Economist summarizes the effect of the pandemic on cybercrime: the dramatic rise in remote work has greatly expanded the attack surface criminals can exploit, and it's unsurprising that COVID-19 has been accompanied by a wave of attacks on security and privacy. Phishing has been the principal form of such attack. But such social engineering seems to be changing. Recorded Future reports that phishing attempts explicitly themed with COVID-19 phishbait have recently fallen off sharply. “These scams feed on emotion, and we’ve seen a decline in COVID-19 related phishing lures because it’s not something people are struggling to get information on anymore — it’s something we’re all living with,” one of the company's researchers said. So, while the expanded attack surface remains, the specific lures change. Call it understanding, resignation, skepticism, or even learned helplessness: the urgency that would lead people to click rashly and without caution seems to have abated.
Harvesting credentials and mining alt-coin.
Researchers at Cado say they’ve found a cryptomining worm, “TeamTNT,” that also carries functionality for stealing Amazon Web Services credentials. TeamTNT scans for misconfigured Docker instances, and the researchers say they've seen the campaign compromise a number of Kubernetes and Docker systems. The AWS Command Line Interface stores credentials unencrypted in a file called “credentials,” and the malware simply uploads this file to the attackers’ server. It also steals the AWS configuration file for additional information about the environment.
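The theft described above works because the AWS CLI keeps access keys as plaintext INI text (by default in ~/.aws/credentials) that any process able to read the file can copy. The following audit script is an added example, not code from Cado or the article: it parses such a file, reports profiles whose keys are long-lived (no session token, so they stay valid until rotated), and checks whether the file mode exposes it to other local users. The sample file content and its placeholder key values are constructed.

```python
"""Audit an AWS CLI credentials file (default ~/.aws/credentials) for the
plaintext, long-lived keys the article describes being copied off the host.
Added example, not from Cado or the article; sample content is constructed."""
import configparser
import os
import stat
import tempfile

# Constructed sample; key values are placeholders, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0

[ci-temp]
aws_access_key_id = ASIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret1
aws_session_token = EXAMPLEtoken
"""

def audit_credentials_file(path):
    """Return profile count, profiles with static keys, and file exposure."""
    parser = configparser.ConfigParser()
    parser.read(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    long_lived = []
    for profile in parser.sections():
        section = parser[profile]
        # A static access key with no session token never expires on its own;
        # once copied it stays valid until someone rotates or revokes it.
        if "aws_access_key_id" in section and "aws_session_token" not in section:
            long_lived.append(profile)
    return {
        "profiles": len(parser.sections()),
        "long_lived_profiles": long_lived,
        # Any group/other read bit lets another local user copy the file.
        "world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

def demo():
    """Write the constructed sample with a loose mode and audit it."""
    fd, path = tempfile.mkstemp(prefix="aws-credentials-")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, 0o644)  # deliberately loose, as on many dev boxes
    try:
        return audit_credentials_file(path)
    finally:
        os.remove(path)
```

Run `audit_credentials_file` against a real path to see which profiles would hand an attacker durable keys; the "default" profile here is the one worth replacing with short-lived role credentials.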
Cruise line company reports a data incident.
Carnival Corporation and Carnival PLC, the cruise line company whose subsidiaries include Princess Cruises, Carnival, the Holland America Line, Seabourn, P&O Cruises, Costa Cruises, AIDA Cruises, P&O Cruises, and Cunard, disclosed a “data incident” to the US Securities and Exchange Commission in an August 15th 8-K filing. Reuters reports that the incident was a ransomware attack. Carnival still has the matter under investigation, but both passenger and employee data are believed to have been affected. It's also not known which of the company's brands were affected.
Paul Bischoff, privacy advocate at Comparitech, commented through an email that it's too soon to tell what the impact of the incident will be. “We won't know the real impact of Carnival's breach until the company discloses what information was stolen," he wrote. "The sooner it reveals what customer information was breached, the sooner those customers can take steps to prepare and protect themselves. The longer it waits, the longer cybercriminals will have to launch attacks against affected customers.”
Chris Hauk, consumer privacy champion at Pixel Privacy, sees problems with the ways in which Carnival organized its defenses:
“This is another case of a company not taking the steps to properly defend their networks against the bad actors of the world. As mentioned by cybersecurity firm Bad Packets, Carnival failed to patch its edge gateway devices and firewalls, even though patches have been available to fix both issues since earlier this year. As for Carnival customers, they will need to keep their eyes open for phishing attempts and other "attacks" designed to separate them from their personal information and hard-earned money, as bad actors may attempt to take advantage of the data gleaned from this attack and the data breach that occurred earlier this year.”
Pravin Madhani, CEO and co-founder of K2 Cyber Security, wrote to urge that neither social engineering nor exploitation of known vulnerabilities should be overlooked. Chris Clements, Cerberus Sentinel's VP of Solutions Architecture, also urged attention to sound digital hygiene: patching, regular backup, and sound response and recovery plans. He noted the possibility that the attackers may have lurked in the system for some time before the attack was noticed. "Carnival states that they detected the ransomware attack on August 15th, but it’s likely that the attackers had access to their network and data for weeks or months prior searching and exfiltrating any sensitive data they could find."
Monetizing the data taken from Ritz London guests.
The fraudulent two-step that compromised paycard information of guests who'd made dining reservations required effective and convincing spoofing. For it to be worth their while, the crooks had to be able to make purchases with the stolen data, but there are, as KnowBe4 Security Awareness Advocate Javvad Malik observed in emailed comments, obstacles to doing this. Those obstacles can be overcome through social engineering:
"Compromising systems is usually one half of any hack. The second part is knowing how to monetise the information. In many cases, information relating to individuals can be used to launch social engineering attacks against the victims. This can range from sending phishing emails, to physical mail, text messages or phone calls. Because the criminals have access to sensitive information, they can sound very convincing and it can make it very difficult for people to identify it as fraudulent activity.
"In today's connected world, it is far too easy for criminals to get personal information on individuals from any number of sources. Therefore, people should always be wary of any call claiming to be from their bank or trusted reseller and should refrain from giving financial or other sensitive information over calls which they have not initiated themselves. When in doubt, they should end the call, and phone the provider themselves using a known number."
Canada Revenue Agency data breach tally rises.
Global News reports that Canadian authorities now say at least 9,000 GC accounts were compromised in the Canada Revenue Agency breach, up from initial estimates of 5,500. Affected accounts have been disabled, and investigators trace the breach to a credential-stuffing campaign.
Observers see the incident as holding lessons for both organizations and users. Casey Kraus, president of Senserva, regards it as a cautionary tale about cloud use: "Working to enforce policies like multi-factor authentication, privileged identity management, and automatic password changes can help to keep user accounts safe. Focusing on what a user has access to and how they access their account is the first step in preventing a breach in today's tech age.” Shawn Ram, Head of Insurance at Coalition, also points out the importance of two-factor authentication. Chris Hauk, consumer privacy champion at Pixel Privacy, points out that users can help immunize themselves against credential-stuffing by simply not re-using passwords.
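Credential stuffing, the technique the investigators cite, replays leaked username/password pairs, so its footprint in a login log is one source attempting many different accounts, each only once or twice, rather than hammering a single account. The detector below is an added example, not from the article or the CRA investigation; the log format and the sample lines (with RFC 5737 documentation addresses) are constructed.

```python
"""Flag the credential-stuffing shape in a login log: one source trying many
DIFFERENT accounts with few attempts each, unlike brute force on one account.
Added example, not from the article or the CRA investigation; the log format
and sample lines are constructed."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: 203.0.113.7 tries six distinct accounts (one succeeds),
# 198.51.100.9 hammers a single account, 192.0.2.5 is an ordinary user.
SAMPLE_LOG = """\
2020-08-15T10:00:01Z auth fail user=alice ip=203.0.113.7
2020-08-15T10:00:02Z auth fail user=bob ip=203.0.113.7
2020-08-15T10:00:02Z auth fail user=carol ip=203.0.113.7
2020-08-15T10:00:03Z auth ok user=dave ip=203.0.113.7
2020-08-15T10:00:03Z auth fail user=erin ip=203.0.113.7
2020-08-15T10:00:04Z auth fail user=frank ip=203.0.113.7
2020-08-15T10:00:05Z auth fail user=grace ip=198.51.100.9
2020-08-15T10:00:06Z auth fail user=grace ip=198.51.100.9
2020-08-15T10:00:07Z auth fail user=grace ip=198.51.100.9
2020-08-15T10:00:08Z auth fail user=grace ip=198.51.100.9
2020-08-15T10:00:09Z auth ok user=heidi ip=192.0.2.5
"""

def summarize_by_ip(log_text):
    """Return {ip: {'attempts': n, 'users': set, 'successes': n}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "ok":
            s["successes"] += 1
    return stats

def stuffing_sources(log_text, min_users=5, min_user_ratio=0.8):
    """IPs whose attempts spread across many distinct users: the stuffing shape."""
    flagged = {}
    for ip, s in summarize_by_ip(log_text).items():
        distinct = len(s["users"])
        if distinct >= min_users and distinct / s["attempts"] >= min_user_ratio:
            # Successes from a flagged source are the accounts to disable and
            # push through a password reset and MFA enrollment.
            flagged[ip] = {"distinct_users": distinct, "successes": s["successes"]}
    return flagged
```

The single-account source is deliberately not flagged: it is a brute-force pattern, handled by lockout and rate limiting, whereas the stuffing source is the one whose successful login points at a reused password.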