At a glance.
- Ministry of Health exposes 243 million Brazilians' data.
- CLOP takes credit for credit card heist.
- Kmart sustains a ransomware attack.
- Lessons from the Carrefour GDPR fine.
Brazilian ministry leaks database password in website code.
The Brazilian Ministry of Health inadvertently exposed a database containing the personal information of 243 million Brazilians, reports ZDNet. The developers of the ministry’s website included the database password in the site’s source code, meaning anyone who opened their browser’s developer tools (F12) could read it. Brazilian newspaper Estadao discovered the mistake after learning of a similar issue on another government website. While it is unclear whether any unauthorized parties found the password, if the database was accessed, this would be the largest data breach the country has ever experienced.
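The class of mistake described above, credentials shipped in client-side source that any browser user can read, is easy to catch before deployment. The following scanner is an added example, not code from the ministry’s site or any source cited here; it runs over constructed HTML with an inline script (hostname and credentials are invented) and reports redacted findings so a build pipeline can fail on them.

```python
"""Pre-deploy check for credentials embedded in client-side web assets.

Added example (not the ministry's code). It scans HTML/JS text that will
be served to browsers for database connection URIs and password-like
assignments, and reports masked findings so the report itself leaks nothing.
"""
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line: int
    kind: str
    redacted: str   # secret value masked so the report is safe to log

# Patterns: DB connection URIs with embedded credentials, and password
# assignments in JS/JSON/HTML. Tuned for recall; review hits manually.
_PATTERNS = [
    ("db-uri", re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql)://([^:/\s'\"]+):([^@\s'\"]+)@", re.I)),
    ("password-assignment", re.compile(r"\b(?:db_?pass(?:word)?|password|passwd|pwd)\b\s*[:=]\s*['\"]([^'\"]{4,})['\"]", re.I)),
]

def _mask(secret: str) -> str:
    return secret[:2] + "*" * max(len(secret) - 2, 3)

def scan_asset(text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in _PATTERNS:
            for m in pat.finditer(line):
                secret = m.group(m.lastindex)  # last group is the password
                findings.append(Finding(lineno, kind, _mask(secret)))
    return findings

# Constructed sample page modelled on the anti-pattern in the report:
# server-side credentials placed in an inline script (all values invented).
SAMPLE_HTML = """<html><body>
<script>
  // server credentials shipped to the browser: anyone can read these
  const DB_URL = "postgres://portal_rw:Sup3rS3cret!@db.example.invalid:5432/citizens";
  const config = { host: "db.example.invalid", password: "hunter2-ministry" };
  fetch("/api/health");
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_asset(SAMPLE_HTML):
        print(f"line {f.line}: {f.kind} -> {f.redacted}")
```

Wire `scan_asset` into the build step that bundles static assets and fail the build on any finding; the same check belongs in a pre-commit hook for anything pushed to a public repository.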
Ilia Kolochenko, Founder & CEO of ImmuniWeb, commented on the incident. He sees it as representative of the risks surrounding public code repositories:
“Public code repositories are the modern Alibaba Cave for cybercriminals. During the pandemic, enterprises around the globe are particularly susceptible to this threat: software engineers are exhausted, as WFH usually brings a higher volume of endless tasks, and become less attentive.
"Many organizations tend to outsource software development to the cheapest providers, eventually getting the corresponding quality and security of the code. Cybercriminals are perfectly aware of these amazing opportunities and effortlessly harvest the low-hanging fruit. Worse, such incidents and consequential attacks are hard, if not impossible, to detect in a timely manner. Likely millions of unwitting organizations and companies have already been silently breached because of sensitive data left exposed on public code repositories like GitHub.
"To prevent such incidents, organizations should do 3 simple things: invest in continuous security training for developers, continuously monitor the Internet for leaked source code, including resources such as Stack Overflow and not just code repositories, and keep in mind that when an external software development company provides a price that is too good to be true, it’s likely so.”
Clop ransomware hits E-Land Retail.
Ransomware group CLOP is claiming that they stole the credentials for 2 million credit cards from South Korean retail giant E-Land, reports Bleeping Computer. E-Land suffered a ransomware attack last month that forced them to shut down twenty-three stores, but it appeared that credit card data was spared from the attack, as E-Land CEO Chang-Hyun Seok stated it was encrypted and stored on a separate server. However, CLOP now claims that the attack was just the big finale to a credit card theft operation that had been in place for over a year. The gang explained that last year they installed point-of-sale malware on E-Land’s systems and had been using it to harvest credit card information without detection. CLOP boasted, “Before the lock, the cards were collected and deciphered, for a whole year the company did not suspect and did nothing.”
Bill Santos, President and COO of Cerberus Sentinel, commented, "E-Land's approach to data security, on top of a secure perimeter strategy, is an essential part of a complete security strategy. It is naïve to assume you’ll keep all attackers out of your environment; you should build a data security model that assumes external penetration, yet protects critical and confidential data with another level of security and response. This is an essential part of extending the culture of cybersecurity beyond traditional IT infrastructure into data, applications, and the user community itself."
Javvad Malik, Security Awareness Advocate at KnowBe4, wrote, "Ransomware operators no longer lead with encrypting data. Rather, many are taking their time to understand their victim environments, navigating throughout the infrastructure to find valuable information that is worth stealing as well as gaining an understanding of what information is worth encrypting with ransomware, and how much they should charge. If the group's claims are to be believed, they had been inside the network for over a year. This is why it's important for organisations to try and prevent criminal gangs entering their environment to begin with by having good technical controls such as perimeter controls, patching software, MFA, and security awareness training amongst others. Similarly, it's important to have strong monitoring and threat detection controls in place so that any infiltration can be quickly and reliably detected so that remedial action can be taken."
Kmart sustains ransomware attack.
BleepingComputer reports that Kmart, formerly a large US retailer that's now owned, post-bankruptcy, by Transformco, has been hit with Egregor ransomware. The attack has affected back office systems, and it's unclear if any personal data were affected, but as is now routinely the case, Egregor steals as well as encrypts data. The story is still developing, but we've received comments from some industry sources. Colin Bastable, CEO of Lucy Security, wrote:
“That’s an early Christmas surprise for Kmart’s new owners, Transformco. There is never a good time for a ransomware attack, but the run up to the Christmas shopping period is a bad time for Kmart to be hit. Egregor is the new kid in cybertown and he’s making a name for himself, especially in the USA, since he showed up in late September 2020. Over 80% of victims are in the USA, and Egregor wins both ways – ransom to get your data back and extortion if you are slow. Kmart can expect data to appear in public shortly. Like its Maze predecessor, the Egregor attack will probably show a little “ankle” to whet Kmart’s appetite, with a full reveal promised if they don’t stump up."
Trevor Morgan, product manager with comforte AG, wrote:
“One of the big fears coming out of an Egregor ransomware attack is the likelihood of unprotected files being stolen prior to the operation encrypting devices. This sensitive data is then used as leverage to extract a ransom from the target (in this case, the retailer Kmart). Otherwise, the operation leaks the stolen data online. While the report does not conclusively indicate whether threat actors gained access to Kmart’s most sensitive data, it serves as yet another reminder for all businesses to apply the strongest level of data-centric security to their datasets. Unlike access-based and perimeter-style defenses, which can be surmounted by experienced threat actors, data-centric security protects the data itself instead of the borders around it with methods such as tokenization and format-preserving encryption. No matter where the data goes, it remains protected even if it falls into the wrong hands. In a situation like Kmart’s, if the data happened to be tokenized then the operation would have much less leverage over the retailer. Let’s hope that this is indeed the case.”
And Red Canary intelligence analyst Brian Donohue commented:
"More often than not, ransomware payloads are delivered by other Trojans. In the context of the Egregor ransomware, we’ve observed that the first stage payload is often a trojan called Qbot. It’s obviously impossible to know the specifics of this or any infection without having a great deal of visibility into it. Defenders should note that there has been an increase in Qbot activity that could lead to the execution of Egregor and other ransomware. The best way to stop a ransomware infection is to detect the precursor activity that leads up to it.”
Tyler Reese, Senior Product Manager at One Identity, commented on recovery, and the unwisdom of relying on the criminals' word with respect to what they'll do if they receive the ransom:
“It’s important for companies to know that even if they pay the ransom, which they shouldn’t, it doesn’t mean they’ll get the information back. Hackers have been increasingly turning to ransomware-as-a-service, which means that the attacker may not have the ability to release the information allowing it to be available on the dark web forever. Instead of paying the ransom, organizations should look towards malware removal or executing a recovery plan. However, malware removal isn’t always possible and a recovery plan could cause more downtime than an organization simply can afford. The only option to avoid paying the ransom would be to prevent the attack altogether by having the right security measures in place.
"The first step of an effective security strategy is to know your enemy. Ransomware attacks find their way around internet security suites, commonly through phishing, to gain access to privileged credentials. Organizations are able to combat this by protecting their data with a strong privileged access management (PAM) strategy. PAM strategies protect companies’ data even if hackers are able to successfully execute a phishing attack by leveraging password vaults, monitoring and recording privileged sessions, using behavioral biometrics and following the principle of least privilege.”
Learning from Carrefour France’s GDPR violations.
In November, the French Data Protection Authority CNIL fined retail group Carrefour France a hefty €2.25 million for failure to comply with the EU’s General Data Protection Regulation (GDPR) rules regarding the handling of customer data. As JDSupra reports, both EU and US businesses can learn valuable lessons from Carrefour’s transgressions, particularly when it comes to customer loyalty programs and communication subscriptions. Some highlights:
- A retention period of four years for inactive loyalty program members is excessive. Whatever term is set, the company’s system must be configured to support and delete the data at the end of the term.
- Identifying documents should only be requested when there is doubt as to the identity of the individual, and the data should be deleted once identity is confirmed.
- Privacy information should be presented in a format that is easily accessible by customers, in concise, unambiguous language, devoid of technical jargon.
- If a customer requests removal, their data should be deleted as soon as possible, and logging into a customer account should not be required in order to unsubscribe from a communication.
- If login credentials are exposed, this is considered a breach and must be reported.