At a glance.
- Buyucoin data breach.
- Ransomware hits North Carolina school district.
- Further restriction of privilege attaching to digital forensics.
- Telegram bot hawks Facebook data.
- Industry comment on the Cook County court data breach.
ShinyHunters’ latest release.
Bleeping Computer reports that the prolific hacker known as ShinyHunters has leaked yet another stolen database, this one from Indian cryptocurrency exchange Buyucoin. In the past, the threat actor has posted stolen data on the dark web from sites like Homechef, Tokopedia, and most recently Bonobos, as the CyberWire noted yesterday. This time, he published a link to an archive of databases allegedly acquired from the Buyucoin site, including a table of user records for over 160,000 users. Among the exposed data were email addresses, hashed passwords, and mobile phone numbers. While Buyucoin is still investigating the breach, they released a statement asserting that their user data are heavily protected: “All our user's portfolio assets are safe within a secure and encrypted environment. 95% of user's funds are kept in cold storage which are inaccessible to any server breach.”
North Carolina school district warns employees of ransomware attack.
After suffering a ransomware attack last August, Haywood County School district in the US state of North Carolina is notifying current and former employees that their data might have been exposed, Government Technology reports. Using an extortion tactic that is becoming increasingly common among ransomware operators, the attackers not only locked up the district’s servers but also threatened to publish the data online if their demands were not met. Following the advice of investigators, the school district did not pay up, perhaps a smart move given that there’s no guarantee cybercriminals will refrain from leaking data even if they are paid, so precautions would have to be taken regardless. Among the data compromised were staff phone numbers and student disciplinary records, but no financial data were included, as payroll is handled through a third party.
Data breach forensic investigations create legal dilemma.
As the CyberWire noted last week, law firm Clark Hill, PLC was required to produce a data breach investigative report as evidence in a recent lawsuit brought against the firm by an employee whose data was compromised in the breach. JD Supra explores the impact of this case and how it could change the way companies handle remediation after experiencing a cyberattack. The court’s stance that the report was protected by neither attorney-client privilege nor work-product privilege means that organizations face a dilemma: while a forensic investigation is a necessity in order to assess the breadth of the breach and mitigate the damage, the organization must be aware that any details in the report regarding its cybersecurity practices could be used against it in court.
Telegram bot sells Facebook data.
A hacker is using a bot on the messaging platform Telegram to sell Facebook user phone numbers, and Computing offers details. The hacker exploited a now-patched Facebook vulnerability that exposed the phone numbers of more than 400 million Facebook users in an unprotected online database, and he is now selling those numbers for $20 apiece. Telegram users can query the hacker’s bot by requesting the phone number connected to a particular Facebook user ID (or vice versa). If the bot finds a match, it is released to the interested party upon payment. Alon Gal, co-founder of the cybersecurity firm Hudson Rock, discovered the bot earlier this month, but Telegram has yet to block it.
Comment on the Cook County data breach.
We've received some industry reaction to Web Planet's account of a data breach that exposed 323,000 records, some of them sensitive, held by an Illinois court. Bryan Embrey, VP of Development Management at Zentry, thinks the issue boils down to one of sound privilege management, an extension of need-to-know principles. “Situations like this could easily be avoided if policies had been deployed that restrict access to only need-to-know individuals,” he wrote. “Applying zero trust principles, such as least-privilege access, could have significantly reduced the possibility of this breach. This is one instance where the good guys prevented personal information from being posted online, but many, many others have gone undetected or revealed forensically only afterwards.”
Another Zentry executive, co-founder and CTO Vinod Pisharody, placed the incident in the context of the limitations of perimeter defenses.
"Information systems and applications are often secured within a perimeter guarded by layers of security that typically protect these from the inside out. There are two problems with this:
"Access to this information is carefully guarded only when the attempt comes from internet-facing attempts. Internal attempts to access this information usually have less protection. If some attack targeted a less sensitive device on the internal network and then used that device as a base to attack more sensitive devices, it would bypass a lot of safeguards because the attacks would not be coming from the guarded dimension.
"Authentication and access controls are inadequate. These are either static (do not consider changes in environment) or have excessive privileges assigned. Static protections are nearly impossible to manually monitor and keep up to date. These can easily result in resources being left unprotected. Excessive privileges are generally assigned to various roles to 'just get things working.' These can lead to folks having access to information they may not know they have the privilege to access. If such folks have not been trained to handle sensitive information, they may inadvertently leak access."