At a glance.
- AWS S3 buckets and ransomware.
- Phishing for QuickBooks users.
- Will hack your data for beer...
- Arrest made in French COVID test data leak.
- COVID track-and-trace used for public surveillance and control in China.
- Further comment on the Twitch breach.
- A fertility clinic sustains a ransomware attack.
Storage buckets and ransomware.
Researchers at Ermetic examined weaknesses in AWS S3 storage buckets that leave them exposed to ransomware. A misconfigured bucket is like putting the jewels in a vault and forgetting to lock it, and Ermetic found that every enterprise environment it examined contained vulnerable identities that, if compromised, could be used to deploy ransomware against at least 90% of the buckets in the AWS account. The report also details how a misconfigured identity opens a bucket to that threat: 70% of the environments examined had machines publicly exposed to the internet, giving an attacker a foothold from which to compromise multiple identities.
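The "90% of buckets" figure is a blast-radius calculation: for each identity, which buckets could it render unrecoverable? The script below is an added example, not Ermetic's tooling, that performs that calculation over constructed IAM policy documents and a constructed bucket inventory. It uses a deliberately simplified evaluator (identity policies only; no resource policies, SCPs, or Condition keys; explicit Deny wins) and models the two bucket-level controls that change the answer: versioning, which keeps the originals after an overwrite, and Object Lock in compliance mode, which prevents anyone from deleting retained versions.

```python
"""Added example, not from Ermetic's report: estimate an identity's S3
ransomware blast radius from its IAM policy statements and show which
bucket-level controls take buckets out of reach.

Simplified model: identity policies only (no resource policies, SCPs, or
Condition keys), * and ? wildcards on Action and Resource, explicit Deny wins.
All policies and buckets below are constructed for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Bucket:
    name: str
    versioning: bool = False   # prior object versions survive overwrite/delete
    object_lock: bool = False  # compliance-mode retention: versions cannot be deleted


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource):
    # IAM action names are case-insensitive; ARNs are matched with wildcards.
    acts = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    ress = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return acts and ress


def allows(policies, action, resource):
    """True if the combined identity policies permit `action` on `resource`."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides any Allow
            allowed = True
    return allowed


def can_ransom(policies, bucket):
    """Could this identity make the bucket's current objects unrecoverable?"""
    objects = f"arn:aws:s3:::{bucket.name}/*"
    bucket_arn = f"arn:aws:s3:::{bucket.name}"
    if bucket.object_lock:
        return False  # locked versions survive even a full-privilege attacker
    # Step 1: replace or remove the current version of every object.
    overwrite = (allows(policies, "s3:PutObject", objects)
                 or allows(policies, "s3:DeleteObject", objects))
    if not overwrite:
        return False
    if not bucket.versioning:
        return True  # no prior versions exist, so the data is gone
    # Step 2: a versioned bucket still holds the originals as noncurrent
    # versions; the attacker must purge them directly or via a lifecycle rule.
    return (allows(policies, "s3:DeleteObjectVersion", objects)
            or allows(policies, "s3:PutLifecycleConfiguration", bucket_arn))


def ransomable_buckets(policies, buckets):
    return sorted(b.name for b in buckets if can_ransom(policies, b))


def blast_radius(policies, buckets):
    """Fraction of the inventory this identity could ransom."""
    return len(ransomable_buckets(policies, buckets)) / len(buckets)


# Constructed inventory: three buckets with progressively stronger protection.
BUCKETS = [
    Bucket("reports"),
    Bucket("backups", versioning=True),
    Bucket("ledger", versioning=True, object_lock=True),
]

# The over-permissive grant that produces a 90%-plus blast radius.
DEV_POLICIES = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}]

# Least privilege: object read/write only, with destructive and
# retention-weakening actions explicitly denied.
LEAST_PRIV_POLICIES = [{"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::reports/*", "arn:aws:s3:::backups/*"]},
    {"Effect": "Deny",
     "Action": ["s3:DeleteObject*", "s3:PutBucketVersioning",
                "s3:PutLifecycleConfiguration"],
     "Resource": "*"},
]}]

if __name__ == "__main__":
    for label, pols in (("s3:* developer", DEV_POLICIES),
                        ("least privilege", LEAST_PRIV_POLICIES)):
        print(f"{label}: {blast_radius(pols, BUCKETS):.0%} "
              f"-> {ransomable_buckets(pols, BUCKETS)}")
```

The result worth noticing is that the least-privilege policy still leaves the unversioned bucket ransomable: s3:PutObject alone is enough to overwrite every object with an encrypted copy, so denying the delete actions is not sufficient. Versioning (with delete-version and lifecycle changes denied) or Object Lock is what actually removes a bucket from the blast radius.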
Saumitra Das, CTO and Cofounder of Blue Hexagon, wrote to remind people that moving into the cloud doesn't put an end to threat hunting:
“This report highlights the urgent need to “detect threats” in the cloud and not just focus on misconfigurations. Research from Cloud Security Alliance shows that even if misconfigurations are detected in S3 buckets or IAM access keys not being used for a long time, it takes a while for these to get detected and remediated - sometimes days, weeks and even months. It also highlights that ransomware is not just an on-premises problem but as the pandemic has accelerated cloud migration of workloads it has also accelerated cloud migration for attackers and ransomware criminal operators.
“It is critical to monitor three things in the cloud:
“(1) runtime activity of identities in terms of what they are doing and from where.
“(2) cloud storage (S3) in terms of not just the permissions and configurations but actually the read/write pattern and what is actually being stored in there.
“(3) network activity which can highlight when instances either inadvertently or deliberately opened to the Internet are brute-forced and then identities stored on those instances are used for lateral movement.”
“You cannot guarantee that mistakes like identities being enabled for too long, too permissive, leaked in code will not happen. They can only be reduced. On the other hand, keeping an eye on active attacks on the cloud infrastructure can thwart attackers from gaining enough privilege and access to ransom the data.”
Phishing scam baits QuickBooks users.
Bleeping Computer discusses a phishing operation in which scammers pose as support staff from QuickBooks maker Intuit, emailing QuickBooks users about the supposed expiration of their plans. Intuit has stated that these emails are not legitimate and advises users against responding or clicking on any links or attachments in the messages. The campaign is likely an effort to take over users’ QuickBooks accounts by tricking the victims into installing remote access software.
Erich Kron, security awareness advocate at KnowBe4, wrote about the strong attraction accounting and tax tools have for criminals:
“Accounting and financial software makes for great targets for cybercriminals, as these often have multiple methods of payments associated with the accounts, records of invoices and other information that can be used to scam not only account holders, but their customers and vendors as well.
“To defend against phishing emails such as this, rather than following a link in the notification email, people should type the URL into the browser, then log into the website and check the account status. Cybercriminals use strong emotional responses, like one a person might have to a notification that their accounting software subscription has expired, to trick people into taking an action without thinking through the consequences.”
Free beer? Even hackers can’t resist free beer. (Hacker doesn't live by Mountain Dew alone, dudes and dudettes.)
In an incident that suggests arrested development somewhere around sophomore year, Sky News reports that a vulnerability in Scottish brewery and pub chain BrewDog’s mobile app gave hackers access to the details of over 200,000 of the company’s shareholders in its Equity for Punks program. As ZDNet details, the issue was an authentication error: the app shipped with a hard-coded authentication token, so API requests were accepted without ever verifying a user’s credentials, and changing the customer ID in a request returned another shareholder’s record. Bonus: shareholders are entitled to a free beer on their birthdays, so in addition to the data, the hackers could have helped themselves to a free pint. Computer Weekly adds that the researchers who discovered the flaw had difficulty disclosing it to BrewDog, which calls the company’s commitment to security into question. BrewDog has fixed the bug and says it found no evidence that the data had been tampered with.
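The BrewDog flaw combines two of the OWASP API Top 10 categories: an app-wide credential that authenticates the application rather than the person (broken authentication), and a handler that trusts whatever customer ID the client supplies (broken object-level authorization). The following is an added example, not BrewDog’s code, that puts the vulnerable pattern beside a hardened one in a small in-process API. Records, the hypothetical app token, passwords and session handling are all constructed for illustration; the point is that once a token is embedded in a binary it is public, so the server must tie every request to a verified user and check that user against the object requested.

```python
"""Added example, not BrewDog's code: a hard-coded app-wide bearer token plus
predictable customer IDs, beside a hardened handler that issues per-user
sessions and enforces object-level authorization. All records, tokens and
credentials are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed shareholder records keyed by sequential customer ID.
SHAREHOLDERS = {
    1001: {"name": "A. Punk", "email": "a@example.com", "birthday": "1990-04-12"},
    1002: {"name": "B. Punk", "email": "b@example.com", "birthday": "1985-11-03"},
    1003: {"name": "C. Punk", "email": "c@example.com", "birthday": "1978-07-29"},
}

# --- vulnerable pattern: one token baked into the app binary ---------------
APP_TOKEN = "static-token-shipped-inside-the-apk"  # hypothetical value


def vulnerable_get_shareholder(bearer, customer_id):
    """Authenticates the *app*, not the user, then trusts the ID in the URL."""
    if not hmac.compare_digest(bearer, APP_TOKEN):
        return 401, None
    record = SHAREHOLDERS.get(customer_id)
    return (200, record) if record else (404, None)


# --- hardened pattern: per-user sessions + object-level authorization ------
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


_SALTS = {cid: secrets.token_bytes(16) for cid in SHAREHOLDERS}
# Constructed credential store; passwords are stored only as salted hashes.
_CREDENTIALS = {
    1001: _hash_password("correct-horse-1", _SALTS[1001]),
    1002: _hash_password("battery-staple-2", _SALTS[1002]),
    1003: _hash_password("punk-ipa-3", _SALTS[1003]),
}
_SESSIONS = {}  # opaque session token -> customer_id


def login(customer_id, password):
    """Return a fresh session token only after verifying the user's credential."""
    expected = _CREDENTIALS.get(customer_id)
    if expected is None:
        return None
    if not hmac.compare_digest(expected, _hash_password(password, _SALTS[customer_id])):
        return None
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = customer_id
    return token


def hardened_get_shareholder(bearer, customer_id):
    """The requester's identity comes from the session, never from the path."""
    subject = _SESSIONS.get(bearer)
    if subject is None:
        return 401, None
    if subject != customer_id:
        # Same answer whether or not the ID exists, so nothing can be enumerated.
        return 403, None
    return 200, SHAREHOLDERS[customer_id]


def enumerate_ids(handler, bearer, id_range):
    """What an attacker does with a leaked token: walk the ID space, keep hits."""
    return {cid: rec for cid in id_range
            for status, rec in [handler(bearer, cid)] if status == 200}


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(vulnerable_get_shareholder, APP_TOKEN, range(1000, 1010)))
    token = login(1002, "battery-staple-2")
    print("hardened:", enumerate_ids(hardened_get_shareholder, token, range(1000, 1010)))
```

Run as-is, the vulnerable handler hands the enumerator every record for the cost of one static string, while the hardened handler returns exactly one record, the caller's own, and a uniform 403 for everything else. The hardened version also answers 403 for IDs that do not exist, so a scan cannot even learn which customer numbers are live.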
Jason Kent, Hacker in Residence at Cequence Security, wrote that, unfortunately, APIs bleeding data in this way aren't that uncommon:
“API breaches that align with the OWASP API Top 10 aren't that uncommon anymore. In this case, simple enumeration of IDs while being authenticated via a hardcoded API Key, follows as well. Authentication and authorization issues are at the top of the list for a reason. Here you can see both issues lead to complete acquisition of the customer database, utilization and even things like "rewards" points can be utilized without the permission of the account owner. BrewDog's response is, unfortunately, very similar to our own experiences with reporting APIs bleeding out data in an uncontrolled manner. Dumping the entire customer database and having access to all of the information for an organization's customers shouldn't be ignored and is a great lesson to anyone with an API that wants to ensure its security.”
Yariv Shivek, VP of Product at Neosec, was also moved to write more in sadness than anger about how commonplace the errors the incident revealed have remained:
“Hardcoding API credentials (API keys, tokens, etc.) into mobile apps is sadly a common mistake. Mobile applications -- as well as single-page web applications (aka SPAs) -- run in untrusted client environments, environments under the (ab)user's control. Looking for API credentials in applications is easy, and when those credentials allow bypassing authentication or authorization, this can lead to data leaks and even complete account takeovers.”
“Secure coding and client-based security controls can and should be employed to prevent these things from happening. But as with all things, prioritization is key, and prioritization relies on knowing which API endpoints pass sensitive data, the types of sensitive data being passed, as well as what each service and endpoint's risk posture is. This knowledge is actually at most organizations' fingertips -- in the form of unmined logs.”
French hacker arrested for COVID-19 data leak.
The Record by Recorded Future reports that a French hacker has been nabbed for leaking the COVID-19 test results of over 1.4 million patients stolen from the largest hospital system in Europe, the Paris-based hospital trust Assistance Publique – Hôpitaux de Paris. The hospital disclosed the incident three days after discovering the hack in September. The suspect, who had previously expressed his disagreement with France’s COVID-19 safety protocols, infiltrated a file-sharing server used to send laboratory tests to the French Health Ministry, then uploaded the files to the file-sharing portal MEGA and shared links with the public on JeuxVideo and Twitter. His motivation thus appears to have been a hacktivist one, unless it was what Gide would have called an acte gratuit (existentialist French usage for "I did it for the lulz, bro").
The thin line between COVID-tech and public surveillance.
The MIT Technology Review shares an excerpt from a book by Darren Byler describing how China’s surveillance state is linked to global COVID-tech. Chinese surveillance companies like Dahua, one of the top providers of the “smart camp” systems used to surveil and oppress people the state deems undesirable, have capitalized on the pandemic by selling heat-mapping camera systems to companies like Amazon that want to monitor employees for COVID symptoms. Meanwhile, medical research companies owned by the Beijing Genomics Institute (BGI) have established fifty-eight labs in eighteen countries and sold millions of COVID tests to nearly two hundred countries. Dahua and BGI are both on a US no-trade list intended to keep US firms from working with companies considered a threat to national interests, but that list prevents US companies from selling to them, not from purchasing their products.
Further comment on the Twitch incident.
Chad Anderson, senior security researcher at DomainTools, wrote to share some of the implications the Twitch breach may have for Amazon's future:
“This data breach is huge and reveals not only user accounts and hashed passwords, but full source code and Amazon’s future direction for the company as the leak contains a Steam clone for monetizing digital game sales with tight integration into current high user base games. Many figured the acquisition of Twitch was to head in this direction at some point, but now we know just how long Amazon is in that race. On top of all of that comes the leak of the financial information for big streamers. That unveils a lot we didn’t know before about streamer finances. All in all this leak is massive from a user privacy and intellectual property perspective.
“There’s a lot of shock and awe with these attacks. We know from experience that oftentimes these attackers will combine previous breaches together to make these reveals look larger. We also know that with good practices from the personal end — using a password manager and multi-factor authentication — you can minimize any impact these leaks have on spidering out into other services you subscribe to today. On top of that, good practices at companies of salting and hashing stored passwords, something Epik did not do and was a huge security oversight, or encrypting user data at rest can go a long way in minimizing the additional impact to their users. Whether for hacktivism or financial gain, attacks aren’t going to stop so what companies should be doing is implementing policies and security that make it so expensive for attackers to accomplish their means that they can’t afford to complete their goals. At the end of the day, the only thing that will make this stop is making execution costly for the attackers.”
A fertility clinic sustains a data breach.
ZDNet reports that ReproSource, a fertility clinic owned by Quest Diagnostics, has disclosed a ransomware attack and attendant data breach that exposed the information of some 350,000 patients. The data included both personal and financial information.
Tim Erlin, VP of Strategy at Tripwire, commented on why healthcare is likely to remain an attractive target for ransomware gangs:
“Healthcare has always been a target for cyberattacks because the nature of its services requires the collection of both personal data and money. Ransomware may be the attack du jour, but the pattern of attacking healthcare isn’t new. Ransomware doesn’t suddenly appear on systems. Ransomware attacks have to start with an initial intrusion, then spread to the systems with the most valuable information to hold ransom. Organizations should build a basic response plan, then focus on making it as difficult as possible for the attacker to succeed at that initial intrusion and movement within their environment.”
James McQuiggan, a KnowBe4 security awareness advocate, sees the familiar tension between security and operations:
“While focusing on patient care, healthcare organizations struggle to secure their patient data, as there are constant attacks against them. Most of them are profit-generating organizations and are willing to pay up, as the cybercriminals see as they continue to target them. This type of attack is prosperous for criminals as they target the organization to pay and the patients in a shame campaign to collect as much money as possible.
“Healthcare organizations need to invest in their employee's education and security culture to help them spot phishing emails and other social engineering attacks to reduce the risk of attacks by cybercriminals via the human element. Critical systems such as patient data need fortifying with multi-factor authentication to reduce the risk of unauthorized access by cybercriminals when inside the networks.”
Purandar Das, Co-founder and the chief security evangelist at Sotero, agrees that medical organizations are attractive targets:
“This is not a surprising development. Medical organizations, among others, are targets that are waiting to be hit. The attackers are going down the roster list and targeting the ones that they believe have the most valuable data in terms of monetization. Health, medical and personal data, top that list. What is surprising is that this attack/breach happened in August and there is still no clarity about the data lost. This speaks to the readiness or lack thereof in not only being ready to defend against such attacks but also the lack of infrastructure to identify the attack, the cause and the impact. Offering credit monitoring seems to be the standard response to appease legal and insurance requirements. Credit monitoring is a band-aid on a much larger issue.”