At a glance.
- RIPE NCC reports credential-stuffing attack.
- Kroger's pharmacy and Little Clinic sustains a data breach.
- Cuba ransomware gang attack on AFTS spreads to payment processor's customers.
- Clubhouse, exclusivity, fashion, and privacy.
Credential-stuffing attack at RIPE NCC.
The Réseaux IP Européens Network Coordination Centre (RIPE NCC), the regional internet registry for Europe, Western Asia, and the former Soviet Union, warned last week that it had sustained a credential-stuffing attack, and it strongly urged users to adopt two-factor authentication. Threatpost explains that, because RIPE NCC is one of the five regional authorities that allocate Internet resources and provide registration services, the principal risk of an attacker successfully compromising RIPE NCC data would be impersonation.
Niamh Muldoon, Global Data Protection Officer at OneLogin, commented by email on what affected organizations can do to protect themselves:
“It’s all about implementing an effective Access Control program and appropriate controls. As RIPE NCC is now doing, companies should urge all users to enable Multi-Factor Authentication (MFA) as part of single-sign-on (SSO) to help protect against credential stuffing attacks.
"MFA reduces the risk of attack by increasing the complexity of the exploit – the attacker must gain access to multiple authentication factors such as password, token and/or certificates, and do so quickly, before these factors expire. The challenge for enterprises is to build a process that enforces MFA without introducing too much end-user friction. Balancing the risk and user-acceptance is key.
"To meet these requirements, global Industry leaders are building platforms of Trust, where organizations model their access control processes into the technology platforms and present the end-user with authorization requests per risk profile and/or behavioral change. The risk profile is based on the data/system the access control is protecting. This incorporates machine learning and utilizes Adaptive MFA/Soft Tokens and Device-based Certificates to prevent account compromise while ensuring user productivity.”
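One way a defender can look for the pattern RIPE NCC described, as an added illustration that is not part of the original article or of RIPE NCC's own tooling: a sliding-window check over authentication logs that flags a source address attempting logins against many distinct accounts with a high failure rate, then lists which accounts it nevertheless got into (the accounts where MFA would have stopped the attacker). The log format, IP addresses, usernames, and thresholds are all constructed assumptions for this example.

```python
"""Credential-stuffing detector over authentication logs (added example).

A sliding-window heuristic: a source IP is flagged when, within `window`,
it tries at least `min_accounts` distinct usernames and at least
`min_fail_ratio` of those attempts fail. Log format, sample lines and
thresholds are constructed for this example, not taken from any product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2021-02-19T10:00:01 203.0.113.7 alice FAIL
2021-02-19T10:00:02 203.0.113.7 bob FAIL
2021-02-19T10:00:02 203.0.113.7 carol FAIL
2021-02-19T10:00:03 203.0.113.7 dave FAIL
2021-02-19T10:00:04 203.0.113.7 erin FAIL
2021-02-19T10:00:05 203.0.113.7 frank OK
2021-02-19T10:00:06 203.0.113.7 grace FAIL
2021-02-19T10:00:07 203.0.113.7 heidi FAIL
2021-02-19T10:00:07 203.0.113.7 ivan FAIL
2021-02-19T10:00:08 203.0.113.7 judy FAIL
2021-02-19T10:00:09 203.0.113.7 mallory FAIL
2021-02-19T10:00:09 203.0.113.7 oscar FAIL
2021-02-19T10:01:00 198.51.100.2 alice FAIL
2021-02-19T10:01:05 198.51.100.2 alice FAIL
2021-02-19T10:01:09 198.51.100.2 alice OK
2021-02-19T10:05:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events, key=lambda e: e[0])


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=8, min_fail_ratio=0.8):
    """Return {ip: (distinct_accounts, fail_ratio)} for flagged sources.

    A single user retrying their own password (few accounts, from one IP)
    never trips this rule; a list of leaked credentials sprayed across many
    accounts does. Thresholds are assumptions chosen for the sample data.
    """
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        per_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in per_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start so attempts[start..end] fit in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            ratio = fails / len(span)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(accounts) > prev[0]:
                    flagged[ip] = (len(accounts), round(ratio, 2))
    return flagged


def successful_logins_from(events, ip):
    """Accounts that authenticated successfully from `ip`: for a flagged
    source these are the accounts to review and reset."""
    return sorted({u for _, src, u, r in events if src == ip and r == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, (n, ratio) in detect_stuffing(evs).items():
        print(f"{ip}: {n} distinct accounts, fail ratio {ratio}; "
              f"successful logins: {successful_logins_from(evs, ip)}")
```

On the constructed data the first source is flagged (twelve accounts tried in under ten seconds, one success), while the second source, a single user who mistypes twice and then logs in, is not; the one account the flagged source reached is exactly where a second factor would have made the stolen password useless.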
Kroger warns customers of data breach as the Accellion compromise claims more third-party victims.
US supermarket chain Kroger has warned customers that it's been affected by the compromise of Accellion's FTA file transfer service. Kroger believes its own IT systems were unaffected, as were customer and paycard data from its grocery business, but that "certain associates’ HR data, certain pharmacy records, and certain money services records" may have been compromised. Kroger has discontinued its use of Accellion's system, and it's continuing its investigation. The involvement of the pharmacy and the Little Clinic triggered certain HIPAA disclosures, the Atlanta Journal Constitution reports.
Trevor Morgan, product manager with comforte AG, is struck by the way in which such supply-chain compromises continue to spread to fresh third-party victims:
“One interesting aspect of data security incidents is that they aren’t necessarily one-off events. Given that many enterprises depend on the same tools or software within their IT infrastructures, when a vulnerability in a core tool is exposed, a domino effect of incidents takes place as various organizations announce the effect on them and their customers.
"This is the case with the ongoing Accellion file-transfer breach. Kroger is the latest organization to announce that it was affected by this incident. By all accounts, when they became aware of the situation back in January, they ceased usage of the software in question and have performed their due diligence in analyzing the scope of their exposure and notifying customers accordingly. While they believe that less than 1% of their customers were affected, that’s still too many people whose personal, sensitive information may be compromised.”
Update on the "Cuba" AFTS ransomware attack.
The ransomware attack on the Automatic Funds Transfer Service (AFTS) is likely to hit the service's users hard. In the US, state and local governments are, as StateScoop reports, heavy users of AFTS. We've seen how the problem has spread since the California Department of Motor Vehicles warned of the problem last week. The "Cuba" ransomware gang has (rather smugly) claimed extensive compromises that extend, according to StateScoop, to “financial documents, correspondence with bank employees, account movements, balance sheets, and tax documents.”
Cities and organizations that have reported being affected include, in addition to the California DMV, the Washington cities of Kirkland, Lynnwood, Monroe, Redmond, and Seattle, as well as some Seattle-area utilities. We heard from Immuniweb's Ilia Kolochenko, who sees the attack as another supply chain incident that shows how attacks on third parties spread through those parties' user bases:
“This incident illustrates a disastrous domino-effect of Supply Chain attacks. Organizations working with regulated data, such as PII, health or banking data, should consider a cyber insurance that would cover ransomware attacks to the fullest extent possible. The insurance selection process is, however, a highly complicated matter. All covered cases, as well as all the exceptions thereto, should be unambiguously enumerated in a contract. Caps on various types of damages are to be clearly defined: including legal costs, recovery and forensics costs, notification and compensation to victims, and fines imposed by regulatory authorities.
"An experienced lawyer is always required to inspect all the nuances: a compensation for breach notification may be contractually limited to a specific type of notification that may be insufficient or even unlawful in a specific state, making the insurance pointless. Another example is the exclusion of international litigation or limited coverage thereof, while even an insignificant number of foreign individuals affected by a breach may bring the victimized company to a foreign court. In view of the surging ransomware attacks, cyber insurances will likely face an unprecedented boom in 2021 but are to be prudently selected to be efficient.”
Clubhouse is blocked by Beijing and recorded in Shanghai, but it's becoming fashionable elsewhere.
In a story SiliconAngle ran this morning, and that Bloomberg broke yesterday, a third-party app is said to permit users to listen in to Clubhouse rooms without so much as a by-your-leave, that is, without an invite code.
There are other problems, some of them simple sequelae to rapid growth and wider adoption. "All the cool politicians are in Clubhouse," at least in the EU, Politico says, and if Forbes has it right, any audio, invitation-only social platform in which Elon Musk can invite Vladimir Putin to club would seem to carry a certain cachet. Since those two at least are unlikely to be conversing in Mandarin, it's clear that the app has expanded well beyond its Sinophone roots. Clubhouse attracted a great many users in China, where it seemed, until Beijing blocked it earlier this month, to offer a venue for relatively unfettered discussion of otherwise banned topics. But banned or not, the platform's data handling practices are not at all conducive to privacy, a Guardian essay argues. The app's backend services are provided by Shanghai-based Agora, which apparently has access to both user data and the unencrypted content of whatever's been said in Clubhouse's various rooms. The Stanford Internet Observatory thinks it sensible to conclude that Agora provides such information to the Chinese government.