At a glance.
- US Geospatial Intelligence Foundation and AFCEA are affected by a third-party breach.
- Firefox upgrades browser privacy.
- Update on the Flagstar breach.
- Data exposure at FBS.
- California state employee lured in by phishing scam.
- Clop ransomware gets to Universities of Colorado and Miami via Accellion compromise.
- University of Northampton intranet hit by cyberattack.
SPARGO breach exposes data from two US government conferences.
As the CyberWire Daily Podcast noted yesterday, the Armed Forces Communications and Electronics Association and the US Geospatial Intelligence Foundation have both disclosed that SPARGO, a third-party vendor they work with, has experienced a data breach resulting from a ransomware attack. The Federal News Network reports that SPARGO, Inc., an events management company based in the state of Virginia, assists both organizations with registration for conferences, so the breach potentially exposed members’ personal data like names and addresses, but sensitive data like financial information or dates of birth were likely not compromised.
New Firefox privacy feature blocks without breaking.
Security Week reports that Mozilla is releasing a new privacy feature for the Firefox 87 browser called SmartBlock. Used in Firefox’s Private Browsing and Strict Mode, the intelligent tracker blocking mechanism improves user privacy by blocking third-party tracking content while simultaneously providing stand-ins for the third-party tracking scripts to ensure that all websites function properly even if tracking attempts are blocked.
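To make the "block without breaking" idea concrete, here is an added JavaScript illustration (not Mozilla's SmartBlock code, and not from the original article): a first-party page script that calls a third-party tracker's API, a naive block that leaves the global undefined and crashes that script, and a stand-in that keeps the API surface present while sending nothing off-site. All names (realTracker, standInTracker, pageMain) and the placeholder id are constructed for the example.

```javascript
// Simulated third-party tracker, as it would be served from the tracker's
// domain. Each call records what would have been sent off-site.
function realTracker(sent) {
  return {
    init(id) { sent.push({ type: "init", id }); },
    track(event) { sent.push({ type: "event", event }); return true; },
  };
}

// Stand-in served instead of the blocked script: same method names and
// return shapes as the real tracker, but no data ever leaves the page.
function standInTracker() {
  return {
    init() {},
    track() { return true; },
  };
}

// First-party page code that assumes the tracker global exists. If the
// script is simply blocked, `tracker` is undefined and this throws,
// which is how a naive blocker breaks an otherwise working page.
function pageMain(tracker) {
  tracker.init("UA-PLACEHOLDER");          // constructed placeholder id
  const ok = tracker.track("page_view");
  return ok ? "page rendered" : "page rendered (tracking failed)";
}

// Run the page under three policies: allow the tracker, block it outright,
// or block it and substitute the stand-in. Returns what the page did and
// how many records would have been sent to the tracker.
function simulate(policy) {
  const sent = [];
  let tracker;
  if (policy === "allow") tracker = realTracker(sent);
  else if (policy === "smartblock") tracker = standInTracker();
  // "block": tracker stays undefined
  let result;
  try {
    result = pageMain(tracker);
  } catch (e) {
    result = "page broken: " + e.constructor.name;
  }
  return { result, dataSent: sent.length };
}
```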
Flagstar Bank breach larger than anticipated.
As the CyberWire noted earlier this month, Michigan-based Flagstar Bank disclosed that it was impacted by the breach of Accellion’s file transfer service, and the Clop ransomware gang added insult to injury by posting the private data of nearly twenty of the bank’s employees. BGR now reports that the amount of data stolen by the threat actors is far larger than originally assumed. Many of Flagstar’s customers have been sharing communications they’ve received from the bank indicating that the cybercriminals accessed highly sensitive data, including social security numbers, of not only bank employees, but customers and other individuals associated with the bank. Flagstar is extending free identity theft monitoring services to all impacted customers.
Forex breach exposes 20TB of highly sensitive data.
Researchers at WizCase report that they’ve discovered a data leak involving the online forex trading broker FBS. The team of white hat hackers found an unsecured ElasticSearch server belonging to FBS that contained nearly 20TB of data, or more than 16 billion records containing confidential data including login credentials, passport numbers, credit card info, and financial transactions of millions of FBS users. As Finance Feeds explains, FBS has over 400,000 partners and 16 million traders in more than 190 countries, and if a black hat were to find the data contained in the server, the repercussions could range from phishing scams to business espionage. The database was found by WizCase and reported to FBS in early October 2020, and FBS secured the server within just a few days.
California State Controller reports data breach.
The California State Controller’s Office (SCO) released a statement explaining that a threat actor gained access to the email account of an employee in its Unclaimed Property Division. After falling for a phishing email, the employee unwittingly submitted their login credentials on a malicious website. The compromised data in the account includes the social security numbers and other personal identifying information of thousands of state workers. KrebsOnSecurity reports that in addition to accessing the account, the threat actor also sent malicious spear-phishing emails to over nine thousand of the employee’s contacts. It’s worth noting that although SCO does offer employee training on detecting phishing scams, due to a recent change in the training guidelines not all employees are required to participate. According to an SCO spokesperson, SCO has reached out to the contacts who may have received a malicious email from the intruder, and the office is notifying all individuals whose data might have been exposed.
James McQuiggan, security awareness advocate at KnowBe4, pointed out that, really, it takes just one employee to make a mistake:
“One user clicks a link and enters their credentials on a fake login page. Its impact is exponentially problematic for the organization, from loss of data to damage to their brand and potential revenue loss. This event supports the issue that all organizations need to educate and phish their employees regularly to ensure they are aware of and know how to spot and report socially engineered emails. Organizations want to ensure they have the email feature to alert users of external emails. A banner or bolded text at the top of the email informing the employee that they are reading an external email, which alerts them to pay extra attention, as it could be malicious with attachments or phishing links.
"Employees always want to check the links by taking the extra moment to examine them by hovering over the link to verify if it is legitimate. Sometimes it can be challenging to determine if it is a real link or not. Having an alert tool within the organization where the employees can report potential phishing emails can reduce the risk of attacks and ensure that the employee is taking the proper actions to protect the organization.”
Purandar Das, CEO and Co-Founder of Sotero, notes how even an apparently trivial intrusion can be the entering wedge of a significant attack:
"Even a seemingly innocuous malicious attack can enable attackers to gain insights and valuable information that can be used to cause long lasting damage to consumers and organizations. The security focus for organizations has to evolve to be data centric regardless of where it is stored. As important as perimeter security is, securing data regardless of location has to become the objective. Organizations have to start planning and deploying data centric security solutions assuming that the perimeter can and will be breached.”
Clop ransomware afflicts Universities of Colorado and Miami.
As the impact of the Accellion FTA breach continues to unfold, CBS Denver reports that cybercriminals have published data online that was allegedly stolen from the University of Colorado as a result of the breach, believed to be the largest data breach in the school’s history. The Clop threat group has been leaking data from several organizations impacted by the Accellion breach, but as Emsisoft cybersecurity threat analyst Brett Callow states, “Whether Clop is responsible for the hacks or is simply handling the extortion is impossible to say, but I suspect the latter.”
BleepingComputer reports that Colorado wasn't the only university hit by Clop via Accellion: the University of Miami was also affected.
Classic ransomware affected data availability. Over the past year it has become routine for it to attack data privacy as well. Eddy Bobritsky, CEO of Minerva Labs, sent us some comments on how this tendency was on display during the Clop ransomware incidents at Colorado and Miami:
"Ransomware groups are continuing with the trend of data theft in addition to encryption. Devious ransomware operators understand that they can gain an edge in ransom negotiation by threatening not only to lock corporate data, but to leak it as well. Virtually all big ransomware groups have started leak sites where stolen data is published and unpaying victims are shamed.
"Clop Ransomware group usually penetrates the network by using loaders and downloaders, specifically Get2 and Sdbbot which tend to be more evasive, with the goal of assessing the profitability of the target before dropping major tools that can be compromised by defenders.
"This is another example that demonstrates the importance for organizations to protect themselves before the attack, no matter the organization type or size. This also shows why it is important not to rely only on detection and response solutions that were never built to prevent threats from execution; they were built to detect them first. In fact, in the past 10 years, year over year more money has been invested in endpoint security and yet, year over year the number of successful ransomware attacks increases. The time to detect and contain the breach increases together with the cost of a breach, of course, while the shortage in cyber security experts increases as well. The industry should adopt a new approach and technologies that are scalable and built to prevent modern threats before any damage has been done, at the beachhead - solutions that will enable organizations of any size to deal with modern cyber threats regardless of their team’s size, skillset and toolset."
We also heard from Jerome Becquart, COO of Axiad, who called for better user education and improved organizational digital hygiene:
“In today's landscape no organization is safe, whether you are in healthcare, education, transportation etc., which is why it is critical for all organizations to adopt good cybersecurity hygiene and educate their users. Protecting users from phishing emails by digitally signing emails, moving away from passwords, and adopting multifactor authentication (MFA) are all part of the digital transformation organizations need to take to stay safe.
"With the acceleration in digital transformation, there has also been a rise in security risks, which need to be addressed. Protecting users from phishing emails by digitally signing emails, moving away from passwords, and adopting MFA should all be part of the new strategy organizations need to adopt to secure their digital perimeter.”
Niamh Muldoon, global data protection officer at OneLogin, discussed lessons on due diligence that can be drawn from the incidents.
“As expected, we are continuing to see the impact of the Accellion file-sharing data breach expand. We applaud the due diligence that many of the affected organizations are taking to be transparent with customers, partners, employees, and with CU, their students, about the exposure of their personally identifiable information (PII). As it appears to be the case with the University of Miami, an organization may not be directly exposed to the breach, but they may be using services or technology supported by Accellion.
"It is important to incorporate access control and data lifecycle management into risk assessment by asking about past data/files transfers, and whether those files have been properly managed, such as having access removed when it is no longer required. The results of the cross-functional risk assessment will determine if the organization is vulnerable per the versions of Accellion exploited by malicious attacker/s. Having your security and/or technology organization monitor and track official communications issued by Accellion will allow them to keep up-to-date.
"This is especially important because as the investigation continues more data will become available which may impact the associated risk to your organization, and require your organization to take more actions to reduce risk. If you are unclear from official communications whether your organization is using a vulnerable version or not, reach out to Accellion for clarity - don’t just assume it's ok.”
Trevor Morgan, product manager at comforte AG, also took up lessons to be learned from the data breaches:
“As the Accellion-related fallout continues—this time at University of Colorado and University of Miami Health System—it’s a good time to reiterate the lessons learned. To begin with, always perform software patches and upgrades as soon as they are available. When software becomes outdated or meets its end of life status, make sure you look for current and fully supported products. In addition, keep in mind that threat actors are always looking for ways to get to your sensitive data. Outmoded protection methods such as perimeter security and access control no longer guard against concentrated efforts, and other methods such as standard encryption can also be cracked and can be a burden to administer.
"Therefore, look for ways to protect the data itself rather than the borders around it, an approach known as data-centric protection and which includes methods such as tokenization. Tokenization replaces sensitive information with benign but meaningless tokens, so even if hackers get to your data, it is unintelligible and therefore worthless to them. Lastly, know that the fifteen minutes of infamy you will experience if your sensitive data is compromised can cause lasting and irreparable harm to your business, especially reputational damage. Avoid it at all costs through increased attentiveness to data security.”
Cyberattack shuts down UK university intranet.
Not all university cyber incidents in the news involve third-party risk. In yet another addition to the ongoing wave of attacks on learning institutions across the globe, the BBC reports that the University of Northampton in the UK was hit by a cyberattack last week that impacted its IT and telephone servers, disrupting virtual learning and leaving students and staff with no access to the university intranet. The Information Commissioner's Office has been notified, and Northamptonshire Police is working with the National Cyber Security Centre to support the university’s investigation.