Third-party risks hit universities, associations. Financial services data breaches. State employee successfully phished.
At a glance.
- US Geospatial Intelligence Foundation and AFCEA are affected by a third-party breach.
- Firefox upgrades browser privacy.
- Update on the Flagstar breach.
- Data exposure at FBS.
- California state employee lured in by phishing scam.
- Clop ransomware gets to Universities of Colorado and Miami via Accellion compromise.
- University of Northampton intranet hit by cyberattack.
SPARGO breach exposes data from two US government conferences.
As the CyberWire Daily Podcast noted yesterday, the Armed Forces Communications and Electronics Association and the US Geospatial Intelligence Foundation have both disclosed that SPARGO, a third-party vendor they work with, has experienced a data breach resulting from a ransomware attack. The Federal News Network reports that SPARGO, Inc., an events management company based in the state of Virginia, assists both organizations with registration for conferences, so the breach potentially exposed members’ personal data like names and addresses, but sensitive data like financial information or dates of birth were likely not compromised.
New Firefox privacy feature blocks without breaking.
Security Week reports that Mozilla is releasing a new privacy feature for the Firefox 87 browser called SmartBlock. Used in Firefox’s Private Browsing and Strict Mode, the intelligent tracker blocking mechanism improves user privacy by blocking third-party tracking content while simultaneously providing stand-ins for the third-party tracking scripts to ensure that all websites function properly even if tracking attempts are blocked.
Flagstar Bank breach larger than anticipated.
As the CyberWire noted earlier this month, Michigan-based Flagstar Bank disclosed that it was impacted by the breach of Accellion’s file transfer service, and the Clop ransomware gang added insult to injury by posting the private data of nearly twenty of the bank’s employees. BGR now reports that the amount of data stolen by the threat actors is far larger than originally assumed. Many of Flagstar’s customers have been sharing communications they’ve received from the bank indicating that the cybercriminals accessed highly sensitive data, including social security numbers, of not only bank employees, but customers and other individuals associated with the bank. Flagstar is extending free identity theft monitoring services to all impacted customers.
Forex breach exposes 20TB of highly sensitive data.
Researchers at WizCase report that they’ve discovered a data leak involving forex online trading broker FBS. The team of white hat hackers found an unsecured ElasticSearch server belonging to FBS that contained nearly 20TB of data, or more than 16 billion records of confidential information including login credentials, passport numbers, credit card details, and financial transactions of millions of FBS users. As Finance Feeds explains, FBS has over 400,000 partners and 16 million traders in more than 190 countries, and if a black hat were to find the data contained in the server, the repercussions could range from phishing scams to business espionage. The database was found by WizCase and reported to FBS in early October 2020, and FBS secured the server within just a few days.
California State Controller reports data breach.
The California State Controller’s Office (SCO) released a statement explaining that a threat actor gained access to the email account of an employee in its Unclaimed Property Division. After falling for a phishing email, the employee unwittingly submitted their login credentials on a malicious website. The compromised data in the account includes the social security numbers and other personal identifying information of thousands of state workers. KrebsOnSecurity reports that in addition to accessing the account, the threat actor also sent malicious spear-phishing emails to over nine thousand of the employee’s contacts. It’s worth noting that although SCO does offer employee training on detecting phishing scams, due to a recent change in the training guidelines not all employees are required to participate. According to an SCO spokesperson, SCO has reached out to the contacts who may have received a malicious email from the intruder, and the office is notifying all individuals whose data might have been exposed.
James McQuiggan, security awareness advocate at KnowBe4, pointed out that, really, it takes just one employee to make a mistake:
“One user clicks a link and enters their credentials on a fake login page. Its impact is exponentially problematic for the organization, from loss of data to damage to their brand and potential revenue loss. This event supports the issue that all organizations need to educate and phish their employees regularly to ensure they are aware of and know how to spot and report socially engineered emails. Organizations want to ensure they have the email feature to alert users of external emails. A banner or bolded text at the top of the email informs the employee that they are reading an external email, which alerts them to pay extra attention, as it could be malicious, with attachments or phishing links.
"Employees always want to check the links by taking the extra moment to examine them by hovering over the link to verify if it is legitimate. Sometimes it can be challenging to determine if it is a real link or not. Having an alert tool within the organization where the employees can report potential phishing emails can reduce the risk of attacks and ensure that the employee is taking the proper actions to protect the organization.”
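The two controls McQuiggan describes, an external-sender banner and checking where a link really points before clicking, can both be automated at the mail gateway. The following is an added example written for this briefing; it is not code from CyberWire, KnowBe4 or any vendor mentioned above. It tags mail whose From domain is outside the organization and flags anchors whose visible text shows one host while the href goes to another (the mismatch that hovering over a link reveals). INTERNAL_DOMAINS, the banner wording and the two sample messages are constructed assumptions.

```python
# Added example: gateway-side external-mail tagging and lookalike-link detection.
# INTERNAL_DOMAINS and the sample messages below are constructed assumptions.
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organization's own mail domains
BANNER = ("[EXTERNAL] This message came from outside the organization. "
          "Treat links and attachments with extra care.")


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if absent)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    return sender_domain(msg) not in INTERNAL_DOMAINS


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (shown_text, real_href) pairs where the visible text looks like a
    URL or hostname but the href resolves to a different host."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if " " in text or "." not in text:      # plain words like "click here"
            continue
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            found.append((text, href))
    return found


def annotate(raw_message):
    """Parse one RFC 5322 message and return what the gateway would add to it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    external = is_external(msg)
    subject = str(msg.get("Subject", ""))
    return {
        "external": external,
        "subject": ("[EXTERNAL] " + subject) if external else subject,
        "banner": BANNER if external else "",
        "mismatched_links": mismatched_links(html),
    }


# Constructed sample: lookalike sender domain, and a link whose visible text is
# the real SSO portal while the href points at the lookalike host.
PHISH_SAMPLE = """From: IT Support <helpdesk@examp1e-org.com>
To: staff@example.org
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Sign in at
<a href="http://login.examp1e-org.com/reset">https://sso.example.org/login</a>
to keep access.</p>
"""

# Constructed sample: ordinary internal mail with a plain "click here" link.
INTERNAL_SAMPLE = """From: Payroll <payroll@example.org>
To: staff@example.org
Subject: March payslips
Content-Type: text/html; charset="utf-8"

<p>Payslips are ready: <a href="https://hr.example.org/payslips">click here</a>.</p>
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, INTERNAL_SAMPLE):
        print(annotate(sample))
```

The subject tag and banner are what the user sees; the mismatched-link list is what a gateway could route to the reporting tool McQuiggan mentions, so the message arrives already marked as suspicious rather than relying on every employee to hover over every link.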
Purandar Das, CEO and Co-Founder of Sotero, notes how even an apparently trivial intrusion can be the entering wedge of a significant attack:
"Even a seemingly innocuous malicious attack can enable attackers to gain insights and valuable information that can be used to cause long lasting damage to consumers and organizations. The security focus for organizations has to evolve to be data centric regardless of where it is stored. As important as perimeter security is, securing data regardless of location has to become the objective. Organizations have to start planning and deploying data centric security solutions assuming that the perimeter can and will be breached."
Clop ransomware afflicts Universities of Colorado and Miami.
As the impact of the Accellion FTA breach continues to unfold, CBS Denver reports that cybercriminals have published data online that was allegedly stolen from the University of Colorado as a result of the breach, believed to be the largest data breach in the school’s history. The Clop threat group has been leaking data from several organizations impacted by the Accellion breach, but as Emsisoft cybersecurity threat analyst Brett Callow states, “Whether Clop is responsible for the hacks or is simply handling the extortion is impossible to say, but I suspect the latter.”
BleepingComputer reports that Colorado wasn't the only university hit by Clop via Accellion: the University of Miami was also affected.
Classic ransomware affected data availability. Over the past year it has become routine for it to attack data privacy as well. Eddy Bobritsky, CEO of Minerva Labs, sent us some comments on how this tendency was on display during the Clop ransomware incidents at Colorado and Miami:
"Ransomware groups are continuing with the trend of data theft in addition to encryption. Devious ransomware operators understand that they can gain an edge in ransom negotiation by threatening not only to lock corporate data, but to leak it as well. Virtually all big ransomware groups have started leak sites where stolen data is published and unpaying victims are shamed.
"Clop Ransomware group usually penetrates the network by using loaders and downloaders, specifically Get2 and Sdbbot which tend to be more evasive, with the goal of assessing the profitability of the target before dropping major tools that can be compromised by defenders.
"This is another example that demonstrates the importance for organizations to protect themselves before the attack, no matter the organization type or size. This also shows why it is important not to rely only on detection and response solutions that were never built to prevent threats from execution; they were built to detect them first. In fact, in the past 10 years, year over year more money has been invested in endpoint security and yet, year over year the number of successful ransomware attacks increases. The time to detect and contain the breach increases together with the cost of a breach, of course, while the shortage in cyber security experts increases as well. The industry should adopt a new approach and technologies that are scalable and built to prevent modern threats before any damage has been done, at the beachhead - solutions that will enable organizations of any size to deal with modern cyber threats regardless of their team’s size, skillset and toolset."
We also heard from Jerome Becquart, COO of Axiad, who called for better user education and improved organizational digital hygiene:
“In today's landscape no organization is safe, whether you are in healthcare, education, transportation etc., which is why it is critical for all organizations to adopt good cybersecurity hygiene and educate their users. Protecting users from phishing emails by digitally signing emails, moving away from passwords, and adopting multifactor authentication (MFA) are all part of the digital transformation organizations need to take to stay safe.
"With the acceleration in digital transformation, there has also been a rise in security risks, which need to be addressed. Protecting users from phishing emails by digitally signing emails, moving away from passwords, and adopting MFA should all be part of the new strategy organizations need to adopt to secure their digital perimeter.”
Niamh Muldoon, global data protection officer at OneLogin, discussed lessons on due diligence that can be drawn from the incidents.
“As expected, we are continuing to see the impact of the Accellion file-sharing data breach expand. We applaud the due diligence that many of the affected organizations are taking to be transparent with customers, partners, employees, and with CU, their students, about the exposure of their personally identifiable information (PII). As it appears to be the case with the University of Miami, an organization may not be directly exposed to the breach, but they may be using services or technology supported by Accellion.
"It is important to incorporate access control and data lifecycle management into risk assessment by asking about past data/files transfers, and whether those files have been properly managed, such as having access removed when it is no longer required. The results of the cross-functional risk assessment will determine if the organization is vulnerable per the versions of Accellion exploited by malicious attacker/s. Having your security and/or technology organization monitor and track official communications issued by Accellion will allow them to keep up-to-date.
"This is especially important because as the investigation continues more data will become available which may impact the associated risk to your organization, and require your organization to take more actions to reduce risk. If you are unclear from official communications whether your organization is using a vulnerable version or not, reach out to Accellion for clarity - don’t just assume it's ok.”
Trevor Morgan, product manager at comforte AG, also took up lessons to be learned from the data breaches:
“As the Accellion-related fallout continues—this time at University of Colorado and University of Miami Health System—it’s a good time to reiterate the lessons learned. To begin with, always perform software patches and upgrades as soon as they are available. When software becomes outdated or meets its end of life status, make sure you look for current and fully supported products. In addition, keep in mind that threat actors are always looking for ways to get to your sensitive data. Outmoded protection methods such as perimeter security and access control no longer guard against concentrated efforts, and other methods such as standard encryption can also be cracked and can be a burden to administer.
"Therefore, look for ways to protect the data itself rather than the borders around it, an approach known as data-centric protection and which includes methods such as tokenization. Tokenization replaces sensitive information with benign but meaningless tokens, so even if hackers get to your data, it is unintelligible and therefore worthless to them. Lastly, know that the fifteen minutes of infamy you will experience if your sensitive data is compromised can cause lasting and irreparable harm to your business, especially reputational damage. Avoid it at all costs through increased attentiveness to data security.”
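Morgan's point that tokenized data is "unintelligible and therefore worthless" to whoever steals it is easiest to see in code. The following is an added example written for this briefing, not code from comforte AG or CyberWire: a minimal tokenization vault that swaps sensitive fields for random tokens of the same format, keeps the only value-to-token mapping inside the vault, and gates the reverse lookup behind a role check. The role name, the field names and the sample record are constructed assumptions.

```python
# Added example: a minimal tokenization vault illustrating data-centric
# protection. The allowed role, field names and sample record are assumptions.
import secrets
import string

DETOKENIZE_ROLES = {"fraud-analyst"}   # assumption: the only role that may reverse a token


def _random_like(value):
    """Random string with the same shape as value: digits stay digits, letters
    stay letters of the same case, separators (dashes, spaces) are kept."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            out.append(secrets.choice(pool))
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Holds the value<->token mapping. A copy of the tokenized records without
    this mapping carries no sensitive data, which is the point of the approach."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if not any(c.isalnum() for c in value):
            raise ValueError("nothing to tokenize")
        if value in self._to_token:          # same input -> same token, so joins still work
            return self._to_token[value]
        for _ in range(100):
            token = _random_like(value)
            if token != value and token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        raise RuntimeError("could not allocate a unique token")

    def detokenize(self, token, role):
        """Reverse lookup, permitted only for roles that genuinely need the clear value."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._to_value[token]

    def tokenize_record(self, record, fields):
        """Return a copy of the record with only the named fields replaced."""
        return {k: (self.tokenize(v) if k in fields else v) for k, v in record.items()}


def same_shape(a, b):
    """True if two strings have digits, letters and separators in the same places."""
    return len(a) == len(b) and all(
        (x.isdigit() and y.isdigit()) or (x.isalpha() and y.isalpha()) or x == y
        for x, y in zip(a, b))


# Constructed sample record resembling what a university or bank might hold.
SAMPLE_RECORD = {
    "name": "Constructed Student",
    "ssn": "123-45-6789",
    "card": "4111 1111 1111 1111",
    "grade": "A",
}
SENSITIVE_FIELDS = {"ssn", "card"}

if __name__ == "__main__":
    vault = TokenVault()
    safe = vault.tokenize_record(SAMPLE_RECORD, SENSITIVE_FIELDS)
    print(safe)                                          # tokens, no real SSN or card number
    print(vault.detokenize(safe["ssn"], "fraud-analyst"))  # only an authorized role gets it back
```

Because the tokens keep the original format and the same input always maps to the same token, downstream systems can still validate, index and join on the tokenized fields; only the vault, which stays inside the protected zone, can turn a token back into the real value.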
Cyberattack shuts down UK university intranet.
Not all university cyber incidents in the news involve third-party risk. In yet another addition to the ongoing wave of attacks on learning institutions across the globe, the BBC reports that the University of Northampton in the UK was hit by a cyberattack last week that impacted its IT and telephone servers, disrupting virtual learning and leaving students and staff with no access to the university intranet. The Information Commissioner's Office has been notified, and Northamptonshire Police is working with the National Cyber Security Centre to support the university’s investigation.
Step Carefully: Protecting Data Breach Expert Reports from Discovery (JD Supra) In order to provide legal advice to clients in the aftermath of a hacking, lawyers must rely on digital forensics investigators to understand the...
Japan gov't, many local bodies halt use of Line app following data breach (The Mainichi) After revelations that personal data of users of the free messaging app Line was accessible to a Chinese affiliate firm sent shockwaves acros
Microsoft Exchange servers targeted by second ransomware group (The Record by Recorded Future) In the midst of a patching frenzy, Microsoft Exchange email servers are under attack from a new ransomware gang. Going by the name of Black Kingdom, this ransomware gang was first spotted last year in June, when they used vulnerabilities in Pulse Secure VPN products to breach corporate networks and install their file-encrypting payload.
The Peculiar Ransomware Piggybacking Off of China’s Big Hack (Wired) DearCry is the first attack to use the same Microsoft Exchange vulnerabilities, but its lack of sophistication lessens the threat.
Data of 6.5 million Israeli citizens leaks online (The Record by Recorded Future) The voter registration and personal details of millions of Israeli citizens were leaked online on Monday, just two days before the country held general elections for its unilateral parliament, known as the Knesset.
A day before elections, hackers leaked details of millions of Israeli voters (Security Affairs) Hackers have exposed personal and voter registration details of over 6.5 million Israeli voters, less than 24 hours before the election. A few hours before the election in Israel, hackers exposed the voter registration and personal details of millions of citizens. The source of the data seems to be the app Elector developed by the […]
The Cybersecurity 202: Online scammers seize confusion about vaccine registration to steal personal information (Washington Post) Online scams luring victims with promises of a vaccine are spiking, according to a new report out today from researchers at cybersecurity firm Palo Alto Networks.
Fake Websites Used in COVID-19 Themed Phishing Attacks, Impersonating Brands Like Pfizer and BioNTech (Unit42) We describe trends in COVID-19 themed phishing attacks since the start of the pandemic to gain insight into the topics that attackers try to exploit.
A recent cyberbreach proves that Florida’s drinking water is surprisingly easy to poison (Orlando Weekly) Out of their depth
Industrial giant Honeywell says it has ‘returned to service’ after cyber intrusion (CyberScoop) Honeywell, a Fortune 100 firm that makes aerospace and energy equipment, said Tuesday that malware had disrupted “a limited number” of its computer systems. Honeywell said it had “returned to service” following the incident, but the Charlotte, North Carolina-based firm’s statement did not elaborate on how service was disrupted.
Two large government conference organizers suffer data breach (Federal News Network) In today’s Federal Newscast, two large government conference organizers say the third party vendor they use for conference registration was the victim of a ransomware attack.
This is some of the worst news that a bank customer can get after a hack (BGR) Earlier this month, the Michigan-based bank Flagstar disclosed that a security incident had occurred, following the hack by a group of ransomware attackers who exploited a bank vendor’s zero-…
Sierra Wireless Says Ransomware Disrupted Production at Manufacturing Facilities (SecurityWeek) IoT company Sierra Wireless was recently targeted in a ransomware attack that disrupted production at manufacturing facilities.
CNA insurance firm hit by a cyberattack, operations impacted (BleepingComputer) CNA Financial, a leading US-based insurance company, has suffered a cyberattack impacting its business operations and shutting down its website.
Phish Leads to Breach at Calif. State Controller (KrebsOnSecurity) A phishing attack last week gave attackers access to email and files at the California State Controller's Office (SCO), an agency responsible for handling more than $100 billion in public funds each year. The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security…
Notice of Data Breach (California State Controller's Office: Unclaimed Property) An employee of the California State Controller’s Office (SCO) Unclaimed Property Division clicked on a link in an email they received and then entered their user ID and password as prompted, unknowingly providing an unauthorized user with access to their email account. The unauthorized user had access to the account from March 18, 2021 at 1:42 p.m. to March 19, 2021 at 3:19 p.m.
BREAKING: FBS major leak exposes clients data (FinanceFeeds) Nearly 20TB of data was leaked comprising more than 16 billion records. Millions of FBS users spread across the world were affected.
Data Breach: Millions of Confidential Records Exposed in Online Trading Broker Data Leak (WizCase) Ata Hakcil led the team of white hat hackers from WizCase in identifying a major data leak on online trading broker FBS’ websites. The data from FBS.com and FBS.eu comprised millions of confidential records including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more. Were such detailed personally identifiable ...
Hobby Lobby Exposes Customer Data in Cloud Misconfiguration (Threatpost) The arts-and-crafts retailer left 138GB of sensitive information open to the public internet.
Ransomware gang leaks data stolen from Colorado, Miami universities (BleepingComputer) Grades and social security numbers for students at the University of Colorado and University of Miami patient data have been posted online by the Clop ransomware group.
Ransomware Group Leaks Information From CU Cyberattack On Dark Web (CBS Denver) A ransomware group has leaked data allegedly stolen from the University of Colorado on the dark web.
University of Northampton hit by cyber-attack (BBC News) The University of Northampton says it is still working to recover from the attack a week ago.
Alton confirms 'data incident' in early March (Alton Telegraph) City officials are acknowledging a data breach occurred earlier this...
Ransomware Extortion Threat Actors Post Data from 4 Healthcare Entities (HealthITSecurity) Three ransomware threat actors behind Avaddon, Conti, and the new variant Babuk leaked data they claim to have stolen from four healthcare providers in recent weeks, as the extortion trend continues.
Polk County Schools says student information may have been exposed in data breach (WTSP) The letter says the child's name, student identification number and date of birth were potentially exposed in a data breach in December 2019.
Fake romance, influencer scams thriving on Instagram (Tribuneindia News Service) Facebook-owned Instagram has seen a surge in frauds on its platform that were up by 50 per cent since the pandemic began, and scams related to romance, phishing and influencer sponsors top the chart, a new report said on Tuesday.