At a glance.
- Reserve Bank of New Zealand experiences a breach in what may have been a third-party incident.
- Montréal car-sharing service suffers data breach.
- Update on recovery from ransomware attack on Texas utilities.
- United Nations personnel data exposed.
New Zealand’s central bank suffers breach.
The Reserve Bank of New Zealand (RBNZ), the country’s central bank, sustained a breach through a third-party file sharing service, Yahoo News reports. While the Reserve Bank announced on Sunday that the potentially compromised data were “sensitive,” it has not specified which information was affected. RBNZ governor Adrian Orr stated, "The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information." He also confirmed that the system had been secured and that the bank is working with security experts and authorities to investigate the nature of the breach. An RBNZ spokesman initially declined to name the file sharing service in question, the New Zealand Herald reports, but CNBC says it was US-based Accellion. CNBC also notes that RBNZ doesn't think it was specifically targeted, but rather that it was collateral damage in a compromise of the service itself. New Zealand saw a 33% increase in cyberattacks last year, with targets including the local stock exchange and various corporations.
Cyberattack puts the brakes on Canadian car-sharing service.
Communauto, a car-sharing company based in Montréal, Canada, was the victim of a cyberattack over the holidays, the Montreal Gazette reports. The compromised client data include names, membership numbers, and street addresses, but the company says that, fortunately, credit card information was not affected because it is stored in a separate third-party database. Communauto CEO Benoît Robert said that while the breach and investigation have disrupted some services, the company has spoken with the attackers, who promised that the stolen data have been destroyed. Let’s hope these cybercriminals keep their word.
Slow drip of progress on Texas utilities ransomware attack.
It was discovered over a month ago that Texarkana Water Utilities (TWU), in the US state of Texas, had suffered a ransomware attack. Now officials tell the Texarkana Gazette that personnel are growing impatient with the lack of transparency in the subsequent investigation. The incident affected multiple local government agencies, from the Texarkana Texas Police Department to the Bowie County Justices of the Peace, closing some offices and leaving many employees without access to essential digital records or, in some cases, even hardware. Officials say they feel the investigators have been less than forthcoming with information about the incident. Bowie County Judge Bobby Howell said the county has been advised by its legal counsel to refrain from speaking publicly about the ongoing criminal investigation. He acknowledged that the impact of the incident is complicated and that it is uncertain when systems will be restored, but advised those concerned to "Be patient. We will put some information out when the time is right."
UN staffers' records exposed.
BleepingComputer reports that researchers associated with Sakura Samurai found exposed Git repositories containing a bit more than a hundred thousand private employee records held by the United Nations Environment Programme (UNEP). The exposure placed personal information at risk.
We received comment on the incident from a number of industry experts. KnowBe4 Security Awareness Advocate Javvad Malik commented that the discovery is an object lesson in how easy it can be to lose sight of what data you have, and where those data are held:
"It's easy for organizations, especially global ones, to have data spread out across various systems and platforms. Keeping track of all these disparate systems can be challenging enough, and ensuring the right security settings are applied and that credentials are appropriately managed is key. While many technologies and processes exist to help secure organizations to prevent these kinds of issues, it is essential that organizations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organization as it's not something a security department can do on their own."
Paul Bischoff, privacy advocate at Comparitech, sees this as a common and widespread developer error:
“Exposing credentials in public Github repositories is a common developer oversight, and cybercriminals routinely scan Github for exposed credentials to steal. Last year, our research team set up honeypot Github repos containing access credentials to some dummy AWS servers. It took hackers just one minute to find the credentials and break into our honeypot servers. So it's very likely that cybercriminals accessed the UNEP data before researchers. Developers need to scan their code for credentials before committing it to Github. For additional security, they can avoid creating an access key for the root user, use temporary security credentials instead of long-term access keys, properly configure IAM users, rotate keys periodically, and remove unused keys.
“UN staff should be on the lookout for targeted phishing and scam messages from fraudsters posing as UNEP employees or administrators. Always verify the sender of an email or other message before responding. Never click on links or attachments in unsolicited emails and messages.”
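The pre-commit scan Bischoff recommends, shown as an added example from the editor rather than code from Comparitech, UNEP or the researchers: a Python hook that reads every file staged for the next commit and refuses the commit if a credential pattern is found. It goes a little beyond the AWS-only case in the quote by also catching private key headers and generic password assignments, and it uses a Shannon entropy gate so that placeholders such as AKIAXXXXXXXXXXXXXXXX or "changeme" do not trip it. The rule names, thresholds and the sample configuration are this example's own assumptions; the key values in the sample are AWS's documentation placeholders, not live credentials.

```python
#!/usr/bin/env python3
"""Pre-commit credential scanner (added example, not a real project's tooling).

Install as .git/hooks/pre-commit (chmod +x). Run with --demo to see it act on
the constructed SAMPLE below instead of the git index.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # redacted: never echo a whole secret into hook output or CI logs


# (rule name, regex whose group 1 is the candidate secret, minimum Shannon entropy
# in bits per character). Thresholds are this example's assumptions: the gate
# suppresses obvious placeholders at the cost of missing low-entropy real secrets,
# so tune it per repository.
RULES = [
    ("aws_access_key_id",
     re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"), 2.5),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}"
                r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"), 4.0),
    ("private_key_block",
     re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"), 0.0),
    ("generic_password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{8,})"), 3.0),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty string or one repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(secret: str) -> str:
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line of one file; findings come back in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, min_entropy in RULES:
            for match in pattern.finditer(line):
                candidate = match.group(1)
                if shannon_entropy(candidate) >= min_entropy:
                    findings.append(Finding(path, line_no, rule, redact(candidate)))
    return findings


def staged_files():
    """Yield (path, contents) for every file added or modified in the git index."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"],
        capture_output=True, text=True, check=True).stdout
    for path in filter(None, names.split("\0")):
        # ":path" is the index (staged) version, so line numbers match what will be committed.
        blob = subprocess.run(["git", "show", f":{path}"],
                              capture_output=True, check=True).stdout
        yield path, blob.decode("utf-8", errors="replace")


# Constructed sample config: AWS documentation placeholder keys plus two
# placeholder values the entropy gate is expected to ignore (lines 3 and 4).
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
placeholder_key_id = AKIAXXXXXXXXXXXXXXXX
db_password = changeme
admin_password = 'Tr0ub4dor&3x!'
-----BEGIN RSA PRIVATE KEY-----
"""


def main(argv: list[str]) -> int:
    if "--demo" in argv:
        findings = scan_text("sample.cfg", SAMPLE)
    else:
        findings = [f for path, text in staged_files() for f in scan_text(path, text)]
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    if findings:
        print("commit blocked: remove the credential and rotate it; a key that reached "
              "the working tree should already be treated as exposed", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample, the hook reports the access key ID, the secret key, the quoted admin password and the private key header, and stays silent on the two placeholders. A hook like this is a last line of defence on one developer's machine, not a control: run the same rules over the full commit history and in CI as well, and treat any key the scan finds as already leaked, since it may have been pushed or mirrored before the scan ran, which is exactly the point Bischoff makes about the honeypot.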
And Chris Hauk, consumer privacy champion at Pixel Privacy, wrote that the sensible assumption is that bad actors probably found the same stuff the white hats did:
“As it appears likely that bad actors have...accessed the UN data, UN staff will need to be aware that the bad guys will likely use the information gained in the breach to attempt to use a bit of social engineering to obtain more information or to launch attacks on UN servers. Bad actors may send emails or text messages leveraging the information they have, in order to appear to be legitimate communications from other employees or supervisors.”
Speaking of white hats, Sakura Samurai drew some industry applause for their work. Saryu Nayyar, CEO of Gurucul, wrote:
“Ethical Hacking group Sakura Samurai's exposure of the United Nations Environment Program's git repositories is another classic example of the consequences of an unintentional misconfiguration. Fortunately, the UN's IT team reacted quickly to close the hole, but it is likely that threat actors had already discovered the vulnerable data and acquired it themselves.
“This shows that even multinationals with mature cybersecurity practices are not immune to this kind of misconfiguration, and points out the need for regular configuration reviews along with a full security stack that includes security analytics to identify and remediate these vulnerabilities before threat actors can discover them.”
Chloé Messdaghi, Chief Strategist, Point3 Security, agreed, and took note of the responsible disclosure:
“Our applause to Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted.
“Also, it wasn’t well known that the UN has a vulnerability disclosure policy, and that’s ironic as these types of organizations are the ones that need it the most. The process the researchers faced could have been a bit more transparent. When a researcher reports something, the organization’s contact person needs to know who to direct the information to in order to immediately get the ball rolling – otherwise it slows down the process. An automated ticketing process isn’t appropriate for vulnerability disclosure input.
“But as soon as these researchers did get direct contact, they were met with people who probably didn’t understand the problem but did fully realize the importance of fixing it immediately. These researchers have enormous respect for those at the UN who handled this matter.
“Also, Sakura Samurai made sure NOT to disclose anything until the problem was patched, in order to sustain and support the UN’s compliance with GDPR regulations. This is a good example of how vulnerability disclosure policies work, and the value of working closely with independent researchers, i.e., hackers.”