New Zealand's central bank deals with breach. Car-sharing service breached. Recovering from ransomware. UN agency personnel data exposed.
Special Section
Summary
By the CyberWire staff
At a glance.
- Reserve Bank of New Zealand experiences a breach in what may have been a third-party incident.
- Montréal car-sharing service suffers data breach.
- Update on recovery from ransomware attack on Texas utilities.
- United Nations personnel data exposed.
New Zealand’s central bank suffers breach.
The Reserve Bank of New Zealand (RBNZ), the country’s central bank, sustained a breach through a third-party file sharing service, Yahoo News reports. While the Reserve Bank announced on Sunday that the potentially compromised data were “sensitive,” it has not specified which information was affected. RBNZ governor Adrian Orr stated, "The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information." He also confirmed that the system had been secured and that the bank is working with security experts and authorities to investigate the nature of the breach. An RBNZ spokesman initially declined to name the file sharing service in question, the New Zealand Herald reports, but CNBC says it was US-based Accellion. CNBC also notes that RBNZ doesn't think it was specifically targeted, but that it was simply collateral damage in a wider incident affecting other users of the service. New Zealand saw a 33% increase in cyberattacks last year, with targets including the local stock exchange and various corporations.
Cyberattack puts the brakes on Canadian car-sharing service.
Communauto, a car-sharing company based in Montréal, Canada, was the victim of a cyberattack over the holidays, says the Montreal Gazette. The compromised client data include names, membership numbers, and street addresses, but the company asserts that, fortunately, credit card information was not affected because it is stored in a third-party database. Communauto CEO Benoît Robert stated that while the breach and investigation have interfered with some services, the company has spoken with the hackers, who have promised that the stolen data have been destroyed. Let’s hope these cybercriminals keep their word.
Slow drip of progress on Texas utilities ransomware attack.
It was discovered over a month ago that Texarkana Water Utilities (TWU), located in the US state of Texas, had suffered a ransomware attack. Now officials tell the Texarkana Gazette that personnel are growing impatient over a lack of transparency in the subsequent investigation. The incident impacted multiple local government agencies, from the Texarkana Texas Police Department to the Bowie County Justices of the Peace, closing some offices and leaving many employees without access to essential digital records or, in some cases, even hardware. Officials have stated that they feel the investigators have been less than forthcoming with information about the incident. Bowie County Judge Bobby Howell stated that the county has been advised by their legal advisors to refrain from speaking publicly about the ongoing criminal investigation. He acknowledged that the impact of the incident is complicated and that it is uncertain when systems will be up and running again, but advised those concerned to "Be patient. We will put some information out when the time is right."
UN staffers' records exposed.
BleepingComputer reports that researchers associated with Sakura Samurai found exposed Git repositories containing slightly more than a hundred thousand private employee records held by the United Nations Environment Programme. The exposure placed personal information at risk.
We received comment on the incident from a number of industry experts. KnowBe4 Security Awareness Advocate Javvad Malik commented that the discovery is an object lesson in how easy it can be to lose sight of what data you have, and where those data are held:
"It's easy for organizations, especially global ones, to have data spread out across various systems and platforms. Keeping track of all these disparate systems can be challenging enough, and ensuring the right security settings are applied and that credentials are appropriately managed is key. While many technologies and processes exist to help secure organizations to prevent these kinds of issues, it is essential that organizations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organization as it's not something a security department can do on their own."
Paul Bischoff, privacy advocate at Comparitech, sees this as a common and widespread developer error:
“Exposing credentials in public GitHub repositories is a common developer oversight, and cybercriminals routinely scan GitHub for exposed credentials to steal. Last year, our research team set up a honeypot GitHub repo containing access credentials to some dummy AWS servers. It took hackers just one minute to find the credentials and break into our honeypot servers. So it's very likely that cybercriminals accessed the UNEP data before researchers. Developers need to scan their code for credentials before committing it to GitHub. For additional security, they can avoid creating an access key for the root user, use temporary security credentials instead of long-term access keys, properly configure IAM users, rotate keys periodically, and remove unused keys.
"UN staff should be on the lookout for targeted phishing and scam messages from fraudsters posing as UNEP employees or administrators. Always verify the sender of an email or other message before responding. Never click on links or attachments in unsolicited emails and messages.”
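The pre-commit credential scan Bischoff recommends can be a small script run on the staged diff. The following is an added example written for this page; it is not code from Comparitech, the CyberWire, or any of the organizations mentioned. The AWS access key ID shape (`AKIA`/`ASIA` plus 16 uppercase alphanumerics) and the two sample key values come from AWS's public documentation; the other regexes, the `# allow-secret` marker, and the sample diff are constructed assumptions for illustration only.

```python
"""Scan a unified diff for credential-like strings before a commit lands (example only)."""
import re
import subprocess
import sys
from typing import List, NamedTuple

# Credential shapes to flag. Only the AWS access key ID format is documented by AWS;
# the remaining patterns are assumptions chosen for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Lines carrying this marker are deliberate placeholders and are not reported (assumed convention).
ALLOWLIST_MARKER = "# allow-secret"

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


class Finding(NamedTuple):
    path: str
    line: int
    kind: str


def scan_line(text: str) -> List[str]:
    """Return the names of every credential pattern matched by one line of source."""
    if ALLOWLIST_MARKER in text:
        return []
    return [kind for kind, pattern in SECRET_PATTERNS.items() if pattern.search(text)]


def scan_diff(diff_text: str) -> List[Finding]:
    """Walk a unified diff and report credential-like strings on added lines only.

    Hunk headers give the line number in the new file, so findings can be reported
    as path:line. Removed lines are ignored: deleting a secret is the desired outcome.
    """
    findings: List[Finding] = []
    path = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff ") or raw.startswith("--- "):
            continue
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: no line number in the new file
        if raw.startswith("+"):
            for kind in scan_line(raw[1:]):
                findings.append(Finding(path, new_line, kind))
        new_line += 1  # added and context lines both advance the new-file counter
    return findings


def staged_diff() -> str:
    """Return the staged diff with zero context, which is what a pre-commit hook inspects."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample diff: two real-looking AWS values (AWS documentation examples),
# one harmless line, and one allowlisted placeholder.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,4 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DEBUG = True
+PLACEHOLDER = "AKIAXXXXXXXXXXXXXXXX"  # allow-secret
"""


if __name__ == "__main__":
    # Run with --demo to scan the embedded sample; otherwise scan the real staged diff.
    diff = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    results = scan_diff(diff)
    for f in results:
        print(f"{f.path}:{f.line}: possible {f.kind}; remove it and rotate the credential")
    sys.exit(1 if results else 0)
```

Installed as `.git/hooks/pre-commit`, a non-zero exit blocks the commit, which is the cheap point to catch a key; once it has reached a shared repository the only safe response is rotation, since history rewriting does not undo a clone already taken.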
And Chris Hauk, consumer privacy champion at Pixel Privacy, wrote that the sensible assumption is that bad actors probably found the same stuff the white hats did:
“As it appears likely that bad actors have...accessed the UN data, UN staff will need to be aware that the bad guys will likely use the information gained in the breach to attempt to use a bit of social engineering to obtain more information or to launch attacks on UN servers. Bad actors may send emails or text messages leveraging the information they have, in order to appear to be legitimate communications from other employees or supervisors.”
Speaking of white hats, Sakura Samurai drew some industry applause for their work. Saryu Nayyar, CEO of Gurucul, wrote:
“Ethical Hacking group Sakura Samurai's exposure of the United Nations Environment Program's git repositories is another classic example of the consequences of an unintentional misconfiguration. Fortunately, the UN's IT team reacted quickly to close the hole, but it is likely that threat actors had already discovered the vulnerable data and acquired it themselves.
“This shows that even multinationals with mature cybersecurity practices are not immune to this kind of misconfiguration, and points out the need for regular configuration reviews along with a full security stack that includes security analytics to identify and remediate these vulnerabilities before threat actors can discover them.”
Chloé Messdaghi, Chief Strategist, Point3 Security, agreed, and took note of the responsible disclosure:
“Our applause to Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted.
“Also, it wasn’t well known that the UN has a vulnerability disclosure policy, and that’s ironic as these types of organizations are the ones that need it the most. The process the researchers faced could have been a bit more transparent. When a researcher reports something, the organization’s contact person needs to know who to direct the information to in order to immediately get the ball rolling – otherwise it slows down the process. An automated ticketing process isn’t appropriate for vulnerability disclosure input.
“But as soon as these researchers did get direct contact, they were met with people who probably didn’t understand the problem but did fully realize the importance of fixing it immediately. These researchers have enormous respect for those at the UN who handled this matter.
“Also, Sakura Samurai made sure NOT to disclose anything until the problem was patched, in order to sustain and support the UN’s compliance with GDPR regulations. This is a good example of how vulnerability disclosure policies work, and the value of working closely with independent researchers, i.e., hackers.”
Selected Reading
United Nations data breach exposed over 100k UNEP staff records (BleepingComputer) This week, researchers have responsibly disclosed a vulnerability by exploiting which they could access over 100K private records of United Nations Environmental Programme (UNEP). The data breach stemmed from exposed Git directories which let researchers clone Git repositories and gather PII of a large number of employees.
New Zealand central bank hit by cyber attack (Yahoo) New Zealand's central bank said Sunday it was responding with urgency to a "malicious" breach of one of its data systems, a third-party file sharing service that stored "sensitive information".
New Zealand Central Bank Probing Data Breach (Bloomberg) The Reserve Bank of New Zealand says it’s investigating an illegal breach of a third-party file sharing service used to share and store some sensitive information. Paul Allen reports on "Bloomberg Daybreak: Asia."
Reserve Bank data breach: Sensitive information illegally accessed (New Zealand Herald) Reserve Bank's system has been breached.
New Zealand central bank says it was not a specific target of cyberattack (CNBC) New Zealand's central bank said on Monday a cyberattack that breached its data systems also affected other users of a third-party application.
Ransomware Read Me First: Don't Get Scammed... Twice (GroupSense) Read this before clicking on that 'Unencrypt my files now!' advertisement. You'll thank us later...
Trickbot Still Alive and Well (The DFIR Report) The Trickbot threat actors used Cobalt Strike to pivot throughout the domain, dumping lsass and ntds.dit as they went. They used tools such as AdFind, Nltest, Net, Bloodhound, and PowerView to peruse the domain, looking for high privileged credentials to accomplish their mission. They used PowerShell, SMB, and WMI to move laterally.
Dassault Falcon Jet Disclosed Data Breach – Ransomware Suspected (Latest Hacking News) Dassault Falcon Jet Corps. disclosed a data breach in December 2020. It now turns out that the firm suffered a Ragnar Locker ransomware attack.
Chinese start-up leaked 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users (SafetyDetectives) High-flying and rapidly growing Chinese social media management company Socialarks has suffered a huge data leak leading to the exposure of over 400GB of person
Communauto hit by cyber attack (Montreal Gazette) The Montreal-based car-sharing service says hackers were unable to get access to members' credit card numbers.
Cities, county still reeling in wake of cyberattack (Texarkana Gazette) As multiple agencies in both Texarkanas and Bowie County remain crippled by a ransomware attack discovered more than a month ago, frustration at a lack of information and progress grows among officials and personnel.
Italy's Ho Mobile issues new SIM serial codes following data breach (Telecompaper) Vodafone Italia's low-cost brand Ho Mobile announced that it will be protecting customers affected by a recent data breach by automatically issuing new SIM card serial codes. In a statement, the company said it will be generating new ICCID codes and informing customers via SMS that their previous code is no longer valid, preventing any possibility of telephone fraud or SIM swap attacks and allowing them to retain their number and safely change operator in the future.
From camera doorbells to security drones — how your home tech could spy on you (The Sun) Trembling with fear, mum-of-three Lianne Davies peered out of her bedroom window into the dark winter night. Though nobody was visible, she heard a stranger loudly threatening her husband Paul on h…
UK Mass Hacking Ruled Illegal (Forbes) After five years of legal wrangling, the UK High Court has ruled that the security and intelligence services cannot search the computers and phones of millions of people under a single 'general warrant'.
Scottish Labour investigate reported breach of data regulations by party’s former deputy leader (Morning Star) Scottish Labour is investigating a reported breach of data regulations by the party’s former deputy leader.
What does Twitter's GDPR fine mean for your business? (Business Leader) Twitter’s recent $500,000 fine for breaching data protection laws demonstrates the need for businesses of all sizes to ensure contracts with organisations who process data for them are carefully drafted, according to a specialist technology law firm.
Assange Victory Leaves Whistleblowers, Journalists Hanging (Law360) A U.K. court's recent refusal to endorse claims that the prosecution of Julian Assange amounts to an attack on freedom of speech highlights the need to introduce a public interest defense into English law to protect journalists and whistleblowers, lawyers say.
WSJ News Exclusive | Is Your iPhone Passcode Off Limits to the Law? Supreme Court Ruling Sought (Wall Street Journal) Two civil-liberties groups are asking the U.S. Supreme Court to rule on the knotty digital-privacy question involving personal devices.
BREAKING: Supreme Court Takes Up Calif. Donor Privacy Cases (Law360) The U.S. Supreme Court on Friday agreed to hear two petitions by conservative advocacy groups challenging a California law requiring charitable organizations to disclose donor information, which the groups argue chills First Amendment associational rights.
Protecting Data Breach Investigations From Disclosure (Bloomberg Law) Attorneys for companies involved in data breach litigation or investigations often use forensic investigators to uncover information about the breach. Alston & Bird attorneys say some courts have found this work discoverable depending on the facts surrounding the investigation and offer ways for companies to protect it from disclosure under the attorney-client privilege, the work product doctrine, the protection from disclosure of opinions of non-testifying experts, or a combination of the three.