At a glance.
- Report: Experian partner API leaked data.
- Wyoming Department of Health warns of medical lab test data breach.
- Third-party breach affects First Horizon Bank.
- Babuk doxes DC police officers.
- DoppelPaymer hits Illinois Attorney General's office.
Experian lending partner bug exposes credit data.
Leading American consumer credit bureau Experian was notified of a flaw in their application programming interface (API) that exposed the credit scores of tens of millions of US users, KrebsOnSecurity reports. Independent researcher Bill Demirkapi discovered the issue when, while using a lender’s site, he noted that he was able to obtain his credit score by simply entering his name and street address. By examining the code, he determined that the lender’s site was using Experian’s API to retrieve the credit data, and he was even able to automate the process (cleverly dubbing the automation “Bill’s Cool Credit Score Lookup Utility”). Demirkapi, who refused to disclose the name of the lending site as he concluded the vulnerability was likely systemic, stated “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.” After being notified of the issue, Experian stated “We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter.” However, Demirkapi fears this is just a band-aid, as the issue could be present on other lending partners’ sites: “They found one endpoint I was using and sent it into maintenance mode. But this doesn’t address the systemic issue at all.”
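The weak pattern the report describes (a score unlocked by name and street address alone) set beside a hardened partner-gateway pattern that mandates non-public verifiers and throttles scripted sweeps, as an added Python example that is not from the report, from Experian, or from Demirkapi's tooling; the records, partner keys, field names and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
import hmac

# Constructed sample bureau records; none of this is real data.
RECORDS = {
    ("jane doe", "1 main st"): {"score": 712, "ssn_last4": "1234", "dob": "1980-01-01"},
    ("john roe", "2 oak ave"): {"score": 655, "ssn_last4": "9876", "dob": "1975-06-30"},
}

def weak_lookup(name, address):
    """Weak pattern from the report: public identifiers alone unlock the score."""
    rec = RECORDS.get((name.lower(), address.lower()))
    return rec["score"] if rec else None

class PartnerGateway:
    """Hardened pattern: non-public verifiers are mandatory, and every partner key is
    held to a lookup budget and a distinct-subject budget per window (hypothetical
    thresholds), so a script sweeping through one partner's integration is throttled
    and the sweep shows up as a per-partner event rather than scattered lookups."""
    def __init__(self, max_lookups=10, max_subjects=3, window=60):
        self.max_lookups, self.max_subjects, self.window = max_lookups, max_subjects, window
        self.events = defaultdict(deque)  # partner_key -> deque of (timestamp, subject)

    def _over_budget(self, partner_key, subject, now):
        q = self.events[partner_key]
        while q and now - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        q.append((now, subject))
        return len(q) > self.max_lookups or len({s for _, s in q}) > self.max_subjects

    def lookup(self, partner_key, name, address, ssn_last4, dob, now):
        subject = (name.lower(), address.lower())
        if self._over_budget(partner_key, subject, now):
            return {"status": "throttled"}
        rec = RECORDS.get(subject)
        # Constant-time comparison of the non-public verifiers, and one uniform denial
        # whether the subject is unknown or a verifier is wrong, so the response body
        # does not confirm which names and addresses are on file.
        ok = (rec is not None
              and hmac.compare_digest(rec["ssn_last4"], ssn_last4)
              and hmac.compare_digest(rec["dob"], dob))
        if not ok:
            return {"status": "denied"}
        return {"status": "ok", "score": rec["score"]}
```

Budgets and verifier fields are placeholders for whatever a real bureau contract specifies; the structural point is that the partner key, not the end user's public identifiers, is the unit that gets rate-limited and audited.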
We received several reactions from industry experts to the news of this breach. Shreyans Mehta, co-founder and CTO of Cequence Security, commented to us about the API vulnerabilities that may pose a growing risk to financial institutions:
“This API authentication vulnerability highlights a concern with the growing use of APIs between financial institutions. Not every organization has the sophistication and security controls in place to validate and ensure they are not exposing customer’s private financial data. And, even organizations with sophisticated security programs in place can find themselves with vulnerable APIs that were published outside of the controlled processes. This is why it’s important to have broad visibility into all APIs — home-grown, 3rd party, managed, and shadow APIs — so that risk can be assessed and remediated quickly when needed.
"I’d like to hope that organizations building apps with such sensitive data would pay close attention to common OWASP API vulnerabilities. And at the same time, organizations like Experian, who are keepers of the country’s financial data should be playing an active role in validating how their APIs are used.”
David Stewart, CEO of Approov noted evidence of poor security practices:
"Allowing API access to personal data by requiring only publicly available information is clearly poor security practice, but this kind of situation points to an endemic issue. Since the evolution to an API-first Internet, poor security practice and API vulnerabilities have been a source of joy to bad actors who have been exploiting both at scale through scripting on an industrial scale. While enterprises play catch up - adopting robust authorization flows and discovering/fixing vulnerabilities in their APIs, it is vital that they implement API shielding today in order to prevent scripts from using their APIs to access sensitive data in their backend systems."
Rajiv Pimplaskar, CRO of Veridium, observed that know-your-prospect isn't quite the same thing as know-your-customer:
"Today’s hyper competitive global financial services and insurance (FSI) landscape has increased the need for Know Your Prospect (KYP) activities in order to gain market share while reducing customer acquisition costs. This is different from the commonly known KYC (Know Your Customer) requirements that are primarily driven by various regulations. An example is when you apply for auto insurance, Personally Identifiable Information (PII) like previous addresses, existing credit cards or banking relationships are often “pre-fetched” during the application process. While this can speed things up for the applicant, it can also create the potential of information misuse and data exposure.
“In an effort to combat KYP or KYC fraud, several countries around the world predominantly in Asia and LATAM have adopted a Government source verification paradigm where certain institutions or relying parties can query a national database using the prospect’s biometrics or certain biographic data. The Government database provides identity verification and reduces the risk of fraud and also the underwriting expense for the FSI entity. In the US such paradigms are still emerging with several identity providers vying to assume this role."
Saryu Nayyar, CEO of Gurucul, pointed out credit score data's utility in social engineering:
“The credit score data exposed as well as risk factors can be very successfully used to socially engineer money from people’s accounts. This data is personal and highly sensitive - just the sort of data cyber criminals use to gain credibility and sound convincing in their tactics. And all this due to an insecure API? Shame on you Experian!”
And when, wonders Tom Garrubba, CISO of Shared Assessments, will people get serious about DevSecOps?
“If this isn’t an argument for more and better DevSecOps, then nothing is. The root cause of this issue is poor testing of the application’s overall security controls. This could have been prevented if the application designers would have designed, as part of their application development process, secure code development and thorough testing at each phase of the development lifecycle. Unsecure APIs are one of the most common threat vectors used by bad actors to take advantage of poorly secured applications to get to data. Such bad coding practices not only hurt everyone financially but can seriously erode the trust of the agencies that utilize the application and damage the reputation of the development firm.
“The fact is that application security is becoming so much more important, as is careful talent acquisition - cyber criminals are now actually seeking to obtain legitimate cyber and tech-related positions in companies.”
Garret Grajek, CEO of YouAttest, takes some time to thank Brian Krebs for his reporting:
“Brian Krebs once again did a great service to the IT security industry by revealing the flaw in the Experian API. His mission to improve the security posture of the internet is valued. An important takeaway on this is just how vulnerable all data is with ubiquitous on-line scanning and penetration efforts. It is no longer an option but a must that our systems be re-evaluated to ensure that not only data but users and user privileges are validated, with a zero-trust concept in mind - to ensure that the only access that is allowed is what is intended.”
US health employee exposes test results.
The Wyoming Department of Health (WDH) announced that an employee accidentally exposed lab test results submitted to the state health agency by over 164,000 patients. The employee uploaded the compromised files, mostly pertaining to COVID-19 and flu test results, to GitHub online storage servers, a service the WDH typically uses only for code maintenance. The files have been removed and employees are being retrained on how to properly use the GitHub service. Meanwhile, WDH is notifying the affected individuals (though it does not have complete contact information for all of the patients impacted) and offering free identity theft protection.
US bank experiences third-party breach.
Infosecurity Magazine reports that First Horizon Bank, based in the US state of Tennessee, experienced a data breach that impacted the accounts of more than one hundred customers. An intruder gained unauthorized access to the accounts by using stolen login credentials and exploiting a vulnerability in third-party security software. First Horizon has notified the Securities and Exchange Commission that less than $1 million was stolen from the accounts, and the bank has fixed the security issue, changed the impacted passwords, and reimbursed the customers involved.
Uriel Malmon, senior director of emerging technologies at PerimeterX, commented on the risk of identity takeover in financial services:
“Identity takeover isn’t just a problem for some organizations, it’s a problem for every organization. Since users tend to re-use their credentials, attackers continue to trade these in the criminal underground making any breach a potential threat to everyone.
"Today, there is a convergence of strategy with attackers. There used to be separate silos for application fraud (applying for new accounts or credit cards), credit card fraud (cloning or copying cards), and online banking fraud. However, since the move to EMV chips on credit cards, there are now more combined attacks where account takeover is used for partial identity theft and the construction of synthetic identities. These are then used in new account application fraud. This means that an attack on any line of business threatens every other line of business.
"Due to the 'combined arms' nature of modern attacks, no silver bullet exists to protect identities and no single point of detection or enforcement exists. Organizations need to adopt an 'identity defense in depth' strategy of protecting the identities of their customers throughout their entire lifecycle, in order to efficiently protect themselves as well."
Demi Ben-Ari, CTO and founder of Panorays, discussed the importance of vetting third-party security:
"The latest data breach through First Horizon Corp. is an example of why it’s so crucial for organizations to thoroughly assess the security of the third parties with which they do business—including their financial institutions. In this case, a hacker gained unauthorized access to First Horizon, most likely through leaked credentials and unpatched software. This resulted in compromised personal customer information and theft. Cyber incidents such as these illustrate the importance of understanding your complete attack surface and taking steps to mitigate third-party cyber risk. This includes continuously assessing, monitoring and remediating risk, while taking into consideration the business impact of each relationship."
James McQuiggan, Security Awareness Advocate at KnowBe4, saw the incident as more evidence of the inadequacy of the username/password combination as a means of proving identity:
"With the increasing cyber attacks against third-party organizations and credential theft, organizations responsible for financial and personally identifiable information (PII) must implement a multi-factor authentication (MFA) program to secure user accounts. It is no longer acceptable to simply use a username and password to secure accounts.
"Other technologies are available, like Fast Identity Online (FIDO), which utilizes a more substantial "something you have" functionality where the USB key needs to be connected to the device for authenticating logins, which reduces some of the various MFA attacks. While it has been proven that cybercriminals can bypass specific MFA features, it is easier to use credential stuffing versus attacking the MFA feature of the website or client."
According to Timothy Chiu, Vice President of Marketing at K2 Cyber Security, this is another case in which we see the growing sophistication of the (relatively) common criminals that infest cyberspace:
"The recent First Horizon data breach is a good reminder that cyber attacks are getting more sophisticated and often target more than one vulnerability combined to pull off the breach. In this case, using both stolen credentials and a vulnerability together, points to the need for multiple levels of security in any organization. Training users on security, such as recognizing phishing and fake websites is a start, but not enough. Organizations also need network, system and application security to protect their assets. Application security adds the final layer, protecting applications that may have unknown or unpatched vulnerabilities. In support of the importance of adding application security, the new NIST Security and Privacy Framework now includes IAST and RASP technology; these tools improve application security during development and in production."
Checkmarx's Robert Haynes pointed out that the weakest link is all too often a human operator:
“Attackers are adept at finding the weakest link. This is most frequently a human, and often results in phishing or spear phishing attacks against IT staff, as their credentials are the most useful to an attacker. Attackers will also exploit vulnerable technology, often in conjunction with illicit credentials they may have obtained.
"'Third party security software' could represent a wide range of technologies from VPNs (example: the recent Pulse Secure VPN compromise) to software libraries providing services such as One Time Passcodes (example: the bug in a Django two factor authentication plugin last year that stored passwords in plain text). Whatever the mechanism of compromise used here, it's another reminder that all organizations, but especially financial services organizations, need to consider the totality of their attack surface area, from the email security of the most senior company officer down to the smallest software library used in their applications.”
Babuk publishes Washington, DC police officer dossiers.
As the CyberWire noted on Tuesday, the Babuk ransomware group released images of data stolen from the Washington, DC police department on the dark web. Now the cybercriminals, who have posted private dossiers of five current and former officers, are attempting to extort the police department, NBC News reports. The records contain highly personal information including the officers’ arrest history, housing and financial information, and polygraph results, and at least one officer has confirmed that the data is authentic. Soon after the initial compromise was discovered, acting Chief Robert J. Contee III stated in a video response, “Our partners are currently fully engaged in assessing the scope and impact. If it is discovered that personal information of our members or others was compromised, we will follow up with additional information.” The Federal Bureau of Investigation is assisting with the investigation.
DoppelPaymer attacks Illinois Attorney General’s office.
The DoppelPaymer ransomware gang has released data stolen from the Illinois Office of the Attorney General (OAG) after officials refused to meet the threat actors’ ransom demands, the Record by Recorded Future reports. The files, which contain private information related to OAG court cases and state prisoners’ personally identifiable information, were published on the gang’s dark web portal. While it’s unclear exactly why the OAG refused to pay up, the US Treasury Department added the Evil Corp cybercrime group (creators of DoppelPaymer ransomware) to its list of foreign sanctioned entities in December 2019, meaning payment by US entities to this group is against the law unless special permission is granted.