At a glance.
- Love in the time of alt-coin.
- Veterans' private data exposed.
- Spearphishing in the aerospace and travel sectors.
Fake cryptocurrency apps: a love story.
Sophos has published a report on fraudulent apps posing as cryptocurrency trading platforms in order to swindle users out of money, and Naked Security examines how the hackers behind these apps romance their targets. The scammers find victims through social media or even dating platforms, earning their trust through a long courtship. Once the target opens their heart, the cybercriminals woo them into downloading their “elite” app. In order to bypass traditional app marketplaces like Google Play or Apple’s App Store, the crooks take advantage of a complicated process typically reserved for developers looking to test new apps before launching them. To accomplish this, the scammers hook up with a proxy company who stands in as the “developer” and submits the “test app” for approval. The victims undergo a complex process to have their devices registered for this “development” phase, all the while convinced this is part of the vetting process for this exclusive app. Once the target begins making “investments,” the scam is all about flirtation, the crooks plying the victim with fake projections while the money goes directly into their pockets. Once the scammers get what they want, they ghost the victim without even a breakup note, leaving them broke and brokenhearted.
Veterans’ private data exposed in unprotected database.
Researcher Jeremiah Fowler discovered that cybercriminals likely gained access to the private data of hundreds of thousands of US veterans, Forbes reports. The data were essentially handed to them, stored in an unsecured storage database on the web. The database was owned by United Valor Solutions, a disability evaluation services provider for government agencies like the Veterans Administration. In addition to the sensitive data (including medical records) of 189,460 veterans, the database also contained unencrypted passwords for internal United Valor accounts, meaning attackers could easily use the credentials to infiltrate United Valor’s systems from the inside. To make matters worse, the storage bucket was configured in such a way that anyone could not only view the data, but also modify or even remove records. It became clear to Fowler that attackers had already found the goldmine when, buried among the records, he came upon a ransom note demanding 0.15 bitcoin (or about $8,400) in exchange for not releasing the records to the public. Fowler immediately informed United Valor of his findings, and they secured the data the very next day, but it’s likely the damage had already been done.
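The failure described above is an object store whose access policy lets anonymous callers read, write and delete records. As an added illustration (not part of the original report, and not United Valor's actual configuration, which the article does not reproduce), the following Python audits a bucket policy document for exactly that class of misconfiguration. It assumes an AWS S3-style policy JSON, since the article does not name the storage provider; the bucket name, account id and role name are constructed placeholders.

```python
import json
from fnmatch import fnmatch

# Constructed example of the weak setting: anonymous read, write and delete.
# (Assumed S3-style policy; the bucket name is a placeholder.)
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

# Constructed hardened counterpart: access only from one named service role,
# no delete right, and a blanket Deny for unencrypted (non-TLS) transport.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InternalRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-service"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-records-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-records-bucket",
                         "arn:aws:s3:::example-records-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Canonical operations we care about; action patterns in a policy may use wildcards.
READ_OPS = ("s3:getobject", "s3:listbucket")
WRITE_OPS = ("s3:putobject", "s3:deleteobject", "s3:deleteobjectversion", "s3:putobjectacl")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when the statement's Principal grants to everyone (unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(actions, ops):
    """True if any action pattern (e.g. 's3:Put*' or '*') covers one of ops."""
    return any(fnmatch(op, pattern.lower()) for pattern in actions for op in ops)


def audit_policy(policy_json):
    """Return (sid, finding) pairs for unconditioned Allow statements open to anyone."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditioned public grants (e.g. source-IP restricted) need manual review.
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))]
        sid = stmt.get("Sid", "<no-sid>")
        if _grants(actions, READ_OPS):
            findings.append((sid, "public-read"))
        if _grants(actions, WRITE_OPS):
            findings.append((sid, "public-write"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc) or "no public grants")
```

The "public-write" finding is the one that corresponds to the article's point that anyone could modify or remove records, and it is the finding to treat as an incident rather than a hygiene issue, since a writable bucket is where a ransom note can be dropped. A real deployment would also enforce block-public-access settings at the account level and check bucket ACLs, which this policy-only check does not cover.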
Several industry experts emailed comments on the incident. Saryu Nayyar, CEO of Gurucul, thinks it likely there may be more to the story:
“If the researcher found this database of 200,000 medical records, then who knows who else may have also found it and made off with the highly sensitive PII data of veterans. United Valor does not appear to be in control of the situation. They claim only two IP addresses accessed the data: United Valor’s and the researcher’s. That sounds doubtful. All in all this is a troublesome discovery, especially given the sensitivity of the data.”
Dr. Chenxi Wang, General Partner at Rain Capital, also thinks there may be more going on here:
“It is entirely possible that the United Valor systems had already been penetrated and infected by malware/ransomware. We are seeing a change in the tactics of ransomware attacks. Instead of encrypting data and asking for a ransom, more ransomware attacks have been threatening to expose data instead. This happened with the recent Japanese toolmaker ransomware attack.
“The data could show up on the darknet if the perpetrator's goal is fetching a handsome price for it, as health records are a much more attractive target than credit card data these days. Health records can sell for $150/record while credit card data is only a few dollars per record. Usually such security incidents are not isolated. Once you discover some symptoms, you probably already had multiple incidents or breaches.”
Tom Garrubba, CISO at Shared Assessments, thinks the incident looks like a case of poor application design and development:
“The only explanation for having a database publicly exposed is due to poor application design and development. It might also indicate that United Valor practices poor internal cyber hygiene as it appears that “the data has only been accessed via our internal IP and yours.” This could be an indicator as to the presence of an internal threat. There are numerous tools and logging functionality available to monitor such internal threats and it appears these are non-existent in the United Valor IT toolbox or, they exist but are poorly utilized. Such tools could have helped identify when the “ransomware” occurred and proved useful in their follow-up investigations.
“It depends on the type of malware installed by the threat actor and the techniques employed to bypass any existing controls.
“It is possible that a ransomware incident and the exposed databases are related. In many cases poorly designed and tested application controls provide easily accessible gateways for threat actors to get to their targets: networks, systems, and data.
“This data could wind up on the dark net – for sale to the highest bidder. Such sensitive personal and health information is a ripe target for “Robin Hood theft” – a form of medical ID theft – which is rampant in the healthcare industry due to its difficulty in catching the user fraud in a timely manner. Such information carries a high price tag in the dark web.
“In many cases, threat actors will not only steal the data but install backdoors for stealthy access to the network and systems and even install other types of malware which often go hidden for a long time. This incident could lead to discovery of additional security issues.
“This shows why organizations must practice good cyber hygiene and test all components that are public facing. They also must employ time-tested cyber security strategies, tools and techniques when protecting such sensitive data.”
Baber Amin, COO of Veridium, comes back to zero trust:
“An incident is discovered either by looking for it, or being notified of it. I am sure that United Valor is going through the authentication and access logs to confirm who had access and whether all access is accounted for and mapping to authorized persons. If access was obtained via a stolen credential, that will make it a bit more challenging to track. This is one reason why organizations are moving away from static credentials like passwords. You can’t steal something if it doesn’t exist.
“It is always possible that the veterans’ data contained in this exposed database could eventually show up on the darknet, since the data was available publicly. The mystery is how the data got there, and who was involved in that chain.
“This could be a “tip of the iceberg” if the data exposure was done via an attack, but if it was put out in public due to an internal security failure or error, then it may just be a one-off mistake. Our advice to organizations is to follow zero trust principles and:
- “Implement passwordless for employees
- “Use a layered security approach using biometrics, FIDO2 keys, device biometrics
- “Utilize risk signals to match an authenticated session with the risk associated with information/resource/service being accessed
- “Encrypt all sensitive information at rest and in transit
- “Eliminate all extra standing privileges”
Spearphishing in the aerospace and travel sector.
Microsoft has reported an active campaign against targets in the aerospace and travel sectors. The criminals are using spearphishing emails to distribute a range of malicious packages. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, sent us some comments:
“The targeting of particular industries is now often pointing to particular malware gangs. Many gangs have become more specialized, targeting a specific industry that they have especially good experience and success in. To increase the chances of getting a potential victim to execute malware, the attacker has to make the social engineering and phishing attack seem as close to an internal or partner communication as possible. Specializing in a particular industry helps to do this. The attacker, as they gain more and more experience in the industry, starts to not only collect partner names they can use against other trusted partners, but starts to understand the insider terminology and topics that the industry insiders use with each other. A particular industry can also be targeted because it has wanted information by a requesting customer, such as a nation-state. All-in-all, any time you see a particular industry specifically targeted by a piece of malware or a particular malware gang, it isn’t good. It means they are targeting the industry for a reason and have become comfortable with compromising targets within that industry. In this case, it’s aerospace and travel, and that is not good on a bunch of levels.”