Week of August 17, 2018


Week of August 17, 2018

FBI Probing Cyber Attack on Congressional Campaign in California*:

The U.S. Federal Bureau of Investigation is investigating a cyber-attack on the congressional campaign of a Democratic candidate in California, according to three people close to the campaign.

The hackers successfully infiltrated the election campaign computer of David Min, a Democratic candidate for the House of Representatives who was later defeated in the June primary for California’s 45th Congressional district.

The incident follows an article in Rolling Stone earlier this week that reported the FBI has also been investigating a cyber-attack against Hans Keirstead, a California Democrat.

While both Min and Keirstead later lost to other primary challengers from their own party, the two closely-watched races are considered critical, competitive battlegrounds as the Democrats seek to win back Congress from Republicans in November.

It is unclear who was behind the attack against Min’s campaign, why it was carried out, and what the hackers did with any information they obtained.

Details of the hack, described to Reuters by people with direct knowledge of the case, highlight the concerns of national security experts who fear that campaigns are woefully unprotected as the November mid-term elections approach.

In late March, Min’s staff received a troubling notice from the facility manager where the campaign rented space in Irvine, California, said the people close to the campaign.

The facility’s internet provider had identified unusual patterns of activity that could indicate a cyber-attack on campaign computers.

The four-person campaign team had no in-house expertise to deal with the attack. Instead they enlisted the help of software developers with no ties to the campaign other than that they sat nearby in the same shared workspace that Min rented.

The software developers discovered that hackers had placed software into the computers of Min’s campaign manager and finance director that recorded and transmitted keystrokes.

The hackers had also infected the computers with software that made it undiscoverable by the off-the-shelf anti-virus software used by the campaign staff.

The campaign immediately notified the Democratic Congressional Campaign Committee, and the DCCC notified the FBI and gave the campaign advice on improving its security.

*Source: Reuters, August 18, 2018


Eastern Maine Community College Data Breach Exposed 42000 Records*:

The Eastern Maine Community College suffered a malware attack targeting several computers.

As a result, around 42,000 records of former students and employees were exposed in the EMCC data breach.

The college explained that the group includes individuals who attended EMCC between 1998 and 2018 or were employed by the college between 2008 and 2018.

Supposedly, breached details include usernames, passwords, and email addresses associated with the college domain.

Although the college has identified no direct loss of data, they still suspect the breached records included personal information as well, such as the names, contact addresses, dates of birth, and Social Security numbers.

According to the EMCC press release, the breach occurred as a result of a malware attack that infected several college computers.

The college suspects it to be EMOTET malware – a robust modular banking Trojan classified among the “most costly and destructive malware” by the US-CERT.

After noticing the incident, EMCC reported it to relevant law enforcement authorities and has begun investigations.

The college is also employing measures to ensure the infection is removed from its systems.

Besides, EMCC will begin notifying the 42,000 affected “out of an abundance of caution” via separate letters.

Moreover, the college is also offering free credit monitoring and identity restoration services to the affected individuals.

*Source: Latest Hacking News, August 19, 2018


Hackers can Steal Data from the Enterprise Using Only a Fax Number*:

Fax machines are still widely used by businesses and a communications protocol vulnerability is leaving them exposed to cyberattacks.

According to research conducted in 2015, approximately 46.3 million fax machines are still in use, of which 17 million are believed to be in the United States.

While the focus of many IT vendors is patching and resolving security flaws in modern technologies, older technologies may be inadvertently ignored.

At a recent conference, researchers demonstrated the existence of security flaws in the HP Officejet Pro All-in-One fax printer range.

Fax numbers are easy to find by browsing a corporate website or requesting the information directly, and this is all that’s needed to exploit the new bugs.

The vulnerabilities discovered included a stack-based buffer overflow security flaw and "Devil's Ivy," which permits remote code execution through database handling errors.

According to the researchers, an image file can be coded with malware including ransomware, cryptominers, or surveillance tools.

Vulnerabilities in the fax machines' communication protocols can then be exploited to decode and upload the malware payloads to memory.

If malware is loaded into memory and fax machines are connected to networks, malicious code has the ability to spread and compromise additional systems, potentially leading to espionage, service disruption, or information exfiltration.

Check Point disclosed its findings to HP, which developed and deployed firmware patches in response.

This new vector poses a serious threat to organizations who may well not be aware of how accessible their entire network is, and how all their most sensitive information may be exposed, via a piece of equipment that is still sitting on the shelf collecting dust.

*Source: ZDNet, August 12, 2018


New Law May Force Small Businesses to Reveal Data Practices*:

A Rhode Island software company that sells primarily to businesses is nonetheless making sure it complies with a strict California law about consumers’ privacy.

AVTECH Software is preparing for what some say is the wave of the future: laws requiring businesses to be upfront with customers about how they use personal information.

California has already passed a law requiring businesses to disclose what they do with people’s personal information and giving consumers more control over how their data is used — even the right to have it deleted from companies’ computers.

Privacy rights have drawn more attention since news earlier this year that the data firm Cambridge Analytica improperly accessed Facebook user information. New regulations also took effect in Europe.

For AVTECH, which makes software to control building environmental issues, preparing now makes sense not only to lay the groundwork for future expansion, but to reassure customers increasingly uneasy about what happens to their personal information.

Aware that California was likely to enact a data law, AVTECH began reviewing how it handles customer information last year.

Although most of its customers are businesses, it expects it will increase its sales to consumers.

While it may yet face legal challenges, the California Consumer Privacy Act is set to take effect Jan. 1, 2020.

It covers companies that conduct business in California and that fit one of three categories: Those with revenue above $25 million; those that collect or receive the personal information of 50,000 or more California consumers, households or electronic devices; and those who get at least half their revenue from selling personal information.

Although many small businesses may be exempt, those subject to the law will have to ensure their systems and websites can comply with consumer inquiries and requests.

That may be an added cost of thousands for small companies that don’t have in-house technology staffers and need software and consulting help.

But many unknowns remain about the California law. The state attorney general’s office must write regulations to accompany several provisions.

There are inconsistencies between different sections of the law, and the Legislature would need to correct them, said Mark Brennan, an attorney who specializes in technology and consumer protection laws.

In the meantime, small business owners who want to start figuring out if they’re likely to be subject to the law and the General Data Protection Regulation can talk to attorneys and technology consultants who deal with privacy rights.

Brennan suggested that companies contact professional and industry organizations that are gathering information about the laws and how to comply.

*Source: Star Tribune, August 11, 2018


258K People at Risk in Adams County of Wisconsin Data Breach*:

Personal information, including PHI, on 258,120 people was exposed in a data breach of the Adams County, Wisconsin, computer system.

The Adams County government said in an August 10 release that the breach involved PII, PHI, and tax information from the county’s Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, Health and Human Services (HHS), Child Support, and Sheriff's Office.

Any data that resided on the network between January 1, 2013, and March 28, 2018, is at risk.

The county explained that a possible breach was first discovered on March 28 by Schenck and a comprehensive report was provided on June 29 confirming the breach.

The investigation found that an unauthorized individual obtained rights, usernames, and passwords by manipulating software programs on the county’s network that allowed them to access PII, PHI, and tax information beyond their authorized role.

Access to control and/or authorize access to the involved departments has been restricted and placed in the control of one designated individual.

A long-term solution to prevent any future breaches is currently being examined and will be instituted as soon as feasible in light of current design and costs.

The county recommended that victims take the following steps: registering a fraud alert with the three credit bureaus; ordering free annual credit reports; and monitoring bank, credit card, and other account statements, explanation of benefits statements, and credit reports.

The county did not indicate that it would be providing free credit monitoring services to breach victims.

TV station WAOW has identified Adams County Clerk Cindy Phillippi as a suspect in the data breach investigation, according to documents obtained by the station.

The Wisconsin Department of Justice obtained a search warrant and seized Phillippi’s laptop computer.

The warrant alleges that she installed a computer logging tool and captured keystrokes from the county’s computers.

In responding to the charges, Phillippi said that she never misled investigators or the county and that everything she did was legal, authorized by the county board, or common practice in place before she became county clerk.

Phillippi said she asked for access to confidential records because she suspected that a department head was accessing pornography on his computer and she was investigating that possibility.

She said that she never logged into the secure system and that other people used her computer to log into that system.

*Source: Health IT Security, August 16, 2018


Hackers Can Turn Body Cameras into Malware Spewing Machines*:

Once lauded as tools to enhance police accountability, body cameras have been facing increasing scrutiny from privacy advocates, and now one researcher has identified them as cybersecurity time bombs.

A consultant at a security firm demonstrated that many body cameras are vulnerable to hacking, making several different nightmare scenarios possible: officers themselves could be tracked while wearing the cameras, footage could be doctored or deleted entirely, and the cameras could be hijacked to spread ransomware or other malicious code throughout police networks.

He demonstrated vulnerabilities in cameras made by Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc.

Cameras from Axon, the largest manufacturer in the US, weren’t examined for vulnerabilities, but Vievu was recently acquired by Axon.

All five cameras have specific vulnerabilities in how they verify videos and software updates.

Specifically, they don’t use cryptographic mechanisms to confirm firmware updates or uploaded videos are legitimate.

He also found that the cameras don’t protect uploaded footage with digital signatures to ensure it hasn’t been manipulated.

Without this verification, attackers could therefore download, edit, then re-upload footage to cloud storage without a trace.

The cameras also run firmware without verification, meaning a hacker could expose the cameras to malicious code by disguising it as a normal software update.

Hackable body cameras are a potential liability for the entire police department that uses them.

Once hackers have compromised cameras, they could infect them with malware, giving them access to entire police networks.

Since discovering the vulnerabilities, the consultant has been in contact with all five companies.

*Source: Gizmodo, August 13, 2018


Cosmos Bank Hit by Rs 940MM Cyber Hack; Probe Finds Hong Kong as Source*:

Cybercriminals have stolen Rs 940 million from Cosmos Bank, after attacking the server at its headquarters in Pune on August 11 and 13.

According to the FIR filed by the bank’s management at the Chatushrungi police station, the hackers exploited malware vulnerability in its automated teller machine (ATM) switch system.

A senior officer of Pune cyber police said the money trail had taken them initially to an account of ALM Trading at Hang Seng Bank in Hong Kong.

Preliminary investigations revealed that the money had been withdrawn from ATMs in 28 countries.

Cosmos is one of the oldest cooperative banks in the country, established in 1906.

The investigation being conducted by the cyber cell of Pune police will get technical support from the Maharashtra Computer Emergency Response Team, which is also conducting a parallel probe.

According to sources, hackers transferred Rs 805 million from bank accounts at Cosmos Bank to a foreign bank in 14,849 separate transactions through debit cards.

Then, they conducted another attack to steal Rs 139 million through the SWIFT network.

The bank’s VISA and RuPay debit card systems, supported by the National Payments Corporation of India, were also compromised.

The personal and financial information of about 500 customers was stolen. Police officers said this number could rise. The bank has shut down its internet banking operations and website.

Experts said banks needed to be better prepared to deal with such malware campaigns.

The Reserve Bank of India (RBI) has instituted a clear cybersecurity framework for financial institutions. A quick look shows this is addressed only to scheduled commercial banks (and rural banks), non-banking financial companies, small finance banks and payments banks. There is no specific cyber-security guideline for cooperative banks.

PwC’s Vishwanath said while an information technology or security audit was required across the cooperative banking industry that was only a step in addressing the larger problem of a fundamental under-investment in cybersecurity solutions.

*Source: Business Standard, August 14, 2018


Russian Military Spy Software is on Hundreds of Thousands of Home Routers*:

The Russian military is inside hundreds of thousands of routers owned by Americans and others around the world, a top U.S. cybersecurity official said on Friday.

The presence of Russian malware on the routers, first revealed in May, could enable the Kremlin to steal individuals’ data or enlist their devices in a massive attack intended to disrupt global economic activity or target institutions.

On May 27, Justice Department officials asked Americans to reboot their routers to stop the attack.

Afterwards, the world largely forgot about it. That’s a mistake, said Rob Joyce, senior advisor to the director of the National Security Agency and the former White House cybersecurity coordinator.

On May 8, cybersecurity company Talos observed a spike in mostly Ukrainian victims of a new malware attack.

Dubbed VPNFilter, the malware used code similar to the BlackEnergy tool that Russian forces have used (in modified form) to attack Ukrainian infrastructure.

The U.S. intelligence community believes the culprits are the hackers known as APT 28 or Fancy Bear, Russian military operatives who were behind information attacks against the Democratic National Committee, State Department, and others.

The new malware, if activated, could allow the Russian military to peer into the online activities of hundreds of thousands of people.

Specifically, the May 23 report said, at least 500,000 victims in up to 54 countries.

The malware executes in three stages, according to the Talos report.

The U.S. government effort to stop the attack was effective at knocking down their command and control, but there was a persistent ‘stage one’ on all of the affected routers.

What’s needed now is for government, industry, and cybersecurity professionals to find a way to straightforwardly tell individuals how to detect the presence of the malware on their routers and then to restore the device to its trustworthy state.

*Source: Defense One, August 16, 2018


Hundreds of Stolen Passwords for Netflix, HBO, Hulu and More Discovered for Sale on ‘Dark Web’*:

Pirates are selling hundreds of stolen login details for popular over-the-top (OTT) services on “dark web” marketplaces, according to new research by content-security firm Irdeto.

For the month of April 2018, Irdeto discovered 854 listings of OTT credentials from 69 unique sellers across more than 15 dark web marketplaces.

The purloined usernames and passwords on sale were from 42 different streaming services including Netflix, HBO, DirecTV and Hulu.

According to Irdeto, the stolen account info it discovered was available for an average one-time price of $8.81, while some dark-web sellers also offered bundles of credentials for several services at higher prices.

It’s not clear how many of the stolen OTT accounts illegally available for sale represent legitimate, active accounts — or just scams from cybercriminals.

Irdeto said it did not buy or test the stolen credentials but discovered other buyers who commented that the accounts they had illegally purchased worked.

The findings of the sale of OTT login credentials is part of Irdeto’s Global Consumer Piracy Threat Report 2018.

The vendor also found that illegal live-streaming piracy is a global problem, with an average of 74 million global visits per month to the top 10 live-streaming sites in Q1 2018.

Most traffic came from the U.S. (2.93 million average monthly visits), the U.K. (1.71 million) and Germany (1,52 million).

In releasing the report’s findings Monday, Irdeto advised consumers to be vigilant of any unusual or unfamiliar activity on their account and recommend changing passwords regularly.

*Source: Variety, August 13, 2018


Get in Touch With Us!

Are you interested in receiving more information about our products? Do you have questions about sensitive data security? Would you like a demo? Complete the details below and one of our specialists will get in touch with you.

We love to help our customers solve their data security problems. Please tell us about what you are trying to accomplish, details about your environment, and any other information that will help us understand your needs better.

scroll top