Published on February 12th, 2018 | by Vatsal Desai
Breach of the Month – January 2018
Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Which did we choose for January? This month’s breach threat analysis features the thoughts of engineer Vatsal Desai:
Malaysia Organ Donor Database
A data breach affecting the personal and health information of 200K Malaysian residents was reported by the technology forum Lowyat. The organ donor database was leaked in the form of yearly MS Excel worksheets. The information contained in these dumps is dated from 1997 to 2016 and includes PII, contact details and health data.
Upon further investigation, it was found that the worksheets dated 1997 to 2008 contained dummy information, while the worksheets dated 2009 to 2016 contained valid registration data of organ donors. Information about the registrants’ relatives and additional demographic data was also leaked. Lowyat informed government agencies about the breach before publishing its report. Lowyat also claims to have disclosed only partial information due to the sensitive nature of the data it received, and that the subset was part of a much bigger breach that includes data stolen from various Malaysian organizations.
Norwegian Health Authority
HelseCERT reported an abnormality on various hospital networks associated with the Norwegian public health care system on January 15, 2017. The affected systems include the Southern and Eastern Norway Regional Health Authority, which covers several counties, including the national capital, Oslo.
It is speculated that 2.8 million patient records may have been compromised in the breach; this amounts to about half of the country’s population. The motive is unclear; uses of the stolen records could range from selling them on the dark web to harming national interests.
Italy Speed Camera Ticket Database
The police department of Correggio, Italy suffered a security breach that was reported in January 2018. The speed camera database and certain email credentials were compromised by an adversary claiming to be part of the hacktivist group ‘Anonymous’. The compromised email credentials were used to send an email titled ‘Plains Reggiana Correggio (Re) Italy – Gatso System – Hacked by Anonymous!’ to various media correspondents. The email contained a screenshot of a 40GB database being deleted via an RDP session, sample images with unreadable license plates, ASCII art of the group’s logo, the web location of the stolen database along with access credentials, and conversations between the municipal police and the municipality. The email also contained documents revealing a database rollback operation performed in December 2017. It is unclear whether the police department maintains an offsite backup for full recovery, but it is clear that some data may be recoverable using similar rollback capabilities. Italian police and defense departments have been targeted by Anonymous on several occasions: July 2011, October 2012 and November 2017.
And the winner is…
Jason’s Deli POS Breach
Point-of-Sale (POS) systems are the go-to targets for adversaries trying to compromise retailers; software or hardware scrapers are generally used for this purpose. Some entities affected by POS breaches in the last 12 months include Forever21, Sonic, Wendy’s, Hyatt Hotels, Chipotle, Hard Rock, Kmart, Madison Square Garden, Whole Foods, etc.
Jason’s Deli (JD) reported a data breach on January 11, 2018. Credit card information of approximately 2 million customers was stolen during the latter half of 2017. RAM scrapers were used at several JD outlets over a period of 6 months starting June 8, 2016. RAM scrapers are known to capture credit card numbers, expiry dates and any other information that can be found on the magnetic track. JD reports that it is unlikely that CVV information and debit card PINs were also captured. Credit card data captured by these scrapers was known to be available for sale on the dark web in December 2017; JD’s management was notified of such sales by certain payment processors at the same time.
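As an added defender-side illustration (not part of the SS8 post), this is the kind of check a POS memory scan or DLP rule uses to confirm whether Track 2 data of the sort a RAM scraper harvests is sitting in a process dump: a Track 2 layout match plus a Luhn check to weed out random digit runs. The dump, PANs and field names are constructed test values.

```python
import re

# Track 2 as encoded on the magnetic stripe: ';' PAN '=' YYMM service-code discretionary '?'
# The CVV2 printed on the card is not encoded on the stripe, so a scraper that only sees
# track data cannot capture it (consistent with JD's statement above).
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit used on card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes):
    """Return (masked PAN, expiry YYMM, byte offset) for each Luhn-valid Track 2 record.

    The PAN is masked to first-6/last-4 so an alert or report never carries full card data.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # layout matched but the check digit fails: not a real card number
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        expiry = (m.group(2) + m.group(3)).decode()
        hits.append((masked, expiry, m.start()))
    return hits


# Constructed memory snapshot: two well-known test PANs (Luhn-valid) and one with a bad
# check digit that a naive regex-only scan would wrongly report.
SAMPLE_DUMP = (
    b"\x00\x00order=4512 "
    b";4111111111111111=25121010000000000?"
    b"\x00"
    b";5500000000000004=24061010000000000?"
    b"\x00noise ;4111111111111112=25121010000000000? end"
)

if __name__ == "__main__":
    for masked, expiry, offset in find_track2(SAMPLE_DUMP):
        print(f"track2 record at offset {offset}: PAN {masked} exp {expiry}")
```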
Around the same time (December 2017), in an article published on KrebsOnSecurity, Brian Krebs discussed the correlation between Joker’s Stash (a popular dark web credit card store) and JD. Krebs described a new set of 7 million credit card numbers (codename: Dynamittte) being offered for sale on Joker’s Stash. Krebs’ sources confirmed that the information contained in a subset of Dynamittte (codename: Blasttt-US) belonged to customers who had recently purchased at a JD outlet. Additional sources confirmed that the ZIP codes found with the Blasttt-US subset matched the ZIP codes of various JD outlets. It should be noted that the 7 million credit cards in the Dynamittte set may not necessarily correspond to the 2 million credit cards stolen at JD outlets, as traders tend to mix in cards from other breaches to avoid direct correlations.
JD claims to have cleaned up all POS systems affected by the malware and is currently working with third-party forensics and cyber security firms and law enforcement agencies to further investigate the breach. JD has published a list of potentially affected outlets and a state-wise advisory for customers requesting additional information.
Vatsal is a Threat Researcher at SS8. He believes that security is a time-based control — it is only a matter of time before someone breaks into the network, the goal is to improve the control time to surpass the value of the asset under protection.