Cyber Security October Breach of the Month

Published on November 7th, 2017 | by Vishrut Sharma

Breach of the Month, October 2017

Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Which did we choose for October? This month’s breach threat analysis features the thoughts of Threat Researcher Vishrut Sharma:

Data breach in South Africa:

Data on around 30 million people in South Africa was found exposed online this month in a 27 GB file. The file is believed to have been online since April 2015 and contains personally identifiable data such as identity numbers, income information, employment history and home addresses (did anyone say Equifax?). The MySQL database backup file had been placed on a public-facing web server that was configured to allow directory browsing, so anyone who stumbled on the directory could list and download it. The information exposed is ideal for identity theft. It is speculated that the leak came from a server belonging to a properties firm, Jigsaw Holdings.
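As an added example (not code from the original post or from any party named in it), the following Python script checks for the misconfiguration behind this leak: a web server that answers a directory URL with an index page, and a database dump sitting in the indexed directory. The sample HTML is constructed to look like an Apache mod_autoindex page; the file names and paths in it are invented for the example, and the `audit_url` helper is only there to show how the same check is applied to a server you are authorised to test.

```python
"""Detect an exposed directory listing and flag dump/backup files in it."""
from html.parser import HTMLParser
import posixpath
import re
import urllib.parse
import urllib.request
from typing import Dict, List

# Extensions that have no business under a web root, indexed or not.
SENSITIVE_EXT = (".sql", ".sql.gz", ".dump", ".bak", ".tar.gz", ".tgz", ".zip", ".7z", ".env")

# Apache's mod_autoindex and nginx's autoindex both title the page "Index of /<path>".
LISTING_TITLE = re.compile(r"^\s*Index of\s+/", re.IGNORECASE)


class _ListingParser(HTMLParser):
    """Collect the <title> text and every href; that is all the check needs."""

    def __init__(self) -> None:
        super().__init__()
        self._in_title = False
        self.title = ""
        self.hrefs: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag: str) -> None:
        if tag == "title":
            self._in_title = False

    def handle_data(self, data: str) -> None:
        if self._in_title:
            self.title += data


def audit_listing(html: str, base_path: str) -> Dict[str, object]:
    """Return {"listing": bool, "exposed": [paths]} for one fetched page."""
    parser = _ListingParser()
    parser.feed(html)
    listing = bool(LISTING_TITLE.match(parser.title))
    exposed: List[str] = []
    if listing:
        for href in parser.hrefs:
            # Skip mod_autoindex sort links ("?C=N;O=D"), the parent link and subdirectories.
            if href.startswith(("?", "/")) or href.endswith("/"):
                continue
            if href.lower().endswith(SENSITIVE_EXT):
                exposed.append(posixpath.join(base_path, href))
    return {"listing": listing, "exposed": exposed}


def audit_url(url: str, timeout: float = 10.0) -> Dict[str, object]:
    """Fetch a directory URL on a server you are authorised to test and audit it.
    Not called below, so the example runs offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return audit_listing(body, urllib.parse.urlsplit(url).path or "/")


# Constructed sample pages (not real server output).
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td></tr>
<tr><td><a href="db_backup.sql">db_backup.sql</a></td><td align="right">2015-04-07 10:21  </td><td align="right"> 27G</td></tr>
<tr><td><a href="notes.txt">notes.txt</a></td><td align="right">2015-04-07 10:21  </td><td align="right">1.2K</td></tr>
<tr><td><a href="old/">old/</a></td><td align="right">2015-03-01 09:00  </td><td align="right">  - </td></tr>
</table></body></html>"""

SAMPLE_FORBIDDEN = """<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1><p>You don't have permission to access /backups/ on this server.</p></body></html>"""


if __name__ == "__main__":
    for label, page in (("indexed", SAMPLE_LISTING), ("hardened", SAMPLE_FORBIDDEN)):
        print(label, audit_listing(page, "/backups"))
```

On Apache the listing is turned off with `Options -Indexes` in the virtual host or `.htaccess`; on nginx `autoindex off;` is the default and should stay that way. Note that disabling the index only hides the file name: a dump that stays under the document root can still be downloaded by anyone who guesses or is told the path, so backups belong outside the web root entirely.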

3 Billion accounts compromised from Yahoo breach of 2013:

Yahoo announced this month that a new investigation into its massive 2013 data breach showed that all 3 billion user accounts were affected (2 billion more than previously reported). The compromised data includes names, telephone numbers, email addresses, dates of birth, MD5-hashed passwords and security questions with their answers. The company believes that bank account and credit card details were not taken, as these were not stored on the system that was breached. Because users often reuse passwords across accounts and services, and because MD5 is a fast hash that offers little resistance to offline cracking, an increase in account takeovers and email fraud is to be expected.

North Korean hackers steal US war plan:

North Korean hackers have been held responsible for many cyber attacks on the United States over the years. October saw another such attack come to light, in which a large cache of classified military documents shared by the US and South Korea was stolen. The attack succeeded because of an unintended connection between the South Korean military intranet and the internet. It began with North Korea-based hackers compromising an antivirus firm, Hauri Inc., which makes antivirus software installed on computers used by South Korea's military. By embedding malware in that antivirus software, the hackers were able to reach South Korea's military servers. The attack was disclosed by South Korean lawmaker Rhee Cheol-hee, who said that 235 GB of military documents were stolen and that about 80% of them have yet to be identified.

APNIC exposed Whois Database Password Hashes:

The Asia Pacific Network Information Centre (APNIC) is one of the regional Internet registries that allocate and administer IP addresses and AS numbers; it has 62 economies of the Asia-Pacific region under its ambit. On October 12th APNIC was alerted that Whois database data containing hashed passwords had been leaked. APNIC's Whois database holds the registration and contact details for the Internet number resources (IP address blocks and AS numbers) it administers.

While the passwords were hashed, an attacker with the right tools and a good wordlist could recover plaintext passwords from the hashes by offline guessing: a hash only slows an attacker down, and a weak password falls to a dictionary attack whatever the scheme.
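The same point applies to the MD5-hashed Yahoo passwords above and to the leaked APNIC auth hashes. As an added example (not code from the original post, from Yahoo or from APNIC), the following Python script runs one dictionary attack against three ways of storing a password: unsalted MD5 (as reported for the Yahoo data), salted MD5 (a stand-in for a per-record salted fast hash, such as a Whois `MD5-PW` value) and scrypt. The accounts, maintainer names, salts and wordlist are constructed for the example, and `hashlib.scrypt` stands in for whatever slow KDF a real system would use.

```python
"""Dictionary attack against unsalted MD5, salted MD5 and scrypt."""
import hashlib
import os
import time
from typing import Callable, Dict, List, Tuple

# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "sunshine", "iloveyou", "welcome1"]


def md5_hex(password: str, salt: bytes = b"") -> str:
    """Fast hash: about a microsecond per guess in Python, far less on a GPU."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def scrypt_hex(password: str, salt: bytes) -> str:
    """Memory-hard KDF: each guess costs 16 MiB of RAM and tens of milliseconds."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32).hex()


def crack_unsalted(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Unsalted: hash the wordlist once and look every account up in the same table,
    so the cost does not grow with the number of leaked accounts (3 billion included)."""
    table = {md5_hex(word): word for word in wordlist}
    return {acct: table[h] for acct, h in hashes.items() if h in table}


def crack_salted(records: Dict[str, Tuple[bytes, str]], wordlist: List[str],
                 hash_fn: Callable[[str, bytes], str] = md5_hex) -> Dict[str, str]:
    """Salted: the salt defeats the shared table, so each record costs one pass over
    the wordlist. With a fast hash that is still cheap; with scrypt it is slow,
    but a weak password is recovered either way."""
    cracked: Dict[str, str] = {}
    for acct, (salt, digest) in records.items():
        for word in wordlist:
            if hash_fn(word, salt) == digest:
                cracked[acct] = word
                break
    return cracked


def slowdown_factor(md5_guesses: int = 20000, scrypt_guesses: int = 5) -> float:
    """How many times more expensive one scrypt guess is than one MD5 guess on this machine."""
    def rate(fn: Callable[[str, bytes], str], n: int) -> float:
        salt = os.urandom(16)
        start = time.perf_counter()
        for i in range(n):
            fn(f"guess{i}", salt)
        return n / (time.perf_counter() - start)
    return rate(md5_hex, md5_guesses) / rate(scrypt_hex, scrypt_guesses)


# Constructed "leaked" records. Fixed salts keep the example reproducible;
# a real system draws them from os.urandom.
YAHOO_STYLE: Dict[str, str] = {                 # unsalted MD5, as reported for the 2013 data
    "alice@example.com": md5_hex("password"),
    "bob@example.com": md5_hex("123456"),
    "carol@example.com": md5_hex("Tr0ub4dor&3-not-in-any-list"),
}
SALTS = {"MNT-EXAMPLE-1": b"\x00" * 8, "MNT-EXAMPLE-2": b"\x01" * 8, "MNT-EXAMPLE-3": b"\x02" * 8}
PASSWORDS = {"MNT-EXAMPLE-1": "letmein", "MNT-EXAMPLE-2": "qwerty", "MNT-EXAMPLE-3": "c0rrect-h0rse-battery"}
APNIC_STYLE: Dict[str, Tuple[bytes, str]] = {    # per-maintainer salt, fast hash
    acct: (SALTS[acct], md5_hex(pw, SALTS[acct])) for acct, pw in PASSWORDS.items()
}
SCRYPT_STYLE: Dict[str, Tuple[bytes, str]] = {   # same passwords and salts, slow KDF
    acct: (SALTS[acct], scrypt_hex(pw, SALTS[acct])) for acct, pw in PASSWORDS.items()
}

if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(YAHOO_STYLE, WORDLIST))
    print("salted MD5:  ", crack_salted(APNIC_STYLE, WORDLIST))
    print("scrypt:      ", crack_salted(SCRYPT_STYLE, WORDLIST, scrypt_hex))
    print(f"one scrypt guess costs about {slowdown_factor():,.0f}x one MD5 guess")
```

The scrypt run still recovers the two weak passwords; it just takes tens of milliseconds per guess instead of a microsecond. That is what a slow KDF buys: time to notice a leak and force a reset (which is what APNIC did), not immunity for passwords that appear in a wordlist. A salted fast hash sits in between, defeating precomputed tables but nothing else.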

The data exposed included authentication details of Maintainer and Incident Response Team (IRT) objects in the Whois database.

These objects are crucial to the Whois database because they record which people and organizations are permitted to modify registered objects and who is responsible for responding to abuse and security incidents affecting them.

Both object types carry an “auth” attribute that names a hashing scheme and stores the access password hashed under that scheme. These auth hashes were available for download and were spotted on a third-party website that republishes Whois data. The direct consequence of such a leak is hijacking: an attacker who recovers a maintainer password can alter any object that maintainer protects, for example changing the contacts on an address block or the routing objects registered for it, and reversing such changes can be slow and difficult. APNIC has since reset all maintainer and IRT passwords.

Thankfully, APNIC says it has found no evidence that the data was abused, and the exposure was closed within two days of its discovery.

Our pick for October: North Korean hackers steal US war plan

This breach wins because of the sheer scale of the potential damage and the way it was carried out. Instead of attacking South Korea’s military intranet directly, the North Koreans went after the firm that made its antivirus software, turning a trusted, widely installed product into the delivery vehicle. The stolen data includes contingency plans for South Korean forces and information on military facilities and power plants. It is also speculated that the data contained plans for a US and South Korean attack on North Korea’s leader Kim Jong-un.

In a nation where most citizens have no internet access, North Korean hackers have nonetheless shown great prowess, repeatedly infiltrating networks and wreaking havoc around the globe with ransomware attacks.

Vishrut is a Threat Researcher at SS8. He believes that in the rapidly changing security landscape of today, signature-based malware detection will have to be augmented with AI and machine learning to defend computers from next-generation cyber adversaries.
