Published on April 11th, 2018 | by Akshay Nayak
Breach of Two Months – February & March 2018
Even though February is only two or three days shorter than the other months, it still feels much smaller than that (maybe because the starting digit is a 2?). So this year we decided to combine February and March and crown one breach as the winner for both.
Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. This breach threat analysis features the thoughts of engineer Akshay Nayak:
Charlotte Housing Authority
Charlotte Housing Authority suffered a data breach that exposed its employees' W-2 information. The cause was business email compromise (BEC): the attacker posed as the CEO and asked employees to send W-2 data, including names, addresses, Social Security numbers and salary information.
Octoly Data breach
Octoly, a Paris-based influencer marketing startup, exposed the personal details of almost 12,000 social media influencers. The data included the real identities of these social media stars as well as their phone numbers and addresses. The exposure was discovered by UpGuard's Chris Vickery; the cause was a misconfigured AWS storage server that anyone on the internet could access.
Winter Olympics Hack
New evidence has surfaced concerning the Winter Olympics hack of Feb. 9th. It indicates that Atos, the IT infrastructure provider for the PyeongChang Games, had been compromised months earlier, around December 2017. The attackers used this initial intrusion to conduct reconnaissance and possibly harvest credentials belonging to Olympic staff. Armed with that information, it is believed the attackers then used wiper malware to destroy Olympic data stored on Atos's cloud servers.
Tesla victim of cryptomining malware
One of Tesla's cloud environments was found running crypto-mining malware.
The attacker got in through a Kubernetes administration console that was reachable from the internet without a password. A pod in that cluster contained credentials for Tesla's AWS account, including an S3 bucket holding telemetry data. So in addition to the sensitive data in the S3 bucket being exposed, unauthorized crypto-mining was being performed using the cluster's compute resources.
German Foreign & Defense Ministries
Multiple German federal agencies, including the Foreign and Defense ministries, were breached by Russian hackers. The hack is believed to be the work of the APT28 cyberespionage group. German security agencies think the infiltration took place some time ago and that the attackers may have been on the network for almost a year.
Applebee’s POS breach
Around 167 Applebee's restaurants across 15 states were affected by point-of-sale (POS) malware. All of these outlets belong to RMH Franchise Holdings, which claims to be the second largest Applebee's franchisee. The malware infection was identified on Feb 13th, and the compromised information includes names and payment card data such as card numbers, expiration dates and card verification codes.
Walmart jewelry partner breach
On Feb 6th, researchers at Kromtech Security found another publicly accessible Amazon S3 bucket, this one containing an MSSQL database backup with names, addresses, zip codes, phone numbers, email addresses, IP addresses and plaintext passwords for over 1.3 million people across the US and Canada. Because the backup was named “walmartsql”, it was initially thought to belong to Walmart, but further investigation revealed it was owned by MBM Company Inc., which operates as Limogés Jewelry and supplies jewelry to major retailers including Walmart, Target and Amazon.
Orbitz data breach
Orbitz, a subsidiary of the travel website Expedia, suffered a data breach involving payment information for around 800,000 cards. There were two separate disclosures, one of which involved customers who made travel bookings through American Express websites. Expedia said the compromised data could include names, genders, payment card information, phone numbers, birth dates and email and physical addresses.
Atlanta Ransomware attack
On March 22nd, the city of Atlanta fell victim to a ransomware attack that crippled multiple services. Wi-Fi was shut down at the international airport, residents were unable to pay their utility bills online, and multiple departments, including the city police, lost access to their online record systems and had to fall back on pen and paper.
And the Breach of Two Months is…
The Atlanta Ransomware Attack
The recent ransomware attack on Atlanta's IT infrastructure can only be described as egregious. The ransomware infection was first discovered on the morning of March 22nd by Atlanta Information Management (AIM) officials. AIM is responsible for managing the internal and customer-facing payment applications used to view and pay bills online. This meant that Atlanta residents could not pay their water bills or any other utility bills normally paid through the affected system.
Shortly after the initial infection, the ransomware spread to other city departments. What followed was complete pandemonium. Travelers at Atlanta's airport were unable to access Wi-Fi, the court systems went down so that no case information could be accessed and no fines paid, and the police department's systems were down, forcing officers to write reports with pen and paper. The attackers demanded a payment of around $51,000 in bitcoin. As Atlanta tries to bounce back from the attack and services are slowly restored, it is not known whether the ransom was paid.
The infection was caused by a strain of the SamSam ransomware. The group behind SamSam has earned nearly $850,000 by targeting systems in the government, healthcare, education and ICS (industrial control system) sectors.
SamSam is unlike most ransomware, which relies on social engineering such as phishing to get end users to click malicious links or open infected attachments. Instead it is deployed by hand: the operators break into a network through exposed services, such as open ports for common remote-access protocols and vulnerable public-facing applications. Earlier SamSam campaigns exploited vulnerabilities in Java-based applications such as JBoss. More recent infections have relied on a combination of open RDP or VNC ports and weak credentials that can be guessed or brute-forced. Once inside, the attackers use PowerShell scripts along with tools such as PsExec, WMIExec and Mimikatz to dump credentials and move laterally, infecting other systems on the network before the encryption is triggered.
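The lateral-movement pattern described above is visible in the Windows event logs of the hosts being pivoted to: a network logon (event 4624, logon type 3) followed within seconds by either a new service being installed (event 7045, the way PsExec works) or a process spawned by the WMI provider host (event 4688 with WmiPrvSE.exe as the parent, the way WMIExec works). The script below is an added example, not code from the original post or from SS8; it runs that correlation over a handful of constructed event records and then shows which source address is fanning out across hosts. Host names, user names and addresses are made up for the example.

```python
"""Flag PsExec- and WMI-style lateral movement in Windows event logs.

Added example (not from the original post). Correlates a network logon
(4624/type 3) with a suspicious follow-up on the same host inside a
short window:
  * event 7045 installing a PsExec-like service, or
  * event 4688 where the parent is WmiPrvSE.exe (remote WMI execution).
All event records below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields loosely mirror the
# Windows Security and System logs; "ts" is the event time.
EVENTS = [
    {"ts": "2018-03-22T02:10:05", "host": "FILESRV01", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"ts": "2018-03-22T02:10:09", "host": "FILESRV01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2018-03-22T02:11:40", "host": "APP02", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"ts": "2018-03-22T02:11:42", "host": "APP02", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: an interactive logon (type 2) followed by a vendor updater service.
    {"ts": "2018-03-22T08:00:00", "host": "WKS07", "id": 4624, "logon_type": 2,
     "user": "alice", "src_ip": "-"},
    {"ts": "2018-03-22T08:30:00", "host": "WKS07", "id": 7045,
     "service": "gupdate", "image": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
]

# Service names used by PsExec and its clones (PAExec, CSExec).
SUSPICIOUS_SERVICE_NAMES = ("PSEXESVC", "PAEXEC", "CSEXECSVC")
WINDOW = timedelta(minutes=5)


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_lateral_movement(events, window=WINDOW):
    """Return alerts as (host, user, src_ip, technique, detail) tuples."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_t):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, logon in enumerate(evs):
            # Both PsExec and WMIExec authenticate over the network first,
            # so a type-3 logon is the precondition for everything below.
            if logon["id"] != 4624 or logon.get("logon_type") != 3:
                continue
            for follow in evs[i + 1:]:
                if _t(follow) - _t(logon) > window:
                    break
                if follow["id"] == 7045 and follow["service"].upper() in SUSPICIOUS_SERVICE_NAMES:
                    alerts.append((host, logon["user"], logon["src_ip"],
                                   "psexec-service", follow["service"]))
                elif follow["id"] == 4688 and follow.get("parent", "").lower().endswith("wmiprvse.exe"):
                    alerts.append((host, logon["user"], logon["src_ip"],
                                   "wmi-remote-exec", follow["image"]))
    return alerts


def pivot_sources(alerts):
    """Group alerted hosts by source IP. One source touching many hosts in
    a short time is the signature of an operator fanning out by hand."""
    fan_out = defaultdict(set)
    for host, _user, src_ip, _technique, _detail in alerts:
        fan_out[src_ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in fan_out.items()}


if __name__ == "__main__":
    found = detect_lateral_movement(EVENTS)
    for alert in found:
        print("ALERT host=%s user=%s from=%s technique=%s detail=%s" % alert)
    print("fan-out by source:", pivot_sources(found))
```

On the constructed input this raises two alerts, both from 10.0.5.23 using the same service account, and no alert for the workstation whose interactive logon was followed by an ordinary updater service. In production the same logic would be fed from a SIEM or from Sysmon, and the window and service-name list tuned to the environment.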
Although the Atlanta attack is the most prominent ransomware incident of its kind, it is definitely not the first. Around the end of March, the Baltimore Police CAD (computer-aided dispatch) system was taken offline by a ransomware infection. The root cause there was that a firewall technician, troubleshooting an unrelated issue, accidentally opened a few ports on the firewall. Since attackers constantly scan the internet for open ports and vulnerable applications, a ransomware infection followed.
Earlier, in January, the city of Atlanta had failed a security audit by the city auditor's office. In other words, it was not even practicing basic security hygiene, let alone prepared to deal with a blight such as a ransomware infection.
There is nothing groundbreaking in the way SamSam spreads to other hosts. An organization practicing good security hygiene is far less likely to be affected by an attack of this nature. There are dozens of guides available online to help security practitioners prevent, contain or recover from a ransomware attack, and they boil down to the following best practices:
- Patch Management – Identify and patch all vulnerable applications. If patching everything is impractical (in most cases it is), give highest priority to public-facing and mission-critical services.
- Firewall Management – Remote-access and file-sharing ports such as RDP (3389), VNC (5900) or SMB (445) must not be left open on the public-facing interface of a firewall. Where remote administration is genuinely needed, put it behind a VPN and restrict it to known source addresses.
- Backups – Have a good backup policy. Schedule regular backups and, if possible, keep copies in multiple locations that are segmented from each other and from the production network, so that a ransomware infection cannot reach them. Test these backups periodically for integrity and restorability, so that they are known to be clean and restoring from them causes minimal disruption if data has to be recovered after a ransomware attack.
- Awareness Training – This is imperative in order to reduce the risk from the human side of any security system. SamSam itself does not rely on phishing, but most other ransomware families do, and a person who has received awareness training is far less likely to fall for it than someone who hasn't.
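The firewall point is the one that would have stopped the SamSam entry vector, and the Baltimore CAD incident shows how easily it is undone by an accidental rule change. The script below is an added example, not code from the original post or from SS8: it parses iptables-save output and flags any ACCEPT rule on the assumed public interface (eth0) that admits RDP, SMB or VNC, distinguishing rules open to the whole internet from ones limited to a source range. A weak ruleset is shown beside a hardened one that only allows RDP over a VPN interface (tun0) and SMB on the internal interface (eth1); all interface names, addresses and rules are constructed for the example.

```python
"""Audit an iptables ruleset for remote-access ports exposed to the internet.

Added example (not from the original post). Parses iptables-save text and
reports ACCEPT rules on the public interface for the ports SamSam
operators have used to get in (RDP, VNC) plus SMB, which is the other
classic ransomware entry point. Rulesets below are constructed.
"""
import re

RISKY_PORTS = {3389: "RDP", 445: "SMB", 139: "SMB/NetBIOS", 5900: "VNC"}
PUBLIC_IFACE = "eth0"  # assumed WAN-facing interface for the example

# Weak: RDP and SMB open to the world on eth0, VNC open to one /24.
WEAK_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -i eth0 -s 203.0.113.0/24 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

# Hardened: only HTTPS on eth0; RDP reachable solely from the VPN subnet
# on tun0; SMB only on the internal interface.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i tun0 -s 10.8.0.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth1 -p tcp -m multiport --dports 139,445 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<rest>.*)$")


def parse_rules(text):
    """Turn '-A CHAIN ...' lines into dicts; chain policies and COMMIT are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group("rest").split()
        rule = {"chain": m.group("chain"), "iface": None, "src": None,
                "proto": None, "ports": [], "target": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-i":
                rule["iface"] = toks[i + 1]; i += 2
            elif t == "-s":
                rule["src"] = toks[i + 1]; i += 2
            elif t == "-p":
                rule["proto"] = toks[i + 1]; i += 2
            elif t in ("--dport", "--dports"):
                rule["ports"] = [int(p) for p in toks[i + 1].split(",")]; i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            else:
                i += 1  # "-m tcp", "-m multiport" etc. carry no policy here
        rules.append(rule)
    return rules


def find_exposed(text, public_iface=PUBLIC_IFACE):
    """Return (port, service, source) for each ACCEPT of a risky port on the
    public interface. source is None when the rule matches any source."""
    findings = []
    for r in parse_rules(text):
        if r["chain"] not in ("INPUT", "FORWARD") or r["target"] != "ACCEPT":
            continue
        # A rule with no -i applies to every interface, the public one included.
        if r["iface"] not in (None, public_iface):
            continue
        for port in r["ports"]:
            if port in RISKY_PORTS:
                findings.append((port, RISKY_PORTS[port], r["src"]))
    return findings


def world_open(findings):
    """Subset of findings that admit the entire internet."""
    return [f for f in findings if f[2] in (None, "0.0.0.0/0", "0/0")]


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = find_exposed(ruleset)
        print("%s: %d risky accepts, %d open to the world" % (name, len(found), len(world_open(found))))
        for port, svc, src in found:
            print("  %s/%d from %s" % (svc, port, src or "ANY"))
```

Run it against the live ruleset with `iptables-save | python3 audit.py` once the script reads stdin instead of the embedded text; the same check belongs in a change-control pipeline so that a rule edit like the one in Baltimore is caught before it is committed. Rules restricted to a source range (the VNC line here) are reported but not counted as world-open; they still deserve review, since a /24 of someone else's address space is not a trust boundary.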
Hopefully, a high-profile attack like this will be a huge wake-up call for any organization that thinks that security always takes second place.
Akshay Nayak is a Threat Researcher at SS8 Networks. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.