The IT Nerd

Australian telco Optus has disclosed that they suffered a cyber attack which resulted in the personal info of customers including names, DOBs, addresses and contact details being stolen. The attack occurred after hackers broke through the company’s firewall, accessing sensitive information of Optus’ 9.7 million subscribers. The company has confirmed the breach and exposed information but has stated that payment details and account passwords have not been compromised, and that services including mobile phones and home internet were not affected. The thing is, what was stolen is enough to start identity theft campaigns. Which makes this a non trivial event.

Mark Bower, VP of Product Management, Anjuna Security had this to say:

     “Too often we see large scale breaches where payment details and passwords were the only things protected, largely due to regulations like PCI DSS, yet massive amounts of personal data are not. That’s no longer good enough for maintaining customer trust. The types of data breached in this attack put millions of Australians at risk from phishing, social attack and phone scams which can have huge personal anxiety and financial consequences. Modern enterprises can certainly avoid this with a more holistic approach to data security given the availability of tools that can dramatically reduce impact of insiders or advanced attackers even in a total breach situation which is an inevitable and expected scenario for today’s CISO.”

Australia has been very good at investigating stuff like this. Thus I have to assume that the authorities are all over this. Which means we’ll find out how bad this is soon enough.

American Airlines has had to admit that they were pwned by hackers and customer data is in the wild. AP has the story:

American Airlines says personal information of a “very small number” of customers and employees was compromised after hackers breached some employee email accounts.

The airline said Tuesday that it has no indication that the attackers have misused any of the personal information.

American said the breach was discovered in July. The airline declined to say how precisely how many people had their personal information exposed or the nature of that information.

“American Airlines is aware of a phishing campaign that led to the unauthorized access to a limited number of team member mailboxes,” American spokesman Curtis Blessing said. “A very small number of customers and employees’ personal information was contained in those email accounts.

The way this statement was written by American Airlines leaves me with more questions than answers. Perhaps they don’t know the full extent of the breach. Or they do and simply don’t want to say. Either is plausible. John Gunn, CEO of Token takes this view:

 “The reputational damage from this breach will likely far exceed the out-of-pocket losses, especially in an industry where proper precautions and safety are paramount in customers’ selection of which airline they fly with.”

This is 100% true. And it likely doesn’t help that American Airlines is clearly being guarded about what it says. I would keep an eye on this story as I am sure that the airline will have to say more on this hack.

A reader of this blog brought the story of a company called FishPig. I’m not sure that’s the best name for a company, but whoever. Anyway, they were apparently pwned by hackers and here’s the fallout from that:

FishPig, a UK-based maker of e-commerce software used by as many as 200,000 websites, is urging customers to reinstall or update all existing program extensions after discovering a security breach of its distribution server that allowed criminals to surreptitiously backdoor customer systems.

The unknown threat actors used their control of FishPig’s systems to carry out a supply chain attack that infected customer systems with Rekoobe, a sophisticated backdoor discovered in June. Rekoobe masquerades as a benign SMTP server and can be activated by covert commands related to handling the startTLS command from an attacker over the Internet. Once activated, Rekoobe provides a reverse shell that allows the threat actor to remotely issue commands to the infected server.

“We are still investigating how the attacker accessed our systems and are not currently sure whether it was via a server exploit or an application exploit,” Ben Tideswell, the lead developer at FishPig, wrote in an email. “As for the attack itself, we are quite used to seeing automated exploits of applications and perhaps that is how the attackers initially gained access to our system. Once inside though, they must have taken a manual approach to select where and how to place their exploit.”

FishPig is a seller of Magento-WordPress integrations. Magento is an open source e-commerce platform used for developing online marketplaces.

Well that concerns me right out of the gate as this blog runs on WordPress. I only run a handful of plug-ins and none of them are from this company as far as I recall. But I’ll be checking the few plug-ins that I use on this site to ensure that I personally haven’t been pwned. If you run a WordPress site or use Magento, you might want to do the same thing. Like now. The article that I linked to can help you with that if you’re unsure as to what you should be looking for and doing.

This is your classic supply chain attack. And it illustrates why you need to be on top of everything that you use in your software stack. As well as being on top of what your vendors use in their software stack. Because anything that you use, or they use, no matter how minor, can lead to you getting pwned by hackers.

This is still a developing story. But Brian Krebs who is a go to guy when it comes to hackers, scammers, and computer security news is reporting this:

The news that the company disclosed to the London Stock Exchange doesn’t say anything useful. Thus it isn’t really clear what’s going on. From reading it, the hack seems like ransomware. But until the company decides to give an update, we can only guess.

Watch this space for more details.

The Los Angeles Unified School District has disclosed a ransomware attack which hit its IT systems over the weekend. The school district, which more than 640,000 students K-12 enrolled, and it includes LA and LA county posted this on Twitter.:

Dr. Darren Williams, CEO and Founder of BlackFog had this to say:

     “With the education vertical typically being under funded, under resourced and in many cases reliant on antiquated cybersecurity tools to prevent cyberattacks, it’s unlikely we’ll see this change in the near future. Cybercriminals will continue to target organizations with weak cybersecurity defenses and a plethora of sensitive data they can exfiltrate and leverage for extortion. Often, we see smaller school districts being targeted, unfortunately for LAUSD, 640,000 students will undoubtedly feel the pain from this incident.”

Clearly this was timed to coincide with the return to school so that it had the maximum effect. We can expect to see more of this behaviour as clearly there’s a perceived value to ransomware gangs to executing their attacks in this manner.

Digital Ocean says some customer email addresses were exposed due to a recent ‘Security incident’ at email marketing company Mailchimp.

• On August 8th, DigitalOcean discovered that our Mailchimp account had been compromised as part of what we suspect to be a wider Mailchimp security incident that affected their customers, targeted at crypto and blockchain. 
• From that Mailchimp incident, we suspect certain DigitalOcean customer email addresses may have been exposed. Out of an abundance of caution, we are currently sending email communications to those impacted. 
• A very small number of DigitalOcean customers experienced attempted compromise of their accounts through password resets. These customers’ accounts have been secured, and have been contacted directly. 
• As of August 9th, we have migrated email services away from Mailchimp. 
• No customer information other than email address was compromised, however, we recommend increased vigilance against phishing attempts in the coming weeks, in addition to enabling two-factor authentication on your DigitalOcean account. 

Charming. This is similar the Toronto Symphony Orchestra ransomware hack from a couple of weeks ago. Which is that this was a supply chain attack.

Mark Bower, VP of Product, Anjuna Security:

“There are three things attackers go for – credentials, code and keys, irrespective of platform or architecture. From there, it’s access to sensitive data, sometimes en-masse and catastrophic. The first is the human problem and the easy button for attackers with trusted email being a great place to start to obtain escalated privilege and control, as in this case. But businesses have to look out for insider risk and also get past the unsustainable patch sprints that leave system’s open to compromise like Log4J did to the industry. Escalated privilege – from insiders, attacks, or vulns leaves a massive gap in defenses: operating memory data theft has been missing from risk conversations because it’s not been easy to protect until the arrival of new techniques like confidential computing. With more and more data staying persistent in memory for speed, cloud latency reduction and scaling, it’s becoming a considerable risk – mitigations must therefore include it today and on CISO’s near term roadmap.”

If you take this hack combined with the indirect attack on the TSO, companies should get the message that they have to assess their attack surface including the third party services that they use and see what their risks are. That way they take steps to make sure that they don’t pwned directly or indirectly.

Clop ransomware has claimed to have breached Thames Water supplier by accessing their SCADA systems, which would give them the ability to cause harm to 15 million customers. However, as Clop published evidence of stolen files, the spreadsheet presented featured South Staff Water and South Staffordshire email addresses. South Staffordshire Water, a company which supplies 330 million liters of drinking water, issued a statement confirming an IT disruption from a cyberattack.

Oops.

Dr. Darren Williams, CEO and Founder of BlackFog has this to say:

     “With the rise of ransomware as a main attack method, criminals are running rampant to find any vulnerable systems they can take over. Whilst Clop did successfully breach South Staffordshire Water’s systems, they totally missed the mark here, claiming responsibility for a breach that didn’t happen (Thames Water being in South England, and Staffordshire being up North…)

Nevertheless, whilst misidentification of their target is somewhat embarrassing, the very fact that a water board is their latest victim is quite harrowing: severe drought conditions currently preside over the UK, with millions of households facing strict water usage restrictions. Clearly, attackers want to hit us where it hurts the most…

All organizations must remember how crucial it is to secure your environment and prevent data exfiltration at the endpoint if we are to prevent cataclysmic scarcities in our critical infrastructure supply chain.

On a lighter note, we must remember that such attack vectors are not any more dangerous than the usual, just uniquely targeted.”

Even accidentally pwning someone is still pwning someone. And it still has far reaching effects that the victim will still have to deal with.

Bleeping Computer is reporting that BlackCat ransomware has claimed responsibility for an attack on European gas pipeline. Creos Luxembourg S.A., a natural gas pipeline and electricity network operator in the central European country, last week announced that they had suffered a cyber attack. While the cyberattack had resulted in the customer portals of Encevo and Creos becoming unavailable, there was no interruption in the provided services.

On July 28, the company posted an update on the cyberattack, with the initial results of their investigation indicating that the network intruders had exfiltrated “a certain amount of data” from the accessed systems.

At that time, Encevo wasn’t in a position to estimate the scope of the impact and kindly asked customers to be patient until the investigations were concluded, at which time everyone would receive a personalized notice.

Since no further updates have been posted on Encevo’s media portal, this procedure is likely still underway. Encevo says that when more information becomes available, it will be posted on a dedicated webpage for the cyberattack.

For now, all customers are recommended to reset their online account credentials, which they used for interacting with Encevo and Creos services. Furthermore, if those passwords are the same at other sites, customers should change their passwords on those sites as well.

Saryu Nayyar, CEO and Founder of Gurucul had this to say:

     “With Encevo unable to “estimate the scope” of the attack, it highlights a common problem with today’s security operations. Too often are security teams overwhelmed with disparate and unrelated alerts or have to piece together the alerts manually, which leads to false positives and wasted efforts. Security teams lack the high accuracy needed to not only establish a threat but also understand the entire attack campaign versus just individual threats. The ability to collect a full set of telemetry across different sources, link together the various indicators of compromise (IoCs) and “build the puzzle” automatically is critical to providing the full context needed by security teams to get ideally prevent the attack, but also in this case be able respond appropriately and quickly.”

I for one will be interested to see the scope of the attack and the data that was stolen. Or in the words of the pipeline operator, “accessed” as that’s going to be interesting to see. Along with how the pipeline operator deals with the fallout of this attack.