Marriott reports “unauthorized access” to customer database since 2014, exposing data of 500 million guests
Earlier this month, hotelier Marriott International reported that data on roughly 500 million customers staying at hotels operated under Starwood had been compromised in a breach that gave unknown attackers access to the hotel chain’s network since 2014.
Details of the breach are still emerging. There is as yet no word on whether this incident is related to a separate Starwood breach from 2015, or on what the initial infection vector was; however, it has been pointed out that Starwood had hundreds of instances of Remote Desktop Protocol (RDP, the remote-login service that acts as a machine’s “gateway” to the network) exposed to the internet, many of them running outdated versions of Windows.
- In an email sent to customers on December 9, Marriott stated that, while it had not yet finished de-duplicating the records, it believes the database contained information on approximately 500 million guests who had made a reservation at a Starwood property.
- Marriott was alerted to the issue on September 8 by an internal security tool that flagged an attempt to access the Starwood guest reservation database. Marriott said it “quickly engaged leading security experts” to investigate; that investigation found unauthorized access to the Starwood network dating back to 2014.
- Guests who made a reservation on or before September 10, 2018 at a Starwood hotel likely had their information compromised to some degree.
- For approximately 327 million guests, the compromised information included some combination of name, address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation date and communication preferences, as well as Starwood Preferred Guest account information.
- For some guests, the information also includes credit card numbers and expiration dates.
- Payment card numbers were encrypted with AES-128. Two components are needed to decrypt them, and Marriott has not been able to rule out that both were taken in the breach, so card data may have been exposed; encryption protects stored data only as long as the key material is kept apart from it.
- For the remaining guests, the exposed information was limited to name and, in some cases, mailing address, email address or other details.
- Starwood brands include Sheraton Hotels & Resorts, Four Points by Sheraton, Westin Hotels & Resorts, W Hotels, Design Hotels, Aloft Hotels, St. Regis, Element Hotels, The Luxury Collection, Tribute Portfolio and Le Méridien Hotels & Resorts.
- Marriott has reported the incident to law enforcement and continues to support the investigation.
Source: Security Week
Vulnerability in postal service site left 60 million customers exposed for more than a year
Heading into the busiest time of the year, the United States Postal Service (USPS) has finally patched a critical vulnerability that exposed the data of more than 60 million customers to anyone with an account on USPS.com. An unnamed security researcher discovered the vulnerability over a year ago and reported it promptly, but USPS did not address the problem until a journalist recently asked for comment:
- The vulnerability was an access-control weakness in the application programming interface (API) behind the USPS “Informed Visibility” program, which lets business customers track mail in near real time. Callers were authenticated, but the API did not check that they were authorized to see the records they requested.
- The API accepted any number of “wildcard” search parameters without restriction, so anyone logged in to the USPS website could query the system for any other user’s account information.
- Any user, including a malicious one, could have extracted email addresses, usernames and user IDs, account numbers, street addresses, phone numbers, authorized users and mailing-campaign data from as many as 60 million USPS customer accounts.
Source: The Hacker News
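The USPS flaw described above is a missing authorization check rather than a broken login: the caller is a real, logged-in user, but the search is run against every account instead of only the caller’s own. The example below is added here to illustrate that pattern; it is not USPS code and says nothing about how the real Informed Visibility API is built. The account records, field names and the `search_vulnerable` / `search_hardened` functions are all constructed for the illustration.

```python
"""Added example: a wildcard account search with and without an
authorization check (constructed data, not the USPS API)."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str      # username of the customer the record belongs to
    email: str
    street: str
    phone: str


# Constructed sample records standing in for the customer database.
ACCOUNTS = [
    Account("1001", "alice", "alice@example.com", "1 Main St", "555-0100"),
    Account("1002", "bob", "bob@example.com", "2 Oak Ave", "555-0101"),
    Account("1003", "carol", "carol@example.com", "3 Elm Rd", "555-0102"),
]

SEARCHABLE = {"account_id", "owner", "email", "street", "phone"}


def _validate_fields(filters):
    unknown = set(filters) - SEARCHABLE
    if unknown:
        raise ValueError(f"unknown search field(s): {sorted(unknown)}")


def _matches(acct, filters):
    # Shell-style wildcards: '*' matches anything, '?' one character.
    return all(fnmatch.fnmatchcase(getattr(acct, field), pattern)
               for field, pattern in filters.items())


def search_vulnerable(session_user, filters):
    """The flaw in the article: the caller is authenticated (session_user
    is known) but never used to scope the query, so {'email': '*'}
    returns every customer in the table."""
    _validate_fields(filters)
    return [a for a in ACCOUNTS if _matches(a, filters)]


def search_hardened(session_user, filters):
    """Scope to the caller's own records *before* any user-supplied
    pattern is applied, and refuse attempts to pivot on the owner field.
    Wildcards are then harmless: they can only widen a search over data
    the caller is already entitled to see."""
    _validate_fields(filters)
    owner_filter = filters.get("owner")
    if owner_filter is not None and owner_filter != session_user:
        raise PermissionError("callers may only query their own records")
    own_records = [a for a in ACCOUNTS if a.owner == session_user]
    return [a for a in own_records if _matches(a, filters)]


if __name__ == "__main__":
    # bob asks for every email address in the system
    print("vulnerable:", [a.owner for a in search_vulnerable("bob", {"email": "*"})])
    print("hardened:  ", [a.owner for a in search_hardened("bob", {"email": "*"})])
```

The fix is the ordering: the server-side identity filter is applied first and cannot be overridden by anything in the request, so the wildcard handling never has to be "smart" about which patterns are dangerous.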
Third-party vendor breach exposes data of millions of healthcare patients
Hospital network Atrium Health has informed 2.6 million patients that their personal information was compromised following a breach at AccuDoc, a technology provider of billing and related services to the healthcare industry. AccuDoc says there is no evidence that any data was actually taken or misused, even though unauthorized users had access to its databases for about a week in September 2018.
- Atrium Health, formerly Carolinas HealthCare System, is a network of healthcare providers throughout the Southeast United States with more than 40 hospitals and 900 locations.
- Atrium Health learned on October 1, 2018 that AccuDoc had detected unauthorized access to its databases containing information related to payments made at several healthcare locations within the Atrium network.
- AccuDoc’s investigation found that the unauthorized access lasted about a week, from September 22 to September 29, 2018.
- The compromised databases contained personal information on patients and guarantors, including names, dates of birth, addresses, insurance policy details, medical record numbers, invoice numbers, account balances, dates of service and, in some cases, Social Security numbers.
- AccuDoc claims there was no evidence that any data was taken or misused.
Source: Security Week
New report profiles notorious MageCart cyber criminals
MageCart is an umbrella term for at least six cybercriminal groups that share a common goal, skimming payment card data from compromised online checkout pages, according to a new report from security firms RiskIQ and Flashpoint.
In a few short months, MageCart has gone from relative obscurity to dominating national headlines and becoming public enemy number one for the online retail industry. Recent high-profile breaches of global brands, including Ticketmaster, British Airways, and Newegg, as reported in a previous Threat Intelligence article, have made MageCart a household name. However, its activity isn't new and points to a complex and thriving criminal underworld that has operated in the shadows for years.
RiskIQ and Flashpoint profile six leading MageCart groups in their report, highlighting each group’s tactics and targets, and what makes them unique:
- Groups 1 and 2 target broadly, likely using automated tools to breach sites and skim customer information, and use a sophisticated “reshipping” scheme to turn stolen cards into cash.
- Group 3 targets high-volume sites, going after as many victims as possible with a unique skimmer.
- Group 4 is extremely advanced, blending in with victim sites and employing methods to avoid detection.
- Group 5 targets third-party suppliers, such as Ticketmaster, to breach as many targets as possible.
- Group 6 is extremely selective, targeting top-tier victims such as British Airways and Newegg in order to capture a high volume of traffic and transactions.
Source: Bank Info Security
Court documents reveal first-ever indictment on ransomware charges
On November 28, 2018, the United States Department of Justice (DOJ) announced charges brought against two Iranian citizens for their involvement in creating and deploying SamSam, ransomware notorious for targeting hospitals, cities, and public institutions.
Involving more than 200 victims and some $36 million in ransom payments and damages, this is the first U.S. indictment to charge individuals for deploying ransomware:
- Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, face multiple counts of computer hacking and fraud.
- According to unsealed court documents, Savandi and Shah used SamSam ransomware to extort over $6 million in ransom payments since 2015, and also caused more than $30 million in damages to over 200 victims, including cities like Atlanta, GA, and public institutions, such as the Colorado Department of Transportation.
- Both live in and operate from Iran, and neither has been arrested by U.S. authorities; the FBI has added Savandi and Shah to its list of wanted cyber criminals.
- Unlike most ransomware attacks, SamSam victims were hand-picked and selected systems were infected manually.
- The attackers first gained RDP access to targeted systems, using either brute-force attacks or stolen credentials, then spread SamSam strategically through the network by exploiting vulnerabilities in other systems.
- Though Atlanta city officials refused to pay the ransom, efforts to recover systems and records cost the city an estimated $17 million.
Source: The Hacker News
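Both the SamSam campaign above and the Starwood exposure earlier in this issue turn on internet-facing RDP. The brute-force stage leaves a distinctive trace in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often cycling through usernames, followed by a success (event 4624) from the same address. The detection below is an added example written for this article; it is not from the court documents or from any vendor tool. The log lines are constructed, in a simplified pipe-delimited form rather than real EVTX/XML, and the field order, `threshold` and `window` values are assumptions chosen for the illustration.

```python
"""Added example: flag RDP brute-force followed by a successful logon from
constructed Windows Security events (4625 = failed logon, 4624 = logon,
logon type 10 = RemoteInteractive/RDP). Not from the SamSam case."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp|event_id|logon_type|source_ip|username.
# 203.0.113.7 sprays six passwords in 15 seconds, then logs in as "backup";
# 198.51.100.9 has a single failure; 192.0.2.5 is a console (type 2) logon.
SAMPLE_EVENTS = """\
2018-09-22T02:14:01|4625|10|203.0.113.7|administrator
2018-09-22T02:14:03|4625|10|203.0.113.7|admin
2018-09-22T02:14:05|4625|10|203.0.113.7|backup
2018-09-22T02:14:08|4625|10|203.0.113.7|backup
2018-09-22T02:14:11|4625|10|203.0.113.7|backup
2018-09-22T02:14:15|4625|10|203.0.113.7|backup
2018-09-22T02:14:20|4624|10|203.0.113.7|backup
2018-09-22T09:10:00|4625|10|198.51.100.9|jsmith
2018-09-22T09:30:00|4625|2|192.0.2.5|jsmith
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_events(text):
    """Parse the simplified export into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "src": src, "user": user})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: details} for every source with at least `threshold`
    failed RDP logons inside a sliding `window`. `success_after` names the
    account that later logged in from that source, or None if none did."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == RDP_LOGON_TYPE:      # only RDP logons are of interest
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["id"] == FAILED_LOGON]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last_fail_ts = burst[-1]["ts"]
            success = next((e for e in evs if e["id"] == SUCCESSFUL_LOGON
                            and e["ts"] >= last_fail_ts), None)
            alerts[src] = {
                "failures": len(burst),
                "usernames": sorted({f["user"] for f in burst}),
                "first_failure": first["ts"].isoformat(),
                "success_after": success["user"] if success else None,
            }
            break                             # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

A success that follows the burst is the signal worth paging on: a spray that never lands is noise, while a spray that ends in a valid logon from the same address is the hand-on-keyboard entry point the SamSam indictment describes. The same logic runs unchanged against a real EVTX export once the parser is swapped for the event fields.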
Bundled pack makes SamSam and other ransomware easier for hackers to obtain and deploy
Ransomware-as-a-service has become a rapidly growing business model. One dark web seller is offering a bundle of highly effective encryption malware that includes SamSam, one of the more troubling ransomware families to appear over the past year:
- Available for $750, the 2018 ransomware pack includes other well-known ransomware such as Magniber, Satan, CryBrazil, XiaoBa, and more.
- Bundled packs also include tutorials and how-to guides for exploiting vulnerabilities and deploying attacks.
- The pack costs more than individual malware kits, but gives buyers a wider range of options and a greater likelihood of success.
- The inclusion of SamSam surprised many in the security industry, as it had been believed to be exclusive to the hackers recently indicted by the DOJ and not widely available.
- The seller’s forum post states that the pack will be withdrawn from sale after the first 25 copies are sold.
Source: ZD Net
How safe is your organization? Take the Cyber Risk Scorecard survey to assess your current cybersecurity standing and find additional steps your organization can take to protect against common cyber threats.