Owner of Buca di Beppo and other popular brands reports payment card data breach
Earl Enterprises, owner of several popular restaurant brands, including Buca di Beppo, Planet Hollywood, and Mixology 101, admitted in early April that cybercriminals had stolen customer payment card data from several of its restaurant chains over a period of 10 months.
- Brands impacted include Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria.
- All Buca di Beppo locations across the United States appear to be affected by the breach, including several franchise locations.
- Hackers obtained data using malware designed to capture credit and debit card information on point-of-sale (PoS) systems.
- Stolen data includes card numbers, expiration dates and, in some cases, cardholder names.
- The breach may impact customers who used a credit or debit card at affected locations between May 23, 2018 and March 18, 2019 (see which restaurants were affected).
- Stolen data from 2.15 million payment cards appeared for sale on the dark web in March, triggering an investigation into the incident.
- Other major restaurant chains that have disclosed payment card breaches in the past year include Huddle House, Chili’s, Applebee's, and Cheddar's Scratch Kitchen.
Bayer announces malware attack, no data stolen
German chemical manufacturer Bayer, maker of aspirin and other products, confirmed reports of a hacking attack, insisting no data had been stolen.
- Bayer first spotted malicious software designed to spy on the company’s activities in early 2018 and malware was still present as late as March of this year.
- Winnti, a hacking group believed to be linked to the Chinese state, is said to be responsible for the attack.
- Winnti’s primary target has been Asian-based video game companies, with the intent to steal source code and digital certificates.
- Winnti then began targeting pharmaceutical companies, using those stolen digital certificates to deploy a Remote Access Trojan (RAT).
- Bayer stated that they have been working closely with a private cyber security organization and law enforcement to identify and clean up affected systems.
- Winnti has targeted companies in several countries in Europe, South America and the U.S., including three smaller German firms since the beginning of 2019.
Third-party app developers exposed data of over 540 million Facebook records
Two third-party Facebook application developers exposed users' personal information by leaving the data in unsecured Amazon S3 storage buckets.
- Security firm UpGuard reports data was exposed from 540 million records, though the number of users affected was unclear.
- Despite UpGuard’s repeated attempts to contact both developers, one of the developers, a Mexico City-based media firm named Cultura Colectiva, did not remove personally identifiable information (PII) from public view until reporters from Bloomberg contacted them.
- The other developer, maker of an integrated app called At the Pool, had been out of business for several years.
- Exposed data from Cultura Colectiva included Facebook IDs, comments, likes, reactions, account names and more.
- Exposed data from the other developer included 22,000 plaintext passwords and other user data.
- Because the At the Pool app integrated with Facebook, it's likely Facebook passwords were also exposed.
- Researchers also found a backup database for the At the Pool app containing file names such as "fb_user," "fb_friends," "fb_likes," and others.
- Both data sets were stored in S3 buckets that allowed public downloads; neither bucket was password protected.
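Both leaks above came down to storage that anyone on the internet could read. The following added example (not code from the page, UpGuard, or the developers involved) shows how a defender can audit the two places where an S3 bucket becomes public: the bucket policy (an `Allow` statement whose `Principal` is `*`) and the bucket ACL (a grant to the `AllUsers` or `AuthenticatedUsers` group). The policy and ACL documents are constructed samples in the shape AWS returns for a bucket policy and for `get_bucket_acl`; the bucket name, account ID and role name are placeholders.

```python
import json

# Constructed sample documents (placeholders, not the buckets from the UpGuard report).
# Shapes follow what AWS returns for a bucket policy and for get_bucket_acl.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anyone, unauthenticated
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})
PRIVATE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

# The two predefined groups that make an ACL grant world-readable (or readable by any AWS account).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Allow statements that apply to everyone, noting whether a Condition narrows them."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written without the list
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({"sid": st.get("Sid", "<no sid>"),
                         "actions": actions,
                         "conditional": "Condition" in st})
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs for grants to the public or any-authenticated-user groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def assess_bucket(policy_json, acl):
    """Combine both checks into a list of human-readable findings; empty means nothing public was found."""
    findings = []
    for f in public_policy_statements(policy_json):
        note = " (conditional, review the Condition block)" if f["conditional"] else ""
        findings.append(f"policy statement {f['sid']} allows {','.join(f['actions'])} to everyone{note}")
    for group, permission in public_acl_grants(acl):
        findings.append(f"ACL grants {permission} to {group}")
    return findings


if __name__ == "__main__":
    for label, policy, acl in (("public", PUBLIC_BUCKET_POLICY, PUBLIC_ACL),
                               ("private", PRIVATE_BUCKET_POLICY, PRIVATE_ACL)):
        print(label, assess_bucket(policy, acl) or ["no public access found"])
```

In a real audit the two documents would come from the S3 API for every bucket in the account; the point of keeping the checks pure functions is that they can be unit-tested against known-bad documents like the ones above before being run against production.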
Facebook continues to struggle with privacy, sloppy security practices
Facebook itself continues to struggle with privacy concerns and poor security practices.
- Facebook revealed in March that it had accidentally stored passwords for hundreds of millions of Facebook users and tens of thousands of Instagram users in unencrypted plaintext.
- Facebook has since revised its Instagram estimate to be in the millions.
- Passwords were accessible to some Facebook engineers, who did not abuse that access, according to the company.
- Facebook also discovered additional Instagram passwords stored in a readable format but insisted password logs were never improperly accessed by any of its employees.
- News of the exposure has been compounded by additional reports that Facebook had been caught asking new users for their email account passwords to verify their identity.
- Facebook was suspected of using access to email accounts to collect users’ saved contacts; a Facebook spokesperson shared with Business Insider that the company was using the data to "build Facebook's web of social connections and recommend friends to add."
- Facebook revealed that they had in fact "unintentionally" uploaded email contacts from as many as 1.5 million new users without their consent or knowledge since May 2016.
Sources: TheHackerNews.com (Instagram) and TheHackerNews.com (Facebook)
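Plaintext password stores of the kind described above usually originate in logging code that records a request, form or API body without stripping the credential first. The following added example (not code from the page or from Facebook) shows a defender's two-part response: a scanner that finds credential fields in existing log lines, and a `logging.Filter` that redacts them before they reach a sink. The log lines are constructed samples; the field names in the pattern are common ones, not a list taken from any particular system.

```python
import io
import logging
import re

# Field names that commonly end up in logs with a credential value after them (assumed set, extend as needed).
SECRET_PATTERN = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token|api_key)\b'  # key name, case-insensitive, whole word
    r'(\s*["\']?\s*[:=]\s*["\']?)'                          # separator: = or :, optional quotes (JSON or key=value)
    r'([^\s"\'&,}]+)'                                        # the value, up to the next delimiter
)

# Constructed sample log lines: three carry a credential, the last one is benign.
SAMPLE_LOG = [
    'POST /login user=alice password=hunter2 status=200',
    '{"email": "bob@example.com", "password": "s3cret!"}',
    'GET /api?token=abc123&page=2 status=200',
    'user=alice logged in from 192.0.2.10',
]


def redact_secrets(line):
    """Keep the key and separator, replace only the value."""
    return SECRET_PATTERN.sub(r'\1\2[REDACTED]', line)


def contains_secret(line):
    return SECRET_PATTERN.search(line) is not None


def audit_lines(lines):
    """Indices of lines that carry a credential: the lines an existing log store would need purged."""
    return [i for i, line in enumerate(lines) if contains_secret(line)]


class RedactingFilter(logging.Filter):
    """Rewrites each record's rendered message before any handler writes it."""

    def filter(self, record):
        record.msg = redact_secrets(record.getMessage())
        record.args = ()   # message is already rendered; prevent a second % formatting pass
        return True


def write_safely(lines):
    """Feed the lines through a logger fitted with the filter and return what reached the sink."""
    sink = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactingFilter())     # filter on the handler: applies to every record it emits
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    return sink.getvalue()


if __name__ == "__main__":
    print("lines needing purge:", audit_lines(SAMPLE_LOG))
    print(write_safely(SAMPLE_LOG))
```

Redaction at the logging layer is a backstop, not a substitute for never passing the raw credential to a logger; its value is that it also catches the request-dump and debug statements nobody remembers adding.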
Email compromise results in network intrusion at third-largest IT outsourcing company
India’s third-largest IT outsourcing company, Wipro, has been plagued by a network intrusion from what investigators initially assumed to be a state-sponsored attacker. Wipro engaged a forensics investigation firm after detecting abnormal activity in several employee accounts on their network, the result of an advanced phishing campaign.
- Attackers were using Wipro’s systems as jumping-off points for digital fishing expeditions, targeting at least a dozen customer systems.
- Wipro’s customers were able to trace suspicious network reconnaissance and other malicious activity back to partner systems in direct communication with Wipro’s network.
- A source familiar with an outside forensic investigation being conducted for a Wipro customer said, from file folders on the intruder’s back-end infrastructure, that it appears at least 11 other Wipro clients were attacked. The source did not provide the names of the other affected organizations.
- According to another source, Wipro’s corporate email system had been compromised for some time and the company is in the process of building out a new private email network.
- Wipro has been providing specific “indicators of compromise” to concerned clients, detailing telltale clues of the tools and procedures the attackers may have used that might indicate an attempted or successful intrusion.
- Wipro employs more than 170,000, serving clients across six continents with high-profile customers in healthcare, banking, communications and other industries, with over $8 billion in annual revenue from IT services.
- The apparent breach is another blow to the embattled IT service provider, currently involved in a lawsuit with the state of Nebraska after the state demanded last September that Wipro halt work on Nebraska’s Medicaid enrollment system and cancelled a contract this past March. Wipro also settled a lawsuit with another customer last August, paying $75 million over a botched implementation that reportedly cost hundreds of millions of dollars to fix.
Live broadcast from The Weather Channel disrupted by unconfirmed ransomware attack
A security incident lasting at least 90 minutes disrupted live broadcasting from The Weather Channel in mid-April.
- The station confirmed via Twitter that they had been the victim of a malware attack (unconfirmed reports point to ransomware specifically).
- The station was able to quickly restore live programming through back-up mechanisms, which would support a ransomware claim.
Ransomware attacks wreak havoc on municipal operations
Several municipalities have been dealing with the aftermath of ransomware attacks. Attacks impacted the cities of Augusta, Maine, Stuart, FL and Greenville, NC, and Imperial County in California.
- Augusta City Center operations were shuttered April 18 after what appeared to be a ransomware attack; malware somehow gained entry and methodically locked endpoints and servers.
- Affected departments and systems included police dispatch, municipal finances, billing, tax records, assessor’s records and general assistance.
- Though Augusta’s IT department did not specifically point to ransomware, the description of what took place has all the hallmarks of a ransomware attack.
- Imperial County and Stuart both suffered a Ryuk ransomware attack, knocking both networks offline for a period of time.
- Greenville, NC was reportedly relying on paper forms while its IT department rebuilds the network.
Mystery database exposes personally identifying information of millions of Americans
Researchers recently stumbled upon an unprotected database, hosted on Microsoft cloud servers, storing 24GB of information on individuals in roughly 80 million (some 60%) of U.S. households. The owner of the database has not been identified, but Microsoft has stepped in to remove it until the database can be secured.
- Two researchers from vpnMentor came across the database as part of a web-mapping project.
- Data included the number of individuals living in a household, address, geographical location, full name, marital status, age, date of birth, gender, income bracket, homeowner status, and dwelling type.
- The database only appeared to store data on individuals over the age of 40.
- Certain data fields could indicate the database is owned by an insurance, healthcare, or mortgage company.
- The data did not contain payment card information, social security numbers, email addresses or passwords; however, the trove of information could be incredibly valuable for attackers to use in conjunction with other data breaches for highly targeted phishing or ransomware attacks.
Atlanta Hawks online store compromised, payment card data stolen
Cybercriminals deployed the Magecart card-skimming code to the Atlanta Hawks’ online store, stealing customers’ names, addresses and payment card numbers.
- Sanguine Security identified the code on the store’s checkout page on Saturday April 20, though research from RiskIQ revealed that HawksShop.com had been compromised since as far back as 2017.
- Skimming code was first detected on the website in June 2017, one of hundreds of affected sites.
- A representative for the Atlanta Hawks claimed the malware was no longer active on the site as of late April. That claim was later found to be false, though the site had been shut down for maintenance shortly after.
- HawksShop.com runs on the Adobe Magento Commerce Cloud 2.2 e-commerce system. Intruders may have gained access to the system via an unsecured third-party component.
Attackers applying new tactics on an old scam
Sextortion scams, a type of ransom attack that seeks to obtain payment in exchange for withholding an alleged “sex tape” video from public release, are nothing new, but tactics have been evolving.
- New variants are now attaching password-protected ZIP files, allegedly containing proof of a video recording of the recipient.
- Recipients cannot view the files in the archive; however, they can see the file names, which is enough to scare some recipients into making a payment.
- Email subjects often contain a case number, email address, date and time, and an ominous statement (e.g., “You have been warned many times.”)
- The email states that the sender has webcam video of you utilizing porn sites, and threatens to share this video with all of your contacts if you do not send them a $660 bitcoin payment.
- Files within the ZIP attachment have been named to give a sense of legitimacy to the claim, including Camera-Vid.avi, contacts.txt, debt.txt, Google_Chrome_Default.txt, information.txt, and screenshot.jpg.
- The email includes a link to a “bitcoin wallet,” directing the recipient to “cryptonator.com,” which then allows the recipient to “purchase” the password needed to access the ZIP files for $50.
- Experts recommend marking the email as spam and deleting the message immediately
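The features listed above (a subject line carrying a case number and a threat, a bitcoin demand tied to an alleged webcam recording, an offer to sell the archive password, and a ZIP whose member names are visible even though its contents are not) are exactly what a mail-filter rule can key on. The following added example (not code from the page) builds a constructed sample of such a message with the standard library, extracts the ZIP member names the way a gateway would, and scores the message against those indicators. The message text, addresses and file names used in the benign comparison mail are all constructed; the lure file names come from the list in the text.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# File names the reported campaign used inside its ZIP attachment (from the text above).
KNOWN_LURE_FILES = {"Camera-Vid.avi", "contacts.txt", "debt.txt",
                    "Google_Chrome_Default.txt", "information.txt", "screenshot.jpg"}


def _zip_bytes(names):
    """Build an in-memory ZIP holding empty members with the given names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


def build_sample_message(lure=True):
    """Constructed sample mail; lure=False yields an ordinary mail with a ZIP for comparison."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.com"
    if lure:
        msg["Subject"] = "Case #483921 - you@example.com - 2019-04-12 10:22 - You have been warned many times."
        msg.set_content("We recorded your webcam while you visited adult sites. Send 660 USD in bitcoin "
                        "or the video goes to all your contacts. Purchase the archive password at the wallet link.")
        msg.add_attachment(_zip_bytes(["Camera-Vid.avi", "contacts.txt", "screenshot.jpg"]),
                           maintype="application", subtype="zip", filename="evidence.zip")
    else:
        msg["Subject"] = "Q2 planning notes"
        msg.set_content("Attached are the notes from today's meeting.")
        msg.add_attachment(_zip_bytes(["notes.txt"]),
                           maintype="application", subtype="zip", filename="notes.zip")
    return msg


def zip_attachment_names(msg):
    """Member names of every ZIP attachment; names are readable even when members are encrypted."""
    names = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                names.extend(zf.namelist())
        except zipfile.BadZipFile:
            continue
    return names


def sextortion_indicators(msg):
    """Return the list of indicators present; each corresponds to one feature described in the text."""
    subject = msg["Subject"] or ""
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = []
    if re.search(r"\bcase\b.*\d", subject, re.I) or "warned" in subject.lower():
        hits.append("threatening subject with case number")
    if "bitcoin" in text and any(w in text for w in ("webcam", "video", "recorded")):
        hits.append("bitcoin ransom for alleged recording")
    if "password" in text and "purchase" in text:
        hits.append("offers to sell attachment password")
    names = zip_attachment_names(msg)
    if names:
        hits.append("zip attachment")
    if len(set(names) & KNOWN_LURE_FILES) >= 2:
        hits.append("known lure file names")
    return hits


def is_sextortion(msg, threshold=3):
    """A single indicator (a ZIP, say) is normal mail; several together are the pattern."""
    return len(sextortion_indicators(msg)) >= threshold


if __name__ == "__main__":
    for label, m in (("lure", build_sample_message(True)), ("benign", build_sample_message(False))):
        print(label, is_sextortion(m), sextortion_indicators(m))
```

The threshold matters: a ZIP attachment or the word "bitcoin" alone would quarantine legitimate mail, so the rule fires only on the combination, and the returned indicator list gives the analyst the reason when it does.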
Single threat actor responsible for some of the largest malware campaigns observed
A threat actor tracked as “TA505” is responsible for some of the largest malicious spam campaigns observed, distributing instances of the banking Trojans known as Dridex and The Trick, the ransomware families Locky and Jaff, and several other threat vectors in very high volumes.
- Activity on the Necurs botnet, used to drive the massive spam campaign, appears to coincide with activity from TA505.
- Over the past months, the actor appears to have switched to new Remote Access Trojans (RATs) for their attacks, including tRat and ServHelper, both written in Delphi.
- In attack campaigns between December 2018 and February 2019, TA505 employed a Remote Manipulator System (RMS) backdoor to target financial institutions in South America, Southeast Asia, Europe, Africa and the Middle East, as well as large retailers and food and beverage industry organizations in the United States.
- TA505 used spear-phishing emails attempting to trick users into opening a malicious Word document containing a Visual Basic for Applications (VBA) macro, used to download a payload from a command and control server.
- The malicious documents prompted a Microsoft Windows Installer process to fetch an additional payload from the command and control server. Researchers from cybersecurity firm CyberInt identified four command and control servers and payloads used in this campaign.
- The same tactics, techniques and procedures were also observed in an attack on the Notary Chamber of Ukraine, where the threat actor was unsuccessful in its attempts to install the RAT.
FISA warrant against Chinese telecom revealed in federal court in March
U.S. authorities announced in federal court last month that they had obtained a Foreign Intelligence Surveillance Act (FISA) warrant enabling them to spy on and gather information from Huawei as the U.S. Attorney’s office builds its case against the Chinese telecom equipment manufacturer.
- Huawei and its CFO, Meng Wanzhou, stand accused of conspiring to commit bank fraud, as well as violating U.S. sanctions against Iran.
- Charges include a claim that Huawei used Skycom, a suspected “front company” based out of Iran, to obtain embargoed U.S. goods, technology and services in Iran, and to move money via the international banking system.
- Arrested in Canada back in December, Meng maintains her innocence and has been fighting extradition to the United States.
- Huawei pleaded not guilty to the 13-count indictment in March, saying Skycom was a local business partner.
- The U.S. has been pressuring other countries to drop Huawei from their cellular networks, over concerns that its equipment could be used by Beijing for spying, though Huawei dismisses the concerns as unfounded.
- The case against Huawei continues to unfold, with the next court date set for June 19, 2019.
Cybersecurity researchers uncover infamous Carbanak malware source code
Cybersecurity researchers from FireEye have discovered the full source code of the malware known as Carbanak.
- Carbanak, also known as FIN7, Anunak or Cobalt, is one of the most dangerous full-featured malware products owned by an advanced persistent threat (APT) cybercriminal group involved in several attacks against restaurants, hospitals and financial institutions.
- Rumored to have been leaked last summer, FireEye cybersecurity researchers revealed that they found Carbanak's source code, builders, and some previously unseen plugins in two RAR archives that had been uploaded to the VirusTotal malware scanning engine from a Russian IP address two years prior.
- At 20MB, the source code is comprised of 755 files, with 39 binaries and 100,000 lines of code.
- First uncovered in 2014 by Kaspersky Lab, Carbanak was one of the most successful malware attacks in the world, launched by a highly organized APT group that owed its success to continually evolving tactics.
- The APT launched its first series of malware attacks nearly six years ago, using Anunak and Carbanak to compromise banks and ATM networks around the world, stealing billions of dollars from more than 100 global financial institutions.
- Hackers deployed the malware via a spear-phishing campaign targeting hundreds of bank employees. Once opened, Carbanak infected bank networks, allowing attackers to transfer money to fake accounts or APT-monitored ATMs.
- According to the European authorities, the criminal group later developed a sophisticated banking trojan called “Cobalt,” based on Cobalt-Strike penetration testing software in use until 2016.
- The group was first exposed as financially motivated cybercriminals in 2015; three suspects, all from Ukraine, were arrested in the first 6 months of 2018: Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30, the alleged leader of the group.
- All the three suspects were indicted and charged with 26 felony counts in August 2018.
Joint raids crack down on illegal trade, dark web marketplace
Europol, with the FBI and other law enforcement agencies, cracked down on an illegal goods trade in late March, making 61 arrests and shuttering the “Dream Market” dark web site.
- Dream Market functioned as a transaction service enabling the sale of illegal goods such as weapons and drugs, as well as malware kits and ransomware.
- The site’s closing reportedly disrupted ransomware attacks in progress, forcing attackers and ransomware distributors to use alternatives like Google AdWords to reconnect with victims.
- Law enforcement officials likely gained control of the Dream Market site, using the platform to gather evidence and make the arrests.