This week is interesting stats again: it’s DBIR time!
Now in its 13th year, Verizon’s Data Breach Investigations Report (DBIR) has become an annual fixture of the infosec calendar. The report, which now has over eighty organisations contributing to it, provides useful intelligence into the state of security. In total, over 157,000 incidents were analysed, though only 32,000 met quality requirements. Just under 4,000 were publicly disclosed data breaches.
Here’s my run-down of where we are in 2020…
Just 1/10 breaches are linked to espionage, with advanced persistent threats (APTs) accounting for only 4% of breaches. It’s money that makes the cyber world go round: 86% of breaches were financially motivated.
Attackers may be directly after cash (such as in Business Email Compromise (BEC) attacks), personal data that can be sold on the dark web, or access that can be used to ransom/extort the victim out of money. Rarer, but still of note, are that sometimes it is the IT resources of the victim that they are after — compute power, network connectivity, or data storage — such as the crypto-mining attack on supercomputers from last week (vol. 3, iss. 20).
When cyber-criminals are trying to hack an organisation they are not using sophisticated means to do so: in 4/5 cases they are using stolen or brute-forced credentials. Lots of passwords have now been breached and they are frequently sold and exchanged to try against different accounts or services. Multi-factor authentication really is a must on things like your VPNs, email, and other externally facing apps.
Organisations are getting better at detecting, and containing, security incidents, with detection taking ‘days or less’ in 60% of cases, and 80% of cases are contained within the same period. Over 25% of incidents still take ‘months or more’ to detect, though.
More often than not, it is human error, not malware, that leads to breaches (22% vs 17% respectively). Patching remains important, and big vulnerabilities make headlines, but only 1/20 breaches involved an attacker actually exploiting a vulnerability.
In those error cases, over half were reported to the affected organisation by an external security researcher. If you haven’t considered how you’ll engage with someone reporting a concern, consider drafting a ‘playbook’ for how you will communicate and act with good samaritans, not just bad actors. That doesn’t mean you need a full bug bounty programme, though you may want to consider signposting security contacts on your website.
So, take a deep breath, and remind yourself it’s unlikely to be nation-states and zero-days that you need to worry about. Focus your efforts, especially for Internet-facing applications, on ensuring multi-factor authentication is enabled, and bear in mind that attackers will be looking for ways to monetise their unauthorised access.
(Other) Interesting stats
60% of ‘insider threat’ incidents are caused by employees planning to leave their job. Of those, 44% do so by forwarding information to personal email accounts, 16% use cloud-based collaboration platforms to exfiltrate data, and 11% aggregate, then download, data, according to Securonix. zdnet.com
Other newsy bits
9 million EasyJet customers affected by data breach
This week EasyJet announced that personal information of 9 million customers had been breached by a ‘sophisticated attacker’ between October 2019 and January 2020. The data included names, email addresses, and travel itinerary information including dates, destinations and booking references. For a subset of 2,208 customers, full payment card information (including the CVV ‘three digits’) was also compromised.
Lots of speculation centred on why the company would store unencrypted card details, including the CVV (which is prohibited to prevent fraud), though this missed the relatively simple explanation: the attack, for card details at least, has all the hallmarks of a MageCart group, similar to that suffered by British Airways in 2018.
The ICO is proposing a fine of £183M for the BA breach, though over 250x more card details were snaffled during that incident and the case has been kicked into the long grass (vol. 3, iss. 1).
The timeline described in the FT caught my eye: the intrusion was detected in January and the 2,208 customers whose card details were compromised were notified in April. A month later, however, the airline announced the wider compromise of details at the recommendation of the ICO, so those further 9M customers could be alert to potential phishing scams.
The company presumably wanted to avoid negative publicity surrounding such a large breach: low-cost air travel isn’t exactly known for being customer-centric. The company’s share price has remained relatively stable, though any changes are dwarfed by the ~60% drop as a result of grounding their fleet due to the COVID-19 global pandemic. theguardian.com, theregister.co.uk, thetelegraph.co.uk, ft.com
ADT employee snooping on CCTV install customers
220 households have been victims of an ADT employee who added himself to customers’ home alarm and CCTV systems to spy on the families remotely. In one case he watched a mother and daughter “on approximately 73 different occasions.” ADT employees typically cannot view cameras remotely — the technician added himself personally during the installation — though the access went unnoticed for seven years. Controls to prevent employee abuse are important, especially where sensitive personal data is being processed. Audit logs help to monitor actions, and can be used to spot unusual patterns of behaviour, but only if reviewed regularly. Quickly detecting and taking action against ‘rogue’ employees minimises the reputational and legal consequences. In this case, two almost identical charges have now been filed against the company, one seeking a class-action lawsuit against the US company. theregister.co.uk
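To show what the “only if reviewed regularly” point looks like in practice, here is an added example (not from the newsletter or from ADT) that runs a simple review over constructed audit log lines: it flags employee accounts that added themselves as users on a customer’s system and counts their subsequent remote camera views. The log format and the `tech_` prefix for employee identities are assumptions for the example.

```python
# Added example: review constructed audit log lines for the pattern in the
# ADT case, i.e. an employee who grants themselves access to a customer's
# system and then views cameras remotely. Log format is invented.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, event, actor, customer account, key=value detail
SAMPLE_LOG = """\
2013-03-02T10:15:00 USER_ADDED tech_017 cust_4411 added=tech_017 role=admin
2013-03-02T10:20:00 USER_ADDED tech_017 cust_4411 added=alice@example.net role=owner
2013-03-09T22:41:00 REMOTE_VIEW tech_017 cust_4411 camera=living_room
2013-03-10T23:02:00 REMOTE_VIEW tech_017 cust_4411 camera=living_room
2013-03-11T21:55:00 REMOTE_VIEW alice@example.net cust_4411 camera=front_door
2014-01-05T09:00:00 USER_ADDED tech_022 cust_5120 added=bob@example.net role=owner
2014-02-01T12:30:00 REMOTE_VIEW bob@example.net cust_5120 camera=garage
"""

EMPLOYEE_PREFIX = "tech_"  # assumption: employee identities share this prefix

def parse_log(text):
    """Split each line into (timestamp, event, actor, account, detail dict)."""
    events = []
    for line in text.splitlines():
        ts, event, actor, account, *kv = line.split()
        detail = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(ts), event, actor, account, detail))
    return events

def find_employee_self_grants(events):
    """(employee, account) pairs where an employee added their own identity."""
    return {(actor, acct) for _, ev, actor, acct, d in events
            if ev == "USER_ADDED" and d.get("added") == actor
            and actor.startswith(EMPLOYEE_PREFIX)}

def remote_views_by_employees(events):
    """Count remote camera views per (employee, account); customers are ignored."""
    counts = defaultdict(int)
    for _, ev, actor, acct, _d in events:
        if ev == "REMOTE_VIEW" and actor.startswith(EMPLOYEE_PREFIX):
            counts[(actor, acct)] += 1
    return dict(counts)

def review(text):
    """Return (employee, account, view_count) for every self-granted access."""
    events = parse_log(text)
    views = remote_views_by_employees(events)
    return sorted((actor, acct, views.get((actor, acct), 0))
                  for actor, acct in find_employee_self_grants(events))

if __name__ == "__main__":
    for actor, acct, n in review(SAMPLE_LOG):
        print(f"{actor} self-granted access to {acct}; {n} remote view(s)")
```

The technician tech_022 is not flagged because the only user they added was the customer, which is the expected install behaviour.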
Tracking the Coronavirus contact tracing and tracking apps
A team at the MIT Technology Review have started tracking contact tracing and tracking apps. As well as the technology behind each app, you can see how they compare against various privacy-related principles: voluntary, limited collection/processing, transparency, and so on. Austria, Italy and Singapore ‘score’ highly, the UK’s app sits in the middle of the pack, while the Chinese health code system app doesn’t fare well against any of their questions. Also this week campaign groups wrote to the UK Prime Minister expressing concerns that GCHQ has the capability to re-identify users of the NHSX Contact Tracing app being trialled on the Isle of Wight. technologyreview.com, theregister.co.uk
‘Massive’ COVID-19 phishing campaign
Microsoft’s Security Intelligence Team is warning of a ‘massive’ phishing campaign that they are tracking. The attackers are pretending to be Johns Hopkins sharing the latest Coronavirus case data. The booby-trapped Excel attachment installs a remote administration tool that can be used to control the victim’s computer and install other nasties. Check out their tweets for technical indicators of compromise. @MsftSecIntel, bleepingcomputer.com
Attacks, incidents & breaches
- Hypersonic missile specs amongst data stolen from Mitsubishi Electric, causing Japanese national security concerns cyberscoop.com
- Symantec say Iranian attackers have targeted at least three telcos in Pakistan cyberscoop.com
- Voter name, address and ID of 200M Indonesians from the 2014 election allegedly compromised (Indonesia is the world’s 4th largest country, by population) bleepingcomputer.com
- MageCart found on clothing retailer Paramo’s website, 3,743 card details believed to have been compromised theregister.co.uk
- Database of 129M Russian car owners for sale on dark web, including name, address, car registration, other ID information bleepingcomputer.com
- US meal kit service Home Chef breached, 8M records taken bleepingcomputer.com
- Mathway app breached by ShinyHunters, 25M emails and passwords stolen zdnet.com
- Ragnar ransomware hides from antivirus by running itself from within a virtual machine, according to Sophos theregister.co.uk
- NetWalker ransomware shifts focus to only target non-Russian enterprises bleepingcomputer.com
- Chinese Winnti group attacking games companies, bundling malware into build pipelines to target Taiwanese, South Korean victims and manipulate in-game currencies arstechnica.com, welivesecurity.com
- Beer-app Untappd useful OSINT tool for identifying intelligence, defence staff bellingcat.com
- Sarwent malware now opening Remote Desktop on infected computers for future use or sale to other attackers zdnet.com
- Amplification attack possible that uses recursive DNS to DDoS victim’s name servers theregister.co.uk
- Don’t leak data about users’ password information during your login process (I’m looking at you, Nintendo) vice.com
- Unc0ver jailbreak released that unlocks all versions of iOS11 to iOS13.5 techcrunch.com
Internet of Things
- Router exploit kit GhostDNS source code accidentally uploaded to Avast by attacker bleepingcomputer.com
- Suspects have reasonable right to privacy during legal investigation, says UK Court of Appeal: “those who have simply come under suspicion by an organ of the state have, in general, a reasonable and objectively founded expectation of privacy” mishcon.com
- FBI has gained access to the Pensacola shooter’s iPhone and blasted Apple for not building a law enforcement backdoor, though in doing so has proven that, when necessary, they can do so without one in less than four months cyberscoop.com, techcrunch.com
- Ukrainian security service arrests individual in conjunction with January 2019’s ‘Collection #1’ megabreach (vol. 2, iss. 3) that contained over 700M credentials krebsonsecurity.com
Press secretary discloses President Trump’s bank details
Donald Trump promised to donate his salary while serving as president, and this week, while announcing that this quarter the payment will be made to the Department of Health and Human Services, the press secretary held up a real cheque during the briefing, revealing the US President’s account information. While reputable news outlets have obscured the account and routing numbers, the cheque still revealed that the President banks with Capital One, and the address where his account is registered. As the NYT notes, additional security checks will likely be in place for such a high-profile account, but in case you need reminding: don’t share your card or account details online… or with the world’s media. nytimes.com