CyberWire staff | thecyberwire.com
At a glance
- Jamaican government data breach.
- DoppelPaymer ransomware hits Kia Motors America.
- The growing threat of ransomware.
- Possible data breach of California DMV information handled by a third-party service.
- Singtel apologizes for third-party breach.
Jamaican COVID-19 data left unprotected
TechCrunch discovered that JamCOVID19, the Jamaican government’s COVID tracking website created by web contractor Amber Group, inadvertently exposed user test results in an unprotected cloud storage server. As the site also coordinates travel application approvals, the compromised data (which included more than 70,000 lab results, 425,000 immigration documents, and 440,000 images of travelers’ signatures) belongs not only to Jamaicans, but also to travelers from countries like the US. Though a statement from the Jamaican government asserts that “At present, there is no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified,” the permissions on the server would have allowed anyone to download or even delete the data.
DoppelPaymer hits Kia
Car manufacturer Kia Motors America experienced a nationwide IT shutdown earlier this week, and Bleeping Computer reveals evidence that it was the result of a ransomware attack perpetrated by the DoppelPaymer gang. The attack took out much of the car company’s network, including mobile UVO Link apps, phone services, and internal dealership sites. In the ransom note obtained by Bleeping Computer, the hackers claim to have exfiltrated a “huge amount” of data and threaten to publish it if they are not paid approximately $20 million in bitcoin. In a less than conclusive official statement, Kia declines to admit that any attack occurred: “At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”
We received a number of comments from security industry executives on the incident. Niamh Muldoon, global data protection officer with OneLogin, sees it as evidence that criminals still perceive a high return-on-investment from ransomware. “During 2021 we will definitely see cyber-criminal individuals and groups try to maximize their return of investment with their attacks, whether it’s targeting high-value individuals and/or large enterprise organizations like a car company. The key message here is no one person or industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure you and your critical information assets remain safeguarded and protected against it.”
Trevor Morgan, product manager at comforte AG, hopes that Kia will be able to limit the damage, but believes that in such cases an ounce of prevention is worth a pound of cure. “The ironic thing is that enterprises can avoid the threat of leaked hijacked data simply by taking a data-centric approach to protecting sensitive information. Using tokenization or format-preserving encryption, businesses can obfuscate any sensitive data within their data ecosystem, rendering it incomprehensible no matter who has access to it. These reports should all be treated as cautionary tales, as an enterprise might find themselves in the same boat without the proper data-centric approach.”
Purandar Das, CEO and Co-Founder of Sotero Software, would like to see more companies rethinking their approach to data security. “There are two parts to this. One is start by making the data useless when stolen. That eliminates a big part of the leverage the criminals have. The data is just as valuable as the operational aspects of the system that are affected. The stolen data also causes long term damage to innocent consumers who trust organizations to protect their data and privacy. Adopting newer encryption technologies that keep data encrypted, even while in use, is a must. Second, enabling secure backups of operational systems with fast recovery paths is another. Layering on more security products is not a viable or scalable solution.”
Piyush Pandey, CEO at Appsian, reminds us that cybercriminals are fundamentally after data. “Far too often organizations spend their resources focused on their perimeter, but the primary focus should be to ensure the safety of data. A ‘perimeter-first’ security strategy frequently falls short. Defense-in-depth, Zero Trust, and Least Privilege are the concepts every information security leader should be familiar with and be actively putting into practice – especially for their business applications.”
According to Mr. Andrea Carcano, Co-Founder of Nozomi Networks, there are lessons here for business planners:
“These ransomware scenarios should be factored into an organization’s incident response and business continuity plans. Beyond a technical response, decision makers need to be prepared to weigh the risks and consequences of alternate actions. Ransomware threat actors typically rely on spear phishing links or vulnerable public services to gain initial entry into a network. Afterward, they move laterally to gain access to as many nodes of the network as possible, allowing them to increase the magnitude of the disruption.
“Cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and the use of continuously updated threat intelligence, should be used to protect IT and operational environments from ransomware.”
Saryu Nayyar, CEO of Gurucul, wishes law enforcement good hunting. “Eventually, the international law enforcement community will have to step up and deal with these cybercriminal gangs. Until that happens, these criminal businesses will just continue to operate with near impunity.”
Garret Grajek, CEO of YouAttest, believes that the large amount of information extracted from Kia is a sign that the crooks were there for some time. He has some recommendations for other organizations:
“Hackers are going to use some mechanism to enter our systems, be it phishing, social engineering, weak passwords, default admin passwords, etc. They might even be a trojan horse inside a legitimate agent (e.g. SolarWinds). The logical defense is to detect their actions once they penetrate the system. We know that in the Kill Chain, the attacker is going to attempt lateral movement and escalation of privileges. This is the point where we have to identify and stop the attack.
“One key mitigation method is enforcing the NIST PR.AC-6 principle of least privilege and attest to every privilege escalation to key security groups that legitimate users and hackers attempt. Organizations need to adopt solutions that force an immediate review of the account escalation attempts using IT audit and security access review products.”
The growing threat of ransomware.
As the Kia incident indicates, ransomware attackers are increasingly using the threat of exposing data, in addition to locking up their victims’ systems, in order to get a payout. Dark Reading suggests that the term “ransomware” be replaced by “extortionware,” a more fitting moniker for the crime’s ever-expanding reach. Ransomware has evolved over the years from its first appearance in 1989 as the AIDS Trojan circulated on floppy disks. When it reemerged in 2010, attackers targeted individuals through various vectors like malvertising, phishing scams, and social media messages. Nowadays, ransomware gangs are optimizing their payouts by hitting lucrative corporate targets and constantly upgrading their tactics. PurpleSec estimates that $20 billion was lost to ransomware attackers in 2020, a nearly 50% increase over the year before, indicating that targets can no longer rely on backups alone to protect themselves, but instead should employ an array of security efforts to avoid the need for payment.
The Conversation agrees that payment should be avoided at all costs (pun intended), as it only serves to embolden the perpetrators, but insurance firms are quick to suggest corporations quietly pay up, making it nearly impossible to nab the offenders. A survey showed that ransomware attacks increased a staggering 365% in the EU in 2019 over the year before. While the US government recently teamed up with Microsoft in an attempt to tackle Trickbot malware, these coordinated takedowns often catch lower-caliber criminals while letting the real masterminds slip through the cracks. A more viable solution: ensure all corporate employees are so thoroughly educated in cybersecurity that the attackers can find no chink in the armor.
Possible data breach at the California Department of Motor Vehicles.
TechCrunch reports that the California Department of Motor Vehicles is warning that a breach at a contractor the DMV uses, Automatic Funds Transfer Services (AFTS), may have exposed personal data. The Department emailed drivers that “the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers” are potentially at risk. AFTS sustained a ransomware attack early in February.
Greg Wendt, Executive Director of Security at Appsian, commented in an email on the problem:
“The risk that comes with a vendor’s access to sensitive data is one of the fast-growing concerns amongst public and private sector organizations. A data breach like the one that affected CDMV and AFTS is a reminder that organizations should always be diligent about what kinds of data they are collecting, how it’s being stored, and most importantly – have the visibility to understand exactly how that data is being accessed. For example, is access suddenly coming from a hostile foreign country or are certain data records/reports being accessed at a higher-than-normal frequency? These are questions that can be answered if an organization invests in data access and usage analytics for their business applications.”
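The two questions Wendt raises (access from an unexpected country, and records pulled at a higher-than-normal rate) are exactly what a first-pass data access analytics job checks. The following is an added example, not code from the article or from any vendor quoted in it: it builds a per-user baseline from constructed application access logs and flags deviations; the log format, field names and the 5x rate threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: "<ISO timestamp> <user> <source country> <record id>".
BASELINE_LOG = """\
2021-02-01T09:00:00 alice US REG-0001
2021-02-01T09:05:00 alice US REG-0002
2021-02-02T10:00:00 alice US REG-0003
2021-02-02T11:00:00 bob US REG-0004
2021-02-03T09:30:00 bob US REG-0005
"""
# A later day (constructed): alice's account pulls many records from country "XX".
TODAY_LOG = "".join(
    f"2021-02-18T03:{i:02d}:00 alice XX REG-{100 + i:04d}\n" for i in range(12)
) + "2021-02-18T10:00:00 bob US REG-0200\n"


def parse_log(text):
    """Parse the constructed log format into (day, user, country, record) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, country, record = line.split()
        events.append((datetime.fromisoformat(ts).date(), user, country, record))
    return events


def build_baseline(events):
    """Per user: countries normally seen, and mean distinct records per active day."""
    countries, per_day = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for day, user, country, record in events:
        countries[user].add(country)
        per_day[user][day].add(record)
    rate = {u: sum(len(r) for r in d.values()) / len(d) for u, d in per_day.items()}
    return {"countries": dict(countries), "rate": rate}


def detect_anomalies(baseline, events, rate_factor=5):
    """Flag new source countries and daily record volume above rate_factor x baseline."""
    findings, per_day = set(), defaultdict(lambda: defaultdict(set))
    for day, user, country, record in events:
        if country not in baseline["countries"].get(user, set()):
            findings.add((user, f"access from unexpected country {country}"))
        per_day[user][day].add(record)
    for user, days in per_day.items():
        expected = baseline["rate"].get(user, 1.0)  # unknown users: assume 1/day
        for day, records in days.items():
            if len(records) > rate_factor * expected:
                findings.add((user, f"{len(records)} records on {day} vs baseline {expected:.1f}/day"))
    return sorted(findings)


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for user, reason in detect_anomalies(base, parse_log(TODAY_LOG)):
        print(f"ALERT {user}: {reason}")
```

In practice the baseline would be computed over a longer window and the country check would key on a per-application allowlist rather than on history alone.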
Purandar Das, CEO and Co-Founder of Sotero, sees two weaknesses on display:
“There are two weaknesses being highlighted here. One is the inability of today’s encryption to support data in use. Most organizations try and deploy encryption at rest solutions. This approach leaves organizations vulnerable when hackers exfiltrate data through a breach. The data is accessible and vulnerable because operational systems need to access and use data which encryption at rest solutions don’t address. An encryption ‘in use’ approach minimizes or reduces this risk, significantly. This also enables organizations to protect themselves for a situation where they are held hostage to a data release. The other weakness is the vulnerabilities in a connected ecosystem. Organizations have to share data with other partners to execute some aspects of their business processes. The inability to employ internal practices to secure data in a third-party environment is a big concern. The adoption of a secure data sharing approach that enables the free movement of data, in its encrypted state, while still enabling business use is needed.”
Singtel’s data breach.
Singtel has apologized to its customers for the Accellion-related data breach it sustained, TODAYonline reports. Laurie Mercer, Security Engineer at HackerOne, offered some advice on how to avoid becoming a victim of this sort of incident:
“Singtel made two easily avoidable errors with this breach. First of all, relying on legacy and outdated systems is only going to lead to a greater chance of a breach, especially if the manufacturer stops issuing patches – it’s the simplest way into your network. Remote file sharing is currently of utmost business criticality, and relying on 20-year-old software when attack surfaces have expanded exponentially and cybercriminals will be targeting this attack vector is a recipe for disaster.
“Secondly, organisations are only as secure as their least secure supplier. Cybercriminals do not care if you are in the process of decommissioning legacy systems. HackerOne paid out thousands in bounties for supply chain attacks just in the past few weeks. If your systems are available 24/4, you need continuous security to match.”