CyberWire staff | thecyberwire.com »
At a glance
- ObliqueRAT re-emerges from the nest.
- Polecat research data exposed in ransomware attack.
- Payroll giant suffers cyberattack.
- Malaysia Airlines’ frequent flyer program grounded.
ObliqueRAT re-emerges from the nest.
Researchers at Talos discovered a new malware campaign distributing the remote access Trojan ObliqueRAT. In the past, this type of RAT was typically embedded in malicious Microsoft Office documents, but this new operation instead directs the victims to compromised URLs by concealing the ObliqueRAT payload in image files, a tactic used to avoid detection by email security controls. As ZDNet explains, the campaign employs a technique called steganography to hide the RAT in .BMP files that, when viewed, dump the malware into the victim’s system. ObliqueRat has been linked to a state-sponsored threat group called Transparent Tribe, and this new campaign targets South Asian organizations.
Polecat breach reported.
The researchers at Wizcase uncovered a breach exposing the data of British risk and reputation intelligence firm Polecat, renowned for its spot-on predictions regarding recent US presidential elections. An unprotected ElasticSearch server was found containing 30TB of data, or more than 12 billion records, including employee login credentials and billions of social media posts and tweets on buzzy topics like Covid and former US president Trump, research data harvested by Polecat for analysis. The day after the exposure was discovered, the majority of the data were deleted and a ransom note appeared requesting approximately $550-worth of bitcoin in exchange for the restoration of the files. The threat actors’ intentions are uncertain, but the data could be sold to a Polecat competitor for corporate espionage or used to blackmail the individuals attached to the tweets.
We heard from Dean Ferrando, systems engineer manager – EMEA at Tripwire, who points out that misconfigurations are potentially disastrous:
“Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed, might not go public, but the stakes are higher when your data storage is directly connected to the Internet.
“Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3. Once a process is in place, the systems must be monitored for changes to their configurations. These are solvable problems, and tools exist today to help.”
PrismHR sustains ransomware attack.
KrebsOnSecurity reports that payroll technology provider PrismHR has experienced what is likely a ransomware attack. Based in the US state of Massachusetts, the firm supplies software to professional employer organizations, or PEOs, that serve over 80,000 clients with 2 million employees. Shortly after the company discovered unauthorized activity on the network on February 28, PrismHR shut down client access to the platform. PrismHR warned its PEOs, “The outage may extend throughout today and possibly later, with potential impact on payroll processing.” However, Bleeping Computer reports, PEOs that use their own cloud infrastructure to host the platform should be unaffected. Though the company has not confirmed that the incident was a ransomware attack, it has the characteristics of one, and the sensitive nature of the data PrismHR stores — social security numbers, identification cards, insurance info — could spell disaster for the company and its many clients.
Niamh Muldoon, global data protection officer at OneLogin, sees this as another example of the enduring threat of ransomware:
“Ransomware shows no signs of slowing down and it remains a global cybersecurity threat. We have to remember that attackers have made cybercrime a business. And ransomware is the one cybercrime that has a high direct return of investment associated with it, by holding the victims’ ransom for financial payment. Taking the global economic environment and current market conditions into consideration, cybercriminals will of course continue to focus their efforts on this revenue-generating stream. During 2021 we are likely to see cyber-criminal individuals and groups partner together to try to maximize their return of investment with their attacks. The key message here is no one person or industry is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure that critical information assets remain safeguarded and protected against it.”
Nine-years of data exposure at Malaysia Airlines.
Finally, Malaysia Airlines has disclosed a “data security incident” affecting its frequent fliers. Malaysia Airlines has been impacted by a third-party data breach that has compromised the data of members of Enrich, its frequent flyer program, reports ZDNet. The airline’s third-party IT service provider experienced a breach sometime between 2010 and 2019 that exposed personal membership data including names, dates of birth, and frequent flyer earnings. However, Channel Asia explains, the airline’s own systems were not breached, meaning that more sensitive data like itineraries and payment info were not involved. Still, the fallout from the incident could put the brakes on the airline’s plans to launch Enrich’s new fare-based earning program this April.
The incident has attracted a great deal of industry comment. James McQuiggan, security awareness advocate at KnowBe4, reminded us in an email that while we expect a reasonable level of privacy when we provide our information, that expectation is often disappointed:
“Within society, any time we provide any information about ourselves to another organization, there is an expected level of privacy. When data is provided to organizations for reward programs, the possibility of that organization being attacked and having data stolen is a risk.
“Within an organization’s robust security program, along with a layered defense within the network and environment for the protection of sensitive information, it is essential to conduct red team or pen testing exercises. This activity provides the opportunity to discover weaknesses and take corrective actions to reduce the risk of an attack.
“When working with third-party organizations for providing services, it is vital to conduct the necessary audits and periodic reviews to ensure that the third party is not the weakest link in your security chain.”
Purandar Das, CEO and Co-Founder of Sotero, sees the incident as another cautionary tale of third-party risk:
“Organizations continue to be impacted by under protected third-party service providers. While such services are a key part of an organization’s customer services, they pose an increasing risk to the company. This is an area that is being increasingly targeted by hackers. The reason is fairly simple. Service providers are less organized in terms of security.”
Their infrastructure is less secure and more easily penetrated. Hackers target them knowing that their access to potentially valuable data is easier. On the surface this data seems less likely to cause damage to the consumer. However, this stolen data forms a part of the consumers profile that is created by data stolen from many locations. In totality, this enables the hackers to assemble a strong profile of the consumers and their behavior and could be used to target them for nefarious purposes. The fact that this breach happened over a long period of time without detection indicates the lack of security at the service provider. It is also unlikely that this data was not used for wrong reasons if the breach lasted as long it did. If the data was useless, the hackers would have moved on. It is time for organizations to take control of their data and its protection even when it is in the hands of service providers.”
Demi Ben-Ari, co-founder and CTO of Panorays, also sees a lesson about exposure to third-party risk:
“The recent data breach at Malaysia Airlines illustrates how customers’ personal data can be compromised through a third-party provider. Unfortunately, this is not the first time an airline has experienced a third-party data breach, and it likely won’t be the last. To prevent such incidents, it’s crucial for every company to perform comprehensive evaluations of their third parties that combine external attack surface assessments, security questionnaires and business context for the most accurate view of vendor cyber risk. In addition, continuous monitoring is absolutely necessary for ongoing visibility, insight and control of third-party security risk.”
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel points out that this sort of supply chain attack is notoriously difficult to detect, the risk difficult to manage:
“One of the worst aspects of ‘supply chain’ attack compromises is that it can be even harder to detect than a direct breach of an organization. Now more than ever businesses need to fully vet and actively manage vendors who may be able to access sensitive systems or data. A strong vendor management program can go a long way to preventing exposure by requiring third parties that interact with a business’s data or systems follow information security best practices and can demonstrate due diligence by adhering to well-known security standards such as NIST or ISO and also perform regular security testing to ensure that no mistakes that could lead to exposures have fallen through the cracks.”
Saryu Nayyar, CEO of Gurucul, wrote about the importance (and the difficulty) of holding third-party providers, even trusted ones, to a high standard of security:
“While it is unclear from the report whether Malaysia Airlines’ third party provider had exposed 9 years worth of information or had been exposed for 9 years, the end result is the same – valuable user information exposed to threat actors. It’s notable that Malaysia Airlines took the added step of informing members in their notification that they would not be contacting people by phone. That’s a proactive step, as malicious actors could easily use the exposed information to conduct phishing and social engineering attacks by phone.”
“One of the challenges with using 3rd party systems is the potential difficulty of holding them to the same level of cybersecurity used in your own organization. You could have a complete security stack, security analytics, and a trained security operations team, but that may not help when a trusted third party isn’t operating at the same standard.”
Finally, Bryson Bort, CEO of Scythe, doesn’t expect this kind of risk to diminish. “Another example that enterprise risk includes their supply chain: the amalgamation of products and vendors in an increasingly interconnected environment,” he wrote, and that trend toward interconnection is not a temporary one.
External Link: Trojan images. Research data exposed in ransomware attack. Payroll and HR provider hit with data breach. Third-party risk at Malaysia Airlines