Threat Report

Wednesday May 29th 2019

The threats are out there, but sometimes they’re in our own house too. Over the last week we’ve learned about a number of large data leaks and breaches. We should be having serious discussions about data security, but instead Germany is suggesting an end to end-to-end encryption. I’m not the only one throwing shade this week: the baddies are throwing Shade in a new ransomware campaign. Let’s dig in.

One billion records breached last week

Over the last week, the news was filled with disclosures from organizations about data leaks and data breaches. I counted more than a billion records breached. It makes me wonder, is there anyone left in the world who has not been impacted by a data breach?

Let’s start small with a targeted government breach. The New Zealand government suffered a “systematic” and “deliberate” cyberattack that resulted in the leak of secret finance documents. Treasury Secretary Gabriel Makhlouf said he had referred the matter to police on the advice of intelligence services.

Fast Retailing, Uniqlo’s parent company, suffered a breach attributed to weak and reused passwords: attackers logged in with credentials taken from other breaches, exposing the personal information of roughly 500,000 customer accounts.

Amadeus, a travel booking provider, left an Israeli database exposed to the public which contained Personally Identifiable Information (PII) on 15 million passengers, 36 million bookings, and 700 thousand visa applications. The leaked information included high-ranking Israeli government officials, like Israeli Prime Minister Benjamin Netanyahu. According to Amadeus, this was the result of a misconfigured database which had no security controls in place.

Canva, an Australian tech startup, was breached by the hacker known as GnosticPlayers, affecting 139 million users. Data lost included PII, hashed passwords, and 78 million unencrypted Google sign-in tokens that, depending on the scope they were granted, could be used to access the linked Google accounts. That makes this the largest known Gmail account breach in history. GnosticPlayers has stolen upward of 1.071 billion credentials from 45 companies.

Flipboard notified its 145 million users about a security incident where hackers accessed its internal systems for over nine months. Hackers accessed databases with customer information. These databases stored Flipboard usernames, hashed and uniquely salted passwords, and in some cases, emails or digital tokens that linked Flipboard profiles to accounts on third-party services.

The company already replaced all digital tokens that customers used to connect Flipboard with third-party services like Facebook, Twitter, Google, and Samsung. Heck, maybe this is the new largest known Gmail account breach in history, but they aren’t telling us any numbers.

Last but not least, First American Financial, a provider of title insurance and settlement services in the real estate and mortgage industries, leaked roughly 885 million mortgage-related documents, wire transfer records, and similar files going back to 2003. The data was freely accessible via their website without requiring authentication or authorization. This leak had likely been running for over two years.

Exposed records include bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.

A real estate developer tried to report the problem to First American Financial but was ignored. The developer found that a portion of First American’s website was leaking records: anyone who knew the URL of one valid document could view other customers’ documents simply by changing a single digit in the link, with no login required. In other words, the document IDs were sequential and the site never checked whether the requester was allowed to see the document it was serving.
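To make the flaw concrete, here is an added example (not First American’s code, and not from the original post) contrasting the broken pattern with a hardened one. The document store, customer names and IDs are all made up for illustration; the two points it demonstrates are that a sequential ID with no authorization check can be walked by anyone, and that the fix is an ownership check on every request, with unguessable handles as defense in depth.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample data (hypothetical): a few title documents belonging to two
# different customers, keyed by the kind of sequential numeric ID a URL might
# carry. Nothing here is real First American data.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    100001: {"owner": "alice", "body": "Wire transfer receipt, Alice -> escrow"},
    100002: {"owner": "alice", "body": "Mortgage statement, Alice"},
    100003: {"owner": "bob", "body": "Driver's license scan, Bob"},
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """The flawed pattern: the numeric ID from the URL is the only input and
    nobody checks who is asking, so any valid ID returns any customer's file."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def enumerate_vulnerable(start: int, count: int) -> List[int]:
    """What 'modifying a single digit' amounts to at scale: walk a range of
    neighbouring IDs and record which ones resolve to a document."""
    return [i for i in range(start, start + count)
            if fetch_document_vulnerable(i) is not None]


class DocumentStore:
    """Hardened pattern: every fetch is authenticated and authorized against the
    document's owner, and documents are addressed by random tokens rather than
    sequential IDs so the URL space cannot be walked."""

    def __init__(self, docs: Dict[int, Dict[str, str]]) -> None:
        self._docs: Dict[str, Dict[str, str]] = {}
        self._token_by_id: Dict[int, str] = {}
        for doc_id, record in docs.items():
            token = secrets.token_urlsafe(24)  # 192 random bits; not guessable
            self._docs[token] = dict(record)
            self._token_by_id[doc_id] = token

    def token_for(self, doc_id: int) -> str:
        """Lookup used when generating a link for the owner (and by the tests)."""
        return self._token_by_id[doc_id]

    def fetch(self, requester: Optional[str], token: str) -> str:
        """Return the document body only to an authenticated requester who owns it."""
        if requester is None:
            raise PermissionError("authentication required")
        doc = self._docs.get(token)
        # Same failure for 'no such token' and 'not yours': the endpoint must not
        # act as an oracle that confirms which tokens exist.
        if doc is None or doc["owner"] != requester:
            raise PermissionError("not found")
        return doc["body"]
```

The ownership check is the actual fix; the random tokens only stop enumeration (a leaked link is still a leaked link), which is why the hardened version does both. It is also worth logging the denials: a burst of "not found" responses to one client walking adjacent links is exactly the signature First American could have alerted on.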

First American has approximately 18,000 employees and reported revenue of more than $5.7 billion last year. As a title insurance agency, First American collects a variety of private information from both the buyer and the seller.

First American did release a statement, but it’s hardly worth reading. Basically, they’re looking into the impact this could have on their customers, “if any.” Can you imagine there being no impact from exposing the Social Security numbers and bank account numbers of millions of Americans with credit scores high enough to get trillions of dollars in real estate loans? In some bizarre world, maybe there is no impact. Maybe we have hit total saturation of breached data and I should just go back to bed.

So, let’s get rid of encryption?

All of these large, well-resourced organizations are losing data: forgetting to secure it, or failing to detect or prevent the breach. The best case in any of these scenarios is that the data was encrypted, so what leaked is useless without the key. Can you imagine what could happen if we start rolling back data security?

Germany’s Interior Minister, Horst Seehofer, reportedly wants to force messaging providers such as WhatsApp, Telegram, and Threema to hand over plaintext chats to law enforcement agencies on a court order or lose access to the German market. A provider that uses end-to-end encryption holds neither the plaintext nor the keys, so the only way to comply is to weaken or remove that encryption. Basically, we’re talking about outlawing strong encryption.

This isn’t the first time the idea has been floated by people who believe there should be no communication between two people that the government is not privy to. Thank heck it would be impossible to actually ban encryption.

Ransomware campaign throwing Shade

Alright, enough shade. Let’s talk about Shade. The Shade ransomware family, first spotted in late 2014, targets hosts running Microsoft Windows and is distributed via malicious spam (malspam) and exploit kits. It has now been observed expanding its scope to victims in the U.S., Japan, Thailand, India, and Canada. Once it has encrypted a Windows host, it announces the infection by replacing the desktop background and dropping ransom-note text files. In the current campaign the malspam carries links that impersonate invoices, and analysis shows an infection chain that delivers a packed executable fetched from a URL.

Malspam-based Shade Ransomware Infection

The most common targets of these Shade infection attempts were organizations in the High Technology and Education sectors outside of Russia and Russian-speaking countries. The best defense users and organizations have against ransomware is a reliable, tested backup on offline storage that can actually be restored. Here are 186 compromised domains associated with the ransomware campaign.
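A published list of compromised domains is only useful if you actually sweep your own telemetry against it. The following is an added example (not from the report or the original post) of that sweep over proxy logs: it flags every request to an indicator domain and rates a request whose response was a Windows executable as high, since that is the payload stage of the infection chain described above. The indicator domains and the log lines are constructed for this example; the real list from the report goes in `COMPROMISED_DOMAINS`, and the log format is a hypothetical space-separated proxy format.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Hypothetical indicator list standing in for the 186 compromised domains the
# report publishes. These names are made up for this example; drop in the real
# list when you run this.
COMPROMISED_DOMAINS: Set[str] = {
    "example-compromised-site.test",
    "another-hacked-blog.test",
}

# MIME types a proxy commonly reports for Windows executables.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
}

# Constructed sample proxy log (made up for this example). Fields:
# timestamp client_ip method url status bytes content_type
SAMPLE_LOG = """\
1559100000.123 10.0.0.5 GET http://example-compromised-site.test/wp-content/uploads/inv0ice.zip 200 12345 application/zip
1559100010.456 10.0.0.5 GET http://example-compromised-site.test/images/document.jpg 200 911423 application/x-msdownload
1559100020.789 10.0.0.9 GET http://intranet.test/index.html 200 2048 text/html
1559100030.000 10.0.0.12 GET http://cdn.another-hacked-blog.test/logo.png 200 4096 image/png
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<ctype>\S+)$"
)


def candidate_domains(host: str) -> Set[str]:
    """'cdn.evil.test' should match an indicator of 'evil.test', so return the
    host and every parent domain (but not the bare TLD)."""
    parts = host.lower().split(".")
    return {".".join(parts[i:]) for i in range(len(parts) - 1)}


def sweep(log_text: str, iocs: Set[str] = COMPROMISED_DOMAINS) -> List[Dict[str, str]]:
    """Return one finding per request to an indicator domain. A request whose
    response was an executable is rated high: that is the payload stage."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these
        host = urlsplit(m["url"]).hostname or ""
        if not candidate_domains(host) & iocs:
            continue
        severity = "high" if m["ctype"] in EXECUTABLE_TYPES else "medium"
        findings.append({"client": m["client"], "host": host,
                         "url": m["url"], "severity": severity})
    return findings


def clients_to_isolate(findings: List[Dict[str, str]]) -> List[str]:
    """Clients that pulled an executable from an indicator domain: pull them
    off the network first, then go looking for the ransom notes."""
    return sorted({f["client"] for f in findings if f["severity"] == "high"})
```

Matching on parent domains matters because compromised sites often serve the payload from a subdomain; matching on content type rather than file extension matters because the executable in this kind of chain is routinely served under an image or document name. None of this replaces the offline backup, it just shortens the time between infection and isolation.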

Paul Scott
