- Details
- Category: Security News
A report on the implications of failing to notify manufacturers of security flaws in their medical devices and a conversation with internet co-founder Vint Cerf highlight the latest edition of the ISMG Security Report.
In the report, you'll hear:
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Aug. 26 and Aug. 30 reports, which respectively analyze how some organizations have been stockpiling bitcoins to pay off attackers if, or when, they are hit by ransomware, and an FBI warning to state election officials that their IT systems could be hacked. The next ISMG Security Report will be Friday, Sept. 6.
Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.
Anti-Malware, Encryption, Risk Management
Can't Stop the Ransomware: Bitcoin-Hungry Attackers Target Enterprises
Photo: BTC Keychain (Flickr/CC)
In their quest for easy ways to extort victims into giving them bitcoins, cybercriminals continue to double down on crypto-ransomware attacks.
For the criminally inclined, what's not to love?
"The [ransomware] driver is financial," Rik Ferguson, vice president of security research for Trend Micro, tells me. "It's something that is very easy for criminals to monetize, and it's something which is very easy for them to recruit in terms of networks, affiliates, distribution. And it's something which is morphing into another one of those crime-as-a-service offerings."
Online gangs can remotely encrypt and lock PCs, leaving them incapable of doing anything more than displaying a ransom note that tells victims how to obtain and transfer bitcoins to the attacker. Behind the scenes, some ransomware-as-a-service offerings automatically log incoming payments and generate decryption keys, enabling attackers to dispense with more mundane administrative tasks and maximize the time devoted to infecting more victims.
Such attacks are so lucrative that some crooks even run "customer service" centers to provide technical advice to their victims and occasionally allow them to negotiate lower ransom payments or deadline extensions, according to Finnish security firm F-Secure.
Call of the Cryptocurrency
Evidence of attackers' thirst for cashing in on ransomware continues to mount. Ferguson reports that whereas Trend Micro counted a total of 29 new ransomware families in 2015, in the first half of 2016 it had already seen 79 new ransomware families. New entrants have included horror-movie-themed Jigsaw, which dismembers files while victims watch; Powerware, which targets tax-return files; and DetoxCrypto, sporting a Pokémon Go theme.
[Chart: Number of new ransomware families seen per month, via @TrendMicro]
Shakedowns Evolve
Ransom demands vary widely, and they continue to evolve. Widely used Cerber ransomware, for example, used to demand 1.24 bitcoins ($715) from victims, according to research published by Trend Micro fraud researcher Joseph C. Chen. But Cerber version 3 - the latest version - offers a "discount" price of 1 bitcoin ($575) if users pay quickly. "But if the user waits more than five days the ransom doubles to 2 bitcoins," he says, which is currently worth $1,150.
[Image: Cerber version 3 ransom note offering a "discount" if victims pay quickly, via @TrendMicro]
Enterprises Under Fire
As attackers seek to generate more proceeds via ransomware, they're increasingly targeting enterprises, says Trend Micro's Ferguson, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.
"Now what we're seeing are ransomware attacks expanding into the enterprise environment - developing 'wormable' behavior, so they can actually expand through the network and infect multiple machines. So that's very much not consumer-focused, it's enterprise-focused," he says. Such ransomware may search out network shares, cloud drives or other mapped drives, so attackers can encrypt those too - especially because they may contain an organization's offsite backups.
"The attackers know that if they can infect, for example, ... medical data within a healthcare facility, then the pressure on the victim to pay the ransom is going to be exponentially larger than on an individual consumer, and the ransom that can be demanded and successfully extorted is potentially much, much higher," Ferguson says.
Healthcare Sector Targeted
In fact, the healthcare sector has been particularly hard hit by ransomware attacks this year. In the most high-profile incident in this sector, Hollywood Presbyterian Medical Center in Los Angeles paid a bitcoin ransom worth $17,000 to regain control of its ransomware-infected systems.
While giving in to extortion demands raises ethical concerns, for organizations with time-sensitive records, lives may literally hang in the balance, thus inducing them to pay (see Ransomware Extortion: A Question of Time).
After the Hollywood Presbyterian Medical Center attack, State Sen. Robert Hertzberg introduced legislation, S.B. 1137, that would amend California's laws to treat ransomware as extortion, allowing prosecutors to seek jail terms of up to four years. The state's legislature has approved the bill, which could soon be signed into law by Gov. Jerry Brown, Statescoop reports.
"Nearly every day, we read in the news about ransomware attacks stifling government agencies or private companies," Hertzberg says in a statement. "This is essentially an electronic stickup, and we need to treat it with the same seriousness and severity we would treat any stickup."
But the new law likely will have a negligible effect. That's because law enforcement agencies say the majority of cybercrime originates in Eastern Europe, including Russia, which doesn't extradite its citizens and hasn't prosecuted many domestic cybercrime-related cases (see Russian Cybercrime Rule No. 1: Don't Hack Russians).
3-2-1 Backup
Researchers have managed to crack the crypto used in some types of ransomware, allowing some victims to decrypt their files for free. But that's not a strategy anyone should rely on, because ransomware developers often quickly push updates to fix their mistakes.
Instead, security experts recommend that organizations strip out suspicious attachments at the email gateway level, warn employees to avoid known-bad sites that might distribute malware and keep reminding them to never open suspicious emails or documents.
But above all, "the most fundamental defense against ransomware is still backing up," Trend Micro's Chen says. Because many types of ransomware will encrypt backups, however, he recommends keeping them in multiple locations. "Practice the 3-2-1 rule," he says, "wherein three copies are stored in two different devices, and another one to a safe location."
Anti-Malware, Breach Notification, Data Breach
As Cybercriminals Seek Payment Card Data, Hutton Hotel is the Latest Victim
The string of cyberattacks striking point-of-sale systems at hotels continues unabated, as a Nashville, Tenn.-based hotel says POS malware compromised its customers' payment card details for more than three years.
The disclosure underscores the continuing problems facing merchants as they attempt to keep their payment card transactions secure. Cyberattackers are still finding low-hanging fruit and have stepped up their attacks to include the networks of POS vendors, which make the hardware and software used for processing card transactions (see 1,000 Businesses Hit By POS Malware).
The latest victim is Hutton Hotel, an upscale, 247-room facility in Nashville owned by Carey Watermark Investors. Hutton Hotel's payment processor notified it of a possible breach.
"Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system," according to its Sept. 2 breach notification.
POS malware targets processing points inside payment systems where card data may be unencrypted, such as the moment when a card gets swiped, but before it gets stored. Such attacks have proved successful despite many retailers implementing the Payment Card Industry Data Security Standard. Card issuers require all businesses that handle cardholder information to comply with PCI-DSS.
Unusually Long Breach
Hutton Hotel says the breach included the names, payment card numbers, expiration dates and the verification codes for people who paid for or placed reservations with the hotel from Sept. 19, 2012, through April 16, 2015. Also affected are people who used onsite food and beverage outlets from Sept. 19, 2012, through Jan. 15, 2015, and from Aug. 12, 2015, through June 10.
While many hotels have acknowledged payment card breaches, few have had exposure times as long as Hutton Hotel's. It suggests that despite a nearly never-ending stream of warnings about large-scale breaches, some hotels are still being caught off guard.
Hutton Hotel says it has put in place new security measures and is now using "stand-alone payment processing devices," although it didn't explain how that helps. Law enforcement has been notified, and the hotel is working with payment card companies to identify those affected.
"For those guests that we can identify as having used their payment card during the at-risk window and for whom we have a mailing or email address, we will be mailing a letter or sending an email to them," it said.
Hutton Hotel officials couldn't immediately be reached for comment.
Systemic POS Problem?
Hutton Hotel's breach shares a link with other recent breaches. It is managed by HEI Hotels & Resorts, which said on Aug. 15 that a POS malware strike compromised 20 hotels.
HEI also manages hotels belonging to Intercontinental Hotels Group. On Aug. 31, one chain owned by Intercontinental Hotels Group, Kimpton Hotels & Restaurants, warned of a breach. Kimpton, which has 62 properties in about 30 U.S. cities, said names and payment card data may have been leaked by POS malware over a nearly five-month period (see Kimpton Hotels Hit by Card Breach).
The raft of hotel breaches comes as POS vendors are also being directly attacked. Oracle warned in August that malware had been planted in a support portal that's used for servicing and maintaining MICROS POS systems. MICROS is one of the most widely used POS systems, with 330,000 customers in 180 countries (see MICROS Breach: What Happened?).
Smaller POS vendors have been hit as well, including Cin7, ECRS, NavyZebra, PAR Technology and Uniwell. Those attacks were discovered by Alex Holden, CISO for Hold Security, which tracks the underground trade in stolen data.
Those breaches follow a similar spate of POS malware infections at hotel chains in recent months that have affected Hilton, Hyatt, Omni Hotels & Resorts, Starwood Hotels and Resorts and Trump Hotels, among others.
Noble Breach Worse Than Suspected
On Aug. 24, meanwhile, Noble House Hotels and Resorts warned that one of its properties - Ocean Key Resort & Spa in Key West, Fla. - had been infected by POS malware from April 26 to June 8, and that anyone who used the hotel, including its restaurant and bars, may have had their payment card details stolen.
On Sept. 2, however, Noble released an updated breach notification warning that 10 of its hotels or independent restaurants suffered a POS malware breach that lasted from around April 25 up to August 5. The properties range from the Kona Kai Resort & Spa in San Diego and the Edgewater hotel in Seattle to the Blue Mermaid restaurant in San Francisco and the LaPlaya Beach & Golf Resort in Naples, Fla.
Anyone who used a payment card at the affected properties during the breach window may have had their name, card numbers, expiration dates and CVV numbers stolen.
Executive Editor Mathew Schwartz contributed to this story.
Breach Notification, Data Breach, Data Loss
Breach Alert: POS Vendor Lightspeed - Hacker Accessed Databases; Breach Severity Unclear
Photo: Lightspeed says its Retail software was recently used in Kanye West's Pablo Temporary Store pop-up shop in Amsterdam.
"The security and privacy of your systems are our priority."
If someone gave you $10 to guess what that boilerplate was attached to, you'd be hard-pressed not to guess that it was a data breach notification.
In this case, you'd be right, as it's the opening line of a breach notification recently sent to customers of Lightspeed POS, according to Australian data breach expert Troy Hunt.
Montreal-based Lightspeed POS, founded in 2005, sells a cloud-based point-of-sale system to retailers and restaurateurs that's used to process both physical and online transactions, and which competes with the likes of Shopify and Square. According to the notification, the breach affects the company's cloud-based POS product, Lightspeed Retail, which doesn't handle card data or customers' personal information, and which is mainly used by retailers.
Lightspeed couldn't be immediately reached for comment on the data breach notification, including how many customers it had alerted, how many might have been affected, as well as when the breach occurred and when it was detected. The company's website says it counts more than 38,000 customers across 100 countries, and processes 12 billion transactions annually.
Canada lacks a country-wide mandatory data breach notification law. Aside from some rules that apply only to healthcare data, "Alberta is currently the only province in Canada to have generally applicable mandatory data breach reporting requirements for all private sector organizations," according to law firm DLA Piper.
[Embedded tweet: "Uh oh, @LightspeedHQ hacked," with an image of the breach notification]
Breach Severity Unclear
The breach notification says that Lightspeed discovered that someone had accessed its Lightspeed Retail system without authorization and that it doesn't know how bad the breach might be, although it's hired unnamed "third-party security experts" to conduct a digital forensic investigation, as well as applied unspecified software patches.
Attackers accessed databases containing "sales, product and customer information as well as encrypted passwords and API keys," as well as "consumers' electronic signatures" for any customers using the company's "Customer Facing Display." Such displays - often, an iPad - are the equivalent of a second monitor that allows customers to see items that are being scanned and the total price of their purchase, in real time, and are required by law in some U.S. states, such as California and Nevada.
Lightspeed says its Retail product "has never stored any sensitive credit card information" and that its "integrated payment providers must use hardware that encrypts the payment information at the source of payment."
Lightspeed says that all passwords - which may have been accessed by attackers - "are stored using advanced encryption technology," though it declines to say what that is, and notes that such protections only apply to passwords that have been created or changed since January 2015. It recommends that all customers change their passwords, although it says that "there is no indication that any specific data, including any personal information, has been taken or used."
No Mention of Security Logs, Audit Processes
Such blandishments, however, are little more than doublespeak, equivalent to saying that "everything may have been stolen but we just haven't witnessed the fallout yet."
Indeed, organizations that have the right tools, audit and security logs, and skilled expertise in place should be able to provide a definitive breach damage assessment. But Lightspeed makes no reference to such tools or processes.
Don't discount the possibility that Lightspeed may not know the true severity of the breach until any information that was stolen begins to surface in unwelcome ways. This year, for example, stolen data circulating on underground sites revealed that Dropbox and LinkedIn, both of which reported intrusions in 2012, had suffered data loss that was orders of magnitude worse than they'd suspected (see Dropbox's Big, Bad, Belated Breach Notification).
Production Systems Accessed?
Lightspeed's breach notification also reveals which security controls were not in place prior to its breach. Post-breach, the company says it has "introduced and enforced strict new access policies, limiting personnel access to our production infrastructure and sensitive data." If attackers gained access to the company's production infrastructure, then they could have potentially altered the company's code to introduce malware into POS devices that's able to read cards when they're swiped, regardless of whether the system is then encrypting and sending the data elsewhere.
Lightspeed didn't immediately respond to a request for comment about that possibility, including whether a code-management system might have been accessed and tampered with.
On the upside, Lightspeed has also been moving toward using OAuth for authentication to its Retail product's API. An upgrade moving Retail's authentication protocol to OAuth was released on Aug. 2, and within a few months OAuth will be mandatory, it says.
POS Vendor Breaches Continue
Lightspeed's breach is concerning in part because it has come to light in the wake of the breach of Oracle MICROS, with Oracle warning that it "has detected and addressed malicious code in certain legacy MICROS systems."
MICROS is point-of-sale hardware and software used across 330,000 customer sites in 180 countries, and to date Oracle has remained mum about just how bad the breach might be.
Alex Holden, CISO at security and digital forensics firm Hold Security, says 10 smaller POS vendors in addition to MICROS - he would name only Cin7, ECRS, NavyZebra, PAR Technology and Uniwell - have been attacked in recent weeks (see Recent POS Attacks: Are They Linked?).
Holden couldn't be immediately reached for comment about whether Lightspeed was on his list of breached POS vendors.
Managing Editor Jeremy Kirk contributed to this story.
Breach Response, Data Breach, Data Loss
As One Hacker Was Purged, Another Pilfered 20.5 Million Files, Congressional Report Says
Photo: Reps. Jason Chaffetz (right) and Elijah Cummings (chaffetz.house.gov)
As the U.S. Office of Personnel Management purged a hacker, another intruder who secretly infiltrated the system stole 20.5 million records containing personal information of government workers and contractors, many with top security clearances, according to a new GOP Congressional report.
Republican members of the House Oversight and Government Reform Committee on Sept. 7 released the 241-page report about the 2014-2015 breach. It contends OPM leaders could have prevented the theft of personal information of tens of millions of individuals.
"The longstanding failure of OPM's leadership to implement basic cyber hygiene - such as maintaining current authorities to operate and employing strong multifactor authentication, despite years of warning from the inspector general - represents a failure of culture and leadership, not technology," states the report, written under the direction of Committee Chairman Jason Chaffetz, R-Utah.
Video: Jason Chaffetz discusses the OPM report with the Associated Press.
OPM's acting director disputes many aspects of the report and says it fails to acknowledge the many data security steps that the office has taken since the incident. Meanwhile, Democrats on the Congressional panel claim the GOP report reaches conclusions that are contrary to facts found during the committee's investigation.
'Hacker X2' in Stealth Mode
The new report says that OPM was monitoring an intruder, labeled Hacker X1, when on May 7, 2014, another hacker, Hacker X2, posed as an employee of OPM contractor KeyPoint, which conducted background investigations on prospective employees and contractors. Hacker X2, using the contractor's OPM credentials, logged into the OPM system, installed malware and created a backdoor to the network, according to the report.
Authorities believe Hackers X1 and X2 had ties to the Chinese government.
Intelligence agencies had asked OPM not to kick Hacker X1 off the network so they could monitor its movements and collect intelligence on the intruder, the report notes. But when the agency noticed Hacker X1 had gotten dangerously close to the security clearance background information, OPM - working with the Department of Homeland Security - developed a remediation plan called "the Big Bang." The government purged Hacker X1 from the system in May 2014. Still, Hacker X2 wasn't detected and remained in the OPM system post-Big Bang, according to the report. Two months later, Hacker X2 began to exfiltrate security clearance background investigation files. In December 2014, the hacker stole personnel records; a month later, the cyber-assailant exfiltrated fingerprint data.
Basic Controls and Cutting-Edge Tools
"Had OPM implemented basic, required security controls and more expeditiously deployed cutting-edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented or significantly mitigated the theft," the GOP report says.
The report identifies one of those controls as two-factor authentication, which, if implemented, might have prevented the breaches by both hackers.
One of the "cutting-edge" tools cited in the report is Cylance's Protect advanced threat protection product, which OPM deployed after purging Hacker X1. The tool "lit up like a Christmas tree" when implemented, according to the report.
"Could they have done better? Absolutely," Cylance founder and CEO Stuart McClure said in an interview with the Associated Press. "But once they had been definitively convinced there was a breach, they took it very seriously."
OPM's Leader Responds
In a blog post, OPM Acting Director Beth Cobert says she disagrees with many aspects of the report, but she did not address the specifics regarding the two hackers in her response. Cobert says the committee's report fails to fully reflect where the agency stands today with regard to IT security.
Cobert lists a number of steps OPM has taken since the breach to secure sensitive data. "The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization," she says. "Throughout this agency, management has embraced cybersecurity as a top priority."
Also critical of the Republican members' report were the committee's Democratic members, who issued a 21-page memorandum responding to the majority's account of the breach. The ranking member of the committee, Rep. Elijah Cummings, D-Md., says the Republican report reaches conclusions that are contrary to facts found during the committee's investigation. "The committee's year-long investigation into the data breaches showed that no one from the intelligence community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed," Cummings says.
Role of Contractors
Cummings criticizes the Republicans for not adequately addressing contractors' role in federal cybersecurity, saying one of the most significant deficiencies uncovered during the committee's investigation was the finding that cyber requirements for government contractors are inadequate.
Through a spokesman, Federal CIO Tony Scott declined to comment on the Republican report, referring questions to OPM. In a speech last week at the National Institute of Standards and Technology, the CIO said the way the federal government funds IT projects served as a major contributor to the OPM breach because Congress, for the most part, fails to provide adequate money to modernize agencies' IT (see US CIO: Federal Funding Process Played Key Role in OPM Hack). Newer systems, he says, are less prone to cyberattacks.
"What you have is a recipe for high costs, cost overruns, projects that can't be completed or are difficult to start and the whole litany of things that we all know historically have been true," Scott said. "And, indeed, in OPM we found exactly that."