Home Isolation – Day 10

Hello All. Just a quick post today. I don’t normally talk about my employer on my website, as I try to keep it as neutral as possible. However, given the days of COVID-19, I would like to take the opportunity to thank my employer for its contribution to helping others affected by the pandemic. Read the full story: https://www.accountingtoday.com/news/pwc-donates-2-85m-to-coronavirus-related-efforts

Bad Day for Citrix…

On March 8, Citrix confirmed in a posted statement that the company’s internal network had been breached by hackers using password spraying: trying a short list of passwords against a wide range of systems until credentials that worked were eventually identified. Apparently, the attackers made off with 6 TB to 10 TB of data from internal systems.
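As an added illustration (not code from Citrix, Resecurity or this blog), a small detector for the spraying pattern described above, run over constructed authentication log lines: it flags a source that fails against many distinct accounts inside a short window, deliberately not flagging a brute force that hammers a single account, and then lists the accounts that authenticated successfully from a flagged source, since those are the credentials the spray found. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real incident).
# Format per line: "<ISO timestamp> <src_ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2018-11-29T10:00:01 203.0.113.7 alice FAIL
2018-11-29T10:00:03 203.0.113.7 bob FAIL
2018-11-29T10:00:05 203.0.113.7 carol FAIL
2018-11-29T10:00:07 203.0.113.7 dave FAIL
2018-11-29T10:00:09 203.0.113.7 erin FAIL
2018-11-29T10:00:11 203.0.113.7 frank OK
2018-11-29T10:01:00 198.51.100.9 alice FAIL
2018-11-29T10:01:02 198.51.100.9 alice FAIL
2018-11-29T10:01:04 198.51.100.9 alice FAIL
2018-11-29T11:30:00 192.0.2.5 alice FAIL
"""

def parse(log_text):
    """Turn the log text into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct users} for every source whose failed
    logins touched at least `min_users` distinct accounts within `window`.
    Many accounts per source is the spray signature; many failures against
    one account (a brute force) does not reach the distinct-user threshold."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # sliding window from each failure
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def accounts_compromised(events, flagged):
    """For each flagged source, the accounts that logged in OK from it:
    reset these first, then look for what the session did."""
    hits = defaultdict(set)
    for _, ip, user, result in events:
        if result == "OK" and ip in flagged:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}
```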

It wasn’t a surprise to hear that Citrix initially found out about the breach on March 6 from law enforcement (specifically the FBI), which had evidence that Citrix had potentially been breached. I think the stats are still pretty high regarding organizations that are informed of a potential breach by law enforcement, specifically when it is gathering intelligence on some organized crime campaign or on another organization that had been breached, and comes across evidence such as source IPs indicating that another organization was also hacked.

As per the folks at Citrix, the attackers appear to have downloaded business documents, but the company said it is not sure which data was taken. “At this time, there is no indication that the security of any Citrix product or service was compromised,” said Stan Black, Citrix CSIO.

Interestingly enough, security firm Resecurity claims that the attack against Citrix began on October 15, 2018, used a list of nearly 32,000 user accounts, and is connected to Iranian interests. Resecurity claims that the Iranian-linked group known as IRIDIUM has hit more than 200 government agencies, oil and gas companies and technology companies, including Citrix.

Resecurity has provided a number of IOCs, including attacker source IPs and the proxies the attackers used.

To read the complete Resecurity blog post, which is quite good and full of great IOCs, please visit https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/


Latest Retailer to Get Hit…

Hello All. Looks like Macy’s is the latest retailer to get hit by cyber criminals. Macy’s mentioned last week that attackers had obtained the names and passwords of some customers and may even have gained access to their credit card numbers and expiration dates, though not the CVV2 codes, which it does not store. Macy’s claims that the breach was small in scale, affecting only approx. 0.5% of customers registered on macys.com or bloomingdales.com. The breach apparently occurred between April 26 and June 10. On June 11, Macy’s detected the suspicious activity and soon after blocked the profiles in question. Macy’s said it has contacted the affected customers and will provide consumer protection services free of charge.

Retail breaches have continued in a steady string since Target and Home Depot years ago: Adidas a few weeks ago, HBC (Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores), and in the last year Sears and Kmart, Whole Foods, and Under Armour. It doesn’t look like there is any end to the breaches, and organizations aren’t implementing strong enough controls to protect the valuable customer data they are custodians of.

DHS Subject to Insider Breach

As per the US DHS Office of Inspector General (OIG), in what it is referring to as a “privacy incident” identified in May 2017, DHS was hit with an insider breach that resulted in the leak of data on approximately 247,167 current and former DHS employees. The data also included an unspecified number of subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014. The data was found on the home computer of one of the three identified insiders.

The data included:

  • Names, Social Security numbers, dates of birth, positions, grades, and duty stations of the employees, and
  • Names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, and addresses of individuals associated with investigations, as well as any personal information they provided in interviews with DHS OIG investigative agents.

According to the OIG, “the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.”

The folks at DHS have noted that they did not send out the notices before December 2017 because “the investigation was complex given its close connection to an ongoing criminal investigation.” Essentially, it took them until November to finish the forensic analysis of the compromised data and assess the risk to affected individuals.

Uber hacked... and covered up. Say it isn’t so!

Hello All. So the news is making the rounds. Not only did Uber get breached in 2016 affecting 57 million users, but they covered it up by paying the hackers responsible $100,000 to keep quiet and destroy any evidence of the event.

Uber acknowledged on Tuesday that two individuals in October 2016 had accessed and downloaded data on 57 million Uber riders and drivers that was stored in a third-party infrastructure system. The company says none of its own systems were breached.

As part of the cyber-attack, the names and driver license numbers of around 600,000 drivers were accessed, according to Uber. 57 million Uber users also had their information exposed, including names, emails, and mobile phone numbers, the company said in a blog post. Uber said other personal information, including trip details or credit card information, was not accessed.

According to news sources, Travis Kalanick, the CEO at the time, first learned of the incident in November 2016, when Uber was working on a settlement with the Federal Trade Commission for various privacy violations. The company chose to pay the hackers the ransom to delete any evidence and keep the event a secret.

Uber’s current CEO Dara Khosrowshahi has asked for the resignation of Uber’s Chief Security Officer, Joe Sullivan, and a lawyer who reported to him.

I can only imagine that Lyft business is going to be doing better in the months to come.