Please fill in the form below to subscribe to our blog

The Week in Breach: 5/21/18 – 5/27/18

May 30, 2018

Breach news to share with your customers!

Highlights from The Week in Breach:
– You’d better reboot your router… NOW!
– Nation states injecting malicious apps into play stores to steal your stuff.
– Malware infects healthcare system impacting 500,000 Marylanders.
– Time from detection to acknowledgment and response getting slower and slower and slower. 

It’s back to business as usual in the world of breach, and we are seeing no signs of it slowing down this summer. This week’s headlines have been dominated by targeted attacks of SOHO Routers. “SOHO” was coined to describe “small office – home office” routers used to set up local area networks by small businesses. According to DHS, “The size and scope of this infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilte malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices.” The initial exploit vector for this malware is currently unknown. Here is the link to US-CERT’s alert TA18-145A detailing the threat and what you should do the protect yourself from exploit!   


What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


TeenSafe (Update)

Small Business Risk: High: App server hosted on AWS accessible by anyone without a password.
Exploit: AWS/Suspected Misconfiguration
Risk to Exploited Individuals: High: Even though less than 10,000 individuals were impacted, this is a highly vulnerable segment of the population. 

TeenSafe: The TeenSafe app allows parents access to their children’s web browser history, text messages (including deleted SMS and iMessages and messages on WhatsApp and Kik), call logs, and device location, plus lets them observe which third-party apps have been installed.

Date Occurred
Discovered
Unknown, but accounts from past three months were compromised.
Date Disclosed May 21, 2018
Data Compromised Highly personal data including Apple IDs. The compromised data did not include photos, messages, or location data. The server stores parents’ email address used for their TeenSafe account and their child’s email address, the child’s device name, and the device’s identifier.
How it was Compromised At least one of the app’s servers, which are hosted by Amazon’s cloud service, was accessible by anyone without a password. The data, including passwords and user IDs, were reportedly stored in plaintext, even though TeenSafe claims on its website that it uses encryption to protect user data. TeenSafe requires two-factor authentication to be switched off for the app to work, so anyone with just a password can easily gain access to compromised accounts. The app is available for both iOS and Android and doesn’t require parents to seek their child’s consent for access to their phone.
Customers Impacted
Around 10,200 accounts from the past three months were compromised, though that number also includes duplicates.
Attribution/Vulnerability Undisclosed at this time.

https://www.theverge.com/2018/5/21/17375428/teensafe-app-breach-security-data-apple-id

https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/

Google Play

Small Business Risk: Low: Targeted nation state exploit. 
Exploit: Mobile Device Malware Exploit 
Risk to Exploited Individuals: High: 
Nation-state exploit targeting defectors.

North Korean Defectors / Google Play malware

Date Occurred
Discovered
The apps had been live in the Google Play store for three months — from January to March.
Date Disclosed May 2018
Data Compromised
Google Play store has allegedly hosted at least three apps designed to collect data from specific individualsTwo of these apps were posing as security apps, while the third claimed to provide food ingredient information. But what they really did was steal information from devices and receive a certain code that allowed them to further access data like photos, contact lists, and even text messages.
How it was Compromised
A North Korean hacking team was recently able to upload three Android apps to the Google Play Store that targeted people who escaped from the authoritarian country, according to a report from McAfee. The malware campaign, nicknamed RedDawn, involved the hackers contacting the targets through Facebook to invite them to install seemingly innocent apps from the Google Play Store. 
Customers Impacted
By the time McAfee privately notified Google as to the existence of these apps, 100 folks had already downloaded them.
Attribution/Vulnerability Back in January, McAfee noted that it had found malicious apps intended to infect North Korean journalists and defectors’ devices. The group behind these apps was subsequently named Sun Team and is apparently the same group behind these latest apps. The apps were all linked to the same developer email address. McAfee found that the words used in the control servers were common in North Korea. There was also a North Korean IP address discovered in a test log file of some Android devices connected to account used to send out the malware. 

https://www.digitaltrends.com/mobile/mcafee-malware-google-play/

http://www.techtimes.com/articles/228100/20180520/north-korea-hackers-use-android-apps-with-malware-to-harass-defectors.htm

LifeBridge Health 
Small Business Risk: 
Extreme: Malware designed to inject healthcare systems and extract PHI/PII.
Exploit: Server/Security Exploit with Malware Injection
Risk to Exploited IndividualsExtreme: Although data has not been validated for sale on the Dark Web, the extracted data included “lifelong” PII & PHI that can be used to profile and/or exploit an individual for decades.

Lifebridge Health 

Date Occurred
Discovered
The breach occurred more than a year ago; discovered May 18.
Date Disclosed May 2018
Data Compromised
The breach could have affected patients’ registration information, billing information, electronic medical records, social security numbers and other data.
How it was Compromised An unauthorized person accessed the server through LifeBridge Potomac Professionals on Sept. 27, 2016. Malware infected the servers that host LifeBridge Potomac Professionals’ electronic medical records, and LifeBridge Health’s patient registration and billing systems.
Attribution/Vulnerability Outside actors 
Customers Impacted More than 500,000 Maryland patients.

https://healthitsecurity.com/news/data-on-500k-patients-exposed-in-lifebridge-healthcare-data-breach

T-Mobile
Small Business Risk: High: Website configuration error revealing customer data for anyone to exploit.
Exploit: Website, Database & Security Misconfiguration
Risk to Exploited Individuals: Moderate: A threat actor would really have to develop a targeted threat plan to fully exploit the exposed population.

T-Mobile

Date Occurred
Discovered
Research done by ZDNet indicates that this T-Mobile.com web data breach was likely active as far back as October of last year. 
Date Disclosed April 2018
Data Compromised Allowed people to access the following info easily by attaching a cell phone number to the end of the web address:

  • Customers’ full names
  • Their mailing addresses
  • Account PINs used as a security question for customer service phone support
  • Billing account numbers
  • Past due bill notices
  • Service suspension notices
  • Tax identification numbers (in some instances)
How it was Compromised
A website bug on T-Mobile.com allowed anyone with access to a web browser to run a phone number and determine the home address and account PIN of the customer to whom it belonged.
Attribution/Vulnerability Outside actors / undisclosed at this time.

https://www.statesman.com/business/personal-finance/mobile-website-data-breach-exposed-customer-addresses-pins/Ht3PZSdXMJkEKlDnggh3EL/            

 

Stay tuned for next week’s edition of The Week in Breach. And Partners, please remember to share this much-needed information with your customers! Email us at [email protected] and let us know how you’re spreading this week’s breach news!


Not a Partner? Find out how Dark Web ID™ can help you protect your customers’ credentials, upsell your services and close new deals. Learn about ID Agent’s Partner Program now!

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section][et_pb_section admin_label=”section”][et_pb_row admin_label=”row”][et_pb_column type=”4_4″][et_pb_text admin_label=”Text”]

Breach news to share with your customers!

 

Highlights from The Week in Breach:
– You’d better reboot your router… NOW!
– Nation states injecting malicious apps into play stores to steal your stuff.
– Malware infects healthcare system impacting 500,000 Marylanders.
– Time from detection to acknowledgment and response getting slower and slower and slower. 

It’s back to business as usual in the world of breach, and we are seeing no signs of it slowing down this summer. This week’s headlines have been dominated by targeted attacks of SOHO Routers. “SOHO” was coined to describe “small office – home office” routers used to set up local area networks by small businesses. According to DHS, “The size and scope of this infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilte malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices.” The initial exploit vector for this malware is currently unknown. Here is the link to US-CERT’s alert TA18-145A detailing the threat and what you should do the protect yourself from exploit!   


What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


TeenSafe (Update)

Small Business Risk: High: App server hosted on AWS accessible by anyone without a password.
Exploit: AWS/Suspected Misconfiguration
Risk to Exploited Individuals: High: Even though less than 10,000 individuals were impacted, this is a highly vulnerable segment of the population. 

TeenSafe: The TeenSafe app allows parents access to their children’s web browser history, text messages (including deleted SMS and iMessages and messages on WhatsApp and Kik), call logs, and device location, plus lets them observe which third-party apps have been installed.

Date Occurred
Discovered
Unknown, but accounts from past three months were compromised.
Date Disclosed May 21, 2018
Data Compromised Highly personal data including Apple IDs. The compromised data did not include photos, messages, or location data. The server stores parents’ email address used for their TeenSafe account and their child’s email address, the child’s device name, and the device’s identifier.
How it was Compromised At least one of the app’s servers, which are hosted by Amazon’s cloud service, was accessible by anyone without a password. The data, including passwords and user IDs, were reportedly stored in plaintext, even though TeenSafe claims on its website that it uses encryption to protect user data. TeenSafe requires two-factor authentication to be switched off for the app to work, so anyone with just a password can easily gain access to compromised accounts. The app is available for both iOS and Android and doesn’t require parents to seek their child’s consent for access to their phone.
Customers Impacted
Around 10,200 accounts from the past three months were compromised, though that number also includes duplicates.
Attribution/Vulnerability Undisclosed at this time.

https://www.theverge.com/2018/5/21/17375428/teensafe-app-breach-security-data-apple-id

https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/

Google Play

Small Business Risk: Low: Targeted nation state exploit. 
Exploit: Mobile Device Malware Exploit 
Risk to Exploited Individuals: High: 
Nation-state exploit targeting defectors.

North Korean Defectors / Google Play malware

Date Occurred
Discovered
The apps had been live in the Google Play store for three months — from January to March.
Date Disclosed May 2018
Data Compromised
Google Play store has allegedly hosted at least three apps designed to collect data from specific individualsTwo of these apps were posing as security apps, while the third claimed to provide food ingredient information. But what they really did was steal information from devices and receive a certain code that allowed them to further access data like photos, contact lists, and even text messages.
How it was Compromised
A North Korean hacking team was recently able to upload three Android apps to the Google Play Store that targeted people who escaped from the authoritarian country, according to a report from McAfee. The malware campaign, nicknamed RedDawn, involved the hackers contacting the targets through Facebook to invite them to install seemingly innocent apps from the Google Play Store. 
Customers Impacted
By the time McAfee privately notified Google as to the existence of these apps, 100 folks had already downloaded them.
Attribution/Vulnerability Back in January, McAfee noted that it had found malicious apps intended to infect North Korean journalists and defectors’ devices. The group behind these apps was subsequently named Sun Team and is apparently the same group behind these latest apps. The apps were all linked to the same developer email address. McAfee found that the words used in the control servers were common in North Korea. There was also a North Korean IP address discovered in a test log file of some Android devices connected to account used to send out the malware. 

https://www.digitaltrends.com/mobile/mcafee-malware-google-play/

http://www.techtimes.com/articles/228100/20180520/north-korea-hackers-use-android-apps-with-malware-to-harass-defectors.htm

LifeBridge Health 
Small Business Risk: 
Extreme: Malware designed to inject healthcare systems and extract PHI/PII.
Exploit: Server/Security Exploit with Malware Injection
Risk to Exploited IndividualsExtreme: Although data has not been validated for sale on the Dark Web, the extracted data included “lifelong” PII & PHI that can be used to profile and/or exploit an individual for decades.

Lifebridge Health 

Date Occurred
Discovered
The breach occurred more than a year ago; discovered May 18.
Date Disclosed May 2018
Data Compromised
The breach could have affected patients’ registration information, billing information, electronic medical records, social security numbers and other data.
How it was Compromised An unauthorized person accessed the server through LifeBridge Potomac Professionals on Sept. 27, 2016. Malware infected the servers that host LifeBridge Potomac Professionals’ electronic medical records, and LifeBridge Health’s patient registration and billing systems.
Attribution/Vulnerability Outside actors 
Customers Impacted More than 500,000 Maryland patients.

https://healthitsecurity.com/news/data-on-500k-patients-exposed-in-lifebridge-healthcare-data-breach

T-Mobile
Small Business Risk: High: Website configuration error revealing customer data for anyone to exploit.
Exploit: Website, Database & Security Misconfiguration
Risk to Exploited Individuals: Moderate: A threat actor would really have to develop a targeted threat plan to fully exploit the exposed population.

T-Mobile

Date Occurred
Discovered
Research done by ZDNet indicates that this T-Mobile.com web data breach was likely active as far back as October of last year. 
Date Disclosed April 2018
Data Compromised Allowed people to access the following info easily by attaching a cell phone number to the end of the web address:

  • Customers’ full names
  • Their mailing addresses
  • Account PINs used as a security question for customer service phone support
  • Billing account numbers
  • Past due bill notices
  • Service suspension notices
  • Tax identification numbers (in some instances)
How it was Compromised
A website bug on T-Mobile.com allowed anyone with access to a web browser to run a phone number and determine the home address and account PIN of the customer to whom it belonged.
Attribution/Vulnerability Outside actors / undisclosed at this time.

https://www.statesman.com/business/personal-finance/mobile-website-data-breach-exposed-customer-addresses-pins/Ht3PZSdXMJkEKlDnggh3EL/            

 

Stay tuned for next week’s edition of The Week in Breach. And Partners, please remember to share this much-needed information with your customers! Email us at [email protected] and let us know how you’re spreading this week’s breach news!


Not a Partner? Find out how Dark Web ID™ can help you protect your customers’ credentials, upsell your services and close new deals. Learn about ID Agent’s Partner Program now!

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]