The Week in Breach: 5/28/18 – 5/03/18
Breach news to share with your customers!
Highlights from The Week in Breach:
– Finance sector attacks ramping up
– BackSwap JavaScript injections effectively circumventing detection
– Honda has leaky buckets too
This week in breach has all been about money, money, money. The finance sector is getting pelted with attacks recently – even more than usual – and Mexico, Canada, and Poland have been hit the worst.
In other news…
North Korea is still up to their old tricks, targeting South Korean websites with advanced zero-day attacks.
https://www.bleepingcomputer.com/news/security/activex-zero-day-discovered-in-recent-north-korean-hacks/
School is letting out which means grade changing breaches are in season! Two students at Bloomfield Hills High School attempted to fudge their report card and refund lunches for themselves and 20 other students.
https://www.forbes.com/sites/leemathews/2018/05/22/school-hackers-changed-grades-and-tried-to-get-a-free-lunch/#478b6d026e7d
The government of Idaho was hacked 2 times in 3 days which is not a very good look.
https://idahobusinessreview.com/2018/05/22/state-government-hacked-twice-in-three-days/
Coca-Cola had a breach that compromised 8,000 employees’ personal data, but they are also providing identity monitoring for a year at no cost. Ahh… refreshing, isn’t it?
https://www.infosecurity-magazine.com/news/no-smiles-for-cocacola-after-data/
What we’re STILL listening to this week!
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!
Simplii Financial (CIBC) & Bank of Montreal
Exploit: Spear Phishing
Type of Exploit Risk to Small Business: High: Personal and account information from a large number of customers were compromised, opening up the possibility of identity theft for business owners or employees.
Risk to Exploited Individuals: High: A large number of both personal and account information was breached from both banks including social insurance numbers and account balances.
Simplii Financial: Owned by CIBC, Simplii Financial is a Canadian banking institution offering a wide array of services for their customers such as mortgages and investing.
BMO (Bank of Montreal): BMO is also a Canadian banking institution that offers investing, financial planning, personal accounts, and mortgages.
| Date Occurred/ Discovered |
|
|
| Date Disclosed | May 28, 2018 | |
| Data Compromised | Personal and account information of the two bank’s customers. The hackers provided a sample of the breached data, containing the names, dates of birth, social insurance number and account balances of two customers. | |
| How it was Compromised | It is believed that both bank data breaches have been carried out by the same group of fraudsters, due to the time frame and ‘blackmail’ strategy of the group rather than the selling of the data. It is suspected that a spear phishing attack was used, focusing on individual employees with targeted phishing attempts rather than a ‘dragnet’ approach typically seen in phishing attacks. | |
| Customers Impacted |
|
|
| Attribution/Vulnerability | Undisclosed at this time. |
http://www.cbc.ca/news/business/simplii-data-hack-1.4680575
Honda Car India
Exploit: Misconfigured/ Insecure Amazon S3 buckets
Type of Exploit Risk to Small Business: High
Risk to Exploited Individuals: Moderate: Presumably low-risk PII and vehicle information exposed.
Honda Car India: Honda is an international cooperation from Japan that specializes in cars, planes, motorcycles and power equipment.
| Date Occurred/ Discovered |
The details were left exposed for at least three months, a security researcher who was scanning the web for unsecured servers left a message of warning timestamped February 28. | |
| Date Disclosed | May 30th, 2018 | |
| Data Compromised |
|
|
| How it was Compromised |
|
|
| Customers Impacted |
|
|
| Attribution/Vulnerability | Negligence. Once the researcher noticed that Honda had still not secured their buckets, he reached out to them but it still took the company 2 weeks to respond. |
SPEI
Exploit: Man in the Middle Attack
Type of Exploit Risk to Small Business: Severe: Security certificate exploit, website login spoofing, traffic re-direct. Significant financial loss. Threat intelligence/ data share fail.
Risk to Exploited Individuals: Low: Financial Institutions will absorb the loss.
SPEI: Mexican domestic payment system.
| Date Occurred/ Discovered |
A breach was first detected on April 17th, with 5 more financial institutions being breached on April 24th, 26th, and May 8th. | |
| Date Disclosed | May 2018 | |
| Data Compromised |
|
|
| How it was Compromised | The central bank of Mexico experienced a man in the middle attack in April that it was able to stop, but failed to warn other financial institutions in the country about the severity of the incident. This led to 5 other financial institutions being compromised except the attacks were successful. It is unclear exactly how the hackers were able to enter the network, but the situation is constantly developing. | |
| Attribution/Vulnerability | Outside actors/ not disclosing breach possibly facilitated more breaches. | |
| Customers Impacted | Multiple financial institutions in Mexico |
Polish Banks
Exploit: JavaScript malware injection named BackSwap
Type of Exploit Risk to Small Business: High: Sophisticated JavaScript injection designed to bypass advanced security/ injection detection.
Risk to Exploited Individuals: High: those who used the polish banks targeted by the new malware will take a financial loss, 2FA does not combat this.
Polish Banks: 5 Polish banks are being targeted
| Date Occurred/ Discovered |
The banking malware was first introduced in March 2018, the malware has been increasingly active since then. | |
| Date Disclosed | May 2018 | |
| Data Compromised | Banking account information and funds | |
| How it was Compromised |
|
|
| Attribution/Vulnerability | Outside actors, deployed through spam email campaign |
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
The last couple of months have seen an increase in the number of attacks on financial institutions around the world. Both the Bank Negara Malaysia and Bancomext were targeted in SWIFT-related attacks while two Canadian banks’ data was held at ransom in a massive breach. The largest three banks in the Netherlands were hit by DDoS attacks, the Swiss Financial Market Supervisory Authority stated that cyber-attacks were the greatest threat to their banks, while at the same time British banks spending on fighting financial crime sits at 5 billion pounds.
While no sector is immune from cyber-attack, the nature of the financial industry makes an attractive target. The sector is made up of institutions that store large quantities of sensitive data that can be sold on the Dark Web, as well as institutions that have access to large sums of capital.
Additional Sources:
https://www.hstoday.us/uncategorized/cyber-attacks-on-banking-infrastructure-increase
There’s more to come next week! MSP Partners, please feel free to share this information. Contact us and let us know how you’re getting breach news out to your customers!
Are you looking to see how Dark Web ID™ can help you protect your customers’ credentials? Learn about ID Agent’s Partner Program now!