The target: Gunnebo, a Swedish-based security firm.
The take: 38,000 sensitive company documents including: schematics of client bank vaults and surveillance systems, blueprints for monitoring and alarm equipment, and the security functions of automated teller machines.
The attack vector: Compromised credentials for an employee's Remote Desktop Protocol (RDP) account whose password was 'password01'. This particular account's role in the attack has not been confirmed, but security researchers highlight the extremely poor password hygiene it represents and infer that the practice was likely widespread within the firm.
The breach highlights the critical importance of robust password policies. Minimum length, screening every new or changed password against lists of known-breached passwords, and multi-factor authentication on every remote-access account are what actually prevent credential compromise; mandatory periodic rotation, long a standard requirement, is now discouraged by NIST SP 800-63B because it pushes users toward predictable variants of the password they already had. RDP in particular should never be reachable from the internet on a password alone.
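As an added example (not part of the original article, and not anything Gunnebo ran), the following Python shows the checks a password policy of this kind should perform: minimum length, rejection of the word-plus-digits pattern, rejection of organisation-specific words, and screening against known-breached passwords through a k-anonymity range lookup of the kind Pwned Passwords offers. The breach corpus, its counts and the company name 'Acme' are constructed so the script runs offline; the 12-character minimum is an assumed policy value.

```python
import hashlib
import re

MIN_LENGTH = 12  # assumed policy value; NIST SP 800-63B sets 8 as the floor

# Constructed breach corpus standing in for a k-anonymity range service such
# as Pwned Passwords.  The counts are made up; a real deployment would fetch
# the range from the service over HTTPS.
_CONSTRUCTED_BREACHED = {
    "password01": 1000000,
    "Password1": 500000,
    "letmein": 100000,
    "Welcome2020": 250,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Server side of a k-anonymity range query (simulated).

    The client sends only the first 5 hex characters of the SHA-1; the
    server answers with every breached hash in that range as SUFFIX:COUNT
    lines, so it never learns which full hash the client is checking.
    """
    rows = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            rows.append("%s:%d" % (digest[5:], count))
    return rows


def breach_count(password):
    """Client side: query by prefix, match the remaining 35 characters locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for row in range_lookup(prefix):
        row_suffix, count = row.split(":")
        if row_suffix == suffix:
            return int(count)
    return 0


# "word" + up to four digits + optional single symbol: the pattern people reach
# for when a policy demands digits or symbols, and the first thing a cracker tries.
_WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+[0-9]{1,4}[!@#$%^&*]?$")


def check_password(password, context_words=()):
    """Return the list of policy failures; an empty list means the password is acceptable.

    context_words are organisation-specific terms (company name, product
    names) that should never appear in a password.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if _WORD_PLUS_DIGITS.match(password):
        failures.append("dictionary word followed by digits (predictable pattern)")
    lowered = password.lower()
    for word in context_words:
        if word.lower() in lowered:
            failures.append("contains organisation-specific word %r" % word)
    count = breach_count(password)
    if count:
        failures.append("appears %d times in known breaches" % count)
    return failures


if __name__ == "__main__":
    for candidate in ("password01", "Acme-Welcome-2020", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, context_words=("Acme",)) or "ok")
```

The point of the range lookup is that the client never sends the password, or even its full hash, to the checking service; only a 5-character prefix leaves the machine, and the comparison against the returned suffixes happens locally. 'password01' fails all three checks; a long passphrase that is not in the corpus passes.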
CBS News: Federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. healthcare system designed to lock up hospital information systems, which could hurt patient care just as nationwide cases of COVID-19 are spiking.
Dark Reading: Humans are good at some things, like eating too many potato chips or getting annoying songs stuck in their heads. They're not so good at choosing edible wild mushrooms by appearance, for example, nor are they good at choosing strong, safe passwords. Unfortunately, that last item has some serious repercussions in the cybersecurity world.
IT-Online: According to the World Economic Forum, cybercrime damages are projected to reach $6-trillion in 2021, which would equal the GDP of the world’s third largest economy. Spending by enterprises on cybersecurity is continuing to grow, defying the pandemic-driven economic downturn impacting global IT spending.
GlobeNewswire: Mimecast Limited (NASDAQ: MIME), a leading email security and cyber resilience company, today released new research which highlights the risky behavior of employees using company-issued devices. More than 1,000 respondents in countries throughout the globe were asked about their use of work devices for personal activities and how aware they are of today’s cyber risks. The results highlighted the need for better awareness training, as people are clicking on links or opening suspicious emails despite having been trained.
The Guardian: Isentia, which boasts it has “most government departments and large corporations” as clients in Australia, told the Australian Stock Exchange on Tuesday it is “urgently investigating a cybersecurity incident” that was “disrupting services” involving its media portal – a service customers use to see media reporting on them, or issues of interest to them, and find journalists.
MSSP Alert: Private equity firm Francisco Partners is acquiring cybersecurity company Forcepoint from defense contractor Raytheon Technologies. Financial terms of the deal were not disclosed. This is M&A deal 436 that MSSP Alert and sister site ChannelE2E have covered so far in 2020. See the full M&A deal list here.
Forbes: Data has often been called the most valuable commodity of the digital world or the most valuable resource (paywall) in the world. In modern economics, it has perhaps surpassed the traditional worth of gold. Some have even gone on to suggest that it is as real an asset as land is, and perhaps even a more profitable factor for production in terms of revenue potential.
The target: MAXEX, an Atlanta-based residential mortgage trading company.
The take: 9 GB of internal company and client data including: confidential banking information, login credentials, emails, penetration test reports, and full mortgage documentation for 23 individuals.
The attack vector: An unsecured, publicly exposed Jenkins server. Jenkins is a build and deployment (CI/CD) server, so it sits at the centre of the software pipeline and routinely holds credentials for source repositories, cloud accounts and production systems. In this breach MAXEX had stored login credentials on it in plain text, with enough permissions to compromise many of its other systems.
This breach highlights the importance of securing the systems that hold data, and above all of credential management. A Jenkins instance should never be reachable without authentication, secrets belong in its credentials store rather than in job configurations or build scripts, and each credential should carry only the permissions its job needs; otherwise a compromise of one system becomes a pivot into many others, with a cascading impact on company and client data.
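An added example, not MAXEX's configuration or Jenkins' own tooling: a small Python audit that reads a Jenkins config.xml to flag an instance running with security switched off, and walks a job's config.xml for credentials embedded in plain text. The XML files are constructed for the example (the element and class names are the ones Jenkins writes; the values are made up) and the AWS key pair is AWS's documentation placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed $JENKINS_HOME/config.xml with security switched off entirely.
CONSTRUCTED_OPEN_CONFIG = """\
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""

# Constructed config.xml requiring login and per-project authorization.
CONSTRUCTED_HARDENED_CONFIG = """\
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>
"""

# Constructed jobs/<name>/config.xml whose shell step embeds secrets inline
# instead of binding them from the Jenkins credentials store.  The AWS key
# pair is the placeholder pair from AWS's own documentation.
CONSTRUCTED_JOB_CONFIG = """\
<project>
  <builders>
    <hudson.tasks.Shell>
      <command>export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export DB_URL="jdbc:postgresql://db:5432/app?user=app&amp;password=hunter2"
aws s3 sync build/ s3://deploy-bucket/</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("AWS secret access key", re.compile(r"(?i)AWS_SECRET_ACCESS_KEY\s*=\s*\S{20,}")),
    ("password in URL or assignment", re.compile(r"(?i)\bpassword\s*=\s*[^\s&\"'<]+")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def audit_global_config(xml_text):
    """Flag settings in config.xml that leave the instance open to anyone who can reach it."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("useSecurity") or "").strip().lower() == "false":
        findings.append("useSecurity=false: every visitor is an administrator")
    strategy = root.find("authorizationStrategy")
    if strategy is not None and strategy.get("class", "").endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy Unsecured: no permission checks at all")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("SecurityRealm$None"):
        findings.append("securityRealm None: no login required")
    return findings


def redact(secret):
    """Keep enough of a match to locate it, never enough to reuse it."""
    return secret[:6] + "..." if len(secret) > 6 else "..."


def find_plaintext_secrets(xml_text):
    """Walk every element's text and attributes; return (tag, kind, redacted match) hits."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        for text in [elem.text or ""] + list(elem.attrib.values()):
            for kind, pattern in SECRET_PATTERNS:
                for match in pattern.finditer(text):
                    hits.append((elem.tag, kind, redact(match.group(0))))
    return hits


if __name__ == "__main__":
    print("open instance:    ", audit_global_config(CONSTRUCTED_OPEN_CONFIG))
    print("hardened instance:", audit_global_config(CONSTRUCTED_HARDENED_CONFIG))
    for hit in find_plaintext_secrets(CONSTRUCTED_JOB_CONFIG):
        print("job secret:", hit)
```

Run against a real JENKINS_HOME the scan should cover every jobs/*/config.xml and any pipeline scripts checked into source control; the patterns are deliberately narrow, so extend them for whatever credential formats the pipeline actually uses.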
TechRepublic: The world's biggest social media companies may have to put more of a priority on security now that a New York state financial watchdog is calling for the creation of a designated regulator tasked with monitoring their cyber defense.
Reuters: The stock opened at $18.60 per share, compared with its IPO price of $20 per share. At the debut price, the company was valued around $8 billion. McAfee priced its IPO towards the lower end of its targeted range between $19 and $22 per share.
KnowBe4: Mid-level managers need to be particularly wary of targeted phishing attacks, according to Jenn Gast at INKY. Gast explains that criminals can easily conduct open-source research on a company’s organizational structure and craft spear phishing messages to trick its employees.
Yahoo Finance: Sixty-four per cent of organizations failed to report cyber breaches this year, over fears of reputational damage at a time when more customers are seeking service online, a cybersecurity expert explains.
Security Magazine: Financial services institutions and banks around the globe face monumental challenges as they look to streamline service delivery for customer transactions, manage multi-party loan processes, collaborate on industry benchmarks and indices, and eliminate fraud and cybercrime.
Cision: Sepio Systems, the leader in Hardware Access Control (HAC), today announced the availability of a new research note conducted with TAG Cyber, LLC, the leader in democratizing world-class cyber security research and advisory services, and co-authored by Sepio Systems, that claims rogue devices are posing severe threats to the financial services industry.
The target: Broadvoice, a Voice-over-IP service provider.
The take: 350 million total customer records of personally identifiable information including: full names, date of birth, phone number, and voice-mail transcripts with highly sensitive details such as medical records, loan applications, and mortgage information.
The attack vector: A misconfigured Elasticsearch cluster holding ten separate data sets. No authentication or other access control was in place (before version 8.0 a default Elasticsearch install had authentication switched off unless an operator enabled it), so anyone with an internet connection had full access to the data. Servers of this kind listen on a well-known port (9200 by default) and are easily discovered with internet-wide scanning tools available to administrators and malicious attackers alike.
The type of data exposed in this breach poses enormous risk to Broadvoice's customers: the intricate details leaked, such as the contents of voice calls and prescription records, would give phishing and fraud attempts a high chance of success. The breach demonstrates the extreme importance of securing access to a firm's data. Proper authentication, network restriction, monitoring, and credential management are the critical controls that prevent such exposures.
Cision: The research covered 50 medium-sized personal data breach cases with a damage scale of more than 1,000 cases and less than 1 million cases caused by unauthorized access and categorized the personal data breach cases into eight industries: manufacturers, retail, services and infrastructure, software and telecommunications, trading companies, financial services, advertising/publishing/media, and government/public offices/organizations, based on the information of the companies that announced the breach.
Yahoo Finance: European and American officials said Thursday that they have arrested 20 people in several countries for allegedly belonging to an international ring that laundered millions of euros stolen by cybercriminals through malware schemes.
The Sydney Morning Herald: Politicians and their staff face stricter rules around use of personal phones on parliamentary networks as it emerged a state actor was the likely culprit behind a second major cyber attack in 2019.
CNBC: For just a few dollars, criminals are selling credentials for customers of E*Trade, Charles Schwab, TD Ameritrade, Robinhood and others, according to New York-based security firm Intsights. The demand has only increased during the pandemic, according to the firm’s chief security officer Etay Maor.
Private Equity Wire: This is the seventh year of consecutive double digit growth for the Edinburgh and London-based business, and follows a 24 per cent rise to GBP32 million in 2018. It is the first year-end since mid-market private equity house Livingbridge supported an MBO in May 2019, and represents significant progress following the initial investment.
O Canada: The company, which was carved out of Intel Corp four years ago, will sell nearly 31 million shares, while the selling stockholders will offer about 6 million shares in the IPO, according to a regulatory filing https://www.sec.gov/Archives/edgar/data/1783317/000119312520268184/d89887ds1a.htm.
DARKReading: Technology and security companies teamed up with the financial services and telecommunications industries to disrupt the command-and-control (C2) infrastructure used to manage the well-known Trickbot ransomware to infect more than a million computing devices, the firms behind the takedown.
The target: Snewpit, an Australian-based news sharing platform.
The take: 80,000 user records of personally identifiable information including: usernames, full names, email addresses, profile pictures, and log data detailing the amount of time users spent on the app and other behaviour metrics.
The attack vector: The information was exposed on an improperly secured, publicly accessible Amazon Web Services storage bucket. Bad actors locate open buckets of this kind very easily, and with no access control on the data the records were readable by anyone with an internet connection.
The combination of data exposed in this incident could lead to very targeted and successful scams. Personally identifiable information lets fraudsters build a complete profile of their victims, and in this case the log data describing what users did in Snewpit's app lends their scams credibility, greatly increasing the chance of success. Data and credential management, including a check that no bucket grants access to everyone, are critical to keeping sensitive information stored safely.
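An added example, not Snewpit's setup or AWS code: Python that evaluates the three layers that decide whether an S3 bucket is public (bucket policy, bucket ACL, and the Block Public Access settings) from the JSON the corresponding `aws s3api` calls return. The policy, ACL, bucket name and account ID below are constructed, and the combination logic is a simplified model of how S3 applies Block Public Access, so a finding means review, not proof.

```python
import json

# Group URIs S3 uses for "everyone" and "any AWS account"; a grant to either is public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket policy in the shape returned by `aws s3api get-bucket-policy`.
# The bucket name and the account ID (AWS's documentation placeholder) are made up.
CONSTRUCTED_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "AppServer", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"}
  ]
}
"""

# Constructed ACL in the shape returned by `aws s3api get-bucket-acl`.
CONSTRUCTED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

# Block Public Access settings as returned by `aws s3api get-public-access-block`.
OPEN_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_BLOCK = {key: True for key in OPEN_BLOCK}


def principal_is_anyone(principal):
    """True when a statement's Principal is the wildcard, in either of its spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy):
    """Allow statements granted to anyone with no Condition, i.e. unconditionally public."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without the list
        statements = [statements]
    return [
        stmt for stmt in statements
        if stmt.get("Effect") == "Allow"
        and principal_is_anyone(stmt.get("Principal"))
        and not stmt.get("Condition")  # conditional grants need case-by-case review
    ]


def public_acl_grants(acl):
    return [
        grant for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def assess_bucket(policy, acl, public_access_block):
    """Simplified model of the precedence S3 applies: Block Public Access overrides policy and ACL."""
    via_policy = bool(public_policy_statements(policy)) and not public_access_block.get("RestrictPublicBuckets", False)
    via_acl = bool(public_acl_grants(acl)) and not public_access_block.get("IgnorePublicAcls", False)
    return {"public_via_policy": via_policy, "public_via_acl": via_acl, "public": via_policy or via_acl}


CONSTRUCTED_POLICY = json.loads(CONSTRUCTED_POLICY_JSON)

if __name__ == "__main__":
    print("as found: ", assess_bucket(CONSTRUCTED_POLICY, CONSTRUCTED_ACL, OPEN_BLOCK))
    print("hardened: ", assess_bucket(CONSTRUCTED_POLICY, CONSTRUCTED_ACL, HARDENED_BLOCK))
```

Turning on all four Block Public Access settings neutralises both the wildcard statement and the AllUsers grant, which is why it is the first fix to apply; the public statement and the ACL grant should then be removed as well rather than left in place behind the block.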
IT News: PwC Australia has created a new business unit bringing together cyber, digital trust and digital law teams from across the firm to bolster the services it offers clients navigating the cyber security and regulatory landscape.
Hedge Week: Drawbridge has continued to invest in its people, technology and customers throughout the year, working closely with clients to help them ensure security, continuity and safety during the unprecedented times that have resulted from Covid-19.
DarkReading: CyberArk tested products from multiple major security vendors, including Kaspersky, Symantec, Trend Micro, McAfee, and Check Point Software Technologies, and says it found vulnerabilities in every single one.
Cision: BitSight, the Standard in Security Ratings, and Solactive, a German index engineering firm, today released new research demonstrating that a company's cybersecurity performance is an indicator of business performance. Analysis shows that indices composed of well-performing BitSight-rated companies outperform their respective benchmarks by 1% to 2% annually. For certain sectors, such as U.S. Technology, well-rated companies outperform the benchmark by 7% per year. The findings are an endorsement for today's introduction of the Solactive BitSight Cyber Risk Index, a financial index that will enable investors to invest in companies who are top cybersecurity performers as measured by BitSight.
Institutional Asset Manager: Cyber-enabled fraud attempts are escalating and evolving, and the current remote working environment has created additional vulnerabilities that firms need to address. The memo, produced by the SBAI’s Governance Working Group, provides guidance on key controls that help protect managers’ payment processes. It also can be used as a tool for investors to evaluate these controls during due diligence.
Security Magazine: Security teams in the financial services sector are experiencing even more exacting demands as they defend their organizations in a world under a new and unexpected threat — a global pandemic, says a new Accenture report, "2020 Future Cyber Threats: The latest extreme but plausible threat scenarios in financial services."
Institutional Asset Manager: Dow Jones’s risk data, including politically exposed persons (PEPs), sanctions lists and adverse media entities for the UK, Europe and the Asia Pacific, will flow through Bottomline’s cyber fraud and risk management platform. The additional intelligence will help identify internal and external threats and protect against criminal activity. The data inclusion can also help banks and corporates avoid incurring regulatory fines and reputational damage that often accompany fraud incidents by enabling them to identify suspicious transactions and stop payments fast.
The target: BrandBQ, a European fashion retailer.
The take: 7 million customer records of personally identifiable information including: full names, email addresses, home addresses, date of birth, phone number, and payment records.
The attack vector: The data was exposed on an Elasticsearch server with neither authentication nor encryption, meaning anyone with an internet connection could have found the information and downloaded a copy. Along with customer information, a further 50,000 records relating to contractors who worked with BrandBQ were stored on the same server, exposing their purchase information and correspondence. Also mixed in were API logs from the company's mobile app, which widened the possible exposure to over 500,000 affected users.
Credential management and proper security around data storage are critical for every business. In this case, keeping unrelated data sets in one place compounded the severity of the breach: BrandBQ's customers were made vulnerable phishing targets, and its contractors are now also highly susceptible to Business Email Compromise scams.
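The Broadvoice and BrandBQ exposures above come down to the same misconfiguration, so one added example serves both (it is not either company's configuration or Elastic's tooling): a Python linter for the flat settings in elasticsearch.yml that flags a node bound to all interfaces, a node with security disabled, and an exposed node without TLS, next to a hardened configuration for the same cluster. Both configuration files are constructed for the example.

```python
import ipaddress

DEFAULT_HTTP_PORT = 9200  # the Elasticsearch REST API port internet-wide scanners probe for

# Constructed elasticsearch.yml with the weak settings described above:
# bound to every interface, security off, no TLS.
WEAK_CONFIG = """\
cluster.name: customer-records
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed elasticsearch.yml for the same cluster, reachable only from the
# host itself, with authentication and TLS on the REST API.
HARDENED_CONFIG = """\
cluster.name: customer-records
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}
WIDE_BINDINGS = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_settings(text):
    """Minimal reader for the flat `key: value` form of elasticsearch.yml (no YAML library needed)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_exposed_binding(host):
    """True when network.host makes the node reachable from other machines."""
    if host in LOOPBACK_ALIASES:
        return False
    if host in WIDE_BINDINGS:
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostname or interface alias: treat as exposed until proven otherwise


def audit_elasticsearch_yml(text):
    """Return the list of findings that would make this node an open database."""
    s = parse_settings(text)
    findings = []
    host = s.get("network.host", "_local_")  # Elasticsearch's own default is loopback only
    port = s.get("http.port", str(DEFAULT_HTTP_PORT))
    exposed = is_exposed_binding(host)
    if exposed:
        findings.append("network.host=%s: REST API on port %s reachable from other hosts" % (host, port))
    # Before 8.0 a default install had security off unless this key was set explicitly,
    # so an absent key is treated the same as false.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on the REST API")
    if exposed and s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: traffic and credentials cross the network in clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_yml(cfg) or ["no findings"])
```

The weak file produces three findings and the hardened one none. Binding to loopback is the right default for a single node; a multi-node cluster that must bind to a private interface should pair that with security enabled, TLS on the HTTP layer, and a network policy or firewall so that port 9200 is never reachable from the internet.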
Reuters: Facilitating ransomware payments to sanctioned hackers may be illegal, the U.S. Treasury said on Thursday, signaling a crackdown on the fast-growing market for consultants who help organizations pay off cybercriminals.
National Post: America’s top law enforcement agents and spies are teaming up under one roof as part of a new federal strategy to fight foreign hackers, senior FBI officials said in an interview.
Financial Post: Anthem Inc said it would pay $39.5 million as part of a settlement with U.S. states attorneys general following an investigation into a massive cyber-attack at the company in 2015.
Newshub: The chief information officer of the New Zealand stock exchange (NZX) has resigned and will leave the company at the end of 2020. David Godfrey's resignation follows a series of distributed-denial-of-service attacks (DDoS) which caused multiple crashes of the trading website.
Bleeping Computer: US-based Arthur J. Gallagher (AJG) global insurance brokerage and risk management firm confirmed a ransomware attack that hit its systems. AJG is one of the largest insurance brokers in the world with more than 33,300 employees and operations in 49 countries.
Meri Talk: Given the Federal government’s rapid shift to telework since the onset of the COVID-19 pandemic and the larger attack surface that working from home creates, there is a significantly greater need for government to take a fresh look at addressing the most fundamental cybersecurity challenges.
Business Wire: CyberSaint, the developer of the leading platform for automated, intelligent cybersecurity program management, today announced the availability of new features supporting the Financial Services Sector Cybersecurity Profile within the CyberStrong platform, including automated mappings between those standards and the NIST Cybersecurity Framework, FFIEC, and others.