It’s the little things that give you away.
This past week brought us a diverse set of incidents. Unfortunately, several of the high-profile compromises could have been easily prevented. From database misconfigurations to Phishing exploits, this week was the busiest week in disclosure since the week of March 19th.
Here are a few items to note from this week’s report:
- Compromised credentials are still #1: Several incidents leverage compromised credentials from 3rd party data breaches to initiate their attack.
- Amazon buckets are still leaking: Two of the incidents reviewed this week leverage flaws in Amazon S3 configurations. It’s surprising to see these very easy-to-fix issues still impacting organizations that hold very sensitive data.
- Financially motivated breaches on the rise: Insider Threat and “Accidental Loss” of high-value data are on the rise.
- The healthcare sector targeted: Healthcare organizations are clearly in the crosshairs.
Business Vulnerability: High: Network Exploit, Compromised Credential Exploit, Customer PII Loss, Website Defacement, Phishing email generation using company CRM/customer database.
Individual Risk: High: Compromised PII, Password Re-use/3rd Party Compromise, Phishing Exploit
Date Occurred: April 15th, 2018
Date Disclosed: April 17th, 2018
Data Compromised: Personally Identifiable information of users including clear-text passwords.
How Compromised: Incident first appeared to be a technical glitch that redirected users to a WordPress site when they tried to visit TaskRabbit
Customers Impacted: TaskRabbit Users: Customers posting jobs and “Taskers”
Attribution/Vulnerability: Network & Website Exploit via Compromised Credentials.
What you need to know:
Given its complexity, I’m surprised that the SecOps space has given this incident very little attention. This is a great case study in compromise and lateral exploit.
It appears that a compromised credential allowed the attacker to gain network access AND access to TaskRabbit’s website and customer database. TaskRabbit acknowledges that it needs to do a better job with its “network intrusion detection” and that it stored more PII on its customers than needed.
Here’s what seems to have happened:
- Attacker uses a compromised email and password to gain access to the network
- Attacker defaces, then re-directs the website to a bogus WordPress landing page
- Attacker uses the company’s CRM/CMS to send Phishing emails from the domain to customers.
If anything, this highlights how a single credential can be used to create a large attack surface. For MSPs, these scenarios can be particularly complex to deal with and have long-term downstream damage since most MSPs are not tasked with or provide services to host and secure their customers’ websites.
2. Localblox (data scraping/collection firm)
Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit
Individual Risk: Moderate: Harvested data already & still widely available on the surface web
Date Occurred: Early 2018
Date Disclosed: April 18, 2018
Data Compromised: The data was found in a human-readable, newline-delimited JSON file. The data collected includes names and physical addresses, and employment information and job histories data, and more, scraped from Facebook, LinkedIn, and Twitter profiles. Localblox would use to cycle through email addresses that it had collected through Facebook's search engine to retrieve users' photos, current job title and employer information, and additional family information.
How it was Compromised: The company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.
Customers Impacted: Localblox claims it has more than 650 million records in its device ID database, and 180 million records in its mobile phone database, which includes mobile phone numbers and carriers. The company also says it has a US voter database with 180 million citizens.
Attribution/Vulnerability: Localblox Misconfiguration
What you need to know: Most companies using S3 (including Localblox in this case), do not realize that they had to go back and re-configure their access settings within Amazon’s S3 service to prevent anyone with access to Amazon’s platform from finding and accessing any bucket.
By default, the S3 service is highly prone to misconfiguration that can give almost anyone looking the ability to access or modify information in a non-password protected bucket. Attackers can gain access to list and read files, write/upload files, or change access rights to all objects and control the content of the files in a bucket.
The S3 issue is well known and easily fixed. It’s concerning that a company scraping social and web data to build profiles on people would be this negligent with their data storage and security.
As for the data they are scraping... it’s still widely available and easily accessed. By anyone…
3. FastHealth Interactive Healthcare (Website programming and hosting for hundreds of hospitals and other healthcare organizations)
Business Vulnerability: High: Compromised Default Password, Unsecured/internet database
Individual Risk: High: Compromised PII, Compromised PHI, Compromised Financial Data
Date Occurred: 2016 & 2017 (2 incidents)
Date Disclosed: April 2018
Data Compromised: Incident 1: Patient billing and health-related information entered via online patient web forms. Incident 2: Patient Health Information. At this time, it is unknown whether the databases were breached or if information was actually retrieved.
How it was Compromised: Attackers used credential stuffing to access the accounts, this means that hackers attempted to access the accounts by using credentials leaked from other data breaches.
Customers Impacted: At least 9200.
Attribution/Vulnerability: Compromised Default Password – Law Enforcement Observation
What you need to know: Compromised default password exploits are still very common. What’s concerning about this group is that it has experienced 2 incidents over a 2-year period. It looks like the organization fell asleep at the wheel, as the second incident was identified by Law Enforcement. There are very few details on what LE noticed. There is little chatter about this data being for sale.
4. True (Thai telecommunications company)
Business Vulnerability: High: Unsecured Amazon S3 Bucket Exploit
Individual Risk: High: Impacted Thai citizens with PII exposed
Date Occurred: Unknown/March 2018
Date Disclosed: March 2018
Data Compromised: True said stored copies of national identification cards belonging to 11,400 customers who bought "TrueMove H" mobile packages via True's e-commerce platform iTruemart, run by True's digital arm Ascend Commerce, had been made public.
How it was Compromised: The data leak came to light after Norway-based security researcher Niall Merrigan said in his personal blog on Friday that he was able to access 32 gigabytes of True's customer data, including identification cards, and that he notified True in March about the security breach.
Customers Impacted: 11,400 TRUE Customers.
Attribution/Vulnerability: Exposed by Norway-based researcher Niall Merrigan
What you need to know: Sound familiar? Thai communications is lucky that Niall decided to put his white hat on and notify them that their bucket is leaking!
5. Blue Shield of California
Business Vulnerability: High: Potential PII Exploit for Financial Gain or Accidental Data Loss
Individual Risk: Low: Dataset isolated/ impacted individuals contacted
Date Occurred: Breach had occurred in November 2017 during the 2018 Medicare Annual Enrollment Period
Date Disclosed: The Blue Shield of California Privacy Office received confirmation on March 23, 2018
Data Compromised: The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.
How it was Compromised: A Blue Shield employee emailed a document containing PHI to an insurance broker “in violation of Blue Shield policies.” Blue Shield of California said that it believes the insurance broker may have contacted some of the individuals identified in the document to sell a Medicare Advantage Plan offered by another health insurance company.
Customers Impacted: Blue Shield CA customers.
Attribution/Vulnerability: Insider Threat/ Blue Shield employee
What you need to know: It's not entirely clear if this incident was an exploit for financial gain or just a case of accidental data loss. It does come on the heels of a success for Phishing exploit that exposed the PHI of 21,000 people. It's interesting that several reports suggest that the 3rd party that received the data tried to use it to sell a Medicare Advantage plan. I would not be surprised if there is a criminal inquiry under way.
6. American Esoteric Laboratories
Business Vulnerability: High: Stolen Laptop Potential PII Exploit for Financial Gain or Accidental Data Loss
Individual Risk: High: Sensitive Patient Data (PHI), Payment Data
Date Occurred: On or after October 15, 2017
Date Disclosed: April 20, 2018
Data Compromised: Data breach may have resulted in the exposure of the personal and protected health information of patients of a medical lab chain with multiple Alabama locations.
How it was Compromised: Employee’s laptop containing a wide range of personal information about patients may have been stored on the laptop, including names, addresses, Social Security numbers, dates of birth, health insurance information, and/or medical treatment information.
Customers Impacted: American Esoteric Lab patients.
What you need to know: It appears that the organization, even though it knew it had PHI, did not use an endpoint protection nor did it encrypt their laptops. AEL states that it’s taking steps to make sure this type of incident does not happen again. "These steps include increasing the security of the AEL systems and networks through the use of encryption technology, updating relevant policies and procedures, and retraining staff."