It should come as no surprise that two of the breaches profiled this week occurred as the result of compromised email addresses and passwords. These events highlight the need to make password hygiene and compromised credential monitoring front and center.
This week also demonstrates that healthcare organizations are increasingly targeted by bad actors. Healthcare-related PII/PHI is increasingly valuable and sought after in dark web markets and forums.
A few more highlights…
– Malware on the move! New malware targeting Android phones is making the rounds
– Cortana… the weakest link? An exploit in Windows 10 was patched on Tuesday that allowed one to change passwords
– AI startup working on the United States drone program finds Russian malware on their server
– The Nigerian princes are back! This time, they want to be business partners…
Look out for suspicious .men! Some top-level domains are more likely to be malicious than others, with .men, .gdn and .work being the most abused. If you open a .men link, there is about a 50/50 chance that you are going to a site loaded with spam or malware. Check those hyperlinks! https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
Elmcroft Senior Living
Exploit: Outside actor.
Risk to Small Business: High: Lack of Data Loss Protection (DLP) and chain of custody leading to breach
Risk to Exploited Individuals: High: Elevated probability of identity theft and fraud based on PII compromised.
Elmcroft: Having recently ended its management of more than 70 assisted living, memory care, and inpatient hospital rehabilitation facilities, Elmcroft was in wind-down mode when the breach occurred.
Date Occurred/Discovered: Occurred May 10th, 2018; discovered on May 12th
Date Disclosed: Elmcroft made an official statement on June 8th, 2018
Data Compromised: Names, date of birth, Social Security numbers, personal health information
How it was Compromised: A third party had access to information being transferred from Elmcroft to the new management company
Customers Impacted: Residents, residents' family members, employees, possibly others
Attribution/Vulnerability: Undisclosed at this time.
https://www.mcknightsseniorliving.com/news/data-breach-puts-personal-information-of-residents-workers-at-risk-elmcroft-senior-living-says/article/772385/
Terros Health
Exploit: Phishing scam that compromised one account.
Risk to Small Business: High: Demonstrates phishing is still a primary tactic to generate exploits and how one compromised email account can end in a major breach.
Risk to Exploited Individuals: High: Sensitive personal information, Social Security numbers and medical information were leaked, all of which can be used maliciously by an outside actor.
Clarifi
Exploit: Malware exploit to steal IP
Risk to Small Business: High: Demonstrates the need to harden security when dealing with intellectual property and when being targeted as a Federal Contractor/Supply Chain Sub-contractor.
HealthEquity
Exploit: Compromised email.
Risk to Small Business: High: Demonstrates the need for compromised credential monitoring and implementing stronger authentication tools.
Risk to Exploited Individuals: High: Sensitive personal information and Social Security numbers were accessed during the breach.
HealthEquity: Utah-based firm that handles millions of health savings accounts.
Date Occurred/Discovered: April 11, 2018
Date Disclosed: June 2018
Data Compromised: Names of members, HealthEquity ID numbers, names of employers, employers' HealthEquity IDs, Social Security numbers
How it was Compromised: An email account of a HealthEquity employee was compromised, and the outside actor was able to gather data for two days before the malicious activity was noticed by the company.
Attribution/Vulnerability: Compromised employee email.
Customers Impacted: 23,000
https://www.infosecurity-magazine.com/news/23000-individuals-affected-in/
Dixons Carphone
Exploit: Investigation ongoing.
Risk to Small Business: High: Breach response requirements of GDPR will significantly change how quickly companies must disclose breach incidents and respond.
Risk to Exploited Individuals: High: Card data of customers was accessed by an outside actor.
Dixons Carphone: Electronics company located in the UK.
Date Occurred/Discovered: July 2017
Date Disclosed: June 2018
Data Compromised: Customer cards, names, addresses, email addresses
How it was Compromised: The investigation is currently ongoing into how the breach happened, but it was only just discovered a little under a year after it happened.
Attribution/Vulnerability: Unauthorized access to company data
Customers Impacted: 5.9 million
An important takeaway from this week is the damage that a single compromised email account can do to an organization of any size. With one compromised email account, a bad actor can send countless employees malware from a legitimate, unsuspicious email address, oftentimes without the employee knowing their email is compromised.
Continuously educating your customers and prospects about current cyber breaches will drive home why they should update their cybersecurity protection, so share this information today. Below is sample messaging to send along and we love hearing our Partners’ marketing success stories! Let us know about your latest ones at [email protected].
Don’t let your business end up in the next Week in Breach. Make sure you and your employees’ passwords are strong, not reused or shared, and that your network credentials aren’t for sale by constantly monitoring the Dark Web with Dark Web ID™!
Haven’t considered Partnering with ID Agent? Find out how Dark Web ID™ can help you protect your customers’ credentials, upsell services and close new deals. Our Partner Relation Managers are also here to provide marketing and sales support that will show you how to increase your MRR with the help of our platform! Learn about ID Agent’s Partner Program now!