Business Continuity & Cyber Security Incident Log w/e 11/08/2017

Business Continuity Incident

Cyber Criminals Target Hungarian Banks

BUDAPEST: Three major banks in Hungary have experienced a series of targeted phishing attempts in recent months, the central bank said on Tuesday, without naming the lenders involved.

The National Bank of Hungary, which is the regulator for banks and financial markets, said no funds had been lost as a result of the attacks, which started in June.

In a statement, it said banking clients were targeted with misleading email and text messages calling on account holders to confirm their security credentials.

The central bank said the cloned websites through which hackers were trying to obtain banking login details were more convincing than in previous phishing attempts, using grammatical Hungarian rather than relying on translation software, for example.

The central bank said banks affected were taking measures to tackle the issue but warned that other lenders could be subject to similar phishing attempts in the coming days. — Reuters

Phishing & Social Engineering Behind HBO Cyber Attack

Cyber-security executives are speculating that the HBO hack by “Mr Smith” was the result of the intruder putting a tremendous amount of effort into infiltrating the entertainment giant through many separate attacks, while the company itself most likely fell victim because it ignored basic security hygiene.

On 7 August a small treasure trove of HBO content was posted publicly to the web by a hacker who is now demanding a US$ 6 million (£4.6 million) payment to stop any further release of data. The hacker, who goes by Mr. Smith, posted five scripts for Game of Thrones and a month’s worth of email from HBO vice president for Film Programming Leslie Cohen, along with some other corporate information, according to the Associated Press.

The general consensus among cyber-security insiders is that the hacker was able to procure this information through a series of small attacks conducted over an extended period of time, made possible by poor security practices at either HBO or perhaps a third-party vendor. Mr. Smith seemed to confirm the timeline, saying the $6 million ransom amount is tied to the length of time his crew spent on the hack, about six months.

“Through a persistent effort of phishing, malware attacks and plain old social engineering, the attackers likely compromised many individual identities. Once these identities are compromised, the attackers can inject malware onto systems that over time learn more passwords and allow them lateral access into other systems on the network,” Corey Williams, Centrify’s senior director of Products and Marketing, told SC Media.

Another strong possibility is that HBO is simply another victim of partnering with a third-party vendor that either made an error or did not have its cyber-security ducks lined up in a row. If this turns out to be true, HBO will join a long list of companies, including Verizon, Trump Hotels, Hard Rock and Scottrade, that suffered a data breach because one of these ancillary companies proved to be a weak link.

“They have to treat intellectual property (IP) with the same level of protection that banks treat regulated customer information – that is, it should be given the highest level of IT security controls and data privacy protection. Then in those instances where a studio has outsourced to a vendor (eg Larson Studios and the Netflix hack), they must ensure that their vendors employ equally strong security,” Brad Keller, director of 3rd Party Strategy for Prevalent, said in an email interview with SC Media.

HBO launched an investigation into the initial attack, which took place on 1 August, when its CEO and chairman Richard Plepler confirmed the cable company had been victimised. So far the company has not released any information.

Whatever the company discovers during its investigation, along with its decision on whether or not it should pay the US$ 6 million ransom, will prove quite educational for other media firms that may find themselves victimised in a similar manner.

As with most ransomware situations, the consensus on whether or not the victim should pay up was split. If the data is deemed more valuable than the ransom and it cannot be replicated, then breaking out the corporate cheque book might be in order; otherwise, if at all possible, the bad guys should not be paid off.

“It’s a business decision, plain and simple. If an attacker was threatening to release the new Star Wars movie early, I’d want to understand the business impact of that. If it meant that there would be a decrease in people attending movies or buying merchandise in dollar amounts that exceeded the amount of the ransom, I’d at least consider coming to the table and negotiating,” said James Carder, CISO of LogRhythm.

However, everyone did agree that snatching IP was a smart move as it forces the company to quickly make a decision over what is essentially a product with an expiration date. And they did not rule out the suggestion that despite asking for money the hacker could have an ulterior motive, one similar to the Sony hack that was focused on damaging the studio for the release of the anti-North Korea movie “The Interview.”

“Intellectual property is particularly well suited to ransomware attacks because there is little way to repair the damage after it has been released. In the case of movies and/or episodes, there is an immediate diminution in market value,” Keller said.

Williams agreed, adding the negative consequences of pre-releasing brand defining IP can be tremendous with the possibility of subscriptions being impacted in HBO’s case.

Carder did add that if a company manages to save a few dollars by negotiating a lower ransom, it would be smart to take that money and invest it in boosting its cyber-security. He had a few suggestions on where to invest, the most important being that the amount a company invests should be close to the value of what it is trying to protect.

“Unfortunately, there isn’t a silver bullet or one thing these studios can do. It’s a combination of things that must happen. Studios must practice good IT and security hygiene (patching systems and applications, updating and modernising systems/applications/infrastructure, controlling access to only those that need access, validating identities, encrypting or applying other safeguards to critical business systems and data). They also must implement stringent monitoring and alerting mechanisms as compensating controls for when or if an attacker breaks through their defenses,” Carder said.

Williams noted that even improving some basic security protocols would be a huge help. The first change he suggested is to stop relying on passwords as the line of defense protecting intellectual property. Next is to implement multi-factor authentication and utilise machine learning to halt attacks as they happen.

While there are many things companies must do to increase security, the one thing they cannot do is underestimate their enemies, said Matthew Pascucci, cybersecurity practice manager at CCSI.

“The HBO hack should be taken seriously. Anytime a malicious actor has your sensitive data and is releasing it to the public they’ve earned the right to be taken seriously. How HBO responds to their demands and moves forward with the isolation of the incident will determine what needs to be done moving forward from a hardening and process perspective,” he said.

In the end it may be hard to discern the final result of this attack. HBO may determine how it was done, but unless it publicly states that it paid, or the hacker makes such a disclosure, the world may not know. Unlike the NotPetya attack, which has negatively impacted the financials of FedEx and Maersk, HBO may pass through this incident unscathed, especially if it enters into a negotiation with Mr. Smith.

“Just like with any business deal, there could be some level of negotiation and potentially some agreements made if HBO thinks that the stolen data has considerable value from a business perspective. By comparison, if you look at the effects of Sony’s breach, there was really no material impact on Sony’s fiscal results the year it was breached. Most of the cost incurred was associated with the investigation and the remediation necessary to bolster their cyber-security programme, which could be seen as an investment in the long run,” Carder said.

GDPR Means Large Fines for Information Systems Failure

Airlines, electricity firms and broadband providers could face multi-million pound fines if they fail to take measures to prevent cyber attacks that result in major disruption to services, under a government plan to be announced today.

Companies will be hit with financial penalties of up to £17 million or four per cent of global turnover if they cannot show they adequately assessed the risk of threats to their computer systems, including cyber hacking or even power failures.

Ministers said the fines, which will be set out as part of a consultation today, would only be used as a ‘last resort’ and would affect electricity, transport, water, health and digital infrastructure providers.

The move comes after the NHS became the highest profile victim of a global ransomware attack, which resulted in operations being cancelled, ambulances being diverted and patient records being made unavailable.

The co-ordinated attack that infected a large number of computers across the health service was linked to the WannaCry malicious software.

The issue was raised again after a major IT failure for British Airways left 75,000 passengers stranded and cost the airline £80m – although the company cited a power supply issue rather than a cyber-attack.

Digital minister Matt Hancock said: ‘We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.’

Operators will be required to develop a strategy and policies to manage risk, and show how they are working to prevent attacks or system failures.

The Department for Digital, Culture, Media and Sport said it also wanted to see action to detect attacks, develop security monitoring and raise staff awareness, as well as ensuring that incidents were reported immediately and that systems were in place for recovery. Workshops will be held with operators to allow them to offer feedback.

The consultation proposes similar penalties for flaws in network and information systems as those due to be in force for data protection lapses by May 2018.


Mondelez Still Suffering From Cyber Attack

While the impact of a June malware attack on Mondelez International Inc. was severe, the 2.3 percentage point impact on sales was smaller than the 3 points projected by the company earlier in July. The cost from the attack was estimated at just over $150 million in lost sales and incremental expenses, but Mondelez said recovery work will continue into the second half of the year.

In its second-quarter earnings announcement, Mondelez offered additional detail about the attack and associated financial costs.

“On June 27, 2017, a global malware incident impacted the company’s business,” Mondelez said. “The malware affected a significant portion of the company’s global Windows-based applications and its sales, distribution and financial networks across the company. During the last four days of the second quarter and early third quarter, the company executed business continuity and contingency plans to contain the impact and minimize the damages from the malware and restore its systems. This allowed the company to service customer needs and continue sales and production at a reduced capacity while progressing recovery activities. Based on the nature of the malware and its impact to the company’s technology, the company did not expect nor to date has it found any instances of company or personal data released externally.

“Although the company believes it has now largely contained the disruption and restored a majority of its affected systems, the company anticipates additional work during the second half of 2017 as the company continues to recover and further enhance the security of its systems. For the second quarter, the company estimates that the malware incident had a negative impact of 2.3% on its net revenue growth and 2.4% on its organic revenue growth. The company also incurred incremental expenses of $7.1 million as a result of the incident.”

In an Aug. 2 conference call with investment analysts, Irene Rosenfeld, chairman and chief executive officer, said Mondelez was not yet “back to normal.”

Considerable background during the call was offered by Brian T. Gladden, chief financial officer:

“In terms of our results, the malware incident had a negative impact of approximately 240 basis points to organic net revenue or about $140 million. We expect to recover a majority of the delayed second-quarter shipments in our third quarter, and we’ve made good progress in shipping these orders during the month of July.

“We did, however, permanently lose some revenue due to shorter supply chains, missed promotions and lost consumption in some markets. That said, we do not believe the incident has had any long-term impact to our customer relationships or market share. We’re pleased with our execution during this crisis and believe that our business continuity plans were effective in minimizing the impact to our customers and to our ongoing financial results. As you can imagine, we’re conducting a comprehensive review of the incident to determine any potential opportunities to further improve the security of our global systems environment. Currently, we do not expect the required investments to be material to our results.

“This event has underscored the resiliency of our team and their ability to pull together in the face of adversity. I’d like to thank our teams for their tireless efforts to put us back on track and ensure that we’re focused most importantly on our customers and consumers.”

The impact of the attack was most severe in the Mondelez North America region, largely because of lost consumption associated with the timing just before July 4, Mr. Gladden said.

Google Puts Pressure on Chrome Extension Developers Following Security Breach

Google’s security team has sent out warnings via email to Chrome extension developers after many of them were targeted by phishing attacks, some of which succeeded and resulted in crooks taking over extensions.

These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions — Copyfish and Web Developer.

The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

Phishing attacks have been going on since mid-June

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing.

All phishing emails contained the same lure — someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated.

The extension developer was lured onto a site to see what the problem was and possibly update the extension. Before showing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

The login page was identical to the real Google account login page, and this is how the owners of the Copyfish and Web Developer extensions had their accounts compromised.

Bleeping Computer obtained one of the phishing emails that extension developers received in the past months. This email was sent to OinkAndStuff, the developer of two very popular Chrome extensions named Blue Messenger (~80K users) and Websta for Instagram (~100K users).

Phishing email

In a private conversation with Bleeping Computer, OinkAndStuff said he received this email on June 21, 2017, almost seven weeks ago.

Evidence points to common actor behind all phishing attacks

The domain used in the phishing email was a Freshdesk domain. The Copyfish extension developer was also phished via a Freshdesk domain. The lure (email message) was almost identical in all three incidents (Copyfish, Web Developer, and OinkAndStuff).

All evidence points to the fact that there’s a common actor behind all these phishing attacks that have targeted Chrome extension developers.

“It is really well written and with links very much similar to Google,” said OinkAndStuff. “I immediately detected that it was a scam and my investigation led to a P.O. box in Panama. That same day, I sent an email to Google reporting this case.”

OinkAndStuff says that days later Google started blocking the site via its Safe Browsing API.

Phishing attacks continued through month of July

“But this wasn’t the end. After this incident I received two more attempts on 7-7-2017 and 21-7-2017 with the same tactics,” the developer says. “I reported them to Google and Google once again blocked and flagged the websites as scam websites.”

“The second and third attacks were through a link which is a bit lame but the first attack was very very hard to detect,” the developer also noted.

“I even analyzed the HTML and JavaScript of the scam website and compared it to the official Google login page and believe me this attack was surgical-made because it was really well done by some very clever organization,” OinkAndStuff told Bleeping Computer. “They changed domains on each attack because as I was reporting them, Google also blocked the website so they were forced to move to a new domain name on every new round of attacks.”

Following these repeated waves of phishing emails in June, July, and August, Google’s staff was eventually forced to recognize that something was amiss.

On August 4, two days after the hijacking of the Web Developer Chrome extension, Google sent out the following email, warning all extension developers about the rising danger of phishing attacks posing as official Chrome Web Store communications.

Google email warning

As the above email advises, extension developers should not log in with their Chrome developer accounts on Google login pages hosted on non-Google domains.

For the time being, the threat remains active for all owners of popular extensions, which are a prime target for any crook who wants to make a few bucks through ad affiliate programs.

Chemical Company Hit by $2 Million Fire

REEDLEY, Calif. – Around 100 fire personnel battled a fire at the Gar Tootelian agricultural plant in Reedley late Sunday morning. The fire ravaged one building on the property, causing at least $2 million in damage.

The plant is on Crawford Avenue between South and Parlier Avenues. It started around 11:30 a.m. in a warehouse housing the plant’s maintenance shop, according to Cal Fire.

Workers alerted emergency responders after a fire alarm brought them to the plant. By the time any fire crew arrived, the fire had already consumed at least a quarter of the 20,000 square foot building.

While only things like tires and other maintenance equipment burned, Cal Fire public information officer Capt. Jeremiah Wittwer said crews took a particular approach while fighting the fire, given that agricultural chemicals and possibly hazardous materials are on the property.

“We try to stay upwind, out of the smoke and in the safest areas,” said Wittwer. “Figure out what we’re dealing with before we engage in any firefighting efforts.”

The plant has an on-site water tanker and several fire hydrants. Wittwer said they helped with firefighting efforts, but the resources were depleted fast. He said thankfully canals were nearby to provide a quick refill for tankers.

“Being able to grab the water out of the canal and give us that additional 1,000 gallons per minute (GPM) definitely helped contain this fire,” Wittwer said.

Crews had the fire out in a matter of hours. Cesar Cardenas has lived by the plant for the past couple of years. He said he knows things at the plant overall are safe.

However, things like this can be a worry, especially since chemicals were threatened.

“(A chemical fire) is probably everybody’s worst nightmare,” said Cardenas. “It does weigh on your mind, it’s always a concern.”

The cause of the fire is still under investigation. A Gar Tootelian spokesperson said the on-site tanker and fire hydrants have only been a recent addition to the property, as part of an expansion effort that started five years ago.

Cyber Attack Takes Out Bournemouth Community Centre

A cyber-attack has left Bournemouth’s community centres without a website just as their clubs and courses approach a crucial time of year.

Visitors looking for information about what’s on at the centres receive only an error message or a pop-up box asking them to log in.

The shared website – at – served Beaufort, Ensbury Park, Kinson, Moordown, Muscliff, Strouden Park and Townsend centres.

It is run by a webmaster out of the area, but with Bournemouth Borough Council advising the community associations.

Clubs and classes based at the town’s nine community centres are mostly taking a summer break but planning ways to attract new members in September. Although the council owns the community centre buildings, it no longer subsidises their activities, leaving cash-strapped community associations dependent on fundraising.

David Brown, chairman of Kinson Community Association and also a councillor in Poole, said the cyber-attack had been “damaging”.

“We have been receiving calls from people unable to find the information they are looking for because our website is down and we appear to have no chance of recovering it,” he said.

“It is damaging to our business not only because of the money and time which has been invested in the website, but as a small community charity we can ill afford the additional costs to make up for this.

“We are entering a busy time of year with many of the groups and classes at Kinson Community Centre starting new terms in September and we always expect lots of enquiries, so we are spending extra money on press advertising and leaflets, without a website address, to ensure people know how to contact us.”

He urged anyone interested in activities there to contact the office on 01202 572826.

Amanda Nicholls, assistant community liaison officer for Bournemouth council, said: “Unfortunately, the Bournemouth Community Centres website has been targeted by hackers and the incident has been reported to the police and the cybercrime unit.

“We ask that residents please remain careful of any emails they receive and to please contact their community centres direct if they require further information about centre activities. We apologise for any inconvenience caused.”

TalkTalk Fined £100,000 by ICO

The UK’s Information Commissioner’s Office has slapped TalkTalk with a £100,000 fine for breaching the Data Protection Act.

The fine relates to 2014, when the personal data of up to 21,000 customers was accessed unlawfully via three accounts belonging to IT services company Wipro.

At the time, TalkTalk outsourced some customer service work to the India-based company.

An investigation was launched after an unspecified number of TalkTalk subscribers complained in September 2014 that they were receiving scam calls in which their addresses and account numbers were quoted.

This revealed that 40 Wipro employees had access to data belonging to 50,000 TalkTalk customers.

The staff could access the data from any internet-enabled device, the ICO said, with no controls in place to restrict access to devices linked to Wipro.

Although the UK government body did not find direct evidence of a link between the compromised information and the complaints about scam calls, it said a lack of adequate security measures had left customer data open to exploitation by “rogue” employees.

Moreover, it said TalkTalk had failed to implement measures to stop the problem despite having had “ample opportunity over a long period of time” to do so.

It is the second time in less than a year that the ICO has fined TalkTalk.

Last October, it handed out a £400,000 fine for security failings related to a cyber attack in 2015.

Information Commissioner Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here.

“But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.

“TalkTalk should have known better and they should have put their customers first.”

In a statement, TalkTalk said: “We notified the ICO in 2014 of our suspicions that a small number of employees at one of our third party suppliers were abusing their access to non-financial customer data.

“We informed our customers at the time and launched a thorough investigation, which has led to us withdrawing all customer service operations from India.

“We continue to take our customers’ data and privacy incredibly seriously, and while there is no evidence that any of the data was passed on to third parties, we apologise to those affected by this incident