Russian hackers steal up to 1.2 billion usernames and passwords (red24 Cybercrime Bulletin, Edition 2)


Posted on 12-Jul-2020

Page 1

Cybercrime Bulletin Edition 2

Contents

• Russian hackers steal up to 1.2 billion usernames and passwords (page 1)
• Cybercrime and financial institutions (page 2)
• Botnets infect 18 systems per second (page 3)
• Dire consequences for small businesses (page 3)
• Recent incidents of note (page 4)
• Contact details (page 5)

The ever-increasing number of cyber-related incidents should be a frequent topic of conversation and debate in many boardrooms. At red24 we are acutely aware of this concern as it reflects the increase in cyber-related questions during crisis management consultations and presentations. In response to the proliferation of cyber events and our clients’ focus on this risk, this quarterly newsletter highlights recent incidents and examines the impact in terms of financial cost, operational implications and damage to reputation.

Russian hackers steal up to 1.2 billion usernames and passwords

A ‘CyberVor’ gang based in Russia is believed to have stolen as many as 1.2 billion usernames and passwords from more than 420,000 web and File Transfer Protocol (FTP) sites. The group used a botnet, a network of infected computers under the hackers’ control, to probe websites for weaknesses, in effect running an unsolicited security audit of every site it visited. Where a weakness was found, the gang exploited it to extract data from the site’s database.

Although the names of the breached sites have not been disclosed, the list is believed to include a number of industry-leading businesses across a range of markets, as well as small and personal websites. The harvesting took place over a prolonged period, as the attackers let the botnet keep discovering further websites from which data could be copied.

However, the claim that this is the ‘biggest data breach ever’ has been disputed by a number of industry experts. Among the arguments made: it was not a single attack but a long series of separate attacks, and it was not against a single target. Antivirus pioneer John McAfee argued that the number of identities stolen ‘may be closer to 500 million’ than the 1.2 billion reported in most publications. Whichever figure is right, the scale of the theft demonstrates the capabilities of, and the damage that can be caused by, a small, competent and determined group of hackers.

Small groups with big results: The CyberVor group which carried out this attack is a small organisation, comprising around a dozen young men who began their careers in cybercrime by launching small-scale spam campaigns. Despite the group’s small size and the comparatively basic techniques it employed, an alarmingly large amount of data was accessed and stolen.

Attacks such as this highlight the constant threat to almost any business which has a website. The sites the botnet compromised were not selected for any reason other than their vulnerabilities, so any organisation whose website has exploitable weaknesses could become a victim of the same kind of opportunistic attack. Maintaining robust information security, both online and in an organisation’s internal systems, is essential to customer confidence, business continuity and reputational integrity.

Page 2

Cybercrime and financial institutions

European Central Bank website hacked

Sensitive personal information, including email addresses and contact details, was stolen from the European Central Bank (ECB) in July after the organisation’s website was hacked. According to the bank, the data was taken from a ‘separate database from any internal system’, and no market-sensitive data was stolen. The database was used during the registration process for events such as conferences and visits. Most of the stolen information was encrypted, but it included email addresses, some street addresses and telephone numbers which were not.

On 21 July, however, the ECB reportedly received an anonymous communication demanding financial compensation in return for the stolen data. The German police were notified of the theft and both internal and police-led investigations commenced. The value of the demand is unknown; the ECB has not released any information about the identities of the criminals involved, or about whether and how the situation has been resolved.

The incident demonstrates the threat cybercrime poses even to established, risk-aware institutions such as the ECB, which actively maintains security and confidentiality and holds a wealth of confidential information, including records of transactions between commercial banks in the eurozone and the central bank.

JPMorgan Chase data breach

On 28 August, the US Federal Bureau of Investigation (FBI) began investigating reports that up to four US banks, including JPMorgan Chase, had been targeted by hackers seeking customer information. The volume of data stolen and the identity of the perpetrators remain unknown at the time of writing, although media outlets have quoted inside sources stating that the hackers extracted ‘gigabytes of sensitive data’. Bloomberg News, which first reported the attacks, said Russian hackers were suspected, and media sources described the attackers’ capabilities as ‘far beyond the capability of ordinary criminal hackers’, prompting speculation that the attacks may have been state-sponsored. These assertions remain unconfirmed by US authorities.

In contrast to previous cyber attacks against banks, which aimed to disrupt services and operations, this attack deliberately sought to steal sensitive customer information.

Large financial institutions, including multinational banks, are routinely targeted by hackers. JPMorgan Chase confirmed that ‘companies of our size unfortunately experience cyber attacks nearly every day’, while the Bank of England stated in a report published this year that the financial system is susceptible to cyber attacks as it has a ‘high degree of interconnectedness, reliance on centralised market infrastructure and sometimes complex legacy IT systems.’

The cost to banks:

Cybercrime is a persistent and growing threat to financial institutions. According to the Brazilian Federation of Banks, cybercrime accounts for 95 percent of the losses incurred by Brazilian banks, and in response Brazilian banks spent more than US$910 million on digital security in 2013.

This is part of a wider trend of increased spending on cyber security by financial institutions: in 2013, JPMorgan Chase reportedly spent approximately US$150 million, while the UK Department for Business, Innovation and Skills estimated that the UK financial sector spends more than £700 million annually.

According to recent studies, companies in retail banking and investment management are making the most significant investments in technology focused on cyber-attack intelligence and data leaks.

However, John Milne, Head of Resilience in the Special Resolution Unit of the Bank of England, has raised the issue of businesses failing to prepare recovery plans for ‘doomsday scenarios’, and the need for firms to improve their capability to react to a cyber attack and to plan for worst-case scenarios. Resilience therefore requires investment beyond technology and IT expertise, to include crisis management planning and testing.

Page 3

Boleto payments hacked in Brazil

A Brazilian payment system called the Boleto Bancário, similar to a money order, has been abused by cyber criminals to skim funds from Brazilian bank payments. The campaign, reported to have begun in 2012, infected over 192,000 computers and produced 495,000 fraudulent transactions, with as much as US$3.75 billion diverted from Brazilian bank payments over the period. The Boleto system is used for most types of payment in Brazil, with more than 6 billion boletos issued last year according to Brazil’s central bank, which made it an attractive target in terms of the number of potential victims.

The ‘Bolware’ malware was designed to disguise the fraudulent transactions, making the scam difficult for users to detect. Computers are infected through typical phishing techniques; once installed, the malware hooks the user’s web browsers and, when a legitimate boleto is displayed or paid, alters its payment details (the bar code and the typeable line the payer keys into a banking site) so that the funds are redirected to an account controlled by the criminals. Nineteen versions of Bolware have been reported, demonstrating the effort the criminals invested in keeping the malware from being blocked or detected.
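To make concrete what a man-in-the-browser boleto substitution looks like and how a payer or merchant can catch it, here is an added example in Python written for this bulletin; it is not code from red24 or from any published analysis of Bolware. It assembles a boleto’s 44-digit bar code and its 47-digit ‘linha digitável’ (the typeable line) following the FEBRABAN layout, with its mod-10 field check digits and mod-11 general check digit; rewrites the beneficiary bank and free field as Bolware is reported to have done, regenerating every check digit so the altered boleto still passes format validation; and then shows the only check that does catch the swap, comparing bank code and amount against what the issuer actually sent. Bank codes, amounts, dates and free-field contents are constructed test data, not real boletos.

```python
"""Boleto typeable-line parsing, check-digit verification and a Bolware-style
substitution, as an added example (not red24's code). Check-digit rules follow
the FEBRABAN layout; all sample values are constructed test data."""
from datetime import date, timedelta

BASE_DATE = date(1997, 10, 7)  # epoch of the 4-digit 'fator de vencimento'


def mod10(digits: str) -> int:
    """Mod-10 check digit for each of the three fields of the typeable line:
    weights 2,1,2,1,... from the right, products above 9 reduced to their digit sum."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod - 9 if prod > 9 else prod
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """Mod-11 general check digit of the bar code (weights 2..9 cycling from the right).
    A result of 0, 10 or 11 is replaced by 1, as the layout requires."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def build_barcode(bank: str, due: date, value_cents: int, free_field: str) -> str:
    """Assemble the 44-digit bar code: bank(3) currency(1) DV(1) factor(4) value(10) free(25)."""
    if len(bank) != 3 or len(free_field) != 25 or not (bank + free_field).isdigit():
        raise ValueError("bank must be 3 digits and free field 25 digits")
    factor = f"{(due - BASE_DATE).days:04d}"
    body = f"{bank}9{factor}{value_cents:010d}{free_field}"  # 43 digits, DV slot left out
    return body[:4] + str(mod11(body)) + body[4:]


def barcode_to_typeable(barcode: str) -> str:
    """Rearrange a bar code into the 47-digit typeable line, adding the three field DVs."""
    f1 = barcode[0:4] + barcode[19:24]   # bank + currency + first 5 of free field
    f2 = barcode[24:34]                  # next 10 of free field
    f3 = barcode[34:44]                  # last 10 of free field
    return (f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}"
            f"{barcode[4]}{barcode[5:19]}")  # general DV, then factor + value


def typeable_to_barcode(line: str) -> str:
    """Inverse of barcode_to_typeable; raises ValueError on any bad check digit."""
    digits = "".join(ch for ch in line if ch.isdigit())
    if len(digits) != 47:
        raise ValueError("typeable line must contain 47 digits")
    f1, f2, f3 = digits[0:10], digits[10:21], digits[21:32]
    for field in (f1, f2, f3):
        if mod10(field[:-1]) != int(field[-1]):
            raise ValueError("field check digit mismatch")
    barcode = f1[0:4] + digits[32] + digits[33:47] + f1[4:9] + f2[:-1] + f3[:-1]
    if mod11(barcode[:4] + barcode[5:]) != int(barcode[4]):
        raise ValueError("general check digit mismatch")
    return barcode


def parse_boleto(line: str) -> dict:
    """Decode the fields a payer should compare with the invoice they received."""
    bc = typeable_to_barcode(line)
    return {
        "bank": bc[0:3],
        "due": BASE_DATE + timedelta(days=int(bc[5:9])),
        "value_cents": int(bc[9:19]),
        "free_field": bc[19:44],
    }


def redirect_like_bolware(line: str, new_bank: str, new_free_field: str) -> str:
    """Rewrite beneficiary bank and free field and regenerate every check digit:
    this is why an altered boleto still passes format validation at payment time."""
    info = parse_boleto(line)
    return barcode_to_typeable(
        build_barcode(new_bank, info["due"], info["value_cents"], new_free_field))


def check_against_issuer(line: str, expected_bank: str, expected_cents: int) -> list:
    """Return discrepancies between the boleto on screen and what the issuer sent;
    an empty list means the payment details are consistent."""
    info = parse_boleto(line)
    problems = []
    if info["bank"] != expected_bank:
        problems.append(f"bank code changed: expected {expected_bank}, got {info['bank']}")
    if info["value_cents"] != expected_cents:
        problems.append(f"amount changed: expected {expected_cents}, got {info['value_cents']}")
    return problems


def sample_boleto() -> str:
    """Constructed sample: a R$1,500.00 boleto on (hypothetical) bank 237, due 30 Sep 2014."""
    return barcode_to_typeable(
        build_barcode("237", date(2014, 9, 30), 150000, "1234567890123456789012345"))


if __name__ == "__main__":
    legit = sample_boleto()
    forged = redirect_like_bolware(legit, "001", "9876543210987654321098765")
    print("forged line passes all check digits:", bool(typeable_to_barcode(forged)))
    print("discrepancies against issuer:", check_against_issuer(forged, "237", 150000))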

Botnets infect 18 systems per second

On 15 July, FBI Assistant Director Joseph Demarest said that cyber criminals are developing increasingly sophisticated strategies to attack targets, and that botnets are now infecting computers at a rate of 18 per second. ‘The use of botnets is on the rise. Industry experts estimate that botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major US businesses,’ said Demarest. ‘The impact of this global cyber threat has been significant. Botnets have caused over US$9 billion in losses to US victims and over US$110 billion in losses globally. Approximately 500 million computers are infected globally each year, translating into 18 victims per second.’

These botnets are used by a range of actors, including state-sponsored hackers, hackers for hire, organised cyber syndicates and even terrorist groups. The targets are equally varied: perpetrators are interested in state and trade secrets, and may also target critical infrastructure. This threat was realised with the discovery of the Energetic Bear campaign, which targeted critical infrastructure in the US. The threat was deemed severe enough that at the beginning of July the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning urging all organisations involved in critical infrastructure to monitor their systems.

Dire consequences for small businesses

On 15 June, a cloud-based code hosting service, Code Spaces, was forced to shut down following a Distributed Denial of Service (DDoS) attack. In a letter posted on its now-defunct website, the company explained that the incident began as a standard DDoS attack before the perpetrators attempted to extort a large sum of money from the organisation. When the company refused to pay, the criminals deleted most of its data, backups, machine configurations and offsite backups. The potential cost of recovering and refunding customers, together with the reputational damage, forced the company to cease operations.

Impact to businesses: This incident highlights the crippling effect cyber attacks can have on SMEs. The cost of resolving an attack exceeds that of defending against it, and when combined with the reputational damage that loss or compromise of data brings, the consequences are worse still for small and medium-sized businesses. Although Code Spaces was able to withstand the initial DDoS attack, the extortion and the destruction of data which followed ultimately closed the business; backups that can be deleted with the same access that runs the production systems offer no protection against an attacker of this kind. The incident indicates the need not only for appropriate security to detect, prevent and recover from cyber attacks, including backups held beyond the reach of a compromised account, but also for experts in extortion to counter any ransom demands.

Page 4

Recent incidents of note

Global spending on information security set to exceed US$71 billion in 2014: A report by Gartner Inc, a US-based technology research firm, indicated that global spending on information security will exceed US$71 billion in 2014, a 7.9 percent increase on last year’s spending, in large part due to the need to invest in new methods of countering cybercrime. A proliferation of malware, both in how readily it can be obtained and in the forms it takes, has contributed considerably to this increase, as has the shift among businesses which previously treated information security as an IT function towards treating network security as a matter of business continuity.

Nokia blackmailed using source code: Nokia, the mobile phone manufacturer based in Finland, was blackmailed into paying millions of euros to hackers who threatened to reveal part of the source code for its mobile operating system. According to local media sources, the hackers had obtained encryption keys relating to Nokia’s Symbian software and threatened to make them public. Had that happened, Nokia could have faced an increased level of malware on its smartphones, since the keys would have allowed attackers to sign malicious software that handsets would accept as legitimate. Nokia is believed to have contacted the Finnish police and arranged for the ransom to be paid; however, when the money was collected from the agreed location, a car park, the police ‘lost track’ of the criminals.

Free decryption for CryptoLocker malware: CryptoLocker, ransomware which encrypted files on a victim’s computer before demanding payment in exchange for the decryption key, is believed to have infected around 500,000 computers by June 2014. Those victims can now recover their encrypted files without paying. Law enforcement and cyber security firms collaborated to gain access to a database of infected computers, and after analysing this data created an online portal through which victims can obtain the decryption keys free of charge. Victims were initially faced with a ransom demand of US$400, €400, or the equivalent in Bitcoin. Information taken from the database of victims indicates that only 1.3 percent of those infected paid the ransom.

Average DDoS attack size increases by 216 percent: According to a report by Verisign, the average size of DDoS attacks in the last quarter grew by 216 percent, with approximately two-thirds being recorded at over 1Gbps. Media and entertainment (43 percent) and IT services (41 percent) were the most-affected industries.

New York records record number of breaches: According to a report issued by the New York state attorney general, more than 900 data breaches took place across the state in 2013, costing the public and private sectors more than US$1.37 billion and compromising the personal and financial records of 7.3 million New York residents. Hacking of computer networks was the primary cause, although the attorney general stated that the majority of the incidents could have been prevented. The report said that businesses of all sizes had suffered breaches, including those in the financial and health service industries.

The overall number of digital attacks against public and private institutions across the US has risen in recent years; in March 2014, for example, Chinese hackers infiltrated US government systems to obtain information on federal employees. These figures point to the increasing risk of cyber attacks to businesses of all sizes and the financial impact they can have.

Data breach at the UK Information Commissioner’s Office: On 15 July 2014, it was announced that the Information Commissioner’s Office (ICO) had suffered a ‘non-trivial data security incident’ in the past year. The details have not been released, and the ICO stated that it will not offer further information on the breach. This follows a similar breach in 2011.

US Montana Department of Public Health exposes 1.3 million records: Recent reports indicate that on 22 May, the Department of Public Health and Human Services for Montana shut down its server after suspicious activity was detected. An independent forensic investigation was launched, which uncovered that 1.3 million records, including health care and bank account details, may have been exposed after the server had been hacked. The server also held information such as names, addresses, birth dates and social security numbers for patients, as well as information regarding health assessments, diagnoses, treatment, health conditions, prescriptions and insurance. A statement released by the department states that those affected were being contacted and offered free credit monitoring services.

Page 5

Fortunately, last year the department upgraded its property insurance policy to include cover for data security incidents. The policy’s US$2 million of cover will pay for costs such as setting up a helpline, free credit monitoring and mailing notifications to those affected.

Cybercrime affects organisations of every kind; red24 can provide clients with the following services to reduce the risk of falling victim to this form of crime:

• Cyber professionals
• Extortion advisors
• Traditional investigators
• Public relations
• Crisis management consultants
• Breach notification
• red24 can assist and support organisations pre- and post-incident if required.
• Our Crisis Response Management (CRM) Centre provides assistance 24/7.

red24 has been supporting clients with their risk mitigation procedures and crisis management preparations since 2001.

Contact us

red24’s Crisis Response Management (CRM) Centre is staffed 24/7 and is ready to assist and support you in the event of a cyber incident.

Tel: +44 (0) 203 291 2424 Email: [email protected] Web: www.red24.com