The ongoing worldwide outbreak of coronavirus disease (COVID-19), which originated in Wuhan, China, in December 2019, continues to grab headlines. As of late February 2020, more than 90,000 cases had been confirmed and at least 3,000 people had died. The World Health Organization (WHO) has declared the outbreak a public health emergency of international concern, and health authorities continue to work to contain the spread of the disease.
Companies have a duty of care to their employees as well as a broader responsibility to their business partners and communities.
Steps to assist your company
Start preparing for a pandemic early. Organizations should review their existing business continuity and emergency management plans, including evaluating the impacts of a temporary reduction in workforce or a higher-than-average number of employees working remotely.
Assess risks and vulnerabilities to physical and cyber systems from a reduction in staff, both internally and among key organizational interdependencies, such as supply chain partners or service providers.
Communicate early and regularly, internally and externally, since information voids will often be filled with incorrect information.
Security and IT executives need to brief senior leadership regularly and ensure there is a clear understanding of leadership’s expectations and their true level of risk acceptance.
Establish an “intelligence baseline”. Going on a quest for perfect information about a widespread health concern is unreasonable and will exacerbate the frustration security executives might already feel. Determine which trusted sources of information you’re going to rely on; good examples include the WHO, the Centers for Disease Control, the Department of Health or a trusted medical response provider.
Focus your awareness campaign on those sources, unless gaps emerge that must be addressed. Sticking with select sources allows you to conduct trend analysis on how the situation is evolving.
Identify potential triggers, risk tolerances and responses. All crises are fluid, but emergent medical issues tend to be even more so. A trigger-based escalation matrix can be an incredibly powerful tool to help you respond more confidently. When new information comes in, it’s important to validate it as soon as possible and discern which escalation plans or other pre-vetted decision trees might need to be recalibrated.
Accept that the ‘facts’ are likely to change. Be prepared to re-evaluate your assumptions of those so-called facts and then adjust your action plans based on new information or emerging trends.
Ensure a coordinated response. Organizations must ensure a strong, coordinated response that integrates cybersecurity, emergency management and risk communications staff.
Ensure consistent and frequent communications to your staff and external stakeholders.
Think globally. The term pandemic refers to a disease that has spread across a large region such as multiple continents.
When evaluating security risks or preparing business continuity plans, companies need to be prepared for potential impacts on a worldwide scale. Ensure all plans have factored in worldwide aspects of your business, including supply chain, customers and service providers.
Keep in mind that many suppliers and business partners are in different parts of the world. Contact business partners—especially supply chain—to confirm instructions for requests, orders, shipments, receipts, payment, etc.
Stress test all facets of the remote work capability. Estimates of the peak impact of COVID-19 vary widely and likely will continue to vary for some time. What’s clear is that the business impacts are not going away and may well increase before they begin to dissipate.
Remote work—whether by choice or out of necessity—will likely have to play a significant role in your business continuity planning. Stress test every facet of your infrastructure now. An IT backbone intended to remotely support perhaps 10% to 20% of the workforce might struggle under the weight of the current challenge.
The earlier you understand the weak points in your systems, the more time you’ll have to problem-solve or to prioritize who should have access to them.
Be transparent in sharing updates. Even the best business continuity plan is likely to be significantly challenged without dedicated employees willing and able to go above and beyond their normal responsibilities to help navigate the unique challenges a medical crisis can pose. Ensure those employees’ efforts are recognized and appreciated.
By removing—or simply reducing—your employees’ burden of sifting through an overwhelming and contradictory mountain of ‘intelligence,’ you enable them to focus on their roles and free them up to help meet the challenges to the organization.
The Australian public is being warned against an SMS scam urging users to click on a link for coronavirus testing locations.
On Monday night, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) issued a High Alert Priority warning advising users to simply delete the text message and not click on any links.
“The link in these text messages is not legitimate, and if clicked on, may install malicious software on your device, designed to steal your banking details,” the warning read.
It came as the Australian Competition and Consumer Commission (ACCC)’s Scamwatch reported it had received multiple reports of coronavirus-themed scam texts from members of the public.
The scam message reads: “You’ve received a new message regarding the COVID-19 safetyline symptoms and when to get tested in your geographical area”, followed by a link which uses ‘covid19info’ as part of its domain name.
Despite being grammatically challenged, the message uses words such as safety and tested, two key words preying on people’s susceptibility to click on links for more information about a rapidly threatening pandemic.
Ramping up
The warnings come a week after users were warned to avoid scam emails along the same lines.
Crispin Kerr, Australian Country Manager for cyber security firm Proofpoint, said the company had observed a sharp increase in the number of coronavirus-related email scams, with bad actors sending out more than 200,000 emails at one time.
“These emails are extremely well-crafted and use stolen branding to make it appear they are coming from a legitimate, trusted source,” Kerr said.
“For example, we’ve seen cybercriminals pretending to be the ‘World Health Organisation’ and ‘Australia HealthCare,’ a fake but fully branded health organisation, to try and convince individuals to click through to a malicious link by offering advice on how to stay safe from the coronavirus.
“The COVID-19 lures we’ve observed are truly social engineering at scale. They know people are looking for safety information and are more likely to click on potentially malicious links or download attachments,” Kerr said.
The ACSC says if you've received one of these messages and clicked on the link, contact your bank immediately.
If you’ve been scammed out of money, report it to ReportCyber at www.cyber.gov.au/report.
CORONAVIRUS PHISHING ATTACKS
Cybercriminals are using concerns about the coronavirus to launch phishing attacks
Learn to identify and protect yourself against such attacks
What is Happening?
While COVID-19, or the novel coronavirus, is capturing attention around the world, cybercriminals are capitalizing on the public's desire to learn more about the outbreak. There are reports of phishing scams that attempt to steal personal information or to infect your devices with malware, and ads that peddle false information or scam products.
In one example, a phishing email that used the logo of the CDC Health Alert Network claimed to provide a list of local active infections. Recipients were instructed to click on a link in the email to access the list. Next, recipients were asked to enter their email login credentials, which were then stolen.
What Should You Do?
If you are looking for information on the coronavirus, visit known reputable websites like the U.S. Center for Disease Control or the World Health Organization. Be on the lookout for phishing emails which may appear to come from a trusted source.
You can look at the sender’s details – specifically the part of the email address after the ‘@’ symbol – in the ‘From’ line to see if it looks legitimate.
Be wary of emails or phone calls offering unexpected or unprompted information.
Be aware of emails from unfamiliar sources that contain links or attachments. Do not click on these links, as they could be embedded with malware.
Although social media companies like Facebook are cracking down on ads spreading coronavirus conspiracies and fake cures, some ads may make it past their review process. Remember, it’s best to seek information on the disease from official sources like those mentioned above.
AUSTRALIA POST Email Scams
Australia Post has issued a warning to watch out for fake emails that claim a package of yours hasn’t been delivered because of a weight limit.
The emails have subject lines like “unfortunately we have not been able to deliver your package” and prompt people who open them to click on a phishing link that directs them to a fake Australia Post website asking for personal and banking information.
“Please note that Australia Post will never email or text message you asking for personal information, financial information or a payment,” Australia Post said. “If you are in doubt about the authenticity of an email, text message or phone call, please delete immediately or hang up.”
The notification about email scams comes within days of Australia Post warning it had seen evidence of “cyber criminals” putting together “fake websites branded with the Post Billpay logo”.
An example of the fraudulent websites provided by Australia Post includes many of the same logos and artefacts as the legitimate Billpay web page, making it a believable fake at a cursory glance.
The fraud is more evident when you notice that the fake text boxes (asking for a card number, expiry date and CCV) have mismatched sizes and there is a strangely phrased “Payment For Delivery 3 AUD Fees to receive your package” above the Visa and Mastercard logos.
Increased scam activity comes amidst a surge in Australia Post delivery requests as a result of people shopping online during the COVID-19 isolation period.
Auspost reported a 90 per cent increase in deliveries during April compared with the same time last year. As a result, the delivery organisation added 600 casual staff to help manage the load.
Scams on the rise
COVID-19 has led to a spike in the number of scams being perpetrated online.
The Australian Cyber Security Centre (ACSC) said it received an average of two cybercrime reports per day between mid-March and late April and had responded to a further 20 incidents involving COVID-19 national suppliers or response services.
Leaning on tech giants like Google and Microsoft, the ACSC has knocked down hundreds of malicious coronavirus-themed websites.
Emails and SMS messages have also been regular attack vectors for scammers looking to take advantage of the global health crisis.
Unveiling Telstra’s ‘Cleaner Pipes’ initiative this week, Telstra CEO Andrew Penn said the company was upgrading its DNS filtering and its ability to block scam text messages.
“If COVID-19 is forcing the pace and scale of innovation it is also underscoring the critical importance of cyber security,” Penn said. “In an era where staying at home means staying safe, staying safe and secure online has also never been more important.”
If you spot a scam you can report it to the ACCC’s Scamwatch, and if you fear you have been a victim of identity theft, contact ID Care.
Online Australian Car Auction Ransomware Attack
A major car auction company has been hit by a malware attack that has locked its computer networks, with the hackers demanding a $30 million ransom.
The Australian branch of Manheim Auctions, which runs car auctions online and in person, was the subject of a cyber attack last month that locked staff out of its computer system, forcing it to stop trading for several weeks.
Earlier, the firm had revealed it was the subject of a cyber attack, but the full extent was not revealed until a statement from Western Australia Consumer Protection this week, which confirmed the cyber criminals were demanding a $30 million payment for access to Manheim Auctions’ computer network to be restored.
The company has insisted that no personal data of its users has been compromised as part of the attack, and that it will not be paying the ransom.
WA Commissioner for Consumer Protection, Penny Lipscombe, said the incident involved a ransomware attack.
“Often the ransomware is downloaded by an employee who opens an attachment in a scam email or clicks on a link, giving the cyber criminal access to the computer system,” Lipscombe said. “The system is locked by the criminals and files encrypted, followed by a ransom demand to have the system unlocked.”
IT experts from Manheim Auctions’ parent company in America, Cox Automotive, are now working to restore the firm to normal operations and develop a new website.
Lipscombe backed the company’s decision not to pay the ransom.
“Of course, we recommend that companies do not pay the ransom as the criminals are likely to come back asking for more money,” she said. “Paying will also give the criminals added incentive to continue their illegal and highly disruptive practices. Instead, seek expert IT assistance to have the computer system restored.”
The hack is believed to have taken place on 14 February. Two days later, the company posted on its Facebook page that its website was down due to ‘technical issues’.
On 18 February, the company revealed that it was a “cyber incident related to a third party”.
“As a result, we still have restricted access to some of our computer systems and the information contained within,” Manheim Auctions said in the Facebook post. “Since first becoming aware of this IT security incident, we have been working closely with external professional IT security advisors to help facilitate a restoration of services as soon as possible.”
Manheim’s website was offline and it was forced to cancel a number of planned auctions. It soon began to run auctions in person only.
The cyber incident appears very similar to one that impacted transport giant Toll earlier this year. The company was hit with one of the largest ransomware takedowns ever seen in Australia at the end of January, leaving its IT systems down and having to resort to manual processing for several weeks.
The company’s network was infected with a strain of the Mailto ransomware, which locks the files into the unusable “mailto” format. Toll also refused to pay the hackers’ ransom and claimed there was “no indication that any personal data has been lost”.
Global money exchange firm Travelex was also hit with a ransomware attack late last year, which left the company conducting its services manually. The hackers reportedly demanded a ransom of more than $8.5 million to decrypt 5GB of customer data that had apparently been obtained.
Lipscombe said there are a number of steps companies can take to protect against ransomware attacks, including educating staff not to open email attachments from unknown senders, keeping antivirus software up to date and maintaining a backup of all data in a safe place.
“All businesses should have their cyber security reviewed and updated so that they have the latest antivirus software and firewalls installed to be protected from malware,” she said.
“Staff also need to be trained not to automatically open attachments or click on links in emails, especially if the sender is unknown.
“Money spent on cyber security is money well spent, especially when compared to the cost of having computer systems locked and, in extreme cases, businesses not being able to operate for a considerable amount of time.”
CYBER ATTACK HITS HOSPITALS IN VICTORIA
A sophisticated cyberattack has brought down the computer systems of several regional hospitals in Victoria.
The attack affected hospitals in the Gippsland Health Alliance, in the state's east and South West Alliance of Rural Health.
This includes hospitals in Warrnambool, Colac, Geelong, Warragul, Sale and Bairnsdale, as well as a host of services in smaller towns.
According to Dr Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security at La Trobe University, the attack can be attributed to human vulnerabilities.
“This is a ransomware attack,” he said. “The ransomware attack shut down the entire hospital systems from patient records, booking and management systems -- which may impact patient contacting and scheduling. Doctors will not be able to access patients’ health records either.”
Although the type of attack and who was involved are yet to be confirmed, the Department of Health and Human Services (DHHS) said the cyber incident was uncovered on Monday and the Victorian Cyber Incident Response Service has been deployed after the infiltration of ransomware blocked access to several systems, including financial management.
“Hospitals have isolated and disconnected several systems such as the internet to quarantine the infection,” it stated. “The priority is to fix all affected systems and prevent any further compromise.”
According to DHHS, this isolation has led to the shutdown of some patient record, booking and management systems, which may impact on patient contact and scheduling. Where practical, hospitals are reverting to manual systems to maintain their services.
West Gippsland Healthcare Group chief executive officer Dan Weeks said most of the local IT services are still functional including internal intranet communications, phone system, public address system, access to printers and external websites.
The Victorian Premier’s office has confirmed Victoria Police and the Australian Cyber Security Centre are also on board to manage the incident and investigate the scope of the attack.
“A full review will take place to address what has occurred and identify what additional measures may be required to ensure hospitals have the best protection against cyber security incidents,” stated Premier Daniel Andrews.
Attack not exactly a surprise
The incident shouldn’t come as a surprise to the Victorian Government, as an inquiry into the Security of Patients’ Hospital Data by the Victorian Auditor-General’s Office, released in May 2019, found Victoria’s public health system to be highly vulnerable to cyberattacks.
According to the report there were key weaknesses found in health services’ physical security and in their logical security – which covers password management and other user access controls.
“Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located,” stated the report.
“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”
Arachchilage told Information Age it was “very clear” that cybercriminals are interested in “breaking into people’s mindset rather than breaking into systems straightway”.
“Cybercriminals usually launch a ransomware attack by locking the data on a victim’s computer -- typically by encryption,” he said. “Ransomware attacks normally occur through phishing links – which is the art of human hacking.”
“Prevention is better than the cure,” said Arachchilage. He urged organisations to back up their data and to follow the Australian Signals Directorate’s top eight mitigation strategies, introduced to reduce cyber risk across many enterprises, as a baseline level of security.
Dane Meah, CEO of InfoTrust, encouraged all businesses to implement email authentication controls, limiting the ability of cybercriminals to send spoofed emails.
“Unfortunately, when cyber security is not prioritised, it will take a major incident for people to sit up and realise a proactive approach is needed,” he said. “In a recent case we saw an organisation lose close to $2m in cash. A data breach can be even worse.”
Meah believes there has been a paradigm shift where it’s expected that attacks like these will occur, but it’s how an organisation detects and responds to an incident that matters most.
“I’m sure there’s more that could have been done to avoid this attack - hindsight is 20/20,” he said. “I’d encourage organisations concerned with being hit by ransomware to review the egress points that ransomware hits.”
HACKER BREACHES US BANK
A lone actor has hacked into US bank Capital One in a massive data breach affecting more than 100 million Americans.
Fourteen years’ worth of customer data, including 140,000 social security numbers and 80,000 bank account numbers, was compromised in the incident.
Capital One became aware of the breach when it received an email linking to a GitHub file of the linked data.
The file contained code for a set of commands that granted access to a cloud server behind a misconfigured firewall and over 700 folders or buckets of data.
Capital One has confirmed it has since fixed the vulnerability on its web applications that are hosted on Amazon Web Services (AWS).
Paige Thompson, 33 – known by the username ‘erratic’ – is the FBI’s main suspect.
She is a former Amazon employee and systems engineer who worked on AWS.
Thompson’s name and GitLab profile were included in the GitHub file dump.
In an affidavit, FBI Special Agent Joel Martini explained how he linked Thompson’s GitHub account to a server list matching IP addresses controlled by the same VPN provider from which the Capital One breach took place.
Martini also tracked Thompson through a Meetup group with “Paige Thompson (erratic)” listed as the organiser.
That group contained a Slack invitation code to a channel on which user ‘erratic’ boasted about files she accessed illegally – and the methods she used to hide her activity.
Martini also linked the Twitter account @0xA3A97B6C with the username ‘ERRATIC’ which had been messaging the person who eventually tipped off Capital One about the data breach.
“I’ve basically strapped myself with a bomb vest, f@#%ing dropping Capital One’s DOX and admitting it,” they said in one message.
Based on this evidence, Martini and other FBI Special Agents executed a search warrant on Thompson’s home earlier this week, where they seized devices containing references to Capital One and AWS, to other potential targets, and material further connecting Thompson with the ‘erratic’ alias.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Capital One Chairman and CEO, Richard Fairbank.
"I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right."
The felony charge of gaining unauthorised access to information on a financial institution’s computers carries a maximum sentence of five years in prison and a US$250,000 fine.
SEXTORTION EMAILS HIT AUSTRALIA
Australians are being hit with a new online scam that appears to be coming from their own email account, with more than 300 reports from the public just this week.
The Australian Cyber Security Centre put out an alert this week about the widespread scam, a new form of the common “sextortion” tactic.
The scam involves individuals receiving an email that appears to come from their own email account which threatens to reveal intimate photos of them unless they pay a fee, often in cryptocurrency.
“This scam uses a tactic known as ‘sextortion’ – a form of online blackmail where a cybercriminal threatens to reveal intimate images of someone online, often to their friends and family, unless they pay a ransom quickly,” the alert said.
“The scam uses ‘spoofing’ to make the email look like it’s come from your own email address. Email spoofing occurs when email addresses are manipulated to come from a different source but display a legitimate address.
“This is a technique commonly used by cybercriminals to make their scam seem real.”
The Australian Cyber Security Centre, Office of the eSafety Commissioner and Scamwatch have received more than 300 reports from the public of the scam in this week alone.
The alert includes a number of tips and warnings for Australians.
It says that you should never give in to the demands of the scam email, and report it straight away to the Office of the eSafety Commissioner.
You should never give the scammer any money or images, and should cease contact immediately.
You should also immediately change the passwords for all of your online accounts, including your email address, and call 000 if you are fearful for your physical safety.
It’s likely that if a password was obtained and used as part of the scam it was because it was included in a previous breach, and the eSafety Commissioner advised Australians to check whether they have been caught up in any breaches using the haveibeenpwned.com platform.
It’s a new form of the common sextortion scam. A global version of the tactic emerged last year, where victims were told that the camera in their device had been hacked and footage of them watching pornography or other compromising websites had been obtained, and this would be released if a ransom wasn't paid.
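The sender checks in the coronavirus phishing advice above (look at the part after the ‘@’, distrust unexpected links) and the address spoofing the ACSC alert describes can be turned into a small triage script. This is an added example, not code from the ACSC, ACCC, Proofpoint or any other organisation named on this page; the trusted-domain allow-list, the brand table and the three sample messages are constructed for illustration.

```python
"""Triage of coronavirus-themed and spoofed-sender emails.

Added example, not code from the ACSC, ACCC, Proofpoint or any organisation
named on this page; the allow-list, brand table and sample messages are
constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list (the "intelligence baseline" idea above); use your own.
TRUSTED_DOMAINS = {"who.int", "cdc.gov", "auspost.com.au", "cyber.gov.au"}
# Display-name fragments that borrow a brand -> domain the real brand sends from.
BRANDS = {"world health organi": "who.int", "cdc": "cdc.gov",
          "australia post": "auspost.com.au"}
# Words from the lures described above ('covid19info', safety/tested, Billpay).
LURE_KEYWORDS = ("covid", "coronavirus", "safety", "tested", "auspost", "billpay")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def domain_of(header_value):
    """Lower-cased part after '@' of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def hostname_of(url):
    """Host part of a URL with scheme, port and path stripped."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()

def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def body_text(msg):
    """Decoded text of a single-part message (multipart handling omitted)."""
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "utf-8", "replace")

def triage(raw_message):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = domain_of(msg.get("Return-Path", ""))
    # Simplification: substring search. In production parse the header properly
    # and trust only results stamped by your own inbound gateway.
    auth = (msg.get("Authentication-Results", "") or "").lower()

    # 1. Visible From vs. envelope sender: the mismatch behind mail that
    #    "appears to come from your own email account".
    if rp_domain and from_domain != rp_domain:
        findings.append(f"From domain '{from_domain}' differs from Return-Path domain '{rp_domain}'")
    # 2. Email authentication: a spoofed From domain does not get a DMARC pass.
    if from_domain and "dmarc=pass" not in auth:
        findings.append(f"No DMARC pass for From domain '{from_domain}'")
    # 3. Display name borrows a brand while the address domain is elsewhere.
    for fragment, real in BRANDS.items():
        if fragment in display.lower() and not (from_domain == real or from_domain.endswith("." + real)):
            findings.append(f"Display name '{display}' imitates {real} but address domain is '{from_domain}'")
    # 4. Links to hosts outside the allow-list that carry lure keywords.
    for url in URL_RE.findall(body_text(msg)):
        host = hostname_of(url)
        hits = [k for k in LURE_KEYWORDS if k in host]
        if hits and not is_trusted_host(host):
            findings.append(f"Untrusted link host '{host}' uses lure keyword(s) {hits}")
    return findings

# Constructed sample shaped like the CDC Health Alert Network lure described above.
SPOOFED_CDC = """\
Return-Path: <bounce@mail-covid19info.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-covid19info.example; dmarc=fail header.from=cdc.gov
From: "CDC Health Alert Network" <alerts@cdc.gov>
Content-Type: text/plain; charset="utf-8"

Local active infections list: http://covid19info.example/list
"""

# Constructed sample shaped like the Australia Post / Post Billpay lure.
FAKE_AUSPOST = """\
Return-Path: <noreply@auspost-delivery.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=auspost-delivery.example; dmarc=none
From: "Australia Post" <noreply@auspost-delivery.example>
Content-Type: text/plain; charset="utf-8"

Pay the 3 AUD delivery fee here: http://auspost-billpay.example/pay
"""

# Constructed legitimate message: aligned domains, DMARC pass, trusted link.
LEGIT_WHO = """\
Return-Path: <news@who.int>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=who.int; dmarc=pass header.from=who.int
From: "World Health Organization" <news@who.int>
Content-Type: text/plain; charset="utf-8"

Latest report: https://www.who.int/emergencies/diseases/novel-coronavirus-2019
"""
```

Run `triage(SPOOFED_CDC)` and the two other samples to see which checks fire; the legitimate WHO message produces no findings.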
These scam emails often also included the current or former password of the account to add legitimacy.
Earlier this year, the eSafety Commissioner found that most victims of financial sextortion are men, who were threatened with the release of sexually explicit images unless they paid a fee.
Its study found that nearly a third of all image-based abuse being reported involves the sextortion technique.
Another report earlier this year found that Australian businesses are also more likely to be vulnerable to email scams than their international counterparts, with phishing attacks on the rise.
AUSTRALIAN ANDROIDS BREACH
More than 100,000 Australian Android users have had their devices infected with malware that replaces popular apps with fake versions serving up advertising, with more than 25 million incidents around the world.
Israeli cybersecurity firm Check Point Research released a report last week detailing the “Agent Smith” malware which it detected earlier this year, but was traced back to January 2016.
The malware exploits a previously known vulnerability in the Android operating system, disguising itself as a version of a popular app, such as WhatsApp, and then serving ads to the device owner.
It does this by searching for legitimate apps on the device and replacing them with malware-infected versions.
The malware was downloaded from third-party app store 9Apps.com, not Google’s official Play store.
After it was downloaded, the malware would then infect the innocent apps, which would display advertising out of context.
The infected apps were found to usually be a phone utility, game or adult-themed applications.
The malware was being used for financial gain by the hackers, who would receive money every time someone clicked on the advertising.
But Check Point Research said there are “endless possibilities” for the vulnerability to be exploited in much more serious ways, such as banking credential theft and eavesdropping.
“Due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device,” the report said.
More than 15 million of the infected devices were found to be in India, with 141,000 in Australia, 300,000 in the US and 137,000 in the UK.
Malware like this is typically focused on developing countries, making the spread of Agent Smith in the US, UK and Australia even more concerning.
Android users should update their phones immediately, and can search for the malicious apps by going to the Apps and Notifications section in Settings, tapping on the app information list, and searching for suspicious applications with names such as Google Updater, Google Installer for U, Google Powers and Google Installer.
These apps should be uninstalled.
“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” Check Point Software Technologies head of mobile threat detection research Jonathan Shimonovich said.
“Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith.
“In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection, as third party app stores often lack the security measures required to block adware loaded apps.”
There needs to be a more cohesive effort to combat threats like this, Check Point Research said.
“The Agent Smith campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android ecosystem,” the report said.
“It requires attention and action from system developers, device manufacturers, app developers and users so that vulnerability fixes are patched, distributed, adopted and installed.”
The cybersecurity firm connected the malware to a Chinese internet company based in Guangzhou, whose legitimate front-end business helps Chinese Android developers publish and promote their apps on overseas platforms.
Agent Smith was also found to resemble previous malware found on Android devices, like Gooligan, Hummingbad and CopyCat.
It also follows revelations last year that Android users were downloading malware-infested versions of the popular game Fortnite.
Android apps have also been found to automatically share user data with Facebook without the permission of users, according to a Privacy International report earlier this year.
NORTH KOREA MALWARE
The US government has issued a warning about a new malware strain believed to have been used by North Korean hackers.
Dubbed HOPLIGHT, the trojan malware variant has been identified by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) through “analytic efforts” between the agencies.
It is said to be targeting US companies and government agencies.
“Working with US Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government,” said the US Cybersecurity and Infrastructure Security Agency (CISA) in a statement.
“This malware variant has been identified as HOPLIGHT.”
The Malware Initial Findings Report (MIFR) details digital signatures for nine files associated with the malware, seven of which “are proxy applications that mask traffic between the malware and the remote operators”.
“DHS and FBI are distributing this MAR to enable network defence and reduce exposure to North Korean government malicious cyber activity,” the statement said.
According to CISA, the malware is able to generate fake TLS handshake sessions using valid public SSL certificates, which disguise network connections with remote malicious actors.
HOPLIGHT can read, write and move files, create and terminate processes, upload and download files and connect to a remote host, says the report.
A built-in proxy application can also mask communications with the remote command-and-control server.
The Lazarus Group
Referred to by the US government as HIDDEN COBRA, and also known as the Lazarus Group, the North Korean-aligned threat group behind the malware is believed to have been active since 2009.
It is the same group that was said to be responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment, which occurred in the lead-up to the release of comedy film The Interview (the film is about a plot to assassinate North Korean leader Kim Jong-un).
The malware attack copied critical files and rendered many computers within Sony inoperable.
A 2017 report into the WannaCry attack – which affected approximately 300,000 computers globally – concluded it was “highly likely” that Lazarus was behind the incident.
In September of last year, the US Department of Justice issued formal charges to Park Jin-hyok for his role in both the Sony and WannaCry attacks during his time working in the country’s Reconnaissance General Bureau.
Park remains on the FBI’s most wanted list.
FACEBOOK names in plain text
Hundreds of millions of Facebook user records were publicly displayed and accessible on Amazon servers in yet another major privacy incident for the social media giant.
Australian cybersecurity company UpGuard revealed the breach last week, finding records containing sensitive private information of Facebook users being stored on Amazon cloud servers without any protection, meaning they could be viewed and downloaded by anyone who found them.
The records were stored by two third-party Facebook apps and included comments, passwords, photos, names and likes.
The largest dataset belongs to Mexico-based media company Cultura Colectiva, which was openly storing 540 million records, with access only closed after it was reported in the media.
The other app, called At The Pool, stored the passwords and emails of 22,000 users in plaintext.
“The data sets vary in when they were last updated, the data points present and the number of unique individuals in each,” UpGuard said in the post. “What ties them together is that they both contain data about Facebook users, describing their interests, relationships and interactions that were available to third-party developers.”
The passwords stored in the At The Pool dataset were for that specific app rather than for Facebook, but there is significant risk that many users would have duplicated their passwords. The At The Pool parent company’s website has now been taken down. While the data was stored in its own Amazon S3 bucket, it was configured to allow for public downloads.
“This should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs and other details were openly exposed for an unknown period of time,” UpGuard said.
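To make the misconfiguration concrete, here is an added example (not code from UpGuard, Facebook or the page) that audits an S3 bucket policy document for the "anyone can download" grant described above and shows the same bucket restricted to a single IAM role; the bucket name, account id and role name are constructed placeholders.

```python
import json

# Constructed sample policies (not taken from UpGuard's report). The first is the
# "anyone can download" grant described above; the second restricts the same
# bucket to one IAM role. Bucket name, account id and role are placeholders.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-exports/*"}]})
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ExportReaderOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-app-exports/*"}]})

# Actions that cover object download, compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_statements(policy_json):
    """Return the Sids of Allow statements that let anyone download objects.

    A statement is flagged when it grants an anonymous principal an action
    covering s3:GetObject with no Condition block. Statements that do carry a
    Condition are not flagged here and should be reviewed by hand.
    """
    flagged = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if (st.get("Effect") == "Allow"
                and _is_anonymous(st.get("Principal"))
                and any(a in READ_ACTIONS for a in actions)
                and "Condition" not in st):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged

if __name__ == "__main__":
    print("public:", public_read_statements(PUBLIC_POLICY))  # ['PublicRead']
    print("locked:", public_read_statements(LOCKED_POLICY))  # []
```

Bucket ACLs and the account-level Block Public Access settings are separate controls that this check does not examine, so a clean policy alone does not prove the bucket is private.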
These third-party apps were previously able to easily access this sort of information from Facebook, until the company cracked down on this following the Cambridge Analytica scandal. An audit conducted by the tech company suspended hundreds of applications for mishandling user data.
“As these exposures show, the data genie cannot be put back in the bottle,” the cybersecurity researchers said. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”
UpGuard said it received no response from Cultura Colectiva when it notified the company of the breach, and Amazon also didn’t act to close access. The dataset was only secured after Facebook was notified of its existence at the start of this month, UpGuard said.
The At The Pool dataset was taken down during the cybersecurity firm’s investigation.
“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” UpGuard said.
“For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users.
“In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogeneous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”
The access to sensitive data that Facebook apps were given was put in the spotlight last year when it was revealed that political consulting firm Cambridge Analytica had harvested the data of millions of Facebook users without their consent, through an app offering a personality quiz.
It also comes just weeks after it was revealed that millions of Facebook passwords were being stored in plain text on the company’s own internal servers, accessible by employees.
New documents last month also showed that more than 100,000 Australians were caught up in another security breach last year, where Facebook user data on names, contact information and location were accessed.
Freedom of Information documents showed that up to 111,813 Australian Facebook users were impacted by this breach.
Alert: Australia has been hacked
Australian businesses have been infiltrated by large-scale global cyber attacks instigated by China.
The attacks focused on managed service providers (MSPs), which remotely manage the IT infrastructure of organisations, and often hold sensitive information.
It follows the US announcement that it had indicted two Chinese nationals: Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both members of hacking group Advanced Persistent Threat 10 (APT10).
APT10 acts on behalf of China’s intelligence and security agency, the Chinese Ministry of State Security.
It is believed the two men, who are on the FBI’s Wanted list, are currently in China.
The pair can now be arrested if they travel outside of China.
This morning, Australia joined the US in publicly condemning the attacks that have stolen intellectual property from businesses and government, with Senator the Hon Marise Payne, Minister for Foreign Affairs, and the Hon Peter Dutton, Minister for Home Affairs, expressing “serious concern”.
“The worldwide cyber security compromise serves as a reminder that all organisations must remain vigilant about security and that organisations such as MSPs must be responsible and accountable to those they serve,” they said in a joint statement.
In 2015, countries at the G20 Summit – including China – agreed to “refrain from cyber-enabled theft of intellectual property, trade secrets and confidential business information with the intent of obtaining a competitive advantage”.
Australia and China reaffirmed the agreement bilaterally just last year.
China slammed by US
The US Department of Justice (DoJ) said “hundreds of gigabytes of sensitive data were secretly taken” by APT10 which had targeted a range of companies since 2006.
These companies spanned aviation, banking and finance, satellite and maritime technology, mining and gas exploration, and manufacturing to name a few.
FBI Director Christopher Wray described the list of companies, not named in the indictment, as a “Who’s Who” of the global economy.
“Healthy competition is good for the global economy. Criminal conduct is not. Rampant theft is not. Cheating is not,” Wray said at a press conference.
“China’s goal, simply put, is to replace the US as the world’s leading superpower, and they’re using illegal methods to get there. They’re using an expanding set of non-traditional and illegal methods,” Wray said.
“China’s state-sponsored actors are the most active perpetrators of state-sponsored espionage against us.”
The DoJ echoed the sentiments.
“It is galling that American companies and government agencies spent years of research and countless dollars to develop their intellectual property, while the defendants simply stole it and got it for free,” said US Attorney Berman.
“As a nation, we cannot, and will not, allow such brazen thievery to go unchecked.
“No country should be able to flout the rule of law – so we’re going to keep calling out this behaviour for what it is: illegal, unethical, and unfair.”
Earlier this year, Australian cyber security expert Charles Widdis warned of China attacking businesses to steal information relating to quality management systems and business processes.
“If you’re a company doing business with other countries, you can expect that you’re being hacked – because they want to know your negotiating position,” he told Information Age.
“I don’t think [business leaders] accept that there are people whose job it is – they get paid – to take your information. It’s an employee in a company that’s attacking you.
“It’s nothing personal, he doesn’t dislike you – it’s just a job. At the end of the day, he goes home, he’s got a family to feed.
“It’s a real thing and it goes on.”
How China did it
APT10 used ‘spear phishing’ techniques to introduce malware onto targeted computers. The hackers sent emails that appeared to be from legitimate addresses but contained attachments that installed a program to secretly record all keystrokes on the machine, including user names and passwords.
The DoJ said NASA and the Department of Energy were victims, adding APT10 had compromised “more than 40 computers in order to steal sensitive data belonging to the Navy, including the names, Social Security numbers, dates of birth, salary information, personal phone numbers, and email addresses of more than 100,000 Navy personnel.”
The Australian government was less forthright, declining to name affected companies.
The Age named both IBM and SAP as being affected.
ACS President Yohan Ramasundara said the government had done the right thing in calling out the attacks.
“It is encouraging to see the Federal Government come out today and condemn the audacious and targeted Chinese attacks on MSPs that have occurred for more than a decade,” Ramasundara said.
“In a combined report released earlier this year, the Australian Strategic Policy Institute (ASPI) and ACS recommended governments use public attribution as a tool in deterring global cyber crime.
“Deploying improved messaging to both partners and adversaries, as well as creating consequences for actions, are also listed as key recommendations.
“Minister for Foreign Affairs, Senator the Hon Marise Payne, and Minister for Home Affairs, the Hon Peter Dutton MP, have led the way with their attribution of the Chinese cyber-enabled commercial intellectual property theft.”
Nigel Phair, Director of UNSW Canberra Cyber, agreed naming China was a step in the right direction, adding businesses need to be less lax about their cyber security.
“Organisations need to not take information security so lightly and think that it’s not going to happen to them,” he told Information Age.
“This is another wake-up call in a long line of wake-up calls.”
The Australian Cyber Security Centre (ACSC) has issued advice MSPs and their clients can use to limit their exposure and protect their information.
Copyright © Information Age, ACS