The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 4 May 2016
WhatsApp Restored in Brazil after being Blocked by Order Affecting 100 Million Users
From The Media
On Tuesday afternoon, an order made by a Brazilian judge on Monday was overturned. The order directed wireless carriers to block the popular mobile messaging application WhatsApp for 72 hours throughout Brazil. The order applied to over 100 million users, affecting the country’s top five wireless providers. Reports indicate that the ban was due to failure to comply with data requests related to a drug crime investigation.
Read the Story: NY Times
iSIGHT Partners Analyst Comment
WhatsApp has been temporarily banned twice in Brazil in recent months for failure to provide information to law enforcement on the grounds that the information could not be rendered readable. Both times WhatsApp’s service was reinstated in a matter of hours on appeal. The judge who ordered the ban had previously ordered the arrest of Facebook’s vice president for Latin America over an earlier request for information from WhatsApp. WhatsApp stores messages locally on customers’ devices and recently adopted end-to-end encryption in order to enhance its customers’ security and privacy. WhatsApp is one of several technology companies that have been embroiled in the ongoing, global debate regarding law enforcement access to customers’ encrypted data.
Related iSIGHT Partners Reports
ThreatScape Media Highlights (Feinstein, Burr Draft Encryption Bill Would Require Tech Companies to Decrypt Messages Under Court Order), 11 April 2016
15-00013224 (Global Law and Government Policy Roundup: August – October 2015), 3 Dec. 2015
Intel-1114792 (Country Threat Profile: Brazil), 20 May 2014
QNB Hackers to Leak Data from Another Big Bank Soon
From The Media
According to security researcher Mohammad Amin Hasbini, the actors responsible for hacking the Qatar National Bank are going to leak data from a second bank. Allegedly, the group is planning to release data from a large bank dating back to 2001. According to Kaspersky Lab, the hackers are known as Bozkurtlar and have Turkish roots.
Read the Story: Gulf News
iSIGHT Partners Analyst Comment
We surmise that the @_bozkurt_1923 threat to release data from a “new big Arab Bank” is credible, but have observed no evidence to suggest which bank may have been targeted. We believe that the AntiQNB and Bozkurt Hackers pseudonyms connected to this breach were created to publicize the QNB leak; social media accounts using these names have no history of cyber threat activity claims, have only limited connections to other accounts, and their Tweets appear to have been populated over a period of days. We observed limited indications that suggest the QNB attackers may be Russian in origin.
Related iSIGHT Partners Reports
16-00005280 (AntiQNB Leaked Data from Qatar National Bank), 23 April 2016
15-00013448 (‘Hacker Buba’ Publishes UAE Bank InvestBank Customer Data After Failed Extortion Attempt), 4 Dec. 2015
Fraudsters Steal Tax, Salary Data From ADP
From The Media
Actors have stolen tax and salary information from payroll company ADP and used names of ADP customers’ employees to register accounts. According to ADP, victim companies mistakenly published corporate account signup links and codes on the Internet, allowing actors to create accounts for users with only minimal personal information. ADP confirmed that fraud affected only a small subset of ADP customers this year.
Read the Story: Krebs on Security
iSIGHT Partners Analyst Comment
While obtaining W-2s from an ADP portal requires several pieces of personally identifiable information (PII), existing authentication measures do not appear to sufficiently bar malicious actors from fraudulently obtaining large numbers of W-2 forms from ADP. During recent months, iSIGHT Partners has observed an increase in the number of companies that have publicly disclosed successful phishing attempts resulting in the exposure of sensitive employee PII, including W-2 forms. Further, we have observed significant interest in such PII from malicious actors. We recommend that companies storing W-2 forms introduce additional authentication measures that do not rely only on PII, since PII is commonly compromised and widely available in underground markets, making it unreliable for authentication.
Related iSIGHT Partners Reports
16-00004218 (Surge in Public Disclosure of Phishing Schemes Targeting Employee W-2 Information), 11 April 2016
16-00002266 (GanjaMan Advertises Databases Containing US Individuals’ Personally Identifiable Information; Could Be Used in a Broad Spectrum of eCrime Operations), 11 March 2016
16-00001538 (Services Offering Multiple Types of PII Frequently Advertised Throughout Global eCrime Marketplaces), 9 Feb. 2016
Michigan Power and Water Utility Hit by Ransomware Attack
From The Media
The Board of Water and Light in Michigan was recently the target of a ransomware attack. Only the corporate network was affected; electric and water services were not disrupted. According to the Board of Water and Light, no customer information was compromised in the attack and neither the operational network nor the industrial control network was affected.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
At this time, we have not observed any indication that the Board of Water and Light was targeted specifically. Ransomware targeting is largely opportunistic, with malicious actors typically distributing their malware via widely targeted spam campaigns. While we have limited indications of interest by cyber criminals in targeting companies operating industrial control systems, the threat to these organizations from cyber criminals is largely similar to the threat facing many other organizations, with targeting centering on corporate networks and the databases accessible from them.
Related iSIGHT Partners Reports
16-00006184 (Ransomware Masquerades as Allen-Bradley File), 29 April 2016
16-00002294 (Ransomware Threat Landscape Overview), 28 March 2016