It is Tuesday, January 21st, 2020 and here are today’s most pressing cyber stories we need to know about.
160,000 data breaches reported already
Over 160,000 data breach notifications have been made to authorities in the 18 months since Europe's new digital privacy regulations came into force, and the number of breaches and other security incidents being reported is on the rise.
Analysis by law firm DLA Piper found that after General Data Protection Regulation (GDPR) came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.
The GDPR Data Breach Survey also calculates the total cost of GDPR-related fines paid so far to be €114m ($126m/£97m). The largest fine paid so far was one of €50m issued by the French data protection authority, CNIL, to Google over infringements around transparency and consent.
The UK Information Commissioner's Office (ICO) has issued notices of intent for two larger fines relating to data protection infringements, but neither of the organizations involved has yet reached a final settlement over the amounts.
In July last year, British Airways was issued with a £183m ($238m/€213m) fine following cyberattacks against its systems which resulted in personal details of around 500,000 customers being stolen by hackers.
Following what was described as an "extensive investigation", the ICO concluded that information was compromised by "poor security arrangements" at British Airways. At the time, the airline made it clear it wasn't happy with the fine, stating it was "surprised and disappointed".
Then, just a day later, the ICO issued a fine of £99M ($124M/€112M) to Marriott Hotels for a data breach which exposed the personal details of 339 million guests around the world – including 30 million European citizens and seven million UK citizens.
Hackers breached Starwood Hotels in 2014; that hotel chain was subsequently purchased by Marriott in 2016, but the breach wasn't discovered and patched until 2018. A statement from Marriott at the time of the penalty notice said the company was "deeply disappointed" by the proposed fine.
Both Marriott and British Airways are appealing their fines.
Under GDPR, organizations can be fined up to €20 million or four per cent of global annual turnover, whichever is higher, for the most serious infringements, including failing to secure personal data adequately ahead of a breach. Despite this, it's believed that just one third of organizations are fully GDPR compliant.
The €114 million in fines imposed to date is small compared with the maximum penalties available under GDPR, indicating that we are still in the early days of enforcement.
Mitsubishi Electric discloses security breach
In a short statement published today on its website, Mitsubishi Electric, one of the world's largest electronics and electrical equipment manufacturing firms, disclosed a major security breach.
Although the breach occurred last year, on June 28, and an official internal investigation began in September, the Tokyo-based corporation disclosed the security incident today, only after two local newspapers, the Asahi Shimbun and Nikkei, published stories about the hack.
Both publications blamed the intrusion on a Chinese-linked cyber-espionage group named Tick (or Bronze Butler), known to the cyber-security industry for targeting Japan over the past few years.
According to the reports in local media, the intrusion was detected after Mitsubishi Electric staff found a suspicious file on one of the company's servers, and it was later traced back to a compromised employee account.
"Unauthorized access began with affiliates in China and spread to bases in Japan," Asahi reported.
The newspaper said hackers escalated their access from this initial entry point to Mitsubishi Electric's internal systems, gaining access to the networks of around 14 company departments, such as sales and the head administrative office.
The two newspapers reported that hackers stole sensitive data from the company's internal network. In particular, Nikkei reported that hackers compromised "tens of PCs and servers in Japan and overseas," from where they stole around 200 MB of files, mostly business documents.
Mitsubishi Electric did not deny that data exfiltration took place, but only denied that the intruders stole data on its business partners and defense contracts.
The company said it's still investigating the incident, but according to open-source reporting, the attackers appear to have deleted access logs, slowing down investigators. Logs that exist only on the compromised host are at the intruder's mercy, which is why forwarding them to a separate, write-protected store matters for exactly this kind of investigation.
In Japan, the incident is being treated with the utmost severity. Mitsubishi Electric is one of Japan's biggest defense and infrastructure contractors, with active projects within the Japanese military, but also telecommunications, railways, and the electrical grid.
Before going public with the news today, Mitsubishi Electric had also notified members of the Japanese government and Ministry of Defense, according to local newspaper Mainichi.
DDoS mitigation firm founder admits to paying for DDoS attacks
A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others.
Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.
Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded — BackConnect Security LLC — had developed the unusual habit of hijacking Internet address space it didn’t own in a bid to protect clients from attacks.
Preston’s guilty plea agreement doesn’t specify who he admitted attacking, and refers to the target only as “Victim 1.” Preston declined to comment for this story.
But that 2016 story came on the heels of an exclusive about the hacking of vDOS — at the time the world’s most popular and powerful DDoS-for-hire service.
KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf.
Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a vDOS account that was active in attacking a large number of targets, including multiple assaults on networks belonging to the Free Software Foundation (FSF).
The 2016 story on BackConnect featured an interview with a former system administrator at FSF who said the nonprofit briefly considered working with BackConnect, and that the attacks started almost immediately after FSF told the company’s owners they would need to look elsewhere for DDoS protection.
Perhaps having fun at the expense of the FSF was something of a meme that the accused and his associates seized upon, but it’s interesting to note that the name of the FSF’s founder — Richard Stallman — was used as a nickname by the co-author of Mirai, a potent malware strain that was created for the purposes of enslaving Internet of Things (IoT) devices for large-scale DDoS attacks.
Ultimately, it was the Mirai co-author's use of this nickname that contributed to him getting caught, arrested, and prosecuted for releasing Mirai and its source code (as well as for facilitating a record-setting DDoS against KrebsOnSecurity in 2016).
According to a statement from the U.S. Justice Department, the count to which he pleaded guilty is punishable by a maximum of 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from the offense. He is slated to be sentenced on May 7.
Emotet Malware dabbles in Extortion with New Spam Template
The Emotet malware has started using a spam template that pretends to be an extortion demand from a "Hacker" who states that they hacked the recipient's computer and stole their data. Emotet is spread through spam emails that commonly use templates based around a particular theme such as shipping information, voice mails, scanned documents, reports, and invoices.
The threat actors will send out email templates that reflect approaching holidays, such as Christmas party and Halloween party invites, and trending current events such as an invite to a Greta Thunberg Demonstration.
The goal of all of these emails is to trick the recipient into opening an attached Word document that will attempt to download and install the Emotet malware onto the computer. Emotet will then use the infected computer to send further malicious spam and to download and install other malware onto the device.
Since the summer of 2018, scammers have been sending out sextortion emails that state that the recipient's computer was hacked and that an attacker recorded video of the recipient while on adult sites.
The emails then threaten to send the video to the recipient's friends and family if they don't pay the scammers a $500 to $3,000 extortion payment.
These emails are a scam and the attackers have no such video, but the threat scared enough recipients that the scammers made over $50,000 in a single week.
In a new template shared by security researcher ExecuteMalware, the Emotet operators have started to use a similar extortion template that states "YOUR COMPUTER HACKED!" and that the recipient's data was stolen.
The email goes on to tell the user to open the attached document for instructions on how to pay $50 or $100 or their stolen data will be sold on the black market for $10.
If the user opens the document, they are shown the standard Emotet lure stating that they need to click "Enable Content" to view it properly. Nothing runs until the user does so; once macros are enabled, the embedded VBA launches a PowerShell command that downloads and installs the Emotet Trojan on the computer.
Even worse, after some time Emotet will download the TrickBot information-stealing Trojan, which begins to steal the victim's login credentials, sensitive files, browser history, and more.
On high-value networks, TrickBot is also known to partner with the Ryuk Ransomware actors and will open a reverse shell back to them so that the Ryuk operators can encrypt the entire network.
Given the severity of an Emotet infection, users need to be wary of any unexpected emails they receive, especially ones carrying Word attachments.
Instead of opening an attachment, they should contact the sender through a known channel to confirm they sent it, or at least hand it to their network administrator so it can be opened in a controlled environment. Administrators can also remove the "Enable Content" decision from users entirely by blocking macros in Office files that arrive from the Internet through Group Policy.
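For the administrator who receives such a forwarded message, the first question is whether the attachment can run code at all. The following script is an added example written for this digest, not code from Emotet, Cryptolaemus or ExecuteMalware. It parses an .eml, flags subject and body text matching the extortion wording described above (the phrase list is an assumption drawn from the quoted template), and inspects each attachment without opening it in Office: a modern Word file is a zip, and the presence of a word/vbaProject.bin part means it carries VBA macros; a legacy OLE binary (.doc) is flagged for deeper inspection because its macro streams need an OLE parser. The sample email and the macro-bearing document are constructed in memory so the example runs offline; the VBA blob is placeholder bytes, not real macro code.

```python
"""Triage a suspicious e-mail for macro-bearing Office attachments (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                             # OOXML (.docx/.docm/...) container
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Assumed keyword list, taken from the extortion template quoted in the article.
LURE_PHRASES = ("hacked", "your data", "stolen", "sold on the black market")


def classify_attachment(data):
    """Return a verdict for one attachment's raw bytes without executing anything."""
    if data.startswith(OLE_MAGIC):
        # Macros live in OLE streams; a real OLE parser is needed to confirm them.
        return "legacy-ole: inspect with an OLE parser (may hold VBA)"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "corrupt-zip"
        hits = [p for p in MACRO_PARTS if p in names]
        if hits:
            return "ooxml-macro: " + ", ".join(hits)
        if "[Content_Types].xml" in names:
            return "ooxml-no-macro"
        return "zip"
    return "other"


def triage_eml(raw):
    """Parse an RFC 822 message and report lure wording plus per-attachment verdicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (subject + " " + body).lower()
    lure_hits = [p for p in LURE_PHRASES if p in text]
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        attachments.append((name, classify_attachment(payload)))
    return {"subject": subject, "lure_hits": lure_hits, "attachments": attachments}


def build_office_doc(with_macro=True):
    """Constructed minimal OOXML document; the vbaProject.bin content is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # not real VBA
    return buf.getvalue()


def build_sample_eml():
    """Constructed message imitating the extortion template described above."""
    msg = EmailMessage()
    msg["From"] = "hacker@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "YOUR COMPUTER HACKED!"
    msg.set_content("Your data was stolen. Open the attached document for payment\n"
                    "instructions or it will be sold on the black market.\n")
    msg.add_attachment(build_office_doc(with_macro=True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="instructions.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage_eml(build_sample_eml())
    print("Subject   :", report["subject"])
    print("Lure hits :", report["lure_hits"])
    for name, verdict in report["attachments"]:
        print(f"Attachment: {name} -> {verdict}")
```

Feed a real message in with `triage_eml(open("suspect.eml", "rb").read())`. The container check is deliberately structural: it does not trust the file extension, so a macro-enabled document renamed to .docx is still reported, and a legacy binary document is escalated rather than cleared.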
For those who wish to learn more about Emotet and its latest developments, we recommend that you follow the Cryptolaemus group on Twitter.
Cryptolaemus is a group of security researchers who provide frequent updates on this malware's activity so that other researchers and network administrators can be better protected against this threat.