Breach Roundup: Cyberwar Is Too Hot for Insurers
Also: A Phishing Network Takedown, Another Ivanti Critical Flaw and Meta Bans RT

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. Munich Re said it can't insure cyberwar, Rhysida took responsibility for hitting the Seattle airport, Meta banned RT, Ivanti disclosed a flaw, hackers exploited construction software, AT&T settled with the FCC, Transport for London is checking employee IDs, a cyber firm said web servers pose a big risk, and police disrupted a phishing network.
Munich Re Says Cyberwarfare Is Too Risky
Martin Kreuzer, senior risk manager for cyber risks at Munich Re, said Monday the reinsurer views cyberwarfare as uninsurable. "If we need to give up the entire business, we are prepared to do so, because we simply think we cannot insure cyberwar," The Insurer reported.
Munich Re, the industry's largest cyber underwriter, cannot accommodate the scale of cyberwar scenarios, which has prompted the company to push for clearer cyberwar exclusions in insurance policies, he said.
Cyber insurers have been aggressive in excluding incidents they say are the result of nation-state conflicts even as more corporations clamor for cyber insurance. Systemic and hard-to-quantify risks have pushed up policy costs for years now, although Moody's Ratings said earlier this month that new market entrants could lead to a "moderate" decrease in insurance premiums (see: Moody's Ratings: Cyber Insurance Competition Up, Prices Down).
Even companies that pony up for expensive cyber policies will likely find their policies don't reimburse the full cost of an incident (see: Breach Roundup: Cyber Insurance Doesn't Cover Breach Costs).
Several governments have investigated the possibility of creating a backstop for catastrophic cyberattacks but haven't come up with one.
Port of Seattle Confirms Rhysida Ransomware Attack
The Port of Seattle confirmed that the Rhysida ransomware group was behind the cyberattack that disrupted its systems for three weeks. The breach, initially disclosed Aug. 24, forced the agency to isolate key systems, causing IT outages that affected services at Seattle-Tacoma International Airport. These disruptions included flight check-ins, baggage handling, ticketing, Wi-Fi and passenger display boards (see: Seattle-Tacoma Airport IT Outages Persist Into Day 3).
The cyberattack encrypted parts of the port's systems, leading to outages that affected maritime facilities and the flySEA app. Most systems were restored within a week, though the port is still working to bring back services such as the SEA Visitor Pass, TSA wait time information and full access to its website and app.
Rhysida is demanding 100 bitcoins - roughly $6.4 million - for stolen information, which the group says on its leak site consists of 3 terabytes of "databases, internal logins and passwords of employees, a full dump of servers with emergency services applications Port of Seattle and Seattle-Tacoma International Airport (SEA), personal data staff and customers."
The port refused to pay the ransom.
Meta Bans RT, Russian State Media for Influence Operations
Meta banned Russian state media outlets, including RT and Rossiya Segodnya, from Facebook, Instagram and WhatsApp "for foreign interference activity." The Tuesday decision came just days after the United States indicted two RT employees on charges of money laundering in a scheme to influence the 2024 election. U.S. Secretary of State Antony Blinken accused RT of functioning as an arm of Russian intelligence, helping to spread disinformation, fund Russian soldiers and target elections globally, including the October 2024 election in Moldova (see: US Sanctions Russian Media for Secretly Funding Ukraine War).
Ivanti Discloses Another Cloud Services Appliance Flaw
Internet appliance maker Ivanti disclosed yet another critical flaw in its Cloud Services Appliance that is under active exploitation, just days after warning customers that hackers were exploiting a remote code execution flaw (see: Ivanti Vulnerability Again Forces Emergency Patches).
The Utah company said it discovered the new path traversal flaw, tracked as CVE-2024-8963, while investigating the previous critical flaw. Both affect version 4.9 of the Cloud Services Appliance, which allows enterprises to manage devices behind firewalls and can serve as a proxy for network access. Users who already applied the Sept. 10 patch don't have to apply a new one, since the path traversal flaw was "incidentally addressed" in that patch. The U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its list of known exploited vulnerabilities and gave federal agencies three weeks to address it.
Hackers have combined the two flaws to bypass admin authentication and achieve RCE. CSA 4.6 is at end of life, and Ivanti recommends that users upgrade to version 5.0. It also said dual-homed CSA configurations should ensure that eth0 is configured as an internal network.
In the past nine months, Ivanti has disclosed a steady stream of vulnerabilities and warned clients about active exploitation, a drumbeat that began in January when cybersecurity firm Volexity spotted a probable Chinese state hacking campaign exploiting zero-days in Ivanti gateway devices (see: Ivanti Discloses Additional Zero-Day That Is Being Exploited).
Hackers Target Construction Firms Via Foundation Software
Unidentified hackers exploited vulnerabilities in Foundation, accounting software used by the construction industry, according to cybersecurity firm Huntress. The attackers sought out publicly accessible installations and used default usernames and passwords to gain administrative access, affecting companies in the plumbing, concrete and HVAC sectors.
Huntress identified nearly 35,000 brute force attempts on Microsoft SQL Servers used by the software, and 33 of 500 installations were publicly exposed due to unchanged default credentials.
AT&T Settles FCC Probe Over 2023 Data Breach
AT&T agreed to a $13 million settlement with the U.S. Federal Communications Commission following a 2023 data breach that exposed customer proprietary network information of around 9 million customers. The breach, caused by a third-party vendor, did not compromise sensitive personal data such as Social Security numbers or financial information.
The FCC's investigation revealed AT&T failed to ensure its vendor properly protected customer data, which remained in the vendor's cloud environment for years beyond its contracted disposal date. As part of the settlement, AT&T committed to strengthening its data governance practices, including by limiting vendor access to customer information, enhancing security measures and conducting annual compliance audits.
Transport for London Requires In-Person ID Checks
Transport for London mandated that all 30,000 employees attend in-person appointments to verify their identities and reset passwords, following a cybersecurity incident at the urban transport authority. The Sept. 2 incident disrupted internal systems and affected some customer services.
Though TfL initially reported no evidence of compromised data, an update this week revealed that customer data, including names, contact details and addresses, was exposed. Sensitive information such as banking details and home addresses was not. TfL is contacting affected customers and reassuring them about the safety of its network.
The U.K.'s National Crime Agency arrested a 17-year-old from the West Midlands in connection with the attack. The suspect was released on bail.
Web Servers Pose Major Cybersecurity Risks
Web servers account for 34% of severe cybersecurity issues, more than any other platform, said cybersecurity firm Cycognito. Of the web interfaces surveyed, only 15% used secure protocols such as TLS or HTTPS, and less than half of those that handle personally identifiable information were protected by a web application firewall. Over 60% of interfaces exposing PII lacked WAF protection.
Cycognito said that many organizations focus on the wrong cybersecurity issues, and cybercriminals often target web servers rather than software supply chains. These compromised servers grant attackers access to the applications deployed on them, where they can then escalate their attacks.
A previous Cycognito survey found that while 60% of organizations update web applications weekly, 75% test them only monthly or less often. Many companies struggle to remediate vulnerabilities, and 53% of respondents reported difficulties even after web application tests revealed issues. Also, 35% of organizations experience a significant security event involving a web app at least once a week.
Spanish, Latin American Police Disrupt Phishing Network
Spanish and Latin American police took down a criminal network that fraudulently unlocked over 1.2 million stolen mobile phones using a phishing platform.
The operation, announced Thursday by Europol, was led by authorities in Spain, Argentina, Chile, Colombia, Ecuador and Peru. Dubbed Operation Kaerb, it resulted in the arrests of 17 individuals who used the iServer phishing-as-a-service platform to send malicious links to owners of the stolen phones under the pretext of recovering their lost devices.
Among those arrested is the alleged phishing platform administrator, detained by police in Argentina. Europol said the now-defunct iServer platform generated customized links mimicking legitimate companies to trick the victims into entering their mobile unlocking codes. The accused administrator has been developing and running phishing services since 2018 and has been in the mobile phone unlocking racket for the past five years, Europol said.
"The criminal sold access to his website and charged extra costs for phishing, SMS, emails or call performing. Criminal users of the platform, or 'unlockers,' provided phone unlocking services to other criminals in possession of stolen phones," the authorities said.
In addition to SMS phishing, iServer users at times directly contacted the victims by phone to personalize fraudulent messages and fake web pages. Investigators reported 483,000 victims worldwide, primarily Spanish speakers.
As part of the operation, the authorities identified more than 2,000 registered iServer users.
Cybersecurity firm Group-IB, which assisted investigators, said iServer stood out among automated phishing platforms for its focus on harvesting credentials to unlock stolen phones.
Other Coverage From Last Week
- Swiss Post to Strengthen Cybersecurity With Open Systems Buy
- Chinese Hackers Build Massive Botnet Targeting US Devices
- Australian Police Arrest Alleged Head of Ghost Encrypted App
- Apple Moves to Dismiss Suit Against Spyware Firm NSO Group
With reporting from Information Security Media Group's Prajeet Nair in Bengaluru, India; Akshaya Asokan in Southern England; and David Perera in Washington, D.C.