In this edition of Qualys’ infosec news digest, we look at Orbitz’s data breach, AMD’s vulnerabilities controversy, and recent actions by the U.S. government against alleged Russian and Iranian cyber spies.
Orbitz was (kinda, sorta, maybe) hacked
Orbitz disclosed last week that personal information linked to almost 900,000 payment cards may have been compromised, after it detected a “data security incident” in which “there was likely unauthorized access” to customer data.
The customer data at risk includes payment card details, full names, dates of birth, phone numbers and e-mail and home addresses.
Orbitz doesn’t think that passport numbers nor travel itineraries were compromised. It doesn’t collect Social Security numbers. Orbitz, which is owned by Expedia, isn’t sure if data was stolen, but a privacy rights experts recommends that customers not rest easy.
“I think consumers should assume that their personal information has been compromised even though they may not have been notified. There have been so many data breaches that you just can’t assume that you haven’t been affected,” Beth Givens, executive director of the Privacy Rights Clearinghouse, told Consumer Reports.
Customers should monitor their accounts closely, and consider getting new payments cards, and placing either a fraud alert or an all-out freeze on their credit report, according to Consumer Reports. They should also sign up for the free credit monitoring service Orbitz is offering.
Meanwhile, independent security analyst Graham Cluley warned that “scams may arrive via email, in bogus phone calls, or even via post” so he advises to “keep a close eye on your finances, query unusual transactions, and be wary of unsolicited communications.”
The suspected breach, which Orbitz discovered on March 1st and took place between early October and late December of last year, affected a legacy travel booking platform used by consumers and business partners.
Over at TechRepublic, Conner Forrest pointed out that the Orbitz incident highlights the importance of properly securing legacy IT systems.
“Legacy systems are a reality in most IT environments, but they are also connected to a host of data breaches in the financial sector, healthcare industry, and more,” Forrest wrote.
“So, how does one stay safe? For starters, always update and patch systems to account for any known flaws,” he added.
Orbitz offered no explanation for how its systems may have been accessed without authorization. The data in question was generated by transactions made at different points in 2016 and 2017.
At least one of Orbitz’s partners has acknowledged being impacted: American Express said in a statement that the affected Orbitz platform serves as the booking engine for Amextravel.com and for travel booked through Amex Travel Representatives.
Whenever partners are involved in a data breach -- either because they caused it, or because they’re affected by it -- it’s relevant to bring up the issue of managing the risk of doing business with those in your network of trusted third parties.
Essentially, an organization needs to make sure its vendors, suppliers, partners and contractors are following good security practices, because if they slip and suffer a breach, you could find yourself involved in a difficult situation you had no control over.
In fact, there’s an example of this in the news right now. Limoges Jewelry reportedly left an Amazon AWS cloud storage bucket unprotected, exposing personal information of 1.3 million customers, including plain text passwords, MacKeeper’s Kromtech Security researchers reported earlier this month. But its partners are also getting dragged into the incident by association, most notably Wal-Mart, as Cluley noted in his take on the matter.
“Before you entrust sensitive data to any third party, your company needs to be sure the partner can and will keep it safe from attack,” Cluley wrote.
Iranian hacking ring exposed
The U.S. government on Friday unsealed an indictment detailing a “massive,” years-long cyber theft campaign against U.S. and international universities, public sector agencies and businesses, and charged 9 Iranian residents with carrying out the alleged hacks.
The defendants, all affiliated with Iran-based company Mabna Institute, carried out the alleged hacks between 2013 and 2017. They took, among other things, “more than 31 terabytes of academic data and intellectual property from universities,” according to a U.S. Department of Justice statement.
The victimized organizations included 144 U.S. universities, 30 American businesses, the U.S. Department of Labor, the states of Hawaii and Indiana, and the U.S. Federal Energy Regulatory Commission (FERC), as well as 176 universities in 21 foreign countries.
The data was given to intelligence agencies within the Iranian government, as well as to Iranian universities, according to the DOJ.
“The hackers targeted innovations and intellectual property from our country’s greatest minds. These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest,” said U.S. Attorney Geoffrey S. Berman for the Southern District of New York.
The primary hacking method of the alleged cyber thieves was spear-phishing, as they successfully compromised about 8,000 email accounts belonging to university professors in the U.S. and abroad.
While the defendants remain out of the U.S. government’s reach in Iran, the DOJ says this “name and shame” technique is worth pursuing, especially because it limits these individuals’ ability to do business and travel abroad, as this would put them at risk of arrest and extradition in more than 100 countries, including the U.K.
"This type of public identification helps to deter state-sponsored computer intrusions by stripping hackers of their anonymity and by imposing real consequences," Deputy Attorney General Rod Rosenstein said at a press conference, as reported by Politico.
Russians poking around U.S. critical infrastructure networks
As John E. Dunn highlights over at Sophos’ Naked Security blog, the U.S. government recently disclosed its discovery that the Russian government has been targeting public and private sector infrastructure organizations for cyber intrusion and surveillance.
In a US-CERT alert, the Department of Homeland Security and the FBI provided information about “Russian government actions” targeting U.S. government agencies as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks,” reads the alert.
After gaining access, the Russian government “cyber actors” conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
As stated earlier in this blog post regarding third-party risk, the hackers in this case targeted smaller “peripheral” organizations such as third-party suppliers with less secure networks, with the intention of leveraging those compromised systems as jumping off points to penetrate larger targets.
Techniques used by the hackers included spear-phishing emails from compromised legitimate accounts, watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting industrial control system (ICS) infrastructure, according to the alert.
AMD hardware vulnerability disclosures
CTS, a largely unknown security research firm in Israel, dropped a news bomb earlier this month when they claimed to have discovered 13 extremely serious vulnerabilities in AMD chips, a warning that echoed with a Meltdown / Spectre urgency.
However, when it became known that CTS had given AMD only a brief 24-hour window to address their findings, the researchers became part of the story and were on the receiving end of industry criticism for their haste in disclosing the bugs.
A back-and-forth ensued and when the dust cleared it turned out that exploiting the vulnerabilities wasn’t as easy as initially portrayed, for example requiring that attackers have admin privileges on the affected systems, as third-party researcher Trail of Bits concluded.
Last week AMD provided further clarification about the nature of flaws and the scope of CPUs affected in its own analysis, while promising to soon issue firmware patches and BIOS updates to remediate the vulnerabilities.
In other InfoSec news …