Breach Guide

Learn the steps to take in the event of a data breach and stay current on the cyber threat landscape with the FTC’s Data Breach Resources, FBI’s Daily Digest Library and San Diego’s Cyber Incident Response Guide.

Federal Trade Commission (FTC) Data Breach Resources

Find out the steps to take as a business or consumer if you experience a data breach.


FBI Cyber Daily Digest Library

Stay current on the global threat landscape with the FBI’s daily circulation of published data breaches and articles.

  • Eufy owners privacy breached for an hour, app showed wrong cameras

    • In a major security and privacy lapse, for an hour on Monday morning, users of Eufy cameras discovered that cameras owned by other users were viewable in their app instead of their own, and settings could be changed by those granted bogus access as well.
    • Initially spotted on Reddit, Eufy cam owners are reporting that attempts to log into the app provide complete access to another camera setup, seemingly in another country. As part of this access, the users are also able to see and change settings on the account and connected hardware, turn lights on and off, and also retrieve details like the camera owner's email address.
    • Some miscreants are taking advantage of this access. They are modifying settings for accounts, and there are reports of some talking to children on the other side of the camera.
    • Update: In a statement to AppleInsider and other venues, Eufy claimed that a "server upgrade" induced the problem for 0.001 percent of its users. The company also said that it identified the problem at around 5:30 AM Eastern Time, and fixed it by 6:30.
    - Malcolm Owen | May 17, 2021
  • Hardware security breaches are virtually guaranteed

    • Hardware breaches are difficult to implement, as they have a physical component and often require both planning and a bit of luck, but once a device’s hardware has been hacked it is incredibly vulnerable.
    • The most common fallouts from hardware breaches include loss of sensitive data, by far the most common problem and present in over half of the cases according to this report.
    • Another issue, of course, beyond exposure of sensitive data is irreparable harm to your organization’s brand or, worse, potential liabilities or lawsuits. The recent Verkada breach, which exposed hundreds of live feeds from video surveillance cameras inside schools, psychiatric hospitals and offices, was perhaps the biggest breach that made national news.
    • Currently, we live in a sort of naïvely hopeful place, where we trust businesses like Apple, Intel, and other hardware manufacturers to oversee the process to keep us secure.
    • Manufacturers of hardware also have a big portion of the responsibility on their shoulders. Their principal engineers should get a crash course in security to up their game.
    • Deploying zero-trust principles across an organization is our only hope as Chief Security Officers (CSOs) and security teams against the potential threats of hardware breaches. Not to mention, it’s just good practice in these increasingly digital times.
    • When hardware is breached, we lose control over what it does, but we retain control over what the system can do. With a zero-trust plan, you can establish rules that allow hardware pieces to communicate with a limited number of other points in the network.
    - David Barroso | May 17, 2021
  • Russian crime gang who targeted HSE in cyber attack hold Health Dept to ransom as health service forced ‘back 20 years’

    • THE Russian crime gang who have crippled the HSE in a cyber attack are also holding the Department of Health to ransom.
    • The Conti ransomware operation is believed to be run by an Eastern European cybercrime group known as Wizard Spider.
    • Foreign Affairs Minister Simon Coveney tonight said a “war room” has been set up as the Government and health service chiefs fight to safely restore their systems without having to pay the web crooks.
    • We revealed yesterday that the gang has demanded up to €16million in ransom off the HSE and they had access to its network for two weeks.
    • Minister Coveney said there were “real consequences” to paying criminals ransom.
    • It was claimed that the hack on the health service has forced the HSE “back 20 years” with GPs being asked to only make referrals if it is considered urgent.
    • In previous attacks conducted by the Wizard Spider group, phishing attacks are used to install Trickbot and BazarLoader trojans that offer remote access to infected machines.
    • They then steal credentials and harvest unencrypted data stored on workstations and servers before encrypting all of the devices.
    • They then use the stolen data as leverage to force victims into paying a ransom by threatening to release it on their ransom data leak site if they do not receive payment.
    • The hackers claim to have stolen 700GB of unencrypted files from the HSE — including patient and employee information — while lurking on its system for two weeks.
    • Hospitals across the country reported being severely impacted by the cyber attack.
    - Aoife Horan and Harry Manning | May 16, 2021
  • Colonial Pipeline reportedly pays $5M in cryptocurrency to hackers to end ransomware cyberattack

    • The hackers, who were paid in "untraceable cryptocurrency within hours after the attack," Bloomberg has reported, "are believed to be located in Russia or Eastern Europe."
    • The cyberattack deployed ransomware, which takes a computer system hostage and refuses to unlock it until a payment is made.
    • After successfully resuming operation in part on Wednesday, "Colonial Pipeline has made substantial progress in safely restarting our pipeline system and can report that product delivery has commenced in a majority of the markets we service," the company said Thursday morning in a statement.
    - Nathan Bomey | May 13, 2021
  • Tech audit of Colonial Pipeline found ‘glaring’ problems

    • An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.
    • How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%.
    • Colonial’s inability to locate a particular maintenance document: “You’re supposed to be able to find it within 15 minutes. It took them three weeks.”
    • One of the main recommendations was that Colonial hire a chief information security officer, a position that cybersecurity experts consider essential in any company with infrastructure vital to national security.
      • Colonial said it instead assigned those responsibilities to a subordinate of the chief information officer.
    • The audit found no security-awareness training, which mostly teaches employees not to fall victim to phishing, the cause of more than 90% of cyber-intrusions.
      • But Colonial said its expanded cybersecurity regime includes regular simulated phishing campaigns for employees.
    - Frank Bajak | May 12, 2021
  • FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks

    • President Biden signed an Executive Order to improve the nation’s cybersecurity and protect federal government networks.
    • This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.
    • FACT: Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments.
    • The Executive Order the President is signing today will:
      • Remove Barriers to Threat Information Sharing Between Government and the Private Sector.
      • Modernize and Implement Stronger Cybersecurity Standards in the Federal Government.
      • Improve Software Supply Chain Security.
      • Establish a Cybersecurity Safety Review Board.
      • Create a Standard Playbook for Responding to Cyber Incidents.
      • Improve Detection of Cybersecurity Incidents on Federal Government Networks.
      • Improve Investigative and Remediation Capabilities.
    | May 12, 2021
  • Researchers track down five affiliates of DarkSide ransomware service

    • On Tuesday, FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.
    • So far, FireEye has tracked five threat actors who are either current or past DarkSide RaaS affiliates.
    • RaaS subscribers are given access to custom malware -- in this case, the DarkSide ransomware variant -- in return for developers receiving a slice of any ransom payment profits.
    • FireEye has described the current activities of three out of the five linked groups, tracked as UNC2628, UNC2659, and UNC2465.
      • UNC2628: tends to move quickly from initial infection to ransomware deployment and may only lurk on a compromised network for two to three days before starting encryption.
        • Suspicious authentication attempts, brute force attacks, and 'spray and pray' tactics are common, and this threat actor may also acquire initial access through legitimate credentials for corporate virtual private networks (VPNs), which can be purchased from other cybercriminals online.
        • UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.
      • UNC2659 exploits CVE-2021-20016 to obtain initial access, a now-patched vulnerability in the SonicWall SMA100 SSL VPN, a service designed for mobile workers.
        • "There is some evidence to suggest the threat actor may have used the vulnerability to disable multi-factor authentication options on the SonicWall VPN, although this has not been confirmed," FireEye says.
        • TeamViewer is abused to maintain persistence on a compromised machine and the group exfiltrates files before encryption.
      • UNC2465 uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor. In a case documented by FireEye, initial access to a network was obtained months ahead of ransomware execution.
        • Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation. The NGROK utility is used by the threat actors to circumvent firewalls and expose remote desktop service ports.
    - Charlie Osborne | May 12, 2021
  • As investors go online, criminals follow

    • Amid a rise in online investing and the proliferation of mobile trading apps, the U.S. Financial Industry Regulatory Authority Inc. (FINRA) is seeing an increase in brokerage account breaches too.
    • FINRA said that reported incidents of criminals attempting to take over clients’ accounts using stolen login information are on the rise.
    • FINRA suggested that the rise in these kinds of attacks may also be enabled by the increased availability of stolen login credentials on the dark web, along with the development of tools to automate these intrusions, “using mobile emulators to mimic mobile devices that have been compromised to access thousands of online brokerage accounts.”
    • Along with using multi-factor authentication to better establish clients’ identities, firms are also deploying back-office controls to detect suspicious activity, and even scanning the dark web themselves for signs that their clients’ accounts may be compromised.
    - James Langton | May 12, 2021
  • Rail Firm Staff Fail ‘Bonus’ Phishing Test, Chaos Ensues

    • “Click here to claim your bonus pay,” said an email from a British train company, signed by the firm’s chief. Hundreds of West Midlands Trains employees did exactly that. Because of course they did.
    • But it was a phishing test—designed by IT. And now the staff are hopping mad. Not only will they not get the bonus they’d been expecting, but the email itself was in poor taste (according to the union, at least).
    - Richi Jennings | May 12, 2021
  • University Cancels Exams After Cyber-Attack

    • Final examinations at the oldest technological research university in America have been canceled following a cyber-attack.
    • Much of the computer network of Rensselaer Polytechnic Institute (RPI) was forced to shut down after unauthorized access was detected on Friday. Student assessments, research, and other academic activities have been impacted.
    • RPI did not share any further details of the incident such as what information may have been accessed.
    • Rensselaer Polytechnic Institute, which has around 7,900 students, is a private university sited in the city of Troy, New York. Information Technology and Web Science are among the academic disciplines taught at the Institute.
    - Sarah Coble | May 10, 2021

San Diego Cyber Incident Response Guide

Learn more about San Diego’s region-wide cyber incident response guide and available local, state and federal resources.

San Diego Cyber Incident Response Guide October 2017