Data of 10.6m MGM hotel guests posted for sale on Dark Web forum

The personal data of 10,683,188 MGM hotel guests that leaked sometime in or before 2017 was posted for sale on the Dark Web this week, ZDNet reports.

It doesn’t matter that the data isn’t freshly baked: it’s still edible. ZDNet called hotel guests whose details were included in the data dump and found that, while some of the phone numbers had been disconnected, many were still valid, as “the right person answered the phone.”

The data was first spotted by an Israeli security researcher calling themselves Under the Breach, who claims to have “deep relations” with various threat actors, relationships that give them “pre-breach information on many publicly traded companies.”

Under the Breach says they spotted some Vegas-big names among the leaked guest records, including Twitter CEO Jack Dorsey, pop star Justin Bieber, and government officials from the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA).

Under the Breach came across the leaked files on an online forum commonly used by hackers, they told Business Insider. The researcher said that they’d cross-referenced the information with publicly available data and emails that had been exposed in previous breaches.

A spokesperson for MGM Resorts confirmed the security breach, saying that the data is old. The dump included full names, addresses, phone numbers, emails and birthdays, but MGM says that no payment information was compromised. The hotel chain hasn’t confirmed the identity of any of the affected guests; nor has Twitter commented on whether or not Dorsey’s information was involved.

ZDNet confirmed the authenticity of the data on Wednesday. None of the hotel guests whom the news outlet contacted had stayed at the hotel more recently than 2017. But regardless of how long ago the initial breach happened, the personally identifiable information (PII) is still valuable for use in spearphishing campaigns or in SIM-swap attacks, as Under the Breach told ZDNet.

An MGM spokesperson told ZDNet that the data came out of a security breach that happened last year:

Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.

The hotel chain said that it had promptly notified all affected hotel guests in accordance with applicable state laws. ZDNet wasn’t able to find any of those notifications, but it did find posts dating to August 2019 on the Vegas Message Board from people who said that they’d been alerted to the July breach.

The sale of the records has been linked to the threat actor known as GnosticPlayers, which has claimed responsibility for multiple big breaches, including the September 2019 hack of online social game maker Zynga, the theft of 26 million records from another six online companies in March 2019, and plenty more.

The tally of records put up for sale on the Dark Web by GnosticPlayers spirals ever upward: in 2019, the entity dumped more than a billion user records, ZDNet reports.


Latest Naked Security podcast

Adobe fixes critical flaws in Media Encoder and After Effects

After fixing a fat pile of critical security flaws as part of last week’s Patch Tuesday update, Adobe has come back with two more that need urgent attention.

This is what’s called an out-of-band update, meaning the vendor judged the vulnerability too risky, or too likely to be exploited, to wait for the next scheduled release.

The first is in the Windows and macOS versions of the After Effects graphics software and affects anyone running version 16.1.2 and earlier.

The flaw, identified as CVE-2020-3765 and reported to Adobe only days ago, gets little description from the company beyond the statement that the update:

Resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.

All that tells us is that any code the attacker runs gets the privileges of whoever is using After Effects, not of the system as a whole; for a bug in a desktop graphics application, that typically means persuading the user to open a booby-trapped file. None of which detracts from the need to patch.

The second is also an out-of-bounds write weakness, this time in Adobe Media Encoder, affecting Windows and macOS versions 14.02 and earlier. Identified as CVE-2020-3764, it likewise leads to code execution in the context of the current user.
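Adobe doesn’t describe either bug beyond “out-of-bounds write”, so here is the bug class in miniature, as an added example that is not Adobe’s code and has nothing to do with the real file formats involved. It uses a constructed toy chunk format (a 4-byte little-endian length followed by payload bytes) and a parser that copies the payload into a fixed 16-byte buffer sitting just before a field standing in for control data. The vulnerable version trusts the length from the file; the hardened version bounds it against the destination buffer. The struct layout, the sentinel value and the chunk format are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16u
#define HANDLER_SENTINEL 0xC0DEC0DEu

/* Constructed frame layout (not from any real format). The payload buffer sits
 * directly before a field that stands in for control data (in a real app, a
 * function pointer or object pointer): that adjacency is what turns a length
 * bug into code execution in the context of the current user. */
typedef struct {
    uint8_t  payload[PAYLOAD_MAX];
    uint32_t handler_id;
} frame_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE: the declared length is checked against the input size but never
 * against the destination buffer, so a file declaring more than PAYLOAD_MAX
 * bytes writes straight through payload[] into handler_id. */
int parse_chunk_vulnerable(frame_t *f, const uint8_t *data, size_t len) {
    if (len < 4) return -1;
    uint32_t declared = read_le32(data);
    if (declared > len - 4) return -1;
    memcpy(f->payload, data + 4, declared);  /* out-of-bounds write when declared > PAYLOAD_MAX */
    return (int)declared;
}

/* HARDENED: same parser, with the attacker-controlled length bounded by the
 * destination buffer before any copy happens. */
int parse_chunk_safe(frame_t *f, const uint8_t *data, size_t len) {
    if (len < 4) return -1;
    uint32_t declared = read_le32(data);
    if (declared > len - 4 || declared > PAYLOAD_MAX) return -1;
    memcpy(f->payload, data + 4, declared);
    return (int)declared;
}

/* Builds a constructed chunk: 4-byte little-endian length, then payload_len
 * copies of fill. Returns the total chunk size, or 0 if buf is too small. */
static size_t make_chunk(uint8_t *buf, size_t buflen, uint32_t payload_len, uint8_t fill) {
    if (buflen < 4 || payload_len > buflen - 4) return 0;
    buf[0] = (uint8_t)payload_len;
    buf[1] = (uint8_t)(payload_len >> 8);
    buf[2] = (uint8_t)(payload_len >> 16);
    buf[3] = (uint8_t)(payload_len >> 24);
    memset(buf + 4, fill, payload_len);
    return 4 + payload_len;
}

typedef int (*parser_fn)(frame_t *, const uint8_t *, size_t);

/* Feeds a constructed chunk of payload_len 'A' bytes to a parser. Returns the
 * parser's result and reports what handler_id holds afterwards. */
static int exercise(parser_fn parser, uint32_t payload_len, uint32_t *handler_after) {
    uint8_t chunk[4 + 64];
    frame_t f;
    size_t n = make_chunk(chunk, sizeof chunk, payload_len, 0x41);
    memset(&f, 0, sizeof f);
    f.handler_id = HANDLER_SENTINEL;
    int rc = (n == 0) ? -1 : parser(&f, chunk, n);
    if (handler_after) *handler_after = f.handler_id;
    return rc;
}

/* Result of the hardened parser on a chunk declaring payload_len bytes. */
int safe_result(uint32_t payload_len) { return exercise(parse_chunk_safe, payload_len, NULL); }

/* handler_id after the hardened parser has run; must always equal the sentinel. */
uint32_t safe_handler_after(uint32_t payload_len) {
    uint32_t h;
    exercise(parse_chunk_safe, payload_len, &h);
    return h;
}

int main(void) {
    uint32_t h;
    int rc = exercise(parse_chunk_vulnerable, 20, &h);
    printf("vulnerable: rc=%d handler_id=0x%08x (sentinel was 0x%08x)\n", rc, h, HANDLER_SENTINEL);
    rc = exercise(parse_chunk_safe, 20, &h);
    printf("hardened:   rc=%d handler_id=0x%08x\n", rc, h);
    return 0;
}
```

Run stand-alone, the vulnerable path reports handler_id as 0x41414141: four bytes of attacker-chosen file content have replaced what the program later trusts as control data, which is the whole mechanism behind “arbitrary code execution in the context of the current user.” The hardened parser rejects the same chunk and leaves the sentinel untouched.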

There is no evidence that either of these flaws is being exploited in the wild, but you never know, hence the need to patch now.

The update

The fix for After Effects (APSB20-09) is to upgrade to version 17.0.3. For Media Encoder (APSB20-10) it’s version 14.0.2.

It’s unusual for Adobe to issue out-of-band updates. Excluding the later-than-usual patching of a slew of flaws last October, the last was three emergency fixes for ColdFusion the month before that.

Despite the inconvenience, this is to be applauded. The sooner a critical flaw is patched, the sooner everybody stops worrying about it.



Washington state Senate passes bill to rein in facial recognition

The American Civil Liberties Union (ACLU) dubbed 2019 the year that proved that ubiquitous facial recognition surveillance isn’t inevitable. The latest (tentative) win for legislative restrictions on the increasingly pervasive technology: the state of Washington.

On Wednesday, the state senate passed a bill – Senate Bill 6280 – that would prohibit state and local government agencies from using facial recognition in most instances, including…

Ongoing surveillance – meaning tracking people as they move through public places over time, be it in real-time or through use of a service that relies on historical records.

And…

Persistent tracking – which refers to the use of facial recognition to persistently track someone without first having identified them or verified their identity.

If enacted, the law would require law enforcement to obtain a search warrant before using those types of faceprint-reliant tracking and surveillance; otherwise, use would be limited to emergency situations in which people’s lives are at risk.

From here, the bill goes to the state House for consideration.

The latest version of the bill specifies that at least 90 days before government agencies adopt a new facial recognition technology, they must inform the public about the technology in question – in detail.

Accountability reports would have to include the name of the technology, the vendor, what kind of data it collects and from where, how that data is processed, why and how it’s going to be used, data or research that demonstrates its supposed benefits, whether it’s going to be used by other agencies and how, data retention policy, how data will be securely stored and accessed, and how it’s going to affect civil rights and liberties… to name a few.

It would be an understatement to say that this type of transparency would be a marked change from the secretive (and sometimes slapdash) way in which agencies have been adopting the technology to surveil people, often without the need for warrants.

SB 6280 would also require that decisions with legal implications that are based on facial-recognition programs be reviewed by an agency worker with training on the technology – someone with authority to reverse the decision, according to analysis (PDF) from the Washington senate committee on Environment, Energy and Technology.

Examples of such decisions include whether or not somebody gets a loan, housing, insurance, health care, and educational or job opportunities. If a given program does have such an impact, it would have to be tested before being deployed. The bill would also set training standards for government employees handling personal data gleaned from facial recognition.

According to the Seattle Times, SB 6280 is likely going to face resistance in the House, where a competing bill – House Bill 2856 (PDF) – would go further still, by imposing a moratorium on local and state facial recognition programs until 1 July, 2023.

The Seattle Times quoted the House bill’s sponsor, Rep. Debra Entenman, who is herself one of the people whom facial recognition most frequently fails to correctly identify: a black woman.

[This debate is about] having a technology that is not ready to be used in the public sphere.

As an African American woman, I am of course concerned about the fact that law enforcement and others believe that this technology will make people safer.

The Seattle Times also quoted the Senate bill’s sponsor, Sen. Joe Nguyen:

Right now, facial-recognition technology is being used unchecked and with little recourse. And tech companies generally don’t care about the moral values of the products they are creating.

Running tally of pushback

In October, the state of California outlawed facial recognition in police bodycams. Some of its biggest cities have gone further still in restricting the controversial technology, including San Francisco, Berkeley, and Oakland.

Outside of California, government use of facial recognition has also been banned in three Massachusetts municipalities: Somerville, Northampton and Brookline. New York City tenants also successfully stopped their landlord’s efforts to install facial recognition technology to open the front door to their buildings.



ISS World “malware attack” leaves employees offline

Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”

The company’s website currently shows a holding page, with no clickable links on it:

ISS World replaced its website with a static information page.

On 17 February 2020, ISS was the target of a malware attack. As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.

The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.

As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.

But one silver lining for ISS World is that many, perhaps most, of its staff don’t rely on computers to carry out their hour-by-hour work, and most staff work on customer sites:

The nature of our business is to deliver services on customer sites mainly through our people and as such we continue our service delivery to customers while implementing our business continuity plans. Our priority is to ensure limited or no disruption while we fully restore all systems.

Nevertheless, a report in the UK claims that 43,000 staff worldwide, including 4000 in the UK, don’t have access to email, a serious operational blow to any modern business.

ISS World has promised, via its one-page, static website, that it is “currently estimating when IT systems will be fully restored and are assessing any potential financial impact”, and that it will “provide a further update when we have significant, additional information.”

Two things right

As bad as it sounds, it seems that the company has done at least two things right: it has issued a clear statement of what it’s willing to say right now, and it has stated that it will tell us all more when it is sure of its facts.

It’s easy to jump down the throat of a business that suffers a cyberattack, to demand answers right away, and to assume that “something is suspicious” if the company asks for time to investigate before making a full statement.

In this case, we’d urge ISS World customers to be as patient as possible, and to give the company time to find out as much as it can, with as much forensic precision as possible, before expecting it to reveal what it knows.

Incidents of this size in a business this large are definitely a matter for the regulators and for law enforcement – so if there’s any chance of finding out who was responsible with the sort of evidence that would stand up in court…

…let’s hope ISS World can come up with it.

What to do?

Here’s our advice on how to keep crooks out of your network – not just for ransomware in particular, but for malware in general.

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Attacks such as WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted malware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

Ransomware attack forces 2-day shutdown of natural gas pipeline

The US Department of Homeland Security (DHS) on Tuesday said that an infection by an unidentified ransomware strain forced the shutdown of a natural-gas pipeline for two days.

Fortunately, nothing blew up. The attacker never got control of the facility’s operations; the human-machine interfaces (HMIs) used to monitor and control the plant were taken offline, and a geographically separate central control room kept visibility of operations, though it wasn’t instrumental in controlling them.

Where this all went down is a mystery.

The alert, issued by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), didn’t say where the affected natural gas compression facility is located. It instead stuck to summarizing the attack and provided technical guidance for other critical infrastructure operators so they can gird themselves against similar attacks.

The alert did get fairly specific with the infection vector, though: whoever the attacker was, they launched a successful spearphishing attack, which enabled them to gain initial access to the facility’s IT network before pivoting to its operational technology (OT) network.

OT networks are where hardware and software for monitoring and/or controlling physical devices, processes and events reside. Some examples are SCADA industrial control systems, programmable logic controllers (PLCs), and HMIs.

After the attacker(s) got their hands on both the IT and OT networks, they deployed what CISA called “commodity” ransomware, encrypting data on both networks. Staff lost access to HMIs, data historians and polling servers. Data historians – sometimes referred to as process or operational historians – are used in several industries, and they do what you might expect: they record production and process data by time, store it in a time-series database, and serve it back for review and analysis.

Although humans partially lost their view of some low-level OT devices, the attack didn’t affect PLCs, and hence, the facility never lost control of operations. From the alert:

At no time did the threat actor obtain the ability to control or manipulate operations.

CISA’s alert also noted that, although the victimized facility’s emergency response plan didn’t specifically take cyberattacks into consideration, a decision was made to implement what DHS called a “deliberate and controlled shutdown” of operations. That shutdown lasted about two days. It also affected other compression facilities that were linked to the victimized site, the advisory said:

Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies.

As a result, “the entire pipeline asset” had to be shut down for two days, not just the victimized compression facility.

Why, in this day and age, when ransomware and other malware attacks are running amok, would cyberattacks have been left out of a utility company’s emergency response plan? CISA said in its advisory that the victimized facility pointed to a gap in cybersecurity knowledge as a contributing factor: it’s at the heart of the facility’s failure to “adequately incorporate cybersecurity into emergency response planning.”

For years, DHS has been warning that enemy nations have been ready to disrupt US energy utilities.

In 2018, DHS’s chief of industrial-control-system analysis, Jonathan Homer, got specific. He said that between 2016 and 2018, Russian hackers snared “hundreds of victims” in the utilities and equipment sectors, to the point where “they could have thrown switches” in a way that could have caused power blackouts. Similarly to the recently announced natural-gas compression facility attack, those compromises also started with phishing attacks, according to Homer. He added that the attackers had, at the time, been sophisticated enough to even jump air-gapped networks.

Although we don’t know which malware strain was involved in this week’s advisory, Ars Technica notes that it comes two weeks after researchers from industrial cybersecurity firm Dragos reported that a ransomware strain known as EKANS had tampered with industrial control systems used by gas facilities and other critical infrastructure.

Dragos reported that EKANS, a ransomware that emerged in December 2019, is pretty straightforward, as ransomware goes: it encrypts, it displays a ransom note. But beyond that, it’s been tailored to cripple industrial control systems in particular. From Dragos’s writeup:

EKANS featured additional functionality to forcibly stop a number of processes, including multiple items related to ICS operations. While all indications at present show a relatively primitive attack mechanism on control system networks, the specificity of processes listed in a static “kill list” shows a level of intentionality previously absent from ransomware targeting the industrial space.

ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.

Mind you, we don’t know if EKANS was used in this recent incident at the natural-gas pipeline. What we do know: ransomware exists to specifically target such crucial infrastructure facilities, and operators should be aware of the risks that entails.

Again, CISA’s advisory provides guidance for critical infrastructure operators. Here’s additional guidance for the rest of us:

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

For more advice, please check out our END OF RANSOMWARE page.

