MEGANews: The Most Important Infosec Events of October
Sberbank Data Leaks
In October, several data leaks affecting Sberbank made headlines. It began when Kommersant reported that Sberbank client data covering 60 million credit cards (both active and closed) was being sold on the black market. At the time, Sberbank had about 18 million active credit cards.
The leak, which may have occurred at the end of August, was one of the largest in the Russian banking sector. Sberbank acknowledged the breach but initially claimed it affected only 200 people, which is exactly the number of records the seller had provided as a sample. An internal investigation found that an employee born in 1991, a sector head in one of the bank's business units, had legitimate access to the databases and had tried to steal client information for personal gain. The employee confessed and is cooperating with law enforcement.
On October 7, 2019, Sberbank reported additional findings: in late September the perpetrator had sold 5,000 Sberbank Ural Bank credit card accounts, in several batches, to a criminal group on the darknet. According to the bank, most of these cards were outdated and inactive, the compromised cards have since been reissued, and there is no threat to clients' funds.
Shortly before Sberbank’s press release, another credit card database appeared online, as noted by DeviceLock founder Ashot Oganesyan. Journalists confirmed this was a new part of the leak. Several smaller databases (500 and 300 clients) with similar structures were also found. One database had 1,999 rows, 1,709 of which were active cards and 290 closed.
SearchInform's analytics head, Alexey Parfentiev, commented that releasing a small sample of stolen data as a demonstration is common practice among sellers, and suggested that Sberbank either does not know the full extent of the leak or is withholding information. Later in the month, Kommersant reported yet another leak: a database of Sberbank clients' personal data, including a recording of each client's last call to the bank's call center, was offered for sale on the black market.
The database, which appeared for sale on October 13, 2019, contained a million records with full personal details (passport, registration, addresses, phone numbers, accounts, balances, or debts) collected from 2015 up to the most recent months. Buyers could request data filtered by region, card balance, or debt size, and could even obtain a recording of the client's last call to the bank. Journalists verified the authenticity of a sample, and Izvestia confirmed the data using the Sberbank Online app. Sberbank denied any new leak, but experts believe the data may have come from an external call center working for the bank.
62% of Industrial Enterprises Use Outdated Operating Systems
CyberX experts collected data from over 1,800 client networks worldwide between October 2018 and October 2019. The results were concerning: more than 60% of industrial networks still contain devices running operating systems that are no longer supported (Windows XP and Windows 2000). Counting Windows 7 as well, whose support ends in January 2020, the figure rises to 71%. Oil, gas, and energy companies showed the best security results.
Hardware Backdoor in Cisco Devices
More than a year after Bloomberg's controversial article about alleged hardware backdoors on Supermicro server boards, FoxGuard's Monta Elkins demonstrated how easy it is to plant a hardware implant. At the CS3STHLM conference, Elkins showed how he used a $150 soldering station, a $40 microscope, and a $2 microchip to implant a backdoor in a Cisco ASA 5505 firewall. The chip, programmed by Elkins, could create a new administrator account and provide remote access to the device. Cisco is investigating the findings. Elkins' research follows similar work by Trammell Hudson, who recreated the Supermicro backdoor described by Bloomberg. Both stress that while such attacks are rare, hardware supply chain attacks are real and easier to carry out than many believe.
False Sense of Security in App Stores
BlackBerry’s chief evangelist Brian Robison told Forbes that hundreds of malicious apps have bypassed security mechanisms in the App Store and Google Play. Cylance researchers found that not only malware but also government spyware often makes it into official app catalogs. Robison warned users not to trust apps blindly, even from official stores, and to stay vigilant.
Shutdown of Welcome to Video
The UK's National Crime Agency and the US Department of Justice announced the shutdown of Welcome to Video, one of the largest darknet sites distributing child pornography. The investigation, which also involved authorities from Germany, South Korea, Saudi Arabia, the UAE, and the Czech Republic, led to the seizure of over 8 terabytes of video (about 250,000 files), 45% of which was content not previously known to investigators. 337 people in 12 countries have been arrested or charged, and at least 23 child victims have been rescued. The site's South Korean administrator, Jong Woo Son, is serving a prison sentence in South Korea and now faces additional charges in the US. Welcome to Video was one of the first darknet sites to monetize child exploitation using Bitcoin; about $370,000 in cryptocurrency transactions were traced with blockchain analysis tools from Chainalysis.
100 Million Attacks on Smart Devices
Kaspersky Lab reported over 105 million attacks on Internet of Things (IoT) devices from 276,000 unique IP addresses in the first half of 2019, nine times as many as in the same period of 2018. Russia was among the top five sources of infections (11%), along with China (30%), Brazil (19%), Egypt (12%), and the US (8%). Most attacks aimed to enlist smart devices in DDoS attacks or to use them as proxy servers. The most active malware families were Mirai and NyaDrop (39% each), followed at a distance by Gafgyt (2%).
NordVPN and TorGuard Breaches
Breaches at VPN providers NordVPN and TorGuard came to light shortly after NordVPN had advertised itself as "unhackable." Security researcher hexdefined revealed that NordVPN's private keys, including OpenVPN keys and the key for the company's website certificate, had been stolen and published. The breach occurred in March 2018 at a Finnish data center where NordVPN rented servers, while the website certificate did not expire until October 2018, so for about seven months the stolen key could have been used to impersonate the site for phishing or man-in-the-middle attacks against clients that correctly check certificate validity; after expiry it remains useful only against clients that ignore the validity period. The company says no user credentials or activity logs were compromised. TorGuard confirmed that a proxy server certificate had been compromised in 2017 but stated that its main CA key was not affected. VikingVPN was also named as compromised but has not commented.
Fancy Bear Targets 16 Anti-Doping Agencies
Microsoft analysts reported that the Russian-speaking hacker group Fancy Bear (aka Strontium, APT28) attacked at least 16 anti-doping organizations ahead of the Tokyo Olympics. The group used spear phishing, password spraying, attacks on IoT devices, and a mix of open-source and custom malware. Microsoft said some of the attacks succeeded, though not all.
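Password spraying, one of the techniques listed above, tries one or two common passwords against many accounts so that no single account trips a lockout threshold. The detector below is an added example and is not code from the original article or from Microsoft's report: it walks authentication log lines with a sliding time window per source address and flags a source that fails against many distinct users while failing only a few times per user, which separates spraying from ordinary brute force against one account. The log format, field names and thresholds are assumptions, and the sample lines are constructed for illustration.

```python
"""Detect password spraying in authentication logs (added example).

The log format (timestamp, result=, user=, src=), the field names and the
thresholds are assumptions chosen for illustration, not a real product format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 198.51.100.7 fails once against each
# of five accounts and then logs in as a sixth (a spray that found a password);
# 203.0.113.9 hammers a single account (brute force, not spraying);
# 192.0.2.44 is a user who mistyped a password once.
SAMPLE_LOG = """\
2019-10-21T08:00:01Z result=FAIL user=anna src=198.51.100.7
2019-10-21T08:00:03Z result=FAIL user=boris src=198.51.100.7
2019-10-21T08:00:05Z result=FAIL user=carla src=198.51.100.7
2019-10-21T08:00:07Z result=FAIL user=dmitri src=198.51.100.7
2019-10-21T08:00:09Z result=FAIL user=elena src=198.51.100.7
2019-10-21T08:00:11Z result=OK user=farid src=198.51.100.7
2019-10-21T08:00:02Z result=FAIL user=anna src=203.0.113.9
2019-10-21T08:00:04Z result=FAIL user=anna src=203.0.113.9
2019-10-21T08:00:06Z result=FAIL user=anna src=203.0.113.9
2019-10-21T08:00:08Z result=FAIL user=anna src=203.0.113.9
2019-10-21T08:00:10Z result=FAIL user=anna src=203.0.113.9
2019-10-21T08:00:12Z result=FAIL user=anna src=203.0.113.9
2019-10-21T09:30:00Z result=FAIL user=gleb src=192.0.2.44
2019-10-21T09:30:02Z result=OK user=gleb src=192.0.2.44
"""


def parse_line(line):
    """Parse one 'TIMESTAMP key=value key=value ...' line into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "result": kv["result"],
        "user": kv["user"],
        "src": kv["src"],
    }


def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_users=5, max_per_user=2):
    """Return {src: {"targeted_users": [...], "later_successes": [...]}}.

    A source is flagged when, inside any `window`, it fails against at least
    `min_users` distinct accounts while no single account sees more than
    `max_per_user` failures. Successful logins from that source after the
    first flagged failure are reported separately, since those are the
    accounts the spray actually opened.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        counts = Counter()          # failures per user inside the window
        start = 0                   # left edge of the sliding window
        hit_users = set()
        for end, event in enumerate(fails):
            counts[event["user"]] += 1
            # Slide the left edge forward until the window fits.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                old = fails[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hit_users.update(counts)
        if hit_users:
            first_ts = min(e["ts"] for e in fails if e["user"] in hit_users)
            later_ok = sorted({e["user"] for e in events
                               if e["result"] == "OK" and e["ts"] >= first_ts})
            alerts[src] = {"targeted_users": sorted(hit_users),
                           "later_successes": later_ok}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_LOG).items():
        print(src, info)
```

Run against the sample, only 198.51.100.7 is reported: five distinct users failed within eight seconds, one failure each, and the later successful login as farid from the same address is listed so an analyst can see which account to reset first. The single-account hammering from 203.0.113.9 is not reported by this rule; it belongs to a separate brute-force detection with a per-account failure threshold.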
Samsung Galaxy S10 Fingerprint Scanner Issues
Media outlets reported a serious issue with the Samsung Galaxy S10's fingerprint scanner: when a silicone screen protector was used, the device could be unlocked with any fingerprint. Samsung confirmed the problem affects the Galaxy S10, S10+, S10e, and Note 10. When a fingerprint was enrolled through the protector, the ultrasonic scanner recorded the protector's own pattern rather than the finger's, so any finger pressed through the protector matched afterwards. A patch was released quickly, but several UK banks temporarily suspended mobile banking for S10 users, and banks in China and Israel disabled fingerprint authentication for the affected models. In October, Google's Pixel 4 was also found to unlock with Face Unlock even when the user's eyes were closed, adding to concerns about biometric unlocking.
From Blocking to Fines: Russian Internet Regulation
At the 6th World Internet Conference in Wuzhen, Roskomnadzor head Alexander Zharov announced that Russian authorities plan to shift from blocking violators to imposing fines, aiming for equal rules for states, corporations, and individuals. A new bill proposes significant fines for companies that do not comply with internet regulations, which Zharov called a more effective and civilized approach than blocking.