Information Security Incident Overview for the Past Week
The last two weeks have been turbulent for both the public and cybersecurity experts. While the previous week was marked by serious vulnerabilities in the WPA2 protocol—putting nearly all existing Wi-Fi networks at risk—the most significant event of the past week was a new wave of Bad Rabbit ransomware attacks. These attacks affected media outlets, government agencies, and companies in several countries, primarily in Russia and Ukraine. Below is a brief summary of the main cybersecurity events from October 23 to 29, 2017.
1. Bad Rabbit Ransomware Attacks Russian and Ukrainian Organizations
On October 24, 2017, Russian and Ukrainian organizations were hit by the Bad Rabbit ransomware. The malware targeted three Russian media outlets (including Interfax and Fontanka), banks among Russia's top 20, and several Ukrainian companies and government agencies. According to Group-IB researchers, Bad Rabbit spread via drive-by download (some experts describe it as a watering hole attack), using several popular news sites in Russia and Ukraine to deliver the malware. Experts believe the same group may be behind both the NotPetya and Bad Rabbit attacks, possibly the BlackEnergy group. Security researchers from Cisco Talos and F-Secure found that a modified version of the EternalRomance exploit, stolen by The Shadow Brokers from the Equation Group (allegedly linked to the NSA), was used to spread Bad Rabbit across networks. Two days after the attacks began, several cybersecurity experts reported that the Bad Rabbit operation had ceased.
2. Anonymous Continues Attacks on Spanish Government Websites
Anonymous activists continued their attacks on Spanish government resources in protest against the Spanish authorities’ actions regarding the Catalonia crisis. This time, the official website of the Spanish government’s Boletín Oficial del Estado (BOE) was targeted.
3. Hackers Breach jQuery Blog and Coinhive Account
Last week, hackers using the aliases str0ng and n3tr1x breached the official blog of jQuery, one of the most popular JavaScript libraries. The attackers compromised a developer's account and defaced the blog, most likely using a password exposed in an earlier data breach. This was not the only incident last week involving reused leaked passwords. An unknown attacker gained access to Coinhive's Cloudflare account, which allowed them to change the company's DNS records and replace the legitimate JavaScript code embedded in thousands of websites with a malicious version. The attacker apparently used an old password leaked in the 2014 Kickstarter breach to gain access.
4. Appleby Data Leak Affects High-Profile Clients
The week also saw reports of data leaks. Bermuda-based consulting and law firm Appleby warned its clients about a possible large-scale leak of confidential information. Reports indicate that the breach affected several of the UK’s wealthiest individuals.
5. APNIC Apologizes for Database Leak
The Asia-Pacific Network Information Center (APNIC) apologized to network owners for a leak of its database, which included weakly hashed passwords. Because anyone could download the database, the exposed credentials could have been used to alter records or hijack IP address blocks.
6. London Bridge Plastic Surgery Clinic Hacked
Last week, the prestigious London Bridge Plastic Surgery (LBPS) clinic suffered a cyberattack in which hackers stole patients' personal medical data, including intimate surgery photos of celebrities. The hacking group The Dark Overlord claimed responsibility; the group has previously been linked to breaches at several U.S. medical centers and schools and to the compromise of Netflix's computer network. The hackers claim to possess "terabytes" of data, including information about the royal family.
7. Heathrow Airport Security Data Leak
On Sunday, media reported that Heathrow Airport's security service was investigating a possible data leak after an unemployed man found a USB drive on a London street. The drive contained unprotected information about the airport's security systems: 76 folders with maps, videos, and documents related to security measures and anti-terrorism operations at the UK's largest airport. Some files were marked confidential, but none were protected in any way.