Monthly Breach Report: December 2021 Edition

Tis the season . . . for more cyberattacks. As holiday shopping ramps up and many prepare for in-person celebrations again, threat actors are waiting to hack and steal sensitive data. Take a look at some of the biggest attacks from the past 30 days.

Activity Monitoring Software Helps Pfizer Catch Employee Stealing Trade Secrets

When employees leave pharmaceutical giant Pfizer to work for a rival company, they might sneak out a few corporate pens and sticky notes with them and call it a day. But “soon to be former” employee Chun Xiao (Sherry) Li decided to steal much more, illegally swiping 12,000 confidential COVID-19 vaccine documents before starting her new job with Xencor, a California-based bio-pharma firm. Pfizer alleges that over a three-day period in October 2021, Li, the then-associate director of clinical statistics, uploaded proprietary and trade-secret files from her Pfizer-issued laptop to a personal Google Drive account. The files included vaccine study analyses and information on the development of new drugs.

Pfizer detected Li’s actions almost immediately after the recent installation of system-wide activity tracking software that monitors everything happening on an employee’s endpoint, including uploading files to the cloud. The newly installed software showed who accessed a file, when, and what they did. The New York-based firm alleges that further investigation uncovered an email detailing a job offer to Li from Xencor.

When confronted, Li initially appeared cooperative, claiming she was simply organizing her files offline. After meeting with the forensics team, she deleted the files. When the forensics team interviewed her again, she handed over a decoy laptop. In court filings, the company noted Li signed a confidentiality agreement as part of her employment. The company also alleges that at least one other person is in possession of the documents. Li joined Pfizer’s global product development group in China in 2006 before transferring to the San Diego division in 2016. As of press time, Li was in talks with Pfizer to settle the suit outside of court.

The full scope of Li’s actions is still being investigated. Intellectual property, like Pfizer’s COVID-19 trade secrets, is among an organization’s most valuable assets, vulnerable to threat and compromise both internally and externally. Pfizer noted in its lawsuit that since developing a COVID-19 vaccine, competitors have been trying to recruit its employees “relentlessly, especially during 2021.”

Sources:

• Infosecurity Magazine
• Endpoint News
• Bloomberg Law
• Reuters

Hive Ransomware Gang Hits Europe’s Largest Consumer Electronics Retailer

MediaMarkt, Europe’s largest consumer electronics retailer, recently became the victim of a Hive ransomware attack, with an initial ransom demand of $240 million. The attackers quickly reduced the demand to $50 million in bitcoin. The attack occurred in early November and caused both IT systems and store operations disruptions. MediaMarkt has over 53,000 employees and 1,000 stores in 13 countries.

All hacked computers displayed the same message: “Your network has been hacked, and all data has been encrypted. To regain access to all data, you must purchase our decryption software.” Store employees were told not to use the store computers and to disconnect network cables from cash registers. Customers could only buy merchandise physically present in the store. Returns and online orders could not be made.

Hive ransomware actors exfiltrated MediaMarkt data and encrypted files on the company’s network, leaving a ransom note in each affected directory that provided instructions on how to purchase the decryption software. In the “ransom note,” the hackers stated that if the company did not pay the ransom, the files would be published on their “HiveLeaks” data leak site. The gang even offered a professional “customer service” chat to negotiate the ransom.

Hive ransomware was first observed in June 2021 and likely operates as an affiliate-based ransomware, according to the FBI. The ransomware modus operandi includes deleting any backups to prevent the victim from recovering their data. Linux and FreeSBD servers, used to host virtual machines, are also not immune.

The MediaMarkt extortion schemes is an example of a “double extortion scheme” trend growing among cybercriminals, according to the US Financial Crimes Enforcement Network (FinCEN). Once data has been encrypted, the cybercriminals then threaten to publish or sell the stolen data.

Sources:

• Infosecurity Magazine
• RetailDetail 
• Coindesk
• S. Financial Crimes Enforcement Network
• Yahoo News

Adult Cam Site Leak Exposes Information of Millions of Users and Models

StripChat, a popular adult cam site based in Cyprus, recently leaked the unsecured personal data of millions of its customers and models. Famed security researcher Bob Diachenko discovered the leak in early November when the website left its Elasticsearch database cluster unsecured without a password November 4 – 7. The security news outlet Threatpost reports that 200 million StripChat records were exposed including:

• Email addresses
• IP addresses
• Tip amounts from customers to models
• Private chat details
• Timestamps of account payment and creation
• Models’ usernames, gender, studio IDs, tip menus and prices, live status, and their “strip score.”

As of press time, it is unclear if the information has been used in any cybercrimes. Although StripChat officials deny that details such as credit card numbers and personal identities were exposed, Diachenko says, “The exposure could pose a significant privacy risk for both StripChat viewers and models. If the data was stolen, they could face harassment, humiliation, stalking, extortion, phishing, and other threats, both online and offline.” He notes that although the StripChat data may not have exposed identifying details, the privacy risk for both users and models become more significant “if the exposed information is cross-referenced with other breaches, so the full profile of a person is drawn.”

Since the onset of the COVID-19 pandemic, adult websites have gained millions of new users. This increased traffic means more targets for cyberattacks through business email compromise (BEC). Diachenko warns that while the company downplayed the leak, the incident is an example of the all-too-common issue of public cloud misconfigurations: “Organizations need to continuously monitor all resources deployed in their enterprise to minimize risks of such exposure.”

Sources:

• Threatpost
• FBI: Scams and Safety
• The Record
• Tech Nadu

California Pizza Kitchen Serves Employee Social Security Numbers to Cybercriminals

California Pizza Kitchen (CPK), a US pizza chain, reported a data breach that exposed the Social Security numbers of more than 100,000 current and former employees. The company reported the breach in November after noticing a disruption to its systems on September 15. After three weeks of investigation, CPK determined that cybercriminals infiltrated its systems and gained access to certain files, including employee names and SSNs.

In November, the company sent letters to the victims, stating it had reinforced the security of its computing environment. It is not clear why it took the company two months to inform employees and law enforcement about the incident.

The company offered the victims free membership in Experian’s IdentityWorks program, which offers members:

• Daily credit reports and credit monitoring
• Identity restoration to address credit and non-credit related fraud
• Up to $1 million in Identity theft insurance

The company has not made public the type of breach that occurred or how attackers infiltrated the system.

Sources:

• TechCrunch
• Office of the Maine Attorney General
• Threatpost
• Gizmodo

Iranian Hacks Israeli Internet Hosting Company, Leaks Patient and LGBTQ Info

In late October, the Iranian hacking group Black Shadow infiltrated the servers of Cyberserv, a popular Israeli internet hosting company. The hackers demanded that Cyberserv pay $1 million in cryptocurrency ransom and threatened to release personal identifying information (PII) from the websites residing on its servers. To prove the seriousness of their threat, the group released the personal information of:

• 290,000 patients at Israel’s Machon Mor institute – including info on blood tests, treatments, CT scans, ultrasounds, colonoscopies, and vaccinations
• The full database of LGBTQ dating service Atraf, including members’ names, addresses, phone numbers, email addresses, passwords, locations, and in some cases, HIV status IDs

Prior to the Cyberserv attack, Infosecurity Magazine reports that Israel’s National Cyber Directorate warned the company “several times” that its IT systems were vulnerable. BlackShadow is an Iranian state-sponsored hacking group and is not believed to be financially motivated, but instead is part of a perpetual cyber war between Israel and Iran.

Sources:

• Infosecurity Magazine
• HackRead
• The Times of Israel
• Bleeping Computer
• TechCrunch

Hacker Offers Stock Market App Information to the Highest Bidder

Last month, the stock market trading app Robinhood announced a massive data breach after one of its employees was hacked during a phone call. In an unusual move, the cybercriminal revealed details of his crime in an interview with Bleeping Computer. He said he tricked a help desk employee into installing remote access software on their computer and was then able to remotely access Robinhood’s internal systems using the employee’s login credentials.

The hacker’s social engineering heist netted him 5 million user email addresses and 2 million full names. Two days later, he announced the sale of the information for $10,000 or higher. Robinhood asserts on its company blog the “list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident.” The company also reported that the threat actor attempted to extort the company to prevent the data from being released. Stolen information includes:

• Email addresses for 5 million customers
• Full names for 2 million other customers
• Name, date of birth, and zip code for 300 people
• Extensive account information for ten people

Within the information sale, the hacker did not offer the more extensive data stolen from the last two groups. The hacker disclosed that the information stolen from the group of ten people included ID cards downloaded from a secure file transfer service used by the trading platform when performing Know Your Customer (KYC) requirements.

Soon after the Robinhood breach, the hacker struck again, this time exploiting a bug in the FBI Law Enforcement Enterprise Portal (LEEP). He sent hoax emails from IP addresses belonging to the FBI which warned that the recipients’ network was breached, and data was stolen by well-known dark web researcher Vinny Troia. According to Troia, the hoax is part of a series of attacks directed at him personally as part of a long-standing feud.

Sources:

• Robinhood
  Bleeping Computer
• TechCrunch
• The Verge

Protecting your data is vital in every season. Keep your organization out of the breach headlines with help from PKWARE and our full suite of data discovery and remediation solutions. See it in action with a personalized demo.