Software Integrity Blog


Porous portals, Newegg is a broken egg, and Mirai’s creators have new hats

Government data breaches, Magecart Newegg breach, Mirai creators

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup.

What’s in this week’s Security Mashup, you ask?

Porous payment portals lead to government data breaches, Magecart pwns Newegg, and the Mirai creators trade in their black hats for white ones. Watch this week’s episode here:

leaks 14M+ records

via Brian Krebs, Krebs On Security: Even if you don’t trust the government, you’d agree they’re pretty good at taking your money. And that includes vetting the security of their third-party payment processors, right? Not if the recent government data breaches through payment portals are any indication. FireEye reported last week that the payment system Click2Gov had malware on it for almost a year. Worse, it still had malware after developer Superion said they had fixed the issue. And Brian Krebs reported that another payment system had exposed customer data for at least the last six years. That’s more than 14 million customer records from 35 states. Learn why government data breaches are trending in security news.

Magecart claims another victim in Newegg merchant data theft

via Charlie Osborne, ZDNet: Ticketmaster. British Airways. ABS-CBN. Newegg. What do these organizations have in common? They’re all apparent victims of Magecart, a threat group that’s currently on a rampage, hacking into payment systems to steal customer data. But the Magecart Newegg breach isn’t virtual; it just got real. Rather than selling all their stolen data outright, the group is running a reshipping operation: Use stolen data to buy high-value goods. Hire U.S. lackeys to ship them overseas. Sell them for cash. Rinse and repeat. Learn more about the Magecart Newegg breach here.

Mirai botnet creators helping FBI fight cybercrime to stay out of jail

via Mohit Kumar, The Hacker News: It’s easy to dismiss the Mirai creators as bad eggs, irredeemable punks who just wanted to watch the world burn. But at the time, the three young men (now in their early 20s) were just kids playing out their Minecraft rivalries in real life. And for their cooperation with law enforcement over the past year, they’ve been granted a reprieve. They haven’t entirely escaped punishment (to the tune of several months of community service and a heap of money). But they have stayed out of prison by impressing the feds with their white hat skills. Watch here to learn more about the kids who created Mirai.



Hello, and welcome to Episode 20 of the Weekly Security Mashup. I’m Taylor Armerding, senior security strategist with the Synopsys Software Integrity Group, back again to talk about what’s trending in software security, software insecurity, and how to improve your own security.

Porous portals

So at the top of this week, Page 1: Porous portals. Just about every organization—including the biggest one of all, your government, at all levels—encourages you to pay your bills online. It’s easy! It’s quick! It’s convenient! It saves paper! And they also say it’s safe and secure—except when it isn’t. Which was illustrated again this past week in two reports on breaches of government payment portals that exposed the credit card information of millions of people. Security firm FireEye reported that their researchers had found malware used to compromise Click2Gov, “a bill payment portal developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses,” FireEye said in a blog post.

There had apparently been suspicions of a breach going back almost a year, to October 2017. But Superion had announced this past June that after an investigation and development of patches, the portal was safe. Not according to FireEye, which said it had found malware capable of collecting payment card information, malware with “a very low detection rate” by antivirus solutions. The company said the attack was likely by a team of hackers, given the skill sets involved. A FireEye spokesperson said the company could not say how many people’s information might have been compromised.

And then there is, a portal that security blogger Brian Krebs reported is used by about 2,300 government agencies in 35 states “to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines.” Krebs said the portal has leaked more than 14 million customer records dating back at least six years. Those records include “names, addresses, phone numbers, and the last four digits of the payer’s credit card.” He said until the site was updated after he notified the owner, “it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.” GovPayNet, owner of the portal, told Krebs in a statement that “the company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction,” but that “out of an abundance of caution,” it had updated its system so only “authorized users” would be able to use that information. I don’t know. Paper checks and snail mail are sounding better to me all the time.
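The receipt leak Krebs describes (both in the summary above and in this segment) is a textbook object-level authorization failure: the receipt number in the URL is sequential, and the server never checked that the requester owned the record it was handing back. The example below is added here for illustration and is not code from GovPayNet, Krebs, or Synopsys; the receipt schema, the log-line format and all records and client addresses are constructed. It shows the unguarded lookup beside a hardened one that enforces ownership and replaces the guessable number with a random reference, plus a small log check that surfaces a client walking neighbouring IDs.

```python
"""Receipt lookup keyed by a sequential ID: the unguarded version beside a
hardened one, plus a log check for ID enumeration.
Everything below is constructed for illustration."""
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample records (no real people): sequential receipt numbers
# put every other record one digit change away.
RECEIPTS = {
    100001: {"payer": "alice", "name": "Alice Example", "phone": "555-0100", "card_last4": "1234"},
    100002: {"payer": "bob", "name": "Bob Example", "phone": "555-0101", "card_last4": "5678"},
    100003: {"payer": "carol", "name": "Carol Example", "phone": "555-0102", "card_last4": "9012"},
}

# Unguessable per-receipt reference, generated once when the receipt is
# created and stored next to the record (hypothetical schema).
TOKEN_TO_ID = {secrets.token_urlsafe(16): rid for rid in RECEIPTS}
ID_TO_TOKEN = {rid: tok for tok, rid in TOKEN_TO_ID.items()}


def vulnerable_receipt(receipt_id: int):
    """Shape of the flaw: whoever can produce an ID gets the record."""
    return RECEIPTS.get(receipt_id)


def hardened_receipt(receipt_id: int, requester: Optional[str]):
    """Object-level authorization: return a record only to its own payer.
    "Not found" and "not yours" give the same result, so the ID space
    cannot be probed for which numbers exist."""
    if requester is None:
        return None
    record = RECEIPTS.get(receipt_id)
    if record is None or record["payer"] != requester:
        return None
    return record


def receipt_by_token(token: str, requester: Optional[str]):
    """Receipt links carry the random token instead of the sequential
    number; the ownership check still applies on top of that."""
    receipt_id = TOKEN_TO_ID.get(token)
    if receipt_id is None:
        return None
    return hardened_receipt(receipt_id, requester)


def enumeration_suspects(log_lines, min_ids: int = 5, max_step: int = 2):
    """Flag clients that requested many nearby receipt IDs.
    Constructed line shape: '<client> GET /receipt?id=<n> <status>'."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or "id=" not in parts[2]:
            continue
        try:
            ids_by_client[parts[0]].add(int(parts[2].split("id=")[1]))
        except ValueError:
            continue
    suspects = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        if len(ordered) < min_ids:
            continue
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if all(g <= max_step for g in gaps):
            suspects.append((client, ordered[0], ordered[-1], len(ordered)))
    return suspects


# Constructed access-log sample: one client walking IDs, one ordinary user.
SAMPLE_LOG = [
    "203.0.113.9 GET /receipt?id=100001 200",
    "203.0.113.9 GET /receipt?id=100002 200",
    "203.0.113.9 GET /receipt?id=100003 200",
    "203.0.113.9 GET /receipt?id=100004 404",
    "203.0.113.9 GET /receipt?id=100005 404",
    "198.51.100.4 GET /receipt?id=100002 200",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_receipt(100002))
    print("hardened, wrong user:", hardened_receipt(100002, "alice"))
    print("hardened, owner:", hardened_receipt(100002, "bob"))
    print("token link, owner:", receipt_by_token(ID_TO_TOKEN[100002], "bob"))
    print("suspects:", enumeration_suspects(SAMPLE_LOG))
```

The ownership check is the fix that matters; the random token is a second layer that stops a leaked or shared link from doubling as an index into everyone else's receipts, and the log check is the kind of signal that would have shown the walk through the ID space long before a reporter did.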

Broken egg

Page 2: Broken Egg. If you did any business since mid-August with Newegg, a popular computer and electronics web retailer, probably best to get a new credit card.

Security firms RiskIQ and Volexity reported last week that the attackers called Magecart, who breached Ticketmaster U.K., British Airways, and the online store of broadcaster ABS-CBN, were responsible for this one too. They used a code-based skimmer, just 15 lines of JavaScript surreptitiously embedded on the site’s payment page, to siphon off credit card data for about a month, from Aug. 13 to Sept. 18, when Newegg shut down the attack. RiskIQ senior threat intelligence analyst Yonathan Klijnsma told ZDNet that Newegg removed the malicious script within hours after Volexity notified the company of the attack. But Klijnsma wrote in a blog post that every e-commerce site is at risk. “These attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target,” he wrote.
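The skimmer in this story (and in the summary above) worked because a handful of extra lines of JavaScript could sit on the payment page for a month without anyone noticing. The defensive counterpart is an inventory of what scripts a checkout page is supposed to carry, checked against what it actually serves. The example below is added here and is not code from RiskIQ, Volexity, Newegg, or Synopsys; the page contents, host names and the integrity value are constructed placeholders. It fingerprints every script tag on a captured page, diffs that against a known-good baseline so a newly injected inline script stands out, and lists the review findings that Subresource Integrity and a Content-Security-Policy script-src allow-list would enforce in the browser.

```python
"""Checkout-page script inventory: fingerprint every <script> on a page,
diff it against a known-good baseline, and report scripts that a
script-src allow-list or Subresource Integrity would not accept.
All pages below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects each <script> with its src/integrity attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def fingerprint(html):
    """Set of ("external", src) or ("inline", sha256-of-body) entries."""
    out = set()
    for s in collect_scripts(html):
        if s["src"]:
            out.add(("external", s["src"]))
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            out.add(("inline", digest))
    return out


def diff_scripts(baseline_html, observed_html):
    """What appeared or disappeared since the baseline capture."""
    base, obs = fingerprint(baseline_html), fingerprint(observed_html)
    return {"added": sorted(obs - base), "removed": sorted(base - obs)}


def policy_findings(html, allowed_hosts):
    """External scripts served from a host outside the allow-list (the same
    list a CSP script-src would carry) and external scripts without SRI."""
    findings = []
    for s in collect_scripts(html):
        if not s["src"]:
            continue
        host = urlparse(s["src"]).netloc
        if host and host not in allowed_hosts:
            findings.append(("unexpected-host", s["src"]))
        if not s["integrity"]:
            findings.append(("missing-sri", s["src"]))
    return findings


# Constructed baseline checkout page captured at a known-good moment;
# the integrity value is a placeholder, not a real digest.
BASELINE = """<html><body>
<script src="https://static.example-shop.test/checkout.js"
        integrity="sha384-PLACEHOLDERHASH"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</body></html>"""

# Constructed later capture: the same page with one extra inline script.
OBSERVED = BASELINE.replace(
    "</body>", "<script>/* constructed: unexpected inline script */</script>\n</body>")

# Constructed capture with an extra external script from an unlisted host.
INJECTED_EXTERNAL = BASELINE.replace(
    "</body>", '<script src="https://cdn.unrelated-host.test/x.js"></script>\n</body>')

if __name__ == "__main__":
    print(diff_scripts(BASELINE, OBSERVED))
    print(policy_findings(INJECTED_EXTERNAL, {"static.example-shop.test"}))
```

Run against periodic captures of the live payment page, the diff turns a silent one-month skim into a same-day alert; the policy findings are what to fix before that, since a strict script-src and SRI on every third-party script make the injected code fail to load in the first place.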

From black hats to white

Page 3: From black hats to white. Not quite all is forgiven for the three young men who created and spread the internationally notorious and destructive Mirai botnet that, among other bad things, was used to launch a massive DDoS (distributed denial of service) attack that took down domain name service provider Dyn in October 2016, which temporarily made a significant chunk of the internet unusable on the East Coast. They also used it to launch a DDoS attack that took down Brian Krebs’ blog site. Not a good idea, since he then tracked and unmasked them. But Paras Jha, 21, of New Jersey, Josiah White, 20, of Pennsylvania, and Dalton Norman, 21, of Louisiana, who initially created Mirai to attack their rivals in hosting servers for the video game Minecraft, have dodged some serious prison time, reportedly because they have seen the error of their ways. The three pleaded guilty last December to charges connected to Mirai, but the U.S. Department of Justice announced last week that since they had provided “extensive” and “exceptional” assistance to a dozen or more different law enforcement agencies, they would be sentenced to just five years of probation with no prison time.

They were also ordered to pay $127,000 in restitution, to serve 2,500 hours of community service, and reportedly agreed to forfeit cryptocurrency seized during the investigation. The three have been working with the FBI for more than a year, and a prosecutor said they had helped take down multiple botnets and stopped DDoS attacks. U.S. Attorney Brian Schroeder said this was an example of holding criminals accountable “while encouraging offenders to choose a different path to apply their skills.” I suspect if that different path leads them to Black Hat next year, their session will be sold out.

And that’s it for this week. The Weekly Security Mashup is a group effort, so thanks again to our entire content team, and thanks to you for watching. Help us spread the word. Tweet it, share it, like it, and come back again next week. I’m Taylor Armerding for the Synopsys Software Integrity Group, where we help organizations build secure, high-quality software faster.


