Month: April 2017
The Intercontinental Hotels Group data breach previously announced in February as affecting 12 hotels in the chain has proven to have been far more extensive than was first thought.
Last week the group announced that the breach affected guests that used their credit cards to pay at franchisee hotels across the United States and in Puerto Rico between September 29, 2016 and December 29, 2016.
According to the chain’s website, the Intercontinental Hotels Group data breach potentially affected guests who stayed at its Holiday Inn, Holiday Inn Express, Crowne Plaza, Staybridge Suites, Candlewood Suites, Hotel Indigo, and InterContinental Hotels. The full list of hotels that have potentially been affected by the malware incident has been listed on the IHG website. In total, 1,184 of the group’s hotels have potentially been affected.
The Intercontinental Hotels Group data breach involved malware that had been downloaded onto its systems, which was capable of monitoring payment card systems and exfiltrating payment card data. It does not appear that any other information other than card details and cardholders’ names were stolen by the attackers.
The hotel group does not believe the data breach extended past December 29, 2016, although that cannot be entirely ruled out as it took until February/March for all of the affected hotels to be investigated and for confirmation to be received that the malware had been removed.
Prior to the malware being installed, IHG had started installing the OHG Secure Payment Solution (SPS), which provides point to point encryption to prevent incidents such as this from resulting in the theft of clients’ data. Had the process started sooner, the Intercontinental Hotel Group data breach could have been prevented.
Hotels that had implemented the SPS prior to September 29, 2016 were not affected and those that had implemented the solution between September 29, 2016 and December 29, 2016 stopped the malware from being able to locate and steal credit card data. In those cases, only clients that used their credit cards at affected hotels between September 29, 2016 and when the SPS system was installed were affected.
Intercontinental Hotels Group Data Breach One of Many Affecting the Hospitality Sector
The Intercontinental Hotels Group data breach stands out due to the extent to which the group was affected, with well over 1,100 hotels affected. However, this is far from the only hotel group to have been affected by POS malware. Previous incidents have also been reported by Hard Rock Hotels, Hilton Hotels, Omni Hotels & Resorts and Trump Hotels.
Hotels, in particular hotel chains, are big targets for cybercriminals due to the size of the prize. Many hotel guests choose to pay for their rooms and services on credit cards rather than in cash, and each hotel services many thousands – often tens of thousands – of guests each year.
Globally, IHG hotels service more than 150 million guests every year, which is a tremendous number of credit and debit cards. Such a widespread malware infection would be highly lucrative for the attackers. Credit card numbers may only sell for a couple of dollars a time, but with that number of guests, an attack such as this would be a huge pay day for the attackers.
The Hospitality Sector is a Big Target and Vulnerable to Cyberattacks
While many tactics are used to gain access to POS systems, oftentimes it is weak or default passwords that allow hackers to gain access to hotel computer systems. Stolen credentials are another common way that access is gained. The Verizon’s Data Breach Investigations Report (DBIR) for 2016 shows that in each of the reported breaches affecting the hospitality sector, access to systems was gained by the attackers in less than an hour.
Malware can also be inadvertently downloaded by employees and guests. Poor segregation of the POS system from other parts of the network is commonplace. That makes it easy for hackers to move laterally within the network once a foothold has been gained. Doubling up POS systems as workstations makes it too easy for hackers to gain access to POS systems.
Many hotels also fail to perform adequate risk assessments and do not conduct penetration tests or vulnerability scans. Even malware scans are performed infrequently. Some hotels also fail to implement appropriate security solutions to block access to malware-laden websites.
The Intercontinental Hotels Group data breach could have been prevented, and certainly discovered more quickly. The same is true for many hotel data breaches.
Unless hotels and hotel groups improve their cybersecurity posture and implement appropriate technology, policies and procedures to prevent cyberattacks, data breaches of this nature will continue to occur.
TitanHQ offers a range of products that can prevent hackers from gaining access to computers and POS systems. For further information on how you can protect your hotel or chain against cyberattacks, contact the TitanHQ team today.
Last week, the Bitglass Threats Below the Surface Report was released. The report highlights the extent to which organizations are being attacked by cybercriminals. Far from cyberattacks being a relatively rare occurrence, they are now as certain as death and taxes.
The report revealed that out of the 3,000 IT professionals surveyed for the report, 87% said they had experienced a cyberattack in the past 12 months. Many of those respondents had experienced numerous cyberattacks in the past year, with one company in three experiencing more than five cyberattacks in the last 12 months. To put that figure in perspective and show how the probability of being attacked has increased, two years ago, only half of companies were experiencing cyberattacks on that scale.
IT professionals rated mobile devices as one of the biggest problem areas. When asked to rate security posture, more respondents rated mobile as somewhat or highly vulnerable than any other system. While attacks can come from all angles, the report revealed that many companies are not actively monitoring their systems and devices for potential vulnerabilities. Only 24% monitored SaaS and IaaS apps for vulnerabilities, 36% monitored mobile devices and 60% monitored the network perimeter and laptops/desktops.
In response to the increased number of threats and the frequency of cyberattacks, companies have been forced to increase spending on cybersecurity defenses. The Bitglass Threats Below the Surface Report shows biggest spenders are the retail and technology sectors, with 39% of retail organizations and 36% of technology companies saying they are now spending a large proportion of their budgets on cybersecurity. 52% of respondents said their organization is planning on increasing cybersecurity spending.
Respondents were asked to rate their biggest concerns for the report to get a gauge of the biggest perceived threats. The biggest concern for 37% of respondents is phishing. Phishing attacks are becoming more sophisticated and harder for non-security professionals to identify. A range of social engineering techniques are used to fool end users into opening infected email attachments or clicking on malicious links and revealing their sensitive information. While effective at preventing many phishing attacks, training alone is no longer sufficient. Technological controls are now essential.
Malware is also a major concern along with insider threats, rated as a top concern by 32% and 33% of respondents, with email one of the main methods of malware delivery. Ransomware was also a major concern, although while ransomware attacks can result in significant costs and system downtime, fortunately, many companies have improved their ransomware defenses and have been able to recover without paying a ransom by restoring files from backups.
54% of companies said they had experienced a ransomware attack and were able to recover their data from backups without having to pay a ransom. That said, 33% of companies had no alternative but to pay a ransom to recover locked data, while 13% of companies said they had refused to pay a ransom and had experienced data loss as a result.
Do you have any machines running on unsupported operating systems? Is all of your software up to date with all of the latest patches applied? If you are not patching promptly or are still running outdated, unsupported operating systems or software, you are taking unnecessary risks and are leaving your network open to attack.
Hackers are constantly trawling the Internet looking for vulnerable systems to attack. Even if you are only running Windows XP or Vista on one networked machine, it could allow a hacker to exploit vulnerabilities and gain access to part or all of your network.
An alarming number of businesses are still running outdated software and are not patching promptly. For instance, 7.4% of businesses are still using Windows XP, even though Microsoft stopped issuing patches three years ago.
Hackers are discovering new vulnerabilities in software and operating systems faster than the software manufacturers can address those flaws. Zero-day vulnerabilities are regularly discovered and exploits developed to take advantage of the flaws and gain access to business networks. When a software developer stops issuing updates, the list of potential vulnerabilities that can be exploited grows fast.
Take Windows for example. Each set of updates released by Microsoft every Patch Tuesday contains patches to remediate several critical vulnerabilities that could be exploited to run code or access a system and gain user privileges. While exploits may not currently exist for those flaws at the time the patches are released, that is not the case for long. Hackers can look at the updates and reverse engineer patches to discover the vulnerabilities. Exploits can then be developed to attack unpatched machines.
Take the recent set of updates addressed by Microsoft in its March Patch Tuesday update as an example. Microsoft silently patched a slew of flaws for which exploits had been developed. Four days later, exploit tools from The Equation Group were dumped online by Shadow Brokers. Those tools could be used to exploit the flaws addressed by Microsoft a few days previously.
The exploit tools can be used to attack unpatched machines, but the patches were only issued to address flaws in supported versions of Windows. Many of those exploit tools can be used to attack unsupported Windows versions such as XP and Vista.
One of those tools, called Eternalromance, will likely work on all previous versions of Windows back to Windows XP. EasyPi, Eclipsedwing, Emeraldthread, eraticgopher and esteemaudit have all been confirmed to work on Windows XP.
Those are just the exploit tools recently discovered by The Equation Group. They represent just a small percentage of the exploits that exist for flaws in older, unpatched Windows versions. In addition to exploits for Windows flaws, there are exploits for many software programs.
There will always be zero day exploits that can be used to attack businesses, but running outdated software and unsupported operating systems makes it too easy for hackers.
Businesses of all sizes must therefore ensure that they have good patch management policies covering all software and operating systems and all devices. However, since unsupported operating systems will never be patched, continued use of those products represents a very large and unnecessary risk.
Windows-based systems are far more likely to be infected by viruses and malware; however, Mac users are far from immune to malware infections. A new report from McAfee suggests Mac malware infections increased substantially in 2016. Malware instances rose by a staggering 700% in the space of just one year.
The Threats Report by McAfee Labs shows that its anti-virus solutions detected and prevented 460,000 Mac malware infections in the final quarter of 2016 alone. That is a significant jump from the previous quarter when 150,000 Mac malware infections were detected and blocked – a rise of 247% from Q3 to Q4.
Compared to the number of infections of Windows based systems, the number of mac malware infections is still very low. McAfee detected more than 600 malware samples on Windows devices and 15 million attempted virus attacks on Android devices. At its highest, Mac malware infections were at 1.3% of the level seen on Windows-based devices.
However, the rise in Mac malware attacks should not be ignored. While Mac users are far better protected against malware attacks than Windows users, they should not be complacent. Cybercriminals are now developing more malware to target Mac users and they are no longer content with attacking Windows devices.
McAfee reports that malware developers are increasingly tailoring their malicious software to be capable of attacking multiple platforms. As more consumers and businesses use Macs and other Apple devices, attacks become more profitable. When there is potential for profit, malware developers are quick to take advantage.
The Threats Report indicates much of the new Mac malware is adware, with OSX/Bundlore one of the main malware variants discovered in Q4, 2016. Adware usually comes bundled with legitimate apps, especially apps on non-official stores. Downloading apps from the Mac app store is unlikely to result in infection.
Other forms of Mac malware have also increased in prevalence. As with Windows-based malware, the malware has been developed to steal login credentials and banking details. Remote access Trojans have also increased in number as has Mac ransomware – OSX/Keydnap being a notable example. OSX/Keydnap was bundled with the torrent client BitTorrent and even found its way onto the official download site.
To prevent Mac malware infections, businesses and consumers should be security aware and not take unnecessary risks. Apps should only be downloaded from official stores, security software should be installed, updates to software and apps should be applied promptly and strong, secure passwords should be used.
The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment, in fact, the ransom payment – if it is made – could be one of the lower costs that must be covered.
Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.
Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.
Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may be as little as $50, with the affiliate then given a cut of the profits. There has been no shortage of takers.
Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.
While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.
In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom payment of $17,000 to unlock its system. A ransom demand in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000 issued!
Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.
What is the Cost of a Ransomware Attack?
Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.
The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.
However, the true cost of a ransomware attack is far higher than any ransom payment. The HMPC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.
System downtime is one of the biggest costs. Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.
A study by Imperva on 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.
One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Healthcare organizations must also notify individuals if their protected health information (PHI) is encrypted by ransomware under HIPAA Rules.
Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.
Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.
Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.
The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.
It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.
To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.