February 25, 2014
How fast time flies! Only six months ago Hold Security announced a public offering of our Deep Web Monitoring services, and since then we've helped many companies identify, minimize, and eliminate security threats.
Today, we are breaking out the most popular part of the Deep Web Monitoring as a separate offering, and are proud to introduce Hold Security's Credentials Integrity Services.
One of the most valuable bounties for hackers is your credentials: user IDs (email addresses) and passwords. And these credentials can be stolen not only directly from your company but also from services to which you and your employees entrust data.
Hold Security's analysts work tirelessly to find stolen or abused credentials and alert our customers. In October 2013, Hold Security identified the biggest ever public disclosure of 153 million stolen credentials from Adobe Systems. One month later we identified another large breach of 42 million credentials from Cupid Media.
To help our customers we tracked over 300 million abused credentials that were not disclosed publicly (over 450 million credentials if you count our Adobe find). But this month we exceeded all expectations! In the first three weeks of February, we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses. These mind-boggling numbers are not meant to scare you; they are the product of multiple breaches which we are independently investigating. This is a call to action, and if you are concerned about the integrity of your company's user credentials we encourage you to use our Credentials Integrity Services.
February 13, 2014
Hackers compromised thousands of FTP sites to plant their malware or to attempt to compromise connected web services. This week Hold Security’s Deep Web Monitoring Service obtained evidence of hackers abusing FTP sites of companies of all sizes across the globe. Hackers planted PHP scripts armed with backdoors (web shells) and viruses in multiple directories, hoping that these directories map to the victim companies' web servers, so that a plain HTTP request for the uploaded script would execute it and hand them control of the web services. They also uploaded HTML files with seamless redirects to malicious sites.
The victim companies hosting the compromised FTP sites are spread across the spectrum, from small companies and individual accounts with ISPs to major multinational corporations. IDG’s journalist Jeremy Kirk has an in-depth story. The victimized FTP sites can be used to lure unsuspecting Internet surfers and direct them to sites peddling financial schemes, pornography, or prescription medications, among other scams.
How did the hackers gain access to the FTP sites? In several ways. Some sites have anonymous, default, or publicized credentials for public or semi-private access. This data, along with stolen credentials (possibly harvested through botnets), has been used to gain unauthorized access and attempt exploitation.
We urge companies to re-examine their FTP implementations to minimize possible credential abuse and malware uploads, and to check for interconnectivity with other services, especially web servers: an FTP directory that is also a web document root turns any uploaded script into remotely executable code. At the same time, end-users should be more vigilant about the embedded links they follow, even to legitimate sites.
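The two artifact classes described above (PHP web shells and HTML redirect pages dropped into an FTP-writable tree) can be found with a simple content scan. The script below is an added example, not Hold Security's tooling; the indicator patterns are assumptions drawn from common PHP backdoor and redirect constructs, not a complete signature set, and the sample files it scans are constructed inline.

```python
"""
Scan an FTP-writable directory tree for PHP files carrying web-shell indicators
and HTML files that silently redirect visitors. Added illustration; the indicator
lists are assumed heuristics, not a complete signature set.
"""
import os
import re
import tempfile

# Constructs that PHP backdoors almost always use. Each is checked case-insensitively
# and reported by name so the analyst sees why a file was flagged.
SHELL_INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "obfuscated_payload": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "command_exec": re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "request_to_exec": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
}

# Redirect constructs an attacker drops into an HTML file to bounce visitors elsewhere.
REDIRECT_INDICATORS = {
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    "js_location": re.compile(r"(window\.|document\.)?location(\.href)?\s*=", re.I),
    "js_replace": re.compile(r"location\.replace\s*\(", re.I),
}

PHP_EXT = {".php", ".php3", ".php5", ".phtml", ".phar"}
HTML_EXT = {".html", ".htm"}


def classify_file(path):
    """Return the list of indicator names found in one file, or [] if clean/ignored."""
    ext = os.path.splitext(path)[1].lower()
    if ext in PHP_EXT:
        table = SHELL_INDICATORS
    elif ext in HTML_EXT:
        table = REDIRECT_INDICATORS
    else:
        return []  # only web-executable file types matter here
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return [name for name, rx in table.items() if rx.search(text)]


def scan_tree(root):
    """Walk `root` and map relative paths of suspicious files to their indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = classify_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return the findings."""
    root = tempfile.mkdtemp(prefix="ftp_scan_")
    samples = {
        # One-line shell: runs whatever arrives in the 'cmd' query parameter.
        "htdocs/images/img.php": "<?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>",
        # Obfuscated loader: decodes and evals its payload.
        "htdocs/wp-content/cache.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
        # Benign PHP; must not be flagged.
        "htdocs/index.php": "<?php echo 'Hello'; ?>",
        # Dropped HTML page that bounces visitors via meta refresh.
        "htdocs/promo.html": '<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/x"></head></html>',
        # Benign HTML.
        "htdocs/about.html": "<html><body>About us</body></html>",
        # Non-web file type is ignored regardless of content.
        "uploads/notes.txt": "eval(base64_decode('...'))",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against the real FTP root (scan_tree("/var/ftp") or wherever uploads land) and treat any hit inside a directory that is also served over HTTP as an incident, not a false positive to triage later. The heuristics will miss heavily obfuscated shells, so pair the scan with an inventory of which FTP directories the web server actually serves.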
November 4, 2013
"TRUST US; YOUR DATA IS SECURE" states the Data Security page on CorporateCarOnline's website, but it didn't stop the cyber gang responsible for the LexisNexis, Adobe, PR Newswire and many other breaches.
On September 28, Hold Security Deep Web Monitoring identified a database with nearly 10 million records on the same server where the Adobe and PR Newswire data was found. The data was identified as belonging to CorporateCarOnline, which later confirmed ownership.
CorporateCarOnline is an online software provider for limousine transportation reservation solutions.
Journalist Brian Krebs reports in-depth on the incident, a tragic loss of financial and personal data of hundreds of thousands of customers.
The breach most likely occurred on or before September 10, 2013, and there is strong evidence that it was done through an Adobe ColdFusion exploit.
This compromise affects many but it is also an attack against small businesses everywhere. Keeping your online business secure takes more than an assuring statement. Hold Security's Security Architecture and Security Assessment services for small businesses (and for businesses of all sizes) provide surprisingly affordable solutions of the highest quality and effectiveness. We make operating an online business security headache-free.
Hold Security apprised Visa, Mastercard, Discover, and American Express of the breach, and each of these companies is taking steps to protect the victims.
October 16, 2013
The same group of cyber criminals responsible for the LexisNexis, NW3C, and Adobe breaches also stole data belonging to PR Newswire. Partial website source code and configuration data, along with a database of PR Newswire customers, were found on the same server where Adobe Systems’ source code was located.
Cleverly disguised as an image, an archive of PR Newswire data was found on the hackers’ repository server. The database appears to date from March 8, 2013, but it is unclear yet whether the breach happened at that time or later, as the archive was created on April 22, 2013.
While we are presently unaware of any abuse of the stolen data, this breach raises a number of questions about the intentions of the hackers. Given the financial motivation of this group, PR Newswire is an unlikely target and may have been a target of opportunity.
On the other hand, considering the criticality of major announcements made through PR Newswire, it is possible that savvy malicious individuals might use unannounced press releases, or even manipulate major announcements, to gain a competitive financial edge on the stock market.
Hold Security worked with journalist Brian Krebs who contacted PR Newswire to alert them of the breach.
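An archive "disguised as an image" is the kind of thing an analyst catches by comparing a file's extension with its leading magic bytes. The script below is an added example, not Hold Security's tooling; its signature table is an assumed small subset (JPEG, PNG, GIF, ZIP, RAR, 7z, gzip) sufficient for the constructed sample files it writes and checks.

```python
"""
Flag files whose content does not match the type their extension claims, for
example an archive stored under a .jpg name. Added illustration; the signature
table is an assumed subset, not an exhaustive file-type database.
"""
import os
import tempfile

# Leading magic bytes (all at offset 0) for a handful of image and archive formats.
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    "rar":  [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],
    "7z":   [b"7z\xbc\xaf\x27\x1c"],
    "gzip": [b"\x1f\x8b"],
}
IMAGE_TYPES = {"jpeg", "png", "gif"}
ARCHIVE_TYPES = {"zip", "rar", "7z", "gzip"}
EXT_TO_TYPE = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".zip": "zip", ".rar": "rar", ".7z": "7z", ".gz": "gzip",
}


def sniff(header):
    """Identify the format from the first bytes of a file, or None if unknown."""
    for kind, sigs in MAGIC.items():
        if any(header.startswith(sig) for sig in sigs):
            return kind
    return None


def check_file(path):
    """Return (claimed_type, actual_type, verdict) for one file."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(path)[1].lower())
    with open(path, "rb") as fh:
        actual = sniff(fh.read(16))
    if claimed in IMAGE_TYPES and actual in ARCHIVE_TYPES:
        verdict = "archive_disguised_as_image"   # the case described in the post
    elif claimed is None or actual is None:
        verdict = "unknown"                      # nothing to compare against
    elif claimed != actual:
        verdict = "mismatch"                     # some other extension/content disagreement
    else:
        verdict = "ok"
    return claimed, actual, verdict


def demo():
    """Write constructed sample files to a temp dir and check each one."""
    root = tempfile.mkdtemp(prefix="magic_")
    samples = {
        "photo.jpg": b"PK\x03\x04" + b"\x00" * 28,          # ZIP stored under an image name
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,     # genuine PNG header
        "dump.zip": b"PK\x03\x04" + b"\x00" * 28,           # archive that says it is one
        "banner.gif": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # JPEG bytes under a .gif name
        "notes.txt": b"plain text",                         # no signature, unknown extension
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return {name: check_file(os.path.join(root, name)) for name in samples}


if __name__ == "__main__":
    for name, (claimed, actual, verdict) in demo().items():
        print(f"{name}: claims {claimed}, contains {actual}: {verdict}")
```

A magic-byte check is only a cheap first pass: an attacker can prepend a valid image header to an archive so that the file is both a picture and an archive (a polyglot), which this check would rate "ok". Follow a clean verdict with a full parse by the tool for the claimed type before trusting the file.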
October 17, 2013
Hold Security’s Deep Web Monitoring confirms today that PR Newswire was not a random target for the hackers. There is evidence, dated February 13, 2013, of a large-scale attack targeting PR Newswire’s multiple networks hitting over 2,000 IP addresses using ColdFusion exploits. The attack was sourced from a different server also used by the same group of hackers. If this attack resulted in a breach, it is possible that the hackers had access to PR Newswire infrastructure longer than previously thought.
October 3, 2013
Hold Security’s newly announced Deep Web Monitoring Program, working with journalist Brian Krebs, informed Adobe Systems Incorporated that source code for their flagship products had been found on servers of known hackers responsible for breaches of LexisNexis, Kroll, NW3C, and many other sites.
Over 40 gigabytes in encrypted archives were discovered on a hackers' server that appear to contain source code of such products as Adobe Acrobat Reader, Adobe Acrobat Publisher, and the Adobe ColdFusion line of products. It appears that the breach of Adobe's data occurred in early August of this year, but it is possible that the breach began earlier. While it is unclear at this time how the hackers obtained the source code and whether they analyzed or used it for malicious purposes, it appears that the data was taken and viewed by unauthorized individuals.
This breach poses a serious concern to countless businesses and individuals. Adobe products are installed on most end-user devices and used on many corporate and government servers around the world. While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits.
About Hold Security
Hold Security’s Incident Response and Investigation Practice has worked on numerous breaches in which clues about the perpetrators, information about the breach, and even the stolen data itself were found in the “dark corners of the Internet”. Through our numerous resources, we continuously monitor underground forum communications, chat channels, and data exchanges between the most notorious cyber criminals. This “Deep Web Monitoring” service has been used very successfully by our existing customers as an added value.
Today, with the news of Data Broker Giants Hacked by ID Theft Service and Hold Security investigators’ contributions to the story, we are proud to announce the first public offering of our Deep Web Monitoring services to select customers.
Here are some statistical facts about the deep web data gathered just in the past few months:
Approximately 70 million e-mail addresses stolen by spammers, hackers, and botnets, most of them accompanied by passwords
30,000 compromised systems from around the world
200,000 stolen financial accounts
Hundreds of zero-day exploits and malware
Dozens of botnet controllers
Over 4,000 cyber-criminals’ dossiers updated
We can help you find out who is targeting or exploiting your company's, your employees', or your customers' data! We can help you identify many zero-day threats before they do any damage!