ClixSense Data Breach: 6.6 Million Users Compromised

This week we hear about 6.6 Million Users Compromised in ClixSense Data Breach and how Seagate NAS Devices Host Cryptocurrency Mining Malware.

Breach

6.6 Million Users Compromised in ClixSense Data Breach

ClixSense, a website that pays users to view ads and take surveys, was the latest victim of a massive data breach affecting approximately 6.6 million users. The attacker gained access to the company’s main database through an old server the company was no longer using but that was still connected to the network. Once inside, the attacker copied most of the ClixSense users table, changed account names to “hacked account” and set user account balances to zero.

The file dump included usernames, passwords and other personal information, as well as home addresses, IP addresses, payment histories and banking details. Social security numbers, dates of birth and internal ClixSense emails may have been compromised as well.

References: Over 6 Million ClixSense Users Compromised By Data Breach | Reset Those Passwords: Over 6 Million ClixSense Users Compromised By Data Breach | ClixSense Data Breach Exposes Personal Information of Millions of Subscribers

Mitigation Strategies:

  • Intrusion detection system (IDS) signatures may detect the intrusion and network anomalies
  • Log management could surface suspicious user account login activity
  • NetFlow traffic may also reveal large data transfers and potential data leakage
  • Asset management updates, so you know which assets on your network are no longer in use but still have active connections
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
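The two network-side checks above (asset inventory and NetFlow egress) can be combined into one review. The script below is an added example, not code from the original post or from ClixSense; the flow records, the asset inventory, the 10.0.0.0/8 internal range and the 500 MiB egress threshold are all constructed for illustration. It walks flow records, flags any internal host that is missing from the inventory or marked decommissioned but still talking (the forgotten-server case), and separately flags hosts whose outbound byte count to external addresses crosses the threshold.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style export (not real ClixSense data).
# Fields: start time, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,dst_port,bytes
2016-09-04T02:10:11,10.0.5.12,10.0.5.20,3306,18234
2016-09-04T02:11:40,10.0.5.12,203.0.113.45,443,612000000
2016-09-04T02:12:03,10.0.5.12,203.0.113.45,443,590000000
2016-09-04T02:15:22,10.0.5.30,198.51.100.7,443,24000
2016-09-04T02:16:00,10.0.5.31,198.51.100.9,25,1800
2016-09-04T02:20:00,10.0.5.99,203.0.113.45,22,4100
"""

# Constructed asset inventory. 10.0.5.12 models the "old server": the register
# says it is decommissioned, but it is still on the network and reaching the DB.
ASSET_INVENTORY = {
    "10.0.5.12": {"name": "legacy-web-01", "status": "decommissioned"},
    "10.0.5.20": {"name": "db-prod-01", "status": "active"},
    "10.0.5.30": {"name": "web-prod-01", "status": "active"},
    "10.0.5.31": {"name": "mail-01", "status": "active"},
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024              # assumed; tune per environment


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flows(flow_text, inventory, threshold=EGRESS_BYTES_THRESHOLD):
    """Return a list of (src_ip, reason) findings that warrant analyst review."""
    egress = defaultdict(int)   # bytes from each internal host to external hosts
    seen = set()                # every internal host that sent any traffic
    for row in csv.DictReader(io.StringIO(flow_text)):
        src, dst = row["src_ip"], row["dst_ip"]
        if not is_internal(src):
            continue
        seen.add(src)
        if not is_internal(dst):
            egress[src] += int(row["bytes"])

    findings = []
    # Inventory check: unknown hosts and "retired" hosts that are still talking.
    for src in sorted(seen):
        asset = inventory.get(src)
        if asset is None:
            findings.append((src, "unknown host: not in asset inventory"))
        elif asset["status"] == "decommissioned":
            findings.append((src, f"{asset['name']} is marked decommissioned but still sends traffic"))
    # Volume check: large outbound transfers that may be a table dump leaving.
    for src, total in sorted(egress.items()):
        if total >= threshold:
            findings.append((src, f"large egress: {total} bytes to external hosts"))
    return findings


if __name__ == "__main__":
    for src, reason in analyze_flows(SAMPLE_FLOWS, ASSET_INVENTORY):
        print(f"{src}: {reason}")
```

The inventory check fires on any traffic at all, because a decommissioned host has no legitimate reason to be sending packets; the egress check is a coarse byte-count threshold and will need tuning (or a per-host baseline) before it is useful on a real network.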

Malware

Seagate NAS Devices Host Cryptocurrency Mining Malware

Miner-C, a new strain of cryptocurrency mining malware, has been discovered on thousands of Seagate Central NAS devices. The malware does not infect the NAS drives themselves; it uses them as a repository from which to infect other devices. Criminals copy a file named Photo.scr (a Windows screensaver executable, disguised with a folder icon) into a public folder that is accessible to all users of the Seagate NAS device. When a user double-clicks it, it installs a cryptocurrency mining application on that PC.

As Miner-C has no automatic infection mechanism, attackers scan for FTP servers that are accessible from the internet and attempt to log in with default and weak credentials. Once they have gained access, they copy the malware into every available directory with write access enabled and hope that the newly added files will be clicked. They use file names taken from movies, music, news or photos that are currently trending to pique the victims’ interest. Researchers found 7,263 Seagate Central devices with write access enabled, and 70% of them were infected.

References:  SOHOpeless Seagate NAS Boxen Become Malware Distributors | Thousands of Seagate NAS Boxes Host Cryptocurrency Mining Malware | Hackers Hit Seagate NAS Devices With Cryptomining Malware

Mitigation Strategies:

  • A file integrity monitoring (FIM) solution would detect any file modification or addition on the share
  • Mail filtering would scan incoming files and hyperlinks for malicious links or code
  • Web filtering to prevent users from visiting malicious websites
  • A Security Operations Center team providing 24x7 monitoring of logs from your security, server and network technologies allows for advanced anomaly detection.
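The FIM bullet is the one control in this list that catches the behaviour described above directly: a new executable appearing on a writable share. The script below is an added example, not code from the original post or from Seagate; the share layout, file contents and the list of extensions it treats as executable are constructed for illustration. It baselines a directory tree by SHA-256, diffs a later snapshot against that baseline, and singles out added files whose extension Windows will execute on double-click (such as .scr) regardless of the icon they carry. Note that FIM only detects the drop after it has happened; the entry vector described above, an internet-exposed FTP service with write access and weak credentials, still has to be closed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions Windows runs on double-click even when the file shows a folder or
# photo icon. Miner-C's dropper was a .scr (screensaver executable). Assumed list.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_additions(changes):
    """Added files with an executable extension: the Miner-C pattern on a share."""
    return [p for p in changes["added"] if Path(p).suffix.lower() in EXECUTABLE_EXTENSIONS]


def demo():
    """Build a constructed share, baseline it, then simulate the attacker's drop."""
    with tempfile.TemporaryDirectory() as share:
        public = Path(share) / "Public"
        (public / "Photos").mkdir(parents=True)
        (public / "Photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 64)
        (public / "notes.txt").write_text("shared notes\n")
        baseline = snapshot(share)

        # An attacker with FTP write access drops executables named to look like
        # content, plus a legitimate-looking edit to an existing file.
        (public / "Photo.scr").write_bytes(b"MZ" + b"\x90" * 128)
        (public / "Photos" / "New_Movie_2016.scr").write_bytes(b"MZ" + b"\x90" * 128)
        (public / "notes.txt").write_text("shared notes\nedited\n")

        changes = diff_snapshots(baseline, snapshot(share))
        return changes, suspicious_additions(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    for kind in ("added", "modified", "removed"):
        print(kind, changes[kind])
    print("executable additions:", flagged)
```

In production the baseline would be stored off the NAS (an attacker with write access to the share could otherwise replace it), and the snapshot would run on a schedule or on inotify-style events rather than once.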

Top 20 Malicious IP Addresses

93.184.220.29
188.118.2.26
118.170.130.207
81.183.56.217
46.109.168.179
114.44.192.128
69.195.129.70
87.222.67.194
74.208.167.253
58.218.200.137
106.120.108.154
104.193.254.221
185.93.185.237
185.93.185.235
91.198.174.192
31.184.234.10
31.184.234.11
31.184.234.16
31.184.234.17
31.184.234.15

*IP addresses provided by Recorded Future.