Employee Caused Red Cross Data Breach

This week, the Alert Logic team highlights the Red Cross Data Breach and how Advanced Targeted Attacks Evolved in Q2 of 2017. Read the full report to learn more and get access to the week’s Top Malicious IP addresses.

Breach

Red Cross Data Breach Caused by an Employee

It has been revealed that a Precedent Communications employee was behind the massive data breach that hit the Australian Red Cross Blood Service late last year. Precedent was hired to handle website development and database management.

According to new investigation reports into the breach, a backup of a database file containing information on approximately 550,000 prospective blood donors was inadvertently saved to a public-facing web server by an employee on September 5, 2016. The reports also found that Precedent did not meet two Australian Privacy Principle requirements.

References: Australian Red Cross Data Breach Caused by Third-Party Error | Aussie Blood Data Breach Highlights Third Party Risk | Red Cross Data Breach That Impacted 550,000 Donors was Caused by ‘Human Error’

Mitigation Strategies:

  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Web application firewall management and advanced anomaly detection.
  • FIM solution would detect any type of file modification or addition.
  • Encryption could render the stored information intelligible only to authorized parties, denying its content to a would-be attacker who obtains the file.
  • Log management could detect any suspicious user account activity.
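The FIM bullet above is the control most directly matched to this incident: the breach was not an intrusion but a file appearing where it should not have been. As an added illustration (not Alert Logic's product code and not taken from the incident reports), the script below takes a baseline of a public web root, rescans it, reports added, modified and removed files, and separately flags additions whose extension suggests a database dump or backup. The web root contents, the file names and the list of sensitive extensions are all constructed for this example.

```python
"""Minimal file-integrity check over a public web root (added example).

Takes a baseline snapshot of the directory, rescans later, and reports
added, modified and removed files. Additions whose names look like
database dumps or backups are flagged separately, because a backup
landing in a public web root is exactly the failure in the Red Cross case.
Paths, extensions and the sample files below are constructed for this
example, not taken from the incident reports.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions that have no business in a public web root (assumption for the example).
SENSITIVE_SUFFIXES = {".sql", ".bak", ".dump", ".zip", ".gz", ".tar"}


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 and size."""
    base = Path(root)
    return {
        str(p.relative_to(base)): {"sha256": _sha256(p), "size": p.stat().st_size}
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; returns sorted lists of added, modified and removed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "modified": modified, "removed": removed}


def flag_sensitive(paths) -> list:
    """Return the subset of paths whose suffix suggests a dump or backup file."""
    return sorted(p for p in paths if Path(p).suffix.lower() in SENSITIVE_SUFFIXES)


def demo() -> dict:
    """Simulate a web root: baseline, then a backup quietly appears and a page is edited."""
    with tempfile.TemporaryDirectory() as root:
        webroot = Path(root)
        (webroot / "index.html").write_text("<h1>Donate blood</h1>")
        (webroot / "css").mkdir()
        (webroot / "css" / "site.css").write_text("body{}")
        baseline = snapshot(root)

        # Constructed events: a database backup saved into the public web root,
        # and a legitimate content edit that should show up only as "modified".
        (webroot / "donors_backup.sql").write_bytes(b"INSERT INTO donors VALUES (...);\n")
        (webroot / "index.html").write_text("<h1>Donate blood today</h1>")

        changes = diff_snapshots(baseline, snapshot(root))
        changes["flagged"] = flag_sensitive(changes["added"])
        return changes


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

In a real deployment the baseline would be stored outside the web root (and ideally off the host), the rescan would run on a schedule or from inotify-style events, and a hit on the flagged list would page the SOC rather than print to a console; the point of the example is that the check itself is simple, and that the extension filter turns a noisy "something changed" alert into the specific "a backup is sitting in a public directory" finding that would have caught this incident.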

Malware

Advanced Targeted Attacks Evolved in the Second Quarter of 2017

The second quarter of 2017 saw sophisticated threat actors unleash a wealth of new and enhanced malicious tools, including three zero-day exploits and two unprecedented attacks: WannaCry and ExPetr.

Researchers highlighted Sofacy and Turla as the attackers behind APT campaigns. The Russian-speaking groups added new ways to bypass detection, crafted new payloads to drop, and identified new zero days and backdoors to help them infect users and maintain persistence on machines.

References: Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity | The Epic Turla Operation | Kaspersky Reviews in a New Report the Most Prominent Cyber Attacks During the Second Quarter of 2017

Mitigation Strategies:

  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management could detect any suspicious user account activity.
  • Mail filtering would scan incoming attachments and hyperlinks for malicious links or code.
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • FIM solution would detect any type of file modification or addition.

This Week's Suspicious IP Addresses

  • 24.41.255.142
  • 64.85.198.227
  • 96.234.33.32
  • 195.154.183.111
  • 200.114.207.57
  • 103.207.37.102

*IP addresses provided by Recorded Future.