Equifax’s Website Breached Again

This week, we hear about Equifax's website getting breached again and CryptXXX 2.0 Ransomware bypassing decryption tool.

Breach

Equifax’s Website Breached Again

Equifax Inc., one of the big-three U.S. credit bureaus, has leaked W-2 information for an undisclosed number of US employees through its W-2 eXpress website. The attackers gained access to Equifax’s W-2 eXpress website by supplying personally identifiable information of employees, including the last four digits of SSNs and dates of birth. They were then able to file fraudulent tax returns with the IRS, even if the affected individual was not due a return.

One of the nation’s largest grocery store chains, Kroger Co., sent a letter to all of its more than 431,000 employees notifying them that they might be affected by this breach. Equifax provides the W-2 eXpress service to large employers such as Kroger Co., making employees’ electronic W-2 forms accessible over Equifax’s website. Kroger Co. is not yet sure how many individuals had their sensitive information compromised. This news comes in the same year that both Stanford and Northwestern University had employee information leaked via the Equifax web portal.

References: Crooks Grab W-2s from Credit Bureau Equifax | Kroger Hit By W-2 Data Breach At Equifax | Equifax 'suffers data breach, losing 431,000 workers' details'

Mitigation Strategies:

  • Log management could detect suspicious user account activity.
  • A Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Netflow traffic analysis may also reveal large data transfers and data leakage.
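The first and third points above, shown as detection logic over portal logs. This is an added example, not code from the newsletter or from Equifax; the log format, field names, account names and IP addresses are constructed assumptions, not a real W-2 eXpress log schema.

```python
# Added example: flag the W-2 portal abuse pattern in which one source logs in
# to many different employee accounts using harvested PII. Log format is assumed.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample portal log: timestamp, source IP, employee account, event.
SAMPLE_LOG = """\
2016-05-02T09:00:01 10.0.0.5 emp1001 LOGIN_OK
2016-05-02T09:00:07 10.0.0.5 emp1001 W2_DOWNLOAD
2016-05-02T09:01:12 198.51.100.7 emp2001 LOGIN_OK
2016-05-02T09:01:15 198.51.100.7 emp2001 W2_DOWNLOAD
2016-05-02T09:01:40 198.51.100.7 emp2002 LOGIN_OK
2016-05-02T09:01:44 198.51.100.7 emp2002 W2_DOWNLOAD
2016-05-02T09:02:03 198.51.100.7 emp2003 LOGIN_FAIL
2016-05-02T09:02:09 198.51.100.7 emp2003 LOGIN_OK
2016-05-02T09:02:30 198.51.100.7 emp2004 LOGIN_OK
2016-05-02T09:02:33 198.51.100.7 emp2004 W2_DOWNLOAD
"""

def parse(log_text):
    """Parse each line into a (timestamp, ip, account, event) tuple."""
    rows = []
    for line in log_text.splitlines():
        ts, ip, account, event = line.split()
        rows.append((datetime.fromisoformat(ts), ip, account, event))
    return rows

def flag_account_hopping(rows, window=timedelta(minutes=10), max_accounts=3):
    """Return {ip: [accounts]} for source IPs that logged in successfully to
    more than max_accounts distinct employee accounts inside one window."""
    logins = defaultdict(list)            # ip -> [(timestamp, account)]
    for ts, ip, account, event in rows:
        if event == "LOGIN_OK":
            logins[ip].append((ts, account))
    flagged = {}
    for ip, hits in logins.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {acct for ts, acct in hits[i:] if ts - start <= window}
            if len(seen) > max_accounts:
                flagged[ip] = sorted(seen)
                break
    return flagged

def w2_downloads_per_ip(rows):
    """Count W-2 downloads per source IP: the bulk-transfer signal that daily
    log review or netflow analysis would surface."""
    counts = defaultdict(int)
    for _, ip, _, event in rows:
        if event == "W2_DOWNLOAD":
            counts[ip] += 1
    return dict(counts)
```

A legitimate employee touches one account; a source walking through several accounts in minutes, each followed by a W-2 download, is the pattern a SOC would alert on.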

Malware

CryptXXX 2.0 Ransomware Bypasses Previous Decryption Tool

The actors behind the CryptXXX ransomware, which was first discovered last month by researchers at Proofpoint, have been hard at work modifying the malware to make it even more dangerous. Shortly after it was discovered, Kaspersky Labs released a decryption tool that affected users could use to recover encrypted files. However, the newest version, CryptXXX 2.0, can now bypass that tool.

The number of actors spreading the CryptXXX 2.0 ransomware has increased, quickly making it one of the most common ransomware families seen. Furthermore, CryptXXX 2.0 is frequently dropped by the Angler exploit kit, the most widespread exploit kit in the world, making it even more dangerous to end users. The constant evolution and development of the CryptXXX ransomware suggests that it will continue to compete in the malware landscape.

References: CryptXXX 2.0: Ransomware Authors Strike Back Against Free Decryption Tool | Bad guys update 7ev3n and CryptXXX ransomware | Prince of pop trash PerezHilton pwned, visitors hit with Cryptxxx

Mitigation Strategies:

Top 20 IP Addresses


*IP addresses provided by Recorded Future.