Illinois Employment Department Breached

This week, the Alert Logic ActiveIntelligence team highlights the data breach at the Illinois Department of Employment Security, which affected 1.4 million job seekers, and the Apache Struts 2 campaign that is now delivering ransomware to servers.

Breach

1.4M Affected in Data Breach at Illinois Employment Department

The FBI is investigating a data breach at the Illinois Department of Employment Security. The department says the personal information of about 1.4 million job seekers registered on its online job board was accessed without authorization last month. There is no indication so far that anyone's information has been misused.

References: Employment Agency Security Breach Affects 1.4 Million Residents | 1.4M Illinois Job Seekers May have had Personal Data Hacked | Vendor Contracted by Illinois Department of Employment Security Data Breached

Mitigation Strategies:

  • Intrusion detection system (IDS) signatures detect intrusion attempts and network anomalies.
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management surfaces suspicious user account activity.
  • NetFlow traffic reveals large data transfers and potential data leakage. It may also reveal outbound connections to countries you do not do business in, which can be an indicator of malicious activity.
  • Web application firewall management and advanced anomaly detection.
  • An application code audit scans your code for vulnerabilities that might allow an attacker to compromise the application.
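As an added illustration of the NetFlow point above (this is example code written for this post, not an Alert Logic tool), the script below sums outbound bytes per internal host over a set of flow records and separately flags destinations whose country is not on an expected list. The flow records, the GeoIP lookup table, the `10.0.0.0/8` internal range and the 100 MB threshold are all constructed for the example; a real deployment would read exported flows and a GeoIP database.

```python
"""Added example (not from the Alert Logic bulletin): flag possible data
leakage in NetFlow-style records by (a) summing outbound bytes per internal
host and (b) noting destinations in countries outside an expected list.
All records, the country lookup and the threshold below are constructed."""
from collections import defaultdict
import ipaddress

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.0.5.12", "203.0.113.9", 443, 120_000_000),
    ("10.0.5.12", "203.0.113.9", 443, 95_000_000),
    ("10.0.5.40", "198.51.100.7", 443, 4_000),
    ("10.0.5.40", "192.0.2.33", 22, 1_500_000),
    ("10.0.5.77", "10.0.9.1", 445, 900_000_000),   # internal-to-internal, ignored
]

# Constructed GeoIP lookup; a real deployment would query a GeoIP database.
DST_COUNTRY = {"203.0.113.9": "XX", "198.51.100.7": "US", "192.0.2.33": "US"}
EXPECTED_COUNTRIES = {"US", "CA"}          # constructed business footprint
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BYTES_THRESHOLD = 100_000_000               # 100 MB per host per window (constructed)


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def outbound_bytes_per_host(flows):
    """Sum bytes sent from internal hosts to external destinations."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def find_large_transfers(flows, threshold=BYTES_THRESHOLD):
    """Internal hosts whose total outbound volume reaches the threshold."""
    return sorted(h for h, b in outbound_bytes_per_host(flows).items() if b >= threshold)


def find_unexpected_countries(flows, geo=DST_COUNTRY, expected=EXPECTED_COUNTRIES):
    """(src, dst, country) triples for external destinations outside the expected set."""
    hits = set()
    for src, dst, _port, _nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            country = geo.get(dst, "??")   # unknown geolocation is also worth a look
            if country not in expected:
                hits.add((src, dst, country))
    return sorted(hits)


if __name__ == "__main__":
    print("large transfers:", find_large_transfers(FLOWS))
    print("unexpected countries:", find_unexpected_countries(FLOWS))
```

Two flows of 120 MB and 95 MB from the same host add up to 215 MB, so per-host aggregation catches a transfer that no single flow record would; the same host's destination also resolves to a country outside the expected set, which is the kind of corroborating signal an analyst would pivot on.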

Malware

Apache Struts 2 Campaign Targets Servers with Ransomware

Researchers have observed new variations in the campaigns targeting the Apache Struts 2 vulnerability. F5 Networks researchers watched one such campaign pivot on March 20, when it began delivering Cerber ransomware to compromised servers.

References: From DDoS to Server Ransomware: Apache Struts 2 - CVE-2017-5638 Campaign | Cerber for Servers: Apache Struts2 Campaign Targets Servers with Ransomware | Apache Struts 2 Attack Campaign Vulnerability

Mitigation Strategies:

  • A file integrity monitoring (FIM) solution detects any file modification or addition.
  • Intrusion detection system (IDS) signatures detect intrusion attempts and network anomalies.
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • A vulnerability scanner identifies unpatched Struts 2 installations and other potential vulnerabilities in the environment.
  • Web application firewall management and advanced anomaly detection.
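CVE-2017-5638 is triggered by an OGNL expression placed in the Content-Type header of a request to the Struts 2 Jakarta multipart parser, so the cheapest IDS or WAF signal is a Content-Type value that looks like an expression rather than a MIME type. The script below, an example added for this post rather than code from Alert Logic or F5, applies that check to request log lines. The log format and every sample line are constructed, and the expression in the flagged line is a neutral placeholder, not a working payload.

```python
"""Added example (not the bulletin's or F5's code): a log check for the
CVE-2017-5638 pattern, an OGNL expression in the Content-Type request header.
The log format and all sample lines are constructed."""
import re

# Constructed access-log style lines: client "METHOD path" status "content_type"
SAMPLE_LOG = [
    '198.51.100.4 "POST /struts2-showcase/upload.action" 200 "multipart/form-data; boundary=----abc123"',
    '203.0.113.8 "POST /struts2-showcase/upload.action" 200 "%{(#x=1).(#y=2)}"',
    '203.0.113.8 "GET /index.action" 200 "-"',
    '192.0.2.55 "POST /api/items" 201 "application/json"',
]

LINE_RE = re.compile(r'^(\S+) "([A-Z]+) ([^"]*)" (\d{3}) "([^"]*)"$')
# OGNL expression delimiters plus Struts-specific names; a legitimate MIME
# type never contains any of these.
OGNL_RE = re.compile(r'%\{|\$\{|#_memberAccess|ognl', re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status, ctype = m.groups()
    return {"client": client, "method": method, "path": path,
            "status": int(status), "content_type": ctype}


def is_ognl_content_type(content_type):
    """True when the header looks like an OGNL expression rather than a MIME type."""
    return bool(OGNL_RE.search(content_type))


def find_struts_attempts(lines):
    """Return (client, path, content_type) for each line matching the pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_ognl_content_type(rec["content_type"]):
            hits.append((rec["client"], rec["path"], rec["content_type"]))
    return hits


if __name__ == "__main__":
    for client, path, ctype in find_struts_attempts(SAMPLE_LOG):
        print(f"possible Struts 2 OGNL attempt from {client} to {path}: {ctype}")
```

A real multipart upload with its boundary parameter passes the check untouched, which keeps false positives down, but this is a signature for one delivery mechanism, not a fix: the Struts 2 install itself still has to be patched, which is what the vulnerability-scanner item in the list is for.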

This Week's Suspicious IP Addresses

218.65.30.61
141.8.226.58
123.183.209.137
162.156.13.186
221.229.162.204
118.170.130.207

*IP addresses provided by Recorded Future.