Major Data Breach Strikes Cloudflare

This week, the Alert Logic ActiveIntelligence team highlights a major data breach at Cloudflare and the EyePyramid malware used in high-profile hacks in Italy.

Breach

Major Data Breach Strikes Cloudflare

Cloudflare, an internet service provider that manages 10 percent of all web traffic, has been leaking assorted bits of customer information — passwords, cookies, personal information, messages and more — since a bug appeared in their code in September 2016. The bug went undetected for years, but was itself blocked from leaking data by the way Cloudflare had configured its service. The company recently made some changes to its software, and those changes allowed the bug to begin leaking private data in a way it hadn’t previously done.

The issue was fixed last Friday, and Cloudflare recommends changing your passwords to avoid being put at risk and keeping an eye on your accounts to watch for suspicious activity.

References: Headache for Cloudflare and Potentially Some Clients Over Data Leak | Bug Causes Personal Data Leak, but No Sign of Hackers Exploiting: Cloudflare | Cloudflare Data Leak Potentially Exposed Trove of Passwords, Personal Information for Months

Mitigation Strategies:

  • Scanning application code for vulnerabilities
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies
  • A Security Operations Center team provides 24x7 security monitoring and daily log review
  • Web application firewall management and advanced anomaly detection
  • Netflow traffic shows large data transfers and potential data leakage. Netflow traffic may also reveal outbound connections to countries you may not do business in, which may be an indicator of malicious activity

Malware

EyePyramid Malware Used in High-Profile Hacks in Italy

Two Italian citizens were arrested last Tuesday by Italian authorities for exfiltrating sensitive data from high-profile Italian targets. Authorities said more than 18,000 email accounts had been compromised and 87 gigabytes worth of data had been stolen.

The attacks had been carried out since at least 2010 and relied on a piece of malware dubbed EyePyramid. The malware was spread using spear-phishing emails and its level of sophistication was low. However, the malware is flexible enough to grant access to all the resources on the victim’s computer. Although the Italian Police report doesn’t include malware hashes, it identified a number of C&C servers and e-mail addresses used by the malware for exfiltration of stolen data.

References: Threat Spotlight: EyePyramid Malware | EyePyramid Clears the Way for Future Malware Attacks | The “EyePyramid” Attacks

Mitigation Strategies:

  • Mail filtering would scan incoming files and hyperlinks for malicious links or code
  • A file integrity monitoring (FIM) solution would detect any type of file modification or addition
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection
  • Log management could detect any suspicious user account activity
  • Netflow traffic shows large data transfers and potential data leakage. Netflow traffic may also reveal outbound connections to countries you may not do business in, which may be an indicator of malicious activity
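The Netflow mitigation listed for both stories above boils down to two checks: unusually large outbound volume from one host, and outbound connections to countries the organisation has no business with. The following is an added example (not Alert Logic's code) that applies both checks to a handful of constructed flow records; the allowed-country set, the byte threshold and the flow records themselves are assumptions for illustration.

```python
# Added example: review NetFlow-style records for the two conditions named in
# the mitigation list (large outbound transfers, outbound connections to
# countries outside the business footprint). Records and thresholds are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Countries the (hypothetical) organisation does business in.
ALLOWED_COUNTRIES = {"US", "GB", "DE"}
# Per-source outbound byte volume over the review window above which we alert (assumed).
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # 500 MiB

# RFC 1918 ranges; anything destined outside them is treated as outbound.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_country, bytes_out).
# The country tag would normally come from a GeoIP lookup on dst_ip.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", "US", 12_000),
    ("10.0.0.5", "203.0.113.10", "US", 340_000_000),
    ("10.0.0.5", "203.0.113.10", "US", 260_000_000),
    ("10.0.0.7", "198.51.100.8", "BR", 4_500),
    ("10.0.0.9", "192.0.2.44",   "DE", 8_000),
    ("10.0.0.9", "10.0.0.20",    "",   900_000_000),  # internal copy, not outbound
]

def is_outbound(dst_ip: str) -> bool:
    """True when the destination lies outside the RFC 1918 internal ranges."""
    addr = ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)

def review_flows(flows, allowed=ALLOWED_COUNTRIES, threshold=LARGE_TRANSFER_BYTES):
    """Return (src_ip, reason) alerts: geography alerts per flow, then volume alerts per host."""
    outbound_bytes = defaultdict(int)
    alerts = []
    for src, dst, country, nbytes in flows:
        if not is_outbound(dst):
            continue
        outbound_bytes[src] += nbytes
        if country and country not in allowed:
            alerts.append((src, f"outbound connection to {dst} in {country}"))
    for src, total in outbound_bytes.items():
        if total > threshold:
            alerts.append((src, f"large outbound transfer: {total} bytes"))
    return alerts

if __name__ == "__main__":
    for src, reason in review_flows(SAMPLE_FLOWS):
        print(f"ALERT {src}: {reason}")
```

Note that the volume check aggregates per source host across the window, so a transfer split into several flows (as 10.0.0.5 does above) still trips the threshold.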

This Week's Suspicious IP Addresses

  • 46.109.168.179
  • 188.225.35.79
  • 118.170.130.207
  • 188.118.2.26
  • 195.162.95.50
  • 107.179.45.24

*IP addresses provided by Recorded Future.