Scottrade Breach Exposes 20,000 Clients

This week, the Alert Logic ActiveIntelligence team highlights how a Scottrade Bank data breach exposed 20,000 clients and how a cyber espionage group uses spyware to backdoor targeted systems.

Breach

Scottrade Bank Data Breach Exposes 20,000 Clients

Scottrade Bank, a subsidiary of Scottrade Financial Services, Inc., recently secured an MSSQL database containing sensitive personal information on at least 20,000 customers that had been inadvertently left exposed to the public. The exposed database was not encrypted and included information such as Social Security Numbers, names, addresses, phone numbers, and other information that one would expect a bank to possess.

Scottrade Bank released a statement saying that it is working with federal law enforcement to investigate the theft and believes that contact information was the primary goal of those responsible for compromising the database where the data was stored.

References: Scottrade Bank Data Breach Exposes 20,000 Customer Records | Scottrade Bank Data Breach Exposes 20,000 Customers' Personal Information | Scottrade Bank Data Breach Exposes 20,000 Customer Records

Mitigation Strategies:

  • Web application firewall management and advanced anomaly detection. 
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies.
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • FIM solution would detect any type of file modification or addition.
  • Security Group acts as a virtual firewall that controls the traffic for one or more instances.

Malware

Cyber Espionage Group Uses Spyware to Backdoor Targeted Systems

A Russian cyber espionage group, referred to as APT29, is using a stealthy backdoor to gain access to victim environments. This new spyware technique is being called POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). APT29 deploys POSHSPY as a secondary backdoor for use if it loses access to its primary backdoors. As stealthy as POSHSPY can be, it comes to light quickly if you know where to look.

References: Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) | POSHSPY Ensures Permanent Access to Targeted Systems | APT29 Uses Stealthy Backdoor to Maintain Access to Targets

Mitigation Strategies:

  • FIM solution would detect any type of file modification or addition.
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies.
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management could detect any suspicious user account activity.
  • Security Group acts as a virtual firewall that controls the traffic for one or more instances.
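Knowing where to look means enumerating WMI permanent event subscriptions, the filter/consumer/binding triplets in the root\subscription namespace that the POSHSPY write-ups describe as the persistence mechanism. The script below is an added example for this post, not code from Alert Logic or from the referenced reports. It assumes an elevated Windows PowerShell session on the host being examined; the namespace, class names and property names are standard WMI, while the keyword list used to flag consumers is a constructed heuristic, not a signature taken from the page.

```powershell
# Added example (not from the Alert Logic post or the POSHSPY reports):
# list every WMI permanent event subscription on this host and flag any
# consumer whose action launches PowerShell or looks obfuscated.

$ns = 'root\subscription'

# A permanent subscription is three objects: a filter (the WQL trigger),
# a consumer (the action), and the binding that ties the two together.
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # all derived consumer classes
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Constructed heuristic: substrings that make a consumer's action worth a closer look.
$suspect = @('powershell', '-enc', '-encodedcommand', 'frombase64string',
             'invoke-expression', 'iex ', 'downloadstring', 'hidden', 'bypass')

# Get-WmiObject returns reference properties as paths such as
# __EventFilter.Name="MyFilter"; pull the Name out of that string.
function Get-RefName([string]$ref) {
    if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
    return $ref
}

# Describe what a consumer does when it fires, whatever its concrete class.
function Get-ConsumerAction($c) {
    switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { return "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' {
            if ($c.ScriptText) { return $c.ScriptText } else { return "script file: $($c.ScriptFileName)" }
        }
        default                     { return "($($c.__CLASS))" }
    }
}

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

    $action = if ($c) { Get-ConsumerAction $c } else { '<consumer missing>' }
    $hits   = $suspect | Where-Object { $action -match [regex]::Escape($_) }

    [pscustomobject]@{
        Filter        = $fName
        Query         = if ($f) { $f.Query } else { '<filter missing>' }
        ConsumerClass = if ($c) { $c.__CLASS } else { '' }
        Consumer      = $cName
        Action        = $action
        Suspicious    = [bool]$hits
        Indicators    = ($hits -join ', ')
    }
}

# Flagged bindings first. Every binding is printed because legitimate
# subscriptions (for example the SCM Event Log binding) exist on many hosts,
# so the reviewer decides rather than the keyword list.
$report | Sort-Object Suspicious -Descending | Format-List

# Filters and consumers with no binding are also worth noting: a binding can
# be deleted and re-created later, leaving the other two pieces staged.
$boundFilters   = @($report | ForEach-Object { $_.Filter })
$boundConsumers = @($report | ForEach-Object { $_.Consumer })
$filters   | Where-Object { $_.Name -notin $boundFilters }   |
    ForEach-Object { "Unbound filter:   $($_.Name)  $($_.Query)" }
$consumers | Where-Object { $_.Name -notin $boundConsumers } |
    ForEach-Object { "Unbound consumer: $($_.Name)  ($($_.__CLASS))" }
```

Run it as an administrator, since the subscription namespace is not readable by standard users. On PowerShell 7, where Get-WmiObject is absent, the same classes can be read with Get-CimInstance, but reference properties then come back as objects rather than path strings, so Get-RefName would need to read the Name property instead of matching a string. A clean host typically shows only the built-in binding; a CommandLineEventConsumer or ActiveScriptEventConsumer whose action invokes PowerShell on a timer or logon trigger is the pattern the referenced reports describe and should be investigated.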

This Week's Suspicious IP Addresses

123.183.209.136
116.31.116.46
61.177.172.53
61.177.172.54
195.3.144.216
82.247.137.26

*IP addresses provided by Recorded Future.