Sensitive Customer Data Leaked From ADP

This week, we hear about the recent leak of sensitive customer data from payroll, tax, and benefits administrator ADP and a new ransomware that claims payment will go to charity.

Breach

Sensitive Customer Data Leaked From ADP

ADP, the payroll, tax, and benefits administrator used by over 640,000 companies, has mistakenly exposed sensitive data, including its customers’ employee tax and salary information. ADP customer U.S. Bank, the nation’s fifth-largest commercial bank, warned its employees that their tax data had been compromised due to a vulnerability in ADP’s customer portal. This is problematic because the thieves behind this breach can use the stolen information to fraudulently file for a tax refund in someone else’s name.

ADP claims their systems were not compromised, and that this breach stemmed from an authentication code posted by U.S. Bank on an insecure page, thus allowing the thieves access to the ADP portal. ADP released a statement that they are working with federal law enforcement to uncover the perpetrators behind this theft.

References: ADP Data Used in US Bank Employee W-2 Breach | Fraudsters Steal Tax, Salary Data From ADP | US Bank Workers, ADP Hit by Tax Refund Thieves

Mitigation Strategies:

  • Log management detects any suspicious user account activity.
  • The Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management, and advanced anomaly detection.
  • IDS signatures detect the intrusion and possible data leakage.

Malware

New Ransomware Says Payment Will Go to Charity

A new ransomware has emerged, with the claim that ransom money will be donated to a children’s charity. Like traditional ransomware, it encrypts all the data on a PC before demanding the ransom. The key difference is that the ransom note informs users that their files are locked, directs them to send 5 bitcoins—approximately $2,200—to a specific email address, and informs them that “Many children will receive presents and medical help!”

“Based on research by Colombian security analysis group Nyxbone, the threat is a combination of ransomware families, such as CryptoWall 3.0, CryptoWall 4.0, and the recent CryptXXX.” Infection begins with a spam email containing links to malicious websites. When users visit these websites with a browser that has unpatched vulnerabilities, the ransomware is installed and automatically starts the encryption process.

References: New CryptMix Ransomware Promises to Give Money to a Children’s Charity | What Are the Odds That a Ransomware Payment Will Go to a Children’s Charity?

Mitigation Strategies:

Top 20 IP Addresses

  • 46.109.168.179
  • 188.118.2.26
  • 118.170.130.207
  • 81.183.56.217
  • 114.44.192.128
  • 87.236.19.30
  • 93.174.93.94
  • 183.60.48.25
  • 188.209.52.22
  • 89.32.40.0/24
  • 185.58.227.227
  • 185.118.66.0/24
  • 89.32.40.128/26
  • 158.85.253.245
  • 41.71.178.0/24
  • 104.219.238.10
  • 46.166.165.79
  • 84.245.33.104
  • 193.200.80.26
  • 207.244.76.204

*IP addresses provided by Recorded Future.
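The mitigation bullets above rely on log review and indicator matching, and the list mixes single hosts with CIDR ranges (two of them overlapping: 89.32.40.0/24 and 89.32.40.128/26). The script below is an added example, not code from the newsletter or from Recorded Future: it parses the list as published, then scans constructed web-server log lines (combined log format, invented for the example) for client addresses that fall inside any indicator, reporting the most specific match. The log lines, paths and timestamps are made up; the indicator list is the one printed above.

```python
import ipaddress
import re

# The Top 20 list exactly as printed in the newsletter (Recorded Future).
# Single hosts and CIDR ranges are mixed, so every token is parsed as a network.
INDICATORS = """
46.109.168.179 188.118.2.26
118.170.130.207 81.183.56.217
114.44.192.128 87.236.19.30
93.174.93.94 183.60.48.25
188.209.52.22 89.32.40.0/24
185.58.227.227 185.118.66.0/24
89.32.40.128/26 158.85.253.245
41.71.178.0/24 104.219.238.10
46.166.165.79 84.245.33.104
193.200.80.26 207.244.76.204
"""

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
89.32.40.150 - - [05/May/2016:10:12:01 +0000] "GET /portal/login HTTP/1.1" 200 512
10.0.0.5 - - [05/May/2016:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024
185.118.66.17 - - [05/May/2016:10:13:44 +0000] "POST /portal/register HTTP/1.1" 302 0
203.0.113.9 - - [05/May/2016:10:14:02 +0000] "GET /about HTTP/1.1" 200 2048
207.244.76.204 - - [05/May/2016:10:15:30 +0000] "GET /portal/w2 HTTP/1.1" 403 128
"""

# The client address is the first whitespace-delimited field of a combined-format line.
CLIENT_IP_RE = re.compile(r"^(\S+) ")


def parse_indicators(text):
    """Parse the whitespace-separated list into ip_network objects.

    A bare host becomes a /32 network, so hosts and ranges are matched the same way.
    strict=False tolerates ranges whose host bits are not all zero.
    """
    return [ipaddress.ip_network(token, strict=False) for token in text.split()]


def match_indicator(ip_str, nets):
    """Return the most specific indicator network containing ip_str, or None.

    Overlapping ranges (here 89.32.40.0/24 and 89.32.40.128/26) are resolved by
    longest prefix, so an analyst sees the tightest indicator that fired.
    Malformed addresses return None instead of raising.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    # 'addr in net' is False when the IP versions differ, so mixed lists are safe.
    matches = [net for net in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda net: net.prefixlen)


def scan_log(log_text, nets):
    """Return (line_number, client_ip, indicator) for every line whose client matches."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = CLIENT_IP_RE.match(line)
        if not m:
            continue
        net = match_indicator(m.group(1), nets)
        if net is not None:
            hits.append((lineno, m.group(1), str(net)))
    return hits


if __name__ == "__main__":
    nets = parse_indicators(INDICATORS)
    for lineno, ip, net in scan_log(SAMPLE_LOG, nets):
        print(f"line {lineno}: {ip} matched indicator {net}")
```

Run against the constructed log, lines 1, 3 and 5 match (89.32.40.150 reports the /26 rather than the /24 because of the longest-prefix rule). In a real deployment the same `match_indicator` routine can be fed from a SIEM export or a proxy log, and the indicator list should be refreshed rather than hard-coded, since the addresses in a weekly digest age quickly.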