Unauthorized Parties Gain Access to Tax Database

This week, we hear the latest on the TaxAct data breach and new developments in the BlackEnergy malware story.

Breach

Unauthorized Parties Gain Access to Tax Database 

TaxAct, a maker of tax-preparation software, has informed its customers that an unauthorized third party gained access to some customer accounts in late 2015. According to a notification letter released by TaxAct, accounts created between November 10, 2015 and December 4, 2015 may have been compromised by a cyber criminal. There is evidence the attacker viewed, and possibly copied or printed, stored tax returns, gaining access to names, addresses, Social Security numbers, driver's license numbers and bank account information.

TaxAct did not give a figure for the number of people affected; it said it suspended fewer than 0.25% of accounts after identifying instances of suspicious activity. TaxAct believes the login credentials used in the attack were obtained from a source outside TaxAct rather than from its own systems.

The company disabled affected accounts and has offered customers a year of free credit monitoring, a $1 million insurance reimbursement policy, and access to ID protection experts.  

References: TaxAct breached: Customer banking and Social Security information compromised | TaxAct Acknowledges Data Breach

Mitigation Strategies:

Malware

Ukraine Power Outage Linked to Spear Phishing Attack 

A power cut in western Ukraine last month was caused by a spear-phishing attack, according to the U.S. Department of Homeland Security (DHS).

The attack caused a blackout for 80,000 customers of western Ukraine's Prykarpattyaoblenergo utility. Experts have described the incident as the first known power outage caused by a cyber attack. Ukraine's state security service has attributed the attack to state-sponsored hackers from Russia.

DHS said the BlackEnergy malware used in the attack appears to have infected Ukrainian systems via a malicious Microsoft Word attachment. The same malware was detected in 2014 within systems at U.S. facilities, but there was no known successful disruption to the U.S. grid.

Crimea, the region annexed from Ukraine by Russia, has suffered repeated power cuts since Russia seized the territory in March 2014. Russia has blamed pro-Ukraine saboteurs for the outages.

Independent analysts have linked the recent spear phishing attack to Russia. iSight Partners, a U.S. security firm, said the probable culprit was the so-called "Sandworm Team," a Russian hacking group it has been tracking for more than a year. "We have linked the Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that has become their calling card," John Hultquist, director of cyber espionage analysis at iSight Partners, said in a blog post.

A report released by SANS ICS over the weekend concluded hackers probably caused Ukraine's six-hour outage by remotely switching breakers in a way that cut power.

References: Hackers caused power cut in western Ukraine | Analysis confirms coordinated hack attack caused Ukrainian power outage

Mitigation Strategies:

  • Intrusion Detection System (IDS) signatures that match the malware's specifically observed callback (command-and-control) addresses and traffic
  • NetFlow data, which may reveal unusually large outbound transfers indicative of data leakage
  • Log management, which can surface the attacker's external IP addresses, provided the relevant systems are configured to log them
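As an added example (not from the original bulletin or any of the cited reports), the following Python script applies the three detections above to a handful of constructed NetFlow-style records: it matches destinations against a callback indicator list, sums outbound bytes per internal-to-external pair to find large transfers, and extracts every external address that touched an internal host. The callback addresses, internal ranges, byte threshold and sample flows are all assumptions for illustration; the real BlackEnergy callback indicators are not reproduced here and would come from the referenced advisories.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Hypothetical callback (C2) indicators, chosen from documentation address
# space for this example. They are NOT the BlackEnergy indicators.
CALLBACK_INDICATORS = {"203.0.113.45", "198.51.100.7"}

# Assumption: RFC 1918 space is "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a single internal host sending this much to one external host is worth a look.
LARGE_TRANSFER_BYTES = 500_000_000


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    bytes_out: int


# Constructed flow records in a NetFlow-like shape (not real telemetry).
SAMPLE_FLOWS = [
    Flow("10.1.20.15", "10.1.1.5", 445, 120_000),            # ordinary internal file-share traffic
    Flow("10.1.20.15", "203.0.113.45", 443, 8_192),          # small beacon to a hypothetical callback IP
    Flow("10.1.20.15", "203.0.113.45", 443, 4_096),          # second beacon
    Flow("10.1.20.22", "198.51.100.200", 443, 600_000_000),  # 600 MB out to one external host
    Flow("10.1.20.22", "198.51.100.200", 443, 250_000_000),  # another 250 MB to the same host
    Flow("10.1.30.8", "192.0.2.10", 80, 15_000),             # ordinary web browsing
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_callbacks(flows: List[Flow], indicators: Set[str] = CALLBACK_INDICATORS) -> List[Flow]:
    """IDS-style match: every flow whose destination is a known callback address."""
    return [f for f in flows if f.dst in indicators]


def flag_large_transfers(flows: List[Flow], threshold: int = LARGE_TRANSFER_BYTES) -> Dict[Tuple[str, str], int]:
    """Sum outbound bytes per (internal src, external dst) and keep pairs at or over the threshold.

    Summing across flows matters: an exfiltration split into many sessions
    never exceeds the threshold in any single record.
    """
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return {pair: total for pair, total in totals.items() if total >= threshold}


def external_peers(flows: List[Flow]) -> Set[str]:
    """Every external address that exchanged traffic with an internal host (the 'attacker IP' view)."""
    peers: Set[str] = set()
    for f in flows:
        for ip in (f.src, f.dst):
            if not is_internal(ip):
                peers.add(ip)
    return peers


def triage(flows: List[Flow]) -> dict:
    """Run all three detections and return one report suitable for an analyst queue."""
    return {
        "callbacks": flag_callbacks(flows),
        "large_transfers": flag_large_transfers(flows),
        "external_peers": sorted(external_peers(flows), key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FLOWS)
    for name, hits in report.items():
        print(f"{name}: {hits}")
```

The beacons to 203.0.113.45 are tiny and would never trip the volume check, while the 850 MB to 198.51.100.200 trips the volume check without matching any indicator, which is why the bulletin lists signature-based and flow-based detection as separate controls.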

Top 20 IP Addresses

  • 217.114.218.18
  • 92.249.104.63
  • 31.204.150.138
  • 162.248.52.111
  • 180.97.221.22
  • 82.199.130.34
  • 23.251.32.154
  • 185.26.122.13
  • 209.58.130.151
  • 209.58.131.168
  • 209.17.114.78
  • 78.129.180.33
  • 176.124.138.110
  • 190.121.21.211
  • 88.198.41.86
  • 213.251.182.115
  • 216.155.144.251
  • 104.194.26.205
  • 198.1.110.182
  • 31.204.152.102

These IPs are collated from the most frequent IP addresses that are detected as having attempted to attack our customers. Occasionally this list may include the IP addresses of legitimate penetration testers who have been contracted to launch cyber attacks against an organization as part of an exercise. These attacks are identical to those sent from criminals. They are detected, blocked, and processed in the same way as any other cyber attack. We aim to remove the IP addresses from known penetration testing companies, even though they represent the source of some of our most frequent attacks. Occasionally such IP addresses escape our vigilance and are included in the list. Recipients of this list should take their own steps to verify the validity and relevance of the content before blacklisting.
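As an added example, not part of the bulletin, here is how a recipient might vet a feed like the one above before blocking it, along the lines the last sentence recommends: parse and de-duplicate each entry, drop anything non-routable, exclude ranges belonging to a contracted penetration tester, and hold back addresses that have never appeared in the recipient's own logs for review. The tester range (198.51.100.0/24) and the set of locally observed addresses are assumptions; the candidate list reuses three addresses from the list above plus deliberately bad entries, and the ipset/iptables commands are rendered as text rather than executed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption: a contracted penetration-testing firm has told us it tests from this range.
PENTEST_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed candidate feed: three addresses from the published list, one duplicate,
# one address inside the hypothetical tester range, one private address and one typo.
CANDIDATES = [
    "217.114.218.18",
    "92.249.104.63",
    "31.204.150.138",
    "217.114.218.18",
    "198.51.100.33",
    "10.0.0.5",
    "not-an-ip",
]

# Constructed sample of source addresses seen in the recipient's own perimeter logs.
OBSERVED_LOCALLY = {"217.114.218.18", "31.204.150.138"}


def vet_blocklist(candidates: List[str],
                  allowlist=PENTEST_ALLOWLIST,
                  observed=OBSERVED_LOCALLY) -> Tuple[List[str], Dict[str, str]]:
    """Return (to_block, rejected) where rejected maps each dropped entry to the reason.

    Order matters: the allowlist is checked before routability so a tester range in
    documentation or private space is still reported as allowlisted, not as junk.
    """
    to_block: List[str] = []
    rejected: Dict[str, str] = {}
    seen = set()
    for raw in candidates:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected[raw] = "unparseable"
            continue
        ip = str(addr)
        if ip in seen:
            continue  # silent de-duplication
        seen.add(ip)
        if any(addr in net for net in allowlist):
            rejected[ip] = "allowlisted (contracted tester)"
        elif not addr.is_global:
            rejected[ip] = "non-routable (private/reserved)"
        elif ip not in observed:
            rejected[ip] = "not observed in local logs; review before blocking"
        else:
            to_block.append(ip)
    return to_block, rejected


def render_ipset(to_block: List[str], setname: str = "threat_feed") -> List[str]:
    """Render the vetted addresses as idempotent ipset/iptables commands (strings only)."""
    lines = [f"ipset create {setname} hash:ip -exist"]
    lines += [f"ipset add {setname} {ip} -exist" for ip in to_block]
    lines.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return lines


if __name__ == "__main__":
    blocked, dropped = vet_blocklist(CANDIDATES)
    print("\n".join(render_ipset(blocked)))
    for entry, why in dropped.items():
        print(f"# skipped {entry}: {why}")
```

Treating "never seen locally" as a hold rather than a block is a judgement call; the point is that each exclusion carries a recorded reason so the list can be re-evaluated when the feed or the tester engagement changes.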