Weekly podcast: Remote ATM jackpotting; WordPress RCE vulnerability; Three mobile customer data compromised

This week, we discuss a jackpotting malware attack that caused cash machines across Europe to spit out cash, a WordPress RCE vulnerability affecting 27% of the web, and a data breach affecting more than 133,000 Three customers.

Hello and welcome to the IT Governance podcast for Friday, 25 November. Here are this week’s stories.

ATMs across Europe have been spewing millions of pounds in cash following a ‘jackpotting’ malware attack by a cyber criminal group called Cobalt, according to Russian cyber security firm Group-IB.

Want another list? Let’s have another list. Cash machines in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, Poland, Romania, Russia, Spain and the United Kingdom – and Malaysia – were all infected with malware that forced them to eject banknotes to so-called ‘money mules’, who trousered the boodle and scarpered.

Reuters reports that ATM manufacturers Diebold Nixdorf and NCR Corp “were aware of the attacks and were working with customers to mitigate the threat.”

Nicholas Billett, Diebold Nixdorf’s senior director of core software and ATM Security, said: “They are taking this to the next level in being able to attack a large number of machines at once.”

Owen Wild, NCR’s global marketing director for enterprise fraud and security, said: “We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks.”

A critical remote code execution vulnerability on WordPress’s core auto-update server “may have allowed an attacker […] to deploy malware to up to 27% of the Web at once,” according to a blog by Matt Barry of Wordfence.

According to Barry, api.wordpress.org runs an open-source GitHub webhook that syncs code into the WordPress SVN repository. To check that an incoming request is legitimate, the webhook computes a keyed hash of the request and compares it with the signature the request carries – but the hashing algorithm it uses is the one named in the request itself, so an attacker can pick it. By supplying a weak algorithm – in Barry’s proof of concept the 32-bit Adler32 checksum – an attacker shrinks the signature space to roughly four billion values and could brute-force a valid signature in just “a few hours”. They could then execute a shell command on api.wordpress.org, giving them access to the underlying operating system, and “conceivably create their own update for all WordPress websites and distribute a backdoor and other malicious code to more than [a] quarter of the Web. They would also be able to disable subsequent auto-updates so that the WordPress team would lose the ability to deploy a fix to affected websites.”
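To make the flaw concrete, here is an added toy model of a webhook verifier – written for this page, not code from WordPress, Wordfence or the real api.wordpress.org hook – with the vulnerable shape beside a hardened one. The header name `X-Hub-Signature`, the `<algo>=<hexdigest>` format, and the use of Python’s `zlib.adler32` over `secret + body` as a stand-in for PHP’s `hash_hmac('adler32', …)` are assumptions made for the example; the secret and request body in the demonstration are constructed, and the secret is deliberately degenerate (all zero bytes) so the brute force finishes in about a second instead of the hours a real 32-bit search takes.

```python
"""Toy model of a webhook that lets the client choose the MAC algorithm.

verify_vulnerable() trusts the algorithm named in the request header, so a
client can downgrade to a 32-bit checksum and enumerate every possible
signature. verify_hardened() pins the algorithm server-side.
Added example; not WordPress or Wordfence code.
"""
import hashlib
import hmac
import zlib

ALLOWED_ALGOS = {"sha256"}  # what the hardened verifier will accept


def keyed_mac(algo: str, key: bytes, body: bytes) -> str:
    """Keyed hash of body under key, as a lowercase hex string."""
    if algo == "adler32":
        # Stand-in for PHP's hash_hmac('adler32', ...): a 32-bit checksum,
        # keyed only by prefixing the secret (assumption for this example).
        return f"{zlib.adler32(key + body) & 0xFFFFFFFF:08x}"
    if algo in ("sha1", "sha256"):
        return hmac.new(key, body, getattr(hashlib, algo)).hexdigest()
    raise ValueError(f"unsupported algorithm: {algo}")


def signature_bits(algo: str) -> int:
    """Size of the signature space an attacker has to search."""
    return 32 if algo == "adler32" else hashlib.new(algo).digest_size * 8


def parse_signature_header(value: str):
    """Split a GitHub-style '<algo>=<hexdigest>' header (assumed format)."""
    algo, _, hexdigest = value.partition("=")
    return algo.lower(), hexdigest.lower()


def verify_vulnerable(headers: dict, body: bytes, secret: bytes) -> bool:
    """VULNERABLE: the request decides which algorithm signs it."""
    algo, sig = parse_signature_header(headers.get("X-Hub-Signature", "="))
    try:
        expected = keyed_mac(algo, secret, body)
    except ValueError:
        return False
    return hmac.compare_digest(expected, sig)


def verify_hardened(headers: dict, body: bytes, secret: bytes) -> bool:
    """HARDENED: the header may only name an algorithm on the allowlist."""
    algo, sig = parse_signature_header(headers.get("X-Hub-Signature", "="))
    if algo not in ALLOWED_ALGOS:
        return False
    return hmac.compare_digest(keyed_mac(algo, secret, body), sig)


def make_oracle(verify, secret: bytes):
    """The attacker's view of the server: accept/reject, secret never exposed."""
    return lambda headers, body: verify(headers, body, secret)


def brute_force_signature(oracle, body: bytes, algo: str, max_attempts: int):
    """Attacker: enumerate signatures for the chosen algo until the oracle
    accepts one. Returns (hex_signature, attempts) or None if the cap is hit.
    Feasible only when signature_bits(algo) is small: 2**32 for adler32,
    hopeless for sha256."""
    width = signature_bits(algo) // 4  # hex digits per candidate
    for guess in range(max_attempts):
        candidate = f"{guess:0{width}x}"
        if oracle({"X-Hub-Signature": f"{algo}={candidate}"}, body):
            return candidate, guess + 1
    return None


if __name__ == "__main__":
    secret = b"\x00" * 4  # constructed, degenerate: keeps the demo short
    body = b"\x00"        # constructed attacker payload
    vuln = make_oracle(verify_vulnerable, secret)
    hard = make_oracle(verify_hardened, secret)
    print("adler32 signature space:", 2 ** signature_bits("adler32"))
    print("sha256  signature space:", 2 ** signature_bits("sha256"))
    print("forged against vulnerable:",
          brute_force_signature(vuln, body, "adler32", 1 << 20))
    print("forged against hardened:  ",
          brute_force_signature(hard, body, "adler32", 1 << 20))
```

The fix is not a stronger default but removing the client’s say in the matter: the server names its own algorithm (or an allowlist), so an attacker cannot shrink the search space, and the comparison stays constant-time.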

The vulnerability has now been patched, and Barry received a bounty for his troubles.

Personal data belonging to Three customers has been compromised by cyber criminals. No, not three customers – Three customers. Customers of the mobile network Three. 133,827 of them, in fact.

Last week, Three’s CEO David Dyson confirmed that criminals “gained access to Three’s upgrade system using authorised log-ins […] to acquire new handsets fraudulently”, which they intended to sell on. The phrase “authorised log-ins” suggests they got hold of a Three employee’s credentials. While in the upgrade system, they had access to information including the name, date of birth, sex, current and previous address, telephone number, email address, marital status and employment status of 26,725 customers. For 107,102 other customers, exposed information comprised their name, contract start and end dates, their handset type, Three account number, whether they are a handset or SIM-only customer, how long they’ve been with Three, whether they pay their bills by cash or card, and their billing date. No financial information was compromised.

According to the Telegraph, customers have “complained to the company on Twitter that it didn’t do enough to inform them that their sensitive information could be in the hands of criminals.”

The National Crime Agency has arrested three people in connection with the incident. The BBC reports that they are a 48-year-old man from Orpington, Kent, a 39-year-old man from Ashton-under-Lyne, Greater Manchester, and a 35-year-old from Moston, Greater Manchester.

Well, that’s it for this week. The usual plea: if you enjoy these podcasts, please share them using the hashtag #itgpodcast, and, until next time, remember that you can keep up to date with the latest information security news on our blog. And don’t forget to check out November’s book of the month, Managing Information Security Breaches – Studies from real life by Michael Krausz. Full of useful information about real-life incidents and breaches, this thought-provoking guide explains how to get your risk profile right, and how data breaches can be avoided and mitigated. Head over to our webshop to find out more – and save 10% if you buy by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.