Cyber Incident Weekly Report - Week of August 26, 2024
Data Breach at Oregon Zoo, Hackers Steal Credit Card Information
WHAT HAPPENED: In a regulatory filing with the Maine Attorney General, the Oregon Zoo disclosed that roughly 118,000 individuals had their data stolen in an incident detected on June 26, 2024. The stolen data includes names, payment card numbers, CVVs, and expiration dates. The notice indicates that all transactions processed between December 20, 2023, and June 26, 2024, are likely impacted. The notice also suggests that “the investigation determined that an unauthorized actor redirected customers’ transactions from the third-party vendor who processed online ticket purchases.”
CONCERNING: Oregon Zoo, Data Breach, Third-party, Web Infections.
SENSCY'S ANALYSIS: The Oregon Zoo is the latest zoological organization targeted by a cyber attack, after the Tampa Zoo and Toronto Zoo dealt with incidents in the past year. While the data breach notice does not indicate the specific type of attack that led to the breach, the SensCy teams believe it is highly likely the result of a skimming malware infection on the third-party online ticketing service. A skimmer infection involves malicious code injected into a website, typically within its payment or checkout pages. This code, often called a "skimmer," captures the sensitive information users enter, such as credit card details, personal information, and payment data, and sends it to the attackers. Skimmers are usually installed by exploiting weaknesses in the website's security, such as outdated plugins, insecure code, or weak access controls. In this case, the Oregon Zoo used a third-party platform to manage the payment process. While this is common, carefully vetting and regularly reviewing the third-party services and scripts integrated into a website are critical steps to ensure they are secure and up to date; external vulnerability scans are one way to do this. Here, the third-party vendor likely had a misconfiguration in its implementation of a Content Security Policy (CSP), which restricts the sources from which scripts can be loaded and thereby reduces the chance that injected malicious code is executed.
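As an added illustration of the CSP point above (example code written for this report, not code from the Oregon Zoo or its ticketing vendor), the following Python models how a browser's script-src check decides whether a script may load, and compares a permissive policy with a tightly scoped one. All hostnames and policies are constructed; nonces, hashes, ports, paths and 'strict-dynamic' are deliberately not modelled.

```python
from urllib.parse import urlparse

INLINE = None  # marker: an inline <script> block rather than an external URL


def script_sources(policy: str) -> list[str]:
    """Source list governing scripts: script-src, falling back to default-src."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives.get("script-src", directives.get("default-src", []))


def _matches(expr: str, script_url: str, page_origin: str) -> bool:
    """Does one source expression permit this external script URL?"""
    page, script = urlparse(page_origin), urlparse(script_url)
    if expr.startswith("'"):  # keyword: of these, only 'self' can authorise a URL
        return expr == "'self'" and (script.scheme, script.hostname) == (page.scheme, page.hostname)
    if expr.endswith(":"):  # scheme-source such as "https:" matches every host on that scheme
        return script.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")  # host-source: [scheme://]host[/path]
    host = rest.split("/")[0].split(":")[0]  # simplification: ports and paths ignored
    allowed_schemes = {scheme} if scheme else {page.scheme, "https"}
    if script.scheme not in allowed_schemes:
        return False
    if host.startswith("*."):  # wildcard covers subdomains only, not the bare domain
        return bool(script.hostname) and script.hostname.endswith(host[1:])
    return script.hostname == host


def script_allowed(policy: str, script_url, page_origin: str) -> bool:
    """Would a browser execute this script under the policy? Pass INLINE for inline code."""
    sources = script_sources(policy)
    if script_url is INLINE:
        return "'unsafe-inline'" in sources
    return any(_matches(s, script_url, page_origin) for s in sources)


# Constructed values: a ticketing page, its legitimate payment-vendor script,
# and a script from a host that was never supposed to appear on the checkout page.
PAGE = "https://tickets.example-zoo.invalid"
VENDOR_JS = "https://checkout.vendor.example/pay.js"
UNEXPECTED_JS = "https://cdn-stats.example.net/s.js"

# Weak: any https host plus inline scripts may run, so an injected script is not blocked.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
# Hardened: only the page's own origin and the named vendor host may supply scripts.
STRICT_CSP = "default-src 'self'; script-src 'self' https://checkout.vendor.example"
```

Under WEAK_CSP the unexpected host and inline code are both permitted; under STRICT_CSP only the page origin and the named vendor are, so a script injected from elsewhere is refused by the browser and reported if a report-uri/report-to directive is configured.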
Toyota Suffers Yet Another Third-Party Breach
WHAT HAPPENED: Toyota confirmed that customer information of Toyota Motor North America was stolen after a threat actor gained access to the data by targeting “a third-party entity,” not Toyota’s internal systems. The data stolen involves roughly 240GB, and according to ZeroSevenGroup, the information stolen contains details of Toyota employees, customers, contracts, and financial information.
CONCERNING: Toyota, Data Breach, Third-Party.
SENSCY'S ANALYSIS: The threat actor who claimed the attack on Toyota released a sample that was analyzed by researchers. The sample indicates that the data was stolen, or at least created, on December 25, 2022. Combining this information with the known size of the stolen file, it is highly likely that the threat actor gained access to either a backup server or potentially one of Toyota's US dealerships. Toyota explained that while it is not at liberty to disclose the third party, that party will be responsible for notifying those involved. SensCy is continuously monitoring the rise of cyber attacks, notably data breaches, related to Third Party Risk Management (TPRM). While vendors, suppliers, and partners provide essential services, they also create potential entry points for cyber attackers. If a third party lacks robust cybersecurity measures, it can become a weak link, exposing your business to various threats, such as malware, ransomware, or data theft. This incident is Toyota's third cyber incident since May 2023. While the previous two directly targeted Toyota's infrastructure and impacted millions of customers, a third-party cyber incident can still tarnish the reputation of the associated organization, even if the incident wasn't directly targeted at the main company. This could lead to customers and stakeholders questioning the organization's ability to protect their data.
Flint Michigan Confirmed Ransomware Attack
WHAT HAPPENED: The City of Flint, Michigan, confirmed it suffered a ransomware attack on August 15, 2024. The city is experiencing major disruption in several services, including its Human Resource Management solution (BS&A system) and payment systems; at this time the city is only able to receive payments by cash and check. Emergency services and public health are operational and not impacted. At the time of writing, the investigation has yet to determine whether resident or employee personal data has been impacted. No ransomware gang has claimed the attack.
CONCERNING: Local Government, Ransomware, Critical Infrastructure.
SENSCY'S ANALYSIS: At SensCy, we are constantly reminded that local governments are still a primary target for threat actors, notably ransomware gangs. Flint, Michigan, joins the long list of local government victims of a ransomware attack in 2024. Cities like Flint manage sensitive data, such as personal information of residents, financial records, and infrastructure details. This data can be valuable for identity theft, financial fraud, or ransomware attacks. Threat actors usually believe that smaller cities are more likely to pay ransom demands because they cannot afford prolonged disruptions to their services. Overall, the combination of valuable data, weaker defenses, and lower awareness makes smaller cities attractive targets for cybercriminals. However, by adopting a holistic, proactive approach, cities of all sizes can protect themselves and reduce the impact of a cyber-attack. These steps include implementing strong cybersecurity practices, like regular software updates, firewalls, network segmentation, and regular encrypted backups. In addition, hackers target cities across the country because most of them do not have the budget to train their employees. Educating employees about phishing scams and other common social engineering tactics used by cybercriminals can make a significant difference. Finally, develop and test a cybersecurity incident response plan. The plan should outline the steps to take in the event of a ransomware attack, including communication strategies, roles and responsibilities, and recovery procedures.