Weekly podcast: Sports Direct, fileless malware and remote printer hijacking

This week, we discuss a hack that Sports Direct didn’t tell its staff about, a spate of malware attacks against enterprise networks, and 150,000 printers churning out ASCII robots.

Hello and welcome to the IT Governance podcast for Friday, 10 February 2017. Here are this week’s stories.

Sports Direct – famed for reasonably priced sportswear and “treating its workers as commodities rather than as human beings” (to quote last year’s government report into employment practices at the company) – has “left its 30,000-strong workforce in the dark over a data breach when a hacker accessed internal systems containing staffers’ personal information,” according to an exclusive report by The Register.

Last September, the attacker exploited unpatched vulnerabilities affecting the content management system that the UK’s largest sports retailer was using to run a staff portal, and accessed employees’ unencrypted personal data. According to The Register, “staff had still not been notified of the breach, which included names, email and postal addresses, as well as phone numbers” this Monday.

A spokesman for Sports Direct said: “We cannot comment on operational matters in relation to cyber-security for obvious reasons. However, it is our policy to continually upgrade and improve our systems, and where appropriate we keep the relevant authorities informed.” The Information Commissioner’s Office said it was “aware of an incident from 2016 involving Sports Direct” and would be “making enquiries.”

When the General Data Protection Regulation comes into effect next May, notifying a data breach will be mandatory: the supervisory authority must be told within 72 hours, and the affected individuals must be told where the breach is likely to put them at high risk. Breached companies that fail to comply with the new law could face administrative fines of up to €20 million or 4% of annual global turnover – whichever is greater – as well as legal action from aggrieved data subjects. See itgovernance.co.uk/gdpr for more information.

According to Kaspersky Lab, networks belonging to at least 140 enterprises in 40 countries – including banks, government organisations and telecoms companies – have been infected with malware that resides only in the memory of compromised machines rather than on disk, so it leaves little for file-based antivirus or forensics to find and is very hard to detect. For this reason, the actual number of infections is likely to be much higher.

Kaspersky Lab researcher Kurt Baumgartner told ArsTechnica that the attackers are “pushing money out of the banks from within the banks” by targeting the computers that run ATMs. “What’s interesting here,” he said, “is that these attacks are ongoing globally against banks themselves. The banks have not been adequately prepared in many cases to deal with this.”

The researchers don’t know who’s behind the attacks or how the malware takes hold. Possible attack vectors are SQL injection attacks and attacks on WordPress plugins. More details will be provided at the Security Analyst Summit in April.

In the last few months I’ve talked a few times about poorly secured Internet of Things devices being hijacked to form botnets – especially when the Mirai botnet attacked the Dyn Managed DNS service last October, affecting a number of well-known websites – so I was interested to learn of a hacker humorously demonstrating why it’s important to secure your devices. Last Saturday, about 150,000 printers around the world, many of which were connected to restaurant point-of-sale systems, apparently started churning out ASCII art – mostly robots – and messages warning their owners, among other things, that their machines were “part of a flaming botnet operating on Putin’s forehead”.

The culprit was apparently a bored student who calls him or herself Stackoverflowin – and there was no botnet.

When Motherboard got hold of Stackoverflowin, the first question they asked was “how’d you do it, and how can end users protect themselves?” Well, it turns out that all it took was a simple script to identify insecure public-facing printers with open LPD, IPP and RAW services on TCP ports 515, 631 and 9100 respectively – and a printer that accepts a connection on any of those will generally print whatever it is sent, with no authentication.
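To make that concrete, here is an added illustration of the kind of check Stackoverflowin describes, written for this page rather than taken from the podcast or from the hacker’s own script. It only attempts a TCP connect to each of the three ports and sends nothing, so nothing gets printed; the stand-in listener on 127.0.0.1, the port-name table and the function names are my own so that the demo runs offline. Point it at your own printers (or your own public address range) to see what is exposed.

```python
import socket
import sys
import threading
from typing import Dict, Tuple

# The three services the story's script looked for, keyed by TCP port.
# The names and this script are mine, not the original hacker's.
PRINTER_PORTS = {515: "LPD", 631: "IPP", 9100: "RAW/JetDirect"}


def probe_printer_ports(host: str, ports: Dict[int, str] = None,
                        timeout: float = 1.0) -> Dict[int, bool]:
    """Try a plain TCP connect to each port and report which ones accepted.

    Nothing is written to the socket, so a reachable printer receives no
    job and prints nothing; this is the check you run against your own
    address space to find out what is exposed.
    """
    ports = ports if ports is not None else PRINTER_PORTS
    result: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                result[port] = True
            except OSError:          # refused, timed out or unreachable
                result[port] = False
    return result


def exposed_services(scan: Dict[int, bool], ports: Dict[int, str] = None):
    """Names of the services a scan found open, e.g. ['LPD', 'RAW/JetDirect']."""
    ports = ports if ports is not None else PRINTER_PORTS
    return sorted(ports[p] for p, is_open in scan.items() if is_open)


def _local_listener() -> Tuple[socket.socket, int]:
    """Throwaway TCP listener on 127.0.0.1 standing in for an open printer port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # listener closed by demo()
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> Tuple[int, int, Dict[int, bool]]:
    """Offline self-check: one open stand-in port and one closed one.

    Returns (open_port, closed_port, scan) so the result can be inspected.
    """
    srv, open_port = _local_listener()
    # Find a port that is currently free, then leave it closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    stand_ins = {open_port: "RAW (stand-in)", closed_port: "LPD (stand-in)"}
    try:
        scan = probe_printer_ports("127.0.0.1", stand_ins, timeout=0.5)
    finally:
        srv.close()
    return open_port, closed_port, scan


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real check against a host you are authorised to scan
        print(probe_printer_ports(sys.argv[1]))
    else:
        print(demo())
```

Run it with no arguments for the offline self-check, or with a hostname or IP address to probe a device you are authorised to test. A “True” against 9100 from outside your network is exactly the condition the story’s 150,000 printers were in.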

According to Bleeping Computer, affected manufacturers include Brother, Canon, Epson, HP, Lexmark, Konica Minolta and Samsung. A remote code execution vulnerability affecting Xerox printers enabled Stackoverflowin to commandeer other devices.

While pictures of robots cause little harm, it is possible to exploit security vulnerabilities to other, more malicious, ends. As Stackoverflowin told Motherboard: “People need to take their printer out of the public internet unless it’s needed, to be honest. And if it’s needed, they should be whitelisting IPs/IP subnets [that is, approving connections only from specific IP addresses] or using a VPN [a virtual private network] to access the local network.”
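The “whitelisting” Stackoverflowin recommends is a default-deny rule: a printer port should answer only to sources inside the subnets you have approved. As an added illustration (not from the podcast or from the hacker), here is a small audit that applies that rule to connection records, flagging every hit on a printer port from a source outside the allowlist. The log format, the printer address 10.0.1.9 and the sample lines are constructed for the example; the documentation-range addresses 203.0.113.45 and 198.51.100.7 play the part of the internet.

```python
import ipaddress
from typing import Iterable, List, Tuple

# TCP ports for LPD, IPP and raw/JetDirect printing.
PRINTER_PORTS = (515, 631, 9100)

# Constructed sample in a made-up "src -> dst:port" accept-log format
# (not real traffic). The printers sit at 10.0.1.9 and 2001:db8::9.
SAMPLE_LOG = """\
10.0.5.23 -> 10.0.1.9:9100
203.0.113.45 -> 10.0.1.9:9100
10.0.5.24 -> 10.0.1.9:631
198.51.100.7 -> 10.0.1.9:515
10.0.5.23 -> 10.0.1.9:443
2001:db8::5 -> 2001:db8::9:631
2001:db8:ffff::1 -> 2001:db8::9:9100
"""


def build_allowlist(cidrs: Iterable[str]) -> list:
    """Parse CIDRs such as '10.0.5.0/24' or '2001:db8::/64'.

    A bare address becomes a /32 or /128; strict=False tolerates host bits
    being set, so '10.0.5.23/24' still means the whole /24.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_source_allowed(src: str, allowlist) -> bool:
    """Default deny: True only if src falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in allowlist)


def parse_line(line: str) -> Tuple[str, str, int]:
    """'src -> dst:port' -> (src, dst, port). rsplit keeps IPv6 colons intact."""
    src, dst_port = (part.strip() for part in line.split("->", 1))
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port)


def audit(log_text: str, allowed_cidrs: Iterable[str],
          ports=PRINTER_PORTS) -> List[Tuple[str, int]]:
    """Return (src, port) for every printer-port hit from outside the allowlist."""
    allowlist = build_allowlist(allowed_cidrs)
    findings: List[Tuple[str, int]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        src, _dst, port = parse_line(raw)
        if port in ports and not is_source_allowed(src, allowlist):
            findings.append((src, port))
    return findings


if __name__ == "__main__":
    for src, port in audit(SAMPLE_LOG, ["10.0.5.0/24", "2001:db8::/64"]):
        print(f"unexpected source {src} reached printer port {port}")
```

The same `is_source_allowed` test is what a firewall rule or the printer’s own access-control list should be enforcing before a packet ever reaches port 9100; the audit is the check that the rule is actually in place. Note that an empty allowlist denies every source, which is the safe failure mode.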

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s February book of the month is The Psychology of Information Security – Resolving conflicts between security compliance and human behaviour. Drawing on the experience of industry experts and academic research, this book considers information security both from end users’ and from security professionals’ perspectives, providing valuable insight into security issues relating to human behaviour, and explaining how a security culture that puts risk into context promotes compliance. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.