SEC Investigating Data Leak at First American Financial Corp.

Aug 19

The U.S. Securities and Exchange Commission (SEC) is investigating a security failure on the Web site of real estate title insurance giant First American Financial Corp. that exposed more than 885 million personal and financial records tied to mortgage deals going back to 2003, KrebsOnSecurity has learned.

In May, KrebsOnSecurity broke the news that the Web site for Santa Ana, Calif.-based First American [NYSE:FAF] exposed some 885 million documents related to real estate closings over the past 16 years, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images. No authentication was required to view the documents.

The initial tip on that story came from Ben Shoval, a real estate developer based in Seattle. Shoval said he recently received a letter from the SEC’s enforcement division which stated the agency was investigating the data exposure to determine if First American had violated federal securities laws.

In its letter, the SEC asked Shoval to preserve and share any documents or evidence he had related to the data exposure.

“This investigation is a non-public, fact-finding inquiry,” the letter explained. “The investigation does not mean that we have concluded that anyone has violated the law.”

The SEC did not respond to requests for comment.

Word of the SEC investigation comes weeks after regulators in New York said they were investigating the company in what could turn out to be the first test of the state’s strict new cybersecurity regulation, which requires financial companies to periodically audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful. First American also is now the target of a class action lawsuit that alleges it “failed to implement even rudimentary security measures.”

First American has issued a series of statements over the past few months that seem to downplay the severity of the data exposure, which the company said was the result of a “design defect” in its Web site.

On June 18, First American said a review of system logs by an outside forensic firm, “based on guidance from the company, identified 484 files that likely were accessed by individuals without authorization. The company has reviewed 211 of these files to date and determined that only 14 (or 6.6%) of those files contain non-public personal information. The company is in the process of notifying the affected consumers and will offer them complimentary credit monitoring services.”

In a statement on July 16, First American said its now-completed investigation identified just 32 consumers whose non-public personal information likely was accessed without authorization.

“These 32 consumers have been notified and offered complimentary credit monitoring services,” the company said.

First American has not responded to questions about how long this “design defect” persisted on its site, how far back it maintained access logs, or how far back in those access logs the company’s review extended.

Are You Ready for Layered Cybercrime Operations?

Your biggest foe? Complacency

The sophistication of these multi-prong attacks requires cyber security teams to be even more vigilant than in the past. It's critical to understand that data breaches, for all the attention they receive, represent only one piece of the current cyber crime landscape.

Cyber security teams should identify soft spots in their networks and areas that could be valuable to criminals. For example, last year we provided threat intelligence to Symantec's incident response team during an engagement with a large organization that found a cryptominer installed on its network. It was stunning that the IT personnel were unconcerned. They did not believe criminals using their CPU processing to generate cryptocurrency represented a viable threat. However, the IT people became very interested when we explained that the presence of a cryptocurrency miner effectively represented a network intrusion and could be indicative of additional malware they were not aware of. Furthermore, the presence of the cryptocurrency miner could provide a much easier path for the attackers to regain access to their network in the future, as well as destabilize potential operations due to increased CPU usage.

In the current cyber crime environment, complacency is one of your biggest foes. If cyber security teams identify and effectively remediate a Trickbot infection on their network, they might breathe a sigh of relief that they have addressed the attack and can start determining whose banking credentials may have been compromised. However, given the number of customizable features of current Trickbot malware offerings, they might not realize Trickbot was also used to compromise their RDP servers.

It's like going to a doctor for a headache and being given some aspirin, while the real problem might be that you need glasses – the headaches may subside, but eventually your vision may become blurred. Symantec provides threat intelligence on the latest attacks that use malware in combination, so if you see one intrusion on your network you know you'd better pay extra attention to the other, related attacks.

By having a greater understanding of the threats, and the most recent threat intelligence, you can harden your network and develop training exercises to help your employees understand how to ward off these threats. You need to work extra hard to keep your network safe, because you'd better believe the Malware-as-a-Service vendors are working just as hard to keep their "customers" – the bad guys – ahead of the latest enterprise security advances.

12th August – Threat Intelligence Bulletin

August 12, 2019

Top attacks and breaches

  • AT&T employees have been bribed to unlock more than 2 million mobile devices and plant malware on the company’s internal network. The malware allowed the threat actor to gather the telco’s confidential and proprietary data and to remotely process unauthorized unlock requests.
  • GermanWiper, suspected to be a variant of Sodinokibi ransomware, has been found targeting German organizations via spam phishing emails. Once it has infected a system, GermanWiper deletes files rather than encrypting them, while misleading victims into thinking that paying the ransom would get their files back.

Check Point Anti-Virus blade protects against this threat (Ransomware.Win32.GermanWiper)

  • Security researchers have uncovered that Machete, a cyber espionage group focusing on Latin American countries and mainly on Venezuelan government entities, has stolen gigabytes of confidential documents including files used by geographic information systems (GIS) software.

Check Point Anti-Virus and Anti-Bot blades protect against this threat (Spyware.Win32.Machete)

  • New Clicker Trojan has been found installed on more than 33 Android applications with over 100 million installations. The Trojan allows attackers to perform multiple malicious activities including displaying advertisements or subscribing users to expensive premium services.

Check Point SandBlast Mobile provides protection against this threat

  • The American insurance giant "State Farm" has fallen victim to a credential-stuffing attack, putting its 83 million customers' online accounts at risk.
  • Security researchers have revealed that the infamous LokiBot infostealer has introduced new upgraded and sophisticated capabilities, including an updated persistence mechanism and the ability to hide its source code within image files on an infected machine. It is currently being spread in a phishing email campaign.

Check Point SandBlast and Anti-Bot blades protect against this threat (Trojan.Win32.LokiBot; Botnet.Win32.LokiBot)

Vulnerabilities and Patches

  • Check Point researchers have revealed several vulnerabilities in the picture transfer protocol (PTP) used in Canon DSLR digital cameras, which allow attackers to completely take over the camera via WiFi or USB and deploy any kind of malware strain on it.

Check Point IPS blade protects against this threat (DSLR Cameras PTP/IP Multiple Buffer Overflow Vulnerabilities)

  • A new variant of the Spectre vulnerability has been found, affecting all modern Intel CPUs and some AMD processors leveraging speculative execution for high performance. The vulnerability may allow local attackers to access sensitive information stored in the operating system privileged kernel memory.
  • A zero-day privilege escalation vulnerability has been discovered in the Steam game client for Windows, exposing over 100 million users and allowing attackers with limited permissions to run arbitrary code with administrative privileges.
  • New critical vulnerabilities have been discovered in Qualcomm chips and the Linux kernel driver, exposing millions of Android devices to cyber attacks. When chained together, the vulnerabilities may allow a remote attacker to take complete control over targeted Android devices within their Wi-Fi range.
  • A new unpatched zero-day vulnerability has been discovered in the KDE software desktop environment for Linux. The vulnerability may allow attackers using maliciously crafted .desktop and .directory files to run arbitrary code on a user’s computer without needing the victim to open them.

Threat Intelligence reports

  • Check Point researchers have discovered that the SQLite database engine can be abused by attackers to execute malicious code in other apps, including Apple's, by exploiting memory corruption issues in the SQLite engine.

Check Point IPS blade protects against this threat (SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution (CVE-2019-8602))

  • Check Point researchers have demonstrated three potential attack methods leveraging the vulnerabilities they had discovered in WhatsApp. The vulnerabilities allow attackers to intercept and manipulate WhatsApp conversations and potentially spread misinformation from allegedly trusted sources.
  • A new strain of Clipsa malware has been spotted in the wild, capable of scanning the Internet to locate vulnerable WordPress sites and launch brute-force attacks on them. Clipsa info stealer is also capable of stealing administrator credentials and cryptocurrency transfers, and installing a cryptocurrency miner.

Check Point Anti-Virus and Anti-Bot blades protect against this threat (Infostealer.Win32.Clipsa)