Brazilian IT Firm Tivit Suffers from 2nd Round of Data Leaks

On December 12th 2018, in what would become my second most read article of all time, Rogue Media Labs featured a report covering the hack of Tivit, a Brazilian-based IT solutions and network storage provider. At the time, Defcon Labs, the original publisher behind the leaks, had reported that “the data seem to be internal process documentation of the company itself,” adding that it was “uncertain whether they were the product of an offensive action or published involuntarily by misunderstanding.” However, a later report published by ZDNet on December 14th revealed that, according to Tivit representatives, “nine members of staff had suffered a phishing attack through an email that contained a malicious link” – which is how the attackers gained access to company computers and servers and stole the data.

Today the company suffered its second round of leaks, featuring new information not included in the December 12th leak. In a posting to Pastebin earlier this morning, unknown hackers allegedly posted access to 30 GB worth of data tied to password files and email archives of 10 Latin American companies, among them Bradesco, CEF, Votorantim Energia, TecnicaZurick, Faber, Banco Original, CIP, Klabin and Acominas.

** EDITOR'S NOTE: The 9 additional downloads posted through mega.nz have already been taken down in the 3+ hours since the leaks were posted online, but all data hosted through AnonFiles is still live/active. **

Additionally, in a statement to Rogue Media Labs, Aline Rodrigues, a corporate spokesperson for TIVIT, wanted my readers to know that:

“TIVIT announces that the information published today, 08.01.2019, comes from the same security incident that occurred and was reported in December 2018. It is therefore only a publication of information related to the previous incident. The clients involved have already been notified and the appropriate actions have been taken in agreement with them. We reinforce that there was no intrusion of any kind into the company’s data centers, TIVIT’s access networks or those of our clients.”

(Translated from the original Portuguese statement.)

Leak 2 | January 8th 2019

Raw Leak (8,313 Lines): https://pastebin.com/KE8uKBAE

Leaked Files/Databases:

Download 1 (1.68MB): https://anonfile.com/wfzfW0p5b2/Guia_Desenvolvimento_Projetos_REST_API_pdf
Download 2 (44 B): https://anonfile.com/4dz9W6pbbf/KLABIN_usr_banco_sap_txt
Download 3 (350 B): https://anonfile.com/Acz4W7p3bf/Mexico_zurich_acesso_txt
Download 4 (1.04 MB): https://anonfile.com/B2z5Wcp1b3/Modelo_de_Uso_do_GitLab_pdf
Download 5 (28 B): https://anonfile.com/Fez1Wcpbbb/semente_txt
Download 6 (214.91 KB): https://anonfile.com/G1z5Wcp2b6/Zurich_Mexico_servers_backupeados_xlsx
Download 7 (392.86 KB): https://anonfile.com/Kcz7W2p4b3/Zurich_Auditoria_Chile_docx
Download 8 (1.05 MB): https://anonfile.com/O7z6W7p0b3/TokenTivit_exe
Download 9 (1.32 MB): https://anonfile.com/Q0z3W7p2b4/Servidores_Acominas_xls
Download 10 (31.57 KB): https://anonfile.com/d50aW7pdbd/ecm.corp.form1_JPG
Download 11 (11.7 KB): https://anonfile.com/e400W6p5bc/Cronograma_ECM_-Bradesco_Unificado_pdf
Download 12 (34.43 KB): https://anonfile.com/f207Wcpbb2/ecm.corp.form2_JPG
Download 13 (220.74 KB): https://anonfile.com/g106Wcpcbe/GDBF-9226_png
Download 14 (391.12 KB): https://anonfile.com/ib04Wdp7ba/ECM-Bradesco_-_2018-01-03_pptx
Download 15 (197.95): https://anonfile.com/rf08Wbp6b3/ecm.corp.workflow_zip
Download 16 (466.8 B): https://anonfile.com/v907Wdp1b1/ecm.corp.cargas_zip

All files

4,4G 27 Dez 10:39 NG 2.zip.001
4,4G 27 Dez 10:44 NG 2.zip.002
428M 27 Dez 10:44 NG 2.zip.003
2,8G 21 Dez 16:30 cr-email.zip
736M 1 Out 00:15 em-files.zip
700M 29 Set 19:36 fs-files.zip
6,3G 21 Dez 16:39 vs.zip


Leak 1 | December 11, 2018:

Raw Client Credentials Leak: https://pastebin.com/7RZCj45S
Database File Download 1 (18.31 MB): https://anonfile.com/M7ObI0k1b0/Leak_zip
Database File Download 2 (617.68 KB): https://anonfile.com/X6Vbpanfb3/KBA00052701-TOPOLOGIA_DE_REDE_CHEQUE_LEGAL_SP_RJ_v344_pdf
Database File Download 3 (266.83 KB): https://anonfile.com/i5W0pan9bb/KBA00051808-Topologia-CIP_Ambiente_STD_pdf
Email Database Download (149.69 MB): https://bayfiles.com/76Jej8lbbf/Emails_7z

Brazilian-Based Cloud Storage & IT Solutions Firm Tivit Compromised by Massive Data Breach

In news first brought to my attention via Defcon Lab on December 12th 2018, various databases and cloud storage servers belonging to Tivit, a Brazilian-based IT solutions and network storage provider, were compromised by unnamed assailants. In a series of leaks across Twitter over a 5 day period, between December 7th-12th 2018, the login user names and credentials of more than a dozen Tivit cloud storage clients/accounts were dumped online. At present no one has claimed responsibility for the hack, and it appears that the Twitter handle used to leak the information (@infoleakbr) was created earlier this month exclusively for this purpose.

About the incident in question, as was explained by Defcon Labs (translated here from the original Portuguese), “there are almost a thousand lines of code that appear to contain internal company routines, as well as access credentials of different large enterprise customers.” They added that “The data seem to be internal process documentation of the company itself, and it is uncertain whether they were the product of an offensive action or published involuntarily by mistake.” You can view all the leaks in their entirety in the Leak 1 section of this page.

Identifiable Clients Exposed By The Breach:

CIP – hxxps://www.cip-bancos.org.br/SitePages/Home.aspx
BROOKFIELD ENERGIA – hxxps://renewableops.brookfield.com/en/presence/latin-america
JMACEDO – hxxp://www.jmacedo.com.br/
MULTIPLAN – hxxp://multiplan.com.br/
BRASKEM – hxxps://www.braskem.com.br/
BANCO ORIGINAL – hxxps://www.original.com.br/
FABER – hxxp://www.faber-castell.com.br/
SAE – hxxp://portal.saebrasil.org.br/
MITSUI – hxxps://www.mitsui.com/br/en/index.html
ZURICH – hxxps://www.zurich.com.br/
KLABIN – hxxps://www.klabin.com.br/en/home/
VOTORANTIM – hxxp://www.votorantim.com.br/
SEBRAE – hxxp://www.sebrae.com.br/sites/PortalSebrae


88% of IT Professionals Believe World Is Currently At Cyber-War

Late last year the United States officially recognized “cyber” as the 5th domain of warfare, joining the more traditional domains of land, air, sea and space. The move came as a countermeasure to the international declarations of others, including Russia’s announcement months beforehand that it had formed a new “information warfare” military unit. 2017 and 2018 have also seen many different people, parties and countries around the world take bold new stances on cyber warfare. This includes the German Army’s formation of a new Cyber Command unit, NATO’s re-classification of the internet/cyberspace as a domain of warfare, the United States’ attempts to re-classify US-CYBERCOM as a military unit, and global leaders calling for the drafting of a new “Digital Geneva Convention” – specifically, a new set of internationally recognized rules, guidelines and standards governing information/cyber warfare into the future.

I bring this up because I have recently come across several studies that I find particularly interesting. The first is a study from Venafi, which found that 86% of American-based information technology workers believe the world is currently at “cyber war.” Breaking the study down further, 88% of those same IT workers believe that attacks which disrupt election infrastructure technically constitute acts of war. This includes attacks against election infrastructure, voting machines and “machines that transmit, store, tabulate and validate electoral data.” Moreover, 86% believe that misinformation campaigns designed to manipulate public opinion for political outcome/gain also constitute acts of cyber war. Interestingly, 40% of IT professionals believe that cyber war already has cost and is actively costing human lives, while only 3% of respondents believe it is impossible for people to die as a result of cyber wars/attacks.

The second study was conducted by researchers at The Military Times, an American-based military news outlet. According to a poll of thousands of active-duty military personnel, almost half of all soldiers and commanders in the US Armed Forces, 46% to be exact, believe that the United States will be drawn into some sort of large-scale armed conflict in 2019 – though they did not specify where or with whom. However, 89% of those same respondents stated that cyber attacks/terrorism represent the single greatest risk to the country at present, and 71% state that Russia is the US’s single greatest enemy – up 18% from 2017.

While I am unable to find the study today, I remember covering a poll released by Russia Today during the summer of 2016. In it, around 43% of Russian citizens believed that the United States and Russia were currently at war, and greater than 60% of Russian citizens believed that eventual war with the United States is inevitable – especially given the state of international affairs under President Obama at that moment in time. A different study from 2017 found that 73% of Russian citizens believe the US is actively engaged in manipulating the science and technology of foreign countries, including Russia. Indubitably, these fields would also cover cyber and cyber-warfare.


Ponemon Institute Releases State of EndPoint Security Report 2018

Earlier this week the Ponemon Institute released a new research paper entitled “Analyzing The 2018 State of Endpoint Security Risk,” sponsored by Barkly. To gather data and compile their results, researchers interviewed approximately 660 IT security professionals responsible for managing endpoint security for various corporations throughout the United States. They concluded that the number of zero-day exploits being released in the wild increased dramatically over the course of 2018, and so too has the number of successful cyber attacks absorbed by US corporations.

According to the results, the number of cyber attacks which successfully breached the endpoint security measures implemented by major US corporations increased 17% from 2017 to 2018. Moreover, 64% of the IT professionals interviewed reported that at least one attack had “successfully compromised data assets, files and/or IT infrastructure,” causing significant financial damage, within the last 12 months alone. Perhaps most interesting, 70% of the IT professionals interviewed admitted that they were unable to trace the origin of the attacks against them, and to this day have not identified the party or parties responsible for launching them. On top of this, only 69% of respondents say their traditional, signature-based antivirus solutions provide the protection needed to stop all serious attacks against their systems.

Key Findings from Ponemon’s Study:

  • 63% of IT security professionals say they have seen endpoint attacks increase from 2017 to 2018
  • Only 52% of those same professionals claim the attacks can be stopped/mitigated
  • The average cost per compromised endpoint is $440; small and medium-sized businesses (SMBs) have a much higher cost of $763
  • Of the professionals who saw their systems compromised, 79% claim it was the result of a new and previously unknown exploit, such as a zero-day
  • 19% say they were compromised by a previously disclosed/known attack style
  • Traditional anti-virus software only picks up 57% of all attacks
  • Every time a company is breached, it takes security professionals an average of 102 days to patch their systems
  • It takes companies an average of 3 months to buy or develop and begin deploying Endpoint Detection & Response (EDR) solutions
  • The average cost, in damages, of an endpoint data breach rose from $5 million in 2017 to $7.12 million in 2018
  • The average IT budget of the companies surveyed was $114 million, with only $5.56 million on average allocated specifically to endpoint security
  • There was a 58% increase in the number of malware attacks against US corporations from 2017 to 2018

Based on their figures, the researchers estimate that the number of endpoint attacks absorbed by global corporations will only continue to increase in 2019. In their estimation, companies should expect at least a 38% increase in file-based attacks, such as attacks using maliciously encoded Word documents or PDFs. The researchers also advise companies to review and/or consider replacing their “legacy” anti-virus providers in favor of something newer, and encourage more companies to launch bug-bounty initiatives, which often find problems at a much lower cost than a malicious data breach discovered after the fact.

View Full Study: https://roguemedia.co/wp-content/uploads/2018/10/state-of-endpoint-security-2018.pdf