CISO Case Files: Digital Age Rum Runners

For the right price:

If you want something, there is always someone who will provide it, no matter how illegal or difficult. The best example of this in the United States is the Rum-Runner. In 1920 the US entered prohibition, making the manufacture, transportation, or sale of alcohol illegal. With that act, the Rum-Runners found their golden age. Anyone with a boat and a need for money could leave a US port, travel to Canada or the Caribbean, fill their holds with rum to sell, and return by outrunning the coast guard, hence Rum-Runner. This led to floating markets of rum-laden boats anchored just offshore in international waters, where anyone could buy cases of alcohol. Soon after, these rum-runners and floating markets began to diversify into other crimes, giving us gangsters like Al Capone and Lucky Luciano. In our day, instead of international waters, criminals and their clients visit the dark web for illegal goods.

Details from the Crime Scene: 

Our client, a European mutual insurance provider, looked to improve their physical security. To assist in this, our client selected a safety and security company to create a unified security badge program and surveillance system for all of their Europe-based offices. Nearly a dozen offices received physical security updates, including new alarms, badge readers, automatic locks, and more. All of these improvements were connected devices with internet access, providing a unified and centrally controlled experience. Shortly after the third party successfully upgraded our client’s physical security, the vendor suffered a cyber-attack in which 19 gigabytes of data were stolen. Seven gigabytes of information related to our client were posted for sale on the Netwalker dark web marketplace. For more information on protecting yourself from dark web leaks, see our blog.

CybelAngel Investigates: 

Dark web monitoring is a core module of our Digital Risk Protection Platform. We apply our scanning technology to closed communities spread across Tor, I2P, Discord, WhatsApp, etc. CybelAngel analysts must locate closed dark web forums before applying our crawling to detect threats such as exposed assets, credentials, or other sensitive information. It was on such a forum that our technology identified a threat actor selling 7GB of data stolen from a security services provider. The data being sold were plans and technical documents for nearly a dozen of our client’s offices. Hundreds of pages listed the location of alarms, badge readers, and locks, along with a list of all their associated IP addresses. With access to these systems, compromising physical security would be easy. There were numerous avenues for potential abuse or infiltration, from controlling cameras and unlocking doors to creating chaos by triggering alarms. Learn more about the connection between cyber and physical security in our webinar Smart Building Under Siege.

Arresting the Leak: 

Halting dark web sales is difficult. Typical remediation offerings such as take-down services or security changes are not available. A better option is to render the information useless as fast as possible. Informing our client of the leak and its threats allowed them to initiate a security audit and re-secure their physical security systems. With the physical security systems updated, our client could continue their work, confident in their physical and digital safety.

Detective’s Notes:

This case saw the connection of three different threats: third-party breaches, dark web markets, and unsecured IoT. We’ve covered each of these in depth before. CybelAngel CSM Damien Eschbach covers the risk and security challenges of misconfigured IoT in his blog. This story is fairly typical of large supply chains and vendor networks: your security is only as good as the weakest link. You can check for third-party leaks with our free exposure dashboard.