Canon Officially Confirms Ransomware Attack, Says Employee Data Was Stolen

Ibis Canon Rumors Canon Full Frame Mirrorless Canon PowerShot G7 X Canon Eos 90d Coronavirus

Some months ago Canon USA was victim of a ransomware hacking attack. We reported about this incident.

Canon has finally released an official statement about the hacking attack. It turns out that information concerning past and current employees was stolen by the hackers, as employees’ names, social security number, date of birth, driver’s license number, government-issued ID, bank account number, and their electronic signature.

Canon statement about the ransomware attack:

Notice of Data Security Incident

Canon understands the importance of protecting information. We are informing current and former employees who were employed by Canon U.S.A., Inc. and certain subsidiaries, predecessors, and affiliates1 from 2005 to 2020 and those employees’ beneficiaries and dependents of an incident that involved some of their information. This notice explains the incident, measures we have taken, and steps you can take in response.

We identified a security incident involving ransomware on August 4, 2020. We immediately began to investigate, a cybersecurity firm was engaged, and measures were taken to address the incident and restore operations.  We notified law enforcement and worked to support the investigation.  We also implemented additional security measures to further enhance the security of our network.

We determined that there was unauthorized activity on our network between July 20, 2020 and August 6, 2020.  During that time, there was unauthorized access to files on our file servers. We completed a careful review of the file servers on November 2, 2020 and determined that there were files that contained information about current and former employees from 2005 to 2020 and their beneficiaries and dependents. The information in the files included the individuals’ names and one or more of the following data elements: Social Security number, driver’s license number or government-issued identification number, financial account number provided to Canon for direct deposit, electronic signature, and date of birth. 

We wanted to notify our current and former employees and their beneficiaries and dependents of this incident and to assure them that we take it seriously.  As a precaution, we have arranged for them to receive a complimentary membership to Experian’s® IdentityWorksSM credit monitoring service. This product helps detect possible misuse of an individual’s information and provides the individual with identity protection services.  IdentityWorksSM is completely free to the individual, and enrolling in this program will not hurt the individual’s credit score. If you are a current or former employee, or the beneficiary or dependent of a current or former employee, and would like more information on IdentityWorksSM, including instructions on how to activate your complimentary membership, please call our dedicated call center for this incident at 1-833-960-3574.  For information on additional steps you can take in response, please see the additional information provided below.

We regret that this occurred and apologize for any inconvenience.  If you have additional questions, please call 1-833-960-3574, Monday through Friday, between 9:00 a.m. and 6:30 p.m., Eastern Time.

1This notice is being provided by or on behalf of Canon U.S.A., Inc. and the following subsidiaries, predecessors, and affiliates: Canon BioMedical, Inc., Canon Business Solutions-Central, Inc., Canon Business Solutions-Mountain West, Inc., Canon Business Solutions-NewCal, Inc., Canon Business Solutions-Tereck, Inc., Canon Business Solutions-West, Inc., Canon Development Americas, Inc., Canon Financial Services, Inc., Canon Information and Imaging Solutions, Inc., Canon Information Technology Systems, Inc., Canon Latin America, Inc., Canon Medical Components U.S.A., Inc., Canon Software America, Inc., Canon Solutions America, Inc., Canon Technology Solutions, Inc., Canon U.S. Life Sciences, Inc., NT-ware USA, Inc., Océ Imaging Supplies, Inc., Océ Imagistics Inc., Océ North America, Inc., Océ Reprographic Technologies Corporation, and Virtual Imaging, Inc.

ADDITIONAL STEPS YOU CAN TAKE

We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows: 

  • Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft 

Canon Has Been Hacked And Hit By Ransomware, 10TB Data Stolen

Coronavirus Covid-19 Ransomware

Canon has been attacked by the Maze ransomware group. Many Canon sites are affected.

As BleepingComputer reports, numerous Canon services have been affected, including Canon’s email, Microsoft Teams, the Canon USA website, and other internal applications. These Canon related domains have been affected:

www.canonusa.com
www.canonbroadcast.com
b2cweb.usa.canon.com
canondv.com
canobeam.com
canoneos.com
bjc8200.com
canonhdec.com
bjc8500.com
usa.canon.com
imagerunner.com
multispot.com
canoncamerashop.com
canoncctv.com
canonhelp.com
bjc-8500.com
canonbroadcast.com
imageland.net
consumer.usa.canon.com
bjc-8200.com
bjc3000.com
downloadlibrary.usa.canon.com
www.cusa.canon.com
www.canondv.com

BleepingComputer was able to obtain a partial screenshot of the ransom note:

Reports BleepingComputer about Maze and the attack against Canon:

After contacting the ransomware operators, BleepingComputer was told by Maze that their attack was conducted this morning when they stole “10 terabytes of data, private databases etc” as part of the attack on Canon […]

Maze is an enterprise-targeting human-operated ransomware that compromises and stealthily spreads laterally through a network until it gains access to an administrator account and the system’s Windows domain controller.

During this process, Maze will steal unencrypted files from servers and backups and upload them to the threat actor’s servers.

Once they have harvested the network of anything of value and gain access to a Windows domain controller, Maze will deploy the ransomware throughout the network to encrypt all of the devices.

If a victim does not pay the ransom, Maze will publicly distribute the victim’s stolen files on a data leak site that they have created.

Maze has claimed responsibility for other high-profile victims in the past, including LG, Xerox, Conduent, MaxLinear, Cognizant, Chubb, VT San Antonio Aerospace, the City of Pensacola, Florida, and more.

The Canon USA site is still down. It seems this attack is not related to the image.canon outage of a few days ago. Canon released a statement to BleepingComputer, saying they are “currently investigating the situation.”

More About The Security Flaw In Canon’s WiFi Transfer Protocol

Security Flaw Canon Firmware

Canon yesterday issued security advisory concerning a security flaw in their Picture Transfer Protocol, the WiFi transfer protocol used on Canon cameras.

The security flaw was demonstrated by Israeli security company Check Point Research during DEF CON 2019. The security researchers were able to hijack a Canon EOS 80D using USB and wirelessly using WIFI.

The discovered vulnerabilities would allow a malicious actor to take over a target’s DSLR camera through both WiFi and USB, giving him full control over it. Such an infection could, for example, be used for installing a Ransomware on the camera, and demanding ransom for both the images and the camera itself. Not a nice scenario for professionals.

As LensVid sums it up:

An attacker who would want to use a similar approach to perform a real-world ransomware attack on a EOS 80D will need to set-up a rogue WiFi Access Point and initiate the exploit (something that can certainly be done by many sufficiently experienced attackers although will require the Camera’s WIFI to be turned on).

The video below shows how Check Point Research exploited the Canon EOS 80D using the cited security flaw. By building on existing knowledge of Magic Lantern, they were able to build a ransomware.

All the steps involved in exploiting the security flaw in Canon’s WiFi transfer protocol are documented in this technical article.

Check Point Research promptly informed Canon. While waiting for the firmware updates, Canon recommends the following:

  • Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
  • Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment.
  • Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
  • Disable the camera’s network functions when they are not being used.
  • Download the official firmware from Canon’s website when performing a camera firmware update.

Canon already issued a firmware update for the Canon EOS 80D, and more updates will follow.

Unfortunately, that’s not the end of the story. The researchers found multiple critical vulnerabilities in Canon’s Picture Transfer Protocol. And it’s likely these vulnerabilities are present in other manufacture’s PTP as well.

Stay tuned.

[via LensVid]