An Analysis of the Pearson VUE Data Breach
Cisco Shuts Down Cert Tracker After Pearson Breach
A third-party technology examination company, Pearson VUE, was recently the victim of a malware attack that exposed personal user data and passwords, according to Network Computing. Pearson VUE is one of the largest handlers of technology exams for companies and organizations that test individuals for technology-specific certifications. Companies that use Pearson include some of the most influential names in IT, including Cisco, Oracle, F5, IBM, Adobe, and many others. VMware and Oracle have stated they were not affected.
“Security and networking professionals who are certified by these major companies could have potentially had their usernames, passwords, emails, education, current employer, and other personal information stolen,” said Marcello Duarte, Head of Threat Intelligence, SecurityScorecard. “This information could be used in larger attacks targeting the individual companies in which these professionals are employed.”
Pearson VUE offers computer-based exams for many industries and also serves as an outsourced technology examiner for the U.S. military. In a public statement about the third-party malware, Pearson VUE wrote on November 23:
“We recently were made aware that an unauthorized third party placed malware on Pearson VUE’s Credential Manager System—which is used by adult learners to support professional certifications and licenses. The unauthorized third party improperly accessed certain information related to a limited set of our users.”
The “limited set of users” Pearson describes, however, includes Cisco, which blogged about the breach this week to alert its customers and exam takers about the exposure, in a post that has had over 5,000 views since November 21. Cisco stated: “As the investigation into this incident is still ongoing, the Cisco Certifications Tracking System will remain down until further notice, though testing for Cisco Certifications is able to continue.”
Not everyone was happy about this, including networking blogger Greg Ferro, who advocated for Cisco to move completely away from Pearson as a partner. Ferro wrote, “Cisco needs to choose better business partners… This breach was entirely predictable and expected when you see the technology that they use for testing.”
SecurityScorecard Picks Up Key Pearson Signals
On November 10, SecurityScorecard’s proprietary ThreatMarket™ technology picked up signals from Pearson via our automated Google Dorking features, which discovered an exposed Microsoft Excel spreadsheet containing names, passwords, and other identifying information, hosted in Cyprus. ThreatMarket is the threat intelligence foundation of SecurityScorecard’s security-risk benchmarking platform.
“Pearson could experience a loss of trust in their platforms and companies could potentially bring these systems in house vs trusting a third party with such sensitive information,” said Duarte.
Below is evidence of the Google Dork as it was discovered in ThreatMarket. Google Dorking is an advanced search technique that attackers use to discover confidential documents or other website material that was unintentionally exposed on the public Internet. SecurityScorecard has automated these techniques for companies to help them gain more precise visibility into security risk.
Here is the spreadsheet that SecurityScorecard discovered, with the names, passwords, and other personally identifiable information redacted to protect users.
Our platform also discovered leaked passwords, malware, and a PHP vulnerability. Here is evidence of several leaked Pearson passwords as picked up within ThreatMarket. Most recently, here is one leaked on October 29:
Here is evidence of several Pearson malware infections for the months of October and November, which include Zeus Gameover, Shiotob, Bamital, and Bedep. Several of these families are banking malware, which we wrote about extensively in our paper, 2015 Banking Malware Research Report, from earlier this year.
Additionally, here is a recent, unpatched PHP CVE. A CVE is an entry in Common Vulnerabilities and Exposures, a system designed to catalog known vulnerabilities and label each with a unique identifier so they can be tracked and clearly identified by researchers and law enforcement. Some PHP vulnerabilities can allow an attacker to completely take over websites.
The bulk of SecurityScorecard data originates from a proprietary collection of security intelligence sensors processed by the ThreatMarket intelligence engine. ThreatMarket funnels terabytes of unique datasets per month from home-grown:
- Malware analysis pipelines
- Monitored hacker chatter crawlers
- Honeypot/sinkhole infrastructures
- Automated dorking methods
- Vulnerability cadence checkers
- Deep social engineering sensors
Additionally, we gather data from open source intelligence sources and other best-in-class data feeds that we use to validate our ThreatMarket findings.