Industry News: ESG5

The Target: Toyota, a Japanese car manufacturer

The Take: Two cloud databases exposed Personally Identifiable Information including: physical address, name, phone number, email address, customer ID, vehicle registration number, and vehicle identification numbers.

The Vector: Several misconfigured cloud databases were left open and unsecured with no password, meaning anyone with an internet connection could have downloaded the data.

Securing access to databases through rigorous password hygiene is an essential component of security, and cloud databases are no exception. Furthermore, the data stolen in this attack can be used for crafting highly effective automotive-based phishing attacks. Regular security compliance reviews can help prevent these breaches.

Read more...

The Target: NextGen Healthcare, a U.S based maker of electronic records software and management services.

The Take: Exposure of 1 Million records of Personally Identifiable Information including: names, addresses, dates of birth, and social security numbers.

The Vector: An employee’s credentials were compromised through a credential stuffing attack. These breaches rely on employees reusing passwords between platforms, which allowed the attackers to login to NextGen systems.

This breach is a stark reminder of how important authentication controls and password hygiene are in an overall robust cybersecurity posture. Regular social engineering, phishing awareness training, and in this case, tightly enforced password and identity management, are effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.

Read more...

The Target: Brightline, a pediatric mental and behavioural health provider.

The Take: Exposure of Personally Identifiable Information including: full names, physical addresses, dates of birth, member identification numbers, date of health plan coverage and employer names.

The Vector: A zero-day exploit was used to breach a third-party vendor, Fortra, of Brightline’s, targeting their file transfer software which let the attackers gain access to sets of files throughout the third-party vendor’s systems.

This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.

Read more...

The Target: Peugeot, a France based automobile manufacturer.

The Take: Exposure of company sensitive data including: credentials to a MYSQL database, secure web tokens along with their passphrases and locations of keys, a link to the git repository for the website, and source code.

The Vector: Peugeot’s website based in Peru was hosting an unsecured environment file (.env), which contains credentials for other services used by the program, or website in this case, that the developers are working on. The logins stored here exposed credentials to a third-party software Peugeot used named Symphony, which could let attackers download session IDs and impersonate users.

This breach is a critical reminder to monitor, flag, and properly secure all publicly accessible files on a website, and to furthermore ensure these files are protected by passwords adhering to robust cybersecurity standards of complexity and length. This attack also shows how one exposure of a system can lead to a pivot into other systems. It’s essential to secure all public-facing websites.

Read more...

The Target: Samsung, a South Korea based technology company.

The Take: Exposure of internal company documents including: meeting notes and sensitive source code.

The Vector: Samsung employees uploaded sensitive information to ChatGPT, an A.I chat service. ChatGPT takes information provided by users to better answer further questions in the future, and as such, the data uploaded will be provided to third-parties at any time without any controls or user authorization.  

This breach is a unique insight into how rapidly the A.I development is proceeding. It is critical that employees be aware of what such services are, and the risks involved. External services like ChatGPT takes information inputted with absolutely no accountability or oversight. Any data sent in this way can be considered open to the public.

Read more...

The Target: SafeMoon, a DeFi platform for cryptocurrency trading.

The Take: Theft of $8.9 million USD. 

The Vector: A software feature intended for internal use only was set to public, allowing attackers to exploit and artificially inflate the price of the SafeMoon token and then sell them for large amounts of cash.

This breach is critical reminder that new software features must be thoroughly tested before deployment. In addition, ensuring proper access settings around this kind of software is paramount for an overall robust cybersecurity posture.

Read more...

The Target: Toyota Italy, one of the world’s largest vehicle manufacturers.

The Take: Exposure of Personally Identifiable Information belonging to Toyota’s clients including: phone numbers and email addresses.

The Vector: Unsecured and exposed marketing tools, namely APIs for Salesforce and Mapbox, were able to be accessed publicly on Toyota Italy’s website. This allowed attackers to access employee credentials to the third-party platforms and exfiltrate client data.

This breach is a stark reminder of how important authentication controls are in an overall robust cybersecurity posture. In particular, the information exposed here is perfect for crafting highly believable phishing campaigns as it would allow push notifications. Access monitoring and testing for every public-facing webpage is a key strategy to mitigate these kinds of breaches to protect a firm’s customer base.

Read more...

The Target: Lionsgate Play, a U.S based video-streaming platform.

The Take: Exposure of 30 Million records of User Data including: IP addresses, operating system, user search queries, and web browser information.

The Vector: A misconfigured Elasticsearch database was left open and unsecured, meaning anyone with an internet connection could have viewed and downloaded the data. 

This shows how important authentication controls are, and even more critically, that they be purposefully and smartly deployed with security in mind. Multi-factor authentication and password length and complexity rules on server access are effective strategies to mitigate these kinds of breaches to protect a firm’s data.

Read more...

The Target: Community Health Systems, a U.S based multi-state hospital chain.

The Take: Exposure of 1 million records of Personally Identifiable Information including: full names, medical billing and insurance information, diagnoses, medication, date-of-birth, and social security numbers.

The Vector: A zero-day exploit was used to breach a third-party vendor, Fortra, of CHS, targeting their file transfer software which let the attackers gain access to sets of files throughout the third-party vendor’s systems.

This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.

Read more...

The Target: Animker, an all-in-one video marketing online platform company.

The Take: Exposure of 700,000 records of Personally Identifiable Information including: full names, device types, postal codes, IP addresses, mobile phone numbers, email addresses, profile details, and physical addresses.

The Vector: A misconfigured database was left open and unsecured, and notably, on its default settings, meaning anyone with an internet connection could have viewed and downloaded the data using the server maker’s basic setup guide.

This shows how important authentication controls are, and even more critically, that they be purposefully and smartly deployed with security in mind. Multi-factor authentication and password length and complexity rules on server access are effective strategies to mitigate these kinds of breaches to protect a firm’s data.

Read more...