The target: SendGrid, a Colorado-based email marketing company.
The take: 400,000 unique login credentials, including email address, password, IP address, and physical location.
The attack vector: The attacker used a combination of previously hacked accounts on the SendGrid platform to send fake Zoom invites. As SendGrid was known as a trusted SMTP provider, the fake messages had a much higher chance of reaching their targets, passing through some email protection.
This incident highlights the importance of critical thinking as a component of social awareness training for staff. In the event that a trusted account is compromised, analysis of the context of these requests becomes critical – is a meeting invite expected, and do the timeline and subject matter line up with expectations? While messages originating from fraudulent e-mail addresses are easier to spot, they are not the only vector for phishing attacks – each item in the inbox must be approached with the same level of caution.
The target: Microsoft’s email server software, Microsoft Exchange.
The take: The networks of over 30,000 organizations, consisting of hundreds of thousands of on-premises servers. Threat actors have moved aggressively to exfiltrate personally identifiable information, highly sensitive company and client data, banking details, financial data, and more.
The attack vector: Four security holes in Exchange Server versions 2013 to 2019 were exploited in tandem to grant attackers full access to an array of email servers. More critically, in every instance where the breach was discovered, the intruders had installed a backdoor, which continues to allow remote access to affected servers even after the set of four vulnerabilities has been patched.
While zero-day exploits will unavoidably cause challenges for vendors and their clients, we underscore the critical nature of threat monitoring, timely patching, and enacting defense-in-depth measures to mitigate the failure of any single layer of security controls. Approaching security incidents and overall cybersecurity with a “when not if” mindset can materially reduce the impact of incidents such as these.
The target: Star Alliance airlines, Air New Zealand, Malaysia Airlines, Finnair and others
The take: Frequent flyer information for at least a million passengers, including name, date of birth, gender, contact information, ID number and frequent flyer status.
The attack vector: The breach was traced to SITA, an IT service provider that claims to serve 90% of the global aviation industry, and acts as the intermediary to store and share frequent flyer information between airlines.
Supply chain attacks continue to pose a material threat, as bad actors identify high-value targets which can enable them to capture information for multiple organizations at once. When entrusting service providers with sensitive information, firms are still ultimately responsible for their data and must ensure that commensurate controls travel with it throughout its lifecycle.
The target: The Health and Welfare Department of West Bengal, India
The take: 8 million COVID-19 test results including personally identifiable information such as: name, age, address, and positive or negative test results.
The attack vector: The breach revolves around the health authority’s reporting system, whereby individuals who had been tested for COVID-19 received links by SMS with a unique URL to access their test results by web. It was discovered that there was no authentication in place on the reporting system, and that by incrementing the ID number included in the URL, anyone with internet access could access all test results for the state.
This example serves once again to highlight the huge risks of adopting a ‘security by obscurity’ model. When administering a public facing portal which provides access to sensitive information, authentication controls are not optional – it is simply inadequate to make all records publicly available and trust that the uniqueness of the URL will protect the sensitive data of organizations or individuals.
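The flaw described above, shown beside a corrected design, as an added example that is not code from the affected system or from the original article. The record layout, the one-time-code session step and all function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data: sequential record IDs, as in the reporting system described above.
RESULTS = {
    1001: {"phone": "+910000000001", "name": "Patient A", "result": "negative"},
    1002: {"phone": "+910000000002", "name": "Patient B", "result": "positive"},
    1003: {"phone": "+910000000003", "name": "Patient C", "result": "negative"},
}
SESSIONS = {}  # session token -> phone number that completed verification


def get_result_insecure(record_id):
    """Flawed design: the ID in the URL is the only 'secret'."""
    return RESULTS.get(record_id)


def start_session(phone, otp_entered, otp_expected):
    """Issue a session only after a one-time code sent to the phone is confirmed."""
    if not hmac.compare_digest(otp_entered, otp_expected):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = phone
    return token


def get_result_secure(record_id, session_token):
    """Require an authenticated session AND ownership of the requested record."""
    phone = SESSIONS.get(session_token)
    if phone is None:
        raise PermissionError("authentication required")
    record = RESULTS.get(record_id)
    # Same error for 'missing' and 'not yours' so IDs cannot be probed for existence.
    if record is None or not hmac.compare_digest(record["phone"], phone):
        raise PermissionError("not authorized for this record")
    return record


def enumerate_ids(fetch, ids):
    """Count how many records a caller can read by walking the ID range."""
    readable = 0
    for record_id in ids:
        try:
            if fetch(record_id) is not None:
                readable += 1
        except PermissionError:
            pass
    return readable
```

Walking the same ID range reads every record through the first function and only the caller's own record through the second, which is the property a portal review should test for.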
The target: The Independent School District of 2142 of St. Louis County Schools
The take: W-2 tax forms of 677 district employees with personally identifiable information including: Social Security Number, first and last name, home address, wages, and more.
The attack vector: A spoofed email requesting the forms came from an attacker pretending to be the district Superintendent. Believing the request to be legitimate, the recipient sent the forms to the fraudulent email address provided in the request.
This breach highlights the importance of employee cybersecurity training and a posture of constant vigilance. Scammers rely upon people’s natural inclination to be helpful and prompt, and it’s critical to ensure that employees who handle sensitive information receive tailored training, emphasizing the caution and care they must employ in responding to unusual requests for data.
The target: Accellion, a U.S.-based cloud service vendor providing secure file transfer applications for enterprise use.
The take: A variety of datasets including personally identifying information and proprietary data for an estimated 300 clients, including The Australian Securities and Investments Commission, The Reserve Bank of New Zealand, Harvard Business School, Singtel (a Singapore-based telecom conglomerate), and the QIMR Berghofer Medical Research Institute.
The attack vector: Hackers breached the firm’s legacy File Transfer Application software by taking advantage of a zero-day vulnerability in a legacy software product – a point of weakness identified and exploited by a threat actor before the developer was made aware of it and was able to produce a patch.
This supply-chain attack against a platform which was near retirement highlights the danger of relying on end-of-life, legacy software products. Firms should be proactive in moving to current-generation software solutions - Accellion have reportedly “encouraged all FTA customers to migrate to Kiteworks [their current generation offering] for the last three years”.
The target: UScellular, the fourth largest mobile network operator in the United States.
The take: Customer records of personally identifiable information including: names, addresses, account names and PIN codes, telephone numbers, information on their phone service plans, and the ability to alter the phone number on accounts which receive two-factor authentication texts.
The attack vector: The attackers tricked retail employees into downloading malicious software which contained a RAT (remote access tool), allowing the threat actors to access the computer systems remotely. As the employees were already logged into the CRM (customer retail management) software, the hackers were able to move freely within the systems using an employee’s credentials.
Social engineering is a tactic widely used by attackers to exploit our innate desire to be helpful quickly, without thinking through the consequences. The employee’s mistake, innocent or not, of clicking on an unverified link granted the attacker the ability to install a Remote Access Tool and navigate through the company’s systems under legitimate credentials. Continuous employee education around suspicious links, and the social engineering tactics they’re paired with, is a critical component of a firm’s robust cybersecurity posture.
The target: Bonobos, a men’s clothing store.
The take: 70GB database containing personally identifiable information such as: 7 million order records, account information of 1.8 million customers with phone numbers, shipping and email addresses, 3.5 million partial credit card records, and hashed passwords.
The attack vector: While Bonobos’ own internal systems show no signs of breach, an externally hosted backup of the database was accessed in a provider’s cloud storage environment.
Security controls must always be commensurate with the sensitivity of data being stored, and must travel with that data, both within internal systems, and when transferring sensitive data to backup media or external vendor or partner’s systems. This attack highlights the importance of auditing and validating security controls at every stage of the data lifecycle.
The target: Pixlr, a popular, free online photo editing application.
The take: 1.9 million user records of personally identifiable information including: email addresses, login names, hashed passwords, and user’s country of origin.
The attack vector: The breach occurred when an AWS storage bucket was left unsecured and online by Pixlr’s parent company, Inmagine. This allowed the attacker to download a copy of the data and then post it on a public hacking forum, vastly increasing the negative area of effect for the compromised users.
This leak shows the negative and cascading effects a breach can have, not only in the personal or financial risk to the user, but in how far the stolen data can be distributed to malicious actors. Robust password controls and user authentication are critical to maintain data integrity and confidentiality. In addition, this breach highlights the importance of protecting against credential stuffing attacks by using strong, unique passwords which are not shared among logins - a security strategy recommended to every firm.
The target: United Nations Environmental Programme (UNEP)
The take: 100,000 records containing: employee personally identifiable information, project funding records, employment evaluation records, and most critically 7 sets of administrative credentials to other databases.
The attack vector: The leak originated from an unsecured Git directory and credential files (Git is one of the world’s most popular software version control systems). Within these exposed files were unencrypted, plain text administrative passwords for not only the repository which was accessed, but for other datasets and systems as well.
This breach demonstrates the importance of appropriate credential storage – privileged credentials should never be stored in plaintext scripts or configuration files replicated in git repositories. Data must always be held with security controls commensurate to the sensitivity of that data.
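One way to catch plaintext credentials in configuration files before they are committed, as an added example that is not part of the original article or of any named tool. The key-name list, the placeholder patterns and the sample configuration are assumptions constructed for illustration.

```python
import re

# Key names that usually hold credentials (an assumed, deliberately small list).
CREDENTIAL_NAME = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)", re.I)
# key = value  or  key: value, with optional quotes around the value.
ASSIGNMENT = re.compile(r"""^\s*([\w.-]+)\s*[:=]\s*["']?([^"'#\s]+)""")
# Values that are references or placeholders rather than literal secrets.
SAFE_VALUE = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|changeme|null|none)$", re.I)


def find_plaintext_credentials(text):
    """Return (line_number, key) for each literal credential assigned in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";", "//")):
            continue  # skip comment lines
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        key, value = match.groups()
        if CREDENTIAL_NAME.search(key) and not SAFE_VALUE.match(value):
            findings.append((number, key))  # the value itself is never echoed
    return findings


# Constructed sample of a configuration file about to be committed.
SAMPLE_CONFIG = """\
# database settings
db_host = db.internal.example
db_user = admin
db_password = "S3cr3t-Example-Only"
api_key: ${API_KEY}
smtp_password = <set-in-vault>
admin_token = 'abc123exampletoken'
"""

if __name__ == "__main__":
    for number, key in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"line {number}: literal value assigned to '{key}'")
```

Only the line number and key name are reported, so the scan output can be logged or shared without repeating the secret.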
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.