
Industry News: ESG5

    Know Your Breach: Solution for Healthcare

    The target: Solution for Healthcare, a Vietnamese technology firm which provides software for electronic health records and hospital management.

    The take: 12 million records belonging to an estimated 80,000 patients and healthcare staff. The personally identifiable information included: full names, dates of birth, postal codes, email addresses, phone numbers, passport details, credit card numbers, and detailed medical records.

    The attack vector: The data was initially exposed through an unsecured Elasticsearch server the company maintained, reachable from the internet with no authentication, monitoring, or credential management. With nothing in place to stop it, the exposed database was then hit by an automated attack script known as Meowbot, which deleted an unspecified amount of the data on the server.

    Leaving a database exposed to the internet without any credential management compromises its confidentiality, integrity and availability at once. Once data is left wide open, other attacks, including destructive ones that can make recovery impossible, are trivial to execute. Protecting data with measures appropriate to its sensitivity is critical to operational success.


    Know Your Breach: Marriage Tax Refund

    The target: Marriage Tax Refund, a UK-based tax relief organization.

    The take: 100,000 records of personally identifiable information including: full name, gender, home address, partner's name and address, and refund amounts.

    The attack vector: The firm had misconfigured its WordPress-based client management service, exposing a directory listing of PDF documents to the public. There was no password protection or credential management in place, so anyone with an internet connection could have viewed and downloaded the documents. Directory listing should be disabled on the web server, and client documents should be served only through an authenticated handler rather than from a web-readable folder.

    Compromised client-data management software poses a high risk to a firm. Robust access control around any software that manages personally identifiable information is critical to the security of both the firm and its clients. This breach highlights how closely systems that hold client data, and the way that data is accessed and secured, need to be managed.


    Know Your Breach: NHS

    The target: The NHS, the United Kingdom’s national healthcare service provider.

    The take: 284 records of personally identifiable information including: names, dates of birth, contact information, and hospital identification numbers.

    The attack vector: The breach was the result of human error and internal process failure: a spreadsheet containing the personal information was accidentally emailed to thirty-one individuals outside the NHS.

    This incident could have been avoided with the implementation of data classification controls – appropriate tagging of sensitive material, enforced by data loss prevention rules on outbound email, would have provided an additional stopgap before this document left internal systems. Ultimately, this breach serves as an important reminder that wherever sensitive personal data is in play, vetted processes should be implemented and followed, with regular training and reminders, to ensure its protection. It is an organization's responsibility to provide the tools and training necessary to maintain safe and consistent approaches to handling data, and to impress upon staff the importance of adherence to procedure.


    Know Your Breach: Apodis Pharma

    The target: Apodis Pharma, a France-based digital supply chain management company.

    The take: 1.7 terabytes of information including: 4,400 records of client, partner, and employee names, and 17 million records of confidential sales data, prices, and order quantities between Apodis and its customers.

    The attack vector: A Kibana dashboard was left publicly accessible, with no authentication, to anyone with an internet connection. Because Kibana sits in front of an Elasticsearch database and queries it on the user's behalf, reaching the dashboard meant being able to read everything the database contained.

    Compromised management software can lead to a waterfall of exposures. Robust credential control around software that grants access to multiple underlying systems is critical to maintaining a firm's security. This breach highlights the importance of managing employee tools, and how they are accessed, used, and secured, offering a stark reminder of how tightly access should be controlled.
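The Solution for Healthcare and Apodis entries above (and the GrowDiaries entry below) share one root cause: an Elasticsearch cluster or its Kibana front end answering on the open internet with no authentication. The following is an added example, not code from any of the firms involved, of how to check one's own hosts for that condition. It assumes the default ports (9200 for Elasticsearch, 5601 for Kibana) and API paths; the sample responses in SAMPLES are constructed to look like real ones and are not captured from any live system.

```python
"""Unauthenticated-exposure check for Elasticsearch and Kibana.

Added example. Assumptions: Elasticsearch answers on :9200 and Kibana on
:5601 with default API paths; SAMPLES are constructed responses.
"""
import json
import sys
import urllib.error
import urllib.request

OPEN, AUTH_REQUIRED, UNKNOWN = "OPEN", "AUTH_REQUIRED", "UNKNOWN"


def classify_elasticsearch(status, body):
    """Classify GET <es>/_cat/indices?format=json.

    200 with a JSON list of index records means anyone can enumerate every
    index and, with default settings, read or delete it: the state that let
    an automated wiper delete data in the Solution for Healthcare breach.
    401/403 means credentials are being asked for (security enabled, or an
    authenticating proxy in front). Anything else is not guessed at.
    """
    if status in (401, 403):
        return AUTH_REQUIRED
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return UNKNOWN
        if isinstance(data, list) and all(isinstance(i, dict) and "index" in i for i in data):
            return OPEN
    return UNKNOWN


def index_names(body):
    """Names of the indices an open cluster advertises, for the finding report."""
    return [i["index"] for i in json.loads(body)]


def classify_kibana(status, body):
    """Classify GET <kibana>/api/saved_objects/_find?type=index-pattern.

    Kibana's /api/status can be reachable anonymously even on a secured
    instance, so it is a poor test; the saved-objects API always needs a
    session or credentials when security is on. An unsecured Kibana answers
    200 with a saved_objects list (which doubles as a list of what the
    dashboard can query); a secured one answers 401 or redirects to /login.
    """
    if status in (302, 401, 403):
        return AUTH_REQUIRED
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return UNKNOWN
        if isinstance(data, dict) and "saved_objects" in data:
            return OPEN
    return UNKNOWN


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 to the classifier instead of following it


def fetch(url, timeout=5):
    """Return (status, body); HTTP errors and redirects are returned, not raised."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def probe(host):
    """Check both services on a live host. Only run against hosts you own."""
    es = fetch(f"http://{host}:9200/_cat/indices?format=json")
    kb = fetch(f"http://{host}:5601/api/saved_objects/_find?type=index-pattern")
    return {"elasticsearch": classify_elasticsearch(*es), "kibana": classify_kibana(*kb)}


# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "es_open": (200, '[{"health":"yellow","status":"open","index":"patients","docs.count":"120"}]'),
    "es_secured": (401, '{"error":{"type":"security_exception","reason":"missing authentication credentials"},"status":401}'),
    "kibana_open": (200, '{"page":1,"per_page":20,"total":1,"saved_objects":[{"type":"index-pattern","id":"p1"}]}'),
    "kibana_secured": (302, ""),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for name, (status, body) in SAMPLES.items():
            fn = classify_kibana if name.startswith("kibana") else classify_elasticsearch
            print(f"{name}: {fn(status, body)}")
```

Run with no arguments to see the classifier on the constructed samples, or with a hostname to probe a live host. An OPEN verdict on a host that faces the internet is the Solution for Healthcare and Apodis condition exactly; the fix is to enable Elasticsearch security, bind the services to a private interface, and put Kibana behind an authenticating proxy or its own login.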


    Know Your Breach: Levitas

    The target: Levitas, an Australian hedge fund manager.

    The take: $8 million

    The attack vector: The attack was initiated when one of the founders clicked a fake Zoom meeting link. This let the attackers install malicious software and take control of the founder's email account. With that high-privilege mailbox in hand, they created fake invoices from a bogus company and sent payment requests to the firm; approvals from the compromised email account followed shortly after each request, prompting transfers of funds to the unknown companies, which the threat actors then withdrew as cash.

    This breach demonstrates the critical nature of verification processes, and the inherent power of high-level credentials and their management. Several red flags were raised throughout the scheme, and the attack shows how important it is to review, verify, and certify payment processes regardless of where the request originates within a firm: a new payee or changed bank details should be confirmed out of band, by phone to a known number, never by replying to the email that requested the payment.


    Know Your Breach: TronicsXchange

    The target: TronicsXchange, a California-based electronics retailer.

    The take: 80,000 images of personal identification cards and 10,000 fingerprint scans. Information included: driver's license number, full name, birthday, home address, gender, hair and eye color, height and weight, and a photo of the individual.

    The attack vector: An unsecured Amazon S3 bucket was discovered online even though the company had ceased operations. The bucket was publicly readable, with no access controls, so anyone who found the correct URL could list and freely download its contents.

    The breach is serious because the sensitive information stored could lead to severe cases of fraud. Asset management is a critical procedure for any company, and the fact that this storage was kept online even after the company had supposedly closed its doors highlights the extreme importance of proper decommissioning procedures, to ensure sensitive information is securely destroyed or taken offline.
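A bucket becomes "discoverable online" in the way described above through one of two configurations: a bucket policy that grants read access to everyone, or an ACL grant to the AllUsers group, with Block Public Access left off. The following is an added example, not TronicsXchange's code, of an offline check over those three documents as the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs return them; the policy, ACL and bucket name below are constructed for illustration, and the account ID is the usual placeholder.

```python
"""Offline check for a publicly readable S3 bucket.

Added example. Inputs are the bucket policy, ACL and Public Access Block
configuration in the shapes the S3 APIs return; all samples are constructed.
"""
import fnmatch

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    # Any AWS account holder counts as "authenticated"; treat it as public too.
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants_read(actions):
    # IAM action names are case-insensitive and may carry wildcards (s3:Get*, s3:*, *).
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(act, pat) for act in READ_ACTIONS for pat in patterns)


def public_policy_statements(policy):
    """Allow statements that hand read access to everyone.

    A statement with a Condition (aws:SourceVpce, aws:SourceIp, ...) may narrow
    that to something acceptable, so it is reported with conditional=True
    rather than silently accepted or rejected.
    """
    findings = []
    for i, st in enumerate(_as_list((policy or {}).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if _grants_read(st.get("Action", [])):
            findings.append({"sid": st.get("Sid", f"statement-{i}"),
                             "conditional": bool(st.get("Condition"))})
    return findings


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups that allow reading."""
    return [
        g["Permission"]
        for g in (acl or {}).get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in ("READ", "FULL_CONTROL")
    ]


def is_publicly_readable(policy, acl, public_access_block=None):
    """Combine policy, ACL and Block Public Access the way S3 evaluates them:
    RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls
    neutralises public ACLs; either path left open makes the bucket public."""
    pab = public_access_block or {}
    via_policy = [f for f in public_policy_statements(policy) if not f["conditional"]]
    via_acl = public_acl_grants(acl)
    if pab.get("RestrictPublicBuckets"):
        via_policy = []
    if pab.get("IgnorePublicAcls"):
        via_acl = []
    return bool(via_policy or via_acl)


# Constructed sample configuration; the bucket name is invented.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-idscans", "arn:aws:s3:::example-idscans/*"],
    }],
}
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/kiosk-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-idscans/*",
    }],
}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, pol, acl, pab in [("policy open", PUBLIC_POLICY, PRIVATE_ACL, None),
                                 ("acl open", PRIVATE_POLICY, PUBLIC_ACL, None),
                                 ("open but blocked", PUBLIC_POLICY, PUBLIC_ACL, ALL_BLOCKED),
                                 ("private", PRIVATE_POLICY, PRIVATE_ACL, None)]:
        print(f"{label}: public={is_publicly_readable(pol, acl, pab)}")
```

Decommissioning is the other half of the lesson: a bucket that passes this check still holds the identity documents, so the off-boarding runbook should end with the objects deleted (or moved to a locked-down archive) and the bucket itself removed, not merely forgotten.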


    Know Your Breach: Vertafore

    The target: Vertafore, a U.S.-based insurance software provider.

    The take: 27.7 million records of personally identifiable information including: driver's license numbers, first and last names, date of birth, address, and vehicle registration history.

    The attack vector: Three database files containing the above information were placed, through human error, on an unsecured external third-party storage service with no access authorization, meaning anyone with an internet connection could access and download the data.

    This breach highlights the importance of robust cybersecurity protocols and processes. Rigid steps around the transfer and movement of data are needed to protect sensitive information, with multiple checks to verify that the destination is secure and the expected safeguards are in place before anything is copied. When data is moved, controls commensurate with its sensitivity must travel with it.


    Know Your Breach: GrowDiaries

    The target: GrowDiaries, an online community for marijuana growers.

    The take: 2 million user records including: usernames, email address, IP addresses, user posted articles, and user account passwords. 

    The attack vector: The breach occurred because of a credential management and best-practice failure. The site failed to secure its database management application, Kibana, which was left exposed online with no password protection, allowing anyone with an internet connection to access the data. Furthermore, passwords stored in one of the databases were hashed with MD5, a fast, unsalted hash that is unsuitable for passwords and trivially cracked with a wordlist.

    Management applications which grant access to user data should always be secured with commensurate levels of protection. In addition to securing every access point, protection of data at rest should include rigorous controls around password tables: passwords must be stored only as salted, deliberately slow hashes (bcrypt, scrypt, or Argon2), never as MD5 or any other fast unsalted hash, so that if a breach does occur the damage to users is limited as much as possible.
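The difference between the MD5 table GrowDiaries kept and a properly hashed one is easiest to see by attacking both. The following is an added example, not GrowDiaries' code: a constructed three-user table and a tiny wordlist (standing in for the multi-gigabyte lists attackers actually use), a dictionary attack against unsalted MD5, and the same attack against salted scrypt from the standard library. Argon2id or bcrypt would serve equally well; scrypt is used here only because hashlib ships it.

```python
"""Why unsalted MD5 fails as password storage, next to a salted, slow hash.

Added example. USERS and WORDLIST are constructed samples; the attack is a
plain dictionary attack, the simplest thing run against a leaked table.
"""
import hashlib
import hmac
import os

# Constructed user table and a tiny wordlist standing in for a multi-GB one.
USERS = {"alice": "sunshine", "bob": "password", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "hunter2", "sunshine"]


def md5_table(users):
    """What the breached site did: bare MD5, no salt, one hash per password."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def crack_md5(table, wordlist):
    """Hash every candidate once and look it up against every user at the same
    time. The cost is proportional to the wordlist, not to the number of
    users, and identical passwords show up as identical hashes, which is why
    an unsalted fast hash gives up most of a 2-million-row table in minutes."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: lookup[h] for u, h in table.items() if h in lookup}


def hash_password(password, salt=None, n=2 ** 14, r=8, p=1):
    """Salted scrypt (hashlib.scrypt, OpenSSL-backed). The random 16-byte salt
    defeats shared lookup tables; the cost parameters make each guess slow.
    The stored string carries its own parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def scrypt_table(users):
    return {u: hash_password(p) for u, p in users.items()}


def crack_scrypt(table, wordlist):
    """The same dictionary attack against the salted table: no shared lookup is
    possible, so every (user, candidate) pair costs one full scrypt call.
    Returns what was found and how many hash computations it took."""
    found, tries = {}, 0
    for user, stored in table.items():
        for candidate in wordlist:
            tries += 1
            if verify_password(candidate, stored):
                found[user] = candidate
                break
    return found, tries


if __name__ == "__main__":
    weak = md5_table(USERS)
    print("MD5 cracked:", crack_md5(weak, WORDLIST))
    strong = scrypt_table(USERS)
    found, tries = crack_scrypt(strong, WORDLIST)
    print(f"scrypt cracked: {found} after {tries} scrypt computations")
```

Both attacks recover the two weak passwords, because no hash can rescue a password that is in the wordlist; the point is the cost. Seven MD5 computations cover all users at once, whereas the salted table needs a separate scrypt run per user per candidate, and each of those is tuned to take tens of milliseconds instead of nanoseconds. Multiply that by two million users and a realistic wordlist and the attack that finished in minutes against MD5 takes years.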


    Know Your Breach: Gunnebo

    The target: Gunnebo, a Swedish security firm.

    The take: 38,000 sensitive company documents including: schematics of client bank vaults and surveillance systems, blueprints for monitoring and alarm equipment, and the security functions of automated teller machines.

    The attack vector: Compromised credentials for an employee's Remote Desktop Protocol (RDP) account, which had the password 'password01'. Whether this particular RDP account was the entry point has not been confirmed, but security researchers highlighted the extremely poor password hygiene and inferred that the practice was likely widespread within the firm.

    The breach highlights the critical importance of robust password policies. Minimum length, and screening every new password against common words and previously breached passwords, do more than complexity and forced-rotation rules, which tend to produce exactly passwords like 'password01'. Any remotely reachable account, RDP above all, should also sit behind multi-factor authentication and a VPN rather than be exposed directly to the internet.


    Know Your Breach: MAXEX

    The target: MAXEX, an Atlanta-based residential mortgage trading company.

    The take: 9GB of internal company and client data including: confidential banking information, login credentials, emails, penetration test reports, and full mortgage documentation for 23 individuals.

    The attack vector: The breach took place due to an unsecured, publicly exposed Jenkins server. Jenkins is a build and deployment automation server, used in some of the most sensitive activities in the development and operation of software, and by design it holds credentials for the systems it builds and deploys to. Notably, MAXEX had stored login credentials on it in plain text, with enough permissions to compromise many of its other systems.

    This breach highlights the importance of properly securing data. Furthermore, it underscores the critical importance of credential management: a compromise of one system can easily become a pivot to others, with a cascading impact on company and client data. Secrets used by CI jobs should live in a credential store, be scoped to the least privilege the job needs, and never appear in plain text in job configuration, environment files, or build logs.
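Credentials in plain text inside CI configuration are easy to find mechanically, which is why an exposed Jenkins server is so profitable for an attacker and why the same scan belongs in a defender's pipeline. The following is an added example, not MAXEX's code, of a small secrets scanner run over a constructed Jenkins job config.xml and an environment file; the AWS key values are AWS's documented example keys, not live credentials, and the Jenkins-encrypted token is fabricated. It also flags Jenkins' own `{AQAAAB...}` encrypted form, which is not protection against whoever can read the server, since the master key lives on the same host.

```python
"""Scan CI configuration for credentials stored in the clear.

Added example. SAMPLE is a constructed job config.xml plus an env file;
the AWS values are AWS's documented example keys, the token is invented.
"""
import math
import re

# (kind, pattern, group holding the secret value); ordered so the more
# specific shapes claim a value before the generic key=value rule sees it.
PATTERNS = [
    # Jenkins' own encrypted form. Looks safe, but master.key and hudson.util.Secret
    # live on the same server, so whoever reads the config can decrypt it too.
    ("jenkins-encrypted", re.compile(r"\{AQAAAB[A-Za-z0-9+/=]{20,}\}"), 0),
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    ("plaintext-credential", re.compile(r"(?i)<(password|secret|token|passphrase)>([^<]{4,})</\1>"), 2),
    ("plaintext-credential", re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)\s*[=:]\s*['\"]?([^\s'\"<]{4,})"), 2),
]
# Unnamed tokens: long, contain a digit, and have the character spread of random data.
TOKEN = re.compile(r"[A-Za-z0-9_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; hex/base64 secrets sit near or above 4


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    return f"{value[:4]}...({len(value)} chars)"


def scan(text):
    """Return (line number, kind, redacted value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = []
        for kind, rx, group in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(group)
                if any(value in v or v in value for v in seen):
                    continue  # already reported under a more specific rule
                seen.append(value)
                findings.append((lineno, kind, redact(value)))
        for m in TOKEN.finditer(line):
            tok = m.group(0)
            if any(tok in v for v in seen) or not re.search(r"\d", tok):
                continue
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy-token", redact(tok)))
    return findings


# Constructed sample: a job config.xml followed by an env file from the same workspace.
SAMPLE = """\
<project>
  <description>Nightly build for kiosk-app</description>
  <scm><url>https://git.example.invalid/kiosk-app.git</url></scm>
  <credentials>
    <username>deploy</username>
    <password>Summer2020!</password>
    <apiToken>{AQAAABAAAAAQ8dJ3mE2kVz5R7PqLxNc4wS9yT1bH6uGfYaZoIiD0eK=}</apiToken>
  </credentials>
  <notifyUrl>https://hooks.example.invalid/send?t=9f3c1d8e7a2b4c6d0e1f3a5b7c9d2e4f</notifyUrl>
</project>
# deploy.env, checked into the same job workspace
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for lineno, kind, shown in scan(SAMPLE):
        print(f"line {lineno:>3}  {kind:<22} {shown}")
```

The redacted output is deliberate: a scanner that prints the secrets it finds into a build log has just created another copy of them. Every hit here is a credential that should be moved into the Jenkins credential store (or an external vault) and referenced by ID, with the exposed value rotated.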


    About Castle Hall Diligence

    Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios.
