Industry News: ESG5

The target: Broadvoice, a Voice-over-IP service provider.

The take: 350 million total customer records of personally identifiable information including: full names, date of birth, phone number, and voice-mail transcripts with highly sensitive details such as medical records, loan applications, and mortgage information.

The attack vector: A misconfigured Elasticsearch database housing 10 separate clusters of data. There was no authentication or security in place meaning anyone with an internet connection could have full access to the data. These storage servers are easily discoverable with scanning tools available to administrators and malicious attackers alike.

The type of data exposed in this breach poses enormous risk for Broadvoice’s customers as the intricate details leaked, in voice calls and prescription records for example, would give phishing and fraud attacks a high chance of success. This breach demonstrates the extreme importance of securing access to a firm’s data. Proper authentication, monitoring, and credential management are some of the critical tools which can be implemented to prevent these occurrences.

Read more...

The target: Snewpit, an Australian-based news sharing platform. 

The take: 80,000 user records of personally identifiable information including: usernames, full names, email addresses, profile pictures, and log data detailing the amount time users spent on the app and other behaviour metrics.

The attack vector: The information was exposed on an improperly secured, and publicly accessible, Amazon Web Services server. Bad actors can locate these unsecured storage buckets very easily and the complete lack of security on the database means the records were open to anyone with an internet connection.

The combination of data exposed in this incident could lead to very targeted and successful scams by fraudsters. Personally Identifiable information helps these attackers build a complete profile of their victims, and in this case, the log data which outlined the actions taken by users on Snewpit’s app greatly increases the credibility of their scams, vastly increasing the chance they are successful. Data and credential management are critical for ensuring sensitive information is stored safely and securely.

Read more...

The target: BrandBQ, a European fashion retailer. 

The take: 7 million customer records of personally identifiable information including: full names, email addresses, home addresses, date of birth, phone number, and payment records.

The attack vector: The data was exposed on an unencrypted and unsecured Elasticsearch server meaning anyone with an internet connection could have found the information and downloaded a copy. Along with customer information, an additional 50,000 records of relating to contractors who worked with BrandBQ were also stored on the server, exposing their purchase information and correspondence. Further mixed in were API logs relating to their mobile app, greatly increasing the range of possible exposure to over 500,000 affected users. 

Credential management and proper security around storage of data is critical for every business. In this case, the mixing of data all kept in one place compounded the severity of the breach as not only were BrandBQ’s customers made into vulnerable phishing targets, but their contractors are now also extremely susceptible to Business Email Compromise scams.

Read more...

The target: Düsseldorf University Hospital, a German teaching hospital

The take: A critically ill patient died as a result of the cyberattack on the hospital’s systems

The attack vector: A ransomware attack was carried out on the hospital’s systems, exploiting a vulnerability in their VPN. However – as the encryption attack caused the hospital’s computer system to become disconnected from the ambulance network, a critically ill patient had to be redirected to a remote hospital, and died after her admission to hospital was delayed by over an hour.

While hospitals are regular targets of ransomware attacks, this is the first known case where such an attack has cost a patient’s life, and is a stark reminder of the potential stakes. This attack was made possible by a security vulnerability in an off-the-shelf software product, which, for IT professionals, again, underlines the critical importance of maintaining patching procedures and ensuring that applications and appliances are maintained.

Read more...

The target: Razer, an American-based maker of computer accessories and peripherals.

The take: 100,000 records of Personally Identifiable Information including: full name, email, phone number, internal customer ID, order number, billing and shipping address

The attack vector: The data was left unsecured due to a misconfiguration on an Elasticsearch server without any protection or credential management, leaving the information open to be downloaded by anyone with an internet connection. 

The information exposed poses great risk for Razer’s customers as social engineering attacks, such as fraud and phishing, could easily be crafted with precision by bad actors because of the leaked personally identifiable data. This breach highlights the critical importance of not only proper and secure configurations of storage where sensitive information is held, but also strict and robust policy around access and security.

Read more...

The target: Service New South Wales, an Australian government agency.

The take: 3.8 million combined records from a total of 186,000 customers. Data stolen included: names, home addresses, scans of handwritten notes, applications forms, and records of transactions.

The attack vector: Attackers gained access to NSW’s systems through a targeted phishing attack against an employee. These credentials were compromised when the employee clicked on a suspicious link, leading to unauthorized access of 47 Service NSW staff member’s email accounts.

The highly sensitive information stolen presents a clear risk of identity theft and further scams against the affected customers. Training and teaching around phishing attacks are of critical importance for every firm. Knowing how to recognize an attack and what to do are key takeaways from this incident.

Read more...

The target: View Media, an online marketing and research company.

The take: 39 million user records containing sensitive Personally Identifiable Information such as: first and last names, zip codes, emails, and phone numbers.

The attack vector: View Media failed to secure an Amazon S3 storage bucket with any kind of credential management or authorization. The database housing this information was publicly accessible by anyone with an internet connection.

The personal information stored here is a perfect platform for scammers to launch a wide variety of phishing attacks from multiple angles including: email attacks, SMS text attacks (also known as smishing), and robo-call attacks via a phone number. The data found here can be used by hackers to build a robust target profile for their scamming campaigns, further highlighting the critical need for rigorous data storage practices and credential implementation.

Read more...

The target: Freepik, a website providing high quality free photos and graphic design. 

The take: 8.3 million records of personally identifiable information including: emails, usernames, and passwords.

The attack vector: An SQL injection was used to breach Freepik’s systems and allowed attackers to dump their user information. Attacks of this nature take advantage of poor controls in text input fields to send malicious instructions to the target database.

Any field where a user can submit text in web applications should be sanitized as a secure coding best practice to ensure these kinds of malicious commands cannot be submitted.

Read more...

The target: SANS Institute, a cybersecurity training firm.

The take: 28,000 records of Personally Identifiable Information including: names, job title, industry, home address and country of residence.

The attack vector:  The attack occurred through a “consent phishing” scam, where the attacker attempts to trick employees to install a malware app or grant it permissions to access sensitive data or execute dangerous commands. The phish in this case was design to replicate a SharePoint link via O365, and after the employee clicked the link and authorized the installation of the malware, a forwarding rule was created, sending 513 emails to the anonymous hacker.

This breach demonstrates that critical thinking and scrutiny is essential when dealing with e-mail communication. Performing the ‘hover test’ to validate links in incoming mail and validating the message sender are critical for avoiding these phishing attacks.

Read more...

The target: Virtu Financial, a high-speed trading firm.

The take: 6.9 million USD

The attack vector: Virtu was victim to a BEC, or Business Email Compromise, scam. The attack began when an executive’s email account was compromised and used to send fraudulent requests to the company’s accounting department leading to two outgoing wire transfers. The threat actors disguised their internal movements by creating email rules to prevent the legitimate owner from realizing the attack was happening. Believing the spoofed email requests were real, the accounting department made the transfers. The fraud was discovered two days later due to an internal auditing process.

The security of high profile accounts is paramount to robust cybersecurity, and this attack highlights why high level employees are often under the greatest focus from outside threats. Beyond maintaining security for employees with this level of access, the vetting of requests, especially where funds are concerned, is a top priority for vigilant cybersecurity.

Read more...