
Industry News: ESG5

    Know Your Breach: Benefit Recovery Specialists Inc.

    The target: Benefit Recovery Specialists Inc., a Houston-based billing and debt collection vendor.

    The take: 275,000 records of Personally Identifiable Information, including name, date of birth, date of service, provider name, policy identification number, procedure code and/or diagnosis code. For a small number of the records, Social Security numbers were also leaked.

    The attack vector: The attackers accessed BRSI’s systems with stolen employee credentials and used that access to deploy malware internally. While not confirmed by BRSI, experts believe the description of the attack matches that of a successful phishing campaign. BRSI’s IT systems hosted the malware for 10 days before the malicious activity was discovered.

    This breach highlights the importance of regular employee training and education around common social engineering attacks. The records exposed in this incident, and similar data held by other medically related vendors, underscore the severity of this type of data exposure, as it can lead to sophisticated identity theft. It is also a critical reminder for companies using third-party vendors that their overall security posture depends on the robustness of every firm that holds their data.

    Know Your Breach: Cashaa

    The target: Cashaa, a UK-based cryptocurrency exchange.

    The take: $3 million USD in Bitcoin.

    The attack vector: The attackers compromised Cashaa’s systems by installing malware on a company computer used to make its transactions. Once the malicious software was active, it notified the attackers whenever one of Cashaa’s employees logged into the computer to make transfers from another crypto exchange’s wallet. The hackers used this backdoor to drain the wallet, so that all 336 Bitcoin went to them instead of the intended recipient.

    The point of entry for an attack can have cascading consequences, and this incident shows why securing company computers with proper malware detection is absolutely critical to strong cybersecurity. The theft was made possible by two failures: the initial compromise that allowed the malicious software to be installed, and the subsequent monitoring failure that allowed the malware to send notifications out to the attackers.

    Know Your Breach: Clubillion

    The target: Clubillion, an online gambling and casino app.

    The take: Over 200 million user records containing the following personally identifiable information: email addresses, private messages, winnings, IP addresses, and movements within the app itself.

    The attack vector: An Elasticsearch database hosted on Amazon Web Services was left unsecured and publicly accessible. Unlike other recent cases, this was not a single static backup or archive of information, but a live ‘production’ database, constantly updated with up to 200 million new records per day.

    In addition to the usual phishing attacks that could be launched with access to personal information, the inclusion of in-app activity and the fact that the exposed data was continuously updated make highly targeted spear-phishing campaigns extremely likely to succeed. While it is always disappointing to see lapses in security around database backups, it is absolutely crucial that production systems housing sensitive data are adequately protected.

    Know Your Breach: V Shred

    The target: V Shred, a Las Vegas-based fitness company which sells fitness plans, nutrition advice and supplements.

    The take: The combined Personally Identifiable Information of 99,000 customers and potential clients, including names, home addresses, email addresses, dates of birth, usernames and passwords, age, gender, citizenship status and user photos.

    The attack vector: A very common problem: all of this information was hosted on an unsecured Amazon Web Services storage server accessible to the public online. In this case, however, anonymous users could also access the information without any login credentials, making the breach wider and deeper.

    The exposed information could lead to highly sophisticated phishing attacks and, crucially, the user photos could be used for identity theft. Credential management around publicly available company data is paramount to robust cybersecurity.

    Know Your Breach: Frost & Sullivan

    The target: Frost & Sullivan, a US-based business consulting firm.

    The take: 6,000 customer records containing client name, email address and company contact, and 6,146 employee records containing first and last names, login names, email addresses and hashed passwords.

    The attack vector: Due to a misconfigured, public-facing server, the data was stolen from an unsecured backup folder containing readable databases and company documents. The information was then put up for sale on a known hacking forum.

    This breach highlights the importance of a firm’s security posture for publicly accessible file containers. Since sensitive information such as passwords was included in the leak, credential stuffing attacks could easily be carried out to great effect.

    Know Your Breach: Postbank

    The target: Postbank, the banking division of South Africa’s Post Office.

    The take: $3.2 million USD.

    The attack vector: Rogue employees printed the bank’s ‘master key’, a 36-digit code which allows its holders to decrypt the bank’s operations and modify security protocols, on a piece of paper from an old data center. Using this credential they were able to access customer accounts and execute more than 25,000 fraudulent transactions, stealing $3.2 million. Beyond the cash, the master key also gave the attackers access to ATM PINs, home banking access codes, customer data and credit card information, which could then be used for sophisticated phishing attacks.

    This breach highlights the importance of privileged credential management and the cascading negative effects that can happen when a high level protocol is compromised.

    Know Your Breach: Genworth Financial

    The target: Genworth Financial, a Fortune 500 insurance holding company for mortgages and long-term care.

    The take: Personally Identifiable Information of 1,600 clients, including name, address, age, gender, date of birth, financial information, Social Security number and signature.

    The attack vector: The attackers gained unauthorized access through compromised login credentials belonging to some of Genworth’s third-party insurance agents. These agents use an online access portal run by Genworth to manage their clients’ policies. By exploiting the hacked logins, the threat actors were able to gather a trove of data which is very valuable for phishing attacks, identity theft and more.

    This attack highlights the critical need for robust credential management not only amongst a firm’s employees, but also amongst third parties and wherever access to a firm’s data is concerned.

    Know Your Breach: San Francisco Retirement System

    The target: San Francisco Employees’ Retirement System, the city body which provides pensions, retirement plans and other benefits to city workers.

    The take: Personal information for 74,000 members, including names, home addresses, dates of birth, beneficiary information, username/password combinations, and potentially tax information and bank routing numbers.

    The attack vector: A breach notification was filed advising that ‘an unauthorized individual’ gained access to a database hosted in a test environment by one of SFRS’s vendors.

    This case again underlines the importance of validating service providers and ensuring that third-party organizations with access to sensitive data put appropriate controls in place. Furthermore, test and pre-staging environments should, as a best practice, use ‘dummy’ or heavily redacted data, especially where security controls are not as rigid as those protecting production systems.

    Know Your Breach: Magellan Health

    The target: Magellan Health, a for-profit managed health care and insurance firm.

    The take: Names, addresses, employee ID numbers, W-2 or 1099 details, Social Security and Taxpayer ID numbers, and in some cases usernames and passwords, for an undisclosed number of ‘current employees’.

    The attack vector: After an initial round of phishing e-mails, attackers obtained user credentials and accessed internal systems, deploying software to capture login credentials for some staff, and exfiltrating personal employee information before deploying a ransomware attack on Magellan’s system some days later.

    This example illustrates the cumulative and progressive nature of a breach, once initiated – no cyber-attack exists in isolation. Once an attacker has gained access to privileged accounts and systems, they can execute multiple attack vectors – exfiltrating sensitive data, and triggering a ransomware attack on internal systems, either to distract from their earlier activities or for purely financial gain. Security controls must be many and layered to ensure that a compromise of one can still be mitigated and contained.

    Know Your Breach: Covve

    The target: Covve, an ‘intelligent contact management solution’.

    The take: A 90 GB database containing names, e-mail addresses, phone numbers, business names and titles, social networking links and personalized notes, affecting more than 23 million individuals.

    The attack vector: While this incident was, at its core, another all too familiar instance of an unsecured database left publicly exposed, the notable factor in this breach is that the personally identifiable information leaked wasn’t that of the service’s users. Since Covve is a contact management app, the names, contact details, notes and social networking handles that were publicly leaked all belong to individuals who do not and probably never have used the service.

    From an individual standpoint, this breach highlights just how challenging it can be to maintain control over personal information – 23 million people, through no action of their own, saw their personal information exposed in this breach. From an organizational standpoint, again – a firm must be acutely aware of the kind of data they are storing and processing, and be able to ensure that it is being handled and protected in a manner commensurate to the sensitivity of that data.

    About Castle Hall Diligence

    Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long-only portfolios.
