.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
Cision: Agio, a leading cybersecurity and managed IT provider for financial services firms, published its inaugural 2022 Hedge Fund Managed IT Trends Report.
The Target: DoorDash, a popular food delivery company.
The Take: Exposure of Personally Identifiable Information belong to customers and employees including: names, customer delivery addresses, phone numbers, and some partial credit card information.
The Vector: The attackers breached a third-party company that DoorDash works with through a phishing attack. By using the compromised credentials, they were able to move in the vendor’s network freely and then access some of DoorDash’s own internal tools.
This breach is a stark reminder of the effective of social engineering attacks and how critical authentication controls are in an overall robust cybersecurity posture. Enforcing multi-factor authentication, reasonably paced password resets, and regular social engineering and phishing awareness training are all effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.
The Target: MIDC, Maharashtra Industrial Development Corporation
The Take: $68,000.00
The Vector: A threat actor gained access to the firm’s CEO’s email account. With the compromised credentials, the attacker sent requests for fund transfers to an external account, to which the employees followed through.
This breach is a stark reminder of not only the importance of credential hygiene and authentication, as well as reminders about access and how attackers will be able to act with all the powers the breached accounts give them, but also for social engineering. These types of attacks exploit our innate desire to do tasks quickly without stopping to consider the nature of the request. At all times, requests for information or monetary payments should be approached with caution and deliberate, thoughtful action.
The Target: Workforce Safety & Insurance, North Dakota’s division of workplace safety and worker compensation.
The Take: Exposure of 182 records of Personally Identifiable Information including: emails between claimants and WSI, voice-mails containing information about said claims, and emails between WSI and their business partners.
The Vector: The attacker penetrated Klaviyo’s internal systems by tricking an employee to give up their company credentials through a phishing attack, allowing the threat actor to access systems with all the privileges of the stolen login.
This breach highlights critical need for employee training to protect a firm against phishing attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture. Furthermore, the sensitive information breached can lead to highly targeted spear-phishing attacks as it lends credence.
The Target: BharatPay, an India-based financial services firm providing cash deposits, fund transfers, and online purchasing.
The Take: Exposed 37,000 records of Personally Identifiable Information including: usernames, hashed passwords, mobile phone numbers, email addresses, transaction data (such as transaction ID and bank balance), and API keys.
The Vector: The cause of the attack was an outdated software version of PHP allowing the threat actor to inject malicious JavaScript code and have it executed. The firm had only last updated their software years ago in 2020. By exploiting a known issue, the attacker was able to penetrate the firm’s systems.
This breach highlights the ongoing and ever-present need for the regular and quick patching of all software relied upon by the firm for daily operation. When known vulnerabilities are fixed by the software company, and patches released to the public, it is incumbent upon the firm to take responsibility and deploy these patches immediately to avoid a loss of integrity and data which could have easily been prevented.
The Target: Klaviyo, an email marketing firm.
The Take: Exposure of client’s Personally Identifiable Information including: names, addresses, emails, phone numbers, and two internal customer lead lists.
The Vector: The attacker penetrated Klaviyo’s internal systems by tricking an employee to give up their company credentials through a phishing attack, allowing the threat actor to access systems with all the privileges of the stolen login.
This breach highlights critical need for employee training to protect a firm against phishing attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.
The Target: Wiseasy, an Android based digital payments company.
The Take: Exposure of payment information, system admin credentials, plain-text passwords for WiFi networks the app was connected to, and client personal information including: names, phone numbers, email addresses.
The Vector: Compromised employee credentials were sold on the dark web, allowing the attackers to login and act as legitimate users to make configuration changes and view sensitive information.
As Wiseasy had no multi-factor authentication set up on employee accounts, the exposed credentials let attackers fully access their internal systems and perform actions with every permission the breached accounts had access to. This security lapse is a stark reminder of the importance of having proper multi-factor authentication enforced on any and all accounts that have access to critical internal services.
The Target: Entrust, a digital cybersecurity firm focused on identity management.
The Take: Sensitive corporate internal data from Entrust’s own IT systems.
The Vector: The attacker used previously compromised Entrust employee credentials to access their internal systems, posing as an authenticated user.
This breach is a critical reminder of the importance of credential authentication and password hygiene. Enforced multi-factor authentication could have prevented the Entrust breach, and enforcing this multi-factor authentication, along with reasonably regular forced password resets, password length and complexity rules, are effective strategies to mitigate these kinds of breaches.
The Target: Morgan Hunt, a British recruitment agency.
The Take: Exposure of Personally Identifiable Information including: names, contact details, identity documents, proof address documents (bank or building statements, national insurance number, and date of birth.
The Vector: The attackers breached a third-party software developer of Morgan Hunts who were storing access credentials to their database with no authentication or access controls.
This breach is a stark reminder that authentication controls are a critical piece in an overall robust cybersecurity posture. Furthermore, all steps should be taken by a firm to ensure any third-party vendor who can access their data is employing the requisite methods. Enforcing multi-factor authentication, reasonably regular forced password resets, and password length and complexity rules are all effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.
The Target: Axie Infinity, a Decentralized Finance company that runs a “play to earn” game video game.
The Take: $625 million worth of crypto currency.
The Vector: The hackers used social engineering and phishing to craft a highly targeted fake job offer email and embedded a malicious program instead a PDF attachment. The Axie Infinity employee believed this was legitimate and opened the PDF attachment, and during the fake recruiting process, also gave away critical personal information which was then used to gain access to the firm’s systems to steal the funds.
This breach highlights the ongoing and ever-present need for employee training to protect a firm against social engineering attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee and pivot into other systems. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
168 Hobsons Lake Drive Suite 301
Beechville, NS
Canada, B3S 0G4
Tel: +1 902 429 8880
Manila
10th Floor, Two Ecom Center
Mall of Asia Complex
Harbor Dr, Pasay, 1300 Metro Manila
Philippines
Sydney
Level 15 Grosvenor Place
225 George Street, Sydney NSW 2000
Australia
Tel: +61 (2) 8823 3370
Abu Dhabi
Floor No. 15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Prague
2nd Floor, The Park
V Parku 8
Chodov, Praha, 148 00
Czech Republic
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy