Industry News: ESG5

The Target: Verizon, a U.S multinational telecommunications company.

 The Take: Exposure of an employee database containing Personally Identifiable Information including: full names, email addresses, and phone numbers. 

The Vector: The attacker posed as an internal support agent and tricked an employee into allowing them to remotely access their corporate computer. From there, the threat actor gained access to a Verizon internal tool that displayed employee information, from there they wrote a script to scrape and export the data. 

This breach highlights the ongoing and ever-present need for employee training to protect a firm against social engineering attacks. While Verizon’s systems were not penetrated or affected in any way, the attacker was still able to exploit an employee’s ignorance to exfiltrate sensitive company data. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.

Read more...

The Target: General Motors, a U.S based automobile company.

The Take: Exposure of Personally Identifiable Information including: first and last names, email address, physical address, username, phone numbers, profile picture, and usable reward point balance. 

The Vector: Through a credential stuffing attack, the threat actors leveraged customer’s unsecure passwords already exposed through other means and were able to access user’s GM customer accounts. While banking information was not exposed, customer reward-card balances were freely able to be accessed and were used by the attackers to fraudulently redeem rewards. 

This breach is a stark reminder that credential hygiene is an important piece in an overall robust cybersecurity posture. Enforcing multi-factor authentication, reasonably regular forced password resets, and password length and complexity rules are all effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.

Read more...

The Target: Texas Department of Insurance. 

The Take: 2 million records of Personally Identifiable Information affecting 1.8 million individuals were exposed, including: social security numbers, addresses, dates of birth, phone numbers, and worker injury information. 

The Vector: A configuration error with an online web portal which manages worker’s compensation information was not properly secured, allowing members of the public to freely access pages of the site containing sensitive information.

This breach is a stark reminder of the importance of access control around public-facing web applications and the configuration of settings that control them. Sensitive information must be protected and ensuring proper authentication and credential management is being used is a key core of maintaining a robust cybersecurity posture.

Read more...

The Target: MM.Finance, the largest decentralized finance platform on the Cronos blockchain.

The Take: $2 Million

The Vector: A DNS (domain name service, a server that directs users to the appropriate website upon entering the name of a site) vulnerability allowed attackers to inject a malicious website address into the code on the front-facing website as a redirected destination. When users visited the site to make transactions, they were instead sent to a bad website address where the threat actor was able to steal the funds being transacted.

This breach is an important reminder of the critical nature of user-facing website security. Any method which allows public access must be secured to the highest standard and regularly audited for potential breaches. Furthermore, monitoring and updating, if necessary, configurations of key infrastructure like DNS servers is part of maintaining a robust cybersecurity posture.

Read more...

The Target: Heroku, a cloud platform as a service with support for several programming languages.

The Take: Exposure of customer passwords, file storage, and internal source code.

The Vector: The threat actor used previously exposed GitHub authorization tokens, general use tokens issued to third-party integration software firms by GitHub to allow them to integrate with their platform, and exploited these to connect to Heroku’s internal systems, allowing the attackers to exfiltrate and download the data from their database of customer accounts. 

This breach is an important reminder of the danger of pivot attacks. While initially the authorization tokens which were stolen provided access only to customer accounts of Heroku who made use of the tokens, the attackers were able to pivot through these exposed accounts and access Heroku’s internal systems. No matter which level the breach takes place, it’s critical to evaluate all possible avenues of attack and take appropriate precautions.

Read more...

The Target: Newman Regional Health, a U.S based Kansas hospital

The Take: Exposure of Personally Identifiable Information of 52,000 individuals including: names, medical record numbers, employee information, dates of birth, email addresses, phone numbers, and physical addresses. 

The Vector: A threat actor gained access to compromised employee email accounts, and acting with all the same permissions as the breached credentials, exfiltrated the above data. 

This breach is a stark reminder of the importance of not only robust employee credential authentication and password hygiene, but also regular internal system scanning. The threat actor had access to the compromised system for nearly a year. Performing regular monitoring on account behaviour is critical to ensure access is kept within the firm. Additionally, locking down appropriate permissions, admin access, and ensuring users only need the tools they need to do their jobs, and no more, will reduce the risk of these attacks.

Read more...

The Target: Army Futures Command, a division of the United States’ Depart of Defense.

The Take: Exposure of Personally Identifiable Information of an unknown amount.  

The Vector: Settings controlling access to Shared files on Microsoft Teams were accidentally set to “public” instead of private, resulting in any shared files being exposed to all users across the firm. The default settings were set to public, and the company did not investigate these settings prior using the messaging platform.

This breach is a stark reminder of the importance of access control around shared files and the configuration of settings that control them. Sensitive information must be protected and trusting in default settings to be sufficient is not part of maintaining a robust cybersecurity posture. Investigating any avenue through which information is shared, even inside the firm, is critical to get a full and clear picture of how information is handled.  

Read more...

The Target: Christie Business Holdings Company, a major medical firm based out of Illinois in the United States. 

The Take: Personally Identifiable Data belonging to 500,000 individuals. The data accesses contained: names, addresses, medical and insurance information, and Social Security Numbers.

The Vector: The threat actors gained access through BEC attack (Business Email Compromise) on an employee’s email account, therefore able to act with all the permissions of said employee, and attempted to intercept business transactions as well as view the exposed personal data. 

This breach is a stark reminder of the important not only robust employee credential authentication and password hygiene, but also the principle of least privilege. When a firm’s employee account is breached, it’s critical to note the attackers can access and perform all the same actions as the employee. Locking down appropriate permissions, admin access, and ensuring users only need the tools they need to do their jobs, and no more, will reduce the risk of these attacks.

Read more...

The Target: Fox News, a U.S based news organization.

The Take: Exposure of Personally Identifiable Information including: internal employee emails, usernames, employee ID numbers, affiliate information, event logging, host names, IP address, and device data.

The Vector: A misconfiguration of a storage server left the data exposed online, meaning anyone with an internet connection could have accessed and downloaded the information. 

This breach highlights the critical importance of employing robust practices of credential management, user authentication and validation. An unprotected point of entry on a key piece of equipment like a storage server can lead to a breach with a cascading effect on data security. The detailed personal information, along with the event logs and sensitive company information, can lead to highly effective phishing attacks.

Read more...

The Target: Palo Alto Networks, a U.S based cybersecurity company. 

The Take: Exposure of Personally Identifiable Information including: names, business contact information, conversation records, conversation records, email addresses, and support tickets with attachments such as firewall logs, configurations, and other debugging assets.

The Vector: A misconfiguration of Palo Alto’s support ticketing system allowed anyone with an internet connection to login and view support tickets, gaining access to personal and client company information.

The breach is critical reminder of the importance of credential management and authentication around points of access which expose customer data. The information gathered in support scenarios is especially sensitive as the exposed details can greatly aid malicious actors in crafting highly targeted and effective spear-phishing campaigns. All points of access should be appropriately locked down and employing another layer of security like Two-Facto Authentication is highly recommended.

Read more...