
Industry News: ESG5

    Know Your Breach: Codecov

    The target: Codecov, a software company which provides code testing and code statistics.

    The take: Security tokens and keys for 29,000 customers and employees, admin credentials, and application source code.

    The attack vector: Attackers gained access to Codecov’s ‘Bash Uploader’ script, the method clients and employees use to upload unencrypted data to Codecov’s servers, through a previously unknown vulnerability that let them extract credentials with authority to modify the script. They then used those credentials to alter the script so that all data sent to Codecov was also sent to a third-party server under their control.

    This breach highlights the importance of securing and testing applications and processes which interact with a firm’s data storage. Wherever information is uploaded, either by clients or employees, the method used should be highly scrutinized to ensure its security is in line with industry best practice and standards.


    Know Your Breach: Kentucky Career Centre

    The target: The Kentucky Office of Unemployment Insurance.

    The take: Unauthorized access to claimant accounts, which allowed the attackers to alter the destination bank accounts for benefit payments and forward the funds to fraudsters.

    The attack vector: Attackers leveraged the lack of robust password hygiene and modern credential management in the Unemployment Office’s IT systems. It was reported that some 4000 users had created passwords such as “1-2-3-4” and 1500 used the phrase “2020”, both easily exploited with moderate computing power and password cracking applications.

    Enforcing strong password management across all platforms is critical to protecting customer data. Industry standard practices of password length, complexity, two-factor authentication, and email verification will only be effective if these methods are enforced. Doing so will ensure users, and their data, are protected as much as possible.


    Know Your Breach: Office Depot

    The target: Office Depot, a European online seller of office equipment.

    The take: 974,050 wide-ranging records of sensitive information, including monitoring logs, server IP addresses, secure remote login credentials, and customers’ personally identifiable information such as names, physical addresses, and order history.

    The attack vector: A non-password-protected, unencrypted Elasticsearch database was left online, allowing anyone to access the information simply by entering the URL.

    Leaving databases exposed to the internet without any credential management undermines their confidentiality, integrity, and availability. Furthermore, collecting and storing sensitive data in plain text without encryption increases the risk to clients. In some cases, the database credentials needed to access the encrypted data are stored on the same server, rendering the encryption ineffective. Proper access control, along with encryption best practices, is essential to keeping data secure.


    Know Your Breach: Ubiquiti

    The target: Ubiquiti, a major vendor of cloud-enabled networking devices.

    The take: Source code, customer data, and cryptographic secrets which would enable remote access to both professional and consumer-grade customer devices.

    The attack vector: The attackers gained control of administrative credentials stored in an IT employee’s LastPass account. With these in hand, the threat actors gained high-level access to Ubiquiti’s Amazon Web Services accounts, including database storage servers, application logs, and user credentials. Multiple backdoor accounts were reportedly created. A whistleblower alleged that, due to an absence of database access logging, Ubiquiti was unable to confirm which records had been accessed, by whom, and when.

    While the use of password vaults and privileged account management tools is absolutely a best practice, these tools can only be as secure as the authentication measures enforced upon them. Complex, unique passwords in addition to two-factor authentication should be in place wherever possible to protect privileged credentials and management consoles.

    Additionally, comprehensive logging practices are critical to the reconstruction of events when investigating a breach, and the absence thereof can severely limit a firm’s ability to determine the full scope of the attack.


    Know Your Breach: SCO

    The target: The California State Controller’s Office (SCO).

    The take: Financial and personally identifiable information and documents, such as Social Insurance Numbers, on several thousand employees.

    The attack vector: An employee, the target of a spear phishing attack, clicked on a suspicious link and entered their account ID/email address and password. This gave the attacker full access to SCO’s systems at the same level of access the employee had, including any files shared with the affected account. From there, the attacker launched further phishing attempts against over 9000 employees, using the hacked account to increase the believability of the scam.

    Phishing attacks against individual employees remain one of the greatest security threats to the entire organization. Regular social engineering testing and awareness training, along with tone-from-the-top messaging that emphasizes the importance of critical thinking and caution, are crucial to protecting sensitive information assets.


    Know Your Breach: SendGrid

    The target: SendGrid, a Colorado-based email marketing company.

    The take: 400,000 unique sets of login credentials, comprising email address, password, IP address, and physical location.

    The attack vector: The attacker used a combination of previously hacked accounts on the SendGrid platform to send fake Zoom invites. Because SendGrid was known as a trusted SMTP provider, the fake messages had a much higher chance of reaching their targets, passing through some email protections.

    This incident highlights the importance of critical thinking as a component of social awareness training for staff. In the event that a trusted account is compromised, analysis of the context of these requests becomes critical – is a meeting invite expected, and do the timeline and subject matter line up with expectations? While messages originating from fraudulent e-mail addresses are easier to spot, they are not the only vector for phishing attacks – each item in the inbox must be approached with the same level of caution.


    Know Your Breach: Microsoft Exchange

    The target: Microsoft’s email server software, Microsoft Exchange.

    The take: The networks of over 30,000 organizations, consisting of hundreds of thousands of on-premises servers. Threat actors have moved aggressively to exfiltrate personally identifiable information, highly sensitive company and client data, banking details, financial data, and more.

    The attack vector: Four security holes in Exchange Server versions 2013 to 2019 were exploited in tandem to grant attackers full access to an array of email servers. More critically, in every instance where the breach was discovered, the intruders had installed a backdoor, which continues to allow remote access to affected servers even after the set of four vulnerabilities has been patched.

    While zero-day exploits will unavoidably cause challenges for vendors and their clients, we underscore the critical nature of threat monitoring, timely patching, and defense-in-depth measures that mitigate the failure of any single layer of security controls. Approaching security incidents and overall cybersecurity with a “when, not if” mindset can materially reduce the impact of incidents such as these.


    Know Your Breach: Frequent Flyer Programs

    The target: Star Alliance airlines, Air New Zealand, Malaysia Airlines, Finnair and others.

    The take: Frequent flyer information for at least a million passengers, including name, date of birth, gender, contact information, ID number and frequent flyer status.

    The attack vector: The breach was traced to SITA, an IT service provider that claims to serve 90% of the global aviation industry and acts as the intermediary that stores and shares frequent flyer information between airlines.

    Supply chain attacks continue to pose a material threat, as bad actors identify high-value targets which can enable them to capture information for multiple organizations at once. When entrusting service providers with sensitive information, firms are still ultimately responsible for their data and must ensure that commensurate controls travel with it throughout its lifecycle.


    Know Your Breach: West Bengal Health and Welfare Department

    The target: The Health and Welfare Department of West Bengal, India.

    The take: 8 million COVID-19 test results including personally identifiable information such as name, age, address, and positive or negative test result.

    The attack vector: The breach revolves around the health authority’s reporting system, whereby individuals who had been tested for COVID-19 received an SMS containing a unique URL for accessing their test results on the web. It was discovered that there was no authentication in place on the reporting system, and that by simply incrementing the numeric ID included in the URL, anyone with internet access could retrieve every test result for the state.

    This example serves once again to highlight the huge risks of adopting a ‘security by obscurity’ model. When administering a public-facing portal that provides access to sensitive information, authentication controls are not optional – it is simply inadequate to make all records publicly reachable and trust that the uniqueness of the URL will protect the sensitive data of organizations or individuals.
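    The ‘incrementing the ID’ failure described above, as an added example that is not part of the original article: a constructed in-memory result lookup, first as the breached system behaved (the URL’s sequential ID is the only gate), then with each record bound to an unguessable per-recipient token so a walk over IDs yields only the requester’s own record. All names and data are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class TestResult:
    record_id: int     # sequential ID, as embedded in the SMS link's URL
    patient_id: str
    outcome: str


# Constructed sample data; IDs are sequential like those in the breach.
RESULTS: Dict[int, TestResult] = {
    1001: TestResult(1001, "patient-A", "negative"),
    1002: TestResult(1002, "patient-B", "positive"),
    1003: TestResult(1003, "patient-C", "negative"),
}


def lookup_insecure(record_id: int) -> Optional[TestResult]:
    """As deployed: the ID in the URL is the only 'secret', so any ID resolves."""
    return RESULTS.get(record_id)


# Hardened version (hypothetical design): each recipient's link carries an
# unguessable bearer token, and a record is released only to its owner.
_TOKEN_OWNER: Dict[str, str] = {}


def issue_token(patient_id: str) -> str:
    """Mint the token that would be embedded in that patient's SMS link."""
    token = secrets.token_urlsafe(32)
    _TOKEN_OWNER[token] = patient_id
    return token


def lookup_secure(record_id: int, token: Optional[str]) -> Optional[TestResult]:
    owner = _TOKEN_OWNER.get(token or "")
    if owner is None:
        return None                      # unauthenticated: no record, no hint
    result = RESULTS.get(record_id)
    if result is None or result.patient_id != owner:
        return None                      # 'missing' and 'not yours' look identical
    return result


def walk_ids(lookup: Callable[[int], Optional[TestResult]], start: int, stop: int) -> List[int]:
    """IDs in [start, stop) for which `lookup` releases a record."""
    return [i for i in range(start, stop) if lookup(i) is not None]
```

    Running `walk_ids` over the same ID range against both lookups is the quickest way to show the difference in a review: the unauthenticated one releases every record, the hardened one exactly one.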


    Know Your Breach: St. Louis County School Board

    The target: Independent School District 2142 of St. Louis County Schools.

    The take: W-2 tax forms of 677 district employees, with personally identifiable information including Social Security Number, first and last name, home address, wages, and more.

    The attack vector: A spoofed email requesting the forms came from an attacker pretending to be the district Superintendent. Believing the request to be legitimate, staff sent the forms to the fraudulent email address provided in the request.

    This breach highlights the importance of employee cybersecurity training and a posture of constant vigilance. Scammers rely upon people’s natural inclination to be helpful and prompt, and it’s critical to ensure that employees who handle sensitive information receive tailored training, emphasizing the caution and care they must employ in responding to unusual requests for data.


    About Castle Hall Diligence

    Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios.
