Industry News: ESG5

The target: Accellion, a U.S based cloud service vendor providing secure file transfer applications for enterprise use. 

The take: A variety of datasets including personally identifying information and proprietary data for an estimated 300 clients, including The Australian Securities and Investments Commission, The Reserve Bank of New Zealand, Harvard Business School, Singtel (a Singapore-based telcom conglomerate), and the QIMR Berghofer Medical Research Institute.

The attack vector: Hackers breached the firm’s legacy File Transfer Application software by taking advantage of a zero-day vulnerability in a legacy software product – a point of weakness identified and exploited by a threat actor before the developer was made aware of it and was able to produce a patch.

This supply-chain attack against a platform which was near retirement highlights the danger of relying on end-of-life, legacy software products. Firms should be proactive in moving to current-generation software solutions - Accellion have reportedly “encouraged all FTA customers to migrate to Kiteworks [their current generation offering] for the last three years”.

Read more...

The target: UScelluar, the fourth largest mobile network operator in the United States.

The take: Customer records of personally identifiable information including: names, addresses, account names and PIN codes, telephone numbers, information on their phone service plans, and the ability to alter the phone number on accounts which receive two-factor authentication texts.

The attack vector: The attackers tricked retail employees into downloading malicious software which contained a RAT (remote access tool), allowing the threat actors to access the computer systems remotely. As the employees were already logged into the CRM (customer retail management) software, the hackers were able to move freely within the systems using an employee’s credentials. 

Social engineering is a widely used tactic by attackers to exploit our innate desire to be helpful in a quick manner without thinking through the consequences. The employee’s mistake, innocent or not, of clicking on an unverified link granted the attacker the ability to install a Remote Access Tool and navigate through the company’s systems under legitimate credentials. Continuous employee education around suspicious links, and the social engineering tactics they’re paired with, are critical components of a firm’s robust cybersecurity posture.

Read more...

The target: Bonobos, a men’s clothing store. 

The take: 70GB database containing personally identifiable information such as: 7 million order records, account information of 1.8 million customers with phone numbers, shipping and email addresses, 3.5 million partial credit card records, and hashed passwords.

The attack vector: While Bonobos’ own internal systems show no signs of breach, an externally hosted backup of the database was accessed in a provider’s cloud storage environment.

Security controls must always be commensurate with the sensitivity of data being stored, and must travel with that data, both within internal systems, and when transferring sensitive data to backup media or external vendor or partner’s systems. This attack highlights the importance of auditing and validating security controls at every stage of the data lifecycle.

Read more...

The target: Pixlr, a popular, free online photo editing application.

The take: 1.9 million user records of personally identifiable information including: email addresses, login names, hashed password, and user’s county of origin.

The attack vector: The breach occurred when an AWS storage bucket was left unsecured and online by Pixlr’s parent company, Inmagine. This allowed the attacker to download a copy of the data and then post it on a public hacking forum, vastly increasing the negative area of effect for the compromised users.

This leak shows the negative and cascading effects a breach can have, not only in the personal or financial risk to the user, but in how far the stolen data can be distributed to malicious actors. Robust password controls and user authentication are critical to maintain data integrity and confidentiality. In addition, this breach highlights the importance of protecting against credential stuffing attacks by using strong, unique passwords which are not shared among logins - a security strategy recommended to every firm.

Read more...

The target: United Nations Environmental Programme (UNEP)

The take: 100,000 records containing: employee personally identifiable information, project funding records, employment evaluation records, and most critically 7 sets of administrative credentials to other databases.

The attack vector: The leak originated from an unsecured Git directory and credential files (Git is one of the world’s most popular software version control systems). Within these exposed files were unencrypted, plain text administrative passwords for not only the repository which was accessed, but for other datasets and systems as well.

This breach demonstrates the importance of appropriate credential storage – privileged credentials should never be stored in plaintext scripts or configuration files replicated in git repositories. Data must always be held with security controls commensurate to the sensitivity of that data.

Read more...

The target: Solution for Healthcare. a Vietnamese technology firm which provides software for electronic health records and hospital management.

The take: 12 million records of an estimated 80,000 patients and healthcare staff. The personally identifiable information included: full names, dates of birth, postal codes, email addresses, phone numbers, passport details, credit card numbers, and detailed medical records. 

The attack vector: The data was initially exposed due to an unsecured Elasticsearch server the company maintained which had no monitoring or credential management. The lack of any security measures whatsoever led to the further development wherein the exposed database was attacked by a malicious, automated software script named Meowbot. This led to the deletion of an unspecified amount of information in the server.

Leaving databases exposed to the without any credential management impacts its confidentiality, integrity and availability. Furthermore, when vulnerable data is left wide open, other kinds of attacks which could make its recovery impossible are easily executed. Ensuring data is protected with the appropriate measures is critical for operational success.

Read more...

The target: Marriage Tax Refund, a UK-based tax relief organization.

The take: 100,000 records of personally identifiable information including: full name, gender, home address, partner name and address, and refund amounts.

The attack vector:  The firm had misconfigured its WordPress based Client Management Service, exposing a directory list containing PDF documents to the public. There was no password protection or credential management in place, meaning anyone with an internet connection could have viewed and downloaded the contents of the database.

Compromised management software of client data poses a high risk for a firm. Robust credential control around software which manages personally identifiable information is critical to maintaining a firm’s security and that of their clients. This breach highlights the importance of the management of client systems which contain client data, and how this information is accessed and secured, giving a critical reminder of how closely it needs to be managed.

Read more...

The target: The NHS, the United Kingdom’s national healthcare service provider.

The take: 284 records of personally identifiable information including: names, dates of birth, contact information, and hospital identification numbers.

The attack vector:  The breach was the result of human error and internal process failure when a spreadsheet containing the personal information was accidentally emailed to thirty-one individuals outside the NHS.

This incident could have been avoided with the implementation of data classification controls – appropriate tagging of sensitive materials could have provided an additional stopgap before this document left internal systems. Ultimately, this breach serves as an important reminder that wherever sensitive personal data is in play, vetted processes should be implemented and followed, with regular training and reminders, to ensure its protection. It is an organization’s responsibility to provide the tools and training necessary to maintain safe and consistent approaches to handling data, and to impress upon staff the importance of adherence to procedure.

Read more...

The target: Apodis Pharma, a France based digital supply chain management company.

The take: 1.7 Terabytes of information including: 4,400 records of client, partner, and employee names. 17 million records of confidential sales data, prices, and order quantities between Apodis and their customers.

The attack vector: A publicly accessible Kibana dashboard was left unsecured and accessible to anyone with an internet connection. This Kibana dashboard gave access to the database, exposing all of the contained information inside.

Compromised management software can lead to a waterfall effect of exposures. Robust credential control around software which grants multiple levels of access is extremely critical to maintaining a firm’s security. This breach highlights the importance of the management of employee tools and how they are accessed, used, and secured, offering a stark reminder of how tightly managed access should be.

Read more...

The target: Levitas, an Australian based hedge fund manager.

The take: $8 million

The attack vector: The attack was initiated when one of the founders clicked on a fake Zoom meeting link. This gave the attackers the ability to inject their own malicious software to take control of the high level email account, and with these powerful credentials in hand, the attackers created fake invoices for a bogus company and then sent requests for payments to be made from the firm. Authorizations from the compromised email account were sent shortly after the requests, prompting the transference of funds to the unknown companies. The threat actors then withdrew the cash.

This breach demonstrates the critical nature of verification processes, and the inherent power of high level credentials and their management. There were several flags raised along throughout the scheme and this attack shows just how important it is to review, verify, and certify transactional processes no matter to origin within a firm.

Read more...