Industry News: ESG5

The target: GrowDiaries, an online community for marijuana growers.

The take: 2 million user records including: usernames, email address, IP addresses, user posted articles, and user account passwords. 

The attack vector: The breach occurred because of a credential management and best practice failure . The site failed to secure its database management application, Kibana, which was left exposed online with no password protection, allowing anyone with an internet connection to access the site. Furthermore, passwords stored in one of the databased were encrypted with weak format known as MD5, which is insecure and can be easily cracked.

Management applications which grant access to user data should always be secured with commensurate levels of security protection. In addition to securing all access points, protection of data ‘at rest’ should include rigorous controls around password tables including hashing, salting, and strong encryption to ensure that if a breach does occur, the damage to clients is mitigated as much as possible.

Read more...

The target: Gunnebo, a Swedish-based security firm.

The take: 38,000 sensitive company documents including: schematics of client bank vaults and surveillance systems, blueprints for monitoring and alarm equipment, and security function of Automatic Teller machines.

The attack vector: Compromised credentials to an employee’s Remote Desktop Protocol account which had a password of ‘password01’. While the confirmation of this particular RDP account’s role in the attack is unverified, security researchers highlight the extremely poor password hygiene here and infer this practice is likely widespread within the firm.

The breach highlights the critical important of robust password polices. Length, complexity, and aging standards for every company account are invaluable to preventing credential compromise.

Read more...

The target: MAXEX, an Atlanta-based residential mortgage trading company.

The take: 9GB of internal company and client data including: confidential banking information, login credentials, emails, penetration test reports, and full mortgage documentation for 23 individuals.

The attack vector: The breach took place due to an unsecured, publicly exposed Jenkins server. A server of this type is used in a variety of highly sensitive activities in the operation and development of software applications. Notably in this breach, MAXEX had stored login credentials in plain text with enough permissions to compromise many of its other systems.

This breach highlights the importance of properly securing data. Furthermore, it underscores the critical importance of credential management as a compromise in one system can easily lead to a pivot to other systems, which can have a cascading negative impact upon company and client data.

Read more...

The target: Broadvoice, a Voice-over-IP service provider.

The take: 350 million total customer records of personally identifiable information including: full names, date of birth, phone number, and voice-mail transcripts with highly sensitive details such as medical records, loan applications, and mortgage information.

The attack vector: A misconfigured Elasticsearch database housing 10 separate clusters of data. There was no authentication or security in place meaning anyone with an internet connection could have full access to the data. These storage servers are easily discoverable with scanning tools available to administrators and malicious attackers alike.

The type of data exposed in this breach poses enormous risk for Broadvoice’s customers as the intricate details leaked, in voice calls and prescription records for example, would give phishing and fraud attacks a high chance of success. This breach demonstrates the extreme importance of securing access to a firm’s data. Proper authentication, monitoring, and credential management are some of the critical tools which can be implemented to prevent these occurrences.

Read more...

The target: Snewpit, an Australian-based news sharing platform. 

The take: 80,000 user records of personally identifiable information including: usernames, full names, email addresses, profile pictures, and log data detailing the amount time users spent on the app and other behaviour metrics.

The attack vector: The information was exposed on an improperly secured, and publicly accessible, Amazon Web Services server. Bad actors can locate these unsecured storage buckets very easily and the complete lack of security on the database means the records were open to anyone with an internet connection.

The combination of data exposed in this incident could lead to very targeted and successful scams by fraudsters. Personally Identifiable information helps these attackers build a complete profile of their victims, and in this case, the log data which outlined the actions taken by users on Snewpit’s app greatly increases the credibility of their scams, vastly increasing the chance they are successful. Data and credential management are critical for ensuring sensitive information is stored safely and securely.

Read more...

The target: BrandBQ, a European fashion retailer. 

The take: 7 million customer records of personally identifiable information including: full names, email addresses, home addresses, date of birth, phone number, and payment records.

The attack vector: The data was exposed on an unencrypted and unsecured Elasticsearch server meaning anyone with an internet connection could have found the information and downloaded a copy. Along with customer information, an additional 50,000 records of relating to contractors who worked with BrandBQ were also stored on the server, exposing their purchase information and correspondence. Further mixed in were API logs relating to their mobile app, greatly increasing the range of possible exposure to over 500,000 affected users. 

Credential management and proper security around storage of data is critical for every business. In this case, the mixing of data all kept in one place compounded the severity of the breach as not only were BrandBQ’s customers made into vulnerable phishing targets, but their contractors are now also extremely susceptible to Business Email Compromise scams.

Read more...

The target: Düsseldorf University Hospital, a German teaching hospital

The take: A critically ill patient died as a result of the cyberattack on the hospital’s systems

The attack vector: A ransomware attack was carried out on the hospital’s systems, exploiting a vulnerability in their VPN. However – as the encryption attack caused the hospital’s computer system to become disconnected from the ambulance network, a critically ill patient had to be redirected to a remote hospital, and died after her admission to hospital was delayed by over an hour.

While hospitals are regular targets of ransomware attacks, this is the first known case where such an attack has cost a patient’s life, and is a stark reminder of the potential stakes. This attack was made possible by a security vulnerability in an off-the-shelf software product, which, for IT professionals, again, underlines the critical importance of maintaining patching procedures and ensuring that applications and appliances are maintained.

Read more...

The target: Razer, an American-based maker of computer accessories and peripherals.

The take: 100,000 records of Personally Identifiable Information including: full name, email, phone number, internal customer ID, order number, billing and shipping address

The attack vector: The data was left unsecured due to a misconfiguration on an Elasticsearch server without any protection or credential management, leaving the information open to be downloaded by anyone with an internet connection. 

The information exposed poses great risk for Razer’s customers as social engineering attacks, such as fraud and phishing, could easily be crafted with precision by bad actors because of the leaked personally identifiable data. This breach highlights the critical importance of not only proper and secure configurations of storage where sensitive information is held, but also strict and robust policy around access and security.

Read more...

The target: Service New South Wales, an Australian government agency.

The take: 3.8 million combined records from a total of 186,000 customers. Data stolen included: names, home addresses, scans of handwritten notes, applications forms, and records of transactions.

The attack vector: Attackers gained access to NSW’s systems through a targeted phishing attack against an employee. These credentials were compromised when the employee clicked on a suspicious link, leading to unauthorized access of 47 Service NSW staff member’s email accounts.

The highly sensitive information stolen presents a clear risk of identity theft and further scams against the affected customers. Training and teaching around phishing attacks are of critical importance for every firm. Knowing how to recognize an attack and what to do are key takeaways from this incident.

Read more...

The target: View Media, an online marketing and research company.

The take: 39 million user records containing sensitive Personally Identifiable Information such as: first and last names, zip codes, emails, and phone numbers.

The attack vector: View Media failed to secure an Amazon S3 storage bucket with any kind of credential management or authorization. The database housing this information was publicly accessible by anyone with an internet connection.

The personal information stored here is a perfect platform for scammers to launch a wide variety of phishing attacks from multiple angles including: email attacks, SMS text attacks (also known as smishing), and robo-call attacks via a phone number. The data found here can be used by hackers to build a robust target profile for their scamming campaigns, further highlighting the critical need for rigorous data storage practices and credential implementation.

Read more...