The target: Service New South Wales, an Australian government agency.
The take: 3.8 million records belonging to 186,000 customers. Data stolen included names, home addresses, scans of handwritten notes, application forms and records of transactions.
The attack vector: Attackers gained access to Service NSW’s systems through a targeted phishing campaign against its employees. Staff credentials were compromised when employees clicked on a malicious link, and the attackers used those credentials to gain unauthorized access to 47 Service NSW staff members’ email accounts.
The highly sensitive information stolen presents a clear risk of identity theft and further scams against the affected customers. Phishing awareness training is of critical importance for every firm: knowing how to recognize an attack, and what to do when one is suspected, are the key takeaways from this incident.
The target: View Media, an online marketing and research company.
The take: 39 million user records containing sensitive Personally Identifiable Information such as: first and last names, zip codes, emails, and phone numbers.
The attack vector: View Media failed to secure an Amazon S3 storage bucket with any form of authentication or authorization. The data housed in the bucket was publicly accessible to anyone with an internet connection.
The personal information stored here is a perfect platform for scammers to launch phishing attacks from multiple angles: email, SMS text messages (also known as smishing) and robo-calls to the leaked phone numbers. Data like this lets attackers build a detailed target profile for their campaigns, which underlines the critical need for rigorous data storage practices and properly configured access controls on cloud storage.
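As an added example (illustrative code, not View Media’s or AWS’s), the following Python checks the three places an S3 bucket becomes public, its bucket policy, its ACL and the Public Access Block settings, and reports any anonymous access. The policy documents and ACLs are constructed for the demonstration; in a real audit they would come from aws s3api get-bucket-policy, get-bucket-acl and get-public-access-block. Statements that carry a Condition are deliberately skipped rather than judged, since a condition such as aws:SourceVpce can make an otherwise wildcard statement private.

```python
"""Flag S3 bucket configurations that grant anonymous access (added example)."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """Policy JSON allows a bare string wherever a list is permitted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """(actions, resources) for each unconditional Allow open to any principal.
    Statements with a Condition are skipped: aws:SourceVpce and friends can
    make a wildcard statement private, so those need a human look."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _is_wildcard_principal(stmt.get("Principal")):
            hits.append((_as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))))
    return hits


def public_acl_grants(acl):
    """ACL grants to AllUsers (anonymous) or AuthenticatedUsers (any AWS account)."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def assess_bucket(policy, acl, public_access_block):
    """Return (is_public, findings). public_access_block carries the four
    booleans of the S3 PublicAccessBlock configuration (empty = none set)."""
    pab = public_access_block or {}
    findings, is_public = [], False

    for actions, resources in public_policy_statements(policy):
        msg = f"policy allows {actions} on {resources} to any principal"
        if pab.get("RestrictPublicBuckets"):
            findings.append(msg + " (neutralized by RestrictPublicBuckets)")
        else:
            findings.append(msg)
            is_public = True

    for grant in public_acl_grants(acl):
        who = grant["Grantee"]["URI"].rsplit("/", 1)[-1]
        msg = f"ACL grants {grant.get('Permission')} to {who}"
        if pab.get("IgnorePublicAcls"):
            findings.append(msg + " (neutralized by IgnorePublicAcls)")
        else:
            findings.append(msg)
            is_public = True

    return is_public, findings


# Constructed sample: a bucket exposed the way the incident describes.
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-marketing-leads/*"}]}
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
NO_PAB = {}

# Constructed sample: the same bucket hardened (one named role only, and all
# four Public Access Block flags switched on).
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-marketing-leads/*"}]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"}]}
FULL_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, cfg in (("exposed", (EXPOSED_POLICY, EXPOSED_ACL, NO_PAB)),
                       ("hardened", (HARDENED_POLICY, PRIVATE_ACL, FULL_PAB))):
        public, findings = assess_bucket(*cfg)
        print(f"{label}: public={public}")
        for finding in findings:
            print("   -", finding)
```

Running the block prints two findings for the exposed configuration and none for the hardened one. Note that the same public policy under a full Public Access Block is reported but not counted as public, which is exactly why enabling those four flags at the account level is the cheapest fix for this class of incident.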
The target: Freepik, a website providing high quality free photos and graphic design.
The take: 8.3 million records of personally identifiable information including: emails, usernames, and passwords.
The attack vector: An SQL injection was used to breach Freepik’s systems and allowed the attackers to dump its user database. Attacks of this kind exploit application code that builds database queries by concatenating user-supplied text into the SQL string, so that specially crafted input is interpreted by the database as commands rather than as data.
The reliable defense is to never build queries from user input: use parameterized queries (prepared statements) or a query builder that binds values separately from the SQL text, so that input cannot change the meaning of the statement. Input validation and sanitization are useful as defense in depth but are not sufficient on their own, and the database account used by the application should have only the privileges it needs, so that a successful injection cannot read or alter tables it has no reason to touch.
The target: SANS Institute, a cybersecurity training firm.
The take: 28,000 records of Personally Identifiable Information including: names, job title, industry, home address and country of residence.
The attack vector: The attack occurred through a “consent phishing” scam, in which the attacker tricks an employee into granting a malicious application permissions to read the user’s data or act on their behalf. No password is stolen; the user approves the application’s OAuth permission request directly, so the attacker’s access survives a password reset until the grant is revoked. The phish in this case was designed to look like a SharePoint link sent via O365. After the employee clicked the link and approved the application’s permissions, a forwarding rule was created on the mailbox that sent 513 emails to the attacker.
This breach demonstrates that critical thinking and scrutiny are essential when dealing with email. Performing the ‘hover test’ (checking where a link actually points before clicking it), validating the message sender, and treating any request to grant an application permissions with suspicion are critical for avoiding these phishing attacks.
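The hover test can also be automated over an HTML email body. As an added example (not SANS’s code), the Python below compares the host that each link’s visible text implies with the host its href actually targets, and also flags bare-IP links and lookalike hosts that embed a trusted domain name under a different registered domain. The email body and the trusted-domain list are constructed for the demonstration, and registrable domains are approximated by the last two labels of the hostname, which is adequate here but not a substitute for a public suffix list in production.

```python
"""Automated 'hover test' for links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


# A domain name appearing in the visible anchor text (optionally with scheme).
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _host(url):
    """Hostname of a URL; scheme-less strings are treated as http URLs."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Approximate eTLD+1 as the last two labels (assumption: fine for the
    demo, but production code should use a public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def hover_test(html, trusted_domains):
    """Return [(href, reason)] for links a careful reader would refuse to click."""
    findings = []
    for href, text in extract_links(html):
        host = _host(href)
        if not host:
            continue
        if _IPV4.fullmatch(host):
            findings.append((href, "link targets a bare IP address"))
            continue
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and _registrable(shown.group(1).lower()) != _registrable(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
            continue
        # Lookalike: a trusted name embedded in a host under a different domain,
        # e.g. sharepoint.com.secure-docs-login.net
        for trusted in trusted_domains:
            if trusted in host and _registrable(host) != trusted:
                findings.append((href, f"lookalike of {trusted}: {host}"))
                break
    return findings


# Constructed sample message for the demonstration.
SAMPLE_EMAIL = """
<p>A document has been shared with you.</p>
<a href="https://sharepoint.com.secure-docs-login.net/view">https://contoso.sharepoint.com/sites/finance/Q3.xlsx</a><br>
<a href="https://contoso.sharepoint.com/sites/finance">Open in SharePoint</a><br>
<a href="http://203.0.113.5/verify">Verify your account</a>
"""

if __name__ == "__main__":
    for href, reason in hover_test(SAMPLE_EMAIL, ["sharepoint.com"]):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first link is the one a human hover test catches: the text shows a contoso.sharepoint.com path while the href lands on secure-docs-login.net. The genuine SharePoint link passes, and the bare-IP link is flagged regardless of its text.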
The target: Virtu Financial, a high-speed trading firm.
The take: 6.9 million USD
The attack vector: Virtu fell victim to a Business Email Compromise (BEC) scam. The attack began when an executive’s email account was compromised and used to send fraudulent requests to the company’s accounting department, leading to two outgoing wire transfers. The threat actors concealed their activity by creating inbox rules that hid the fraudulent messages and any replies from the legitimate account owner. Because the requests came from the executive’s genuine account, the accounting department believed them and made the transfers. The fraud was discovered two days later by an internal auditing process.
Securing high-profile accounts is paramount, and this attack shows why senior employees are so often the primary focus of outside threats. Beyond protecting employees with this level of access (strong multi-factor authentication and alerting on new inbox rules and unfamiliar sign-ins), every request to move funds should be verified out of band, by phone or in person through a channel the requester did not choose, before any transfer is made.
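Both the SANS and the Virtu incidents ended with an attacker-created inbox rule, which is one of the most reliable post-compromise indicators a defender can hunt for. As an added example (not the code of either firm), the Python below scores exported inbox rules for the usual tells: forwarding or redirecting to an external address, deleting or marking as read after forwarding, moving mail into folders a user never opens, keying on finance terms, and one-character rule names. The rule records are constructed to mirror fields returned by Exchange Online’s Get-InboxRule cmdlet; the internal domain list, folder names and keyword list are assumptions to be tuned per organization.

```python
"""Triage exported mailbox inbox rules for attacker-created rules (added example)."""

INTERNAL_DOMAINS = {"example.com"}          # assumption: the organization's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "transfer", "remittance"}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _external(addresses):
    return [a for a in addresses if _domain(a) and _domain(a) not in INTERNAL_DOMAINS]


def score_rule(rule):
    """Return (score, reasons) for one rule; each matched indicator adds one."""
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    external = _external(targets)
    if external:
        reasons.append(f"forwards or redirects to external address(es) {external}")
    if targets and rule.get("DeleteMessage"):
        reasons.append("deletes the message after forwarding, hiding it from the owner")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail into '{rule['MoveToFolder']}'")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    finance = sorted(words & FINANCE_WORDS)
    if finance:
        reasons.append(f"keys on finance terms {finance}")
    if len(rule.get("Name", "")) <= 2:
        reasons.append("one- or two-character rule name")
    if rule.get("MarkAsRead") and reasons:
        reasons.append("marks matching mail as read")
    return len(reasons), reasons


def triage(rules, threshold=2):
    """Enabled rules scoring at or above threshold, most suspicious first,
    as (score, name, reasons)."""
    flagged = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        score, reasons = score_rule(rule)
        if score >= threshold:
            flagged.append((score, rule.get("Name", ""), reasons))
    return sorted(flagged, key=lambda item: -item[0])


# Constructed sample resembling Get-InboxRule output for one mailbox.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "wire transfer"],
     "ForwardTo": ["archive.mail@outlook-mailbox.net"], "DeleteMessage": True,
     "MarkAsRead": True},
    {"Name": "Newsletters", "Enabled": True, "FromAddressContainsWords": ["noreply"],
     "MoveToFolder": "Newsletters"},
    {"Name": "Hide replies", "Enabled": True, "SubjectContainsWords": ["payment"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Old rule", "Enabled": False, "ForwardTo": ["x@attacker.invalid"],
     "DeleteMessage": True},
]

if __name__ == "__main__":
    for score, name, reasons in triage(SAMPLE_RULES):
        print(f"[{score}] {name!r}")
        for reason in reasons:
            print("     -", reason)
```

The first sample rule is the SANS pattern (forward everything of interest to an outside mailbox and delete the local copy); the third is the Virtu pattern (no forwarding at all, just hiding the replies the attacker does not want the owner to see). Scoring the indicators independently keeps both visible; a detector that only looks for external forwarding misses the second one entirely.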
The target: Avon, a London-based cosmetics firm
The take: 19 million records of Personally Identifiable Information, including full names, phone numbers, dates of birth, email and home addresses. In addition, 40,000 security tokens, internal logs, account settings and technical server information were also exposed.
The attack vector: The information was accessed from a misconfigured cloud server that had no password protection or encryption. The server, publicly accessible to anyone on the internet who reached its IP address, was exposed for 9 days before being taken down.
Phishing attacks built on the personal information leaked here would be highly effective, but the exposure of the technical details is potentially more damaging. Security tokens, internal logs and server configuration describe how a firm’s systems fit together and how to authenticate to them, and possessing them could let threat actors move from the exposed server to full control of Avon’s infrastructure and the data and operations behind it.
The target: Dave.com, a digital banking app
The take: 7.5 million records of customer information including real names, phone numbers, dates of birth and home addresses.
The attack vector: The breach at Dave.com stemmed from a breach at one of its third-party service providers, Waydev (an analytics platform used by engineering teams), which in turn exposed Dave.com’s user data. The attackers used a blind SQL injection, a variant in which the application never displays query results and the attacker instead infers data piece by piece from differences in the application’s responses, to gain access to Waydev’s database. From there they stole authorization tokens that let them reach further into Waydev’s systems and pivot to the data of other firms that used the service, such as Dave.com.
This highlights the cascading effects cybersecurity incidents can have on companies which rely on third-party vendors. Holding third-party vendors to an organization’s own security requirements is a very challenging prospect. Limiting the access granted to vendors to what they actually need, monitoring how the tokens and credentials issued to them are used, and alerting on unusual activity are proactive measures that can surface suspicious activity before it turns into a breach.
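The Freepik and Waydev entries describe two faces of the same flaw, so one added example serves both (illustrative code, not either company’s). It builds a user lookup by string concatenation against an in-memory SQLite table constructed for the demonstration, dumps every row with the classic always-true payload, then extracts a secret token character by character using boolean-based blind injection, where the attacker sees nothing but whether the query returned a row, and finally shows the parameterized query that defeats both.

```python
"""SQL injection: concatenation vs. parameters, and blind extraction (added example)."""
import sqlite3
import string


def make_db():
    """In-memory table constructed for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            email TEXT, api_token TEXT);
        INSERT INTO users (username, email, api_token) VALUES
            ('alice', 'alice@example.com', 'tok_7f3a'),
            ('bob',   'bob@example.com',   'tok_c91e');
    """)
    return db


def find_user_vulnerable(db, username):
    """The injectable pattern: user input pasted into the SQL text."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def find_user_safe(db, username):
    """The fix: a placeholder with the value bound separately, so the input is
    always data and can never change the statement's structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def dump_all_users(find):
    """Classic payload: close the quote, add an always-true condition."""
    return find("' OR '1'='1")


def blind_extract_token(find, username, max_len=16):
    """Boolean-based blind injection. The attacker never sees api_token; the
    only signal is whether the lookup returned a row, and each guessed
    character either keeps the row (correct) or suppresses it (wrong)."""
    alphabet = string.ascii_lowercase + string.digits + "_"
    token = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"{username}' AND substr(api_token, {pos}, 1) = '{ch}"
            if find(probe):
                token += ch
                break
        else:
            break  # no character matched at this position: end of token
    return token


if __name__ == "__main__":
    db = make_db()
    vuln = lambda u: find_user_vulnerable(db, u)
    safe = lambda u: find_user_safe(db, u)
    print("dump (vulnerable):", dump_all_users(vuln))
    print("dump (safe):      ", dump_all_users(safe))
    print("blind token (vulnerable):", blind_extract_token(vuln, "alice"))
    print("blind token (safe):      ", repr(blind_extract_token(safe, "alice")))
```

Against the vulnerable lookup the blind routine recovers alice’s token without the query ever returning the api_token column, which is why “the page does not display the data” is no protection. Against the parameterized lookup every probe is treated as a literal username, no row ever comes back, and the routine returns an empty string.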
The target: Benefit Recovery Specialists Inc, a Houston-based billing and debt collection vendor.
The take: 275,000 records of Personally Identifiable Information such as: name, date of birth, date of service, provider name, policy identification number, procedure code, and/or diagnosis code. For a small number of the records, Social Security numbers were also leaked.
The attack vector: The attackers accessed BRSI’s systems with stolen employee credentials and used that access to deploy malware internally. While not confirmed by BRSI, experts believe the description of the attack matches that of a successful phishing campaign. The malware ran on BRSI’s IT systems for 10 days before the malicious activity was discovered.
This breach highlights the importance of regular employee training and education around common social engineering attacks. The records exposed in this incident, and similar data held by other medical vendors, underscore the severity of this type of exposure, since medical and billing records enable sophisticated identity theft. It is also a critical reminder for companies using third-party vendors that their overall security posture depends on the robustness of every firm that holds their data.
The target: Cashaa, a British-based cryptocurrency exchange.
The take: $3 million USD in Bitcoin
The attack vector: The attackers compromised Cashaa by installing malware on a company computer used to make its transactions. Once active, the malware notified the attackers whenever a Cashaa employee logged into the computer to make transfers from a wallet held at another crypto exchange. The attackers then used their backdoor to access that wallet and drain it, sending all 336 Bitcoin to themselves instead of the intended recipient.
The point of entry for an attack can have cascading consequences, and this incident shows why endpoint protection on company computers, especially those used to sign or send transactions, is absolutely critical. Two failures made the theft possible: the compromise that got the malware onto the machine, and the lack of monitoring that let the malware beacon to the attackers without being noticed.
The target: Clubillion, an online gambling and casino app.
The take: Over 200 million user records containing the following personally identifiable information: email addresses, private messages, winnings, IP addresses and in-app activity.
The attack vector: An Elasticsearch database hosted on Amazon Web Services was left without authentication and publicly accessible. Unlike other recent cases, this was not a single static backup or archive, but a live production database, constantly updated with up to 200 million new records per day.
In addition to the usual phishing attacks that access to personal information enables, the inclusion of in-app activity and the fact that the exposed data was continuously updated make highly targeted spear-phishing campaigns very likely to succeed. Lapses in security around database backups are always disappointing; a production system housing sensitive data left reachable from the internet with no authentication is worse, and protecting such systems (binding them to private networks, requiring authentication and encrypting traffic) is absolutely crucial.
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.