Industry News: ESG5

The target: Avon, a London-based cosmetics firm

The take: 19 million records of Personally Identifiable Information included: full names, phone numbers, dates of birth, email and home addresses. In addition, 40,000 security tokens, internal logs, account settings, and technical server information was also stolen.

The attack vector: The information was accessed from a wide open misconfigured cloud server for which there was no password protection or encryption. The server, which was publicly accessible on the internet to anyone with its IP address, was up for 9 days before being taken down.

Phishing attacks made possible through the personal information leaked here would be highly effective, however what’s potentially more damaging are the exposure of the technical details. Possessing this information could lead to attacks establishing full control of Avon’s servers and more. The storage of configurations which outline a firm’s technical operation is highly valuable and its exposure can have severe consequences. When this high level of information is compromised, threat actors could execute actions to take control of nearly every aspect of a company’s data and operations.

Read more...

The target: Dave.com, a digital banking app

The take: 7.5 million records of customer information including: real names, phone numbers, birth days and home addresses.

The attack vector: The breach at Dave.com was due to another breach at one of Dave.com’s third party service providers, Waydev (an analytics platform used by engineers), which in turn exposed Dave.com’s user data. The attackers used a blind SQL injection (an insertion of malicious code) to gain access to Waydev’s database and stole authorization tokens which let them penetrate Waydev’s systems and pivot to steal access to data from other firms, such as Dave.com.

This highlights the cascading negative effects cybersecurity incidents can have on companies which rely on third-party vendors for operation. Holding third-party vendors to an organization’s security requirements is a very challenging prospect. Vigilant monitoring and applying advanced analytics to watch for malicious activities are some of the proactive strategies used to pinpoint suspicious activity before it turns into a breach.

Read more...

The target: Benefit Recovery Specialists Inc, a Houston-based billing and debt collection vendor.

The take: 275,000 records of Personally Identifiable Information such as: name, date of birth, date of service, provider name, policy identification number, procedure code, and/or diagnosis code. For a small number of the records, Social Security numbers were also leaked.

The attack vector: The attackers accessed BRSI’s systems with stolen employee credentials, and used their access to deploy malware internally. While not confirmed by BRSI, experts believe the description of the attack match those of a successful phishing campaign. BRSI’s IT systems hosted the malware for 10 days before the malicious activity was discovered.

This breach highlights the importance of regular employee training and education around common social engineering attacks. The records exposed in this incident, and similar data held by other medically related vendors, underscores the severity of this type of data exposure as it can lead to sophisticated identify theft. It also is a critical reminder for companies using third party vendors that their overall security posture is dependent upon the robustness of all the firms which hold their data.

Read more...

The target: Cashaa, a British-based cryptocurrency exchange.

The take: $3 million USD in Bitcoin

The attack vector: The attackers compromised Cashaa’s systems by installing malware onto a company computer used to make their transactions. Once this malicious software was active, the attackers received a notification which informed them when one of Cashaa’s employees logged into the computer to make transfers from another crypto exchange site’s wallet. The hackers used their backdoor to access this wallet to drain the funds, receiving all 336 Bitcoin instead of the intended party.

The point of entry for an attack can have cascading consequences and this incident shows why securing company computers with proper malware detection is absolutely critical to strong cybersecurity. The breach which led to the malicious software being installed and the further monitoring failure which allowed the malware to send out notifications to the attackers, facilitated the theft.

Read more...

The target: Clubillion, an online gambling and casino app.

The take: Over 200 million user records containing the following personally identifiable information: emails, private messages, winnings, IP addresses, and movements in the app itself.

The attack vector: An unsecured Elasticsearch database hosted on Amazon Web Services was left unsecured and publicly accessible. Unlike other recent cases, this database was not a single static backup/archive of information, but was a live, ‘production’ database, constantly updated with up to 200M new records per day.

In addition to the usual phishing attacks that could be launched with access to personal information, the inclusion of app movement and the fact the exposed data was continuously updated makes highly targeted spear-phishing campaigns extremely likely to succeed. While it is always disappointing to see lapses in security around database backups, it is absolutely crucial that production systems housing sensitive data are adequately protected.

Read more...

The target: V Shred, a Las Vegas based fitness company which sells fitness plans, nutrition advice, and supplements.

The take: The combined Personally Identifiable Information of 99,000 of customers and potential clients including: names, home addresses, email addresses, dates of birth, usernames and passwords, age, gender, citizenship status, and user photos.

The attack vector: All of this information was hosted on a very common problem, an unsecured Amazon Web Services storage server accessible to the public online. However, in this case, anonymous users were also able to access the information without login credentials making the breach wider and deeper.

The exposed information could lead to highly sophisticated phishing attacks, and crucially, the user photos to identity theft. Credential management around publicly available company data is paramount to robust cybersecurity.

Read more...

The target: Frost & Sullivan, a US based business consulting firm.

The take: 6,000 customer records containing: client name, email address, the company contact. 6146 employee records containing: first and last names, login names, email addresses, and hashed passwords.

The attack vector: Due to a misconfigured, public-facing sever, the data was stolen from an unsecured backup folder which contained readable databases and company documents. The information was then put up for sale on a known hacking forum. 

This breach highlights the importance of a firm’s security posture for publicly accessible file containers. Since sensitive information such passwords were included in the leak, credential stuffing attacks could easily be carried out to great effect.  

Read more...

The target: Postbank, the banking division of South Africa’s Post Office.

The take: $3.2 million USD

The attack vector: Rogue employees printed the bank’s ‘master key’, a 36 digit code which allows its users to decrypt the bank’s operations and modify security protocols, on a piece of paper from an old data center. Using this credential they were able to access customer accounts and execute more than 25,000 fraudulent transactions, stealing $3.2 million. In addition to the cash, the master key also gave the attackers access to ATM pins, home banking access codes, customer data and credit card information which could then be used for sophisticated phishing attacks.

This breach highlights the importance of privileged credential management and the cascading negative effects that can happen when a high level protocol is compromised.

Read more...

The target: Genworth Financial, a fortune 500 Insurance holding company for mortgages and long term care.

The take: Personally Identifiable data of 1600 clients including: name, address, age, gender, date of birth, financial information, social security number, and signature.

The attack vector: The attackers gained unauthorized access through compromised login credentials belonging to some of Genworth’s third party insurance agents. These agents use an online access portal run by Genworth to manage their client’s policies. By exploiting the hacked logins, the threat actors were able to gather a trove of data which is very valuable for phishing attacks, identity theft and more.

This attack highlights the critical need for robust credential management amongst not only a firm’s employee, but also amongst third parties, and wherever access to a firm’s data is concerned.

Read more...

The target: San Francisco Employees’ Retirement System, the city’s firm which provides pension, retirement plans, and other benefits to city workers.

The take: Personal information for 74,000 members, including names, home addresses, dates of birth, beneficiary information, username/password combinations, and potentially tax information and bank routing numbers.

The attack vector: A breach notification was filed advising that ‘an unauthorized individual’ gained access to a database hosted in a test environment by one of the SFRS’s vendors.

This case again underlines the importance of validation of service providers and ensuring that third party organizations with access to sensitive data put appropriate controls in place. Furthermore, test and pre-stage environments should, as a best practise, use ‘dummy’ or heavily redacted data, especially in cases where security controls are not as rigid as those protecting production systems.

Read more...