Industry News: ESG5

The target: Clubillion, an online gambling and casino app.

The take: Over 200 million user records containing the following personally identifiable information: emails, private messages, winnings, IP addresses, and movements in the app itself.

The attack vector: An unsecured Elasticsearch database hosted on Amazon Web Services was left unsecured and publicly accessible. Unlike other recent cases, this database was not a single static backup/archive of information, but was a live, ‘production’ database, constantly updated with up to 200M new records per day.

In addition to the usual phishing attacks that could be launched with access to personal information, the inclusion of app movement and the fact the exposed data was continuously updated makes highly targeted spear-phishing campaigns extremely likely to succeed. While it is always disappointing to see lapses in security around database backups, it is absolutely crucial that production systems housing sensitive data are adequately protected.

Read more...

The target: V Shred, a Las Vegas based fitness company which sells fitness plans, nutrition advice, and supplements.

The take: The combined Personally Identifiable Information of 99,000 of customers and potential clients including: names, home addresses, email addresses, dates of birth, usernames and passwords, age, gender, citizenship status, and user photos.

The attack vector: All of this information was hosted on a very common problem, an unsecured Amazon Web Services storage server accessible to the public online. However, in this case, anonymous users were also able to access the information without login credentials making the breach wider and deeper.

The exposed information could lead to highly sophisticated phishing attacks, and crucially, the user photos to identity theft. Credential management around publicly available company data is paramount to robust cybersecurity.

Read more...

The target: Frost & Sullivan, a US based business consulting firm.

The take: 6,000 customer records containing: client name, email address, the company contact. 6146 employee records containing: first and last names, login names, email addresses, and hashed passwords.

The attack vector: Due to a misconfigured, public-facing sever, the data was stolen from an unsecured backup folder which contained readable databases and company documents. The information was then put up for sale on a known hacking forum. 

This breach highlights the importance of a firm’s security posture for publicly accessible file containers. Since sensitive information such passwords were included in the leak, credential stuffing attacks could easily be carried out to great effect.  

Read more...

The target: Postbank, the banking division of South Africa’s Post Office.

The take: $3.2 million USD

The attack vector: Rogue employees printed the bank’s ‘master key’, a 36 digit code which allows its users to decrypt the bank’s operations and modify security protocols, on a piece of paper from an old data center. Using this credential they were able to access customer accounts and execute more than 25,000 fraudulent transactions, stealing $3.2 million. In addition to the cash, the master key also gave the attackers access to ATM pins, home banking access codes, customer data and credit card information which could then be used for sophisticated phishing attacks.

This breach highlights the importance of privileged credential management and the cascading negative effects that can happen when a high level protocol is compromised.

Read more...

The target: Genworth Financial, a fortune 500 Insurance holding company for mortgages and long term care.

The take: Personally Identifiable data of 1600 clients including: name, address, age, gender, date of birth, financial information, social security number, and signature.

The attack vector: The attackers gained unauthorized access through compromised login credentials belonging to some of Genworth’s third party insurance agents. These agents use an online access portal run by Genworth to manage their client’s policies. By exploiting the hacked logins, the threat actors were able to gather a trove of data which is very valuable for phishing attacks, identity theft and more.

This attack highlights the critical need for robust credential management amongst not only a firm’s employee, but also amongst third parties, and wherever access to a firm’s data is concerned.

Read more...

The target: San Francisco Employees’ Retirement System, the city’s firm which provides pension, retirement plans, and other benefits to city workers.

The take: Personal information for 74,000 members, including names, home addresses, dates of birth, beneficiary information, username/password combinations, and potentially tax information and bank routing numbers.

The attack vector: A breach notification was filed advising that ‘an unauthorized individual’ gained access to a database hosted in a test environment by one of the SFRS’s vendors.

This case again underlines the importance of validation of service providers and ensuring that third party organizations with access to sensitive data put appropriate controls in place. Furthermore, test and pre-stage environments should, as a best practise, use ‘dummy’ or heavily redacted data, especially in cases where security controls are not as rigid as those protecting production systems.

Read more...

The target: Magellan Health, a for-profit managed health care and insurance firm

The take: Names, addresses, employee ID numbers, W-2 or 1099 details, social security and Taxpayer ID numbers, and in some cases, usernames and passwords for an undisclosed number of ‘current employees’.

The attack vector: After an initial round of phishing e-mails, attackers obtained user credentials and accessed internal systems, deploying software to capture login credentials for some staff, and exfiltrating personal employee information before deploying a ransomware attack on Magellan’s system some days later.

This example illustrates the cumulative and progressive nature of a breach, once initiated – no cyber-attack exists in isolation. Once an attacker has gained access to privileged accounts and systems, they can execute multiple attack vectors – exfiltrating sensitive data, and triggering a ransomware attack on internal systems, either to distract from their earlier activities or for purely financial gain. Security controls must be many and layered to ensure that a compromise of one can still be mitigated and contained.

Read more...

The target: Covve, an ‘intelligent contact management solution’.

The take: a 90GB database containing names, e-mail addresses, phone numbers, business names & titles, social networking links and personalized notes affecting more than 23 million individuals.

The attack vector: While this incident was, at its core, another all too familiar instance of an unsecured database left publicly exposed, the notable factor in this breach is that the personally identifiable information leaked wasn’t that of the service’s users. Since Covve is a contact management app, the names, contact details, notes and social networking handles that were publicly leaked all belong to individuals who do not and probably never have used the service.

From an individual standpoint, this breach highlights just how challenging it can be to maintain control over personal information – 23 million people, through no action of their own, saw their personal information exposed in this breach. From an organizational standpoint, again – a firm must be acutely aware of the kind of data they are storing and processing, and be able to ensure that it is being handled and protected in a manner commensurate to the sensitivity of that data.

Read more...

The target: Norfund, a Norwegian state-owned Private Equity company.

The take: $10 million USD, diverted from a microfinance institution in Cambodia to a Mexican bank account.

The attack vector: Attackers gained access to Norfund’s e-mail system, likely via a phishing attack, and studied communication between Norfund and their partners. This allowed them to identify those responsible for money transfers, and create a false Norfund e-mail address to impersonate the individual authorized to wire large sums of money via their bank. The attackers diverted the payment intended for the Cambodian institute to a Mexican bank account, fraudulently created in the same name. The attackers delayed discovery of the fraud by over a month by continuing communication in both directions with both Norfund employees and the Cambodian institute, thereby ensuring that the banks would be unable to reverse the fraudulent transfer.

This is, unfortunately, yet another example of a sophisticated business e-mail compromise attack, wherein a very capable group of attackers used access to an internal system to learn the patterns, habits, and procedures of an organization and then proceeded to exploit them. Addressing complex threats like this one require complex and multi-levelled controls – user phishing training and two-factor authentication for e-mail accounts, monitoring of access to e-mail systems, and robust and layered controls around cash transfers that require multiple channels of verifiable communication.

Read more...

The target: Small Business Administration (SBA), a US government agency that supports entrepreneurs and small businesses.

The take: Up to 8,000 applications for Economic Injury Disaster Loans may have been improperly exposed to other applicants, including such sensitive data as social security numbers, addresses, phone numbers, dates of birth, income and financial/insurance information.

The attack vector: A flaw in the caching configuration of the online loan application portal, implemented to accommodate increased demand, meant that when one applicant pressed the ‘back’ button in their web browser during the application process, they may have been served a page containing the application data belonging to another business.

Scalability of critical infrastructure is an essential component of web applications and electronic tools – sudden increases in demand for certain services are a reality in the face of the evolving COVID-19 pandemic. It is equally critical, however, that while considering system capacity, security controls are not weakened.

Read more...