Industry News: ESG5

The target: SpiceJet, one of India’s largest privately owned airlines.

The take: Private information of more than 1.2 million passengers including: Full names, phone number, email address, date of birth and a month’s worth of flight information.

The attack vector: SpiceJet’s IT systems were cracked through a brute-force attack of an extremely weak password. Once the system was penetrated, an unencrypted database backup file was discovered containing the millions of readable records.

This breach highlights the importance of secure password practices which should be applied at all levels across a firm. In addition, wherever personally identifiable information is concerned, extra care is advised as their compromise can enable highly effective phishing campaigns and identity theft.

Read more...

The target: Microsoft

The take: 250 million Call Centre records which included full conversations between service agents and customers, as well as a portion of customer emails, internal notes and IP addresses.

The attack vector: Cloud databases across five different online servers were left unsecured, as a misconfigured security group left them exposed to the internet. These records could be used in extremely targeted and effective phishing campaigns against customers, impersonating Microsoft support agents and referencing internal case numbers and topics discussed.

This breach again raises the critical consideration that effectiveness of an organization’s security relies on vigilant processes and validations where cloud technology is concerned no matter the scale of the infrastructure or the pedigree of the firm.

Read more...

The target: LimeLeads, a San Francisco-based business-to-business leads generator.

The take: 49 million user records including: full name, title, user email, employer/company name, company address, company total revenue and estimated number of employees.

The attack vector: LimeLeads did not set up a password for the internal database which was hosted on a publicly accessible server, meaning anyone with an internet connection was able to access the data and scrape a copy. The highly specific personal details of the data could lead to extremely effective spear-phishing campaigns targeting high level individuals.

The security of intended internal systems is as critical as external facing ones. Adopting stringent cybersecurity policies across all areas of access, whether internal or external, is crucial to maintaining the integrity, confidential and availability of data.

Read more...

The target: Cabarrus County, a district of North Carolina in the United States

The take: $1.7 million dollars

The attack vector: A BEC, or Business Email Compromise. The attackers posed as one of the county’s contractors and requested their bank account be updated in time for the next payment. They spoofed legitimate documents including an electronic funds transfer form (EFT) and signed bank documentation. After receiving the bogus documents, Cabarrus County staff changed the vendor’s account to this new, fake one and continued with their scheduled payments.

This attack highlights the importance of security awareness campaigns that test and train employee’s abilities to spot and report suspicious emails. Additionally, controls should be in place wherever payments are processed to ensure that any requests to change payment instructions are reviewed and validated outside of an e-mail correspondence string.

Read more...

The target: Wyze, a Seattle-based smart home device maker.

The take: Email addresses, IP addresses, WiFi SSID’s and device information of 2.4 million customers.

The attack vector: During the deployment of a new database, a mistake by an employee removed all of the security protocols governing the system, thus exposing the information. In total, two exposed Elasticsearch databases and one MySQL production database were freely accessible and the attackers were then able to access and download the leaked information.

Deployment of new technology is a potentially critical point of vulnerability. Any changes intended for the production environment should be tested in a private staging environment and audited/tested wherever possible to avoid introducing gaps into a firm’s security posture.

Read more...

The target: The National Bank of Blacksburg

The take: $2.4 million

The attack vector: The attack began with a phishing email which let the hackers install malware on the compromised computer. This move let them disable and alter anti-theft and anti-fraud measures such as PIN’s, withdrawal limits, daily debit card usage limits and fraud score protections. Through their now unrestricted access to the bank’s internal account manager software, Navigator, the attackers modified or removed critical security controls. They then accessed hundreds of customer accounts to steal funds over a period of two days.

This incident highlights the profound impact one compromised system can have in the context of an organization’s overall security posture, and underscores the old adage – ‘a chain is only as strong as its weakest link’. While network and server-level protections are essential, firm must ensure that endpoint controls and user training are up to snuff.

Read more...

The target: A Chinese Venture Capital firm.

The take: $1 million.

The attack vector: The “man-in-the-middle” attack occurred when the Venture Capital firm transferred funds to an Israeli start-up company. The breach began with the threat actor creating two lookalike domains, both mirroring the VC firm and the Startup firm, but with an extra “s” at the end of the address. They then sent two emails, both posing as the VC firm’s CEO and as the start-up’s CEO, tricking both parties into sending sensitive banking information which the attacker then modified to hijack the money.

This coordinated attack highlights the critical need for human vigilance and the implementation of robust controls. Scrupulous validation of transactions where assets – funds or sensitive information - are being transferred is central to effective protection.

Read more...

The target: Sprint, an American telecommunications company.

The take: 261,300 documents, including phone bills and bank statements containing: names, addresses, phone numbers, and in some cases, screenshots with subscribers’ online usernames and account PINs.

The attack vector: A misconfigured cloud storage bucket was publicly exposed and not protected by a password, allowing anyone with internet access to download the contents. The misconfiguration was traced a marketing agency contracted by Sprint.

Any subsidiary or contractor which handles sensitive data is a potential breach source. Internal security controls must be extended to third parties handling a firm’s sensitive data.

Read more...

The target: Adobe, an American computer software company.

The take: 7.5 million customer accounts which contained email addresses, account creation dates, subscription status, country and payment details.

The attack vector: A misconfigured Elasticsearch cloud database was left online without any password protection. This information could easily be used to launch sophisticated, targeted phishing attacks to trick users into giving further sensitive details.

When provisioning new systems or types of systems, care must be taken to ensure that appropriate and proportionate security measures are implemented, either by automated scanning or by manual review. Adopting (and validating) robust controls to technological tools employed is critical to secure operations. 

Read more...

The target: Macy’s, an American department store chain.

The take: First and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes and expiration dates.

The attack vector: The attackers used card skimming code, colloquially termed as Magecart, to inject a malicious script into two pages on Macy’s website, the wallet and checkout page. Tampering with the scripts on the retailer’s website allowed attackers to ‘skim’ sensitive information as it was entered by customers and forward it to their own systems.

Any webpage where sensitive information is entered by the user is a prime target for hackers. Ensuring robust standards around critical nodes such as these are key for strong security practices.

Read more...