The target: The National Bank of Blacksburg
The take: $2.4 million
The attack vector: The attack began with a phishing email which let the hackers install malware on the compromised computer. This move let them disable and alter anti-theft and anti-fraud measures such as PIN’s, withdrawal limits, daily debit card usage limits and fraud score protections. Through their now unrestricted access to the bank’s internal account manager software, Navigator, the attackers modified or removed critical security controls. They then accessed hundreds of customer accounts to steal funds over a period of two days.
This incident highlights the profound impact one compromised system can have in the context of an organization’s overall security posture, and underscores the old adage – ‘a chain is only as strong as its weakest link’. While network and server-level protections are essential, firm must ensure that endpoint controls and user training are up to snuff.
The target: A Chinese Venture Capital firm.
The take: $1 million.
The attack vector: The “man-in-the-middle” attack occurred when the Venture Capital firm transferred funds to an Israeli start-up company. The breach began with the threat actor creating two lookalike domains, both mirroring the VC firm and the Startup firm, but with an extra “s” at the end of the address. They then sent two emails, both posing as the VC firm’s CEO and as the start-up’s CEO, tricking both parties into sending sensitive banking information which the attacker then modified to hijack the money.
This coordinated attack highlights the critical need for human vigilance and the implementation of robust controls. Scrupulous validation of transactions where assets – funds or sensitive information - are being transferred is central to effective protection.
The target: Sprint, an American telecommunications company.
The take: 261,300 documents, including phone bills and bank statements containing: names, addresses, phone numbers, and in some cases, screenshots with subscribers’ online usernames and account PINs.
The attack vector: A misconfigured cloud storage bucket was publicly exposed and not protected by a password, allowing anyone with internet access to download the contents. The misconfiguration was traced a marketing agency contracted by Sprint.
Any subsidiary or contractor which handles sensitive data is a potential breach source. Internal security controls must be extended to third parties handling a firm’s sensitive data.
The target: Adobe, an American computer software company.
The take: 7.5 million customer accounts which contained email addresses, account creation dates, subscription status, country and payment details.
The attack vector: A misconfigured Elasticsearch cloud database was left online without any password protection. This information could easily be used to launch sophisticated, targeted phishing attacks to trick users into giving further sensitive details.
When provisioning new systems or types of systems, care must be taken to ensure that appropriate and proportionate security measures are implemented, either by automated scanning or by manual review. Adopting (and validating) robust controls to technological tools employed is critical to secure operations.
The target: Macy’s, an American department store chain.
The take: First and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes and expiration dates.
The attack vector: The attackers used card skimming code, colloquially termed as Magecart, to inject a malicious script into two pages on Macy’s website, the wallet and checkout page. Tampering with the scripts on the retailer’s website allowed attackers to ‘skim’ sensitive information as it was entered by customers and forward it to their own systems.
Any webpage where sensitive information is entered by the user is a prime target for hackers. Ensuring robust standards around critical nodes such as these are key for strong security practices.
The target: InfoTrax, a Utah-based provider of IT systems for the Direct Sales industry.
The take: 1 million user records including Social Security Numbers, payment card information, bank account information, user names and passwords.
The attack vector: A vulnerability in InfoTrax’s public facing website allowed the attacker to upload malicious code, which allowed remote control of the company’s website and servers. Inadequate security monitoring practices gave the attacker unrestricted, and undetected, access to 17 different systems over a period of two years. InfoTrax was only alerted when one of its servers ran out of storage space.
Robust monitoring standards are critical to detect not only intrusions, but any and all unusual activity that can indicate if IT systems have been compromised.
The target: First American Financial Corp, a Fortune 500 real estate title insurance giant
The take: 885 million files, including records of wire transactions with bank account numbers, bank statements, mortgage records, tax documents, Social Security numbers and driver’s licenses.
The attack vector: FA’s webserver used a system of assigning sensitive documents unique web links – however, incrementing the id number in the link returned other, unrelated documents for any user accessing the site via web, with no authentication necessary.
‘Security by obscurity’ has no place in the 21st century – it is altogether insufficient to rely on the presumed inability of an attacker to locate sensitive resources left exposed to the public web. Any data which is not for public consumption must be protected with a secure authentication system to ensure that it can only be accessed by the intended audience.
The target: SingHealth, Singapore’s largest group of healthcare organizations.
The take: 1.5 million patient records which included: names, prescriptions, medical records, government registration numbers, addresses and dates of birth.
The attack vector: The source of the breach according to early reports was a phishing campaign, however, security researcher’s leading hypothesis was that the attack originated through SingHealth’s failure to keep their software updated. The company used an open source penetration testing application called Ruler. However, they ignored an available patch for Ruler which addressed a known vulnerability, and which led to the hackers gaining access.
Regular and rigorous attention to security updates must be applied to ensure maximum safety of a company’s IT systems – especially where it pertains to tools used to assess the security of internal systems and the effectiveness of technical controls.
The target: Imperva, cyber-security firm based out of California.
The take: A complete copy of their customer information database.
The attack vector: Imperva uploaded a snapshot of its customer database for testing. However, in an unrelated incident, they left one of their internal systems publicly accessible on the internet from which the attacker stole key to the recently uploaded database. Using the key, the hacker was able to download a copy of the customer information.
After Imperva adopted cloud technologies to scale their infrastructure to meet increasing needs, they failed to account for the increased risk of this strategy. Cyber-security diligence applies at all levels of scale including times of expansion and investment in new technology.
The target: FireEye, a publicly traded cybersecurity company in California.
The take: Corporate documents, details on client contracts and licenses, and personal login credentials.
The attack vector: Attackers used credentials exposed in public data breaches to access the personal accounts of a security analyst employed by FireEye. Once his accounts had been compromised, they were able to exploit his business use of those personal accounts to obtain sensitive information belonging to his employer.
On an individual level – this attacks highlights the importance of changing passwords and rotating credentials, particularly in the wake of a publicized credential breach. At the firm level - once confidential and sensitive information leaves a firm’s information systems, it’s completely outside of their control. Security policies must reflect zero tolerance for use of personal accounts to communicate on behalf of the firm or store/transfer sensitive and proprietary information.
Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios More →
Montreal
1080 Côte du Beaver Hall, Suite 904
Montreal, QC
Canada, H2Z 1S8
+1-450-465-8880
Halifax
168 Hobsons Lake Drive Suite 301
Beechville, NS
Canada, B3S 0G4
Tel: +1 902 429 8880
Manila
10th Floor, Two Ecom Center
Mall of Asia Complex
Harbor Dr, Pasay, 1300 Metro Manila
Philippines
Sydney
Level 15 Grosvenor Place
225 George Street, Sydney NSW 2000
Australia
Tel: +61 (2) 8823 3370
Abu Dhabi
Floor No. 15 Al Sarab Tower,
Adgm Square,
Al Maryah Island, Abu Dhabi, UAE
Tel: +971 (2) 694 8510
Prague
2nd Floor, The Park
V Parku 8
Chodov, Praha, 148 00
Czech Republic
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.
Terms of Service and Privacy Policy