Industry News: ESG5

The target: The National Bank of Blacksburg

The take: $2.4 million

The attack vector: The attack began with a phishing email which let the hackers install malware on the compromised computer. This move let them disable and alter anti-theft and anti-fraud measures such as PIN’s, withdrawal limits, daily debit card usage limits and fraud score protections. Through their now unrestricted access to the bank’s internal account manager software, Navigator, the attackers modified or removed critical security controls. They then accessed hundreds of customer accounts to steal funds over a period of two days.

This incident highlights the profound impact one compromised system can have in the context of an organization’s overall security posture, and underscores the old adage – ‘a chain is only as strong as its weakest link’. While network and server-level protections are essential, firm must ensure that endpoint controls and user training are up to snuff.

Read more...

The target: A Chinese Venture Capital firm.

The take: $1 million.

The attack vector: The “man-in-the-middle” attack occurred when the Venture Capital firm transferred funds to an Israeli start-up company. The breach began with the threat actor creating two lookalike domains, both mirroring the VC firm and the Startup firm, but with an extra “s” at the end of the address. They then sent two emails, both posing as the VC firm’s CEO and as the start-up’s CEO, tricking both parties into sending sensitive banking information which the attacker then modified to hijack the money.

This coordinated attack highlights the critical need for human vigilance and the implementation of robust controls. Scrupulous validation of transactions where assets – funds or sensitive information - are being transferred is central to effective protection.

Read more...

The target: Sprint, an American telecommunications company.

The take: 261,300 documents, including phone bills and bank statements containing: names, addresses, phone numbers, and in some cases, screenshots with subscribers’ online usernames and account PINs.

The attack vector: A misconfigured cloud storage bucket was publicly exposed and not protected by a password, allowing anyone with internet access to download the contents. The misconfiguration was traced a marketing agency contracted by Sprint.

Any subsidiary or contractor which handles sensitive data is a potential breach source. Internal security controls must be extended to third parties handling a firm’s sensitive data.

Read more...

The target: Adobe, an American computer software company.

The take: 7.5 million customer accounts which contained email addresses, account creation dates, subscription status, country and payment details.

The attack vector: A misconfigured Elasticsearch cloud database was left online without any password protection. This information could easily be used to launch sophisticated, targeted phishing attacks to trick users into giving further sensitive details.

When provisioning new systems or types of systems, care must be taken to ensure that appropriate and proportionate security measures are implemented, either by automated scanning or by manual review. Adopting (and validating) robust controls to technological tools employed is critical to secure operations. 

Read more...

The target: Macy’s, an American department store chain.

The take: First and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes and expiration dates.

The attack vector: The attackers used card skimming code, colloquially termed as Magecart, to inject a malicious script into two pages on Macy’s website, the wallet and checkout page. Tampering with the scripts on the retailer’s website allowed attackers to ‘skim’ sensitive information as it was entered by customers and forward it to their own systems.

Any webpage where sensitive information is entered by the user is a prime target for hackers. Ensuring robust standards around critical nodes such as these are key for strong security practices.

Read more...

The target: InfoTrax, a Utah-based provider of IT systems for the Direct Sales industry.

The take: 1 million user records including Social Security Numbers, payment card information, bank account information, user names and passwords.

The attack vector: A vulnerability in InfoTrax’s public facing website allowed the attacker to upload malicious code, which allowed remote control of the company’s website and servers. Inadequate security monitoring practices gave the attacker unrestricted, and undetected, access to 17 different systems over a period of two years. InfoTrax was only alerted when one of its servers ran out of storage space.

Robust monitoring standards are critical to detect not only intrusions, but any and all unusual activity that can indicate if IT systems have been compromised.

Read more...

The target: First American Financial Corp, a Fortune 500 real estate title insurance giant

The take: 885 million files, including records of wire transactions with bank account numbers, bank statements, mortgage records, tax documents, Social Security numbers and driver’s licenses.

The attack vector: FA’s webserver used a system of assigning sensitive documents unique web links – however, incrementing the id number in the link returned other, unrelated documents for any user accessing the site via web, with no authentication necessary.

‘Security by obscurity’ has no place in the 21^st century – it is altogether insufficient to rely on the presumed inability of an attacker to locate sensitive resources left exposed to the public web. Any data which is not for public consumption must be protected with a secure authentication system to ensure that it can only be accessed by the intended audience.

Read more...

The target: SingHealth, Singapore’s largest group of healthcare organizations.

The take: 1.5 million patient records which included: names, prescriptions, medical records, government registration numbers, addresses and dates of birth.

The attack vector: The source of the breach according to early reports was a phishing campaign, however, security researcher’s leading hypothesis was that the attack originated through SingHealth’s failure to keep their software updated. The company used an open source penetration testing application called Ruler. However, they ignored an available patch for Ruler which addressed a known vulnerability, and which led to the hackers gaining access.

Regular and rigorous attention to security updates must be applied to ensure maximum safety of a company’s IT systems – especially where it pertains to tools used to assess the security of internal systems and the effectiveness of technical controls.

Read more...

The target: Imperva, cyber-security firm based out of California.

The take: A complete copy of their customer information database.

The attack vector: Imperva uploaded a snapshot of its customer database for testing. However, in an unrelated incident, they left one of their internal systems publicly accessible on the internet from which the attacker stole key to the recently uploaded database. Using the key, the hacker was able to download a copy of the customer information.

After Imperva adopted cloud technologies to scale their infrastructure to meet increasing needs, they failed to account for the increased risk of this strategy. Cyber-security diligence applies at all levels of scale including times of expansion and investment in new technology.

Read more...

The target: FireEye, a publicly traded cybersecurity company in California.

The take: Corporate documents, details on client contracts and licenses, and personal login credentials.

The attack vector: Attackers used credentials exposed in public data breaches to access the personal accounts of a security analyst employed by FireEye. Once his accounts had been compromised, they were able to exploit his business use of those personal accounts to obtain sensitive information belonging to his employer.

On an individual level – this attacks highlights the importance of changing passwords and rotating credentials, particularly in the wake of a publicized credential breach. At the firm level - once confidential and sensitive information leaves a firm’s information systems, it’s completely outside of their control. Security policies must reflect zero tolerance for use of personal accounts to communicate on behalf of the firm or store/transfer sensitive and proprietary information.

Read more...