
    Industry News: ESG5

      Know Your Breach: Angeles Investment Advisors

      The target: Angeles Investment Advisors, an asset manager based in Santa Monica, California

The take: The e-mail account of Michael Rosen, Chief Investment Officer, was compromised and used to send a bogus ‘bid for proposal’ link to his contacts.

The attack vector: While details have not been published at this time, it is likely that the initial compromise of Rosen’s account was the result of a targeted phishing attack. Once attackers had control of his e-mail account, they were able to send a malicious attachment to his contact list, and even responded to individuals who questioned the legitimacy of the e-mail – assuring them that the attachment was safe, and that they should open it post-haste.

      One of the most insidious risks in an e-mail compromise is that the compromised account will be used as a pivot point, and that the trust in that individual will be exploited for criminal gain. These attacks highlight not only the need to ensure that technical controls are in place to prevent accounts from being compromised in the first place – but also the need to train staff to think critically about the content of messages they receive, and to confirm any suspicious communications or requests via a separate channel of communication.


      Know Your Breach: UK Rail Passengers

      The target: C3UK, a provider of Free WiFi at railway stations across the UK

      The take: Personal data of more than 10K rail passengers including dates of birth, email addresses and travel plans

      The attack vector: A security researcher discovered that C3UK had left a database backup publicly exposed on an Amazon Web Services storage device with no password protection.

While security controls around production systems and databases are mission critical, care must also be taken when storing and transferring backups and duplicate copies of production data. Security controls must always be commensurate with the sensitivity of the data being handled, and must travel with that data throughout its lifecycle.


      Know Your Breach: Microsoft

      The target: Microsoft

      The take: 250 million Call Centre records which included full conversations between service agents and customers, as well as a portion of customer emails, internal notes and IP addresses.

      The attack vector: Cloud databases across five different online servers were left unsecured, as a misconfigured security group left them exposed to the internet. These records could be used in extremely targeted and effective phishing campaigns against customers, impersonating Microsoft support agents and referencing internal case numbers and topics discussed.

This breach again raises the critical consideration that the effectiveness of an organization’s security relies on vigilant processes and validations wherever cloud technology is concerned, no matter the scale of the infrastructure or the pedigree of the firm.
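The misconfigured security group described above is the kind of exposure that can be caught mechanically before the data is reachable. The following is an added example (not code from this post or from any of the firms mentioned): it audits ingress rules, given in the shape returned by the AWS `ec2 describe-security-groups` call, and reports every database port that is open to the whole internet. The group records, the port list and the group IDs (`sg-private-db`, `sg-exposed-es`, `sg-allow-all`) are constructed for the example; nothing here calls AWS.

```python
"""Audit security-group style ingress rules for database ports open to the internet.

Added example; the rule records are constructed in the shape returned by
AWS `ec2 describe-security-groups` (GroupId, IpPermissions[].FromPort/ToPort/
IpProtocol/IpRanges[].CidrIp/Ipv6Ranges[].CidrIpv6). No API is called.
"""
import ipaddress

# Ports that should essentially never be reachable from the whole internet.
DB_PORTS = {
    1433: "MSSQL",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
}


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any prefix that covers the whole address space."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def _ports_covered(perm: dict) -> set:
    """Which sensitive ports a single IpPermissions entry lets through."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":  # "all traffic": every port, no FromPort/ToPort present
        return set(DB_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return {p for p in DB_PORTS if lo <= p <= hi}


def find_world_exposed_db_rules(groups: list) -> list:
    """Return (group id, port, service, cidr) for every DB port open to the world."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world_open(cidr):
                    continue
                for port in sorted(_ports_covered(perm)):
                    findings.append((g["GroupId"], port, DB_PORTS[port], cidr))
    return findings


# Constructed sample: one group correctly restricted to a private range, one that
# exposes Elasticsearch to the internet, and one "allow all" group over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-private-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-exposed-es", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, svc, cidr in find_world_exposed_db_rules(SAMPLE_GROUPS):
        print(f"{gid}: {svc} ({port}/tcp) reachable from {cidr}")
```

The check deliberately treats an "all traffic" rule (`IpProtocol` of `-1`) and an IPv6 `::/0` range the same as `0.0.0.0/0`, since both are common ways an "internal" database ends up on the public internet while a narrow-looking rule list suggests otherwise.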


      Know Your Breach: LimeLeads

      The target: LimeLeads, a San Francisco-based business-to-business leads generator.

      The take: 49 million user records including: full name, title, user email, employer/company name, company address, company total revenue and estimated number of employees.

The attack vector: LimeLeads did not set a password on an internal database that was hosted on a publicly accessible server, meaning anyone with an internet connection was able to access the data and scrape a copy. The highly specific personal details in the data could lead to extremely effective spear-phishing campaigns targeting high-level individuals.

The security of systems intended to be internal is as critical as that of external-facing ones. Adopting stringent cybersecurity policies across all areas of access, whether internal or external, is crucial to maintaining the integrity, confidentiality and availability of data.


      Know Your Breach: North Carolina County

      The target: Cabarrus County, a district of North Carolina in the United States

The take: $1.7 million

The attack vector: A BEC, or Business Email Compromise. The attackers posed as one of the county’s contractors and requested that their bank account be updated in time for the next payment. They spoofed legitimate documents including an electronic funds transfer (EFT) form and signed bank documentation. After receiving the bogus documents, Cabarrus County staff changed the vendor’s account to this new, fake one and continued with their scheduled payments.

This attack highlights the importance of security awareness campaigns that test and train employees’ ability to spot and report suspicious emails. Additionally, controls should be in place wherever payments are processed to ensure that any request to change payment instructions is reviewed and validated outside of the e-mail correspondence string.


      Know Your Breach: Wyze

      The target: Wyze, a Seattle-based smart home device maker.

The take: Email addresses, IP addresses, WiFi SSIDs and device information of 2.4 million customers.

      The attack vector: During the deployment of a new database, a mistake by an employee removed all of the security protocols governing the system, thus exposing the information. In total, two exposed Elasticsearch databases and one MySQL production database were freely accessible and the attackers were then able to access and download the leaked information.

      Deployment of new technology is a potentially critical point of vulnerability. Any changes intended for the production environment should be tested in a private staging environment and audited/tested wherever possible to avoid introducing gaps into a firm’s security posture.


      Know Your Breach: The National Bank of Blacksburg

      The target: The National Bank of Blacksburg

      The take: $2.4 million

The attack vector: The attack began with a phishing email which let the hackers install malware on the compromised computer. This move let them disable and alter anti-theft and anti-fraud measures such as PINs, withdrawal limits, daily debit card usage limits and fraud score protections. Through their now unrestricted access to the bank’s internal account manager software, Navigator, the attackers modified or removed critical security controls. They then accessed hundreds of customer accounts to steal funds over a period of two days.

This incident highlights the profound impact one compromised system can have on an organization’s overall security posture, and underscores the old adage – ‘a chain is only as strong as its weakest link’. While network and server-level protections are essential, firms must ensure that endpoint controls and user training are up to snuff.


      Know Your Breach: Venture Capital

      The target: A Chinese Venture Capital firm.

      The take: $1 million.

The attack vector: The “man-in-the-middle” attack occurred when the Venture Capital firm transferred funds to an Israeli start-up company. The breach began with the threat actor registering two lookalike domains, one mirroring the VC firm and one the start-up firm, each with an extra “s” at the end of the address. They then sent two emails, one posing as the VC firm’s CEO and one as the start-up’s CEO, tricking both parties into sending sensitive banking information, which the attacker then modified to hijack the money.

This coordinated attack highlights the critical need for human vigilance and the implementation of robust controls. Scrupulous validation of transactions where assets – funds or sensitive information – are being transferred is central to effective protection.


      Know Your Breach: SingHealth

      The target: SingHealth, Singapore’s largest group of healthcare organizations.

      The take: 1.5 million patient records which included: names, prescriptions, medical records, government registration numbers, addresses and dates of birth.

The attack vector: According to early reports the source of the breach was a phishing campaign; however, security researchers’ leading hypothesis was that the attack originated in SingHealth’s failure to keep its software updated. The company used an open source penetration testing application called Ruler, but ignored an available patch for Ruler that addressed a known vulnerability, which led to the hackers gaining access.

      Regular and rigorous attention to security updates must be applied to ensure maximum safety of a company’s IT systems – especially where it pertains to tools used to assess the security of internal systems and the effectiveness of technical controls.


      Know Your Breach: Imperva

The target: Imperva, a cyber-security firm based in California.

      The take: A complete copy of their customer information database.

The attack vector: Imperva uploaded a snapshot of its customer database for testing. However, in an unrelated incident, they left one of their internal systems publicly accessible on the internet, from which the attacker stole a key to the recently uploaded database. Using the key, the hacker was able to download a copy of the customer information.

      After Imperva adopted cloud technologies to scale their infrastructure to meet increasing needs, they failed to account for the increased risk of this strategy. Cyber-security diligence applies at all levels of scale including times of expansion and investment in new technology.


      About Castle Hall Diligence

Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios.
