For this week’s “In the News”, research an article that centers around how identities were compromised to provide access, or how an account that was otherwise authorized was then used for unauthorized purposes.
Krish Damany says
In a cruel fate of irony, new hackers are using a phishing email disguised as news about the Colonial Pipeline breach. This email tells users to download a “ransomware system update” to prevent future attacks. Clicking the big blue “download” button will inject the malware onto a user’s system and will begin to mine their data, which could include login information that could be used maliciously to gain access to the organization. This type of ransomware is called a Cobalt Strike, and accounted for 66% of all ransomware attacks in 2020. This article stated this specific attack was already used on two companies and that IT teams should be on the lookout for more.
https://www.zdnet.com/article/hackers-use-colonial-pipeline-ransomware-news-for-phishing-attack/
Mei X Wang says
Hi Krish, interesting article you selected! Since the Colonial Pipeline breach by the “REvil” group has been disclosed to the public, this has branched to more forms of ransomware-as-a-service attacks. Without proper security awareness training, employees will continue falling for phishing attacks. These attacks will reoccur unless top-level-management-supported, mandated training programs are consistently done, keeping employees sharp in recognizing these threats.
Vincent Piacentino says
Hi Krish!
Cool article! Some humans are horrible, sneaky SOB’s and I hate it!
Another thing is that some of these threat actors are better than most at making the phishing emails look real. You must have the trained eye of a Fox Master’s-degree-level cybersleuth like us to recognize it. LOL
But seriously, things are only escalating as time goes on. I hesitate to say I can’t wait to see what the next best breaches will be this year…
Rudraduttsinh says
One of the biggest victims of identity compromise is the payment card industry. Also, the cost associated with a breach can have dire consequences for the stakeholders. In this article, I want to focus on the data breach that occurred with Home Depot’s Point of Sale. It is an important occurrence because Target was the victim of a similar attack just a few months ago. Both breaches have the same method of operation, where a third-party vendor was compromised, and the stolen data along with RAM-scraping malware were instrumental in the breach. After the breach, Home Depot implemented EMV Chip-and-PIN payment cards. The attackers installed the malware through compromised third-party vendor credentials. The breach could have been prevented with proper implementation of identity and access management along with network segregation. Another interesting fact is that organizations learned the lessons from the Target data breach but failed to implement the solution on time.
References
Hawkins, B. (2015). Case Study: The Home Depot Data Breach. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/breaches/case-study-home-depot-data-breach-36367
Vincent Piacentino says
Facebook, Instagram and LinkedIn – January 11, 2021
A Chinese social media management company, Socialarks, suffered a data leak through an unsecured database that exposed account details and PII of 214 million social media users from Facebook, Instagram, and LinkedIn. The exposed information included names, phone numbers, email addresses, profile links, usernames, profile pictures, profile descriptions, follower logistics, location, job profiles, their LinkedIn profile link, and connected social media account login names. The amount and type of information leaked varied by social media platform.
The cause: Socialarks’ ElasticSearch server was publicly exposed without password protection or encryption and found during a routine IP address check on potentially unsecured databases. This was conducted by the “Safety Detectives” cybersecurity team, whose mission it is to find online risks to the public. Anyone in possession of the server’s IP address could access a database containing millions of people’s private information. The breached database contained a ton of sensitive personal information (408 GB worth) and more than 318 million records in total.
https://www.identityforce.com/blog/2021-data-breaches
https://www.safetydetectives.com/blog/socialarks-leak-report/
Mei X Wang says
COO Charged in Georgia Hospital Cyber-Attack
The chief operating officer of an IoT security company, Securolytics, was recently indicted by a federal grand jury because of an attack carried out against a Georgia hospital. In 2018, the Gwinnett Medical Center was attacked, leaving confidential PHI exposed.
The COO, Vikas Singla, was the co-founder of Securolytics, a start-up that served the healthcare industry, providing cloud-based threat detection and analytics for IoT. The attack was suspected to be motivated by financial gain. Singla helped disrupt the center’s phone service and network printer service, and also obtained information for digitizing devices. He is also suspected of aiding other attacks against Duluth and Lawrenceville hospitals through the use of Lexmark printers.
The case is still under investigation, but this brings up a big issue in the information security world. How do we protect ourselves against the companies that are offering us protection? Procurement and third-party risk management programs need to be expanded upon in all organizations.
https://www.infosecurity-magazine.com/news/coo-charged-in-georgia-hospital/
Vanessa Marin says
First Horizon Corporation suffered a breach in early April of this year in which attackers accessed personal information of customers and managed to drain accounts of all their funds prior to being discovered. Details surrounding the breach are still under investigation; however, it was disclosed that the accounts were accessed using previously stolen credentials and a vulnerability in third-party software was exploited. The vulnerability allowed access to 200 online customer bank accounts.
First Horizon did not provide further details on the exploited third-party software and what occurred there, but did say the vulnerability had been patched and addressed and funds had been refunded to customers. Impacted credentials and accounts had also been reset.
https://www.bleepingcomputer.com/news/security/first-horizon-bank-online-accounts-hacked-to-steal-customers-funds/
https://www.helpnetsecurity.com/2021/06/08/unauthorized-access-breaches/
https://www.helpnetsecurity.com/2021/04/21/select-identity-management-solution/
https://www.helpnetsecurity.com/2021/06/11/biometrics-for-banking-market/
Jerry Butler says
Astounding! This story reflects some of the benefits of I&AM technologies, because if they are implemented correctly, these types of hacks should not be able to happen and go undetected for a long time.
Amelia Safirstein says
An employee of venture capital firm Sequoia Capital fell victim to an email phishing scheme. The bad actors were then able to access the employee’s email inbox, which contained sensitive client information. If Sequoia Capital had focused more attention on training employees to recognize these types of attacks and training employees not to send sensitive information via vulnerable channels of communication, they may have been able to avoid this incident. Sequoia Capital has now hired a cybersecurity firm to investigate the incident and is implementing cybersecurity training for all employees.
https://www.securityweek.com/venture-capital-giant-sequoia-targeted-bec-attack
Vanessa Marin says
You know… one of my biggest pet peeves is blaming the victim. Companies always have to find a poor schmuck and then blame training. Yes, I agree, awareness is a factor, but the company should OWN their gaps too. So when I read your article, I went in all guns blazing, ready to blast at Sequoia Capital. 🙂 However, I was pleasantly surprised: though they did not explicitly acknowledge the gaps in their security, their resolution included much more than “we retrained”. Below is the direct list of items they fixed/changed/added from the article you posted.
“- configuration issues which allowed the attacker to gain initial access
– added technology to detect suspicious activity and malicious email content
– reviewed methods of storing and sharing sensitive information
– and [lastly] refreshed security training with an emphasis on phishing awareness and data handling.”
Very nice to see a company take ownership beyond blaming the little guy.
Vanessa
Amelia Safirstein says
Great point, Vanessa. Companies do frequently blame the little guy. Occasional failures are inevitable so looking at compensating mitigations and implementing a defense-in-depth setup is important.
William Bailey says
In this morning’s news, it was reported that 3.2 million Wegmans customer records were accessed due to a configuration error on a cloud-hosted database. While Wegmans doesn’t store Social Security numbers, the database could be used to learn more about individuals with their name, address, email address, date of birth, and phone number. The security researcher interviewed noted that customers should change their Wegmans passwords, and that if they used the same password elsewhere, they should change those passwords also. If passwords are used on multiple systems, one system breach could result in improper access on another system/site.
https://www.whec.com/news/cybersecurity-expert-weighs-in-on-possible-exposure-of-wegmans-customer-data/6144040/
Eugene Angelo Tartaglione says
https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-altered-ledger-devices-to-steal-cryptocurrency/
Criminals are mailing altered Ledger devices to steal cryptocurrency
Scammers are sending fake replacement devices, used to steal cryptocurrency wallets, to Ledger customers exposed in a recent data breach. The end users were sent brand-new, official-looking devices, which were real, but were altered by the data breachers to include a soldered-on USB device that has an executable set up with the device to be a “password Migrator” tool, which will take the supplied passwords and send them to the hackers who initially sent these devices out to the Ledger customers.
Jerry Butler says
This is interesting, Eugene. I thought that cryptocurrencies are secure.
Jerry Butler says
The GoDaddy Data Breach: What You Need To Know
According to the company, an “unauthorized individual” gained access to users’ login details to connect to SSH. However, GoDaddy said the breach only affected hosting accounts rather than customer accounts. Further, the intruder did not access customer data, and the breach affected less than 30,000 users.
On the surface, this appears a minor breach in the grand scheme of digital attacks. However, it highlights fundamental truths about cybersecurity and identity management which some enterprises struggle to grasp. First, it shows that regardless of size, your business remains vulnerable to cyberattacks. Second, the GoDaddy Data Breach shows the perils of using inadequate authentication protocols to protect data. Third, the breach serves as an example of how dangerous a lack of security visibility can be to your business’ reputation, both in the short and long term.
Additionally, it provides a lesson in Secure Shell (SSH) keys; SSH protocols are used to log in remotely from one system to another. By providing strong encryption, it allows for the secure issuing of commands remotely and for remote management. The SSH keys allow access to this encrypted connection.
https://solutionsreview.com/identity-management/the-godaddy-data-breach-what-you-need-to-know/
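Added example, not from the article or from GoDaddy: a small POSIX shell audit of an sshd_config for the settings that let stolen login details alone open an SSH session, with a constructed weak config beside a constructed key-only one (Match blocks are not handled).

```shell
# Added example: audit sshd_config text for password-based access.
# WEAK_CFG and HARDENED_CFG are constructed samples, not any real host's.
WEAK_CFG='# constructed sample: password logins allowed, root included
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes'

HARDENED_CFG='# constructed sample: keys only, root never by password
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthenticationMethods publickey'

# effective_value CONFIG KEYWORD: sshd honours the first occurrence of a
# keyword, so report the value on the first non-comment line that sets it.
effective_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); exit }'
}

# audit_sshd CONFIG: print one FINDING per risky setting to stderr and
# echo the number of findings (0 means only key-based logins are accepted).
audit_sshd() {
  cfg=$1
  n=0
  pw=$(effective_value "$cfg" PasswordAuthentication)
  # sshd defaults PasswordAuthentication to yes, so an absent keyword counts
  if [ "${pw:-yes}" = "yes" ]; then
    echo "FINDING: PasswordAuthentication effectively yes (stolen passwords grant access)" >&2
    n=$((n + 1))
  fi
  if [ "$(effective_value "$cfg" PermitRootLogin)" = "yes" ]; then
    echo "FINDING: PermitRootLogin yes (root reachable with a password)" >&2
    n=$((n + 1))
  fi
  if [ "$(effective_value "$cfg" PubkeyAuthentication)" = "no" ]; then
    echo "FINDING: PubkeyAuthentication no (keys cannot be used at all)" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

audit_sshd "$WEAK_CFG"       # 2
audit_sshd "$HARDENED_CFG"   # 0
```

On a real host, pass the output of `sshd -T` instead of the file text to see the effective values after defaults and Match blocks are applied.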