
Cyber Security Capstone

Temple University

MIS 5903.711 ■ Summer 2022 ■ William Bailey

Week 6: In the News – Compromised Identities, Improper Use of Access

June 10, 2022 by William Bailey

For this week’s “In the News”, research an article that centers around how identities were compromised to provide access, or how an account that was otherwise authorized was then used for unauthorized purposes.

Filed Under: Week 06: Identity and Access Management

Comments

  1. Anthony Wong says

    June 11, 2022 at 6:44 pm

    In April 2022, Cash App filed a report with the Securities and Exchange Commission (SEC) explaining that the company had a security breach affecting approximately 8.2 million customers. It was disclosed that a former employee downloaded company reports containing data on customers who used Cash App’s investing services, which included Social Security numbers, credit card information, dates of birth, and first and last names. The article does not mention any more details about the former employee, but an important question to answer is whether the employee required access to these reports. Additionally, was the former employee still with Cash App at the time of the breach? If not, why does Cash App not have a policy that includes a user account decommissioning process?

    In the second article, I found that the former employee was authorized to access this information, but the report was downloaded after he was no longer employed with Cash App. It is surprising to me that Cash App did not have a DLP solution implemented to monitor the egress points for sensitive information and prevent it from leaving the network.

    Sources:
    https://news.trendmicro.com/2022/04/07/cash-app-data-breach/
    https://www.usatoday.com/story/money/2022/04/06/cash-app-data-breach/9490327002/

    • William Bailey says

      June 12, 2022 at 7:12 am

      Before I comment too much about this article, what kind / how many controls should have been present in Cash App’s Information Security Program?
      (hint – there is no silver bullet, and think before/after the breach, because Cash App is still in business; how do they minimize the likelihood or impact of the next breach attempt?)

      • Anthony Wong says

        June 12, 2022 at 9:19 pm

        I think Cash App would need to implement a DLP solution to monitor the egress points for any information classified higher than confidential, to prevent it from leaving the network. Furthermore, Cash App may want to implement a tokenization server to replace the sensitive data with tokens, or mask the data and encrypt it at rest. Additionally, Cash App should implement a policy and process to deactivate users’ access as part of the onboarding process.

  2. Kelly Sharadin says

    June 11, 2022 at 8:56 pm

    In this article from ZDNet, cyber criminals are increasing their “dwell time” within networks to an average of 15 days. There have even been instances of multiple competing criminals gaining and maintaining access to a network within the same time frame. This increased dwell time allows criminals to amass a greater repository of organizational intelligence to launch more sophisticated attacks. Sophos, a leading security company, reports that in 2021, 47% of successful attacks used unpatched security vulnerabilities to gain initial access. The article goes on to highlight that strained and under-resourced security departments are failing to detect suspicious activity within their networks. Business email compromise is often a result of increased criminal dwell time. Strong identity and access logging is critical for investigating suspicious user activity such as enumeration and exfiltration of business data.

    https://www.zdnet.com/article/hackers-are-now-hiding-inside-networks-for-longer-thats-not-a-good-sign/

  3. Kyuande Johnson says

    June 12, 2022 at 5:15 pm

    A large-scale phishing attack was uncovered by PIXM, as well as the person who had been carrying out the attacks.
    Anti-phishing company PIXM found that a fake login portal for Facebook was being used as a stand-in for the social network site’s landing page, and that users were entering their account information in an attempt to log in to the site, only to have their information stolen. Ensuring that MFA is enabled on all social media platforms is essential. The threat actor was able to obtain the login information of users who entered their credentials into the portal. Enabling MFA would’ve prevented the threat actor from logging into the account. In most cases, people use the same social media user name and password for other online services such as banking.

    • Kyuande Johnson says

      June 12, 2022 at 5:16 pm

      https://www.techrepublic.com/article/a-cybercriminal-stole-1-million-facebook-account-credentials-over-4-months/

    • Kelly Sharadin says

      June 12, 2022 at 7:29 pm

      Yikes! I would say go one step farther – enforce MFA. Many times I’ve audited a company that says “oh, yeah, we have MFA”. Unfortunately, enabled != enforced. If users are given the option to voluntarily enroll in MFA, they will delay as long as possible; best to enforce MFA, in my opinion.

  4. Shubham Patil says

    June 12, 2022 at 8:05 pm

    I found an interesting article about a woman who is accused of downloading data of more than 100 million Capital One customers. Her lawyers argue a conviction would criminalize legitimate research practices.

    This article shows why a zero-trust model is important for enterprises today. Ms. Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. In 2019, she downloaded personal information belonging to more than 100 million Capital One customers. The data came from applications for credit cards, and included 140,000 Social Security numbers and 80,000 bank account numbers. She faces 10 counts of computer fraud, wire fraud and identity theft. Ms. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a “novice white-hat hacker.”

    https://www.nytimes.com/2022/06/08/technology/capital-one-hacker-trial.html

  5. Mohammed Syed says

    June 12, 2022 at 9:01 pm

    https://www.jdsupra.com/legalnews/compromised-email-account-leads-to-data-9566510/
    In this digital era, attackers are brilliant, and they always try new techniques to gather authorized authentication. They use social engineering and advanced technology to compromise the security authentication of legitimate account credentials; even maximum-security hardware and software fail against social engineering attacks, because these attacks target human nature directly. In the above news article, LLC confirmed that the company experienced a data breach after an unauthorized party accessed sensitive consumer information through employee email accounts, including names, Social Security numbers, driver’s license numbers, and state identification numbers.
    As per the investigation, the data breach happened because attackers hacked the employee email address between 4 and 18 Nov 2021. Later they breached all sensitive databases of individual consumers, including Social Security numbers and state identification numbers. On May 27, 2022, LLC issued a Notice of Data Breach to all individuals whose information was compromised due to the incident. They do not clarify how it happened and how the hacker got the sensitive information, but it is clear it happened because an employee’s email ID was hacked by attackers. To hack email addresses, attackers use social engineering techniques like phishing, spyware, malware, keyloggers, and other attacks to get email authentication and credentials.
    Thus, it is mandatory and essential that they take appropriate steps to educate all employees about the risks to data security, make them aware of social engineering attack techniques and phishing emails, and all other challenging threats to businesses. It all happened because one email account was accessed by a third party, damaging the whole organization’s reputation and consumers’ sensitive information.

  6. Vraj Patel says

    June 12, 2022 at 9:20 pm

    According to research conducted by the Microsoft Security Response Center (MSRC), malicious actors can get unauthorized access to an online account even before the user has created it. According to their research, pre-hijacking attacks are more vulnerable to high-traffic services. The malicious actors capture basic information about the victim, such as their name and email address, and then use that information to get access to services that the user does not utilize but has access to via federated authentication. To mitigate this attack, they also recommend using multi-factor authentication wherever possible.

    Reference:
    https://portswigger.net/daily-swig/dozens-of-high-traffic-websites-vulnerable-to-account-pre-hijacking-study-finds

  7. Antonio Cozza says

    June 13, 2022 at 9:37 pm

    This article raises a pretty painful point regarding cloud identity and access management: many teams implementing cloud identities are not focusing on access controls for both standard and even privileged enterprise accounts! The result of this is that attackers are able to execute simple browser exploits and remain undetected in organizations’ cloud environments for extended periods of time. The lack-of-MFA-enforcement sentiment continues in this case as well; according to Aaron Turner, VP of SaaS Posture at cybersecurity company Vectra, all entry points into the cloud environment are, by and large, not covered by MFA – only one interface is. This leaves the rest open to attacks that render the one MFA-protected interface useless.

    https://securityboulevard.com/2022/04/mismanaged-iam-can-lead-to-data-breaches/

  8. Mitchell Dulaney says

    June 15, 2022 at 9:53 am

    “Kaiser Permanente Exposes Nearly 70K Medical Records in Data Breach”

    Personal health information related to roughly 70,000 patients was compromised when a Kaiser Permanente employee’s account credentials were stolen. The employee fell victim to a phishing attempt, and the attacker used their credentials to access their emails for a period of several hours before the company “terminated the activity”. Those emails contained patient medical records, which the attacker could use to launch further social engineering campaigns against the patients themselves. Strangely, Kaiser cannot confirm or deny whether the attacker actually accessed the emails containing the PHI, because their audit logs don’t include such information. Because of this uncertainty, and the fact that Kaiser was forced to notify all 70,000 potentially impacted patients, many experts say that the company has insufficient incident response procedures. This case is proof that it is critical that organizations implement detailed audit logs related to information asset access, including such granular details as which emails are viewed in an employee’s mailbox.

    https://threatpost.com/kaiser-permanente-breach/179949/

