<https://castlehalldiligence.com>

Industry News: ESG5

      Know Your Breach: Klaviyo

      The Target: Klaviyo, an email marketing firm.

      The Take: Exposure of clients’ Personally Identifiable Information including: names, addresses, emails, phone numbers, and two internal customer lead lists.

      The Vector: The attacker penetrated Klaviyo’s internal systems by tricking an employee into giving up their company credentials through a phishing attack, allowing the threat actor to access systems with all the privileges of the stolen login.

      This breach highlights the critical need for employee training to protect a firm against phishing attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.


      Know Your Breach: Wiseasy

      The Target: Wiseasy, an Android-based digital payments company.

      The Take: Exposure of payment information, system admin credentials, plain-text passwords for WiFi networks the app was connected to, and client personal information including: names, phone numbers, and email addresses.

      The Vector: Compromised employee credentials were sold on the dark web, allowing the attackers to log in and act as legitimate users to make configuration changes and view sensitive information.

      As Wiseasy had no multi-factor authentication set up on employee accounts, the exposed credentials let attackers fully access their internal systems and perform actions with every permission the breached accounts had access to. This security lapse is a stark reminder of the importance of having proper multi-factor authentication enforced on any and all accounts that have access to critical internal services.


      Know Your Breach: Entrust

      The Target: Entrust, a digital cybersecurity firm focused on identity management.

      The Take: Sensitive corporate internal data from Entrust’s own IT systems.

      The Vector: The attacker used previously compromised Entrust employee credentials to access their internal systems, posing as an authenticated user.

      This breach is a critical reminder of the importance of credential authentication and password hygiene. Enforced multi-factor authentication could have prevented the Entrust breach; multi-factor authentication, along with reasonably regular forced password resets and password length and complexity rules, is an effective strategy to mitigate these kinds of breaches.


      Know Your Breach: Morgan Hunt

      The Target: Morgan Hunt, a British recruitment agency.

      The Take: Exposure of Personally Identifiable Information including: names, contact details, identity documents, proof-of-address documents (bank or building statements), national insurance numbers, and dates of birth.

      The Vector: The attackers breached a third-party software developer working for Morgan Hunt, which was storing the access credentials to Morgan Hunt’s database with no authentication or access controls.

      This breach is a stark reminder that authentication controls are a critical piece in an overall robust cybersecurity posture. Furthermore, all steps should be taken by a firm to ensure any third-party vendor who can access their data is employing the requisite methods. Enforcing multi-factor authentication, reasonably regular forced password resets, and password length and complexity rules are all effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.


      Know Your Breach: Axie Infinity

      The Target: Axie Infinity, a Decentralized Finance company that runs a “play to earn” video game.

      The Take: $625 million worth of cryptocurrency.

      The Vector: The hackers used social engineering and phishing to craft a highly targeted fake job offer email and embedded a malicious program inside a PDF attachment. The Axie Infinity employee believed this was legitimate and opened the PDF attachment, and during the fake recruiting process also gave away critical personal information, which was then used to gain access to the firm’s systems and steal the funds.

      This breach highlights the ongoing and ever-present need for employee training to protect a firm against social engineering attacks. By using the exposed credentials, the attackers were able to act with all the same permissions as the affected employee and pivot into other systems. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.


      Know Your Breach: Kaiser Permanente

      The Target: Kaiser Permanente, a U.S.-based health plan and health-care provider.

      The Take: Personally Identifiable Health Information on 69,000 individuals, including: first and last names, medical record numbers, dates of service, and laboratory test results.

      The Vector: A threat actor gained access to a compromised employee email account and, acting with all the same permissions as the breached credentials, downloaded and stole the information.

      This breach is a stark reminder of the importance of robust employee credential authentication and password hygiene. Performing regular monitoring of account behaviour is critical to ensure access is kept within the firm. Additionally, locking down permissions and admin access, and ensuring users have only the tools they need to do their jobs and no more, will reduce the risk of these attacks.


      Know Your Breach: Halfords

      The Target: Halfords, a U.K.-based automobile maintenance service.

      The Take: Exposure of Personally Identifiable Information of current and past customers including: telephone number, car details, and physical address location.

      The Vector: The firm’s automated confirmation email contained an order-tracking URL with the order ID in the address. By incrementing the ID number, orders belonging to other customers could be freely accessed and viewed.

      The breach is a critical reminder of the importance of credential management and authentication around points of access which expose customer data. The information stored in customer records is especially sensitive, as the exposed details can greatly aid malicious actors in crafting highly targeted and effective spear-phishing campaigns. All points of access to sensitive data should be appropriately locked down, minimizing unnecessary and dangerous exposure of customer information.
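      The Halfords vector is a textbook insecure direct object reference: the tracking handler trusts the ID in the URL and never asks who is requesting it. The following is an added illustration, not Halfords’ code or any code from Castle Hall, using a constructed in-memory order table. It shows the vulnerable lookup beside two hardened forms (an ownership check for logged-in customers, and an unguessable per-order token for links sent by email where no login exists) plus a small detection helper that flags a client walking consecutive IDs in an access log. All names, data and the tracking-token scheme are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Constructed sample data for the example (not real customer records).
@dataclass(frozen=True)
class Order:
    order_id: int
    customer_email: str
    phone: str
    vehicle: str
    address: str


ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice@example.com", "01234 000001", "Ford Focus 2015", "1 High St"),
    1002: Order(1002, "bob@example.com", "01234 000002", "VW Golf 2018", "2 Mill Ln"),
    1003: Order(1003, "carol@example.com", "01234 000003", "Mini Cooper 2020", "3 Park Rd"),
}


class Forbidden(Exception):
    """Raised when the caller may not view the requested order."""


def track_order_vulnerable(order_id: int) -> Optional[Order]:
    """The pattern behind the breach: the handler looks up whatever ID is in the
    URL with no check of who is asking, so adjacent IDs reveal other customers."""
    return ORDERS.get(order_id)


def track_order_secure(order_id: int, requester_email: Optional[str]) -> Order:
    """Hardened form for logged-in customers: require an authenticated requester
    and confirm the order belongs to them. A foreign order and a non-existent
    order produce the same error, so the ID space cannot be probed."""
    if requester_email is None:
        raise Forbidden("authentication required")
    order = ORDERS.get(order_id)
    if order is None or order.customer_email != requester_email:
        raise Forbidden("order not found")
    return order


def can_view(order_id: int, requester_email: Optional[str]) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        track_order_secure(order_id, requester_email)
        return True
    except Forbidden:
        return False


# Opaque tracking tokens (assumed scheme): for links in confirmation emails where
# the customer is not logged in, bind each order to a random, unguessable token
# instead of exposing the sequential order ID in the URL.
TRACKING_TOKENS: Dict[str, int] = {}


def issue_tracking_token(order_id: int) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not enumerable
    TRACKING_TOKENS[token] = order_id
    return token


def track_order_by_token(token: str) -> Order:
    order_id = TRACKING_TOKENS.get(token)
    if order_id is None:
        raise Forbidden("order not found")
    return ORDERS[order_id]


def flag_id_walking(access_log: List[Tuple[str, int]], threshold: int = 3) -> Set[str]:
    """Detection aid: return client IPs that requested `threshold` or more
    consecutive order IDs in a row, the signature of someone walking the ID space.
    `access_log` holds (client_ip, order_id) pairs in arrival order."""
    per_client: Dict[str, List[int]] = {}
    for ip, oid in access_log:
        per_client.setdefault(ip, []).append(oid)
    flagged: Set[str] = set()
    for ip, ids in per_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    # Constructed access log: one client walks three consecutive IDs.
    log = [("10.0.0.5", 1001), ("10.0.0.5", 1002), ("10.0.0.5", 1003), ("10.0.0.9", 1002)]
    print("vulnerable lookup leaks:", track_order_vulnerable(1002))
    print("alice can view 1002 under the hardened check:", can_view(1002, "alice@example.com"))
    print("clients flagged for ID walking:", flag_id_walking(log))
```

      The ownership check is the fix the commentary above calls for; the token scheme addresses the case the breach actually involved, where the link arrives by email and the reader may not be authenticated. The detection helper is deliberately simple (a threshold on consecutive IDs from one client) and would in practice be run over web-server logs alongside rate limiting.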


      Know Your Breach: StoreHub

      The Target: StoreHub, a Malaysian point-of-sale software vendor.

      The Take: Exposure of 1 million customer accounts with 1.7 billion records of Personally Identifiable Information including: full names, phone numbers, physical addresses, email addresses, device types, order information, partially masked credit card numbers, and access tokens.

      The Vector: A completely unsecured AWS Elasticsearch database server with no authentication or data encryption was left open and accessible to anyone with an internet connection.

      This breach highlights the critical importance of employing robust practices of credential management, user authentication and validation. The personal information, along with the event logs and sensitive company information, can lead to highly effective phishing attacks. Furthermore, the use of encryption on user data can help secure sensitive information in the event of a breach and its use is widely considered a key pillar of a robust cybersecurity posture.


      Know Your Breach: MyEasyDocs

      The Target: MyEasyDocs, an India-based online documents verification platform.

      The Take: Exposure of 57,000 customers’ (in this case students’) Personally Identifiable Information including: full names, phone numbers, grades, subject majors, email addresses, dates of graduation, National ID, and school registration number.

      The Vector: The breach occurred through a misconfigured Microsoft Azure database, letting anyone with internet access connect and download the sensitive data.

      This breach highlights the critical importance of employing robust practices of credential management, user authentication and validation. An unprotected point of entry on a key piece of equipment like a storage server can lead to a breach with a cascading effect on data security. The detailed personal information, along with the event logs and sensitive company information, can lead to highly effective phishing attacks.


      Know Your Breach: Verizon

      The Target: Verizon, a U.S. multinational telecommunications company.

      The Take: Exposure of an employee database containing Personally Identifiable Information including: full names, email addresses, and phone numbers.

      The Vector: The attacker posed as an internal support agent and tricked an employee into allowing them to remotely access their corporate computer. From there, the threat actor gained access to a Verizon internal tool that displayed employee information and wrote a script to scrape and export the data.

      This breach highlights the ongoing and ever-present need for employee training to protect a firm against social engineering attacks. While Verizon’s systems were not penetrated or affected in any way, the attacker was still able to exploit an employee’s ignorance to exfiltrate sensitive company data. The human component of cybersecurity is a very real and important piece of the overall picture of cybersecurity posture.
