The target: Ubiquiti, a major vendor of cloud-enabled networking devices.
The take: Source code, customer data, and cryptographic secrets which would enable remote access to both professional and consumer-grade customer devices.
The attack vector: The attackers gained control of administrative credentials stored on an IT employee’s LastPass account. With these in hand, the threat actors gained high-level access to Ubiquiti Amazon Web Services accounts, including database storage servers, application logs, and user credentials. Multiple backdoor accounts were reportedly created. A whistleblower alleged that due to an absence of database access logging, Ubiquiti were unable to confirm which records had been accessed, by whom, and when.
While use of password vaults and privileged account management tools are absolutely a best practice, these tools can only be as secure as the authentication measures enforced upon them. Complex, unique passwords in addition to two-factor authentication should be in place wherever possible to protect privileged credentials and management consoles.
Additionally – comprehensive logging practices are critical to the reconstruction of events when investigating a breach, and the absence thereof can severely limit a firm’s the ability to determine the full scope of the attack.
The target: California State Controller’s Office
The take: Financial and personally identifiable information and documents, such as Social Insurance Numbers, on several thousand employees.
The attack vector: An employee, the target of a spear phishing attack, clicked on a suspicious link and entered their account ID/email address and password. This gave the attacker full access to SCO’s systems with the same level of access the employee had, including any files shared with the affected account. From here, the attacker further launched phishing attempts against over 9000 employees, using the hacked account to increase the believability of the scam.
Phishing attacks against individual employees remain one of the greatest security threats to the entire organization. Regular social engineering and awareness testing and training, along with tone-from-the-top messaging to emphasize the importance of critical thinking and caution are crucial to protecting sensitive information assets.
The target: SendGrid, a Colorado-based email marketing company.
The take: 400,000 unique login credentials of: email address, password, IP address, and physical location.
The attack vector: The attacker used a combination of previously hacked accounts on the SendGrid platform to send fake Zoom invites. As SendGrid was known as a trusted SMTP provider, the fake messages had a much higher chance of reaching their targets, passing through some email protection.
This incident highlights the importance of critical thinking as a component of social awareness training for staff. In the event that a trusted account is compromised, analysis of the context of these requests becomes the critical – is a meeting invite expected, does the timeline and subject matter line up with expectations? While messages originating from fraudulent e-mail addresses are easier to spot, they are not the only vector for phishing attacks – each item in the inbox must be approached with the same level of caution.
The target: Microsoft’s email server software, Microsoft Exchange.
The take: The networks of over 30,000 organizations, consisting of hundreds of thousand of on-premises servers. Threat actors have moved aggressively to exfiltrate personally identifiable information, highly sensitive company and client data, banking details, financial data, and more.
The attack vector: Four security holes in Exchange Server versions 2013 to 2019 were exploited in tandem to grant attackers full access to an array of email severs. More critically, in every instance where the breach was discovered, the intruders had installed a backdoor, which continues to allow remote access to affected servers even after the set of four vulnerabilities have been patched.
While zero-day exploits will unavoidably cause challenges for vendors and their clients, we underscore the critical nature of threat monitoring, timely patching, enacting defense-in-depth measures to mitigate the failure of any single layer of security controls. Approaching security incidents and overall cybersecurity with a “when not if” mindset can materially reduce the impact of incidents such as these.
The target: Star Alliance airlines, Air New Zealand, Malaysia Airlines, Finnair and others
The take: Frequent flyer information for at least a million passengers, including name, date of birth, gender, contact information, ID number and frequent flyer status.
The attack vector: The breach was traced to SITA, an IT service provider that claims to serve 90% of the global aviation industry, and acts as the intermediary to store and share frequent flyer information between airlines.
Supply chain attacks continue to pose a material threat, as bad actors identify high-value targets which can enable them to capture information for multiple organizations at once. When entrusting service providers with sensitive information, firms are still ultimately responsible for their data and must ensure that commensurate controls travel with it throughout its lifecycle.
The target: The Health and Welfare Department of West Bengal, India
The take: 8 million COVID-19 test results including personally identifiable information such as: name, age, address, and positive or negative test results.
The attack vector: The breach revolves around the health authority’s reporting system, whereby individuals who had been tested for COVID-19 received links by SMS with a unique URL to access their test results by web. It was discovered that there was no authentication in place on the reporting system, and that by incrementing the ID number included in the URL, anyone with internet access could access all test results for the state.
This example serves once again to highlight the huge risks of adopting a ‘security by obscurity’ model. When administering a public facing portal which provides access to sensitive information, authentication controls are not optional – it is simply inadequate to make all records publicly available and trust that the uniqueness of the URL will protect the sensitive data of organizations or individuals.
The target: The Independent School District of 2142 of St. Louis County Schools
The take: W-2 tax forms of 677 district employees with personally identifiable information including: Social Security Number, first and last name, home address, wages, and more.
The attack vector: A spoofed email requesting the forms came from an attacker pretending to be the district Superintendent. Believing the request to be legitimate, the forms were sent to the fraudulent email address provided in the request.
This breach highlights the importance of employee cybersecurity training and a posture of constant vigilance. Scammers rely upon people’s natural inclination to be helpful and prompt, and it’s critical to ensure that employees who handle sensitive information receive tailored training, emphasizing the caution and care they must employ in responding to unusual requests for data.
The target: Accellion, a U.S based cloud service vendor providing secure file transfer applications for enterprise use.
The take: A variety of datasets including personally identifying information and proprietary data for an estimated 300 clients, including The Australian Securities and Investments Commission, The Reserve Bank of New Zealand, Harvard Business School, Singtel (a Singapore-based telcom conglomerate), and the QIMR Berghofer Medical Research Institute.
The attack vector: Hackers breached the firm’s legacy File Transfer Application software by taking advantage of a zero-day vulnerability in a legacy software product – a point of weakness identified and exploited by a threat actor before the developer was made aware of it and was able to produce a patch.
This supply-chain attack against a platform which was near retirement highlights the danger of relying on end-of-life, legacy software products. Firms should be proactive in moving to current-generation software solutions - Accellion have reportedly “encouraged all FTA customers to migrate to Kiteworks [their current generation offering] for the last three years”.
The target: UScelluar, the fourth largest mobile network operator in the United States.
The take: Customer records of personally identifiable information including: names, addresses, account names and PIN codes, telephone numbers, information on their phone service plans, and the ability to alter the phone number on accounts which receive two-factor authentication texts.
The attack vector: The attackers tricked retail employees into downloading malicious software which contained a RAT (remote access tool), allowing the threat actors to access the computer systems remotely. As the employees were already logged into the CRM (customer retail management) software, the hackers were able to move freely within the systems using an employee’s credentials.
Social engineering is a widely used tactic by attackers to exploit our innate desire to be helpful in a quick manner without thinking through the consequences. The employee’s mistake, innocent or not, of clicking on an unverified link granted the attacker the ability to install a Remote Access Tool and navigate through the company’s systems under legitimate credentials. Continuous employee education around suspicious links, and the social engineering tactics they’re paired with, are critical components of a firm’s robust cybersecurity posture.
The target: Bonobos, a men’s clothing store.
The take: 70GB database containing personally identifiable information such as: 7 million order records, account information of 1.8 million customers with phone numbers, shipping and email addresses, 3.5 million partial credit card records, and hashed passwords.
The attack vector: While Bonobos’ own internal systems show no signs of breach, an externally hosted backup of the database was accessed in a provider’s cloud storage environment.
Security controls must always be commensurate with the sensitivity of data being stored, and must travel with that data, both within internal systems, and when transferring sensitive data to backup media or external vendor or partner’s systems. This attack highlights the importance of auditing and validating security controls at every stage of the data lifecycle.