Remote working is often cited as one of the top reasons for the rise in cyber-crime in 2020, but it’s far from the only growing challenge for today’s CISOs. Let’s set aside zoom-bombing, phishing scams, and the weak link of at-home devices, and take a look at 5 unique recent security breaches and what we can learn about boosting the efficacy of vulnerability testing as a result.
Middleware Could Be Used for Recon, or as a Stepping Stone
Estee Lauder had 440 million records exposed in February of 2020, many of which were related to middleware that the company uses internally, such as messaging software, application services, and API management. Middleware could be the end-target of an attack, but it can also be used as a route to inject malware elsewhere in the network by uncovering information on operating systems or communication paths.
When security testing is limited, it often focuses on the weaknesses of crown jewel applications alone, and so blind spots and gaps in the network can be easily missed. It’s important to recognize that even what at first glance seems like ‘unimportant’ information can be used as a stepping stone for lateral movement or network reconnaissance.
Are On-premises Security Tools a Target?
FireEye disclosed in December that they had become the victims of a nation-state attack. They described the breach as different from any of the tens of thousands of attacks they have responded to over the past 25 years, showing that new attack methods, or combinations of attack methods, are appearing all the time. FireEye’s red teaming and penetration testing tools were targeted and stolen in the attack, the same ones that the company uses to test their customers’ networks. These tools have yet to be leaked or utilized elsewhere, but could be used to uncover vulnerabilities in future targets, or simply exposed as a means to discredit FireEye directly.
A Call to Action to Shore up Credentials
An attack on Wishbone earlier this year (the second large-scale data breach the company has suffered since 2017) has put credentials under the spotlight. 40 million records were leaked in the attack, including mobile numbers, dates of birth, Facebook and Twitter account details, and passwords, too. These passwords were not plaintext, but MD5-hashed, an algorithm that has been considered “cryptographically broken” since 2010, and a reminder that organizations need to make sure they are on top of updating their security protocols. When considering a platform like Wishbone that holds so many private records that pertain to minors, revisiting security processes to make sure that policies aren’t outdated is more essential than ever.
Companies relying on vulnerability scanning platforms, take note. It’s important to focus on how attackers can access data, but also on up-to-date and prioritized mitigation to protect credentials if they become exposed. In this case, tokenizing or securely encrypting the data could have protected the users and stopped the data from being leaked and reused on the Dark Web.
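One concrete way to get “on top of updating” a password store that still holds legacy MD5 hashes is to verify against the old format on login and re-hash with a salted, slow KDF on the spot. The following is an added example, not code from the original post or from any vendor it mentions; the two record formats (`md5$…` and `pbkdf2_sha256$…`) and the sample users are assumptions.

```python
import hashlib
import hmac
import os

# Added example: a credential store holding legacy unsalted MD5 hashes,
# verified on login and transparently upgraded to salted PBKDF2-HMAC-SHA256.
# Record formats are assumptions, not any real product's layout:
#   legacy:  "md5$<32 hex chars>"
#   current: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
ITERATIONS = 600_000

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Produce a current-format record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def is_legacy(stored: str) -> bool:
    return stored.startswith("md5$")

def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    if is_legacy(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored[4:])
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: fail closed
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success against a legacy record, re-hash and replace it."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if is_legacy(stored):
        users[username] = hash_password(password)  # migrate on first good login
    return True

# Constructed sample store: one legacy MD5 record and one current record.
USERS = {
    "alice": "md5$" + hashlib.md5(b"correct horse").hexdigest(),
    "bob": hash_password("battery staple"),
}
```

Records that never see a successful login are not upgraded by this path, so a migration plan still needs a deadline after which remaining legacy records are invalidated and reset.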
The Shared Responsibility Model Gets Tested
Only 10% of consumers feel they have control over their personal data. Data leaks, such as the recent example of fitness company VShred, go some way to explaining why. The company was found to have exposed an AWS bucket containing the PII of tens of thousands of users, including sensitive ‘before and after’ photos, social security numbers, usernames, passwords, and more.
Dangerously, the response from the company suggested that they were unaware that users could anonymously browse and access this information, and that they had intentionally kept the bucket public so that users could download content such as meal plans.
Even small companies need to be able to show that they are protecting their customers’ data and are meeting compliance laws such as GDPR that demand thorough risk assessments of cloud storage, as well as tight policy around retention and access.
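The VShred exposure came from a bucket that was deliberately public for one kind of content and therefore public for everything else in it. The check below is an added example (not the original post’s or any vendor’s code) that flags bucket policy statements granting anonymous read; the sample policy, Sids and bucket name are constructed.

```python
import fnmatch
import json

# Added example: report S3 bucket policy statements that let anyone read
# objects or list keys. The sample policy below is constructed; the bucket
# name and account id are placeholders.
READ_TARGETS = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _grants_read(actions) -> bool:
    """Match action patterns such as s3:GetObject, s3:Get*, s3:* or * against read targets."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(t, p) for p in patterns for t in READ_TARGETS)

def anonymous_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant anonymous read access."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if _grants_read(stmt.get("Action", [])):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed policy: public meal plans and an application writer role share one bucket,
# so the first statement also exposes whatever else is stored alongside the plans.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicMealPlans", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET", "arn:aws:s3:::EXAMPLE-BUCKET/*"]},
  {"Sid": "AppWriter", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"}
]}
""")
```

A hit on a bucket that also stores PII means the public content belongs in its own bucket (or behind signed URLs), since no single policy can make one bucket public for meal plans and private for medical photos.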
Ransomware takes its Toll
2020 was a tough year for Australian-based Toll Group, which was the victim of two ransomware attacks in just three months. The first attack encrypted business-critical files using MailTo ransomware, also known as Netwalker. The second used Nefilim, a new variant of Nemty, which is thought to be distributed via exposed RDP and uses AES-128 encryption to lock files.
Almost 9 months later, Toll is still feeling the impact of the attacks, including attempting to limit the damage caused by the 220 GB of data that was stolen, some of which was exposed on the Dark Web. The company has therefore started a 12-month cyber resilience program to shore up its defenses.
As over 1,000 companies call ransomware a risk factor for their organizations, 2021 could well be the year that security teams get proactive about network-based risks and vulnerabilities.
Taking Vulnerability Management to the Next Level in 2021
These 5 attacks are an important reminder to all security teams that the level of today’s cyber threat has advanced. As a result, our security validation and threat emulation practices must keep up. This has opened a gap in security validation: periodic or manual pen testing cannot assess the risk from these threats, in either their sophistication or their breadth. Enterprises have to look at tools that can emulate the latest attacks in a safe way to know whether they are prepared. This is a new practice of continuous security validation that needs to be adopted.
The technologies chosen must support the secure management of a hybrid environment and provide intelligent data that supports and prioritizes mitigation, reducing your risk and preparing you for the day the worst-case scenario comes knocking on your door.
Interested in seeing how Pcysys checks all the boxes? Schedule a demo.