Data breaches - The month that was
With Halloween around the brink of October, the past month was the start of the scare for organizations across the globe. High-profile data breaches and stolen sensitive data caused a fright, and the ransomware group LAPSUS$ rose back from its grave.
It all started with the attack on Uber by a teenage hacker group. Shortly after, the Intercontinental Group of Hotels fell victim to a wiper attack carried out by a vengeful Vietnamese couple. A couple of days after, airline giant American Airlines disclosed details of a data breach to their customers.
These are just a few high-profile incidents that received a lot of media attention. So many global companies keep falling victim to a variety of security breaches and attacks. What is happening? Let’s analyze!
The attack on Uber - Trick! or Treat?
World-leading cab aggregator - Uber fell prey to a cyberattack last month. Preliminary analysis by experts suggests that attackers made use of the simplest attack technique to obtain the login credentials of an Uber employee to gain privileged access to internal systems. An 18-year-old teenager moved laterally through their internal IT systems to access sensitive information. This teenager is alleged to be part of the LAPSUS$ group of cybercriminals.
The teen pushed MFA Approvals repeatedly to the target employee. On allowing the MFA approval on his device, the hacker obtained initial access inside the company. He was then able to access resources shared on the network that included PowerShell scripts. One of the scripts contained hardcoded credentials for an administrator account - quite the treat for any hacker in disguise.
With this powerful administrator account, the hacker gained tokens to access their AWS console, GSuite, Slack channels, and other internal resources - including Uber vulnerability reports. The hacker accessed all the internal tools and posted screenshots of classified data on the internet.
In fact, LAPSUS$ did not stop there. A week after - they allegedly hacked Rockstar Games, a well-known game production company famous for creating the GTA video game series. Screenshots and videos from the unreleased GTA-6 were released on the internet by the same group.
Intercontinental hotel group data breach - No hocus pocus here!
Intercontinental Hotel Groups - one of the leading conglomerates operating more than 6000 hotels across 100 different countries fell prey to a phishing attack. The attackers, suspected to be a couple from Vietnam, initially tricked an employee into downloading a malicious email attachment and then managed to go through the two-factor authentication steps successfully. Following the breach, IHG booking systems were disrupted and a lot of data was lost from its database, temporarily sending it into a zombie state.
The hackers managed to gain access to sensitive assets once they gained access to the company’s internal password vault. Much to the attacker’s surprise, the credentials used to access the vault were available to all of the company’s employees, around 200,000 in number! . Adding salt to the wound, the password used to access the vault containing sensitive secrets of the entire organization was found to be ‘Qwerty1234’ - A password that neglects the Halloween spirit of being well disguised.
All standard password management solutions enforce strong password rules to access the vault. They never allow the use of weak passwords. It is quite surprising to note that the password to access the vault itself was weak and that a global leader with the ability to invest heavily in protecting their assets would fail at the very basics of password security.
The organization’s IT team was proactive in deploying countermeasures when the couple tried to unleash a ransomware attack on their network. The team was successful in isolating the servers from the network and effectively curbing ransomware propagation. Frustrated over the fact, the vengeful Vietnamese couple resorted to extreme methods and carried out a Wiper Attack instead. They immediately deleted massive amounts of data and took some corporate data and email records from the database causing huge temporary disruption for the organization.
American Airlines disclose data breach - A phantom from the past
American Airlines fell prey to a similar attack. The login credentials of an undisclosed number of employees were reportedly compromised. They have zeroed in on the cause to be a phishing attack perpetrated way back in July.
Hackers are known to be dormant once they have gained a foothold on an organizations’ IT infrastructure. They gather resources and information months together before making a move. These ghost invaders can be tracked and traced by gaining better visibility into all the accounts in an organization and the access they hold. An enterprise password management solution discovers and gives visibility into all the orphan accounts that may be potential threats to an organization.
Data leaked in the Intercontinental hotel attack reportedly includes employee and customer names, ages and birth dates, email addresses, personal phone numbers, license numbers, passport numbers, and certain medical information. This information known as PII (Personal Identifiable Information) has to be protected by GDPR norms in Europe. Failing to protect this information may cause a heavy fine to the organization involved, although American Airlines hasn’t disclosed any imposed fines.
Numerous cyberattacks, repetitive methods
Cyberattacks happen in a variety of ways. Security experts have predicted a data breach to occur every second by the year 2035.
Cybersecurity researchers have come a long way in concocting innovative ways to make IT secure. Parallelly, attackers and bad actors devise new ways and design new methods and strategies to circumvent the multiple layers of security that are put up.
Even though the damage was mainly caused due to incompetent password hygiene, the initial breach happened as a result of elaborate phishing campaigns.
Dragged yet again into the fundamental roots of password security.
What we can gather from these incidents is that history always repeats itself. You can deploy the most innovative security measures to prevent attacks, but without adhering to the best practices, the systems in place will remain vulnerable. Even though the methods of cyberattacks have grown more and more complex, the building block of access security has been and remains - maintaining password hygiene and best practices. This includes monitoring and controlling privileged access, patching software to their latest versions, and wholistically managing all sensitive activity.
Had these organizations followed best practices such as eliminating hard-coded credentials, enforcing password complexity rules, and a robust password policy, the attackers would not have succeeded in their attempt to access critical systems.
At the cost of sounding repetitive, here are a few access security best practices that organizations should follow.
Crawl the dark web - Monitor the dark web for breached passwords and eliminate their usage in your organization.
Spin the wheel - Put an end to password reuse, and rotate passwords periodically. You can create competent password policies for your organization and enforce them.
Cast a spell barrier - Enforce Multi-Factor Authentication for access to all sensitive assets. This acts as an additional layer of security and can prevent over 99% of identity compromises when compared to passwords alone.
Protect your candy trove - Use an enterprise-grade password vault for your sensitive passwords, credentials, and files - the candy of your organization.
Wear a pumpkin over your head/Disguise your passwords - Passwords in plain text and on applications are a major cause of breaches. Mask passwords while giving your users access to them and utilize APIs to fetch credentials.
Utilize a crystal ball - Looking into the future isn’t possible but you can prevent threats by reading the right cues. Monitor and record all user activity and send password activity logs to your SIEM solution and obtain actionable insights.
After implementing all the above best practices, it is crucial to educate your employees - every last one of them about cybersecurity and provide an action plan that should be followed when anomalous behavior is detected. Employees are humans at the end of the day and are prone to making mistakes, and you cannot expect them to be the complete line of defense. As cyberattacks take new avenues it is important to keep them informed and vigilant.
Closing the cauldron that brews security loopholes
If we take a closer look at the events, we can see that the initial breach was limited to endpoints. The lack of proper privilege management practices and workflows helped the attackers in their quest to gain access to sensitive information.
Though organizations certainly require advanced technologies and a variety of cybersecurity tools, losing out on the basics of security leads to attacks. Password security is the foundation of information security. Internalizing this fact is critical.
Enforcing and automating these best practices can effectively shut down the pot that brews the recipe for password attacks. These practices can be automated to reduce error by using Password Management and Privileged Access Management solutions like Securden.