Breach Trends and Insights – March 2021

8789832263?profile=original

This report summarises the top breaches between 25th February till 25th March 2021. 

The report will help you to keep track of the latest hacks and add insights to safeguard your organization by looking at the trends. 

Since the pandemic began, the FBI reported a 300% increase in reported cybercrimes. The attack techniques cover a good mix of attacking wrong configuration, mistake by oversight as well as some novel zero-day attack.

In this report, we will talk about some of the important cyberattacks that have taken place during the last month. 

Top 10 FireCompass Insights From Recent Breaches

Analyzing the attacks, the following key insights are gained:

  1. Legacy COTS products that are heavily used in enterprises and exposed over the internet still contain unpatched code that is not secured in today’s connected environment and as a result, exposes vulnerabilities. It is especially true where a large number of instances are involved.
  2. Nation state-sponsored adversaries are targeting to exploit widely used legacy enterprise COTS products (e.g. Microsoft Exchange) using zero-day exploits even when the attack is not of the variety of large-scale APT.
  3. Some of the vulnerability types that were mostly countered and have not been that common in the recent past have reappeared.
  4. New attack vectors viz. SSRF is gaining popularity among hackers
  5. The understanding and knowledge regarding identifying new attack vectors are low with the defenders and as a result, the testing and countermeasures are not adequate.
  6. Complex integration with many third-party systems has expanded attack surfaces to an extent that is not always clearly understood. As a result, assessing risk and taking appropriate countermeasures becomes challenging. Regular attack surface monitoring is becoming a key measure of protection against cyberattacks.
  7. The exploitation of vulnerabilities induced by a lack of appropriate countermeasures in the supplier’s systems in a supply chain is on the rise.
  8. Lack of standardized data sharing procedure with suppliers and ability to track shared information throughout its lifecycle in a highly complex environment causing data breaches that have directly and indirectly attributed to exploitation of existing vulnerabilities. For example, credentials shared with suppliers for testing or integration purposes landed into production environments due to a lack of adequate data governance in today’s big data environment.
  9. Lack of efficient backup and speedy restoration techniques allow ransomware to impact organizations easily. Due to data volume, the data restoration exercise is not regularly practiced. Due to high restoration time coupled with the demand to run the business without any downtime has made a target having no option but to meet ransomware attacker’s demand thereby incentivizing more such attacks.
  10. Not following simple security controls and trading off convenience over security is still a major reason for security breaches. Hardcoded credentials, especially in embedded systems are common.

Top 6 Breaches In March 2021

Microsoft Exchange Server Hack

Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China and appear to have been adopted by other cyber attackers in widespread attacks.

Impact: The attack impacted hundreds of thousands of organizations globally and 30,000 in the US

Cause: Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by nation-state attackers

Microsoft Exchange Server is an email inbox, calendar, and collaboration solution. Users range from enterprise giants to small and medium-sized businesses worldwide.

The critical vulnerabilities, known together as ProxyLogon, impact on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. However, Exchange Online is not affected. 

Microsoft is now also updating Exchange Server 2010 “for defense-in-depth purposes.”

  • CVE-2021-26855: CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.

  • CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.

  • CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file writes vulnerability to write to paths. 

  • CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file writes vulnerability to write to paths.

 

If used in an attack chain, all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and potentially further malware deployment.

On March 2, Microsoft released patches to tackle the four severe vulnerabilities in Microsoft Exchange Server software. At the time, the company said that the bugs were being actively exploited in “limited, targeted attacks.” 

On March 12, Microsoft focused its investigation on whether the hackers obtained the credentials needed to gain access to the Exchange Server by a Microsoft partner, either intentionally or unintentionally. It is suspected that the hackers possessed Proof-of-Concept (PoC) attack code that Microsoft shared with antivirus companies as part of the company’s Microsoft Active Protections Program (Mapp).

Source – Zdnet.com

Computer Giant Acer Hit By $50 Million Ransomware Attack

Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.

A ransomware gang recently targeted a Microsoft Exchange server on Taiwanese PC giant Acer’s domain. Acer’s Exchange server had been targeted, according to a screenshot from BleepingComputer, which first reported the news. Revil claimed on their leak site Thursday that they had broken into and stolen Acer’s unencrypted data.

Impact: Documents that include financial spreadsheets, bank balances, and bank communications.

Cause: Acer Exchange Mail Server Flaw May Have Been Exploited

Source: bleepingcomputer.com

Walmart: Notice Of Data Security Incident

Walmart was informed by one of its suppliers that a data hosting service they used was compromised on January 20, 2021. An unauthorized party accessed the service and stole records from that service provider. Some of those records included information about a confined number of Walmart pharmacy patients. Walmart’s information systems were not affected by this incident.

Walmart’s supplier immediately stopped using the affected service. Although Walmart’s systems were not impacted, Supplier’s security practices were reviewed by Walmart and are monitoring the circumstances surrounding this event.

Impact: Information affected may have included some patient names, addresses, dates of birth, telephone numbers, information about medications such as drug name and strength, prescription numbers, prescriber information such as prescriber name, and dates associated with the prescription, such as fill dates.

Cause: Data Hosting service used by Walmart was compromised

Source: databreaches.net

Email Security Breach Impacts Covenant Healthcare Patients

Covenant Healthcare in Saginaw, MI has discovered an unauthorized individual gained access to two employee email accounts that contained the protected health information of 47,178 patients.

Impact: 47000 Patients PII were exposed

Cause: Unauthorized individual gained access to two employee email accounts that contained the protected health information of patients

A review of the compromised email accounts revealed they contained the following types of protected health information: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnosis and clinical information, medical treatment information, prescription information, doctors’ names, medical record numbers, patient account numbers, and medical insurance information. 

Affected individuals have been advised to place a fraud alert on their accounts and to monitor their account statements for signs of unauthorized activity. Affected individuals do not appear to have been offered complimentary credit monitoring.

Source – hipaajournal.com

Hackers Access Security Cameras Inside Cloudflare, Jails, And Hospitals

Hackers say they broke into the network of Silicon Valley startup Verkada and gained access to live video feeds from more than 150,000 surveillance cameras the company manages for Cloudflare, Tesla, and a host of other organizations.

Verkada exposed an unprotected internal development system to the Internet. It contained credentials for an account that had super admin rights to the Verkada network. Once inside the network, the hackers said they had access to feeds from 150,000 cameras, some of which provided high-definition video and used facial recognition.

Impact: Hackers gained access to live video feeds from more than 150,000 surveillance cameras the company manages for Cloudflare, Tesla, and a host of other organizations.

Cause: Exposed hardcoded password (Verkada exposed an unprotected internal development system to the Internet)

Source: arstechnica.com

Molson Coors Brewing Operations Disrupted By A Cyberattack

The Molson Coors Beverage Company has suffered a cyberattack that is causing significant disruption to business operations. Molson Coors disclosed that they suffered a cyberattack on March 11th, causing significant disruption to their operations, including the production and shipment of beer.

“On March 11, 2021, Molson Coors Beverage Company (the “Company”) announced that it experienced a systems outage that was caused by a cybersecurity incident. The Company has engaged leading forensic information technology firms and legal counsel to assist the Company’s investigation into the incident and the Company is working around the clock to get its systems back up as quickly as possible.

“Although the Company is actively managing this cybersecurity incident, it has caused and may continue to cause a delay or disruption to parts of the Company’s business, including its brewery operations, production, and shipments,” Molson Coors disclosed.

Impact: Business Operations have been impacted as employees are unable to access specific systems.

Cause: Ransomware Attack 

Source: bleepingcomputer.com

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)