6 Lessons From Major Data Breaches This Year
Though many incidents stemmed from familiar security failures, they served up — or resurfaced — some important takeaways.
September 22, 2021
Data breaches can have many causes, but most of them boil down to an organization failing to do, or detect, something it should have done had it been following security best practices.
Even so, these attacks can reveal a lot about the bad guys' tactics, techniques, and procedures, the state of malware, and developing trends on the threat horizon.
Many ransomware attacks, for instance, might have the same root cause — like a poorly configured RDP server that provides an initial foothold on the network, or a user clicking on a malicious attachment and downloading malware on their system. Yet today's ransomware attacks are very different from those of even a year ago. Many involve double- and triple-extortion schemes where attackers not only encrypt data but also use data theft and denial-of-service attacks as additional forms of leverage. As a result, the impact of ransomware attacks — and the responses to them — are different today than they might have been just a year ago.
Similarly, while phishing continues to be one of the most common initial attack vectors, phishing schemes themselves have become a lot more sophisticated and targeted, with many attacks now combining the use of email, text messages and phone calls.
Here's a look at some breaches or clusters of similarly themed attacks over the past year that served up (or resurfaced) some key lessons for security leaders.
A China-based threat actor tracked as the Hafnium Group and numerous other groups carried out a wave of attacks on a set of four vulnerabilities in Microsoft Exchange Server earlier this year. Hafnium's attacks alone impacted some 30,000 organizations. A lot of the attack activity targeting the so-called "ProxyLogon" vulnerabilities happened before Microsoft released a patch for the flaws in early March. The vulnerabilities sparked widespread concern because of the access they enabled attackers to gain on enterprise networks — and for how many organizations were impacted by them.
Casey Ellis, founder and CTO at crowdsourced security platform Bugcrowd, says the Hafnium and other Exchange server attacks signaled a shift in the tactics, techniques, and procedures of advanced persistent threat (APT) groups from stealthy, targeted attacks to opportunistic vulnerability exploitation.
"The Exchange flaws also provided an interesting demonstration of 'research clustering,'" he says. News of the vulnerabilities and attacks on them spurred even more activity targeting the flaws.
"The sense of 'blood in the water' drew the attention of many hackers — both good-faith and malicious," he says. The activity resulted in several more vulnerabilities being uncovered in Exchange Server.
Few breaches this year rattled the industry or had as wide an impact as a ransomware attack in May on US gas pipeline operator Colonial Pipeline. The attack — by a Russian group called DarkSide — forced the company for the first time in its history to completely shut down operations for a day while it tried to recover its systems. The shutdown triggered a temporary fuel shortage across some sections of the US East Coast.
The breach garnered a lot of attention because it hammered home how a well-chosen cyberattack could cause chaos on a national scale. It showed how some threat actors were not just capable but also willing to inflict damage on critical infrastructure targets that adversaries previously have avoided hitting for fear of repercussions.
Importantly, the attack highlighted the serious security gaps that prevail in the industrial sector and served as a catalyst for a cybersecurity executive order from the Biden administration designed to strengthen controls around critical networks. In announcing the order, Biden highlighted the need for countries to take decisive action against ransomware gangs operating out of their countries. He warned of the US government's willingness to pursue its own measures to disrupt the ability of such gangs to operate.
Fears that the attack would prompt some form of US cyber retaliation resulted in DarkSide and some other ransomware gangs ceasing operations in the days and weeks following the attack.
Several organizations, including general retailer Kroger, law firm Jones Day, the State of Washington, and security firm Qualys, were impacted in attacks earlier this year that exploited multiple vulnerabilities in a near-obsolete file-transfer appliance they were using from Accellion. The attacks resulted in sensitive data being stolen from many of the victims and later being made available for sale via a Dark Web site operated by a Russia-based group called FIN1.
The Accellion attacks drew some comparisons to the breach at SolarWinds because they impacted a widely used technology from a trusted vendor. One of the main takeaways is that supply chain risk is not an easy problem to solve, says Joseph Bambenek, principal threat hunter at Netenrich.
"The underlying issue isn’t controlling the secure coding practices of a vendor because you really can’t," he notes. "We’ve come up with models like the cyber kill chain, diamond model, and so on because we don’t need to detect every single atomic aspect of an attack."
What the attacks — and others involving supply chain partners — highlighted was the need for organizations to be able to detect at least some components of an attack chain before full compromise.
"Attackers need to execute lots of steps to fully compromise an organization," Bambenek says.
The Accellion attacks were another instance of a set of vulnerabilities that appear to have been first exploited by nation-state actors and then used by a broader set of financially motivated threat groups, says Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify.
"These types of attacks once again demonstrate that it is critical to ensure defense in depth as your supply chain can lead to major security breaches," he says.
The vulnerabilities in the Accellion attacks highlight the importance of continuous and robust software assurance, as well as the need for both product manufacturers and network designers to "build it like it's broken," Bugcrowd's Ellis adds.
Enterprise organizations need no reminders about the importance of prompt patching. Yet a wave of attacks on VPN devices from Pulse Secure — and, to a lesser extent, from Fortinet and others — showed that many are still not heeding that practice. The attacks mainly targeted security flaws in VPN devices that Pulse and the other impacted vendors had issued patches for a long time ago.
The fact that many of these attacks appeared to be succeeding prompted wide concern from the Cybersecurity & Infrastructure Security Agency and others because they impacted devices that organizations are using to secure remote access to their networks for work-from-home employees and others. One major concern was the privileged access that the vulnerabilities potentially allowed could enable attackers to gain a foothold on enterprise networks.
"Cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets, including public- and private-sector organizations worldwide," CISA warned in July. Organizations can mitigate the threat by applying available patches and implementing a centralized patch management system, CISA said.
The VPN attacks — just like the attacks on the Exchange Server flaws — also showed how the COVID-19-triggered move to a distributed work environment exposed more attack surface at many organizations and attracted more attention from adversaries, Ellis says. Targeted exploitation of highly privileged network equipment, in general, has increased as attackers look for new vulnerabilities in remote access infrastructure.
In July, numerous managed service providers (MSPs) using Kaseya's Virtual System Administrator (VSA) technology — and, in turn, their customers — were impacted by a ransomware attack that a threat actor sneaked into their environments by chaining together a set of three vulnerabilities in Kaseya's remote management technology. The attacks were noteworthy for their sheer sophistication and planning. It took the attackers just two hours, for instance, to exploit the VSA servers at the MSP locations and deploy ransomware in a highly automated fashion on endpoints belonging to potentially thousands of their customers.
The Kaseya attack demonstrated a dangerous new Internet, Bugcrowd's Ellis says.
"It was orders of magnitude more sophisticated than most previous ransomware campaigns," he notes. "The level of coordination and planning that went into the development of the kill chain, let alone its deployment, is more typical of well-funded state actors."
At the same time, the subsequent chaos surrounding payment collection demonstrated that, while the attackers were technically proficient, they still had plenty to learn about running a criminal enterprise.
Security researchers expect that most breaches that happen in the cloud over the next few years will be the result of avoidable misconfigurations and other user mistakes. One incident that highlighted the risks this year involved China's social media management company Socialarks.
In January, researchers from Safety Detectives reported discovering a database containing 408 GB of data, with profiles of some 214 million social media users that Socialarks had scraped from Facebook, LinkedIn, and Instagram. Safety Detectives found the data stored in an Elasticsearch database that was left exposed to the Internet without any password protection or encryption. The exposed data included personally identifiable information, such as email addresses and phone numbers.
The compromise was one of many in recent years that resulted from a cloud misconfiguration error. In recent years numerous companies have exposed staggering volumes of data because of such mistakes. Many of the incidents have involved data exposed in Amazon AWS S3 storage buckets. According to security vendor UpGuard, there have been literally thousands of breaches involving incorrect S3 settings in the past few years.
A recent report from Fugue and Sonatype, based on a survey of 300 cloud professionals, showed that 36% of organizations had experienced a cloud security breach or data leak over the past 12 months. Respondents cited misconfiguration as their biggest cloud security risk. Nearly one-third believed that the rate of cloud misconfigurations would increase over the next year, while 40% expect the risk to remain unchanged.
"We find that resource misconfiguration is what cloud customers tend to get wrong, sometimes with devastating consequences," the report said. "Many of the data breaches that make the headlines are the result of the exploitation of cloud misconfiguration mistakes."
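As an added example that is not part of the article, the following defender-side audit flags the S3 bucket settings behind the "incorrect S3 settings" class of breach the article describes: public ACL grants, a bucket policy open to any principal, and an incomplete public access block. It assumes input dicts shaped like the responses of the S3 GetBucketAcl, GetPublicAccessBlock and GetBucketPolicy calls, and runs offline over constructed sample buckets.

```python
import json

# S3 ACL group URIs that mean "everyone" and "any AWS account" (real AWS values).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_is_public(policy_json):
    """True if any Allow statement grants to everyone with no Condition."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False

def audit_bucket(acl_grants, public_access_block, policy_json):
    """Return exposure findings for one bucket; an empty list means no public path."""
    block = public_access_block or {}
    findings = []
    # IgnorePublicAcls makes S3 disregard existing public grants; without it,
    # every AllUsers/AuthenticatedUsers grant is an effective exposure.
    if not block.get("IgnorePublicAcls"):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GRANTEES:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    # RestrictPublicBuckets confines a public policy to the account's own principals.
    if policy_is_public(policy_json) and not block.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows Principal '*' with no Condition")
    missing = [k for k in BLOCK_KEYS if not block.get(k)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))
    return findings

# Constructed sample inputs: a world-readable dump beside a hardened bucket.
OWNER_ONLY = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]
WORLD_READ = OWNER_ONLY + [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::scrape-dump/*"}]})
ALL_BLOCKED = {k: True for k in BLOCK_KEYS}
```

Running `audit_bucket(WORLD_READ, None, PUBLIC_POLICY)` reports all three exposure paths, while the same ACL and policy under `ALL_BLOCKED` report none, which is why the account-level public access block is the control to verify first.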