What can we learn from cyber attacks in 2022?

CATEGORY
Improving security behaviours
BY
Max Kurton
DATE
January 3, 2023
FOR
Security Awareness Pros

⚡ TL;DR ⚡

Welcome to 2023! A new year brings new opportunities, but not all of them are positive. Over the next 12 months, we will see hackers make many attempts to breach personal privacy and corporate data for various reasons: bragging rights, curiosity, boredom, financial gain, sabotage, corporate espionage, blackmail, and extortion.

Cybercriminals will continue discovering new and improved ways to prey on businesses and expose their weaknesses to gain the information they want. IBM’s Cost of Data Breaches Report 2022 quotes an average total cost of a data breach at USD 4.35 million, which is a 2.6% increase from the year before. The most common attack vectors are credential theft (19%), phishing (16%), misconfigured cloud (15%), and vulnerabilities in third-party software (13%).

These attacks are not only costly; the average time required to identify and contain each type of compromise is also long. Identifying and containing a compromise caused by stolen credentials takes 327 days, nearly a whole calendar year. For phishing breaches, the mean time to identify and contain is 295 days, and phishing also carries the highest average cost of any initial attack vector, at USD 4.91 million.

However, it’s not all doom and gloom. Implementing changes in an organisation can take time, but solutions exist to speed up that process and make your organisation more secure. We can also look at past breaches and understand how they happened, which shows how such simple methods of entry can lead to considerable damage.

Even though there were numerous attacks and breaches last year, we’ve compiled eight security breaches we can all learn from to grow our organisations and keep our employees safe in 2023.

COSTA RICAN GOVERNMENT

Two major ransomware attacks crippled many of the country's essential services. Import and export ground to a halt, over 30,000 medical appointments needed to be rescheduled, and tax payments were also disrupted. Millions were lost due to the attack, and staff at affected organisations had to return to using pen and paper to get things done.

At the heart of the hacking spree is Conti, the notorious Russia-linked ransomware gang. The threat group accessed the government's systems, stole precious data, and demanded USD 20 million. A total of 670GB of the stolen data was posted to a leak site weeks later, which equals 90% of the data that was accessed.

This forced the Central American government to declare a national emergency in response to the ransomware attacks, marking the first time a country has done so in response to a cyberattack.

ACORN FINANCIAL SERVICES

On August 9th, Acorn Financial Services experienced a data breach after an unauthorised party gained access to sensitive consumer data. Access was gained through an email-based cyber attack, most likely a targeted phishing email through which email credentials were stolen.

The breach resulted in names, addresses, dates of birth, driver’s license numbers, financial account numbers, Social Security numbers, and other account-related information being compromised.

Acorn was quick to respond, launched a full investigation, and sent out data breach letters to all affected parties, informing them of the incident and what they could do to protect themselves.

CRYPTO.COM

One of the best-known cryptocurrency exchanges in the world was hit by a hack affecting 483 users, leading to unauthorised withdrawals of bitcoin and Ether worth USD 35 million. This broke down to over USD 15 million worth of ETH and USD 19 million worth of BTC.

The transactions were approved without the user inputting two-factor authentication (2FA), which is mandatory for all users. Crypto.com initially dismissed the attack as an 'incident' but later retracted its statement, confirming that money had been stolen and that affected users had been reimbursed.

The company revoked all customer 2FA tokens and added additional security before customers logged back into the platform and set up their 2FA tokens again. The new measures include a mandatory 24-hour delay between registering a new withdrawal address and the first withdrawal. It also announced its plans to transition away from 2FA to "true multi-factor authentication", though no timeline or details for this change were given.
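The 24-hour hold on new withdrawal addresses described above, written out as an added example (not Crypto.com's code): the policy refuses withdrawals to unregistered addresses and to addresses registered less than 24 hours ago, so even a session that slipped past the second factor cannot move funds somewhere new immediately. The class, method names and ISO-8601 timestamp inputs are assumptions.

```python
"""Enforce a hold between registering a withdrawal address and the first withdrawal.

Added example, not Crypto.com's code. The 24-hour hold matches the article's
description; the data model, method names and timestamp format are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=24)


def _to_dt(value):
    """Accept an aware datetime or an ISO-8601 string with a UTC offset."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return value.astimezone(timezone.utc)


@dataclass
class WithdrawalPolicy:
    hold: timedelta = HOLD
    # (account, address) -> UTC time the address was registered
    registered: dict = field(default_factory=dict)

    def register_address(self, account, address, now):
        """Record a new withdrawal address. Re-registering restarts the hold."""
        self.registered[(account, address)] = _to_dt(now)

    def can_withdraw(self, account, address, now):
        """Allow a withdrawal only to a registered address older than the hold.

        Returns (allowed, reason). Unknown addresses are refused outright, so an
        attacker who bypassed the second factor still has to wait out the hold,
        which gives the account owner time to notice and revoke the address.
        """
        registered_at = self.registered.get((account, address))
        if registered_at is None:
            return False, "address not registered"
        elapsed = _to_dt(now) - registered_at
        if elapsed < self.hold:
            remaining = self.hold - elapsed
            return False, f"hold active, {remaining} remaining"
        return True, "ok"
```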

TWILIO

Twilio confirmed that the hackers gained access to the accounts of 209 customers and 93 Authy end users, effectively allowing the attackers to generate login codes for any connected 2FA-enabled account.

Other companies, such as Okta and Signal, confirmed they were compromised as a result of the Twilio breach. The response to the threat actors was coordinated by collaborating with carriers to stop the malicious messages and having the hosting providers shut down the malicious URLs.

In an update since the attack, Twilio has announced that it revoked access to compromised employee accounts and has reemphasised its security training to ensure employees are on high alert for social engineering attacks.

MEDIBANK

Medibank Private Ltd is one of the largest health insurance providers in Australia. 9.7 million Medibank customers were impacted by a breach in which records were stolen, including names, birth dates, passport numbers, and information on Medicare claims. The hackers found the login credentials of a single support desk worker whose account did not have two-factor authentication.

Once inside, the threat actor found the customer database and then wrote a script that used the stolen credentials to automate pulling the customer data. 200GB of stolen data was placed into a zip file and exfiltrated through two established backdoors.

Hackers posted a sample of the stolen data and demanded Medibank pay a USD 10 million ransom to prevent the database from being freely published on the dark web. The CEO and Medibank refused the demands, saying, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”

FLEXBOOKER

Discovered in January 2022, FlexBooker, an appointment management business, was hit by a vast attack that exposed 19 million files, including full names, email addresses, phone numbers, and appointment details.

The hacking group, Uawrongteam, compromised FlexBooker's data by exploiting its AWS configuration. The company used an AWS S3 bucket to store data but did not implement any security measures, leaving the contents exposed.

The sensitive information of 3.7 million users was involved in the breach. FlexBooker said their "system data storage was also accessed and downloaded" as part of the attack. They worked closely with Amazon Web Services to ensure accounts were re-secured and a backup was restored.

MAILCHIMP

Malicious hackers compromised an internal company tool used by the company's customer support and account administration teams to gain access to customer accounts. Hackers viewed approximately 300 Mailchimp accounts and successfully exported audience data from 102 of those.

The hackers utilised a social engineering attack to trick employees into handing over credentials. Using the accounts, the attackers launched phishing attacks, which appeared legitimate because they were coming from Mailchimp emails. They also gained access to API keys for an undisclosed number of customers, which could have allowed the attackers to send spoofed emails, but these keys were disabled.

As a knock-on effect, cryptocurrency wallet company Trezor reported that attackers used data stolen from the Mailchimp breach to launch a phishing campaign that breached the data of 106,856 customers. An email was sent that contained malicious code, which, once downloaded, asked customers to input vital information needed to access their Trezor wallet.

UBER

Uber was in the news again for a data breach, which this time began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. MFA blocked them, but this did not stop the hacker, who contacted the employee via WhatsApp to ask them to approve the MFA notification and sent a flood of notifications until the employee eventually agreed.

After completing the attack, the hacker used an employee's Slack account and announced the successful breach to the entire company. Despite the deep access the hacker gained, there is no evidence of customer data theft.

The company was close to a complete system shutdown, and the hacker could have sold access to the bug bounty program for a very high price. Instead, they decided to walk away, indicating they pulled off the attack for the thrill of a successful cyberattack or to brag to the hacker community.
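The push-notification flood in this incident leaves a clear trace in identity-provider logs: many prompts to one user in a short window, followed by an approval. The detector below is an added example, not Uber's or any vendor's code; the log line format, event names, window and threshold are assumptions, and the sample log is constructed.

```python
"""Flag MFA push-fatigue patterns in authentication log lines.

Added example, not from the original article. The log format, event names,
window and threshold are assumptions; the sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> user=<id> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2022-09-15T21:02:10Z user=alice event=push_sent
2022-09-15T21:02:35Z user=alice event=push_denied
2022-09-15T21:03:01Z user=alice event=push_sent
2022-09-15T21:03:20Z user=alice event=push_denied
2022-09-15T21:03:44Z user=alice event=push_sent
2022-09-15T21:04:05Z user=alice event=push_sent
2022-09-15T21:04:30Z user=alice event=push_sent
2022-09-15T21:05:12Z user=alice event=push_approved
2022-09-15T21:10:00Z user=bob event=push_sent
2022-09-15T21:10:09Z user=bob event=push_approved
"""

WINDOW = timedelta(minutes=10)   # sliding window in which prompts are counted
MAX_PROMPTS = 3                  # more prompts than this inside WINDOW is suspicious


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], event.split("=", 1)[1])


def detect_push_fatigue(log_text, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: (prompts_in_window, approved_afterwards)} for flagged users.

    A user is flagged once more than `max_prompts` push prompts were sent to
    them inside `window`; `approved_afterwards` records whether a prompt was
    then accepted, which is the pattern the Uber incident illustrates.
    """
    sent = defaultdict(list)   # user -> timestamps of recent push_sent events
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event = parse_line(raw)
        if event == "push_sent":
            # keep only prompts that still fall inside the sliding window
            sent[user] = [t for t in sent[user] if ts - t <= window] + [ts]
            if len(sent[user]) > max_prompts:
                alerts[user] = (len(sent[user]), alerts.get(user, (0, False))[1])
        elif event == "push_approved" and user in alerts:
            alerts[user] = (alerts[user][0], True)
    return alerts
```

A user who exceeds the threshold and then approves is the case to page on; a user who exceeds it and keeps denying still warrants a credential reset, since the attacker evidently holds the password.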

SECURITY PRACTICES TO CONSIDER IN 2023

  • Companies are quick to act after the damage has already been done. However, we need to see a more proactive approach to security versus reactive.
  • Security teams should compare their current MFA processes against common exploit tactics, as not all MFA protocols are equal.
  • Go beyond standard training and email phishing by having complete visibility into human risk across a variety of different behaviour points.
  • Implement security nudges for when a training incident occurs by delivering personalised security coaching through just-in-time training, and utilising gamification leaderboards across teams.
  • Stop wasting time manually checking your security awareness program and implement automation for email phishing, MFA phishing, and IM attack sims.
  • It goes without saying, but 2022 opened many eyes to attacks becoming even more sophisticated than in previous years. This trend will continue as attacks become more frequent, and attacks against employees will become even harder to detect, so it makes sense to look into managing human cyber risk now before it's too late.