The Spooky Season is here early! Recent data breaches re-emphasize the significance of password security
Oct 20 · 4 min read
With Halloween at the end of October, the past month was the start of the scare for organizations across the globe. High-profile data breaches and stolen sensitive data caused a fright, and the ransomware group LAPSUS$ rose back from its grave.
It all started with the attack on Uber by a teenage hacker group. Shortly after, the InterContinental Hotels Group fell victim to a wiper attack carried out by a vengeful Vietnamese couple. A couple of days later, airline giant American Airlines disclosed details of a data breach to its customers.
These are just a few high-profile incidents that received a lot of media attention. So many global companies keep falling victim to a variety of security breaches and attacks. What is happening? Let’s analyze!
Uber, the world-leading cab aggregator, fell prey to a cyberattack last month. Preliminary analysis by experts suggests that the attackers used one of the simplest techniques available to obtain the login credentials of an Uber employee and gain privileged access to internal systems. An 18-year-old then moved laterally through the company's internal IT systems to reach sensitive information. This teenager is alleged to be part of the LAPSUS$ group of cybercriminals.
The teen repeatedly sent MFA push approval requests to the target employee (so-called MFA fatigue). Once the employee approved a request on his device, the hacker had initial access inside the company. He was then able to reach resources shared on the network, including PowerShell scripts. One of the scripts contained hardcoded credentials for an administrator account: quite the treat for any hacker in disguise.
With this powerful administrator account, the hacker obtained tokens for Uber's AWS console, G Suite, Slack channels, and other internal resources, including Uber's vulnerability reports. The hacker accessed these internal tools and posted screenshots of confidential data on the internet.
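The push-fatigue pattern described above leaves a recognizable trail in MFA logs: a burst of denied or timed-out pushes to one user followed by an approval. The detector below is an added example, not Uber's or Securden's code, and runs over constructed sample log lines in a hypothetical key=value format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format, not from any real IdP).
SAMPLE_LOG = """\
2022-09-15T22:40:01Z user=jdoe event=push_sent result=pending src=203.0.113.7
2022-09-15T22:40:35Z user=jdoe event=push_sent result=denied src=203.0.113.7
2022-09-15T22:41:10Z user=jdoe event=push_sent result=timeout src=203.0.113.7
2022-09-15T22:41:50Z user=jdoe event=push_sent result=denied src=203.0.113.7
2022-09-15T22:42:30Z user=jdoe event=push_sent result=denied src=203.0.113.7
2022-09-15T22:43:05Z user=jdoe event=push_sent result=approved src=203.0.113.7
2022-09-15T09:12:00Z user=asmith event=push_sent result=approved src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push_sent "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Turn log lines into (timestamp, user, result, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not push events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Alert when an approval follows >= threshold pushes within `window`
    and at least one earlier push in that window was denied or timed out."""
    by_user = defaultdict(list)
    for ts, user, result, src in sorted(events):
        by_user[user].append((ts, result, src))
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, result, src) in enumerate(evs):
            if result != "approved":
                continue
            recent = [e for e in evs[:i] if ts - e[0] <= window]
            rejected = [e for e in recent if e[1] in ("denied", "timeout")]
            if len(recent) + 1 >= threshold and rejected:
                alerts.append({"user": user, "approved_at": ts, "src": src,
                               "prior_pushes": len(recent), "rejected": len(rejected)})
    return alerts
```

Tune `window` and `threshold` to the normal push volume in your own environment; a single denied push before an approval is often a user mis-tapping, while several in a row are worth an analyst's attention.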
LAPSUS$ did not stop there. A week later, they allegedly hacked Rockstar Games, the well-known studio behind the GTA video game series. Screenshots and videos from the unreleased GTA 6 were posted on the internet by the same group.
InterContinental Hotels Group (IHG), one of the leading conglomerates operating more than 6,000 hotels across 100 countries, fell prey to a phishing attack. The attackers, suspected to be a couple from Vietnam, first tricked an employee into downloading a malicious email attachment and then managed to get past the two-factor authentication step. Following the breach, IHG's booking systems were disrupted and a lot of data was lost from its database, temporarily sending it into a zombie state.
The hackers reached sensitive assets once they gained access to the company's internal password vault. Much to the attackers' surprise, the credentials used to access the vault were available to all of the company's employees, around 200,000 in number! Adding salt to the wound, the password protecting the vault that held the sensitive secrets of the entire organization was found to be 'Qwerty1234', a password that neglects the Halloween spirit of being well disguised.
Standard password management solutions enforce strong password rules for access to the vault and do not allow weak passwords. It is quite surprising that the password to the vault itself was weak, and that a global leader with the ability to invest heavily in protecting its assets would fail at the very basics of password security.
The organization's IT team was proactive in deploying countermeasures when the couple tried to unleash a ransomware attack on the network. The team succeeded in isolating the servers from the network and curbing the ransomware's propagation. Frustrated by this, the vengeful Vietnamese couple resorted to extreme measures and carried out a wiper attack instead. They immediately deleted massive amounts of data and took corporate data and email records from the database, causing huge temporary disruption for the organization.
American Airlines fell prey to a similar attack. The login credentials of an undisclosed number of employees were reportedly compromised. The cause has been traced to a phishing attack carried out back in July.
Hackers are known to lie dormant once they have gained a foothold in an organization's IT infrastructure. They gather resources and information for months before making a move. These ghost invaders can be tracked and traced by gaining better visibility into all the accounts in an organization and the access they hold. An enterprise password management solution discovers and gives visibility into all the orphan accounts that may be potential threats to an organization.
Data leaked in the InterContinental hotel attack reportedly includes employee and customer names, ages and birth dates, email addresses, personal phone numbers, license numbers, passport numbers, and certain medical information. This information, known as PII (Personally Identifiable Information), must be protected under GDPR in Europe. Failing to protect it can bring a heavy fine on the organization involved, although American Airlines hasn't disclosed any imposed fines.
Cyberattacks happen in a variety of ways. Security experts predict that by the year 2035 a data breach will occur every second.
Cybersecurity researchers have come a long way in concocting innovative ways to make IT secure. In parallel, attackers and bad actors devise new methods and strategies to circumvent the multiple layers of security that are put up.
Even though the damage was mainly caused by poor password hygiene, the initial breaches happened as a result of elaborate phishing campaigns.
What we can gather from these incidents is that history always repeats itself. You can deploy the most innovative security measures to prevent attacks, but without adhering to best practices, the systems in place will remain vulnerable. Even though cyberattack methods have grown more and more complex, the building block of access security has been and remains the same: maintaining password hygiene and best practices. This includes monitoring and controlling privileged access, patching software to the latest versions, and holistically managing all sensitive activity.
Had these organizations followed best practices such as eliminating hard-coded credentials, enforcing password complexity rules, and maintaining a robust password policy, the attackers would not have succeeded in their attempt to access critical systems.
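Hard-coded credentials in scripts on a network share, the kind that gave the Uber attacker an administrator account, can be found before an attacker does. The scanner below is an added example (not the page's or Securden's code) that flags the common PowerShell patterns for embedding a secret in a constructed sample script; the sample script, its hostnames and passwords are all made up.

```python
import re

# Constructed sample PowerShell script (hypothetical; all values are made up).
SAMPLE_PS1 = r'''
$server = "fileshare01"
$adminPass = "P@ssw0rd123!"
$cred = New-Object System.Management.Automation.PSCredential("CORP\svc_admin", (ConvertTo-SecureString "Summer2022!" -AsPlainText -Force))
$token = Read-Host -AsSecureString "Enter token"
Invoke-RestMethod -Uri "https://vault.example.internal/api/secret" -Headers @{ Authorization = "Bearer $env:VAULT_TOKEN" }
'''

# Each pattern only matches a literal string ([^"$]+), so values pulled from
# the environment or a vault at runtime (e.g. "$env:VAULT_TOKEN") are not flagged.
PATTERNS = [
    ("secret assigned as string literal",
     re.compile(r'\$\w*(pass|pwd|secret|token|key)\w*\s*=\s*"([^"$]+)"', re.I)),
    ("plaintext ConvertTo-SecureString",
     re.compile(r'ConvertTo-SecureString\s+"([^"$]+)"\s+-AsPlainText', re.I)),
    ("inline PSCredential password",
     re.compile(r'PSCredential\([^,]+,\s*"([^"$]+)"', re.I)),
]

def scan_script(text):
    """Return (line_number, finding_name) for every line that embeds a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS:
            if pat.search(line):
                findings.append((lineno, name))
    return findings

if __name__ == "__main__":
    for lineno, name in scan_script(SAMPLE_PS1):
        print(f"line {lineno}: {name}")
```

Lines that prompt the operator (`Read-Host`) or read the secret from the environment pass clean; the two flagged lines are exactly the ones a vault-backed credential fetch should replace.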
At the risk of sounding repetitive, here are a few access security best practices that organizations should follow.
Crawl the dark web - Monitor the dark web for breached passwords and eliminate their use in your organization.
Spin the wheel - Put an end to password reuse and rotate passwords periodically. Create competent password policies for your organization and enforce them.
Cast a spell barrier - Enforce multi-factor authentication for access to all sensitive assets. This acts as an additional layer of security and can prevent over 99% of identity compromises compared to passwords alone.
Protect your candy trove - Use an enterprise-grade password vault for your sensitive passwords, credentials, and files, the candy of your organization.
Wear a pumpkin over your head / Disguise your passwords - Passwords stored in plain text and inside applications are a major cause of breaches. Mask passwords while giving your users access to them, and use APIs to fetch credentials at runtime instead of embedding them.
Use a crystal ball - Looking into the future isn't possible, but you can prevent threats by reading the right cues. Monitor and record all user activity, send password activity logs to your SIEM solution, and obtain actionable insights.
After implementing the best practices above, it is crucial to educate your employees, every last one of them, about cybersecurity and to provide an action plan to follow when anomalous behavior is detected. Employees are humans at the end of the day and are prone to making mistakes, so you cannot expect them to be the entire line of defense. As cyberattacks take new avenues, it is important to keep them informed and vigilant.
If we take a closer look at the events, we can see that the initial breach was limited to endpoints. The lack of proper privilege management practices and workflows helped the attackers in their quest to gain access to sensitive information.
Though organizations certainly require advanced technologies and a variety of cybersecurity tools, losing sight of the basics of security leads to attacks. Password security is the foundation of information security. Internalizing this fact is critical.
Enforcing and automating these best practices can effectively shut down the cauldron that brews the recipe for password attacks. These practices can be automated to reduce error by using Password Management and Privileged Access Management solutions like Securden.