Cybersecurity shocking data breaches

Listen to this article:

Corporate email addresses should never be used on any non-professional service. Picture: www.avast.com

Cyberspace continues to dominate our privacy issues and as reported by Techrepublic.com and others, data leaks affecting both personal and professional data grew in 2022 and will continue into 2023.

Huge data leaks impacting millions of users occurred in 2022, such as the WhatsApp leak and more recent Twitter leak exposing more than 200 million users’ information.

Those data leaks are often sold privately in cybercriminals’ underground marketplaces, with price depending on several parameters such as the number of users, the types of users targeted, and whether the passwords are encrypted or clear text.

For example, a database containing 105 million Indonesian citizens’ records was sold in September 2022 for $5000 on the dark web. The database seemingly came from the General Elections Commission of Indonesia and contained full names, places and dates of birth, and national identification numbers.

I wonder if our own national databases are out there too. Corporate email addresses should never be used on any nonprofessional service, yet people tend to use it to register for third-party web services.

Definitely something to be avoided and you have no excuse with “free” gmail accounts and others available. This greatly increases the attack surface for the corporate entity, as an attacker may collect that information.

Should the employee use the same password on the service as his corporate email account, attackers may obtain a foothold inside the entity’s infrastructure. In addition, there is the single-sign-on (SSO) risk of compromising access across several entities.

With so many applications now using SSO for authentication, it is crucial to supervise rights given to applications and websites to avoid any malicious ones having full rights on email accounts. I’d advise that companies should also enforce 2FA on all applications where the option is available.

Also supervision of cloud applications should be done, and if any suspicious behaviour is detected, such as a connection from a different country or at an unusual time, passwords should be reset. Using corporate email addresses on multiple third parties services also increases the risk of phishing and success of social engineering schemes.

Kaspersky observed that threat actors insist on the publication of their stolen data from companies. In each of the first ten months of 2021, they saw between 200 to 300 posts per month from ransomware actors showing their successful compromises.

By the end of 2021 and the first half of 2022, that number grew to more than 500 per month. However, in previous PR attempts, the LockBit group has published supposedly successful corporate compromises which were later found to be fake.

For example:

• Improper analyses of the stolen data by the threat actors, whether intended or not.

• Attempting to monetise an intrusion, even if there was no encryption.

• Attempting to damage the reputation of an organisation.

• Fabricating a higher level of intrusion activity by the ransomware organisation.

• Seeking attention for their ransomware organisation.

Cloud and virtualisation technologies will be increasingly hit by attackers. While businesses often transfer parts of their data and operations to the cloud, they also often use partner services which may not be well configured or contain vulnerabilities.

Companies may not be aware of cloud infrastructure intrusions, as some cloud providers do not log important system events. This makes it interesting for attackers and makes proper investigation and incident response more difficult, according to Kaspersky researchers.

Malware-as-a-service models have gained popularity through the last years amongst cybercriminals and will keep increasing. “Cybercriminals try to optimise their work efforts by scaling their operations and outsourcing certain activities, just as a legitimate business would” Kaspersky said.

This model also lowers the barrier of entry for wannabe cybercriminals, as they can just rent efficient services to operate without needing too much cybersecurity knowledge themselves. The increased use of this model may lead to less unique attacks due to different attackers using the same tools.

These tools may subsequently increase in complexity to avoid being correctly analysed by automated security systems.

Earlier this month, as reported in the news, the US telecommunications provider T-Mobile and millions of its customers were the victims of another data breach – this one apparently carried out by hackers who knew how to exploit an application programing interface (API) used by the carrier.

Basically an API is used for programs to talk to each other including accessing information databases.

T-Mobile revealed the breach in a filing with the US Securities and Exchange Commission, noting that the impacted API provided the hackers with names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and plan features for 37 million current postpaid and prepaid customers.

The breach started on or around November 25 of last year, the carrier said, adding that it stopped the malicious activity within a day after discovering it and that it’s currently working with law enforcement to investigate further.

Data breaches and hacks are hardly a new phenomenon for T-Mobile.

Over the past several years, the company has suffered several security incidents, including a bug on its website in 2018 that allowed anyone to access customer data, a breach in 2021 that exposed the personal data of almost 50 million people, and a series of breaches carried out by the Lapsus$ cybercrime group in March of 2022.

Repeated data breaches such as this can have a significant impact on the reputation of organisations, and T-Mobile certainly seems to be an organisation that is becoming synonymous with massive data breaches.

Collecting and storing information on such a massive amount of customers, T-Mobile also has a responsibility to ensure it is secure, a responsibility which they have failed with multiple times now.

APIs are like highways to a company’s data: highly automated and allowing access to large amounts of information. When there are no controls in place that monitor the amount of data left by the domain via the API, it results in no control over customer data.

Although no credit card details or social security numbers were accessed in the hack, the information that was stolen represents a gold mine for cybercriminals, according to Kron.

Using this data, they can design phishing, vishing, and smishing attacks and reference information that a customer may feel would only be known to TMobile.

A successful attack could then lead to financial theft, identity theft or worse.

To prevent these types of attacks, organisations that work with APIs should implement tight controls over who and what is allowed to use the APIs and at what time and frequency.

A zerotrust approach is the best way to reduce the attack surface since it limits access to resources from inside and outside of the network until the request can be verified.

In practice, there should be a fundamental shift where CTOs, CIOs, CDOs, data architects, and application developers start to decouple data from applications and other silos to establish “zero copy” data ecosystems.

There’s some great IRB Rugby 7s action in Sydney this weekend. Go Fiji Go! As always God bless and stay safe in both digital and physical worlds.

• ILAITIA B. TUISAWAU is a private cybersecurity consultant. The views expressed in this article are his and are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@ cyberbati.com

Array
(
    [post_type] => post
    [post_status] => publish
    [orderby] => date
    [order] => DESC
    [update_post_term_cache] => 
    [update_post_meta_cache] => 
    [cache_results] => 
    [category__in] => 1
    [posts_per_page] => 4
    [offset] => 0
    [no_found_rows] => 1
    [date_query] => Array
        (
            [0] => Array
                (
                    [after] => Array
                        (
                            [year] => 2024
                            [month] => 01
                            [day] => 25
                        )

                    [inclusive] => 1
                )

        )

)