Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. IBM’s Cost of a Data Breach Report 2020 states that third-party involvement was one of the amplifiers in a breach, increasing the data breach cost by $207,000.
Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware, or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for December. It should be noted that several of these breaches are still being substantiated as more data is collected.
1. Department of Treasury and Commerce, Cisco, SAP, Intel, Cox Communications, Deloitte, Fujitsu, Rakuten, Check Point, and Many More
Much has been said and written about the largest supply-chain attack in the last decade. The SolarWinds hack is believed to have affected around 250 federal agencies and businesses organizations, after a scrutinized search on 18,000 organizations who were using the affected version of the Orion software. Of the 18,000 organizations, they gained initial access to, the Russian hackers only sent their probes to organizations that might be of interest.
Latest analyses reveal that hackers were not only able to impersonate any of the organization’s existing users and accounts, including highly privileged accounts, but also were able to “view source code in a number of source code repositories,” according to Microsoft.
Assets at stake include:
- User accounts (incl. high privileged accounts)
- Repository source code
Microsoft’s announcement states, “We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”
Given the scope of the hack, the debate and investigation will continue for some time. However, the cybersecurity community is still curious about how the gray rhino has been neglected for so long and is now focusing on the lessons learned in the hopes that future attempts will not be successful or the extent will be limited.
Here is the recap of the lessons learned from the SolarWinds attack:
- Third-Party a.k.a. Supply-Chain Risk Monitoring: We relentlessly discuss the importance of third-party risk monitoring, detailing how hackers prey on vendors or third parties instead of their targets. Companies should leverage an SRS (Security Rating Service) tool to continuously monitor the security posture of their vendors.
- Threat Simulation: The better security infrastructure you build, the better the defense. Improve your resistance level with regular threat simulation and drills.
- Strict internet access policy: Company servers should only access relevant update servers, and users should only download required file types. Those with a strict access policy were not affected by the attack. For detection, keep logs of blocked traffic.
- Defense-in-depth: Will allow for timely detection of sophisticated attacks.
- DevSecOps: Integrate security to the DevOps cycle. From private keys to access rights, secure the operations at every point that each line of code traverses.
- Repository Management as part of DevSecOps is critical. With new builds of software going live every day, strict access control and crypto must be integrated into repositories.
- DNS: Threat Hunting for suspicious domains and acquiring DNS logs save lives.
- APT: This attack resurfaced the meaning and importance of APT.
- Multi-Factor Authentication: Regardless of the type of application, MFA should be used for every public system, and similar methods should be preferred for internal systems.
- EDR: Indispensable elements of a layered security architecture.
Microsoft’s breach came to light when the company alerted the cybersecurity firm CrowdStrike of an issue with a third-party reseller that handles licensing for Microsoft’s Azure customers. According to Microsoft’s social media post, Azure’s account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, and “there was an attempt to read emails, which failed.”
The intrusions seem to have occurred via a Microsoft corporate partner that manages cloud-access services. They did not recall the associate or the corporation that allegedly stole emails. Since the topic remains a highly sensitive topic, the partner’s name was not disclosed.
In a blog post two weeks earlier, Microsoft stated the credentials of “more than 40 customers” were stolen. What actually happened was a breach of a third-party reseller in the hopes of accessing a larger company – the customers of Azure accounts. Through this mechanism, an adversary could read and steal emails among many other pieces of information.
When FireEye Inc. learned it was hacked in December, investigators from the cybersecurity company immediately set out to try to find out how attackers got through their defenses. They reviewed 50,000 lines of source code to finally come up with the root cause of the hack.
It wasn’t simply FireEye that was targeted. In a product designed by one of its software vendors, Texas-based SolarWinds Corp., investigators found a vulnerability. On the FireEye side, the cybersecurity company announced hackers stole some of their red-team tools for finding vulnerabilities in its clients’ systems.
FireEye also has government-affiliated clients, including the Department of Homeland Security and other intelligence agencies. Although hackers only got their hands on the red-teaming tools not containing zero-day exploits, one can assume the expectation was far more aggressive than what was achieved. CEO Kevin Mandia added in a blog post, “There is no sign that the hackers have used the stolen tools, nor is there evidence that customer information was stolen.”
4. Private and Government Organizations in Vietnam
A remarkable supply-chain attack in Vietnam targeted the Vietnam Government Certification Authority, VGCA, through its digital signature toolkit.
The attackers modified the software installers available for download on the VGCA website with a backdoor called PhantomNet. The users, when signing a document, leveraged their USB for the private key and the driver downloaded from the site.
According to ESET, the Slovak internet security company, the breach window is believed to be between July 23 to August 16, 2020. In Vietnam, digital signatures are commonly used since they have the same validity as print signatures, which indicates the extent of the attack.
Once installed, the malicious software runs the original driver program seemingly harmless, as well as the backdoor PhantomNet. It collects system information and executes the commands retrieved from “vgca.homeunix[.]org” and “office365.blogdns[.]com” appearing like legitimate VGCA domains. The backdoor is believed to be used for reconnaissance prior to a more complex attack against selected targets.
5. Mongolian Government Agencies
A Chinese state-sponsored hacker group is believed to have hacked a chatting software named Able Desktop, which is commonly used among Mongolian government agencies. The app, developed by Able Software, is an add-on that provides instant messaging capabilities to the company’s main product, a human resources management (HRM) platform.
Able Desktop is used by more than 400 government agencies, including the Office of the President, the Ministry of Justice, the Ministry of Health, various local law enforcement agencies, and many local governments in Mongolia.
The trojanized version of the software found its way through official updates to the end-users, where hackers initially assessed Able’s backend. The attack is attributed to China-linked APTs, such as LuckyMouse and TA428, but also to a collection of server infrastructure known as ShadowPad. ShadowPad is also linked to other Chinese APT groups like CactusPete, TICK, IceFog, KeyBoy, and the umbrella group Winnti.
At the time of this writing, it is unclear which data and accounts hackers accessed other than the messages in the app.
6. Healthcare Organizations in Vietnam
A healthcare technology vendor in Vietnam, iSofH, leaked 12 million patient records, including highly confidential diagnoses. Not long after the discovery, the infamous “meow” attacker wiped the database.
The “meow” attacker seeks out unsecured databases and wipes them out with “meow”. Until now, Meow and a similar attack have destroyed more than 1,000 other databases.
According to initial reports, the database belonging to iSofH includes:
- detailed patient information (full names and dates of birth)
- credit card information
- recent tests and diagnostics
- logs, as well as personal information regarding company staff
- partial information about the doctors who work at the various hospitals iSofH operates
Innovative Solution for Healthcare (iSofH) serves more than 18 medical facilities, including eight top-tier clinics in Vietnam. The technology company provides software for electronic health records and hospital management systems.
isSofH’s server was left publicly exposed without encryption or password protection. As a result, the researchers were able to view a 4GB database of 12 million records, affecting roughly 80,000 patients and healthcare staff.
The database is like a trove for scammers and hackers in running their phishing campaigns, identity theft, or carrying more sophisticated attacks.
7. dental practıces in the U.S.
U.S. dental practices were also struck by a supply-chain attack in December, including Dental Care Alliance (DCA), a vendor providing support services to more than 320 affiliated practices across 20 states.
Upon detecting abnormal activity in its network, DCA officials started an investigation in mid-October and found a breach window from September 18-October 13.
Potentially compromised data includes:
- patient names
- contact details
- dental diagnosis
- treatment information
- patient account numbers
- billing details
- dentists’ names
- bank account numbers
- health insurance data
After the major BlackBaud ransomware attack, DCA ranks second in place among the most severe healthcare-related supply-chain attacks of 2020.
8. Aetna, Blue Cross Blue Shield of Tennessee
A data breach at the vision benefits company Eyemed, a third-party to numerous health insurance companies, affected around 500,000 Aetna members and more than a thousand BlueCross BlueShield of Tennessee members.
According to the announcement made by the Cincinnati-based third party, the company discovered an unauthorized person gained access to an EyeMed email mailbox. The attack is believed to be the result of a phishing scam.
Both Aetna and BCBS Tennessee were affected by the breach as main beneficiaries, however BCBS on a smaller scale with 1,300 members.
Aetna revealed the breached information includes:
- dates of birth
- vision insurance account information
In some limited instances:
- full or partial social security numbers
- birth or marriage certificates
- medical diagnoses
- treatment information
- financial information
As of now, there has not been a misuse or detected linked to the breach.
9. NOW: Pensions
NOW: Pensions suffered a data breach after one of its third-party service partners inadvertently posted personal data of members on a public software site in December.
According to the latest estimates, around 30,000 customers were hit by the exposure, with their sensitive personal data left open on the internet. The company explained that the database has been exposed for a short time and was copied by a small number of unknown parties.
As the exposure became public, the workplace pensions firm warned that names, postal and email addresses, birth dates, and national Insurance numbers all appeared in a public forum online.
Patrick Luthi, CEO of NOW: Pensions, claims, “The data was visible only to users of that forum for a short time and was copied by a small number of unknown parties. We reported this incident to the pensions regulator and the Information Commissioner’s Office.”
NOW: Pensions says it gave the affected clients free access to Experian Identity Plus for one year, which offers warnings on possible fraudulent activity. In the meantime, the organization has advised its clients to be extra careful about any emails they receive.