Breach Trends and Insights – January 2021

Breach Report - January 2021

This report summarises the top breaches between mid-December and 15th January 2020. It will help you keep track of the latest hacks and, by looking at the trends, add insights that help safeguard your organization.

Most common data breach trends identified – 

  1. Nation-state Attacks
  2. Ransomware Attacks
  3. Credential Stuffing

Juspay Data Breach Puts Amazon, Swiggy And Many Others In A Fix

Juspay, a Bengaluru-based startup, is a payment partner for many Indian online platforms, including Amazon, Swiggy, and Makemytrip. Rajashekhar Rajaharia, an independent cybersecurity researcher from India, first disclosed the data breach on his Twitter handle. The compromised information of 10 crore (100 million) Indian cardholders was up for sale on the dark web. While analyzing the data dump, Rajashekhar noticed that the leaked information came from a Juspay data server and required immediate attention.

Juspay's engineers noticed unauthorized activity in one of the data stores in August 2020. Juspay's incident response team immediately sprang into action, traced the intrusion, and stopped it. The server used in the cyberattack was terminated and the entry point for the intrusion was sealed. Juspay then informed all its merchant partners of the cyberattack and worked with them on various precautionary measures.

Cause: The root cause of the unauthorized access that led to the Juspay data breach was an unrecycled (unrotated) access key that was exploited.

Impact: Juspay confirmed that 35 million credit and debit card records were leaked, but that they contained only masked card data: six of the sixteen card-number digits were masked (hashed). Issuing bank names, expiry dates, masked credit/debit card numbers, customer names, customer IDs and merchant account IDs were among the leaked fields; a separate subset of the leaked database contains users' phone numbers and email addresses.
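The Juspay root cause was a long-lived access key that was never rotated. The following is an added example (not Juspay's code, and not from the original report) of the kind of hygiene check that catches this class of problem: it walks a constructed credential inventory and flags active keys that are older than a rotation threshold, have never been used, or have sat idle. The inventory, the 90-day and 30-day thresholds and the fixed "now" are all assumptions made for the example; in practice the inventory would come from the cloud provider's credential report or IAM API.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values: rotate keys older than this, and review keys idle longer than this.
MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 30

# Constructed inventory for the example; timestamps are ISO-8601 in UTC.
# "last_used" is None when the provider has no record of the key ever being used.
KEY_INVENTORY = [
    {"key_id": "KEY-APP-001",    "owner": "payments-api", "created": "2020-02-01T00:00:00Z",
     "last_used": "2020-08-10T00:00:00Z", "active": True},
    {"key_id": "KEY-APP-002",    "owner": "payments-api", "created": "2020-07-01T00:00:00Z",
     "last_used": "2020-08-14T00:00:00Z", "active": True},
    {"key_id": "KEY-LEGACY-003", "owner": "batch-export", "created": "2019-11-01T00:00:00Z",
     "last_used": "2020-03-01T00:00:00Z", "active": True},
    {"key_id": "KEY-CI-004",     "owner": "ci-runner",    "created": "2020-08-01T00:00:00Z",
     "last_used": None,                   "active": True},
    {"key_id": "KEY-OLD-005",    "owner": "retired-app",  "created": "2019-01-01T00:00:00Z",
     "last_used": "2019-06-01T00:00:00Z", "active": False},
]

# Fixed reference time so the example is reproducible (constructed).
NOW = datetime(2020, 8, 15, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_keys(inventory, now=NOW, max_age_days=MAX_KEY_AGE_DAYS, max_idle_days=MAX_IDLE_DAYS):
    """Return a list of (key_id, reason) findings for active keys that violate the policy.

    A key can produce more than one finding (for example, both old and idle).
    Inactive keys are skipped: they cannot be exploited, although they should be deleted.
    """
    findings = []
    for key in inventory:
        if not key["active"]:
            continue
        age = now - _parse(key["created"])
        if age > timedelta(days=max_age_days):
            findings.append((key["key_id"], f"older than {max_age_days} days ({age.days} days)"))
        if key["last_used"] is None:
            findings.append((key["key_id"], "never used"))
        else:
            idle = now - _parse(key["last_used"])
            if idle > timedelta(days=max_idle_days):
                findings.append((key["key_id"], f"unused for {idle.days} days"))
    return findings


if __name__ == "__main__":
    for key_id, reason in audit_keys(KEY_INVENTORY):
        print(f"{key_id}: {reason}")
```

Keys that are both old and idle (KEY-LEGACY-003 above) are the ones most likely to be forgotten, and are therefore the first to rotate or revoke; a never-used key created by automation is a sign the pipeline was provisioned and abandoned.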

Source – CISOmag

SolarWinds Breach: A Massive Cyberattack In The US, Using A Novel Set Of Tools

The 'SolarWinds hack', a cyberattack recently discovered in the United States, has emerged as one of the biggest ever targeted against the US government, its agencies, and several private companies. In fact, it is likely a global cyberattack.

This is being called a 'supply chain' attack: instead of directly attacking the federal government's or a private organization's network, the hackers target a third-party vendor that supplies software to them. In this case, the target was an IT management product called Orion, supplied by the Texas-based company SolarWinds.

FireEye discovered a supply chain attack that trojanized SolarWinds Orion business software updates to distribute the SUNBURST malware. The attackers gained access to victims via these trojanized updates to the SolarWinds Orion IT monitoring and management software, affecting numerous public and private organizations around the world. The campaign may have begun as early as spring 2020 and is currently ongoing. FireEye and SolarWinds have published patch guidance, a list of exploited CVEs and security advisories on their websites to help affected organizations.

Impact: Orion is SolarWinds' dominant product, with over 33,000 client companies. SolarWinds says 18,000 of its clients have been impacted. Incidentally, the company has deleted the list of clients from its official website.

Source – Indian Express


Accellion Hack Behind Reserve Bank Of NZ Data Breach

The Reserve Bank of New Zealand, known as Te Pūtea Matua, disclosed that it had suffered a data breach after threat actors illegally accessed data stored at a third-party hosting provider. "A third-party file sharing service used by the Bank to share and store some sensitive information has been illegally accessed," the notification stated.

Accellion's file transfer appliance (FTA) was accessed illegally. Accellion resolved the vulnerability and released a patch for FTA to the fewer than 50 affected customers within 72 hours.

Impact: The data breach has been contained but may have exposed commercially and personally sensitive information.

Source – itnews.com

Ransomware Attack On Video Game Giant Capcom

Video game giant Capcom revealed this week that thousands more people than initially believed had their personal information stolen in a ransomware attack in November 2020. The game maker announced that it had detected unauthorized access to its network, and two weeks later confirmed that the attackers had accessed the personal information of employees, as well as financial information, sales reports, and other business data.

Game development documents, sales reports, financial information, and other information related to business partners were also accessed during the ransomware attack. The company also expects new details to emerge as the investigation progresses.

Impact: A total of 16,415 people (3,248 business partners, 9,164 former employees and related parties, and 3,994 employees and related parties) had personal information stolen, including names, physical and email addresses, phone numbers, HR information, birthdates, and passport information.

Source – securityweek.com

Spotify Users Targeted In Potential Fraud Scheme

vpnMentor's research team, led by Noam Rotem and Ran Locar, has discovered a possible credential stuffing operation whose origins are unknown but which affected some online users who also have Spotify accounts. Credential stuffing is a hacking technique that takes advantage of weak passwords that consumers use, and often reuse, online.

An exposed Elasticsearch database contained over 380 million records, including login credentials and other user data that were being validated against the Spotify service. The hackers were most likely using login credentials stolen from another platform, app, or website to access Spotify accounts. The exposed database belonged to a third party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or leaked from other sources and repurposed for credential stuffing attacks against Spotify.

Impact: 380 million records containing email addresses and login credentials (usernames and passwords).
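Credential stuffing, as described above, replays leaked username/password pairs against a service, so on the defender's side it looks like one source trying many different accounts with a high failure rate. The following is an added example (not vpnMentor's or Spotify's code, and not from the original report) of detection logic that runs over a small set of constructed authentication log lines: events are bucketed per source IP into fixed five-minute windows, and a window is flagged when it contains at least five distinct usernames and at least 80% failures. The log format, the thresholds and the IP addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (documentation-range IPs, invented usernames). Assumed format:
#   <ISO-8601 UTC timestamp> ip=<source address> user=<username> result=<ok|fail>
# 203.0.113.7  : one source cycling through many accounts (stuffing pattern, one success)
# 198.51.100.22: a single user who mistypes a password twice, then logs in
# 192.0.2.9    : repeated failures against ONE account (brute force, not stuffing)
SAMPLE_LOG = """\
2021-01-10T12:00:01Z ip=203.0.113.7 user=alice result=fail
2021-01-10T12:00:04Z ip=203.0.113.7 user=bob result=fail
2021-01-10T12:00:07Z ip=203.0.113.7 user=carol result=fail
2021-01-10T12:00:11Z ip=203.0.113.7 user=dave result=ok
2021-01-10T12:00:15Z ip=203.0.113.7 user=erin result=fail
2021-01-10T12:00:19Z ip=203.0.113.7 user=frank result=fail
2021-01-10T12:00:24Z ip=203.0.113.7 user=grace result=fail
2021-01-10T12:00:30Z ip=203.0.113.7 user=heidi result=fail
2021-01-10T12:01:02Z ip=198.51.100.22 user=bob result=fail
2021-01-10T12:01:20Z ip=198.51.100.22 user=bob result=fail
2021-01-10T12:01:41Z ip=198.51.100.22 user=bob result=ok
2021-01-10T12:02:00Z ip=192.0.2.9 user=carol result=fail
2021-01-10T12:02:05Z ip=192.0.2.9 user=carol result=fail
2021-01-10T12:02:10Z ip=192.0.2.9 user=carol result=fail
2021-01-10T12:02:15Z ip=192.0.2.9 user=carol result=fail
2021-01-10T12:02:20Z ip=192.0.2.9 user=carol result=fail
2021-01-10T12:02:25Z ip=192.0.2.9 user=carol result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), m.group(4) == "ok"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag (ip, window) pairs where one source tried many distinct accounts, mostly failing.

    Returns a list of dicts with ip, window_start, distinct_users, attempts, failures, fail_ratio.
    Requiring several distinct usernames separates stuffing from a brute force on one account
    and from a legitimate user fumbling their own password.
    """
    window_seconds = int(window.total_seconds())
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole run
        ts, ip, user, success = parsed
        bucket_index = int((ts - epoch).total_seconds()) // window_seconds
        b = buckets[(ip, bucket_index)]
        b["users"].add(user)
        b["attempts"] += 1
        if not success:
            b["failures"] += 1

    findings = []
    for (ip, bucket_index), b in sorted(buckets.items()):
        ratio = b["failures"] / b["attempts"]
        if len(b["users"]) >= min_users and ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                "window_start": epoch + timedelta(seconds=bucket_index * window_seconds),
                "distinct_users": len(b["users"]),
                "attempts": b["attempts"],
                "failures": b["failures"],
                "fail_ratio": ratio,
            })
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG):
        print(f"{f['ip']} from {f['window_start'].isoformat()}: "
              f"{f['distinct_users']} users, {f['failures']}/{f['attempts']} failed")
```

The single successful login inside the flagged window is the event that matters most: it identifies the account whose reused password worked, and that is the account to lock and reset. Because reused passwords are the root of the problem, the lasting mitigation is to check new passwords against known breach corpora and to require multi-factor authentication.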

Insights

Nation-state attacks are on the rise and ransomware attacks have increased 40% to 199.7 million cases globally. Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information and disrupting critical operations. These attacks and data breaches are a warning to organizations to continuously monitor their digital attack surface, and to carry out continuous red teaming and penetration testing to identify the attack paths that hackers can leverage.

The evolving nature of attacks such as web application breaches, ransomware, reconnaissance, cyber espionage, DDoS attacks, and data exfiltration establishes cyber risk as a new challenge for organizations, and attack technologies are outpacing defense technologies.

FireCompass helps organizations with its internet-wide monitoring platform, which supports attack surface discovery and identifies the risks associated with it. With the attack surface management tool, you can:

  • Discover misconfigured Cloud Assets
  • Discover the hacker’s view of your attack surface
  • Discover your deep and dark web exposure
  • Identify Code leaks, leaked credentials
  • Discover Vulnerabilities in Internet infrastructure, Web apps, Mobile apps
  • Discover exposed pre-production systems
  • Discover exposed services such as APIs and open ports
