In this report we cover some of the significant cyberattacks that took place between 15th May and 15th June.
Analyzing these attacks, we gained the following key insights:
- With growing integration with third-party systems, organizations are exposing themselves to indirect breaches that flow into the organization through those systems, without adequately understanding the risks or taking appropriate countermeasures.
- A standard third-party security evaluation framework is not mandated in a large number of cases, and as a result third-party risk evaluation is generally patchy.
- Ransomware attacks use well-known channels: phishing and exposed open ports. Even when the methods and attack vectors are known, ransomware still penetrates systems because of a lack of visibility into possible misconfigurations.
- Weak or faulty access control (OTP not validated, a guest user holding higher-privilege access) is another risk that lets malware penetrate systems easily. In a recent security assessment exercise, FireCompass used its attack framework to launch a phishing attack that retrieved a password and, using it, obtained privileged access. Although the account was a guest user, it still had more access than required, which pointed to a possible misconfiguration.
- The FireCompass security research team has observed the following top attack vectors for data breaches: web vulnerability exploitation, publicly accessible information, third parties, SQLi, phishing, misconfiguration and plain-text keys.
- Given the velocity and volume of changes in IT infrastructure and applications in organisations worldwide, it is becoming increasingly challenging to track and monitor an organisation's IT (and, where applicable, OT) attack surface. Continuous automated monitoring augmented by human intelligence is the need of the hour.
- Understanding adversary behaviour and validating the susceptibility of an organisation's systems to successful attacks, especially recent ones, will improve the organisation's knowledge of its attack surface and of the efficacy of its defensive controls.
- Continuous testing using automated Attack Runbooks that perform various types of adversarial simulation, combined with human-augmented intelligence, will help organisations know their attack surface and thereby protect it better.
Following is a summary of the significant breaches in the month of May 2021.
Air India discloses data of 4.5 million passengers stolen in SITA cyber attack
Three months after global aviation industry IT supplier SITA fell victim to a cyber attack, Air India has admitted to a massive data breach that compromised the personal data of about 4.5 million passengers from across the world.
The breach involved personal data spanning almost 10 years, from 26 August 2011 to 3 February 2021. Breached data included the passenger’s name, date of birth, contact information, passport information, ticket information, frequent flyer data and credit card information.
SITA, an information technology and communications company and the data processor for Air India's passenger service system (which stores and processes passengers' personal information), had recently been subjected to a sophisticated cybersecurity attack that leaked the personal data of certain passengers. The SITA cyber attack was first discovered at the end of February. Air India customers are unlikely to be the only victims of the SITA hack. The company said that customers of several airlines were affected, including travellers who flew with Air New Zealand, Cathay Pacific, Finnair, Jeju Air, Lufthansa, Malaysia Airlines, SAS and Singapore Airlines.
Impact: Personal information of 4.5 million passengers was breached
Cause: The massive data leak was caused by a “sophisticated cyberattack” on Air India’s passenger service system provider SITA.
Domino’s India discloses data breach after hackers sell data online
Domino's India has disclosed a data breach after a threat actor hacked its systems and sold the stolen data on a hacking forum. The threat actor created a new topic on the forum claiming to be selling 13 TB of stolen data from Domino's India, including details of 18 crore (180 million) orders and 1 million credit cards.
The breach took place in March and was confirmed by Jubilant Foodworks in April, after the data was put on sale on the dark web. However, it only informed customers after the hackers created a search engine over the data that had earlier been available for purchase. The search engine, first reported by security researcher Rajshekhar Rajaharia on Twitter, is available on the dark web and provides details such as mailing addresses, mobile numbers, and the longitude and latitude of customers. The hackers claimed that the search engine included data on 180 million Domino's India customers.
The threat actor was selling the data for approximately 10 BTC, or $380,000 at today’s rates, and shared samples of the database structure for the allegedly stolen data. The same threat actors launched a Tor dark web search engine that allows people to enter their phone numbers or email addresses to see if their information is exposed in the database.
Impact: The breached database included around 180 million customers' order records. Judging from the database tables and from information shared by users who tried the search engine, the data does include customers' mobile numbers, names, email addresses and GPS coordinates.
Hackers can use this information to perform further attacks, such as phishing and SMS scams, to steal more sensitive data from those exposed in this breach.
Cause: The data leak was caused by a ransomware attack. Credit data of 10 lakh (1 million) users was put on "sale" for Rs 4 crore on the dark web.
Colonial Pipeline, the largest fuel pipeline in the US shuts down operations after ransomware attack
Colonial Pipeline said that a cyberattack forced the company to proactively close down operations and freeze IT systems after becoming the victim of a ransomware attack.
The Colonial Pipeline Company reported on May 7 that it was the victim of a "cybersecurity attack" that "involves ransomware," forcing the company to take some systems offline and disabling the pipeline. The attack has been attributed to DarkSide, a criminal hacker group based in Eastern Europe. Colonial Pipeline paid a $4.4 million ransom to the DarkSide ransomware operation, which allowed it to receive a decryption key and quickly bring its systems back online. An FBI agent stated that law enforcement gained control of the private key of a DarkSide Bitcoin wallet holding the Colonial Pipeline ransom payment, and the FBI recovered 63.7 Bitcoin of the approximately 75 Bitcoin sent by Colonial Pipeline. With the significant decrease in the price of Bitcoin since the payment, the recovered coins are worth roughly $2.26 million at today's prices.
Bloomberg reported about a month after the attack that the company was likely breached through a leaked password for an old account that had access to the virtual private network (VPN) used to reach the company's servers remotely. The account reportedly did not have multi-factor authentication, so the attackers only needed the username and password to gain access to the largest petroleum pipeline in the country.
Impact: Entire pipeline operations were shut down
Cause: Ransomware attack
Irish healthcare shuts down IT systems after Conti ransomware attack
Ireland's Health Service Executive (HSE), the country's publicly funded healthcare system, has shut down all IT systems after its network was breached in a Conti human-operated ransomware attack.
Conti operators are known for breaching enterprise networks and spreading laterally until gaining access to domain admin credentials which allow them to deploy the ransomware payloads filelessly, using reflective DLL injection techniques. Conti operates as a private Ransomware-as-a-Service (RaaS) that recruits hackers to deploy the ransomware in exchange for large shares of any paid ransom.
Impact: All IT systems were shut down after the network was breached
Cause: Conti human-operated ransomware attack that seeks access to data
Reference: Bleeping Computer
DigitalOcean admits data breach exposed customers’ billing details
DigitalOcean, the popular cloud-hosting provider, has told some of its customers that their billing details were exposed due to what it described as a “flaw.”
DigitalOcean told customers in an email that it has "confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account." The company said the person "gained access to some of your billing account details through a flaw that has been fixed" over a two-week window between April 9 and April 22.
According to the statement released, DigitalOcean claimed that only 1% of billing profiles had been impacted by the breach. It also said it had fixed the flaw and notified data protection authorities, but it is not clear what the flaw was that put customer billing information at risk.
Impact: Billing account details such as billing name, billing address, payment card expiration date, the last four digits of the user's payment card and the payment card's bank name were accessed
Cause: An unauthorised party managed to exploit the flaw to gain access to billing information between April 9 and April 22, 2021.
Experian API Exposed Credit Scores of Most Americans
Experian fixed a weakness with a partner website that lets anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
Bill Demirkapi, an independent security researcher said he discovered the data exposure while shopping around for student loan lenders online. Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.
Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "date of birth" field let him pull a person's credit score. He even built a handy command-line tool to automate the lookups, which he dubbed "Bill's Cool Credit Score Lookup Utility." Experian identified which lender was exposing its API, and that API access has been disabled.
Impact: Hundreds or even thousands of companies use the same API, and many of those lenders could be similarly leaking access to Experian's consumer data.
Cause: The Experian API could be accessed directly without any sort of authentication, and the date-of-birth field was not validated
Reference: Krebs on Security
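The two weaknesses described above, an API reachable without authentication and a date-of-birth field that accepted all zeros, are both input-handling defects on the lender's side. The following is an added illustration, not Experian's or any lender's code, of how a lookup handler can close them: callers must present a per-lender API key, and the date of birth must parse as a real calendar date before any lookup happens. The lender IDs, keys and score table are constructed placeholders.

```python
"""Hardened credit-score lookup handler (constructed example, not real code)."""
from datetime import date
import hmac

# Constructed per-lender API keys; real deployments would use a secrets store.
LENDER_API_KEYS = {"lender-demo": "demo-key-0000"}
# Constructed score table keyed by (name, address, dob) for offline testing.
SCORES = {("jane doe", "1 main st", date(1990, 5, 17)): 742}
# Audit trail of refused requests, the raw material for detection rules.
AUDIT = []

def strict_parse_dob(raw):
    """Accept only an 8-digit YYYYMMDD string that is a real, plausible date.

    Sentinel values such as "00000000" fail here instead of being forwarded
    to the scoring backend, which is the gap the lender site left open.
    """
    if len(raw) != 8 or not raw.isdigit():
        raise ValueError("dob must be 8 digits in YYYYMMDD form")
    try:
        dob = date(int(raw[:4]), int(raw[4:6]), int(raw[6:]))
    except ValueError as exc:  # year 0, month 13, 30 February, ...
        raise ValueError("dob is not a calendar date") from exc
    if not date(1900, 1, 1) <= dob <= date.today():
        raise ValueError("dob outside plausible range")
    return dob

def lookup_score(lender_id, api_key, name, address, dob_raw):
    """Return (status, score). Status is one of ok, unauthenticated,
    invalid_dob or no_match; score is None unless status is ok."""
    expected = LENDER_API_KEYS.get(lender_id)
    # Constant-time comparison so key checking does not leak timing.
    if expected is None or not hmac.compare_digest(
            api_key.encode(), expected.encode()):
        AUDIT.append(("unauthenticated", lender_id))
        return ("unauthenticated", None)
    try:
        dob = strict_parse_dob(dob_raw)
    except ValueError as exc:
        AUDIT.append(("invalid_dob", lender_id, str(exc)))
        return ("invalid_dob", None)
    score = SCORES.get((name.lower(), address.lower(), dob))
    if score is None:
        return ("no_match", None)
    return ("ok", score)

if __name__ == "__main__":
    print(lookup_score("lender-demo", "demo-key-0000",
                       "Jane Doe", "1 Main St", "00000000"))
```

A spike of `invalid_dob` or `unauthenticated` entries in `AUDIT` from one lender ID is the signal a defender would alert on, since bulk lookups with sentinel values are exactly what the researcher's automated tool would produce.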
Russian hackers hit 150 firms in latest cyber attack: Microsoft
Russia-based hackers from the group named 'Nobelium' have targeted around 3,000 email accounts across 150 organisations.
'Nobelium' launched the attacks by gaining access to the Constant Contact account of USAID. Constant Contact is a service used for email marketing. From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, dropped a malicious file used to install a backdoor Microsoft calls NativeZone. This backdoor could enable a wide range of activities, from stealing data to infecting other computers on a network.
Impact: 3,000 email accounts across more than 150 different organizations were targeted by the attackers
Cause: Phishing attacks launched by Nobelium.
Reference: ET CISO
1.7 million affected by hack of top Japan dating app
The personal data of more than a million users of one of Japan's most popular dating apps may have been exposed by a hack, its operator has warned. Net Marketing Co, which runs the Omiai app, said it detected unauthorised access in April to the server that stores member information.
Images of driving licences and passports that had been submitted for age verification were among the data compromised between April 20 and 26, the company added. Credit card information was not affected, as it is processed separately through a financial institution.
Impact: 1.71 million users were affected
Cause: Unauthorised access to the server that stores member information.
Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks
SharePoint servers are being picked at with high-risk, legitimate-looking, branded phishing messages and preyed on by a ransomware gang exploiting an old bug. A phishing campaign discovered by researchers at Cofense is draping itself in a Microsoft Office SharePoint theme and successfully bypassing secure email gateways (SEGs).
The phish targets Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email signature. The campaign cropped up in an environment that is supposed to be protected by Microsoft's own SEG. Cofense notes that red flags include the fact that the user's name is not present in the opening message, an indication that it is a mass-distribution campaign intended to reach many targets.