The Cyber Feed


Our Latest Findings

We’re only a month into 2016, yet between the end of 2015 and now we’ve already uncovered several big cyberattacks that big companies have fallen victim to.

Faithless, Citrix, and JD Wetherspoon were each hacked through different methods, but the outcomes were similar: threat actors gained access to high-profile digital assets, and by the time each company learned of the attack, the damage had already been done, every single time.

Cyber threats evolve and change as each day goes by. If you want to keep up with the bad guys, you need to track them in real time and know what they’re going to do before they do it. It’s not enough to leave this work to your defenses: firewalls and antivirus software are mandatory, but on their own they can’t keep you safe.

You need to go one step further and step beyond the perimeter. You need to be proactive, and know how to mitigate threats before they start to materialize. Once threats have materialized, the prevention you’re capable of will no longer keep you completely covered.

Nobody wants to be the guy who gets attacked right after watching the guy next to him become a victim. To learn from your friends’ mistakes, you need to know how not to repeat them.

The first step is knowing what you want and need to avoid:


Faithless

Weapon of Destruction: SQL injection

The hack was carried out through an SQL injection that uploaded a single piece of malware to the website, getting past the site’s defenses. How did this happen?

Simple: a threat actor named “Foxi” managed to perform an SQL injection against the website of the dance act Faithless and extracted masses of the band’s customer data. Foxi then offered the stolen data for sale on a hacking forum, where he sells a lot of similar stolen data, too.

The stolen data includes personal email addresses and the passwords used to access the site. Cyber criminals have an incentive to sell (and buy) this data online, as they can use it to obtain additional personal information (e.g. credit card and banking details) and, in rarer cases, to take over the victims’ computers.

Our Argos Cyber Threat Intelligence system spotted the breach back in September, when it picked up that a Faithless database was being sold on the Dark Web. The stolen database was visible to our intelligence system because of its real-time collection capabilities, which identify stolen goods as they are being exchanged on hacking forums, paste sites and a variety of other sources.

While the Faithless website’s issues were indeed fixed, the company didn’t publicize that it had been hacked, effectively leaving the 18,000 fans whose private information was compromised unaware of their status as victims.

Knowledge didn’t prove very useful in the case of Faithless, because by the time the site admins knew about the breach, it was too late for them to do anything. As for the fans (the victims), at least they now know that they should be extra careful about suspicious emails they may receive.


Citrix

Weapon of Destruction: an insecure password

US software company Citrix, which specializes in virtualization and cloud computing, has reportedly been compromised by a Russian hacker called w0rm.

w0rm claims to have accessed Citrix’s content management system on their network via an insecure password. From there, w0rm was able to exploit a series of security holes, gaining access to the company’s administrative system, including the remote assistance system.

w0rm’s attack showed that he had gained access to all of Citrix’s customers through the administrative system.

Because Citrix offers a platform for remote assistance, the attacker had the option to bypass customers’ security systems and upload malware undetected, ultimately reaching every endpoint of every existing Citrix customer.

Because w0rm chose not to take the route of bypassing customer security systems, he spared Citrix’s customers (and Citrix itself) heavy losses. w0rm could easily have accessed sensitive customer information by keylogging what they typed, or even used their endpoints as a botnet to run DDoS attacks.

Citrix should really consider themselves lucky, because had w0rm pursued the access he managed to obtain, they wouldn’t have known about it until after the fact (until Citrix learned of the data being stolen), as his actual hacking activity would have been effectively undetectable.

This has now been addressed by Citrix’s CSO, Stan Black. In his post, Black explains that what w0rm accessed was an old marketing server with anonymous access, which does not put Citrix customers in any danger.

CyberInt’s technology prevents exactly the type of attack that Citrix fell victim to. Unfortunately, the damage that CyberInt is capable of preventing can only be appreciated once it’s already too late. One message companies can take from the Citrix breach is that if they want to withstand cyber attacks, they need to be proactive about their cyber resilience.

JD Wetherspoon

Weapon of Destruction: ??

Another company that suffered the consequences of a non-proactive cybersecurity approach is JD Wetherspoon, one of the UK’s largest pub chains. The JD Wetherspoon breach was identified by CyberInt’s Argos Cyber Threat Intelligence Platform, but only inadvertently, while CyberInt’s Cyber Intelligence team was investigating a different case on the Dark Web.

This platform employs a proactive approach to cybersecurity by patrolling cybercrime forums on the Dark Web.

On the Dark Web, the CyberInt platform found that the data of 656,723 customers had been stolen, including email addresses, phone numbers, dates of birth and credit and debit card details.

This figure doesn’t include the 15,000 staff members whose personal information was also stolen, making the breach 4 times bigger than the infamous TalkTalk breach that occurred 2 months earlier.

Based on the similar experiences of Faithless and Citrix described above, the potential outcomes of the JD Wetherspoon breach are pretty obvious, especially in that once the breaches were made known, it was already too late to prevent them.

For example, the JD Wetherspoon attack took place in June 2015, yet was only identified 6 months later, and by a platform that wasn’t explicitly searching for it. JD Wetherspoon only learned that it had been hacked by luck of the draw, and even so, it found out 6 months too late.

The only way JD Wetherspoon could have prevented a breach of this scale is by being proactive about enforcing its cybersecurity. By nature, hacker threats are inherently undetectable.

Once they start materializing, the cybersecurity that can handle these hackers can only succeed if it can detect threats in real time. Otherwise, it’s too late to stand a chance of preventing them, or to stand against the hackers at all.

In other words, without being proactive about your cyber resilience, whatever you do may just be too little, too late.