November 2022 Hacker Summary (source: https://www.beyondidentity.com/blog/hacker-tracker-november-2022)
The third quarter of 2022 saw a sharp 28% increase in global cyberattacks compared to the same period in 2021.
Unfortunately, the wave of cybercrime hasn't shown any sign of relenting. American Airlines, Medibank, and Los Angeles Unified School District (LAUSD) are among the big names targeted recently.
Many of these were suspected or confirmed cases of attackers using phishing to steal credentials and get past traditional multi-factor authentication, which only proves that someone holds a code or can tap "approve," not that they are on the genuine site. The consequences often include severe financial costs, loss of consumer trust, and millions of people left at risk of identity fraud.
Read on to learn more about some of the high-profile cyberattacks of the past month.
American Airlines
When it happened
Unconfirmed. The data breach was discovered in July 2022 and a consumer notification letter was sent out on September 16.
According to American Airlines, a phishing attack led to the theft of sensitive personal data belonging to a small number of customers and employees.
Method of attack
American Airlines' internal investigation determined that the attacker successfully targeted employee email addresses with a phishing campaign. That gave the attacker control of the mailboxes themselves, and with it access to the personal data of customers and employees contained in those email accounts, attachments included.
The fallout so far
Passport details and driver's license numbers were among the data stolen. American Airlines is providing the individuals whose data was accessed with 24 months of credit monitoring through Experian, but a passport or driver's license number stays usable for identity fraud long after that window closes, so victims may be at risk for years.
Thomson Reuters
October 21 - October 26, 2022 (according to limited analysis)
A database leak left 3TB of media conglomerate Thomson Reuters' customer and corporate data exposed, including sensitive information such as unencrypted third-party passwords.
Method of attack
Thomson Reuters left the three databases in question unsecured and accessible to anyone on the internet for several days before realizing the mistake. Internet-wide scanners and malicious bots index open databases of this kind within hours, so the data should be assumed to be in the hands of cybercriminals.
As confidential information about internal network elements was exposed, there is now a significant risk of a supply-chain attack against one of Thomson Reuters' business customers. Leaked login data has also opened up the risk of social engineering attacks.
Medibank
When it happened
"Unusual activity" on Medibank's network was first reported on October 12, 2022.
In an absolutely devastating attack, cybercriminals gained access to all of the customer data, and a large proportion of the health claims data, of Australian medical insurer Medibank. As many as 3.9 million people are affected.
According to a Financial Review report, it is believed that the login credentials of an individual with high-level access to Medibank's IT systems were stolen using either malware or phishing tactics. Stolen credentials are only usable this way when the login they protect is not guarded by phishing-resistant MFA, which the company did not have in place. The credentials were later sold to a hacker on a Russian forum, who then breached Medibank's systems and stole the data.
Medibank's stock price has fallen significantly and the company has estimated that the financial hit of the attack will be $25 to 35 million (AUD), not including potential compensation, fines, and legal costs. The reputational cost is harder to put a price tag on, but will be steep and long-lasting.
Toyota
December 2017 - September 15, 2022
Toyota has admitted in a data breach notice that an access key was accidentally left in source code published on GitHub, meaning the email addresses and customer management numbers of almost 300,000 customers may have been leaked. Upon discovery, Toyota immediately made the source code private. Note that making a repository private does not revoke a key that may already have been cloned; the key itself has to be rotated.
Despite the key having been publicly accessible for almost five years, Toyota says it has found no evidence that a third party abused the exposed information. However, as the company itself acknowledges, there is still a strong possibility that it has been.
The exposed data was less sensitive than many other high-profile cyberattacks, but almost 300,000 affected customers will have to remain vigilant against email phishing.
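The Toyota incident is the classic case of a credential committed to source. The usual defence is a secret scanner run as a pre-commit hook or in CI, so the key never reaches a public repository. The block below is an added example written for this summary, not Toyota's or GitHub's tooling: it combines exact-format rules (AWS access key IDs, GitHub tokens, PEM private key headers) with a Shannon-entropy check on long quoted literals assigned to secret-looking names. The files it scans are constructed in the block; the AWS values are the documented placeholder pair from AWS's own examples, not live credentials.

```javascript
// Constructed sample repository contents (not real credentials; the AWS values
// are the documented placeholder pair from AWS's own examples).
const SAMPLE_FILES = {
  'config/prod.env': [
    'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
    'AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'DB_PASSWORD="${DATABASE_PASSWORD_FROM_ENV}"',
  ].join('\n'),
  'deploy/server.pem': [
    '-----BEGIN EC PRIVATE KEY-----',
    '(key material omitted from this constructed sample)',
    '-----END EC PRIVATE KEY-----',
  ].join('\n'),
  'src/client.js': [
    'const apiToken = process.env.API_TOKEN; // read at runtime, nothing to flag',
    "const testPassword = 'aaaaaaaaaaaaaaaaaaaa'; // long but low entropy: ignored",
  ].join('\n'),
};

// Known credential formats that can be matched exactly.
const KNOWN_PATTERNS = [
  // AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase alphanumerics.
  { name: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  // GitHub classic personal access tokens.
  { name: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  // PEM private key headers of any type (RSA, EC, OPENSSH, ENCRYPTED, ...).
  { name: 'private-key-block', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
];

// A quoted literal of 16+ chars assigned to a name that smells like a secret.
const ASSIGNMENT_RE = /(?:key|secret|token|password|passwd|pwd)[A-Za-z0-9_]*\s*[:=]\s*["']([^"']{16,})["']/gi;
const ENTROPY_THRESHOLD = 3.5; // bits per character; random base64/hex sits well above this

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Template placeholders such as ${VAR}, {{var}} or <VAR> are not secrets.
function looksLikePlaceholder(literal) {
  return /^(\$\{|\{\{|<)/.test(literal);
}

// Returns one finding per hit: { path, line, rule, match[, entropy] }.
function scanText(path, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    for (const { name, re } of KNOWN_PATTERNS) {
      re.lastIndex = 0;
      for (let m = re.exec(line); m !== null; m = re.exec(line)) {
        findings.push({ path, line: lineNo, rule: name, match: m[0] });
      }
    }
    ASSIGNMENT_RE.lastIndex = 0;
    for (let m = ASSIGNMENT_RE.exec(line); m !== null; m = ASSIGNMENT_RE.exec(line)) {
      const literal = m[1];
      const entropy = shannonEntropy(literal);
      if (entropy >= ENTROPY_THRESHOLD && !looksLikePlaceholder(literal)) {
        findings.push({ path, line: lineNo, rule: 'high-entropy-literal', match: literal, entropy: Number(entropy.toFixed(2)) });
      }
    }
  });
  return findings;
}

function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

for (const f of scanFiles(SAMPLE_FILES)) console.log(`${f.path}:${f.line} [${f.rule}] ${f.match}`);
```

Run against the constructed tree, the scanner reports the access key ID on line 1 and the high-entropy secret on line 2 of the env file, plus the PEM header, and stays quiet on the environment-variable read, the `${...}` placeholder and the all-`a` test password. A scanner like this only catches what is in the working tree; once a key has been pushed it also lives in git history and in every clone, which is why rotation, not deletion, is the fix.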
MyDeal
October 10, 2022
A cybercriminal stole personal data belonging to 2.2 million customers of MyDeal, an Australian ecommerce company, and then sold this data on a dark web marketplace.
The attacker used a compromised employee credential to gain access to MyDeal's customer relationship management (CRM) system and steal the data in question. How the credential was obtained has not been disclosed, and it is not known whether the attacker reached the company's wider network.
Although sensitive data like payment details and ID numbers were not obtained, MyDeal has had to apologize to its customers and warned them to watch out for phishing attacks. MyDeal was recently acquired by Woolworths, but the IT systems of the two companies have not yet been integrated. Had they been, the fallout would have been much worse.
Los Angeles Unified School District
October 1, 2022
Over Labor Day weekend in September, the Los Angeles Unified School District (LAUSD)-which contains over 1,000 schools-suffered an attack carried out by Vice Society, a Russian hacking group that targets educational institutions. The LAUSD refused to pay a ransom the cybercriminals demanded, so the hackers released 500GB of data, including sensitive financial information, Social Security numbers, and health and legal records.
Vice Society, in this attack and others, has used ransomware against its victims. Experts have noted, however, that the group's tactics are neither innovative nor remarkable.
The LAUSD has sought to downplay the significance of the attack, but it's clear the data released was sensitive enough to lead to consequences like identity theft for those individuals affected.
Michigan Medicine
August 15 - 23, 2022
Michigan Medicine notified 33,850 patients of a data breach that may have led to their health data being stolen.
Michigan Medicine was protected only by legacy MFA. The attacker first tricked four employees into entering their login details on a phishing webpage, then used those credentials to trigger MFA push notifications and got the employees to accept them. Because a push prompt does not tell the user which login it belongs to, an approval handed the cybercriminal access to their accounts.
According to Michigan Medicine, they've found no specific evidence of data theft, but it's still a strong possibility this is exactly what's happened. Michigan Medicine has apologized and pledged to put better safeguards in place, but it's not clear if this includes phishing-resistant MFA.
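The Michigan Medicine pattern, stolen password followed by push prompts until one is accepted, leaves a recognisable trace in authentication logs: several prompts to the same user in a short window, and an approval that follows one or more denials. The detection below is an added example for this summary, not Michigan Medicine's or any vendor's logic. The log format (`timestamp user= event= ip=`), the event names and the sample lines are all constructed for the example; map them onto whatever your identity provider actually emits.

```javascript
// Constructed authentication log, one event per line (not Michigan Medicine's
// real logs). Timestamps are ISO 8601; IPs come from documentation ranges.
const SAMPLE_LOG = `
2022-08-15T09:14:02Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2022-08-15T09:14:40Z user=jdoe event=mfa_push_denied ip=203.0.113.7
2022-08-15T09:15:05Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2022-08-15T09:15:30Z user=jdoe event=mfa_push_denied ip=203.0.113.7
2022-08-15T09:16:10Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2022-08-15T09:16:41Z user=jdoe event=mfa_push_approved ip=203.0.113.7
2022-08-15T09:20:00Z user=asmith event=mfa_push_sent ip=198.51.100.23
2022-08-15T09:20:12Z user=asmith event=mfa_push_approved ip=198.51.100.23
this line is malformed and must be skipped
`.trim().split('\n');

// Assumed line layout for this example; adjust the capture groups for your IdP.
const LINE_RE = /^(\S+)\s+user=(\S+)\s+event=(\S+)\s+ip=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, user: m[2], event: m[3], ip: m[4] };
}

// Two rules evaluated over a sliding window per user:
//  push-burst:            the N-th push prompt inside the window (someone hammering the phone)
//  approval-after-denial: an approval preceded by at least one denial inside the window
function detectPushFatigue(lines, { windowMs = 10 * 60 * 1000, maxPushes = 3 } = {}) {
  const byUser = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue; // unparsable lines are skipped, not fatal
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push(ev);
  }
  const alerts = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    for (const ev of events) {
      const recent = events.filter((e) => e.ts >= ev.ts - windowMs && e.ts <= ev.ts);
      const at = new Date(ev.ts).toISOString();
      if (ev.event === 'mfa_push_sent') {
        const sent = recent.filter((e) => e.event === 'mfa_push_sent').length;
        // fire once, on the prompt that reaches the threshold
        if (sent === maxPushes) alerts.push({ user, rule: 'push-burst', at, ip: ev.ip, pushes: sent });
      } else if (ev.event === 'mfa_push_approved') {
        const denials = recent.filter((e) => e.event === 'mfa_push_denied').length;
        if (denials > 0) alerts.push({ user, rule: 'approval-after-denial', at, ip: ev.ip, denials });
      }
    }
  }
  return alerts;
}

for (const a of detectPushFatigue(SAMPLE_LOG)) console.log(JSON.stringify(a));
```

On the sample log `jdoe` produces two alerts (a burst of three prompts, then an approval after two denials) and `asmith`, who approved a single prompt, produces none. Both rules are signals for an analyst, not proof; the durable fix is number matching or, better, an authenticator that cannot be approved for a login the user did not start.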
Bed Bath & Beyond
In a recent SEC filing, home retailer Bed Bath & Beyond provided limited details of a cyberattack it suffered in October.
Phishing tactics were used to target an employee, allowing the attacker to gain access to the individual's hard drive and shared drives.
Fallout so far
Bed Bath & Beyond have said that they are reviewing whether the drives contained sensitive or personal data, adding that they have no reason to believe such information was accessed. But until all of the evidence is gathered and released, we can't be sure of this.
Nvidia RTX 4090
A security expert revealed that the new Nvidia RTX 4090 is roughly twice as fast at cracking passwords as the previous best consumer card, the RTX 3090. The speed-up matters most for fast, unsalted hash formats such as NTLM, MD5 and the plain SHA family; deliberately slow, salted schemes such as bcrypt, scrypt and Argon2 with a sensible cost factor blunt it considerably, and it is irrelevant to logins that do not rely on a password at all. The same hardware is useful for system administrators who need to audit password strength, which means it is also useful for cybercriminals.
Microsoft investigation into misconfigured endpoint
Microsoft has provided an update on its investigation into one of its endpoints being misconfigured, potentially allowing unauthorized access to business transaction data. The company says it has fixed the issue and has found no evidence of its data or systems being compromised.
New CISA guidance on MFA
CISA has issued new guidance urging organizations to move away from older forms of MFA, highlighting the risks these antiquated protections face and saying that phishing-resistant MFA is now essential. CISA's fact sheets name FIDO/WebAuthn and PKI-based authentication as the phishing-resistant forms, and recommend number matching as a stop-gap for organizations still relying on push-notification MFA.