The Inner Circle

 View Only

Hacker Tracker: November 2022 (When, What, Method of Attack, Current Fallout)

  • 1.  Hacker Tracker: November 2022 (When, What, Method of Attack, Current Fallout)

    Posted 16 days ago

    November 2022 Hacker Summary (source: https://www.beyondidentity.com/blog/hacker-tracker-november-2022)

    The third quarter of 2022 saw a sharp, 28% increase in global cyberattacks compared to the same period in 2021.

    Unfortunately, the wave of cybercrime hasn't shown any sign of relenting. American Airlines, Medibank, and Los Angeles Unified School District (LAUSD) are among the big names targeted recently. 

    Many of these were suspected or confirmed incidents of hackers using phishing tactics to bypass traditional multi-factor authentication systems. The consequences often include severe financial costs, loss of consumer trust, and millions of people left at risk of identity fraud.   

    Read on to learn more about some of the high-profile cyberattacks of the past month. 

    American Airlines

    When it happened 

    Unconfirmed. The data breach was discovered in July 2022 and a consumer notification letter was sent out on September 16. 

    What happened 

    According to American Airlines, they suffered a phishing attack that led to the sensitive personal data of a small number of customers and employees being stolen. 

    Method of attack 

    American Airlines' internal investigation determined that the attacker successfully targeted employee email addresses with a phishing campaign. This allowed the attacker to gain access to personal data of customers and employees contained within those email accounts. 

    The fallout so far

    Passport details and driver's license numbers were among the data stolen. So although American Airlines is providing the individuals whose data was accessed with 24 months of credit monitoring through Experian, victims may be at risk of identity theft for life. 

    Thomson Reuters

    When it happened 

    October 21 - October 26, 2022 (according to limited analysis

    What happened

    A database leak led to 3TB of media conglomerate Thomson Reuter's customer and corporate data being exposed, including sensitive information like unencrypted third-party passwords. 

    Method of attack

    Thomson Reuters left the three databases in question unsecured and accessible to everyone for several days, before realizing their mistake. But malicious bots can detect open databases of this kind very rapidly, so this data will likely have been obtained by cybercriminals. 

    The fallout so far

    As confidential information about internal network elements was exposed, there is now a significant risk of a supply-chain attack against one of Thomson Reuters' business customers. Leaked login data has also opened up the risk of social engineering attacks. 

    Medibank

    When it happened

    "Unusual activity" on Medibank's network was first reported on October 12, 2022. 

    What happened

    In an absolutely devastating attack, cybercriminals gained access to all of the customer data, and a large proportion of the health claims data, of Australian medical insurer Medibank. As many as 3.9 million people are affected.

    Method of attack

    According to a Financial Review report, it is believed that the login credentials of an individual with high-level access to Medibank's IT systems were stolen using either malware or phishing tactics. This was possible because the company did not have phishing-resistant MFA systems in place. These details were later sold to a hacker on a Russian forum, who then breached their systems and encrypted data. 

    The fallout so far

    Medibank's stock price has fallen significantly and the company has estimated that the financial hit of the attack will be $25 to 35 million (AUD), not including potential compensation, fines, and legal costs. The reputational cost is harder to put a price tag on, but will be steep and long-lasting. 

    Toyota

    When it happened

    December 2017 - September 15, 2022

    What happened

    Toyota has admitted in a data breach notice that it accidentally left an access key publicly available on GitHub, meaning the email addresses and customer control numbers of almost 300,000 customers may have been leaked. Upon discovery, Toyota immediately made the source code private. 

    Method of attack

    Despite this data having been publicly accessible for years, Toyota says it has found no evidence that a third party abused the exposed information. However, as the company itself acknowledges, there's still a strong possibility it has been.

    The fallout so far

    The exposed data was less sensitive than many other high-profile cyberattacks, but almost 300,000 affected customers will have to remain vigilant against email phishing. 

    MyDeal

    When it happened

    October 10, 2022

    What happened 

    A cybercriminal stole personal data belonging to 2.2 million customers of MyDeal, an Australian ecommerce company, and then sold this data on a dark web marketplace. 

    Method of attack

    The attacker used compromised employee credentials to gain access to MyDeal's Customer Relationship System and steal the data in question. How these credentials were obtained has not been disclosed, and we don't know if the attacker gained access to the company's wider network. 

    The fallout so far

    Although sensitive data like payment details and ID numbers were not obtained, MyDeal has had to apologize to its customers and warned them to watch out for phishing attacks. MyDeal was recently acquired by Woolworths, but the IT systems of the two companies have not yet been integrated. Had they been, the fallout would have been much worse. 

    LAUSD data leak

    When it happened

    October 1, 2022

    What happened 

    Over Labor Day weekend in September, the Los Angeles Unified School District (LAUSD)-which contains over 1,000 schools-suffered an attack carried out by Vice Society, a Russian hacking group that targets educational institutions. The LAUSD refused to pay a ransom the cybercriminals demanded, so the hackers released 500GB of data, including sensitive financial information, Social Security numbers, and health and legal records. 

    Method of attack

    The Vice Society, in this attack and others, have used ransomware methods to target their victims. However, experts have noted that their tactics are not innovative or remarkable

    The fallout so far

    The LAUSD has sought to downplay the significance of the attack, but it's clear the data released was sensitive enough to lead to consequences like identity theft for those individuals affected.

    Michigan Medicine 

    When it happened

    August 15 - 23, 2022

    What happened

    Michigan Medicine notified 33,850 patients of a data breach that may have led to their health data being stolen. 

    Method of attack

    Michigan Medicine was inadequately protected by legacy MFA. This allowed the attacker to successfully trick four employees into entering their login details on a phishing webpage and then into accepting MFA alerts, giving the cybercriminal access to their accounts. 

    The fallout so far

    According to Michigan Medicine, they've found no specific evidence of data theft, but it's still a strong possibility this is exactly what's happened. Michigan Medicine has apologized and pledged to put better safeguards in place, but it's not clear if this includes phishing-resistant MFA. 

    Bed Bath & Beyond

    When it happened

    October 2022

    What happened

    In a recent SEC filing, home retailer Bed Bath & Beyond provided limited details of a cyberattack it suffered in October.

    Method of attack

    Phishing tactics were used to target an employee, allowing the attacker to gain access to the individual's hard drive and shared drives. 

    Fallout so far

    Bed Bath & Beyond have said that they are reviewing whether the drives contained sensitive or personal data, adding that they have no reason to believe such information was accessed. But until all of the evidence is gathered and released, we can't be sure of this.

    Other news 

    Nvidia RTX 4090

    A security expert revealed that the new Nvidia RTX 4090 is twice as fast at cracking passwords as the previous best model, the RTX 3090. This technology is useful for system administrators who need to crack passwords-which means it's also useful for cybercriminals. 

    Microsoft investigation into misconfigured endpoint

    Microsoft has provided an update on its investigation into one of its endpoints being misconfigured, potentially allowing unauthorized access to business transaction data. The company says it has fixed the issue and has found no evidence of its data or systems being compromised.

    New CISA guidance on MFA

    CISA has issued new guidance urging organizations to move away from older forms of MFA, highlighting the risks these antiquated protections face and saying that phishing-resistant MFA is now essential.



    ------------------------------
    Joel McNamee
    Director
    Beyond Identity
    ------------------------------