Hacked! Lessons From Recent Cyber Attacks

With Cybersecurity Awareness Month in full swing, it is a good time to take a look at threat actor activity over the last 12 months. This blog post highlights five recent high-profile cyber attacks and outlines some lessons to help improve your company’s cyber defenses.

MOVEit Data Breach

Where else to start but with a large-scale breach whose ramifications continue to reverberate across different sectors and companies? In May 2023, the notorious ransomware gang Clop began exploiting a zero-day vulnerability in Progress Software’s MOVEit managed file transfer solution. The exploit affected over 1,000 organizations, including oil and gas multinational Shell, the UK state broadcaster BBC, and the US Department of Energy.

Research shows evidence that Clop threat actors actually uncovered the zero-day SQL injection vulnerability in MOVEit two years before exploiting it. Clop obtained data from such a wide variety of companies by stealing the files those companies had stored on their MOVEit file transfer instances. Because the SQL flaw could be leveraged to execute arbitrary code, it enabled Clop threat actors to install the LEMURLOOT web shell as a backdoor and exfiltrate data.

With a zero-day vulnerability like this for which no patch existed at the time of exploitation, many companies assume that a breach is inevitable. However, there are some important takeaways here that demonstrate the importance of effective third-party risk assessment and supply chain security practices. 

  • Taking a look at the companies that avoided much of a fallout from the MOVEit breach shows that their footprint on MOVEit instances was minimal. In other words, as soon as they completed any file transfers using the tool, they removed those files from their MOVEit instances. This shows the importance of assessing third-party risks and making it an ongoing practice to minimize those risks in whatever way possible. 

  • A second takeaway relates to supply chain visibility. When companies like British Airways and the BBC had data stolen from this breach, they didn’t get directly compromised as a result of using the MOVEit tool. However, Zellis, a payment provider for these organizations, was breached, which led to threat actors accessing data belonging to Zellis’ clients. These hidden risks highlight the value of knowing not only what third-party tools you directly rely on, but also what types of external solutions your company’s partners and service providers rely on. 

Royal Mail Ransomware

Attacks that disrupt vital services like postal or courier companies are always concerning due to their cascading impacts and wide reach. Royal Mail is the United Kingdom’s primary postal service and courier company; in January 2023, it emerged that the organization got hit by LockBit ransomware, which led to a severe service disruption on international mail and parcel deliveries. 

Royal Mail workers were alerted to the attack when the printers for international deliveries began printing ransom notes with the text, “Lockbit Black Ransomware. Your data are stolen and encrypted.” Negotiations ensued, and the threat actors demanded a ransom of $80 million to decrypt several important files and systems central to the postal company’s international operations. Royal Mail’s board members took a hardline stance on this demand, saying they wouldn't pay the ransom under any circumstance.

Tracing the root cause of this ransomware attack, it appears that an unnamed employee opened a phishing email containing a malicious file or link. It took a full six weeks before the company resumed its normal overseas deliveries. From this attack, there are a couple of useful cybersecurity takeaways:

  • Ransomware remains a considerable security threat, and the attack vectors that allow hackers access to companies’ technology infrastructures often stem from basic security mistakes like clicking malicious links in phishing emails. That shows why ongoing cyber awareness training is crucial.

  • CISA includes postal and shipping as part of critical infrastructure in the transportation sector. Ransomware gangs continue to target critical infrastructure in the hopes of landing a hefty payday by causing intolerable levels of societal disruption. Organizations in these sectors should be particularly vigilant about ransomware attacks and implement proactive measures, including simulated attacks, network segmentation, and limiting user privileges. 

MGM Resorts Breach

A threat group named Scattered Spider managed to cause mayhem at hotel and entertainment giant MGM Resorts using social engineering tactics in September 2023. With the company forced to shut down much of its internal network to limit the blast radius of the attack, guests at hotels reported that ATMs, slot machines, and even room key cards were not working.

The threat actors gained administrative privileges on MGM Resorts’ Okta and Azure environments with social engineering techniques. The first step was to look on LinkedIn for an IT support employee at MGM Resorts. The next step involved calling the company’s helpdesk and posing as that employee to get access to an internal system. Estimates put the cost of this breach to MGM Resorts at $100 million.

So, what are the lessons here?

  • While it doesn’t involve anything technical, social engineering is still an efficient and effective way to gain initial access to company networks. Expect to see more threat groups who specialize in targeting companies via social engineering. All this cyber attack took was a LinkedIn search and a phone call to cause havoc on a multimillion-dollar business. 

  • Employees continue to fall victim to these scams, but the blame doesn’t lie with those who get duped. The underlying problem is a lack of effective security training and awareness that goes beyond merely reminding people about the threat of social engineering and actually provides real-world experience of the types of scams they might see.

T-Mobile Exploit

After already suffering the reputational hit and class action costs from a 2021 data breach, things got worse for T-Mobile in January 2023 when a hacker managed to access the personal information of 37 million account holders. This cyber attack exploited flaws in an application programming interface (API) to siphon information from internal databases. According to T-Mobile’s statement about the incident, all of the data gleaned about customers was basic, but that wording is unlikely to offer much comfort to people concerned about fraud or privacy issues.

Some aspects of this attack to learn from are:

  • As companies continue to open up APIs to drive business growth and encourage innovation, robust API security grows in importance. Threat actors are adept at finding and exploiting vulnerabilities in APIs that are often straightforward to prevent and detect. 

  • On the topic of detection, companies should pay attention to API security through not only the lens of proper authentication and authorization but also behavioral analysis and anomaly detection. While T-Mobile contained the incident within a day of discovery, the damage was already done by then. Faster detection could’ve flagged potential API abuse by monitoring API calls, request rates, throughput, and other metrics for anomalies that deviated from normal activity.
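To make the detection point concrete, here is an added example (not code from the original post or from T-Mobile) that runs a simple per-client baseline check over constructed API access-log lines: it flags any client whose request rate in a 60-second window, or whose number of distinct account IDs touched in that window, exceeds what normal activity would look like. The log format, client names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines: timestamp, API client, method, path, status.
# client-web behaves like a normal front end; client-x walks through many accounts quickly.
SAMPLE_LOG = [
    "2023-01-05T10:00:00 client-web GET /api/v1/accounts/1001 200",
    "2023-01-05T10:00:12 client-web GET /api/v1/accounts/1001/bills 200",
    "2023-01-05T10:05:00 client-web GET /api/v1/accounts/1002 200",
] + [
    f"2023-01-05T10:10:{i:02d} client-x GET /api/v1/accounts/{5000 + i} 200"
    for i in range(30)
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ACCOUNT_RE = re.compile(r"/accounts/(\d+)")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, path, status = m.groups()
    acct = ACCOUNT_RE.search(path)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "path": path, "account": acct.group(1) if acct else None,
            "status": int(status)}


def detect_api_abuse(lines, window=timedelta(seconds=60), max_requests=20, max_accounts=10):
    """Return {client: [reasons]} for clients that exceed the request-rate or
    distinct-account thresholds within any sliding window of the given length."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)
    alerts = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            distinct = {r["account"] for r in in_window if r["account"]}
            reasons = []
            if len(in_window) > max_requests:
                reasons.append(f"{len(in_window)} requests in {window.seconds}s")
            if len(distinct) > max_accounts:
                reasons.append(f"{len(distinct)} distinct account IDs in {window.seconds}s")
            if reasons:
                alerts[client] = reasons
                break  # one alert per client is enough
    return alerts
```

In production the thresholds would come from a learned baseline per client and endpoint rather than fixed numbers, but the signal is the same: a single caller touching far more records, far faster, than its normal usage.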

Clorox Attack 

In an incident that echoed the attack on MGM Resorts, American manufacturer Clorox got hit by a severe cyber attack in August 2023. The attack caused large-scale disruption to key operations, including product shortages and delays in the ability to process orders. The suspected threat group is Scattered Spider, the same group that hit MGM Resorts.

The company brought in third-party cybersecurity experts to help respond to the attack, and it took several weeks to get operations back to normal. A statement released by the company highlighted that the cyber attack’s impact was a projected 28% decrease in net sales. Company executives have remained tight-lipped on exactly what happened, but many within the security community agree that it bears the hallmarks of a ransomware attack that impacted operational technology. 

As far as lessons from this incident go:

  • The heavy impact on the company’s revenue shows just how damaging cyber attacks can be, particularly when they disrupt a company’s ability to continue normal operations. 

  • Ransomware is bad enough when it just hits IT systems and data, but for manufacturers lacking effective network segmentation or traffic filtering, the spread of ransomware across the IT/OT boundary into OT systems amplifies the impact of these attacks by many orders of magnitude. 

Conclusion

A common link tying these attacks together is a lack of preparedness that caught cyber defense teams and employees off guard. And when it comes to being truly ready for modern cyber attacks, exposure to live attack scenarios is invaluable.

Cloud Range provides a virtual cyber range-as-a-service platform for replicating your unique network environment and helping to practice, detect, and respond to cyber attacks. Our attack scenarios cover ransomware, spear phishing, normal phishing, supply chain attacks, and more.  

Request your demo here.

