While stressful and costly to the victim, hacks can also be an opportunity for onlookers to learn how to prevent getting breached. Hacks create an opportunity to think creatively about company and personal security and a challenge to meet today’s evolving threatscape.
This article will look at how major reputable companies fell to small mistakes. You don’t have to be a corporate giant to be targeted. In fact, 43% of all hacks in 2019 occurred to small and medium businesses, not giant corporations.
This article will highlight a few notable hacks and takeaways to keep you from being on a list like this. Skip down to the take-aways if you don’t feel like reading.
Media Source: Giphy
1 – NotPetya Malware, 2017
The Hack Headline: Cyberattack Hits Ukraine Then Spreads Internationally
Widely considered the most destructive malware ever released, the NotPetya Attack was a Russian-backed attack against Ukraine. While it hit its mark and took down the Ukraine power grid, it also had serious consequences globally. NotPetya was a variation of an earlier ransomware called Petya, but a couple key differences included that NotPetya only pretended to be ransomware, but had no decryption key or way to collect ransom, and it spread on its own. Petya was a true ransomware and required the victim to download it (usually through phishing email) to take effect. NotPetya spread through computers running on anything older than Windows 10 and used the EternalBlue hack to exploit a Microsoft hole. Although the hole had already been patched by MS17-010, there were enough computers without the patch for NotPetya to spread rampantly.
In the case of NotPetya, there was no way to return the encoded files. Anything touched by NotPetya was irreversibly damaged.
Because there was no “kill-switch” to stop it, NotPetya spread internationally causing $10 billion in damages all was said and done.
Take Away Mantra: Take Software Patches Seriously
Apply patches ASAP – Not at your earliest convenience. If a company is releasing a patch, that means the issue is serious enough that it cannot wait until the next point release.
2 – Solar Winds Supply-Chain Hack of 2020
The Hack Headline: SolarWinds backdoor used in nation-state cyber attacks
Solar Winds is a software company out of Tulsa, Oklahoma that has an IT performance management product called Orion. When a group of hackers got access to the system they were able to send out software updates injected with malicious code. This update was downloaded by over 30,000 companies providing a backdoor for the hackers directly to government agencies and large enterprises globally.
Take Away Mantra: Pay attention to traffic & DNA
Set up a network traffic analyzer. Review your computer’s event log and determine the expected legitimate connections made over the course of a week. Set up an alert in your security system for any new or unknown connections made. When you are dealing with personal data and government secrets, it is OK to be paranoid.
Additionally, an identity-based verification system would have prevented the attack. Companies with high levels of physical security clearance should consider biometric authentication to protect their digital assets. It exists as iris or retina scans, face scans, and fingerprint scans as an access requirement. There are weaknesses in multi-factor authentication that only biometric authentication can truly ace.
Media Source: Giphy
3 – Yahoo’s Data Breach of 2013
The Hack Headline: Every Single Yahoo Account was Hacked – 3 Million in All
The Yahoo hack of 2013 was all the more devastating because it occurred from something as preventable as an employee unwittingly clicking on a phishing email with a malicious attachment. Once the employee clicked on the attachment, malware was downloaded that gave the hackers remote access to the system, also called a RAT (Remote Access Trojan).
Take Away Mantra: You are as strong as your weakest link
It just took one employee clicking on a malicious email to bring down all of Yahoo. If you can’t verify where the email came from, do not open it or it’s attachments. Confirm with a contact by reaching out to the person or company directly through a separate communication channel or the IT security team if there is one. Do beware that the attackers can pretend to be anyone, from the CEO to a FedEx delivery person.
4 – The Social Engineering Embarrassment for USA in 2016
The Hack Headline: Hacker Leaks Info of 30,000 FBI and DHS Employees
A 15-year-old leader of a hacker group called Crackas With Attitude was able to use social engineering to break into 61- year-old CIA director John Brennan’s AOL account. He did this by pretending to be a Verizon worker and tricked another Verizon employee into revealing Brenna’s personal information.
Media Source: Giphy
He then used the account to gain access into the US Government’s intelligence systems and operations. From there he doxxed the FBI, the CIA, homeland security and the department of justice, dumping contact information and identities across the internet. Needless to say, this was a huge embarrassment for the US government.
Take Away Mantra: Don’t reuse your passwords & protect them with 2FA/MFA
Not every company has the same level of scrutiny when providing access to account passwords. This is why it is important not to be the 52% that use their passwords for multiple accounts, and to make sure your security questions do not have easy-to-find answers like pet names, or birthdays. Protect your passwords with two-factor authentication or multi-factor authentication to add an additional layer of protection between you and a brute force attack.
5 – CitiGroup Hacked Due To An Overlooked Entry Point in 2011
The Hack Headline: Thieves Found CitiGroup site an easy entry
360k Citigroup accounts were exposed due to an overlooked and easily avoidable flaw called an insecure direct object reference (IDOR). OWASP has warned against IDOR for years in the category of Broken Access Control, including in their 2013 top ten vulnerabilities list. IDOR happens when a reference to an internal implementation object is exposed to users who are not intended to have access.
The hacker simply changes the parameter value that the direct object references to access additional data. In this case, all the hackers had to do was swap out their personal account numbers in the browser address bar with other numbers. The hacker wrote a script to guess at hundreds of thousands of different possible account numbers, gaining access to accounts through brute force.
Take Away Mantra: Don’t forget to lock the front door too
What makes this hack so notable is how easy it is to avoid. Don’t forget to check the boxes on the simple things too when securing your website.
6 – The 2016 Bangladesh Bank Heist – The Almost Largest Bank Heist in History
The Hack Headline: That Insane, $81M Bangladesh Bank Heist? Here’s What We Know
State-sponsored North Korean hackers were able to break into the Bangledesh Central Bank and steal local admin rights / credentials. With that level of access, the users were able to elevate privilege. They installed a monitoring software that allowed them to see how the system’s secure messaging platform worked. The platform allowed them to gain access to the interbank communication system called SWIFT. The attackers used their credentials to send messages and initiate fraudulent transactions.
What stopped the hack from being a complete success was a careless spelling error. The misspelling of the NGO’s name, Shalika foundation’ as Shalika ‘fandation’ ultimately disrupted the $1 billion transfer attempt, leaving the hackers to get away with just $81 million. Even hackers get caught when they don’t check their work for mistakes!
Take Away Mantra: Less Is More
Do not grant local admin rights to business users. It can allow for downloads of softwares and (unwittingly) malware that can jeopardize your entire network or create the opportunity for privilege creep and escalation. Only give employees the privileges that they require to do their job and only for the amount of time required to accomplish it.
7 – The Capital One Data Theft of 2019
Hack headline: A hacker gained access to 100 million Capital One credit card applications and accounts
An ex-Amazon employee was able to exploit a misconfigured Web Application Firewall ( WAF). She tricked the WAF into relaying requests to a back-end resource on the AWS platform where she was able to escalate privileges. This is considered a Server-side Request Forgery (SSRF) attack.
According to a study by Varonis, 65% of companies have over 1,000 stale user accounts, with outdated permissions.
Take Away Mantra: Keep exes in the past.
Delete all account credentials associated with ex-employees the same hour they resign or are let go to avoid risk of retribution.
Conclusion
You don’t have to be the smartest person in the room to learn from the mistakes of others. The road back to status quo after a hack is steep and blocked with financial obstacles from real sales loss, client compensation, and class action settlements from data exposure. Not only that, 25.6% of hack victims surveyed by Sucuri claimed to suffer damage to their brand reputation.
Don’t be the next victim. Stay well read on the latest threats and educate yourself on basic cyber-threat literature like OWASPs top 10 vulnerabilities. Take advantage of free tools, like Sucuri’s malware/infection scanner. And, when in doubt, consult a security analyst so little mistakes don’t cause you big hack headaches.
Take Away Mantras Checklist:
- Take software patches seriously ( as in within the hour) – NotPetya
- Pay attention to traffic & DNA (it pays to be paranoid) – Solar Winds
- You are as strong as your weakest link (or your least educated employee)- Yahoo
- Don’t reuse your passwords & protect them with 2FA/MFA (or you might embarrass your county) – Social Engineering Attack Against US Agencies
- Lock the front door too (not just the back door) – CitiGroup
- Less is More (as far as access goes) – The Bangledesh Bank Heist
- Keep Exes in the Past (ex employees that is) – Capital One
Denis Sinegubko
Moe O
Ben Martin
Tony Perez
Luke Leal
Peter Gramantik
Art Martori
Yuliyan Tsvetkov
Juliana Lewis