In our June review of the biggest IS incidents, we will explore recent incidents where one single click has stopped the operations of an entire company, sales managers provided hackers with client information, and data from the largest companies was leaked.
SNOWLEAK
What happened: Snowflake, the largest cloud service provider, fell prey to a cyber attack.
How it happened: Unidentified actors attacked Snowflake and obtained data on the company’s customers. The exact number of victims is still unknown. However, it is supposed that this leak could be one of the largest in history, as giants like AT&T, HP, MasterCard, etc. had been using Snowflake services.
Currently, hackers are exploiting stolen usernames and passwords to bypass MFA and gain access to customers' cloud accounts. According to media reports, at least 160 accounts have been compromised. Customer or employee data from Santander, Ticketmaster, and Advance Auto Parts has already been put up for sale.
Initially, Snowflake denied the attack and even demanded that the Hudson Rock information security company delete a report claiming that the cloud service provider fell victim to a cyberattack. Nevertheless, the company admitted the leak later due to the compromise of employee credentials through information stealers.
TWO-WEEK HALT
What happened: A criminal group launched a cyberattack on the world's largest manufacturer of input devices, Key Tronic.
How it happened: Last month, Key Tronic confirmed facing an attack that led to a data breach and disruption of operations in its filings to the U.S. Securities and Exchange Commission (SEC). In it, the company representatives reported that the organization had encountered a cyberattack that disrupted its work. The attack affected business applications, as well as financial and operational reporting systems.
Key Tronic also stated that the hackers gained access to user data. The Black Basta group claimed responsibility for the attack. They reported obtaining 530 GB of corporate data, including: employees' passport information, social security numbers, financial records, engineering data, corporate documents.
As a result, Key Tronic halted operations in the United States and Mexico for two weeks. About $600,000 was spent on incident localization and the IS specialist’s work.
CRIME AND PUNISHMENT
What happened: A terminated employee deleted 180 virtual servers of an ex-employer and was sentenced to more than 2 years of imprisonment.
How it happened: In October 2022, QA tester Kandula Nagaraju was fired from National Computer Systems (NCS) for poor work performance. The fact of the termination made the former employee “confused and upset", as he believed that he had made good contributions to NCS.
After termination, Nagaraju found out that his NCS credentials were still active. In early 2023, he used them to take revenge on his former employer. On March 18–19, the disgruntled ex-employee deleted NCS’ standalone test system consisting of 180 servers using a script he developed.
In April 2023, the company went to court. The evidence was found soon: a data deletion script and a history of the search for use of similar scripts spoke for themselves. In the end, the ex-tester was sentenced to 2 years and 8 months in prison. After the incident, NCS stated that Nagaraju's account had remained active due to the "human factor." The company spent $678 thousand to restore the servers.
GET RESPONSE WITH A PHISH
What happened: The GetResponse email marketing service faced a massive data breach.
How it happened: On June 5, the GetResponse security team identified unauthorized access to one of the internal customer support tools. This allowed the hacker to obtain one of the employees’ credentials. Thereby, the attacker managed to get to the accounts of 10 clients.
One of the compromised customers turned out to be CoinGecko, a crypto exchange platform. The malicious actor exported 1,916,596 contacts along with personal information from the platform’s account and sent phishing emails to 23,723 addresses.
GetResponse assures that the attack was the result of a complex chain within which the vulnerabilities of third-party software vendors were exploited. After the incident, the company notified the affected parties, informed the relevant authorities, and began auditing all third-party applications.
THE FATAL CLICK
What happened: A medical organization encountered a ransomware attack because an employee uploaded a malicious file.
How it happened: Ascension, the largest private healthcare system in the United States, reported that a ransomware attack in May 2024 was caused by an employee who accidentally uploaded a malicious file. The company believes that the action was unintentional, as the employee thought he was downloading a safe file.
Ascension also stated that hackers gained access to seven file servers and stole data likely containing protected health information (PHI) and personally identifiable information.
The company has still not fully recovered from the cyberattack. It had to suspend a part of business processes, including medical ones, and temporarily switch to keeping track of procedures on paper.
OMG, AMD
What happened: Data from AMD, the largest electronics manufacturer, was put up for sale on the darknet.
How it happened: On June 17, a post appeared on a hacker forum with confidential AMD data for sale. According to the post’s author, AMD was breached in June 2024. The data affected included information about: future products, spec sheets, employee and customer data, financial information, source code, firmware.
Previously, the same attacker had sold data from AT&T, Home Depot, Europol, General Electric, and other well-known organizations.
The company’s spokesperson told media that a third-party vendor's website which contained “a limited amount of information related to specifications used to assemble certain AMD products” was hacked.
PHISHY BUSINESS
What happened: A large-scale fraud scheme involving the sale of data for targeting phishing emails has been uncovered.
How it happened: Epsilon Data Management is a marketing company engaged in the analysis and sale of data for marketing purposes. The organization has a large dataset and algorithms that help predict people's behavior and identify possible buyers for certain goods and services.
For over 10 years, a former senior executive and a sales manager of the company, Robert Reger and David Little, were selling scammer lists with the following consumer information: full names, age, home and email addresses, consumer preferences, purchase histories.
Fraudsters used this data to target phishing emails, tricking victims into sending money to them.
A sentencing hearing is scheduled for September 2024. Reger and Lytle face a maximum penalty of 20 years in prison for each count of mail and wire fraud.
SECRET APPLE SAUCE EXPOSED
What happened: A threat actor claims to have leaked the source code of Apple's internal tools.
How it happened: On June 18, the hacker posted on the darknet the source code of Apple's internal tools: Apple-HWE-Confluence-Advanced, AppleMacroPlugin, and AppleConnect-SSO.
Very little is known about the first two, but the AppleConnect-SSO quick authentication tool enables employees to access the company’s internal systems and services and iOS applications, including Concierge, MobileGenius, EasyPay, AppleWeb, etc.
Also in the post, the attacker claims that the data was breached in June and that the company itself is to blame for the data leak. Apple Inc. has not yet commented on the information about the incident.
REVVING TROUBLES
What happened: CDK Global, a provider of SaaS solutions for car dealers, faced a ransomware attack.
How it happened: CDK Global develops a platform that manages the entire operation of an enterprise, from CRM to inventory. More than 15,000 car dealerships across North America rely on CDK Global software.
However, due to the cyberattack, the company had to shut down its IT systems, phones, and applications in order to localize the incident. This disruption also affected operations at many car dealerships using CDK Global software.
Reports from anonymous sources suggest the company encountered ransomware and is currently negotiating with the gang to get a decryption tool and prevent stolen data leaks.
IS tip of the Month: Summer is a favored season among insiders as most of the staff is on vacation, enjoying parties till dawn. Malicious insiders take advantage of using colleagues’ computers and accounts to move sensitive data to their personal storage. But there is a solution to keep your peace of mind during this travel season: the Data Loss Prevention system. DLP will ensure insiders take a permanent vacation. Click here and try it free for 30 days.
Comments