The current year is a significant checkpoint to see businesses’ ability to adapt to escalating cybersecurity circumstances quickly. It’s been almost two years since industries migrated to online environments due to the pandemic — the new way of working created security gaps threat actors utilized to their benefit, and companies had to find a way to repel them.
However, despite newly developed cybersecurity solutions, rising general awareness, and the ongoing narrative that cybersecurity is essential, it seems businesses are slow to keep up with the pace of incoming attacks. The 2022 mid-year statistics show that cyber-attacks increased by 42% globally compared to the previous year.
Business vulnerability often comes from the denial that they will get attacked. For instance, only 14% of small businesses feel prepared for a cyber attack, yet, in 2022, 43% of cyberattacks focused on small businesses.
Since the main question is not “if” but “when?” let’s dig deep retrospectively into the most attention-grabbing and interesting cyber attacks businesses have faced this year.
Red Cross
Type of attack: Malware
Weakness: Late patching
Individuals affected: 515,000
The year 2022 started with big news about a data breach that affected Red Cross data on highly vulnerable people’s profiles. Lifting data of 60+ global Red Cross and Red Crescent Movement societies from the servers, threat actors gained access to the sensitive data of 515,000 individuals.
Interestingly, the attack doesn’t classify as a ransomware attempt, as the attackers made no demand for money, suggesting retaining the data. It confirms that the attack on a non-profit organization was highly sophisticated and precisely targeted to acquire data on war refugees and displaced people due to migration, disaster, or other catastrophic events.
Due to the data breach identified within 70 days of threat actors operating on the network, Red Cross systems went offline, disrupting intense organizational activity by shutting down the Restoring Family Links system. The purpose of the service is to help confidentially locate and restore family connections for vulnerable people.
What went wrong?
The case categorizes as a data breach due to third-party vulnerability. Red Cross rents servers from an unnamed Swiss company to store organization data.
According to Red Cross, information was secured by the vendor’s defense systems that proved adequate against obtaining data from previous breach attempts. Scheduled anti-malware updates were in rotation to ensure the patching process.
However, after continuous attempts, malicious actors identified a vulnerability — a security gap due to a late patch on one of the authentication modules. Criminals placed web shells that allowed compromise administrator credentials, access registries, and deploy offensive security tools.
Disguising themselves in the systems as legitimate users and administrators within the network won cybercriminals the time to exploit the data despite it being encrypted.
The compromised server was taken offline once the unauthorized party was detected during a routine security procedure. The highly sophisticated attack was a carefully crafted attempt to collect data, as the information was copied but not deleted, altered, published, or traded for money.
How to mitigate the risk?
Robust security is mandatory in dealing with persistent malicious actors. The Red Cross case shows that one slip can result in a data breach even though security practices were in place. Thus, once selecting a vendor, ensure the cloud service provider is aligned with compliance and data security requirements.
Credit Suisse
Type of attack: Data leak
Weakness: Unrestricted access
Users affected: 18,000+
Credit Suisse is a multinational investment bank and financial services provider based in Switzerland, with 48,000+ employees. The data leak caught media attention in February after leaking information about 30,000 client accounts.
The customer data included former and current customers, 90% of the accounts were already inactive or were in the process of closing. The attack discredited confidential financial data, exposing funds of over $100 billion in total.
The data leak was performed in connection with an insider threat. An employee of Credit Suisse had large-scale access to sensitive data suggesting network access controls were insufficient to control and restrict employee activity.
What went wrong?
The attack is related to the whistleblower case, which means that files were leaked deliberately by the organization member. External factors weren’t the factor that misguided and triggered the attack.
Regarding the number of accounts, the employee must have had access to most company resources. Unrestricted access of almost 50K workers to the entire internal systems, documents, customer data, and projects creates a hardly controllable risk.
Whether it’s an inside job or an external threat actor that manages to enter the network via compromised credentials or social engineering practices, the lacking user authentication in accessing resources is generally damaging.
How to mitigate the risk?
Insider threat is one of the organizations’ most complicated security aspects, making it almost impossible to protect completely. Security managers must treat hardly unpredictable factors such as conscious intent or accidental breaches with the highest alert and preparedness.
Thus, user and network segmentation, periodic access rights revision, and the Zero Trust security model deploy obstacles that limit free user movement within the company network.
OpenSea
Type of attack: Phishing
Weakness: Third-party vulnerability
Users affected: 32
The cyber attack on one of the biggest NFT marketplaces, OpenSea, went public in June this year. The email phishing attack targeted the platform’s users interacting with them under the name of the OpenSea company.
Using the opportunity of the company’s announcement about migration to a new contract system, the malicious actor managed to phish out a solid sum of Ethereum (ETH) within 3 hours.
The attack involves a third party, email delivery vendor Customer.io, having one of the employees misusing the company’s email address list.
What went wrong?
The attack’s details are not fully disclosed, but one of the most likely versions is spoofing via vendor email servers.
The malicious actor entered a third-party server without authorization and, on behalf of OpenSea, approached 32 platform users, referring to contracts that needed to be signed.
The emails contained a malicious link that allowed collecting user signatures and storing them in the attacker’s server — 17 users out of 32 who received spoofed emails provided their identity details.
The collected unique signatures allowed confirming the NFT transactions to the cyber-criminal. Lost funds in cryptocurrency might have a more significant monetary value than the estimate — $1,7 million worth of ETH was how much the malicious actor managed to convert at the time.
How to mitigate the risk?
Phishing attacks are among the most popular ways to scam users and employees. Therefore, organizations must practice content filtering to streamline incoming emails and limit exposure to malicious links and websites that might threaten network security.
Uber
Type of cyber attack: Social engineering
Weakness: Unsecured admin credentials
Users affected: N/A
In September, Uber announced a security incident in their computer systems. According to the company, Uber’s contractor was exposed to malware on their device, revealing the password.
Initially, the attacker bought the Uber contractor’s credentials on the dark web. Using social engineering methods, they successfully entered Uber systems.
However, successful login led to more significant problems within the systems. Luckily, no client data was exposed and leaked to the public but confidential company information, exploiting security bugs and vulnerabilities.
How did it happen?
The malicious actor performed several attempts to enter the Uber systems. Their first try was to spam the user with MFA push notifications, asking to verify the access.
After a few unsuccessful requests, the attacker contacted the targeted Uber contractor pretending to be IT support that needed access to the systems. This way, the cybercriminal entered the network.
Besides having access to the network, internal files, and data, the attacker came across a code with unsecured admin credentials that unlocked access to privileged information.
To the company’s knowledge, the attacker accessed and downloaded information from Slack conversations, dashboards, and G-Suite, but no customer-facing systems or related personal information.
How to mitigate the risk?
Control of people-related threats is challenging on organizational levels. Education and cybersecurity training help minimize the risks. However, Uber’s situation shows that the company must carefully protect sensitive and confidential data. Data encryption, access restrictions, and managing the attack surface becomes vital in case of a breach.
Optus
Type of attack: Human error
Weakness: No authentication controls
Users affected: 9.8 million
Since September 22, 2022, the top story spot of news channels was held by the data breach of Optus, the second largest Australian telco arm of Singaporian Singtel telecommunications company. The data breach affected nearly 10 million Optus legacy and present customers, exposing 2,8 million sensitive client records.
The cyber attack unveiled severe information security gaps of poor security management within the organization’s network. Non-existent access controls to the system and excessive personal data storage compromised a massive amount of data records posing threats to millions of customers.
The cybercriminal requested $1 million in ransomware for the stolen data. If demand is not fulfilled, they threatened to release over 10,000 records daily.
How did it happen?
Optus refuses to admit that the data breach happened because of a human error. However, following the attack vectors implies imprudence made the data breach possible.
The customer database was placed in an unprotected testing network, creating a security weakness. It allowed the discovery of the IP address after running a search using simple code.
Moreover, Optus employees must identify the customer identity to provide information or service they inquired about. Therefore, in the context of the pandemic, the database needed to be accessed remotely from anywhere.
However, the database was available to any remote endpoint that requested access to the server as there were no user authentication controls. Freeway to the data wasn’t the only security issue.
Optus collected unnecessary customer data and stored it for an extended time without legal reason. 2,8 million accounts out of 9,8 million records were connected to customer passports or ID documents, driver’s licenses, addresses, and Medicare numbers. As a result, damaging customers’ privacy.
How to mitigate the risk?
Layered security gaps demonstrate knowledge or competence lacking in the organization. If it’s frustrating to evaluate where to start implementing security measures, it’s beneficial to run a cybersecurity risk assessment to begin building a strategy. One of the first steps to better network security with remote workers is to apply Multi-Factor Authentication (MFA) methods for employee identity verification.
NOTE: the analysis focuses on attack vectors and how organizations can avoid them, not specific companies and attack-related scandals. Overviewed attack episodes are recent, so complete developments of the events are considered ongoing, limiting projections of estimated loss at this stage.
