At a glance.
- GETTR data scraped and leaked.
- The threat posed by untrained users.
- Morgan Stanley's Accellion FTA breach: update.
Scraped GETTR data leaked.
Alternative social network GETTR, launched last week with President Trump’s former spokesperson Jason Miller at the helm, has suffered a number of incidents as it finds its cyber sea legs, according to HackRead. The rollout was marred by a deluge of ‘adult’ content, and leading users’ profiles were vandalized. In the most recent turn of events, an alleged scrape of nearly 90 thousand members’ personal information has been made available online, apparently revealing user names, email addresses, locations, and birth years.
Miller’s response to the scrape: “GETTR does not request personal, identifying information from users and, unlike other social media platforms, we are not interested in selling any data...As soon as the problem was detected…the vulnerability was sealed.”
Untrained users as a threat to data.
PRWeb says KnowBe4’s 2021 Phishing by Industry Benchmarking Report, which studied 6.6 million individuals in 23 thousand organizations, found untrained users to be on average thirty-one percent phish-able across 15.5 million casts. Three months of training decreased gullibility to sixteen percent, and after a year of lessons, only five percent took the bait.
KnowBe4 also found that twenty-four percent of employees don’t know the confidentiality status of information they’re responsible for, Intelligent CIO reports. Mishandled confidential information can put an organization’s reputation, cybersecurity, regulatory compliance, and business secrets at risk. The finance sector fared better than average, at sixteen percent, while the education, retail, construction, and transportation industries reached figures as high as thirty-five percent.
Update on Morgan Stanley’s Accellion FTA breach.
As we’ve seen, and as Reuters reported, hackers snagged personal data from Morgan Stanley’s corporate customers via the Accellion FTA compromise. The investment firm’s clients, BleepingComputer notes, span forty-odd countries. When Morgan Stanley vendor Guidehouse, which serves the firm’s StockPlan Connect offering, suffered a breach through the Accellion vulnerability, threat actors grabbed encrypted files, along with their decryptor.
So far it appears the pilfered information has not been posted online. Names, birth dates, addresses, and social security numbers are exposed, but TechCrunch stresses that passwords were not.
Current estimates place the Accellion victim count at roughly three hundred. Synopsys Cybersecurity Research Center strategist Tim Mackey has a reminder about remediating vulnerabilities: “simply patching the software and moving on isn’t the best path…patch management strategies should include reviews for indications of previous compromise.”
Randy Watkins, CTO at CRITICALSTART, wrote to point out that Guidehouse is far from the only company that failed to notice a problem like this in its environment:
“While Guidehouse will face blowback for taking months to notice and disclose the breach, this is, unfortunately, not uncommon. Attackers can routinely dwell in environments for months before being discovered, if at all. With so much dwell time, attackers can move laterally and establish persistence throughout the network to maintain an entry into the Guidehouse environment. This is difficult to enumerate and remove while not being actively used by the attacker. This persistence can be used to access the environment to steal additional information, or potentially launch a ransomware attack across the enterprise.
“Morgan Stanley responded appropriately by notifying affected customers, though the steps to remediate the third party breach, and any subsequent steps taken to validate third party security likely won’t be disclosed to the public. The Accellion vulnerability was widely publicized, and has been patched. However, with many organizations struggling to consistently patch all assets, there will likely be some additional disclosures in the future.”
Alexa Slinger, identity management expert at OneLogin, hopes other Accellion FTA users are learning from others' experience:
“This recent disclosure from Morgan Stanley serves as a stern reminder to all organizations who were previously, or currently are, using the Accellion FTA product that they must be prepared for additional hack disclosures. Businesses should be putting guardrails and safety measures in place for their consumer identities and data, as well as have a crisis management and recovery process ready.
“Businesses must mitigate the cyber security risks of legacy systems by conducting regular vulnerability assessments to determine areas of weakness, ensuring that the most recent patches are applied immediately, and investing in additional layers of security for securing and monitoring their endpoints and network. Efforts should be made to educate the public about phishing attempts, clarifying the ways a business will and will not contact the customer.
“This incident also highlights the need for consumers to be educated on what to do in the case of their personal data being compromised and the appropriate steps to take. Consumers should always be keeping an eye on all of their online accounts, and enable credit monitoring to swiftly detect suspicious activity in their financial accounts.
“As more breaches continue to trickle down, it remains unclear how many organizations are still using the Accellion FTA product, as well as how many other breaches have remained undisclosed.”
Ben Smith, Field CTO at NetWitness (an RSA company), sees further motivation to learn as much as you can about your third parties. The incident should also serve as a reminder that contractual provisions aren't a sufficient safeguard against such risks:
“This data breach, like so many others in the news, speaks clearly to the importance of knowing not only who your third parties are, but what tools they are using to support you and your business.
“Relying only on contractual terms to ensure your third parties are compliant with your own requirements for patching of essential platforms and tools may provide an after-the-event financial remedy, but won’t help you address the damage to your brand.”
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, wrote to recall everyone to the reality that double extortion, with both data encryption and data theft, is now the usual way in which ransomware gangs operate:
“Ransomware operators are no longer content with simply encrypting systems and calling it a day. It’s commonplace now for a breach to involve exfiltration of any and all data cybercriminals can get their hands on, whether to hold as a secondary extortion or to sell to the highest bidder on the dark web. A solid backup and restore strategy alone is no longer sufficient for ensuring that an organization will survive a compromise unscathed. Once data has been stolen there is no guarantee that it won’t be resold or even dumped for free by threat actors. There’s a temptation to dunk on companies in the security or cyber insurance market that get hit by cybercriminals, but the reality is that doing security well is extremely hard and the vast majority of organizations are only a mistake or two away from suffering the same. True resiliency to cyber-attacks like these must come from adopting an organization-wide culture of security that focuses efforts both on prevention and detection of computer threats. Culture must start at the top with the understanding of the risks and commensurate commitment to the effort required to ensure that everything possible is being done to protect both the organization and its customers.”