At a glance.
- The Thingiverse breach.
- Privacy litigation and Ring cameras.
- Update on the Twitch breach.
- Accenture's LockBit ransomware incident.
- Sinclair Broadcasting sustains ransomware attack.
Conflicting perspectives on the Thingiverse breach.
3D printing design site Thingiverse has experienced a data breach, but as All 3DP reports, there’s disagreement regarding the incident’s scope. The breach exposed around 228,000 email addresses linked to user accounts, but a tweet from Thingiverse downplaying the incident asserts that only about five hundred users were impacted, PCMag explains. "The non-production, non-sensitive data included encrypted passwords (random salted) with mostly testing data," Thingiverse stated. On the third hand, a former employee of Thingiverse operator MakerBot analyzed the leaked data and claims it contains the info of a whopping 2,079,011 users. He also alleges the data is more sensitive than Thingiverse has let on, including hashed passwords, physical addresses, user-to-user direct messages, and moderation logs -- data that could allow an attacker to “take control of every internet-connected MakerBot printer owned by any user in this leak.” Experts say the source of the breach is likely a publicly accessible MySQL backup from October 2020.
UK privacy case raises questions about Ring cameras.
After a dispute among neighbors regarding an alleged invasion of privacy enabled by a Ring security doorbell camera, a UK judge has ruled that Ring’s ability to record sound more than forty feet away violates the UK Data Protection Act, Yahoo News reports. Her Honour Judge Melissa Clarke declared the recording range “cannot be said to be reasonable for the purpose for which the devices are used by the Defendant, since the legitimate aim for which they are said to be used, namely crime prevention, could surely be achieved by something less.” However, don’t throw out your Ring just yet. The ruling doesn’t prevent use of the device, as long as users take advantage of features like customizable privacy zones to ensure they’re not infringing on their neighbors’ privacy. Still, the ruling is considered a landmark case as it sets a precedent regarding consumer surveillance tech.
The latest on the Twitch breach.
As we noted earlier this month, Twitch experienced a data breach when a self-proclaimed hacktivist released over 100GB of data which allegedly included everything from company source code to proprietary SDKs to a very controversial list of payouts earned by top users. However, according to Twitch’s most recent update, the leak might not be as massive as initially thought, as the company says user login credentials and full credit card numbers were not compromised, Security Week reports. “The exposed data primarily contained documents from Twitch’s source code repository, as well as a subset of creator payout data,” the update explains. Infosecurity Magazine adds that Twitch described the impact on customers as “minimal” and the affected users have been contacted.
Update: LockBit attack at Accenture.
As we noted previously, in August, the LockBit ransomware group claimed to have stolen six terabytes of data from leading multinational IT consulting company Accenture, which it dumped online after unsuccessfully pursuing a ransom of $50 million. In its official fourth quarter financial report to the US Securities and Exchange Commission, the company has now confirmed a security incident occurred, TechTarget reports. "During the fourth quarter of fiscal 2021, we identified irregular activity in one of our environments, which included the extraction of proprietary information by a third party, some of which was made available to the public by the third party,” the report explains. A source also told BleepingComputer that Accenture has disclosed the breach to a threat intelligence firm, though they have not yet confirmed the incident to the public or relevant authorities, which means it is possible that personally identifiable information was not impacted. And Accenture has of course disclosed the incident in a Form 10-K filed with the US Securities and Exchange Commission.
Erich Kron, security awareness advocate at KnowBe4, foresees more such incidents to come:
“Ransomware attacks and data exfiltration will continue to be an issue for organizations of all sizes and across industries. This case is interesting, as the claim that six terabytes of data were lifted from the organization's network is an astounding figure. The claim that credentials were stolen and then used in attacks against one or more airports is extremely disturbing.
"While ransomware attacks that exfiltrate data are becoming even more common, organizations can take steps to eliminate or reduce the damage done by these bad actors. Since email phishing is the most common attack vector being used to initially get into networks, training users to spot and report these attacks is a very effective and low-cost way to reduce or eliminate the threat. Organizations should also have strong Data Loss Prevention (DLP) controls in place to mitigate the exfiltration of data by bad actors.”
The Sinclair Broadcast Group discloses that it sustained a ransomware attack, with an attendant data breach.
The Sinclair Broadcast Group, which operates one-hundred-eighty-five television stations with six-hundred-twenty channels in eighty-six US media markets, has disclosed that it determined yesterday that it had been subjected to a ransomware attack. An announcement issued publicly this morning (and filed with the US Securities and Exchange Commission) read, in part, “As the Company is in the early stages of its investigation and assessment of the security event, the Company cannot determine at this time whether or not such event will have a material impact on its business, operations or financial results.” The ransomware incident involved the now customary data breach, but the extent of that breach remains under investigation.
Saryu Nayyar, CEO of Gurucul, was struck by the brazen quality of the attack. “Sinclair TV seems to be the victim of a ransomware attack, with multiple channels going off the air in an attempt to extort money," she wrote. "Attackers are getting more creative and brazen with their attacks, and this shows that more than enterprise networks and computing infrastructure is at risk. Anyone who has electronic systems exposed to the Internet can face a ransomware attack, demonstrating the need to monitor all systems rather than just computers.”
Doug Britton, CEO of Haystack Solutions, sees poor preparation as a shortcut to adverse headlines. “An alarming number of US and Multinational corporations have inadequate security precautions and are suffering from headline making cyber-attacks. Without the right personnel in place, even the most sophisticated cyber vendors and security tech won't be enough. Cyber professionals who understand the organization, the business model, and how data is handled within the company are critical," he wrote. “Corporations need to continue to invest in cybersecurity professionals. Security is a job that is never finished. Having the right in-house team in place is the best defense against constant cyber threats. We have the technology to find this talent even in the tightest labor markets. We need to move quickly and make a sustained commitment to get these folks into the fight or we risk having significant breaches continue.”
Bill Lawrence, CISO of SecurityGate, sees lessons for the conduct of ransomware response drills:
“There are a couple of good lessons learned from what we know so far with this ransomware attack: Somehow, the attack didn’t spread to Sinclair’s ‘master control’ broadcast system, so if it was network segmentation or a higher level of protection and care for the ‘crown jewels’, those are good practices to emulate. Also, they lost their internal network, email, phones, along with local broadcasting systems.
“For your next incident response plan drill, put the participants in separate rooms and forbid the use of company email or phone calls. It would be hard for them to order a pizza together, much less work on business continuity. Out-of-band, encrypted communications, with apps such as ArmorText or Signal, set up and practiced before they are direly needed, can help immensely.”
Ron Bradley, VP of Shared Assessments, sees the incident as a case of criminals hitting a soft target of opportunity:
“Why hunt for moose when you have thousands of rabbits running around?
"The reality of Sinclair TV stations being disrupted is just another example of threat actors taking advantage of soft targets. Generally speaking, you don’t see big banks being held hostage to ransomware attacks because they have taken precautions to secure their perimeter, minimize their blast radius, and control internal lateral movement if a breach were to occur.
“The sad part of the story is, many small and medium size businesses (aka bunny rabbits) don’t have the wherewithal, both financially and technologically, to protect their assets. It simply has not been part of their program. This is what makes them a soft target.
“Recent attacks against critical infrastructure and the food supply bring this looming problem to the forefront. My supposition is this problem will get worse before it gets better.
“However, this is not all gloom and doom. There are fundamental steps companies can take such as turning on multi factor authentication, providing security awareness training for users, implementing intrusion detection and prevention tools, and regularly testing their business resiliency plans.”
Garret Grajek, CEO of YouAttest, doesn't think that Sinclair was either naive or poorly resourced, and he finds that troubling:
“Penetration of all our key systems, water, energy, transportation and media is a grave concern for western countries. The fact that a major media outlet like Sinclair was affected shows how vulnerable even those w/ security resources are to cyber-attacks. Sinclair revealed that they conducted an enterprise-wide password reset - which implies they may feel it was a compromised credential that begot the attack.
“Enterprises need to go beyond just password resets and even 2FA and start understanding the scope and capabilities of all the identities in their enterprises. This means practicing the principle of least privilege to ensure that all accounts, especially when they are compromised, do not have access to resources they do not need access to but could inflict damage if the account falls under control of a malicious party. User accounts are easily stolen and guessed by the hackers, who then conduct lateral movement across the enterprise and privilege escalation to obtain access to valued resources. Enterprises must be aware of the rights granted and triggered when privileges are modified.”
Tim Erlin, VP of Strategy at Tripwire, noted that adequate preparation against ransomware goes beyond simply backing up data. In this case a company's ability to deliver services was affected:
“No one wants to be the victim of a ransomware attack. Being prepared involves more than having backups. A ransomware incident tests multiple facets of a cybersecurity program. Investigation into how the ransomware infiltrated and moved within the organizations identifies preventive controls that were insufficient. The operational impact highlights how data and assets are critical to the business. The response fully tests the incident response and communications process. Learning from other organizations can help reduce the probability and impact of a ransomware incident in your business.”
And, finally, Sam Curry, CSO of Cybereason, shared thoughts on how organizations might respond to similar attacks:
“The reports of a ransomware attack on Sinclair broadcasting are a reminder of the resilience and diligence needed by all companies to turn the tables on ransomware attackers. While it is far too early to know the severity of the damage caused by this attack, I guarantee that if broadcasting networks are taken offline, the U.S. government would likely respond against the attackers if their identities are learned. After all, we witnessed a swift and decisive response earlier this year after the Colonial Pipeline and JBS Foods ransomware attacks caused disruptions to gasoline deliveries on the East Coast and nationwide food disruptions.
"If we have learned anything from the deluge of ransomware attacks in 2021, the public and private sector need to invest now to ratchet up prevention, detection and improve resilience. We can meet fire with fire. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can—in short—make material breaches a thing of the past. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses.
"Cybereason recommends not paying ransoms as it doesn't pay-to-pay unless it is a matter of life and death or national emergency. In fact, Cybereason's ransomware study of more than 1,200 global organizations shows that 80 percent of companies that paid a ransom were hit a second time, often by the same attackers. And in instances where the attackers handed over decryption keys to the victims after a ransom was paid, nearly 50 percent of the time the company's data was corrupted, slowing down the recovery phase even further.”