At a glance.
- Cisco attack attributed to Lapsus$ ransomware gang.
- U-Haul discloses data breach.
- Update on IHG data breach.
Cisco attack attributed to Lapsus$ ransomware gang.
Networking giant Cisco disclosed last month that it had experienced a data breach, and yesterday Cisco’s Talos Intelligence team confirmed the incident was a failed ransomware attempt carried out by the Lapsus$ ransomware gang. "Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$," the Cisco Talos team explained.
As Dark Reading recounts, the breach stemmed from a social engineering attack that gave the attackers access to an employee's personal Google account. After a series of sophisticated voice phishing attacks, the hackers convinced the employee to accept multifactor authentication push notifications, allowing the attackers to use the employee’s credentials to log into Cisco’s corporate VPN. Once inside, Lapsus$ compromised the company’s systems, elevated privileges, dropped remote access tools, deployed Cobalt Strike and other offensive malware, and added their own backdoors into the system – all activities, as Talos explains, that were indicative of the gang’s “pre-ransomware” techniques.
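A defender-side check for the pattern described above (repeated MFA push prompts, an eventual approval, then a VPN login with the same credentials), written as an added example that is not from Cisco Talos or the original article; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA/VPN log lines (not from Cisco's report; assumed format).
SAMPLE_LOG = """\
2022-05-24T22:01:03Z user=alice event=push_sent
2022-05-24T22:01:40Z user=alice event=push_denied
2022-05-24T22:02:15Z user=alice event=push_sent
2022-05-24T22:02:50Z user=alice event=push_denied
2022-05-24T22:03:30Z user=alice event=push_sent
2022-05-24T22:04:02Z user=alice event=push_sent
2022-05-24T22:04:20Z user=alice event=push_approved
2022-05-24T22:04:45Z user=alice event=vpn_login src=203.0.113.7
2022-05-24T22:05:10Z user=bob event=push_sent
2022-05-24T22:05:25Z user=bob event=push_approved
2022-05-24T22:05:40Z user=bob event=vpn_login src=198.51.100.4
"""

def parse(log):
    """Parse 'timestamp key=value ...' lines into (ts, user, event) tuples."""
    events = []
    for line in log.splitlines():
        fields = line.split()
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(f.split("=", 1) for f in fields[1:])
        events.append((ts, kv["user"], kv["event"]))
    return events

def find_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: prompt_count} for users who received at least min_prompts
    push prompts within `window` before approving one, and then logged into the
    VPN within `window` of that approval. One prompt then approval is normal;
    a burst of prompts before approval is the push-fatigue signature."""
    by_user = defaultdict(list)
    for ts, user, ev in events:
        by_user[user].append((ts, ev))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, ev) in enumerate(evs):
            if ev != "push_approved":
                continue
            prompts = [t for t, e in evs[:i] if e == "push_sent" and ts - t <= window]
            login = any(e == "vpn_login" and timedelta(0) <= t - ts <= window
                        for t, e in evs[i + 1:])
            if len(prompts) >= min_prompts and login:
                flagged[user] = len(prompts)
                break
    return flagged
```

Run over a real identity provider's push log, the same logic would also surface a legitimate user who repeatedly ignored prompts, so the output is a triage queue rather than a verdict.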
Tim Prendergast, CEO, strongDM, observed that, "Attackers are continually going after credentials because people inevitably make mistakes when moving fast to keep up with the pace of day-to-day operations. Employees might miss a misspelled word, an unknown email address or other phishing sign while going from task to task. Eliminating this risk isn't about providing more training or putting up more access walls. Instead, organizations need to implement a process whereby users never know their credentials to critical infrastructures like servers, databases or Kubernetes clusters. Rather than point fingers, it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."
Arti Raman, CEO and founder of Titaniam, notes that Cisco isn't the first large and capable corporation to sustain a phishing attack:
“Cisco is the latest corporation to see an employee fall victim to a phishing attack, resulting in data exfiltration followed by extortion. This attack, just like most of the attacks these days, shows that despite thorough security protocols, corporate information can be compromised via privileged credentials. It also confirms that data-related extortion has become the sole purpose of a majority of attacks and companies need to put strong data immunity measures in place ahead of time.
"The most effective solution for keeping customer PII safe and minimizing the risk of extortion is data-in-use encryption, also known as encryption-in-use. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to structured or unstructured data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach.”
Amit Shaked, CEO and co-founder, Laminar, distinguishes the Lapsus$ Group from conventional ransomware gangs:
"While the Lapsus$ ransomware group didn't actually deploy ransomware, they still managed to access Cisco's files and leak them online, seemingly to extort the company. Information within an organization’s network is valuable to both businesses and attackers because it holds the key to a company's competitive advantage. This incident occurred through compromised Google and Box accounts, which reminds us that with a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native. Solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where data resides. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.”
Add data theft to the many reasons why moving is simply the worst.
Bleeping Computer reports that moving truck company U-Haul International suffered a data breach after a customer contract search portal was hacked. An investigation was launched after suspicious activity was detected in July, and it was determined that the intruders accessed customer rental contracts between November 5, 2021, and April 5, 2022, by compromising two unique passwords needed to access the contracts search tool. "After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver's license or state identification number," U-Haul stated in a notification letter sent to impacted customers last week. Though the attack was limited to the contracts portal and no financial data was exfiltrated, U-Haul is providing affected customers with one year of free identity theft protection services just to be on the safe side.
Would complimentary bubble wrap soften the blow? Who knows? But identity-theft protection is a good gesture. In any case, the U-Haul disclosure evoked a great deal of comment from industry experts.
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, said:
“Often we focus more intently on data breaches involving exposure of financial information, assuming that because they deal with monetary information they are more damaging and news-worthy. However, sensitive information includes non-payment information too, such as personally identifiable information (PII) which exposes peoples' true identities. This type of information is critical to highly detrimental activities such as identity theft, which usually winds up negatively affecting people financially anyway.
"In this case, the leak of customers' driver's licenses proves the value of PII within illegal marketplaces and demonstrates why threat actors go after PII. The good news is that, by taking a different approach to data security, one less focused on protecting borders and perimeters around the data and more focused on protecting the data itself, breaches such as this one can be thwarted ahead of time. Data-centric security such as tokenization replaces sensitive information with meaningless tokens, so no matter where that data goes the meaning behind the tokens cannot be derived or compromised. Even if leaked, the sensitive data is meaningless, and thus worthless.”
Ralph Pisani, president, Exabeam, shared some thoughts on the role of credentials in defending an enterprise and its data:
"Credentials are supposed to be the castle's front gates - they are the new perimeter, but SOCs still fail to detect credential-based attacks. As a result, the cybersecurity industry must rethink its strategy to analyze how credentials are used and stop intrusions before they become more significant issues.
"Proper education, feedback loops, visibility, and effective technical capabilities are the keys to identifying and responding to attacks caused by compromised credentials. The most effective detective capability is the development of a baseline for normal employee behavior, specifically to assist organizations with identifying the use of compromised credentials for initial access and later maintaining network access. If you can establish normal behavior first, only then can abnormalities be known - a great asset in uncovering unknowingly compromised accounts."
Arti Raman, CEO & founder of Titaniam, notes the way things have changed for the attackers:
"There used to be a time when cyber attackers had to truly 'break into' networks before they could access resources and data. These days hackers are simply 'logging in' just like regular credentialed users. By impersonating legitimate users, attackers are able to move undetected across networks, observing confidential activity and stealing sensitive data. Stolen data now constitutes a huge revenue stream for attackers as they can use it to extort their victims, victims’ employees, their customers and their partners. After all that is done, they can then sell this valuable data for further revenue.
"So what can companies like U-Haul do to keep their data safe? How can they be expected to protect their customers' data when even the strictest security controls cannot tell the good guys from the bad guys?
"In such scenarios, enterprises should look into true zero trust data security such as what is provided by encryption-in-use. Being able to run entire applications and backend data platforms on encrypted data without any decryption except to display a few items to logged-in users, is a very powerful security mechanism. It is perhaps the only way in which we can secure data in the face of credentialed attackers or malicious insiders. Encryption-in-use is in the market today and it is being used by leading enterprises to stay ahead of data breaches and ransomware as it provides unprecedented immunity against data-based attacks."
And Tim Prendergast, CEO of strongDM, also points out that credentials need to be properly managed for effective security:
"Attackers are continually going after credentials because too often they represent the keys to the kingdom for an organization, and the U-Haul breach is a good example of where having more than one password isn’t necessarily better. Eliminating this risk isn't about providing more training or putting up more access walls. Instead, organizations need to implement a process where users never need to know their credentials in order to access critical infrastructure like servers, databases or Kubernetes clusters. Rather than point fingers, it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."
Liat Hayun, CEO of Eureka Security, sees some sophistication in this particular attack: "In today's world, bad actors are getting more and more sophisticated. The only way businesses operating in this environment can get in front of this is by treating the security of data like gold, and that requires more than remediations after the fact. You must continuously know what data exists in your cloud, where it resides and who has access to it. This needs to be done in a way that isn't overly complex and further, is actionable today."
Lior Yaari, CEO and co-founder of Grip Security, remarked on the continuing value identities and credentials have in the C2C market:
“Identities and credentials continue to be the number one target for cybercriminals. The additional safeguards companies take to prevent password compromise will likely fail, and this type of breach will be repeated over and over again. Rather than adding more band-aids, the industry needs to take a fresh approach that removes the burden of securing passwords from employees. The passwords compromised in this U-Haul attack were clearly not governed or protected properly. There are probably other passwords that may have already been compromised that U-Haul and hundreds of other companies are unaware of and will not become aware of until another breach like this occurs.”
Update on IHG data breach.
British multinational hospitality giant IHG Hotels & Resorts was hit with a cyberattack earlier this month that has caused continued disruptions to its booking system and mobile apps. As the hotelier works to restore its systems, IHG has been tightlipped about the details of the incident, but experts say the system outage and the continued disruption point to a ransomware attack. IHG has confirmed that the incident is not linked to a recent LockBit ransomware attack on an Istanbul Holiday Inn, stating that the impacted hotel is a third-party franchisee and therefore only its local systems were compromised. As of yet, no stolen IHG data has surfaced on any cybercrime forums, indicating that, whatever the nature of the attack, the threat actors do not appear to be using double extortion tactics.
Chris Vaughan, AVP of Technical Account Management for EMEA at Tanium, told CPO Magazine that this is just the latest in a wave of attacks targeting the hotel sector. “As IHG grapples with this latest incident, it needs to analyze all the devices connected to the corporate network to find any problematic ones and then take appropriate action to mitigate any further risk,” Vaughan stated. “This could include rolling out a patch or removing certain devices from the network. The problem is, most organizations do not have this level of visibility due to the complexity of their IT environments and the number of different tools that they are using. They can’t fix an issue that they can’t see, so this area is vital.” It’s worth noting that this is IHG’s second high-profile data breach in recent years; the company was attacked in 2016 but failed to disclose the breach until 2017, resulting in a $1.5 million class action lawsuit settlement.