At a glance.
- Misconfigured Thomson Reuters databases left unprotected.
- Twilio hit twice by phishing scammers.
- US hospital system suffers patient data breach.
- Australian clinical breaches and national policy.
Misconfigured Thomson Reuters databases left unprotected.
Researchers at Cybernews discovered that multinational media giant Thomson Reuters left three public-facing ElasticSearch databases exposed, one of which contained at least 3TB of sensitive customer and corporate data, including third-party server passwords. The index names indicated that the company was using the database as a logging server for data gathered from user-client interactions, which makes it a tempting target for threat actors looking to mount a supply chain attack. Mantas Sasnauskas, Cybernews’ Head of Security Research, explains, “This instance left sensitive data open and was already indexed via popular IoT [internet of things] search engines. This provides a large attack surface for malicious actors to exploit not only internal systems but a way for supply chain attacks to get through. A simple human error can lead to devastating attacks, from data exfiltration to ransomware.” Thomson Reuters says that two of the three misconfigured servers were intended to be publicly accessible, while the third was a non-production server used for pre-production/implementation. Still, experts say the exposure could have serious consequences.
Benjamin Fabre, Co-Founder and CEO of DataDome, sees another breach that was open and active for a long time before it was detected and closed. "It's concerning that the dataset was open for so long," he said. "Threat actors -- and the malicious bots they deploy -- are opportunistic and can wreak havoc very quickly once they get ahold of sensitive data. Bots can (and will) leverage PII to conduct all sorts of attacks, including account takeover, credential stuffing, carding and more. This likely won't be the last we hear of this breach."
Jerrod Piker, Competitive Intelligence Analyst at Deep Instinct noted that threat actors can be highly motivated:
"Threat actors are extremely ruthless when it comes to exploiting weaknesses in organizations. Once an organization/industry is viewed as vulnerable, threat actors will continue to bombard that organization or industry until they successfully identify an exploitable gap. Once in, threat actors will do everything they can to establish persistence and maximize their damage and/or profits.
"Thomson Reuters recently collected and leaked at least 3TB of sensitive data. Though the issue was fixed immediately, a significant disconnect remains between how senior decision-makers perceive their organization’s cyberattack preparedness, and how prepared the organization actually is. Additionally, this particular gap not only exposed sensitive data to attackers, but it also left third-party credentials in plaintext. This creates a huge risk of Thomson Reuters being an unassuming party to multiple supply chain attacks. Because of the inherent trust that business partners place in each other, this is a very alarming discovery to say the least. To combat this, all organizations should come together in the unifying fight against threat actors. This means reexamining entire security programs to identify gaps in visibility and control."
"Enough is enough and it is time for businesses to look at prevention of cyberattacks before threat actors can breach the network. We should not see threat actors being able to breach an organization’s information assets as the norm, either the first time or repeatedly moving forward. Especially in this case, where sensitive data was left unguarded, a shift toward a prevention-first mindset can, at the least, minimize the impact of the next attack and mitigate the issue of unguarded sensitive data from the outset."
Amit Shaked, CEO, Laminar, points out that poorly secured databases are a widespread problem:
"Unsecured ElasticSearch databases are extremely common and can affect nearly any company -- leading to important information being exposed to potential compromise. Because these cloud hosting solutions often fall on the outskirts of data and security teams' visibility range, this incident serves as a reminder for business leaders to ask: where is our sensitive data?
"As many companies transition into primarily cloud-based environments, this leads to scattered data stores that instantly increase organizational security risk. Many companies do not know where their sensitive data is located within the cloud. The presence of unknown or 'shadow' data -- like the databases in this instance -- is increasing and is a top concern for 82% of data security professionals.
"To safeguard against a majority of today’s cyberthreats and accidental exposures, organizations must have complete observability of their cloud data. It is critical to know where it resides, who is accessing it and what its security posture is."
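Two checks a practitioner would run against a cluster like the one Cybernews describes, before or after it is found on an IoT search engine: audit the node's elasticsearch.yml for the settings that turn a logging server into a public, unauthenticated data dump, and list which indices deserve attention first. This is an added example for this briefing, not code from Cybernews, Thomson Reuters or Elastic. The setting names are real Elasticsearch settings; the sample config files and the `_cat/indices` output are constructed, and the rule that an unset `xpack.security.enabled` counts as disabled assumes a 7.x-or-earlier default (8.x enables security by default).

```python
"""Two checks for an Elasticsearch node that may be reachable from the
internet: audit its elasticsearch.yml for the settings that remove
authentication and encryption, and flag indices whose names suggest
logs or credentials. Added example; not code from Cybernews, Thomson
Reuters or Elastic. All sample inputs below are constructed."""

# Values of network.host that keep the HTTP listener on loopback only.
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}
# Substrings in an index name that warrant a look before anything else.
SENSITIVE_INDEX_HINTS = ("log", "audit", "cred", "passw", "secret", "token", "session")


def parse_flat_yaml(text):
    """Read the flat 'dotted.key: value' lines elasticsearch.yml normally
    uses. Comments, blank lines and nested blocks are ignored (assumption:
    the file is written in the flat dotted style, which is the common case)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        value = value.strip().strip('"').strip("'")
        if key and value:
            settings[key] = value
    return settings


def audit_elasticsearch_config(text):
    """Return a list of findings; an empty list means no weak setting from
    this rule set was seen. An unset xpack.security.enabled is treated as
    disabled, matching the 7.x-and-earlier default with a basic licence;
    8.x enables security by default (assumption: adjust for your version)."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "_local_")  # Elasticsearch default is loopback
    exposed = host not in LOOPBACK
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if exposed and not security_on:
        findings.append(f"network.host={host} with security disabled: "
                        "every index is readable and writable without credentials")
    if exposed and security_on and not tls_on:
        findings.append("HTTP TLS disabled: credentials and documents cross "
                        "the network in cleartext")
    if (s.get("http.cors.enabled", "false").lower() == "true"
            and s.get("http.cors.allow-origin", "") == "*"):
        findings.append("CORS allows any origin: a browser on any site can "
                        "query the cluster from the visitor's network position")
    return findings


def flag_sensitive_indices(cat_indices_text):
    """Parse the text of GET /_cat/indices?v (header row, then one row per
    index) and return (name, store.size) for indices whose names hint at
    logs or credentials."""
    rows = cat_indices_text.strip().splitlines()
    header = rows[0].split()
    name_col, size_col = header.index("index"), header.index("store.size")
    flagged = []
    for row in rows[1:]:
        cols = row.split()
        if any(h in cols[name_col].lower() for h in SENSITIVE_INDEX_HINTS):
            flagged.append((cols[name_col], cols[size_col]))
    return flagged


# Constructed sample: the shape of the misconfiguration the story describes.
WEAK_CONFIG = """
cluster.name: client-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
http.cors.enabled: true
http.cors.allow-origin: "*"
"""

# Constructed sample: same cluster, bound to one interface with auth and TLS.
HARDENED_CONFIG = """
cluster.name: client-logs
network.host: 10.0.5.12          # log shippers' subnet only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

# Constructed _cat/indices?v output (uuids shortened).
SAMPLE_CAT_INDICES = """
health status index                           uuid   pri rep docs.count docs.deleted store.size pri.store.size
green  open   client-interaction-logs-2022.10 AbC123   1   1    8412233            0      2.9tb          1.4tb
green  open   product-pricing                 XyZ789   1   1       1200            0      3.1mb          1.5mb
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch_config(cfg) or "no findings")
    print(flag_sensitive_indices(SAMPLE_CAT_INDICES))
```

The hardened file still binds to a non-loopback address, because log shippers have to reach it; the audit therefore insists on authentication and TLS rather than on loopback, and a network ACL in front of port 9200 is the complementary control this script cannot see.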
Twilio hit twice by phishing scammers.
Cloud communications firm Twilio has disclosed a second, earlier breach by what it believes were the same threat actors behind its previously reported August 2022 security incident, Bleeping Computer reports. In June, Twilio says, the attackers used a voice phishing, or “vishing,” call to coerce an employee into sharing their login credentials, which they then used to access customer contact data. "The threat actor's access was identified and eradicated within 12 hours. Customers whose information was impacted by the June Incident were notified on July 2, 2022," Twilio stated. In the August breach, the attackers used employee credentials stolen in an SMS phishing attack to access the data of more than two hundred customers and nearly one hundred Authy end users. Once inside Twilio’s administrative portals, they registered their own devices to the affected Authy accounts, which let them generate temporary tokens for those accounts. The attack was part of a larger campaign by the Scatter Swine threat group (aka 0ktapus) that targeted upwards of 130 organizations, including MailChimp, Klaviyo, and Cloudflare.
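The chain described above has two detectable steps: phished employee credentials used from an address the employee has never logged in from, and MFA devices then registered on accounts the actor does not own. The following is an added example for this briefing, not Twilio's telemetry or code; the JSON-lines event schema (`actor`, `event`, `src_ip`, `target`), the known-address baseline and the sample events are all constructed, and the 30-minute and 10-minute windows are assumed tuning values.

```python
"""Detection for the two moves the Twilio write-up describes: a login with
phished employee credentials from an unfamiliar address, followed by the
registration of attacker-controlled MFA devices. Added example; not
Twilio's telemetry or code. The JSON-lines event schema ('actor', 'event',
'src_ip', 'target') and the sample events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: jsmith's credentials are used from a new address and
# devices are then added to several customer accounts; mlee is benign.
SAMPLE_EVENTS = """
{"ts": "2022-06-29T13:02:11Z", "actor": "jsmith", "event": "login", "src_ip": "198.51.100.23"}
{"ts": "2022-06-29T13:09:40Z", "actor": "jsmith", "event": "mfa_device_added", "src_ip": "198.51.100.23", "target": "jsmith"}
{"ts": "2022-06-29T13:11:02Z", "actor": "jsmith", "event": "mfa_device_added", "src_ip": "198.51.100.23", "target": "cust-4411"}
{"ts": "2022-06-29T13:11:30Z", "actor": "jsmith", "event": "mfa_device_added", "src_ip": "198.51.100.23", "target": "cust-4412"}
{"ts": "2022-06-29T13:12:05Z", "actor": "jsmith", "event": "mfa_device_added", "src_ip": "198.51.100.23", "target": "cust-4413"}
{"ts": "2022-06-29T09:00:00Z", "actor": "mlee", "event": "login", "src_ip": "10.20.0.5"}
{"ts": "2022-06-29T09:30:00Z", "actor": "mlee", "event": "mfa_device_added", "src_ip": "10.20.0.5", "target": "mlee"}
"""

# Constructed baseline: addresses each employee has logged in from before.
KNOWN_IPS = {"jsmith": {"10.20.0.14"}, "mlee": {"10.20.0.5"}}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(text, known_ips, login_window=timedelta(minutes=30),
           bulk_window=timedelta(minutes=10), bulk_threshold=3):
    """Return one alert dict per (actor, rule) that fires.

    Rule 1: a login from an address outside the actor's baseline, followed
            within login_window by any MFA device enrollment by that actor.
    Rule 2: the same actor enrolling devices on bulk_threshold or more
            distinct accounts other than their own inside bulk_window.
    """
    by_actor = defaultdict(list)
    for e in parse_events(text):
        by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        logins = [e for e in evs if e["event"] == "login"]
        enrolls = [e for e in evs if e["event"] == "mfa_device_added"]
        for login in logins:
            if login["src_ip"] in known_ips.get(actor, set()):
                continue
            for en in enrolls:
                if login["ts"] <= en["ts"] <= login["ts"] + login_window:
                    alerts.append({"rule": "mfa_enrollment_after_new_ip_login",
                                   "actor": actor, "ts": en["ts"],
                                   "detail": f"login from {login['src_ip']} at "
                                             f"{login['ts']:%H:%M:%S}, device added "
                                             f"to {en['target']} {en['ts'] - login['ts']} later"})
                    break  # one alert per suspicious login
        foreign = [e for e in enrolls if e.get("target") != actor]
        for i, first in enumerate(foreign):
            targets = {e["target"] for e in foreign[i:]
                       if e["ts"] - first["ts"] <= bulk_window}
            if len(targets) >= bulk_threshold:
                alerts.append({"rule": "bulk_mfa_enrollment", "actor": actor,
                               "ts": first["ts"],
                               "detail": f"devices added to {sorted(targets)} "
                                         f"within {bulk_window}"})
                break  # one alert per actor
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, KNOWN_IPS):
        print(a["rule"], a["actor"], a["ts"].isoformat(), a["detail"])
```

Rule 1 catches the employee-side compromise even when the attacker only enrolls a device on the phished account itself; rule 2 catches the customer-side abuse regardless of where the session came from, which matters when the attacker routes through an address that happens to be in the baseline.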
US hospital system suffers patient data breach.
Michigan Medicine, an academic medical system located in the US state of Michigan, has begun notifying approximately 34,000 patients that their health information was potentially compromised in a data breach. In August, mlive explains, the attacker used phishing tactics to lure employees to a website where their login credentials were harvested. A total of four employee accounts were compromised, and upon discovery, Michigan Medicine administrators locked the accounts to prevent further unauthorized access. The exposed data included identifiable patient information such as name, medical record number, street address, date of birth, diagnostic and treatment information, health insurance details, and in one case, Social Security number. The medical system’s chief compliance officer Jeanne Strickland said in a statement that Michigan Medicine “took steps immediately to investigate this matter and is implementing additional safeguards to reduce risk to our patients and help prevent recurrence.” Let’s hope so, as this is Michigan Medicine’s second data breach this year; the data of about three thousand patients were exposed in March in an unrelated incident.
Australian clinical breaches and national policy.
We've received additional comment on the recent data security incidents at Australian healthcare organizations. Ken Jenkins, Vice President of Cybersecurity and Resilience Services at SecurityScorecard, commented on the implications of these incidents for national policy:
"The recent cyberattacks in Australia have highlighted the need for significant changes in cybersecurity processes throughout the country. The cyberattack on Australia’s Clinical Labs comes shortly after the attack on the country’s largest telecommunications Optus and one day after Medibank announced that its breach exposed the personal data of all of its customers.
"The cost of cyberattacks is the highest in the healthcare industry, as personally identifiable information (PII) can be sold for top dollar on the dark web, putting patients’ safety at risk. Cybersecurity challenges within the healthcare industry are increasing as the sector grows more dependent on technology to perform daily operations. Understanding these challenges can help to protect healthcare organizations from current and future threats. Healthcare organizations must take steps to improve their cyberhealth. This includes monitoring expansive vendor and IoT ecosystems. Health organizations can quickly identify risks and prioritize remediation activities when they have a comprehensive view of their IT infrastructure.
"While staying compliant is important, it cannot be the only step in an organization's security strategy. Compliance consists of policy, procedures, plans, and implementation but doesn't necessarily include measuring and managing the effectiveness of security controls and posture. With the lack of staff and resources caused by the COVID-19 pandemic, it is essential that organizations proactively and continuously assess security controls via a trusted third party. Additionally, security teams should participate in tabletop exercises and threat emulation to ensure they are familiar with countering and responding to threat actors."