Top 5 Cyber Security Breaches of 2019 So Far
Recap and updates of cyber attacks and incidents first half of the year
Each Friday, Cyber Security Hub scours the internet to provide readers with a notable ‘incident of the week.’ These articles are growing in popularity on CSHub.com, likely because they are loaded with incident-response best practices and tips: how to handle the situation and, in some cases, what not to do.
As we come up on the first six months of 2019, we’re pausing to round up what has happened so far. From password spraying to ransomware to data leaks (and everything in between), we looked at the numbers to see what is top-of-mind for CS Hub readers. Here are your top 5 cyber security breach headlines so far, starting with the fifth most-viewed story and counting down to #1:
The Fast Facts: On April 15, investigative reporter Brian Krebs wrote about the breach of Indian IT outsourcing and consulting giant Wipro Ltd. According to KrebsOnSecurity.com, two trusted sources spoke anonymously to Krebs saying that Wipro’s systems were seen being used “as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems. The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.”
On April 17, Wipro was quoted in an Indian daily newspaper saying that it did in fact experience a phishing incident. Wipro confirmed its IT systems were hacked and said it hired a forensic firm to handle the situation, stating that it was ‘dealing with a multi-month intrusion from an assumed state-sponsored attacker’ and that Wipro’s systems were seen being used to attack at least a dozen of its clients.
Some Quick Tips: The handling of the incident (or lack thereof) sparked buzz among industry influencers and prompted Krebs to write a follow-up article explaining that Wipro executives had been asked, on a quarterly investor conference call, to respond to his reporting. Wipro COO Bhanu Ballapuram told investors that many details in Krebs’ reporting were in error, and implied that the breach was limited to a few employees who got phished.
Krebs joined the quarterly call and added a question about the incident to the queue; Wipro gave him the opportunity to speak. Security reporter Graham Cluley recorded that portion of the call and posted it on Twitter.
Summing up that series of events, Krebs recapped Wipro’s public response so far in his follow-up article as a lesson in “how not to acknowledge a data breach”:
- Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
- Question the stated timing of breach, but refuse to provide an alternative timeline.
- Downplay the severity of the incident and characterize it as handled, even when they’ve only just hired an outside forensics firm.
- Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
- Claim the IoCs you’re sharing with affected clients were discovered by you when they weren’t.
Story Update: According to a more recent article published on May 2, the attackers used the legitimate remote access tool ScreenConnect to control compromised employee machines within Wipro. The attackers have also been linked to malicious activity dating back to 2017 and possibly 2015, and reused most of the infrastructure from those earlier campaigns in the current one.
The Fast Facts: Dunkin’ Donuts first reported a credential stuffing attack at the end of November last year and is now notifying users of further account breaches following a new attack. The January attack resembled the first: attackers used username and password pairs leaked from other sites to log in to DD Perks rewards accounts.
The type of information stored in a DD Perks account, which provides repeat customers a way to earn points and get free merchandise or discounts, includes the user’s first and last names, emails (usernames) and a 16-digit DD Perks account number and QR code.
According to ZDNet, the hackers weren’t after users’ personal information stored in the rewards accounts; instead, they were after the account itself in order to sell on Dark Web forums.
Some Quick Tips: According to advice from Trend Micro, here are some ways to strengthen security against these types of attacks:
- Practice good password hygiene. Avoid reusing the same email and password combination for multiple online accounts, and change your access credentials frequently.
- Enable two-factor authentication (2FA) whenever possible. Layered protection is always better than single access authentication.
- Observe your network traffic and system. A significant increase in network inquiries, access, or slowdowns may indicate an attack. Run security software to find and remove malware infection.
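The third tip above is easier to act on with concrete detection logic. The example below is added here and is not code from the original article or from Trend Micro. It runs over a handful of constructed authentication log lines in a hypothetical format (timestamp, result, user, source IP) and flags the signature that per-account lockout thresholds miss: one source trying a few guesses against many distinct accounts with a high failure rate. The same rule fires for the password spraying pattern discussed under the Citrix story below, since both attacks spread a small number of attempts across many accounts; the thresholds (window, minimum distinct users, failure ratio) are assumptions to tune for your environment.

```python
"""Flag credential-stuffing / password-spraying patterns in auth logs.

Per-account lockouts do not trigger because each account sees only one or
two attempts; grouping by source and counting DISTINCT users does.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$'
)

# Constructed sample log lines (not from any real system).  198.51.100.7 is a
# normal user mistyping once; 203.0.113.5 walks a leaked credential list.
SAMPLE_LOG = """\
2019-01-12T10:00:01Z auth=OK user=carol src=198.51.100.7
2019-01-12T10:00:03Z auth=FAIL user=carol src=198.51.100.7
2019-01-12T10:00:09Z auth=OK user=carol src=198.51.100.7
2019-01-12T10:01:00Z auth=FAIL user=alice src=203.0.113.5
2019-01-12T10:01:01Z auth=FAIL user=bob src=203.0.113.5
2019-01-12T10:01:02Z auth=OK user=dave src=203.0.113.5
2019-01-12T10:01:03Z auth=FAIL user=erin src=203.0.113.5
2019-01-12T10:01:04Z auth=FAIL user=frank src=203.0.113.5
2019-01-12T10:01:05Z auth=FAIL user=grace src=203.0.113.5
2019-01-12T10:01:06Z auth=OK user=heidi src=203.0.113.5
2019-01-12T10:01:07Z auth=FAIL user=ivan src=203.0.113.5
"""


def parse(log_text):
    """Return a list of (timestamp, src, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash the detector
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        events.append((ts, m['src'], m['user'], m['result'] == 'OK'))
    return events


def detect(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Return {src: finding} for sources that hit many distinct accounts.

    A sliding window per source keeps memory bounded on real log volumes.
    Successes inside a flagged window are the accounts most likely taken over.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()  # tuples sort by timestamp first
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                findings[src] = {
                    'distinct_users': len(users),
                    'fail_ratio': round(fails / len(win), 2),
                    'successes': sorted({e[2] for e in win if e[3]}),
                }
    return findings


if __name__ == '__main__':
    for src, finding in detect(parse(SAMPLE_LOG)).items():
        print(f"{src}: {finding['distinct_users']} accounts, "
              f"fail ratio {finding['fail_ratio']}, "
              f"possible takeovers: {finding['successes']}")
```

In production the successes list is the actionable output: those accounts should be forced through a password reset and 2FA enrolment, and the source should be rate-limited. Real stuffing campaigns rotate through proxy pools, so grouping by an ASN or by a request fingerprint instead of a single IP catches more than this minimal version does.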
The Fast Facts: Toyota disclosed the breach on its official website on March 29, 2019, saying that unauthorized access to servers in Japan potentially affected 3.1 million people. The company is still looking into whether the attackers could access and read the data, but says the compromised servers did not contain credit card details.
February was a disruptive month for Toyota, too, but in the Australian market. On February 21, 2019, Toyota stated it experienced an attempted cyber attack. The news came via a similarly brief press statement consisting of only five sentences.
The company said it did not believe the hackers accessed private customer or employee data in that instance. It also confirmed Toyota's IT team communicated with international cyber security experts for advice in getting to the bottom of the matter.
Lesson Learned: Since there are so few specifics about what happened surrounding Toyota's cyber security breaches, it's best for customers to be exceptionally vigilant regarding any communications from people claiming to be from Toyota or its subsidiaries. There's no way to know for sure, but the hackers could use the customer data obtained in the Japanese breach to orchestrate phishing attempts.
The Fast Facts: The FBI is investigating allegations that employees of one of Walmart’s technology suppliers were illegally monitoring the retailer’s e-mail communications.
The New York Times reports that in late 2015 through early 2016, Compucom employees assigned to Walmart’s help desk were using their access to monitor specific e-mail accounts at the retailer and allegedly using that information to get an edge over competitors.
The scheme was discovered after a Compucom technician took a photo of an email about an internal Walmart disciplinary matter and sent it to a Walmart employee he had been chatting with on an instant messaging system, according to the F.B.I. filing.
Lesson Learned: The case exposes a weakness for companies that rely on contractors for technical work: outsiders receive broad access to sensitive internal documents with little oversight. It also raises questions about how technicians hired to support the computer systems of one of the world’s largest and most insular corporations were able to gather information from employee emails.
“Companies with an extensive communications network like ours require the support of different partners and a high level of trust,” Walmart spokesman, Randy Hargrove, told the NYT. “We relied on this vendor but their personnel abused their access and we want those responsible to be held accountable.”
The Fast Facts: On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network, according to Stan Black, CISSP and the CSIO of Citrix.
While the FBI is still investigating the details, thehackernews.com reported (attributing the claim to security firm Resecurity) that the Iranian-backed Iridium hacker group hit Citrix in December last year and again this time, stealing at least 6 terabytes of sensitive internal files, including emails, blueprints, and other documents.
The Iranian-linked hacking group was also behind recent cyber attacks against more than 200 government agencies worldwide, oil and gas companies, technology companies and other targets.
The hacker group’s proprietary techniques include bypassing multi-factor authentication for critical applications and services to gain further unauthorized access to VPN channels and SSO (Single Sign-On).
Some Quick Tips: Here are 6 key learnings every enterprise should apply to reduce its exposure to a password spraying attack:
- Use strong passwords: Create a password that is not less than 10 characters and preferably 16 characters; avoid using a common phrase, your name, nickname or address. Always use a unique password, never repeat and never store passwords in your browser.
- Follow the NCSC’s advice: configure protective monitoring over externally reachable authentication endpoints to look for password spraying, and enforce multi-factor authentication on those endpoints.
- Check candidate passwords against known-breached lists, for example Troy Hunt’s Have I Been Pwned “Pwned Passwords” checker, or other free or commercial tools, and reject any password that appears there.
- Consider using two or multi-factor authentication.
- Perform a routine systems check to make sure there aren't any easy access points, back doors or areas where privileges could be escalated.
- Check to make sure hackers haven’t added any additional user accounts.
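The breached-password check in the list above can be done without ever sending the password or its full hash off the machine. The example below is added here and is not code from the original article or from Have I Been Pwned; it implements the k-anonymity lookup that the Pwned Passwords range API uses: hash the password with SHA-1, send only the first five hex characters of the digest, receive every known suffix for that prefix, and compare locally. The range URL is the service’s real endpoint, but the demo runs offline against a constructed stand-in response whose counts are made up; the `fetch_range_live` helper and its User-Agent string are assumptions for anyone who wants to query the real service.

```python
"""Check a candidate password against Pwned Passwords via the k-anonymity range API.

Only a 5-character hash prefix leaves the client; the match is done locally.
"""
import hashlib
import urllib.request

# Real endpoint of the service; the offline demo below never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the response body as text: one
    'SUFFIX:COUNT' entry per line, exactly as the range API delivers it.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        cand, count = line.split(":", 1)
        if cand.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Fetch a real range from the service (network required; assumed helper)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "cshub-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service so the demo runs offline.  The first
# suffix is the genuine SHA-1 suffix of "password"; both counts are invented.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n" + "0" * 35 + ":1\n",
}


def fetch_range_fake(prefix: str) -> str:
    """Return the constructed range for a prefix, or an empty body if unknown."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple 2019"]:
        n = breach_count(pw, fetch_range_fake)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

To use it for real, pass `fetch_range_live` instead of `fetch_range_fake`; the response for a prefix is a few hundred lines, so the comparison stays cheap even on a login path. Because the server only ever sees the prefix, it cannot tell which of the roughly 500 matching hashes the client was interested in.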
Story Update: According to Securityweek.com, it is now being reported that the hackers had access to the company’s network for roughly five months:
“In a data breach notification submitted by Citrix this week to the California Office of the Attorney General, the company said the hackers had intermittent access to its network between October 13, 2018, and March 8, 2019.
The company also confirmed that the attackers removed files from its systems. Some of these files stored information on current and former employees and, in some cases, beneficiaries and/or dependents. The compromised data includes names, social security numbers, and financial information.
It’s unclear how many people have been impacted by the incident, but it’s at least 500 as California legislation requires companies to disclose breaches to authorities if more than 500 of the state’s residents are affected.”
Contacted by SecurityWeek, Citrix refused to say exactly how many are impacted. The company noted, “We are notifying all potentially impacted individuals out of an abundance of caution, and providing these individuals with credit monitoring and fraud protection services free of charge where possible.”