Customer PII (name, phone number, email address), masked Credit Card data (first 4 and last 4 digits of the 16 digit card number)
Inc42 published a report regarding Juspay data being leaked on the dark web. The report claims that the data dump contains PII (Personally Identifiable Information) and card data of 10 Crore users. CloudSEK has done a detailed analysis of this incident and the key findings are summarized below.
Juspay had a security breach in August 2020 when a group of hackers hacked into their Payment MetaData servers and downloaded a few databases.
Juspay did not disclose this incident to the authorities; rather, it concealed the breach.
In January 2021, Inc42 reported that Juspay had been breached and that its customers’ PII had been leaked on the dark web.
The databases contain 16 fields including masked card data and PII (email address, first and last name, mobile numbers), among other sensitive information.
The leaked data does not contain full card data – it mainly exposes users’ PII along with masked card data.
There is no direct impact on other banks as the card numbers are masked, i.e. only the first 4 and last 4 digits are visible.
It is impossible to reverse engineer or brute force card numbers because card issuers (Visa, MasterCard, Rupay) block an invalid card after 100 failed attempts.
The PII can be used to carry out social engineering attacks on the affected users.
The direct impact of this leak on banks and other organizations is negligible, as full card data was not compromised and retrieving the full card number from the partial data is impossible.
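The two findings above (masked card data, and the impossibility of recovering a full card number from it) are easier to reason about with a small worked example. The code below is added here and is not part of the CloudSEK report: it masks a card number the way the leaked data is described (first 4 and last 4 digits kept), checks the Luhn checksum that payment card numbers carry, and counts how many full card numbers are consistent with one masked value. The sample card number is a constructed test value, not a real card.

```python
"""Added example: masking a card number (first 4 and last 4 digits visible,
as described for the leaked Juspay data) and why the masked form cannot be
turned back into a full card number.  Illustrative code, not from the
CloudSEK report; the sample PAN is a constructed test number."""


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 4, keep_last: int = 4) -> str:
    """Keep the first and last digits and replace everything between with 'X'."""
    if not pan.isdigit() or len(pan) < keep_first + keep_last + 1:
        raise ValueError("PAN must be numeric and longer than the kept digits")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "X" * hidden + pan[-keep_last:]


def luhn_valid_completions(masked: str) -> int:
    """Number of full PANs consistent with a masked PAN.

    10**hidden digit strings fit the mask.  Exactly one tenth of them pass the
    Luhn check: for any choice of the other hidden digits, precisely one value
    of the remaining hidden digit makes the checksum work, because the Luhn
    digit transform is a permutation of 0..9 modulo 10.
    """
    hidden = masked.count("X")
    if hidden == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (hidden - 1)


def count_by_enumeration(masked: str) -> int:
    """Brute-force cross-check of the formula; assumes the X's are contiguous
    (as produced by mask_pan) and is only sensible for a handful of them."""
    hidden = masked.count("X")
    if hidden > 4:
        raise ValueError("enumeration limited to 4 hidden digits")
    first = masked.index("X")
    count = 0
    for n in range(10 ** hidden):
        candidate = masked[:first] + str(n).zfill(hidden) + masked[first + hidden:]
        if luhn_valid(candidate):
            count += 1
    return count


if __name__ == "__main__":
    sample = "4111111111111111"          # constructed test PAN, Luhn-valid
    masked = mask_pan(sample)
    print(masked, luhn_valid_completions(masked))   # 4111XXXXXXXX1111 10000000
```

For a 16-digit number with 8 hidden digits the masked value still corresponds to ten million Luhn-valid card numbers, which is why a lockout after 100 failed attempts makes the masked data useless for recovering the original number. The same masking routine is what a log pipeline or support tool should apply before card data is stored or displayed.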
Advice to Security Teams
We expect increased targeted phishing attacks on card users in the coming months.
In case of a successful phishing attack, banks are advised to keep a close watch, using their internal fraud monitoring technologies, on credit cards that have been used through the Juspay gateway.
Detailed Technical Analysis
CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a data sharing platform selling the user databases of multiple companies. Our Threat Intelligence researchers carried out a detailed analysis of the post. The companies affected are:
The most recent post contains a sample of the Juspay database though the data has not been validated. Here are some sample screenshots from the leak:
The “stored_card” database contains the following fields:
The “customer” database contains the following fields:
The threat actor joined the forum in December 2020 and has since shared 2 posts, attempting to sell databases from their private collection.
One of the posts advertises multiple databases while the other post is selling the Gympass database.
The pharmaceutical industry has been in the crosshairs of cyber attacks more frequently than ever in the last few years. The industry appeals to financially motivated cybercriminals because it generates and manages some of the most sensitive data. State-sponsored actors, with the support of governments and with the intention of settling scores with other countries, target their healthcare industries. In the event of a full-scale cyberattack, the pharmaceutical sector could incur huge losses, both financially and in terms of its invaluable data. The data, which includes Intellectual Property (IP) and patient data, is then invariably sold on the dark web or held “hostage” for ransom.
As a result, the affected organization sustains:
Damage to business, brand reputation,
Loss of customer confidence,
Network, utility outages,
Risk of supply chain disruption.
Recent COVID-Themed Cyber Attacks by Region
India and APAC
Indian pharmaceutical giant Lupin confirmed a security incident that impacted its IT systems in November 2020 after a similar ransomware attack targeted Dr. Reddy’s Laboratories. The recent surge in cyber attacks in the Indian pharmaceutical sector is also because they are in the process of delivering affordable medicine on a large scale, owing to COVID-19.
Interestingly enough, the ransomware attack that hit Dr. Reddy’s came soon after the company had received DCGI’s (Drug Control General of India) approval to conduct clinical trials of the Russian Sputnik-V vaccine. The personal information of individuals who participate in clinical trials is also at risk of exposure. Such attacks aim to derail the race towards a successful vaccine in India as well as other countries. The surge in cyber attacks against pharmaceutical companies in the APAC (Asia-Pacific) region has cost the industry close to $23 Million.
From a global perspective as well, cyber crimes are increasingly targeting pharmaceutical companies. Recently, several European pharmaceutical companies, such as the Swiss giant Roche, were attacked by a hacking group dubbed Blackfly. The activities of this group were traced back to China, which points to the conclusion that these attacks were state-sponsored. Blackfly, also known as the Winnti Group, deploys Winnti malware in all of their attacks, a malware known for its supply chain attacks. European manufacturers BASF and Henkel were also victims of the same ransomware group.
Moreover, drug regulators like EMA (European Medicines Agency) have also not been spared from cyber attacks. The EU Drug regulator EMA confirmed that it was hit by a cyber attack and that the actors managed to access documents related to a COVID-19 vaccine. German biotechnology company BioNTech is in the process of developing a vaccine to treat COVID-19 along with strategic partner Pfizer. The duo suffered a cyber attack earlier this month and confirmed that its regulatory submission was accessed.
Although EMA did not confirm the nature of the attack, it stated that a few documents related to the regulatory submission for the Pfizer and BioNTech vaccine candidates, stored on the EMA server, had been viewed. The timing of these attacks was impeccable, as EMA was working on the approval of 2 COVID-19 vaccines, and it could have had devastating effects on the entire process.
The US drug regulatory authority FDA (Food and Drug Administration), however, outsmarted threat actors looking to steal data from them and had COVID-19 related sensitive documents delivered to them physically through FBI agents.
Experts across the globe have traced most COVID-related attacks on pharmaceuticals back to China, North Korea, and Russia. And although the victims of these attacks have not been named, we can confirm that at least some of these companies were infiltrated successfully.
Countries like India, UK, US, Canada, France and South Korea are all at different stages of clinical trials and development of COVID-19 vaccines, and they have all been targeted by threat groups during this global health crisis. Reports have attributed the attacks to the Russia-based threat group Strontium and the North Korean threat actors Zinc and Cerium. Some of the methods believed to be part of their tactics are password spray and brute force attacks (by Strontium) to steal login credentials, and spear-phishing and fake job offers (by Zinc). In one of the recent examples of phishing attacks, the operators behind Cerium sent spear-phishing emails masquerading as World Health Organization (WHO) officials.
The Way Out
Businesses should identify their most important digital assets as well as the critical assets that facilitate smooth business operations and product development. This includes identifying critical data, where it is located, who has access to it, the network on which mission-critical data resides, and what threat actors would find most attractive. Once the critical assets are identified, organizations should segregate and protect them.
They should also allocate budget for a well-rounded security system which covers intrusion detection systems and threat intelligence software. This in turn keeps them updated on the status of their assets. With the help of a SaaS-based vulnerability alerting platform such as CloudSEK’s XVigil, your organization is equipped to protect its data, brand, and internet-exposed infrastructure against imminent cyber threats and breaches.
Ransomware is one of the most disconcerting security issues in the cybersecurity ecosystem. It has evolved since its first appearance in 1989, when it was only a primitive trojan that spread via discs, injecting host computers with a virus that encrypted files and hid directories, which were returned only when the victim paid a ransom. Ransomware is significantly more sophisticated and costly now.
The release of CryptoLocker in the year 2013 was a milestone in the evolution of ransomware. Unlike its predecessors, this ransomware does not rely on intimidation alone, which only makes it worse: it directly encrypts all the files on the system and demands a ransom in exchange for their decryption. And now, with the likes of Sodinokibi and Maze, the ransomware lineage is operating at a huge scale.
Over the years, malicious ransomware operators have expanded the scope of the virus to include screen locker capabilities along with the ability to overwrite boot data records. And thanks to the prevalence of ransomware families, today, ransomware is a global threat that has advanced extortion capabilities and tactics. The perpetrators behind such ransomware groups also target the victim’s personal records and files.
To ensure the complete surrender of victims, threat actors have switched to two-fold attack techniques. If the victim refuses to pay the ransom, their data is leaked on public domains or data leak websites.
In this blog, we explain the evolution of the data leak extortion ecosystem through the advancements made by ransomware groups over the last three decades.
The mid 2010s were dominated by Trojans that took away users’ access to their screens or browsers. In the year 2012, a fresh scam that involved one such Trojan invaded browsers. It sent messages and fake alerts that masqueraded as coming from a law enforcement agency, only to dupe unsuspecting victims. The message would claim that the victim’s device had been found to be involved in illegal activities such as copyright violation or child pornography. The victims were then scared into paying an amount as ransom using prepaid cards like MoneyPak, Paysaf, or Ukash.
During the same period, another ransomware that spread disguised as the FBI victimized thousands of computer users. However, this ransomware came with the additional ability to collect and display the host computer’s IP address, Windows version, location, and ISP name.
2013 witnessed yet another iteration of the malicious software, one that was capable of encrypting data. CryptoLocker was the first ransomware of this kind and it used 2048-bit RSA encryption. Also, for the first time, the victims were asked to pay the ransom in Bitcoin or using prepaid cards. Over time, the operators behind CryptoLocker increased their demand from $100 to $600 per computer. The despicable success of this ransomware led to the launch of other such malicious software like PClock, CryptoLocker 2.0, and TorrentLocker.
Emergence of Ransomware-as-a-Service (RaaS)
In 2015, advanced groups of cybercriminals decided to monetize ransomware through RaaS platforms. In attacks that follow, customers procure ransomware from such platforms on the dark web and share the profit with the authors of the ransomware. RaaS has advanced tracking tools embedded as part of its services. It has been the reason for a surge of ransomware attacks across the world.
Locky Ransomware and KeRanger
The Locky ransomware that was released in 2016 spread via malicious Microsoft Word macros, infecting millions of PCs around the world. Another ransomware that made an entry during this period was KeRanger, which leveraged the asymmetric RSA cryptosystem to lock down the victim’s data. KeRanger operators usually demand $500 from the victim in exchange for the decryptor and instruct victims to visit sites hosted on Tor (the anonymity network).
WannaCry and NotPetya
With time, ransomware has been developed to be stealthier and more devastating. In the year 2017, there were multiple ransomware outbreaks, namely WannaCry and NotPetya. These attacks were not detected initially. And today, threat actors clearly distinguish between individuals and businesses when they demand a ransom. They consider businesses and organizations to be juicier targets. The biggest pay-outs until then that were a result of ransomware attacks were reported in the year 2016.
A decline in the prices of Bitcoin and improved security awareness have indeed forced ransomware operators to revamp their mode of attack. Today, local governments, small and medium sized businesses, health care organizations, and educational institutions are major targets of the threat actors.
Ransomware groups like Sodinokibi and Ryuk look for unsecured services such as exposed RDP ports to gain access to networks. The most recent attacks show that actors are so sophisticated that once they compromise service providers, they go on to invade the networks of partner organizations.
Recently, in November 2019, the Maze ransomware resurfaced in the cyber ecosystem and hatched a plan to attack a security organization, Allied Universal.
The group behind the attack exfiltrated 7 GB of data, contacted the organization’s management, and demanded 300 Bitcoins in ransom. The actors even threatened to leak sensitive information about the organization unless the management of Allied Universal paid them. When the management refused to pay up, the operators sold around 700 MB of data to Russian hackers and published the remaining data in the wild.
Ransomware is growing continuously and exponentially, with operators adding new, sophisticated tools and methods to their arsenal. Businesses that fall prey to their attacks not only lose access to crucial data, but the entire incident tarnishes their reputation. To top it off, ransomware attacks invite lawsuits and compliance issues. To stay safe and to counter the threat actors, organizations need to have proper mitigation mechanisms in place. Maintaining a backup of the data wins you half the battle, but in the long run organizations need to use reliable security software such as CloudSEK’s XVigil to prevent most file-encrypting threats.
Every day more businesses migrate from their traditional IT infrastructure, while the pandemic has only accelerated the adoption of cloud technologies among remote workforces. Cloud services such as Amazon Web Services (AWS) have been widely accepted as a channel for cloud computing and delivering software and applications to a global marketplace, cost effectively and securely. However, cloud consumers tend to wash their hands of the responsibility towards securing their cloud infrastructure.
Cloud service providers and consumers share the responsibility of ensuring a safe and secure experience on the cloud. While service providers are liable for the underlying infrastructure that enables cloud, users are responsible for the data that goes on the cloud and who has access to it.
The AWS Well-Architected Framework is a guide/ whitepaper issued by Amazon on AWS key concepts, design principles, and architectural best practices. Security is one of the five pillars that this Framework is based on, upholding the fact that protecting your data and improving security is crucial for AWS users. This blog intends to summarize the whitepaper on the security pillar and discuss:
Design principles for AWS,
A few use case scenarios, and
Recommended ways to implement a securely designed AWS infrastructure.
AWS provides a variety of cloud services, for computation, storage, database management, etc. A good architecture commonly focuses on efficient methods for reaching peak performance, scalable design, and cost saving techniques. But, quite often, other aspects of cloud infrastructure design are given more importance than the security dimension.
The security of the cloud infrastructure can be divided into five phases:
Identity verification and access management with respect to AWS resources.
Attack detection, identification of potential threats and misconfigurations.
Controlling access via defining trust boundaries, applying best practices in operation.
Classifying all data, protecting data at all states: rest and transit.
Incident response: Pre-defined mechanisms to respond and mitigate any surfacing security incident.
The Shared Responsibility Model
As I mentioned earlier, it is the collective responsibility of the user and the AWS service provider to secure the cloud infrastructure. It is important to keep this in mind while we explore the different implementation details and design principles.
AWS provides plenty of monitoring, protection and threat identification tools to reduce the operational burden of its users, and it is very important to understand and choose an appropriate service to achieve a well secured environment.
AWS offers multiple services of different natures and use cases, such as EC2 and Lambda. Each of these cloud services has a different level of abstraction that enables users to focus on the problem to be solved instead of its operation. The share of each party’s responsibilities similarly varies with the level of abstraction. With higher levels of abstraction, the share of responsibility for providing security in the cloud shifts further to the service provider (with some exceptions).
Management and Separation of User Accounts to Organise Workload
Based on the nature of the processes that are run on AWS, and the sensitivity of the data that is processed, workloads can differ. They must be separated by a logical boundary and organised into multiple accounts to make sure that different environments are isolated. For instance, the production environment commonly has stricter policies and more compliance requirements, and must be isolated from the development and test environments.
It is important to note that the AWS root user account must not be used for common operations. Using AWS Organizations, one can simplify things and create multiple accounts under the same organisation, each with different access policies and roles. It is also ideal to enable Multi-Factor Authentication, especially on the root account.
Managing Identity and Permissions
AWS Resources can be accessed by humans (such as developers or app users) or machines (such as EC2 instance or Lambda functions). Setting up and managing an access control mechanism based on the identity of the requester is very important, as these individuals seeking access could be an external or internal part of the organization.
Each account should be granted access to different resources and actions using IAM (Identity and Access Management) roles, with policies defining the access control rules. Based on the identity of the account and the IAM policies attached to it, certain critical functionalities can be disabled: for example, denying certain changes from all accounts with an exception for the Admin, or preventing all users from deleting Amazon VPC flow logs.
Each identity added to the AWS Organization should be given access only to the set of functions necessary to fulfil its required tasks. This limits unintended access to functionalities, and any unexpected behaviour arising from an identity will only have a small impact.
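The guardrail described above (deny a critical action to everyone except the Admin, for instance deleting VPC flow logs) is easiest to understand as an actual policy document together with the rule IAM applies when evaluating it: an explicit Deny always wins over an Allow, and the default is Deny. The following is an added example, not code from AWS or from this blog: it builds such a policy in the standard IAM JSON form and evaluates it with a deliberately simplified evaluator that supports only the `ArnLike`/`ArnNotLike` operators used here. The account id, the `Admin` and `Developer` role names and the principal ARNs are constructed placeholders.

```python
"""Added example (not AWS's or CloudSEK's code): an organization-wide
guardrail written as an IAM/SCP-style policy document, plus a simplified
evaluator applying the 'explicit Deny wins over Allow, default Deny' rule.
Account ids, role names and ARNs below are constructed placeholders."""
import fnmatch
import json

# Guardrail: nobody may delete VPC flow logs or stop CloudTrail, except
# principals acting through the (assumed) Admin role of any account.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectAuditTrails",
            "Effect": "Deny",
            "Action": ["ec2:DeleteFlowLogs", "cloudtrail:StopLogging"],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/Admin"}
            },
        }
    ],
}

# Ordinary permissions attached to a developer identity (constructed).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _matches(pattern, value):
    """IAM-style wildcard match; Action/Arn patterns may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only the ArnLike / ArnNotLike operators are implemented here."""
    for operator, pairs in (condition or {}).items():
        for key, pattern in pairs.items():
            matched = _matches(pattern, context.get(key, ""))
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def is_allowed(action, principal_arn, *policies):
    """Simplified IAM evaluation over the given policies.

    Every statement whose Action and Condition match the request is
    considered; a matching Deny is final, a matching Allow flips the default
    Deny to Allow.  Resource matching is omitted (all statements use "*").
    """
    context = {"aws:PrincipalArn": principal_arn}
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return False            # explicit deny wins
            decision = "Allow"
    return decision == "Allow"


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_POLICY, indent=2))
    admin = "arn:aws:iam::111111111111:role/Admin"        # placeholder account id
    dev = "arn:aws:iam::111111111111:role/Developer"
    for who in (admin, dev):
        print(who, is_allowed("ec2:DeleteFlowLogs", who, GUARDRAIL_POLICY, DEVELOPER_POLICY))
```

The developer is granted `ec2:*` and can still describe instances, but the Deny statement overrides that Allow for `ec2:DeleteFlowLogs`; the Admin principal is excluded from the Deny by the `ArnNotLike` condition, so its own Allow stands. Applied as a service control policy at the organization level, the guardrail binds every account regardless of the identities created inside it.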
Leveraging AWS Services to Monitor and Detect for Security Issues
Regular collection and analysis of the logs generated by each workload component is very important for detecting unexpected behaviour, misconfigurations or potential threats. However, collecting and analysing logs alone is not enough. The volume of incoming logs can be huge, so an alerting and reporting flow should be set up along with an integrated ticketing system. AWS provides services such as the following to automate and simplify these processes:
CloudTrail: Provides the event history of the AWS account activity which includes all AWS services, Management console, SDKs, CLIs, etc.
Config: Enables automated assessment, auditing, and evaluation of the configuration of each AWS resource.
GuardDuty: Continuous security monitoring service that flags malicious activity surfacing within AWS environments by analysing log data and searching for patterns that may indicate any sort of privilege escalation, exposed credentials, established connections to malicious IPs, or domains.
Security Hub: Presents a comprehensive view of the security status of AWS infrastructure by enabling aggregation, prioritization, deduplication of security alerts from multiple AWS services and even third party products.
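The alerting flow the section calls for starts with rules that turn raw events into findings worth a ticket. As an added illustration (not code from AWS or this blog), the detector below runs over a handful of constructed CloudTrail-shaped records (newline-delimited JSON with the real field names `eventName`, `userIdentity`, `additionalEventData.MFAUsed` and `errorCode`) and flags the cases a security team would want to see first: attempts to weaken audit logging, console sign-ins without MFA, and interactive use of the root account. The account id and IP addresses in the sample are placeholders.

```python
"""Added example, not from the page or AWS: a small detector over
CloudTrail-style records, flagging audit-logging tampering, console
sign-ins without MFA and root usage.  The records are constructed sample
data with placeholder account ids and documentation-range IPs."""
import json

# Constructed sample, one CloudTrail-like JSON record per line.
SAMPLE_LOG = """\
{"eventTime":"2021-01-05T10:01:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2021-01-05T10:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2021-01-05T10:03:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2021-01-05T10:04:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/Developer/bob"},"sourceIPAddress":"198.51.100.7","errorCode":"Client.UnauthorizedOperation"}
{"eventTime":"2021-01-05T10:05:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"Yes"}}
"""

# API calls that reduce visibility.  A denied attempt is still a signal:
# it is often the first thing an intruder tries with a stolen credential.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail",
                   "DeleteFlowLogs", "PutEventSelectors"}


def actor(record):
    """Best available name for who performed the call."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def analyse(record):
    """Return (severity, rule, detail) findings for a single record."""
    findings = []
    name = record.get("eventName", "")
    who = actor(record)
    if name in AUDIT_TAMPERING:
        # a successful call is worse than a denied one
        sev = "high" if "errorCode" not in record else "medium"
        findings.append((sev, "audit-tampering", f"{who} called {name}"))
    if name == "ConsoleLogin":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        if mfa != "Yes":
            findings.append(("medium", "console-login-no-mfa",
                             f"{who} signed in without MFA"))
        if record.get("userIdentity", {}).get("type") == "Root":
            findings.append(("high", "root-login", "root account used interactively"))
    return findings


def scan(log_text):
    """Parse newline-delimited JSON records and collect all findings in order."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        for sev, rule, detail in analyse(record):
            results.append({"time": record.get("eventTime"), "severity": sev,
                            "rule": rule, "detail": detail})
    return results


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["severity"].upper(), f["rule"], "-", f["detail"])
```

In production the same `analyse` logic would sit behind an EventBridge rule or a GuardDuty/Security Hub custom action and open the ticket automatically; the point of the sample is that four of the five records deserve attention, and the routine `DescribeInstances` call does not.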
Protecting the Infrastructure: Networks and Compute
Obsolete software programmes and outdated dependencies are not unusual and it is essential to patch all systems in the infrastructure. This can be done manually by system administrators, but it is better to use the AWS Systems Manager Patch Manager which basically automates the process of applying patches to the OS, applications and code dependencies.
It is crucial to set up AWS security groups in the right way, mainly during the phase when the infrastructure is growing at a fast rate. Things often go wrong when unorganized, messy security groups are added to the infrastructure. The creation and assignment of security groups should be dealt with caution, as even a slight oversight can result in the exposure of critical assets and data stores on the internet. Security groups should clearly define ingress and egress traffic rules, which are set under the Inbound and Outbound rules respectively.
If some assets are required to be exposed on the internet, make sure your network is protected against DDoS attacks. AWS services such as CloudFront, WAF, and Shield help to enable DDoS protection at multiple layers.
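A "slight oversight" in a security group usually looks like one inbound rule with source `0.0.0.0/0` on an administrative or database port, which is exactly the exposed RDP/SSH the ransomware section of this page describes operators looking for. The audit below is an added example, not code from AWS or from this blog: it takes security group descriptions in the shape the EC2 `describe-security-groups` API returns (`IpPermissions`, `IpPermissionsEgress`, `IpRanges`, `Ipv6Ranges`, `IpProtocol` `-1` for all traffic) and reports sensitive ports open to the internet plus unrestricted egress. The three groups and their ids are constructed.

```python
"""Added example, not AWS's or CloudSEK's code: audit security group rules
shaped like the EC2 describe-security-groups response and flag sensitive
ports exposed to the whole internet and all-traffic egress rules.
The sample groups, ids and CIDRs are constructed."""

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb", 9200: "elasticsearch"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like the SecurityGroups list from the EC2 API.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0f9e8d7c", "GroupName": "bastion-misconfigured",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-00c0ffee", "GroupName": "db-wide-open",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []},
]


def _sources(rule):
    """All IPv4 and IPv6 CIDRs a rule applies to."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _exposed_ports(rule):
    """Sensitive ports covered by a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def audit_group(group):
    """Return (severity, detail) findings for one security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        open_sources = [s for s in _sources(rule) if s in ANYWHERE]
        if not open_sources:
            continue                       # restricted to specific CIDRs
        for port in _exposed_ports(rule):
            findings.append(("high", f"{SENSITIVE_PORTS[port]}/{port} open to {open_sources[0]}"))
    for rule in group.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") == "-1" and any(s in ANYWHERE for s in _sources(rule)):
            findings.append(("low", "unrestricted egress (all protocols to anywhere)"))
    return findings


def audit(groups):
    """Map GroupId -> findings, omitting groups with nothing to report."""
    report = {}
    for g in groups:
        found = audit_group(g)
        if found:
            report[g["GroupId"]] = found
    return report


if __name__ == "__main__":
    for gid, found in audit(SAMPLE_GROUPS).items():
        for sev, detail in found:
            print(f"{gid} [{sev}] {detail}")
```

The web group's HTTPS exposure is intended and is not flagged, but its all-traffic egress is worth a note because it lets a compromised instance reach anything; the bastion group's RDP rule limited to one CIDR passes while its SSH rule open to the world does not; the all-protocols rule on the database group is reported once per sensitive port so the ticket makes the blast radius obvious.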
Protecting the Data
The classification of all data stored at multiple locations inside the infrastructure is essential. Unless it is clear which data is most critical and which can be directly exposed on the internet, setting up protection mechanisms can be a bit of a task. Data resting inside all the different data stores must be classified in terms of sensitivity and criticality. If the data is sensitive enough to require preventing direct access by users, policies and mechanisms for ‘action at a distance’ should be put in place.
AWS provides multiple data storage services, the most common ones being S3 and EBS disks. Application data commonly resides in self-hosted data stores on EBS volumes. All sensitive data that goes into S3 buckets should be properly encrypted before upload; in fact, it is better to enable encryption by default on these.
Protecting data in transit is equally important, and to do that, secure connections are required, which are obtained using TLS. Making sure that data is only transferred over secure channels should be enough. AWS Certificate Manager is a good tool for managing SSL/TLS certificates.
Preparing and Responding to Security Incidents the Right Way
Once all the automation has been set up, and security controls are put in place, designing incident response plans and playbooks becomes easier. A good plan must cover the response, communication, and recovery steps following any security incident. This is where the logs, snapshots and backups, GuardDuty findings play a critical role. They make the task relatively more efficient. Overall, the aim should be to prepare for an incident before it happens and to iterate and train the entire team to thoroughly follow the incident response plan.
70% of successful breaches are perpetrated by external actors whose attacks originate on the internet. Since these actors don’t have access to your organization’s internal assets or networks, they rely on data available on the internet. With 8.5 billion records compromised in 2019 alone, adversaries can find an employee’s credentials, or your organization’s API keys, within a few hours, allowing them to infiltrate your organization, spread malware and ransomware, or steal intellectual property and sensitive documents.
Apart from the direct operational impacts, cyber-attacks affect an organization’s hard-earned reputation and revenue as well. Snapchat shares dropped by 3.4% the day after their source code leak was made public. And in addition to the immediate backlash, companies that have experienced a breach underperform the market by > 15%, even 3 years later.
Considering the stakes, it is important to take a closer look at the types of leaked data that threat actors seek out, and ways to effectively prevent them from getting their hands on it.
In almost all cyber-attacks affecting an organisation, credentials are involved either as a target of theft or as a means to furthering access in a network. This includes email credentials and hardcoded access credentials that can be used to access confidential emails, systems, and documents.
Target was breached using stolen credentials
In one of the first major breaches, threat actors uploaded BlackPOS to Target’s point-of-sale (PoS) network, allowing them to steal customers’ credit card information and other personal details. It was later found that the threat actors were able to compromise Target servers using credentials stolen from Fazio Mechanical Services. Fazio, Target’s HVAC vendor, had access to Target servers. And since the network was not properly segmented, the threat actors were able to compromise Target’s PoS network.
While source code can be exposed on purpose, by malicious insiders, most often it is exposed by developers being careless while pushing code from their machines to GitHub. Leaked source code could potentially expose SSH keys – digital certificates that unlock online resources, Application Programming Interface (API) keys, and other sensitive tokens. Using the source code, threat actors can find vulnerabilities that can be exploited, to launch cyber-attacks on the company.
After discovering one of Daimler AG’s Git web portals, a researcher registered an account on Daimler’s code-hosting portal and downloaded 580 Git repositories from the company’s server. The repositories contained the source code of onboard logic units (OLUs) used in Mercedes vans, which provide live vehicle data. The researcher then uploaded the files to file-hosting service MEGA, the Internet Archive, and on his own GitLab server, thus making it public.
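The most effective point to catch the keys and tokens described above is before the commit leaves the developer's machine. The scanner below is an added example, not code from the page or from any project it names: it checks file content against three patterns, the AWS access key id format (`AKIA` followed by 16 upper-case letters or digits, which is the documented shape of such ids), PEM private-key headers, and password/secret/token assignments to string literals. The sample file is constructed, and its key id is AWS's published example value, not a live credential; the generic rule's minimum length of 8 is an assumption chosen to cut noise.

```python
"""Added example (not from the page): a minimal pre-commit style secret
scanner run over a constructed source file.  The token-shaped strings are
placeholders (the AWS key id is the documented example value), not real
credentials.  Findings never include the matched secret itself."""
import re

PATTERNS = [
    # AWS access key id: "AKIA" + 16 upper-case letters/digits
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private key header, with or without an algorithm label
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # name ending in password/secret/api_key/token assigned a string literal
    # of at least 8 characters (length threshold is an assumption to cut noise)
    ("generic-secret-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Constructed sample file content, as a developer might commit it by mistake.
SAMPLE_FILE = '''\
import os

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # hard-coded; should come from the environment
DB_PASSWORD = "hunter2hunter2"
api_key = os.environ.get("API_KEY")          # fine: read from the environment
PLACEHOLDER_KEY = "-----BEGIN RSA PRIVATE KEY-----"
'''


def scan_text(text, path="<memory>"):
    """Return one finding per (line, rule) as a dict; the secret is not echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS:
            if rx.search(line):
                # keep only the left-hand side so the report is safe to share
                context = line.strip().split("=")[0].strip()[:40]
                findings.append({"path": path, "line": lineno,
                                 "rule": name, "context": context})
    return findings


def scan_file(path):
    """Scan a file on disk with the same rules."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


def has_secrets(text):
    """Convenience predicate for a pre-commit hook: True means block the commit."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE, "example.py"):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['context']})")
```

Three of the six lines are flagged; the `os.environ.get` line passes because the value is not a literal, which is the pattern developers should be steered towards. Regex rules of this kind are cheap and deliberately narrow; a production setup would add entropy-based checks and run the same scan over git history, since a secret removed in a later commit is still present in the repository.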
Sensitive data such as credit card details, healthcare information, customer PII, etc. often ends up on the dark web after being exposed on unsecured databases or cloud storage. This information could be used to launch phishing attacks. It could also lead to your intellectual property being exposed to the public.
540 million Facebook users’ records were exposed on unsecured S3 buckets
Mexico based digital media company Cultura Colectiva exposed 146 GB of Facebook user data, including comments, likes, account names, reactions, and Facebook IDs, on an unsecured Amazon S3 bucket. Another S3 bucket, belonging to Facebook integrated app At The Pool, exposed 22,000 Facebook users’ friend lists, interests, photos, group memberships, and check-ins.
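Both of the S3 incidents above and the "enable encryption by default" advice in the AWS section of this page come down to bucket settings that can be checked mechanically. The following added example (not code from AWS, Facebook or this blog) audits an inventory of bucket settings arranged in the shapes the `get-bucket-encryption`, `get-public-access-block` and `get-bucket-policy-status` API responses use; the bucket names, the KMS key alias and the settings are constructed, and a missing entry models the API reporting that the configuration does not exist for that bucket.

```python
"""Added example, not from the page or AWS: S3 bucket posture check over
API-shaped settings (default encryption, public access block, policy
status).  Bucket names, key alias and settings are constructed; a missing
key models the API reporting no such configuration for that bucket."""

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed inventory keyed by bucket name.
SAMPLE_BUCKETS = {
    "customer-exports": {
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/placeholder-key"}}]},
        "public_access_block": {flag: True for flag in PAB_FLAGS},
        "policy_status": {"IsPublic": False},
    },
    "app-uploads": {
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "AES256"}}]},
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy_status": {"IsPublic": True},
    },
    "legacy-backups": {
        # no encryption configuration and no public access block at all
        "policy_status": {"IsPublic": False},
    },
}


def check_bucket(cfg):
    """Return (severity, detail) findings for one bucket's settings."""
    findings = []
    enc = cfg.get("encryption")
    if not enc or not enc.get("Rules"):
        findings.append(("medium", "no default encryption configured"))
    else:
        algo = enc["Rules"][0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
        if algo != "aws:kms":
            # SSE-S3 still encrypts at rest; KMS adds key-level access control
            findings.append(("info", f"default encryption is {algo} rather than a KMS key"))
    pab = cfg.get("public_access_block") or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append(("high", "public access block incomplete: " + ", ".join(missing)))
    if cfg.get("policy_status", {}).get("IsPublic"):
        findings.append(("critical", "bucket policy grants public access"))
    return findings


def audit_buckets(inventory):
    """Map bucket name -> findings, omitting buckets with nothing to report."""
    report = {}
    for name, cfg in inventory.items():
        found = check_bucket(cfg)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, found in audit_buckets(SAMPLE_BUCKETS).items():
        for sev, detail in found:
            print(f"{name} [{sev}] {detail}")
```

The first bucket is clean and is left out of the report; the second is exactly the Cultura Colectiva situation (a policy that makes the data public, with the public-policy blocks switched off); the third has neither default encryption nor any public access block, the state an old bucket created before those features existed is often found in.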
How to eliminate the low-hanging fruit that expedites attacks?
As seen from the above examples, despite their best efforts, Target, Mercedes, and Facebook were not able to prevent their data from leaking. This can be attributed to the highly distributed, interconnected, and globalized nature of modern businesses. This means, there aren’t enough resources to monitor every employee, vendor, and vendor’s vendor. But the good news is, if you can detect data leaks in time, and have them taken down, their impact will be greatly reduced.
Usually, a data breach lifecycle is 279 days: 206 days to identify a breach, and 73 days to contain it. If a data leak can instead be identified within a few hours, its presence across the surface web and dark web can be contained. However, this cannot be done manually. The only way to effectively identify and curb data leaks is to adopt AI-driven real-time monitoring.
Continuous monitoring for leaked or exposed data
Incorporate processes and tools that ensure data leaks related to your organization are monitored continuously. This includes real-time monitoring of the surface web, deep web, and dark web for credentials, source code, and sensitive information. Deploy a comprehensive threat monitoring tool such as CloudSEK’s XVigil, whose AI-driven engine scours the internet for threats and data leaks related to your organization, prioritizes them by severity, and provides real-time alerts, giving you enough time to neutralize the data leaks before they can have adverse impacts on your business.
With cyber threats on the rise, and the recent implementation of remote work across businesses and organizations, in-house IT teams are struggling to preserve their security posture. Furthermore, an increasing number of employees are using applications, hardware, software, and web services that their IT departments are not aware of. A Forbes Insights survey found that more than 1 in 5 organizations have experienced a security incident due to shadow IT resources.
Amidst the COVID-19 crisis, with entire workforces confined to their homes, the use of personal networks and devices is growing rapidly. This allows employees to install or work with external applications and infrastructure that complements their skills and/ or requirements. While this may improve employee productivity, it exposes employees and their organizations to a wide range of cyber threats.
What is Shadow IT?
Shadow IT refers to the use of diverse Information Technology (IT) systems, devices, software, applications, and services, without the authorization of IT departments. Although shadow IT enhances efficiency, it also subjects users and their organizations to heightened risks of data breaches, noncompliance issues, unforeseen costs, etc.
Microsoft 365, work management apps such as Slack, Asana, Jira, etc., messaging apps like WhatsApp, and cloud storage, sharing, and synchronisation apps such as OneDrive and Dropbox are the most common examples of shadow IT. Obviously, these applications are not inherently threatening, and are usually installed with the best intentions, but they tend to endanger the overall security of the organization in the event of misuse or negligence.
What are the different forms of shadow IT and which is the most popular one?
Users employ various forms of shadow IT applications and services. Broadly, they can be classified as:
Hardware: Personal devices, systems, servers and other assets.
Ready-to-use software: Adobe Photoshop, MS Office, etc.
Cloud services: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) services.
While users subscribe to various IT services that are not administered by their IT departments, the most common form of shadow IT is SaaS-based cloud services. SaaS-based applications are gaining popularity across workforces, regardless of the industry or sector. This is because such publicly available applications often outperform on-premise applications and infrastructure.
Why do employees prefer shadow IT?
A study by the Everest Group found that shadow IT accounted for 50% or more of the IT spending in large organizations. So, dismantling shadow IT means organizations have to devote more funds to building and maintaining approved applications and infrastructure. However, employees prefer external applications even when in-house applications are available, simply because the external ones are comparatively sophisticated.
Here are some common reasons for employees opting for shadow IT solutions:
Efficiency and agility
This is probably the most common reason behind the increasing use of shadow IT. Users employ external IT resources to produce better results, and because it makes work considerably easier. The latest research by Entrust Datacard reported that 77% of the surveyed IT employees believed that organizations could be frontrunners if they were successful in meeting the shadow IT needs of their employees.
Poor communication and coordination between various teams and the IT department is not conducive for productivity. Therefore, it could cause employees to choose shadow IT over onsite software and applications.
If customers’ programs cannot be integrated with the organization’s systems/ software, employees may resort to using external services for better results.
Readily available tools
Clearance from the IT department can be time-consuming. So when the necessary software, service or hardware is readily available and compatible with any device, employees will naturally choose to use it.
What are the potential risks associated with shadow IT?
Where employees use shadow IT, security is the principal concern. As IT departments are unaware of certain applications that employees use, it is impossible for them to provide security updates and patches, or to test the newly adopted applications. Unpatched vulnerabilities can cost organizations a fortune, as in the case of Maersk in 2017, when attackers compromised its computers because they lacked the latest Microsoft security patches. This incident cost Maersk over $200 million in lost revenue.
Data breaches, leaks
Shadow IT applications that support file sharing, storage and collaboration are prevalent among the employees of every organization. As effective as they are, they can cause data breaches and leaks: since IT departments are not familiar with this additional software deployed on their networks, they eventually lose control over the organization’s data. In 2018, Gartner predicted that by 2020 one-third of successful attacks on organizations would be through data located in shadow IT resources and shadow IoT.
Non-compliance and violation of regulations
If and when organizations fail to conduct risk assessments and take preventive measures with regard to unauthorized applications, they can face severe sanctions for non-compliance; such applications also risk violating regulations such as HIPAA and GDPR. On becoming aware of shadow IT applications in use within the organization, they are forced to conduct a separate security audit, which results in unforeseen costs.
What can organizations do to avoid these risks?
Regular monitoring of networks and vulnerability scanning
Monitor your organization’s network continuously for shadow IT applications, and scan those applications, along with other in-house assets, for vulnerabilities that could expose your organization to cyberthreats. Ensure that the latest updates are installed.
The IT department could set up a system of SaaS Management or simply Software Asset Management, to keep track of all the applications used within the organization.
Internal monitoring tools
We would also encourage organizations to leverage digital risk monitoring tools such as CloudSEK’s XVigil. XVigil helps detect data leaks pertinent to the organization that are caused by shadow IT early on, giving you sufficient time to address them before they affect your security posture.
Security and IT teams should create awareness among employees. This can also give you an idea of the various shadow IT devices and applications that your employees use. While they are at it, security and IT teams may also want to educate employees on the different types of data they handle and the responsibilities that come with it.
Address employees’ technology needs
Organizations should address employees’ technology requirements, to eliminate the need for external applications. Employees often cite long approval processes and delays in acquiring sanctioned applications, as reasons for adopting external solutions to meet their immediate needs.
Prepare a list of usable applications or devices
Keeping in mind that not all applications or devices pose a threat, organizations could prepare a list of approved applications/ devices and encourage employees to use them.
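The monitoring and approved-list advice above can be turned into a simple discovery job: inventory the SaaS domains that appear in the organization's web-proxy log and report those that are not on the sanctioned list, together with who used them and whether data was uploaded. The script below is an added example, not code from the original article or from CloudSEK; the proxy log lines, the approved list and the small SaaS catalogue are constructed for illustration, and `parse_line()` would be adapted to whatever format your proxy or DNS resolver actually writes.

```python
"""Discover unsanctioned SaaS use from a web-proxy log and compare it against an
approved-application list.

Added example, not code from the original article. The log lines, the approved
list and the SaaS catalogue are constructed; adapt parse_line() to the format
your proxy or DNS resolver actually writes.
"""
from urllib.parse import urlsplit

# Constructed proxy log: "<timestamp> <user> <method> <url> <status>"
PROXY_LOG = """\
2021-02-01T09:01:11Z alice GET https://teams.microsoft.com/api/chat 200
2021-02-01T09:02:45Z bob GET https://www.dropbox.com/home 200
2021-02-01T09:03:02Z bob POST https://content.dropboxapi.com/2/files/upload 200
2021-02-01T09:04:10Z carol GET https://app.asana.com/0/inbox 200
2021-02-01T09:05:33Z alice GET https://onedrive.live.com/ 200
2021-02-01T09:06:00Z dave GET https://wetransfer.com/ 200
2021-02-01T09:06:20Z dave POST https://wetransfer.com/api/v4/transfers 201
2021-02-01T09:07:08Z carol GET https://intranet.example.com/hr 200
2021-02-01T09:08:41Z erin GET https://notes.someapp-example.io/ 200
"""

# Registrable domains the IT department has sanctioned (constructed list).
APPROVED = {"microsoft.com", "live.com", "example.com"}

# Catalogue of known SaaS domains and their category (constructed; a real
# deployment would use a maintained cloud-application database).
SAAS_CATALOGUE = {
    "dropbox.com": "file sharing",
    "dropboxapi.com": "file sharing",
    "asana.com": "work management",
    "wetransfer.com": "file sharing",
    "microsoft.com": "collaboration",
    "live.com": "cloud storage",
}


def registrable_domain(host):
    """Reduce a hostname to its last two labels (sufficient for .com-style TLDs;
    use a public-suffix library if co.uk-style domains matter)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line):
    ts, user, method, url, status = line.split()
    host = urlsplit(url).hostname or ""
    return {"ts": ts, "user": user, "method": method,
            "domain": registrable_domain(host), "status": int(status)}


def discover_shadow_it(log_text):
    """Return {domain: {...}} for catalogued SaaS domains that are not approved.
    'uploads' counts POST/PUT requests, i.e. data leaving the network."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        d = rec["domain"]
        if d in APPROVED or d not in SAAS_CATALOGUE:
            continue
        f = findings.setdefault(d, {"category": SAAS_CATALOGUE[d],
                                     "users": set(), "hits": 0, "uploads": 0})
        f["users"].add(rec["user"])
        f["hits"] += 1
        if rec["method"] in ("POST", "PUT"):
            f["uploads"] += 1
    return findings


def unknown_domains(log_text):
    """Domains that are neither approved nor catalogued: candidates for review."""
    seen = set()
    for line in log_text.splitlines():
        if line.strip():
            d = parse_line(line)["domain"]
            if d not in APPROVED and d not in SAAS_CATALOGUE:
                seen.add(d)
    return seen


if __name__ == "__main__":
    for domain, f in sorted(discover_shadow_it(PROXY_LOG).items()):
        print(f"{domain:20} {f['category']:16} users={sorted(f['users'])} "
              f"hits={f['hits']} uploads={f['uploads']}")
    print("uncatalogued:", sorted(unknown_domains(PROXY_LOG)))
```

Running it against the constructed log reports Dropbox, Asana and WeTransfer as unsanctioned, shows that the WeTransfer use included an upload, and lists the uncatalogued domain for manual review; the two lists are the raw material for the approved-application list recommended above.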
A recently uncovered spear phishing campaign orchestrated by the PerSwaysion group, targeting 150+ executives across the globe, is a prime example of the growing trend of concerted cyber attacks on CXOs and VIPs. Such targeted attacks on VIPs are commonly known as whaling. Whaling tactics are similar to general spear phishing, but differ in that they specifically target high-level and important individuals within an organization.
Threat actors are slowly moving from large-scale, low-value attacks that target the general population to small-scale, high-value attacks that target the key personnel of an organization. Furthermore, the Verizon 2019 Data Breach Report found that senior executives are 12 times more likely to be targets of social incidents, and 9 times more likely to be targets of social breaches. This is because high-profile personnel have exclusive clearances and privileges, including:
Access to confidential and sensitive information, including financials, trade secrets, etc.
The authority to order other employees in the organization to carry out certain tasks.
Access to valuable assets, including networks, devices and facilities.
How do threat actors target C-level executives?
Research and reconnaissance
To orchestrate a typical attack, threat actors perform extensive reconnaissance and research, to understand an organization’s structure and functions.
Using this information, they narrow down the list of potential targets and their associates.
They then collect personal information about the shortlisted VIPs. Most companies publish their executives’ details on social media, news media, and their own websites. Thus, a simple Google search will give the threat actor access to this information. Moreover, the executives themselves have personal accounts on platforms such as Facebook and LinkedIn. And often, the privacy settings on these accounts are lax.
They further search for exposed account credentials from previous data leaks. Given that most of us, executives being no exception, use the same password for multiple accounts, the exposed credentials can be used to gain access to the executive’s official email account.
Data theft attacks
Once threat actors have obtained access to C-suite executives’ accounts, through brute-force attacks or other means, they steal valuable information. This may include client lists, customer data, financial data, internal processes, business strategies and plans, and more.
Threat actors could also hijack executives’ social media accounts and post harmful messages, which could tarnish the reputation of the executive and their organization.
Using the email access, threat actors decipher the communication frequencies and styles within the organization. For example, if there is a trail of audit-related emails, threat actors can send requests for audit-related details as a continuation of the ongoing communication.
If threat actors cannot get hold of an executive’s credentials, they create fake email IDs that closely resemble one of the executives’ email IDs or that of the HR or accounting department. From the fake ID they send an urgent, actionable and believable email to a C-level executive.
Threat actors bank on executives having limited time, or relying on assistants, to read and respond to emails. They also ensure the emails are believable. For this, they add references to the executive’s interests and hobbies, which are gleaned from their social media profiles. The emails usually request the email recipient, who is also an executive or VIP, for sensitive information, wire transfers, or to download an attachment.
If the recipient falls for the trap, they will end up revealing sensitive information or authorizing someone else to do so. They could also authorize transfers to the fake account details shared by the threat actor. A malicious attachment could drop a malware or ransomware payload in their systems. The recent PerSwaysion campaign used a fake Microsoft Outlook login page, from where they were able to collect 150+ executives’ login credentials. The credentials can be used to orchestrate other attacks or could be sold on the Dark Web, to the highest bidder.
How to protect C-level executives from these attacks?
Given the heightened risk to VIPs, here are a few measures to combat and mitigate threats:
Deploy a real-time monitoring tool that will scour the internet – surface web, deep web and dark web – for potential threats. A comprehensive SaaS platform such as CloudSEK’s XVigil tracks VIPs’ personal email IDs for their presence in past security breaches. Organizations are alerted to such threats immediately, along with other significant details pertaining to the risk.
Review social media presence
Ensure the executives’ social media accounts have the highest level of privacy. Report duplicate accounts and delete dormant accounts on a regular basis.
Enable Multi-Factor Authentication (MFA) for all their accounts, including email, company assets and the network.
Regular cybersecurity refreshers
Since threat actors are constantly changing and upgrading their whaling tactics and ruses, periodic training will help executives spot and avoid such traps.
An attack on a VIP doesn’t just affect them personally; it also affects their organization’s revenue and brand image. Threat actors could gain access to the company’s central database, steal employee and customer details, and leak or even sell them. It takes years of painstaking effort to build a company’s brand image, and any damage to this intangible asset can have very serious and far-reaching consequences. Hence it is important to enable processes, and tools such as XVigil, to continuously monitor and protect VIPs and their organizations.
From the outset of the pandemic, we have seen a dramatic increase in the number of cyber attacks and data breaches. And with much success, threat actors are abusing the fear and panic these adverse conditions are causing. As a result, there has been a precipitous rise in the number of COVID-themed trojans, ransomware attacks, as well as scams and phishing attacks across organisations and verticals. As more organizations shift to remote work, with inadequate policies and strategies in place, they gamble on their own employee and business data security, and privileged controls. And this has served as a catalyst, for an increased number of data breaches, across the globe.
This article delves into the various ways in which data breaches can occur, and the safety practices that ensure your organization is not impacted by:
Exposed Internal API/ portals
Phishing attacks and credential disclosure
Insecure WiFi/ no VPN
Cloud misconfigurations have led to massive data breaches. For example, the Capital One and Imperva data breaches were caused by the disclosure of AWS API keys.
Fugue’s survey shows that 84% of the 300 IT professionals surveyed believe that they are already victims of undiscovered cloud breaches.
As pointed out by the survey, the most common causes of cloud misconfigurations are:
Lack of awareness of cloud security and related policies,
Insufficient controls and lapse in supervision,
Too many cloud APIs to adequately govern, and
Negligent internal activities
Although cloud operations take a considerable load off developers and facilitate the smooth management and monitoring of multiple services, enforcing proper access control policies, user management, access key management and API access control becomes essential.
How to prevent cloud misconfiguration
Understand and utilise the ‘shared responsibility’ security model.
Ensure multiple checks while shifting operations to the cloud giving careful consideration to IAM roles, user account permissions, key rotations, test accounts, and storage bucket permissions.
Review inbound and outbound traffic rules carefully for the VPC. Security groups are also susceptible to misconfigurations. Therefore, enforce a zero trust policy, and enable VPC logs and monitoring.
Set up behavioural analysis and activity monitoring in addition to strict access policies.
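The checks listed above (IAM permissions, key rotation and security-group rules) are routine enough to script. The following is an added example, not code from the original article or from any CloudSEK product: it audits configuration snapshots shaped like the AWS `describe-security-groups`, IAM policy document and `list-access-keys` responses for rules open to the whole internet, wildcard permissions and unrotated keys. The snapshots are constructed and embedded inline so the script runs offline; a real audit would fetch them with the AWS SDK (boto3), which this script deliberately does not call.

```python
"""Check cloud configuration snapshots for the misconfigurations listed above:
open security-group rules, wildcard IAM permissions and unrotated access keys.

Added example, not from the original article or any CloudSEK product. The data
mirrors the shape of AWS API responses but is constructed; a real audit would
fetch it with the AWS SDK, which this offline script does not call.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 2, 1, tzinfo=timezone.utc)   # fixed clock for reproducible output
KEY_MAX_AGE = timedelta(days=90)                   # assumed rotation policy
ANYWHERE = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 9200: "Elasticsearch"}

SECURITY_GROUPS = [  # constructed
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-data", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},   # "-1" = all traffic
]

IAM_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*"], "Resource": "*"},
]}

ACCESS_KEYS = [  # constructed; the key ids are placeholders, not real AWS ids
    {"UserName": "deploy", "AccessKeyId": "AKIA-PLACEHOLDER-1", "CreateDate": NOW - timedelta(days=30)},
    {"UserName": "legacy-ci", "AccessKeyId": "AKIA-PLACEHOLDER-2", "CreateDate": NOW - timedelta(days=400)},
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_security_groups(groups):
    """Return (group_id, message) for rules reachable from the whole internet."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if not cidrs & ANYWHERE:
                continue                       # restricted to specific ranges
            if rule["IpProtocol"] == "-1":
                findings.append((g["GroupId"], "all protocols and ports open to the internet"))
                continue
            for port, name in SENSITIVE_PORTS.items():
                if rule["FromPort"] <= port <= rule["ToPort"]:
                    findings.append((g["GroupId"], f"{name} ({port}) open to the internet"))
    return findings


def audit_iam_policy(policy):
    """Return (statement_index, message) for over-broad Allow statements."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st["Resource"]):
            continue
        for action in _as_list(st["Action"]):
            if action == "*":
                findings.append((i, "full administrative access (Action '*' on Resource '*')"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action} on Resource '*'"))
            elif action.lower() == "iam:passrole":
                findings.append((i, "iam:PassRole on Resource '*' lets the principal hand any role to a service"))
    return findings


def stale_access_keys(keys, now=NOW, max_age=KEY_MAX_AGE):
    """Return user names whose access key is older than the rotation policy allows."""
    return [k["UserName"] for k in keys if now - k["CreateDate"] > max_age]


if __name__ == "__main__":
    for gid, msg in audit_security_groups(SECURITY_GROUPS):
        print(f"[SG]  {gid}: {msg}")
    for idx, msg in audit_iam_policy(IAM_POLICY):
        print(f"[IAM] statement {idx}: {msg}")
    for user in stale_access_keys(ACCESS_KEYS):
        print(f"[KEY] {user}: access key older than {KEY_MAX_AGE.days} days")
```

On the constructed data the security-group audit ignores the public HTTPS rule and the Elasticsearch rule limited to 10.0.0.0/8, but flags SSH and the all-traffic IPv6 rule on `sg-data`; the IAM audit flags the admin statement and both the `ec2:*` wildcard and the unrestricted `iam:PassRole`; and only the 400-day-old key fails the rotation check.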
Elasticsearch is a search engine that indexes data in the form of documents. Typically, the size of data that this engine indexes is quite large and the indexed result comprises metadata, personal user information, emails or application logs, and more. The service, by default, runs on TCP port 9200. Moreover, most Elasticsearch instances are self-hosted free versions of the software.
CloudSEK XVigil’s Infrastructure Monitor has detected a significant increase in Elasticsearch instances running on the default port, and such exposures are not rare these days. Recently a UK-based security firm accidentally exposed an Elasticsearch cluster, leaking more than 5 billion documents of breached data dating from 2012 to 2019.
How to secure Elasticsearch
Prevent access to Elasticsearch clusters from the internet. This is the best approach for most databases.
Practice ‘security by obscurity’, whereby installed services are not run on their default ports. This measure does not by itself fix the problem, but it drastically reduces the chances of exploitation via unfocused attacks.
Perform periodic assessments of vendors’ and partners’ networks and ensure that their security controls are set properly. The misconfiguration of privately owned infrastructure, as well as that of partners and vendors in possession of critical data, adversely impacts businesses.
Analyse and test every potential entry point to any critical data source or functionality. This includes supplementary tools used to expand an application’s capabilities. Most users install Kibana along with Elasticsearch, to visualise the data Elasticsearch indexes; Kibana dashboards are usually left unauthenticated, inadvertently granting anyone access to the indexed data.
Encrypt the stored data, to render the data useless to the attacker, even if it is accessible.
Employ Elasticsearch’s security methods for authentication, including:
Active Directory user authentication
File-based user authentication
Enforce a role-based access control policy for users who access the cluster.
Update Elasticsearch versions regularly, to safeguard the cluster from frequent exploits that affect the older versions.
Back up the data stored in the production cluster. This is as important as the security measures adopted. A recent attack campaign accessed as many as 15,000 Elasticsearch clusters, and their contents were wiped using an automated script.
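Several of the recommendations above (do not expose the cluster, do not run on the default port, enable authentication, secure Kibana) are visible directly in `elasticsearch.yml` and `kibana.yml`, so they can be linted before a node is deployed. The following is an added example, not code from the original article: a small linter that parses the flat `dotted.key: value` settings these files use (no YAML library needed) and reports an exposed configuration beside a hardened one. The configuration fragments, the internal address and the non-default port are constructed. The security-disabled check reflects the pre-8.0 free distribution the article describes, where `xpack.security.enabled` is off unless set explicitly.

```python
"""Lint Elasticsearch and Kibana configuration for the exposures discussed above:
binding to every interface, security disabled, default port, unencrypted
transport, and a Kibana front end that inherits the missing authentication.

Added example, not part of the original article. The YAML fragments are
constructed. Elasticsearch and Kibana use flat "dotted.key: value" settings,
so a small line parser is enough and no YAML library is required.
"""

INSECURE_ES = """\
cluster.name: prod-logs
network.host: 0.0.0.0          # reachable on every interface
http.port: 9200
discovery.type: single-node
"""

HARDENED_ES = """\
cluster.name: prod-logs
network.host: 10.0.5.12        # internal interface only (constructed address)
http.port: 9250
discovery.type: single-node
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
"""

KIBANA = """\
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://10.0.5.12:9250"]
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines, dropping comments and surrounding quotes."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def truthy(cfg, key, default):
    return cfg.get(key, str(default)).lower() == "true"


def lint_elasticsearch(cfg):
    """Return (severity, message) findings for an elasticsearch.yml mapping."""
    findings = []
    host = cfg.get("network.host", "_local_")   # Elasticsearch binds to loopback by default
    if host in PUBLIC_BINDS:
        findings.append(("high", f"network.host={host}: node listens on all interfaces"))
    # Before 8.0 the free distribution ships with security off unless this key is set.
    security_on = truthy(cfg, "xpack.security.enabled", False)
    if not security_on:
        findings.append(("high", "xpack.security.enabled is not true: no authentication on the REST API"))
    if cfg.get("http.port", "9200") == "9200":
        findings.append(("low", "http.port is the default 9200: trivially found by untargeted scans"))
    if security_on and not truthy(cfg, "xpack.security.transport.ssl.enabled", False):
        findings.append(("medium", "transport SSL disabled: node-to-node traffic is unencrypted"))
    return findings


def lint_kibana(kibana_cfg, es_cfg):
    """Kibana prompts for a login only when Elasticsearch security is enabled,
    so a public Kibana in front of an unsecured cluster is an open dashboard."""
    findings = []
    if (kibana_cfg.get("server.host", "localhost") in PUBLIC_BINDS
            and not truthy(es_cfg, "xpack.security.enabled", False)):
        findings.append(("high", "Kibana is public and Elasticsearch security is off: dashboards open to anyone"))
    return findings


if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_ES), ("hardened", HARDENED_ES)):
        es = parse_flat_yaml(text)
        print(f"== {label} ==")
        for sev, msg in lint_elasticsearch(es) + lint_kibana(parse_flat_yaml(KIBANA), es):
            print(f"  [{sev}] {msg}")
```

The insecure fragment produces two high findings (public bind, no authentication) plus the default-port note, and the same Kibana configuration becomes a finding only when paired with it; the hardened fragment produces none. Running the linter as a pre-deployment check, or over the configuration of partner-hosted clusters during the vendor assessments recommended above, catches the exposure before XVigil or anyone else finds it on the internet.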
Exposed Internal APIs/ Portals
Organizations deploy various applications for internal use, including HR management tools, attendance registration applications, file sharing portals, etc. When the entire workforce shifts to remote work, as is the case now, it becomes difficult to track the access and usage of these applications. To top it off, applications are increasingly allowed traffic from the internet instead of from local office networks. As a result, applications and APIs that lack authentication or use default credentials are increasingly surfacing on the internet.
In the past couple of weeks, a number of HR Portals, payroll applications, lead management dashboards, internal REST APIs, and shared FTP servers have surfaced on the internet. Most of the applications are self-hosted, and their default passwords can be used to access them. XVigil has detected multiple instances of directories that contain transaction reports, employee information documents, etc. being served without any authentication.
How to prevent data disclosure through APIs/ portals
Security teams must test these applications thoroughly.
Continuously monitor all internet facing servers.
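One concrete way to "continuously monitor all internet facing servers" for the exposure described above is to watch the web server's own access log for internal portal paths that are served successfully to clients outside the office network with no authenticated user. The script below is an added example, not code from the original article or from XVigil. The access log lines are constructed in nginx/Apache combined format, and the internal path prefixes and inside address ranges are assumptions to replace with your own; it keeps its own list of inside ranges because Python's `ipaddress.is_private` also treats the documentation ranges used in the sample as private.

```python
"""Flag internal portal paths that were served to internet sources without
authentication, using web-server access logs.

Added example, not from the original article. The log lines are constructed in
nginx/Apache combined format; the internal path prefixes and the office/VPN
address ranges are assumptions to replace with your own.
"""
import ipaddress
import re
from collections import Counter

# Constructed combined-format access log.
ACCESS_LOG = """\
10.0.3.14 - alice [01/Feb/2021:09:10:01 +0000] "GET /hr/payslips/2021-01.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Feb/2021:09:11:22 +0000] "GET /hr/payslips/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [01/Feb/2021:09:11:40 +0000] "GET /api/internal/employees?page=1 HTTP/1.1" 200 18320 "-" "python-requests/2.25.1"
198.51.100.7 - - [01/Feb/2021:09:12:05 +0000] "POST /payroll/login HTTP/1.1" 401 0 "-" "curl/7.68.0"
203.0.113.45 - - [01/Feb/2021:09:13:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Paths that should only ever be reached from the office network or VPN (assumed).
INTERNAL_PREFIXES = ("/hr/", "/payroll/", "/api/internal/", "/reports/")

# Address ranges treated as "inside": RFC 1918 plus loopback. The ipaddress
# module's is_private flag also covers documentation ranges such as
# 203.0.113.0/24 (used as outside clients in the sample), hence the explicit list.
INSIDE = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_access_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE)


def find_exposed(log_text):
    """(ip, path, status) for internal paths served successfully to outside
    clients with no authenticated user recorded by the server."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or is_inside(rec["ip"]):
            continue
        if (rec["path"].startswith(INTERNAL_PREFIXES)
                and 200 <= rec["status"] < 300 and rec["user"] == "-"):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def outside_probes(log_text):
    """Outside clients refused (401/403) on internal paths: the portal is being looked at."""
    c = Counter()
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if (rec and not is_inside(rec["ip"])
                and rec["path"].startswith(INTERNAL_PREFIXES)
                and rec["status"] in (401, 403)):
            c[rec["ip"]] += 1
    return dict(c)


if __name__ == "__main__":
    for ip, path, status in find_exposed(ACCESS_LOG):
        print(f"EXPOSED  {ip:16} {path} -> {status}")
    for ip, n in outside_probes(ACCESS_LOG).items():
        print(f"PROBED   {ip:16} refused {n} time(s) on internal paths")
```

On the sample log the payslip directory and the internal employee API are reported as exposed (served with HTTP 200 to an outside address, no authenticated user), while the refused login attempt from a second outside address shows up as a probe; the office user's request from 10.0.3.14 is ignored. The `user` field only reflects authentication the web server itself performs, so an application that handles its own login must log that separately for the check to be meaningful.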
Phishing attacks and credential disclosures
With a remote workforce communicating primarily via text-based channels such as email, chat and SMS, it has become much easier for phishing campaigns to take advantage of the distributed workforce. Consequently, the number of spear phishing attacks has surged. Barracuda researchers have observed three main types of phishing attacks in the last couple of months:
Business Email Compromise (BEC)
Individuals fall prey to phishing attacks, especially during the pandemic, due to:
Lack of direct communication
Absence of processes and strategies for situations such as this
Lack of awareness
Since emails that use the word COVID have higher click-rates now, scammers are increasingly using them as lures to spread malicious attachments. Once the attachment is downloaded and the malware payload is dropped, threat actors can access keystrokes, files, webcam, or install other malware or ransomware. (Access CloudSEK’s threat intel on COVID-themed scams and attacks)
How to prepare for phishing attacks
Be extremely cautious about any mail you receive.
Verify the source of the email, before clicking on any links or attachments.
Even if the links look legitimate, double-check for malicious files. For example: hovering over the attachment will show its actual URL.
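The header checks that a mail gateway or a cautious recipient can apply map directly onto the tricks described in the whaling section above (a real executive's display name on a look-alike address, a Reply-To that diverts the thread, an urgent request) and the "verify the source" advice here. The following is an added example, not code from the original article or from CloudSEK: it parses two raw messages with the standard library and returns a list of findings per message. The corporate domain `example.com`, the executive list, the urgency word list and both messages are constructed.

```python
"""Score an inbound message's headers for the impersonation tricks described
above: a sender name copied from a real executive, a look-alike domain, a
Reply-To that diverts the conversation, urgency in the subject, and failed
SPF/DMARC checks.

Added example, not from the original article or CloudSEK. The corporate domain
example.com, the executive list and both messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"priya mehta": "priya.mehta@example.com",      # constructed
              "rahul sen": "rahul.sen@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "transfer", "invoice", "confidential")
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))

SUSPECT = """\
From: "Priya Mehta" <priya.mehta@examp1e.com>
Reply-To: ceo-office@mail-relay-example.net
To: rahul.sen@example.com
Subject: URGENT: wire transfer before the audit call
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail

Rahul, please process the attached invoice today. Travelling, cannot take calls.
"""

LEGIT = """\
From: "Rahul Sen" <rahul.sen@example.com>
To: priya.mehta@example.com
Subject: Q1 review deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass

Deck attached, comments welcome.
"""


def levenshtein(a, b):
    """Edit distance; one or two edits from the real domain is a classic look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold characters that read as the real ones at a glance (rn->m, 1->l, ...)."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def is_lookalike(domain):
    """Close to, or visually identical with, the corporate domain but not equal to it."""
    d = domain.lower()
    if d == CORPORATE_DOMAIN:
        return False
    base = CORPORATE_DOMAIN.rsplit(".", 1)[0]          # "example"
    return (normalise(d) == CORPORATE_DOMAIN
            or levenshtein(d, CORPORATE_DOMAIN) <= 2
            or base in d)                               # example-com.net, example.com.evil.net


def analyse(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:        # real name, wrong mailbox
        findings.append("display-name-spoof")
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to-mismatch")          # replies leave the apparent sender
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency-lure")
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("auth-fail")
    return {"from": addr, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        r = analyse(raw)
        print(f"{label:8} {r['from']:32} score={r['score']} {r['findings']}")
```

The suspect message trips all five checks and the genuine one none. The `base in d` test is deliberately broad (it will also flag `examples.org`), so in a gateway it belongs in a low-weight position; the homoglyph fold and edit distance are the precise signals, and the display-name check is the one that catches the whaling case where the executive's name is copied verbatim.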
Insecure WiFi/ No VPN
Today, remote workers connect from their personal devices and networks, so the connectivity of those devices must be secured.
How to prevent attacks via WiFi
To avoid brute force attacks, set complex passwords for the router. If the router is an old model, it may use weak encryption for connections, which can be cracked in no time.
Employees working from shared spaces such as hostels may be connected to shared WiFi networks as well. So, to ensure that data is not tampered with on such insecure channels, set up a VPN. If your organization does not provide a business VPN, do not download free VPNs, which may log your traffic data.