Posted: November 29th, 2022

Data Breaches Attack Vectors

Data Breaches Attack Vectors
I have identified the main attack vectors as:
1. Social Engineering _ Phishing
2. Web Application Attacks
3. System Intrusion – Malware used
4. Privilege Misuse – Insider attack or deliberate attack from internal employees with access to sensitive data.
5. User error – employees sending sensitive data by mistake

For each point (1 to 5) could you:
Provide an example of the data breach it was used for (British Airways, Equifax etc…). Ideally in the last 5-10 years.
Explain how the attack unfolded and was carried out. For example steps by steps or a diagram of how the incident was carried out. These explanations need to be as detailed as possible, for example, provide the CVE of the vulnerability that was used.
Any questions let me know.
Data Breaches Attack Vectors
1. Social Engineering _ Phishing
The biggest social engineering attack has to be the spear phishing scam on Google and Facebook that happened between 2013 and 2015. This phishing attack was perpetrated by a Lithuania citizen known as Evaldas Rimašauskas who together with his associates cheated the tech giants out of over $100 million (Pallivalappil & Jagadeesha, 2021). They primarily sent phishing emails to particular employees in the two goods, invoked them for goods and services that the manufacturer ghad genuinely produced hence luring the employees toi deposit money into their fraudulent accounts.
Specifically, these attackers established the nucleus of this scheme to be a fake ‘Quanta Computer; in which Rimasaukas had set up in Latvia in 2013. He maintained bank accounts using this company’s name in both Latvia and Cyprus (Pallivalappil & Jagadeesha, 2021). The second step was setting up email accounts that would appear to belong to legitimate Quanta Computer employees. The email accounts would be used to send invoices to the two tech giants. In order for the emails to appear even more legitimate, contracts and letters were used to evade bank scrutiny which has forged signatures of company executives and also used false embossed corporate seals for some of the cases. The subsequent step was to have specific employees targeted with the fraudulent emails. With the doctored documents making them look like they are coming from a legitimate chinese supplier, the hacker was able to lure these employees to wire over $100 million as payments for genuinely rendered goods and services.
The main CVE for this attack was the fact that the human systems users are normally the weakest link to an information system. As a social engineering tactic, the spear phishing approach was able to go around the different kinds of defenses that Google and Facebook had implemented including the network security measures and the endpoint protection to obtain access into the system given by the employees. The targeted employees were duped into believing that the invoice requests were legitimate and allowing payments into the hackers’ accounts. According to the FBI, these kinds of phishing attacks are considered the Business Email Compromise (BEC) which is a commonly used cyber attack vector (Graphus, 2021). It is impossible to fully rely on the human being used to properly identify all cybersecurity attacks against their systems. The malicious attackers such as Rimašauskas and his associates do extensive research on how they can get into a system and will attain higher success rates since the targeted systems have not recognized the system vulnerabilities that could be exploited.
2. Web Application Attacks
Web application attacks come in various forms with one of them being the Denial-of-service (DoS)/ distributed-denial-of-service (DDoS) attack which happen when an attacker sn attacker directs massive amounts of traffic in the website to try and overwhelm the hosting server to disrupt the services availed or even paralyze the entire application. Amazon’s AWS DDoS Attack in 2020 was one of the notable web application attacks which was the largest DDoS attack it has ever recorded. Through the AWS Shield Service, Amazon was able to stop the 2.3 Tbps attack (Bisson, 2020).
This AWS attack was based on the Connection-less Lightweight Directory Access Protocol (CLDAP) DDoS reflection attack which in conjunction with the amplification attacks creates one of the high-volume attacks. The CLDAP reflection is a known UDP reflection vector attack that entails the malicious party sending a CLDAP request to a LDAP server with a spoofed sender IP address which is the targeted system’s IP address (Riley, 2021). Specifically, the attacker sent fake UDP requests and considering the targeted IP address for these packers was spoofed, the attacker sticks with the victim’s IP address within the source IP address field and not their own IP address which is normally what they do. Each packet has been destined to get to a random reflector server and thus the spoofed packet traverses the internet to eventually get to the reflector server. The server ends up mounting a bulked up response at the target’s IP address to cause the reflection attack on the target (Riley, 2021). Simply, the reflector server ends up receiving the fake packet and after carefully assessing it, iy sends the response back in good faith which is however directed to the victim. The main aim was flooding the target with extensive data amounts or rather a large volume of response packets which it had not requested initially. Subsequently, this ends up disrupting the website such that the applications hosted on the server cannot respond due to a congested network and an interrupt storm. The attack lasted for three days and peaked at an astounding 2.3 terabytes per second.
The main CVE in this attack arose from the proliferation of IoT (Internet of Things) devices. Most of the IoT devices that have been set with default access credentials that are never updated allows the malicious parties to take control of the devices (Chinnasamy, 2021). The attacker is able to compromise numerous vulnerable IoT products to generate the traffic that will take the target down. Normally, the wieners of these insecure IoT devices are unaware that their devices have been comp[romised and that their power to generate traffic is being used in taking the target down.
3. System Intrusion – Malware used
In June 2020, the multinational automotive manufacturer, Honda suffered a ransomware attack that led to a temporary disruption of production operations in various countries. This is because the attack led to employees not being in a position tio access their emails and internal servers while the affiliated financial corporation not being able to answer calls, fund contractual agreements, provide the payoff quotes noy servicing the customer accounts. Specifically, the organization was attacked by the Snake Ransomware which is also known as EKANS which has the ability of obfuscating all forms of the anti-malware solutions. The ransomware first targeted the system and removed the shadow volume copies. Subsequently, it killed all the processes related to the SCADA systems, virtual machines, industrial control systems, remote management tools, network management software among others (NIST CSF, 2020).
This malware attack at Honda was launched using a file called nmon.bat with the .bat extension meaning that the alert tools will identify the scriptable or batch file that was used in the network. Then the attackers used the file titled KB3020369.exe for the attack. However it is important to note that the Microsoft Knowledge base number 3020369 is the Windows 7 Servicing Stack patch (NIST CSF, 2020). Thus, when the attackers use this specific file name, the main intention is for them to hide the malicious files they use in plain sight from the technology professionals. This malware encrypts ths files then drops the ransom note that has been named “Fix-Your-Files.Txt” with both an email address and a ransom demand. The threat analysis on a sample of the file encrypting malware that was uploaded toi VirusTotal which is a malware analysis service that references an internal Honda subdomain, mds.honda.com (Whittaker, 2020). The ransomware only encrypted files in the systems that are capable of resolving the domain but since the latter did not exist within the clear net. Many systems would not be able to resolve the domain. Thus, it would exist in the internal name server that was used in honda’s intranet which was a solid indicator that the company had been hit by Snake.
There has been speculation that the Remote Desktop Protocol (RDP) was the attack point for the incident considering that the organization had machines with RDP access publicly exposed (NIST CSF, 2020). Thus, the primary CVE for Honda’s system was the insecure RDP configurations that allowed the EKANS distribution via several approaches including spam and malicious attachments among other methods. RDP has actually been called out for being one of the attack points preferred by attackers as it is rarely securely protected. The EKANS malware was specifically designed for attacking the industrial control systems (ICS) that is not only focussed in the individual machine but the entire ICS network.
4. Privilege Misuse – Insider attack or deliberate attack from internal employees with access to sensitive data.
Edward Snowden was a contractor working as a systems administrator for the NSA who deliberately raised his privilege level to gain more access rights into the agency’s electronic surveillance program. As the systems administrator, Snowden was issued a CAC smart card that had digita;l certificates and keys. He also had the SSH keys the systems heed was required to administer. Therefore, Snowden had valid access to particular data which opened his way to roam around (Boceck, 2013). It is this initial privileged access granted to Snowden that allowed him to single-handedly access and copy confidential information without being detected. Under the authorized access that Snowden had on the systems which they can control, he would then gain access to users’ credentials on these systems which actually had access to other different systems. Therefore, Snowden was able to ‘leapfrog’ across the NSA systems to the networks that would normally visit nor were they under his privileged access rights (Burgess, 2014). By using the stolen user credentials, he appeared to be the legitimate users accessing the other systems apart from NSA and hence triggered no alarms for possible unauthorized access. As a system administrator, Snowden knew how to identify and access the privileged accounts. Therefore, with the credentials available to provide administrative access to any device with a microprocessor, Snowden accessed the privileged accounts giving him access to the most sensitive areas of the agency’s and other network’s digital assets.
Also, Snowden, who already had his privileged access, could petition other employees for access to information for reasons such as completing their tasks to this effect. Snowden induced his colleagues to provide access to the privileged and sensitive information through the latter’s credentials. Snowden was also found to ask his colleagues for their credentials which they would give him. Specifically, one NSA employee acknowledged providing Snowden with his PKI (Public Key Infrastructure) credential (Burgess, 2014). Other coworkers including an active duty member of the US military and a contract employee did provide their access credentials to Snowden. Finally, Snowden would also fabricate the digital keys to obtain privileged access to the area’s way above his clearance. For the data to gout unnoticed, Snowden had to transfer it without being noticed. Therefore, he encrypted the data transfer sessions through self-signed certificates hence the transfer was unnoticed.
The primary CVE here was that the NSA had poor visibility on the user activity and minimal awareness of the keys and certificates in the present IT environment at the time. NSA’s failure to detect anomalies permitted Snowden to create new keys, obtain the unauthorized keys and create trust for new keys. NSA’s failure to properly manage the privileged access it gives to its system users allowed Snowden to obtain access to massive amounts of sensitive information that ended up being leaked to demonstrate the extensive domestic spying done by the United States government (Vizard, 2021).
5. User error – employees sending sensitive data by mistake
In May 2020, an employee at Serco, which is a business services and outsourcing company, unintentionally cc’d instead of bcc’ing almost 300 email addresses. The email addresses were particularly personal data that belonged to the new recruits as COVID-19 contact tracers. Contact tracing is a system which focuses on slowing down the spread of infectious diseases such as COVID-19 (Hawkins, 2020). This organization which is in the UK was part of this government’s initiative of hiring more contact tracers with some of them being healthcare professionals. In this case of user error, the Serco employee sent an email to the new recruits that gave consent to have their personal email addresses used. However, these email addresses ended up being visible to other recipients. It was an evident case of BCC and CC not being used properly. The email primarily indicated that the trainees were not required to contact the helpdesk in case they had any training questions (Proctor, 2020). The error did not comprise the patient’s information hence the organization determined this error as low-risk.
The primary CVE here was the absence of proper training of the system’s users in terms of how to be careful when interacting with personal information. User errors primarily happen when persons do not effectively interact with the website or application. All human beings are susceptible to making errors. Notably, to mitigate the possibility of user errors, the organizations have to conduct extensive training sessions to ensure that they are constantly careful in whatever they do while interacting with the system. The user error that happened at Serco did demonstrate some of the allegations made against the organization which is contact tracers saying that they have not received any virtual training (ICaaS, 2021). The contact tracers said that they end up not doing any work at all which is an actual waste of human resource. It is important the organization realized that its people needed to be kept busy, and should receive rigorous and detailed training needed for this fundamental role that would see the country protected from the health pandemic.

References
Bisson, D. (2020, June 18). Amazon web services mitigated a 2.3 Tbps DDoS attack. Retrieved from https://www.tripwire.com/state-of-security/security-data-protection/amazon-web-services-mitigated-a-2-3-tbps-ddos-attack/
Boceck, K. (2013). Infographic: How Snowden breached the NSA. Retrieved from https://www.venafi.com/blog/infographic-how-snowden-breached-nsa
Burgess, C. (2014, July 12). Privileged access and how Edward Snowden ‘Snowed’ his coworkers. Retrieved from https://news.clearancejobs.com/2014/02/19/privileged-access-edward-snowden-snowed-coworkers/
Chinnasamy, V. (2021, September 16). Understanding cloud DDoS attacks and cloud-based DDoS protection. Retrieved from https://www.indusface.com/blog/understanding-cloud-ddos-attacks-and-cloud-based-ddos-protection/
Graphus. (2021, February 22). 3 lessons from the Facebook and Google loss of $100M to a spear phishing attack. Retrieved from https://www.graphus.ai/blog/3-lessons-from-the-facebook-and-google-loss-of-100m-to-a-spear-phishing-attack/
Hawkins, R. (2020, May 20). Coronavirus: Serco apologises for sharing contact tracers’ email addresses. Retrieved from https://www.bbc.com/news/uk-52732818
ICaaS. (2020, May 21). Serco apologises for sharing contact tracers’ email addresses. Retrieved from https://myicaas.com/business/serco-apologises-for-sharing-contact-tracers-email-addresses/
NIST CSF. (2020, July 27). Lessons learned from Honda ransomware attack. Retrieved from https://kybersecure.com/honda-ransomware-attack/
Pallivalappil, A. S., & Jagadeesha, S. N. (2021). Social Engineering Attacks on Facebook–A Case Study. International Journal of Case Studies in Business, IT and Education (IJCSBE), 5(2), 299-313.
Proctor, K. (2020, July 1). Serco accidentally shares contact tracers’ email addresses. Retrieved from https://www.theguardian.com/business/2020/may/20/serco-accidentally-shares-contact-tracers-email-addresses-covid-19
Riley, D. (2021, July 8). AWS was hit by the largest reported DDoS attack of 2.3 Tbps. Retrieved from https://www.a10networks.com/blog/aws-hit-by-largest-reported-ddos-attack-of-2-3-tbps/
Vizard, M. (2021, October 21). The Snowden case is an object lesson in managing privileged access. Retrieved from https://blog.barracuda.com/2016/09/02/snowden-case-is-an-object-lesson-in-managing-privileged-access/
Whittaker, Z. (2020, June 9). Honda’s global operations halted by ransomware attack – TechCrunch. Retrieved from https://techcrunch.com/2020/06/09/honda-ransomware-snake/

Order | Check Discount

Tags: Data Breaches Attack Vectors