The Worst Corporate Hacks

Hack

Access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.

How

A criminal complaint says Paige Thompson tried to share the information with others online. The 33-year-old, who lives in Seattle, had previously worked as a tech company software engineer for Amazon (AMZN) Web Services, the cloud hosting company that Capital One was using, the Justice Department said. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.

Mitigation

Thompson was arrested Monday in connection with the breach, the Justice Department said. Thompson's attorney could not be immediately reached for comment.

Capital One (COF) said the hack occurred March 22 and 23. The company indicated it fixed the vulnerability and said it is "unlikely that the information was used for fraud or disseminated by this individual." However, the company is still investigating.

Hack

The latest hack of facebook was the largest in the company’s 14-year history. The hack exposed personal information of nearly 50 million users, including those of Mark Zuckerberg and Sheryl Sandberg.

How

Hackers exploited a feature in facebook code to gain access to user accounts and potential take control of them. Attackers took advantage of two bugs in the site’s “View As” feature, which was originally intended to give users more control over their privacy. These flaws were compounded by another bug in the video-uploading program that allowed attackers to steal access tokens that allow access to an account.

Mitigation

This hack reinforces the importance of strong password controls, particularly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometric, and text-based two-factor auth. The presence of technologies for monitoring authentications would have helped detect the unusual activity, such as ATA and OMS. 
 

Hack
Malicious actors stole personal data on hundreds of thousands of Uber drivers and 57 million Uber users. The company allegedly covered up the breach for one year and reportedly paid the attackers $100,000 to keep quiet.

How
According to new CEO Dara Khosrowshahi, the Uber breach was due to two malicious actors accessing "a third-party cloud-based service" -- reportedly GitHub and Amazon Web Services (AWS) -- in late 2016 and downloading files containing names and driver's license information on 600,000 U.S. Uber drivers and other personal information addresses and phone numbers for 57 million Uber customers from around the world.

Mitigation
This is an example of the necessity of using modern development practices, with automated testing (especially automated security testing), using Visual Studio Team Services in conjunction with external tests with Application Insights and other external testing tools. If the additional development work was built into the system to include automated testing and release, the attack could have been prevented. This is also an example of where an organization chose to build their own user identity solution vs. leverage something like Azure AD B2C, which would mitigate issues like this.
 

 

Hack
Besides amassing data on nearly every American adult from Equifax, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value. Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered. 

How
Equifax was exposed due to a lone employee error, says Former CEO, Richard Smith. CERTS notifications on Apache Struts flaws went unheeded. The IT team failed to deploy patches and scans for lingering vulnerabilities and compromised data was not encrypted. It is also believed that hackers may have had help from an Equifax insider.

Mitigation
The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform. Equifax confirmed that attackers entered its system through a web-application vulnerability in May of 2017 that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.
 
Experts point to an Equifax web portal for handling credit-report disputes from customers in Argentina used the embarrassingly inadequate credentials of "admin/admin." Ongoing discoveries such as these increasingly paint a picture of negligence—especially in Equifax's failure to protect itself against a known flaw with a ready fix.

Hack

In early April, 2016, the International Consortium of Journalists leaked a wealth of sensitive documents known as the Panama Papers. The leak consisted of 2.6 terabytes of data from the Panamanian law firm Mossack Fonseca, and linked 140 world leaders from more than 50 companies to secret offshore accounts in 21 different tax havens. Hackers broke into Mossack Fonseca's sytems through their website which was using an outdated and vulnerable version of WordPress 4.1.

How

There is limited information on "how" the Panama Papers were hacked, with exception that an "email server" was compromised. Some researchers have also suggested that older versions of Wordpress / Drupal were to blame for the initial access.

Mitigation

The mitgating factors for this are very similar to other scenarios, especially the ability to spot lateral movement within the network and security around endpoints.

Hack

In February 2016, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists’ and paid the equivalent of $17,000 in Bitcoin.

How

The hackers used a type of malware to capture access to critical information in the application infrastructure. This ultimately prevented access to critical systems from the IT administration and end users until the incident was resolved. The lack of ability to recover quickly was unavailable as a mitigating factor, then causing the hospital to give in to some of the demands.

Mitigation

In addition to client-side protections (such as Defender ATP) to mitigate the risk and server-side mitigations (such as OMS) the organization's gap was an inability to recover the critical systems and data without giving in to the hackers. This is very common, as recovery is expensive. Newer recovery systems such as Azure Site Recovery, or more real-time backup solutions built into SQL, etc. could have enabled recovery with little downtime and without the need to risk paying the hackers.

How

Relied on Crowd Strike which was executed through the back door using PowerShell. This allowed the hackers to launch malicious code after a certain period of time so they could connect to the system and transfer out information without detertion. At campaign rallies, hackers used a "pineapple" to hack cell phones and other devices to get access to authentication and passwords. 

Mitigation

For the Data Center hack, if they were leveraging OMS, there would have been a feature to detect malicious activity on their servers. This activity would have been detected due the payload they were using on the server. For the WiFi hack- they should have moved away from pre-shared keys and use of certificate based WiFi. The pineapple allowed them to set up a fake network to which people connected unknowingly and surrendered all of the information flowing through that network.

Hack

In January 2015, hackers broke into the health insurance giant’s records and pillaged names, Social Security numbers and other sensitive information for up to 80 million customers.

How

In this case, the information was retrieved from unencrypted fields in a database leveraging an existing administrator's credentials. The adminstrator credentials were used to bypass security protocols. The intruder was present for an extended period before the IT organization noticed the database had been compromised. Assuming additional controls were placed around the users, database encyryption could be used to limit access to sensitive information.

Mitigation

This hack reinforces the importance of seperation of administrative access from normal user access, increased scrutiny around administrator accounts, and JEA (Just Enough Administration) techniques to limit access. Monitoring servers through tools like OMS, and authentication with ATA would help identify the lateral movement and look for "non-typical" authentications which could also be used to detect these scenarios.

Hack

The largest bank in the nation was the victim of a high-profile cyberattack during the summer of 2014. The breach compromised the data of 76 million households—more than half of all U.S. households—and 7 million small businesses. 

How

Hackers stole the login credentials of an employee, allowing access to the internal network. The bank did not use two factor authentication through the channel used by the attackers. After gaining access, the attackers were able to access over 90 servers over an extended period of time.

Mitigation

This hack reinforces the importance of strong password controls, paticularlly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometric, and text-based two-factor auth. The presence of technologies for monitoring authentications would have helped detect the unusual activity, such as ATA and OMS.  

Hack

In September 2016, YAHOO disclosed an enormous 500 million-account breach. Hackers used forged cookies to bypass security protections and access users’ accounts without a password. Yahoo says that it believes this situation is connected at least in part to the allegedly state-sponsored hackers. 

How

Hackers were able to access a critical system within Yahoo's network responsible for account management. This access allowed the hacker to perform a "cookie minting" measure to facilitate access to accounts within the Yahoo offerings and persist for over a year inside the network, until discovered in 2016.

Mitigation

This could have been mitigated through technologies like OMS (detecting malicious activity on servers and communication between servers that is abnormal), ATA (authentication that is abnormal), and network segmentation (preventing lateral movement). The presence of a more sophisicated incident response process might have also allowed better detection over time. Finally JEA (Just Enough Administration), multi-factor authentication to critical systems, and jump-servers to administration networks would have provided a substantial difference. The idea of "redeployability" to regularly bring systems back into the correct state using declarative infrastructure also would have made a difference, especially if it put in place additional security controls.

Source

https://www.bloomberg.com/news/articles/2017-03-16/here-s-how-russian-agents-hacked-500-million-yahoo-users