Virtual Armour
5 Major Companies Were Recently Breached: Where Are They Now?

2020 was a record-breaking year in the cybersecurity world, both when it comes to the amount of data lost in breaches as well as the eye-watering number of cyber attacks on companies, governments, and individuals. Ransomware attacks alone have risen 62% since 2019, and this trend doesn’t appear to be waning.

In this article, we will discuss five major companies that were attacked between 2019 and 2021, including the impact of those breaches and how these organizations responded.

If you have experienced, or are currently experiencing, a cybersecurity attack please contact our team immediately for assistance by calling (855) 422-8283 anytime 24/7/365 and consider reading our educational article Hacked? Here’s What to Know (and What to Do Next).

Capital One (2019) 

The Attack

The Capital One hack was first discovered on July 19th, 2019, but likely occurred at the end of March that same year and impacted credit card applications as far back as 2005. The attacker, Paige Thompson, was able to break into the Capital One server and access:

  • 140,000 social security numbers
  • 1 million Canadian social insurance numbers
  • 80,000 bank accounts
  • An undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information

This devastating attack impacted nearly 100 million Americans and an additional 6 million Canadians. In June of this year, the US Department of Justice announced that they were adding to the charges. Originally charged with one count each of wire fraud and computer crime and abuse, Ms. Thompson now faces six additional counts of computer fraud and abuse and one count of access device fraud.

Capital One’s Response

In an official statement to impacted customers on their website (last updated April 16, 2021, as of the writing of this article), Capital One lays out the damage done and the number of individuals impacted. They go on to stress that no login credentials were compromised.

The statement goes on to provide answers to some pressing questions in the Q&A section and offers practical advice about what Capital One cardholders can do to protect their accounts, including additional steps that individuals can take to protect themselves against fraud and identity theft. American cardholders can find additional information on this FAQ page.

The official FAQ page linked above goes on to mention that all affected Capital One customers will be provided with two years of free credit monitoring and credit protection. The FAQ states that impacted individuals should have received either an email or a letter outlining the enrollment process for this service, including an activation code.

The FAQ goes on to discuss what individuals should do if they received a possible scam email, call, or text related to the incident, which indicates scammers are piggybacking on this breach in an attempt to further victimize impacted individuals.

Capital One also agreed to pay an $80 million fine to US regulators over the incident.

Capital One did have a plan in place to recognize and respond to the breach (highlighting the importance of having an incident response plan). The incident was discovered via a vulnerability report, and once it was discovered, Capital One responded swiftly and worked hard to ensure impacted individuals were kept in the loop. Ms. Thompson was arrested a mere 12 days after the initial vulnerability report was released.

Facebook (2019) 

The Attack

The Facebook data breach was discovered in April 2019 when it came to light that two third-party Facebook app datasets had been exposed to the wider internet. This database (containing private information on 533 million accounts) was then leaked on the dark web for free in April of 2021, widening the pool of criminals with access to it.

The data exposed included phone numbers, dates of birth, locations, past locations, full names, and some email addresses tied to compromised accounts. In an official blog post, the company stated that “malicious actors” had scraped the data by exploiting a vulnerability in a now-retired feature that allowed users to find each other via phone number.

Facebook’s Response

Facebook chose not to notify impacted individuals in 2019, and according to this NPR article published in April 2021, they still have no plans to do so. According to a company spokesperson, the company isn’t entirely sure which users would need to be notified and that the decision not to contact users stemmed at least in part from the fact that “the information that was leaked was publicly available and that it was not an issue that users could fix themselves.”

Though Facebook claims to have addressed the vulnerability that allowed attackers to access this data, that is cold comfort for Facebook users. “Scammers can do an enormous amount with a little information from us,” said CyberScout founder Adam Levin when interviewed by NPR. “It’s serious when phone numbers are out there. The danger when you have phone numbers, in particular, is a universal identifier.” Phone numbers are frequently used to connect users to their digital presence, including using them as additional identifiers via two-factor authentication text messages and phone calls. 

As a response to the incident, the US Federal Trade Commission fined Facebook $5 billion for violating an agreement the company had with the agency to protect user privacy. Facebook CEO Mark Zuckerberg will also be held personally liable by the FTC for any future privacy violations.

If you are concerned that your personal information may have been leaked during the breach, you can use the data tracking tool HaveIBeenPwned to learn whether your Facebook account or other digital accounts, including email, have been compromised.

SolarWinds (2020)

The Attack

Cybersecurity company FireEye first discovered the attack in December 2020. The attackers, who are believed to be affiliated with the Russian government, used a supply chain attack to push malicious updates to FireEye’s popular network monitoring product.

Impacted FireEye customers include:

  • Multiple US government departments
  • 425 of the US Fortune 500 companies
  • The top ten US telecommunications companies
  • The top five US accounting firms
  • All branches of the US military
  • The Pentagon
  • The State Department
  • Hundreds of universities and colleges worldwide 

The total extent of the damage may never be known, but this attack continues to impact affected organizations. For example, in July 2021, attackers were able to gain access to the Microsoft Office 365 email accounts of 27 US Attorneys’ offices. The accounts were originally compromised during the SolarWinds attack.

FireEye’s Response

The larger attack was discovered when FireEye’s internal team of investigators was investigating the original, smaller, FireEye attack. During this investigation, the backdoor within the SolarWinds code was discovered, prompting the FireEye team to contact law enforcement. Though the SolarWinds attack was devastating, the fact that the attackers decided to use FireEye as a vector might have actually lessened the damage. According to Charles Carmakal, senior vice president and CTO of Mandiant, FireEye’s incident response arm, “one silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community, and security partners.”

FireEye took the crucial step of publicly reporting the attack (instead of waiting for impacted customers to discover the issue), conducted a thorough review of the incident, and made sure to share all their information with law enforcement and the US government. As such, the extent of the attack was learned quickly, so impacted companies and government bodies could take appropriate steps. If FireEye had tried to hide the attack from their customers, the damage could have been even worse.

Keepnet Labs (2020)

The Attack

Keepnet Labs is a threat intelligence company that collects and organizes login credentials exposed during other data breaches. If a customer’s details are discovered, Keepnet Labs notifies impacted individuals and offers advice on steps they should take to best safeguard their data and minimize damage.

The Keepnet Labs incident is a little unusual in that it wasn’t actually Keepnet Labs user data that was exposed. Instead, Keepnet Labs had compiled a database of usernames and passwords that had been leaked during a variety of cybersecurity incidents between 2012 and 2019. Attackers were able to exploit a vulnerability in this Elasticsearch database, which was (according to Keepnet) actually maintained by a contractor, not Keepnet Labs themselves.

While performing scheduled maintenance, an employee of the contracted company briefly turned off a firewall to speed up the process, inadvertently exposing the sensitive data for about ten minutes. However, in that short window of time, the database had already been indexed by BinaryEdge, a security-focused company that acquires, analyzes, and classifies internet-wide data. The vulnerability itself was discovered by Bob Diachenko, who accessed the data via BinaryEdge.

As such, the leak wasn’t technically as bad as others mentioned on this list since all the data exposed had already been exposed in previous incidents. However, Keepnet Labs’ handling of the incident was far from ideal.

Keepnet Labs’ Response

After discovering the vulnerability, Diachenko published a security report, which was picked up by a variety of cybersecurity news outlets and blogs covering the leak. However, Keepnet Labs felt that a number of these publications had made misleading statements and contacted several reporters to ask them to edit their articles.

Graham Cluley, a popular security blogger, received one such email from Keepnet. Though he felt his representation of the facts was fair, he was willing to give Keepnet the chance to tell their side of the story. However, instead of an official statement or a chance to speak to a company spokesperson, he instead was contacted by Keepnet’s lawyers, who threatened him with legal action if he didn’t edit his article and remove the company’s name. 

This heavy-handed reaction was only one of several failings on the part of Keepnet to manage the fallout of the attack. It took almost three months for the company to release an official statement to set the record straight, and they refused to work with reporters and bloggers like Cluley to provide accurate facts. Though the security incident itself may tarnish Keepnet’s reputation, their poor handling of the aftermath is likely to cause far more damage.

Microsoft Exchange (2021)

The Attack

The attack was first discovered on March 2, 2021, when Microsoft detected multiple zero-day exploits in their on-premises versions of Microsoft Exchange Server, which were being actively exploited by attackers. Over the following days, nearly 30,000 American organizations were attacked using these vulnerabilities, which allowed attackers to gain access to email accounts and install web shell malware to provide attackers with ongoing administrative access to the victim’s servers.

On the day the attack was first discovered, Microsoft announced that they suspected the culprit was a previously unidentified Chinese hacking group dubbed Hafnium. According to the Microsoft Threat Intelligence Center (MSTIC), this group is suspected to be based in China, state-sponsored, and focused on primarily targeting organizations based in the United States that depend on leased virtual private servers (VPSs).

The actual purpose of the attack is more nuanced. According to Gartner analyst Peter Firstbrook, the attackers are really looking to test the defences of organizations and discover which organizations are lagging behind security-wise. Most organizations that use Microsoft Exchange Servers have moved away from on-premises models to the online Exchange, which means organizations still using on-premises solutions are likely to be late adopters or less security conscious, making them excellent targets.

It has also been speculated that the attacker’s real endgame is not the on-premises servers they are currently targeting but more of a fact-finding mission to help them set up future attacks on high-value targets with connections to those servers. This may include using these email servers to impersonate trusted individuals and use those email accounts to send phishing emails to sensitive targets such as the Defense Department. Much like the SolarWinds attack, the companies currently being attacked may not be the actual target.

Microsoft’s Response

Microsoft has released security updates for Exchange Server 2010, 2013, 2016, and 2019 that address the software vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

Microsoft has also gone out of their way to try and get everyone to pay attention to this attack, particularly since impacted individuals and organizations may be relying on IT generalists (instead of specialized admins) and may not understand what this attack could really mean. If impacted organizations don’t take action, it could have widespread and devastating consequences for the sensitive companies and organizations (such as the Defense Department) that they do business with. Should someone at the Defense Department or another government body fall for a phishing scam perpetrated using these compromised servers, it could compromise US national security. 

An unfortunate truth about the modern security landscape is that it is no longer a question of if your organization will be targeted but when. Security incidents such as the ones listed above can have widespread consequences for the organizations that have been targeted, as well as the organizations and individuals that do business with them. 

The best thing you can do to safeguard your organization and its digital assets is cultivate a robust yet flexible cybersecurity posture, which starts with an incident response plan.

For more information about cybersecurity, or to get started shoring up your defences, please contact our team today.

How Apple’s Stance on Privacy May Impact Device Security in the Near Future

In recent months, Apple has taken steps to improve user security and privacy. In February 2020, Apple announced that they had joined the FIDO (Fast Identity Online) Alliance. The Alliance’s goal is to help augment less secure forms of identity verification (such as passwords) by pairing them with more secure forms of authentication such as security keys and biometrics. Though this is noteworthy, Apple is also one of the last large tech companies to join the Alliance, whose ranks already included Amazon, Google, Facebook, and Microsoft.

The release of iOS 14 last September brought with it improved security features, and though users have been overwhelmingly supportive of these changes, advertisers such as Google and Facebook are much less enthusiastic.

What is the FIDO Alliance?

FIDO Alliance was founded in 2012 by a group of tech companies, including PayPal and Lenovo, with a mission to create authentication standards that reduce society’s reliance on passwords by promoting the widespread adoption of multi-factor authentication, U2F tokens, and biometrics.

The Alliance aims to replace password-only logins with more secure login experiences for both websites and apps by promoting other forms of authentication, including security keys and biometrics (such as voice authentication, fingerprint scanners, and facial recognition). 

Apple added the ability to use FIDO-compliant security keys in its iOS 13.3 update.

What New Features Does iOS 14 Bring With It & How Do They Aim to Improve Security?

iOS 14’s new security features include:

Camera & Microphone Use Alerts

Though all apps on iOS already had to explicitly ask for permission to use the camera and microphone, starting with iOS 14, you will now be alerted whenever an app is accessing your camera or microphone. This is done using a dot in the upper right-hand corner: A green dot means your camera is currently in use, and an orange dot means the app is using your microphone.

The goal of this feature is to ensure you are never recorded without your knowledge.

Limit Photo & Location Access

This update offers a more granular configuration for your photo and location settings. This allows you to specify whether an app can never access location data, always access location data, or only access this data when the app is open or when you have granted explicit permission.

The new Precise Location toggle switch also allows you to grant an app permission to know your general location while keeping your exact GPS coordinates private.

This update also allows users to specify whether apps can access all, none, or a few select photos.

Flagging Bad Passwords

Though Apple has had the ability to sync your login credentials across various accounts on your Apple hardware via iCloud for a while now, they have now implemented a password monitoring system that will alert you if your credentials are spotted during a data breach. This helps ensure potentially compromised credentials can be changed as soon as possible.

Discouraging Wi-Fi Tracking

Whenever a device connects to the internet, it is assigned a MAC (media access control) address, which allows your local network to keep track of the device. In recent years, internet service providers and, by extension, advertisers have been using this data to determine the time and place of your device when you log in. 

To discourage this form of tracking, iPhones are now granted a new MAC address for each unique wireless network they connect to. This means your iPhone or other Apple device will have one MAC address for your home network, one for your work network, etc. 

This feature is enabled by default on every new network you connect to.

Keeping an Eye on Your Clipboard

Data-grabbing apps have proliferated in recent years, snooping on your clipboard even if you haven’t given them permission to do so. With iOS 14, you are alerted when an app accesses your clipboard: if you just copied or pasted something, that is fine, but if you haven’t, you now know the app you are using is likely gathering data without your permission for its own purposes.

Most app companies quickly re-configured their products to eliminate this form of unauthorized data collection once Apple implemented this feature during beta testing and made this behavior public, but this feature helps ensure that underhanded app companies are no longer tempted to snoop where they aren’t explicitly welcome. 

Privacy Reports from Safari

Though Apple has blocked cross-site tracking cookies in Safari for quite some time (a feature that makes it more difficult for advertisers to string together your browsing history across various websites), this feature has been improved in iOS 14 by adding the privacy report feature.

This feature gives you more details regarding what effect this blocking has on your browsing by showing you how many individual trackers on each page have been blocked over the past month. The reports don’t have an interactive component but do provide helpful information.

Coming Soon – Limiting App Tracking 

Though pushback from advertisers means this feature won’t be fully implemented until sometime in 2022, there are still steps users can take now to curtail apps’ ability to track you outside of the actual app itself.

However, even if you don’t explicitly give an app permission to track you, they may still try to do so per their individual privacy policies, curtailing users’ ability to opt-out of advertising tracking until this new feature is fully implemented. 

Coming Soon – Improved Access to App Privacy Information 

Though this feature is also not yet live, Apple did announce that one iOS 14 feature that is also coming soon is app privacy cards. These cards are designed to give users a clear picture of the types of data each app collects and how that data is used.

What Does This Mean For Advertisers?

It’s become common wisdom that if a product or service is “free,” then the users (or, more specifically, the data they generate) are the real product. Apple’s approach to improved privacy and security, even with significant compromises on limiting app tracking, has the potential to severely impact the ad targeting business. While this is good news for users, advertisers are not as excited.

Facebook, in particular, has already pushed back hard, announcing that its Audience Network will no longer use IDFA (identifier for advertisers) gathered from iOS devices because they can no longer guarantee the quality of that data collected. Google has also announced that they will remove select forms of advertiser tracking technology from popular apps (including Maps and YouTube) in response to Apple’s decision. 

“When Apple’s policy goes into effect, we will no longer use information (such as IDFA) that falls under ATT [the App Tracking Transparency feature] for the handful of our iOS apps that currently use it for advertising purposes. As such, we will not show the ATT prompt on those apps, in line with Apple’s guidance,” Google Ads’ group project manager Christophe Combette stated in the blog post responding to Apple’s changes.

Though GDPR and CCPA opened the door for more transparency into what information is gathered and used to track users, this change from Apple could represent a turning point when it comes to data security and privacy. Having agency over what data is collected (and how) is critical for any good cybersecurity posture, because it helps you maintain full visibility into your infrastructure through better monitoring of endpoint activity. For more information about cybersecurity, or to find out how your team can better safeguard your digital assets, please contact our team today.

The Ugly Reality of Ransomware

This malicious software will kidnap your data, hold a gun to its head and say: your move. Some attacks go even further and plant incriminating evidence on your computer to prevent the authorities from getting involved.
Ransomware exists in numerous forms and its methods are constantly evolving. Attackers employ this software to obtain leverage over you in the hope that you will pay to avoid the consequences. The new generation of cryptocurrencies, like Bitcoin, have enabled attackers to receive payments anonymously to continue wreaking havoc on personal and business computers across the world.
Untraceable Cryptoviruses
The FBI estimates that $21 million worth of revenue has been generated by the two leading Trojan viruses, CryptoLocker and CryptoWall. Many cyberattacks claim that your data will be lost unless you pay a ransom but this software actually follows through. These cryptoviruses encrypt multiple files on your computer – including videos, photos, and documents – and generate a strong encryption key that locks your data away.
The majority of these keys cannot be cracked, not even by the fastest supercomputers in the world – so your data is truly lost. Text files on the infected computer inform the user that their key will be destroyed after a short period of time. That is, unless you pay the ransom to retrieve the encryption key from the attacker’s server. The ransom is typically $400 and is paid via untraceable Bitcoin. Sometimes the data is returned after payment but the attackers are obviously under no obligation to return anything.
Leakware Threatens Company Reputations
An offshoot of ransomware, dubbed “leakware,” has been targeting large businesses to obtain protected data. Leakware threatens to leak everything unless a ransom is paid. The healthcare and finance industries have been particularly targeted by these sorts of attacks, since patient health records (which contain information like social security numbers, addresses, and medical records) are very high value and easily exploitable. A company’s financial records, along with all the employee information stored in the HR database, are another common target.
It gets worse. To further coerce the organization or individual to pay the ransom, illegal material, such as banned pornography or pirated content, is often planted on the computer. This deters users and businesses from reporting the incident to the police for fear of additional legal consequences or tarnishing their reputation.
Ransom Denial of Service Attacks
This last branch of ransomware will take down your websites instead of going after your data. For unprepared businesses, DDoS (Distributed Denial of Service) attacks can be even harder to protect against. DDoS attacks target your servers by overloading them with traffic. This traffic comes from botnets, which are large groups of infected computers across the globe. On such a large scale, it’s hard to distinguish which traffic is legitimate and which is not. This means traditional techniques like blocking single IP addresses don’t work.
While your websites are down and you’re scrambling to get them back up, the attackers will demand a ransom to stop. Businesses which rely on selling products or services through their website could potentially lose multiple days’ worth of revenue. Customer trust is also degraded when the uptime of your resources is affected.
Protecting Your Business From Ransomware Attacks
So what can you do to mitigate and prevent ransomware from affecting you? It all starts with your employees. Ransomware combines social engineering with malicious technology. The first step you can take is to educate your users to not open unknown files or attachments. In addition to this, they should not pay the ransom. It’s been reported that around half of the time, even after the victim pays the ransom, they don’t get the key to unlock their data. Bitcoin transfers are irreversible and attackers have no motivation to keep good faith.
It’s also critical that every business has daily backups and a disaster recovery plan so that in the wake of an attack, they are able to restore their mission-critical files. There are also NGES (next-gen endpoint security) tools available to prevent the execution of ransomware in the first place. NGES solutions work by only allowing known good files and applications to run.
Furthermore, there are attacker deception technologies where traps or lures can be set up throughout your IT environment. These traps act as tripwires for the bad guys. Ideally, you insert so many traps that they outnumber your real assets, thereby making it more likely that ransomware will attempt to run on a fake/lure machine, which will alert your information security group to an attack.
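The tripwire idea above, combined with the file-encryption behaviour described under Untraceable Cryptoviruses, as an added Python example that is not part of the original article: decoy files are planted with a known baseline, and a missing decoy (ransomware commonly renames what it encrypts), a changed hash, or a jump in byte entropy (ciphertext sits near 8 bits per byte, office text near 4 to 5) raises an alert. The decoy names and contents, the `.locked` extension and the `simulate_ransomware` stand-in are constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Decoy content: low-entropy, plausible-looking office text (constructed sample).
CANARY_TEXT = b"Q3 budget draft - do not distribute\n" * 64


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. English text sits around 4-5; ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def seed_canaries(root: Path, names) -> dict:
    """Plant decoy files and record a baseline of their SHA-256 hashes."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in names:
        path = root / name
        path.write_bytes(CANARY_TEXT)
        baseline[str(path)] = hashlib.sha256(CANARY_TEXT).hexdigest()
    return baseline


def check_canaries(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Compare decoys against the baseline and return (path, reason) alerts.

    A missing decoy usually means it was renamed (ransomware appends its own
    extension) or deleted; a changed hash with near-8-bit entropy means the
    bytes were overwritten with ciphertext. An empty list means all quiet.
    """
    alerts = []
    for path_str, expected in baseline.items():
        path = Path(path_str)
        if not path.exists():
            alerts.append((path_str, "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == expected:
            continue
        if shannon_entropy(data) >= entropy_threshold:
            alerts.append((path_str, "modified, high entropy (likely encrypted)"))
        else:
            alerts.append((path_str, "modified"))
    return alerts


def simulate_ransomware(path: Path, rename: bool) -> None:
    """Stand-in for a cryptovirus: overwrite with random bytes and, optionally,
    tack on a ransom extension. Constructed for this demo only."""
    path.write_bytes(os.urandom(len(CANARY_TEXT)))
    if rename:
        path.rename(path.with_name(path.name + ".locked"))


def demo() -> dict:
    """Seed three decoys, 'encrypt' two of them, and return alerts before/after."""
    root = Path(tempfile.mkdtemp()) / "canaries"
    baseline = seed_canaries(root, ["budget.xlsx", "family.jpg", "contract.docx"])
    before = check_canaries(baseline)  # untouched decoys -> no alerts
    simulate_ransomware(root / "family.jpg", rename=True)
    simulate_ransomware(root / "contract.docx", rename=False)
    after = check_canaries(baseline)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for path, reason in demo()["after"]:
        print(f"ALERT {reason}: {path}")
```

In a deployment the check would run on a schedule or from a file-system watcher against decoys scattered among real shares, so that a lure is hit before much real data is touched.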
Lastly, to mitigate against RDoS attacks, an organization would ideally have a two-pronged strategy to deal with DDoS: a combination of an on-premises and a hosted data scrubbing solution. When an attacker realizes that an enterprise has DDoS mitigation in place, they will usually try their hand elsewhere.
It is important to realize that there is no magic bullet when it comes to information security – the best defense is the security-in-layers approach. To achieve a great security posture, an organization must take a security-focused mindset from the get-go and place as many deterrents as possible in all areas of their infrastructure.