Complacent or Complicit?
RANSOMWARE, to Pay or Not to Pay, that is the question...

In December 2020 the world witnessed what would become known as the world's single largest cyberattack to date when SolarWinds was breached. It later emerged that the attackers had used Domain Admin access to infiltrate the organisation and some 18,000 of its customers, including US government offices. The perpetrators moved laterally over nine months, gaining more privileges and adding their own malicious code to distributed SolarWinds certificates. Like most major attacks, this one gained a name, and that name was Sunburst.

They say there is nothing like a major catastrophe to heighten the senses and sharpen attitudes to what can often be considered complacency, oversight or even neglect. So exactly what has been learned? Sadly, not much. The screenshot above, of a SolarWinds domain taken today, 5th May 2021, shows the domain is still using an obsolete SSL/TLS certificate.


SolarWinds has continued to maintain an insecure internet-facing and connected position. A rating of F and a score of 0 is the worst possible result and takes many factors into account, including SSL/TLS, Content Security Policy, cookies, HTTP public key pinning, HSTS, redirections, Subresource Integrity, and the X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers, to name a few.
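To make the listed header controls concrete, here is an added example (not code from the article or from any rating vendor) that parses a constructed HTTP response and reports which of the controls named above are present and correctly set; the pass/fail rules are simplified assumptions, not a vendor's scoring formula.

```python
"""Audit an HTTP response for the header controls named above: HSTS, CSP,
X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and cookie flags.
Added example: the header set is constructed, not captured from any site in
the article, and the pass/fail rules are simplified, not a vendor's scoring."""
import re


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lower-cased header names to their values (Set-Cookie can repeat)."""
    hdrs: dict[str, list[str]] = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue  # skip the status line
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), []).append(value.strip())
    return hdrs


def audit(hdrs: dict[str, list[str]]) -> dict[str, bool]:
    """Return control -> passed. Missing headers fail; values are checked loosely."""
    def first(name: str) -> str:
        return (hdrs.get(name) or [""])[0]

    hsts = re.search(r"max-age=(\d+)", first("strict-transport-security"))
    return {
        # HSTS present with a max-age of at least six months (15768000 s)
        "hsts": bool(hsts) and int(hsts.group(1)) >= 15768000,
        # CSP that at least declares default-src (no source-list analysis here)
        "csp": "default-src" in first("content-security-policy").lower(),
        "x-content-type-options": first("x-content-type-options").lower() == "nosniff",
        "x-frame-options": first("x-frame-options").upper() in ("DENY", "SAMEORIGIN"),
        # Legacy filter: "1; mode=block" or "0" (rely on CSP instead) both accepted
        "x-xss-protection": first("x-xss-protection") in ("0", "1; mode=block"),
        # Every cookie must carry both Secure and HttpOnly
        "cookie-flags": all("secure" in c.lower() and "httponly" in c.lower()
                            for c in hdrs.get("set-cookie", [])),
    }


# Constructed sample: some controls present, some missing, one weak cookie.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/
"""

if __name__ == "__main__":
    for control, ok in audit(parse_headers(SAMPLE)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```

Feed it the raw headers of your own site (for instance the output of `curl -sI`) and fix each FAIL line; the TLS certificate itself still needs a separate check against its expiry and chain.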


Brazil was recently the victim of a cyber attack which affected its justice system among many other sectors. Our research confirmed that the government's main website, linked and connected to numerous other domains, was being maintained sub-optimally, with a plethora of issues that left the domains, the government and many others exposed, vulnerable and exploitable.


SonicWall was recently breached and fell victim to ransomware. The reaction was to blame the malicious SQL injection bug in SonicWall's SMA-100 series of remote access products. That may of course be correct; however, hold that thought a moment: remote access, in other words, internet access... So would it be reasonable to expect this major security firm to ensure its internet security was spot on? The screenshot above, however, shows a rating of F and a score of 0. Our email to Bill Conner, SonicWall's CEO, on the 15th February was clearly a waste of our time and effort.


Pulse Secure's breach recently affected at least five federal agencies in yet another assault on the US government. This breach was originally blamed on China taking advantage of Pulse Secure's VPN. This VPN is a widely used remote connectivity tool (there's that word again, remote...). China may well have used the VPN vulnerabilities; however, Pulse Secure was also anything but secure, with an internet-facing and connected rating of F and a score of 0.


CNA Insurance is a top ten global cyber insurance company. In March 2021 CNA declared it had been the victim of a 'sophisticated' attack, had its services adversely affected, and had customers' details compromised. The security rating and score above show that no one had to be sophisticated to target and infiltrate CNA, and what is more, that insecure position is being maintained. CNA's cyber insurance clients, instead of mitigating their risks, have perversely added to them.


Last year UHNJ was hit with a ransomware attack costing several hundred thousand dollars. The local state, the cyber insurers and the board of UHNJ agreed to pay the ransom. UHNJ fell victim to the attack because they, like every other company in this article and thousands of others, had, and still have, poor internet security: they lack control and management of their connected domains. UHNJ was subsequently targeted and attacked because of the plain text data they exposed through their obsolete TLS certificate. Again, what have they, and others, learnt?


Sadly, absolutely nothing. Not only is their homepage still Not Secure due to the aforementioned obsolete TLS certificate, but their overall security rating of F and 0, several months after being breached, is rather telling and all too frequently systemic. Repeat attacks are indeed becoming more frequent. This is because companies do not bother to ascertain the root cause and continue to ignore basic security measures, especially at the all-important and critical point of internet connectivity.


Marriott, one of, if not the, world's largest hotel groups, has been breached on more than one occasion, and it is hardly any wonder. When we swapped emails with their CEO to alert him to their insecure position and ratings, he and his CSO were adamant they had everything covered...

Marriott created one of the world's largest ever breaches when they took over Starwood: for several years, hundreds of millions of people's PII, including that of US military and service personnel, was exfiltrated. The post-mortem showed a plethora of PKI issues that had been overlooked. The US government believes that the PII of every service man and woman has been exfiltrated, including those who have retired.


Experian previously caused massive waves due to the scale of their breach, and that was in the days when breached companies could get away with offering a free year's credit ratings as compensation. It is a shame, then, that Experian does not listen to its own advice or abide by its own Privacy Statement. Their rating and score confirm that they, along with everyone else in this report, DO NOT take the privacy or security of their customers seriously. This is in total contravention of the Privacy Statement that they, and all other companies, have to provide. It also does not comply with any local privacy laws.

Let’s briefly consider the following questions:

1) What types of companies are targeted with ransomware?

2) What data are cyber criminals looking for?

The answer to the first is undoubtedly a company where easy access can be achieved: ideally an exposed, vulnerable and exploitable one, and one that can afford to pay a ransom.

The answer to the second is a company that ideally holds plain text data: the criminals can exfiltrate the data, evidence it, encrypt it and then sell it back. Even better if, like UHNJ above, the victim then doesn't bother encrypting its own data again... Just like a farmer, they can return to harvest the crop again.

There are, of course, myriad ways to infiltrate companies; however, there are few easier than when a company is Not Secure because it uses obsolete TLS certificates, or has limited to no control of its domains and is insecure as a result. Also worth noting: of the 1 billion plus current websites, a very large percentage are exposed, vulnerable and exploitable. It is often the first place a cyber criminal will commence their nefarious reconnaissance, just as our governments perfected over the last two decades...

The companies in this article have all been breached and hit by ransomware, and they represent only a tiny fraction of those that have. All have been guilty of security negligence to one extent or another. That negligence is the main reason they, and thousands of other organisations, have been targeted and breached.

Please do not add your company to the ever-growing list: get Whitethorn Shield or manage your internet-facing and connected domains.

Henk G.

UBO at SanTec System Services BV

3 years

Andy, regulators and gov.... Until people wake up and understand why they can't pay their bills anymore, why they get sacked and unemployment benefits are just enough to keep them alive with no hope for the future, and when they target critical infrastructure and the financial system, then they will take action and burn the place and those responsible to the ground, just wait and see. The Germans have a nice word for such an event: 'Kernschmelze'. Spreading like wildfire, no way to stop it, and those who 'have' will be the first victims. Until then, just be ignorant and pretend cyberwar is for IT nerds only.

Stuart Wood

Financial & IT Business Partner

3 years

Both!!
