Cyber Incident Weekly Report - Week of October 7, 2024

ADT Confirms Encrypted Data was Stolen Following Third-Party Compromise

WHAT HAPPENED: The home security company ADT confirmed in a filing that the threat actors responsible for the breach used compromised credentials from a third party to “exfiltrate certain encrypted internal ADT data associated with employee user accounts.” ADT does not believe that customers’ data has been exfiltrated. At the time of writing, there is no indicator that this incident is related to the incident previously reported in August.


CONCERNING: ADT, Data Breach, Third-Party Risk, Compromised Credentials.

SENSCY'S ANALYSIS: This new ADT incident highlights the persistent risks related to third-party risk management and compromised credentials. An IBM X-Force intelligence report observed a 71% increase in valid account credential attacks in 2023, making it the most common entry point. Protecting against attacks that use valid account credentials (also known as credential stuffing, account takeover, or brute force attacks) is critical. To defend against these types of attacks, SensCy recommends that organizations implement a range of measures: Multi-Factor Authentication (MFA) to add verification steps beyond passwords; enforcement of strong passwords, with reused or weak passwords rejected; a password manager provided to employees to help them create and store strong, unique passwords; and regular credential rotation, which limits the window in which stolen credentials remain usable. SensCy also recommends monitoring the dark web to alert users when their credentials are compromised. In the case of ADT, the credentials were stolen from a third party, and ADT failed to recognize the risk that a third-party breach posed to its own environment. Here are a couple of proactive steps ADT could have taken to reduce the impact of the third-party breach: creating a predefined incident response plan that includes steps to be taken in the event of a third-party data breach, and working with the third party to ensure it has robust breach response capabilities, including notification protocols and recovery processes. By applying these proactive strategies, ADT can significantly reduce the risk of third-party data breaches and protect its own and its customers’ sensitive information.
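The credential controls recommended above (strong passwords, no reuse, rotation, and checking against breach data) can be enforced at the point where a user sets a password. The example below is added here to illustrate that and is not code from SensCy, ADT, or any vendor named in this report. It assumes a per-user history of salted hashes and a small constructed breached-password set standing in for a dark web monitoring feed; it uses PBKDF2 from the Python standard library rather than bcrypt purely so it runs without third-party packages.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed breached-password set (hypothetical); in production this would be
# fed by a breach / dark web monitoring service.
BREACHED_PASSWORDS = {"Password123!", "Welcome2024!", "Summer2024!"}

MIN_LENGTH = 14                        # policy minimum length
HISTORY_DEPTH = 5                      # how many previous hashes a new password is checked against
MAX_CREDENTIAL_AGE = timedelta(days=90)  # rotation interval
PBKDF2_ROUNDS = 100_000                # kept modest so the example runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.
    The report's incident involved bcrypt hashes; PBKDF2 is used here only
    because it ships with Python."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in BREACHED_PASSWORDS:
        problems.append("appears in breach data")
    # Reuse check: compare against the most recent HISTORY_DEPTH stored hashes.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if verify_password(password, salt, digest):
            problems.append("reused from password history")
            break
    return problems


def credential_is_stale(last_rotated: datetime, now: Optional[datetime] = None) -> bool:
    """True when a credential is older than the rotation interval."""
    now = now or datetime.now(timezone.utc)
    return now - last_rotated > MAX_CREDENTIAL_AGE


if __name__ == "__main__":
    history = [hash_password("OldSecretPhrase-2023!")]
    for candidate in ["OldSecretPhrase-2023!", "Password123!", "short", "correct-horse-battery-staple-42"]:
        print(candidate, "->", check_new_password(candidate, history) or "accepted")
    rotated = datetime(2024, 7, 1, tzinfo=timezone.utc)
    print("stale on 2024-10-07:", credential_is_stale(rotated, datetime(2024, 10, 7, tzinfo=timezone.utc)))
```

The reuse check deliberately re-hashes the candidate with each historical salt rather than comparing plaintexts, so the history can be stored as hashes only; the same pattern applies if bcrypt is used in place of PBKDF2.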

Internet Archive's "The Wayback Machine" Confirms Data Breach and DDoS Attack

WHAT HAPPENED: The Wayback Machine suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records. Users began seeing JavaScript alert messages created by the hacker: "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!" (HIBP refers to Have I Been Pwned.) Troy Hunt, the creator of HIBP, confirmed that the stolen data was a 6.4 GB SQL file named "ia_users.sql." The stolen data contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data. On Wednesday, the Internet Archive suffered a DDoS attack claimed by the BlackMeta hacktivist group.


CONCERNING: Wayback Machine, Data Breach, Distributed Denial of Service.

SENSCY'S ANALYSIS: While at the time of writing it is still unclear who stole the database and why, it is highly likely that the threat actor responsible used stolen information available on the dark web to access the data, making this a minimum-effort attack. On the other hand, the hacktivist group responsible for the DDoS attack justified its attack on X: “They are under attack because the archives belong to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of ‘Israel’.” The Internet Archive is NOT connected to the US Government. SensCy believes it is highly unlikely that the same group responsible for the DDoS is behind the breach. In the meantime, here are SensCy’s recommended actions you can take if you are, or suspect you may be, impacted by this breach: change your password to a strong, unique password; enable MFA; check for additional information related to the breach, as vendors will find out what happened and provide specific advice; watch for phishing and scam attempts; and finally, set up an identity monitoring alert system to notify you if your data is found in a breach.

Cyber Attack at MoneyGram Leads to Stolen Personal Information

WHAT HAPPENED: The money transfer company MoneyGram began notifying customers of a data breach on October 7. MoneyGram discovered on September 27 that a threat actor had accessed and obtained the personal information of certain customers. The threat actors gained access to the systems between September 20 and 22. The stolen data includes transaction information, email addresses, postal addresses, names, phone numbers, utility bills, government IDs, and social security numbers. CrowdStrike is assisting MoneyGram with the investigation. The first indicators of the breach revealed that MoneyGram was breached through a social engineering attack targeted at the IT help desk. MoneyGram confirmed it was not a ransomware attack.


CONCERNING: Money Transfer, MoneyGram, Data Breach, Personally Identifiable Information (PII), Financial Information, Social Engineering.

SENSCY'S ANALYSIS: Since the beginning of 2024, SensCy has continued to observe multiple social engineering attacks targeting IT help desks. While there is no evidence connecting the MoneyGram incident to other similar attacks, such as the Scattered Spider breaches in late 2023 that targeted multiple organizations by compromising help desk environments using Okta credentials, this incident demonstrates the devastating effectiveness of even a basic social engineering attack. SensCy strongly believes that social engineering attacks will become more difficult to stop as threat actors adopt new Artificial Intelligence (AI) technologies. AI plays a significant role in social engineering attacks by automating and enhancing techniques that manipulate human behavior. In attacks targeting IT help desks, AI can generate highly convincing phishing emails, synthesize voices to impersonate legitimate employees, or even run chatbots designed to mimic real-time communication. These AI tools can gather personal information from social media and company databases, tailoring attacks to increase their success rate. For instance, an AI-driven system could simulate a legitimate request for a password reset or privileged access by exploiting the trust help desk employees place in seemingly authentic inquiries. To protect against these threats, SensCy recommends that companies implement stricter identity verification processes, such as multi-factor authentication (MFA) for every request related to sensitive accounts or data. Regular training for employees, focusing on recognizing AI-based social engineering techniques, can also strengthen defenses. AI-powered cybersecurity tools that detect unusual behavior or suspicious communication patterns can further mitigate risks. Additionally, limiting the amount of personal data accessible to IT help desk staff can reduce the potential damage from a successful attack.
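The stricter verification and anomaly detection recommended above can be applied to the help desk's own ticket stream. The example below is an added illustration, not SensCy's, MoneyGram's, or CrowdStrike's code, and uses a constructed ticket log (hypothetical callers and accounts). It assumes each ticket records the request type, the verification method the agent used, and whether the account is privileged, and flags for escalation any sensitive request that was verified weakly, any MFA reset on a privileged account, and any single caller requesting changes to several accounts within a day.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed help desk ticket log (hypothetical; not data from any real incident).
TICKETS = [
    {"id": 1, "time": "2024-10-07T09:02:00", "caller": "+1-555-0100", "account": "jdoe",
     "request": "password_reset", "verification": "callback_directory_number", "privileged": False},
    {"id": 2, "time": "2024-10-07T09:15:00", "caller": "+1-555-0142", "account": "asmith",
     "request": "mfa_reset", "verification": "knowledge_questions", "privileged": False},
    {"id": 3, "time": "2024-10-07T09:40:00", "caller": "+1-555-0177", "account": "admin-bjones",
     "request": "mfa_reset", "verification": "mfa_push_enrolled_device", "privileged": True},
    {"id": 4, "time": "2024-10-07T10:05:00", "caller": "+1-555-0199", "account": "cwhite",
     "request": "password_reset", "verification": "employee_id_only", "privileged": False},
    {"id": 5, "time": "2024-10-07T11:30:00", "caller": "+1-555-0199", "account": "dgreen",
     "request": "password_reset", "verification": "callback_directory_number", "privileged": False},
    {"id": 6, "time": "2024-10-07T11:45:00", "caller": "+1-555-0100", "account": "jdoe",
     "request": "software_install", "verification": "none", "privileged": False},
]

# Request types that change how an identity authenticates and therefore need strong verification.
SENSITIVE_REQUESTS = {"password_reset", "mfa_reset", "mfa_enroll_device", "privilege_grant"}
# Methods that verify the person out of band (not knowledge an attacker can research).
STRONG_VERIFICATION = {"callback_directory_number", "mfa_push_enrolled_device", "manager_approval_in_person"}
MULTI_ACCOUNT_WINDOW = timedelta(hours=24)
MULTI_ACCOUNT_THRESHOLD = 2


def triage(tickets: List[Dict]) -> List[Tuple[int, str]]:
    """Return (ticket id, reason) pairs for tickets that should be escalated."""
    findings = []
    seen: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)  # caller -> [(time, account)]
    for t in sorted(tickets, key=lambda x: x["time"]):
        if t["request"] not in SENSITIVE_REQUESTS:
            continue  # routine tickets are not subject to these rules
        ts = datetime.fromisoformat(t["time"])
        if t["verification"] not in STRONG_VERIFICATION:
            findings.append((t["id"], "sensitive request verified with a weak method"))
        if t["privileged"] and t["request"] == "mfa_reset":
            findings.append((t["id"], "MFA reset on privileged account requires a second approver"))
        # One caller touching several accounts in a short window is a help desk abuse pattern.
        recent = [acct for when, acct in seen[t["caller"]] if ts - when <= MULTI_ACCOUNT_WINDOW]
        accounts = set(recent) | {t["account"]}
        if len(accounts) >= MULTI_ACCOUNT_THRESHOLD:
            findings.append((t["id"], f"caller requested changes to {len(accounts)} accounts within 24h"))
        seen[t["caller"]].append((ts, t["account"]))
    return findings


if __name__ == "__main__":
    for ticket_id, reason in triage(TICKETS):
        print(f"ticket {ticket_id}: ESCALATE - {reason}")
```

The rules are intentionally simple threshold checks so they can be expressed in a SIEM query or ticketing workflow; the point is that the help desk record captures which verification method was used, so weak verifications become visible rather than invisible.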

