Lessons Learned from a Spate of Recent and Significant Cyberattacks
For researchers, security providers, business leaders, and consumers, the constant barrage of news regarding data breaches and cybersecurity incidents is enough to cause some sleepless nights. This is especially the case regarding critical cyberattacks against some of the world’s largest organizations and components of critical infrastructure people depend on.
To better understand how to effectively move forward following news of devastating cyberattacks—some of which are personal given the immense amount of data stolen—it is important to reflect on what happened. Undertaking a review of some incidents can help us comprehend what should have been done to lessen the fallout and how stakeholders should operate moving forward to limit such events from happening again and again and again.
The past several months have seen several multi-billion-dollar organizations suffer significant cyberattacks, leading to the theft of tens of millions of customer data files. Some of the details that continue to emerge from these events offer valuable insights into the current state of the cyber threat landscape, including how a few security solutions can do a lot of good in restricting the impact of cyber breaches. What follows is an overview of four recent incidents: Roku, UnitedHealth, AT&T, and the Muleshoe, Texas water supply.
Roku
Context: Roku experienced two separate attacks that may have been related in part, the first running from December 2023 through February 2024. During the second attack, a threat actor accessed a database of user information via credential stuffing. It is possible they utilized usernames and passwords from the initial breach within the follow-up attack. Once the threat actor was in the network, they “bought streaming service subscriptions and Roku hardware products through several hundred accounts” with payment information stored on file. These fraudulent charges have been reversed, though personal and sensitive information was still accessed and may have been stolen.
Impact: upwards of 576,000 user accounts were compromised to varying degrees, though the lasting effect is still to be determined.
Lessons Learned: In this case, threat actors utilized a tactic termed credential stuffing, wherein they use stolen account credentials (usernames and passwords) to gain unauthorized access to user accounts through large-scale, automated login requests—these are often, but not always, details accessed in a previous breach. As a result of these twin breaches, Roku now requires multi-factor authentication (MFA) for all accounts and has reset the passwords of all impacted users.
Moving Forward: A credential stuffing attack is something that would be identified by a reputable detection and response tool and remediated quickly by a trained team within a 24/7 Security Operations Center (SOC). That Roku now requires new safeguards like MFA is great, and also an indication that such actions must be implemented before something happens for them to be truly effective. Proactively implementing security improvements, requiring strong and regularly updated passwords, and improving visibility over account logins to detect brute forcing should be pushed on all user accounts held with businesses in possession of sensitive personal data.
UnitedHealth – Change Healthcare
Context: We covered this particular breach extensively in a previous newsletter, and since then some new information has come to light.
Impact: The organization is estimating a loss of $1.6 billion due to remediation, recovery, ransom, and other associated costs. Healthcare providers, both on individual and organizational levels, are still reeling from challenges within the payment portals. People speaking on behalf of the company have acknowledged that “files with personal information that could cover a ‘substantial portion of people in America’ may have been taken.” Threat actors initially accessed the UnitedHealth system a reported 9 days before the actual launching of ransomware.
Lessons Learned: UnitedHealth is among the biggest businesses out there, and this attack confirmed that big does not mean secure. Early detection is key to safeguarding sensitive information, as threat actors were in the system for at least 1 week prior to the attack and data exfiltration. Furthermore, there are reputable claims that the login portal through which initial access was gained, one widely used and accessed by remote employees, did not have MFA set up, meaning one could log in with a simple username and password combination. This was not adequate.
Moving Forward: Much like the Roku incident, a case could be made that this incident could have been prevented with a few simple practices. The first is proactive implementation of MFA for all accounts that have access to sensitive data. Additionally, having a detection and response tool supported by a 24/7 SOC should have surfaced the unusual and malicious activity at some point in the 9 days between the initial breach and the deployment of ransomware.
AT&T
Context: Not a lot of information has been shared regarding the how of this massive incident. The consequences, however, are well known. The breach seems to have first come to public attention following a giant data dump onto the dark web, which was subsequently confirmed to be AT&T customer information.
Impact: 7.5 million current and some 65 million former customers had personal data stolen and listed for sale on the dark web.
Lessons Learned: Unfortunately, as of April 11, reports indicate that “AT&T…said it doesn’t know if the massive data breach ‘originated from AT&T or one of its vendors’”. This admission is problematic in that it implies the company neither had total network visibility at the time of the incident nor vetted its vendors thoroughly enough to understand potential vulnerabilities within their systems.
While an official cause or initial access point for the breach has not been identified or publicly disclosed, the company stated “it does not have evidence of unauthorized access to its systems”, which is unclear as it could indicate AT&T has not uncovered the cause or it may be an internal threat actor or another type of fraud through business email compromise or some similar process.
Moving Forward: AT&T functionally “reset passcodes for customers” and will attempt to make user credentials more individualized to better prevent user account takeover. If the breach originated with the compromise of an active account, there are proactive steps to limit it in the future. By deploying a cloud application monitoring service backed by a 24/7 SOC, network visibility can be established to the point where individual account activity can be monitored for unusual or malicious activity and then remediated upon confirmation.
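The Roku section above calls for visibility over account logins that can catch credential stuffing, and the AT&T section for monitoring of individual account activity so that takeover can be spotted and remediated. The following script is an added example, not part of the original article and not SpearTip's or Zurich's tooling, of what that visibility looks like in practice. It parses a small constructed authentication log (the log format, thresholds, usernames, and IP addresses are all assumptions), flags source addresses whose pattern matches credential stuffing (many distinct usernames, mostly failures, inside a short window), and then lists the accounts that logged in successfully from such a source, which are the ones a SOC would reset and move to MFA first.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed line format:
# <ISO timestamp> <login_failed|login_ok> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login_failed user=alice src=203.0.113.9
2024-03-01T10:00:02Z login_failed user=bob src=203.0.113.9
2024-03-01T10:00:03Z login_ok user=carol src=203.0.113.9
2024-03-01T10:00:04Z login_failed user=dave src=203.0.113.9
2024-03-01T10:00:05Z login_failed user=erin src=203.0.113.9
2024-03-01T10:00:06Z login_failed user=frank src=203.0.113.9
2024-03-01T10:00:07Z login_failed user=grace src=203.0.113.9
2024-03-01T10:00:08Z login_failed user=heidi src=203.0.113.9
2024-03-01T10:01:00Z login_failed user=dave src=198.51.100.7
2024-03-01T10:01:20Z login_failed user=dave src=198.51.100.7
2024-03-01T10:01:45Z login_ok user=dave src=198.51.100.7
2024-03-01T10:02:00Z login_ok user=erin src=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) src=(\S+)$")


@dataclass
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text):
    """Turn raw log text into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m.group(2) == "login_ok", m.group(3), m.group(4)))
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5,
                     max_success_ratio=0.3):
    """Flag source IPs that, within any sliding time window, tried at least
    `min_users` distinct usernames with a success ratio at or below
    `max_success_ratio`. A legitimate user mistyping their own password
    touches one username and is not flagged. Returns
    {src: (distinct_users, attempts, successes)} for the widest matching window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits the time bound
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.ok for e in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                if src not in flagged or len(win) > flagged[src][1]:
                    flagged[src] = (len(users), len(win), successes)
    return flagged


def compromised_accounts(events, flagged):
    """Accounts with a successful login from a flagged source: these are the
    takeover candidates to reset and enrol in MFA."""
    return sorted({e.user for e in events if e.ok and e.src in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = stuffing_sources(evs)
    for src, (users, attempts, successes) in hits.items():
        print(f"credential stuffing from {src}: {users} users, "
              f"{attempts} attempts, {successes} successes")
    print("accounts to reset:", compromised_accounts(evs, hits))
```

On the sample log, the script flags 203.0.113.9 (eight usernames, one success) and reports `carol` as the account to reset, while `dave`, who failed twice from his own address before succeeding, is left alone. In production the same logic would run over the identity provider's audit log, and the thresholds would be tuned to the service's normal failure rate.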
Muleshoe Water Infrastructure
Context: The small 5,000-resident town of Muleshoe, Texas was targeted for a currently unknown reason by a state-sponsored Russian threat group with alleged connections to the notorious Sandworm group controlled by the Russian military. The result of the attack—which was likely a demonstration of capabilities and of the vulnerability of some critical infrastructure—was the mere overflowing of a municipal water tank at the treatment center. In the end, on-call workers remediated the situation via manual override. Two neighboring municipalities reported suspicious activity, though neither was impacted. One, however, did register an attempted firewall breach.
Impact: Not deemed ‘significant’ in terms of what actually happened, though it should be a wake-up call for municipalities, utilities, and citizens. It is difficult to not recall the disastrous Colonial Pipeline and JBS attacks that severely impacted critical infrastructure throughout the country and further demonstrated both the sector’s vulnerability and importance.
Lessons Learned: All indications are that this attack was not targeted at Muleshoe’s infrastructure specifically but was perhaps a focused attack against firewalls hoping to identify vulnerabilities. Furthermore, this incident “was discovered after a citizen called in some unusual activity – an overflowing water tank.” Limited safeguards were in place to detect and deter the attack in real time, something that would have been identified by a strong security tool and remediated quickly by a human-led SOC.
Moving Forward: All components of critical infrastructure, no matter how remote, small, or unlikely a target, must be safeguarded with top-tier cyber solutions. These include 24/7 SOC monitoring, a best-in-breed tool stack, and vigorous vulnerability and risk assessments designed to locate and patch any weaknesses.
Conclusions
Re-establishing the cybersecurity basics is the pre-eminent step: enhance visibility into network and personal spaces, utilize security safeguards all of the time, including MFA, enlist a 24/7 SOCaaS to actively monitor all network activity, maintain account hygiene with strong and frequently updated passwords, and keep an eye on personal accounts for any suspicious activity.
Respective responses to these attacks provide an insightful snapshot into how reactive measures should instead be proactive to harden overall security. There is no need to wait until forced by a business to practice effective cyber hygiene. Doing so now will help limit such incidents moving forward.
In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.
Copyright © 2024 SpearTip, LLC