By Andrew Paulette and Mesay Degefu
1.) Massive Equifax hack reportedly started 4 months before it was detected (September 20, 2017)
Summary: Hackers behind the massive Equifax data breach began their attack no later than early March, more than four months before company officials discovered the intrusion, according to a report published Wednesday by the Wall Street Journal.
Why it matters: The hackers behind the Equifax data breach began interacting with the system as early as March 10, less than a week after the patch for this vulnerability was released by Apache. In all fairness, this is a short turn around time for patching not only the software used by Equifax, but also recompiling any vulnerable code created by the Struts framework without a disruption to services.
However, this is why defense-in-depth is critical for organizations. Attackers will quickly exploit any vulnerability that has been publicly disclosed, and expecting to keep a network safe only through patching is not sufficient in today’s world. The length of time the attackers were able to stay in Equifax’s network and the fact that they were successfully able to set up 30 web shells speaks to inadequate security controls and detection capabilities in Equifax’s network.
2.) Deloitte hit by cyber-attack revealing clients’ secret emails (September 25, 2017)
Summary: One of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal. Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months.
Why it matters: Organizations have to make sure that multifactor authentications are in place. In addition, organizations need a process in place segregating privileged accounts based on tasks and tier levels. The process will also include monitoring and auditing privilege accounts regularly.
3.) DELOITTE: ‘VERY FEW CLIENTS’ IMPACTED BY CYBER ATTACK (September 25, 2017)
Summary: Deloitte, one of the “big four” global accounting firms, admitted Monday it fell victim to a cyber attack, but downplayed the incident saying it only affected a few of its high profile clients.
Why it matters: For Deloitte, an auditing company that offers Cyber Risk services to their clients, the fact that their network was infiltrated due to a compromised password on an administrator account and the length of time attackers were in their network is not a good look for their business. The unfortunate reality, however, is that these organizations are prime targets for attackers looking to profit from their efforts.
Larger organizations are a larger target of opportunity for attackers and will no doubt have more blind spots where security is not at its finest. It is imperative that these organizations start thinking from the perspective that their IT infrastructure has already been breached, and design their security policy from that assumption.
4.) In a first, Android apps abuse serious “Dirty Cow” bug to backdoor phones (September 26, 2017)
Summary: A serious vulnerability that remains unfixed in many Android devices is under active exploit, marking the first known time real-world attackers have used it to bypass key security protections built in to the mobile operating system.
Why it matters: This article is a clear indicator of one of the biggest problems with the Android OS environment: how Android vendors handle patching. Many Android phones currently in use will never see a patch for this vulnerability even though Google has released one due to the fact that down-chain vendors will not distribute the patch on their devices.
While Google has tried to limit the potential exposure through policing the Google Play store to control the flow of unscrupulous apps, some are bound to slip through. Finding a solution to their supply-chain patching problems will continue to be a top priority for Google in order to avoid an embarrassing incident that affects a large number of unpatched devices.
5.) Breach at Sonic Drive-In May Have Impacted Millions of Credit, Debit Cards (September 26, 2017)
Summary: Sonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, has acknowledged a breach affecting an unknown number of store payment systems. The ongoing breach may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores, KrebsOnSecurity has learned.
Why it matters: Industries that franchise their name and brand to independent owners face a unique challenge for incident response, as many of the franchises’ POS terminals are operated by 3rd-party vendors – not directly by the corporation. This can complicate incident response and recovery and prolong the attacker’s access to some POS systems.
Much like companies utilizing cloud services, organizations should work with their franchises to ensure that terms of service with other third-party providers are in place to ensure that adequate security measures are included. While this won’t immediately solve the problem, it will give organizations better legal ground to push their providers to patch systems faster after evidence of a breach.