Analyst Breach Insights, Week of November 20: Undetected Breaches, Accidental Exposure, and VPN Risks
In this week’s analyst breach insights, we discuss four of the breaches in last week’s news, which will lead us from the topics of anti-malware to threat intelligence to the rise of publicly accessible data.
To analyze these breaches, we sat down with three senior members of Dtex’s analyst and expert team: VP of Field Engineering Steven Spadaccini, SVP of Customer Engineering Rajan Koo, and Manager of Insider Threat and Cybersecurity Investigation Armaan Mahbod.
IT company is hacked and attacker remains in their system for two years -- only learning of the incident when the server ran out of space.
Utah-based IT company InfoTrax Systems, which rents out server space and hosted applications to multi-level marketing (MLM) companies, was breached in May 2014 by a hacker that exploited a website vulnerability to upload malicious code that enabled remote control of the company’s website and server infrastructure. The attacker maintained this backdoor access from May 2014 to March 2016 without being discovered, until they created an archive file so large that it devoured all remaining disc space on one of the servers.
This week, the FTC and InfoTrax agreed to a settlement, in which the IT company agreed to make major security advances, including a means to detect malicious file uploads and a cybersecurity safeguard to detect unusual activity on the network.
While the breach itself is quite old, and it ended up in the news this week only because of the recent FTC settlement, this one still caught our eye because it strongly relates to scenarios that we still see in the field. We have worked with numerous companies specifically to detect backdoor malicious outsiders like this.
In a theme that we’ve seen more and more frequently as of late, this situation illustrates the need for companies to look at the big picture over minutiae, even when it comes to external attacks like this. Many companies rely on EDR and threat intelligence feeds to catch backdoors such as this one. But the problem is, if they miss the exploit itself -- one singular event that could slip through the cracks -- the threat will remain undetected unless they are also looking for large-scale changes in behavior.
“There are lots of ways an attacker can get into a server environment to hack a service account,” Rajan Koo said. “An organization might see the drop, they might see the exploit detonate, and they could waste a ton of time looking for signatures the way that EDR and AV tools do, but those don’t look for ongoing changes in behavior. If there’s enough data being created to fill a disc, that’s certainly hugely anomalous behavior.”
“This particular account was a service account, and yet the company only found out the account was compromised when they ran out of server space,” Steven Spadaccini said. “What the security team really needed to be asking was, ‘Are all service accounts doing this? Do we see other service accounts doing these things?’ Asking the right questions to contextualize this behavior in comparison to other similar accounts would have allowed them to detect this much sooner and quickly investigate once it was brought to their attention.”
Ultimately, Koo added, “If you look for the exploit, there’s a good possibility that you miss it. But if you look for massive changes in behavior, this should have been easy to pick up.”
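The peer-comparison approach Spadaccini and Koo describe above (ask whether one service account is behaving like the other service accounts, and whether it is behaving like its own past) can be expressed as a small baseline check. The block below is an added illustration, not Dtex code and not any Dtex API; the account names, the daily "GiB written" figures and the thresholds are constructed assumptions. It flags an account only when today's volume is far outside its own history (robust z-score using median and MAD) and far above what its peers wrote on the same day, which is exactly the "disk suddenly filling" symptom that went unnoticed for two years in the InfoTrax case.

```python
"""Peer-group behavioural baseline for service accounts.

Added example, not Dtex code: daily GiB written per service account over a
14-day window. Account names, numbers and thresholds are constructed
assumptions used only to illustrate the technique.
"""
from statistics import median

# Constructed sample: 14 days of GiB written per service account.
# svc-backup, svc-etl and svc-report are steady peers; on the last day the
# host behind svc-web starts producing a huge archive (InfoTrax-style symptom).
SAMPLE = {
    "svc-backup": [40, 42, 39, 41, 40, 43, 38, 40, 41, 42, 39, 40, 41, 44],
    "svc-etl":    [35, 36, 34, 37, 35, 36, 35, 34, 36, 37, 35, 36, 34, 38],
    "svc-report": [12, 11, 13, 12, 12, 11, 13, 12, 11, 12, 13, 12, 11, 12],
    "svc-web":    [3, 3, 4, 3, 3, 2, 3, 4, 3, 3, 3, 4, 3, 640],
}


def mad(values, centre):
    """Median absolute deviation: a spread estimate one outlier cannot inflate."""
    return median(abs(v - centre) for v in values)


def robust_z(value, history):
    """How far 'value' sits from the account's own past, in robust sigmas."""
    centre = median(history)
    # 1.4826 scales MAD to a normal sigma; the 1.0 floor (assumption) avoids
    # dividing by zero for accounts whose history is perfectly flat.
    spread = mad(history, centre) * 1.4826 or 1.0
    return (value - centre) / spread


def peer_ratio(value, peers_today):
    """Today's value relative to the median of every other service account today."""
    return value / (median(peers_today) or 1.0)


def flag_anomalies(series, z_threshold=6.0, ratio_threshold=10.0):
    """Return {account: (robust_z, peer_ratio)} for accounts that are anomalous
    both against their own history AND against their peers on the latest day.
    Requiring both conditions keeps a naturally busy account (svc-backup) from
    alerting just because it writes more than the others.
    """
    flagged = {}
    latest = {acct: vals[-1] for acct, vals in series.items()}
    for acct, vals in series.items():
        history, today = vals[:-1], vals[-1]
        z = robust_z(today, history)
        peers = [v for a, v in latest.items() if a != acct]
        ratio = peer_ratio(today, peers)
        if z >= z_threshold and ratio >= ratio_threshold:
            flagged[acct] = (round(z, 1), round(ratio, 1))
    return flagged


if __name__ == "__main__":
    for acct, (z, ratio) in flag_anomalies(SAMPLE).items():
        print(f"{acct}: {z:.1f} sigma from own baseline, {ratio:.1f}x peer median")
```

Run as-is, only `svc-web` is reported: its final day is hundreds of robust sigmas above its own flat history and about 17 times the peer median, while `svc-backup`, the largest writer in absolute terms, stays within three sigmas of itself and is never flagged. The thresholds are deliberately coarse; in practice they would be tuned per environment, but the shape of the check (own history plus peer context) is what turns "a disk filled up" into an alert that fires on day one rather than two years later.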
Outdoor and sporting goods retailer Orvis accidentally leaked hundreds of internal passwords on pastebin.com for several weeks last month. The credentials spanned a wide variety of internal services and accounts, including those used to manage security tools, servers, and admin accounts. Though the company claims that the credentials had only been exposed on the site for a day, the file was actually available on two separate occasions during the month of October, and had been picked up by an aggregator.
The issue of accidental data exposure on Pastebin is particularly difficult to detect. A DLP rule, for example, is not going to stop this, and because the upload happens in the browser, most tools wouldn’t alert on it. This is yet another reason why visibility is important.
But this story is also significant because it speaks to a growing problem: that of accidental data exposure via file and cloud sharing networks. In our 2019 Insider Threat Intelligence Report, we found publicly exposed data in 98% of threat assessments -- a 20% increase from the year before. Now that cloud sharing tools have become ingrained in our daily lives and workflows, careless use and accidental data exposure become an unignorable problem for every organization.
“This story, and even some of the statements in the article itself, prove that it’s not just us talking about this increase in accidental data exposure via file sharing,” Armaan Mahbod said. “This is an extremely common occurrence. It’s not unusual, and it’s very important to monitor for these types of threats. Employees will always have access to the internet, and keep in mind that when one website becomes popular or is taken down, 10 more follow in its footsteps. Organizations must be far more critical of anomalous data movement outside the organization, especially via browsers, to have awareness and control of their IP. Without the proper visibility to do so, this issue will only become more rampant, and blocking site access is not the answer.”
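Mahbod’s point that blocking individual sites is not the answer, because ten more replace each one, suggests keying detection on the behaviour (a sizeable request body leaving the browser for a destination the organization does not sanction) rather than on a blocklist of paste sites. The block below is an added example written for this post, not Dtex code; the proxy log format, the users, the destination names and the size threshold are all constructed assumptions. It parses the log, keeps only body-carrying requests (POST/PUT), drops the sanctioned corporate destinations, and reports what remains together with a per-user volume for triage.

```python
"""Spot anomalous browser-borne data movement in proxy logs.

Added example, not Dtex code: the log format, domains, users and thresholds
are constructed assumptions. The check keys on behaviour (large request
bodies leaving the browser for unsanctioned hosts), not on a site blocklist.
"""
from collections import defaultdict
from dataclasses import dataclass

# Destinations the organisation itself sanctions for uploads (assumption).
SANCTIONED = {"sharepoint.example.com", "mail.example.com", "crm.example.com"}

# Constructed proxy log: "<utc-time> <user> <src-ip> <method> <host> <req-bytes> <status>"
LOG = """\
2019-10-04T09:12:33Z jdoe 10.1.2.3 GET www.example.org 412 200
2019-10-04T09:13:02Z jdoe 10.1.2.3 POST pastebin.com 181234 200
2019-10-04T09:15:41Z asmith 10.1.2.7 POST sharepoint.example.com 9823441 200
2019-10-04T09:20:10Z jdoe 10.1.2.3 POST newpastesite.example 143002 200
2019-10-04T09:22:55Z bchen 10.1.2.9 GET pastebin.com 801 200
2019-10-04T09:30:00Z bchen 10.1.2.9 POST mail.example.com 22000 200
2019-10-04T09:31:17Z asmith 10.1.2.7 PUT transfer.example.net 52428800 201
"""


@dataclass(frozen=True)
class Upload:
    time: str
    user: str
    host: str
    nbytes: int


def parse_uploads(text):
    """Yield only the requests that carry a body out of the network (POST/PUT)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line: skip it rather than crash the pipeline
        time, user, _ip, method, host, nbytes, _status = fields
        if method in ("POST", "PUT"):
            yield Upload(time, user, host, int(nbytes))


def suspicious_uploads(text, min_bytes=100_000):
    """Uploads of at least min_bytes to any destination the org does not sanction.

    A paste site nobody has heard of yet (newpastesite.example) is caught the
    same way as pastebin.com, because no site list is consulted.
    """
    return [u for u in parse_uploads(text)
            if u.host not in SANCTIONED and u.nbytes >= min_bytes]


def bytes_out_per_user(text):
    """Total unsanctioned upload volume per user, for ordering an investigation."""
    totals = defaultdict(int)
    for u in suspicious_uploads(text, min_bytes=0):
        totals[u.user] += u.nbytes
    return dict(totals)


if __name__ == "__main__":
    for u in suspicious_uploads(LOG):
        print(f"{u.time} {u.user} -> {u.host} ({u.nbytes} bytes)")
    print(bytes_out_per_user(LOG))
```

On the constructed log this surfaces jdoe’s two pastes and asmith’s large transfer, while asmith’s much bigger SharePoint upload and bchen’s mere visit to pastebin.com (a GET) are ignored. The threshold is an assumption; the design choice worth keeping is that the unknown paste site is caught on the same footing as the well-known one.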
NordVPN has confirmed that one of their data centers was breached in March 2018, a fact that is just now coming to light after a Twitter post drew attention to leaked expired private keys. The server leak was from a third-party data center that, NordVPN claims, did not make the company aware of the breach when it happened. No credentials or user details were exposed.
TorGuard and VikingVPN also appear to have been hacked by the same culprit.
All of these VPN tools are typically used for personal use rather than corporate use, but that doesn’t mean that enterprise security professionals don’t need to worry about these kinds of breaches. Just because a tool isn’t corporately sanctioned doesn’t mean that employees aren’t still downloading and using it.
The greatest risk with VPN and similar tools is that the tool is being used to circumvent company security. “There are a number of questions that you need to ask when you discover the use of personal VPN tools on a corporate device,” Spadaccini said. “First of all, why did they install it? Why is it there? Is it used to circumvent other solutions? There’s the immediate intent question to answer.”
But this breach proves that even if the user in question didn’t install the VPN tool for nefarious purposes, the tool itself poses a security risk.
“These VPN tools pose an inherent risk even if the user themselves isn’t intentionally causing a threat,” Koo said. “We have often seen the VPN tool HOLA used, for example. What users often don’t realize is that when they use that tool, they’re listing their own endpoint to become an exit. They’re using someone else’s network, and someone else is using theirs. So, in situations where this tool is being used on a corporate device or corporate network, the whole corporate network is exposed to an outsider.”
Mahbod added, “We mostly see people using these tools for non-malicious reasons, like for sports or media content, especially around big sporting or media events broadcast globally, as well as users wanting to see particular content only provided to particular countries. But even though they aren’t usually being used for exfiltration directly, you still need to look at the security impact that these tools can create.”
Solara Medical Supplies reported that its system had been breached and exposed for several months. Multiple employees clicked on a phishing email that resulted in an outsider being given access to their Office 365 accounts. The breach was discovered on June 28, 2019, and the accounts were exposed from April 2 through June 20. A large amount of information from patients and employees was compromised, including highly sensitive data like SSNs, medical information, passwords, billing info, etc.
Once again, we see a breach that went undetected and unmitigated for a very long period of time. We aren’t given many details, but the information that is here does serve as a reminder of the different ways that vulnerabilities can be exploited -- even human vulnerabilities, as is the case with phishing attacks.
We could not help but compare this situation to a recent phishing attack that Dtex detected and investigated at a financial institution. The phishing email and resulting malware slipped through email security and AV defenses, though Dtex alerted on it immediately. More importantly, that situation was resolved within hours because the team was able to quickly and accurately answer the questions that they needed to understand what happened and who was affected. Based on the information we have, that doesn’t seem to be the case with Solara’s situation.
“There are a lot of questions implied within this breach,” Spadaccini said. “How did they know that it was a phishing attack? Who told them? How did they know that multiple employees clicked on it, and who? They were able to figure it out, but it took a long time to put together those answers, and the breach itself went undetected for months.”
Conclusion: It’s always about the answers.
Multiple breaches in this week’s round-up draw into sharp focus the inherent weaknesses in relying on threat intelligence or EDR solutions alone. More than one of these breaches involved an exploit that went undetected and a breach that remained active for a very long period of time. Mitigating this problem requires visibility, yes, but it also requires that data be contextualized within the bigger picture and easily accessible.
“It’s not just about having a large raw quantity of data,” Spadaccini said. “If I had all the time in the world, I could sit here and build you a spaceship. But if I called NASA, I could be there tomorrow. With a large amount of manual work and a large amount of data, you might be able to find these answers, but how long will it take you? Can you do it in seconds? Can you do it over hundreds of thousands of endpoints? These are the questions that organizations need to be asking themselves if they want to avoid breaches like these.”