Monthly Threat Report September 2024: Another Month – Another Massive Data Breach
Introduction
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, threat-actor info and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on information from the month of August 2024.
As a reminder, this is NOT one of our quarterly editions, so we’ll forgo core data points in favor of industry news discussions, threat intelligence, and more! The Monthly Threat Report for October (covering data from September) will feature a quarterly update on threat statistics and will be the focus of next month’s edition.
Executive Summary
- A breach involving the data broker National Public Data has exposed 2.9 billion rows of records, exposing the personal data of countless people.
- The data stolen in the National Public Data breach will make it easier for threat actors to conduct convincing spear-phishing and will help with social engineering.
- A joint statement from multiple US government entities warns businesses about the danger posed by the RansomHub ransomware and provides a list of recommended actions and technical information regarding the threat.
- A curious case of extortion highlights the dangers of insider threats and the fact that those risks can exist even on trusted IT teams.
- Vendor overdependence is increasingly becoming a concern for organizations that leverage multiple critical business services from a single vendor.
- With election season in full swing, eyes are on the election process and on the lookout for cyberattacks seeking to sway elections.
Major Incidents and Industry Events
National Public Data
Perhaps the biggest cybersecurity and privacy news for the month of August was the breach of National Public Data. National Public Data is considered a data broker. The company’s short statement (below) from its About Us page quickly highlights the gravity of this breach:
All our data is updated regularly. We guarantee freshness and quality. Search billions of records with instant results, and many searches are no hit/no fee. Our services are currently used by private investigators, consumer public record sites, human resources, staffing agencies and more. Join now and enjoy quality data with low fees.
The fact that NPD (National Public Data) mentions “billions of records” alongside the mention that the service is used by private investigators ironically brings the fallout from this breach into stark focus.
According to the official press release, the type of data leaked as part of this breach includes the following:
- Names
- Email Addresses
- Phone numbers
- Social Security Numbers
- Mailing Addresses
While the full number of impacted individuals is unknown at this time, the trove is known to include the following, according to multiple sources:
- 200 GB of data
- 2.9 billion rows of records
- 134 million unique email addresses
More worryingly, the data set has been found to also enable cases where a threat actor may want to look up people associated with a given target, such as family members, increasing the risk of more authentic spear-phishing attempts and more advanced social engineering.
This breach, combined with countless others over the past several years, brings a few key questions to mind, as mentioned in the same article from Dark Reading.
- Why do the United States and other countries allow the mass collection of personal data?
- Why do we continue to use easily abused identification methods like Social Security numbers for core financial means?
As the number of incidents involving vast quantities of personal data continues to increase, governmental bodies need to start asking “How much is enough?”, meaning: when will we see meaningful regulation and proper damages levied against organizations with breaches of this nature? For example, Australia has imposed some of the harshest fines known on Australian organizations that suffer repeated breaches:
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases the maximum penalties for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of a company’s adjusted turnover in the relevant period.
It’s become clear over the last several years that businesses require a monetary incentive (or deterrent) in order to take the necessary steps to keep personal information safe.
As for government operations, it’s long past time for the US Federal Government and other countries (with similar methods) to look at alternatives to the easily bypassed Social Security Number identity mechanism. Several other viable alternatives involving cryptography and blockchain could solve this problem and at least serve to make one part of personal identities more difficult to obtain. As a society and as a security industry, these are issues we’ll need to solve in the coming years to stave off yet more threat actors and more stolen personal data.
Joint Advisory from Government Agencies Regarding Ransomhub
In what has become an increasingly common practice, the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Dept. of Health and Human Services (HHS) are warning the public about the breadth and scale of the RansomHub ransomware. Since February 2024, over 200 victims have been identified among organizations involved in US critical infrastructure. Some of the victims, according to Bleeping Computer, include:
- Rite Aid
- Frontier Communications
- Halliburton
- Patelco
- Christie’s Auction House
- And others
It’s also worth noting that RansomHub’s site was involved in the leak of stolen Change Healthcare data.
The recommendations made by the agencies are largely the common recommendations we see in the security space on a regular basis: regular patching of known vulnerabilities, implementing MFA, using VPNs, etc.
If you’re interested in a full breakdown of the threat, the joint announcement includes a full list of TTPs (Tactics, Techniques, and Procedures) along with a full list of IOCs (Indicators of Compromise). Security teams should read up on this threat and prepare accordingly.
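One practical way to act on a published IOC list is to run it against your own logs. The script below is an added example written for this report, not code from the joint advisory or from Hornetsecurity; the indicators and log lines in it are constructed placeholders (TEST-NET addresses, `.invalid`/`example.net` domains, a dummy hash) that stand in for the advisory’s real list, which you would paste in before use. It normalizes the three indicator types most advisories publish (IPv4 addresses or CIDR ranges, domains including their subdomains, and SHA-256 hashes) and reports every log line that touches one of them.

```python
"""Match an advisory-style IOC list against log lines.

Added example, not from the advisory or Hornetsecurity.  Every indicator
and log line below is a constructed placeholder, NOT a real IOC.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder IOCs in the shape a joint advisory publishes.
# Replace with the advisory's own list before running this for real.
IOCS = {
    "ipv4": ["203.0.113.0/24", "198.51.100.7"],   # TEST-NET ranges, constructed
    "domain": ["example-c2.invalid", "bad.example.net"],
    "sha256": ["a" * 64],                          # dummy hash, constructed
}

# Constructed sample log lines (firewall, DNS and EDR style).
SAMPLE_LOGS = [
    "2024-08-12T10:01:02Z fw allow src=10.0.0.5 dst=203.0.113.42 dport=443",
    "2024-08-12T10:01:09Z dns query=api.bad.example.net from 10.0.0.5",
    "2024-08-12T10:02:00Z edr file=C:\\Users\\a\\x.exe sha256=" + "A" * 64,
    "2024-08-12T10:03:00Z fw allow src=10.0.0.9 dst=192.0.2.10 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Dotted names whose last label is alphabetic, so dotted-quad IPs are skipped.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int    # 1-based index into the scanned lines
    kind: str       # "ipv4", "domain" or "sha256"
    indicator: str  # the IOC from the list that matched
    matched: str    # the token found in the log line


def compile_iocs(iocs):
    """Normalize the IOC list: CIDR objects, lowercase domains and hashes."""
    nets = [ipaddress.ip_network(n, strict=False) for n in iocs.get("ipv4", [])]
    domains = {d.lower().rstrip(".") for d in iocs.get("domain", [])}
    hashes = {h.lower() for h in iocs.get("sha256", [])}
    return nets, domains, hashes


def domain_matches(candidate, domains):
    """Return the listed domain if candidate equals it or is a subdomain of it."""
    c = candidate.lower().rstrip(".")
    for d in domains:
        if c == d or c.endswith("." + d):
            return d
    return None


def scan(lines, iocs=IOCS):
    """Return a Hit for every IOC occurrence found in the given log lines."""
    nets, domains, hashes = compile_iocs(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:      # e.g. 999.1.1.1 matches the regex but is not an IP
                continue
            for net in nets:
                if ip in net:       # handles both single hosts and CIDR ranges
                    hits.append(Hit(n, "ipv4", str(net), tok))
                    break
        for tok in SHA256_RE.findall(line):
            if tok.lower() in hashes:
                hits.append(Hit(n, "sha256", tok.lower(), tok))
        for tok in DOMAIN_RE.findall(line):
            d = domain_matches(tok, domains)
            if d:
                hits.append(Hit(n, "domain", d, tok))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.matched} matches IOC {h.indicator}")
```

Run it as-is to see the three placeholder hits, or feed it real lines with `scan(open("firewall.log").read().splitlines(), iocs=your_list)`. Matching subdomains of a listed domain and expanding CIDR ranges are the two details that a naive string search misses; both are handled above.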
Insider Risks Exist – Even on your IT Team
Every month we try to highlight at least one less talked-about (but still dangerous) threat. An interesting case happened recently that perfectly highlights the dangers of insider threats. Typically, insider threats are disgruntled employees who seek to do harm to the business or who are seeking information for monetary gain. What makes this case so unique is that the insider was an infrastructure engineer on the victim’s IT team.
The perpetrator, who has since been arrested, locked administrators out of 254 servers via a number of logic bombs he had set up remotely near the end of 2023. Ransom demands were made stating that if he was not paid $750k, 40 servers on the company’s network would be shut down each day. Ultimately the attacker was caught due to incriminating web searches.
This highlights the dangers of insider risks, even on trusted IT teams. One method that businesses can use to help prevent this is a PIM (Privileged Identity Management) solution like Microsoft Entra Privileged Identity Management. PIM gives security teams more granular control of access to resources, including critical infrastructure systems, and would likely have prevented the attack in this case.
Threat Analysis
Vendor Risk Management
As businesses have moved to adopt more centralized “as a service” offerings for their software and business application needs, an old concept is coming up more in the industry and is being applied more aptly to digital services. That issue is the concept of vendor overdependence, or “vendor risk management.” The idea behind the term is simple: the more dependent a business becomes on a single outside vendor for critical business functions, the more at risk the organization is should that vendor have difficulties.
While, again, the term isn’t a new concept, we’re seeing it applied to cloud services and digital offerings more now than ever before. For example, organizations that lean heavily into the Microsoft stack may use M365 for productivity and collaboration, along with Azure for infrastructure needs. What happens when Microsoft Entra goes offline (rare, but it DOES happen)? You potentially lose all production systems until the issue is resolved, and that resolution is not under your control in any way.
This concept applies to security systems as well. What happens when you depend on the same vendor for productivity software as you do for security tools? Would that vendor communicate a risk due to a flaw or vulnerability in one of its products for fear of impacting the sales of another? In fact, Microsoft has already been implicated in a situation like this. A security team member brought concerns about a critical bug to leadership, and the issue was ignored due to potential impact on sales, according to a whistleblower report. It’s worth noting that this flaw was what ultimately led to the SolarWinds attack in 2020.
IT and leadership teams would do well to consider this when choosing a given vendor. If you’d like more information on mitigating vendor risk, we covered this topic in a recent episode of the Security Swarm Podcast.
History of Election Tampering
With various elections having just wrapped up in the EU and the US election season in full swing, there has been much talk in the industry about the security of upcoming elections, and there are valid concerns. There are documented cases where bad actors have launched attacks against the election process, or election infrastructure in both the European Union and the United States.
There are a number of reasons that various threat actor groups do this. In most cases, it’s nation-state threat actor groups looking to sway an election in one direction or another. In other cases, hacktivist groups may be looking to conduct a high-visibility attack in an attempt to communicate their message. In either case, the attacks are disruptive to the democratic process.
If you’re interested in more on this subject, Umut Alemdar and Andy Syrewicze discussed this topic at length in a recent episode of the Security Swarm Podcast.
Predictions for the Coming Months
- Election interference and cyber-attacks on election infrastructure will increase in the lead up to the US election. Additional attacks are likely.
- The breach of National Public Data will likely reignite the conversation around the acquisition of vast quantities of personal data. It should be noted as well that the US government has historically been slow to respond on these issues, and there is no indication that it will be different this time, but we can hope for a different outcome.
Monthly Recommendations
- Communicate the breach of National Public Data to those individuals in your organization who are likely to be targeted by spear-phishing attempts; let them know that, due to the type and amount of data released, this could lead to more convincing spear-phishing attempts. On top of that, if you haven’t implemented a next-generation email scanning solution yet, do so.
- Read the advisory concerning RansomHub listed above and apply any needed remediation or recommendations.
- If you haven’t recently, take the time to consider insider risks to your organization – even on your IT team. Make a plan to account for this risk, and implement a solution like PIM.
About Hornetsecurity
Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.