The Worst Corporate Hacks

From Operation Shady RAT to Red October to WannaCry, hacks occur every day worldwide. Some of the largest and most influential companies have fallen victim to cyber-attack.


We’ve assembled this Top 10 list together with an analysis of how the hackers infiltrated the systems and the damage caused. Additionally, we’ve included discussions of the practical measures to resolve and/or mitigate the risks, identifying key technologies your organization can use to avoid falling victim to the next hack.

Target

70M Records Stolen

Hack

In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.

How

Target was exposed through a partner relationship with an HVAC company. Hackers obtained the credentials of the HVAC vendor and then used these credentials inside Target's systems to move around the environment before anyone acted, even though this activity had been detected earlier.

Mitigation

If Target had used EMS with ATA in place, they would potentially have been able to see the hackers' lateral movement, which was not typical of their environment. If Target had used OMS, they would have been able to see abnormal activity on their servers: OMS monitors inter-server communications and can detect abnormalities. Using network segmentation and modern workstation management, they would have been able to better isolate the compromised endpoint devices and make it hard to traverse the network to the places where critical information is kept. The compromised system should never have had a path to where customer data was kept.

Use of JEA (Just Enough Administration) or multifactor authentication would have prevented this. As a result of this hack, technologies were developed to help mitigate these types of offenses in the future. Target could have used monitoring systems such as Windows 10 with E5, which includes Windows Defender ATP. If the HVAC vendor had also used this, they would have detected the infection of their device and the potential breach, and would have alerted Target. Isolation of network segments could also have prevented the cross-system infection. By leveraging ServiceNow, Target could have had a more robust incident response process.

Panama Papers

11.5M Records Stolen

Hack

In early April 2016, the International Consortium of Journalists leaked a wealth of sensitive documents known as the Panama Papers. The leak consisted of 2.6 terabytes of data from the Panamanian law firm Mossack Fonseca, and linked 140 world leaders from more than 50 companies to secret offshore accounts in 21 different tax havens. Hackers broke into Mossack Fonseca's systems through their website, which was running an outdated and vulnerable version of WordPress, 4.1.

How

There is limited information on how the Panama Papers were hacked, except that an email server was compromised. Some researchers have also suggested that older versions of WordPress / Drupal were to blame for the initial access.

Mitigation

The mitigating factors for this are very similar to other scenarios, especially the ability to spot lateral movement within the network and security around endpoints.

Hollywood Presbyterian

Personal Records Compromised

Hack

In February 2016, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists’ demands and paid the equivalent of $17,000 in Bitcoin.

How

The hackers used malware to seize control of critical information in the application infrastructure. This ultimately prevented IT administrators and end users from accessing critical systems until the incident was resolved. The ability to recover quickly was not available as a mitigating factor, which caused the hospital to give in to some of the demands.

Mitigation

In addition to client-side protections (such as Defender ATP) and server-side mitigations (such as OMS) to reduce the risk, the organization's gap was an inability to recover the critical systems and data without giving in to the hackers. This is very common, as recovery is expensive. Newer recovery systems such as Azure Site Recovery, or more real-time backup solutions built into SQL and similar platforms, could have enabled recovery with little downtime and without the need to risk paying the hackers.


DNC

*Unknown

How

The intrusion relied on a back door executed using PowerShell, as CrowdStrike's investigation found. This allowed the hackers to launch malicious code after a certain period of time so they could connect to the system and transfer out information without detection. At campaign rallies, hackers used a "pineapple" to hack cell phones and other devices to get access to authentication and passwords.

Mitigation

For the data center hack, if they had been leveraging OMS, its malicious-activity detection would have flagged the payload the attackers were using on the server. For the WiFi hack, they should have moved away from pre-shared keys to certificate-based WiFi authentication. The pineapple allowed the attackers to set up a fake network to which people connected unknowingly, surrendering all of the information flowing through that network.

Yahoo (2013)

60–250M Records

Hack

After the 2016 hack, Yahoo announced that hackers, in a separate attack, had compromised one billion of the company’s user accounts back in August 2013. The breached data included names, email addresses, phone numbers, birthdays, hashed passwords, and a mix of encrypted and unencrypted security questions and answers.

How

The Yahoo platform was vulnerable to a "union-based" SQL injection attack that allowed user information to be compromised. The SQL injection exposed user information that was stored in the database in clear text (something that should not be done) rather than as hashes. In the end, both the injection and the method used to store the passwords were issues.

Mitigation

This is an example of the necessity of modern development practices with automated testing (especially automated security testing), using Visual Studio Team Services in conjunction with external tests through Application Insights and other external testing tools. If the additional 2% of development work had been built into the system to include automated testing and release, the attack could have been prevented. This is also an example of an organization choosing to build its own user identity solution rather than leveraging something like Azure AD B2C, which would mitigate issues like this.
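The injection and the storage flaw described above, side by side with their fixes, as an added example that is not code from the page, from Yahoo, or from any vendor. An in-memory SQLite table stands in for the account database; the table layout, the sample users, the constructed payload and the function names are assumptions for illustration. The `injection_probe` function is the kind of check an automated security test in the release pipeline would run against both code paths.

```python
"""Union-based SQL injection beside the hardened lookup, with hashed passwords.

Added example; not code from the page, from Yahoo, or from any vendor. An
in-memory SQLite table stands in for the account database; the table layout,
the sample users and the function names are assumptions for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune for the deployment)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 from the standard library, instead of clear text
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_db() -> sqlite3.Connection:
    # Constructed sample data: two accounts with salted hashes and a security question
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "salt BLOB, pw_hash BLOB, question TEXT)"
    )
    for email, password, question in [
        ("alice@example.test", "correct horse battery", "first pet"),
        ("bob@example.test", "hunter2", "first school"),
    ]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users (email, salt, pw_hash, question) VALUES (?, ?, ?, ?)",
            (email, salt, hash_password(password, salt), question),
        )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # BUG (deliberate): user input is concatenated into the statement, so a crafted
    # value can append a UNION and read rows the query was never meant to expose
    sql = f"SELECT email, question FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized statement: the driver binds the value as data, so the
    # query structure cannot be altered no matter what the string contains
    return conn.execute(
        "SELECT email, question FROM users WHERE email = ?", (email,)
    ).fetchall()


def verify_password(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # Recompute the salted hash and compare in constant time
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def injection_probe(conn: sqlite3.Connection) -> tuple:
    # Automated-security-test style check: one constructed payload against both
    # lookups. Returns (rows leaked by the vulnerable path, rows from the safe path).
    payload = "nobody@example.test' UNION SELECT email, question FROM users --"
    return lookup_vulnerable(conn, payload), lookup_safe(conn, payload)


if __name__ == "__main__":
    db = build_db()
    leaked, safe = injection_probe(db)
    print("vulnerable lookup leaked", len(leaked), "rows; safe lookup returned", len(safe))
    print("alice login:", verify_password(db, "alice@example.test", "correct horse battery"))
```

The probe returns every account's email and security question from the vulnerable path and nothing from the parameterized one, and the password column never holds anything a leak could reuse directly, which is the second issue the passage calls out.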


Anthem

80M Records

Hack

In January 2015, hackers broke into the health insurance giant’s records and pillaged names, Social Security numbers and other sensitive information for up to 80 million customers.

How

In this case, the information was retrieved from unencrypted fields in a database by leveraging an existing administrator's credentials. The administrator credentials were used to bypass security protocols. The intruder was present for an extended period before the IT organization noticed the database had been compromised. Assuming additional controls had been placed around the users, database encryption could have been used to limit access to sensitive information.

Mitigation

This hack reinforces the importance of separating administrative access from normal user access, increased scrutiny around administrator accounts, and JEA (Just Enough Administration) techniques to limit access. Monitoring servers through tools like OMS, and monitoring authentication with ATA, would help identify the lateral movement and spot "non-typical" authentications, which could also be used to detect these scenarios.

JP Morgan Chase

76M Records

Hack

The largest bank in the nation was the victim of a high-profile cyberattack during the summer of 2014. The breach compromised the data of 76 million households, more than half of all U.S. households, and 7 million small businesses.

How

Hackers stole the login credentials of an employee, allowing access to the internal network. The bank did not use two factor authentication through the channel used by the attackers. After gaining access, the attackers were able to access over 90 servers over an extended period of time.

Mitigation

This hack reinforces the importance of strong password controls, particularly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometrics, and text-based two-factor auth. The presence of authentication-monitoring technologies such as ATA and OMS would have helped detect the unusual activity.
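The detection the JP Morgan Chase passage asks for, and the lateral-movement detection the Target entry describes, as an added example that is not code from the page and not how ATA or OMS work internally: a baseline of which servers each account normally reaches, then an alert when one account authenticates to several off-baseline servers within a short window. The log line format, the sample events and the thresholds are constructed assumptions; a real deployment would read Windows security events or VPN logs and tune the window and threshold to its own environment.

```python
"""Flag lateral movement in authentication events: one account fanning out to servers it never used.

Added example, not code from the page and not how ATA or OMS work internally.
The log line format, the sample events and the thresholds below are constructed
assumptions; tune the window and threshold to the real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a month of normal use, then one account reaching many new hosts in minutes
SAMPLE_LOG = """\
2014-06-12T09:01:00 user=jsmith src=WS-117 dst=FILE-01 result=success
2014-06-12T09:05:00 user=jsmith src=WS-117 dst=MAIL-01 result=success
2014-06-13T09:02:00 user=jsmith src=WS-117 dst=FILE-01 result=success
2014-06-13T17:30:00 user=kdoe src=WS-204 dst=FILE-01 result=success
2014-06-14T08:55:00 user=kdoe src=WS-204 dst=FILE-01 result=failure
2014-07-20T02:10:00 user=jsmith src=VPN-GW dst=FILE-01 result=success
2014-07-20T02:11:00 user=jsmith src=VPN-GW dst=DB-07 result=success
2014-07-20T02:12:00 user=jsmith src=VPN-GW dst=DB-08 result=success
2014-07-20T02:13:00 user=jsmith src=VPN-GW dst=APP-13 result=success
2014-07-20T02:14:00 user=jsmith src=VPN-GW dst=DC-02 result=success
"""

BASELINE_END = datetime(2014, 7, 1)  # events before this date define "normal" per account


def parse_events(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def build_baseline(events: list, until: datetime) -> dict:
    """Set of destination hosts each account successfully reached before `until`."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < until and e["result"] == "success":
            baseline[e["user"]].add(e["dst"])
    return dict(baseline)


def detect_fan_out(events: list, baseline: dict,
                   window: timedelta = timedelta(minutes=10),
                   max_new_hosts: int = 2) -> list:
    """Return (user, timestamp, new_hosts) whenever an account authenticates to more
    than `max_new_hosts` hosts outside its baseline within a sliding `window`."""
    alerts = []
    recent = defaultdict(list)  # user -> off-baseline successes still inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "success" or e["dst"] in baseline.get(e["user"], set()):
            continue
        kept = [x for x in recent[e["user"]] if e["ts"] - x["ts"] <= window]
        kept.append(e)
        recent[e["user"]] = kept
        new_hosts = sorted({x["dst"] for x in kept})
        if len(new_hosts) > max_new_hosts:
            alerts.append((e["user"], e["ts"], new_hosts))
    return alerts


def run_sample() -> list:
    events = parse_events(SAMPLE_LOG)
    return detect_fan_out(events, build_baseline(events, BASELINE_END))


if __name__ == "__main__":
    for user, when, hosts in run_sample():
        print(f"{when.isoformat()} {user} reached {len(hosts)} hosts outside baseline: {', '.join(hosts)}")
```

On the sample the account is flagged at the third off-baseline server and again at the fourth; the 2 a.m. VPN source is left out of the rule deliberately so that the alert rests on fan-out alone, which is what a single stolen credential used across 90 servers would produce regardless of the hour.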

The Home Depot

56M Records

Hack

The Home Depot admitted in September 2014 that hackers had used malware to break into the company’s system and had exposed 56 million debit and credit cards.

How

Hackers installed malware (BlackPOS) on self-checkout payment systems, then moved laterally within the Home Depot network. The malware would siphon data off credit cards as they were swiped, exposing over 40,000,000 credit cards of Home Depot customers. The card numbers were then re-sold through the same agency that sold the information from Target.

Mitigation

This hack reinforces how important endpoint security is. Many businesses have critical endpoints (cash registers / manufacturing floor) which are woefully behind: either running completely unsupported operating systems with rampant security flaws, or not properly maintained or secured. In this case, a declarative, re-deployable operating system that could restore the intended state, together with technology like Defender ATP, would have mitigated this risk. Limiting the ability to install software on uncontrolled endpoints and removing non-essential platform components through declarative configuration would also have helped.

Source

http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

Experian / T-Mobile

15M Records

Hack

In the fall of 2015, Experian discovered an unauthorized party accessed T-Mobile data housed in an Experian server. Some 15 million people who used the company’s services, among them customers of cellular company T-Mobile who had applied for Experian credit checks, may have had their private information exposed.

How

There is limited information about how the hackers were able to gain access to the information from within the network, but we do know that the stolen data includes enough detail that it would be very easy to orchestrate complex identity theft scenarios.

Mitigation

The mitigating factors for this are very similar to other scenarios, especially the ability to spot lateral movement within the network and security around endpoints.

Yahoo (2016)

*Unknown

Hack

In September 2016, Yahoo disclosed an enormous 500 million-account breach. Hackers used forged cookies to bypass security protections and access users’ accounts without a password. Yahoo says that it believes this situation is connected at least in part to the allegedly state-sponsored hackers.

How

Hackers were able to access a critical system within Yahoo's network responsible for account management. This access allowed the hackers to perform "cookie minting" to gain access to accounts across the Yahoo offerings and to persist for over a year inside the network, until they were discovered in 2016.

Mitigation

This could have been mitigated through technologies like OMS (detecting malicious activity on servers and abnormal communication between servers), ATA (detecting abnormal authentication), and network segmentation (preventing lateral movement). The presence of a more sophisticated incident response process might also have allowed better detection over time. Finally, JEA (Just Enough Administration), multi-factor authentication to critical systems, and jump servers for administration networks would have made a substantial difference. The idea of "redeployability", regularly bringing systems back into the correct state using declarative infrastructure, also would have made a difference, especially if it had put additional security controls in place.
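What a cookie-minting compromise defeats, and what limits its blast radius, as an added example that is neither Yahoo's design nor code from the page. A session cookie is minted as base64(JSON payload) plus an HMAC-SHA256 tag computed with a server-side key; verification rejects forged or altered cookies, expired ones, and any cookie minted before the account's generation counter was bumped or the key rotated. The key handling, the payload fields, the class API and the sample values are assumptions for illustration.

```python
"""Signed, revocable session cookies as a counter to cookie minting.

Added example; not Yahoo's design and not code from the page. Key handling,
the payload fields and the class API are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time


class SessionService:
    def __init__(self, key: bytes):
        self._key = key          # minting key: must stay inside the account system
        self._generation = {}    # user -> int; bumping it invalidates every earlier cookie

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def mint(self, user: str, ttl: int = 3600, now: float = None) -> str:
        now = time.time() if now is None else now
        payload = {"sub": user, "gen": self._generation.get(user, 0), "exp": int(now + ttl)}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, separators=(",", ":")).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def verify(self, cookie: str, now: float = None):
        """Return the user the cookie is valid for, or None."""
        now = time.time() if now is None else now
        body, sep, sig = cookie.partition(".")
        # Constant-time tag check first: forged, altered, or minted under a different key
        if not sep or not hmac.compare_digest(self._sign(body).encode(), sig.encode()):
            return None
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
        if not isinstance(payload, dict) or payload.get("exp", 0) < now:
            return None  # malformed or expired
        if payload.get("gen") != self._generation.get(payload.get("sub"), 0):
            return None  # revoked: the account's generation has moved on
        return payload["sub"]

    def revoke_all_for(self, user: str) -> None:
        """Invalidate every cookie ever minted for `user` (e.g. on suspected compromise)."""
        self._generation[user] = self._generation.get(user, 0) + 1

    def rotate_key(self, new_key: bytes) -> None:
        """Invalidate every outstanding cookie at once; use once the minting key may have leaked."""
        self._key = new_key


def forge_without_key(user: str, now: float) -> str:
    # Constructed: what someone who knows the cookie format but not the key can
    # produce, a well-formed body carrying a tag that cannot match
    payload = {"sub": user, "gen": 0, "exp": int(now + 10**6)}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    return f"{body}.{'0' * 64}"


if __name__ == "__main__":
    svc = SessionService(b"\x01" * 32)
    cookie = svc.mint("alice", now=1000)
    print("genuine:", svc.verify(cookie, now=1500))
    print("forged without key:", svc.verify(forge_without_key("alice", 1000), now=1500))
    svc.revoke_all_for("alice")
    print("after revocation:", svc.verify(cookie, now=1500))
```

The signature alone does not help once the attacker sits on the account-management system that holds the key, which is the situation the passage describes; the generation counter and `rotate_key` are the recovery controls, since they invalidate every cookie minted before the response, genuine or forged, without needing to know which ones exist. A production service would keep the previous key for a short grace period during rotation rather than cutting over instantly.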

Source

https://www.bloomberg.com/news/articles/2017-03-16/here-s-how-russian-agents-hacked-500-million-yahoo-users
