The Worst Corporate Hacks

From Operation Shady RAT to Red October to WannaCry, hacks occur every day worldwide. Some of the largest and most influential companies have fallen victim to cyber-attack.


We’ve assembled this Top 10 list together with an analysis of how the hackers infiltrated each system and the damage caused. We’ve also included a discussion of the practical measures to resolve or mitigate the risks, identifying key technologies your organization can use to avoid falling victim to the next hack.

Facebook

50M Users

Hack

The latest hack of Facebook was the largest in the company’s 14-year history. The hack exposed the personal information of nearly 50 million users, including that of Mark Zuckerberg and Sheryl Sandberg.

How

Hackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them. Attackers took advantage of two bugs in the site’s “View As” feature, which was originally intended to give users more control over their privacy. These flaws were compounded by another bug in the video-uploading program that allowed attackers to steal access tokens, the credentials that grant access to an account.

Mitigation

This hack reinforces the importance of strong password controls, particularly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometrics, and text-based two-factor auth. The presence of technologies for monitoring authentications, such as ATA and OMS, would have helped detect the unusual activity.

Uber

57 million users

Hack
Malicious actors stole personal data on hundreds of thousands of Uber drivers and 57 million Uber users. The company allegedly covered up the breach for one year and reportedly paid the attackers $100,000 to keep quiet.

How
According to new CEO Dara Khosrowshahi, the Uber breach was due to two malicious actors accessing "a third-party cloud-based service" -- reportedly GitHub and Amazon Web Services (AWS) -- in late 2016 and downloading files containing names and driver's license information on 600,000 U.S. Uber drivers, and other personal information (addresses and phone numbers) for 57 million Uber customers from around the world.

Mitigation
This is an example of the necessity of using modern development practices, with automated testing (especially automated security testing), using Visual Studio Team Services in conjunction with external tests with Application Insights and other external testing tools. If the additional development work had been built into the system to include automated testing and release, the attack could have been prevented. This is also an example of where an organization chose to build its own user identity solution rather than leverage something like Azure AD B2C, which would mitigate issues like this.
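The Uber entry turns on credentials that reached a third-party service the attackers could then log into. One concrete piece of the automated security testing recommended above is a secret scan that runs on every commit, before code reaches GitHub or a build server. The Python script below is an added example, not code from this page or from Uber; the repository snapshot it scans is constructed, the credential pair it finds is AWS's published example key (used precisely because it is not real), and the entropy threshold is an assumption to tune.

```python
import math
import re
from typing import Dict, List, Tuple

# Real AWS formats: an access key ID is "AKIA" plus 16 upper-case
# alphanumerics; a secret access key is 40 base64-like characters.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score high, placeholders score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, finding_kind) for every line that carries a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append((path, line_no, "aws_access_key_id"))
        m = AWS_SECRET_RE.search(line)
        # Entropy gate (assumed threshold) so "xxxx..." placeholders do not fire.
        if m and shannon_entropy(m.group(1)) > 3.5:
            findings.append((path, line_no, "aws_secret_access_key"))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a {path: contents} snapshot, as a pre-commit hook or CI step would."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def ci_exit_code(files: Dict[str, str]) -> int:
    """Non-zero blocks the commit or pipeline; zero lets it through."""
    return 1 if scan_repo(files) else 0


# Constructed repository snapshot. The credential values are AWS's documented
# example pair, not a live credential.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Provide AWS_SECRET_ACCESS_KEY via the environment, never in the repo.\n",
    "deploy/vars.yml": "aws_secret_access_key: " + "x" * 40 + "\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print("%s:%d: %s" % finding)
    raise SystemExit(ci_exit_code(SAMPLE_FILES))
```

Run as a pre-commit hook, a non-zero exit stops the commit that would have put the key into history; the same function wired into the pipeline catches anything that slipped past a developer's machine. Pattern matching finds the well-known key formats, and the entropy check keeps documentation placeholders from flooding the output.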

Equifax

143 million SSN

Hack
Besides amassing data on nearly every American adult from Equifax, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: they were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value. Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered.

How
Equifax was exposed due to a lone employee's error, says former CEO Richard Smith. CERT notifications on Apache Struts flaws went unheeded: the IT team failed to deploy patches and scan for lingering vulnerabilities, and the compromised data was not encrypted. It is also believed that the hackers may have had help from an Equifax insider.

Mitigation
The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform. Equifax confirmed that attackers entered its system through a web-application vulnerability in May of 2017 that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.
 
Experts point to an Equifax web portal for handling credit-report disputes from customers in Argentina that used the embarrassingly inadequate credentials "admin/admin." Ongoing discoveries such as these increasingly paint a picture of negligence—especially in Equifax's failure to protect itself against a known flaw with a ready fix.

Google Plus

496,951 Records Stolen

Hack

496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access. 

How

A security bug allowed third-party developers to access Google+ user profile data from 2015 until Google discovered and patched it in March, but the company decided not to inform the world. When a user gave an app permission to access their public profile data, the bug also let those developers pull the user's and their friends’ non-public profile fields.

Mitigation

If Google+ had used EMS with ATA in place, they would potentially have been able to see the lateral movement of the hackers, which is not typical of their current environment. If Google+ had used OMS, they would have been able to see abnormal activities on their servers; OMS monitors inter-server communications and can detect abnormalities. Using network segmentation and modern workstation management, they would have been able to better isolate the compromised endpoint devices, making it hard to traverse the network to the places where critical information is kept. The system should not have had a path to where customer data was kept.

Use of JEA (Just Enough Administration) or multifactor authentication would have prevented this. As a result of this hack, technologies were developed to help mitigate these types of offences in the future. Google+ could have used monitoring systems such as Windows 10 and E5, which includes Windows Defender ATP. If the HVAC vendor had also used this, they would have detected the infection of their device and the potential breach and would have alerted Google+. Isolation of network segments could also have prevented the cross-system infection. By leveraging ServiceNow, Google+ could have had a more robust incident response process.

Panama Papers

11.5M Records Stolen

Hack

In early April 2016, the International Consortium of Journalists leaked a wealth of sensitive documents known as the Panama Papers. The leak consisted of 2.6 terabytes of data from the Panamanian law firm Mossack Fonseca and linked 140 world leaders from more than 50 companies to secret offshore accounts in 21 different tax havens. Hackers broke into Mossack Fonseca's systems through its website, which was running an outdated and vulnerable version of WordPress 4.1.

How

There is limited information on "how" the Panama Papers were hacked, with the exception that an "email server" was compromised. Some researchers have also suggested that older versions of WordPress / Drupal were to blame for the initial access.

Mitigation

The mitigating factors for this are very similar to the other scenarios, especially the ability to spot lateral movement within the network and security around endpoints.

Hollywood Presbyterian

Personal Records Compromised

Hack

In February 2016, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists’ demands and paid the equivalent of $17,000 in Bitcoin.

How

The hackers used a type of malware to capture access to critical information in the application infrastructure. This ultimately prevented IT administrators and end users from accessing critical systems until the incident was resolved. The ability to recover quickly was unavailable as a mitigating factor, which caused the hospital to give in to some of the demands.

Mitigation

In addition to client-side protections (such as Defender ATP) to mitigate the risk and server-side mitigations (such as OMS), the organization's gap was an inability to recover the critical systems and data without giving in to the hackers. This is very common, as recovery is expensive. Newer recovery systems such as Azure Site Recovery, or more real-time backup solutions built into SQL, etc., could have enabled recovery with little downtime and without the need to risk paying the hackers.


DNC

*Unknown

How

Relied on CrowdStrike, which was executed through the back door using PowerShell. This allowed the hackers to launch malicious code after a certain period of time so they could connect to the system and transfer out information without detection. At campaign rallies, hackers used a "pineapple" to hack cell phones and other devices to get access to authentication data and passwords.

Mitigation

For the data center hack, if they had been leveraging OMS, there would have been a feature to detect malicious activity on their servers; this activity would have been detected due to the payload they were using on the server. For the Wi-Fi hack, they should have moved away from pre-shared keys to certificate-based Wi-Fi. The pineapple allowed the attackers to set up a fake network to which people connected unknowingly, surrendering all of the information flowing through that network.

Anthem

80M Records

Hack

In January 2015, hackers broke into the health insurance giant’s records and pillaged names, Social Security numbers and other sensitive information for up to 80 million customers.

How

In this case, the information was retrieved from unencrypted fields in a database by leveraging an existing administrator's credentials. The administrator credentials were used to bypass security protocols. The intruder was present for an extended period before the IT organization noticed the database had been compromised. Assuming additional controls were placed around the users, database encryption could be used to limit access to sensitive information.

Mitigation

This hack reinforces the importance of separation of administrative access from normal user access, increased scrutiny around administrator accounts, and JEA (Just Enough Administration) techniques to limit access. Monitoring servers through tools like OMS, and authentication with ATA, would help identify the lateral movement and look for "non-typical" authentications, which could also be used to detect these scenarios.

JP Morgan Chase

76M Records

Hack

The largest bank in the nation was the victim of a high-profile cyberattack during the summer of 2014. The breach compromised the data of 76 million households—more than half of all U.S. households—and 7 million small businesses. 

How

Hackers stole the login credentials of an employee, allowing access to the internal network. The bank did not use two-factor authentication on the channel used by the attackers. After gaining access, the attackers were able to reach over 90 servers over an extended period of time.

Mitigation

This hack reinforces the importance of strong password controls, particularly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometrics, and text-based two-factor auth. The presence of technologies for monitoring authentications, such as ATA and OMS, would have helped detect the unusual activity.
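Both the Anthem and JP Morgan Chase entries above recommend monitoring for "non-typical" authentications and lateral movement. The Python below is an added example, not code from this page, from ATA or from OMS, of the two detections that would have mattered in those cases: one account fanning out to many servers in a short window (the 90 servers at JP Morgan), and an administrator account logging on from a source it has never used (the reused admin credentials at Anthem). The log format, the sample lines, the admin list and the baseline are all constructed for the example; the window and host-count thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format: one logon attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_fan_out(events: List[dict], max_hosts: int = 5,
                   window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str, int]]:
    """One account successfully reaching more than max_hosts distinct servers
    inside `window`. A person touches a handful of servers; stolen credentials
    get walked across many."""
    alerts = []
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        recent: deque = deque()          # sliding window of this user's logons
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            hosts = {r["dst"] for r in recent}
            if len(hosts) > max_hosts:
                alerts.append((user, "fan_out", len(hosts)))
                break                    # one alert per account opens the case
    return alerts


def detect_new_admin_source(events: List[dict], admins: Set[str],
                            baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """An administrator account logging on from a source host that is absent
    from that account's historical baseline."""
    alerts = []
    seen = set()
    for e in events:
        if e["user"] in admins and e["src"] not in baseline.get(e["user"], set()):
            key = (e["user"], e["src"])
            if key not in seen:          # report each new (admin, source) pair once
                seen.add(key)
                alerts.append((e["user"], "new_admin_source", e["src"]))
    return alerts


def run(lines: List[str], admins: Set[str], baseline: Dict[str, Set[str]],
        max_hosts: int = 5) -> list:
    events = [e for e in map(parse_line, lines) if e]
    return detect_fan_out(events, max_hosts) + detect_new_admin_source(events, admins, baseline)


# Constructed sample: jdoe behaves normally, svc_backup sweeps six servers in
# six minutes, and dbadmin appears from a host that is not in its baseline.
SAMPLE_LOG = [
    "2015-01-10T02:00:01Z user=jdoe src=10.0.1.20 dst=mail01 result=success",
    "2015-01-10T02:05:30Z user=jdoe src=10.0.1.20 dst=fileshare01 result=success",
    "2015-01-10T02:10:00Z user=dbadmin src=10.0.9.77 dst=db-members01 result=success",
    "2015-01-10T02:10:05Z user=dbadmin src=10.0.9.77 dst=db-members01 result=success",
    "2015-01-10T02:11:00Z user=svc_backup src=10.0.9.77 dst=srv01 result=success",
    "2015-01-10T02:12:00Z user=svc_backup src=10.0.9.77 dst=srv02 result=success",
    "2015-01-10T02:13:00Z user=svc_backup src=10.0.9.77 dst=srv03 result=failure",
    "2015-01-10T02:14:00Z user=svc_backup src=10.0.9.77 dst=srv03 result=success",
    "2015-01-10T02:15:00Z user=svc_backup src=10.0.9.77 dst=srv04 result=success",
    "2015-01-10T02:16:00Z user=svc_backup src=10.0.9.77 dst=srv05 result=success",
    "2015-01-10T02:17:00Z user=svc_backup src=10.0.9.77 dst=srv06 result=success",
]
ADMINS = {"dbadmin"}
BASELINE = {"dbadmin": {"10.0.1.5"}}   # constructed: the only host dbadmin has used before

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG, ADMINS, BASELINE):
        print(alert)
```

Both detections need only successful logons with a timestamp, account, source and destination, which every domain controller or auth proxy already records; the baseline is built from the same feed over a quiet period. Neither rule inspects payloads, so they fire on the credential reuse itself, whatever the intruder does afterwards.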

Yahoo (2016)

*Unknown

Hack

In September 2016, Yahoo disclosed an enormous 500 million-account breach. Hackers used forged cookies to bypass security protections and access users’ accounts without a password. Yahoo says that it believes this situation is connected, at least in part, to allegedly state-sponsored hackers.

How

Hackers were able to access a critical system within Yahoo's network responsible for account management. This access allowed the hackers to perform "cookie minting" to facilitate access to accounts across Yahoo's offerings and to persist for over a year inside the network, until they were discovered in 2016.

Mitigation

This could have been mitigated through technologies like OMS (detecting malicious activity on servers and abnormal communication between servers), ATA (detecting abnormal authentication), and network segmentation (preventing lateral movement). The presence of a more sophisticated incident response process might also have allowed better detection over time. Finally, JEA (Just Enough Administration), multi-factor authentication to critical systems, and jump servers for administration networks would have made a substantial difference. The idea of "redeployability", regularly bringing systems back into the correct state using declarative infrastructure, also would have made a difference, especially if it put in place additional security controls.
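The Facebook entry (access tokens minted while rendering a "View As" preview) and the Yahoo entry (forged cookies minted from a compromised account-management system) are both failures of token issuance and integrity. The Python below is an added example, not code from this page or from either company, of the properties a session token needs so that it cannot be forged or silently re-scoped: an HMAC over the claims under a server-held key, an expiry that bounds how long a stolen cookie stays useful, and a preview token that stays bound to the authenticated viewer with a read-only scope rather than becoming a full-privilege token for the account being previewed. The key, claim names, scopes and helper functions are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-held signing key (constructed here; in production it lives in a
# secrets store). Without it no one can produce a valid signature, and
# rotating it invalidates every cookie minted before the rotation.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scope: str, key: bytes,
               now: Optional[int] = None, ttl: int = 3600) -> str:
    """Issue claims.signature: the authenticated principal, a scope and an
    expiry, with the HMAC binding all three to the server key."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(signature)}"


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):   # constant-time compare
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def view_as_token(viewer: str, target: str, key: bytes, now: int) -> str:
    """Token for rendering a 'view as <target>' preview. The subject stays the
    authenticated viewer and the scope is a short-lived read-only preview; it
    is never a full-privilege token for the account being previewed."""
    return mint_token(viewer, f"preview:{target}", key, now, ttl=300)


def can_act_as(claims: Optional[dict], account: str) -> bool:
    """Only a full-scope token whose subject is `account` may act on it."""
    return bool(claims) and claims["sub"] == account and claims["scope"] == "full"


def tampered_token(token: str, new_subject: str) -> str:
    """Rewrite the subject but keep the original signature: what an unsigned
    cookie would let through, and what verify_token must reject."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_subject
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig_b64}"
```

Two design points follow from the cases above. The signing key is the crown jewel: a server that can mint cookies for any account (the Yahoo case) is exactly as sensitive as the account database, so it belongs behind JEA, multi-factor authentication and a jump server, and the key is rotated on any suspicion of compromise, which is what turns "persist for over a year" into "locked out at the next rotation". And any feature that renders one account as seen by another must issue a token for the viewer, not the viewed, which is the check the View As preview lacked.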

Source

https://www.bloomberg.com/news/articles/2017-03-16/here-s-how-russian-agents-hacked-500-million-yahoo-users