The Worst Corporate Hacks

From Operation Shady RAT to Red October to WannaCry, hacks occur every day worldwide. Some of the largest and most influential companies have fallen victim to cyber-attack.


We’ve assembled this Top 10 list together with an analysis of how the hackers infiltrated the systems and the damage caused. Additionally, we’ve included discussions of the practical measures to resolve or mitigate the risks, identifying key technologies your organization can use to protect itself from falling victim to the next hack.

Uber

57 million users

Hack
Malicious actors stole personal data on hundreds of thousands of Uber drivers and 57 million Uber users. The company allegedly covered up the breach for one year and reportedly paid the attackers $100,000 to keep quiet.

How
According to new CEO Dara Khosrowshahi, the Uber breach was due to two malicious actors accessing "a third-party cloud-based service" (reportedly GitHub and Amazon Web Services (AWS)) in late 2016 and downloading files containing names and driver's license information on 600,000 U.S. Uber drivers, as well as other personal information, including addresses and phone numbers, for 57 million Uber customers from around the world.

Mitigation
This is an example of the necessity of modern development practices with automated testing (especially automated security testing), for example Visual Studio Team Services in conjunction with external tests using Application Insights and other external testing tools. If the additional development work had been built into the system to include automated testing and release, the attack could have been prevented. This is also an example of an organization choosing to build its own user identity solution rather than leveraging something like Azure AD B2C, which would mitigate issues like this.
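
The Uber entry describes credentials in a third-party code repository being used to reach cloud storage, and the mitigation calls for automated security testing in the release pipeline. The following is an added example, not code from the original page or from Uber or Microsoft: a minimal secret-scanning gate of the kind a CI job would run over each commit. The patterns, the allow-list marker and the sample repository contents are constructed for illustration; the AWS values are the example credentials from AWS's own documentation, not real keys.

```python
import re
import sys
from typing import Dict, List, Tuple

# Patterns for material that must never be committed. The AWS access key ID
# format (AKIA followed by 16 upper-case alphanumerics) is AWS's documented
# format; the remaining patterns are generic header/keyword matches.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Lines carrying this (constructed) marker are deliberate placeholders
# (documentation, fixtures) and are skipped; reviewers can grep for it.
ALLOW_MARKER = "secret-scan:allow"

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit in a single file's content."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory map of path -> content (a CI job would read the diff)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def ci_exit_code(files: Dict[str, str]) -> int:
    """Non-zero when anything was found, so the pipeline fails the build."""
    return 1 if scan_files(files) else 0


# Constructed sample repository. The AWS values are the example credentials
# from AWS's own documentation, not real keys.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "# constructed sample file\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedplaceholder\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/db.py": (
        "import os\n"
        'password = os.environ["DB_PASSWORD"]  # read from the environment, not committed\n'
    ),
    "docs/example.md": (
        'password = "replace-me-before-use"  # secret-scan:allow\n'
    ),
}

if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {name}")
    sys.exit(ci_exit_code(SAMPLE_FILES))
```

The gate is deliberately simple: it fails the build on any hit and leaves the decision to a human, because a committed key has to be revoked and rotated regardless of whether the commit is reverted. Reading secrets from the environment (the `app/db.py` sample) is the pattern that passes.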

Equifax

143 million SSN

Hack
Besides amassing data on nearly every American adult from Equifax, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value. Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered. 

How
Equifax was exposed due to a lone employee's error, says former CEO Richard Smith. CERT notifications on Apache Struts flaws went unheeded. The IT team failed to deploy patches and scan for lingering vulnerabilities, and the compromised data was not encrypted. It is also believed that the hackers may have had help from an Equifax insider.

Mitigation
The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform. Equifax confirmed that attackers entered its system through a web-application vulnerability in May of 2017 that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.
 
Experts point to an Equifax web portal for handling credit-report disputes from customers in Argentina that used the embarrassingly inadequate credentials "admin/admin." Ongoing discoveries such as these increasingly paint a picture of negligence, especially in Equifax's failure to protect itself against a known flaw with a ready fix.

Target

70M Records Stolen

Hack

In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.

How

Target was exposed through a partner relationship with an HVAC company. Hackers obtained the HVAC vendor's credentials and then leveraged them inside Target's systems to move around the environment before anyone acted, even though this activity had been detected earlier.

Mitigation

If Target had used EMS with ATA in place, they could potentially have seen the hackers' lateral movement, which was not typical of their environment. If Target had used OMS, they would have been able to see abnormal activities on their servers: OMS monitors inter-server communications and can detect abnormalities. Using network segmentation and modern workstation management, they would have been able to better isolate the compromised endpoint devices, making it hard to traverse the network to the places where critical information is kept. The compromised system should not have had a path to where customer data was kept.

Use of JEA (Just Enough Administration) or multifactor authentication would have prevented this. As a result of this hack, technologies were developed to help mitigate these types of offenses in the future. Target could have used monitoring systems such as Windows 10 E5, which includes Windows Defender ATP. If the HVAC vendor had also used this, they would have detected the infection of their device and the potential breach and would have alerted Target. Isolation of network segments could also have prevented the cross-system infection. By leveraging ServiceNow, Target could have had a more robust incident response process.

Panama Papers

11.5M Records Stolen

Hack

In early April 2016, the International Consortium of Journalists leaked a wealth of sensitive documents known as the Panama Papers. The leak consisted of 2.6 terabytes of data from the Panamanian law firm Mossack Fonseca, and linked 140 world leaders from more than 50 companies to secret offshore accounts in 21 different tax havens. Hackers broke into Mossack Fonseca's systems through their website, which was using an outdated and vulnerable version of WordPress 4.1.

How

There is limited information on "how" the Panama Papers were hacked, with the exception that an "email server" was compromised. Some researchers have also suggested that older versions of WordPress / Drupal were to blame for the initial access.

Mitigation

The mitigating factors for this are very similar to the other scenarios, especially the ability to spot lateral movement within the network and security around endpoints.

Hollywood Presbyterian

Personal Records Compromised

Hack

In February 2016, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists’ demands and paid the equivalent of $17,000 in Bitcoin.

How

The hackers used a type of malware to capture access to critical information in the application infrastructure. This ultimately prevented IT administration and end users from accessing critical systems until the incident was resolved. The ability to recover quickly was unavailable as a mitigating factor, which led the hospital to give in to some of the demands.

Mitigation

In addition to client-side protections (such as Defender ATP) and server-side mitigations (such as OMS) to reduce the risk, the organization's gap was an inability to recover the critical systems and data without giving in to the hackers. This is very common, as recovery is expensive. Newer recovery systems such as Azure Site Recovery, or more real-time backup solutions built into SQL and similar platforms, could have enabled recovery with little downtime and without the need to risk paying the hackers.

DNC

*Unknown

How

The DNC relied on CrowdStrike; the attack was executed through a back door using PowerShell. This allowed the hackers to launch malicious code after a certain period of time so they could connect to the system and transfer out information without detection. At campaign rallies, hackers used a "pineapple" to hack cell phones and other devices to get access to authentication credentials and passwords.

Mitigation

For the data center hack, if they had been leveraging OMS, there would have been a feature to detect malicious activity on their servers; the activity would have been detected due to the payload the attackers were using on the server. For the WiFi hack, they should have moved away from pre-shared keys and used certificate-based WiFi. The pineapple allowed the attackers to set up a fake network to which people connected unknowingly, surrendering all of the information flowing through that network.

Anthem

80M Records

Hack

In January 2015, hackers broke into the health insurance giant’s records and pillaged names, Social Security numbers and other sensitive information for up to 80 million customers.

How

In this case, the information was retrieved from unencrypted fields in a database using an existing administrator's credentials, which were used to bypass security protocols. The intruder was present for an extended period before the IT organization noticed the database had been compromised. Assuming additional controls were placed around the users, database encryption could have been used to limit access to sensitive information.

Mitigation

This hack reinforces the importance of separating administrative access from normal user access, increased scrutiny around administrator accounts, and JEA (Just Enough Administration) techniques to limit access. Monitoring servers through tools like OMS, and authentication with ATA, would help identify the lateral movement and flag "non-typical" authentications, which could also be used to detect these scenarios.
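
Both the Target and the Anthem mitigations above come down to the same detection problem: one account (a vendor's HVAC credentials, an administrator's credentials) suddenly authenticating to hosts it never touched before, in quick succession. The following is an added example, not code from the original page or from any of the products it names, showing the two heuristics such a tool applies to authentication logs. The log format, host names, account names, baseline and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    src: str
    dst: str
    result: str


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line:
    '2013-11-27T02:14:05 user=... src=... dst=... result=...'."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return AuthEvent(datetime.fromisoformat(ts_text),
                     kv["user"], kv["src"], kv["dst"], kv["result"])


def load_events(text: str) -> List[AuthEvent]:
    return [parse_line(line) for line in text.strip().splitlines()]


def fan_out_alerts(events: List[AuthEvent],
                   window: timedelta = timedelta(minutes=10),
                   max_hosts: int = 3) -> Dict[str, Set[str]]:
    """Flag accounts that authenticate to more than max_hosts distinct
    destinations inside any sliding window of the given length. Failed
    attempts count too: probing a host the account never used is a signal.
    Returns user -> every destination seen in an offending window."""
    by_user: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    alerts: Dict[str, Set[str]] = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {e.dst for e in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.setdefault(user, set()).update(hosts)
    return alerts


def baseline_alerts(events: List[AuthEvent],
                    baseline: Dict[str, Set[str]]) -> List[AuthEvent]:
    """Return events where an account reached a host outside its learned
    baseline (a vendor service account leaving its HVAC controllers)."""
    return [e for e in events if e.dst not in baseline.get(e.user, set())]


# Constructed sample log. svc_hvac normally talks only to hvac-ctrl-01; the
# burst at 02:14-02:19 is the lateral movement the Target write-up describes,
# including a hop launched from a host it had just reached (src=fileserver-07).
SAMPLE_LOG = """
2013-11-27T01:00:10 user=jdoe src=ws-042 dst=mail-01 result=success
2013-11-27T01:05:22 user=jdoe src=ws-042 dst=fileserver-07 result=success
2013-11-27T01:40:03 user=svc_hvac src=ws-vendor-01 dst=hvac-ctrl-01 result=success
2013-11-27T02:14:05 user=svc_hvac src=ws-vendor-01 dst=hvac-ctrl-01 result=success
2013-11-27T02:15:11 user=svc_hvac src=ws-vendor-01 dst=fileserver-07 result=success
2013-11-27T02:16:40 user=svc_hvac src=ws-vendor-01 dst=pos-srv-12 result=failure
2013-11-27T02:17:02 user=svc_hvac src=fileserver-07 dst=dc-02 result=success
2013-11-27T02:19:55 user=svc_hvac src=fileserver-07 dst=sql-01 result=success
2013-11-27T03:30:00 user=jdoe src=ws-042 dst=mail-01 result=success
"""

# Constructed baseline: the hosts each account is expected to reach.
BASELINE: Dict[str, Set[str]] = {
    "svc_hvac": {"hvac-ctrl-01"},
    "jdoe": {"mail-01", "fileserver-07"},
}

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for user, hosts in fan_out_alerts(events).items():
        print(f"fan-out alert: {user} reached {sorted(hosts)} within 10 minutes")
    for ev in baseline_alerts(events, BASELINE):
        print(f"baseline alert: {ev.user} -> {ev.dst} at {ev.ts.isoformat()} ({ev.result})")
```

Either rule alone fires on the vendor account here; in practice the baseline rule catches the first unexpected host while the fan-out rule is what separates an analyst visiting a new server from an intruder sweeping the network.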

JP Morgan Chase

76M Records

Hack

The largest bank in the nation was the victim of a high-profile cyberattack during the summer of 2014. The breach compromised the data of 76 million households—more than half of all U.S. households—and 7 million small businesses. 

How

Hackers stole the login credentials of an employee, allowing access to the internal network. The bank did not use two factor authentication through the channel used by the attackers. After gaining access, the attackers were able to access over 90 servers over an extended period of time.

Mitigation

This hack reinforces the importance of strong password controls, particularly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometrics, and text-based two-factor auth. The presence of technologies for monitoring authentications, such as ATA and OMS, would have helped detect the unusual activity.
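
The JP Morgan Chase write-up turns on a single channel that accepted a stolen password alone. As an added example, not code from the original page or from the bank, here is the server side of the most common second factor, a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226), including the two details a naive implementation gets wrong: a small clock-skew window so a code generated a few seconds late still works, and replay protection so a code captured in transit cannot be submitted a second time. The secret below is the RFC test-vector key, used only so the outputs can be checked against the published tables.

```python
import hashlib
import hmac
from typing import Optional, Set


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side check with a clock-skew window and replay protection:
    a counter value that already produced a successful login is never
    accepted again, even if the same code is presented within the window."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 window: int = 1) -> None:
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of skew
        self.used_counters: Set[int] = set()

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        matched: Optional[int] = None
        # Check every slot in the window rather than returning early, so the
        # response time does not reveal which slot (if any) matched.
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate < 0:
                continue
            expected = hotp(self.key, candidate, self.digits)
            if (hmac.compare_digest(expected.encode(), code.encode())
                    and candidate not in self.used_counters):
                matched = candidate
        if matched is None:
            return False
        self.used_counters.add(matched)
        return True


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and stores it
# server-side, never in source.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET, digits=8)
    code = totp(TEST_SECRET, 59, digits=8)
    print("code at t=59:", code)                      # 94287082 per RFC 6238
    print("first use:", verifier.verify(code, 59))    # True
    print("replay:", verifier.verify(code, 59))       # False
```

The `used_counters` set must be persisted per user (and pruned as counters age out of the window) so the replay check survives across server instances; in memory it only illustrates the rule.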

The Home Depot

56M Records

Hack

The Home Depot admitted in September 2014 that hackers had used malware to break into the company’s system and had exposed 56 million debit and credit cards.

How

Hackers installed malware (BlackPOS) on self-checkout payment systems, then moved laterally within the Home Depot network. The malware siphoned data off credit cards as they were swiped, exposing over 40,000,000 credit cards of Home Depot customers. The card numbers were then re-sold through the same agency that sold the information from Target.

Mitigation

This hack reinforces how important endpoint security is. Many businesses have critical endpoints (cash registers, manufacturing floor) which are woefully behind, either running completely unsupported operating systems with rampant security flaws or not properly maintained or secured. In this case, a declarative, re-deployable operating system that could re-deploy the intended state, as well as the presence of technology like Defender ATP, would have mitigated this risk. Limiting the ability to install software on uncontrolled endpoints and removing non-essential platform components through declarative configuration would also help.

Source

http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

Yahoo (2016)

*Unknown

Hack

In September 2016, Yahoo disclosed an enormous 500 million-account breach. Hackers used forged cookies to bypass security protections and access users’ accounts without a password. Yahoo says that it believes this situation is connected at least in part to allegedly state-sponsored hackers.

How

Hackers were able to access a critical system within Yahoo's network responsible for account management. This access allowed them to perform "cookie minting", forging valid session cookies, to gain access to accounts across Yahoo's offerings and to persist for over a year inside the network until discovered in 2016.

Mitigation

This could have been mitigated through technologies like OMS (detecting malicious activity on servers and abnormal communication between servers), ATA (detecting abnormal authentication), and network segmentation (preventing lateral movement). The presence of a more sophisticated incident response process might also have allowed better detection over time. Finally, JEA (Just Enough Administration), multi-factor authentication to critical systems, and jump servers for administration networks would have made a substantial difference. The idea of "redeployability", regularly bringing systems back into the correct state using declarative infrastructure, also would have made a difference, especially if it put additional security controls in place.

Source

https://www.bloomberg.com/news/articles/2017-03-16/here-s-how-russian-agents-hacked-500-million-yahoo-users
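
The Yahoo entry above describes "cookie minting": whoever controls the account-management system can produce session cookies that the rest of the service accepts as proof of login. The following is an added example, not code from the original page or from Yahoo, showing why that is the crown jewel and what a verifier needs to check. A session cookie is only as strong as the signing key; if the key stays private, a cookie with an altered user or a cookie signed with no key fails verification, and rotating the key out of the verifier's key set invalidates every cookie minted under it, which is the recovery step after a minting system is compromised. The key ids, key bytes, payload field names and time values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed signing keys, indexed by key id so keys can be rotated without
# logging everyone out at once. In production these live in a secrets
# store (ideally an HSM), never in source.
SIGNING_KEYS: Dict[str, bytes] = {
    "k1": b"constructed-key-one-replace-in-production",
    "k2": b"constructed-key-two-replace-in-production",
}


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_payload(payload: dict) -> str:
    """Canonical (sorted-key) JSON, base64url without padding."""
    return _b64encode(json.dumps(payload, sort_keys=True).encode())


def mint_cookie(user: str, now: int, ttl: int, kid: str,
                keys: Dict[str, bytes] = SIGNING_KEYS) -> str:
    """Legitimate minting: <payload>.<HMAC-SHA256 over payload> with key kid.
    'sub' is the subject (user), 'exp' the expiry as a Unix time."""
    body = encode_payload({"sub": user, "exp": now + ttl, "kid": kid})
    sig = hmac.new(keys[kid], body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_cookie(cookie: str, now: int,
                  keys: Dict[str, bytes] = SIGNING_KEYS) -> Optional[str]:
    """Return the user the cookie proves, or None if it is malformed, signed
    with an unknown or rotated-out key, forged (signature mismatch), or expired."""
    try:
        body, sep, sig = cookie.rpartition(".")
        if not sep:
            return None
        payload = json.loads(_b64decode(body))
        key = keys.get(payload["kid"])
        if key is None:
            return None                      # key rotated out: cookie is dead
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                      # tampered payload or no key
        if int(payload["exp"]) <= now:
            return None                      # expired
        return str(payload["sub"])
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    cookie = mint_cookie("alice", now=1000, ttl=3600, kid="k1")
    print("valid:", verify_cookie(cookie, now=2000))                 # alice
    after_rotation = {k: v for k, v in SIGNING_KEYS.items() if k != "k1"}
    print("after rotating k1 out:", verify_cookie(cookie, now=2000, keys=after_rotation))  # None
```

The "kid" field is what makes rotation operational: new cookies are minted under "k2" while "k1" is still accepted for their remaining lifetime, and dropping "k1" from the verifier's set is the one-line response if minting under it is ever suspected.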
