This blog post was contributed by Cameron Smith, Principal Security Engineer at The Missing Link. 


There’s no doubt about it: this year has been a huge one for cybercriminals. Several high-profile data breaches have been discovered and reported in the media, in a huge wake-up call for businesses that might not already be taking their cyber security controls seriously.

Some of the most infamous breaches of this year include the unauthorised access of Uber’s internal networks, the theft of Rockstar’s Grand Theft Auto 6 intellectual property (including the game’s source code), and the Optus hack, which compromised the personal information of 9.8 million Aussies. That is not to mention the more recent notifications from Medibank and Australian Clinical Labs that more sensitive Aussie data has been accessed and exposed.

I’m a Principal Security Engineer at The Missing Link, and I lead our Security Engineering team. We work to protect businesses from attacks like these every day. In this blog post, I’ll share the who, what, when, where, and why of these breaches. Then, I’ll discuss what your business can learn from them, whether that means getting the basics right or drilling down to thoroughly reinforce and test your controls.

So, let’s dive in. 

Optus’ monumental data breach 


The background 

Let’s address the elephant in the room. Optus’ recent data breach has been labelled the most significant in Australian history. An allegedly unsecured API meant that the attacker could request customer records without a password or any other form of identity verification, exposing the valuable personal information of 9.8 million Australians. Unfortunately, the data of over 10,000 of these victims has already been exposed.

The consequences 

The fallout from the Optus data breach has been far-reaching. Among the repercussions are an active Federal Government investigation and a program to remediate the cost of replacing identity documents, so it’s difficult to ascertain what the final cost and outcome might be.

The way forward 

The best way to describe the Optus data breach is leaving the spare keys to your house hanging off the front door and wondering how someone broke in. To avoid a similar fate, it’s important to invest in the basics of web application security and focus on getting them right. That includes engaging service providers for regular penetration tests, ensuring you have appropriate authentication AND authorisation controls in place for your APIs, and conducting vulnerability scans on your environment. 
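To make the “authentication AND authorisation” point concrete, here is an added example (not Optus code, and not part of the original post) showing a record-lookup endpoint with no checks beside a hardened version; the customer records, the API secret and the token format are all constructed for illustration.

```python
"""Added example: an unauthenticated record lookup beside a version that
enforces authentication and object-level authorisation (constructed data)."""
import hashlib
import hmac
from typing import Optional

# Constructed sample data; not real customer records.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1990-01-01", "licence": "REDACTED-1"},
    1002: {"name": "B. Example", "dob": "1985-05-05", "licence": "REDACTED-2"},
}
API_SECRET = b"demo-secret-do-not-use"  # constructed; keep real keys in a secret store


class Forbidden(Exception):
    pass


def vulnerable_lookup(customer_id: int) -> dict:
    """Pattern to avoid: anyone who can reach the endpoint can read any record,
    and sequential IDs make bulk enumeration trivial."""
    return CUSTOMERS[customer_id]


def issue_token(customer_id: int) -> str:
    """Mint a session token bound to one customer (HMAC over the id).
    Assumed to be handed out only after the customer has logged in."""
    tag = hmac.new(API_SECRET, str(customer_id).encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def authenticate(token: str) -> int:
    """Return the customer id the token was issued for, or raise Forbidden."""
    try:
        subject, tag = token.split(".", 1)
    except ValueError:
        raise Forbidden("malformed token")
    expected = hmac.new(API_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise Forbidden("bad signature")
    return int(subject)


def hardened_lookup(token: Optional[str], customer_id: int) -> dict:
    """Authenticate the caller, then authorise: a caller may only read
    their own record (object-level authorisation), never an arbitrary id."""
    if not token:
        raise Forbidden("authentication required")
    caller = authenticate(token)
    if caller != customer_id:
        raise Forbidden("not your record")
    return CUSTOMERS[customer_id]
```

Note that a valid token alone is not enough: the authorisation check is what stops one legitimate customer from walking through everyone else’s records.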

As remediation efforts continue, we hope the appropriate parties help impacted Aussies to re-secure their data and identities, and that meaningful policy change is enacted to mitigate future attacks of this scale.

Unauthorised access of Uber’s internal networks 


The background 

Uber’s alleged 18-year-old hacker (attributed to the LAPSUS$ group) announced on an employee Slack channel that they had accessed a colossal amount of the company’s internal network. How? Social engineering.

At this stage, it looks like they approached a company employee over WhatsApp, gained their password, and tricked them into approving a multi-factor authentication (MFA) push notification. After that, it was all a matter of discovering administrative credentials to their Privileged Access Management solution (PAM) – Uber's so-called ‘crown jewels’. You don’t often hear about attackers stumbling upon the keys to the kingdom like this, but so far it looks like no sensitive data from customers has been accessed or exploited. 

The consequences 

The breach appears to have had minimal impact on Uber’s operational services; however, the short-term cost of the remediation process and the apparent turnover in their security team will be high. In the long term, the reputational damage could be significant, as Uber hosts a significant amount of their users’ personal information, for example credit card numbers and trip history.

The way forward 

Uber’s response to its breach has been pretty textbook and helped remediate the breach. However, several things went wrong for Uber following the initial account compromise that we should talk about. Firstly, a well-configured and closely monitored SIEM, XDR or UEBA solution should have alerted after the numerous failed log-in attempts to the employee’s account (not to mention the subsequent log-ins to other accounts and devices within the network). 
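The alerting logic described above, as an added example (not Uber’s tooling and not part of the original post): a simple rule of the kind a SIEM or UEBA would run, flagging an account that approves an MFA push shortly after a burst of failed logins. The log format, the sample events and the thresholds are all constructed for this example.

```python
"""Added example: detect an MFA push approval that follows a burst of failed
logins on the same account (constructed log format and sample events)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp user event"
SAMPLE_LOG = """\
2022-09-15T21:01:05 alice login_failed
2022-09-15T21:01:09 alice login_failed
2022-09-15T21:01:14 alice login_failed
2022-09-15T21:01:20 alice login_failed
2022-09-15T21:01:26 alice login_failed
2022-09-15T21:03:40 alice login_success
2022-09-15T21:03:52 alice mfa_push_approved
2022-09-15T21:02:00 bob login_failed
2022-09-15T21:02:30 bob login_success
2022-09-15T21:02:41 bob mfa_push_approved
"""

FAIL_THRESHOLD = 5              # failed attempts that count as a burst (assumed)
WINDOW = timedelta(minutes=10)  # how far back from the approval to look (assumed)


def parse(log: str):
    """Yield (timestamp, user, event) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event


def detect_push_fatigue(log: str) -> dict:
    """Return, per flagged user, how many failed logins preceded the MFA push
    approval within WINDOW and when the approval happened."""
    by_user = defaultdict(list)
    for ts, user, event in parse(log):
        by_user[user].append((ts, event))
    alerts = {}
    for user, events in by_user.items():
        events.sort()  # events may arrive out of order across sources
        fails = [ts for ts, ev in events if ev == "login_failed"]
        for ts, ev in events:
            if ev != "mfa_push_approved":
                continue
            recent = [f for f in fails if ts - WINDOW <= f <= ts]
            if len(recent) >= FAIL_THRESHOLD:
                alerts[user] = {"failed_logins": len(recent), "approved_at": ts.isoformat()}
    return alerts
```

A real deployment would also correlate the approving device and source location with the failed attempts, but even this rule separates the single-typo case (bob) from the fatigue pattern (alice).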

From there, the big no-no was having admin credentials to their PAM solution saved in plain text on a shared drive. For context, most IT solutions have at least one default admin account that cannot be linked to a Single Sign-On (SSO) or MFA solution. These accounts must be kept under lock and key, have their password rotated frequently, and be disabled when no longer required. Uber had apparently missed this.

Finally, not all solutions need to be technical. A basic failure of user awareness was a large part of the initial breach, and strong security awareness training could have helped stop the intruder in their tracks before they gained access. Users are always both the last line of defence and the weakest link.

Rockstar’s intellectual property leak 


The background 

The same group claiming responsibility for Uber’s hack (LAPSUS$) also alleged that they breached video game developer Rockstar’s network during September. They subsequently leaked more than 50 minutes of unreleased Grand Theft Auto 6 footage, which they had found on the company Slack channel, to an online forum.

Finally, the hacker/s posted in the same forum asking to negotiate a deal with Rockstar to protect source code files which they had stolen but hadn’t yet exposed. Both Nvidia and Microsoft have had gigabytes of source code leaked in recent attacks, so Rockstar is in good company here. 

The consequences 

The leak of the game footage is sure to harm Rockstar’s marketing effort for the upcoming release of Grand Theft Auto 6 and cause some development downtime as Rockstar performs the remediation. Fortunately, it doesn’t sound like anything else was leaked, such as employee Personally Identifiable Information (PII). It's a solid assumption that the compromise was limited to Slack.

Additionally, there was a small drop in the stock price of Take-Two (Rockstar’s publisher), which has since partially recovered. Take-Two have released the following statement in an SEC filing: “At this time, Rockstar Games does not anticipate any disruption to its current services nor any long-term effect on its development timelines as a result of this incident."

The way forward 

There are a few ways you could protect your business from a breach similar to that of Rockstar and its counterparts at Microsoft and Nvidia. While it isn’t clear how the Rockstar employee’s account was compromised, the unusual behaviour of the account following the attacker’s login should have been identified by a managed SIEM and UEBA solution.

Given the leaked videos appear to have been downloaded from Rockstar’s Slack workspace, a Cloud Access Security Broker (CASB) could have prevented the attacker from accessing and downloading those files from an authorised source location.

The bottom line: Cyber security is essential for Aussie businesses

While each of these cyber security incidents was different, they all highlighted the importance of reinforcing cyber security for your business – no matter its level of maturity. 

We provide each of the security services listed above in a holistic offering designed to give your business the ultimate protection from compromise. If you’d like to take advantage of our expertise, reach out today.

Author

Cameron Smith

Principal Security Engineer