Data breaches can have many causes, but most of them boil down to an organization failing to do something or detect something they should have if they had been following security best practices.
Even so, these attacks can reveal a lot about the bad guys' tactics, techniques, and procedures, the state of malware, and developing trends on the threat horizon.
Many ransomware attacks, for instance, might have a similar root cause — like a fundraiser taking donor contacts to a new job or a user clicking on a malicious attachment and downloading malware onto their system. Yet today's ransomware attacks are very different from those of even a year ago. For example, many involve double- and triple-extortion schemes, in which attackers encrypt data and then use data theft and denial-of-service attacks as additional forms of leverage. As a result, both the impact of ransomware attacks and the responses they require are different today than they might have been just a year ago.
Similarly, while phishing continues to be one of the most common initial attack vectors, phishing schemes themselves have become a lot more sophisticated and targeted, with many attacks now combining the use of email, text messages, and phone calls.
Here's a look at some breaches or clusters of similarly themed attacks over the past year that served up (or resurfaced) some key lessons for security leaders.
Microsoft Exchange Server Attacks and the Research-Clustering Effect
A China-based threat actor tracked as the Hafnium Group, along with numerous other groups, carried out a wave of attacks on a set of four vulnerabilities in Microsoft Exchange Server earlier this year. Hafnium's attacks alone impacted some 30,000 organizations. Much of the attack activity targeting the so-called "ProxyLogon" vulnerabilities happened before Microsoft released a patch for the flaws in early March. The vulnerabilities sparked widespread concern because of the access they enabled attackers to gain on enterprise networks — and because of how many organizations were impacted by them.
Colonial Pipeline Attack Was a Warning for Industrial Networks
Few breaches this year rattled the industry or had as broad an impact as a ransomware attack in May on US gas pipeline operator Colonial Pipeline. The attack — by a Russian group called DarkSide — forced the company to completely shut down operations for a day while it tried to recover its systems. The shutdown triggered a temporary fuel shortage across some sections of the US East Coast.
The breach garnered much attention because it hammered home how a well-chosen cyberattack could cause chaos on a national scale. Moreover, it showed how some threat actors were capable and willing to inflict damage on critical infrastructure targets that adversaries previously have avoided hitting for fear of repercussions.
Accellion Breach Highlighted Importance of Software Assurance Practices
Several organizations, including general retailer Kroger, law firm Jones Day, the State of Washington, and security firm Qualys, were impacted in attacks earlier this year that exploited multiple vulnerabilities in a near-obsolete file-transfer appliance they were using from Accellion. The attacks resulted in sensitive data being stolen from many of the victims and later made available for sale via a Dark Web site operated by a Russia-based group called FIN1.
The Accellion attacks drew some comparisons to the breach at SolarWinds because they, too, involved a widely used technology from a trusted vendor. The vulnerabilities exploited in the Accellion attacks highlight the importance of continuous and robust software assurance, and the need for organizations to detect at least some components of an attack chain before full compromise.
VPN Attacks a Lesson on Need for Prompt Patching
Larger organizations need no reminders about the importance of prompt patching. Yet a wave of attacks on VPN devices from Pulse Secure — and, to a lesser extent, from Fortinet and others — showed that many are still not heeding that practice. The attacks mainly targeted security flaws in VPN devices that vendors had patched long ago.
The fact that many of these attacks appeared to be succeeding prompted broad concern from the Cybersecurity & Infrastructure Security Agency and others, because they impacted devices that organizations are using to secure remote access to their networks for work-from-home employees and others. One primary concern was that the privileged access the vulnerabilities afforded could allow attackers to gain a foothold on enterprise networks.
The VPN attacks also showed how the COVID-19-triggered move to a distributed work environment exposed more attack surfaces at many organizations and attracted more attention from adversaries. Targeted exploitation of highly privileged network equipment, in general, has increased as attackers look for new vulnerabilities in remote access infrastructure.
Kaseya Breach Highlighted New Levels of Threat Actor Sophistication
In July, numerous managed service providers (MSPs) using Kaseya's Virtual System Administrator (VSA) technology — and their customers — were impacted by a ransomware attack that a threat actor sneaked into their systems. The attackers successfully chained together a set of three vulnerabilities in Kaseya's remote management technology.
The attacks were noteworthy for their sheer sophistication and planning. It took the attackers just two hours to exploit the VSA servers at the MSP locations and deploy ransomware in a highly automated fashion on endpoints belonging to potentially thousands of their customers.
Socialarks Breach Highlighted Human Error Risks
Security researchers expect that most breaches that happen in the cloud over the next few years will result from avoidable misconfigurations and other user mistakes. One incident that highlighted the risks this year involved China's social media management company Socialarks.
In January, researchers from Safety Detectives reported discovering a database containing 408 GB of data, with profiles of some 214 million social media users that Socialarks had scraped from Facebook, LinkedIn, and Instagram. Safety Detectives found the data stored in an Elasticsearch database that was left exposed to the Internet without password protection or encryption. In addition, the exposed data included personally identifiable information, such as email addresses and phone numbers.
The compromise was one of many in recent years that resulted from human error. Numerous companies have exposed staggering volumes of data because of such mistakes.
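The Socialarks exposure described above follows a recognizable pattern: an Elasticsearch node bound to a network interface with authentication and TLS switched off. The script below is an added example (not code from the article, from Socialarks, or from Safety Detectives) that audits a flat elasticsearch.yml for that combination. The two configurations it checks, `WEAK_CONFIG` and `HARDENED_CONFIG`, are constructed samples, and the `audit_elasticsearch_config` and `is_publicly_unauthenticated` helpers are assumed names for this illustration; the setting keys themselves (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.transport.ssl.enabled`) are real Elasticsearch settings.

```python
"""Audit a flat elasticsearch.yml for the exposure pattern behind many
cloud data leaks: a node reachable from the network with authentication
and TLS disabled. Added example; standard library only. The parser handles
the flat `key: value` form that elasticsearch.yml normally uses."""
import ipaddress

# Constructed sample (assumed, not the real incident's file): the weak setup.
WEAK_CONFIG = """
cluster.name: marketing-scrape
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # REST API needs no credentials
xpack.security.http.ssl.enabled: false
"""

# Constructed sample: the hardened setup a defender would expect to find.
HARDENED_CONFIG = """
cluster.name: marketing-scrape
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines into a dict; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def _is_public_bind(host):
    """True when network.host would accept connections beyond loopback."""
    if host in ("_site_", "_global_", "0.0.0.0", "::", "0"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Non-IP values (interface names, other special tokens): only
        # Elasticsearch's `_local_` is known to mean loopback.
        return host != "_local_"


def audit_elasticsearch_config(text):
    """Return a list of human-readable findings for the given config text."""
    s = parse_flat_yaml(text)
    findings = []

    # Elasticsearch binds loopback only unless network.host says otherwise.
    host = s.get("network.host", "_local_")
    if _is_public_bind(host):
        findings.append(f"network.host={host}: node listens on non-loopback interfaces")

    sec = s.get("xpack.security.enabled")
    if sec == "false":
        findings.append("xpack.security.enabled=false: REST API accepts unauthenticated requests")
    elif sec is None:
        # The default flipped between major versions (off for a 7.x basic
        # license, on from 8.0), so an unset value must be verified.
        findings.append("xpack.security.enabled unset: default is version dependent, verify")

    for key in ("xpack.security.http.ssl.enabled",
                "xpack.security.transport.ssl.enabled"):
        if s.get(key, "false") == "false":
            findings.append(f"{key}=false: traffic on this channel is unencrypted")
    return findings


def is_publicly_unauthenticated(text):
    """The critical combination: reachable from the network AND no authentication."""
    s = parse_flat_yaml(text)
    exposed = _is_public_bind(s.get("network.host", "_local_"))
    return exposed and s.get("xpack.security.enabled") == "false"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] publicly unauthenticated: {is_publicly_unauthenticated(cfg)}")
        for finding in audit_elasticsearch_config(cfg):
            print("  -", finding)
```

Running the script against the weak sample reports four findings and flags it as publicly unauthenticated; the hardened sample produces none. The check is deliberately conservative: an unset `xpack.security.enabled` is reported for verification rather than assumed safe, because the default changed between Elasticsearch 7.x and 8.0.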