The first quarter of 2023 is now in the rearview, and already a few big names have fallen victim to cyberattacks. While it remains true that cybercriminals are becoming more advanced in their tactics, the top attacks of Q1 were relatively unsophisticated. Tried-and-true methods like phishing, social engineering, and credential-stuffing all played a role, reminding us of the importance of good cyber hygiene and basic security best practices. These include enforcing the principle of least privilege, validating user identities before granting access, and using multi-factor authentication (MFA).
T-Mobile has a less-than-pristine record when it comes to cyberattacks, having disclosed 18 incidents since 2018. Most recently, in November of 2022, an unauthorized actor leveraged a T-Mobile API to collect customer information including names, home addresses, and phone numbers for some 37 million customers. T-Mobile wasn’t aware of this latest incident until January 2023 but claims to have remediated the issue within a day of discovering it.
While the unauthorized activity wasn’t detected for more than a month, this was not an elaborate attack and at least one publication claims “T-Mobile’s latest customer data breach wasn’t a ‘hack’” at all. Indeed, there was no need to hack any systems because T-Mobile effectively left the door open by failing to secure their API. This allowed the perpetrator to simply connect and grab the freely available data.
It goes without saying that T-Mobile needs to properly secure their API. The best option from a security perspective would be to follow the principle of least privilege and enable access only for those who need it to do their jobs.
However, it is possible that T-Mobile intended for its API to be accessible to the broader developer community. Still, some basic security precautions like identity verification, ideally including MFA, need to be put in place. Every user, whether internal or external, wishing to access the API should be required to show a legitimate reason for connecting to the API (or any other resource). For external or other potentially risky connections, a zero-trust access solution could also record sessions and provide auditing capabilities for faster detection of suspicious activity.
In January, MailChimp suffered a breach after hackers gained access to employee credentials through a social engineering attack on MailChimp staff and contractors.
The attack was first detected in January when MailChimp noticed an unauthorized user accessing its customer support and admin tools. The actors accessed the data of 133 MailChimp customers, including the WooCommerce ECommerce plugin for WordPress. WooCommerce then had to email its own customers warning them that the MailChimp breach had exposed their names, store URLs, and email addresses.
If this breach is anything like previous MailChimp breaches, the data may later be used in further social engineering attacks on end users.
Social engineering isn’t going away anytime soon, but MailChimp can limit the possibility for damage by enforcing zero-trust access for all employees and contractors. Even if a perpetrator succeeds in their social engineering attack on a single user, zero trust would prevent lateral movement and make it much less likely that the attacker could reach admin tools. In fact, they would not even be able to even see which assets exist in the network, which is cloaked in the zero-trust model.
In addition, it’s worth emphasizing that WooCommerce and their customers also suffered harm in this attack despite not even being the initial target. WooCommerce simply uses MailChimp as a third-party vendor – but in today’s cyberthreat landscape that is enough to put them at risk. It is therefore crucial to have the proper security measures in place, like zero-trust access, to protect your own organization even if one of your suppliers or vendors is breached.
In January, Guildford County Schools detected an intrusion into its network. The Vice Society ransomware group stole hundreds of files and posted the records on their leak site. The files likely contain sensitive internal documents with information about at-risk students.
This comes after a possibly-related cyberattack the week before, which affected the school’s IT and phone systems. The incident continues a spate of attacks on U.K. schools targeting highly confidential data.
Schools often run on outdated systems and software, and they regularly lack the IT resources and expertise to effectively secure their networks. Simply put, an expensive, disruptive overhaul of IT systems is simply not possible for most school districts. The good news is that an advanced zero-trust access solution like Cyolo can enable the Guildford County Schools to extend modern security protocols like MFA and single sign-on (SSO) to their legacy systems with minimal change management or disruption.
Beyond this, zero-trust access provides an excellent defense against ransomware. In the zero-trust model, each user is connected only to the systems they need and not to the full network. Even if an attacker manages to get access and infect one user with ransomware, its ability to spread - and thus to wreak havoc for the organization – would be substantially limited. Stealing confidential information like student records would also be more difficult, because the principle of least privilege would prevent most users from having access to this sensitive data.
As Microsoft defends its $69 billion acquisition of Activision against EU antitrust regulations, Activision confirmed in February that attackers breached the company’s systems last year and exfiltrated employee data and information about unreleased game content.
The breach was enabled by a successful SMS phishing attack on a privileged Human Resources team member. The threat actor also attempted to phish other employees who did not fall for the ploy; however, the would-be victims did not report the attempt to Activision’s Information Security Team.
This is another incident that reveals the importance of enforcing least privilege access, a key pillar of zero-trust security. Organizations should ensure that their users have access to the assets and resources needed to do their jobs - and nothing more. Least privilege access not only prevents authorized users from accidental informational leaks but also restricts the amount of damage intruders can cause. Coupled with lateral movement prevention, least privilege access goes a long way toward keeping a data breach from becoming a massive, reputation-destroying security incident.
In the particular case of Activision, it’s also worth pointing out that the compromised account was that of a privileged user. While it’s not immediately clear whether an HR employee should have access to unreleased game content (again, a problem that least privilege access can solve), there is no denying that HR departments do require access to sensitive employee details and other confidential company information. Users who access particularly sensitive data are considered high-risk and should be among the first to have their accounts secured with zero-trust access. A zero-trust access solution like Cyolo can also extend additional protections for privileged or high-risk users, including session recording and real-time session monitoring to detect unusual or anomalous behavior.
Between December 2022 and February 2023, threat actors nicked data from over 70,000 Chick-Fil-A loyalty accountsusing an automated credential-stuffing attack. Credential stuffing is when attackers use usernames and passwords exposed in earlier data breaches to try and log in to widely-used applications. They hope users are lazy enough to use weak passwords across multiple services.
Unfortunately, they’re often right. Verizon’s 2022 Data Breach Investigations Report shows that bad password hygiene is a leading contributor to breached businesses.
MFA is a security best practice and an essential part of most zero-trust access solutions. By requiring MFA as part of its loyalty program sign-in process, Chick-Fil-A could limit the ability of cybercriminals to use stolen passwords to access customer accounts. Credentials from previous breaches become much less useful when an attacker also needs to provide a second factor of authentication, such as a one-time password or a biometric measure. Many threat actors will simply move on to an easier target that has not implemented strong authentication.
MFA is also a requirement of many compliance regulations, including the updated Payment Card Industry Data Security Standard 4.0 (PCI DSS 4.0) for all businesses that accept or process payment transactions. Some reports allege that the Chick-Fil-A customer rewards data, which included billing and credit card information, was being stored unencrypted and unredacted. If true, this would put the chicken chain in violation of PCI DSS standards. This incident serves as a reminder it is crucial to secure access not only for employees but also for customers as well.
While the cybersecurity industry is evolving to provide companies with better insulation against bad user hygiene, we can all, as individuals, help out by being aware of cybersecurity best practices. No matter what innovations emerge, shortcuts like re-used passwords and shared accounts will always pose a threat to security.
Author
Jennifer Tullman-Botzer is a cybersecurity nerd by day and a history nerd by night. She has over a decade of experience in cybersecurity marketing and is as tired as you are of hackers-in-hoodies stock images. Jennifer joined Cyolo in 2021 and currently serves as Head of Content. Prior to Cyolo, she worked in a variety of marketing roles at IBM Security. She lives in Tel Aviv, Israel.