Hacker Tracker: February 2023
The new year has kicked off with cybercriminals picking up where they left off in 2022. In January we saw a string of attacks against major companies, government agencies, and NGOs. A number of organizations that recently suffered cyberattacks have been targeted again, having failed to secure their IT systems adequately. And the trend of hackers bypassing password-based MFA, through phishing and credential stuffing, is showing no sign of abating.
Read on for our reporting and analysis of the biggest hacking news in what was a busy start to 2023.
Housing Authority of the City of Los Angeles
When it happened
The hackers publicized the leak on December 31.
What happened
The Housing Authority of the City of Los Angeles (HACLA), which offers public housing to over 19,000 low-income families and Section 8 housing vouchers to another 40,000+ families in LA, has allegedly suffered a significant data breach. The prolific LockBit ransomware gang is claiming to have stolen 15 terabytes of data from HACLA, including personal details of individuals seeking housing assistance as well as data from the housing authority’s payroll, HR, and accounting records.
Method of attack
HACLA has not provided much detail about the nature of the attack. What we know about LockBit, however, is that they use a "ransomware-as-a-service" model, with a core team creating the malware and licensing it to affiliates who actually conduct the attacks. Their latest LockBit 3.0 ransomware, also called LockBit Black, incorporates features of BlackMatter ransomware and significantly enhances obfuscation capabilities over previous versions.
The fallout so far
If this attack has occurred as alleged, it represents a significant headache for the Los Angeles authorities, given that the LA Unified School District suffered a similar ransomware attack by the Vice Society just months ago. This ultimately resulted in the release of vast quantities of sensitive data when the LAUSD refused to pay the ransom, an outcome that may well repeat itself here.
GitHub
When it happened
December 6
What happened
An unidentified group of attackers obtained access to some of GitHub’s development and release planning repositories, resulting in the theft of encrypted code-signing certificates for the company’s Desktop and Atom applications.
Method of attack
The repositories were cloned using a compromised Personal Access Token (PAT) that was linked to a machine account. These repos were connected to GitHub Actions for CI/CD coordination and contained two DigiCert code signing certificates used for Windows application signing, and an Apple Developer ID certificate.
The fallout so far
Fortunately, the fallout from this attack appears to be quite limited, as GitHub has said that none of the compromised repositories contained any customer information and that the security breach posed no threat to GitHub.com services.
CircleCI
When it happened
December 16
What happened
Cybercriminals gained access to the internal systems of CircleCI, a leading continuous integration/continuous delivery (CI/CD) platform, by compromising the account of one of its engineers. They then stole data, including customer environment variables, keys, and tokens.
Method of attack
The CircleCI engineer's laptop was infected on December 16, 2022, with information-stealing malware that went undetected by the company's antivirus software. The malware stole the engineer’s corporate session cookie, which had already been two-factor authenticated. This meant that the attacker could log in as the user without having to go through 2FA again. They then used the engineer’s privileged system access to conduct reconnaissance and exfiltrate data on December 22, 2022.
The fallout so far
CircleCI was forced to tighten its cybersecurity stance in several ways once it learned of the attack, a decision long overdue given how many recent cyberattacks have exposed 2FA as being inadequate and outdated. Additionally, all customers were advised to rotate all secrets and environment variables stored in CircleCI. While the full implications of the data theft are as yet unclear, we know this attack has impacted the security of at least one high-profile CircleCI customer, cloud security company Datadog, whose RPM GPG signing key and passphrase were exposed.
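The CircleCI cookie replay above works because the server trusts an "already 2FA'd" cookie regardless of who presents it or how long ago the step-up happened. This added example (not CircleCI's code) shows a server-side session store that binds each session to the client it was issued to and requires a fresh 2FA step-up for privileged actions; the `ua`, `tls_client_cert_hash` and `ip_prefix` attributes and the 900-second window are assumptions.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side session table that binds each session to the client it was
    issued to and records when that session last passed 2FA. A cookie replayed
    from another client is rejected, and privileged actions need a recent step-up."""

    def __init__(self, reauth_window=900):
        self.sessions = {}
        self.reauth_window = reauth_window  # seconds a 2FA step-up stays valid

    @staticmethod
    def fingerprint(client):
        # Assumed client attributes the server can observe at the TLS/HTTP layer.
        raw = "|".join(client[k] for k in ("ua", "tls_client_cert_hash", "ip_prefix"))
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, user, client, now):
        """Called after a full login including 2FA; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "fp": self.fingerprint(client), "mfa_at": now}
        return sid

    def record_mfa(self, sid, now):
        """Called when the user completes a 2FA step-up on an existing session."""
        self.sessions[sid]["mfa_at"] = now

    def authorize(self, sid, client, privileged, now):
        s = self.sessions.get(sid)
        if s is None:
            return "deny: unknown session"
        if not hmac.compare_digest(s["fp"], self.fingerprint(client)):
            del self.sessions[sid]  # replayed cookie: kill the session, force re-login
            return "deny: session bound to another client"
        if privileged and now - s["mfa_at"] > self.reauth_window:
            return "step-up: re-run 2FA"  # an old "already 2FA'd" cookie is not enough
        return "allow"


if __name__ == "__main__":
    store = SessionStore()
    laptop = {"ua": "Mozilla/5.0 (X11; Linux)", "tls_client_cert_hash": "c0ffee", "ip_prefix": "198.51.100"}
    sid = store.issue("engineer", laptop, now=1000)
    print(store.authorize(sid, laptop, privileged=True, now=1100))  # allow
    print(store.authorize(sid, laptop, privileged=True, now=5000))  # step-up: re-run 2FA
```

Client binding is only a partial control here, since the infostealer ran on the engineer's own machine and could relay through it; the short re-authentication window for privileged operations is what limits what a replayed cookie can do.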
Chick-fil-A
When it happened
Ongoing
What happened
Fast food corporation Chick-fil-A is investigating reports of “suspicious activity” and has issued an alert to its customers in the wake of social media reports of customer accounts being hacked and orders being placed without their consent.
Method of attack
According to Bleeping Computer sources, the attackers are using credential-stuffing methods to breach customer accounts, and then using the compromised accounts with temporary email addresses to make purchases. Access to the stolen accounts is being sold for anything from $2 to $200, with the price varying based on the account balance.
The fallout so far
This attack has not involved Chick-fil-A’s internal systems being breached, which limits the damage. However, the company could have introduced the more robust protective measures it has only just adopted (such as banning disposable email addresses) sooner. These account takeover attacks do not appear to involve compromised point-of-sale systems, unlike the speculation that surrounded the 2014 breaches in which actual consumer card numbers were exposed.
Maternal & Family Health Services
When it happened
Affected individuals were notified starting January 3. However, the company became aware of the breach on April 4, 2022, and the attack may have occurred as early as August 21, 2021.
What happened
Maternal & Family Health Services (MFHS), a Pennsylvania-based healthcare non-profit, suffered a breach whereby cybercriminals gained access to the sensitive personal information of nearly half a million current and former patients, employees, and vendors. The exact number affected was confirmed in this data breach notification.
Method of attack
This was a ransomware attack, but no group has claimed responsibility, so we know little more about the exact methods used.
The fallout so far
The sensitive data exposed was basically the complete package: medical and health insurance information, financial and card information, driver's license numbers, Social Security numbers, dates of birth, addresses, and login credentials. As a result, almost half a million people will be at serious risk of identity fraud, making this a hugely damaging incident for MFHS. This attack comes in the broader context of healthcare providers being heavily targeted by ransomware gangs, with 25 healthcare providers being targets of this type of attack in 2022.
Gen Digital
When it happened
December 1, but the company began notifying affected customers in January.
What happened
Gen Digital (formerly NortonLifeLock) has issued data breach notifications to its customers, informing them that their Norton Password Manager accounts have been breached by successful credential-stuffing attacks.
Method of attack
The attacker used username and password combinations stolen from other accounts belonging to the users—purchased from the dark web—to launch credential-stuffing attacks. The company was alerted to this by an unusual spike in failed login attempts on December 12, 2022.
The fallout so far
The company has warned customers that their private vault information may have been obtained by hackers, potentially resulting in the compromise of other online accounts, loss of digital assets, and exposure of secrets. Gen Digital is trying to prevent this from occurring again by resetting passwords on affected accounts and introducing new security measures. Nonetheless, it’s disturbing that something as sensitive as a password manager was insufficiently protected with outdated, password-based cybersecurity protections.
T-Mobile
When it happened
The company became aware of the attack on January 5, but it had been ongoing since November 25, 2022.
What happened
T-Mobile has announced that a “bad actor” stole the personal information of 37 million current customers after discovering a poorly secured Application Programming Interface (API).
Method of attack
The attacker likely found a flaw in the company’s API that allowed them to obtain customer data without the need for authentication, but T-Mobile hasn’t provided official details.
The fallout so far
T-Mobile says that while customer account data, such as email addresses, phone numbers, and dates of birth, were stolen, more sensitive data such as payment information and Social Security numbers were not compromised. It seems unlikely the company will be particularly relieved, given that this is the eighth cyberattack it has suffered since 2018. The reputational cost has undoubtedly been huge, as has the financial cost, which included paying a $500 million settlement in a class-action lawsuit stemming from an August 2021 attack.
PayPal
When it happened
The attack occurred between December 6 and 8, and the company started sending out data breach notifications in January.
What happened
Payment processor PayPal is issuing data breach notifications to almost 35,000 users whose accounts were compromised, resulting in the exposure of personal data, including some sensitive information like social security numbers. However, according to the company, no fraudulent transactions were successfully completed by the hackers.
Method of attack
This was a credential-stuffing attack, a method where hackers attempt to access accounts by using username and password pairs obtained from data breaches, with automation software trying many different combinations of the compromised credentials on login portals.
The fallout so far
PayPal has said the credentials used in the attack didn’t result from their own internal systems being breached, but from other compromised websites. However, the company is still providing free credit monitoring protection to the victims, who are now at risk of identity fraud. Cybersecurity protection that relies on passwords will always be vulnerable, and this is just another case in point. Additionally, the scope of PayPal’s disclosure raises important questions about storage of sensitive PII in portals, and inadequate masking of SSNs or Tax IDs.
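Credential stuffing, as described for PayPal, Gen Digital and Chick-fil-A above, has a distinctive shape in login logs: one source trying many different usernames with a low hit rate, which is what Gen Digital's "unusual spike in failed login attempts" looked like. This added example (not code from any of the companies above) runs that detection over a few constructed log lines; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Constructed sample login log (not from any incident described above).
# 203.0.113.7 sprays ten different usernames and gets one hit: the stuffing pattern.
# 198.51.100.4 is one user mistyping a password twice, then succeeding: benign.
SAMPLE_LOG = [
    f"2022-12-06T10:00:{i:02d}Z src=203.0.113.7 user=user{i} result={'OK' if i == 7 else 'FAIL'}"
    for i in range(10)
] + [
    "2022-12-06T10:05:00Z src=198.51.100.4 user=alice result=FAIL",
    "2022-12-06T10:05:09Z src=198.51.100.4 user=alice result=FAIL",
    "2022-12-06T10:05:20Z src=198.51.100.4 user=alice result=OK",
]


def summarize(lines):
    """Aggregate per source IP: total attempts, distinct usernames, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        s["ok"] += m["result"] == "OK"
    return stats


def detect_stuffing(lines, min_attempts=8, min_users=5, max_success_rate=0.2):
    """Return {ip: summary} for sources matching the stuffing pattern.

    Stuffing means many *different* usernames from one source with a low hit
    rate (most leaked pairs don't work here). A single user retrying a mistyped
    password has one username and is not flagged, unlike a brute-force detector.
    """
    flagged = {}
    for ip, s in summarize(lines).items():
        rate = s["ok"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "success_rate": round(rate, 2)}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {info}")
```

Real campaigns spread attempts across many proxy IPs to stay under per-source thresholds, so in practice the same aggregation is also run per ASN, per user-agent and globally (overall failure rate against a baseline).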
GoTo
When it happened
The attack happened in November 2022, and the company notified customers affected on January 23.
What happened
GoTo, a flexible work software provider and the parent company of LastPass, sent out data breach notifications to customers warning them an attack on its development environment in November 2022 resulted in the theft of encrypted customer information, as well as an encryption key for some of the data.
Method of attack
The hacker was able to steal GoTo’s encrypted backups from a third-party cloud storage service, the same one that was the origin of the very damaging attack on password manager LastPass. While encrypted backups afford some level of security, exfiltration opens them up to offline attacks that are not ordinarily possible.
The fallout so far
GoTo has stated that it doesn’t store payment details, dates of birth, home addresses, or social security numbers, which makes this attack less damaging than the one on its subsidiary LastPass in August. However, given that LastPass is currently the subject of a class action lawsuit, this is a sign of real problems for the company. This attack is a good example of how difficult it can be to rebuild a company’s cybersecurity defenses after an attack, as hackers can often exploit the stolen data or access gained in an initial attack to launch more.
JD Sports
When it happened
The date of the attack is unknown. JD Sports disclosed it in a London Stock Exchange notice on January 30.
What happened
Fashion retailer JD Sports has disclosed that the personal and financial information of 10 million customers may have been hacked. The breach affected data stored on online orders made between 2018 and 2020 for several of the brands under the company’s umbrella.
Method of attack
JD Sports hasn’t provided any information about exactly how the attack was conducted.
The fallout so far
The company said the attackers wouldn’t have been able to access the full payment details of customers. However, the kind of personal data exposed still means that affected individuals will now be vulnerable to phishing attacks, and JD Sports is likely to face not only reputational damage but also fines and regulatory action.
Google Fi
When it happened
It was disclosed on January 30, but the attack likely happened in November.
What happened
Google Fi, Google's cell network provider, suffered a breach of limited customer information, including phone numbers, account status, SIM card serial numbers, and mobile service plan details. The breach is believed to be related to the recent security incident at T-Mobile (see above), whose network Google Fi operates on, although this hasn’t been confirmed.
Method of attack
Google hasn’t provided any details about the method of attack. However, as mentioned, it’s believed the T-Mobile attack stemmed from the hacker exploiting a weakness in the company’s API.
The fallout so far
In terms of damage to Google and its customers, the fallout is relatively limited compared to other high-profile attacks recently. According to the company, the hackers didn’t gain access to personal information, payment card data, passwords, PINs, or the contents of text messages or calls. However, as with GoTo and LastPass, this is an example of how an initial cyberattack—the one on T-Mobile in this case—can have damaging spillover effects on other companies. Given the level of SIM swapping attacks seen in the last few years, any compromise of sensitive mobile customer information is worrisome.
Other news
Ransomware reports
- According to an Emsisoft report, in 2022 over 200 large organizations in the US public sector (in a conservative estimate) were affected by ransomware attacks. According to information gathered from various sources, data theft occurred in roughly half of these incidents.
- However, Chainalysis research was released showing that ransomware attacks are becoming less lucrative for cybercriminals as more victims refuse to pay ransom demands. There has been a 40% decrease in ransom payments, from $765.6 million in 2021 to $456.8 million in 2022.
Vulnerabilities fixed
- Security vulnerabilities in software used by luxury vehicles from brands including Ferrari, BMW, Rolls Royce, and Porsche have been fixed. These flaws had exposed vehicle owners to the threat of attackers controlling vehicles remotely and stealing personal data.
- Auth0 resolved a remote code execution vulnerability in the widely used 'JsonWebToken' open-source library, which is used in projects from major companies including Microsoft, Twilio, Salesforce, IBM, DocuSign, and Slack.
NCCoE Zero Trust guide
- The NIST National Cybersecurity Center of Excellence (NCCoE) released the second version of volumes A-D and the first version of volume E of a draft guide, "Implementing a Zero Trust Architecture." The guide outlines how NCCoE and its partners are using commercially available technology to construct interoperable, open standards-based ZTA examples.
AI-Generated phishing
- According to research from WithSecure, OpenAI’s GPT-3 can be utilized to help with spear-phishing emails, online harassment on social media, fake news articles, and other forms of content that cybercriminals use to malicious ends.
U.S. government credential theft
- The 2022 Government Threat Report by Lookout highlights a rise in mobile phishing and device vulnerability risk at US government agencies. In 2021, nearly 50% of phishing attacks targeting government staff aimed to steal employee credentials, a 30% increase year on year.
Protect your organization against credential-based attacks
Beyond Identity’s phishing-resistant multi-factor authentication (MFA) eliminates the risk of credential-based attacks by replacing vulnerable login details with three secure factors:
- Biometrics (fingerprint and facial recognition) stored on the device
- Cryptographic security keys stored on trusted devices
- Device-level security checks during login
Schedule a demo to discover more about how Beyond Identity's Zero Trust Authentication can protect your organization from damaging breaches.