Hacker Tracker: January 2023
While many spent the final weeks of 2022 winding down for the holidays and spending quality time with family, hackers stayed focused.
The sheer variety of attacks cybercriminals carried out shows that, more than ever, they’re infiltrating every type of system and resource.
The incidents range from the very serious, like the theft of data relating to critical US infrastructure and the breach of the FBI InfraGard program, to the downright bizarre, like the scheme to hack the taxi system at JFK airport.
Read on for our full analysis of the most significant hacks that occurred as 2022 drew to a close.
Rackspace Technology
When it happened
The company became aware of the attack on December 2.
What happened
Rackspace Technology, a major cloud computing company, suffered a ransomware attack. This caused an outage in its email hosting service, affecting thousands of customers.
Method of attack
Rackspace Technology has not yet disclosed many details about how ransomware infiltrated its IT systems. However, according to security researcher Kevin Beaumont, it is likely the attackers exploited the ProxyNotShell vulnerabilities in Microsoft Exchange.
The fallout so far
In an SEC filing, Rackspace Technology said that the disruption caused by this attack will cause a loss of revenue in its Hosted Exchange Business, as well as other “incremental costs.” Moreover, the company has not yet disclosed whether customer data has been leaked or the size of the ransom it has been asked to pay.
DraftKings
When it happened
DraftKings discovered the breach on November 18.
What happened
The betting company DraftKings revealed in a data breach notice that they suffered a credential stuffing attack that led to over 67,000 customers having their personal data breached.
Method of attack
The attackers obtained leaked customer login credentials for other websites from a non-DraftKings source. They then used automation software to carry out credential stuffing against DraftKings accounts, succeeding in more than 67,000 breaches. The attackers subsequently sold the personal and financial information they obtained.
The fallout so far
DraftKings said that there’s no evidence that Social Security numbers, driver's license numbers, or full financial details have been breached. Nonetheless, the theft of personal data like phone numbers and addresses occurred. This is damaging for the company, as is the fact they’ve had to refund up to $300,000 of stolen deposits to account holders.
LastPass
When it happened
The company disclosed the breach on November 30.
What happened
LastPass, a leading password manager, suffered its second cyberattack this year; the first was a breach in August.
Method of attack
The hackers used data obtained from the August breach to attack the organization again, this time stealing customer vaults that included a combination of unencrypted and encrypted data, as well as customer account and usage information from a cloud backup.
The fallout so far
Loss of account information and customer vaults is a worrisome development that opens users up to offline attacks that would not be possible otherwise. Users whose master passwords are easily guessed or appear in past credential compromises should change all passwords in their vaults. Additionally, all LastPass customers should be on heightened alert for phishing attacks, given the substantial sensitive name, address, and location information that was compromised. Moreover, the company has experienced a number of data breaches in recent years, so suffering yet another will likely exacerbate the reputation costs involved.
Okta
When it happened
Early December
What happened
Okta, a prominent Identity and Access Management (IAM) software company, revealed that its private GitHub repositories were hacked in early December. The attack, which Okta disclosed in a “confidential” email, saw threat actors steal the company's source code.
Method of attack
Okta said that it was notified by GitHub about suspicious activity on its code repositories earlier in December. After investigating further, Okta discovered that hackers used this access to copy code repositories related to the company’s Workforce Identity Cloud (WIC) solution.
The fallout so far
Okta stated that although its source code was stolen by hackers, the company's service and customer data were not accessed or compromised. This is because Okta does not rely on the confidentiality of its source code for security purposes. While this limits the damage, the attack posed yet another headache in what has been a difficult year for Okta’s cybersecurity. The company suffered two other attacks in 2022, including one by the notorious Lapsus$ group.
It is difficult not to worry about these assurances given the similarity in pattern to the LastPass compromise described earlier.
InfraGard
When it happened
The stolen information was put up for sale on December 10.
What happened
InfraGard, an FBI-run program that facilitates threat information sharing with the private sector, had its database of contact information for over 80,000 members put up for sale on a cybercrime forum. In addition, the hackers communicated directly with InfraGard members through the organization’s portal, having successfully impersonated a financial industry CEO.
Method of attack
The attacker said they created a new InfraGard account with the personal information of a CEO at the kind of major financial corporation that would be eligible for InfraGard membership. This was possible because the FBI did not contact the CEO directly to verify that they had personally made the InfraGard application, and because the attacker was able to easily bypass InfraGard’s legacy multi-factor authentication system using the email address they signed up with and controlled. Once in, the InfraGard user data was easy for them to access through an API incorporated into several parts of the website.
The fallout so far
The attacker didn’t gain access to much data—only about half of the user accounts contained an email address. However, the user data may not have been the main target of the hack. The attacker was using the imposter account to send messages as the CEO to other executives through the InfraGard messaging portal. In one such message, they attempted to set up a meeting with a corporate leader. While the attacker doesn’t appear to have achieved any success with this, the infiltration of an FBI program is certainly alarming and demonstrates the boldness and capabilities of modern cybercriminals.
Comcast Xfinity
When it happened
The attacks started on December 19.
What happened
Comcast Xfinity customers’ accounts have been hacked, with the attackers bypassing two-factor authentication (2FA). The compromised accounts were then exploited to reset passwords for other accounts belonging to the users, such as crypto exchange accounts.
Method of attack
The hacks on Comcast Xfinity accounts were likely carried out using credential stuffing. Once they have obtained the correct credentials, the attackers use a privately circulated one-time password (OTP) bypass to get past the system’s inadequate two-factor authentication (2FA). Having obtained full access to an Xfinity email account, the attackers can then hack other accounts belonging to the customer by resetting their passwords via the compromised email account.
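Both the DraftKings and Comcast Xfinity incidents above began with credential stuffing: one source trying leaked username/password pairs against many different accounts, most of which fail. The following detector, an added example that is not part of the original post, shows the defender's side: it parses constructed authentication log lines (the log format and thresholds are assumptions) and flags sources that hit many distinct accounts with a low success rate, listing the accounts that did succeed so they can be forced through a password reset and step-up authentication.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Xfinity or DraftKings logs); the format is assumed.
SAMPLE_LOG = """\
2023-01-05T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-01-05T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2023-01-05T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2023-01-05T10:00:04Z src=203.0.113.7 user=dave result=SUCCESS
2023-01-05T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2023-01-05T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2023-01-05T10:00:07Z src=203.0.113.7 user=grace result=FAIL
2023-01-05T10:00:08Z src=203.0.113.7 user=heidi result=FAIL
2023-01-05T10:00:09Z src=203.0.113.7 user=ivan result=FAIL
2023-01-05T10:00:10Z src=203.0.113.7 user=judy result=FAIL
2023-01-05T10:01:00Z src=198.51.100.2 user=alice result=FAIL
2023-01-05T10:01:20Z src=198.51.100.2 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")

def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_credential_stuffing(log_text, min_distinct_users=8, max_success_rate=0.25):
    """Return {src: stats} for sources whose login attempts look like a stuffing run:
    many distinct accounts tried and mostly failures. A legitimate user retrying their
    own password hits one account, so it is not flagged."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0, "compromised": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "SUCCESS":
            s["successes"] += 1
            s["compromised"].add(ev["user"])   # accounts that need a forced reset and step-up auth
    flagged = {}
    for src, s in per_src.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[src] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                            "successes": s["successes"], "compromised": sorted(s["compromised"])}
    return flagged
```

Running `detect_credential_stuffing(SAMPLE_LOG)` flags only 203.0.113.7 and reports `dave` as the account whose leaked password worked; the single-user retries from 198.51.100.2 are left alone.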
The fallout so far
This is a concerning incident and damaging to the reputation of Comcast Xfinity. Traditional MFA is no longer adequate for any organization, but it’s particularly important for something as critical and sensitive as a leading email server to be protected by up-to-date cybersecurity solutions.
Social Blade
When it happened
The hacker claims to have stolen the data in September and put it up for sale on a hacker forum on December 14.
What happened
Social Blade, a social media analytics platform, confirmed that it suffered a data breach after it came to light that its database had been put up for sale on a hacking forum. The stolen database, which the hacker claimed contains 5.6 million records, includes data such as IP addresses, email addresses, and encrypted passwords.
Method of attack
All that is known so far is that Social Blade believes the person who stole the data exploited a website vulnerability to gain access to it.
The fallout so far
Social Blade assured its customers that no credit card information was leaked. However, given that data like email addresses was stolen, tens of millions of users will need to be on guard for scams and phishing attacks that may use the compromised information to deceive them.
Lake Charles Memorial Health System
When it happened
The attack happened on October 21. Data breach notices were sent out in late December.
What happened
The Lake Charles Memorial Health System (LCMHS), the largest medical complex in Lake Charles, Louisiana, informed almost 270,000 of its patients that their data was stolen. The attackers hacked into LCMHS's network and stole files containing sensitive information like medical records, health insurance data, and payment details.
Method of attack
This was a ransomware attack by the Hive group, who targeted 1,300 companies worldwide and took $100 million in ransom money.
The fallout so far
Hive released details of the attack on their website, which suggests that LCMHS refused to pay the ransom demanded. The attackers also released what they claim are the files they stole. While the files’ authenticity has not been confirmed, the damage to LCMHS and its patients will be significant if they are genuine, given that they allegedly contain the kind of highly sensitive data that opens up the risk of identity theft.
Other News
CISA phishing infographic
CISA created a useful infographic outlining the steps taken by threat actors in successful phishing attacks. It includes data on the likelihood of different types of phishing "bait" being clicked on, and can help to educate employees on how to recognize and avoid phishing attacks.
Advisories
December was a big month for advisories:
- The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint CSA on Cuba ransomware.
- The FBI issued a Public Service Announcement about cybercriminals placing ads in search engine results that impersonate those of well-known brands.
- The US National Security Agency published an advisory warning that Chinese state-supported hackers are exploiting a zero-day vulnerability in two popular Citrix networking products.
Phishing news
- Russian state-sponsored threat group SEABORGIUM reportedly impersonated several leading organizations—including Global Ordnance, UMO Poland, Blue Sky Network, and The Commission for International Justice and Accountability—in a large-scale phishing operation.
- Security researchers Checkmarx and Illustria reported that a phishing group launched a large automated campaign by uploading over 144,000 malicious open-source packages to three open-source repositories.
Vulnerabilities found and exploited
- Trend Micro cybersecurity researchers identified a new infostealer campaign that uses open-source software and file-sharing services to distribute malware.
- SafeBreach researcher Or Yair discovered a method of using the data deletion functions in commonly used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, Trend Micro, Avast, and AVG to transform them into data wipers, a destructive form of malware.
- Researchers found that the Passwordstate enterprise password manager, produced by Australian company Click Studios, had significant vulnerabilities allowing an attacker to potentially steal passwords, replace all stored passwords within the database, or gain higher privileges within the application. Click Studios stated that they’ve now fixed the security flaws.
Preventing attacks with phishing-resistant MFA
The variety and sophistication of these recent attacks demonstrate that no system or resource is safe from being targeted by hackers. Any and all security flaws will be preyed upon by cybercriminals.
Beyond Identity's phishing-resistant multi-factor authentication (MFA) system can protect your organization by replacing vulnerable factors like passwords with three secure factors:
- Local biometrics (fingerprint and facial recognition)
- Cryptographic security keys stored only on trusted devices
- Device-level security checks at login
To learn more about how Beyond Identity’s passwordless MFA can prevent credential-based attacks, schedule a demo today.