Data breaches have become a major concern for organizations of every size and in every sector, and threat actors have increasingly turned to healthcare targets as well. The Medibank incident shows how bad the consequences can be: according to the reports, about 9.7 million Medibank customers were affected and roughly 200GB of data was stolen.
Once data is breached it is exposed to the public. A single leak can expose an enormous number of confidential records, and the impact lands not only on the breached organization but on every individual whose private data was stolen by cybercriminals. The risk of such breaches can, however, be reduced with proactive measures.
What Can be Done to Mitigate Data Breaches?
To stop such attacks we first have to understand their root causes: how threat actors operate, which weaknesses they target, and how they monitor their victims. The sections below walk through the most common causes one by one and explain how threat actors use each of them against an organization.
Application vulnerabilities are the leading cause of data breaches. Looking at the data, most successful attacks exploited a vulnerable application run by the target organization. There are many application bugs that can lead to severe vulnerabilities; here we focus on the simplest ones, because even these can have a big impact.
What Types of Application Vulnerabilities Are at the Highest Risk?
To prevent data breaches, businesses need to watch for high-risk application weaknesses such as default credentials and unchanged default configurations.
During our pentests at Kratikal we have seen that many of the web applications we audit are still running with default credentials. Most of these findings come from organizations that set up a server and never changed its default settings, and this is where a large share of the attacks we see begin.
The screenshot below shows a default Apache Tomcat error page that also leaks the server version. That version tells the attacker whether the server is affected by any publicly available exploit, which can be looked up on Exploit-DB or on GitHub.
Another cause is leaving the default configuration in place, which can expose directory listings and sensitive files. An attacker can locate such files simply by brute-forcing directory names. In the screenshot below the server exposes a directory listing, which gives the attacker a map of the site's structure.
Here it even exposes the server's log directory, including IRC logs, which can reveal sensitive information. From an application security standpoint, no log file should ever be reachable from the public internet.
These flaws are easy to find: an attacker only needs to point an automated scanner at the vulnerable site, which requires no particular expertise, and the result can be access to your most privileged accounts.
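The two leaks described above (a version string in a default error page, and a directory listing that exposes log files) are easy to check for automatically. The following is an added example written for this article, not code from Kratikal's own tooling: it parses raw HTTP responses and reports exactly those default-configuration leaks. The three sample responses are constructed to resemble what a scanner would see; the hostname and paths in them are made up.

```python
"""Spot default-configuration leaks in raw HTTP responses.

Added example, not code from the original post. The three responses below
are constructed to look like what a scanner sees; hostnames are made up.
"""
import re

# Product/version pairs that default installs print in headers and pages.
VERSION_RE = re.compile(
    r"(Apache Tomcat|Apache|nginx|Microsoft-IIS)/(\d+(?:\.\d+)+)", re.I)
# Titles used by Apache httpd ("Index of /x") and Tomcat ("Directory Listing For /x").
LISTING_RE = re.compile(
    r"<title>\s*(?:Index of|Directory Listing For)\s*(/[^<\s]*)", re.I)
# File types that should never be linked from a public listing.
SENSITIVE_EXT = (".log", ".bak", ".old", ".sql", ".env", ".git")


def split_response(raw: str):
    """Split one raw HTTP/1.x response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_leaks(raw: str) -> dict:
    """Return the default-config leaks found in one response (empty dict if none)."""
    _, headers, body = split_response(raw)
    findings = {}
    m = VERSION_RE.search(headers.get("server", ""))
    if m:  # Server header advertises an exact version
        findings["server_header_version"] = f"{m.group(1)}/{m.group(2)}"
    m = VERSION_RE.search(body)
    if m:  # default error page or listing footer echoes the version
        findings["body_version"] = f"{m.group(1)}/{m.group(2)}"
    m = LISTING_RE.search(body)
    if m:  # directory listing is enabled for this path
        findings["directory_listing"] = m.group(1)
        hrefs = re.findall(r'href="([^"]+)"', body)
        files = sorted({h for h in hrefs
                        if h.rstrip("/").lower().endswith(SENSITIVE_EXT)})
        if files:
            findings["exposed_files"] = files
    return findings


# Constructed sample 1: a stock Tomcat 404 page (version printed in the footer).
TOMCAT_404 = (
    "HTTP/1.1 404 \r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<!doctype html><html><head><title>HTTP Status 404 - Not Found</title></head>"
    "<body><h1>HTTP Status 404 - Not Found</h1><hr class=\"line\" />"
    "<p><b>Type</b> Status Report</p><hr class=\"line\" />"
    "<h3>Apache Tomcat/9.0.65</h3></body></html>"
)

# Constructed sample 2: Apache httpd auto-index of a log directory.
APACHE_LISTING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>Index of /logs</title></head><body><h1>Index of /logs</h1>"
    "<a href=\"/\">Parent Directory</a> <a href=\"irc.log\">irc.log</a> "
    "<a href=\"access.log\">access.log</a> <a href=\"readme.txt\">readme.txt</a>"
    "<address>Apache/2.4.41 (Ubuntu) Server at intranet.example.test Port 80</address>"
    "</body></html>"
)

# Constructed sample 3: hardened server, no version, no listing.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Welcome</title></head><body>ok</body></html>"
)

if __name__ == "__main__":
    for name, raw in [("tomcat_404", TOMCAT_404),
                      ("apache_listing", APACHE_LISTING),
                      ("hardened", HARDENED)]:
        print(name, find_leaks(raw) or "clean")
```

The fixes for what this finds are configuration, not code: on Tomcat, set `showServerInfo="false"` on the `ErrorReportValve` and the `listings` init-param of the `DefaultServlet` to `false` in conf/web.xml; on Apache httpd, `ServerTokens Prod`, `ServerSignature Off` and `Options -Indexes`. Note that a modern Tomcat sends no Server header by default, so a scanner that only reads headers misses the version in the error page; that is why the body is checked as well.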
Not every data breach is caused by a vulnerable web application. The recent attack on GoDaddy happened because the attacker was able to install malware on GoDaddy's infrastructure; according to GoDaddy, this malware was used to redirect customer websites.
Let's look at how malware gets into an organization and leads to such attacks and data breaches.
- Malvertising: Threat actors have started using fake advertisements to distribute malware for initial access. The screenshot below, from abuse.ch, shows a recent example of this: operators used Google Ads to distribute IcedID, a malware loader that is frequently the first stage before a ransomware deployment.
- Pirated software: When people install pirated, or "cracked", versions of software or games, they give attackers an easy way into the organization, because the cracked installer can carry whatever payload the attacker chooses.
In the video below we built a PoC showing how a threat actor can craft a fake activator that infects the victim's system with ransomware.
Since we are talking about data breaches, there is another route threat actors use to get inside an organization: previously leaked or breached passwords.
Here is how it works. The threat actor obtains a leaked password database from a breach forum or a dark web marketplace and tries those credentials against an admin panel or employee accounts. If an employee has reused the same password, the attacker gets unauthorized access. This technique is known as credential stuffing.
The recent PayPal data breach is an example of credential stuffing; the attacker compromised nearly 35,000 user accounts.
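Credential stuffing leaves a recognisable trace in authentication logs: one source tries many different usernames once each, rather than one username many times. The following is an added example written for this article (not Kratikal's own code) that separates the two patterns and reports any successful login from a flagged source as a probable account takeover. The log format, the thresholds and every entry in SAMPLE_LOG are constructed; the IP addresses are RFC 5737 documentation addresses.

```python
"""Tell credential stuffing apart from brute force in authentication logs.

Added example, not code from the original post. The log format, the
thresholds and the entries in SAMPLE_LOG are constructed; the IPs are
RFC 5737 test addresses.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user result")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(lines):
    """Parse 'ts ip=.. user=.. result=ok|fail' lines into time-ordered Events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.strptime(m["ts"], TS_FMT),
                                m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect(lines, window=timedelta(minutes=5), min_failures=8, min_users=6):
    """Per source IP, find the busiest `window` of failed logins.

    Many failures spread over many distinct usernames is the signature of
    credential stuffing (one try per leaked credential pair); many failures
    against few usernames is classic brute force. Any successful login from
    a flagged IP is reported as a probable account takeover.
    """
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e.result == "fail"]
        peak_fails = peak_users = 0
        start = 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            win = fails[start:end + 1]
            peak_fails = max(peak_fails, len(win))
            peak_users = max(peak_users, len({e.user for e in win}))
        if peak_fails < min_failures:
            continue
        kind = "credential_stuffing" if peak_users >= min_users else "brute_force"
        findings[ip] = {
            "kind": kind,
            "failures": peak_fails,
            "distinct_users": peak_users,
            "successful_logins": sorted({e.user for e in evs if e.result == "ok"}),
        }
    return findings


def _constructed_log():
    """Constructed log: one stuffing source, one brute-force source, one normal user."""
    base = datetime(2023, 1, 15, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = []
    # 203.0.113.7 tries ten leaked username/password pairs once each, then lands one.
    for i in range(10):
        lines.append(f"{stamp(10 * i)} ip=203.0.113.7 user=user{i:02d} result=fail")
    lines.append(f"{stamp(105)} ip=203.0.113.7 user=carol result=ok")
    # 198.51.100.23 hammers a single account.
    for i in range(9):
        lines.append(f"{stamp(20 * i)} ip=198.51.100.23 user=admin result=fail")
    # 192.0.2.44 is a real user who mistyped twice.
    for i, result in enumerate(["fail", "fail", "ok"]):
        lines.append(f"{stamp(30 * i)} ip=192.0.2.44 user=bob result={result}")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are starting points to tune against your own traffic, and a distributed stuffing campaign spreads its attempts across many source IPs, so the same window logic should also be run per target username and per user-agent. Detection is the safety net; the fix is to stop password reuse from working at all, with MFA and by rejecting passwords that appear in known breach corpora.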
How Do These Malicious Actors Get These Leaked Credentials?
They obtain these credentials from older data breaches and from hacking forums, where other actors sell the dumps for use in further attacks.
The screenshot below shows a threat actor sharing leaked usernames and passwords for Twitter accounts on a leak forum.
This is the most challenging category for organizations. An insider threat is someone inside the company who gives access to malicious actors or intentionally leaks data to someone on the dark web, but insiders can also leak data without meaning to.
How Can Someone Unintentionally Leak Data On The Internet?
That is where social engineering comes in: threat actors exploit the "people" vulnerability to lure a target. The technique may be phishing (email), vishing (voice calls) or smishing (SMS). The attacker studies the user's activity and then tailors the attack to that user's profile.
An insider who is tricked this way is known as "the pawn". For example, if an organization's HR department posts a job opening on LinkedIn, the threat actor can build a convincing candidate profile that matches the requirements and contact HR directly. The attacker then sends a malicious payload disguised as a document (a "doc" or CV); when the HR employee downloads and opens it, the attacker gains unauthorized access to that employee's machine and, from there, to the organization.
Below is a simple example of such a phishing attempt, where the threat actor tries to capture a user's credentials with a fake Adobe login form.
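A "CV" sent to HR is an Office file, and the two things that let such a file hand the attacker a foothold are visible in its container before anyone opens it: a VBA project (macros) and an external relationship that fetches a remote template. The following is an added example for this article, not Kratikal's code, that triages an incoming OOXML document on exactly those features. The sample documents are built in memory and are constructed for the test: the vbaProject.bin stub is a few bytes, not a real macro, and the template URL points at a made-up RFC 5737 address.

```python
"""Triage an inbound Office document before anyone opens it.

Added example, not code from the original post. It inspects the OOXML (zip)
container for a VBA project and for external relationships (remote template
injection). The sample documents are constructed in memory; the
vbaProject.bin stub is not a real macro and the URL is a made-up address.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def inspect_office_doc(data: bytes) -> dict:
    """Return what the container holds: macros, external targets, embedded objects."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls are OLE2 compound files, not zips; triage those
        # with a dedicated parser (e.g. oletools) instead.
        raise ValueError("not an OOXML container")
    findings = {"macros": False, "external_links": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        findings["embedded_objects"] = sorted(n for n in names if "/embeddings/" in n.lower())
        for n in names:
            if not n.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(n))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    kind = "attached_template" if rel.get("Type") == ATTACHED_TEMPLATE else "other"
                    findings["external_links"].append((n, kind, rel.get("Target")))
    findings["external_links"].sort()
    return findings


def verdict(findings: dict) -> str:
    """Policy: anything that can run code or pull remote content is blocked."""
    for _, kind, target in findings["external_links"]:
        if kind == "attached_template" or target.lower().startswith(("file:", "\\\\")):
            return "block"
    if findings["macros"] or findings["embedded_objects"]:
        return "block"
    if findings["external_links"]:
        return "review"      # ordinary hyperlinks still deserve a look
    return "allow"


def build_docx(with_macro=False, external_template=None) -> bytes:
    """Constructed minimal Word container for testing; not a document Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        rels = [f'<Relationships xmlns="{REL_NS}">']
        if external_template:
            # This is what remote-template injection looks like on disk.
            rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{external_template}" TargetMode="External"/>')
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            # Stub only: an OLE2 magic prefix, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("clean", build_docx()),
               ("cv_with_macro", build_docx(with_macro=True)),
               ("cv_remote_template", build_docx(external_template="http://203.0.113.5/cv.dotm"))]
    for label, doc in samples:
        f = inspect_office_doc(doc)
        print(f"{label}: {verdict(f)} {f}")
```

Two caveats for real deployments: the file extension is not a reliable signal (a .docx renamed from .docm still carries its vbaProject.bin, which is why the container is inspected rather than the name), and the remote-template case contains no macro at all, so a macro-only check would wave it through even though the fetched template is where the malicious code lives.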
In A Nutshell
A data breach (or security breach) occurs when a malicious actor gains unauthorized access to an organization's data store and steals sensitive information. Behind it is usually a weak security posture and a lack of cybersecurity awareness.
To strengthen your organization's security posture, trust Kratikal, a CERT-In-empanelled firm. We have years of experience in VAPT and compliance and have served over 600 SMEs and 100 large enterprises. We deliver robust vulnerability assessment and penetration testing to secure IT infrastructure, and conduct compliance audits to help organizations maintain seamless business operations, avoid penalties and reduce the likelihood of a data breach.
Take action to secure your business with us right away.