This Week in Cybersecurity 13 September 2024

This past week has been a whirlwind in cybersecurity, with several high-profile incidents making headlines. From public infrastructure breaches to attacks on financial giants, it's clear that no organization is safe from the ever-evolving threat landscape. However, it's important to remember that these incidents were not inevitable. Let's dive into some key events and explore how Hedgehog Security's SOC365 service could have mitigated these incidents, reducing their likelihood and impact.

Transport for London (TfL) Under Attack: A Wake-Up Call for Public Infrastructure

This past week, Londoners experienced firsthand the disruption that a cyber attack can cause when Transport for London (TfL) was forced to suspend renewal applications for its Oyster photocards, including Zip cards. The attack, which initially seemed to have little effect on public services, quickly escalated, leading to significant inconvenience for thousands of commuters and raising serious concerns about the security of public infrastructure.

TfL’s first public admission of the attack came with the suspension of Oyster photocard renewals. While TfL initially assured the public that no customer data had been compromised, a later update revealed a more troubling scenario. Around 5,000 users' bank details, including bank account numbers and sort codes, may have been exposed as part of the attack. In addition to the potential data breach, the incident forced TfL to pull large chunks of its IT infrastructure offline, further disrupting services.

The attack has not only affected the renewal of Oyster photocards but also limited TfL staff's access to essential systems, leading to delays in customer service and other operational challenges. The suspension of applications for new cards and the inability to issue refunds for incomplete pay-as-you-go journeys have caused widespread frustration among regular commuters. The situation has been compounded by the requirement for 30,000 TfL employees to reset their passwords in person, a process that is both time-consuming and resource-intensive.

‍

"The TfL breach highlights the vulnerability of public infrastructure, where outdated systems and complex networks often make it difficult to implement comprehensive security measures. The impact on the public is immediate and far-reaching, affecting daily commutes and exposing sensitive data. This incident likely stems from a lack of proactive security monitoring and patch management, which allowed attackers to exploit weak points in the system." - Peter Bassill

It is strange to think that TfL was not able to see the attack coming. Our SOC365 service, which offers continuous 24x7 monitoring, would have provided early detection of any unusual activity within TfL's network. As a critical infrastructure provider, TfL should be asking some difficult questions of its SOC provider. With our proactive approach, such incidents can be prevented before they even occur, providing a sense of reassurance to your organization.

Fortinet Customer Data Compromised: Even Security Giants Aren't Immune

Fortinet admitted that a bad actor accessed customer data stored in a cloud-based file drive. While the company insists the breach was limited, the incident raises concerns about data security, especially for organizations that should be at the forefront of cybersecurity.

Fortinet’s announcement revealed that the breach involved unauthorized access to a third-party cloud-based shared file drive. The files accessed included sensitive customer information, though Fortinet has stressed that less than 0.3 percent of its customer base was affected. According to the company, the breach did not impact its operations, products, or services, and there is no evidence of further unauthorized access beyond the files in question.

However, this breach comes at a particularly troubling time for Fortinet. The company has had a challenging year, grappling with multiple security issues and vulnerabilities in its products. The recent breach adds to the growing list of security concerns and raises questions about the effectiveness of Fortinet’s own cybersecurity measures.

Adding to the controversy, an individual using the alias "Fortibitch" posted on a dark web forum, claiming responsibility for the breach. This individual offered 440GB of data, allegedly stolen from Fortinet's cloud storage, for download. The stolen data reportedly includes sensitive customer information stored in an open Amazon S3 bucket, a glaring security oversight that should have been easily avoidable.

The dark web post also mentioned that a ransom demand was made to Fortinet, which the company reportedly refused to pay. The individual behind the breach criticized Fortinet for not disclosing the incident to its shareholders through an SEC Form 8-K, a move that would typically alert stakeholders to material events that could impact the company’s financial condition.

‍

"Fortinet's breach is a stark reminder that even the most reputable security firms can be targeted. The root cause is likely a misconfiguration in their cloud environment or insufficient access controls, which allowed unauthorized access. The impact, though limited in scope, is significant due to the nature of the data compromised, and it highlights the ongoing challenge of securing cloud environments." - Peter Bassill

ICBC London's Ransomware Nightmare: A Massive Data Heist

In one of the most alarming cybersecurity incidents this year, the London branch of the Industrial and Commercial Bank of China (ICBC), the world’s largest bank by assets, has reportedly been targeted by the ransomware gang Hunters International. The cybercriminals claim to have stolen more than 5.2 million files, amounting to 6.6 terabytes of sensitive data, and have threatened to release this data unless their demands are met by September 13. This attack highlights the escalating threat that ransomware poses to financial institutions and the potentially devastating consequences of such breaches.

Ransomware attacks have become a preferred method for cybercriminals, offering a potentially lucrative return on investment. In this case, Hunters International—a relatively new but already notorious ransomware-as-a-service operation—managed to infiltrate ICBC’s network and exfiltrate a massive amount of data. The stolen files likely include highly sensitive financial information, customer records, and internal communications, all of which could be used for extortion, identity theft, or sold on the dark web if the ransom is not paid.

ICBC, with $6.3 trillion in assets and $113 billion in annual revenue, represents an attractive target for ransomware gangs. Financial institutions hold vast amounts of sensitive data, and the potential fallout from a data breach can be enormous, both in terms of financial loss and damage to reputation. This makes them more likely to consider paying ransoms to avoid the public exposure of their data.

However, at the time of reporting, ICBC has not confirmed the legitimacy of the stolen data or commented on the breach. This silence is not uncommon in such high-stakes situations, as organizations often deliberate on how to respond, weighing the risks of paying the ransom against the potential consequences of not doing so.

‍

"The ICBC ransomware attack is a clear example of how devastating ransomware can be when proper defenses aren't in place. The likely cause is a phishing attack or a vulnerable system exploited to gain entry. The impact is potentially catastrophic, not just in data loss but also in the reputational damage and regulatory scrutiny that will follow. This is a stark reminder that no organization, regardless of size, is immune from such attacks." - Peter Bassill

Ransomware attacks are among the most devastating cyber threats. SOC365's robust detection and automated response capabilities could have isolated the affected systems as soon as the ransomware was detected, minimizing its spread and impact. Furthermore, our regular penetration testing and dark web monitoring would have helped identify potential risks before they materialized into full-blown attacks.

Read our in-depth analysis of this breach.

Capgemini Data Breach: 20GB of Sensitive Data Leaked

This week, Capgemini, a global leader in IT services and consulting, found itself at the center of a significant cybersecurity breach. A cybercriminal, using the alias "grep," claimed responsibility for compromising Capgemini's systems and exfiltrating 20GB of sensitive data. This data allegedly includes source code, credentials, private keys, employee information, and internal details about Capgemini’s clients, including major names like T-Mobile. The breach has sent shockwaves through the IT and cybersecurity communities, highlighting the vulnerabilities even within companies that specialize in digital transformation and security.

"The breach at Capgemini likely resulted from weak access controls and possibly unpatched vulnerabilities within their systems. The current impact includes exposing highly sensitive data, including source code and credentials, which could have far-reaching consequences for Capgemini and its clients. This incident underscores the importance of a multi-layered security approach that includes regular auditing and real-time monitoring." - Peter Bassill

‍

Read our in-depth analysis of this breach.

In Closing

The breaches we've seen this week underscore the importance of robust cybersecurity measures. Hedgehog Security's SOC365 service is not just another security solution. It's a comprehensive protection system, designed to provide proactive monitoring, advanced threat detection, and rapid incident response to keep your organization secure. In a world where cyber threats are becoming more sophisticated and frequent, SOC365 ensures that your business stays one step ahead of the attackers, giving you a sense of security and peace of mind.

We're committed to keeping the pricks on the outside at Hedgehog Security. So your business can focus on what it does best. Don't wait for the subsequent headline-grabbing breach to take action. Be more Hedgehog.

‍

‍