Article

April 12, 2021

Lessons From the Biggest Data Breaches of 2021 So Far With Arctic Wolf

Every month, we partner with a leading solutions provider in the IT industry to help our clients, and all IT professionals, understand  the solutions available to them. Last month, we spoke with Arctic Wolf about the biggest data security breaches in 2021 so far, what we can learn from them and what companies need to know about cybersecurity solutions.

Here are a few of our favorite excerpts from the webinar transcript - and you can watch the full webinar at the end of this post!

What Do People Often Misunderstand About Data Breach Headlines?

When there's a massive breach, it seems to just pop up out of nowhere, as if there was no indicator beforehand that something bad was about to happen. But we all know that once you actually dig into these incidents, and look at the timeline of what happened, it's usually much more complicated than that. And there's usually many opportunities along the way to detect the intrusion, and to prevent the execution of the attack. And so that's what we're going to get into here.

How Did Hackers Compromise a Water Treatment Plant in Florida?

So the first example here is a water treatment facility cyber attack near Tampa Bay, Florida. This happened just before the Superbowl. To summarize, an attacker broke into the water treatment plant control computer, and changed the chemical balance of the processing in the treatment of the water supply. If those changes would have gone through to production or to the actual delivery of the water, it would have ended up in deaths of residents. So the way this happened was essentially, a bad security practice. The mothership, the facility, was using TeamViewer to manage multiple computers within their installation. They installed TeamViewer and used one set of admin credentials across all of the different machines that they were able to access. So the attacker was able to get access to the TeamViewer account, that could have been a fishing incident or maybe they found it on the dark web, but one way or another, they got access to that TeamViewer account. They were able to find the critical control system and log into that and start making changes. It just so happened that while they were in there, making those changes, there was a plant operator that was sitting in front of the machine and watching the screen. And he saw the the mouse cursor moving around and was able to sound the alarm. He first reached out to see who was managing that computer with TeamViewer, when he realized that it was none of the authorized people, he was able to change the settings for the control point so that it did not put that high level of chemicals in the water. So luckily, because he was sitting there at that moment, he was able to avoid disaster. But imagine if he hadn’t been sitting there?

How Did Hackers Use Ransomware To Compromise Donald Trump’s Law Firm?

The next example that I want to get into is the Jones Day law firm data breach, who was hit with ransomware, their data was exfiltrated and posted online. This is a severe incident, because the files that were posted were confidential, legal, financial, health, pieces of evidence, contractual agreements, statements by witnesses, things like that. So this is an extremely damaging incident. And it also happens to be the law firm that handles Donald Trump's losses. So all the different legal actions that he's been taking, are basically in the hands of these attackers, and some of them have been posted online. How did this happen? There was a vulnerability found in a file transfer application by Excel and the vulnerability was basically an SQL injection. So once the attacker used that SQL injection, they were able to launch a webshell called “do mode.” Then they ran remote commands in order to fetch data from within the FTP application, even though they had no authorized access to the system. Once they downloaded all this data, they sent out emails to Jones Day and other firms that they had attacked demanding the companies either pay them a ransom, or they're going to start releasing data. With this type of attack, as the clock ticks, they release more and more data, and the ransom goes up. So it's pay now or else, and there's a huge motivation to pay so that they start releasing your data, but there's no guarantee that they will.

So once you refuse to pay, the attackers published a large portion of the data and this is when the headline came out. Then it looks like it happened all the sudden, but in actuality, these attackers first found the vulnerability and had time to install the webshell to go in and be able to remotely take the files. This highlights the importance of monitoring network traffic, monitoring the applications you use, and making sure that there is no unauthorized accesses of critical systems, like your file transfers. To this day, so many other firms have been hit by attacks like this, and not just law firms.

=Was the SolarWinds Hack Preventable?

The next breach I want to talk about because it's a really good example of an extremely sophisticated attack, that most tools would simply just never catch. It underscores the importance of security operations, constant monitoring, being able to process data and understand what is happening in real-time in your environments. So the first stage of the FireEye data breach was that attackers gained access to a Solarwinds DevOps environment. And they were able to insert malicious code and hack into the SolarWinds Orion product. Now, this didn't happen overnight, this was actually a long term attack as well, because the attackers had such long term access, and they were actually able to run tests. So they took on, they ran some tests, they inserted some code into the Iranian code base, and it didn't do anything, it basically just left the signature behind. And then the attackers analyzed the latest release from Orion. And they found that their code deployment had been successful, the signature was present. And so after they discovered that was possible, they went ahead and inserted their sunburst malware into the Iranian codebase. With the next update of Orion, that malware rolled out to all customers who installed the update. The thing that's really insidious about this, and potentially very damaging, is that this file appeared to be a trusted certified science application, meaning there is no way for a customer to know that, this is actually a piece of malware. It was installed as a teardrop, which is basically a beacon that allows remote code execution. So it allows the remote control of the machine by the attacker so they can send down instructions to the machine and those instructions will get executed. They were able to use teardrop to start harvesting credentials and sensitive data. In the final phase, the attackers were able to exfiltrate the red-team penetration tools from FireEye. They weren't detected. Finally, as they were attempting to log in to the VPN to get further access and download more folders, FireEyes operation center noticed that there was a new device accessing the VPN, and they started analyzing the user that was connecting. This is how they found out that it was an impossible travel situation user who was in two locations at once.

Did Anything Good Come From the SolarWinds Data Breach?

FireEye are a great member of the security community, because they investigated the issue immediately, released their findings, and shared the threat intelligence around this issue. Other city operations centers around the world were able to roll that threat intelligence into their platforms. We were able to instantly help our customers determine not only if they had this issue in their environment, but also exactly what devices had this installed. This result is often one of the only good things to come out of a data breach of this magnitude - it helps save others from a similar fate.

Did Anything Good Come From the SolarWinds Data Breach?

So the way that we deliver our services is through a custom built platform that resides across four different security operations centers in terms of physical location. The platform can grow and expand out as our demand does. It’s auto-scaling and very, very high performance. A traditional approach for a SOC would be to license a security information management management system and then use that off the shelf. But we knew that in order to serve the amount of customers that we want to serve, and to be affordable, we wouldn't be able to do that. So we built our own platform from the ground up. We leverage the different security tools that you've already invested in - we do not come in and require you to use certain tools - we're vendor agnostic. We have integrations with over 100 different tools, marketplace with firewalls, antivirus, MFA systems. We leverage what you've already invested in. This is a really big differentiator between us and other MDR providers, for example, where it's an all or nothing solution, you have to use all of their tools. We’re integrating all those tools and information, we analyze all those SOCs, we detect when there's security events, we move out the false positives, and then we elevate issues that are true positives to you. That escalation and support happens through our concierge security team. So this is a layer on top of the SOC that helps you through the remediation process whenever there are issues and they're also going to be those security experts. You can leverage them on a day to day basis to help you improve your environment. We sit down with our customers monthly or quarterly and give you visibility into what's happening in your environment, help you improve your management over time, explore new tools or simply advise you on changes to configurations or policies.

How Do Managed Detection and Response Services Differ From Managed Risk Services?

We offer niche detection & response services and risk management services. And each of those services has cloud add-ons that we call managed monitoring. With our managed detection and response services, we’re going to be monitoring the environment 24/7, looking for security breaches and early indicators of those breaches, so that we can stop them before they become damaging. With our managed risk services, we're going to be constantly scanning your environment, looking for any vulnerabilities and helping you make sense of those vulnerabilities, prioritize them, and plan out projects to take care of them. For each of those services, we can also connect to cloud sources such as Office 365, Google Workspace, AWS, Azure, and so on.

Want to learn more about Arctic Wolf’s cybersecurity solutions and expertise? Watch the full webinar below and contact us today, we’d be happy to coordinate an introduction and quotes at no cost.

Get Started

Get experienced help with your next IT decision.

Talk with a Technology Advisor