The pen testing team performed urgent assessments of key assets and identified vulnerabilities in web-facing servers that could have proven catastrophic had they been noticed by hacktivists. In two cases, a SQL injection vulnerability and an unpatched application with known vulnerabilities were identified. It was later found that both servers had been targeted with reconnaissance activities.
After about two weeks of defending against attacks on all fronts, an attack was finally successful. One of CMI’s websites appeared to have been defaced: The site was not accessible and had been replaced with a message claiming responsibility and blaming CMI for inviting this retribution. The posted message claimed that CMI's servers had been hacked and customer data would be leaked unless certain actions were performed. Verizon determined the defacement was not the result of a compromised system, but rather the website's URL was being redirected to another server hosting the message.
It was later determined that the domain registrar for the affected domain had been targeted in a social engineering attack, during which the threat actor successfully impersonated CMI staff. They were able to gain access to the account on the domain registrar’s service and modify the relevant DNS records, which caused visitors to the CMI website to be redirected to another website.
The affected site was not CMI’s principal website and was only used by a small subset of its customers. The DNS issue was quickly resolved and the affected domain was migrated to CMI's principal domain registrar, whose security practices were superior.
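The redirect described above happened without any CMI server being compromised, so the place to catch it is in the DNS answers themselves. The following is an added example, not Verizon's or CMI's code: a small drift monitor that compares the NS and A records currently served for a domain against a known-good baseline, and flags a change in NS delegation separately from a change confined to the zone contents. The domain, nameserver names and addresses are constructed placeholders, and the resolver is injected so the check runs offline (a live deployment would plug in a real resolver such as dnspython).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

RecordSet = Dict[str, Set[str]]            # record type -> set of values
Resolver = Callable[[str, str], Set[str]]  # (domain, rtype) -> values served now

@dataclass
class DriftReport:
    domain: str
    added: RecordSet = field(default_factory=dict)    # served now, absent from baseline
    removed: RecordSet = field(default_factory=dict)  # in baseline, no longer served

    @property
    def drifted(self) -> bool:
        return bool(self.added or self.removed)

    def severity(self) -> str:
        # NS records are the delegation set at the registrar level; a change there
        # means registrar-side configuration moved. A/AAAA/CNAME-only changes point
        # at the zone contents instead. (Assumed classification, not from the case.)
        if "NS" in self.added or "NS" in self.removed:
            return "delegation-change"
        return "zone-change" if self.drifted else "clean"

def detect_drift(domain: str, baseline: RecordSet, resolve: Resolver) -> DriftReport:
    """Compare every baselined record type against what is served right now."""
    report = DriftReport(domain)
    for rtype, expected in baseline.items():
        observed = resolve(domain, rtype)
        if observed - expected:
            report.added[rtype] = observed - expected
        if expected - observed:
            report.removed[rtype] = expected - observed
    return report

# Constructed, hypothetical baseline (documentation names and addresses only).
BASELINE: RecordSet = {
    "NS": {"ns1.registrar-a.example.", "ns2.registrar-a.example."},
    "A": {"203.0.113.10"},
}
# Constructed snapshots standing in for live answers: one healthy, one redirected.
SNAPSHOT_CLEAN: RecordSet = {"NS": set(BASELINE["NS"]), "A": {"203.0.113.10"}}
SNAPSHOT_HIJACKED: RecordSet = {"NS": {"ns1.other-host.example."}, "A": {"198.51.100.77"}}

def snapshot_resolver(snapshot: RecordSet) -> Resolver:
    """Offline stand-in for a real resolver lookup."""
    return lambda domain, rtype: set(snapshot.get(rtype, set()))

def check(domain: str, snapshot: RecordSet) -> DriftReport:
    return detect_drift(domain, BASELINE, snapshot_resolver(snapshot))
```

Run on a schedule against each registered domain (not only the principal one), a non-clean severity is the signal that a registrar account or zone needs to be examined.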
- Don’t rock the boat. Stay off the radar of any potential hacker.
- Keep an ear to the ground. Base defenses, detection mechanisms and response capabilities on sound threat intelligence.
- Secure your environment. Implement a timely and effective patch management program; conduct regular penetration-testing activities.
- Protect social media accounts. Use two-factor authentication, strong and varied passwords, as well as proper security awareness training for staff members who manage the social media presence.
- Protect third-party services. Protect account credentials; use a reputable domain name registrar that offers two-factor authentication or approved IP address whitelisting.
- Prepare and initiate your incident response (IR) plan. Establish an IR plan early, and then regularly review, test and update it.
- Scope and triage the incident quickly. Scope effectively and prioritize tasks; be prepared to manage simultaneous, yet distinct, incidents.
- Proactively communicate with affected entities. Confirm facts quickly; develop a remediation strategy and communicate this to customers.
- Engage law enforcement at the right time. Consider legal and regulatory responsibilities in conjunction with advice from legal counsel.
Down to the wire
Here is another Verizon case, in the words of the client’s CIO:
“I asked in this day and age, how is it even possible for threat actors to initiate fraudulent wire transfers?”