Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

LinkedIn data breach blamed for multiple secondary compromises

Steve Ragan | June 22, 2016
Services like Citrix's GoToMyPC provide front door access, but they're not at fault

The LinkedIn compromise has been linked to a number of confirmed incidents where data exfiltration has taken place. It's possible these incidents are only the tip of the iceberg though, as many of the organizations compromised are service providers with access to customer networks.

On June 18, Citrix posted an alert warning of an incident that forced the company to reset all of their customer's passwords. A day later, Citrix updated the alert and explained the problem.

"Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users," the company wrote.

Multiple industry sources have shared additional details with Salted Hash, some confirming upwards of thirty instances where an organization has been compromised and sensitive information exfiltrated by the attackers.

However, this number is likely a low estimate, as the compromised organizations are service providers with access to customer networks.

Those who spoke to Salted Hash on the condition of anonymity are still working active cases to determine the full extent of the problems, but the fear is that the customers of the breached service providers have been compromised as well.

The organizations that have been targeted operate in the manufacturing industry, retail industry, and a number of other verticals.

The common thread in each case is the LinkedIn list, generic password policies, a lack of two-factor authentication, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

Citrix called the incident a "very sophisticated password attack," but that isn't the reality of the situation, there's nothing sophisticated going on.

These are straight brute force attacks with a high degree of success, largely because the leaked LinkedIn records have allowed the attacker to reuse credentials directly, or enumerate them slightly, in order to gain access.

It isn't clear if the active cases are all related, or if there is more than one attacker or group conducting the raids. What is clear, is that some of the organizations caught-up in this situation are large ones and the only reason they're in this mess is due to recycled credentials.

There's a method to the madness:

An attacker who has the LinkedIn list knows a person's name, their work history, and their password. Thus, the attacker now has a list of possible targets, a good idea of how network IDs are generated, and some base passwords to start with. There's more work to be done, as the attacker has to identify services and systems exposed to the public, but this isn't an impossible task.

"Typically there would be two types of threat actors that would consume these stolen credential sets," explained Israel Barak, CISO of Cybereason.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.