Interviews

Three significant cyber attacks

by Mark Rowe

David Higgins, EMEA Technical Director at the cyber firm CyberArk, goes over three cyber attacks that deserved more attention in 2021.

Unsurprisingly, 2021 saw no shortage of cyber security moments. Attacks that affected millions of people made headlines recurringly, as companies grappled with the aftermath of disruption and breaches.

The Colonial Pipeline cyber attack, alongside a series of other high-profile ransomware attacks, dominated the media and conversations. However, there were countless other significant incidents – with the potential for far-reaching privacy, regulatory and even human safety implications – that didn’t make headlines. While most were overshadowed by competing news, or simply brushed aside, it’s now time to take another look at these attacks, as many could provide lessons still waiting to be learnt.

Here are the three most significant cyber attacks that merit reflection:

The Florida water facility attack – beware of widespread vulnerabilities in industrial control systems

In February 2021, a threat actor attempted to poison the water supply of a Florida city. Reminiscent of a Hollywood movie scene, the cursor on a local water plant operator’s computer screen began moving independently and accessing applications that controlled water treatments. The attacker behind this allegedly boosted the concentration of sodium hydroxide in the water by a factor of 100.

No one was injured as a result of the operator’s prompt discovery and immediate steps to stabilise the water levels. However, the “might haves” loomed large, and the attack underlined how serious cybersecurity issues within critical infrastructure remain.

For a variety of reasons, the public utilities industry is particularly vulnerable to threat actors. For one thing, much of the infrastructure that controls industrial control systems – the systems supporting key services — was developed in the 1980s or 1990s. Because of the crucial nature of utility operations, the creators of these systems had to prioritise system availability and interoperability over security. As these systems got more integrated with internet-connected IT over time, they became more appealing targets for hackers.

Despite increased spending on cybersecurity operations and maintenance by both the government and private sector, many utility firms are still struggling to keep up with increasingly sophisticated and highly targeted attacks. And the stakes are high; public safety is potentially in danger, as proven by this episode, in addition to negative publicity, brand harm, and hefty regulatory fines.

“Unfortunately, that water treatment facility is the rule rather than the exception,” wrote Christopher Krebs, former director of the US Cybersecurity and Infrastructure Security Agency (CISA), following the attack. “Even the basics in cybersecurity are often out of reach when a business is battling to make payroll and keep systems running on a generation of technology produced in the last decade.”

The Verkada breach – don’t under-estimate the dark side of IoT

The Internet of Things (IoT) provides threat actors a large attack surface and continues to pose a daunting cybersecurity problem for businesses, with billions of connected devices (and counting).

Attackers infiltrated Verkada, a cloud-based video security firm, in March 2021, demonstrating how IoT devices, like other sensitive network assets, pose a danger. The attackers were able to traverse through live feeds of over 150,000 cameras stationed in factories, hospitals, classrooms, jails, and more, while also obtaining sensitive footage belonging to Verkada software clients, using authentic admin account credentials found on the internet. It was later confirmed more than 100 people within the organisation had “super admin” access, each of whom could access thousands of customer cameras — demonstrating the potential dangers of overprivileged users.

Fortunately, the incident caused only minor damage, but things could have been much worse. The breach was only the tip of the iceberg, demonstrating how dangerous unsecure IoT may be. This has raised new questions and fuelled ongoing privacy debates about how surveillance technology should be used, how sensitive data — such as bedside footage of a hospital patient or proprietary manufacturing processes in action — should be stored, and how access to this data should be managed.

While the incident did not receive much attention, it should not be overlooked, as daily life becomes more networked, the subject of “who watches the watchmen” will undoubtedly resurface.

The Twitch data breach – understand the importance of least privilege access

Twitch, a popular video game streaming network, was the subject of a potentially catastrophic data breach in October 2021. Threat actors allegedly took the platform’s full source code, as well as 125GB of sensitive data, including top user pay out information, and leaked it online in order to “promote further disruption and competition in the online video streaming industry.”

The problem was prompted by a “server configuration change that permitted improper access by an unauthorised third party,” according to a corporate statement. Such misconfigurations, particularly in cloud-based environments, are very common, and can potentially open a path to sensitive assets such as source code and other intellectual property. Traditional change control procedures for correct configuration are exceedingly problematic in the cloud due to its dynamic nature.

While Twitch later stated user passwords and bank account information were not accessed or disclosed as a result of the incident, privacy-conscious users were not waiting to find out. On the day the news broke, global web searches for “how to delete Twitch” increased by 733 percent, implying the platform’s popularity could suffer as a result of the hack. The attack highlighted the numerous issues businesses face when it comes to safeguarding cloud environments, as well as the importance of least privilege access in reducing risk and defending against internal and external attacks.

As it is often said, “history doesn’t repeat itself, but it sure does rhyme”. These 2021 cyber attacks faded from view fast, but the battle at the cyber front continues. As cyber tactics evolve and threat vectors increase, a look at the past gives us valuable lessons that are critical to future wins.

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing