Cryptocurrency holdings targeted by HubSpot hackers
On March 18, 2022, HubSpot discovered that a bad actor, using a compromised HubSpot employee account, breached almost 30 portals of its clients. The attack seems to have been targeted at HubSpot customers in the cryptocurrency industry.
The companies affected by the breach have said their operations were not affected and they have not lost any funds.
How might you feel if your cryptocurrency was stored with one of those companies? Disquieted, at the least. And so the lingering questions and disquiet in those firms, and among their clients, are object lessons in the importance of guarding any SaaS against hackers.
When businesses subscribe to a SaaS service, they want to trust that security issues are buttoned up, keeping their data, customers, and finances safe. But MSPs, and indeed any business, should be aware of the risks that come with any SaaS, and of how those risks can be mitigated both by common-sense measures and by technical hardening of defenses.
SaaS applications can be especially vulnerable for these two reasons
First, because of market pressure from cutthroat competition and clients who constantly demand better, more innovative capabilities, SaaS applications are under constant, often rapid development. This means that even if an application is securely buttoned up at any given moment, hackers can hope (and regularly probe) for security vulnerabilities inadvertently created by an update, bug fix, or new version.
Second, SaaS applications are almost universally cloud distributed, meaning they bring vulnerabilities including gaps in security that can arise when companies share data or don’t have clearly delineated responsibilities for security. In addition, these relationships can encounter vulnerabilities from inadequate due diligence of one or more partners. (Such partnerships can even include a branched chain of partnerships that further dilute responsibility and increase vulnerability down the line.)
The most common ways hackers gain access
Although highly technical hacks do occur, in which dark-side computer engineers or programmers find and exploit zero-day holes in security or other public-facing, code-based vulnerabilities, these events are relatively uncommon compared to the more prevalent, less dramatic exploits. The most common breaches occur via misconfigurations, using credentials obtained under false pretenses, and using built-in capabilities of the software via valid accounts.
Phishing is just one way hackers get in
Phishing is when an attacker deceives a legitimate user into revealing login credentials or other information that facilitates an exploit. It’s extremely common, because it requires almost zero technical ability and is virtually costless via email or social media communication. Consequently, there are always rivers of phishing attempts flowing against the walls of any organization with data to steal. Sophisticated phishing includes spoofed email apparently sent from trusted accounts, in effect impersonating trusted co-workers or partners.
To avoid and limit the damage from phishing exploits, MSPs and partners can deploy email filters and anti-spoofing technology to prevent the phishing emails from ever landing in inboxes. They can also conduct employee training for recognizing phishing attempts, implement multi-factor authentication, and opt for alternative login credentials such as biometrics, physical smart cards, or USB drives. Finally, since phishing exploits often depend on the user privileges assigned to the stolen credentials, it’s best to limit all user privileges to only what a given role requires.
The biggest vulnerabilities are in software misconfiguration
Because SaaS applications are almost universally user-configurable, the biggest vulnerabilities are in software misconfiguration. Any SaaS application, no matter how reliable and secure it may be when configured correctly, can become highly vulnerable with incorrectly configured settings. Furthermore, configuration and permission settings are usually more complex than users may realize, and can result in surprising and alarming levels of vulnerability.
SaaS app misconfigurations resulting in potentially disastrous data leaks are an ongoing concern, since every app requires configurations that are designed to allow the right users to access information while keeping it hidden from others. Fortunately, the solution is straightforward, if sometimes complex – make sure all settings, with particular attention to security and access settings, are configured correctly. Since low-code apps are designed and sold to be configured by non-specialists, it’s never a bad idea to hire an expert consultant to audit security settings after an installation, major upgrade, or migration.
3rd-party apps and plugins
Low-code apps allow users to modify software for specific, efficient use and higher productivity. That’s the whole point. But embedded in this strength are potential vulnerabilities which must be guarded against. Misconfiguration is only one of those potential vulnerabilities. Another is 3rd-party plugins and apps designed to work with no-code or low-code SaaS apps.
3rd-party apps and plugins should be published by reliable developers, configured correctly, and used only with oversight from an IT department. It’s crucial to manage which apps and plugins are in use, keep an inventory of them, and use a whitelist of approved apps. You want to be sure that a user doesn’t download their own version of an app, or use an app or plugin that isn’t approved.
Buttoned-up access control
Access control management fundamentals include giving access to data, on a highly granular basis, only to those users who need it, and only for as long as they need it. It’s important to build periodic reviews of who has access to what into your management processes, and to remove access for employees who have departed the company or who no longer have a need.
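The periodic review described above, as an added example that is not part of the original article: a small Python script that reconciles a SaaS user export against an HR roster and a least-privilege role map, flagging departed owners, orphaned accounts, idle accounts, and roles that exceed what a job role needs. The roster, role map, user export, review date and 90-day idle threshold are all constructed assumptions.

```python
# Added example (not from the original article): a periodic access review that
# reconciles a SaaS user export against an HR roster. It flags accounts whose
# owner has left, accounts with no owner, accounts idle longer than a grace
# period, and accounts whose SaaS role exceeds the owner's job role needs.
# All data below is constructed for illustration.
from datetime import date, timedelta

REVIEW_DATE = date(2022, 4, 1)          # assumed date of the review run
IDLE_LIMIT = timedelta(days=90)         # assumed inactivity threshold

# Constructed HR roster: employee -> (status, job role)
HR_ROSTER = {
    "alice": ("active", "support"),
    "bob": ("terminated", "support"),
    "carol": ("active", "finance"),
    "dave": ("active", "engineering"),
}

# Assumed least-privilege map: SaaS roles each job role may hold
ALLOWED_ROLES = {
    "support": {"viewer"},
    "finance": {"viewer", "billing"},
    "engineering": {"viewer", "admin"},
}

# Constructed SaaS user export: (account, SaaS role, last login)
SAAS_USERS = [
    ("alice", "admin", date(2022, 3, 30)),
    ("bob", "viewer", date(2022, 1, 10)),
    ("carol", "billing", date(2021, 12, 1)),
    ("dave", "admin", date(2022, 3, 31)),
    ("svc-legacy", "admin", date(2021, 6, 15)),
]

def review_access(saas_users, roster, allowed, today=REVIEW_DATE, idle=IDLE_LIMIT):
    """Return {account: [findings]} for every account that needs action."""
    findings = {}
    for account, role, last_login in saas_users:
        issues = []
        entry = roster.get(account)
        if entry is None:
            issues.append("no HR owner")
        elif entry[0] != "active":
            issues.append("owner departed")
        elif role not in allowed.get(entry[1], set()):
            issues.append(f"role '{role}' exceeds '{entry[1]}' needs")
        if today - last_login > idle:
            issues.append("idle > %d days" % idle.days)
        if issues:
            findings[account] = issues
    return findings

if __name__ == "__main__":
    for account, issues in review_access(SAAS_USERS, HR_ROSTER, ALLOWED_ROLES).items():
        print(f"{account}: remove or reduce ({'; '.join(issues)})")
```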
Multi-factor authentication
Especially for sensitive data, multi-factor authentication (MFA) is a key safeguard. Also called two-step verification, it creates a significant extra level of security, as it requires sign-ins to include not only a username and password but also another authentication step, which can be another item of knowledge, proof of access to a physical device (smartphone or USB key), or biometric data (fingerprint, eye scan, or face recognition).
Logging as a crucial defense
The behavior of bad actors inside a system differs, often dramatically, from the behavior of legitimate users, and so logging is a crucial defense. Capturing logs is among the most fundamental cybersecurity processes. Logged activity can provide the information required to track down or prevent a cybersecurity breach. That’s why logging, together with machine or human analysis of logged data, is critical for security.
Organizations looking for unified security logging in cloud SaaS environments may need to turn to specialized 3rd-party solutions, since native logging in SaaS can prove less than adequate due to multiple dashboards, log files, users, mobile devices, remote machines, and level of subscription.
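The point that an intruder's behavior inside a system differs from a legitimate user's, as an added example that is not part of the original article: a Python detection run over constructed SaaS audit-log lines that flags an internal support account reaching into an unusual number of distinct customer portals within a short window, the kind of pattern the HubSpot incident at the top of this page describes. The log format, account names, 15-minute window and 3-portal threshold are assumptions for illustration.

```python
# Added example (not from the original article): a small detection over
# constructed SaaS audit-log lines. It flags an internal/support account that
# reaches into an unusual number of distinct customer portals within a short
# sliding window. Log format and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, actor, action, target portal (one per line).
SAMPLE_LOG = """\
2022-03-18T09:01:12Z support-alice portal.view portal-1041
2022-03-18T09:03:40Z support-alice portal.view portal-1041
2022-03-18T09:10:05Z support-bob portal.view portal-2200
2022-03-18T09:11:00Z support-bob portal.export portal-2203
2022-03-18T09:11:30Z support-bob portal.export portal-2210
2022-03-18T09:12:10Z support-bob portal.export portal-2215
2022-03-18T09:13:55Z support-bob portal.export portal-2221
2022-03-18T11:40:00Z support-alice portal.view portal-1077
"""

def parse(lines):
    """Parse whitespace-separated audit lines into (time, actor, action, portal)."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, actor, action, portal = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, portal))
    return events

def find_portal_sweeps(events, max_portals=3, window=timedelta(minutes=15)):
    """Return {actor: sorted portal list} for actors that touch more than
    max_portals distinct customer portals inside any sliding time window."""
    by_actor = defaultdict(list)
    for ts, actor, _action, portal in sorted(events):
        by_actor[actor].append((ts, portal))
    flagged = {}
    for actor, hits in by_actor.items():
        start = 0
        for end in range(len(hits)):
            # advance the window start so hits[start:end+1] spans <= window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) > max_portals:
                flagged[actor] = sorted(distinct)
    return flagged

if __name__ == "__main__":
    for actor, portals in find_portal_sweeps(parse(SAMPLE_LOG)).items():
        print(f"ALERT {actor}: {len(portals)} portals in 15 min: {portals}")
```

The same sliding-window count works on any per-tenant SaaS audit export once the parser is adapted to its field layout.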
Cyber loss insurance
Just as no driver, no matter how careful, and no matter how safely designed the car, can be 100% sure no accidents will occur, and just as no homeowner or business can be 100% sure a fire won’t occur, no MSP or other business can guard with 100% certainty against a successful cyber attack.
Implementing the defenses sketched in this article not only hardens your defenses and makes your data and business safer, it also puts you in a position to purchase cyber loss insurance.
Data loss and data breaches are at least on a par with the risk of fire and theft, for which responsible leaders purchase insurance against loss. Cyber loss insurance provides an additional level of security for your business, even in the event that a cyber loss does occur.
The past year has been overwhelming in many ways, but cyber threats really took off and became a primary concern for all businesses, no matter the size. The 2022 Verizon Data Breach Investigations Report (DBIR) summarizes four key paths, all of which are pervasive and should be a focus for organizations: Credentials, Phishing, Exploiting vulnerabilities, and Botnets.
Ransomware Biggest Concern
This year, ransomware threats have continued to rise, at almost 13%, and Ransomware-as-a-Service has become increasingly popular. Blocking the 4 key paths mentioned above helps to block the routes ransomware commonly uses to take over your systems. The threats we faced last year, such as SolarWinds, Log4j, and Kaseya, showed us how one supply chain incident can lead to a wide range of consequences.
The Cyentia Unit 42 Ransomware Threat Report 2022 shares that the average ransom demand on cases handled by Unit 42 last year was 2.2 million, and the average payment rose 78% to 541,010. According to the NetDiligence Claims Study, the average total cost for a ransomware incident for SMEs is $267,000 and $16.6 million for large companies. The average costs for business interruption are $316k total for SMEs and $50 million for large companies.
Human Risk is Cybersecurity Risk
Human error continues to be a trend that drives data breaches; often influenced by misconfigurations of cloud storage, stolen credentials, phishing, or other simple security errors. People continue to play a large role in incidents and breaches, so don’t discount the importance of employee awareness training and the risk your own employees pose to your organization.
Data Breaches are a concern, especially as they are now often part of a ransomware attack
Some of the main causes of data breaches were use of stolen credentials, ransomware, and phishing. Web applications and email are the top two vectors for breaches, followed by carelessness, meaning errors such as mis-delivery and misconfiguration, which are often human errors. The next vector is desktop sharing software such as RDP and third-party software that allows users remote access to other devices. It is important to note that if it’s easy for you to log in, it’s probably not too difficult for a hacker either.
It’s Never Just One Thing
It is important to note that the pattern of system intrusions can consist of complex attacks that involve a combination of actions such as Social, Malware, Hacking, and Ransomware, and even threats originating from partners and vendors. In the past year, we learned the importance of choosing your partners and vendors wisely with all the third-party and supply chain breaches.
Top Causes of Loss for SMEs
According to the NetDiligence study, the top causes of loss at SMEs are ransomware, hackers, business email compromise, staff mistakes, and phishing. These categories accounted for 70% of claims and 80% of total incident cost. The top affected sectors are consistent with the past few years: professional services, manufacturing, healthcare, technology, retail, and financial services.
Cyber threats are becoming more sophisticated, and cyber insurance is now more important than ever to your business. Luckily, if you are incorporating the necessary security controls to combat these threats, you are putting yourself in a better position to attain cyber insurance with better pricing and better terms. Read the reports for yourself and keep your organization educated on the trends in cybersecurity and cyber insurance, and very importantly, put security controls in place to combat all key paths and threat patterns.
Our nation has been facing some serious cybersecurity threats recently. A year ago, the nation was hit with the Colonial Pipeline ransomware attack that showed us how serious these threats really are. Other incidents such as the Kaseya hack and Log4Shell vulnerability showed businesses they need to prioritize their cybersecurity to stay on top of these evolving threats.
Currently, we are expecting an influx of phishing threats due to Russia’s war in Ukraine and bracing ourselves for other types of threats. Because of these recent events, the cyber insurance market is hardening; carriers are increasing their requirements, raising their premiums, and getting their war exclusion policies in order. There are several things businesses can do to protect themselves, their clients, and keep themselves insurable.
When it comes to phishing campaigns, the hacker is after your personal/sensitive information, usually trying to take control of your systems. Employee cybersecurity awareness training is crucial to combating these types of phishing attacks. These threats often use fake social media profiles, acting as recruiters, or impersonating an administrative role at a trusted company, sending malicious emails attempting to steal information and compromise your system. In fact, many insurance carriers are requiring employee cybersecurity training as well as the following and more.
Offsite Backups and Backup Testing
Multi-Factor Authentication (particularly for admin and remote access)
Endpoint Detection and Response (EDR)
Security Awareness Training
Luckily, having these security controls in place will help you better protect yourself and your clients, while getting you better coverage for lower rates and keeping you prepared for our nation’s next threats.
“We’re going to need a bigger boat.” There’s more phish in the digital seas this year.
Researchers from Kroll analyzed data from security incidents they responded to during the first quarter of 2022. The analysis showed a 54% increase in phishing incidents for initial access compared to the first quarter of 2021.
The analysis also showed ransomware attacks dropped 20% between Q4 of 2021 and Q1 of 2022, partially due to law enforcement’s disruption of malicious activity. However, data collected from this quarter suggests ransomware attacks may pick up again. Recently, ransomware groups have been getting involved with Russia in the war against Ukraine, which may lead to some large threats.
How can businesses ensure they don’t fall victim?
Email attacks from Russia are already on a surge. Especially now, be cautious of any suspicious emails and double check the sender. Many phishing attacks are sending legitimate looking emails from administrative members or CEOs of organizations. If something doesn’t seem right, reach out to that person directly. Educate your employees on what to look for and how to not fall victim to these types of attacks through security awareness training and phishing simulations.
Okta has recently admitted to making a mistake by delaying the disclosure of a hack that occurred in January. Okta says that in January the company believed this was an unsuccessful account takeover by the Lapsus$ data extortion group, targeting a Sitel engineer, that required no further action. This “attempt” impacted 366 customers, 2.5% of Okta’s customer base. This was an issue of incident response gone bad. The cause was a hacker obtaining Remote Desktop Protocol access to a Sitel employee’s laptop.
Another similar incident is the Blackbaud hack in 2022, where the company identified a months-long ransomware attack, paid an undisclosed ransom, and the hacker had already compromised the data of over 120 organizations. The company faced criticism for downplaying the incident and waiting weeks to disclose information related to the attack.
Events like these highlight the importance of having strong incident response plans in place, including plans for communication in the event of an incident, as well as testing and practicing these procedures before an incident occurs. Take this as a lesson and keep your company and your clients secure by doing the necessary preparation, properly investigating if you notice anything suspicious, and having cyber insurance in place before an incident occurs.
CISA (The Cybersecurity and Infrastructure Security Agency) is warning organizations that Russia’s invasion of Ukraine could include malicious cyber activity against the U.S. and stated that “evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks”. CISA asks that organizations report any malicious cyber activity. Additionally, during this time, every organization should adopt a heightened cybersecurity posture to be prepared to respond in the event of a cyber incident.
CISA provides recommended actions and resources to reduce the likelihood of a cyber intrusion, quickly detect a potential intrusion and ensure the organization is prepared in the event of an incident. These actions include but are not limited to:
Require MFA for all remote, privileged, or administrative access to the organization’s network.
Disable all ports and protocols that are not essential to the business.
Confirm the organization is protected by antivirus/anti-malware software and update signatures in the tools.
Routinely test backup procedures and have an incident response plan in place.
Conduct employee awareness training to educate all personnel on how to prevent and spot a cyber-attack and improve your organization’s overall digital wellness.
Do not click any links that seem suspicious.
If you have been neglecting your digital hygiene, now is the time to get back on track. CISA advises organizations to plan for the worst-case scenario. Reference the recommended actions and materials provided by CISA and keep your organization educated and up to date on the potential risks and the importance of digital hygiene at this time.