Top 10 Breaches of 2021

Listen to learn about the top 10 breaches of 2021.

SecurityMetrics Podcast | 42


Matthew Heffelfinger (Director of SIEM Operations, GSTRT, CyRP (Pepperdine), GRCP, SSAP, ITIL4-F, GISF, PECB) and Forrest Barth (SOC Analyst, CISSP, CMNO, Security+) sit down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss the top 10 breaches of 2021.

Outline of breaches:

0:00 - Intro
2:16 - #10 - Kroger (Via Accellion) Breach
5:27 - #9 - Carnival Cruise Breach
10:07 - #8 - Neiman Marcus Breach
12:41 - #7 - Robinhood Breach
18:34 - #6 - JBS Meat Plant Breach
23:28 - #5 - T-Mobile Breaches
27:19 - #4 - Facebook Breach
31:55 - #3 - Socialarks Leak
34:49 - #2 - Microsoft Exchange Breach
40:51 - #1 - Colonial Pipeline Breach
50:16 - 2022 Cybersecurity Predictions

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Top 10 Breaches of 2021

Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. So excited today to talk to you.


This is our final episode of season two. Season three is gonna be amazing. And with me today to talk about what happened this season, I have Heff and Forrest. Will you please I know what people a lot of people know you already.


You have your own podcast with SecurityMetrics where you do the news. But if you wouldn't mind, in case people here, on this podcast are new to you, please introduce yourself so people know who you are, what you do here.


Well, first of all, Jen, thank you for inviting us on your show. We love we love coming down. We love hanging out with you and talking with you.


Always a good time.


Yeah. And and especially shedding a tear, this is the last episode of the year.


I know. It feels like it's how is this year already gone?


Yeah. Too fast. Yeah. But it was damaging this year, and I can't wait to talk about that. But I am Hef. I am part of the SecurityMetrics Security Intelligence Center and the Threat Intelligence Center here, and I am the director. And our job is to kinda find the bad guys, stop them, notify our clients, and and do that.


So Yeah. I'm Forrest. I'm a security operations center analyst. So I hunt down the badness and report it. So Yeah.


Yeah. And if if people have been following along, Forrest and I actually went to Defcon and we got to do a little bit of recording there together. It was super fun. It was actually my favorite time ever of going to Defcon because nobody was there.


I know that sounds rude, but yeah, I mean, I got to go into yeah. It was empty. I got to go into all the labs. Unknown reasons, really.


Wow.


I mean, who would have figured?


But Yeah.


Today, this topic is is super exciting because we get to talk about the top ten breaches of twenty twenty one. Now It's a crowd noise. Yeah.


What was funny about this is, of course, being very logical people I got these questions. The the largest in terms of impact, the largest in terms of, records taken.


What do you mean by largest?


Oh, yeah. Definitions. Yeah.


It's so hard to pick.


I mean, that's a challenge. What do you go on? Do you go on all those metrics?


Or Nope.


Here's what we went on. Go by what's the most fun to talk about, and that's what we're gonna do. So Yes.


Starting in the tenth place, we have Kroger via Accellion.


Oh, yes. And Accellion, this thing just snowballed.


Oh, yeah.


And it there I mean, there Jen, there were probably hundreds and hundreds. I mean, University of Stanford got caught up in this. Defense contractors, everyone and anyone got caught up with with the Accellion breach.


Yeah. Yeah. Bunch of places, Shell, Qualys, Morgan Stanley. Like, it it just goes on and on. Tons of universities. Like, it was it was absurd.


In in my opinion, I think this one should have been higher up, but that's just that's just me.


Yeah. The, what I thought was pretty interesting about this was, the Five Eyes countries. So US, Canada, Australia, New Zealand, the UK issued a joint security advisory.


That never happens.


Like, yeah, that was like, woah, all right. Hold the phone.


But yeah, for for for a product that was essentially reaching end of life. Right. Like it was it was on its way out to being sent to pasture. And then it just it got owned hard.


And then that I mean, just goes to show you, we hear all the time as as auditors, well, this is going to be sunsetted anyway. We're we're we're changing over to this new thing, so this isn't gonna really matter. Do we really have to talk about this?


Right. The end of life stuff. The especially in this example, you have Accellion FTA appliance. It's on prem Mhmm.


Which makes it already dangerous. And then you have folks that are just not following the the directive that, hey. We're not gonna support this anymore. Accellion's saying that.


Yeah. And then, we they I think they released a patch in December. And then if you did not do that patch and you missed out on the next patch, which a lot of people a lot of businesses missed out on the email, and that's all Accellion did. So they they were in a little hot water about that where they sent out the notification, but if your IT admin missed it to do the patch, uh-oh.


And how many emails do we get every day?


I got that exploded. Oh. But but, you know, Jen, what what made this dangerous, especially for people like companies like Kroger, is you have all those medical records, the pharmacies that they have. Yeah.


And I think there was something like one point four seven million records or something. Medical records, Jen, that were caught up in this. So I think that's why we we kinda have it in there. I know from a from an attribution standpoint, the bad guy was they they attributed to the CLOP ransomware gang Yeah.


And FIN11. FIN11. Yeah. Yeah. And FIN11, they're they're very dangerous folks out there.


They they love to target certain industries. They love to go after the financial aspects Mhmm. Of, you know, getting their ransom and so on. So it's Yeah.


There are some groups that will not go after health care, but, most of them just do not care. Kroger said they only lost one percent of its customers were affected.


Well, and you remember that that number's a little misleading. That's one percent of customers that are actually registered as shopping at Kroger. So there's a lot of people that don't that that go in there, and they don't have their, you know, typical their Kroger card.


Do you have a shopper's card? I always say no because guess what? Don't. Are you paying cash?


You're not gonna be part of this this breach.


Just use 867-5309.


Jenny, Jenny. Alright. Let's go to number nine. Carnival.


Do you like to cruise ship?


You know, I can't I have never been on a cruise.


I got talked into agreeing to go on a cruise this spring, and I am stressed about it because you know why?


Why? You're you're trapped on a boat. What am I gonna I can't face it. It's gonna be.


You smuggle liquor in shampoo and conditioner bottles. That's what you do.


Oh, so you go and just have a wild rager for, like, a week.


Don't follow Forrest's advice. Okay?


But, Jen, this was their fourth data breach in two years. Oh. That's that's what's disgusting. Yeah. I mean, it's filthy. Disgusting.


Not not only that. This was the second time they got hit with ransomware. Yeah. They they they apparently didn't learn the lesson the first time.


And when you look at all the times that they have gotten hit with ransomware or any kind of damage, cybersecurity damage, it's like you would think they would have learned. I mean, one time it was a phishing email. Another time it was just unsecured hardware.


When this breach got announced in March, prior to that, you're talking in eighteen months, four times in eighteen months where they're they had this happen. And and Carnival, the amount of data they collect is ridiculous. Every part of the guest experience is tracked or data is collected in some way, shape, or form. So is it necessary? I I don't know about that, but all of that data got got breached. And you're talking, again, Social Security numbers, health information, passport numbers, because you're on a boat. I'm on a boat.


I would I would be don't make me sing again.


I would be interested to know, are these boats under whose laws do they fall under?


Because if you have a data privacy concern and you want your data scrubbed from an ocean going vessel, how I need to look that up.


I remember there was there was a lot of of, you know, yelling happening because a lot of these cruise lines had them, registered as being, under a different country's country of origin. Yeah. So when it came time for, you know, the the TARP payments and, COVID and getting that that bailout money, they're like, oh, we need this. And it's like, but you're saying that your ship is registered under whatever country so you don't qualify.


There was there was a there was a lot of Chaos on the scene.


One more thing about this Carnival breach is they're very not, forthcoming with what happened to your data. They we still don't know to this day who the attribution is. We don't know who the bad guy is, and we haven't really got any updates, from Carnival and any kind of press releases or anything like that. So, again, it it it seems shady is what it comes down to. You do I trust myself on a on a company that is not being forthcoming with how they're handling my deal?


In my heart of hearts, I really don't like regulations and I don't like compliance. Why am I I am an auditor is beyond the wrong job. I know. It's weird, but, actually.


But you're good at it, though.


But, you know, and if if there's a purpose behind it, right, if there is if we can increase security by enforcing compliance, I am I am one hundred percent on board for that. But the question is, is this caused because, like you said, well, who is in charge of these ships? Who gets to say what the rules are for them? You know?


And if the rules are, then, who who forces them except for their customers? And are there are there typical customers going to know that they've had breaches? Is their typical customer going to understand even if they do had if did have a breach and then they hear the marketing, we care very much about your Oh, yeah. Whatever.


It's the same lame press release. And we've talked a lot about this on our show where we talk about the how poorly written these press releases are about these data breaches.


And Just fluff pieces.


Fluff. Yeah. And the good thing is, you know, the governments, especially in the US, they're working on, legislation right now to clear up breach notification. And and you talk about a law, a standardized breach notification law. What you need to see in these press releases Yeah. That go out is gonna be critical. You'll see that trend over the next decade.


Yeah. We're seeing some good things come out of HIPAA of all places. Yeah. Because when breaches happen and then, they go through the whole process of settlement, the the HHS OCR takes and publishes what they found and they publish what they're going to do about it and and what what caused the thing in the first place. We learned so much about data breaches in the health care industry because of that publication. And just imagine what we could do if we had, deeper insight into some of these other organizations.


Well, should we, should we go on one, to number eight, Neiman Marcus?


This yeah. And this is a tough one to talk about. It's it's big because it's the name. Right? It's the name Neiman Marcus. But, you know, when you look at the records that were were compromised, it was only four point six million records.


Only. Right?


But, yeah, it wasn't as many as what you're as you're gonna see the audience is gonna see over the next couple, breaches that we talk about here. But but, you know, talk about four point six million, credit cards, payment information, virtual gift cards.


And we still at this time, that was a new breach. That Neiman Marcus just happened in September. Yeah. So we don't really have I don't think we have attribution on that yet. Who did it?


Not as far as I could see. It it's kind of interesting to note that that, all of this, came about after they had filed for Chapter 11. Oh.


So they they apparently have come out of that now. They they got bought bought by, some investment firms, to to float them back up. But I I would not doubt that as part of that process that, you know, security probably was not at the forefront of their minds. And after all, IT is a cost center. Right?


You know?


So, I I I do wonder if that had some type of role in, in this in this breach. Good call.


Yeah. That's, you know, it's frustrating when you're right. Four and a half million people.


It's a small number compared to some breaches. But then that's four and a half million people who have had to deal with fraud against their credit cards, potential identity theft.


The inconvenience factor.


The the in yeah. The inconvenience factor alone. But then when you take into account well, you know, depending on how much information they had from them, they could have, really, caused some problem for people's everyday lives. And that's why I love security is knowing that the work that we do affects people positively in their just their day to day. I mean, we've all lost a credit card, right?


Yeah.


And then it's a hassle or or a or a driver's license. But imagine a bad guy having it. Yeah. And how much worse that is. And so that's where I like this.


But, again, you know, in the Neiman Marcus case, the the press release folks was horrific. I mean, it didn't really tell you anything. And to and, again, it just happened in September. And to this day, we still don't really have much information on what we should be doing or how we should be handling our lost Neiman Marcus account. So Yeah.


I mean, it's it's fine. It's, you know, it's Neiman Marcus. They're rich enough to, you know, have somebody run wild on their car.


Nothing to see here, folks. Move along. Move along.


Hey. Let's move on to the little people. Number seven, Robinhood. Robinhood has been in the news this year. Right?


Yep.


Yep. Retail investors.


Stock trading app Robinhood.


Yeah. It's been, it's been a wild ride for them. And, I don't know. You guys probably remember earlier in the year where where a few small groups of people took what was it?


Shoot GameStop.


GameStop. That's the name. The game.


That's what they yeah.


These were games. Up and they Wall Street Bets apes.


Yep. Yeah. Oh, man.


What a I'm shocked how many people use Robinhood. And I I mean shocked. I didn't realize it was that popular. I didn't know seven million people used, and that's how many records were caught up in this breach.


Seven million just happened. This thing just broke this story just broke a few weeks ago, if you're watching this. So but, you know, we don't have attribution yet. We don't know who the bad guy is.


We do know that the vast majority of people that were affected, according to the press release, they basically just lost their email address and their full name. But as far as we know, there were small select group of people, like three hundred and ten people who lost everything. You know, name of name of, name, date of birth, ZIP codes, you know, more extensive account information was caught up in that smaller percentage.


Why? What was that what what was different about that three hundred and ten?


You know, there there's some inner circle type conversations that I've heard that are, social engineering was used Mhmm.


To convince an employee to give up access to certain systems within Robinhood's infrastructure.


And they did it through their customer support. So it sounded like social engineering was used Mhmm. To get through a customer support representative, and that's how some of that light information got out. So that's why it was only such a a small amount of people is because that customer support representative only had access to that small amount of people.


Interesting.


Still still dangerous, though.


I mean, especially, you know, if you're running all your investments through one app, what company, one bank?


Well, apparently, it's very popular with, like, the twenty somethings. Yeah. Two of my three kids use Robinhood, and I had no idea. But they think it's fun, and they think it's interesting. And and, yeah.


Could I could I just add? I mean, if if you are using Robinhood, there are anytime you experience this, there are some things you can do. Obviously, change your passwords. Right.


Forest will talk talk about this forever. You know, never use the same password, multiple accounts. Turn on MFA. Robinhood actually allows you to do that.


Nice. You know, setting up short term fraud alerts Yeah. For something like Robinhood is important. Freezing your credit report.


I'm sure people heard that before. Yep. Blocking your credit report, which is a good good tactic to do. You know, credit monitoring service.


You'll probably get another year subscription for free. Right. And because they give that forever.


Tired of hearing this, and yet it's the right thing to do. These are the things that we just do. Just like, you know, getting your oil changed.


Yeah. Locking your door when you leave the house. Yeah.


Forrest actually said, I mean, if you use Robinhood, you should probably watch the movie too to get your mind off the damage that's been done. Robin Hood: Men in Tights, the Mel Brooks one.


Okay.


That was That's the best thing he recommended. Clearly.


That's what he So I think I thought we were I thought we were going with the, Kevin Costner.


I was what was this? Anyway.


Robin Hood. Yeah.


Yeah.


Well, and while we're on the topic of of, you know, apps that allow you to do MFA and for people, I I'll bet all of our listeners know this, but just in case, MFA is multifactor authentication. It's where you have a user usually okay. Usually, it's this. You have a username, you have a password, and then you have some other, like, authentication app on your phone or you have a text that comes to you with a number, something like that.


But it's a it's out of it's different than just a username, password, and another thing you know. It has to be something else that comes to you. Right? Or a physical token, something like that.


So MFA is really important because and people often hate it because they're like, well, it slows me down.


Yes. But it protects you.


It's if it slows you down Do it.


Imagine what it does to the bad guys.


My my argument for that is, if it's properly implemented, it will usually be faster.


For instance, if you mentioned one of those physical tokens, you know, somebody has a YubiKey, you literally reach down and you touch the side of your computer and you're there it is. Like Yeah. That's Magic. That's the the standard that that developers should be striving for. I know I have vented about this many times in the past, but please, like phishing, all these kinds of things, it's a solved problem.


Yes. And YubiKeys, besides which it's like you said, it's easy to use. They're kind of cool. What do you use? I got YubiKey.


Yeah. Right? But you know what else offers multifactor authentication that everybody should be using and they don't often think about it. And because I was thinking of twenty somethings, Instagram.


Oh, yes. Right.


And Facebook. And Facebook. Do you know that they offer multifactor authentication? And a lot of people don't think, well, it's just my account.


No. Nope. It's more than that because this is where a lot of social activity happens, but it's also where a lot of business happens. And so I, man, I just wish everybody would kinda get used to the idea that MFA is just something that you do.


And if you don't have it installed, something's wrong.


It always amazes me too, like, the amount of people that get popped on Facebook.


My Facebook account's been hacked. My Instagram account's been hacked. And my response is always saying, did you not know they had MFA? Could you please turn it on?


That'll save you from this conversation because it's multiple times a year. I see this. Yeah. Just turn it on.


It that it's that simple.


Yeah. Yeah. Save yourself the embarrassment of, oh, I didn't write those messages. Yeah. Unless that's just your crappy cup.


Ignore my ignore my message to you. Yeah. Ignore my text maybe.


Terrible thing to say for Don't drink in social media.


Yeah. I think that's probably wise. So what you're saying is I should not take a laptop on the trip on the cruise. Yes.


Okay. When when you when you crack into your chicken bottle. Yeah.


Number six. I oh, this one made me so mad. And that's why it's so high up because bacon is life.


So number six, JBS USA meat plant.


Jen, this one this is heartbreaking. Yeah. You know, folks, in the audience, it's the largest attack ever on our food production.


That right there Yeah.


Moves it to the at least to the beginning part of this this list that we have for you. The largest attack on food production.


I I should probably withhold my, my opinions of, meat.


Vegan.


Eleven Not not quite vegan. Eleven million dollar in ransom payments. They actually paid the ransom. Yeah. So that makes you even more frustrated on top of the largest attack on the food production plant.


The just the the amount of the the ransom that was paid was was pretty incredible. Yeah. Yeah. It was they they had requested I think it was twenty five million initially. Yep. Negotiated it down to eleven.


That was still a pretty massive price tag compared to even some of the the breaches that we still have coming up in in, you know, Dallas.


And this happened in May, but it really wasn't until July where you start to really hear about it in the news. You start to see meat prices rise. And how much of that is is justified? We don't know.


But, I mean, people were panicking when they heard this happen. You know, people were worried about losing their jobs. And you think about how big JBS is. It's Brazilian based company, but they got meat packing plants all over the slaughterhouses.


You have Canada, US, Australia. That's a huge footprint Yeah. To talk about.


It's massive. And then, also, when you consider and I think all of us have experienced this over the last year, year and a half is, food chain, food supply insecurities.


Yeah.


I think we're seeing that there are some some ways that they're not as solid as we thought. You can't just go to the store anytime you want and get anything you want. I think we understand that now. Yeah. And this this attack on food production should be considered a attack an attack on critical infrastructure.


Right. Right.


Because our our food supply is something that that is pretty important to us. And so when we look at that, people who are in, in the business of supplying food, what kind of cybersecurity do they have in place?


None. None. And that's what the takeaway is you get on this. And, Jen, what makes this even worse, the attribution on this was REvil. And we've we've talked numerous times on our show about REvil and the damage, and and and I'm sure Forrest, he can rant and rave about REvil. But preceding this attack, there were some forty additional attacks that get that got glossed over in the news that you didn't even really hear about. Forty additional attacks on different food producers.


You're talking about proceeding in the twelve months, preceding the JBS attack, including Molson Coors. So and I know that that the when the beer supply got attacked, people were really upset about that too. Don't mess with the beer. Right?


Well, was REvil also the one responsible for attack on our on our water supply system, in in Tampa? Or was that a different group?


They they all go together.


It's Yeah.


Right. I think you're right on that. At this point. I could be wrong about who did that.


But I just remember, you know, we we were getting attacks on things that are immediately affect our health and well-being.


And and we can joke about Molson Coors, but, I mean, it is the banquet of beers. So Right. Right.


Just But, you know, we don't even have that water supply attack you're referencing.


Yeah. That's not even in our top ten list, but it's a critical piece of infrastructure. And I'll probably highlight that if we have an after show here. But, yeah, that that water supply attacking on the water supply, attacking the food supply, you you just don't do that.


No. And now we fast forward in time. REvil's been shut down. They've been re they rebranded themselves.


They I mean, very quickly, they went offline to try to minimize the, the damage. Yeah. I wonder And they released the decrypt.


Smacked them pretty hard, I guess. Yeah.


Yeah. Yeah. My so my husband was working in Tampa at the time that that attack happened. And it and as soon as attacks start feeling personal, people start taking action on, what does this mean to my business? But the hope is that even if your business hasn't been affected, even if people are still secure, the takeaway is learn from other people's mistakes.


Because if you don't, it gets much more expensive to fix the mistake than to even though I understand cybersecurity is expensive, but you know what's worse?


Cyberattacks.


Yeah. Damage. And the number one thing that you take away from all of these breaches, Jen, is the human element, and you and you'll hear about that a lot. It's the human element.


And nearly all of these breaches where the human either clicked on the phish, or they didn't do the patching, or they didn't do the basic steps, the cyber hygiene steps that we talk about all the time. Yeah. They didn't do it. And that's why we keep having this.


Yeah. Yep. So we're gonna keep talking about it until everybody's great.


Yes. Yes.


So that takes us to number five, T-Mobile.


I I wanna get up right now and walk out. That's how upset I am. This one got me more upset and more fired up than any of the other breaches. Alright. Even more than the food supply for us.


Do you have T-Mobile?


Former. Former. So, that's the thing. That was the thing that was really infuriating about it is that even though I no longer use their service, I was still impacted by this.


Oh, no.


Like, they were no longer getting my money. They were no longer providing me service.


But, you know, they they still had your data.


Breached my info.


Eighth data breach in three years. Let that sink. I'm gonna repeat it. Alright? That's how important it is.


Eighth data breach in three years. Fifty four million records. And then they tried to gloss over it. And the initial report, Jen, they came out with was like, oh, it's just forty million records.


That was the original press release. Oh, and then we revised it to say fifty four million records. And and, Jen, the way this went down was atrocious. The attribution part of it, how it actually happened.


Do you you wanna try to explain them or you want me to?


The the what I I thought was incredible was the the the attacker then came forward.


This dude in Turkey, John Binns.


Just slap it in our faces.


Yeah. Just like he he didn't care. He's like, I I want people to know how bad their security is. Yeah. Like Oh.


That at that, like He he came out in the news and he said it awful.


T-Mobile security was awful.


Oh, clearly. Yeah.


Yeah. And the way he said it was, you know, I was able to get access to their data center. Everything was left unprotected. I was able to get in, found stored credentials on their servers.


I was able to get access to more than a hundred servers. I got in there, and guess what I did, folks? I got fifty four million Social Security numbers, names, addresses, driver's license, IMEIs from the phone, IMSIs from the phone, anything with that was stored with those accounts. John, an American now living in Turkey, was able to get access to.


And then to go on TV and the news and brag about it and and just, this this breach, there's so many little things that Yeah. That have me so upset. I'm ready to throw the laptop.


Right? Yeah. The and the the, you know, the the compensation, was basically, oh, we'll give you some some subscription services, for free for a while, and we'll give you a couple years of identity protection. And it's like, okay.


When I actually tried to sign up for it, you just get a sales runaround. They're trying to get you to give them money. It's like, no, no, no. Yeah.


They make great TV commercials. They sponsor stadiums wonderfully. And, oh, by the way, now we're gonna give you, Disney plus. We'll give you a year of Paramount plus, and we'll, we'll throw an Apple TV for a year. And, oh, MLB's TV subscription. It's like, you just they'll clean up your act.


Breach as loss leader is not that's just not classy. No. No.


No. Fix it. You know? Absolutely scummy in my opinion.


And then when you think about, you know, there are people like you who were affected, regular everyday folk, but in a in that you know, in records that are that many and then they have enough information about the phone, do they have enough that they could, clone the phone?


Well, SIM swap. Yeah.


Yeah. Let's talk about that. Could they have could they have SIM swap with this information? Possibly.


And so then you think, well, how many world leaders had T-Mobile? How many heads of industry had T-Mobile? So it's not just the, frustration and and, and impact to the individuals, but also people who have enough power in in our lives that it it could cause additional harm to a greater group of people.


Yeah. Once again, going back to the the whole idea of critical infrastructure.


This most definitely fits that criteria, and, I would really like to see, them clean up their act because, man, yeah.


How how many times how many times does it take before Yeah.


They they Honestly, shame on you, team. We will get it together.


Alright. So then is oh, why are these guys on the list? Number four. I mean, I know why they're on the list, but I don't like talking about them.


Facebook.


Well, it's now called Meta, Meta something. Right? They changed the names. Hey.


But, you know, number three and number four can kinda go together because the number four breach on our list is five hundred thirty three million records leaked Mhmm.


As part of Facebook. But prior to that that that happened in April. But prior to that in January, there was another leak of Facebook information and Instagram and LinkedIn, via Socialarks. So we kinda lump those two together.


The the January leak was caused by the Chinese company, a social media management company called Socialarks. So what happened then is by April, the threat actors, they gathered up all of that original data from the leak in January and packaged it with another round of leaks. And most of this all came out of these API, these data scrapes, which, do you wanna kinda dive? We talked a lot about data scraping.


Yeah. Yeah. Basically, just requesting web pages and copying the information, but done, thousands of times a second.


Automated bots are scraping the API, and they're collecting all that data that's available open in the in the API that's not locked down. And then there's reselling that and packaging on the dark web.


Yeah. Yeah. But it's not a breach. Open. It's it's not a breach, Matt.


But that's this is for a soapbox.


Right? Yeah. It's, yeah. That information was was publicly available. And it's like, okay.


Like Oh my goodness.


You guys have no controls in place to stop somebody making all these thousands and thousands of requests.


Like Feels a little bit like what what the definition of is is.


But that that that was damaging in that with Facebook and LinkedIn and, you know, Instagram, they just downplay these data scrapes. Like, oh, it's nothing to see or nothing big. Don't worry about that.


Let's put it in perspective for people. Five hundred and thirty three million records. What's the population of the United States of America?


Three hundred and sixty some odd, you know?


Three thirty, three sixty, somewhere in there. I don't know. I'd have to go look it up again. Yeah.


But look, and that's more than that, just to put it in perspective for people. I mean Because sometimes big numbers are really hard to get in our head. So we're talking of course, these are from other other countries as well. But also, of course, a lot of our population is below the age that should even have a Facebook.


So what we're talking about is is pretty much affected everybody.


You know? Yeah. One one in fourteen people globally. Yeah. If we will. Like, come on.


To be very clear, though seen. In the April Facebook, data scraping where you had these five hundred thirty three million records, it also included the data from that January breach with Socialarks. And the Socialarks, Chinese that Chinese social media company, that was actually caused by an unsecured, stop me if you've heard this before, an unsecured Elastic database. And that we've talked, I mean, countless times. The no breach is because of you have an unsecured database.


It's a bit obscene. I I I think it's actually kinda hilarious. I I once went to, an Elastic engineering certification course that was hosted in a Marriott the week after they disclosed that they got breached because of their insecure Elastic centers.


Lovely. It was.


Good takeaways from those. Yeah. I hear a lot about how, oh, the cloud can't be secured, yada yada. And I think that that's a dangerous message.


Yeah. Because then people, A, don't use a tool that is excellent, in many purposes, but also B, they just say, well, you know, everybody's going to get breached, so we just have to kind of plan for it. But securing your cloud environment is it is a known thing. What you have to do is not it's not magic.


Oh, we couldn't secure it because nobody had secure magic.


Right.


Somebody just straight up didn't follow the instructions. And and, I've been to through a lot of AWS, documentation that goes step by step by step. Here is what you do for security. Here's what you do to make sure you have done that step correctly.


And they have videos. Yep. Exactly. Videos that are free.


They're free. Yeah. Yeah. Yeah. Yeah.


It's it's it's very damaging, and it's very disheartening to hear that that especially with with today's knowledge of cloud and cloud security and knowing that this is such an important threat vector for the bad guys to enter your place that you you gotta you gotta have that on the forefront of your mind. Yeah. Yep.


Yeah. So so we actually have number three listed what we just talked about, and we kinda swept right from Facebook into the whole Facebook, Instagram, the link LinkedIn Socialarks thing. Yeah.


And so when you consider the two hundred and fourteen million from that unsecured, the unsecured database and then the five hundred thirty three million, you know, added onto it from the scraping.


You know, Facebook's gotta They got some problems.


They did they did patch it, and they did I think it was twenty nineteen where Facebook came out, and they they tried to patch it or something. But it's not just them. It's countless other companies where their API is just vulnerable. I mean, we could go through through hundreds of these use cases Mhmm.


Where this past year, we had a breach, and the breach was caused by the data being scraped from the API. But it's not a breach, folks. So Yeah. Nothing to see here.


Moving along. In some way, I think the message has to be, you know, taken not just to, businesses, but also developers.


Yep. And and because what I see is that somebody will have an idea and they'll develop a thing without thinking at all about security.


Okay. If you're of a developer and you wanna develop this thing, that's fine. And if you don't know the security, that's fine too. But you know what?


There are lots of people out there who do know it, and you should maybe run past them what it is that you're doing instead of developers sometimes. And I'm not trying to knock on developers. I love developers. But sometimes they try to wear all the hats when they don't know all the hats.


Yep. And we brought that up last week in our show where we talked about they talked about the Discord breach and how Discord prioritizes functionality in their app over security. Mhmm. And when you have that mindset, it's all security is always gonna lose out.


Yeah.


And then we, as a customer, lose out on that that ability to protect our data.


Yeah. Yeah. It's it's I I I feel a lot of the time, developers are put in a hard place where, they're they're given some very strenuous time constraints.


Mhmm.


And it's like, you need to get this thing done by this point in time.


That's it. Move on to the next thing and just pump it out one after another. Yeah.


So it's It's not an easy job for them at all.


Yeah.


It's not. And if you look at the the, so a lot of people are in the agile world and they do the scrum type things. But and and they they fail to recognize the real definition of done because the real definition of done is is it on production systems with security applied. And and that just doesn't somehow get into the big visible charts that everybody uses so that everybody knows. So something has to be done to shift that even if they're not the ones doing the work on the production systems, doing the work on the security controls. They need to make sure that that gets put into what the that definition of done so you don't wrap up something and go on to something else without really hitting that finish line.


Yeah. And and, you know, I always say it's I care about my data in transit. Is it encrypted? My data at rest? Is it encrypted? Those are the kind of things. If you get that in the forefront of your mind in the way you're coding, you've we got a good shot here at maybe stopping the bad guys.


Yeah. So number two, MS Exchange breach. What happened there?


Oh, boy. What what didn't happen there?


Oh, so, yeah, four zero day exploits, were leveraged, by China according to attribution.


Yeah. Hafnium, I believe, was in a half. Hafnium. Yeah. And at least nine other threat actors were involved in this.


Yeah. Yeah.


Later on, once, once they started publishing patches and everybody just hopped on board at that at that point, it was, you know, reverse it and see what you can get out of it.


And I'm glad you mentioned that because a lot of people don't know when a patch gets released, that's when you're really vulnerable because you have to get it installed. Otherwise, the bad guys have already gone and said, oh, what's this patch do?


Oh, I know how to breach this vulnerability. Yeah.


They start scanning. Mhmm. And that's what they did in this in this situation.


There's an estimated two hundred and fifty thousand servers at one point that were vulnerable that did not have these patches done. And, you know, Jen, you're talking not just anyone that uses Microsoft Exchange, but you're talking about MSSPs and these providers, these service providers, that are using a countless government agencies, businesses around the world. I mean, Forrest, like, Norwegian Parliament. Right?


Yeah. They got hit. I think it was the European Banking Authority. Yep. Anybody that had Exchange in their environment that was not patched.


And and this this started, like, really December. The first exploit got announced in January, but it did pick up steam in the news, and people, businesses, and their patch management teams did not jump on this till, like, March.


Mhmm.


That means, like, the threat actors had thirty, sixty, ninety days of window time Mhmm. To start scanning for these vulnerable servers and just taking advantage of them.


Yeah. Yep. Yeah. It was and and a lot of it wasn't even discovered until it was already being exfiltrated.


You know? They they would see all of a sudden, you know, massive account downloads, like, grabbing all the email for specific accounts. Like, that's when it was tipped off. It was like, woah.


Hey. Hold on. Something's not right here.


Hold up. Wait a minute. Something ain't right. Yep. We were all over it, though. I'll tell you, our SecurityMetrics Threat Intelligence Center, the minute we found out about it Yeah. January, we were on the phone with our clients going, hey.


Let's let's work up let's work some magic and get this thing fixed for me.


Because you have ears out. You guys actually love this threat hunting thing. And so many times when I ask, you know, customers, especially the first year, where do you go for your threat intelligence? Where do you go to make sure that you know what's going on?


And they'll say, well, I mean, we have a WSUS server. And and, like, that's fine. That is good. I'm glad you have that.


But if you don't have someone in the company that loves knowing what's going on in the world of the big bats, you're gonna miss out. Yeah. Right?


So And if your patch management stuff's not automated Yeah.


Then you're gonna miss out as well. I mean, there's so many little cyber hygiene type activities that can be done.


You know what's really hard for some groups is, they can't patch out of band. There are some companies that are so big, and and have, so many complexities that kind of intertwine that for them to do a patch out of band is a it's it really affects their business. They they they really struggle to to keep up with that. And so to get zero days And then so then that's the question always from from the side of, you know, like Microsoft. Well, we have zero days. Do we re-release a patch out of band knowing that some of these massive companies cannot apply this patch yet, or do we hold knowing that some of the bad guys know about the exploit?


Because if we release the patch, then all the bad guys are gonna know about the exploit. Right? So it's that kind of balance of when you know it's bad, if you hear about an out of band patch being released, that's news, and that's something that your your patching group should know about and be on top of.


Yeah. Most definitely. At the point, kind of tangential to that, I think, is, you know, maybe, if your organization is is one such that you're not able to easily apply those kinds of patches, maybe you should be, outsourcing that. You know?


But make that somebody else's responsibility to to do the patching. I mean, largely, Office three sixty five and Exchange Online were not impacted by these. These were on prem. Yeah.


So, you know, weigh that out. Like, at that point, then it's Microsoft's problem.


Right.


You know? I I I I do think, kind of putting yourself in in this, larger school of fish is a very valid, defense. You you know, if you if you are amongst, thousands of others Yeah.


You know, is unless you're being targeted or something gets everything en masse, Mhmm. There's there is some safety in numbers.


Zebras in a herd. Yep. Right?


But also somebody else whose responsibility, whose job it is to be on top of these things and take care of them.


That helps.


You want that. You want that on your side. So, I and I know that that, and I'm not trying to sell things, you guys. I always feel uncomfortable talking about what our services are, but maybe people wanna know. But the fact that you guys have that, kind of a a service that the security operations center as a service, threat hunting as a service.


Yeah.


And I one of the things I love is that these guys do a weekly internal threat briefing. We get to hear all of the cool stuff they find and what they're doing about it and and how it affects customers.


And you guys are just doing just a bang up job. It's really exciting to to listen to that.


Thank you. It's a lot of fun. I I tell you, well, you know, you have to have the heart for it. You have to have the wherewithal to wanna be a threat hunter. You have to have, what's what's the right word? The, intestinal fortitude, the just this hunger and this thirst.


Sense of masochism.


That's crazy. Slight sense of OCD.


Our our industry is ripe for burnout. So, you know, it's one of those things too. You have to find that balance that you don't get burned out.


Yeah. Just take a cruise sometimes.


It'll be fine.


Yeah. Uncardable.


Alright. That brings us to our number one most fun thing to talk about this time, Colonial Pipeline. You've heard it before here. You will hear it again.


This one was aggravating.


Oh, yeah. Yeah. I would love to hear in the comments if people wanna tell us what they think of their top ten or, you know, their thoughts. But this Colonial one, I I you know, it it wasn't the largest ransom paid this year. I think Colonial paid something like two point three million Bitcoin to get their stuff back online. But the disruption and the chaos that this created, people were I mean, I would be not going nuts too on the East Coast. Yeah.


Forty five percent of the oil supply running through the Colonial Pipeline and to have it go offline Mhmm.


And then the fear factor that kicks in. Like, are we not gonna have gas? Or is is when when is the pipes gonna be turned back on again? You know, all those are the prices gonna go up?


Yeah.


Yeah.


Just just seeing the the mob mentality of mass panic buying and people literally putting gasoline in garbage bags was yes.


Oh, I remember that.


That was devastating because people don't know enough about about things to know. Okay. First of all, that's a fire hazard, but, also, that will eat right through a garbage bag. And so not knowing how to prepare and and I am all about prepare for things, but not in the midst of a panic.


Yeah. So, like, when people when there was no toilet paper, we had tons, not because we went out and buy it then, but because my husband plans ahead and goes, how many people are in the house right now? How much stuff? We need a year's worth of everything.


Right? And so that kind of mentality is is not common. And as a matter of fact, a lot of people will look at that and say, oh, preppers are crazy. But you have to have that mindset.


If you're a business and you rely on certain specific things to make your business go, what are you thinking is gonna be there for you that won't?


Yeah. I I think you're starting to see a lot of that, mentality really start to to pop up with these, supply chain crunches.


You know, everything has been tuned to be just in time. Yeah. And everything needs to be working exactly and have these super thin margins and overhead. And now you're starting to see a lot of that come back to bite you where it's like, oh, crap. We need all of this, and now it's not available suddenly.


So We do need to talk about who the bad guy was in this situation. Oh, yeah. Let's get it.


Was DarkSide, and they got a lot of heat for this. Because what DarkSide does is they run this thing called a ransomware as a service. Mhmm. So they have affiliates.


And what you do is you pay DarkSide to become an affiliate. In return, they give you the tools, you help negotiate, or you as the affiliate, you break in and ex and infiltrate the environment, and then they then work the the affiliate service will try to help negotiate the ransom part of the the payment. Well, out of all this, DarkSide got shut down. When you go after the pipeline in the United States, you're gonna get some heat.


Yes.


And they got some heat on it.


Should've.


Yeah. They've they've got, five million dollar bounty now for any DarkSide affiliates, ten million dollar bounty now from the State Department for anyone, in DarkSide directly.


Yeah.


Not just the affiliates. So And I Yeah.


Of course, I thought what's interesting about this case was DarkSide actually has, like, a rules of engagement. So, Jen, if you're gonna buy their services and use their tools, they say, hey, don't go after health care facilities or critical infrastructure. Well, this affiliate that bought their service, they did not listen. They just said, we're gonna go after Colonial anyway.


So weird that criminals are not gonna do what criminals are telling the criminals.


We're not gonna follow your rules, DarkSide.


What? Well, they didn't. And then, you know, they wonder why. I mean, how the just the the absolute, what's the right word I'm looking for? The the chain effect Yeah. Of what this caused. I mean, you you know, when you when you jack with the pipeline Yeah.


The the ancillary things that happened because of that Yep.


Yep.


Supply chain, trucks Mhmm. Airlines, you know, fuel to run houses, all that stuff just starts collapsing.


Oh, yeah.


Not a good choice.


You started seeing a lot more of these ransomware as service, operators move further underground. I mean, they were they were getting banned off of forums. Like, no ransomware here. Like, it was too hot to handle.


Nobody wanted a part of it.


Yeah.


Yeah.


And so, yeah, just drove it further underground, and yet we still see people getting popped with it. So it's it's still there. It's just it's just a lot, more hidden away from view. What what I thought was funny was they they paid the ransom seventy five Bitcoin, which at that time was somewhere, like, five million dollars ish, four point four something. Anyway and then they ended up restoring from their backups anyway because the decryption was too slow.


Yeah. The decrypter was slow. I remember that now.


Talk talk about insult to injury. Yeah. And then, the feds then later were able to recover, like, sixty three some out of the Bitcoin.


So But a hundred gigabytes of their data was stolen too. Colonial Pipeline. So not only did the damage come from losing the gas, losing the use of the pipeline, paying the ransom, but then they lost their data on top of that. So, yeah, I don't know who's out there paying for that kind of hundred gigabytes of Colonial Pipeline data. I don't know how valuable that would be, but I'm sure they're gonna find a market on the dark web for it.


Yeah. I'm sure FSB is interested in that.


Well, and the director of IT there, that that job opened up, like, a week later.


Yeah. That's right. They were looking for a CISO or something.


They were. But we also know a little bit about why it happened because they had their business functions on the same network as their operations function.


No segmentation.


No segmentation. And for people who don't know about that, if you segment networks, then something bad that happens in one subnet has a less chance of affecting another subnet. So let's say you have email business databases going on over here and you have the functioning of the pipeline over here. If this gets popped, which it did because somebody clicked on something bad in an email that and takes down that, they could have still been able to run their pipeline if they had not had them so connected.


Yeah. Yeah. It was it was the the, flow functionality.


The operational technology was still functional.


They shut down because they couldn't keep track of how much fuel they were shipping, so they couldn't bill for it.


Yeah.


So, it was very interesting that that that's that was the what caused that that stoppage.


But, initially, it was a, a compromised VPN account. Somebody had reused credentials.


Oh, okay.


So it was found on some other breach somewhere.


Alright.


And then they went and password sprayed, and and gave it a shot, and sure enough, they got in.


You have a good memory.


I I you were all the little old to me.


I I don't I have no I have a terrible memory.


You find out what happens kind of in bits and pieces along. Yep. And so I think I heard an earlier story before that that was actually confirmed to be that way. So, yeah, when you wanna know why something happened, you should always trust Forrest over me.


It's that whole, you know, gotta be focused on the threats.


Alright. Well, that is a really cool top ten list. And I also wanna make sure people know we did this in, not January. Sorry. We did this in November.


What year is it?


I don't even know who am I. This is is November, and so something massive might still come up.


Don't say that. Don't say that.


Well, guess what's coming up?


Oh, yeah. Black Friday. Yeah. The hackers love that. It's a Yeah. Buffet. Yeah. And we have the Christmas holiday, Thanksgiving holiday.


Yeah.


That yeah. End of the year is is I mean, that's when we saw SolarWinds. You know? So it's yeah.


And it's also reporting period too. Yeah. A lot of these businesses Mhmm. That maybe have been breached in September and August Yeah.


They actually wait to make their announcements about their breaches till December, the holiday period, when the news media is not you know, people aren't really watching the news as much. Yeah. So they try to try to slide under the radar. So we may see something big happen.


That may have happened, like, in the summer months, but now it's just now making the news.


And then add on top of that, every security guy that I know has been massively overworked this year.


Yeah.


Because we we know about the changes. Like, there were changes of of people went from working in the office to working remotely. And then you know what? We had another massive change that a lot of people didn't prepare for, which was working remotely and coming back in the office.


So the threats and vulnerabilities that that they had to deal with and the changes in configuration and addressing these security controls. So here we are coming towards the end of the year. All of these guys probably have not taken sufficient days off and have and a lot of them have to probably take it or lose it. Right?


So we're coming into a time when we have increased potential threats because there's an increased richness of targets and fewer security guys, able to to take care of it. I would be surprised if we didn't have something massive happen between Thanksgiving and Christmas, holidays.


Yeah. You brought it up a little bit, but the expanded attack surface is just massive right now. And there's so many creative tactics, techniques, procedures, not just the API data scraping, but we had talked about on our show the exotic code and malware. They're hiding malware now in processors and GPUs.


And, you know, if companies aren't out there looking at securing their network perimeter, they're they're in for a lot of a lot of trouble. You know? It's not just the remote workers. It's it's a lot bigger, attack surface. A huge footprint Yeah. For companies and businesses to try to protect.


So what what is your prediction for either the, the end of the year or the coming year? What are you seeing if you if you look into the future?


I I don't know. I don't know. Prediction prediction is hard for me. Yeah. I I I generally like to try and reflect on what has happened and get some ideas based off of that.


I I think there's probably gonna be more trouble with IoT stuff.


I I think that a lot of these devices are just ticking time bombs waiting to happen.


Mhmm.


And and I would not I would not be surprised to see a massive botnet, come out of those kinds of things.


Well, we saw that too with the Pink botnet.


Yep.


We had talked about that on our show as well.


The Pink botnet was something like one point six million fiber routers. Fiber routers. The largest botnet ever just happened a week or two ago as of this recording. So I'm sure that's gonna they're just like testing the waters. Right? Oh, we could do one point six. I wonder we could double that.


What else can I do?


The three three million botnets?


Yeah. Well, when you consider, some of the things that that some of these social media companies and some of the, like, Nest and Ring and and these other groups are trying to do to increase communication, increase use of their products, but they're possibly not doing it in a secure way. So when you're sharing your local network with your neighbors and everybody's on, how is that properly secured?


Yeah. And there's a big challenge right now. It's a it's a hot mess. We had talked about on our show about the smart home protocols that are out there and how it's just a dumpster fire. Right? You've got ZigBee competing with Z-Wave. You got Google versus Amazon and and Lutron Connect RF and all these fancy protocols.


And and and just last week, Amazon said we're gonna get ourselves behind Matter, which is the new protocol that's coming in the future, Yeah.


Which is supposed to be more secure. But right now, a lot of these devices, they don't talk to each other. Yeah.


You know what's more secure?


Analog.


Yeah. Yeah.


I actually took all of the smart home things out of my home, all of them. Nest, Ring, doesn't matter. All of the things that connect it are gone. Now if you wanna change the the, temperature, you actually have to go do this. If you wanna open the door, you actually have a key. Right?


I the more I I see what's happening with, everybody's getting popped. Right? Everybody's getting popped. And and and so if you can take over all the entire Ring network, well, can you lock people out of their homes? Can you let people in their homes? Can you I just don't want it.


Yeah. Convenience versus security, for sure. I mean, yeah, there's there's so many of these devices that even once Matter is out, right, like, once that is the standard, like, not everybody's gonna go through and rip and replace all their gear. Like, that's not that's completely unrealistic. You're gonna have a bunch of these vulnerable devices that are out in the wild for who knows how long.


Yeah.


I mean I mean, I lied a little bit.


I do still have a webcam in my chicken coop.


So Well, the chickens have to be protected too.


This has been, absolutely fantastic, session with you guys. Thank you so much for coming and talking to me. Anything else you wanna say before we wrap it up?


You know, I would just say that the ransomware issue, I you you folks in the audience are probably tired of hearing about ransomware.


Yeah.


But, I mean, it's gonna continue to be the cyber weapon of choice. Mhmm. You're still gonna have ransomware as a service affiliates. They're still gonna grow.


You're gonna continue to hear about ransomware two point o. Yeah. It's not just data exfiltration. It's encrypting your data.


It's holding it hostage. But, you know, right now, we have about as of this recording, we have about a hundred and twenty four separate families of ransomware that are out there, and hackers are very adept at these hundred and twenty four different families. That's gonna continue to grow. And unless you have a plan Yeah.


To get a hold of what happens if you have ransomware in your environment or you have defensive mechanisms Sure. And user education and awareness.


I mean, all that stuff has to be part of your thoughts going forward.


Extortion is big business.


Yeah. Oh, yeah. Oh, yeah. The the the double dip on on the old ransomware. Yeah. It's pretty nasty stuff.


Big takeaway for me, use multifactor. Use a password manager. Yeah. Like, you shouldn't know your password. The only password you should know is for your password manager.


Can you give me your password? I literally cannot.


Yeah. I couldn't if I wanted to. You know, rubber hose attack? Hey, Hang on.


Alright. Well, that's been fantastic. Sure. Appreciate it. And I you know, we should do this again and do it soon. I really appreciate your time.


We love hanging out with you.


And Awesome. I'm sure that that our listeners got a lot out of it too. Thank you again for joining us here on the SecurityMetrics podcast. Again, this is our last one for season two.


But starting in January, we're going to have season three starting. I'm very excited because Hunter, who we never see, but sometimes I talk to, is going to change up the look. So come back and see what it looks like in our next episode. Take care and talk to you soon.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.