[Security Weekly] Canadians Lose COVID-19 Benefits After Cyberattack Hits Federal Government
3rd Week of August 2020
1. Government of Canada hit by cyberattack, citizens lose COVID-19 benefits
Over the weekend of August 15, the Government of Canada suffered a cyberattack that compromised 5,600 user accounts of Canada Revenue Agency (CRA), Canada’s tax agency, and 9,000 accounts of GCKey, an online portal that allows Canadians to access services provided by up to 30 federal agencies, including employment insurance and immigration applications.
On August 17, a statement made by the Treasury Board of Canada Secretariat suggested that the attackers obtained the login credentials from a previous credential stuffing attack, and exploited a vulnerability in the website’s configurations allowing them to bypass two-factor authentication. Since many users use the same login credentials across all websites, the attackers easily gained access to thousands of accounts.
Apart from gaining the personal information of the users, the attackers also used these accounts to claim for the $2,000-per-month COVID-19 relief funds and changed the direct transfer information so that the funds were redirected to themselves.
Luckily, the attack was detected at a very early stage, limiting the number of affected accounts in the thousands. All the affected accounts were deleted, and impacted users are given guidance for setting up new accounts.
The government is offering credit protection to all victims and is advising all Canadians to use unique passwords for different services.
The Royal Canadian Mounted Police (RCMP) is investigating the source of the attack and currently does not rule out the possibility of a foreign state-backed attack.
A reliable multi-factor authentication solution must be adopted to prevent credential stuffing attacks. ISign+ is an appliance-type single sign-on (SSO) multi-factor authentication (MFA) solution, certified by the Korean National Intelligence Service. Click here to learn more about ISign+.
2. Credit agency Experian leaks personal data of 24 million South Africans
On August 19, consumer credit reporting firm Experian’s South African branch office disclosed a data breach incident in which the company accidentally handed over personal data of local consumers to a fake client.
According to the South African Banking Risk Information Centre (SABRIC), a non-profit formed by local banks to combat organized bank-related crimes, this data breach compromised the personal data of 24 million South Africans and the detailed information of nearly 800,000 local businesses.
After the incident was reported, South African police were able to trace the criminal and delete the stolen data. Experian stated that there was no evidence that the data had been used for fraud activities before being deleted.
3. Jack Daniel’s maker falls victim to REvil ransomware, 1TB of data stolen
Brown-Forman, one of America’s largest makers of liquors and wines behind some of the most well-known brands such as Jack Daniel’s, Early Times, and Finlandia, was recently hit by the REvil ransomware.
The operators behind the ransomware claimed to have obtained access to Brown-Forman’s IT system since a month ago. During this time, they were able to traverse through the network and infect both on-premises and cloud-based servers.
Brown-Forman stated that it detected and stopped the attack at an early stage before the ransomware had a chance to encrypt any data and disrupt its operations. However, the attackers did successfully exfiltrate over 1TB of data, which are now being used to threaten the company in exchange for a ransom payment.
The compromised data likely included records of internal communications, contracts, financial documents, and personal data of employees.
4. World’s largest cruise operator Carnival suffers ransomware attack and data breach
Carnival Corporation & plc, the largest travel leisure company and cruise operator in the world with over 120,000 employees and 100 ships, reportedly suffered a ransomware attack that may have compromised the personal information of its employees and guests.
The attack took place on August 15. According to a Form 8-K filed by Carnival with the US Securities and Exchange Commission (SEC), the attackers obtained access to a portion of the company’s IT system and downloaded sensitive files before encrypting the database with ransomware.
Although still under investigation, Carnival expects the exfiltrated data to include personally identifiable information (PII) of some employees and guests. However, it suggested that the incident is not likely to cause any disruptions to operations.
5. Google rushes through temporary fix after Gmail flaw published online
On August 19, Google engineers raced through a temporary fix for a flaw in the Gmail and G Suite servers after it was publicized online. This had led to hours of service disruptions for Gmail and G Suite users, where many were not able to attach files to their emails or sync files with the cloud.
The flaw allowed attackers to send spoofed emails with a forged Gmail address, bypassing both email security standards: SPF and DMARC.
This flaw was initially discovered and reported to Google by a security researcher named Allison Husain back in April. Google had been delaying the fix since then and planned to work on it in September. However, the tech giant did not expect Allison Husain to publish the details of the flaw online as soon as the non-disclosure agreement ended after four months.
When a zero-day vulnerability goes public without a patch, it becomes very dangerous because the whole world now knows it exists and how to exploit it. This is why a temporary mitigation to the problem was made within only seven hours after the flaw was publicized. Google later announced that an official patch would be released in September.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security