SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Major firms disclose breaches in the wake of SolarWinds attack
Wed, 14th Apr 2021

In recent weeks, Russian hackers acquired emails from Homeland Security officials in the US through the SolarWinds attack; Black Kingdom ransomware was discovered on 1,500 unpatched Microsoft Exchange servers; Shell disclosed a data breach due to Accellion's file transfer appliance hack; and Indian mobile payments platform MobiKwik lost 8 TB of data but denied any breach.

Alleged Russian hackers behind the SolarWinds attack obtained access to then-acting Homeland Security Secretary Chad Wolf's email accounts. The hackers obtained non-confidential schedules of officials at the Energy Department. At least one other Cabinet member was also affected. The Energy Department stated there had been no evidence that their networks were compromised.

As part of an ongoing investigation, it was discovered that the SolarWinds attackers used US-based infrastructure, including the hosting services of Amazon Web Services and GoDaddy, to evade detection by US intelligence agencies.

Microsoft says web shells deployed by Black Kingdom ransomware operators were discovered on 1,500 unpatched on-premises Exchange servers. The Black Kingdom ransom note demands $10,000 in bitcoin in exchange for a decryption key. Microsoft has issued a one-click mitigation tool and security updates to patch the ProxyLogon vulnerabilities in Exchange. Microsoft disclosed that by March 22, 92% of on-premises Exchange servers had been patched or mitigated.

Energy giant Shell joins the list of companies that have suffered data breaches due to attacks targeting zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA). According to Shell, the attack did not affect Shell's network and IT systems, and the company has addressed the vulnerabilities. Yet personal data of stakeholders and data from Shell subsidiaries was accessed. The attack is linked to the FIN11 cybercrime group and the Clop ransomware gang.

In the most significant breach thus far in India, 8.2TB of personal and financial data was stolen from fintech firm MobiKwik and put up for sale. MobiKwik denied that a breach occurred, suggesting that the customer data visible on the dark web came from other breaches.

The alleged seller of the stolen data later withdrew the sale listing and claimed to have deleted the stolen data because of the risk to the public, calling MobiKwik's handling of the alleged breach 'incompetent' and stating, 'we just don't want to see a company dig themselves deeper.'

Security researchers have warned MobiKwik of misconfigured Amazon S3 buckets exposing sensitive data since January 2021.
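The S3 misconfiguration mentioned above is the kind of exposure a defender can check for before a researcher has to. The following is an added example, not code from the article or from MobiKwik: it evaluates an exported bucket policy, ACL grant list and Block Public Access settings offline and reports whether anonymous principals can reach the bucket. The sample policy, grants and VPC endpoint ID are constructed, and the evaluation is a simplified model of AWS's public-access logic (unconditional `Allow` to `*`, or an ACL grant to the AllUsers/AuthenticatedUsers groups), not the full algorithm.

```python
"""Flag S3 bucket configurations that expose data to anonymous readers.

Added example, not from the article. It evaluates an exported bucket
policy, ACL and Block Public Access configuration offline. The model is
simplified: any unconditional Allow to an anonymous principal, or an ACL
grant to a global group, is treated as public unless Block Public Access
neutralises that path.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    # IAM policy documents allow scalars where lists are also legal.
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean anonymous.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return Sids of Allow statements granted to anyone with no Condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. source VPC endpoint) scopes the grant; not public here.
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(grants):
    """Return permissions granted via ACL to AllUsers or AuthenticatedUsers."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def assess_bucket(policy, grants, public_access_block):
    """Combine policy, ACL and Block Public Access into one exposure verdict."""
    pab = public_access_block or {}
    # RestrictPublicBuckets blocks public-policy access; IgnorePublicAcls blocks public ACLs.
    via_policy = [] if pab.get("RestrictPublicBuckets") else public_policy_statements(policy)
    via_acl = [] if pab.get("IgnorePublicAcls") else public_acl_grants(grants)
    return {
        "public": bool(via_policy or via_acl),
        "policy_sids": via_policy,
        "acl_permissions": via_acl,
    }


# Constructed sample export (not real bucket data): one public statement, one scoped one.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
}
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-EXAMPLE"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, None), indent=2))
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_GRANTS,
                                   {"RestrictPublicBuckets": True, "IgnorePublicAcls": True}), indent=2))
```

Run it against the JSON that `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return for each bucket in an account; a bucket that is flagged with Block Public Access unset is the configuration that researchers keep reporting.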

Secure access service edge (SASE) technology can protect organisations from exposure of sensitive information, malware and web-based attacks.

The security needs of modern organisations are changing. While digital transformation and cloud migration improve productivity, flexibility and mobility, these benefits need to be balanced with the proper security controls.

As data moves off-premises and beyond the reach of conventional tools like firewalls, the enterprise needs to think differently to identify how best to secure it. With the proliferation of cloud computing, mobile devices and remote work, security must be delivered for and from the cloud.

Organisations need to secure access to cloud services, block threats like malware, prevent data leakage, enable secure remote work, and meet the requirements of compliance frameworks.

Legacy network security solutions built around on-premises appliances cannot support the evolving demands of cloud and mobile. Digital transformation of IT also demands transforming security to a cloud-first architecture. At least one comprehensive SASE solution exists for securing digital transformation.

SASE refers to the consolidation of cloud security solutions into flexible, cloud-first platforms that are designed to protect data wherever it goes. Seek an offering that comprises a multi-mode cloud access security broker (CASB), a secure web gateway (SWG), and real-time zero trust network access (ZTNA).

A typical enterprise may use dozens of public cloud applications such as Office 365, G Suite, Salesforce, Box, ServiceNow, and Tableau. While application providers secure their underlying infrastructure, the applications themselves are freely accessible by any user, on any device, from anywhere in the world.

As a result, it is the organisation's responsibility to secure its data as it is stored and accessed on each application. When infrastructure as a service (IaaS) is used, cloud customers have an even greater responsibility for security.

Seek a solution that provides a multi-mode cloud access security broker offering end-to-end protection for data in any cloud service and any device. With support for managed apps like Office 365 and Salesforce as well as IaaS platforms like AWS and Azure, such a solution is designed to protect corporate data in real-time across officially sanctioned enterprise resources.

Only recently introduced technology provides granular data protection, zero-day threat protection, robust identity and access management, and comprehensive visibility, both with and without agents. With these four pillars of CASB in place, organisations can rest assured that their data is truly safe.

Users accessing the web are exposed to threats and data leakage risks. Unfortunately, 'VPNing into' the corporate firewall for traffic inspection is a cumbersome bottleneck, particularly when there are remote users.

On-premises solutions require expensive appliances that must be maintained and are challenging to scale as organisations grow. Likewise, backhauling traffic to a cloud proxy SWG introduces a latency-inducing network hop and invades user privacy, because all user content is inspected at the proxy, including login credentials.

A comprehensive solution provides an on-device secure web gateway. Traffic is decrypted and inspected directly on users' devices, and only security events are uploaded to the cloud.

This enables the solution to preserve user privacy, eliminate latency-inducing network hops, and deliver thorough web security. Threat URLs and unmanaged applications are blocked before they can be visited, and employee access to content is controlled by variables like category, destination trustworthiness, user group, device type, and location. Automated certificate management occurs directly on each endpoint, with the SmartEdge agent acting as the CA.
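The access-control model just described is attribute-based: a request carries a URL category, a destination reputation, the user's group, the device type and the location, and an ordered rule set decides block, isolate or allow. The following is an added example, not code from the article or from any SASE vendor's product: a small first-match, default-deny policy evaluator over those attributes, plus the "only security events leave the device" behaviour the text mentions. The rule set, trust scale (0 to 100), group names and hostnames are constructed for illustration.

```python
"""Attribute-based web-access policy of the kind an on-device SWG enforces.

Added example, not from the article or any vendor. Rules match on the
variables the text lists (category, destination trust, user group, device
type, location) plus whether the app is sanctioned. First matching rule
wins; anything unmatched is blocked. All names and the 0..100 trust scale
are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    host: str
    category: str        # URL category, e.g. "malware", "saas", "news"
    trust: int           # destination reputation 0..100 (constructed scale)
    group: str           # user group from the identity provider
    device: str          # "managed" or "byod"
    location: str        # "office" or "remote"
    sanctioned: bool     # app is on the organisation's approved list


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "block", "allow" or "isolate"
    categories: frozenset = frozenset()
    max_trust: Optional[int] = None    # matches when request.trust <= max_trust
    groups: frozenset = frozenset()
    devices: frozenset = frozenset()
    locations: frozenset = frozenset()
    sanctioned: Optional[bool] = None

    def matches(self, r: Request) -> bool:
        # An empty constraint means "any value"; all set constraints must hold.
        return all([
            not self.categories or r.category in self.categories,
            self.max_trust is None or r.trust <= self.max_trust,
            not self.groups or r.group in self.groups,
            not self.devices or r.device in self.devices,
            not self.locations or r.location in self.locations,
            self.sanctioned is None or r.sanctioned == self.sanctioned,
        ])


def evaluate(rules, request: Request, default: str = "block"):
    """First matching rule wins; default-deny when nothing matches."""
    for rule in rules:
        if rule.matches(request):
            return rule.action, rule.name
    return default, "default"


def security_event(request: Request, decision):
    """Only non-allow verdicts are reported upstream; allowed browsing stays on the device."""
    action, rule = decision
    if action == "allow":
        return None
    return {"host": request.host, "action": action, "rule": rule, "group": request.group}


# Constructed policy: threat categories and poor reputation first, then app and device rules.
POLICY = [
    Rule("block-threat-categories", "block", categories=frozenset({"malware", "phishing", "c2"})),
    Rule("block-low-reputation", "block", max_trust=20),
    Rule("block-unsanctioned-apps", "block", sanctioned=False),
    Rule("finance-byod-block", "block", groups=frozenset({"finance"}), devices=frozenset({"byod"})),
    Rule("byod-remote-isolate", "isolate", devices=frozenset({"byod"}), locations=frozenset({"remote"})),
    Rule("allow-sanctioned", "allow", sanctioned=True),
]

if __name__ == "__main__":
    # Constructed requests; hostnames are placeholders.
    for req in [
        Request("bad.example.test", "c2", 5, "engineering", "managed", "office", False),
        Request("app.example.test", "saas", 90, "engineering", "byod", "remote", True),
        Request("app.example.test", "saas", 90, "finance", "byod", "office", True),
        Request("app.example.test", "saas", 90, "engineering", "managed", "office", True),
    ]:
        decision = evaluate(POLICY, req)
        print(req.host, decision, security_event(req, decision))
```

Rule order is the policy: the threat and reputation rules sit above everything so that a sanctioned app on a compromised host is still blocked, and the trailing allow only fires for sanctioned apps, so a request that matches nothing falls through to the default block.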