And if that year seems far away to you, let’s look at some data and trends: 

• Nearly ½ of all cyber attacks (43%) are aimed at SMEs. And only 14% of them have a proper cybersecurity strategy in place – data from Accenture.com;
• A report titled “State of Cybersecurity” by Ponemon Institute, are outlined the 3 biggest threats to organisations – phishing and social engineering attacks, devices being stolen, and breach of credentials; 
• Embroker.com published a report with cyber attack information for 2021 where they show that the costs of a cyberattack continue to trouble organisations months and years after the incident. 

The fact is that there have been major increases in the numbers and the frequency of the most major types of cyber attacks (check the report from Embroker.com above). In this article in our blog, we will focus on the biggest cyber attacks and data breaches of the year. 

We don’t want to scare anybody. Just put caution in your mind. You are going to pay the price for the level of cybersecurity in your organisation. It is better to be before you get hacked. Here is the list of the most interesting cyber attacks and data breaches we picked for you: 

The Pegasys Spyware Scandal

2021 was the year marked by the Pegasus Spyware Scandal. The software developed by the NSO group in Israel became a prime news story. Over 50 000 phone numbers worldwide were potential targets of this software. 1000 of them were traced to their owners and guess what – they belonged to people who should not be in the scope of surveillance by the software. They belonged to politicians and high-ranking officials and the already mentioned journalists and human rights activists. It is stated that countries like the UAE, India, Morocco, and Azerbaijan used it to spy on local journalists. The scandal still unfolds and will probably be a major story in 2022 as well. One of the most recent events is related to the fact that Cambridge University halted a deal for over 400 million pounds with the UAE over the findings of the scandal. 

NFT hack scam costs a fan of Banksy over 330 000$

Some might argue that this is not a major cyberattack or data leak. However, it is one of the biggest in the NFT world. With the growing popularity of NFTs as digital assets, we think it deserves to be showcased. 

The story got in the news of media like BBC and CNN. And it is very interesting to follow it. Here is what happened: 

• An art collector paid a large amount of over $330 000 for what he thought was an original Banksy NFT artwork;
• Once he made the bid in an auction and it was accepted, the money was transferred and the auction was over. And then the victim realised he was frauded; 
• The case caught the attention of the media and became a major news story; 
• The money was returned to the victim. 

Yes, there was a happy ending to all of this, but later on, it was found out that probably the website of Banksy was hacked and this was the root of the whole thing. A cybersecurity expert told the BBC that he warned Banksy’s team about vulnerabilities on the website of the artist several times and had no response. And since there is no official comment yet, this seems the most likely scenario. 

The hacker attack and the leak of VPN Account Passwords From 87,000 Fortinet FortiGate Devices

This one is particularly interesting because it is most likely a result of negligence in most cases. The breach took place back in September. User names and passwords of around 87 000 users from around the world leaked due to a hacker attack. All of them were 87,000 FortiGate SSL-VPN devices. The leak happened after attackers exploited an unpatched “CVE-2018-13379 at the time of the actor’s scan.” (stated by the company). 

Fortinet states that this was an old flaw in security they fixed back in 2019. Since then they communicated with their customers to make the needed updates to fix these issues. However, The Hackers News wrote that: “CVE-2018-13379 also emerged as one of the topmost exploited flaws in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.”.

Although the company warned about the problem many times and offered a solution, the customers didn’t seem to take the measures needed. And this made the leak of user names and passwords possible. 

For the cherry on top, we left the top 3 data breaches for the year, according to securitymagazine.com:

• Facebook — 553 million accounts from 106 countries containing e-mails and other information;
• LinkedIn – 700 million users – almost 93% of all registered accounts; 
• Cognyte — Over 5 billion data records. Some of them contained passwords and other information. 

These cases are only a few selected ones. There are many more stories similar to those. Cybercrime will get more vicious and more widespread. However, countermeasures can be taken. You just have to make cybersecurity a priority for your organisation. Remember that this is not a one-time effort. It is a constant and evolving process that needs to adapt to the needs you have. The first step is realizing you need to take measures.

The post What are the biggest cyber attacks and data breaches of 2021? appeared first on 3Cyber-Sec.

What happened?

At the beginning of September, CNN reported that an art collector paid a large amount of over $330 000 for what he thought was an original Banksy NFT artwork. A web page on the website of Banksy himself appeared and redirected his fans to an auction on a platform for NFT bidding. The name of the user that listed the item for sale was identical to one that Banksy himself used as a moniker a while back.

And since the source of the artwork seemed legit, the art collector made the purchase for over 330 000$ in crypto. Once he made the bid and it was accepted, the money was transferred and the auction was over. And then the victim realised he was frauded. However, the story has a happy end, since the person transferred the money back soon after. 

An ethical hack or a hacker that got scared?

When he spoke to CNN, the art dealer assumed that there were two possible scenarios: 

1. The whole thing was an ethical hack that was done as a statement; 
2. The case drew huge attention not only online but from mass media and the hacker decided that it is better to be safe and return the money. 

This is just the tip of the iceberg in such cases. It is quite common that in such auctions the artworks that are sold can be the property of some other author or the artwork itself is not made by the famous artist as claimed. NFT investors should be very careful and do extensive research before they transfer huge amounts of money for digital art. They might not be so lucky to receive them back. 

The cybersecurity side of the story

From a cybersecurity point of view, it is interesting to explore how there was a base to commit such fraud in the first place. The art collector suggested both for BBC and CNN that the website of Banksy might have been hacked. However, this has not been confirmed by representatives of the artist. The BBC published a comment by a spokesperson for Banksy who told that the artist has no affiliation to NFT auctions in any form. 

And while there is no official explanation, the scenario of website hacking seems more plausible after a cybersecurity expert told the BBC that he warned Banksy’s team about vulnerabilities on the website of the artist several times and had no response. The neglect of these warnings might have led to the NFT scam. 

Moral of the story

At the end of the day, there is a happy end. The money is back in the collector and probably after this case, Banksy will get his team to strengthen the cybersecurity of his website. This goes to show that even what seems a legitimate operation can be the cover for a scam. Be aware and pay extra attention to any potential red flags. Better to be safe rather than with an empty wallet. And this goes to show that even the best in their industries need to consider cybersecurity as a priority. If you need a consultation or advice on such matters for your organisation, feel free to get in touch with us. 

The post NFT hack scam costs a fan of Banksy over 330 000$ appeared first on 3Cyber-Sec.

The user credentials were for people and entities from all over the world, with the leading number of accounts from the USA. Among other countries are France, Italy, India, and Taiwan. 

The leak itself came after attackers exploited an unpatched “CVE-2018-13379 at the time of the actor’s scan.”, the company stated. According to Fortinet, “this incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers.”. Despite encouraging the customers to upgrade the affected devices, a lot of them didn’t. The company provided instructions on how people and companies with affected devices can protect themselves and directed them to recommended upgrades. 

Who is Fortinet and what are FortiGate devices?

Fortinet is one of the biggest network security providers. It was founded back in 2000 in California and provides security services for large enterprises, service providers, and even government organisations. According to their website, “Fortinet ranks number one in the most security appliances shipped worldwide and more than 500,000 customers trust Fortinet to protect their businesses.”. 

FortiGate is one of the products of the company, presented as a “next-generation firewall”. The devices come in different series, according to the needs of the business clients and how big they are. The function of this firewall is like a filter – scanning all the data that comes in and letting only the safe and good information reach the business that uses it. In the presentation from Fortinet’s platinum partner, it is mentioned that the firewall can protect from various cyber threats from malware, through blended network attacks and up to Intrusions. 

Fortinet also offers VPN through FortiGate to its clients with FortiClient. In multiple reviews, it is stated to be one of the most secure solutions. 

How did the leak happen and how big is it?

As we mentioned before in the article, the leak was a result of an unpatched vulnerability that the devices had. And although an updated version was available, a lot of the clients didn’t bother to upgrade to a safe version that would fix this problem. It is interesting to note that this bug was fixed in May 2019 and yet The Hackers News wrote that: “CVE-2018-13379 also emerged as one of the topmost exploited flaws in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.”.

The leaked 87 000 login credentials look like the cherry on top. The leak was first noted after a post was made on the dark web. It was on a private cybercrime forum and contained a free copy of a small portion of the list with VPN log information. The online media “The Record” mentioned in an article about the breach that “sources familiar with the existence of this collection told The Record the list had been compiled more than a year ago and had been sold in private circles to different threat actors, including groups who carried out ransomware attacks.”.

The affected accounts are from 74 different countries around the world. 

Prevention measures and lessons learned

There are a few things here worth mentioning – the company claims that it warned the clients multiple times to upgrade to a new version after the flaw from May 2019 was fixed: “This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers. And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging customers to upgrade affected devices. In addition to advisories, bulletins, and direct communications, these blogs were published in August 2019, July 2020, April 2021, and again in June 2021.”.

On the other hand, this issue remained one of the most exploited (as you have seen above). That suggests that a lot of the clients of Fortinet may not have followed the instructions to upgrade their devices and that left them vulnerable. We are yet to see how this will affect the market and if there are going to be further similar cases down the road. 

Cybersecurity – a top priority for any organisation

Such cases show that cybersecurity measures and policies should be adopted and updated regularly in any organisation – public or private entity. Nowadays, cyber-attacks are getting more frequent and more vicious. However, a little prevention can go a long way. You can protect your business with measures such as penetration testing, vulnerability assessment, and staff awareness training. In 3Cyber-Sec, you will find a trusted partner with a lot of experience and flexibility, that will help you build up your cybersecurity defenses with tailor-made solutions to your needs.

The post The big leak of VPN Account Passwords From 87,000 Fortinet FortiGate Devices appeared first on 3Cyber-Sec.

The first sight of Pegasus was almost 5 years ago – in 2016 when it was detected on the phone of a civil rights defender with the help of Citizen Lab. In 2021, the name of Pegasus was heard again when reports detailing the problems with Pegasus were released by organisations and working on the Pegasus Project. It is an Initiative with 17 different media and the coordinating help of Amnesty International. And the first report that started it all was published by them in mid-July this year. A little later the network of journalists Forbidden stories released an in-depth article about the usage of the software to invade the privacy of journalists worldwide. 

What is Pegasus Spyware? 

If you are coming across the news for the first time, we will brief you a little bit. The Pegasus Spyware is a form of software developed by an Israeli company that goes by the name of NSO Group. The software function, as provided by the company, is to detect and prevent terrorist threats for big governmental institutions. Sounds nice, right? Well, an investigation in which the British media giant – The Guardian participates gave us another point of view. 

The software was installed on the phones of people that some governments wanted to be tracked. “With just a single line text, it can bypass your phone’s security and install spyware that grants complete control of your device”, says a representative of The Guardian in a news video that gives details about the scandal. 

According to the media, Pegasus can gain access to: 

• All of your texts and messages; 
• Your GPS and location data; 
• The ability to turn on your mic and camera; 
• All the files you have; 
• Do screen recording. 

The worst part? You won’t even notice that this is happening and have no way of detecting it. The Guardian refers to it as “probably the most advanced piece of spyware ever developed”. Here even end-to-end encrypted applications won’t help, since this is on your phone device. The main way of penetration is through zero-day vulnerabilities – ones that even the companies that made the phones are not yet aware of.

“It is effectively the most invasive form of surveillance imaginable”, The Guardian continues. It is proven that Pegasus can infiltrate both main operating systems – Android and iOS devices. 

How big is the scandal and what is it about? 

Let’s sum it up. We have a company that created spyware software that can be on your phone and track everything you do and give access to all of your data away. And some governments are clients of that company and want to spy on some people like journalists. When we put these two together we get one of the biggest scandals of 2021. The Guardian stated that some of the governments that bought and used Pegasus were using it for their agenda. 

It is enough to say that it is used against human rights activists as well as journalists as Al Jazeera English says. According to a Bloomberg report that came in mid-July this year over 50 000 phone numbers worldwide were potential targets of this software. 1000 of them were traced to their owners and guess what – they belonged to people who should not be in the scope of surveillance by the software. They belonged to politicians and high-ranking officials and the already mentioned journalists and human rights activists. 

Which countries use Pegasus? 

The video story from The Guardian gave us the names of some of the countries that are clients of NSO Group. It is worth mentioning that in some of them there is a form of conflict between the government and the population. It is not clear which ones use the software to spy on members of civil society. Please, keep that in mind as you go down this list:

• Hungary; 
• Azerbaijan; 
• Kazakhstan;
• Rwanda;
• Bahrain;
• Mexico; 
• India; 
• Morocco;
• Dubai;
• UAE;
• Saudi Arabia. 

In a tweet, Ashok Swain, Professor of Peace and Conflict Research at Uppsala University pointed out some of the countries where journalists were targets of Pegasus in something he called a “wall of shame”: 

1. 38 journalists in Morocco; 
2. 48 journalists in Azerbaijan;
3. 38 journalists in India; 
4. 12 journalists in the UAE. 

Although the software might be used to prevent terrorist attacks and threats as well, we can only assume the agenda of the people spying on government officials and civil society representatives. 

What are the reactions and what follows next?

After the scandal went out, the NSO Group told The Guardian that “it will investigate any credible claims of misuse and take appropriate action based on the results of these investigations”. Some of the governments connected to the scandal denied using Pegasus for such activities (Rwanda, Morocco, Hungary, and India), while others (Azerbaijan, Bahrain, Kazakhstan, Saudi Arabia, Mexico, the UAE, and Dubai) did not respond to The Guardian’s request for comment. 

While the scandal still unfolds, we are about to see what happens next. At the end of July 2021, Euronews reported that one of the potential politicians that were a target was the president of France himself. The French authorities began an investigation into the matter.

In mid-September, the MEPs in Strasbourg will discuss the scandal with Pegasus. One of them told Euronews that countries that used it should be held accountable.  We are about to see what other actions will follow worldwide. 

The end of privacy as we know it?

This statement has been used around in the past 20-30 years a lot. Spyware and Malware software will get more complicated and be harder to track in time. The scandal with Pegasus has shown us that. However, it is important to remain calm – cybersecurity threats may be on the rise, but there are also good guys in the picture. Professionals in companies like 3cyber-sec have dedicated their professional careers to the detection and prevention of cybersecurity breaches and hacker attacks. Businesses can rely on them for advice, training, and consulting on how to improve their cybersecurity defenses. 

In the meantime, remember not to store any sensitive information on your devices. In the meantime, there are already ways to check if your smartphone has been infected by Pegasus. 

The post The Pegasus Spyware Scandal: What We Know So Far? appeared first on 3Cyber-Sec.

We’ve witnessed several US federal agencies and thousands of businesses being compromised with (possibly) a single supply chain cyberattack targeting SolarWinds – a company that provides network monitoring products to top USA state-owned and public organizations. What’s unique about this attack is its sheer magnitude. It was executed in a professional and precise manner with the help of complicated techniques. The cybercriminals behind it were highly knowledgeable and experienced hackers. They used sophisticated methods that enabled them to attack multiple companies while remaining undetected for at least 10 months. 

While the investigation as to what exactly happened, who is responsible, and what will be the consequences is still ongoing, we’re here to take a look at this curious case and shed light on the key findings available to the public so far.

How was the SolarWinds cyberattack performed, who was compromised, and who is responsible?

The SolarWinds hack was a supply-chain attack.

Cyberattacks of this kind can compromise the security of a given organization through third-party providers who have access to the organization’s network, systems, and data. In this case, the hacked third-party provider was SolarWinds. As a result, over 18 000 networks, systems, and data were compromised. Additionally, more than 200 private businesses (including big names such as Microsoft, Cisco, FireEye, and Intel) and several federal agencies including the US Department of Commerce, the US Department of Homeland Security, the US Department of the Treasury, the National Institutes of Health, the US Department of Energy, and the National Nuclear Security Administration were also affected by the attack.  

Although it is still not confirmed who is responsible for the hack, US government officials and popular media websites such as The Washington Post, have claimed that the attack was performed by a Russian hacking group referred to as APT29 or Cozy Bear. The idea that the hacking group was state-funded and a part of Russia’s foreign intelligence service was also mentioned to the public. Donald Trump, on the other hand, posted a tweet about two weeks after the attack’s discovery in which he expressed his beliefs that China may be the one behind it. That said, for the time being, there is no proof that either of the two countries was involved.

According to Microsoft, there were more than a thousand cybercriminals who participated in the creation of the SolarWinds cyberattack and they must have had incredible skill sets. It is believed that the initial hack took place way back in September 2019 when the attackers used a highly sophisticated malicious software referred to as SUNSPOT to insert the now-infamous SUNBURST malware into SolarWinds’ IT management software product Orion. The cybercriminals were able to replace one of Orion’s source files and add the SUNBURST backdoor code to it, which allowed them to bypass the cybersecurity defense systems that were in place, gain access to SolarWinds’ networks, as well as to SolarWinds’ clients’ networks, transfer files, execute files, profile the system, reboot the machine, and disable system services. As FireEye shares:

The malware masked its network traffic as Orion Improvement Program (OIP) traffic and stored reconnaissance results within legitimate plugin configuration files, enabling it to blend in with legitimate SolarWinds activity. 

The SUNBURST backdoor enabled the attackers to introduce another malicious software, which was used to trojanize a series of Orion update fails, which were released by the IT service provider SolarWinds between March 2020 and June 2020, as CSO shares. Once they gained access to the compromised systems, the hacker group was careful not to leave any traces and preferred to steal and use credentials to move laterally through the networks and establish remote access.

Detection and Response

The hack was first detected by the cybersecurity company FireEye at the beginning of December 2020. FireEye discovered that there has been unauthorized access to their systems and traced back the trail to SolarWinds. On the same day, 13th of December 2020, the USA’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive with instructions for mitigating SolarWinds Orion Code Compromise. Furthermore, SolarWinds started informing its clients via Tweets that they need to immediately upgrade the Orion Platform to another version to address the vulnerability. Shortly after, SolarWinds introduced two additional updates that were meant to serve as “hotfixes” along with instructions for their implementation.

In mid-December, FireEye discovered a “killswitch”, which could block the functions of the malware and prevent it from doing further harm. However, as darkreading.com shares: 

FireEye’s fix wasn’t effective for networks where the attackers might have already deployed additional persistence mechanisms. 

The scope of the attack became clear by the end of December when the majority of the victims were named in the press. At the beginning of January 2021 a joint statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) was released. The statement informed that the National Security Council staff has stood up a task force construct composed of the FBI, CISA, and ODNI and supported by NSA. The task force group was named Cyber Unified Coordination Group and its main purpose was to “coordinate the investigation and remediation of this significant cyber incident involving federal government networks”. On the 6th of January CISA issued supplemental guidance in relation to the emergency directive for mitigation of the SolarWinds hack. Furthermore, the security agency updated the directive with additional information and instructions once more – on the 22nd of April. 

At the end of January 2021, CISA issued a malware analysis report with technical details about the malicious software used for the attack, while SolarWinds also published a security advisory with information about the company’s response to the incident. Around one month later, in late February, the national security adviser Jake Sullivan announced during an interview for CNN that the US administration is working towards addressing those responsible for the attack within weeks: 

We are in the process now of working through a series of steps to respond to Solar Winds, including steps that will hold who we believe is responsible for this and accountable, and you will be hearing about this in short order. We’re not talking about months from now, but weeks from now, that the United States will be prepared to take the first steps in response to solar winds.

The cyberattack was so sophisticated that it became the reason for several council hearings the first of which was held on the 23rd of February by the US Senate intelligence committee. During the hearing executives from SolarWinds, Microsoft, FireEye, and CrowdStrike discussed the attack. As Associated Press informs, the CEO of FireEye, Kevin Mandia, told the Senate that his company has had nearly 100 people working to study and contain the breach since they detected it in December 2020. On February 26th the executives from SolarWinds, FireEye, and Microsoft were summoned once more to testify before a joined house hearing held by the US House of Representatives’ Oversight and Homeland Security Committees. The main topics of the hearing were concerned with how and why did the SolarWinds hack happened, was classified government information compromised, and what are the existing vulnerabilities to the cyber supply chain.

At the beginning of March 2021, CISA issued another set of guides on remediating networks affected by the SolarWinds hacks and encouraged affected organizations to review and apply the necessary guidance. At the end of the same month, news broke that the SolarWinds hacker group also managed to access email accounts belonging to the Trump administration’s head of the Department of Homeland Security and DHS cybersecurity staff members whose jobs included hunting threats from foreign countries, as Associated Press shares. 

One of the last actions in response to the SolarWinds cyberattack was undertaken a couple of weeks ago when on June 21st the US Securities and Exchange Commission started an investigation that aims to determine if any of the compromised companies failed to disclose that they had been affected by the SolarWinds hack, as reported by Reuters.

Consequences of the SolarWinds Cyberattack

Even now, one year and nine months after the initial SolarWinds cyberattack and seven months after the hack’s discovery, the investigation and remediation activities continue. According to Brandon Wales, the acting director of CISA, officials will have fully secured the compromised government networks not earlier than 2022. Additionally, Wales said that even fully understanding the extent of the damage will take months and it could take up to 18 months before the US government recovers from the SolarWinds hack: 

There are two phases for response to this incident. There is the short-term remediation effort, where we look to remove the adversary from the network, shutting down accounts they control, and shutting down entry points the adversary used to access networks. But given the amount of time they were inside these networks—months—strategic recovery will take time.

Of course, the biggest, scariest, and most obvious outcome of the SolarWinds attack is the fact that thousands of private and several government organizations were compromised. It shouldn’t come as a surprise that according to a survey by Domain Tools, 96% of the 200 respondents, amongst which global security specialists and executives, were concerned by the SolarWinds cyberattack. Furthermore, 60% of the impacted respondents said they were still not sure whether the compromised data was breached and 21% admitted that their sensitive data was in fact breached. 

It is not a secret that cyberattacks often lead to a damaged reputation and the SolarWinds case isn’t an exception. SolarWinds was planning to spin out SolarWinds MSP – another service offered by the company which provides monitoring and management IT solutions. After the attack, however, SolarWinds decided to re-brand their MSP business, which is now known as N-able. According to channele2e.com, although company officials have stated that the N-able business and associated MSP software were not involved in the Orion attack, the January 2021 sales in the MSP software business were slightly impacted by it.

The attack is also going to cost a lot of money. According to MSSP Alert, SolarWinds said that it already had to pay $3.5 million in one-time expenses related to the hack. Furthermore, the company’s executives said that they estimate costs of $20 million to $25 million related to the hack and going towards upgrading the company’s security posture in 2021. 

No one is safe against innovative cyberattack methods – that is the essential lesson to learn from the sophisticated SolarWinds hack. Businesses have to be cautious when trusting third-party providers regardless of how well-known their brands are. Furthermore, cybersecurity experts and companies should continuously strive to better their defense mechanisms so that they can respond adequately and mitigate future risks. Last but not least, organizations need to achieve greater visibility concerning the vulnerabilities of their systems and networks. 

If you need help with identifying the vulnerabilities of your systems or if you seek expert cybersecurity advice, contact us for a free consultation. 3Cyber-Sec is a boutique cybersecurity consultancy company. Our primary focus lies in the development of cyber and information security control frameworks, infrastructure as well as vulnerability management solutions.

The post The Curious Case of The SolarWinds Cyberattack appeared first on 3Cyber-Sec.

It is not a secret that cyberattacks often aim to cause data breaches. According to the RiskBasedSecurity report, data breaches exposed 36 billion records in the first three quarters of 2020. And of course, we shouldn’t forget that social platforms also store massive amounts of sensitive data related both to the users and to the particular network as well. Furthermore, personal data was involved in 58% of last year’s breaches, as shared by varonis.com. Just a few months ago, a hacker who tackled a vulnerable feature of Facebook in 2019, leaked the personal data of more than 533 million Facebook users for free. As Business Insider shares, the exposed data includes the personal information of users from 106 countries, including over 32 million in the US, 11 million in the UK, and 6 million in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.

So we shouldn’t be surprised that one of the biggest data breaches of the century was extremely similar to Facebooks’ sensitive data leak. It targeted the Chinese microblogging website Sina Weibo, which is often referred to as the Chinese Twitter.

The Sina Weibo Data Breach

At the end of March 2020, the former security chief of Alibaba Wei Xingguo announced via a Weibo post that the personal data of more than 538 million of the Twitter-like platform users, including his own, was compromised and leaked online. The breach included details such as real names, usernames, user IDs, number of Weibo tweets, number of followers and accounts users are following, gender, and geographic location. Fortunately, no passwords were leaked, however, this does not mean that the exposed information could not lead to scams, fraud, and other types of impersonation attempts.

To make things worse, the sensitive information of 172 million of all compromised user accounts was sold on the dark web for as little as 1,799 Chinese Yuan or approximately 250 U.S. dollars, as Security Boulevard shares. It isn’t hard to believe that the incident resulted in negative public outbursts and was covered by a number of Chinese and international media.

Sina Weibo’s Official Statement

On the 21st of March last year, Sina Weibo posted an official statement in regards to the breach. The company acknowledged the incident as a severe one and expressed its beliefs that the breach is a result of a so-called dictionary attack. A dictionary attack is a form of brute-force attack which aims to guess a password or another security code by trying thousands or millions of likely possibilities. For example, previously used passwords or lists with key phrases, which are usually obtained from past security breaches.

Sina Weibo claimed that back in 2011 the company introduced a special service that enabled users to look for other Weibo accounts by matching them to the list of their smartphone contacts. However, the company clarifies that users could only gain information about a given number-related account name. In the same statement, Weibo assured users that their passwords are protected with one-way encryption and are not stored as plain text. The company warned users that although their passwords are safely stored, their Weibo accounts could still be stolen in case their password is used for multiple platforms and websites.

Additionally, according to IT Pro Portal, Sina Weibo stated its engineers had identified certain accounts that tried to upload large batches of contacts in late 2018 in order to match them with phone numbers held in the database. It’s interesting that the attack allegedly occurred in 2018, but it was either not noticed for a couple of years, or the information about it was simply silenced. Furthermore, Sina Weibo’s statement is not particularly convincing, because it contains contradictory points. The company claims that passwords were not leaked, however, implies that the attack was initiated because hackers were able to obtain users’ passwords and thus gained access to the leaked information (usernames, gender, location, etc.). As tesonet.com shares, Chinese security experts also detected technical irregularities with the company’s claims. A definite conclusion hasn’t been reached yet and the question of how the data was obtained is still up for debate.

Weibo’s Director of Information Security Luo Shiyao also commented on the attack, downplaying it as cited by Security Affairs:

“Phone numbers were leaked due to brute-force matching in 2019 and other personal information was crawled on the Internet. When we found the security vulnerability we took measures to fix it. We also reported to the police as soon as possible and submitted related information to them. Besides, we have been investigating the ‘gray industry’ because we take user personal information very seriously, especially when the personal data contains phone numbers. Don’t be credulous. Both password fields and Know Your Customer (KYC) data fields are not shown in the description. Don’t worry too much. Good night.”

The Consequences of Sina Weibo Data Breach

Soon after the breach was announced, China’s information technology regulator summoned Sina Weibo for a face-to-face meeting over the leak. The Twitter-like platform was obliged to enhance its internal data security management and eliminate further risks. As yicaiglobal.com shares, the Chinese Ministry of Industry and Information Technology issued a press release which confirmed that Sina Weibo has taken action in response to the information breach, such as updating its interface security strategy. However, there is no official information about whether Sina Weibo was fined because of the breach or not. As varonis.com shares, usually, the average cost of a data breach is $3.86 million as of 2020.

Even if the company hasn’t been fined yet, it did suffer reputational damages which resulted in a decrease in Sina Weibo users. As reported by China Internet Watch, users now are 4% less than the same period last year. The average daily users also suffered a 5% year-over-year decrease.

Stay Safe

While your organization may be protected against cybercriminals, the third-party website you use may still propose risks for you and for your company. Cyberattacks on social media can compromise your company’s data if you have created an account for your business. However, you shouldn’t let fear stop you from growing and expanding your organization.

Stay safe by having a thorough cybersecurity program with clear response plans in place. If you need help with keeping your organization safe in the cyber world, don’t hesitate to contact us. 3Cyber-Sec is a boutique cybersecurity consultant that protects its clients from cyberthreats by crafting tailored security solutions. We use a unique collaborative approach to guide our clients throughout their cyber journeys safely.

The post One Of The Biggest Data Breaches Of The Century: Sina Weibo appeared first on 3Cyber-Sec.