Why are Data Breaches Rising at a Rapid Pace?
Cyber researchers have estimated the global annual cost of data breaches in the year 2020 at over $2.1 trillion. At Cyble, we continually monitor darkweb and deepweb threat actors and their activities. Just this morning, Cyble disclosed 197 new data breaches. Since January 2020, the Cyble Research Unit (CRU) has detected more than 13,000 data breaches around the globe. Based on our analysis, we have identified four key themes thus far.
1. Weak Configuration of Cloud Servers
With the proliferation of cloud computing, many organizations are choosing to move their computing operations to the cloud, and these systems often contain sensitive information that requires a high level of security protection. An organization might be ready to embrace the benefits of cloud infrastructure, but at the same time it must also address the potential security risks of cloud computing.
For instance, a simple misconfiguration can open the organization’s server up to remote access by anyone with an internet connection. In 2018, Tesla, an American electric vehicle and clean energy company based in California, was attacked: cybercriminals compromised several servers hosted on AWS S3 compute nodes to mine bitcoin. Recently, an open Elasticsearch server led to the exposure of more than 5 billion records from Keepnet Labs’ database. It may not come as a surprise, but there are thousands of unprotected and vulnerable systems exposed on the Internet. Cyble has detected more than 8000 open Elasticsearch (ES) servers which might potentially expose billions of sensitive user records.
These are just a few examples of cyberattacks that highlight the lack of care organizations take when securing sensitive data services within the cloud. Security weaknesses and threats often arise from misconfiguration of database systems. Choosing the right cloud service provider is an important decision; however, understanding and implementing appropriate security controls is equally prudent. Most cloud service providers offer basic and advanced security measures, but implementing them remains primarily the responsibility of their users and organizations. It is critical to acknowledge that organizations are still responsible for securing their customers’, partners’, suppliers’ and users’ information. AWS, one of the leading cloud service providers, has published its view of the shared responsibility model. See below:
AWS summarized view of the shared responsibility model
2. Lack of Basic Cyber Hygiene Measures
Basic cyber hygiene measures refer to good practices and other activities that computer system administrators and users can undertake to improve their cybersecurity maturity. Public research suggests that unpatched vulnerabilities are a primary driver of breaches and are directly responsible for 60% of all data breaches. Beenu Arora, CEO of Cyble and Member of Forbes Technology Council, commented: “proper implementation of ASD Essential 8 by an organization can lead to 80% successful cyberattacks reduction”. Adding to this, in 2019 two hacking attacks on the ACT government, which took place less than six months apart, signify the lack of basic cyber hygiene in the territory’s online security systems. Beenu further added: “Organizations should take a risk-based approach to implement appropriate security controls across the organizations”.
3. Credentials Stuffing on the Rise
The OWASP foundation defines credential stuffing as a subset of the brute force attack category: the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. Credential stuffing, one of the simplest cybercriminal exploits, has become the most popular example of digital transformation on the darknet. Recently, at the RSA security conference, it was mentioned that 99.9% of the Microsoft enterprise accounts compromised by cybercriminals lacked Multi-Factor Authentication (MFA). Microsoft stated that on average around 0.5% of its accounts get hacked every month, as happened in January, when approximately 1.2 million accounts were compromised. Alex Weinert, the director of Identity Security, said, “If you have an organization of 10000 users, 50 of them are going to be compromised this month”.
Several threat actor groups have been using password spraying attacks on US organizations; a recent report, for example, cites the “Magnallium” group targeting the US utility sector. Citrix Systems suffered a cyber-attack in which perpetrators gained access to sensitive data such as employee records and financial data. It is alleged that the hackers gained initial access to its systems through password spraying attacks. Cyble is also reporting a sharp increase in the volume and sophistication of cyber-attacks leveraging COVID-19 as a threat vector.
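Both patterns above leave a recognisable trace in authentication logs: credential stuffing and password spraying produce one source failing against many different accounts (few guesses each), while classic brute force hammers a single account. The following added example (not from the Cyble post) runs a simple detector over constructed log lines in an assumed "timestamp src_ip user result" format, and also reports the accounts that logged in successfully from a spraying source, which are the ones a defender should treat as compromised first.

```python
# Added example, not Cyble's code: flag password-spraying / credential-stuffing
# and single-account brute-force patterns in constructed authentication logs.
import re
from collections import Counter, defaultdict

# Constructed sample log lines; the "ts src_ip user result" format is assumed.
SAMPLE_LOG = """\
2020-03-17T09:00:01 203.0.113.5 alice FAIL
2020-03-17T09:00:02 203.0.113.5 bob FAIL
2020-03-17T09:00:03 203.0.113.5 carol FAIL
2020-03-17T09:00:04 203.0.113.5 dave FAIL
2020-03-17T09:00:05 203.0.113.5 erin FAIL
2020-03-17T09:00:06 203.0.113.5 frank OK
2020-03-17T09:01:00 198.51.100.7 alice FAIL
2020-03-17T09:01:01 198.51.100.7 alice FAIL
2020-03-17T09:01:02 198.51.100.7 alice FAIL
2020-03-17T09:01:03 198.51.100.7 alice FAIL
2020-03-17T09:01:04 198.51.100.7 alice FAIL
2020-03-17T09:02:00 192.0.2.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Return (ts, ip, user, result) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]

def detect(log, spray_threshold=5, brute_threshold=5):
    """Map each suspicious source IP to ('spray', [accounts that then logged in])
    or ('brute', [accounts hit]). Thresholds are illustrative, not tuned."""
    failed_users = defaultdict(set)      # ip -> distinct usernames that failed
    fail_count = defaultdict(Counter)    # ip -> username -> failure count
    successes = defaultdict(set)         # ip -> usernames that logged in
    for _ts, ip, user, result in parse(log):
        if result == "FAIL":
            failed_users[ip].add(user)
            fail_count[ip][user] += 1
        else:
            successes[ip].add(user)
    findings = {}
    for ip, users in failed_users.items():
        if len(users) >= spray_threshold:          # many accounts, few tries each
            findings[ip] = ("spray", sorted(successes[ip]))
        elif max(fail_count[ip].values()) >= brute_threshold:  # one account, many tries
            findings[ip] = ("brute", sorted(fail_count[ip]))
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A successful login from a source already flagged as spraying (here, frank from 203.0.113.5) is the alert to act on: an MFA challenge at that point would have stopped the account takeover even though the password was correct.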
Since January 2020, Cyble has identified over 1.2 billion new records from the deepweb and darkweb, indexed on its data breach monitoring and alerting engine, AmIBreached.com. In 2019, Cyble released a report that evaluated and ranked the cyber risk exposure of the top 50 companies listed on the Australian stock exchange, based on their traces and mentions on the darkweb and deepweb. The report highlighted that the financial and banking sector, along with Energy, Utilities and Mining, was at the most significant risk based on its information exposure on the darkweb.
Essentially, not using MFA opens the door for hackers to enter the organization and access its data by knowing just one valid password of one of its employees. When multi-factor authentication is implemented correctly, it is significantly more difficult for a cybercriminal to steal a complete set of credentials, because the user has to prove possession of a second factor that is either something they have (e.g. a physical token or software certificate) or something they are (e.g. a fingerprint or iris scan).
The graph from the Cyble Darkview Index Q3 2019
4. Cybercrime Markets becoming highly Lucrative
Cybercrime markets are becoming more profitable than before, and their affiliate networks are expanding at a rapid pace. Recently, Cyble has uncovered several ransomware families that are being tested by cybercriminals, and the CRU does not see this trend slowing down. Ransomware attacks are rising rapidly, and they are estimated to cost organizations $20 billion by 2021 (Source: Ransomware Statistics). There was a sharp increase of 41% in the number of ransomware attacks in 2019 over the previous year. The ransomware market operates in the same way as any other market, with demand and supply acting as the determinants. For instance, according to Coveware, in the last quarter of 2019 the average ransomware payment increased by 104%, from $41,198 to $84,116. This sharp increase in ransomware payments can be readily explained by the determinants of the market (demand and supply).
Graph Illustrating the Boom in the Ransomware Market
As organizations reluctantly pay ransoms to cybercriminals, the result is new ransomware attacks with more features and sophistication. Beenu commented on it: “Cyber insurance companies are indirectly causing a surge in these ransomware attacks. For instance, one of the trends that has been followed in the industry is that some cyber insurance companies have started to pay the ransoms because it costs them less than going and doing the remediation or going back to do the backups.”
CRU reporting a credible threat actor recruiting ransomware affiliates in a darkweb market (March 17, 2020)
Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Cyble offers SaaS-based solutions, powered by machine learning and human analysis, that give organizations insight into cyber threats introduced by suppliers and enable them to respond faster and more efficiently.
Cyble strives to be a reliable partner and facilitator to its clients, allowing them unprecedented security scoring of suppliers through cyber intelligence sourced from open and closed channels such as OSINT, dark web and deep web monitoring, and passive scanning of internet presence. Furthermore, this intelligence, combined with machine learning capabilities and human analysis, also allows clients to gain real-time cyber threat intel and helps them build stronger resilience to cyber breaches and hacks. Due to the nature of the collected data, the company also offers threat intelligence capabilities out of the box to its subscribers.
Besides products, Cyble provides value-add cyber defence consulting services as well.