A confidential report from the Verizon investigations team detailing the 2011 Stratfor cyber-attack and data breach has recently leaked to the press.
Stratfor is a geopolitical intelligence firm that, like most retailers, sells a product: “strategic analysis and forecasting to individuals and organizations around the world.” In 2011, the hackers stole more than five million sensitive emails and sold them to WikiLeaks.
The hackers also said they had details for more than 90,000 credit card accounts. Among the organizations listed as Stratfor clients: Bank of America, the Defense Department, Doctors Without Borders, Lockheed Martin, Los Alamos National Laboratory and the United Nations.
What the Verizon investigation showed is how central privileged account abuse was to this breach. According to the Verizon report:
- Stratfor allowed insecure and unmonitored remote access that was left permanently enabled (RDP and SSH).
- For example, web and database servers were accessible over the Internet – and admin access to these systems was designed to be reachable both internally and externally – yet Stratfor IT personnel did not know about this. Employees would routinely use these powerful accounts from home, the office, and anywhere else.
- To compound matters, all remote access used single factor authentication.
- The attackers breached the SMTP server over SSH using employee credentials, indicating that they already knew the password and only needed to brute-force the account name.
- Once inside, the hackers were able to access troves of customers’ credit card details, documents and email – including credit card information on its database servers that was unencrypted.
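The attack path above (single-factor SSH, a known password, and a brute-forced account name) leaves a recognisable trace in sshd logs: one source failing against many different usernames in a short span, then succeeding. The detection example below is added here and is not from the Verizon report or from Stratfor; the log lines are constructed, and the syslog line format and the 2011 year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd lines in syslog format (assumed), not taken from the report.
SAMPLE_LOG = """\
Dec 10 03:14:01 mail sshd[2211]: Failed password for invalid user alice from 203.0.113.7 port 51022 ssh2
Dec 10 03:14:03 mail sshd[2213]: Failed password for invalid user bob from 203.0.113.7 port 51024 ssh2
Dec 10 03:14:05 mail sshd[2215]: Failed password for invalid user carol from 203.0.113.7 port 51026 ssh2
Dec 10 03:14:07 mail sshd[2217]: Failed password for dave from 203.0.113.7 port 51028 ssh2
Dec 10 03:14:09 mail sshd[2219]: Accepted password for erin from 203.0.113.7 port 51030 ssh2
Dec 10 03:20:00 mail sshd[2301]: Failed password for frank from 198.51.100.9 port 40000 ssh2
Dec 10 03:20:30 mail sshd[2303]: Failed password for frank from 198.51.100.9 port 40002 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_events(text, year=2011):
    """Parse password-auth lines into sorted (time, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return sorted(events)

def detect_username_spray(events, window_s=300, min_users=3):
    """Flag sources failing against >= min_users distinct usernames inside any
    window_s seconds and note whether the same source then logged in. Repeated
    failures on one username (198.51.100.9) are guessing, not flagged here."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failed = [(t, u) for t, _, u, ok in evs if not ok]
        best = set()
        for i, (t0, _) in enumerate(failed):  # sliding window over failures
            users = {u for t, u in failed[i:] if (t - t0).total_seconds() <= window_s}
            best = users if len(users) > len(best) else best
        if len(best) >= min_users:
            last_fail = max(t for t, _ in failed)
            success_after = any(ok and t > last_fail for t, _, _, ok in evs)
            findings[ip] = {"users": sorted(best), "success_after": success_after}
    return findings
```

A finding with `success_after` set is the high-severity case: the account name was found and the session should be treated as compromised, which is exactly where a monitored jump host or second factor would have stopped it.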
Basic security steps could have significantly reduced risk of this breach, including:
- Securing Remote Access – privileged session management is a critical requirement for any security-conscious organization. Companies need to isolate, control and monitor privileged user access and activities. A privileged session manager acts as a jump server, providing a single access control point, preventing malware from jumping to a target system, and recording every keystroke and mouse click for continuous monitoring.
- Credentials Management – the report stated that, “a password management policy does not exist within Stratfor.” Several unused accounts were present on each of the examined systems, and several accounts were shared by multiple users. There wasn’t even a policy to prevent users from using the same password to access company email and to remotely access servers containing sensitive information.
- Eliminating Privilege Escalation – the attackers escalated from lower-privileged personal user accounts to root on the servers they accessed. By controlling privileged accounts, Stratfor could have stopped the attack early in its life cycle.
Once again, privilege turns out to be the key to lateral movement once an attacker has breached the perimeter, and to doing the most damage. Other examples include the MobileIron breach, the BlackPOS attack on retailers, Edward Snowden and the U.S. tax return crime wave breaches. Given the preponderance of privilege-based attacks, revisiting best-practice security procedures is worth a look. Check out our paper, The Three Phases of Securing Privileged Accounts.