Friday, July 29, 2022

Latest report on cost of breaches
In a recent survey conducted by IBM, based on data from 550 global organizations across 17 sectors that experienced data breaches between March 2021 and March 2022, the average cost of a breach was $4.35 million. By industry sector:

  • Healthcare: $10.1m
  • Financial: $6.0m
  • Pharmaceuticals: $5.0m
  • Technology: $5.0m
  • Energy: $4.7m
  • Industrial: $4.5m
  • Education: $3.9m
  • Transportation: $3.6m
  • Retail: $3.3m
  • Public Sector: $2.1m

The numbers from last year's IBM survey were:

  • Healthcare: $9.2m
  • Finance: $5.7m
  • Pharmaceuticals: $5m
  • Technology: $4.9m
  • Energy: $4.7m
  • Services: $4.7m
  • Industrial: $4.2m
  • Global average: $4.2m
  • Entertainment: $3.8m
  • Education: $3.8m
  • Transportation: $3.8m

Thursday, June 30, 2022

Crypto hacking has become North Korea's key source of income

North Korea’s army of 6,800 hackers has stolen millions in cryptocurrency in recent years -- helping the regime withstand economic sanctions & run its nuclear program.

  • North Korean hackers stole $400m in cryptocurrency in 2021 & close to $1B so far in 2022 (the country earned only $89m in official exports in 2020).

  • In April 2022, the U.S. Treasury Dept. linked North Korea’s Lazarus hacking group to the theft of $620 million in cryptocurrency from videogame Axie Infinity.

The lack of regulation and compliance rules, as well as the decentralized nature of cryptocurrency platforms, have made it easier for North Korean hackers to move the stolen funds around and eventually cash out.


Friday, April 29, 2022

15.3M RPS DDoS attack blocked at Cloudflare

This attack was at the application layer, which is more expensive to launch because the attacker must first complete a TLS handshake for each connection before sending requests.

The attack targeted a crypto launchpad.

This attack was launched from a botnet of approximately 6,000 unique bots. It originated from 112 countries around the world. Almost 15% of the attack traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.


https://blog.cloudflare.com/15m-rps-ddos-attack/


Thursday, April 7, 2022

Security operations functions

- Threat intelligence: identify the adversary, extract TTPs, create a plan (e.g. will the procedure the adversary uses trigger alerts?). A good source for TTPs: https://www.thedfirreport.com

- Security operations centers

- Threat hunting

- Incident response

- Forensics

- Vulnerability management/Blue team

- Red team (offensive; stealth engagement)

- Purple team (virtual team)

Below is the procedure for the purple team exercise against a TTP. It is important to measure how quickly an attack can be detected and responded to, in order to limit the potential damage.

Another crypto hack via cross-chain bridge

Ronin is a sidechain of Ethereum. It is where the play-to-earn game Axie Infinity runs. 

The reason that the game runs on Ronin instead of directly on Ethereum is simple: Ethereum is slow and expensive.

To let people swap between the Axie ecosystem tokens (SLP, AXS, RON, WETH) and mainstream tokens managed in popular digital wallets such as MetaMask, Ronin developed a bridge between the Ronin network and Ethereum. A bridge is a pair of smart contracts, one on each chain, that lock tokens on one side and release them on the other, guaranteeing payment versus payment (PvP).

The problem is that Ronin has only nine validator nodes, running a proof-of-authority (PoA) protocol. The attacker was able to compromise 5 of those nodes, enough for majority control, and used that majority to authorize bogus transactions.

The end result: 173,600 ETH and 25.5 million USDC that had been locked in the bridge were drained. At prices at the time of the hack, this was worth more than $625 million.
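To make the majority-control point concrete, here is an added Python model (not Ronin's or Axie Infinity's code) of a PoA bridge that releases funds once a threshold of distinct validators has signed a withdrawal. Validator names, keys and the HMAC-based signatures are constructed stand-ins for the on-chain keys and ECDSA signatures a real bridge contract would verify.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a 9-validator PoA bridge: each validator holds a
# secret key and approves withdrawals with HMAC-SHA256 (standing in for the
# ECDSA signatures a real bridge contract checks). Names and keys are made up.
VALIDATORS = {f"validator-{i}": secrets.token_bytes(32) for i in range(1, 10)}


def sign_withdrawal(validator, key, withdrawal):
    """One validator's approval of a withdrawal message."""
    return (validator, hmac.new(key, withdrawal, hashlib.sha256).digest())


def count_valid_approvals(withdrawal, approvals):
    """Count distinct validators whose signature over `withdrawal` verifies.
    Repeated submissions from the same validator count once, so a single
    compromised key cannot be replayed to pad the count up to quorum."""
    seen = set()
    for validator, sig in approvals:
        key = VALIDATORS.get(validator)
        if key is None:
            continue  # unknown signer, ignored
        expected = hmac.new(key, withdrawal, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            seen.add(validator)
    return len(seen)


def bridge_releases(withdrawal, approvals, threshold):
    """The bridge releases locked funds only when quorum is reached."""
    return count_valid_approvals(withdrawal, approvals) >= threshold


def simulate_compromise(compromised, threshold):
    """Attacker holds the keys of the `compromised` validators and forges
    approvals for a withdrawal no honest validator ever signed. Returns
    whether the bridge would release the funds."""
    bogus = b"withdraw 173600 ETH to attacker-address (constructed)"
    forged = [sign_withdrawal(v, VALIDATORS[v], bogus) for v in compromised]
    forged.append(forged[0])  # replay attempt: same signature submitted twice
    return bridge_releases(bogus, forged, threshold)


# Ronin-style setting: 9 validators, a simple majority of 5 needed.
FIVE_COMPROMISED = list(VALIDATORS)[:5]
```

Raising the threshold above the number of keys an attacker can realistically obtain (or splitting keys across independently operated validators) is the mitigation this model makes visible.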
https://blog.mollywhite.net/axie-hack/

https://rekt.news/


Wednesday, April 6, 2022

Third-party, social engineering, cryptocurrencies

This attack is hitting multiple buzzwords.

MailChimp has confirmed that some of their employees fell for a social engineering attack that led to the theft of their credentials.

"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."

These credentials were used to access 319 MailChimp accounts and to export "audience data," likely mailing lists, from 102 customer accounts.

In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.

Using these compromised API keys, a threat actor can create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal.

This attack is reminiscent of recent breaches by the Lapsus$ hacking group, who used social engineering, malware, and credential theft to gain access to numerous well-known companies, including Nvidia, Samsung, Microsoft, and Okta.

The Okta breach was accomplished through a similar method as MailChimp, by social-engineering a contractor who had access to internal customer support and account management systems.


Hydra was shut down

U.S. & German law enforcement announced the shutdown of Hydra -- a Russian “darknet” marketplace that facilitated ransomware, drug deals & other crimes.

  • Hydra accounted for 80% of all darknet-related cryptocurrency transactions in 2021 & cleared $5.2b in crypto since 2015.
  • German authorities secured Hydra’s servers, closed the service & seized $25 million worth of bitcoin.

In the context of sanctions against Russia, shutting down Hydra became a priority, as the U.S. & its allies want to cut off any potential backdoor funding for Putin’s regime.

In this area, the following are recent accomplishments:
  • In Feb. 2022, the DoJ seized $3.6b in bitcoin stolen during a 2016 hack of Bitfinex -- the agency’s largest ever financial recovery.
  • In Nov. 2021, U.S. & EU authorities arrested multiple hackers affiliated with REvil & the DoJ recovered $6.1m tied to REvil ransom profits.
  • In June 2021, U.S. law enforcement recovered $2.3m of the ransom Colonial Pipeline paid when it was hit by ransomware.
Additional actions that should be considered:
  • Shut down support infrastructure: including the hardware/software vendors, malware developers, money launderers & others that enable criminal gangs.
  • Regulate exchanges: Regulate crypto exchanges under the same rules as U.S. brick-and-mortar banks.
  • Sanction offshore exchanges: Deny offshore crypto exchanges access to U.S. markets if they don’t prevent ransomware payouts.
  • Require ransomware disclosures: Breach disclosures by private companies would improve the chances of decrypting data or tracing payments.