Separate Incidents Expose Third-Party Security Risks

Two incidents highlighted third-party risk again as companies seek to take advantage of the cloud; but must also contend with the potential insecurity and exposure of data and credentials stored offsite.

Brian Krebs in his Krebs on Security blog reported a digital intrusion at El Segundo, Calif.-based direct marketing company PCM Inc., a cloud-provider of technology products, services and solutions to businesses as well as state and federal governments, allowed hackers to access email and file sharing systems for some of the company’s clients. PCM has nearly 4,000 employees, more than 2,000 customers, and generated more than $2.1 billion in revenue in 2018.

Krebs reported sources said PCM discovered the intrusion in mid-May 2019 and attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, the cloud-based file and email sharing service run by Microsoft Corp.

It is unclear whether PCM was another victim from the Wipro breach, Krebs noted, in which a phishing campaign caught dozens of employees and more than 100 computer systems at India’s third-largest IT outsourcing firm.

PCM claimed in a statement, limited impact to its systems and the matter remediated. Nevertheless, the PCM incident elicited much commentary from security experts.

Robert Prigge, president of Jumio, said, “Having your personal email hacked is one thing (not to understate the plight of identity theft victims), but having the administrative credentials stolen from PCM — the same credentials they use to manage client accounts within Office 365 — is next level.” Prigge added, “What is worse, they may use that same email address as their username for other online accounts.”

Kevin Gosschalk, CEO, San Francisco-based Arkose Labs, warned, “Every data breach is financially motivated, so it is not surprising that PCM intruders were looking for fast cash opportunities.” Gosschalk added, each breach empowers fraudsters with more ammunition to attack businesses in a highly targeted manner.

“As more and more information, the “crown jewels” of business, migrate to the cloud, organizations just do not have the visibility and control that they had with their traditional enterprise security capabilities. Criminals are also finding it far easier to target the cloud to utilize stolen passwords, API vulnerabilities or user misconfiguration to take over accounts and access all information like an authorized user, thus bypassing all security controls.” Pravin Kothari, CEO of CipherCloud, said.

According to Jonathan Oliveira, cyberthreat intelligence analyst at Centripetal, “The growing trend of targeting employees who work at cloud providers makes plenty of sense because why would an attacking group want to waste time and resources brute forcing when employees statistically offer the best avenue of approach into a network.” Oliveira also suggested these employees are increasingly becoming high value targets and, in most cases, do not realize how valuable they are to an attacker.

Colin Bastable, CEO of Lucy Security, warned “We are under siege, in an undeclared cyberwar. The outsourcing of skills and resources, and the leveraging of third-party expertise, has driven global economic growth, but at a hidden cost: increased and unquantifiable cybersecurity risk from third parties.” Bastable added, massive and continuing investment in defensive technology represents a challenge to which state actors are more than equal.

“As a global cloud solution provider that generated about $2.2 billion in revenue in 2018, it is surprising that PCM did not at the very least have multi-factor authentication enabled on their systems to thwart the malicious third-party that falsely obtained PCM’s administrative credentials for the company’s file sharing systems with its clients.” Jonathan Bensen, CISO, Balbix, said.

Anurag Kahol, CTO, Bitglass, explained, this latest breach, at PCM, is another example of how cybercriminals target employees who work at cloud data and tech companies that manage IT assets for other organizations. “As more and more businesses move to the cloud, it makes sense that hackers will go after these types of companies in order to gain access to large amounts of data in one fell swoop.”

Chris Kennedy, chief information security officer and vice president of customer success, AttackIQ , said, “This incident reminds us that it’s not always consumer information that is on the line with data breaches. In this case, PCM exposed its customers, other businesses and government agencies.” Additionally, Kennedy pointed out security issues like this could pose an issue for PCM in regards to its acquisition by Insight Enterprises, announced June 24. “Historical incidents could mean onboarding existing liability, IP loss, and embedded threat actors already emplaced in the acquired company’s network which could then be used to attack the onboarding company”

In another incident, data management and protection company Attunity Ltd, headquartered in Kfar Saba, Israel, exposed internal files including passwords and network information, sensitive emails and technology designs from high-profile customers including Ford Motor Co., and Toronto-Dominion Bank.

Researchers at cybersecurity company UpGuard Inc., according to a report they published, found more than a terabyte of data left unsecured by Attunity last month on Amazon Web Services cloud-computer servers.

Attunity’s data buckets included files about Ford’s tech architecture and details on internal project plans. Documents attributed to TD Bank included invoices, agreements between the companies, and files about technology configuration.

Jake Olcott, a vice president at BitSight, advised, “It’s no wonder that third-party risk has become the most significant cyberissue for organizations around the globe – lax understanding of third parties’ security posture and practices is creating a massive weak spot for all organizations across all industries.” Olcott added simply trusting business partners to do the right thing is irresponsible.

“Attunity leaving sensitive data publicly exposed that belongs to some of their top-tier clients is unacceptable, especially after having left terabytes of AWS data exposed only one month ago,” Todd Peterson, identity and access management evangelist at Aliso Viejo, Calif.-based One Identity, said. He added, “In order to prevent putting yourself or your valued customers in a similar situation and making headlines for all the wrong reasons, it’s vital that you integrate a comprehensive privileged account management program.”