August 20, 2024

How simple hacks take down big companies

NetworkTigers discusses how simple hacks take down big companies.

How can hackers get access to some of the biggest and best-protected companies on the globe and steal valuable information hidden behind firewalls, passwords, and end-to-end encryption? The truth is often shockingly simple. Consider these easy ways big companies got hacked and discover if your company shares any of the same vulnerabilities. 

Examples of simple hacks big companies fall for

1. Third-party developer loopholes

Third-party developers often leave larger companies with data management or social networking features at risk. Facebook is one example of a company that has often been burned by third-party apps and developers. In April 2019, cyber-risk assessment company UpGuard found 540 unsecured user data records of Facebook users on public Amazon S3 cloud servers. The blame eventually fell upon Cultura Colectiva, a Mexican media company that failed to take the simple measure of password-protecting their database. The result was around 146 gigabytes of exposed data, including Facebook user names, IDs and account names, comments, likes, reactions, check-ins, photos, and more. 
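A defender's audit for the kind of public S3 exposure described above, as an added example that is not from the original article or from any company it names. The function names and input shapes are hypothetical. The policy fields, the AllUsers group URI and the Block Public Access setting names are standard AWS ones, and the "public" test is simplified to unconditioned grants to everyone.

```python
import json

# Group URI that S3 ACLs use for "anyone on the internet".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_exposure(policy_json, acl_grants, bpa):
    """Return findings describing how a bucket is readable by the public.

    policy_json: bucket policy document as a JSON string ("" if none)
    acl_grants:  list of (grantee_uri, permission) pairs from the bucket ACL
    bpa:         dict of the bucket's Block Public Access settings
    """
    findings = []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    for st in statements:
        # Simplification (assumption): any unconditioned Allow to "*" is public.
        if (st.get("Effect") == "Allow" and is_wildcard(st.get("Principal"))
                and not st.get("Condition")
                and not bpa.get("RestrictPublicBuckets")):
            findings.append(f"policy statement {st.get('Sid', '?')} allows everyone")
    for grantee, permission in acl_grants:
        if grantee == ALL_USERS and not bpa.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {permission} to AllUsers")
    return findings


# Constructed sample policy of the kind that leaves data world-readable.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

With Block Public Access enabled on the bucket, the same policy and ACL produce no findings, which is why that setting is the first thing to verify on vendor-managed buckets.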

2. Failure to update systems

Third-party vulnerabilities have long been a straightforward way for hackers to access major companies. A big firm is only as protected as its least cyber-secure vendor. However, when big companies fail to update their internal systems, the damage can be exponentially worse than what one third-party flaw might allow. The infamous 2017 Equifax data breach resulted from a patchable vulnerability in the third-party web portal Apache Struts. This was bad enough; however, even once this breach was discovered, Equifax failed to update its internal servers to account for the fix. As a result, hackers could stay active within the financial giant for 76 more days. Equifax had allowed their Public Key Infrastructure (PKI) to expire, which prevented cybersecurity professionals from detecting unusual activity. At the same time, they had failed to implement basic network segmentation, instead allowing their users broad permissions across wide swaths of data. By the time the hack came to light, executives were accused of insider trading as they had already begun to dump their stock.

The Equifax breach is an example of a perfect storm of simple cybersecurity procedures gone wrong. Failure to use secured third-party vendors, failure to update systems once a leak is reported, failure to segment networks, failure to keep PKI up to date, and failure to report the data breach all led to around 163 million people worldwide (as well as 148 million Americans) being affected in the hack. 

3. Data scraping

Data scraping is a controversial kind of leak because it does not necessarily involve an internal system flaw. While data scraping is at times a legal method of aggregation, other data scrapes can be a violation of terms of service. In 2021, LinkedIn reported that over 700 million user records had been subjected to a data scrape that exploited the company’s API. Scraped data included users’ email addresses, phone numbers, full names, user names, geolocation data, genders, resumé information, and more. 

While the company tried to argue that some of the information was already publicly available, other details, such as email addresses and employment information, had been set to private. This information is especially valuable in a social engineering hack or phishing attempt. Cybercriminals posted the data set online in exchange for $7000 worth of Bitcoin as soon as it was available.

4. Zero-day vulnerabilities

Zero-day vulnerabilities are software, hardware, or firmware bugs that are as-yet unknown to developers. The Microsoft Hafnium hack in 2021 is an example of a simple premise that took down a major company. The hack, which has been blamed on Chinese cyber group Hafnium by the FBI, targeted Microsoft for months but relied upon two key and very simple conditions: 

  1. Company email servers with connection to the internet.
  2. On-premises, locally managed systems.

Locally managed systems can sometimes be beneficial to data security. However, they became a liability in this case as the hackers could gain server access to emails sent between local government entities and small businesses. The emails appeared legitimate because they seemed to have been sent by systems on the premises, meaning many Microsoft employees had less reason to question them. Throughout the hack, the hacking group exploited these zero-day vulnerabilities and breached over 30,000 Microsoft Exchange servers. If the individual local system did not update its software, the hacking group was allowed to use the same loophole repeatedly, despite Microsoft’s ability to fix issues remotely. 

5. Website design flaws

Sometimes the mistake that takes down a big company is baked in from the start. First American Financial Corp.’s 2019 leak is an example of a simple mistake in web design that allowed hackers to access 885 million private records. The company’s site was vulnerable to Insecure Direct Object Reference (IDOR). This flawed setup allowed anyone with a link to a document to bypass verification or security measures. Additionally, a simple change in the URL allowed hackers to access additional documents because First American logged their records in sequential order.
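The IDOR flaw described above, shown beside a hardened handler, as an added example that is not First American's code. The store, handler names, users and document contents are all hypothetical and constructed for illustration.

```python
import secrets


class DocumentStore:
    """In-memory stand-in for a document database (constructed sample data)."""

    def __init__(self):
        self.docs = {}          # doc_id -> {"owner": ..., "body": ...}
        self._counter = 1000

    def add_sequential(self, owner, body):
        # Weak pattern from the article: IDs issued in sequential order.
        doc_id = str(self._counter)
        self._counter += 1
        self.docs[doc_id] = {"owner": owner, "body": body}
        return doc_id

    def add_random(self, owner, body):
        # Unguessable 128-bit identifier; defence in depth, not a substitute
        # for the authorization check in fetch_hardened().
        doc_id = secrets.token_urlsafe(16)
        self.docs[doc_id] = {"owner": owner, "body": body}
        return doc_id


def fetch_vulnerable(store, doc_id):
    """IDOR: the ID taken from the URL is the only thing consulted."""
    doc = store.docs.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


def fetch_hardened(store, session_user, doc_id):
    """Require a logged-in user and verify ownership on every request."""
    if session_user is None:
        return (401, None)
    doc = store.docs.get(doc_id)
    # Same 404 for "missing" and "not yours" so responses do not reveal
    # which IDs exist.
    if doc is None or doc["owner"] != session_user:
        return (404, None)
    return (200, doc["body"])


store = DocumentStore()
alice_id = store.add_sequential("alice", "alice closing documents")
bob_id = store.add_sequential("bob", "bob closing documents")
```

The vulnerable handler returns Bob's document to anyone who supplies his ID, while the hardened one answers 404 to Alice and 401 to an anonymous caller for the same request.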

Any of these simple routes in through common vulnerabilities can prove deadly to a company of any size, even one dedicated to cybersecurity best practices. They have already been effective for many hackers targeting some of the biggest companies in the world. Don’t let your own firm be next.

About NetworkTigers


NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

All articles sponsored by NetworkTigers.

Gabrielle West
Gabrielle West is an experienced tech and travel writer currently based in New York City. Her work has appeared on Ladders, Ultrahuman, and more.
