A series of cyberattacks targeting the Canada Revenue Agency has led to a shutdown of services after thousands of accounts were breached.
The attack follows two recent trends:
- Cybercriminals across the world are increasingly targeting government institutions to maximise disruption.
- Usernames and passwords alone continue to be a weak and failing defense for accounts. With the volume of stolen PII (personally identifiable information) and credentials for sale on the dark web, cybercriminals can take over accounts with relative ease and access government services.
This attack was due to “credential stuffing”, which is the practice of automatically injecting breached username/password combos into other services in the hope of gaining access to user accounts. Certainly, it’s not a user’s fault when a service they’re registered with is breached; however, the bigger issue here is password reuse. If users aren’t reusing passwords between services, then a password breach won’t follow them across the internet. Look at it this way: just because a hobby forum I’m a member of gets breached doesn’t mean that my bank account, 401k, and email should now be vulnerable as well. However, if I reuse passwords, then that will be the case!
Multi-factor authentication on websites is a discussion worth having with regard to credential stuffing mitigation, but users should be proactively protecting themselves by not reusing passwords and by using password managers. Password managers allow users to diversify their passwords, generate complex passwords and rotate those passwords, all while only needing to remember a single password to log in to the service and use these passwords. Even better, any password manager worth its salt makes sure everything is encrypted, so if they’re breached your stored passwords aren’t in danger. Ultimately, it’s unfortunate when a data breach occurs; however, users shouldn’t leave themselves so vulnerable by reusing passwords across the internet.
Canada has been dealing with cyber-attacks recently, and this is the third attack on the Canada Revenue Agency, which in addition to collecting taxes provides urgently needed access to COVID-19 relief programs, veterans’ programs, and a broad array of services to citizens.
Canada has a strong history of infosec responsibility. The most recent attack resulted from a software vulnerability that let attackers bypass security questions, which was fixed almost immediately upon notification of the problem.
In this third attack, a credential stuffing attack deployed a botnet in an attempt to access and compromise the accounts of some 12 million Canadians, using previously exposed, stolen passwords and usernames. It’s a “front door” attack – using information that’s already out there. The ability of attackers to use the same usernames and passwords that were harvested previously is a key factor. The good news is that of the 12 million ID-and-password combinations the attackers attempted to use, some 98% or more were no longer valid.
It’s important that everyone understands they’re a potential target for cybercriminals, whether or not they believe they’re likely to be. The important steps that every consumer should take: a) use a password manager and create unique, non-intuitive and lengthy passwords – preferably 30 characters or more; b) use 2FA wherever it’s available (unfortunately, many government services have been slow to offer 2FA and to allow passwords longer than 30 characters); and c) never reuse a password, and change existing passwords frequently. Also, anyone directly affected by this breach should reach out to the CRA immediately, either by phone or email – they’ll re-authenticate you and restore services.
There are several lessons to be learned from this attack against Canadian government sites. Here, the attackers are using credentials acquired in other breaches to try to access government systems. It’s easy for a site to identify the flood of failed logins, but it can be hard to separate legitimate users accessing the site from the attackers using stolen credentials. It may be easy for an internal security analytics system to identify malicious behavior, but it is always best to keep the wolves at bay.
These attacks are possible because people will often reuse credentials. While that may not be an issue for logging into a person’s favorite web forums, it should never be done with a site that houses important information. Unique, strong passwords are the order of the day, and should be backed with multi-factor authentication. User education and good password hygiene help mitigate attacks like this, but they will happen, which means organizations will still need to bolster their internal defenses.
Credential reuse is a big issue getting a lot of smart people to think about getting rid of passwords as an authentication method altogether. But we’re not there yet, so I’m glad the government of Canada was able to spot the brute force attempt quickly. Can you imagine if this was perpetrated slowly over months instead of hours? It is possible that the attack would go undetected.
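As an added example (not code from this article, nor from the Canada Revenue Agency), here is a small Python triage script for the detection problem the two comments above describe: telling a credential-stuffing flood, which spreads one attempt across many different usernames, apart from brute force against a single account, and then re-running the same check over a long window so a low-and-slow campaign does not slip under a short-window threshold. The log format, IP addresses, usernames and thresholds are all constructed for the example, and the heuristic is an assumption of this example rather than a description of any real detection system.

```python
"""Credential-stuffing triage over a constructed authentication log.

Added example; the log format, addresses and thresholds are assumptions
made here, not CRA data or detection logic. Heuristic: a stuffing source
fails against MANY DIFFERENT usernames (one try per leaked pair), while
brute force hammers ONE username. Count failures per source in a sliding
window and look at how many distinct usernames they cover.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: "<iso-timestamp> <source-ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-08-15T10:00:00 198.51.100.7 alice FAIL
2020-08-15T10:00:05 198.51.100.7 bob FAIL
2020-08-15T10:00:10 198.51.100.7 carol FAIL
2020-08-15T10:00:15 198.51.100.7 dave FAIL
2020-08-15T10:00:20 198.51.100.7 erin FAIL
2020-08-15T10:00:25 198.51.100.7 frank OK
2020-08-15T10:01:00 203.0.113.9 alice FAIL
2020-08-15T10:01:10 203.0.113.9 alice FAIL
2020-08-15T10:01:20 203.0.113.9 alice FAIL
2020-08-15T10:01:30 203.0.113.9 alice FAIL
2020-08-15T10:01:40 203.0.113.9 alice FAIL
2020-08-15T10:01:50 203.0.113.9 alice FAIL
2020-08-15T10:05:00 192.0.2.10 grace FAIL
2020-08-15T10:05:30 192.0.2.10 grace OK
2020-08-01T03:12:00 198.51.100.8 user01 FAIL
2020-08-02T03:14:00 198.51.100.8 user02 FAIL
2020-08-03T03:09:00 198.51.100.8 user03 FAIL
2020-08-04T03:13:00 198.51.100.8 user04 FAIL
2020-08-05T03:10:00 198.51.100.8 user05 FAIL
2020-08-06T03:15:00 198.51.100.8 user06 FAIL
2020-08-07T03:12:00 198.51.100.8 user07 FAIL
2020-08-08T03:11:00 198.51.100.8 user08 FAIL
"""

FAST_WINDOW = timedelta(minutes=5)   # catches the hours-long flood
SLOW_WINDOW = timedelta(days=30)     # catches one attempt per day


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_log(text: str) -> list:
    """Parse the constructed format above into time-ordered events."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def classify_sources(events, window: timedelta, min_failures: int,
                     distinct_ratio: float = 0.8) -> dict:
    """Map source IP -> 'stuffing' | 'brute_force' for every source whose
    densest window of failures holds at least min_failures attempts."""
    failures = defaultdict(list)      # src_ip -> its failed events, in time order
    for e in events:
        if not e.success:
            failures[e.src_ip].append(e)
    verdicts = {}
    for ip, fails in failures.items():
        start, best = 0, None         # best = (failure count, distinct usernames)
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1            # slide the window forward
            count = end - start + 1
            if count >= min_failures and (best is None or count > best[0]):
                best = (count, len({f.username for f in fails[start:end + 1]}))
        if best:
            count, distinct = best
            verdicts[ip] = "stuffing" if distinct / count >= distinct_ratio else "brute_force"
    return verdicts


def compromised_accounts(events, verdicts: dict) -> set:
    """Usernames that logged in successfully from a stuffing source: the
    small 'still valid' slice of the leaked list, i.e. the accounts to
    lock and re-verify first."""
    return {e.username for e in events
            if e.success and verdicts.get(e.src_ip) == "stuffing"}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    fast = classify_sources(ev, FAST_WINDOW, min_failures=5)
    slow = classify_sources(ev, SLOW_WINDOW, min_failures=5)
    print("5-minute window:", fast)          # misses 198.51.100.8
    print("30-day window:  ", slow)          # flags 198.51.100.8 as stuffing
    print("accounts to re-verify:", compromised_accounts(ev, slow))
```

The short window flags the fast stuffing source and the single-account brute force but sees only one failure per day from the low-and-slow source; only the 30-day pass flags it. The successful login from a flagged source (`frank`) is the account to lock and re-verify, which is the action the CRA guidance above asks affected users to trigger. In production the same logic would key on ASN or device fingerprint as well as IP, since a botnet spreads attempts across many addresses.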
The breach appears to be the result of ‘credential stuffing.’ Attackers who had already obtained usernames/passwords are simply reusing them for the same users for their government accounts. The bottom line is that usernames and passwords are not a safe method for authentication. It is unfortunately common for consumers to reuse passwords for everything from social media to banking or tax accounts, and changing those habits has proven difficult or impossible. MFA as an opt-in method could have helped here, but the Government of Canada needs to look at non-password based authenticators.