PCM Breach: Expert Commentary

By ISBuzz Team | June 28, 2019 | Updated: July 4, 2024
Brian Krebs recently broke the news that there was an intrusion at PCM Inc., a major U.S.-based cloud solution provider. The hackers were able to access email and file sharing systems for some of the company’s more than 2,000 clients. Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365. One security expert at a PCM customer who was recently notified about the incident said the intruders appeared primarily interested in stealing information that could be used to conduct gift card fraud at various retailers and financial institutions. 

Exclusive: Breach at 6th-largest cloud solutions provider PCM Inc. let intruders rifle through Office365 email/documents for a number of customers. The goal of the intrusion, as in the Wipro breach, appears to have been stealing gift card accounts https://t.co/xqjQTMgDB1 pic.twitter.com/fm7pKHOF5d

— briankrebs (@briankrebs) June 27, 2019

Expert Comments:

Jonathan Bensen, CISO at Balbix: 

“As a global cloud solution provider that generated about $2.2 billion in revenue in 2018, it is surprising that PCM did not at the very least have multi-factor authentication (MFA) enabled on their systems to thwart the malicious third-party that falsely obtained PCM’s administrative credentials for the company’s file sharing systems with its clients. As a result of this incident, the hackers could potentially conduct gift card fraud at various retailers and financial institutions. 

By failing to secure its Office 365 with tighter controls and therefore putting its clients’ bottom lines at risk due to gift card fraud, PCM and its customers stand to suffer significant damage. PCM could lose some customers who have lost faith in the company to its competitors such as Zones, CDW or PC Connection. Not to mention the brand reputation and potential for lawsuits. 

To avoid suffering the same fate as PCM, enterprises must implement security solutions that scan and monitor all assets and detect vulnerabilities that could be exploited—like PCM’s lack of MFA or other identity verification features within its Office 365 system. Proactively identifying and addressing vulnerabilities that put organizations at risk before they become entry points for attackers is the only way to stay ahead of breaches.”  

Pravin Kothari, CEO at CipherCloud:  

“As more and more information, the “crown jewels” of business, migrate to the cloud, organizations just do not have the visibility and control that they had with their traditional enterprise security capabilities. Criminals are also finding it far easier to target the cloud to utilize stolen passwords, API vulnerabilities or user misconfiguration to take over accounts and access all information like an authorized user, thus bypassing all security controls. Businesses need to change their approach to security from network and access centric to data-centric. This has given rise to a new generation of Cloud Access Security Brokers that help protect your data with encryption and rights management, not just control the access and detect malware.

With the growing number of regulations on data privacy of individuals, such as EU GDPR (The General Data Protection Regulation), HIPAA and the California Consumer Privacy Act, organizations must be aware of the growing risk with their email and other data in the cloud and always protect personal identifiable information (PII) and protected health information (PHI).  Exposure of such data can result in extensive reputational damage as well as stiff penalties.” 

Jonathan Oliveira,  Cyber Threat Intelligence Analyst at Centripetal:  

“As a bystander, it does seem possible that both the Wipro and PCM compromises are connected. As for the connection to Cloud Hopper, it is not surprising that Chinese groups are attacking the ISPs and cloud providers. The growing trend of targeting employees who work at cloud providers makes plenty of sense because why would an attacking group want to waste time and resources brute forcing when employees statistically offer the best avenue of approach into a network? These employees are increasingly becoming high value targets and, in most cases, do not realize how valuable they are to an attacker. Throwing money on expensive systems and surveillance means nothing if an employee will fall for a phishing email.

Using cloud providers is important for many companies who worry about their overhead, but that still essentially consolidates everyone’s data into a giant Bank that the attackers want to rob. Since PCM used Office 365 to manage accounts of clients, I can’t see how minimum impact to customers is the case. The information a cloud provider has about client networks is critical because this can contain internal network topology, critical systems, client administrators etc. This unfortunately can help set up more future attacks.”

Colin Bastable, CEO at Lucy Security:

“We are under siege, in an undeclared cyberwar.  

The outsourcing of skills and resources, and the leveraging of third party expertise, has driven global economic growth, but at a hidden cost: increased and unquantifiable cybersecurity risk from third parties.  

Massive and continuing investment in defensive technology represents a challenge to which State actors are more than equal.  It is more rewarding to lay siege with social engineering to stores of data than it is to defend the data with technology alone.  We need a holistic defense against cyberwarfare, treating people and technology as part of the whole defense strategy. Hackers will still succeed, but the evidence clearly demonstrates that the ongoing education of employees will significantly reduce the risks of data breaches.”  

Kevin Gosschalk, CEO at Arkose Labs:  

“Every data breach is financially motivated, so it is not surprising that PCM intruders were looking for fast cash opportunities. The PCM breach not only exposed administrative credentials that manage client accounts within Office 365, but also gave hackers unprecedented access to email and file sharing systems for a number of clients. This is especially dangerous because proprietary information left vulnerable on file sharing systems or in company email can also be high-value to intruders – and have severe business consequences if compromised. The lasting impact of this breach – like every data breach involving exposed PII and credentials – is not yet fully realized. Each breach empowers fraudsters with more ammunition to attack businesses in a highly targeted manner, and the large amount of exposed credentials on the dark web is responsible for the steady rise in account takeover attacks. Companies must make it a priority to secure their attack surface so hackers cannot extract economic reward from their company, and sensitive data is protected.”  

Robert Prigge, President at Jumio:

“Having your personal email hacked is one thing (not to understate the plight of identity theft victims), but having the administrative credentials stolen from PCM — the same credentials they use to manage client accounts within Office 365 — is next level.

After all, if these hackers can access the Office 365 accounts of PCM’s customers, they can unlock a lot of personal data and sensitive business documents. Think about it — if a hacker has access to your Office 365 account, they can reset your password and lock you out. What’s worse, they may use that same email address as their username for other online accounts. So, if you have 100 employees, and those employees each have just 10 accounts connected to their Office 365 email addresses, that’s 1,000 accounts associated with your company that the hackers can potentially now monitor and control. Yikes!

This is why we need to collectively leverage stronger methods to authenticate users, even for logins as seemingly trivial as our email accounts. We use our face to unlock our phones, and perhaps it’s time to start using our face to unlock all of our online accounts too.” 

Anurag Kahol, CTO at Bitglass:

“The latest breach at PCM is another example of how cybercriminals are targeting employees who work at cloud data and tech companies that manage IT assets for huge numbers of other organizations. As more and more businesses move to the cloud, it makes sense that hackers will go after these types of companies in order to gain access to large amounts of data in one fell swoop. As such, organizations must put advanced, cloud-specific security controls in place in order to defend data as it travels across third party services, organizations, and devices. Fortunately, cloud access security brokers (CASBs) that boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA), and encryption of data at rest can help ensure that enterprise data is truly safe wherever it goes.” 

Chris Kennedy, CISO and VP at AttackIQ: 

“This incident reminds us that it’s not always consumer information that is on the line with data breaches. In this case, PCM exposed its customers, other businesses and government agencies. According to PCM, the attackers seem to mostly be interested in data that could help them commit gift card fraud at retailers and financial institutions, but this is just one way malicious actors could abuse access to these types of files and accounts.   

Additionally, security issues like this could pose an issue for PCM in regards to its acquisition by Insight Enterprises. As organizations are evaluating companies for mergers and acquisitions deals, it’s important the cybersecurity posture and incident history is evaluated. Historical incidents could mean onboarding existing liability, IP loss, and embedded threat actors already emplaced in the acquired company’s network which could then be used to attack the onboarding company. Evaluating the company’s security posture through attacker emulation via capabilities like AttackIQ is becoming commonplace in the M&A process.” 

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
