Pirates teaming up with online spies, hackers “joyriding” in a water company’s network and a man working for multiple companies using outsourced labor to make hundreds of thousands of dollars—these are some of the story lines released in a briefing published by Verizon at the RSA Conference in San Francisco on March 1.
Verizon tracked each incident back to an information system compromise. In the case of the pirates—actual sea pirates, not digital pirates—the criminals would board a cargo ship as it passed Singapore on its way into the Indian Sea. The pirates targeted specific items—such as gems and jewelry—and they knew in which containers to look, Bryan Sartin, managing director of Verizon’s RISK Team, told eWEEK.
The security team found that the pirates had gained their intelligence from online attackers who had used a SQL-injection vulnerability in the victim’s Web-based platform for managing inventory and billing.
“They were able to get lists of ships, routes, cargo and delivery timeframe information from the system,” Sartin said. “And it was leading to raids. … The pirates would always go right to certain containers, armed with barcode and serial number information, cut open certain containers, take what they wanted and leave.”
The victim ended up shutting down the vulnerable system and rebuilding it with updated software.
The lesson of the incident is that companies need to regularly scan their systems for vulnerabilities and implement a formal patch management process, Verizon said in its Data Breach Digest report.
Unlike its annual Data Breach Investigations Report, which focuses on analyzing data behind compromises, the digest is a collection of anecdotes, which Verizon claims are all true, but which have few identifying details. The company plans to release the DBIR later in the year.
In total, the Data Breach Digest contains details of 18 incidents, with guidance on how likely each incident is for the major industries. Information services, for example, have to primarily worry about Web application attacks and crimeware, while utilities are overwhelmingly targeted by cyber-espionage groups.
In another incident, a water utility called in the firm to conduct an assessment of its defenses, but the provider was actually worried about some recent signs of an intruder in its systems. The utility’s systems were not well-secured, with multiple critical vulnerabilities on Internet-facing systems and the information and operational networks managed from the same system.
Attackers had found a simple flaw in the payment system application, extracted data, and then used the operational network as a playground, Sartin said. The intruders, among other serious acts, combined fresh-water supplies and sewage outflows and added extreme amounts of chlorine into the fresh water, he said.
“They got on a mainframe and were basically joy riding,” he said. “They were in there, and the meanest thing that they could find to do was to start opening and closing certain valves and duct paths in the water district.”
The report is meant to offer examples of the major types of attacks companies encounter. Verizon offers advice to companies on how to prevent the major classes of attacks.