Easy Read Time: 6 Minutes

What is Security Breach?

Security breach is a type of cybercrime that is done in order to access the cyber or cloud data, application, devices, or any network through an unauthorized and unauthenticated way. It comes out in sensitive data or personal information being hacked or gained without any legal authorization. It all happens when the insider becomes able to gain and bypass all the inner security mechanisms [1].

Examples of Security Breach

Whenever a top notch company or an organization faces the security breach, it hits all the channels and breaks as a headlines: Such examples of security breach are as follows:

Equifax

A website application susceptibility made Equifax to lose personal details of its employees and even company’s data along with the data of 145 million Americans in 2017. The hackers hacked the names, driver’s license numbers and SSNs. This security breach was kept on for a period of three months [1].

eBAY

eBAY faced a security breach on a larger extent in 2014. Customer’s credit cards and their password information was hacked even though PayPal user’s cards were not at risk and were fully secured, still the data was compromised. Company took a quick response and inform their users through emails and ask them to immediately change their login passwords to remain secured from the security breach [1] [2].

Facebook

Facebook faced security software breaching and flaws that took this social platform to loss of personal data and information of about 29 million app users recently in 2018. One of the most embracing thing that happened in this security breach was that the account of company’s CEO Mark Zuckerberg also got hacked.

Yahoo

3 billion user accounts got hacked on Yahoo in 2013. A phishing attempt was taken by hackers to access the yahoo network.

Marriot Hotel

Marriot Hotels announced security breach in its information data that affected up to 500 million clients’ records, in 2018. In addition to that, its guest reservations system was also hacked back in 2016. The breach remained undiscovered for two years and was announced in 2018.

AVAST

Czech form AVAST announced security breach in its company even though it is itself one of the companies who provide security to its customer’s network and provide cybersecurity. Avast was breached in 2019. Hacker managed to hack the employee’s VPN information and credentials. Though this breach did not affect the client’s details but aimed at inducing malicious virus into the AVAST antivirus software [1].

Adult Friend Finder

This breach was specifically sensitive for its account holders in lieu of the services this particular site used to offer. The “Friend Finder Network”, that included unintentional friendly hookup and adult content websites like “Adult Friend Finder”, was attacked and breached in mid of October in 2016. The breached data spanned almost 20 years over six databases and was comprised of names, email addresses and passwords of its users [3].

LinkedIn

It is a significant social platform for business professionals. But in 2012 and 2016, it had to face a security breach through social engineering attack. In 2012, company made it public that 6.5 million unlinked passwords have been stolen by the hackers and were posted over the “Russian hackers forum”. Till 2016, the complete scenario of this attack was not announced. At that time, same attacker was found to be selling account and passwords of LinkedIn account for a prices of 5 bitcoins which were $2000 at that time. LinkedIn immediately made acknowledgement regarding the attack that the platform has been made aware of the breach, and reset the passwords of affected accounts [3].

CANVA

In May 2019, “Australian graphic design” tool website known as “Canva” faced a security attack. That attack disclosed email addresses, usernames, cities of residence, names of the users and salted and hashed with bcrypt passwords of over 137 million customers and clients. The hackers could manage to see, but not steal the files having partial credit card information and user’s payment data.

The CANVA company later confirmed the breaching incident and then notified all the users, asking them to change or alter their account passwords, and reset the “OAuth tokens” [3].

DUBSMASH

In December 2018, US-based video messaging service known as “Dubsmash” as holding email addresses, passwords hashes, usernames, personal details and information like birth dates of about 162 million persons. All of this information was put up for sale after hacking over the “Dream Market dark web market”. The information and credentials were being hawked as part of a gathered dump that included the information about the likes of “MyFitnessPal” (more on that below), “MyHeritage (92 million and “Armor Games” [3].

FireEye

FireEye is the top cybersecurity company around the globe that serves major government organizations all over the world. This firm holds a significant research on “state sponsored” threat performers and is having capabilities to response to the cyber-attack incidences. From the past few decades, this firm investigates the high profile security breaches within the organizations and state government [4].

FireEye Breaching

Fire Eye attack is considered to be attacked by highly professional and trained hackers with world class attacking capabilities. The attackers seemed to be trained for operational security. The hackers used breaching methods to counter forensic examination and security tools. This breach is considered to be the first of its kind ever happened in the history of data breaching.

It is reported that this Fire Eye breach was done by Russian Intelligence service by penetrating into the Red Team tool of Fire Eye organization.

Red & Blue Team Tools and Techniques

Red Team is a security professional group that is organized and authorized to imitate the abilities of cyber criminal’s attacks or exploitations over the organization’s security system in order to check its potential. It tests the security system and company’s cyber defending tools known as “Blue Team”, its strength, its ability to response to any cyber or criminal attack and the power to control the potential security breach.

As per news circulating from FireEye company, the stolen tools range from simple for network investigation to more enhanced, improved and advanced hacking frameworks similar to various other penetration testing tools available publically. Some of them are CobaltStrike or Metaspolit. These tools were specifically built for Red Team. Some of the Red Team Tools of the company were public as “open source VM (virtual machine)” known as CommandoVM having open source scripts and packages. The stolen Red Team tools of fire Eye were not containing any zero-day exploitation [5].

How Fire Eye Security Breach Occurred?

Even though, it is still not confirmed who attacked the Fire Eye security tool and still under investigation how the attackers attacked and stole such a protected system but it is circulating that Russian Intelligence Service was behind all this scenario. Their Intelligence service took the extra ordinary measures to not be seen while hacking and attacking the organization’s and its customer’s information. Following are the possibilities, the attackers might have taken in order to perform the attack:

  • Millions of Internet Protocol (IP) addresses must have been generated within the United States (US).
  • All of these IPs must be different and unique as they might have never been used in any kind of cyber-attacks before.
  • By making use of these IP addresses, the attacker addressed to perform their hacking operation in Fire Eye.
  • This might be the method that took hackers in order to conceal their real identity and their whereabouts.

Why Attackers Stole Fire Eye Tools?

The attackers might have hacked and stole those tools because they could get a know how about the insight of that tool and technique and know the security systems that Fire Eye firm and its customers use against attackers. The risk that can be involved in making Red Team tool public at any point in near future is that companies that no more use Fire Eye’s tools and security techniques may not have identification or detection for them as they used to be undetectable for Red Team arrangements and activities [6].

Countermeasures Taken by Fire Eye Firm

From the Fire Eye case, it is still not sure either attackers have used and disclosed the Red Team tools publically or not. But out of caution, Fire Eye developed huge number of countermeasures approximately equal to 300 countermeasures for its customers and other large pool of cyber community to make use of those countermeasures to lessen the latent effect of theft of such security tools [4].

In order to ensure the security and protection of community against “attempted use of Red Team tool”, following steps have been taken by Fire Eye [5]:

  • Prepared countermeasure for detecting and blocking the use of Red Team tools that were stolen.
  • Implemented these countermeasures in to the Fire Eye systems and security products.
  • Shared these remedies and countermeasures with a large pool of Fire Eye customers and colleagues in cyber security group for them to update their security tools.
  • Disclosed several activities of Advanced Persistent Threat (APT) groups to empower the broader security community to detect and block new and emerging threats.
  • Refinement and sharing of any kind of additional mitigation for Red Team tools would be kept on announcing related to Red Team tool as they become available, both on public platforms and directly with the other security colleagues.

References

[1] “What is a security breach?,” www.kaspersky.com, Sep. 10, 2020. https://www.kaspersky.com/resource-center/threats/what-is-a-security-breach (accessed Jan. 07, 2021).

[2] “eBay Breach: 145 Million Users Notified – BankInfoSecurity.” https://www.bankinfosecurity.com/ebay-a-6858 (accessed Jan. 07, 2021).

[3] D. Swinhoe, “The 15 biggest data breaches of the 21st century,” CSO Online, Apr. 17, 2020. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html (accessed Jan. 07, 2021).

[4] L. Constantin, “FireEye breach explained: How worried should you be?,” CSO Online, Dec. 10, 2020. https://www.csoonline.com/article/3600893/fireeye-breach-explained-how-worried-should-you-be.html (accessed Jan. 07, 2021).

[5] “Unauthorized Access of FireEye Red Team Tools,” FireEye. https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html (accessed Jan. 07, 2021).

[6] “FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State,” Dec. 08, 2020. https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html (accessed Jan. 07, 2021).