A large US cloud provider, PCM, has suffered a data breach in which attackers accessed some client email and file-sharing systems, according to KrebsOnSecurity.
The intrusion was apparently spotted by PCM in mid-May 2019, according to the security researcher, who went on to state that the attackers compromised the admin credentials PCM used to manage client Office 365 accounts.
It has been speculated that the attackers were after data that could be used to conduct gift card fraud, echoing an attack on Wipro in April, which saw internal Wipro credentials compromised and used to obtain customer data. However, there is no hard evidence to link the two incidents.
Naaman Hart, cloud services security architect at Digital Guardian, told SC Media UK that: "The breach seems to have been of limited impact, however there is an item of note that could’ve helped lessen any potential damage. The article mentions that admin credentials of PCM were compromised, which would allow the attacker to move between multiple customers. There’s absolutely no excuse for this if it’s true.
"Admin credentials, where they’re used for administering multi-tenant cloud systems, should be secured by multi-factor authentication of a form that’s physically bound to the individual. An admin should have to receive the secondary code on something they physically possess as an example. This would negate the risk of exposing multiple clients by poorly managing your administrative staff’s credentials."
PCM is an El Segundo, California-based cloud solutions company with approximately 4,000 employees, more than 2,000 customers, and approximately US$ 2.2 billion (£1.74 billion) in revenue in 2018. It was announced today that Insight Enterprises planned to acquire PCM for US$ 35 (£27.70) per share, valuing the business at approximately US$ 581 million (£460 million).
Richard Cassidy, senior director of security strategy at Exabeam, told SC Media UK that it was time to tighten procedures to prevent similar cloud incidents: "Attacks of this nature prove what is fast becoming the age-old adage of the current threat landscape, which is that 'credentials are king'. Too many organisations focus their security practices and outcomes on network-based threat detection only, or focus heavily on end-user device protection, but in actual fact, if an attacker compromises just a single credential, they can move at will, without challenge by almost all of the security tool sets/layers in place.
"Whilst sources indicate that this breach was focused on exfiltrating gift-card data, which is much easier to monetise on the dark web, we should be under no illusions that, with the level of access they've clearly had, the breach fall-out is far wider than is being reported, due to the nature of the data this cyber-criminal group had (and may still have) access to.
"Breaches of this nature are a clear indication that implementing legacy security practices is clearly broken. We've got to stop asking black and white questions of our existing data-sets. Attackers have such a vast repertoire of tools, techniques and procedures (TTPs) available to them that they're able to pivot their attack vectors with ease, creating a huge problem for security and risk teams with respect to where to focus time, effort and resources when it comes to alerts. The net result is we will often miss the critical identifiers that eventually lead to this kind of data breach."
Although PCM has not responded to requests by SC Media UK for comment, a widely quoted statement from the company says that it: "recently experienced a cyber-incident that impacted certain of its systems. The incident did not impact all of PCM customers; in fact, investigation has revealed minimal-to-no impact to PCM customers. To the extent any PCM customers were potentially impacted by the incident, those PCM customers have been made aware of the incident and PCM worked with them to address any concerns they had."
Steve Armstrong, regional director UK, Ireland & South Africa at Bitglass, commented that additional access controls should always be in place: "Credential theft has traditionally been the golden ticket for accessing systems for nefarious purposes. Yes, there is an argument to have strong controls in place to stop the initial credential theft. However, in this scenario, had other appropriate controls been in place to identify the device, location, OS, etc., mitigating controls could have been invoked. A combination of UEBA and identity management would have highlighted that the hackers were accessing the systems from new devices, or perhaps from locations that did not correlate to traditional user activity."
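As an added illustration of the device and location correlation the analysts above describe (this is example code written for this article, not code from PCM, Bitglass, Exabeam or Digital Guardian), the following Python script builds a per-admin baseline of known devices and countries from earlier successful sign-ins, then flags later sign-ins from an unseen device or location and bursts of access to several customer tenants within a short window, the "move between multiple customers" pattern mentioned above. The sign-in log format, the field names, the `run_example` helper and every sample record are assumptions constructed for the example.

```python
"""Flag admin sign-ins from unseen devices/locations and rapid multi-tenant access.

Constructed example: the log format, field names and sample records are all
assumptions made for this illustration, not any vendor's real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in records. Assumed format (space separated):
#   ISO timestamp, admin account, customer tenant, device id, country, result
# The first four lines are normal activity; the last three are the anomaly.
SAMPLE_LOG = """\
2019-05-01T09:00:00 admin1 tenantA dev-laptop-01 GB success
2019-05-02T09:05:00 admin1 tenantA dev-laptop-01 GB success
2019-05-03T10:00:00 admin1 tenantB dev-laptop-01 GB success
2019-05-04T11:00:00 admin1 tenantB dev-laptop-01 GB success
2019-05-15T02:13:00 admin1 tenantA dev-unknown-77 ZZ success
2019-05-15T02:14:30 admin1 tenantC dev-unknown-77 ZZ success
2019-05-15T02:16:10 admin1 tenantD dev-unknown-77 ZZ success
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, admin, tenant, device, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "admin": admin,
                       "tenant": tenant, "device": device,
                       "country": country, "result": result})
    return events


def build_baseline(events, cutoff):
    """Known devices and countries per admin, from successful sign-ins before cutoff."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        if e["result"] == "success" and e["ts"] < cutoff:
            baseline[e["admin"]]["devices"].add(e["device"])
            baseline[e["admin"]]["countries"].add(e["country"])
    return baseline


def detect(events, baseline, window=timedelta(minutes=10), tenant_threshold=3):
    """Return (ts, admin, kind, detail) alerts; each new attribute is reported once."""
    alerts, seen = [], set()
    recent = defaultdict(deque)  # admin -> (ts, tenant) pairs inside the window

    def raise_once(e, kind, detail):
        key = (e["admin"], kind, detail)
        if key not in seen:
            seen.add(key)
            alerts.append((e["ts"], e["admin"], kind, detail))

    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "success":
            continue
        # An admin with no history has every attribute treated as new.
        known = baseline.get(e["admin"], {"devices": set(), "countries": set()})
        if e["device"] not in known["devices"]:
            raise_once(e, "new_device", e["device"])
        if e["country"] not in known["countries"]:
            raise_once(e, "new_country", e["country"])

        # Sliding window of distinct tenants touched by this admin.
        q = recent[e["admin"]]
        q.append((e["ts"], e["tenant"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        tenants = sorted({t for _, t in q})
        if len(tenants) >= tenant_threshold:
            raise_once(e, "multi_tenant_burst", ",".join(tenants))
    return alerts


def run_example():
    """Baseline on the first fortnight of activity, then evaluate everything."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, cutoff=datetime(2019, 5, 10))
    return detect(events, baseline)


if __name__ == "__main__":
    for ts, admin, kind, detail in run_example():
        print(f"{ts.isoformat()} {admin} {kind}: {detail}")
```

On the constructed data the routine raises three alerts, all at the anomalous sign-ins on 15 May: one for the unseen device, one for the unseen country, and one when the same session has touched three customer tenants inside ten minutes. The baseline cutoff is deliberately earlier than the flagged activity so that the events being judged do not also teach the detector what "normal" looks like, a common mistake when baselines are rebuilt over the same window they are meant to police.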