Every hacker tries to spend less time, efforts, and money to compromise his target. This is why direct frontal attacks against their victims, regardless of who they are and what they do, are being superseded by chained attacks against numerous third parties from the victim’s business environment.
Customers, suppliers, partners, external consultants and lawyers – they all may have the [copy of] data the hackers are actually looking for, as the information security perimeter of these third parties is usually much more vulnerable than a victim’s corporate network. This makes various people and companies the primary target for professional cybercriminals, which is why you are at serious risk if, among your customers or business partners, you have just one VIP.
Vulnerable web applications are probably the easiest vector of intrusion today: everybody has a website or even several websites and web applications, while web security is often an afterthought. Moreover, web apps hacking usually doesn’t require the advanced skills used in server and application hacking (e.g. various overflows and related security-mechanisms bypasses are much more complex than SQL injections). This is why hackers will start their intrusion by testing your website’s robustness.
Often a website will not contain the necessary data on it, however it represents a great platform to launch further attacks. For example, many SMEs tend to use the same or similar passwords for their MySQL database, FTP and cPanel accounts. Once your cPanel account is compromised, hackers will get access to mailboxes that may contain huge amounts of precious data, including various credentials from other accounts, attachments, address book, etc.
Another vector of your website usage will be to host at a legitimate looking URL an exploit suited for the victim’s machine configuration. At High-Tech Bridge, we investigated a case, when a CFO of a large financial company received an email from their lawyers (who had never sent this email of course) with a link to the law firm’s website with some recent news about new financial regulations. Once the CFO opened the link, his machine was infected by the malware, however he didn’t suspect anything as the link contained information that the company used to receive regularly, while corporate intrusion prevention system and antivirus didn’t identify the compromise. It’s important to mention that the lawyer’s office in turn was compromised via their IT consultant who didn’t bothered about internal IT security thinking that nobody would ever attack them!
Password re-use is a great vector of attack that still works well in 2015. We have also investigated another breach of a small online gaming community. At the end, we discovered that the hackers’ actual target was a network engineer registered in the system (web forum), who was in charge of several critical servers in a pharmaceutical company.
Cybercriminals tried to reuse his password on various web resources of his employer, and… managed to get into their corporate web-based ERP system. Password policies are great, but they are mainly applied to common non-IT users who are forced to respect them, while the IT teams usually partially, or even completely, ignore these security policies themselves.
As you can see now, everyone has pretty good and equal chances to easily become a pawn in someone else’s chess game. Your reputation, business contracts, and your cash flaw are at risk. Moreover, don’t forget that if an intrusion comes from your network – you may be considered liable for the entire hack, as you may not be able to prove that you are the victim of highly-sophisticated chained attack.
The only way to survive in this hostile environment is to ensure that all your systems, and first of all your website and all externally accessible web applications, are correctly protected and are being regularly audited. Information security is an on-going process of continuous self-improvement and auditing, not just something you can buy once and forget. Otherwise, be ready to join the huge army of cybercrime victims.
Other threats to the enterpise are covered in a recent company blog post: How much is your website worth on the Black Market
Posted by Ilia Kolochenko, High-Tech Bridge’s CEO & Chief Architect of ImmuniWeb®