(Photo | Courtesy of Upstart Cyber)
Bad Actors & Compromised Credentials
Cyber security experts generally agree that identity-driven attacks are one of the most common causes of cyber security breaches in both the public and private sectors. For example, analysis from Upstart Cyber suggests that over six in ten (60 percent) of breaches are identity-driven. These modern attacks often bypass traditional cyber security controls by using compromised credentials to manipulate unsuspecting people inside vulnerable organizations.
Unfortunately, identity-driven attacks are extremely hard to detect. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, traditional security measures and tools often cannot distinguish the user’s typical behavior from the hacker’s.
Costly Troubles Close To Home
Of course, most of us think this is a problem for someone else, but we need look no further than the City of Portland, Oregon to realize that cyber threats are real and costly if ignored or poorly managed. In the spring of 2022, cybercriminals made off with $1.4 million in taxpayer money — the single biggest theft of funds in the city of Portland’s history.
In Portland’s case, the breach was complicated by the fact that the hacker had total control over the emails of a housing bureau employee.
A few days before the April 25 transfer, the employee, whose job includes requesting wire transfers for new developments, likely fell for a phishing attack and provided their password to a bad actor, according to a recap of the incident sent by the then-housing bureau director Shannon Callahan to the city’s new chief administrative officer.
With access to the email account, the hacker was able to convincingly impersonate an official with Central City Concern, which was about to put in a draw request for $1.4 million from their contract with the city to cover more construction costs.
The hacker retained access to the account for the next month. City technology staff later realized the account had been severely compromised, with logins occurring from locations across the globe, including Texas, Germany and Nigeria (officials say the hackers were using a virtual private network to mask their location).
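The pattern described above, one mailbox signing in from several countries within hours, is something a defender can flag from authentication logs even when the individual passwords are valid. The following is an added example, not code from the article or from Upstart Cyber: it parses a small set of constructed sign-in events (the log format, account names, timestamps and the eight-hour threshold are all assumptions made for this illustration) and raises an alert when the same user succeeds from two different countries closer together than plausible travel time, alongside a per-user list of countries seen, which supports a "new country for this user" baseline check.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the article). One account signs in
# from three countries within a few hours; a second account behaves normally.
SAMPLE_LOG = """\
2022-04-20T08:02:11Z user=housing.staff country=US city=Portland result=success
2022-04-20T09:15:43Z user=housing.staff country=US city=Portland result=success
2022-04-20T11:47:05Z user=housing.staff country=NG city=Lagos result=success
2022-04-20T14:03:29Z user=housing.staff country=DE city=Frankfurt result=success
2022-04-21T07:58:12Z user=housing.staff country=US city=Houston result=success
2022-04-20T08:30:00Z user=treasury.clerk country=US city=Portland result=success
2022-04-21T08:31:10Z user=treasury.clerk country=US city=Portland result=success
2022-04-21T09:00:00Z user=treasury.clerk country=BR city=Sao_Paulo result=failure
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    country: str
    city: str
    result: str


def parse_line(line: str) -> SignIn:
    """Parse one 'timestamp key=value ...' record (assumed format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return SignIn(ts, kv["user"], kv["country"], kv["city"], kv["result"])


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _successes_by_user(events: list) -> dict:
    """Group successful sign-ins per user, sorted by time. Failed attempts are
    ignored here because they did not grant access."""
    by_user = defaultdict(list)
    for e in events:
        if e.result == "success":
            by_user[e.user].append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.ts)
    return by_user


def impossible_travel(events: list, max_hours: int = 8) -> list:
    """Return (user, from_country, to_country, when) for consecutive successful
    sign-ins by one user from different countries less than max_hours apart.
    The threshold is an assumed tuning value, not a figure from the article."""
    alerts = []
    for user, evs in _successes_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.country != cur.country and cur.ts - prev.ts < timedelta(hours=max_hours):
                alerts.append((user, prev.country, cur.country, cur.ts))
    return alerts


def countries_per_user(events: list) -> dict:
    """Sorted list of countries each user has successfully signed in from; a
    country outside a user's established baseline is a second, independent signal."""
    return {user: sorted({e.country for e in evs})
            for user, evs in _successes_by_user(events).items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, src, dst, when in impossible_travel(evs):
        print(f"ALERT {user}: {src} -> {dst} at {when.isoformat()}")
    for user, countries in countries_per_user(evs).items():
        print(f"{user}: countries seen {countries}")
```

Because the attackers in the Portland case used a VPN to mask their location, a single geo-based rule is not sufficient on its own: the VPN exit can be placed in the victim's home country. The baseline check and the travel check therefore belong next to other signals (new device, new mail-forwarding rule, unusual hour) rather than standing alone.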
The $1,400,000.00 payment was intended for Central City Concern, a local nonprofit building an affordable housing project called The Starlight in the heart of the Old Town neighborhood. The city’s housing bureau signed a $17 million contract with Central City Concern last March to construct the building and had been routinely wiring the group money to cover construction costs.
Before the wire transfer went out on April 25, treasury officials contacted the housing bureau and asked staff to confirm that Central City Concern’s banking information was accurate, because the name on Central City Concern’s bank account did not match the name on the account receiving the wire transfer.
The lesson here is that any account, whether it belongs to an IT administrator, an employee, a remote worker, a third-party vendor or even a customer, can become privileged and provide a digital attack path for adversaries. Organizations must therefore authenticate every identity and authorize each request in order to maintain security and prevent a wide range of digital threats, including ransomware and supply chain attacks.
If your organization hasn’t already done a cyber security assessment, you might consider contacting the experts at Upstart Cyber: UpstartCyber.com.