OVH, a web hosting company, has recently issued a warning following a security breach that has affected its global customer base. An advisory on the company website stated that a hacker had obtained access to the email account of one of its system administrators, which the hacker was ultimately able to use to ‘compromise the access of one of the system administrators who handles the internal backoffice’. Once the attacker had hijacked this privileged account, they were able to retrieve a database holding information on customers in Europe and gain access to an installation service in Canada.
John Worrall, CMO at Cyber-Ark, has made the following comments: “This breach is yet another example of why the theft and exploitation of privileged accounts is a critical and devastating part of the advanced threat attack cycle. In this case, the details of how the perimeter was breached have yet to be divulged; however, this is arguably a secondary concern. Businesses now have to assume that attackers are already on the inside. Indeed, the critical part of this attack, and what every organisation should take away from it, is the fact that the attacker specifically targeted the system administrator to gain their privileged access. Once successful, the attacker was effectively able to move from system to system undetected until they reached the information they were looking for. In the case of OVH, this was personal information, such as names, addresses, cities, telephone records and account passwords.
“This same pattern has been detected time and again and has been used in some of the most devastating breaches in recent memory, including Saudi Aramco, South Korea, Global Payments, the South Carolina Department of Revenue, and the U.S. Department of Energy among many others. Businesses need to proactively secure these privileged accounts, making sure all activity is monitored and that a complete audit trail of who accesses the account and what they did with it is available. In addition, organisations must be vigilant in demanding that cloud and hosting providers enact tight security controls around their own privileged accounts – if the provider can’t do this satisfactorily, then data and assets are put at undue risk.”