Human nature tends to favor interest in things that happened over things that did not materialize or have any consequences. But in cybersecurity, as in life, prediction and anticipation are at the core of our industry as we play out what-if scenarios in order to predict, and alert on, potential breaches. In that spirit, the following is about a potential breach.
Several weeks ago, a significant financial sector attack that could have affected some of the largest insurance providers did not take place (including RBC, MassMutual, Prudential, Equifax, Mutual of Omaha, Anthem, Blue Cross Blue Shield of Florida, Gerber Life Insurance, Cigna and AAA Life Insurance Company). Such an attack would have exposed the personal data of untold numbers of customers.
Even though an attack never occurred, it is worth our time to take a deep dive into the vulnerabilities that could have easily led to one occurring and what its avoidance teaches us going forward. Here’s what I mean:
The Attack (That Never Happened)
A critical vulnerability was identified in the DNS operations of Tranzact — which runs the premier marketplace for the distribution of direct-to-consumer insurance products. As part of its sales and marketing services to the blue-chip global insurance and financial services brands mentioned above, Tranzact creates or manages several domain records for those organizations.
Tranzact hosts some of its DNS operations on a public cloud infrastructure, and a cloud misconfiguration issue created the potential for hackers to hijack one of the DNS servers. The vulnerability could have been leveraged by threat actors to fully control the assets that Tranzact manages on behalf of its customers.
Consider this — threat actors would have gained access to, and control over, the online presence of some of the largest insurance and financial services providers in the world. They could have read and sent emails under domains of AIG, issued valid certificates for domains of Anthem or set up login forms that appeared to be a legitimate Prudential web property. Just like the SolarWinds supply-chain attack, in this case, the breach of a single third-party vendor could have exposed employees and customers of these insurance institutions to a serious breach.
Abused by hackers, this vulnerability could lead to a breach of the scale of Equifax, or even larger.
Thankfully, a breach didn’t happen. A white hat cybersecurity researcher identified the vulnerability and notified Tranzact, which immediately mitigated the risk. And that’s why we never heard about this attack in the media.
But we should have.
Takeaway: Watch Your Digital Supply Chain
Solarwinds, Codecov and most recently Kaseya (not to mention thousands of their customers) are among this year’s victims of massive supply chain attacks. Tranzact (and its customers) was almost added to this list.
The major takeaway from this attack that never happened is simple: hackers have turned their attention away from the enterprise perimeter and are actively probing the enterprise’s external attack surface: the internet-facing IT that they outsource to a third-party (i.e., Tranzact). This is a serious, real and rapidly-growing threat to the business continuity of nearly every organization.
Why are these attacks happening? Today’s internet-facing services are built on an interconnected ecosystem of third (and fourth and fifth)-party services and infrastructures. A single page in a web application can include, and expose users to, content and code from literally hundreds of different sources. Even as enterprises and governments invest billions in the cybersecurity of their own networks, hackers have begun turning their focus towards easier downstream targets. These are targets that may be less hardened and whose compromise may be much harder for security teams to monitor, let alone discover.
Some of these third-party sources and services indeed have a contractual requirement for certain security practices, but as you go further out into the ecosystem, there is no clear line between the enterprise and an “Nth”-party. These vendors are tied into an organization’s sensitive digital assets — websites, applications, online services — but not under the direct oversight of the security team. A breach anywhere along this digital supply chain could lead to a compromise of services, users, customers and business. That’s why analysts like Gartner are recommending adopting an external attack surface management (EASM) approach, reinforcing our belief that the boundary of an organization no longer exists online.
The Bottom Line
The threat of catastrophic, trans-industry damage posed by the Tranzact almost-attack should not be understated. This is a vendor that provides services to a significant portion of the US financial services industry. An exploit of this single vulnerability could have compromised dozens of insurance companies, banks and 10s of millions of their customers.
Vulnerabilities like the one found in Tranzact are becoming a key source of attacks. And because they don’t traditionally fall under the direct oversight of enterprise security teams, they are the most difficult to find. To ensure that the next massive attack like this doesn’t happen, it’s time to rethink the way we address digital supply chain security.
Cyberpion’s Ecosystem Security platform was uniquely developed to discover and assess the vulnerabilities throughout the entire ecosystem. If you are curious about the threats that exist across your external attack surface and beyond, we offer a complimentary attack surface assessment.
