A US-based cloud solutions provider, PCM Inc., has experienced what KrebsOnSecurity called a “digital intrusion,” which enabled hackers to access the email and file-sharing systems of some of the company’s clients.
“Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp,” Krebs wrote.
Krebs said it is unclear whether there is a link between the Wipro compromise and this latest incident at PCM. “As a bystander, it does seem possible that both the Wipro and PCM compromises are connected. As for the connection to Cloud Hopper, it is not surprising that Chinese groups are attacking the ISPs and cloud providers,” said Jonathan Oliveira, cyber-threat intelligence analyst at Centripetal.
“The growing trend of targeting employees who work at cloud providers makes plenty of sense because why would an attacking group want to waste time and resources brute-forcing when employees statistically offer the best avenue of approach into a network? These employees are increasingly becoming high-value targets and, in most cases, do not realize how valuable they are to an attacker,” Oliveira said, adding that investing in technology does little to defend against human behaviors.
Financially motivated attackers go after the lowest-hanging fruit, and it is no surprise that cyber-criminals favor attacks that will reward them with fast cash, said Kevin Gosschalk, CEO, Arkose Labs.
“The lasting impact of this breach – like every data breach involving exposed PII and credentials – is not yet fully realized. Each breach empowers fraudsters with more ammunition to attack businesses in a highly targeted manner, and the large amount of exposed credentials on the dark web is responsible for the steady rise in account takeover attacks. Companies must make it a priority to secure their attack surface so hackers cannot extract economic reward from their company, and sensitive data is protected.”
The news raises concerns given that criminals have been more frequently targeting the cloud, using stolen passwords, API vulnerabilities or user misconfiguration to take over accounts. That gives them access to information as if they were an authorized user, bypassing the security controls in place, according to Pravin Kothari, CEO of CipherCloud.
“As more and more information, the crown jewels of business, migrate to the cloud, organizations just do not have the visibility and control that they had with their traditional enterprise security capabilities. Businesses need to change their approach to security from network- and access-centric to data-centric,” Kothari said.
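The account takeover Kothari describes, and the stolen delegated-admin credentials at the center of the PCM incident, leave traces in the tenant's own audit trail even when the attacker looks like an authorized user. Below is an added example, not code from the article, from PCM or from any vendor quoted here, that runs a simple detection over Office 365 Unified Audit Log style records: it flags a managed-service admin account signing in or performing privileged operations from outside its expected networks, and any inbox rule that forwards or redirects mail. The record layout (CreationTime, Operation, UserId, ClientIP, Workload, Parameters) follows the general shape of the Unified Audit Log, but the log lines, the account names and the "known" network ranges are constructed for this illustration and are assumptions, not data from the incident.

```python
"""Detection over Office 365 Unified Audit Log style records (added example).

The sample records, account names and baseline networks below are
constructed for illustration; the field names approximate the Unified
Audit Log JSON layout but are not taken from any real tenant.
"""
import ipaddress
import json

# Constructed sample log lines (JSON lines), not real audit data.
SAMPLE_LOG = r'''
{"CreationTime":"2019-05-10T08:02:11","Operation":"UserLoggedIn","UserId":"admin@partner.example","ClientIP":"203.0.113.10","Workload":"AzureActiveDirectory","ResultStatus":"Succeeded"}
{"CreationTime":"2019-05-10T08:05:40","Operation":"Set-Mailbox","UserId":"admin@partner.example","ClientIP":"203.0.113.10","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"cfo@client.example"}]}
{"CreationTime":"2019-05-11T02:14:09","Operation":"UserLoggedIn","UserId":"admin@partner.example","ClientIP":"198.51.100.77","Workload":"AzureActiveDirectory","ResultStatus":"Succeeded"}
{"CreationTime":"2019-05-11T02:16:30","Operation":"New-InboxRule","UserId":"admin@partner.example","ClientIP":"198.51.100.77","Workload":"Exchange","Parameters":[{"Name":"Mailbox","Value":"cfo@client.example"},{"Name":"ForwardTo","Value":"ext@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2019-05-11T02:20:02","Operation":"Add member to role.","UserId":"admin@partner.example","ClientIP":"198.51.100.77","Workload":"AzureActiveDirectory","ObjectId":"helpdesk@client.example"}
{"CreationTime":"2019-05-11T09:00:00","Operation":"UserLoggedIn","UserId":"alice@client.example","ClientIP":"198.51.100.77","Workload":"AzureActiveDirectory","ResultStatus":"Succeeded"}
'''

# Assumed baseline: networks each managed-service admin account is expected to use.
KNOWN_ADMIN_NETWORKS = {
    "admin@partner.example": [ipaddress.ip_network("203.0.113.0/24")],
}

# Operations that warrant an alert when they come from an unexpected source.
PRIVILEGED_OPS = {"Set-Mailbox", "New-InboxRule", "Add member to role.",
                  "Add-MailboxPermission"}
# Inbox-rule parameters that move mail out of the mailbox owner's sight.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def parse_records(text):
    """Parse JSON-lines audit output into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def from_known_network(user, ip):
    """True if the user has no baseline (location alone is not evidence)
    or the source address falls inside one of the user's known networks."""
    nets = KNOWN_ADMIN_NETWORKS.get(user)
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def param_names(rec):
    """Set of parameter names recorded for an Exchange cmdlet invocation."""
    return {p.get("Name") for p in rec.get("Parameters", [])}


def find_suspicious(records):
    """Return one alert dict per suspicious event, in log order."""
    alerts = []
    for rec in records:
        user, ip, op = rec.get("UserId"), rec.get("ClientIP"), rec.get("Operation")
        off_baseline = ip is not None and not from_known_network(user, ip)
        base = {"time": rec.get("CreationTime"), "user": user, "ip": ip, "op": op}
        if op == "UserLoggedIn" and off_baseline:
            alerts.append(dict(base, kind="admin_login_new_ip"))
        if op in PRIVILEGED_OPS and off_baseline:
            alerts.append(dict(base, kind="privileged_op_new_ip"))
        if op == "New-InboxRule" and param_names(rec) & FORWARDING_PARAMS:
            alerts.append(dict(base, kind="forwarding_rule"))
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return find_suspicious(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["time"]} {a["kind"]:22} {a["user"]} from {a["ip"]} ({a["op"]})')
```

On the constructed sample this raises four alerts: the partner admin's sign-in from an address outside its baseline, the two privileged operations that follow from that same address (a forwarding inbox rule on an executive mailbox and a role assignment), and the forwarding rule itself. The ordinary user signing in from that address later raises nothing, because no baseline exists for that account; in production the baseline would be learned from historical sign-ins rather than hard-coded, and the forwarding-rule check is worth keeping even for in-baseline sources, since a stolen credential used from the provider's own network would pass the location test.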