In this edition of This Week in Cybersecurity (TWiC), we have updates on the SolarWinds breach, Salesforce data leak and a $1.4 billion cyber insurance denial case involving Merck. The SolarWinds breach, which was discovered by the US Department of Justice six months earlier than originally reported, highlighted the importance of having an incident response plan and cybersecurity partner to help navigate the situation. Meanwhile, misconfigurations in Salesforce Community led to the exposure of sensitive data across various organizations. Finally, a New Jersey appellate court ruled that Merck is entitled to a $1.4 billion payout in a cyber insurance lawsuit, setting a precedent for cyber insurance coverage for non-military companies affected by cyberattacks originating from government or sovereign powers.
SolarWinds Breach Detected 6 Months Earlier Than Originally Reported
The SolarWinds breach, which saw Russian hackers insert a backdoor into the software maker’s systems, was discovered by the US Department of Justice (DoJ) six months earlier than previously reported. nGuard reported on the breach in January 2021, with a follow-up detailing additional vulnerabilities discovered in February. However, the scale and significance of the breach were not immediately apparent, and the DoJ had engaged Microsoft and Mandiant to help determine whether the server had been hacked. Although suspicions were raised that the hackers had breached the DoJ server directly by exploiting a vulnerability in the Orion software, the investigation failed to find any vulnerability in SolarWinds’ code, and even SolarWinds’ own engineers could not find a flaw in their code that could have led to the breach.
In December 2020, it was publicly announced that at least nine US federal agencies were among those affected by the SolarWinds campaign. The DoJ initially claimed that its chief information officer had discovered the breach on December 24. When breaches like this happen, it’s crucial to have an incident response plan and a cybersecurity partner to help triage the incident. For organizations that are dealing with high-impact events like this, nGuard offers a policy development and incident response service that can help them navigate the situation.
Among the most important items for forensic analysis in the aftermath of a breach are logs. nGuard’s Managed Event Collection and Correlation service can help incident response engineers navigate the events and determine the root cause of a breach. However, it’s important to remember that prevention is always better than cure when it comes to cybersecurity. Organizations should make sure they have strong security measures in place, such as firewalls, anti-virus software, and regular patching, to reduce the risk of a breach occurring in the first place.
Overall, the SolarWinds breach was a wake-up call on the importance of cybersecurity to organizations around the world. By working with experienced partners like nGuard, organizations can ensure that they are better prepared to detect and respond to breaches when they occur and reduce the risk of serious damage to their systems and reputation.
Salesforce Leaking Sensitive Data
Misconfigurations in Salesforce Community, the cloud-based software product that allows organizations to quickly create websites, have led to the exposure of sensitive data across a variety of organizations spanning state government, banking and health insurance. Customers can access a Salesforce Community website either as an authenticated user, which requires a login, or as a guest user, which does not. The guest access role allows unauthenticated users to view specific content and resources without the need to log in. However, the misconfiguration in Salesforce Community allows an unauthenticated user to access records that should only be available after logging in, so unauthorized users can reach an organization’s private information and cause data leaks. Organizations such as banks and healthcare providers have been leaking private and sensitive information from their public Salesforce Community websites without being aware of it. Until recently, the state of Vermont had at least five separate Salesforce Community sites that allowed guest access to sensitive data, including a Pandemic Unemployment Assistance program that exposed applicants’ full names, Social Security numbers, addresses, phone numbers, email addresses and bank account numbers. Other organizations, such as Huntington Bank, have had similar issues. The problem came to light in August 2021 when security researcher Aaron Costello published a blog post explaining how misconfigurations in Salesforce Community sites could be exploited to reveal sensitive data.
Salesforce provides several tools and information to help check for guest user access, user experience and best practices when configuring the guest profile.
- Guest User Access Report
- Control Which Users Experience Cloud Site Users Can See
- Best Practices and Considerations When Configuring the Guest User Profile
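The reports above are the place to start, but the guest profile can also be reviewed offline once it has been retrieved as Metadata API XML. The following audit script is an added example, not part of the nGuard post or a Salesforce tool; it assumes the profile was exported with the Salesforce CLI as a `.profile-meta.xml` file, and the embedded XML is a constructed sample with invented custom object names.

```python
"""Audit a Salesforce guest user profile (Metadata API XML) for record access.

Added example: assumes the guest profile was retrieved with the Salesforce CLI
as a .profile-meta.xml file. SAMPLE_GUEST_PROFILE is a constructed sample with
invented custom objects, not a real org's profile.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: guest can read a public FAQ object (fine), but also
# Contact and an application object holding PII, with Create and View All.
SAMPLE_GUEST_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions><allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Public_FAQ__c</object><viewAllRecords>false</viewAllRecords></objectPermissions>
  <objectPermissions><allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Contact</object><viewAllRecords>false</viewAllRecords></objectPermissions>
  <objectPermissions><allowCreate>true</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Benefit_Application__c</object><viewAllRecords>true</viewAllRecords></objectPermissions>
</Profile>"""

WRITE_OR_ALL = ("allowCreate", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")


def audit_guest_profile(xml_text, allowed_read=frozenset({"Public_FAQ__c"})):
    """Return (object, reason) findings: guest read access on any object not in
    the allowlist, and any write or View/Modify All grant, which a guest
    profile should never hold. Object permissions are only half the picture;
    org-wide defaults and sharing rules for the guest user still need review."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("m:objectPermissions", NS):
        def granted(tag):
            return perm.findtext(f"m:{tag}", "false", NS).strip() == "true"
        obj = perm.findtext("m:object", "", NS).strip()
        if granted("allowRead") and obj not in allowed_read:
            findings.append((obj, "guest read access outside allowlist"))
        for flag in WRITE_OR_ALL:
            if granted(flag):
                findings.append((obj, f"{flag} granted to guest"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, reason in audit_guest_profile(SAMPLE_GUEST_PROFILE):
        print(f"{obj}: {reason}")
```

Run against a real export, every finding is a record type an anonymous visitor to the Community site may be able to read or create, and should be checked against the Guest User Access Report.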
nGuard has been conducting configuration security audits as part of our wide array of security assessments for over two decades. Configuration security audits are system-level analyses of physical systems, network devices, cloud environments, or SaaS solutions like Salesforce which, as appropriate, look for the use of best practices to harden the device or system against unauthorized access or misuse. If you require assistance checking your Salesforce deployment for security best practices and hardening, contact nGuard today.
Merck Entitled to $1.4 Billion Payout in Cyber Insurance Lawsuit
Merck, the pharmaceutical company, may be eligible for a large insurance payout due to the high-profile NotPetya cyberattack, according to a ruling by a New Jersey appellate court. The court ruled that the “hostile/warlike action” exclusion clause cannot be applied to a cyberattack on a non-military company, even if it originated from a government or sovereign power. In this case, the hack was tied to Russia as part of its aggression against Ukraine. Merck previously received a $1.4 billion payout after suing insurers who had denied coverage for the NotPetya attack, and eight insurers disputed nearly $700 million in coverage on appeal. The case stemmed from a ransomware attack Merck suffered in June 2017, which the U.S. government later attributed to Russia’s military intelligence operations.
Because cyber insurance requirements continue to evolve, nGuard detailed some of the new requirements in a recent Security Advisory. Often, to be eligible for even the most basic level of coverage, your organization needs to be doing security awareness training and testing, internal and external vulnerability scanning, and continuous monitoring.