What Happened?

On the early afternoon of February 17^th, our CEO, Ken Soh, was greeted with an urgent message by Louis Hur, CEO, NSHC, one of our official security experts from the Good Hackers Alliance (gha).

Using Darktracer, an application that searches the net for data leaks, he was one of the first to discover a page on the dark web that featured freshly leaked data of about 129,000 of Singtel’s customers. The data stolen included customers’ NRIC, names, date of birth, mobile numbers, and addresses.  Additionally, it also had information stolen from 25 other firms.

On their website, they demanded $250,000 worth of bitcoin in order to “avoid this situation”.

Singtel and the relevant authorities were subsequently informed. The news was later revealed to the public later the same day.

How did this happen?

According to CNA (link), a third-party vendor (Accellion) to Singtel had its file-sharing system FTA “illegally attacked by unidentified hackers”.

On January 23^rd, Accellion had detected a new vulnerability in the system. Singtel then took the system offline while Accellion attempted to patch it. However, an anomaly alert had been triggered on January 30^th when Singtel was trying to patch the new vulnerability, causing a rousing suspicion that the system had already been breached. Unfortunately, their suspicions were not unfounded.

It was confirmed that many sensitive files had been taken and the news was announced to the public on February 11th.

Investigations by Singtel had revealed that the breach had occurred on January 20^th, 3 days before it had even been detected.

The last known patch had been applied on December 27^th of the previous year.

What are the consequences?

From history, we can observe that a breach in data usually results in large legal fees and monetary costs to salvage the situation. For example, Adobe’s data breach of 153 million user records in October 2013 had cost them $1.1 million in legal fees and another $1 million paid to customers.

Additionally, such a large-scale leak would result in the loss of confidence from both customers and prospective customers and tarnish the organization’s reputation.

How can we avoid this?

It was reported that the hackers had found several zero-day vulnerabilities in the Accellion FTA, specifically one of them being an SQL injection.

In our opinion, this could have been alleviated by, on top of maintaining update-to-date patches, having constant VAPT assessments on the systems to ensure that potential vulnerabilities are found and fixed in time before malicious actors have the chance to exploit them. Organisations typically run VAPTs at most once or twice a year due to constraints in terms of cost, time and manpower. However, this is not enough. To solve this issue, a newer trend of automated VAPT tools have been emerging, allowing users to perform automated VAPT as often as they would need at a fraction of the cost. With that, gha has since been carrying out automated VAPT to the industry since 2020 and found direct benefits in such approach.

This gives rise to two main ways to do VAPTs – manual VAPT and automated VAPTs.  

Manual VAPT refers to when a group of white hat hackers would attempt to ‘hack’ a system, following which they will update the owners on the vulnerabilities and weaknesses of their program, as well as how to patch them. gha comprises a group of experienced white hat hackers with state-level experiences that provide such services as per this link.

While automated VAPTs are similar to manual VAPTs, its main difference is the fact that the process is automated by a program. While it is more convenient, cheaper, and takes a shorter amount of time, the depth of an automated VAPT may not be as customized when compared to doing it manually and the risk of having a false positive may be higher. Since the outcome varies from case to case, please feel free to contact us to explore forth.

Ideally, it would be best to have a combination of both manual and automated VAPT as they complement each other’s weaknesses.

Apart from having reliable VAPT services, it is also integral that a company has a good source code scanner, especially one that can white-box scan even binary files. A reliable source code scanner would have easily detected weak coding practices e.g. codes with SQL injections vulnerability. An example of a source code scanner would be Solar appScreener. Solar appScreener reviews vulnerabilities and binary codes without the need of its source code. This is directly useful to uncover vulnerabilities in 3^rd party codes or plug-in’s such as undocumented feature, back-door and common vulnerability and exposures (CVEs).

Closing verdict

Evidently, the setbacks that come from security breaches are severe and long-lasting. Even if the capital can be eventually recouped, it would be uphill to regain the trust of the customers. Malicious hackers prey on complacency and strike when the victim least expects it. As such, cybersecurity is an integral investment that goes a long way. We must always stay vigilant and secure to ensure that our network and information stays confidential, for both our customers and ourselves.

Disclaimer:  The outcome of best practices introduced in this material may vary due to environmental and contextual parameters. Neither BH Global Corporation Ltd, Athena Dynamics Pte Ltd nor the writers is responsible for any direct or indirect implications/impacts to the readers due to the adoption of these practices.

Neither BH Global, Athena Dynamics nor the writer guarantees full and timely accuracy of the write-up. Readers shall read with their own discretion, judgement and research if in doubt. If you wish to contribute further writings, please feel free to contact us.

Not for General Distribution. Copyright © 2020 All Rights Reserved. No part of this presentation materials may be distributed/reproduced without the writers’ expressed consent.