Deloitte Confirms Email Server Compromise

Hackers broke into the email service of professional services giant Deloitte and reportedly accessed confidential messages, usernames, passwords, IP addresses, business diagrams and other information belonging to its clients.

The security breach was discovered in March, but hackers might have had access to the email server since October or November, The Guardian reported Monday citing unnamed sources. According to the newspaper’s sources, the hackers gained access to the system, which was hosted on Microsoft’s Azure cloud platform, by compromising an administrator account that didn’t have two-factor authentication enabled.

“The attacker accessed data from an email platform,” the company confirmed in an emailed statement.

The subsequent investigation revealed that “very few clients” were impacted and helped Deloitte establish “precisely what information was at risk and what the hacker actually did.”

The incident highlights that even a company like Deloitte which offers cybersecurity consulting services to businesses and helps them manage cyber risks can suffer breaches due to basic access control oversights.

“Email is the lifeblood of most modern companies,” said Richard Stiennon, chief strategy officer of Blancco Technology Group and director of the International Data Sanitization Consortium. “A complete data governance regime should put email at the top of concerns. While health records, financials and PII usually are considered first, it must be acknowledged that all of that critical information passes through email, too. Email should be first protected against unauthorized access.”

An estimated 5 million emails were stored in Deloitte’s cloud-based email platform and could have been accessed, according to The Guardian’s sources. However, Deloitte claims that just a fraction of those emails were put at risk.

In response to the incident, the company implemented a “comprehensive security protocol” and set up a team of internal and external security experts to investigate the breach. It also contacted law enforcement authorities and notified the impacted customers.

“No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers,” the company said. “Deloitte remains deeply committed to ensuring that its cybersecurity defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security.”

Acquiring credentials is increasingly easy for hackers so static passwords cannot provide effective corporate protection, said Rich Campagna, CEO of data and threat protection vendor Bitglass. “Enterprises must follow best practices in authenticating users, starting with a proactive approach to identifying suspicious logins. Dynamic identity management solutions that can detect potential intrusions, require multi-factor authentication, and integrate with existing systems for managing user access can be much more effective than basic password protection.”

Oracle Patches Critical Apache Struts Flaws in Its Products

Oracle has released patches for a wide range of products, including many from its financial services suite, to incorporate several vulnerabilities in Apache Struts 2.

The patches include fixes for CVE-2017-9805, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804 and CVE-2017-12611. These flaws have been fixed in Apache Struts in July, August and September and several of them can lead to remote code execution.

The CVE-2017-9805 vulnerability that was patched in September is particularly dangerous because it affects a widely used component called the REST plugin. An exploit for the vulnerability is already available and attackers are already targeting it in the wild.

“Oracle strongly recommends that customers apply the fixes contained in this Security Alert as soon as possible,” said Eric Maurice, Oracle’s director of security assurance said in a blog post. “Furthermore, Oracle reminds customers that they should keep up with security releases and should have applied the July 2017 Critical Patch Update (the most recent Critical Patch Update release).”

Oracle’s patches come after U.S. credit monitoring bureau Equifax admitted that its failure to patch an older vulnerability in Apache Struts in time led to the data breach that exposed the personal information of 143 million people in the United States.

The list of Oracle products that use Apache Struts and are affected by these flaws include the Oracle MySQL Product Suite, Oracle Communications Policy Management, Oracle Financial Services Applications, Oracle Insurance Data Foundation, Oracle Retail Applications, Siebel Applications and Fusion Middleware.

Apache Struts is a development framework for Java-based web applications that is popular in corporate environments. However, many companies don’t keep track of what components they use in their applications and often fail to update them. The fact that the framework is also included in many enterprise products from third-party vendors makes it even harder for companies to determine where on their networks they might have vulnerable deployments.

According to a recent report from software supply chain automation company Sonatype, more than 46,000 organizations downloaded vulnerable versions of Struts or its components over the past 12 months despite patched versions being available at the time.

Featured eBook
The Complete Guide on Open Source Security

The Complete Guide on Open Source Security

This joint report by Microsoft and WhiteSource discusses the difference in finding & fixing vulnerabilities in open source components opposed to proprietary code, how to grasp the unique challenges of open source security and how to tackle them, as well as how to master the best practices of managing your open source security risks. This ... Read More
WhiteSource

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 199 posts and counting.See all posts by lucian-constantin

One thought on “Deloitte Confirms Email Server Compromise

Comments are closed.