author photo
By Bruce Sussman
Wed | Aug 12, 2020 | 9:45 AM PDT

Cybersecurity training platform SANS Institute says it suffered a security incident last week which revealed 28,000 records of Personally Identifiable Information (PII).

Here is what we know about how the data breach started, how it was detected, and an expert opinion on this type of cyberattack strategy.

How did the SANS data breach start?

In its Data Incident Notice, SANS says the cyberattack started the same way more than 90% of cyberattacks do:

"We have identified a single phishing e-mail as the vector of the attack. As a result of the e-mail, a single employee's email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised."

How did the SANS data breach evolve?

Once the hacker gained access to the SANS employee's email, they used an extremely popular cybercrime trick to monitor things. They set up email forwarding rules that most users never check for or utilize. Thankfully, SANS did detect this activity after awhile:

"On August 6th, as part of a systematic review of email configuration and rules we identified a suspicious forwarding rule and initiated our incident response process. This rule was found to have forwarded a number of emails from a specific individual's e-mail account to an unknown external email address.

The forwarded emails included files that contained some subset of email, first name, last name, work title, company name, industry, address, and country of residence. SANS quickly stopped any further release of information from the account.

As a result of this incident, 513 emails were forwarded to an unknown external email address. Most of these emails were harmless, but some of these emails contained files with personally identifiable information (PII). As a result, approximately 28,000 records of PII were forwarded to an unknown external email address."

What actions did SANS take upon discovering the attack?

As SANS mentions above, it activated its incident response plan immediately:

"Upon discovery of the malicious activity, our IT and security team removed the forwarding rule and malicious O365 add-in. We have also scanned for any similar occurrences within all other accounts and across our systems. We have found no other indications of compromise.

SANS digital forensics instructors are heading up the investigation. We are working to ensure that no other information was compromised and to identify opportunities to harden our systems and improve our response. When the investigation is complete, we will run a webcast to outline our learnings if there is information that we think would be useful to the community."

And we know they have some incredibly smart instructors at SANS who will no doubt uncover every last detail of this incident.

Email forwarding rules a popular tactic in BEC attacks

In light of this cyberattack on SANS, here is a question you should be asking at your organization: are you monitoring forwarding rules on your Office 365 or other email accounts? Are you reminding your end-users to check them and telling them how to do it?

According to one of the top Business Email Compromise (BEC) investigators in the United States, this is a very common attack strategy for those involved in BEC attacks. 

Chris McMahaon is with the United States Secret Service, and he tells SecureWorld he repeatedly sees two major money making reasons cybercriminals set up forwarding rules after compromising an email account.

One of these reasons is invoice fraud:

"We've seen this in multiple small municipalities and towns and cities across the country where a contractor may be doing work for a town or a school, and the bad actor is sitting on that email address. And when it's time to do the invoice, they'll go ahead and create the invoice that looks legitimate, but the bad actors account information is on that invoice. And so it happens that quickly, right? Because the bad actors are sitting on that on that email address. They're watching and continually watching that those emails come back and forth and so they know exactly when to send a fraudulent email. So it doesn't look like it's out of place."

And another major reason is to go after the money involved in buying and selling property:

"The real estate industry gets hit frequently with the BEC fraud. And so the bad actors are sitting on say, a title company or real estate agent's email address, and they're watching the emails come come through there.

They set up forwarding rules. So they're being forwarded all the emails, paying attention to the the important ones.

And so say you say you're buying a house and you have a closing at the end of the week. Well, the bad actor will then send an email that looks legitimate from the title company to the buyer, and which will say hey, go ahead and wire your money to this account so you don't hold up closing on Friday.

Well, to the buyer, it makes sense because they don't want to hold up closing on Friday. And it looks like it's coming from the title company. So everything looks legitimate. However, typically the bank account on the for the wire instructions, is a bank account that the bad actor is set up already."

At some point, organizations typically become aware that someone has gained unauthorized access to an account and so they initiate a password reset. 

However, because the forwarding rules are not changed, organizations often keep unknowingly forwarding this information and the attack remains ongoing.

I asked McMahaon about these things on the SecureWorld podcast episode, "The Enterprise Business Model of Cybercrime," which you can listen to in your browser right now by clicking the arrow, or it is available on all major podcast platforms.


Tags: Data Breach,