Attackers took a novel route to compromising end users by targeting Mozilla’s sensitive security information, the company announced last week.
The attacker gained privileged access to Bugzilla, Mozilla's bug-tracking service, and used the non-public details of unpatched vulnerabilities stored there to attack Firefox users before fixes shipped. Mozilla has since patched the vulnerabilities, but the episode is a reminder that the information describing your security weaknesses needs protecting just as much as the systems themselves.
A Compromised Credential Snowballs to a Data Breach
The method of access in this attack points to the absolute necessity of defense in depth. Mozilla fell victim to death by a thousand cuts: a series of small security shortcomings that collectively led to a significant security failure.
The incident originated when an unrelated data breach leaked the credentials of a Bugzilla user. The story could have ended there, but the user had apparently reused the same password across several online services, including Bugzilla. The attacker simply logged in to the Bugzilla account with the password obtained from the third-party breach.
What’s frightening is how common these minor weaknesses are. 92% of companies have at least one login credential for sale on the Darknet, and the average enterprise has 143 files with the term “password” right in the file name stored in Office 365 alone. Reusing corporate passwords is by no means rare either: according to a study by Joseph Bonneau of the University of Cambridge, 31% of passwords are duplicated across services. Combine this with the fact that the average employee uses 28 different cloud services, and companies have a massive attack surface to consider.
Get Smart to Compromised Accounts with Security Intelligence
The natural place to start with preventing this type of attack is the security fundamentals: strong passwords, multi-factor authentication, and restricting privileged access to fewer users. But these best practices are not foolproof, and the strongest security posture is a resilient one.
Companies need to prioritize detection of persistent unauthorized access. Mozilla confirmed the attacker had access to Bugzilla’s system since September 2014, with the possibility that the incident began an entire year earlier.
The only safe premise for security professionals is to assume the network has already been compromised. To detect incidents as they develop, companies are turning to security intelligence. This is a catch-all term for a reason: the richer the dataset of user behavior, the more powerful and accurate the insights into security risks.
Mozilla’s shortcoming illustrates the importance of combining multiple feeds of data. Darknet intelligence lets security teams raise the risk score of users whose credentials are already known to be exposed. It is also critical for companies to understand what data is stored and shared in their file sharing and collaboration platforms, so they can catch obvious blunders such as employees keeping password master lists in cloud storage. A large enterprise may have thousands of logins for sale online, but credential exposure is only part of the story.
User behavioral analytics let companies measure activity and risk at a granular level and set more accurate thresholds for what counts as a security incident. For example, monitoring access to sensitive data and the volume or geographic origin of downloads can flag an attacker who is operating inside the network with a legitimate account. Ultimately, a rising risk profile should push an at-risk account through additional checks such as multi-factor authentication before it can continue. With breaches of login credentials happening nearly every other week, geo-location analytics, behavioral analytics and adaptive authentication should be standard practice for stopping threats before the damage is done.
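To make the last two paragraphs concrete, here is an added example (not the article's or any vendor's code) of a minimal risk-scoring loop that combines a Darknet exposure feed with behavioral signals: a country the user has never logged in from, two countries within an hour, download volume above the user's own baseline, and access to data tagged sensitive. When the score crosses a threshold the decision is to step the session up to MFA rather than silently allow it. The weights, threshold, baselines, the exposure feed and the event stream are all constructed for illustration; a real deployment derives baselines from history.

```python
from datetime import datetime, timedelta

# Illustrative weights and threshold (assumptions, not values from the article).
W_EXPOSED = 30            # credentials seen in a third-party breach dump
W_NEW_COUNTRY = 25        # country never seen for this user
W_IMPOSSIBLE_TRAVEL = 40  # different country within TRAVEL_WINDOW of the last event
W_VOLUME = 30             # day's download volume above the user's p95
W_SENSITIVE = 10          # touched data tagged sensitive
THRESHOLD = 50
TRAVEL_WINDOW = timedelta(hours=1)

# Constructed Darknet feed: accounts whose credentials appeared in a dump.
EXPOSED_ACCOUNTS = {"alice@example.com"}

# Constructed per-user baselines: countries seen historically, p95 daily download bytes.
BASELINES = {
    "alice@example.com": {"countries": {"US"}, "daily_bytes_p95": 50_000_000},
    "bob@example.com": {"countries": {"US", "DE"}, "daily_bytes_p95": 200_000_000},
}

# Constructed event stream, in time order.
EVENTS = [
    {"user": "bob@example.com", "ts": "2015-09-07T09:00:00", "type": "login",
     "country": "DE", "bytes": 0, "sensitive": False},
    {"user": "alice@example.com", "ts": "2015-09-07T09:05:00", "type": "login",
     "country": "US", "bytes": 0, "sensitive": False},
    {"user": "alice@example.com", "ts": "2015-09-07T09:30:00", "type": "login",
     "country": "RO", "bytes": 0, "sensitive": False},
    {"user": "alice@example.com", "ts": "2015-09-07T09:40:00", "type": "download",
     "country": "RO", "bytes": 80_000_000, "sensitive": True},
    {"user": "bob@example.com", "ts": "2015-09-07T14:00:00", "type": "download",
     "country": "US", "bytes": 10_000_000, "sensitive": False},
]


def evaluate(events, baselines=BASELINES, exposed=EXPOSED_ACCOUNTS, threshold=THRESHOLD):
    """Score each event for its user and decide 'allow' or 'step_up_mfa'."""
    last_seen = {}     # user -> (timestamp, country) of that user's previous event
    daily_bytes = {}   # (user, date) -> bytes downloaded so far that day
    results = []
    for ev in events:
        user = ev["user"]
        ts = datetime.fromisoformat(ev["ts"])
        base = baselines.get(user, {"countries": set(), "daily_bytes_p95": 0})
        score, reasons = 0, []

        if user in exposed:
            score += W_EXPOSED
            reasons.append("credentials in breach feed")
        if ev["country"] not in base["countries"]:
            score += W_NEW_COUNTRY
            reasons.append(f"new country {ev['country']}")
        prev = last_seen.get(user)
        if prev and prev[1] != ev["country"] and ts - prev[0] < TRAVEL_WINDOW:
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append(f"{prev[1]}->{ev['country']} within {TRAVEL_WINDOW}")
        if ev["type"] == "download":
            key = (user, ts.date())
            daily_bytes[key] = daily_bytes.get(key, 0) + ev["bytes"]
            if daily_bytes[key] > base["daily_bytes_p95"]:
                score += W_VOLUME
                reasons.append("download volume above baseline p95")
        if ev["sensitive"]:
            score += W_SENSITIVE
            reasons.append("sensitive data accessed")

        last_seen[user] = (ts, ev["country"])
        # The baseline is deliberately NOT updated from an unverified session:
        # letting an attacker's activity become "normal" would defeat the point.
        decision = "step_up_mfa" if score >= threshold else "allow"
        results.append({"user": user, "ts": ev["ts"], "score": score,
                        "decision": decision, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in evaluate(EVENTS):
        print(r["ts"], r["user"], r["score"], r["decision"], r["reasons"])
```

Note that the exposure feed alone (score 30 for alice's first, perfectly normal login) does not trigger anything; it is the combination with a never-seen country and an impossible-travel hop that pushes the score over the line. That is the practical reason for feeding several sources into one score instead of alerting on each in isolation.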