Intelligence & Analytics June 16, 2023
By Mike Elgan 3 min read

Hack me once, shame on thee. Hack me twice, shame on me.

The popular email marketing company, MailChimp, suffered a data breach last year after cyberattackers exploited an internal company tool to gain access to customer accounts. The criminals were able to look at around 300 accounts and exfiltrate data on 102 customers. They also accessed some customers’ AIP keys, which would have enabled them to send email campaigns posing as those customers.

This data breach attack wasn’t especially noteworthy — until less than six months later, it happened again. As before, an intruder accessed internal tools to compromise data on 133 MailChimp accounts. The breach was made possible by a social engineering attack on employees and contractors to gain access to employee passwords.

The attack engendered follow-on attacks. One of MailChimp’s customers was the cloud service provider, DigitalOcean. As a result of the attack, that company was unable to communicate with customers for a few days and had to request that customers reset their passwords.

After the first breach, MailChimp told TechCrunch it had added an unspecified “additional set of enhanced security measures” and replaced its CISO.

The experience of getting attacked in a similar manner as a previous attack isn’t rare. In fact, it’s very common.

MailChimp is just one example of many

Repeated attacks are actually the norm, not the exception. Some two-thirds (67%) of companies attacked get attacked again within one year, according to a global study by the security posture management company, Cymulate. And 10% of companies experienced 10 or more incidents within a single year.

For ransomware attacks specifically, the number of companies suffering repeated ransomware attacks rose to 80%, according to an international Cybereason survey.

Which raises the question: Why are repeat attacks so incredibly common?

What goes wrong in attack recovery that invites new attacks?

Here’s an under-appreciated fact about what happens after a cyberattack: Malicious actors learn what’s possible.

In the MailChimp example, cyberattackers learned that 1) internal tools were vulnerable, and 2) they could be used to steal customer data.

Once that knowledge was out there, it gave cyber crooks an incentive and a target. In other words, we can assume that the most likely next attack will target the same vulnerabilities as the last attack. The second a cyber incident is publicized, the clock starts ticking on a copycat attack.

The worst thing a company can do is nothing.

The best thing is to focus like a laser beam on the specific vulnerabilities that lead to the attack in the first place so that copycat attackers can’t exploit the same issues.

What should companies do to prevent repeat attacks?

While, of course, all companies should do all they can to prevent cyberattacks, it’s especially important to prioritize protection against the kind of attack that has already occurred.

The right response to a major cyberattack is to launch a thorough reset of the organization’s cybersecurity approach and posture. The SolarWinds hack is one great example.

In December 2020, we learned of a sophisticated supply chain cyberattack launched by a nation-state using the SolarWinds Orion network management system. Through this software, the Russian-backed cyberattackers (APT29, aka Cozy Bear) breached systems inside multiple U.S. and European government agencies and private companies, including multinational drug and biotech company AstraZeneca. The attack was discovered by the security firm FireEye when it was itself compromised by the attack.

Changes to industrial and national policy after the SolarWinds catastrophe are well known. But less appreciated are the steps SolarWinds itself took after the attack. They handled the aftermath well.

SolarWinds added a cybersecurity committee to its board of directors, added former CISA Chief Chris Krebs and former Facebook and Yahoo Security Chief Alex Stamos as consultants to the board, and they instituted major changes to how they build software to support strong cybersecurity.

Of course, it’s unlikely most companies are going to bring on board two of the most prominent names in cybersecurity. But the SolarWinds example captures the necessary spirit of change — boosting security best practices into everything from how leadership leads to company code.

Effectively regrouping after an attack

After a major attack, every organization should do some soul-searching. It’s important to evaluate how leadership failed to lead, how the company failed to invest, how the policies were inadequate and how the company culture around cybersecurity was insufficient to prevent malicious attacks through social engineering or other methods. The result of this postmortem should be:

  • Changes in the org chart: Additions to the staff of senior-level security specialists like a CISO, a change in who reports to whom or the injection of strong cybersecurity experience to the board of directors.
  • A total overhaul of cybersecurity training for employees
  • Strong improvements to how and when patching and updates happen
  • The overhaul of the security posture to embrace Zero Trust.

In short, the particular vulnerabilities that opened the door to a cyberattack need to be aggressively prioritized for remediation. Because the bad guys see the published details of a cyberattack as an instruction manual to launch another one.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

 |  |  |  |  |  |  | 
Mike Elgan

More from Intelligence & Analytics
September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

August 8, 2023

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature