Yesterday I reported on a significant hack on the Canada Revenue Agency. Today, more details have been revealed by the Canadian Government. Apparently attackers used a technique called credential stuffing, along with bugs in the Canada Revenue Agency online services gained access to Canada Revenue Agency accounts. Which in turn allowed the attackers to apply for and get the Canada Emergency Response Benefit.
In total, at least 5600 accounts out of 15 million CRA accounts were affected. And affected accounts have been taken offline. And those affected will get a letter from the Canada Revenue that they were pwned, and how to fix this. Another 9,000 or so accounts were affected by a attack on the Government’s GCKey system. In total 24 different Government departments were affected by this.
I watched the news conference related to this, and while they were handing out important and valid information, and giving a cursory overview of what happened and how they are responding to it, there was a bit of “blame the victim” at play here by the Government. Yes you should use unique passwords, update your OS, and use multi-factor authentication as well as being aware of spear phishing attacks. But there were issues that the Government has addressed that led to this hack. Such as not having the means to defeat credential stuffing. So to heavily push the narrative that it is all the fault of Canadians is a bit of a #fail. Another problem is that that the RCMP was called in on August 11th, but Canadians didn’t find out about this until the weekend. And the systems weren’t taken down until the weekend after multiple attacks occurred. That’s a #fail as well.
Serious questions need to be asked to the Government about this. Especially since the Canada Revenue Agency has been pwned before. Canadians need to hold the Canadian Government accountable for this and for making sure these online systems are actually secure.
UPDATE: David Masson, Director of Enterprise Security at Darktrace had this to say on this hack:
Threat actors will always look to exploit a crisis. During the ongoing pandemic, we have seen attackers capitalize on the fear, uncertainty and doubt surrounding COVID-19, particularly by increasing spear phishing attacks. Since the public is desperate for information, successful attacks are able to take advantage of their desperation by getting victims to click on links, view attachments, visit fake websites and even give up personal information.
Many pre-pandemic spear phishing attacks were successful, and continue to be successful, since this method leads to a treasure trove of personal information. Threat actors may use this information in a variety of ways – some may sell passwords on the dark web, while others may use this information for “credential stuffing” attacks. During these attacks, bad actors simply try to use known passwords to get into a system, and since many people continue to use the same password for several applications and websites, threat actors can end up being lucky. In the case of these attacks against the CRA – the bad guys have been lucky over five thousand times!
Any individual can avoid such an attack by using different passwords for every login. It is simple – if you use a strong, unique password for every application, you will massively reduce the risk of compromised credentials.
For businesses and organizations, prevention is a bit trickier. Only security solutions that leverage artificial intelligence can really prevent these sorts of threats before damage is done, since AI is able to provide full visibility of an entire digital infrastructure.