Governments, local and federal, provide certain services to
the people they represent. These may consist of snow removal, unemployment insurance,
defense, assistance during disasters, and other services. Canada is no
different, providing a vast number of services to its citizens. All of these
services require data for processing and record-keeping. This data, and the
computer systems that process and store it, are viable targets for
attackers.
Attack
To access these services, Canadian citizens need to
log in to the service portal. This was set up much like any other login screen,
where the user enters their username and password into the website. Normally,
this runs very smoothly. The problems
start when the user has the same password across many domains. There have been
so many breaches that most people's passwords are for sale and have probably been
sold many times. These passwords provide the basis for the credential stuffing
attack. The attackers try each person's known passwords across many domains in the
hope that the user has used the same password several times. This makes the attacker's
job much easier since they already have sample passwords to begin their work
with.
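The login pattern this produces on the portal side can be picked out of authentication logs. The following is an added example, not part of the original post or any Government of Canada system: the log format, addresses, usernames and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the incident): time, source IP, username, result.
SAMPLE_LOG = """\
2020-08-07T10:00:01 203.0.113.10 user01 FAIL
2020-08-07T10:00:02 203.0.113.10 user02 FAIL
2020-08-07T10:00:03 203.0.113.10 user03 OK
2020-08-07T10:00:04 203.0.113.10 user04 FAIL
2020-08-07T10:00:05 203.0.113.10 user05 FAIL
2020-08-07T10:00:06 203.0.113.10 user06 FAIL
2020-08-07T10:01:10 198.51.100.7 bob FAIL
2020-08-07T10:01:25 198.51.100.7 bob OK
2020-08-07T10:02:00 192.0.2.44 carol FAIL
2020-08-07T10:02:01 192.0.2.44 carol FAIL
2020-08-07T10:02:02 192.0.2.44 carol FAIL
"""


def flag_stuffing_sources(log, min_users=5, max_tries_per_user=2, max_success_ratio=0.2):
    """Return {ip: stats} for sources that try many distinct usernames, only
    once or twice each, and mostly fail: the shape of replayed breach lists."""
    tries = defaultdict(lambda: defaultdict(int))   # ip -> username -> attempts
    hits = defaultdict(set)                         # ip -> usernames that logged in
    for line in log.strip().splitlines():
        _ts, ip, user, result = line.split()
        tries[ip][user] += 1
        if result == "OK":
            hits[ip].add(user)

    flagged = {}
    for ip, per_user in tries.items():
        wide = len(per_user) >= min_users
        shallow = max(per_user.values()) <= max_tries_per_user
        mostly_failing = len(hits[ip]) / len(per_user) <= max_success_ratio
        if wide and shallow and mostly_failing:
            flagged[ip] = {
                "usernames_tried": len(per_user),
                "attempts": sum(per_user.values()),
                # Accounts that accepted a replayed password: reset and notify.
                "accounts_to_reset": sorted(hits[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The user who mistypes once (bob) and the repeated guessing against a single account (carol) are not flagged, because neither is wide across usernames. Grouping by source address is itself an assumption; the same counting can be keyed on a network range or client fingerprint where traffic is spread out.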
This is what happened in this case. The attackers used passwords
previously used on other domains to check whether the users had the same password
across many different services. The attack was detected on August 7th.
While this occurred in Canada, this form of attack could occur anywhere. The
successful attack is indicative of a systemic issue with user passwords. Using
the same password is an incredibly bad idea for several reasons. The attack is
a clear and shining example of this.
The attack, per the Office of Chief Information Officer for
Canada, affected 9,041 GC Key accounts and approximately 5,500 Canadian Revenue
Agency (CRA) accounts. The GC Key accounts were used in a fraudulent manner in
an attempt to access government services. Once this was detected, the GC Key
accounts were canceled.
Mediation
Fortunately, the attack was contained. Users should
not re-use passwords, since re-use is the prerequisite for the attack.
Each website or service should have its own password. If users have
too many passwords to remember, a password manager can handle
the issue. Users should also use MFA. This severely reduces the potential
for this type of attack to occur. Post-attack, the affected users
should monitor their online accounts. Once the attack was detected, the citizens were contacted
after the accounts were deleted. The users were informed on how to receive a
new GC Key. Granted, this was a hassle for the users; however, if the same
password had not been used across multiple domains, this would not have been a problem.
Access to the CRA accounts was also disabled. The Canadian agency is working with
people to restore access to the CRA MyAccount.
From a law enforcement aspect, the Royal Canadian Mounted
Police (RCMP) was contacted on August 11th. The office of the Privacy
Commission was also contacted to alert them of a possible breach.
This issue provided many lessons for users: use
different passwords, and do not use the same one for several domains.