Please fill in the form below to subscribe to our blog

The Week in Breach News: 03/23/22 – 03/29/22

March 30, 2022

Lapsus$ scores two big hits but it may have done itself in, a vishing tale at Morgan Stanley, a new checklist for your prospects and three risks your clients need to know about right now.  

Get ready to pack your bags for Connect IT 2022! Join us June 20-23 in Las Vegas for the industry’s premier event! REGISTER NOW>>


Exploit: Unauthorized Access

Microsoft: Software Company 

cybersecurity news gauge indicating extreme risk

Risk to Business: 2.337 = Severe

The Lapsus$ gang has released 37GB of source code that they snatched in a brazen hit on Microsoft’s Azure DevOps server. Microsoft confirmed the incident, saying that the threat actors gained access through a compromised employee account. The source code looks to pertain to various internal Microsoft projects, including for Bing, Cortana and Bing Maps. Microsoft made a blog post about its recent operations to track and potentially interfere with Lapsus$ last week. The company was quick to state, “Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.” Lapsus$ is known to be a ransomware outfit, but no ransom activity was disclosed in this incident.

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Source code is a useful asset for cybercriminals that can help them develop new malware and attack techniques.

ID Agent to the Rescue: Learn why high cyber resilience is the ticket to a safer future for your clients (plus more MRR for you) and what you can do to help them build it. GET THIS EBOOK>> 


Exploit: Credential Compromise (Supply Chain Risk)

Okta: Identity and Access Management Solutions

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 1.299 = Extreme

Lapsus$ also pulled off another high-profile attack, this time against access management company Okta. Lapsus$ announced that it had breached Okta’s security in January on March 22. Supporting the claim, the group published screenshots related to Okta’s internal apps and systems. This one had a bit of a bumpy acknowledgment process by Okta who originally said no customer data was accessed but later clarified, saying “a small percentage of customers – approximately 2.5% – have potentially been impacted and (their) data may have been viewed or acted upon.” A third-party service provider’s previous breach likely also played a part in the incident. No specifics on the data were given. As we stated above, Lapsus$ is typically involved in ransomware operations but no details of any ransomware activity have been reported.

NOTE: Lapsus$ hackers were allegedly detained by UK police following these incidents. 

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business Cybercriminals know that service providers are a quick avenue to exploit for vulnerabilities that may allow them to penetrate a bigger company’s security.

ID Agent to the Rescue: Help your clients navigate the tricky straits of third party and supply chain risk with great ways to mitigate the danger and stay safe in a dangerous world. GET EBOOK>>

United States – Morgan Stanley

Exploit: Social Engineering (Vishing)

Morgan Stanley: Financial Services

cybersecurity news represented by agauge showing severe risk

Risk to Business: 1.721 = Severe

Morgan Stanley Wealth Management, the wealth and asset management division of Morgan Stanley, says some of its customers had their accounts compromised in a vishing attack. The company notified clients that on or around February 11, 2022, a threat actor impersonating Morgan Stanley gained access to their accounts by impersonating a Morgan Stanley representative and persuading those victims to provide the imposter their Morgan Stanley Online account info. After successfully breaching their accounts, the attacker also electronically transferred money to themselves using the Zelle payment service. No specifics have been given regarding the number of customers swindled, but the firm has stated that those clients were reimbursed. 

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How It Could Affect Your Customers’ Business: Brand impersonation is a rising risk that businesses and consumers need to be aware of. It always pays to check for authenticity before handing over your data.

ID Agent to the Rescue: Cybersecurity horrors lurk around every corner, lying in wait for unwary organizations. Learn how to defeat them in our eBook Monsters of Cybersecurity. DOWNLOAD IT NOW>>

remote workers pose a cryptocurrency risk

Solve five of the most exhausting remote and hybrid security problems fast with this handy infographic! DOWNLOAD IT>>

Russia – Miratorg Agribusiness Holding

Exploit: Malware (Nation-State)

Miratorg Agribusiness Holding: Meat Distributor

cybersecurity news represented by agauge showing severe risk

Risk to Business: 1.909 = Severe

Russian meat wholesaler Miratorg Agribusiness Holding has suffered a major cyberattack that encrypted its IT systems. The attack was reported by Rosselkhoznadzor, Russia’s veterinary medicine and agricultural production and byproducts oversight body. The attackers reportedly made use of the Windows BitLocker feature to encrypt files, possibly gaining access through a state veterinary information service. Rosselkhoznadzor has suggested that this may be a nation-state cyberattack. Miratorg Agribusiness Holding promised that attack will not affect its supply and shipments to Russian citizens.

How it Could Affect Your Customers’ Business Nation-state cybercrime is booming, especially around the Russia/Ukraine conflict.

ID Agent to the Rescue: Help your clients develop a security and compliance awareness training program by sending them the 6 Tips for Creating a Security Awareness Training Policy infographic. GET IT>>

Greece – Hellenic Post (ELTA)

Exploit: Ransomware

Hellenic Post (ELTA): National Postal Service

cybersecurity news represented by agauge showing severe risk

Risk to Business: 2.017 = Severe

ELTA, the state-owned provider of postal services in Greece, has disclosed a ransomware incident that has knocked most of the organization’s services offline. The organization announced that its IT teams have determined that the threat actors exploited an unpatched vulnerability to drop malware that allowed access to one workstation using an HTTPS reverse shell, encrypting systems critical to ELTA’s business operation. ELTA is currently unable to process mail, bill payments or any form of financial transaction orders with no estimate of when these services will be made available again. 

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How it Could Affect Your Customers’ Business Cybercriminals love to target organizations in time-sensitive fields to increase their chance of scoring a big payday.

ID Agent to the Rescue Security and compliance training is a powerful weapon against expensive disasters. See why in Security Awareness Training: Your Best Investment. GET EBOOK>>

United Kingdom – Ministry of Defence

Exploit: Nation-State Hacking (Hacktivism)

Ministry of Defence: National Government Agency 

cybersecurity news represented by a gauge indicating moderate risk

Risk to Business: 2.811 = Moderate

The Ministry of Defence has suspended online application and support services for the British Army’s Defence Recruitment System after bad actors compromised some data held on applicants. The army was informed of the break-in on March 14 along with a rumored threat to expose the stolen data on the dark web. The recruitment operations system is run by Capita, a vendor that handles marketing, processing applications and candidate assessment centers. No further information on what data was stolen or when systems will be restored to full operations has been released.  

Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.

How it Could Affect Your Customers’ Business Cybercriminals are always hungry for fresh data, especially valuable personal or financial information.

ID Agent to the Rescue Find and slay dastardly vulnerabilities in your clients’ security strategy and emerge victorious with the Cybersecurity Monster Hunter’s Checklist! GET IT>> 

Scotland – Scottish Association for Mental Health

Exploit: Ransomware

Scottish Association for Mental Health: Healthcare Provider

cybersecurity news represented by agauge showing severe risk

Risk to Business: 2.176 = Severe

The RansomEXX ransomware group hit the Scottish Association for Mental Health, snatching 12 GB of sensitive client data from the charity. The organization confirmed the attack in a statement, explaining “We are devastated by this attack. It is difficult to understand why anyone would deliberately try to disrupt the work of an organisation that is relied on by people at their most vulnerable.” Attackers reportedly gained access to internal employee communications as well as other data sources. The charity has also said that they’re working with Police Scotland to resolve the situation. No ransom demand was made public.   

cybersecurity news represented by agauge showing severe risk

Rist to Individuals: 2.307 = Severe

The exposed data includes unredacted photographs of individuals’ driving licenses, passports, personal information such as volunteers’ home addresses and phone numbers, and some clients’ passwords and credit card details.  

How it Could Affect Your Customers’ Business This situation is especially unfortunate because in addition to an expensive incident response, the organization likely faces costly penalties.

ID Agent to the Rescue Ransomware 101, our most popular eBook, is full of tips and expert advice to guide you through securing your clients effectively from today’s scariest risk. READ IT>>

Our partners typically realize ROI in 30 days or less. See why nearly 4,000 MSPs in 30 countries choose to grow with ID AGENT solutions and support. BECOME A PARTNER>>

1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.

Go Inside the Ink to see how today’s biggest threats can impact your MSP and your customers in our blog.

Just getting started in cybersecurity? This resource bundle will help you get up to speed to protect your clients fast! GET IT>>

Fresh ResourcesGet Tools to Help You Sell More! 

Give your prospects this checklist to help them evaluate their current dark web monitoring solution and decide if it’s time for an upgrade. GET THE CHECKLIST>>
Check out the webinar “The Tools and Techniques for MSPs to Close More New Clients” to learn how to juice up your revenue! WATCH NOW>>
Bolster your MRR with the tips in the webinar “Critical Components of a Profitable and Effective Security Awareness Program” WATCH NOW>>
Did you miss this? Give your clients this list of tips to kickstart a security awareness training program. GET INFOGRAPHIC>>

See how cyber insurance is changing and how to protect your clients from trouble. WATCH NOW>>

3 Potentially Business-Crushing Overlooked Risks Your Clients Face Right Now 

Help Your Clients Be Ready for Trouble

Risks evolve quickly in today’s fast-paced cyber threat landscape. It can be hard for IT professionals to stay on top of exactly which risks their companies (and your clients) need to be the most concerned about right now. After all, every organization works differently, giving each organization a unique array of risks that it needs to be concerned about at any one time. Getting to know these three often-overlooked risks can help you start conversations with your clients that help keep them better protected as well as make your MSP a little more profitable.  

Go deep into the cybercrime underworld in “Hacker Hotbeds and Malicious Marketplaces” WATCH THIS WEBINAR>>

Conversation Hijacking 

Your clients’ trusted contacts may not actually be that trustworthy. A surge in conversation hijack phishing has brought this technique back into prominence as a major risk for businesses, yet many business execs and corporate IT folks may not be aware of it. That’s a serious oversight because this type of phishing is highly sophisticated and correspondingly difficult for employees to detect because of its slick social engineering. A user might be wary at the start of an email conversation, but they’re not going to be so cautious about future communications and continued activity in the threads of already-established email conversations. But they should be – conversation hijacking attacks grew by almost 270% in 2021 over 2020’s numbers. 

Here’s what typically happens in a conversation hijacking scenario: 

A phishing message lures a victim at Company A into providing their login to the attacker, a common goal of phishing. The bad actor then takes over the victim’s email account.  

After reading through the victim’s correspondence, the attacker selects targets for another cyberattack. They may do this by checking out old and new conversations with internal and external business contacts to find conversations that can be exploited. No target is really off the table. 

During that process, the bad actor gains information about Company A’s business operations, learns about the company’s payment procedures and discovers potential deals in progress.     

The bad actors will then utilize the selected conversations to masquerade as the victim and perpetrate cyberattacks like business email compromise, spear phishing or malware deployment attacks against the victim’s contacts.  

It’s an ingenious scheme that leverages multiple social engineering tactics to produce a devastating result. By using their victim’s ongoing communication threads with business contacts, the bad guys are launching fresh operations from a place of trust with their targets. That false sense of security makes the victims more likely to follow links, download attachments, provide data or transfer payment as requested without suspicion until it’s too late and they’ve become victims themselves. If they’ve gained access to an email account that belongs to a well-respected organization or executive, it’s even better for the bad guys because they can then capitalize on the victim’s sterling reputation.   

Several contributing factors have made this a great time for cybercriminals to perpetrate conversation hijacking phishing attacks. Ongoing remote work creates an unusually good array of targets who are more likely to fall for phishing messages. The trick is so insidious that even cybersecurity savvy employees can be tripped up easily. Plus, the huge volume of email being sent in today’s email-dependent, cloud-focused workplace creates more opportunities to strike. Your clients and their people need to be aware of this threat and take steps to address it like increasing security awareness training

Learn how to spot and stop malicious insiders and educate users with this handy infographic! GET IT>>

Nation-State Threats 

Nearly nine in 10 (86%) organizations in an international study say that they have been targeted by a nation-state threat actor. That new study by Trellix and the Center for Strategic and International Studies (CSIS) also found that 92% of respondents have faced, or suspect they have faced, a nation-state or nation-state adjacent cyber-attack in the past 18 months or expect to experience one in the near future. 

That’s not a wild supposition. An estimated 90% of Advanced Persistent Threat Groups (APTs) regularly attack organizations outside of the government or critical infrastructure framework, something many organizations may overlook. But The Microsoft Digital Defense Report shows that enterprises are now the most common targets of state-sponsored cybercriminals. Microsoft says that more than 90% of the security alerts that they have generated in the last year have originated outside of infrastructure. That’s not to say that infrastructure isn’t at risk. An estimated 60% of nation-state activity zeroed in on IT organizations, followed by commercial facilities, critical manufacturing, financial services, and the Defense Industrial Base (DIB).  

Targets of Nation-State Cyberattacks   % of Total  
Enterprises 35%  
Cyber Defense Assets 25%  
Media & Communication 14% 
Government Bodies 12%    
Critical Infrastructure 10%  

Source: Dr. Mike McGuire and HP, Nation States, Cyberconflict and the Web of Profit   

Your clients need to understand that their organizations could be at risk of a nation-state attack, (especially right now with that risk elevated by the Russia/Ukraine conflict) no matter their size or sector. Russia-based credential-harvesting phishing attacks have jumped eight-fold. Russia is the most common origination point of nation-state cyberattacks, responsible for 58% of all nation-state attacks in 2021. Guide them into making the right preparations to resist this threat by helping them address phishing risks and reduce credential compromise risk.  

See why security awareness training is a security and revenue superstar that you & your clients need to invest in now. GET EBOOK>>

Incident Response Planning Gaps 

Incident response planning is the gift that keeps on giving, yet far too many organizations are sleeping on this incredible way to improve their security now and benefit later without a serious outlay of cash. That’s surprising considering the fact that 94% of executives say their firms have experienced a business-impacting cyber-attack or compromise within the past 12 months. It may seem logical that preparing for trouble is smart in today’s volatile threat landscape, but many organizations prefer to keep their heads in the sand –  1 in 3 businesses have neglected incident response planning to their detriment. 

Incident response planning is a powerful safeguard against cyberattacks.  IBM researchers determined that making, testing and maintaining an incident response plan immediately reduces an organization’s chance of ever experiencing a damaging cybersecurity incident, even if they never use the plan. Just under 40% of organizations that they studied with a formal, tested incident response plan experienced an incident, compared to 62% of those who didn’t have a plan.  

One reason for that is that making an incident response plan often uncovers unexpected and dangerous vulnerabilities, giving organizations a better idea of their actual threat picture and security or compliance gaps that they need to close. Plus, if the worst does happen, organizations that have a tested incident response plan can save 35% of the cost of an incident

Informing your clients of the danger presented by these potentially overlooked risks can give them a valuable chance to work with you to fix their vulnerabilities and address their possible exposure before the bad guys come knocking on their door.  ID Agent can help you get the job done. 

Security and Compliance Awareness Training 

BullPhish ID is the perfect security and compliance awareness training solution for companies of any size with an array of training options that enable you to provide the right training for each client’s individual business needs painlessly.  

  • A huge library of security and compliance training videos in 8 languages – and 4 new video lessons are added a month!  
  • Plug-and-play or customizable phishing training campaign kits with new kits released regularly 
  • Easy, automated training delivery through individual user portals 

Dark Web Monitoring 

Dark Web ID makes it easy for you to offer your clients best-in-class protection from dark web credential compromise risk that could be a fast pass to a data breach. An estimated 60% of data breaches involved the improper use of credentials in 2021.  

  • 24/7/365 monitoring using real-time, analyst validated data  
  • Fast alerts to compromises of business and personal credentials, including domains, IP addresses and email addresses  
  • Channel-leading performance and innovation

Plus, partnering with ID Agent gives you access to the best sales enablement program in the industry through Kaseya Powered Services. Learn more! 

Schedule your demo of Dark Web ID and BullPhish ID now.  

Don’t just take our word for it, see what these MSPs have to say:

It’s a bird, it’s a plane, it’s your revenue rising into the stratosphere with 6 Power-Ups That Will Make You a Sales Superhero. GET IT>>

Mar 30 – 31: Cybersecurity Expo REGISTER NOW>> 

Apr 5: The 3 in 1 Secure Access Management Powerhouse REGISTER NOW>>

Apr 5: The Must-Haves for Your MSP’s Insider Risk Protection Strategy REGISTER NOW>>

Apr 6: GlueTalks: Sales & Marketing REGISTER NOW>>

Apr 12: How Nation-State Cybercrime Affects Your Business REGISTER NOW>>

Jun 20-23 – Connect IT Global in Las Vegas REGISTER NOW>>

 Incident Response Planning Now Saves Headaches (and Money) Later 

Have you completed an incident response plan for your organization? If not, you’re missing out on amazing benefits! Incident response planning is the secret to better security success now and later without breaking the bank.  

One reason for that is that making and testing an incident response plan often uncovers unexpected vulnerabilities and potential compliance issues, giving organizations the chance to fix them before they become major problems.  

It’s extremely effective. Just under 40% of organizations in an IBM study with a formal, tested incident response plan experienced an incident, compared to 62% of those who didn’t have a plan. Grab this advantage for your organization with expert help from your MSP and reap the rewards fast. 

Do you have comments? Requests? News tips? Compliments? Complaints (or compliments)? We love to hear from our readers! Send a message to the editor.

ID Agent Partners: Feel free to reuse this post (in part or in its entirety) When you get a chance, email [email protected] to let us know how our content works for you!

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!