Commentary and insights from Mark Sangster, Vice President and industry security strategist at eSentire, discussing the Reddit hack, in which Reddit channels were compromised and defaced to display messages supporting Donald Trump’s re-election campaign.
The Reddit Hack
“The Reddit hack follows on the heels of hacks against specific, high-profile Twitter accounts and YouTube. Similar to the Twitter attack, the Reddit cyber assault appears to target numerous high-profile subreddits (special-interest channels).
Like all cyber attacks, the details slowly emerge. Without direct line of sight, it is difficult to determine root cause and factors. However, mismanaged data dumps, stolen credentials through harvesting, and tricking insiders into relinquishing credentials are top methods.
Given that moderator accounts appear to be hacked, this is likely the result of a concentrated phishing campaign to harvest the credentials of Reddit moderators with privileges to change and modify their specific subreddits. It’s a tried and tested method used by cyber criminals and activists. It starts with cultural engineering, posing as an industry or business insider, to circumvent traditional trust controls and establish instant rapport. Once the attacker is assumed to be an insider, targets relax their guard and often fall prey. It demonstrates an investment on the part of the criminal to learn the jargon, procedures and ecosystem of the target industry or entity.
In the case that non-public systems or accounts were tampered with, it reeks of what we call hands-on-keyboard attacks. Once the legitimate credentials are stolen, they are used to access the business through the security controls, such as encrypted private networks and remote access tools. Once inside, these doppelgangers create new accounts with privileged administrative rights, and move around the system as any legitimate employee would. This is called living-off-the-land and it’s extremely hard to detect with the naked eye. It takes detailed scrutiny, at the microscopic level, to detect and stop.
The Risks Of Carrying Politically-Charged Content
This serial attack on social outlets highlights the risks of carrying politically-charged content. Even as agnostic news aggregators and carriers, organizations that provide platforms for free speech and political content are likely to be targeted more frequently leading up to the U.S. presidential election this year. While the Twitter hackers were arrested last week, it’s clear that their tools and methodologies have been shared and made an impression on the hacker community, are easy to use, and will be tested more frequently against major platforms.
We are likely in for a bumpy ride when it comes to misinformation, subversion and tampering in this election season. This establishes a new norm to which we have to adapt, and seek new ways to assess candidates and establish what we consider the facts. It seems virtual reality is less about avatars, simulated senses, and alien worlds and instead, it’s about the Black Mirror world of liquid identities, fluid facts and nebulous truths. In essence, this virtual world has less and less substance to which we can anchor our values and assess our options.
What’s worse, Reddit has a history of being hacked, and was called out for not having multi-factor authentication (MFA), considered a table stake of cybersecurity. Assuming the organization adjusted its program to include MFA and other security improvements, it becomes imperative to publicly establish root causes and contributing factors so other firms can learn from this event and avoid the same fate.
How Organizations Can Reduce Risk
Organizations can reduce their risk by taking the following steps:
- Evaluate your participation in high-risk activities or associations (politically charged topics, products or clients, locations in destabilized regions, etc.) and consider how to address the risk through cybersecurity programs.
- Do the basics: proper password hygiene paired with multi-factor authentication, encrypt data and remote connections (use a VPN), use Identity and Access Management (IAM) tools to further control user privileges, and restrict administrative rights.
- Consider using Privileged Access Management (PAM) to further restrict and monitor administrative activities and remove privilege from basic password-based security.
- Heighten monitoring of sensitive information and high profile employees.
- Restrict access to sensitive information about the high-profile client.
- Ask yourself: Is the business worth the cyber risk? Sometimes it’s not.”
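As an added illustration, not part of Mark Sangster’s commentary or of any eSentire tooling, the script below shows the kind of detailed scrutiny the commentary calls for against the “create a privileged account and move around” pattern: it correlates account-creation, privileged-group-membership and logon events and flags a newly created account that was made an administrator within a short window and then used on several hosts. The event records, field names and host names are constructed for this example and only loosely resemble Windows Security audit events; they are not a real log schema.

```python
"""Flag newly created accounts that are granted administrative rights
shortly after creation and then used to log on elsewhere.

Event records are CONSTRUCTED for this example and loosely shaped like
Windows Security audit events (4720 = user account created,
4732 = member added to a security-enabled local group,
4624 = successful logon). Field names are assumptions, not a real schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    {"time": "2020-08-07T02:11:05", "id": 4720, "target": "svc-backup2",
     "actor": "jdoe", "host": "DC01"},
    {"time": "2020-08-07T02:11:40", "id": 4732, "target": "svc-backup2",
     "group": "Administrators", "actor": "jdoe", "host": "DC01"},
    {"time": "2020-08-07T02:15:12", "id": 4624, "target": "svc-backup2",
     "host": "FILESRV03", "logon_type": 10},
    {"time": "2020-08-07T02:20:44", "id": 4624, "target": "svc-backup2",
     "host": "WEB02", "logon_type": 10},
    # Benign: a normal new account that is never elevated.
    {"time": "2020-08-06T10:02:00", "id": 4720, "target": "new.hire",
     "actor": "hr-admin", "host": "DC01"},
    {"time": "2020-08-06T10:05:00", "id": 4624, "target": "new.hire",
     "host": "WS-114", "logon_type": 2},
]

# Group names whose membership we treat as privileged (assumed list).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def find_fast_elevations(events, window=timedelta(hours=24)):
    """Return {account: record} for accounts that were created and then
    added to a privileged group within `window`, including the hosts the
    account logged on to after the elevation."""
    created = {}
    for event in sorted(events, key=lambda e: e["time"]):
        when = parse_time(event["time"])
        account = event["target"]
        if event["id"] == 4720:
            # Remember who created the account and when.
            created[account] = {"created": when, "creator": event["actor"],
                                "elevated": None, "elevated_by": None,
                                "logons": []}
        elif event["id"] == 4732 and event.get("group") in PRIVILEGED_GROUPS:
            rec = created.get(account)
            if rec and rec["elevated"] is None and when - rec["created"] <= window:
                rec["elevated"] = when
                rec["elevated_by"] = event["actor"]
        elif event["id"] == 4624:
            rec = created.get(account)
            # Only logons after the elevation are interesting here.
            if rec and rec["elevated"] is not None and when >= rec["elevated"]:
                rec["logons"].append(event["host"])
    return {acct: rec for acct, rec in created.items() if rec["elevated"] is not None}


def summarize(findings):
    """Render findings as one alert line per account, for a ticket or SIEM."""
    lines = []
    for acct, rec in sorted(findings.items()):
        minutes = int((rec["elevated"] - rec["created"]).total_seconds() // 60)
        hosts = ", ".join(rec["logons"]) or "none"
        lines.append(
            f"ALERT new account {acct} created by {rec['creator']} was made "
            f"privileged by {rec['elevated_by']} after {minutes} min; "
            f"subsequent logons: {hosts}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(find_fast_elevations(SAMPLE_EVENTS)):
        print(line)
```

The detection is deliberately narrow: it only fires when creation, elevation and use occur together in a short window, which is the sequence a stolen-credential operator leaves behind and a normal onboarding rarely does. In production the same correlation would be run over the identity provider’s or domain controller’s real audit stream, and the privileged-group list and window would be tuned to the environment.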