
A Popular Social Media Site May Have Been Compromised

  • Was there in fact a breach?
  • If so, what was the impact?
  • How can they strengthen their defenses for the future?
Let’s explore the incident and Unit 42’s expert approach.

Rising to the Challenge

A popular social media site had reason to believe it had inadvertently exposed a significant amount of customer data.

The company needed to bring in a third-party investigation firm to determine:

  • What happened
  • The scope of potential exposure
  • How to properly secure the site’s servers

Enter Unit 42

The First Steps

The Unit 42 team validated that a database was indeed exposed.

Findings:
Anyone who found the port could query the data, which contained personally identifiable information (PII).

The port was exposed following a database configuration change. The database was configured to log only errors, not successful queries.

Additionally, there were no firewalls, load balancers or other network infrastructure in place that could have logged access to the database.

In Unit 42 cases:

45%

of inadvertent disclosure events resulted in a breach determination in 2019, exposing 713K individuals’ records per incident on average.

Finding a Solution

Faced with a lack of data, the Unit 42 team had to be creative

By “living off the land” (finding tools that already exist in the client environment), Unit 42 identified Datadog, a third-party utility used to track server metrics. Datadog tracks processor and memory usage, disk errors, and daily network bandwidth (bytes transmitted and received).

Logs are retained for this client for more than a year, covering the window of exposure and giving Unit 42 a baseline of what “normal” looks like for six months prior to the exposure.

IT Industry:

IT was the largest industry represented in Unit 42’s inadvertent disclosure cases in 2019, representing 18% of these types of cases.

In-Depth Analysis

Datadog logs showed that network usage remained consistent during the window of exposure.

There was a large spike at the end, representing Unit 42’s queries into the database as they were identifying its contents. It is not uncommon for an attacker to perform this type of identification when they gain access to a database.

Unit 42 did not identify any other spikes during the period Datadog covered, leading the team to believe that a threat actor had not accessed the data. Unit 42 validated this finding using the “atop” tool included in many Linux distributions.

Conclusion

Collectively, these findings helped the client and their legal counsel draw conclusions on their breach notification obligations.

Ultimately, these findings were central to avoiding a substantial data notification effort. Because of Unit 42’s “extra mile” efforts, the team was able to not only provide insight into the likelihood of a breach, but also save a company from significant disclosure and regulatory scrutiny.

Unit 42 provided the client much-needed peace of mind that their customer data was secure and helped them to become more secure in the future.

How can Unit 42 help?

Learn more about our expert services today.
