Canada Revenue Agency (CRA) Locks Out 800,000 Accounts
The Canada Revenue Agency (CRA) recently revoked 800,000 CRA user IDs and passwords. According to the CRA, the IDs and passwords “may have been obtained by unauthorized third parties” or “have been identified as being available to unauthorized individuals.”
“Out of an abundance of caution, and to prevent unauthorized access to these accounts, the CRA took swift action to lock these accounts,” CRA said in a statement. “The total number of accounts impacted is roughly 800 thousand.”
The Agency said the revocation of the hundreds of thousands of CRA user IDs and passwords wasn’t a result of a breach of CRA’s online systems. The Agency attributed the cause of the revocation to external causes, including email phishing schemes or third-party data breaches. “We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches,” CRA said.
Past Data Breach
In August 2020, the Government of Canada, through the Treasury Board of Canada Secretariat, issued a statement about a data breach involving the Canadian Government's GCKey, a system used by 30 Canadian federal departments as a single sign-on (SSO) system for access to government services. Among other things, GCKey is used to access CRA accounts.
According to the Treasury Board of Canada Secretariat, out of the nearly 12 million active GCKey accounts in Canada, the usernames and passwords of 9,041 users were acquired fraudulently and used to access government services. Of those fraudulently accessed accounts, the Secretariat added, nearly 5,500 were CRA accounts.
Tests conducted by BleepingComputer on CRA's web portal showed that neither multi-factor authentication nor a CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) was in use. "When signing-in from a new computer, the user would be asked a security question (e.g. pet's name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS)," BleepingComputer said.
In a press conference in August 2020, Marc Brouillard, acting Chief Technology Officer for the Treasury Board of Canada Secretariat, said that at one point the CRA web portal was hit by a large volume of traffic from a "botnet to attempt to attack the services through credential stuffing". Brouillard said the attackers bypassed the CRA security questions and fraudulently accessed CRA accounts by exploiting a vulnerability in the configuration of security software solutions used by the Government of Canada.
The acting Chief Technology Officer for the Treasury Board of Canada Secretariat thus mentioned three attack methods used in the 2020 CRA web portal data breach: a botnet, credential stuffing, and exploitation of a software security vulnerability. The recent cyber incident at the CRA, meanwhile, was attributed to email phishing schemes or third-party data breaches.
A botnet, also known as a zombie army, is a group of hijacked computers (including IoT devices), each infected with malicious software (malware) and controlled by the attacker from a remote location without the knowledge of the computer's owner; attackers use botnets to carry out attacks at scale.
Credential stuffing is a cyberattack in which an attacker takes a large number of username and password combinations stolen from other websites and tests them against the login of a different website. The attack relies on the assumption that people reuse the same username and password combination across sites. To scale the testing of stolen credentials from one website against another, botnets are used to automate the process.
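Added example, not from the article or from the CRA: detection logic that flags both forms of credential stuffing described above (one source cycling through many accounts, and the botnet-distributed form where many sources each try a few accounts) in portal login events, and lists the accounts successfully accessed from a flagged source as candidates for the kind of credential revocation the CRA carried out. The log format, the sample events and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed portal login events (not real CRA data): "timestamp source_ip username outcome"
SAMPLE_LOG = """\
2020-08-10T09:00:01 203.0.113.5 alice FAIL
2020-08-10T09:00:02 203.0.113.5 bob FAIL
2020-08-10T09:00:02 203.0.113.5 carol FAIL
2020-08-10T09:00:03 203.0.113.5 erin OK
2020-08-10T09:00:10 198.51.100.7 frank FAIL
2020-08-10T09:00:11 198.51.100.8 grace FAIL
2020-08-10T09:00:11 198.51.100.9 heidi FAIL
2020-08-10T09:00:12 198.51.100.10 ivan FAIL
2020-08-10T09:00:12 198.51.100.11 judy OK
2020-08-10T09:05:00 192.0.2.20 alice FAIL
2020-08-10T09:05:09 192.0.2.20 alice OK
"""

def parse_log(text):
    """One event per line -> (epoch_seconds, ip, user, success) tuples."""
    return [(datetime.fromisoformat(ts).timestamp(), ip, user, out == "OK")
            for ts, ip, user, out in (line.split() for line in text.splitlines())]

def single_source_stuffing(events, min_users=4):
    """Classic stuffing: one source cycling through many distinct usernames."""
    users_by_ip = defaultdict(set)
    for _, ip, user, _ in events:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}

def distributed_stuffing(events, window=60, min_ips=5, min_fail_ratio=0.7):
    """Botnet-style stuffing: many sources each trying a few accounts; returns IPs seen in flagged windows."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[int(ev[0] // window)].append(ev)
    flagged = set()
    for evs in buckets.values():
        ips = {ev[1] for ev in evs}
        users = {ev[2] for ev in evs}
        fail_ratio = sum(not ev[3] for ev in evs) / len(evs)
        # Many hosts, almost every attempt against a different account, and mostly failing
        if len(ips) >= min_ips and len(users) >= 0.9 * len(evs) and fail_ratio >= min_fail_ratio:
            flagged |= ips
    return flagged

def accounts_to_lock(events):
    """Accounts that logged in successfully from a flagged source: revoke their credentials."""
    suspicious = single_source_stuffing(events) | distributed_stuffing(events)
    return {user for _, ip, user, ok in events if ok and ip in suspicious}
```

The legitimate user retrying one account from 192.0.2.20 is not flagged by either rule, so a successful login there is left alone.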
Exploitation of Software Security Vulnerability
In the exploitation of a software security vulnerability, an attacker exploits either a publicly known vulnerability or one known only to the attacker. In most cases, attackers exploit known vulnerabilities for which a fix, also known as a patch, is already available, on the assumption that users delay applying it.
Email phishing is a type of cyberattack in which the attacker masquerades as a trusted entity and tricks the victim into opening an email. The recipient is then tricked into opening a malicious attachment or link, which can lead to the installation of malware on the recipient's computer, enabling the attacker to conduct malicious activities on it, such as stealing sensitive information.
Third-Party Data Breaches
A third-party data breach, also known as a supply chain attack, is a type of cyberattack in which an attacker infiltrates the systems of an initial victim with the end goal of reaching that victim's customers.
Cybersecurity Best Practices
As the August 2020 data breach at the CRA and the recent cyber incident at the CRA show, attackers employ not just one but multiple attack methods to compromise their target. Below are some best practices to protect your organization from the above-mentioned cyberattack methods:
Steve E. Driz, I.S.P., ITCP