1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

3/15/2021

0 Comments

Canada Revenue Agency (CRA) Locks Out 800,000 Accounts

 
Canada Revenue Agency data breach

Canada Revenue Agency (CRA) Locks Out 800,000 Accounts 

The Canada Revenue Agency (CRA) recently revoked 800,000 CRA user IDs and passwords. According to the CRA, the IDs and passwords “may have been obtained by unauthorized third parties” or “have been identified as being available to unauthorized individuals.”

“Out of an abundance of caution, and to prevent unauthorized access to these accounts, the CRA took swift action to lock these accounts,” CRA said in a statement. “The total number of accounts impacted is roughly 800 thousand.”

The Agency said the revocation of the hundreds of thousands of CRA user IDs and passwords wasn’t a result of a breach of CRA’s online systems. The Agency attributed the cause of the revocation to external causes, including email phishing schemes or third-party data breaches. “We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches,” CRA said.

Past Data Breach

In August 2020, the Government of Canada, through the Treasury Board of Canada Secretariat, issued a statement about the data breach on the Canadian Government's GCKey – a system used by 30 Canadian federal departments as a single sign-on (SSO) system to access government services. GCKey is particularly used to access the CRA accounts.

According to the Treasury Board of Canada Secretariat, out of the nearly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to access government services. The Treasury Board of Canada Secretariat added that out of the total number of accounts fraudulently accessed by the attackers, nearly 5,500 CRA accounts were fraudulently accessed.

Tests conducted by BleepingComputer on CRA’s web portal showed that multi-factor authentication and security CAPTCHA (short for Completely Automated Public Turing Test To Tell Computers and Humans Apart in use) weren't enabled. "When signing-in from a new computer, the user would be asked a security question (e.g. pet's name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS)," BleepingComputer said.

In a press conference in August 2020, Marc Brouillard, acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that at one point, the CRA web portal was attacked by a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing". Brouillard said the attackers bypassed the CRA security questions and fraudulently access CRA accounts by exploiting a vulnerability in the configuration of security software solutions that the Government of Canada used.

Cyberattack Methods

The acting Chief Technology Officer for the Treasury Board of Canada Secretariat mentioned three methods of attacks used by the attackers in the 2020 CRA web portal data breach: botnet, credential stuffing, and exploitation of a software security vulnerability. The recent cyber incident at the CRA, meanwhile, was attributed to email phishing schemes or third-party data breaches.

Botnet

Botnet, also known as zombie army, is a cyberattack that uses a group of hijacked computers (including IoT devices), each injected with malicious software (malware) and controlled by the attacker from a remote location without the knowledge of the computer's owner.

Credential Stuffing

Credential stuffing is a cyberattack in which an attacker uses a large number of stolen username and password combinations from other websites and tests these stolen credentials to login to other websites. This type of attack is based on the assumption that username and password combinations are typically reused. To scale the process of testing these stolen credentials from one website to another website, botnets are used to automate the process.

Exploitation of Software Security Vulnerability

In the exploitation of software security vulnerability, an attacker exploits either a publicly known software security vulnerability or a security vulnerability that’s only known to the attacker. In most cases, attackers exploit known security vulnerabilities and those with available fix, also known as a patch, as attackers assume that users delay the application of the available patch.

Email Phishing

Email phishing is a type of cyberattack in which the attacker masquerades as a trusted entity, and tricks the victim into opening an email. The email recipient is further tricked into opening a malicious attachment or link, which can lead to the installation of malware on the email recipient’s computer, enabling the attacker to conduct malicious activities on the email recipient’s computer. Activities could include stealing of sensitive information.

Third-Party Data Breaches

Third-party data breach, also known as supply chain attack, is a type of cyberattack in which an attacker infiltrates the systems of the initial victim with the end goal of infiltrating the customers of the initial victim.

Cybersecurity Best Practices

As exemplified in the August 2020 data breach at the CRA and the recent cyber incident at the CRA, attackers are employing not just one but multiple attack methods in order to compromise their target. Below are some of the best practices in order protect your organization from the above-mentioned cyberattack methods:

  • Use CAPTCHA
  • Use multi-factor authentication (MFA)
  • Use Web Application Firewall – allowing legitimate traffic and preventing malicious traffic
  • Keep all software up to date
  • Train employees to be on guard of suspicious emails
  • Practice network segmentation – a practice in which a network is subdivided into sub-networks. This ensures that if anything bad happens to a sub-network, the other sub-networks won’t be affected.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit