News is breaking that AMD suffered a data breach on January 5th at the hands of a new threat actor, RansomHouse, which claims that over 450GB of sensitive data was stolen.
TechCrunch reported that a portion of the stolen data suggested that AMD employees may have been using passwords such as “password,” “123456” and “Welcome1.” In fact, RansomHouse boasted on its own data leak site about the sad fact that, “technology giants like AMD use simple passwords to protect their networks from intrusion,” gloating that “these real passwords (are) used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on – all thanks to these passwords.”
AMD has not yet disclosed whether a ransom was demanded or paid, which systems were targeted, or whether customer data was accessed.
We’ve gathered commentary from top security experts who shared their insights on how this will influence security efforts both here and internationally.
Gorka Sadowski, chief strategy officer, Exabeam
“No matter how robust your security stack is, your organization will still be vulnerable to incidents stemming from compromised credentials. In this case, RansomHouse claims to have compromised AMD due to the use of weak passwords throughout the organization. According to the latest Verizon DBIR, over 80% of breaches involve brute force or the use of lost or stolen credentials. Credentials are interesting assets for bad actors, both to initially access an organization or to establish persistence. Proper training, feedback loops, visibility, and effective technical capabilities are the keys to defending against attacks caused by compromised credentials. A helpful defender capability is the development of a baseline for normal employee behavior that can assist organizations with identifying the use of compromised credentials and related intrusions. If you can establish normal behavior first, only then can abnormalities be known – a great asset in uncovering unknowingly compromised accounts.”
Neil Jones, director of cybersecurity evangelism, Egnyte
“The alleged data breach of chipmaker AMD by RansomHouse is a stark reminder of the ongoing importance of an effective password management program. For as long as I can remember, easily-guessed passwords such as 123456, qwerty and password have dominated the global listing of most commonly-used passwords, and they are undoubtedly in use in many corporate settings. Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization’s remote access solution and view corporate users’ ID details. Key components of an effective password management program include the following:
1) Employee education about the significance of password safety, social engineering awareness and spear-phishing avoidance.
2) Establishment of mandatory password rotations, including forcing employees to change their passwords on a routine basis.
3) Revisiting your company’s account lockout requirements, to ensure that users’ access is immediately disabled after multiple failed login attempts.
Finally, it is also a reminder that cyber-attackers are increasingly making claims of attacks — whether proven or unproven — to proactively generate payouts from organizations. You need to have a plan in place now for that future inevitability.”
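Two of the components above, screening passwords against a list of commonly used ones and locking an account after repeated failures, are concrete enough to show in code. The following is an added example written for this page, not code from any of the commentators or from AMD; the banned-password set is a constructed sample standing in for a real breached-password corpus, and the hypothetical `LockoutPolicy` thresholds are illustrative defaults.

```python
from __future__ import annotations

from collections import defaultdict

# Constructed banned-password sample for this example. A real deployment
# screens against a breached-password corpus (for instance an offline copy
# of the Have I Been Pwned list) rather than a hand-written set.
BANNED_PASSWORDS = {
    "password", "123456", "welcome", "welcome1", "qwerty", "letmein", "admin",
}
# Characters users typically append to a dictionary word to satisfy
# complexity rules ("Welcome1!", "Password2022"). Stripping them before the
# lookup catches those variants as well as the bare word.
TRAILING_PADDING = "0123456789!@#$%^&*."


def password_is_acceptable(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Screen a candidate password in the spirit of NIST SP 800-63B: reject
    anything on the banned list (also after normalising common padding) and
    anything shorter than min_length. Returns (ok, reason)."""
    lowered = password.lower()
    stripped = lowered.rstrip(TRAILING_PADDING)
    if lowered in BANNED_PASSWORDS or stripped in BANNED_PASSWORDS:
        return False, "on banned-password list"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


class LockoutPolicy:
    """Lock an account after max_failures failed logins inside window_seconds,
    for lockout_seconds. State is keyed by username, so a credential-stuffing
    run that spreads guesses across many accounts still trips the per-account
    limit on each account it touches."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 1800) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures: dict[str, list[float]] = defaultdict(list)  # user -> failure times
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login at time `now` (seconds). Returns True if the
        account is, or has just become, locked."""
        if self.is_locked(user, now):
            return True
        recent = [t for t in self._failures[user] if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = []
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Register a correct password at time `now`. A correct guess during the
        lockout window is still refused (returns False); otherwise the failure
        counter is cleared and the login is allowed (returns True)."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True


if __name__ == "__main__":
    for candidate in ("Welcome1", "Password2022!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "->", password_is_acceptable(candidate))
    policy = LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=300)
    for t in (0, 10, 20):
        print("failure at", t, "-> locked:", policy.record_failure("alice", t))
    print("correct password at t=100 allowed:", policy.record_success("alice", 100))
    print("correct password at t=400 allowed:", policy.record_success("alice", 400))
```

Note that the lockout refuses even a correct password while the window is open; that is what makes the guessing cost real, and it is also why lockout thresholds need to be paired with monitoring, since an attacker can use them to lock legitimate users out on purpose.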
Arti Raman (She/Her), CEO and Founder, Titaniam
“In the recent ransomware attack on AMD, the bad actor group RansomHouse claims it has stolen 450GB of sensitive data, stating that AMD’s password practices were abysmal and that it used simple credentials to get in. While practicing a more pointed password protocol is important, to truly minimize the risk of potential extortion and minimize lost clear text data, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is the only option for ransomware protection.
“Utilizing data-in-use encryption technology provides unmatched immunity. Should adversaries break through perimeter security infrastructure and access measures, data-in-use encryption keeps the sensitive data encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”
Aaron Sandeen, CEO and co-founder, Cyber Security Works (CSW)
“Password and identity management is increasingly becoming an organization’s largest liability, and executives must implement stronger policies that formalize practices that have been proven to work. Routine resets of user credentials and required two-factor authentication are the first necessity for a secured network. It is understated how such a small step can not only insulate one’s own organization but protect clients and users downstream as well.
As organizations continue to improve their cybersecurity posture using advanced defenses such as attack surface management and early warning vulnerability predictions, it is absolutely crucial to institute smart policies that cover the lowest of defenses and most publicly accessible assets.”
Roshan Piyush, Security Research Engineer at Traceable AI
“While ransomware isn’t a new attack method, double extortion is on the rise as hackers seek higher payouts. In this situation, the AMD systems were infiltrated and sensitive files were exfiltrated, then used as leverage. The days of keeping bad actors out with prevention-focused solutions like firewalls are long gone. They will one day find a way in, and organizations like AMD can address this by monitoring behavior on their systems. It’s important to utilize adaptive tools that establish a baseline of how users interact with a network and can flag unusual activity that could be indicative of a malicious attack. There’s a place for prevention today, but it needs to be supported by threat detection to minimize the impact of breach attempts.
To add, as the stolen data suggests, AMD employees were using passwords as simple as ‘password,’ ‘123456’ and ‘Welcome1.’ The attackers could have possibly used credential stuffing (where known or breached credentials from other sources are stuffed on the login page to see which succeeds). It is much less a simple attack and could have been executed by anyone on the internet that can access login entry points to their systems. APIs here play an important role in providing attackers with the access vector, making API observability, monitoring, and rate-limiting important for organizations.”
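Two of the detection ideas raised in the commentary above, a credential-stuffing pattern at a login endpoint (Roshan Piyush) and a per-user baseline that exposes a compromised credential even when the password guess succeeds (Gorka Sadowski and Roshan Piyush), can be run over ordinary authentication logs. The script below is an added example written for this page, not code from any of the commentators, from AMD or from their products; the log lines are constructed for the example, and the `src=... user=... result=...` format, the hypothetical thresholds and the baseline cutoff date are all assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication events for this example (not real AMD logs).
# One day of normal activity, then an early-morning burst from a single
# source walking through many usernames, then a normal user mistyping once.
SAMPLE_LOG = """\
2022-01-04T09:00:01Z src=198.51.100.10 user=alice result=OK
2022-01-04T09:05:12Z src=198.51.100.10 user=alice result=OK
2022-01-04T09:07:40Z src=198.51.100.23 user=bob result=OK
2022-01-04T17:30:00Z src=198.51.100.23 user=bob result=OK
2022-01-05T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-01-05T02:00:02Z src=203.0.113.7 user=bob result=FAIL
2022-01-05T02:00:03Z src=203.0.113.7 user=carol result=FAIL
2022-01-05T02:00:04Z src=203.0.113.7 user=dave result=OK
2022-01-05T02:00:05Z src=203.0.113.7 user=erin result=FAIL
2022-01-05T02:00:06Z src=203.0.113.7 user=frank result=FAIL
2022-01-05T09:01:00Z src=198.51.100.10 user=alice result=FAIL
2022-01-05T09:01:20Z src=198.51.100.10 user=alice result=OK
"""

# Assumed log format: ISO-8601 UTC timestamp, source IP, username, OK/FAIL.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        events.append(rec)
    return events


def detect_credential_stuffing(events: list[dict], window_seconds: int = 60,
                               min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Flag source IPs that try many distinct usernames inside a short window
    with mostly failures. A user mistyping shows one username and a burst of
    failures; a stuffing run shows many usernames tried once or twice each.
    Returns the widest qualifying window per flagged source."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts: dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            failures = sum(e["result"] == "FAIL" for e in window)
            if len(users) >= min_users and failures / len(window) >= min_fail_ratio:
                prev = alerts.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": len(window),
                        "failures": failures,
                        # accounts the attacker actually got into: these need a reset
                        "successes": sorted(e["user"] for e in window if e["result"] == "OK"),
                    }
    return alerts


def baseline_sources(events: list[dict], cutoff: datetime) -> dict[str, set[str]]:
    """Per-user set of source IPs seen on successful logins before `cutoff`:
    the 'normal behaviour' baseline."""
    known: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "OK":
            known[e["user"]].add(e["src"])
    return dict(known)


def successes_from_unknown_sources(events: list[dict], known: dict[str, set[str]],
                                   cutoff: datetime) -> list[tuple[str, str]]:
    """Successful logins after the cutoff from an IP never seen for that user.
    This is the signal that surfaces a correctly guessed weak password, which
    a failure-based detector cannot see."""
    return [(e["user"], e["src"]) for e in events
            if e["ts"] >= cutoff and e["result"] == "OK"
            and e["src"] not in known.get(e["user"], set())]


def analyze(text: str, baseline_cutoff: str) -> dict:
    """Run both detectors over a log; the baseline is built from events before
    baseline_cutoff (ISO-8601 UTC) and applied to events after it."""
    events = parse_events(text)
    cutoff = datetime.strptime(baseline_cutoff, TS_FORMAT)
    known = baseline_sources(events, cutoff)
    return {
        "stuffing": detect_credential_stuffing(events),
        "new_source_logins": successes_from_unknown_sources(events, known, cutoff),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, "2022-01-05T00:00:00Z").items():
        print(key, "->", value)
```

On the sample data the stuffing detector flags only 203.0.113.7 (six usernames in six seconds, five failures), and the baseline check flags dave’s successful login from that address as coming from a source never seen for that account, while alice’s single mistype from her usual address is not reported by either check.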