September '22 Corvus Policyholder Update

Our takeaways from the Uber breach, a deeper look at CVES, & more.

A friendly reminder that it’s PSL (pumpkin spice latte) season. We know it, you probably know it, and, uh, threat actors know it? In a classic turn of events — cybercriminals ruining our mood — Starbucks Singapore experienced a breach this month impacting 219,000 of its customers. 

Starbucks Singapore alerted its customers that the following information may have been stolen: names, mobile numbers, emails, birthdays, and residential addresses. The breach is only consequential to customers who have shopped at any of the chain’s 125 Singapore stores.

While we ponder if anything is sacred, keep reading for more cybersecurity trends and tips from the pros:

Risk + Response Tips 

Security tips and service updates from VP of Risk + Response Lauren Winchester

We talk about Common Vulnerabilities and Exposures (CVEs) a lot (one might call it a passion). If you scroll down to the Threat Alert portion of the newsletter, you’ll see which ones we think are most pertinent to you. But before that, a quick CVE refresher. What’s in a name?


[SMART INSURANCE DIAGRAM] Common Vulnerabilities and Exposures (CVEs)

The CVE number, identifier, or sometimes called ID, is the publicly referenced identifier assigned to a vulnerability and looks something like this: CVE-2022-38005.

  1. All CVE’s begin with the “CVE” prefix denoting that it’s a vulnerability and part of the CVE database.
  2. The second section contains the year that the CVE was assigned.
  3. The third number is sequential and gives each CVE a unique value for a given year.

Together the three parts comprise a unique identifier for a vulnerability. In this case, CVE-2022-38005 tells us: 1) this is a vulnerability that is part of the CVE database, 2) it was added to the database in 2022, 3) it has a unique identifying signature.

Still wondering: “What is a CVE, exactly?” Get all the details here.

CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz

Ride-sharing service Uber announced that they were responding to a “cybersecurity incident.” Allegedly, the hacker behind the attack is an 18-year-old who gained access to company systems through social engineering. How did it happen? (Spoiler: It looks a little familiar to the Cisco breach). 

  1. The hacker used a popular tactic known as “MFA fatigue.” After sending a flurry of MFA push notifications to a targeted employee, the attacker reached out through WhatsApp and claimed to work for Uber IT. The message was straightforward — approve the login, and the notifications will stop.
  2. Once gaining credentials, the threat actor logged into Uber’s internal network via the corporate VPN. As they scanned for sensitive information, they found a PowerShell script containing admin credentials to the privileged access management vault — the tool used to store credentials to many internal and external tools and applications. This provided the attacker even more administrative credentials to internal systems and tools.
  3. The hacker announced the breach through Uber’s Slack server. It has been described as a “total compromise,” which as self-reported by the attacker, includes the following systems: Amazon Web Services, Duo, GSuite, OneLogin, Slack, and VMware.

Our takeaways: A theme you may have noticed for the past few months is an emphasis on MFA, specifically on where it can fall short. That’s not to say it isn’t an important value-add to security — we will shout our appreciation for MFA implementation from the rooftops! — but threat actors continue to find workarounds to bypass popular security measures (kind of like their livelihoods depend on it). 

  • The last man standing. As we see more examples of cybercriminals stealing session cookies or prompt bombing victims, we also see more situations where the user is left as the primary defense mechanism. If the last thing standing between your organization and a breach is an unrealistic expectation for your employees to not make mistakes, then you have room to improve your security posture (as we all do!).
  • An emphasis on FIDO2 solutions. FIDO2 brings additional security that significantly improves the security posture of your MFA solution by binding the MFA factor to a legitimate website, so phishing sites won’t trick users and it binds MFA to a session, so threat actors can’t steal the session cookie.

Power to the people (and phishing-resistant MFA). The most secure approach is combining a phishing-resistant MFA solution with up-to-date user education on social engineering attacks.

Monthly Alerts


Threat Alerts

What to watch for this month. 


The Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about the following if your organization is at risk, but we’ve gathered the monthly round-up of alerts and updates below:

Magento Vulnerability

On September 22nd, security researchers published a report detailing an uptick in threat actors compromising vulnerable instances of the Magento Open-Source and Adobe Commerce e-commerce platform. Read more about the vulnerability here.

ICYMI - the September Threat Intel Updates

This newsletter and its contents are intended for general guidance and informational purposes only. This newsletter is under no circumstances intended to be used or considered as specific insurance or information security advice.