Rewterz Threat Update – D-Link Employee Targeted in Phishing Attack Resulting in Data Breach

Severity

High

Analysis Summary

Taiwan’s networking equipment manufacturer D-Link has recently confirmed a data breach linked to a phishing attack that resulted in stolen data from its network that was put up for sale on the dark web earlier this month.

The threat actor claims to have stolen the source code for the D-View network management software as well as millions of data entries with personal information of employees and customers, which also includes the details of the company’s CEO.

“This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company,” the attacker mentioned.

The company stated that the stolen data was confirmed to not be from the cloud but instead it was from an old D-View 6 system, which was abandoned since 2015. This data was used for registration purposes, and so far, there is no evidence that it contained any user IDs or financial information.

The attacker provided samples of 45 stolen records with timestamps dating between 2012 and 2013, which confirms that the data is old. This stolen information has been up for sale on the dark forum since 1^st October and the threat actor demands $500 for it and the alleged D-View source code.

D-Link contradicts the attacker’s claims of having stolen millions of users’ data by saying that the compromised system contained roughly 700 records with outdated information. However, they have shut down the potentially affected servers and disabled almost all the user accounts that were used during the investigation.

They further add that the data breach occurred due to an employee becoming a victim to a phishing attack, which ended up granting access to the threat actor to the company’s network. D-Link also specified that the attacker accessed a product registration system, described as a “test lab environment” which was operating on an outdated D-View 6 system and had already expired in 2015.

It is suspected that the intruder tried to tamper with the recent login timestamps to make it look like a recent data theft. All in all, the company is sure that most of its existing customers are not going to be impacted by this incident.

Impact

• Sensitive Data Theft
• Unauthorized Access

Remediation

• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards