Forrester Research hacked
Tuesday, October 10, 2017
Research firm admits compromise by hackers, research IP stolen
Research firm Forrester Research has been forced to admit that it recently became the victim of a cybersecurity incident in which hackers accessed restricted-access reports.
The incident follows significant breaches at a slew of top firms in the last month, including Deloitte, the SEC and, of course, the widening Equifax web application leak, which together exposed a wide range of information, from business data to consumer finance records.
The respected research company issued a statement, acknowledging the incident, but claimed that the “attack was limited to research reports made available to Forrester clients on Forrester.com. There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident.”
Steven Peltzman, Chief Business Technology Officer at Forrester Research, continued: “The outside hacker stole valid Forrester.com user credentials that gave the hacker access to Forrester.com. The hacker used that access to steal research reports made available to our clients.”
Ilia Kolochenko, CEO of High-Tech Bridge, said: “In light of tremendous data breaches and large-scale password re-use attacks, such incidents have become pretty common and are not very risky.”
However, Kolochenko urged caution on dismissing the threat too lightly: “There are some hidden dangers to bear in mind. For example, paid customer accounts almost always have access to some exclusive features, the security of which is likely untested due to the complexity of providing demo accounts with real data or similar issues. Thus, such an account provides a wide spectrum of attack vectors to cybercriminals.
“Paid Forrester research is of quite low interest for the attackers, but Forrester clients are very attractive targets. Placing malware or providing wrong technical advice to the customers are probably the most trivial avenues to abuse customers’ trust and breach their corporate networks. This is why research companies from all industries should care about their security and follow the most recent security standards.”
The strategy of compromising a trusted third party in order to gain access to a specific victim organisation is certainly not new, but it has been hitting the headlines recently. Perhaps the most memorable recent case is CCleaner, where a multi-stage malware payload was concealed within an update distributed by anti-virus firm Avast.
That compromise appears to have occurred deep within the company: researchers at Cisco Talos pointed out that, because the malicious CCleaner binary carried a valid digital signature, portions of the development or signing process may have been compromised.
"Given the presence of this compilation artefact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization," the researchers explained.
"It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code," they added.
It seems unquestioning enterprise trust in third parties should be in very short supply at the moment...