There is a lot to learn from Reddit's recent data breach, which was the result of an employee falling for a “sophisticated and highly-targeted” spear phishing attack.
I spend a lot of time talking about phishing attacks and the specifics that closely surround that pivotal action taken by the user once they are duped into believing the phishing email was legitimate.
However, there are additional details about the attack we can analyze to see what kind of access the attacker was able to garner from this attack. But first, here are the basics:
According to Reddit, an attacker set up a website that impersonated the company’s intranet gateway, then sent targeted phishing emails to Reddit employees. The site was designed to steal credentials and two-factor authentication tokens.
There are only a few details from the breach, but the notification does mention that the threat actor was able to access “some internal docs, code, as well as some internal dashboards and business systems.”
Since the notice does imply that only a single employee fell victim, we have to make a few assumptions about this attack:
- The attacker had some knowledge of Reddit’s internal workings – The fact that the attacker can spoof an intranet gateway shows they had some familiarity with the gateway’s look and feel, and its use by Reddit employees.
- The targeting of victims was limited to users with specific desired access – Given the knowledge about the intranet, it’s reasonable to believe that the attacker(s) targeted users with specific roles within Reddit. From the use of the term “code,” I’m going to assume the target was developers or someone on the product side of Reddit.
- The attacker may have been an Initial Access Broker – Although Reddit is downplaying the access that was gained, they also mention that no production systems were accessed. This makes me believe that this attack may have been focused on gaining a foothold within Reddit rather than penetrating more sensitive systems and data.
There are also a few takeaways from this attack that you can learn from:
- 2FA is an important security measure – Despite the fact that the threat actor collected and (I’m guessing) passed the credentials and 2FA details on to the legitimate intranet gateway—a classic man-in-the-middle attack—it’s far better to have MFA in place than to have no additional authentication factors at all.
- Employees play a major role in organizational cybersecurity – Reddit mentions that “soon after being phished, the affected employee self-reported, and the security team responded quickly, removing the infiltrator’s access and commencing an internal investigation.”
Users who are aware of how important they are in keeping the organization secure – something taught through continual security awareness training – can truly make the difference. With so many attacks involving threat actors lying undetected for literally months, it’s refreshing to hear about an attack where the threat actor was cut off quickly by the swift thinking of a user who knew exactly what to do once they realized they had been tricked.
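To make the 2FA takeaway concrete, here is an added example (not from the original post) that models why a one-time code captured on a spoofed gateway and relayed to the real one is accepted, while an origin-bound factor such as a WebAuthn assertion is rejected. The origins, secrets and the HMAC stand-in for the authenticator's signature are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo values; no real secrets or hostnames.
TOTP_SECRET = b"constructed-shared-secret"
REAL_ORIGIN = "https://intranet.example.com"   # assumed legitimate gateway origin
PHISH_ORIGIN = "https://intranet-example.com"  # assumed lookalike site (constructed)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def gateway_accepts_totp(submitted_code: str, unix_time: int) -> bool:
    """The real gateway checks the code against the shared secret and time only.
    Nothing in a TOTP code records which site the user typed it into, so a code
    captured on the lookalike site and forwarded within the window is accepted."""
    return hmac.compare_digest(submitted_code, totp(TOTP_SECRET, unix_time))


# Origin-bound (WebAuthn-style) assertion. The authenticator signature is modelled
# with HMAC under a device key; the real protocol uses an asymmetric key pair,
# but the origin check the relying party performs is the same.
DEVICE_KEY = b"constructed-authenticator-key"


def _sign(client_data: str) -> str:
    return hmac.new(DEVICE_KEY, hashlib.sha256(client_data.encode()).digest(),
                    hashlib.sha256).hexdigest()


def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """The browser, not the user, records the origin it is actually on."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True)
    return {"clientData": client_data, "signature": _sign(client_data)}


def gateway_accepts_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks: challenge matches, origin is ours, signature valid."""
    data = json.loads(assertion["clientData"])
    return (data.get("challenge") == expected_challenge
            and data.get("origin") == REAL_ORIGIN
            and hmac.compare_digest(assertion["signature"],
                                    _sign(assertion["clientData"])))
```

An assertion signed while the browser sits on the lookalike origin fails the origin check even though the signature itself is valid, which is why phishing-resistant MFA closes the relay the article describes.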