Canada Revenue Agency shuts down after cyberattack – hacked login credentials at fault

A series of cyberattacks targeting the Canada Revenue Agency has led to a shutdown of services after thousands of accounts were breached.

The attack follows two recent trends:

  • Cybercriminals across the world are increasingly targeting government institutions to maximise disruption.
  • Usernames and passwords continue to be an inefficient and failing defense mechanism for protecting accounts. With the proliferation of stolen PII (Personally identifiable information) for sale on the dark web, cybercriminals can fraudulently hack into accounts with relative ease and access government services.
EXPERTS COMMENTS
Chloé Messdaghi, VP of Strategy,  Point3 Security
August 18, 2020
The ability of attackers to use the same usernames and passwords that were harvested previously is a key factor.
Canada has been dealing with cyber-attacks recently, and this is the third attack on the Canadian Revenue Agency, which in addition to collecting taxes provides urgently needed access to COVID-19 relief programs, veteran’s programs, and a broad array of services to citizens. Canada has a strong history of infosec responsibility. The most recent attack resulted from a software vulnerability that ....
[Read More >>]
Dan Piazza, Technical Product Manager,  Stealthbits Technologies
August 18, 2020
Users shouldn’t leave themselves so vulnerable by reusing passwords across the internet.
This attack was due to “credential stuffing”, which is the practice of automatically injecting breached username/password combos into other services with hopes of gaining access to user accounts. Certainly, it’s not a user’s fault when a service they’re registered with is breached, however, the bigger issue here is password reuse. If users aren’t reusing passwords between services, the ....
[Read More >>]
Saryu Nayyar, CEO,  Gurucul
August 18, 2020
These attacks are possible because people will often reuse credentials.
There are several lessons to be learned from this attack against Canadian government sites. Here, the attackers are using credentials acquired in other breaches to try and access government systems. It's easy for a site to identify the flood of failed logins, but it can be hard to separate legitimate users accessing the site from the attackers using stolen credentials. It may be easy for an int ....
[Read More >>]
Mounir Hahad, Head ,  Juniper Threat Labs, Juniper Networks
August 18, 2020
Credentials reuse is a big issue.
Credentials reuse is a big issue getting a lot of smart people to think about getting rid of passwords as an authentication method altogether. But we’re not there yet, so I’m glad the government of Canada was able to spot the brute force attempt quickly. Can you imagine if this was perpetrated slowly over months instead of hours? It is possible that the attack would go undetected. ....
[Read More >>]
Jason Soroko, CTO of PKI,  Sectigo
August 18, 2020
Attackers who had already obtained usernames/passwords are simply reusing them for the same users.
The breach appears to be the result of ‘credential stuffing.’ Attackers who had already obtained usernames/passwords are simply reusing them for the same users for their government accounts. The bottom line is that usernames and passwords are not a safe method for authentication. It is unfortunately common for consumers to reuse passwords for everything from social media to banking or tax acco ....
[Read More >>]

