The Canada Revenue Agency (CRA) suspended online services after accounts were hit in a 3rd wave of credential-stuffing attacks last weekend, giving attackers access to various government services.
Canadian authorities said almost 15,000 online accounts for various government services have been targeted in 3 recent waves of credential-stuffing attacks.
These accounts could give attackers access to Canadians’ tax-related and benefits information, Coronavirus relief fund money and more.
Credential-stuffing attacks are those in which attackers access accounts using usernames and passwords stolen in earlier breaches.
In a Mon. press meeting, Marc Brouillard, acting CIO of the Government of Canada, said that different govt. accounts have been affected by 3 waves of credential-stuffing attacks since early Aug., the most recent of which occurred this past weekend.
Canada Revenue Agency (CRA)
Attackers compromised 5,500 Canada Revenue Agency (CRA) accounts, which connect to a portal enabling Canadians to view & manage their tax-related and benefits information online. They also targeted 9,041 GCKey accounts, giving access to a portal used by 30 federal departments & 12m Canadians, providing access to online information & government services such as employment, immigration & more.
“Access to all affected accounts has been disabled to maintain the safety & security of taxpayers’ information, and the Agency is contacting all affected individuals & will work with them to restore access to their CRA MyAccount,” according to the govt. of Canada, in a press release this weekend.
Of the 9,041 GCKey accounts that were targeted, a third were used to access various services and are being further examined for suspicious activity, according to the government. These services can include employment services or coronavirus relief funds offered by the Canada Emergency Response Benefit, which offers up to CAN$2,000 to eligible citizens. It must be noted that the internal services of GCKey itself were not compromised, said Brouillard.
Affected GCKey accounts were cancelled as soon as the threat was discovered & departments are contacting users whose credentials were revoked to provide instructions on how to receive a new GCKey.
After the attacks targeting the 5,500 CRA accounts, the Canadian Govt. has disabled services connected to My Account, My Business Account & Represent a Client on the CRA website. On Mon., the authorities said they expect these services to be resumed by Wed.
Also on Mon., government officials revealed that a flaw in the configuration of the security software for CRA accounts allowed attackers to bypass security measures. This defect, which emerged from the security questions in place for the accounts, has now been patched, they commented. However, when asked for further details, Brouillard did not name either the vulnerability or the software involved.
Questions Around Security Measures
Many Canadians reported suspicious activity involving their CRA accounts going back to early August, with some taking to Twitter to say that attackers had modified their direct-deposit information and had utilized their information to apply for fraudulent coronavirus relief.
In a press briefing Mon., Canadian government officials said they 1st notified the Royal Canadian Mounted Police (RCMP) (Canada’s federal policing service) of credential-stuffing attacks on Aug. 11. After the 3rd wave of attacks occurred last weekend, the govt. suspended its online services.
When quizzed as to why Canadians were not informed of the attacks earlier, Brouillard explained “We’re constantly evaluating our security posture & this is an ongoing challenge. This is not a hacker trying to go through a backdoor.
They are going through the system like normal users & it is hard to detect that. We have systems in place to monitor these behaviours. That is when this particular attack was identified.”
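Brouillard’s point is that stuffed logins look like ordinary users, so request-level filtering sees nothing wrong. The signal lives in aggregate behaviour instead: one source trying many distinct accounts with a low success rate. The following is an added illustration, not code from the Canadian government or any vendor named here; the log format and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real CRA/GCKey data).
# One source walks a list of leaked username/password pairs; two others are normal.
SAMPLE_LOG = """\
2020-08-15T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-08-15T02:00:02Z src=203.0.113.7 user=bob result=FAIL
2020-08-15T02:00:03Z src=203.0.113.7 user=carol result=OK
2020-08-15T02:00:04Z src=203.0.113.7 user=dave result=FAIL
2020-08-15T02:00:05Z src=203.0.113.7 user=erin result=FAIL
2020-08-15T02:00:06Z src=203.0.113.7 user=frank result=OK
2020-08-15T02:03:00Z src=198.51.100.2 user=alice result=FAIL
2020-08-15T02:03:30Z src=198.51.100.2 user=alice result=OK
2020-08-15T02:05:00Z src=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log):
    """Parse the constructed log format into (timestamp, src, user, success) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Flag sources that hit >= min_users distinct accounts inside `window`
    with a success rate <= max_success_rate. Each attempt is a well-formed
    login, so breadth across accounts per source is the detection signal."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i in range(len(evs)):  # sliding window anchored at each event
            start = evs[i][0]
            users, successes, total = set(), 0, 0
            for ts, user, ok in evs[i:]:
                if ts - start > window:
                    break
                users.add(user); total += 1; successes += ok
            if len(users) >= min_users and successes / total <= max_success_rate:
                flagged[src] = {"distinct_users": len(users), "success_rate": successes / total}
                break
    return flagged
```

A real deployment would also correlate per-account views, since stuffing is often spread across many source addresses to stay under any per-IP threshold.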
This incident has also put the Canadian govt.’s security measures for online services into some doubt. Bleeping Computer tested the Canadian govt. website & found that many departments had not implemented multi-factor authentication for accessing Canadian services such as CRA or GCKey.
When asked about a lack of two-factor authentication (2FA), Brouillard observed “Some 2FA would have prevented this especially those where you’re required to have a key. But those are challenging, not everyone can have those things. It is a balancing act. We’re looking at ways of strengthening our systems.”
Stopping Credential Stuffing
The users tied to compromised accounts are all being notified of the security incident & all attacks have since been mitigated, authorities said. They encouraged users to ensure that their passwords are up to date. Security researchers for their part also encouraged users to prioritise password hygiene in order to avoid falling victim to credential-stuffing attacks.
“Credential stuffing attacks are undeniably popular and can affect every organisation, regardless of their respective sector or geography, & provide initial access to victim accounts,” Kacey Clark, threat researcher at Digital Shadows, explained. “As credential-stuffing attacks leverage password re-use, users are urged to use complex & unique passwords across all of their accounts.”
Joseph Carson, Advisory CISO at Thycotic, agreed that an important lesson learned is to never reuse passwords, & also counselled that any company offering online services should ensure that security protections, like 2FA, are offered.
“Companies who offer authentication & login to their website must also move away from having a password as the only security control,” he outlined.
“2FA must be enabled for all customers as this reduces the risks of customers who reuse passwords from becoming a victim of a cyber-crime or of credential-stuffing being successful.
Additionally, endorse password managers to help customers make better password hygiene & decisions when creating new accounts & passwords.”