Opening Day for MLB Cyber Attacks

The 2022 Major League Baseball season is set to kick off next week, which means fans everywhere are trying to gauge how their team stacks up to the competition. To prepare for the season, Wapack Labs has skipped the analysis of batting averages, RBIs, and on-base percentages in favor of measuring each team's cybersecurity posture.

Horizon Actuarial Services, LLC provided notice regarding a data privacy incident that occurred on 12 November 2021. The incident involved the theft of data including names, birthdates, Social Security numbers, and health plan information. Attackers gained access to two of Horizon Actuarial's servers between 10 November and 11 November of 2021. After receiving an email from an account claiming to be the attacker, Horizon Actuarial contacted local law enforcement and began investigating to determine the validity of the attacker's claims. The affected plans include the Local 295 IBT Employer Group Welfare Fund and the Major League Baseball Players Benefit Plan.

Notice of the event was sent to the Plans on 13 January 2022, and notifications to affected individuals were reaching mailboxes by 9 March 2022. To prevent further dissemination of the stolen information, Horizon Actuarial paid the attackers on the condition that they delete the data and not distribute it, a promise the company has no way to verify. Further actions to protect clients include offering affected individuals complimentary identity monitoring services to guard against identity theft.

The chart below shows each MLB team's domain and the number of breach-data hits returned by CTAC for the last 90 days.

The attack on Horizon Actuarial and the upcoming baseball season prompted us to check our data collections using the Cyber Threat Analysis Center (CTAC) and RedXray tools from Wapack Labs, to see what they reveal about the security posture of each Major League Baseball team.

Using both CTAC and RedXray, we found information on 28 of the 30 Major League Baseball teams. The information came from the "breach-data" dataset and shows how many credentials from each team's domain were compromised or posted in a data breach on the dark web in the past 90 days.

Although the league has 30 teams, we only had data for 28: the Cleveland Guardians and Seattle Mariners, the two teams missing from our chart, did not appear in our breach-data collections. The Guardians' absence may be due to the team's off-season name change from Indians to Guardians, which would leave older records tied to the former name.

A cursory look at the compromised accounts shows that the majority of the credentials belong to front-office employees of the respective teams rather than coaches, players, or team managers.

Our initial hypothesis was that either the teams with the highest market value or those with the lowest would have the most compromised credentials. The logic behind these two opposing hypotheses was that the highest-value teams would be the most lucrative targets for attackers, while the lower-value teams would lack the security infrastructure needed to protect their information. What we found in our collections does not support either hypothesis.

It appears that attackers are opportunistic when harvesting credentials and do not much care which organization they hit. What does matter is how complex the passwords are. In our collections, the majority of the compromised credentials had simple passwords. A typical password policy requires a minimum length of 8 characters with at least one lowercase letter, one uppercase letter, one number, and one special character. Nearly 250 credentials were compromised across the league, and only 11 of them had passwords that met even these minimum criteria.

Attackers are becoming savvier in their password attacks. Password policies are not new, and the requirements are usually as described above: an 8-character minimum with at least one lowercase letter, one uppercase letter, one number, and one special character. Attackers know these requirements and have gone as far as predicting where each character class will appear, which makes the passwords easier to crack. The typical pattern is an uppercase letter followed by lowercase letters forming a word, then one to four digits, then a special character.
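To make the point concrete, here is an added example (not code from the article or from Wapack Labs) that checks a password against the 8-character complexity policy described above, flags whether it follows the predictable "Word1234!" shape, and compares the number of candidates a mask attack on that shape has to try with a full brute force of the same length. The sample passwords are constructed for illustration, and the character-set sizes follow the hashcat mask conventions (?l and ?u 26 each, ?d 10, ?s the 32 ASCII specials, ?a 95 printable ASCII including space); none of this is from the article.

```python
"""Policy compliance vs. predictability for the 'Word1234!' password shape.

Added example, not from the article. Sample passwords below are constructed.
"""
import re
import string

SPECIALS = string.punctuation   # the 32 ASCII special characters (hashcat ?s)
MIN_LEN = 8


def meets_policy(pw: str, min_len: int = MIN_LEN) -> bool:
    """The common policy: >= 8 chars, one lower, one upper, one digit, one special."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


# One uppercase letter, a lowercase word, one to four digits, one special character.
PREDICTABLE = re.compile(r"^[A-Z][a-z]+[0-9]{1,4}[" + re.escape(SPECIALS) + r"]$")


def is_predictable(pw: str) -> bool:
    """True if the password has the shape attackers target first."""
    return PREDICTABLE.match(pw) is not None


def to_mask(pw: str) -> str:
    """Hashcat-style mask: one ?l/?u/?d/?s token per character (?a if unclassified)."""
    tokens = []
    for c in pw:
        if c.islower():
            tokens.append("?l")
        elif c.isupper():
            tokens.append("?u")
        elif c.isdigit():
            tokens.append("?d")
        elif c in SPECIALS:
            tokens.append("?s")
        else:
            tokens.append("?a")
    return "".join(tokens)


MASK_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": len(SPECIALS), "?a": 95}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask attack enumerates for this mask."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= MASK_SIZES[mask[i:i + 2]]
    return n


def full_keyspace(length: int) -> int:
    """Brute-force candidates for the same length over 95 printable ASCII characters."""
    return 95 ** length


def audit(passwords):
    """One row per password: policy result, predictability, and search-cost comparison."""
    rows = []
    for pw in passwords:
        mask = to_mask(pw)
        rows.append({
            "password": pw,
            "meets_policy": meets_policy(pw),
            "predictable": is_predictable(pw),
            "mask": mask,
            "mask_keyspace": mask_keyspace(mask),
            "full_keyspace": full_keyspace(len(pw)),
        })
    return rows


# Constructed sample set; these are not credentials from the article's collections.
SAMPLE = ["Baseball1!", "Redsox2022!", "password", "Tr0ub4dor&3", "xK#9vq2Lp$wA"]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        speedup = r["full_keyspace"] // r["mask_keyspace"]
        print(f'{r["password"]:<14} policy={r["meets_policy"]!s:<5} '
              f'predictable={r["predictable"]!s:<5} mask={r["mask"]:<26} '
              f'mask search is {speedup:,}x smaller than brute force')
```

The first two samples pass the policy yet match the predictable shape, and their mask search space is many orders of magnitude smaller than brute force of the same length, which is the gap between "meets the policy" and "resists cracking" that the paragraph above describes.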

If it is time for your organization to update its password policy, keep in mind that attackers know the usual requirements and use these patterns to crack passwords that a policy checker would deem "strong." Strong passwords can still be cracked, especially if they are mismanaged or reused. Multi-factor authentication, where applicable, helps protect your organization when a password does fall.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com     

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516
