June 27, 2019

A digital intrusion at PCM Inc., a major U.S.-based cloud solution provider, allowed hackers to access email and file sharing systems for some of the company’s clients, KrebsOnSecurity has learned.

El Segundo, Calif. based PCM [NASDAQ:PCMI] is a provider of technology products, services and solutions to businesses as well as state and federal governments. PCM has nearly 4,000 employees, more than 2,000 customers, and generated approximately $2.2 billion in revenue in 2018.

Sources say PCM discovered the intrusion in mid-May 2019. Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp.

One security expert at a PCM customer who was recently notified about the incident said the intruders appeared primarily interested in stealing information that could be used to conduct gift card fraud at various retailers and financial institutions.

In that respect, the motivations of the attackers seem similar to the goals of intruders who breached Indian IT outsourcing giant Wipro Ltd. earlier this year. In April, KrebsOnSecurity broke the news that the Wipro intruders appeared to be after anything they could quickly turn into cash, and used their access to harvest gift card information from a number of the company’s customers.

It’s unclear whether PCM was a follow-on victim from the Wipro breach, or if it was attacked separately. As noted in that April story, PCM was one of the companies targeted by the same hacking group that compromised Wipro.

The intruders who hacked into Wipro set up a number of domains that appeared visually similar to that of Wipro customers, and many of those customers responded to the April Wipro breach story with additional information about those attacks.

PCM never did respond to requests for comment on that story. But in a statement shared with KrebsOnSecurity today, PCM said the company “recently experienced a cyber incident that impacted certain of its systems.”

“From its investigation, impact to its systems was limited and the matter has been remediated,” the statement reads. “The incident did not impact all of PCM customers; in fact, investigation has revealed minimal-to-no impact to PCM customers. To the extent any PCM customers were potentially impacted by the incident, those PCM customers have been made aware of the incident and PCM worked with them to address any concerns they had.”

On June 24, PCM announced it was in the process of being acquired by global IT provider Insight Enterprises [NASDAQ:NSIT]. Insight has not yet responded to requests for comment.

Earlier this week, cyber intelligence firm RiskIQ published a lengthy analysis of the hacking group that targeted Wipro, among many other companies. RiskIQ says this group has been active since at least 2016, and posits that the hackers may be targeting gift card providers because they provide access to liquid assets outside of the traditional western financial system.

The breach at PCM is just the latest example of how cybercriminals increasingly are targeting employees who work at cloud data providers and technology consultancies that manage vast IT resources for many clients. On Wednesday, Reuters published a lengthy story on “Cloud Hopper,” the nickname given to a network of Chinese cyber spies that hacked into eight of the world’s biggest IT suppliers between 2014 and 2017.


35 thoughts on “Breach at Cloud Solution Provider PCM Inc.

  1. The Sunshine State

    Keep the good articles coming !

  2. JellyK

    What a cluster****! This is why I didn’t want to use an MS partner. I wonder how many thousands of organizations use them as a partner? What is MS is going to do about this? This is going to be a lot bigger than any could ever imagine… seriously this blows my mind!

    1. JCitizen

      If you mean Microsoft, I hear you! I remember when Azure started several years ago, they were a den of nation state bad actors, and the only way to contact them about the problems was to send snail mail, and even then they just sluffed it off. There is no way I’d do business with Azure now, with that kind of attitude – even if they changed their procedures, I could never trust them again.

    2. Bernard Rigaud

      I am on the dark internet and it is most definitely by companies who’s servers were antiquated due to the sophisticated hackers; meanwhile, I for the rest of my life have to pay for Lifelock and Norton. What really disgusts me is government sues, yet us little people have to pay for someone else’s lack of IT protection. I am appalled that it still continues involving even more corporations and government entities.

  3. MarcC

    How lazy and negligent can a cloud “solution” provider be? Why wasn’t MFA set up on those multi-customer global admin accounts?

    1. NoahS

      My thoughts exactly, its commonplace to have those security features. How can you justify managing that much data that is not your own and not have literally the first line of defense in place.

    2. Dave

      Yup. Agreed! First thing that came to my mind. Brian doesn’t mention how long the breach was open. I was wondering if there were any detective/heuristics/baseline/anamoly type Controls in place that would throw an alert/warning on an abusive Admin account. Hopefully, the administrators have a standard account for normal day-to-day use and don’t use the Admin account all the time.

    3. JC

      I can tell you exactly why. Their Office 365 provisioning system doesn’t work with Azure MFA. I use them and refuse to turn off MFA so I can’t use the web interface & have to call to add any licenses.

      1. Patrick

        If not MFA, at least set some basic IP restrictions for the service account.

    4. Nick

      Exactly! MFA should be a REQUIREMENT – PERIOD. Don’t want to use it, go to gmail.

  4. AlanM

    If I was a company doing business with them, I’d be quite suspect when a company doesn’t even secure their website.

  5. Jacketfan

    If it has zero impact on your stock price (sale price), why would an organization even care. (yes there are a million good reasons they should, but if it is a dollars and cents discussion…there is no punishment for this sloppy/laziness on the companies part).

    Again, why spend good money mitigating risk if there is not a financial penalty to the risk?? Tough business question to answer unless all you have is altruism, or we are going to add cyber security spending of XX% as a “basic human right” (sorry, I could not resist)

  6. Donald

    Brian,

    Minor nitpick. I don’t think PCM ‘allowed’ the intrusion. Using your context if I pick the lock on your house and walk around in it did you ‘allow’ me in the house?

    1. beavis

      Reading comprehension: The “intrusion allowed”

      1. Donald

        You are right. I read it again. I withdraw my nitpick.

  7. Dennis

    Brian, the 4th paragraph from the top has some typo or maybe there’s a word missing. Otherwise, great job exposing these breaches!

      1. JimV

        I thought they were bigly out in farce, to be honest.

  8. ChrisSuperPogi

    “Those sources say the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365, a cloud-based file and email sharing service run by Microsoft Corp.”

    I presume that 2FA was non-existent that allowed attackers to steal admin credentials?

  9. somguy

    Brian,
    Actually the cloud hopper article talks about how HP cloud services got hacked in 2010, so this has been going on closer to 10 years. Years during which they kept this secret for fear it would taint cloud services. Wave after wave of hack attacks. Years during which 5 of the worlds top 10 tech service providers were penetrated. Years during which untold numbers of client companies from there were penetrated. Companies including Sabre, Ericcson, and Huntington Ingalls Industries (the nations biggest naval provider, and one that does US nuclear submarines). It’s only now, since the two chinese nationals were indited, that we are finding out this, as investigative reporting is done. We still don’t know how many companies, or what they took.

    That could well be the biggest scale hack ever.

    I’m actually surprised you don’t have a full scale article on that, rather just a little blurb here. Seems much more meaningful than this $2 billion a year company this story is on. I’ve been checking repeatedly on your site, hoping to get more info on it since you always have excellent and in depth well researched articles.

    1. BrianKrebs Post author

      Thanks for your comment. For better or worse, I’m not in the habit of regurgitating stories from other news outlets. The exception being stories when I have something meaningful to add to the already reported story. In this case, I don’t.

      1. Brian Fiori (AKA The Dean)

        Not that you need my suggestions—or any more work to do. But what the hell.

        It might be a good resource if you did a weekly/monthly “top security stories/issues” where you would just supply a quick summary and links to the story. An intern could do it!

        OK, I’ll slither away now.

    2. acorn

      “HP cloud services”. Something I vaguely notice, from doing some checking, is not only cloud services. Note the comment in the cloud hopper article, “Also compromised by Cloud Hopper, Reuters has found: … Computer Sciences Corporation and DXC Technology. HPE spun-off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC”. CSC and DXC Technology are running regional-national networks–such as in Germany, Austria, and Denmark, and more than one network IP block on a regional net, such as on the Deutsche Telekom AG regional network).

  10. J

    Microsoft needs to start including the security features of EMS E3 and E5 as part of every enterprise license of O365. If that means increasing the pricing a couple dollars so be it. Unfortunately, itemizing security can result in having to go back to the executive well and often gets shot down.

    Until they do that, they have no interest in protecting their customers. Security shouldn’t be an itemized feature like Power BI or Exchange archival.

  11. Jim

    Ah, good job, good write-up on limited information. A lot of questions still out there.
    Interesting information on gift cards, for fast turnarounds. But, one would think they would have laundered them, like green cards.
    Next, cloud services are only secure if everyone is on the same page. As in books, some start at the last chapter, to see if they like the book. So not everyone is on the same page. And others like puzzles, it their entertainment, others make a business of puzzles. So how can a cloud service be secure. If they don’t train their customers, their workforce, and be on the forefront of security, they won’t be for long.

  12. Sandeep Kamble

    There is a need of an employee to learn about the basics of which emails that need to open and which email must ignore.

    If they are using Gsuite or O365, there must be some protection for the latest phishing campaign.

  13. Tammie

    Turn off the security alarms and look the other way? And do little if anything to address the security issue. Appears to me like a big game is being played. But that’s my silly thinking, I’m sure……

  14. M. Gallant Daigle, M.Eng

    Cloud service providers are under constant pressure to reduce operational costs. Wealthy organizations are not even able to prevent security breaches (Equifax, Desjardins, …). We would be stupid to think the others can do any better, with the current modus operandi.

    The following cybersecurity petition recommends increasing the level of technical collaboration between the manufacturers of connected devices, to secure our cyber-systems.

    https://lnkd.in/edkn82K
    PETITION (1 of 7) – Executives are asked to build a Worldwide Secret Key Infrastructure, and allow us to pave the road towards the SAFEST Internet 

    This petition is ambitious: At least one share secret key for every trustworthy network-connected device, worldwide. The was against cyber-crime will not be won in solo-mode.

    The infrastructure recommended by the petition cannot be patented and has nothing to sell. In order to be successful, it has to be provided free of charge for everybody to use, worldwide.

  15. Steve

    You get what you pay for! PCM is not the first choice for a MS Partner by any means!

  16. Javahunter

    Gotta wonder if it was a single set of creds for managing multiple clients.

Comments are closed.