On September 25, 2017, Deloitte announced that they detected a breach of the firm’s global email server via a poorly secured admin email in March of this year. Further, the attackers most likely had control of the server since November of 2016.
Deloitte’s initial statement indicated that only six of their consultancy clients were impacted by the breach, but insider sources later disclosed to the media that the attack most likely compromised every admin account at the firm. The startling severity of the breach has brought attention to Deloitte’s other cybersecurity practices, which, as we can see here with a likely Active Directory server, are not ideal. (There are valid applications for self-signed certificates, but the larger problem here is that the server is exposed to the outside internet at all, running unnecessary services.)
An admin account subversion is not very shocking, given that a significant number of Deloitte email accounts can be found on paste sites, most of a low complexity suggesting the firm has minimal password policies, and lack of a threat intelligence capacity to identify and recover leaked PII. A quick scan of pastebin.com showed a significant amount of Deloitte data from various locations, going back five years. A portion of those pastes were email credentials—the primary breach vector—as shown below.