Cushman & Wakefield activated incident response protocols after serial extortionists issued separate threats
# Incident Report: Cushman & Wakefield Vishing-Derived Data Breach
## Executive Summary
Cushman & Wakefield (C&W) fell victim to a data breach originating from a "vishing" (voice phishing) attack, leading to the unauthorized exfiltration of internal data. The incident gained public attention after two separate threat groups, ShinyHunters and Qilin, issued extortion threats within days of each other. While C&W confirmed the breach was limited in scope, ShinyHunters claims to have stolen over 500,000 Salesforce records containing Personally Identifiable Information (PII).
## Incident Details
- **Discovery Date:** Early May 2024
- **Incident Date:** May 1, 2024 (reported by attackers)
- **Affected Organization:** Cushman & Wakefield
- **Sector:** Real Estate / Commercial Property Services
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 1, 2024
- **Vector:** Vishing (Voice Phishing)
- **Details:** Attackers used social engineering over the phone (typically impersonating IT or helpdesk staff) to manipulate an employee into handing over credentials or granting access to corporate systems.
### Lateral Movement
- **Details:** Specific lateral movement techniques were not disclosed. The attackers reached internal corporate data and, if ShinyHunters' claim is accurate, the company's Salesforce CRM environment as well.
### Data Exfiltration/Impact
- **Details:** ShinyHunters claimed responsibility for the theft of over 500,000 Salesforce records, reportedly including PII and internal corporate data. On May 4, the Qilin ransomware group also listed the company on its leak site. Whether this reflects a second, independent intrusion or access shared or sold between the two groups has not been established.
### Detection & Response
- **Discovery:** The trigger for detection (internal monitoring versus the receipt of the extortion demands) was not disclosed.
- **Response Actions:** Activation of incident response protocols, engagement of third-party cybersecurity experts, and containment measures to isolate unauthorized activity.
## Attack Methodology
- **Initial Access:** Vishing / Social Engineering.
- **Persistence:** Not explicitly disclosed; presumably continued use of the compromised credentials.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Use of legitimate employee credentials (via vishing) to bypass traditional perimeter security.
- **Credential Access:** Obtained via phone-based social engineering.
- **Discovery:** Not disclosed; the volume of Salesforce records claimed implies enumeration of the CRM environment.
- **Lateral Movement:** From the compromised employee account into the cloud-hosted CRM environment.
- **Collection:** Gathering of PII and corporate records.
- **Exfiltration:** Approximately 500,000 records, per ShinyHunters' claim.
- **Impact:** Data breach and extortion.
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR/CCPA) and costs associated with forensic investigations.
- **Data Breach:** High volume; 500,000+ records containing PII.
- **Operational:** Low; C&W reported that systems and operations continued to run normally.
- **Reputational:** High; concurrent targeting by two notorious groups (ShinyHunters and Qilin) increases public visibility of the breach.
## Indicators of Compromise
- **Network Indicators:** None disclosed in the initial report.
- **File Indicators:** None disclosed (the victim has not confirmed any ransomware deployment).
- **Behavioral Indicators:** Generic to this attack pattern rather than disclosed by the victim: a login from a new IP or device shortly after a phone or helpdesk interaction; report exports, Bulk API jobs or large API queries from Salesforce by an account that does not normally perform them.
## Response Actions
- **Containment:** Steps taken to isolate and stop the unauthorized activity.
- **Eradication:** Engagement of third-party advisors to purge threat actor access.
- **Recovery:** Continued investigation and monitoring of systems to ensure normal operations continue.
## Lessons Learned
- **Human Factor Vulnerability:** Even robust technical controls can be bypassed if employees are successfully targeted via social engineering/vishing.
- **Dual-Threat Landscape:** Modern incidents may involve multiple threat actors (or "access brokers" selling to multiple groups), as seen with both ShinyHunters and Qilin claiming the victim.
- **CRM Security:** Salesforce and other CRM databases are high-value targets for serial extortionists due to the richness of PII.
## Recommendations
- **Enhanced Awareness Training:** Implement specialized training focused on vishing and social engineering tactics.
- **Multi-Factor Authentication (MFA):** Require phishing-resistant MFA (e.g., FIDO2/WebAuthn security keys) so that a password or one-time code read out over the phone is not enough to log in. Push-notification and SMS MFA do not close this gap: a vishing caller can simply ask the employee to approve the prompt or read back the code.
- **Access Monitoring:** Alert on impossible travel between consecutive logins and on bulk data movement out of CRM environments (report exports, Bulk API jobs, large API queries). Baseline per-user export volumes so that an account suddenly pulling hundreds of thousands of rows stands out.
- **Communication Verification:** Establish a verified internal process for employees to validate the identity of IT or helpdesk personnel requesting sensitive information, such as a call-back to a number from the corporate directory; caller ID can be spoofed and should not be trusted on its own.
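The behavioral indicators listed under Indicators of Compromise and the access-monitoring recommendation above both come down to two detections: impossible travel between logins, and bulk export volume per user. The following is an added example of that detection logic run over constructed sample events; it is not code from Cushman & Wakefield, Salesforce or the original report. The field names (`EVENT_TYPE`, `TIMESTAMP`, `USER_ID`, `CLIENT_IP`, `ROWS_PROCESSED`) are loosely modelled on Salesforce event log columns but the exact schema, the IP-to-location table, the thresholds and the user IDs are all assumptions.

```python
"""Detection logic for two behavioural indicators the report names:
impossible-travel logins and bulk exports from a CRM. Added example with
constructed data; not code from Cushman & Wakefield or Salesforce."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real telemetry). Field names are loosely
# modelled on Salesforce EventLogFile columns; the exact schema is an assumption.
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "Login",        "TIMESTAMP": "2024-05-01T08:55:00Z", "USER_ID": "005-alice", "CLIENT_IP": "203.0.113.10", "ROWS_PROCESSED": 0},
    {"EVENT_TYPE": "ReportExport", "TIMESTAMP": "2024-05-01T09:02:00Z", "USER_ID": "005-alice", "CLIENT_IP": "203.0.113.10", "ROWS_PROCESSED": 2000},
    {"EVENT_TYPE": "Login",        "TIMESTAMP": "2024-05-01T09:40:00Z", "USER_ID": "005-alice", "CLIENT_IP": "198.51.100.7", "ROWS_PROCESSED": 0},
    {"EVENT_TYPE": "BulkApi",      "TIMESTAMP": "2024-05-01T09:45:00Z", "USER_ID": "005-alice", "CLIENT_IP": "198.51.100.7", "ROWS_PROCESSED": 180000},
    {"EVENT_TYPE": "BulkApi",      "TIMESTAMP": "2024-05-01T10:10:00Z", "USER_ID": "005-alice", "CLIENT_IP": "198.51.100.7", "ROWS_PROCESSED": 340000},
    {"EVENT_TYPE": "Login",        "TIMESTAMP": "2024-05-01T09:00:00Z", "USER_ID": "005-bob",   "CLIENT_IP": "192.0.2.44",   "ROWS_PROCESSED": 0},
    {"EVENT_TYPE": "ReportExport", "TIMESTAMP": "2024-05-01T11:00:00Z", "USER_ID": "005-bob",   "CLIENT_IP": "192.0.2.44",   "ROWS_PROCESSED": 500},
    {"EVENT_TYPE": "Login",        "TIMESTAMP": "2024-05-01T17:30:00Z", "USER_ID": "005-bob",   "CLIENT_IP": "192.0.2.45",   "ROWS_PROCESSED": 0},
]

# Constructed IP-to-(lat, lon) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": (40.71, -74.01),  # New York
    "198.51.100.7": (50.11, 8.68),    # Frankfurt
    "192.0.2.44":   (51.51, -0.13),   # London
    "192.0.2.45":   (51.48, -0.20),   # London, second office
}

EXPORT_EVENTS = {"ReportExport", "BulkApi", "API"}
MAX_PLAUSIBLE_KMH = 900              # roughly airliner cruising speed
EXPORT_WINDOW = timedelta(hours=1)
EXPORT_ROW_THRESHOLD = 100_000       # assumed; tune to the org's normal export volume


def _ts(event):
    return datetime.strptime(event["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by one user whose implied travel speed is impossible."""
    alerts = []
    last_login = {}
    for e in sorted(events, key=_ts):
        if e["EVENT_TYPE"] != "Login":
            continue
        prev = last_login.get(e["USER_ID"])
        last_login[e["USER_ID"]] = e
        if prev is None or prev["CLIENT_IP"] == e["CLIENT_IP"]:
            continue
        there, here = geo.get(prev["CLIENT_IP"]), geo.get(e["CLIENT_IP"])
        if there is None or here is None:
            continue  # no location for one side, so no distance can be computed
        km = haversine_km(there, here)
        hours = (_ts(e) - _ts(prev)).total_seconds() / 3600
        # Two distant logins in the same second give infinite speed: still impossible travel.
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            alerts.append({"user": e["USER_ID"], "from_ip": prev["CLIENT_IP"],
                           "to_ip": e["CLIENT_IP"], "km": round(km),
                           "hours": round(hours, 2),
                           "kmh": speed if speed == float("inf") else round(speed)})
    return alerts


def bulk_exports(events, window=EXPORT_WINDOW, threshold=EXPORT_ROW_THRESHOLD):
    """Flag a user whose exported/queried rows inside a sliding window reach the threshold."""
    alerts = []
    recent = defaultdict(deque)
    for e in sorted(events, key=_ts):
        if e["EVENT_TYPE"] not in EXPORT_EVENTS:
            continue
        q = recent[e["USER_ID"]]
        q.append(e)
        while _ts(e) - _ts(q[0]) > window:   # drop events that fell out of the window
            q.popleft()
        total = sum(x["ROWS_PROCESSED"] for x in q)
        if total >= threshold:
            alerts.append({"user": e["USER_ID"], "rows_in_window": total,
                           "events": len(q), "window_end": e["TIMESTAMP"]})
    return alerts


def run_detections(events):
    return {"impossible_travel": impossible_travel(events), "bulk_export": bulk_exports(events)}


if __name__ == "__main__":
    for kind, found in run_detections(SAMPLE_EVENTS).items():
        for alert in found:
            print(kind, alert)
```

On the constructed data, the New York login followed 45 minutes later by a Frankfurt login for the same account trips the impossible-travel rule, and the two Bulk API jobs that follow push that account past the row threshold within an hour, while the second user's small report export and same-city login stay quiet. In a real deployment the events would come from the CRM's event log export and a GeoIP database rather than an inline table, and the row threshold should be set from a baseline of each role's normal export volume rather than a fixed number.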