Cyber security – what could go wrong.

24 June 2025 by Catalyst

Cybersecurity scenarios for organisations span a wide range of risks that can disrupt operations, compromise data, damage reputations and result in significant financial loss.

According to the latest report by Check Point Research, overall global attacks have increased by 44% since 2023, averaging 1,673 attacks per week.

Higher Education, Government and Healthcare & Medical industries are still the top three targets.

Image source: https://engage.checkpoint.com/security-report-2025/items/report–cyber-security-report-2024

While cloud hosting infrastructure has become a necessity for enterprise-level companies, it is subject to vulnerabilities and misconfiguration like any other infrastructure.

Setting up and maintaining secure environments is not easy, and it is a constant process of improvement to stay on top of change. There are many settings and configurations, and unless you have years of experience managing mission-critical systems on a specific cloud provider, you are likely to make mistakes.

How do I reduce my organisation’s cyber security risk?

Being aware of some of the most common scenarios of ‘what could go wrong’ is key. Then, you can implement preventive measures to minimise the risks.

The three key sources of cyber security risk are software bugs, infrastructure issues and the human factor.

Software bugs

No one is 100% protected at all times. Even when a software provider prioritises security, bugs happen. An unpatched site running a version with the right bug can be targeted with an exploit and its database stolen: full user lists, logs of their site activity, IP addresses and site data, including uploaded files.

Like any software, Moodle occasionally has serious bugs. A specific example can be found here: an attacker with the capability to add or modify quiz questions could craft a malicious calculated question which, once processed, would execute attacker-controlled code on the server. This is a high-severity bug that can lead to full server compromise. The secure-coding lesson is to never pass user-supplied input to functions such as eval(), and to replace them with a restricted expression parser that only understands arithmetic. The immediate action, however, is to update the Moodle site to the latest patched version.
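The pattern behind that bug, shown as an added example written for this page in Python rather than Moodle's PHP (it is not Moodle's own code): a question author's formula is handed to eval(), so whoever can write a formula can run code in the web server's process. The safer alternative parses the formula into a syntax tree and evaluates only numbers, arithmetic operators and known variables, so no code path exists for anything else. The formula syntax, variable names and the exponent cap are assumptions for the illustration.

```python
import ast
import operator

# Operators the calculator may evaluate. Anything else in the syntax tree
# (calls, attribute access, subscripts, comprehensions, lambdas...) is rejected.
BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_EXPONENT = 1000  # assumed cap; stops "9 ** 9 ** 9" style denial of service


def unsafe_calculate(formula, variables):
    """The vulnerable pattern: a question author's formula goes straight to eval().

    Whoever can write the formula can run arbitrary code in the server process;
    restricting the variables dict does not help, because eval() still exposes
    builtins and object introspection.
    """
    return eval(formula, {}, dict(variables))


def safe_calculate(formula, variables):
    """Parse the formula into a syntax tree and evaluate it by walking the tree,
    permitting only numeric literals, the listed arithmetic operators and names
    that appear in `variables`. No code is ever executed."""
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid formula: {exc.msg}") from None

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant):
            if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
                return node.value
            raise ValueError(f"disallowed literal: {node.value!r}")
        if isinstance(node, ast.Name):
            if node.id in variables:
                return float(variables[node.id])
            raise ValueError(f"unknown variable: {node.id}")
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](visit(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
            left, right = visit(node.left), visit(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            try:
                return BINARY_OPS[type(node.op)](left, right)
            except ZeroDivisionError:
                raise ValueError("division by zero") from None
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return visit(tree)


if __name__ == "__main__":
    params = {"a": 3, "b": 4}
    print(safe_calculate("a * b + 2", params))                 # 14.0
    print(unsafe_calculate("__import__('os').getpid()", {}))  # eval() happily runs this
    try:
        safe_calculate("__import__('os').getpid()", {})
    except ValueError as exc:
        print("rejected:", exc)                                # rejected: disallowed syntax: Call
```

The allow-list is the point: the safe version does not try to spot dangerous strings in the formula, it simply has no way to express a function call, attribute access or string, so new bypass tricks have nothing to work with. The exponent cap and the division-by-zero handling are there because a "safe" evaluator that can be made to hang the worker is still a problem for a site that processes quiz attempts.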

If such a bug is coupled with compromised passwords, the attack surface grows considerably. An unauthenticated user can typically only submit login requests and fetch a small amount of static content. Each additional privilege lets them reach more code paths, and every code path is a potential bug. Keeping user accounts under the control of their intended owners is therefore directly beneficial to the security of the LMS.

Earlier this year, a different bug (MSA-25-0011: Unauthenticated REST API user data exposure) allowed an unauthenticated attacker to retrieve password hashes from sites with a specific set of login configurations.

This alone is not enough to log in as the user, but it lets an attacker make an unlimited number of guesses against the hash offline, far more cheaply than guessing through the login form, and without alerting anyone to the password guessing activity.

If the user chose a weak or previously breached password, a guess will eventually match the hash, revealing the real password, which can then be used to log in.

Mitigations include strong, unique user passwords and password peppering: a secret value, unique to the site and stored outside the database, that is mixed into the password before hashing. With this exploit alone the attacker could not have recovered the pepper, so offline guessing against the leaked hashes would have failed.
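An added example of why a pepper defeats offline cracking (this is illustration code for this page, not Moodle's password code; Moodle uses bcrypt, and PBKDF2 from the Python standard library stands in for it here). The pepper, salt and wordlist are constructed values for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; the slow hash is the attacker's per-guess cost

# Constructed pepper for the demonstration. A real pepper is generated with
# secrets.token_bytes(32), lives in config or a secrets manager, and is never
# written to the database next to the hashes it protects.
SITE_PEPPER = bytes.fromhex("6f1c2a9e4b7d3e8fa0c5d1b2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2")

# Constructed wordlist standing in for the breached-password lists attackers use.
WORDLIST = ["password", "123456", "welcome1", "Summer2024", "letmein", "qwerty"]


def hash_password(password: str, pepper: Optional[bytes] = None, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash. If a pepper is supplied, the password is first run
    through HMAC keyed with the pepper, so an attacker who holds the hash and
    the salt but not the pepper cannot even form a candidate input."""
    salt = salt if salt is not None else os.urandom(16)
    material = password.encode("utf-8")
    if pepper is not None:
        material = hmac.new(pepper, material, hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)
    # Self-describing format so the work factor can be raised later.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: Optional[bytes] = None) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, _iterations, salt_hex, _digest_hex = stored.split("$")
    candidate = hash_password(password, pepper=pepper, salt=bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def offline_crack(stored: str, wordlist, pepper: Optional[bytes] = None) -> Optional[str]:
    """What an attacker does with a leaked hash: try every guess offline, with
    no rate limit and no log entry on the victim's site. Without the pepper the
    guesses are computed on the wrong input and never match."""
    for guess in wordlist:
        if verify_password(guess, stored, pepper=pepper):
            return guess
    return None


if __name__ == "__main__":
    leaked_plain = hash_password("Summer2024")
    leaked_peppered = hash_password("Summer2024", pepper=SITE_PEPPER)
    print(offline_crack(leaked_plain, WORDLIST))                        # Summer2024
    print(offline_crack(leaked_peppered, WORDLIST))                     # None
    print(verify_password("Summer2024", leaked_peppered, SITE_PEPPER))  # True
```

The pepper only helps while it stays out of the attacker's hands: a bug that leaks the database does not leak a pepper held in configuration, but a file-read bug or a backup that bundles config with the dump would. Keep it separate from the data it protects, and version it in the stored format so it can be rotated.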

Keeping privileged accounts in the right hands through the use of strong passwords and multi-factor authentication is a key mitigation against issues like this.

It is also crucial to update hosted web applications quickly, and to have strong security controls in the backing infrastructure that limit the scope of a compromise and allow a fast response.

Infrastructure issues

Hosting infrastructure is complex and keeps changing. Administrators make mistakes, as the repeated serious incidents at large, supposedly trusted companies show. Believe it or not, there are still world-readable S3 buckets out there, exposing personally identifiable information (PII) such as driver's licences and bank account details.

Here are four recent examples that we know of from the last couple of months, where configuring S3 buckets had gone wrong:

The issue with poorly managed S3 buckets is not new, and we have seen many similar stories as the above for a number of years.

Another common scenario in the infrastructure space is administrators leaving ad-hoc cloud resources open to the world.
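As an added example for the S3 case above (written for this page, not Catalyst's tooling), the weak configuration beside the corrected one, with a small checker that flags bucket policy statements granting access to the whole world and reports whether the public access block neutralises them. The bucket name, account id and role name are placeholders; in practice the two JSON documents come from `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`.

```python
import json

# Constructed example: a bucket made world-readable "just for a moment" and never fixed.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")
WEAK_ACCESS_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                     "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Corrected: only a named role may read, plaintext transport is denied, and the
# public access block is fully enabled so a future public policy or ACL is refused.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppServerRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyPlaintext",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")
HARDENED_ACCESS_BLOCK = {key: True for key in WEAK_ACCESS_BLOCK}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _anyone(principal) -> bool:
    """True when the Principal element means any AWS account or anonymous user."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy: dict) -> list:
    """Allow statements whose principal is the whole world. A Condition element
    (VPC endpoint, source IP, ...) may narrow them, so that is recorded for review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditioned": "Condition" in stmt,
        })
    return findings


def bucket_exposure(policy: dict, access_block: dict) -> str:
    """OPEN: a world grant with nothing blocking it.
    REVIEW: a world grant exists but is conditioned, or RestrictPublicBuckets
    makes S3 ignore the public policy (the policy should still be cleaned up).
    OK: no world grants in the policy. Bucket ACLs are a separate path to
    exposure; the two ACL flags in the access block close that one."""
    grants = public_grants(policy)
    if not grants:
        return "OK"
    if access_block.get("RestrictPublicBuckets") or all(g["conditioned"] for g in grants):
        return "REVIEW"
    return "OPEN"


if __name__ == "__main__":
    for name, pol, pab in (("weak", WEAK_POLICY, WEAK_ACCESS_BLOCK),
                           ("hardened", HARDENED_POLICY, HARDENED_ACCESS_BLOCK)):
        print(name, bucket_exposure(pol, pab), public_grants(pol))
```

The Deny statement in the hardened policy also uses `Principal: "*"`, and the checker deliberately ignores it: a world-scoped Deny is how you make a rule apply to everyone, and flagging it would bury the real finding in noise. Enabling the public access block with `aws s3api put-public-access-block` at the account level is the cheapest way to make this class of mistake impossible to commit.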

Trusted cloud service providers like Catalyst IT, where security is truly a priority, guard against such situations by implementing layered defences in their infrastructure setup.

Human factor

Various human factors contribute to cyber security incidents, including:

  • Poor password choices by users / poor password policies by organisations
  • Credential theft via social engineering
  • Trusted insider threats

Poor password choices

Weak passwords, and passwords reused across multiple sites, are an underestimated risk created by employees.

As per the example above, prior to August 2024 an attacker with a stolen teacher account could have abused the creation of calculated questions in course material to achieve remote code execution in Moodle.

We recently had a scenario where one of our client's staff members had their email account hacked and used to sign in to their LMS. The client promptly reported this to our team, so we were able to use indicators of bot activity to find out exactly which accounts had been compromised by this attacker and what they were trying to do.

In this case, the hacker's purpose was merely to redirect the client's site to some advertising. However, ongoing access to a privileged account can be very useful to an attacker later, and for more nefarious purposes.

Strong, unique passwords and/or the use of multi-factor authentication would have prevented this particular attack from happening.

Catalyst’s approach to security is one of defense in depth, where each system built is evaluated for risk and mitigating controls are applied. Given this strategy, the account compromise did not result in further access to any infrastructure.

Trusted insider threat

The Trusted Insider Threat is probably one of the most difficult security issues to deal with.

A trusted insider can be your employee, contractor, business partner or anyone who has legitimate access to an organisation’s systems and data.

There are two categories of trusted insiders: malicious and non-malicious.

Malicious insiders seek to use their access for personal gain or revenge. Having some monitoring in place, watching things like:

  • access to systems at unusual times
  • data transfer levels
  • disgruntled / stressed employees

is something organisations can do to mitigate the risk.
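An added example covering both the bot-indicator triage described in the account compromise story above and the insider monitoring list just given. This is illustration code written for this page, not Catalyst's incident tooling; the log records are constructed (source addresses from the documentation ranges, placeholder user ids) and only loosely shaped on the columns of Moodle's standard log store, with a byte count added that a real deployment would take from the web server or proxy logs.

```python
from collections import defaultdict
from datetime import datetime

LOGIN = "\\core\\event\\user_loggedin"
CONFIG_CHANGE = "\\core\\event\\config_log_created"
RESOURCE_VIEW = "\\mod_resource\\event\\course_module_viewed"

# Constructed records: (site-local time, userid, eventname, source ip, bytes served).
LOG = [
    ("2025-05-12T09:02:11", 17, LOGIN, "203.0.113.5", 0),
    ("2025-05-12T09:05:40", 17, RESOURCE_VIEW, "203.0.113.5", 3_145_728),
    ("2025-05-12T14:20:03", 17, LOGIN, "198.51.100.23", 0),   # same address, four
    ("2025-05-12T14:20:09", 42, LOGIN, "198.51.100.23", 0),   # different accounts,
    ("2025-05-12T14:20:15", 58, LOGIN, "198.51.100.23", 0),   # seconds apart: a bot
    ("2025-05-12T14:20:21", 91, LOGIN, "198.51.100.23", 0),   # replaying stolen creds
    ("2025-05-12T14:21:02", 42, CONFIG_CHANGE, "198.51.100.23", 0),  # then a site setting changed
    ("2025-05-13T02:15:44", 7, LOGIN, "203.0.113.77", 0),     # 2 a.m. login...
    ("2025-05-13T02:18:10", 7, RESOURCE_VIEW, "203.0.113.77", 524_288_000),  # ...and a bulk pull
    ("2025-05-13T02:31:55", 7, RESOURCE_VIEW, "203.0.113.77", 419_430_400),
    ("2025-05-13T10:00:00", 58, LOGIN, "203.0.113.9", 0),
]


def logins_per_ip(log):
    """Map each source address to the set of accounts it authenticated as."""
    seen = defaultdict(set)
    for _ts, userid, event, ip, _nbytes in log:
        if event == LOGIN:
            seen[ip].add(userid)
    return seen


def compromised_accounts(log, min_accounts=3):
    """Bot indicator: one address logging into several different accounts is
    credential stuffing, not a person. Every account it reached is treated as
    compromised, including ones that also have a legitimate login elsewhere.
    A real triage would bucket by time window as well as by address."""
    flagged = set()
    for users in logins_per_ip(log).values():
        if len(users) >= min_accounts:
            flagged |= users
    return flagged


def privileged_changes_by(log, accounts):
    """What did the compromised accounts do? Site configuration changes are the
    first thing to look at, because that is how a site gets redirected."""
    return [(userid, ip, ts) for ts, userid, event, ip, _nbytes in log
            if event == CONFIG_CHANGE and userid in accounts]


def after_hours_logins(log, start_hour=22, end_hour=6):
    """Insider indicator: authentication outside the organisation's working hours."""
    out = []
    for ts, userid, event, ip, _nbytes in log:
        hour = datetime.fromisoformat(ts).hour
        if event == LOGIN and (hour >= start_hour or hour < end_hour):
            out.append((userid, ts, ip))
    return out


def heavy_transfers(log, limit_bytes):
    """Insider indicator: accounts whose total volume served exceeds a threshold."""
    totals = defaultdict(int)
    for _ts, userid, _event, _ip, nbytes in log:
        totals[userid] += nbytes
    return {userid: total for userid, total in totals.items() if total > limit_bytes}


if __name__ == "__main__":
    bots = compromised_accounts(LOG)
    print("accounts reached by bot traffic:", sorted(bots))          # [17, 42, 58, 91]
    print("config changes by them:", privileged_changes_by(LOG, bots))
    print("after-hours logins:", after_hours_logins(LOG))
    print("heavy transfers:", heavy_transfers(LOG, 500 * 1024 * 1024))
```

Each detector is deliberately simple and tunable: the account threshold, the working-hours window and the volume limit are the knobs a site would set from its own baseline, and the output is a short list of accounts to reset and sessions to kill rather than an alert per event. Account 17 appears in the compromised set even though its morning login was genuine; that is the right call, since the bot also had its password.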

Non-malicious insiders (or negligent insiders) are often unaware of the risk of their actions, unintentionally exposing data e.g. by clicking on a phishing link and entering credentials.

Regular security training for staff is key to avoid such accidents happening.

Some of the famous examples of insider threat include:

In 2023, former Tesla employees leaked PII to a foreign media outlet. The information included names, addresses, phone numbers, employment records and social security numbers of over 75,000 current and former employees, as well as customer bank details, production secrets and communication records such as complaints about Tesla's Full Self-Driving features.

While legal actions were taken against the employees responsible, the stain on a brand’s reputation is irreversible.

In May 2022, a research scientist at Yahoo stole proprietary information about the company's AdLearn product after receiving a job offer from a competitor. He downloaded about 570,000 pages of Yahoo's IP to his personal devices.

In conclusion:

While cloud hosting infrastructure has become a necessity for enterprise-level companies, it is subject to vulnerabilities and misconfiguration. Understanding 'what could go wrong', investing in a strong security culture (including ongoing staff training) and working with a trusted Managed Service Provider will help mitigate the risks.

Why trust Catalyst IT with your managed service:

  • We are ISO 27001 certified and have a dedicated in-house security team who keep our compliance requirements up to date and maintain ongoing internal and external communication, so all our stakeholders are aware of any critical information or action that needs to be taken at all times.
  • We work with partners we can trust and collaborate on various developments in our products and services, including innovative approaches to handling security issues.
  • Our partnerships and 24/7 Follow the Sun Support model ensure we can deal with any emergencies anytime, wherever our clients are.
  • Encryption is standard across the company, including for database backups at rest and databases in use.
  • Multi-factor authentication plugin comes standard with all our Moodle installations.
  • Our people, from all departments, undergo comprehensive security training during on-boarding and are required to complete refresher training at regular intervals.

Host your Moodle in a secure, optimised environment. Contact our team today.