As we come to the end of 2020, it is customary to review what has happened in the previous 12 months and learn from any events that happened.
At the beginning of 2020, no one could have foreseen the chaos that the novel coronavirus COVID-19 would bring. While the start of it was in China back in December 2019, I think the whole series of events that rolled out over the beginning of 2020 caught governments and companies napping and ill prepared for what was about to happen.
Bill Gates did a TED Talk back in 2015 where he predicted precisely what happened this year and told the world we needed to prepare. We didn’t! You can view the TED Talk below.
Everyone Work from Home …
Prior to 2020 a lot of companies held the belief that working from home, or remotely, was not a productive way to conduct business and the nay-sayers were promoting in-office collaboration to be the gold standard. Then came March 2020 and all of a sudden we were faced with a global pandemic. Governments around the world were giving total lockdown orders, forcing the closure of businesses and requesting where possible people should work from home.
I was truly impressed at how quickly a lot of companies switched to a work from home approach. Those that had invested in the Cloud, or had an active VPN giving access to company resources, were at an advantage. Those who did not have this infrastructure pushed everyone home to use their personal devices to do their jobs the best they could.
We posted a couple of blogs around helping people stay safe while working from home (Cyber Security during a Pandemic and Productive and Secure Remote Working). However, a lot of people were ill equipped to do large scale remote working. We saw a large number of cyber attacks occur attempting to penetrate personal devices being used for work. Home routers and networks have inadequate security and do not have the degree of monitoring and security patching an office network would have. We posted a number of blogs to help remediate this:
- Business Email Compromise Attacks (18 July 2020)
- Router Vulnerabilities (27 June 2020)
- The Human Firewall (30 May 2020)
- Securing your Remote Desktop (2 May 2020)
- Account and Password Management (18 April 2020)
- Securing your Internet Router – A Pocket Guide (22 March 2020).
However, we have also seen a lot of innovation within the past 12 months. A lot of companies quickly accelerated their plans to migrate to the cloud, with sometimes multiple years of digitisation work occurring in a very condensed timeline. Satya Nadella (CEO Microsoft) said that 2 years of digital transformation occurred in 2 months. However, with this rapid migration to the cloud also came a lot of problems where the move to the cloud was not fully thought out and introduced a number of cyber attack vulnerabilities along the way.
The number of cyber attacks on home computers and networks, phishing attacks and in particular Business Email Compromise attacks rose very sharply in the second quarter. There is no decline in these attacks towards the end of 2020. These attacks included:
- Fake cures
- Fake News
- Work from Home attack vectors
- VPN attacks
- Phishing and other social engineering attacks
- Healthcare organisations hit by ransomware
- Vaccine researchers hacked
- Fake infection tracking sites that look like the official ones but distribute malware.
We are now seeing vaccination scams occurring.
The Pandemic has accounted for a large number of cyber attacks this year. One example is that Phishing attacks in February were running at around 5000 a month, while in April these had risen to more than 200,000 a month.
There are a considerable number of registered domains on the Internet that contain the terms: “coronavirus”, “corona-virus”, “covid19” and “covid-19”. While some are legitimate websites, cybercriminals were (and still are) creating thousands of new sites every day to carry out spam campaigns, phishing, scams or to spread malware. Cybercriminals also took advantage of the widespread global communications on the coronavirus to mask their activities. Malware, spyware and Trojans have been found embedded in interactive coronavirus maps and websites. Spam emails are also tricking users into clicking on links which download malware to their computers or mobile devices.
Hospitals, medical centres and public institutions were also being targeted by cybercriminals with ransomware attacks – since they are overwhelmed with the health crisis and cannot afford to be locked out of their systems, the criminals believed they were more likely to pay the ransom.
We are seeing no let up in this either as we come to the end of 2020.
So, this has happened. We are now much more digital in how we operate our businesses and this won’t go away any time soon. If anything it will now accelerate. We are also seeing major companies adopting a work from home approach, examples from the tech industry are:
- Google extends WFH for all employees till Sep 2021, mulls flexible work model | The News Minute
- Microsoft to expand its WFH policy, make it permanent for some staff – The Financial Express
- Apple, Facebook to continue WFH for most employees until June, 2021 (hrkatha.com)
- Facebook to let employees work from home until July 2021, will give $1,000 for home offices (indiatimes.com).
Some are entertaining a permanent work from home approach, while others are suggesting 30% rotating staff in office/work from home. I really don’t think the post COVID business landscape will be anywhere near what it was at the beginning of 2019.
One other thing that seems to have happened is that bug bounty programmes seem to have flourished in 2020.
What else has happened … More Cyber Attacks
In the US there was a Presidential Election. Following on from the fallout from the 2016 elections and how companies like Cambridge Analytica affected the outcome through targeting social media, a lot has been done to reduce this effect since then. However, this didn’t stop things from happening. As an example, Microsoft published a blog post saying that they had seen an increased number of cyberattacks targeting U.S. elections.
- Typosquatters target US Presidential election
- Fake election domains could put US voters at risk online
- Facebook announces measures to protect the U.S. elections
- Twitter announces new steps to beef up security of high-profile political accounts
- Emotet malware takes part in the 2020 U.S. elections
- Hackers used VPN flaws to access US govt elections support systems
- US shares info on election interference tied to Russia, China, Iran
- Historic data breach exposes practically all US voters ahead of election
- US election 2020 malware scam targets undecided voters
- Google caught Iranian and Chinese state hackers targeting the Trump and Biden campaigns.
As you can see from the selection of articles above, just because one avenue was hindered, more opened up.
Microsoft also worked to stop an Iranian hacking group called Phosphorus from attacking attendees at the Munich Security Conference in October. The attack centred around sending spoofed email invitations and also offered remote sessions to help mitigate the danger from travelling during the pandemic. They were targeting former ambassadors and other senior policy experts, so this was more of a spear phishing attack than a general opportunistic attack.
In January the United Nations confirmed a major Cyber Attack that took down 42 servers that occurred in 2019. At the time this was not fully attributed to any one hacking group, but was believed to be initiated by an Advanced Persistent Threat (APT) Nation State actor. The attack centred around the exploitation of a known, but unpatched, vulnerability in Microsoft’s SharePoint server.
In December the US government confirmed a major cyber attack thought to have been initiated as a Nation State attack from an APT based in Russia that affected multiple government agencies and potentially 18,000+ individual targets. The hack centred around a Supply Line Attack in which SolarWinds (a vendor of network monitoring software) had a software update compromised with malware. This hack was thought to have started in late 2019. At the time of writing this is still being investigated, with potentially multiple attack vectors involved and what appears to be a highly sophisticated piece of malware. I expect this will probably go down as the biggest cyber attack of its kind in 2020, possibly going back several years. The fallout is still being assessed.
After Iranian Maj. Gen. Qassim Suleimani was killed by a U.S. airstrike at the Baghdad airport in Iraq, the US Cybersecurity and Infrastructure Security Agency (CISA) sent out an advisory to expect a wave of cyber attacks from Iran. The U.S. Department of Homeland Security (DHS) warned that these cyber attacks were thought to focus on disrupting critical infrastructure (e.g. power grid, communications, transportation). However, Iran was also active elsewhere:
- New Iranian data wiper malware hits Bapco, Bahrain’s national oil company
- European Energy Firm Targeted by RAT Linked to Iran – Infosecurity Magazine
- Iranian hackers target US government workers in new campaign
- Iranian APT group hacking VPN servers for “Fox Kitten Campaign”
- Iranian APT Targets Govs With New Malware
- Big Leak Reveals Iran Targeting US Military With Super Speedy Google Account Hacks.
The above are just a selection of the early 2020 reports on what Iran is thought to have been up to.
The above serve as examples as to the global effect of Cyber Attacks and how they have persisted in 2020. Some of them have been the result of Advanced Persistent Threat (Nation State) actors seeking to achieve political and terrorist gains. Others seem to be more for monetary gains.
When I look back at all the reports of Ransomware attacks during 2020, I appear to have over 400 reports. And, this is the tip of the iceberg! Ransomware has not stopped. In fact it has increased with an evolution of what we started to see in 2019.
The typical attack now follows this approach:
- Infiltrate the network and persist (through multiple attack vectors including OS vulnerabilities and social engineering)
- Extract confidential documents
- Launch the ransomware attack by encrypting everything they can find
- Demand a Ransom
- If a Ransom is not paid they threaten to disclose the extracted documents on hacker forums which they may do anyway
- Even if the ransom is paid, they often don’t provide the decryption key and may sell on the documents anyway
- Hide in an unaffected part of the network and continue to infiltrate, extract information and install back-doors.
We blogged about this multi-stage attack variant in Multi-Phase Cyber Attacks back in July, which isn’t just limited to ransomware.
Bleeping Computer also published a List of ransomware that leaks victims’ stolen files if not paid.
In January, some Ransomware operators were offering a holiday discount to entice victims into paying a ransom demand. Cheeky #@?%$&*~.
Here are a few of the (400+) reports I found this year:
- Ransomware attack takes US maritime base offline
- Ransomware Attack Topples Telemarketing Firm, Leaving Hundreds Jobless
- VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers
- Sodinokibi Ransomware Hits New York Airport Systems
- DoppelPaymer Ransomware Sells Victims’ Data on Darknet if Not Paid
- New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure
- Why you can’t bank on backups to fight ransomware anymore
- This ransomware campaign has just returned with a new trick
- Maze ransomware group hacks oil giant; leaks data online
- New VCrypt Ransomware locks files in password-protected 7ZIPs
- PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time
- This ransomware poses as a Covid-19 tracing app (oops, more Covid-19 stuff, but it is 2020)
- Business giant Xerox allegedly suffers Maze Ransomware attack
- This botnet has surged back into action spreading a new ransomware campaign via phishing emails
- Over 25% of all UK universities were attacked by ransomware
- US staffing firm Artech discloses ransomware attack, data breach.
We are also seeing various hacking groups combining to increase their effectiveness. One in particular was where the ProLock ransomware teamed up with the QakBot Trojan to access victims’ networks, using QakBot to bolster persistence, anti-detection and credential-dumping techniques.
In reviewing the above articles for this review, I think a full-on review of how Ransomware is operating is now called for, so look out for a blog in the new year.
Something that surfaced this year was the ability to attack air-gapped computers. These are computers that are not attached to a network and are typically standalone. This is a subject that we are researching and will write a blog on in the new year.
We blogged about Deep Fakes in June. This is where video and audio can be faked to appear like it is a celebrity or politician speaking by using Artificial Intelligence. The example we posted was:
This has become more of an issue where deep fakes can be almost indistinguishable from the real thing and was used in the US elections to spread fake news. While this is useful in producing Hollywood style films, this is now being used as an attack vector for malware:
- Faking audio, for example from a CEO to execute a BEC attack
- Spreading fake news
- Political activism.
Artificial Intelligence has seen a vast improvement over the year and, as it continues to improve, so will this.
Which brings me onto … Artificial Intelligence
While deep fakes have been evolving, the Artificial Intelligence (AI) and Machine Learning (ML) technology is being used in more applications. Some of the applications I saw this year include:
- VirusTotal Adds Cynet’s Artificial Intelligence-Based Malware Detection
- Digital Asset Management
- AI-Enabled Voice Cloning
- This girls-only app uses AI to screen users’ genders
A lot of reports have also been surfacing around the use of AI to screen people for various applications, and these have been shown to be biased on race and gender grounds. The ‘Only Girls’ app link above used AI to screen out users it judged not to be girls. This is sort of OK if you want to exclude men from a female only space, but it also rejected genuine Transgender women, which is against the law in the UK. AI is also continuing to be used to screen Job Recruitment. We also found that Twitter Posts are Indexed by Google and used to investigate applicants’ online activities. It’s coming to the stage where if you don’t have an online CV and a social media presence, your CV can be rejected before even getting to the recruiter irrespective of your suitability for the job. AI is also being used to predict potential crime waves and incidents, which was largely condemned for racial bias.
We are also seeing AI driven tools to defend networks against intrusion and malware.
It is evident that companies are not prepared for the AI revolution and need to set their strategies accordingly. This needs to be addressed as a matter of urgency in 2021. In addition, a call to regulate AI deployment has been received from various quarters. The problem with technology is that it advances ahead of the regulation. With AI there is a potential to outstrip regulators’ capability to regulate, and by the time they do act it may well be too late. Regulation needs to be enacted at the international level and it needs to be done urgently.
Expect this to continue in 2021 and beyond.
Data breaches have continued to evolve and become more of a problem. Most data breaches seem to be centred around IT administrators leaving databases unprotected by suitable security and firewalls, or, more basically, not changing the default password if one was ever applied. Amazon Web Buckets seem to be a particular target, although we have seen other cloud providers attacked along similar lines.
Ransomware has also evolved to be a data breach attack vector (see above).
We have also seen attacks where:
- Crypto wallet data breaches compromise hundreds of thousands of users
- Online retailers have been attacked and data sold on the dark web
- 3 Million Pluto TV Users’ Data Was Hacked
- Insurance firms
- Healthcare providers
- Web hosting providers
- Gaming Companies.
Twitter was also hacked by a few school kids from the US and the UK. The primary hacker (identified as Graham Ivan Clark from Florida) gained access to Twitter’s backend, took over several high-profile accounts and tweeted on their behalf to promote a cryptocurrency scam. He now faces 30 felony charges in the US. The bitcoin wallets received 12.83 bitcoin, or around $117,000 at the time, so not that lucrative. However, this does demonstrate how this could have been catastrophic if they had been more organised.
Keeping track of all the various data breaches is becoming a full time job.
The above is just a sample of what has happened in 2020. Clearly the Covid-19 pandemic has seen a major uptick in cyber crime this year. Working practices have changed, opening up more attack vectors for cyber criminals to exploit. We have also seen a major hack emerge attributed to a nation state actor (likely to be Russia) which is turning out to be a highly sophisticated attack utilising supply lines as well as additional vulnerabilities.
If we needed further examples that we need to be even more vigilant, then just keep watching our Twitter Feed.
In the meantime, I hope you have learnt from the events of 2020 and look forward to being better prepared in 2021 to protect yourself from the relentless onslaught from cyber crime and nation state hackers.
Happy New Year 2021 to every one of our followers both on our website and on Twitter.