As in recent years, in 2020 there was an endless stream of ransomware reports, data breaches, and mass account takeovers that moved on and off the headlines, but the worst was saved for last. In December, the hack of a network monitoring software, reportedly backed by the Russian government, was the most dangerous cyber event discovered in the already cataclysmic year of the COVID-19 pandemic.
In its list of what they considered the most memorable hacks of 2020, Ars Technica described a familiar landscape that seems to become more threatening each year. Dan Goodin’s article, describing the top 10 memorable hacks and breaches of 2020, included eight bad exploits, one brilliant positive hack, and an example of how dangerous state-backed malware can be.
TWITTER BITCOIN SCAM
On July 15, 2020, more than a dozen high-profile Twitter accounts were commandeered by hackers who sent out tweets from the accounts of now President-Elect Joe Biden, Elon Musk, Bill Gates, Michael Bloomberg, Jeff Bezos, and others.
The fraudulent tweets offered a “double your bitcoin” scam that wasn’t new to the internet but was now appearing under the names of some very famous accounts. Although the co-opted accounts were shut down quickly by Twitter, bitcoins worth approximately $110,000 were transferred to the scammers’ bitcoin wallets. It’s believed that Twitter insiders were socially engineered into providing the hackers with access to Twitter’s administrative tools. The cofounder of the cybersecurity company CrowdStrike, Dmitri Alperovitch, called it “the worst hack of a major social media platform yet.”
Hospitals have become a popular target for ransomware hackers, and Goodin includes the outage at University Hospital of Düsseldorf in his list, along with successful attacks of Garmin and Foxconn that also caused lockdowns.
At the navigation company Garmin, the outage lasted four days, shutting down access to GPS services for millions of customers, including airplane pilots who needed the guidance systems for flight planning and mapping.
The ransomware attack on the electronics manufacturer Foxconn brought with it the demand for $34 million in ransom to unlock the encrypted company assets. That amount was the highest ransom sought in this kind of cyberattack.
Small businesses are the usual targets for ransomware attacks, and that’s due to the inability of many to afford the cybersecurity to protect against this kind of exploit. To make things worse, though it’s gotten more difficult to harden systems against ransomware, it’s become ridiculously easy for even rank amateurs to launch these attacks.
According to the security blog by PurpleSec, a cybersecurity company based in Washington, D.C., even novices can purchase ransomware kits that require little or no technical expertise on the dark web for as little as $175. Or there is RaaS, ransomware as a service, now also available online. Business Insider reports, “Agents [will] download the virus either for free or a nominal fee, set a ransom and payment deadline…. If the victim pays up, the original author gets a cut— around 5% to 20%—and the rest goes to the ‘script kiddie’ who deployed the attack.”
Personal data of millions of guests and passengers of Marriott International and easyJet was stolen in two separate attacks on the companies. Roughly nine million customers of easyJet and 5.2 million guests of Marriott were exposed in what are becoming all too frequent breaches of corporate security.
A WHITE-HAT HACK
Not all hackers are vandals or thieves. There are security professionals who spend their days also looking for unauthorized back doors into systems as well as more efficient ways to plant viruses and Trojans into systems. They do this in order to warn users and to help software providers patch vulnerabilities. Goodin includes in his 2020 memorable hacks Ian Beer’s zero-click exploit of iPhones that doesn’t require the victims to do anything more than to have their phone on and be in the vicinity. The hack provides “full access to every iPhone within range of [Beer’s] malicious Wi-Fi access point.”
Along with being easy, the attack is “wormable” so that the exploit can pass from one iPhone to others within range. Goodin explains, “The exploit is one of the most impressive hacking feats in recent memory and shows the damage that can result from a single garden-variety vulnerability.” Luckily, Ian Beer is a member of Google’s Project Zero vulnerability research team, and he reported the vulnerability in the iPhone system to Apple, and they patched it.
THE SOLARWINDS HACK
On the other hand, the worst news came last when, late in the year, a devastating breach of a number of high-level U.S. government departments was discovered. Goodin describes the SolarWinds attack as cyber espionage that was “one of the most damaging espionage hacks visited on the US in the past decade, if not of all time.”
What made it so dangerous was the length of time the malware lay hidden, embedded within government computers for eight or nine months, the number of top-level agencies that were involved, and the fact that it was delivered into the systems through a vital software supply chain. And it certainly didn’t boost anyone’s confidence that the intruders weren’t first discovered by the government agencies themselves.
The Texas-based SolarWinds company provides network monitoring software to 300,000 customers. In December 2020, the company notified its customers of a breach. Approximately 18,000 users, private and government customers, had downloaded a software update from SolarWinds that included a Trojan horse planted in the Orion suite of the software. The origin of the malware is generally agreed to be the Russian-backed hacker group known as APT29 or Cozy Bear. The malware provided the hackers with a foothold in the customers’ systems. That list of victimized users continues to be investigated, and in a January 2, 2021 story, The New York Times updated the count.
“Among those who use SolarWinds software are the Centers for Disease Control and Prevention, the State Department, the Justice Department, parts of the Pentagon and a number of utility companies. While the presence of the software is not by itself evidence that each network was compromised and information was stolen, investigators spent Monday trying to understand the extent of the damage in what could be a significant loss of American data to a foreign attacker.”
The Times also notes that the National Security Agency (NSA) “apparently did not know of the breach in the network-monitoring software made by SolarWinds until it was notified last week by FireEye. The N.S.A itself uses SolarWinds software.” On December 8, 2020, the California-based cybersecurity firm FireEye detected the state-sponsored attack and reported it to the NSA.
According to securityweek.com, the foothold was established in SolarWinds software no later than October 2019. Once a proof of concept was successfully demonstrated in the same month, the hackers worked from December 2019 to February 2020 setting up a command-and-control infrastructure in several cloud service accounts from Amazon, Microsoft, GoDaddy, and others.
In March 2020, they began to plant remote access malware in the Orion updates for the SolarWinds software so that when a user installed the update, that would download the tools. After a dormancy of 12 to 14 days, the malware would begin communicating with the command-and-control servers in a way that looked like normal SolarWinds communications with which users were familiar. How much information and data were stolen from the victims is still unknown.
One result of this penetration of our highest-level security agencies by a nation-state was expressed in a blog post from Recorded Future, a cybersecurity company in Somerville, Mass. Because the malware was delivered by an external supply-chain partner, victims now face a new responsibility beyond protecting their own systems.
The post on recordedfuture.com explained, “This attack proved that threat actors can and will infiltrate the software supply chain, and we’ll likely see this attack type in the future. Organizations must account for the digital supply chain as part of their attack surface. Additionally, even though an enterprise may not rely on SolarWinds Orion, an organization may still be at risk through third parties.”
The reminders in 2020 were dramatic and abundant. Every year, the attackers get smarter, and the attack surfaces for enterprises and organizations get wider. This past year, the additional dimension of widespread cyber espionage has made the situation even less stable than the year before.