[BreachExchange] The scariest security horror stories of 2020
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Dec 21 20:29:35 EST 2020
https://www.itpro.co.uk/security/358164/the-scariest-security-horror-stories-of-2020
The last 12 months have been utterly chaotic for both IT professionals and
businesses, and this seemingly endless uncertainty has provided a prime
opportunity for cyber criminals to wreak havoc across the globe. From
COVID-19-themed phishing campaigns to state-backed operations against
vaccine research, the security landscape has shifted in a number of unusual
and unexpected ways.
The combination of COVID-inspired attacks, numerous major data breaches and
evolving trends makes distilling this year’s security highlights all the
more tricky. As the dust settles on 2020, however, we can identify a number
of emerging themes in cyber security, and we’ve rounded up the most
significant incidents that caught our eye over the past 12 months.
Travelex crippled by ransomware
The year really started with a bang as Travelex found its systems
compromised by a ransomware attack courtesy of the Sodinokibi cyber gang.
Details of the incident were scarce at first, with the company claiming in
a statement that it shut down all its systems as a precaution while it
contended with the “computer virus” that had infiltrated its networks.
The incident meant its currency exchange services were knocked offline, and
customers were unable to access their money while abroad, though it also
had implications for Travelex’s corporate partners. The likes of HSBC and
Virgin Money, for example, found themselves unable to exchange currency due
to their reliance on the firm’s platform.
Only several months later did the wider details and context around the
incident begin to emerge. First, we learned the nature of the attack was
indeed ransomware, but reports then revealed that Travelex paid the
attackers $2.3 million in Bitcoin in order to regain access to its
networks. This is something the security community and law enforcement
generally advise against. We also learned that the attackers gained their
initial foothold in the Travelex corporate network by exploiting two
software flaws for which patches had been available but not applied.
The Zerologon vulnerability
Widely considered the most frightening vulnerability of 2020, Zerologon
(CVE-2020-1472) prompted the US Cybersecurity and Infrastructure Security
Agency (CISA) to issue an emergency directive ordering all federal civilian
agencies to patch their domain controllers immediately.
Rated a maximum 10.0 on the CVSS severity scale, Zerologon is a critical
flaw in Windows Server that allows attackers to take over an Active
Directory domain controller and grant themselves domain administrator
privileges. The flaw lay in the Microsoft Windows Netlogon Remote Protocol
(MS-NRPC), the component domain members use to authenticate to domain
controllers: its handshake encrypted challenges with AES-CFB8 under a fixed
all-zero initialisation vector, so an attacker who sends an all-zero client
challenge and credential is accepted as a legitimate machine account roughly
once in every 256 attempts, and can then reset the domain controller's own
computer account password to an empty string. The attacker needs nothing
more than a TCP connection to the domain controller's Netlogon RPC service;
no domain credentials are required, and a successful attack compromises
every identity the domain holds. Microsoft's August 2020 patch closed the
hole on patched domain controllers, but full enforcement of secure Netlogon
channels for every device was deferred to a second phase in February 2021,
so administrators also need to act on the warnings the first phase logs
about devices still using insecure connections.
Within weeks of the public warnings, Microsoft confirmed that attackers
were exploiting Zerologon in the wild, indicating that exploits for the
flaw had been incorporated into attackers' playbooks.
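The mechanism behind the "no credentials needed" claim, as an added example that is not code from the article, from Microsoft or from the researchers who disclosed the flaw. It models the vulnerable ComputeNetlogonCredential function (CFB8 with a fixed all-zero IV), measures how often an all-zero challenge is accepted, runs an attacker loop that retries until it succeeds and resets the machine password to empty, and contrasts an unpatched server model with one that enforces the August 2020 fix. The names block_encrypt, derive_session_key, NetlogonServer, make_dc and zerologon_attack are assumptions of this example: the block function and key derivation are keyed SHA-256 stand-ins for AES and the real key derivation, and the patched behaviour is reduced to requiring a MAC under the session key.

```python
"""Zerologon (CVE-2020-1472) in miniature. Added example, not code from the
ITPro article, Microsoft or the researchers who disclosed the flaw. The real
handshake uses AES-CFB8 under a session key derived from both challenges and
the machine-account secret; block_encrypt and derive_session_key are keyed
SHA-256 stand-ins (assumptions) so this runs on the standard library alone.
The weakness is CFB8 with a hard-coded all-zero IV, not AES itself, so the
stand-in shows the same 1-in-256 spoofing odds."""
import hashlib
import hmac
import random

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (assumption)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB8: out_i = in_i XOR E(register)[0]; the register then shifts in the
    ciphertext byte (the output when encrypting, the input when decrypting)."""
    reg, out = bytearray(iv), bytearray()
    for b in data:
        o = block_encrypt(key, bytes(reg))[0] ^ b
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])
    return bytes(out)

def compute_netlogon_credential(challenge: bytes, session_key: bytes) -> bytes:
    """Vulnerable ComputeNetlogonCredential: CFB8 with an all-zero IV. With IV,
    plaintext and ciphertext all zero the register never changes, so whenever
    E(key, 0)[0] == 0 (one key in 256) every output byte is zero as well."""
    return cfb8(session_key, bytes(BLOCK), challenge)

def zero_spoof_works(session_key: bytes) -> bool:
    """Does an all-zero ClientChallenge yield an all-zero ClientCredential?"""
    return compute_netlogon_credential(bytes(8), session_key) == bytes(8)

def spoof_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random session keys that accept the zero spoof (about 1/256)."""
    rng = random.Random(seed)
    hits = sum(zero_spoof_works(rng.getrandbits(128).to_bytes(BLOCK, "big"))
               for _ in range(trials))
    return hits / trials

def derive_session_key(secret: bytes, client_ch: bytes, server_ch: bytes) -> bytes:
    """Stand-in KDF (assumption) binding both challenges to the secret."""
    return hmac.new(secret, client_ch + server_ch, hashlib.sha256).digest()[:BLOCK]

class NetlogonServer:
    """Minimal model of a DC: handshake, credential check, NetrServerPasswordSet2."""

    def __init__(self, secret: bytes, rng: random.Random, patched: bool = False):
        self.secret, self.rng, self.patched = secret, rng, patched
        self.client_ch = self.session_key = None
        self.machine_password = b"original-secret"

    def handshake(self, client_challenge: bytes) -> bytes:
        """Fresh server challenge on every call, so each attempt gets a new key."""
        server_challenge = self.rng.getrandbits(64).to_bytes(8, "big")
        self.client_ch = client_challenge
        self.session_key = derive_session_key(self.secret, client_challenge, server_challenge)
        return server_challenge

    def authenticate(self, client_credential: bytes) -> bool:
        expected = compute_netlogon_credential(self.client_ch, self.session_key)
        return hmac.compare_digest(expected, client_credential)

    def set_password(self, encrypted_blob: bytes, seal: bytes) -> bool:
        """Unpatched: trusts authenticate() alone. Patched (a model of the August
        2020 secure-RPC enforcement): also demands a MAC under the session key,
        which an attacker who merely got lucky on the credential cannot produce."""
        if self.patched and not hmac.compare_digest(
                hmac.new(self.session_key, encrypted_blob, hashlib.sha256).digest(), seal):
            return False
        plain = cfb8(self.session_key, bytes(BLOCK), encrypted_blob, decrypt=True)
        # In the real 516-byte blob a trailing length field of 0 decodes as the
        # empty password; modelled here by stripping the zero bytes.
        self.machine_password = plain.rstrip(b"\x00")
        return True

def make_dc(seed: int, patched: bool = False) -> NetlogonServer:
    """Deterministic server instance for repeatable runs."""
    return NetlogonServer(b"dc-machine-secret", random.Random(seed), patched)

def zerologon_attack(server: NetlogonServer, max_attempts: int = 5000) -> int:
    """Attacker with no secret sends all-zero challenge, credential, password
    blob and seal, retrying until the 1-in-256 condition holds. Returns the
    attempt that reset the password, or 0 if none did."""
    for attempt in range(1, max_attempts + 1):
        server.handshake(bytes(8))
        if server.authenticate(bytes(8)) and server.set_password(bytes(8), bytes(32)):
            return attempt
    return 0

if __name__ == "__main__":
    print(f"zero-spoof rate over 20000 random keys: {spoof_rate(20000):.4f}")
    dc = make_dc(42)
    print("unpatched DC: reset on attempt", zerologon_attack(dc), "->", dc.machine_password)
    print("patched DC: successful attempt number", zerologon_attack(make_dc(42, patched=True)))
```

Run it and the unpatched model resets the password after a few hundred attempts on average, while the patched model never does even though the lucky credential still passes the first check. In the real protocol that second line of defence is the signed and sealed Netlogon secure channel, and the February 2021 enforcement phase extends it to every device, which is why patching the domain controllers alone is not the end of the job.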
The flaw became renowned within the security community as an example of an
issue which, while widely reported, became lost in a constant flow of
security news and updates, according to Glasswall’s CTO and CISO Dinis Cruz.
“If you look at the impact, it’s one of the most insane vulnerabilities
we’ve had for a while. That’s zero to a hundred in literally seconds,” he
said at a security roundtable hosted by Redscan. The event was also
attended by the firm’s head of threat intelligence George Glass, curator of
technology and engineering at the Science Museum Dr Liz Bruton, and the
security researcher who originally disclosed the Zerologon flaw, Tom
Tervoort.
“As soon as you hit the domain controller you become the main admin; it
doesn’t get worse than that,” Cruz added. “If there’s one that everybody
should have gone ‘big red button’, it’s this one, but I don’t think we did.
Some people patched it, but the fact that there’s still a lot of places
that are vulnerable to this shows that I don’t think it’s being taken with
the level of seriousness that it should be.”
The COVID-19 Supremacy
The most significant change for many businesses during 2020 has been office
closures leading to a massive shift to remote working patterns. Beyond
vastly changing our working habits and threatening to disrupt the work-life
balance, this has also posed a massive headache for IT teams. Not only did
IT estates become vastly more spread-out and difficult to manage, but it
required a hearty effort to prime workers with the necessary tools and
equipment to do their jobs remotely, such as laptops, collaboration tools
and virtual private networks (VPNs).
Research bears this out: IT professionals report that cyber security is
more important now than ever, with secure access the biggest challenge when
supporting remote workers. This is particularly worrying because the shift
has coincided with a reported 220% surge in phishing attacks over the past
few months, according to cyber security researchers. Contact tracing apps,
too, have been exploited by scammers hoping to dupe users into handing over
personal information.
However, this may pale in comparison to reports of state-backed hackers
working to actively disrupt COVID-19 vaccine development efforts.
Microsoft, for example, flagged “unconscionable” attacks by North Korean
and Russian groups in November, with various attackers targeting research
organisations and pharmaceutical companies.
More recently, hackers accessed documents relating to the Pfizer/BioNTech
vaccine in a cyber attack against the European Medicines Agency. This,
incidentally, was reported just days after IBM revealed a global phishing
campaign was targeting organisations working to ensure the
temperature-controlled storage and transportation of COVID-19 vaccines.
We'd expect such incidents to ramp up further as we move into 2021 and
vaccines are manufactured and distributed at scale.
Teens compromise high-profile Twitter accounts
In what was a gigantic scam, the Twitter accounts of Barack Obama, Bill
Gates and Jeff Bezos, among others, were seen in July posting bizarre
messages asking for payment in Bitcoin. These requests were part of a
scheme in which the high-profile individuals in question would supposedly
double any money sent to them, in an effort to "give back".
This was certainly one of the most extraordinary security stories of the
year, and gained a lot of traction primarily due to the heavy-hitters
involved. A comprehensive Twitter investigation found that roughly 130
accounts were targeted by attackers during the incident, with the
perpetrators gaining the ability to send tweets and even access direct
messages from compromised accounts. The firm initially said it was also
probing whether an employee had been bribed for access to the internal
tools used to carry out the scam; it later concluded that the attackers had
obtained that access through a phone spear-phishing attack on a small
number of employees.
The authorities arrested and charged a number of US and UK-based teenagers
for their involvement in the attack. In another bizarre twist, the virtual
court hearing of one 17-year-old, hosted over Zoom in August, was cut short
after it was hijacked by a member of the public, who shared a pornographic
clip with the participants.
Blackbaud clients fall like dominoes
When the University of York revealed that it had suffered a data breach,
nobody expected it to be the start of a chain reaction that would grow to
include at least 120 incidents. Although it was the university's data that
was compromised, attention was instead redirected to one of its suppliers,
the software and cloud computing provider Blackbaud.
Although Blackbaud’s customers, and subsequently the public, were informed
of the alleged compromise in July, the actual ransomware attack took place
several months prior, in May. Not only that, but Blackbaud revealed that it
agreed to pay the ransom because its customers’ data was its “top
priority”. Unfortunately, the pool of affected customers gradually expanded
over the following weeks, growing from the University of York to a few
other institutions, and then to dozens of organisations. All were informed
two months after the incident, and all were quick to write to their own
stakeholders apologising for the fact that their data had been potentially
compromised on Blackbaud’s watch.
It soon became clear that it wasn’t just dozens, but well over 100
organisations that had been caught up in the monstrous attack, including
the Labour Party, Bletchley Park, and a donkey sanctuary. To add insult to
injury, after legal action began in September, Blackbaud admitted the
following month that financial information was among the data exposed
during the hack, with “unencrypted fields” accessed by the attackers.
The devastating SolarWinds ‘single point of failure’
Our final entry is also the most recent. In early December, FireEye
confirmed that it had been compromised by alleged Russian state-backed
hackers. This was ironic, and deeply concerning, since FireEye is a security
firm often used by national governments to fend off such attacks.
By the weekend, however, it began to emerge that this incident, in which
“highly sophisticated” attackers stole FireEye’s Red Team tools, was only
one piece of a far larger puzzle. FireEye, Microsoft and the US
Cybersecurity and Infrastructure Security Agency (CISA) established that
the attackers had been able to target the company, alongside what has since
emerged to be tens of thousands of other businesses and US government
agencies, because they had already compromised the software vendor
SolarWinds.
FireEye’s security team established, while examining its own breach, that
the attackers had planted a backdoor in SolarWinds’ Orion network
monitoring platform and shipped it to customers inside legitimately signed
software updates, so routine signature checks on the update offered no
protection. SolarWinds said it had fallen victim to a “highly
sophisticated, manual supply chain attack” orchestrated by a nation state
actor and “intended to be a narrow, extremely targeted, and manually
executed attack”. CISA, as a result, ordered all US government agencies to
immediately disconnect or power down SolarWinds Orion products, while the
company itself advised customers to upgrade to the latest release, version
2020.2.1 HF 1, which was, and still is, available through the customer
portal.
Although the backdoored component can be removed by upgrading, SolarWinds
suggested that as many as 18,000 of its 300,000 customers may have
installed the trojanised update. The tainted update potentially reached a
vast array of victims including more than 425 of the Fortune 500, all ten
of the top US telecoms firms, all five branches of the military and all of
the top five accounting firms, according to Guardian analysis of
SolarWinds’ customer base, though the attackers are understood to have
pursued hands-on follow-up intrusions against only a subset of those who
installed it. The sheer scale of the attack also means we may well be
unpicking its full impact well into 2021.