2020 will be known not only as the year of COVID-19 pandemic, a global tragedy that changed the way we communicate, collaborate and work. It will also be known as the year of cyberattacks, with the attack surface available to threat actors expanding massively during the year.
In the last 12 months, security experts observed a massive number of cyberattacks targeting public and private organizations. Ransomware and malware attacks, phishing campaigns, data breaches and supply chain attacks made the headlines on almost a daily basis.
With that in mind, let’s take a look at some of the biggest.
#1 SolarWinds supply chain attack
Without a doubt, the biggest cyberattack in 2020 was the SolarWinds supply chain attack that impacted major private firms, including FireEye, Microsoft, NVidia and Cisco, and several US government agencies.
On December 13, FireEye announced that a nation-state actor, tracked as UNC2452, has compromised the supply chain of the SolarWinds Orion product. The popular software was used by numerous government agencies and enterprises across the globe.
The investigation is still ongoing: security firms already identified the DLL backdoor, tracked as Solorigate, implanted in SolarWinds updates and various second-stage malware, which allowed the attackers to deliver Cobalt Strike loaders, such as Teardrop and Raindrop.
The level of sophistication of the attack, the TTPs of the threat actors, the scope, and the high-profile victims suggest that this intrusion could be one of the biggest cyberattacks of the last decade.
#2 Marriott International
In March 2020, Marriott International disclosed a data breach that exposed the personal information of roughly 5.2 million hotel guests. The incident was detected at the end of February 2020.
The following information may have been involved:
- Contact details (name, mailing address, email address, and phone number)
- Loyalty account information (account number and loyalty points balance, but not passwords)
- Additional personal details (company, gender, and birth date)
- Partnerships and affiliations (linked airline loyalty programs and numbers)
- Preferences (stay/room preferences and language preference)
In response to the incident, the company forced password reset for Marriott Bonvoy members impacted by the data breach and prompted users to enable multi-factor authentication.
In July 2020, Twitter suffered one of the biggest cyberattacks in its history. The hackers breached a number of high-profile accounts, including those of Barack Obama, Joe Biden, Jeff Bezos, Bill Gates, Elon Musk, Uber, and Apple.
Twitter was the victim of a “coordinated social engineering attack” against its employees who gave the attackers access to its internal tools.
The attackers compromised all of the accounts simultaneously and used them to promote a cryptocurrency scam. They posted messages urging the followers of the hacked accounts to send money to a specific bitcoin wallet address to receive back larger sums.
“Everyone is asking me to give back, and now is the time,” reads a message posted from Bill Gates’ Twitter account.
“You send $1,000, I send you back $2,000.”
Using this fraudulent scheme, the threat actors obtained nearly $120,000 worth of bitcoin (approximately 12.86 bitcoins were amassed by the attackers in their wallet) from the unsuspecting followers of the hacked accounts.
Attackers initially breached cryptocurrency-focused accounts, such as Bitcoin, Ripple, CoinDesk, Gemini, Coinbase and Binance, all of which were displaying the following Tweet:
“We have partnered with CryptoForHealth and are giving back 5000 BTC to the community.”
The message included a link to a phishing website. Then, hackers breached the Twitter accounts of Apple, Uber, Elon Musk, and Mike Bloomberg, inviting their followers to send them bitcoin.
Once the attack was discovered, Twitter locked out the attackers and deleted the fraudulent tweets from the compromised accounts.
Two weeks later, the US authorities announced the arrest of 17-year-old Graham Ivan Clark from Tampa, Florida, who is suspected to have orchestrated the Twitter hack. The arrest is the result of an operation coordinated by the FBI, the IRS, and the Secret Service. Hillsborough State Attorney Andrew Warren filed charges against Clark for being the “mastermind” behind the attack that compromised 130 accounts.
On July 23, 2020, smartwatch maker Garmin has shut down several of its services due to a ransomware attack that targeted the company’s internal network and some production systems.
The cyberattack also impacted Garmin call centers, making it impossible for the company to provide information to its users.
Most of the services used by customers of the company rely on the Garmin Connect service to sync data about their runs and bike rides with its servers. Initially, the company did not disclose any details about the attack, but several employees shared some information about the alleged ransomware attack on social media.
Some employees later told the security website BleepingComputer that the ransom demand was $10 million. Experts speculate that the attack involved a new strain of ransomware called WastedLocker.
On July 27, Garmin announced that its computer networks were coming back after the ransomware attack.
A few weeks later, BleepingComputer confirmed that the malware family involved in the attack was the WastedLocker ransomware, after the publication gained access to an executable created by the Garmin IT department to decrypt a workstation.
This means that the company allegedly paid the ransomware operators to obtain the decryptors for its files.
“To obtain a working decryption key, Garmin must have paid the ransom to the attackers. It is not known how much was paid, but as previously stated, an employee had told BleepingComputer that the original ransom demand was for $10 million.”reported BleepingComputer.
#5 Software AG
In October, the German software giant Software AG was the victim of a ransomware attack that also caused a major data breach.
Software AG is an enterprise software company with over 10,000 enterprise customers in over 70 countries. The company is the second largest software vendor in Germany, and the seventh largest in Europe.
The screenshots shared by the Clop ransomware operators showed employee passport and ID scans, employee emails, financial documents, and directories from the company’s internal network.
The company declined to pay the ransom and the ransomware gang published confidential data stolen from its systems.
The software giant revealed that the malware disrupted part of its internal network, while services to its customers, including its cloud-based services, remain unaffected.
In May, EasyJet announced that a “highly sophisticated” cyberattack exposed email addresses and travel details of around 9 million of its customers.
“Following discussions with the Information Commissioner’s Office (“ICO”), the Board of easyJet announces that it has been the target of an attack from a highly sophisticated source,” - reads a statement from the company.
“Our investigation found that the email address and travel details of approximately 9 million customers were accessed.”
Threat actors also accessed a small subset of customer accounts and obtained credit card details for 2,208 individuals. No passport details were exposed.
According to Reuters, who cited two people familiar with the investigation, hacking tools and techniques used by attackers point to a group of suspected Chinese hackers that targeted multiple airlines in recent months.
How to reduce exposure to cyberattacks?
According to the UK National Cyber Security Centre, organizations can protect their infrastructure from cyberattacks by establishing basic cyber defenses.
The adoption of security controls could drastically reduce the exposure of organizations to cyberattacks.
The following controls are outlined in Cyber Essentials, along with more information about how to implement them:
- Boundary firewalls and internet gateways — establish network perimeter defenses, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet.
- Malware protection — establish and maintain malware defenses to detect and respond to known attack code.
- Patch management — patch known vulnerabilities with the latest versions of software, to prevent attacks which exploit software bugs.
- Whitelisting and execution control — prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives.
- Secure configuration — restrict the functionality of every device, operating system and application to the minimum needed for business to function.
- Password policy — ensure that an appropriate password policy is in place and followed.
- User access control — include limiting normal users’ execution permissions and enforcing the principle of least privilege.
The UK NCSC also recommends to put in place additional controls set out in the 10 Steps to Cyber Security guide when an organisation is likely to be targeted by state-sponsored hacker groups:
- Security monitoring — to identify any unexpected or suspicious activity.
- User training and awareness — staff should understand their role in keeping your organisation secure and report any unusual activity.
- Security incident management — put plans in place to deal with an attack, as an effective response will reduce its impact on your business.