Threat Thursdays: 2020 A Year in Review
We can finally bid a not so fond farewell to 2020. Looking back over our Threat Thursday series, there is no other way to say it: 2020 was a brutal year in cybersecurity. 2019 had already driven ransomware into high gear, but the seven-figure ransom extorted from Travelex really set the tone for what was to come this year. The New Year is a time to reflect, but most importantly it’s a time to learn from the past to create a safer, more secure future. Here’s our reflection on Threat Thursdays over the last year.
JANUARY
We discussed “Curveball” (CVE-2020-0601), a Windows CryptoAPI flaw, with a public proof of concept, that could allow a threat actor to introduce malicious code carrying what appeared to be a valid signature. This had the potential to open a significant risk from software that looked like it came from a trusted vendor. This led our discussion to the importance of vendor risk management, a topic that would unfortunately also come up in December to wrap up the year.
FEBRUARY
Ransomware continued its rise as the FBI investigated a ransomware attack on a US natural gas compression facility. The attack was similar to attacks in 2019 involving Ryuk ransomware at another infrastructure facility. The incident was traced back to a phishing email as the initial attack vector. Phil and I extended our vendor risk discussion into a broader risk management discussion.
MARCH
This was the point in 2020 that we will all look back on years later. In the US, COVID-19 kicked into gear and started to explode globally. I think the term “Remote Work” will be a mental trigger for everyone in the workforce in 2020, as most of us experienced the rapid shift firsthand. I had just attended the RSA conference in San Francisco, and shortly after returning home, reports of cases at the show surfaced. I, along with our entire event team, went into lockdown nearly two weeks before the larger nationwide and global shutdowns as a precaution. Phil and I discussed the importance of tabletop exercises as part of a risk management program. This was also the beginning of the rapid escalation of threat actors targeting users with Coronavirus-themed social engineering tactics, which would be used to great effect for the rest of the year.
APRIL
Threat actors proved to the world how quickly they can move to take advantage of an opportunity. Zeus Sphinx returned to the scene as a tool targeting users of banks in the US, Canada, and Australia. The theme was stimulus payments, which were a point of much stress for many people at that time. Phishing attempts spiked 85%, and over $20 million in fraud had been reported in the first few months of the year. Healthcare organizations, already under strain from COVID-19, found themselves increasingly under attack by ransomware threat actors, and six-figure ransom payouts became more commonplace.
MAY
Scattered Canary hit six US states, exploiting limitations in the filing of unemployment benefits. The Nigerian fraud ring had secured hundreds of millions of dollars in fraudulent claims. The Red Cross pleaded for an end to healthcare attacks, backed by Microsoft President Brad Smith and a host of others. This response was triggered by the Czech healthcare cyberattack and the rising trend of targeting healthcare organizations. Phil and I discussed the struggles many organizations were having in trying to stabilize operations while their workforce operated entirely remotely. Many organizations were limping along operationally and needed to re-evaluate how to secure users while maintaining operations in this new world.
JUNE
This month came with a blast from the past. WannaCry was still being exploited to great effect. Ransomware attacks shifted to exploiting weaknesses in many routers. Ryuk and Trickbot were combined with the WannaCry exploit to take advantage of flaws in MikroTik routers and then spread rapidly. Home routers, which most users never update, surfaced as an additional point of concern that organizations had previously given little attention. Now that every user was connecting from home, those home routers became obvious weaknesses in the rapidly shifting attack surface.
JULY
More seven-figure ransom demands kicked down the door. Telecom Argentina was targeted by REvil: over 18,000 computers and primary servers were taken offline, and recovery took several weeks. REvil and Ryuk had rapidly risen to the top of the ransomware families plaguing the world. Garmin was also hit, and an eight-figure ransom of $10 million was demanded as flyGarmin and consumer workout-related services were impacted by a WastedLocker ransomware attack. Israel’s water systems were also targeted in a cyberattack using phishing and credential stuffing tactics. Phil and I discussed the devices on corporate networks and, by extension, the devices on remote workers’ home networks, ranging from vulnerable routers to IoT devices.
AUGUST
Netwalker ransomware attacks hit higher education as the University of Utah fell prey and paid nearly $500k. At this point Netwalker had netted (yes, pun intended) $25 million in ransoms paid since March 2020. Brown-Forman refused to pay the ransom as REvil targeted Jack Daniels. I toasted the leadership at Brown-Forman for standing their ground and not paying the ransom, a trend that escalated through 2020 and reached an escalation point in October.
SEPTEMBER
Warner Music Group was hit with a data breach. The Magecart attack was suspected of running from April to August 2020, skimming transactions and collecting customers’ PII and credit card information. Zerologon (CVE-2020-1472), a flaw patched in August, could allow an attacker to take over a domain controller: without needing to log on, the attacker could impersonate any computer on the network, disable security features in the Netlogon authentication process, and even change a computer’s password in the domain controller’s Active Directory. The fix was expected to roll out in a phased transition between August 2020 and February 2021 to allow companies time to adapt and prepare for the changes to Netlogon. This changed suddenly in mid-September when DHS released Emergency Directive 20-04, requiring all federal agencies to ensure they had resolved the vulnerability completely by September 23rd. Suddenly a potential threat with a rollout planned over several months became a weekend emergency for anyone in the US Federal space. Many organizations followed suit in the rapid response to this threat.
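The phased Netlogon transition described above depends on domain controllers logging which machine accounts are still making vulnerable secure-channel connections, so that they can be fixed before enforcement mode is switched on. As an added example, not code from the original post or from Microsoft, the Python below triages a JSON-lines export of the Netlogon hardening events (IDs 5827 through 5831, which Microsoft documented with the August 2020 update) into accounts that still need fixing, deliberate policy exceptions, and connections already denied. The export format, the field names and the sample hostnames, accounts and IPs are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Event IDs Microsoft documented for the Netlogon secure channel hardening
# shipped with the August 2020 CVE-2020-1472 update.
DENIED = {5827, 5828}             # vulnerable connection denied (machine / trust account)
ALLOWED_VULNERABLE = {5829}       # vulnerable connection allowed: only logged before enforcement
ALLOWED_BY_POLICY = {5830, 5831}  # allowed because the account is in the explicit exception policy

# Constructed sample export (JSON lines). Hostnames, account names and IPs are made up.
SAMPLE_EVENTS = """\
{"EventID": 5829, "Computer": "DC01.corp.example", "AccountName": "PRINTSRV01$", "ClientIP": "10.0.5.20"}
{"EventID": 5829, "Computer": "DC01.corp.example", "AccountName": "PRINTSRV01$", "ClientIP": "10.0.5.20"}
{"EventID": 5829, "Computer": "DC02.corp.example", "AccountName": "NAS-OLD$", "ClientIP": "10.0.9.8"}
{"EventID": 5830, "Computer": "DC01.corp.example", "AccountName": "LEGACYAPP$", "ClientIP": "10.0.7.3"}
{"EventID": 5827, "Computer": "DC02.corp.example", "AccountName": "NAS-OLD$", "ClientIP": "10.0.9.8"}
{"EventID": 4624, "Computer": "DC01.corp.example", "AccountName": "jdoe", "ClientIP": "10.0.2.15"}
"""


def parse_events(text):
    """Parse a JSON-lines export, skipping blank or malformed lines and
    records that lack the two fields the triage needs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec.get("EventID"), int) and "AccountName" in rec:
            events.append(rec)
    return events


def _bucket():
    return {"count": 0, "sources": set(), "dcs": set()}


def triage(events):
    """Group the hardening events by account into three readiness buckets:
    needs_fix (5829: still allowed silently, will break once enforced),
    policy_exceptions (5830/5831: allowed on purpose), denied (5827/5828)."""
    report = {
        "needs_fix": defaultdict(_bucket),
        "policy_exceptions": defaultdict(_bucket),
        "denied": defaultdict(_bucket),
        "ignored": 0,  # events unrelated to the Netlogon hardening
    }
    for ev in events:
        eid = ev["EventID"]
        if eid in ALLOWED_VULNERABLE:
            key = "needs_fix"
        elif eid in ALLOWED_BY_POLICY:
            key = "policy_exceptions"
        elif eid in DENIED:
            key = "denied"
        else:
            report["ignored"] += 1
            continue
        bucket = report[key][ev["AccountName"]]
        bucket["count"] += 1
        bucket["sources"].add(ev.get("ClientIP", "unknown"))
        bucket["dcs"].add(ev.get("Computer", "unknown"))
    # Freeze the sets into sorted lists so the report is stable and JSON-serialisable.
    for key in ("needs_fix", "policy_exceptions", "denied"):
        report[key] = {
            acct: {"count": b["count"], "sources": sorted(b["sources"]), "dcs": sorted(b["dcs"])}
            for acct, b in sorted(report[key].items())
        }
    return report


def enforcement_ready(report):
    """Enforcement can be switched on without surprises once nothing is still
    being allowed silently; explicit policy exceptions are a conscious decision."""
    return not report["needs_fix"]


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_EVENTS))
    print(json.dumps(rep, indent=2))
    print("ready for enforcement:", enforcement_ready(rep))
```

Running the script on the constructed sample shows two accounts that would have broken the moment enforcement was turned on, one account that someone deliberately exempted, and one already-blocked connection; the unrelated logon event is counted but otherwise ignored. Against a real export, the needs_fix list is the work queue to clear before the enforcement deadline.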
OCTOBER
The assault on healthcare continued as Universal Health Services was hit in a massive ransomware attack that impacted over 80 of their 400 healthcare facilities. Nation-state-funded threat actors continued to target COVID-19 research as Philadelphia-based software company eResearch Technology was hit by a ransomware attack. This was yet another example of third-party vendor risk. Fortunately, Bristol Myers Squibb and AstraZeneca both take this very seriously and were well equipped to continue on when ERT was impacted. The US Department of the Treasury released an advisory warning of possible fines and legal liability for any organization that pays a ransom to an entity on their Sanctions Nexus list. The advisory states that these actors pose a threat to US national security and that any payment to these actors, made directly or on behalf of your organization, falls under this advisory. The question of paying the ransom got significantly more complicated, and you can expect further escalations in 2021.
NOVEMBER and DECEMBER
Threat Thursday in November fell on the Thanksgiving holiday in the US. Phil and I took the month off from this series with plans to return in mid-December with our typical holiday special edition. We ended up recording this and releasing it as an on-demand webinar due to the chain of events that occurred this month regarding the FireEye breach. Check out the details of this event in my blog “If the best of the best can be bested, what chance do the rest of us have?” and view the on-demand recording here.
Let’s all bid farewell to 2020 but let’s not forget the lessons learned and let’s not forget that, globally, we have endured many challenges this past year and together we are entering the New Year. Together, we can define the future.