July 12, 2020


A whistlestop tour of some of the year’s biggest cyber security stories


Bears, scares and ransomware

Well, what a year it’s been. 2020 kicked off as it meant to go on, with news emerging from China of a new virus which led to a swiftly imposed lockdown in the city of Wuhan. Looks grim, we thought, but it will probably peter out like previous viruses before it. How wrong we were.

To coincide with our Deskflix Cyber Security event, here’s a look back at the last 10 months as covered under Computing’s Security tag.

January

Travelex’s 2020 got off to a bad start, with a ransomware attack on New Year’s Eve. Not that they admitted that, instead choosing the well-trodden deny, distract and cover up route, and failing to notify the ICO in the process. It then turned out that the company had ignored a warning about insecure Pulse VPN software in September and was in trouble with creditors, after which its fate was seemingly sealed. What followed was a distinctly Hogarthian tale of dissolution and downfall.

After initial denials, it eventually emerged that Travelex had been struck by Sodinokibi ransomware, a name we got very used to seeing in 2020. Other strains including Maze, Ryuk, REvil and Phobos became almost as familiar as SARS-CoV-2. During 2020 we were reacquainted with a variety of bears, including Cozy, Fancy, Energetic and Venomous, and TrickBot, a banking malware Trojan and botnet, kept turning up like a bad penny.

February

February introduced another major theme of 2020 - the war on Chinese tech, in particular Huawei. The company had been a presence at the heart of the UK’s communications infrastructure for two decades, and the Johnson government originally said it was welcome to remain in all but the most sensitive locations, but pressure from the US and backbench MPs led to the first of many U-turns. Chinese app TikTok was also to come under attack from the US. An opening salvo was fired by Reddit CEO Steve Huffman, who called the video-sharing app ‘fundamentally parasitic’ and little more than ‘spyware’.

Then there was the police’s use of facial recognition software, which saw seven people wrongfully detained after it screwed up, prompting questions about its accuracy and capabilities, and indeed whether the police should be using it at all. Sports retailer Decathlon spilled 123 million records, including unencrypted employee passwords, and this month’s ransomware victim was Redcar and Cleveland Borough Council, whose website and payment systems were out of action for three weeks.

March

March, of course, marked the start of Lockdown I, the furlough scheme and a global race to find a vaccine. And as the world stayed at home, the great scamming game began, with numerous attempts to defraud the authorities and trick people into parting with their cash, and with disinformation brokers spreading false stories about Covid-19, including it being linked to 5G. Hackers also tried to breach research institutes and the WHO.

In March, we ran our first story of the year about an attack on critical infrastructure, this one concerning the European power grid. More were to follow.

Spring had sprung and the bears were out of hibernation. Venomous Bear, or Turla, targeted websites belonging to Armenia, the same Armenia which is now at war with neighbouring Azerbaijan, incidentally. We also learned that in spite of Microsoft releasing patches to cover some serious vulnerabilities in Exchange Server, eighty-five per cent of instances were still unpatched several weeks later. Oh, and those TrickBot guys were back, this time with a new campaign against telecoms firms. Something tells me that won’t be the last we hear of them. Meanwhile, the pox scars on Travelex’s face were becoming harder to cover up with ointment and powder.

April

So what happened in April? Zoom happened, that’s what. A locked down world desperate to communicate turned to a charismatic hero who’d just ridden into town. But was Zoom to be trusted? Well, no. Zoom’s promises of end-to-end encryption turned out to be so much barroom braggadocio (end-to-end encryption for all would not arrive until October), calls were Zoombombed with porn and racist trolling, and this new friend turned out to be possibly leaking your secrets to Zuckerberg. Meanwhile, crafty bandits were making big money selling Zoom zero-day exploits on the black market.

Encouraged by the stories that Exchange admins couldn’t be bothered to patch their servers, hackers started going after them too, big time. And while China announced some promising vaccine candidates, state-sponsored hackers linked to Vietnam were accused of trying to steal them. Ransomware victim of the month? Cognizant, whose Maze susceptibility would cost it up to $70 million that quarter.

May

First to fall to ransomware in the not so merry merry month of May was Pitney Bowes, who must have been particularly irritated since the exact same thing had happened seven months earlier. Honda also said its networks had been affected by what was thought to be Snake ransomware. Hackers were found to be modifying Ragnarok ransomware specifically to go after an SQL injection zero-day in Sophos firewalls. There were more warnings from intelligence services of attacks on Covid research, and some unusual Madonna memorabilia turned up on the Dark Net. Airlines were not having the best of years and in May, easyJet confessed to an attack in January that affected the data of up to 9 million customers.

June

In June, we learned more about TikTok’s kleptocratic capabilities, including mining the iPhone’s clipboard, and Magecart, the prolific ecommerce cyber criminals whose victims include BA, was discovered to have found new ways to secrete their credit card skimming malware, concealing a script in favicon images’ EXIF data. Cybervictim of the month? Ironically it was American spy agency the CIA, which found itself on the receiving end of what it often dishes out.

The extent of the Covid-related scamming was revealed in a Citizens Advice report which found that one in three Britons had been targeted by scammers since the start of the coronavirus crisis. Reacting to the death of George Floyd in Minnesota, IBM announced that it would no longer be selling facial recognition software, but Amazon’s and Microsoft’s announcements of a pause in sales to the police left much more in the way of wriggle room.

July

Not exactly security, perhaps, but certainly a story to watch was privacy activist and lawyer Max Schrems’ July victory against the US-EU Privacy Shield data transfer mechanism, the one which replaced Safe Harbour, the previous arrangement that the indefatigable Mr Schrems also managed to bring down. ‘Schrems II’ is currently being debated in Europe and its final outcome could have far-reaching implications for data protection. After months of inactivity, Emotet banking malware suddenly sprang back to life and started installing the TrickBot Trojan on infected Windows computers via a fresh spam campaign targeting people in the UK and USA. And in the ongoing Huawei tale, the UK government bowed again to US pressure, or saw the light, depending on your point of view, announcing a speeding up of the vendor’s removal, much to the annoyance of telecom operators who fear that ripping out Huawei will be hugely expensive and will delay the high speed internet rollout.

In an operation codenamed Venetic, police forces from several countries managed to infiltrate criminal gangs by breaking the encryption used by EncroChat, a supposedly secure messaging tool. 750 arrests were made in the UK with many more collars felt in France and the Netherlands. A cyberattack caused an explosion at an Iranian nuclear facility in July, with the finger pointed at Israel. Cisco Systems released security patches to fix 31 vulnerabilities affecting many of its routers and firewall devices.

First ransomware hit of the month was Garmin, which reportedly paid a good proportion of the $10 million sum demanded for the attackers to unlock its systems. Another was cloud company Blackbaud, whose services are used by numerous UK universities and the National Trust. Blackbaud paid a ransom after being promised stolen data would be destroyed, but said it was all encrypted anyway so there was little danger of compromise. And Twitter was hacked by a bunch of teenagers who then tweeted from the accounts of Elon Musk, Barack Obama, Joe Biden and Bill Gates.

August

In August it was revealed that globally, cybercriminals make an estimated 19 billion a year from ransomware, which prompted calls to make paying ransoms illegal. UK companies paid 200 million in ransoms in 2019. Hotel chain Marriott faced a class-action-style lawsuit over a massive 2018 data breach that exposed personally identifiable details of more than 300 million customers. Trading on the New Zealand Stock Exchange (NZX) was disrupted after it experienced DDoS attacks over a few days originating abroad. Meanwhile, a Tesla employee was offered a one-million-dollar bribe to install malware on the car company’s systems, according to Elon Musk.

And in August the final chapter of Travelex’s sorry saga played out, as parent company Finablr collapsed with a billion dollars’ worth of debt. Around the same time, 900 passwords for Pulse VPN, whose vulnerabilities were partly responsible for Travelex’s demise, were found on a hacker forum.

September

In September, a study by IBM revealed the ransomware problem had been getting significantly worse as the year 2020 had progressed, with cyber crime groups blending ransomware attacks with data theft and extortion. And just in time for students returning, what happened at two universities in Newcastle? You’ve guessed it, a ransomware attack. Watchmaker Swatch was another victim. Meanwhile a leaked Chinese database revealed the country was profiling all sorts of people including the Australian PM, with threat actors from that country also targeting known vulnerabilities in Pulse VPN - the one used by Travelex - as well as F5, Citrix and Microsoft Exchange.

Quick plug: In September we boosted our security portfolio, adding AI Enhanced Security to our existing IAM and CASB market intelligence reports in Computing Delta.

October

Which brings us to October, and what did the season of mist and mellow fruitfulness have in store for us? More bears and more ransomware of course. Energetic Bear was found rummaging through local and state networks in the US like so many bins. Tiring of the pesky bears, the US blacklisted the Triton malware gang, and the EU weighed in with sanctions of its own against GRU bigwigs. Meanwhile, Microsoft had had enough of TrickBot, announcing a major offensive to take down its backend infrastructure. BA must be mightily relieved that an expected ICO fine of 138 million for the 2018 Magecart breach was reduced to just 20 million because of the pandemic. Marriott also saw its anticipated fine significantly downsized by the regulator.

This month’s ransomware victims included Carnival Cruises, Hackney Council, and another IT services company, Sopra Steria, which succumbed to a Ryuk attack. Blackbaud, the cloud company attacked in July, revealed that - surprise, surprise - not all the stolen data was encrypted, reversing a previous assurance. Could Blackbaud be the next Travelex? We wouldn’t be at all surprised. US agencies CISA and the FBI warned that hospitals were under ‘imminent threat’ of ransomware attack. Many criminal actors had eased off such attacks during the pandemic, but a group called Wizard Spider apparently has no such scruples. And an old favourite, the ‘war on maths’, was rekindled once again as governments demanded back doors to encryption that somehow only the good guys would be able to use. Back to the ’90s we go.

Author: john.leonard@incisivemedia.com(John Leonard)

Date: 2020-11-05

URL: https://www.computing.co.uk/analysis/4022650/whistlestop-tour-biggest-cyber-security-stories
