January 10, 2021 | By Guy Liberman, VP Cyber Security
Surviving 2020 – “no one saw it coming” describes the year 2020 perfectly
2020 was a year of unprecedented threats, risks, and challenges, the like of which the world had never seen or experienced before, from real life to virtual reality. While the world was busy handling the waves of 2020’s disruption, adversaries took advantage of the ongoing changes in the environment to carry out large-scale, sophisticated campaigns.
The year 2020 forced organizations to test their stability and endurance while at the same time requiring them to develop dynamic capabilities to adjust to the changing times. In this article, we summarize this unusual year and jog your memory of the events that made it unforgettable from a cybersecurity standpoint:
- Data breach across 18 companies: 386 million user records from 18 companies were stolen in data breaches. ShinyHunters, a cyber-criminal hacking group, uploaded the 386 million stolen user records to a public forum.
- Experian breach: Another massive data breach was identified in South Africa at the consumer credit reporting agency Experian, impacting 24 million users and 793,749 local businesses.
- MGM Hotel data breach: Details of 6 million MGM hotel guests were posted on a hacking forum. The data exfiltration began in 2019, and the stolen information was periodically shared on the public hacking forum from then on.
- WHO, Gates Foundation: Approx. 25,000 email addresses and credentials from reputed organizations such as the WHO, the Gates Foundation and the NIH were leaked online.
- Cognizant: In the early months of 2020, Cognizant was hit by Maze ransomware, for which the organization paid approx. $50-70 million in ransom to the adversaries.
- California University attack: The University of California, San Francisco was hit by a ransomware attack in which the attackers demanded $3 million. The university negotiated the ransom amount and was eventually extorted for approx. $1.14 million.
- Energias de Portugal (EDP): The Portuguese multinational energy company EDP faced one of the largest incidents of 2020: a ransomware attack by RagnarLocker in which the adversaries attempted to extort $10.9 million.
- FireEye breach: FireEye revealed that it had been infiltrated by a nation-state hacking operation in which its red team hacking tools were stolen by the attackers. Through this attack, the adversaries got hold of FireEye’s IP, the red team assessment tools. Several security companies have been breached over the last decade, and this was a reminder that no one is immune to attack, security companies included.
- SolarWinds: Another global campaign was identified in which the compromise came via the software supply chain and targeted multiple industries. Delivered through widely used IT infrastructure and network management software, this campaign demonstrated the sophisticated techniques of state-sponsored threat actors. Approximately 18,000 customers, including leading tech companies and hospitals, were affected, and the impact is sweeping, with its scale still being analyzed as new information transpires.
- Hosting provider attack: Thousands of web portals hosted by the hosting company UPress were hacked by anti-Israel actors as part of a pre-planned attack. Web portal vandalism and information theft are risks that website hosting vendors need to mitigate.
- Widespread Israeli breach campaign: A cyber radical group that has hit over 80 Israeli companies in a widespread cyber-attack attacked a large conglomerate with ransomware; the organization’s intellectual property was also stolen and leaked.
- Netlogon remote vulnerability: A new vulnerability was detected that can lead to an unwanted elevation of privilege. An attacker could establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). Adversaries who successfully exploit this vulnerability can run specially crafted code on the affected domain controller.
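On the defender’s side of the Netlogon item above, a domain controller records in its System log whether it allowed or denied a vulnerable Netlogon secure channel connection. The following triage script is an added example, not code from the original article: it assumes those System-log records have already been exported into Python dicts with EventID, Computer and the account that opened the channel, uses the event IDs from Microsoft’s Netlogon hardening guidance, and runs over constructed sample records.

```python
"""Triage of Netlogon secure-channel hardening events exported from a DC.

Added example, not from the original article. Assumes the DC's System log
has been exported into dicts with EventID, Computer and Account. Event IDs
follow Microsoft's Netlogon hardening guidance; sample records are made up.
"""
from collections import defaultdict

# Netlogon hardening events written by the domain controller.
VULNERABLE_ALLOWED = {5829, 5830, 5831}  # weak handshake allowed (not enforcing / GPO exception)
VULNERABLE_DENIED = {5827, 5828}         # weak handshake denied by enforcement mode

# Constructed sample records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "Account": "svc-backup$"},
    {"EventID": 5829, "Computer": "DC01", "Account": "WKS-OLD-07$"},
    {"EventID": 5829, "Computer": "DC01", "Account": "WKS-OLD-07$"},
    {"EventID": 5827, "Computer": "DC01", "Account": "UNKNOWN-PC$"},
    {"EventID": 5830, "Computer": "DC02", "Account": "LEGACY-NAS$"},
]


def triage_netlogon(events):
    """Group Netlogon hardening events per (DC, account) and rank them.

    Allowed-vulnerable connections come first: those accounts are still
    using the weak handshake on a DC that lets it through, so they need a
    patch or an explicit exception before enforcement. Denied ones follow:
    either an unpatched device or an attempt that enforcement blocked.
    """
    counts = defaultdict(int)
    for ev in events:
        eid = ev["EventID"]
        if eid in VULNERABLE_ALLOWED:
            status = "allowed-vulnerable"
        elif eid in VULNERABLE_DENIED:
            status = "denied-vulnerable"
        else:
            continue  # not a Netlogon hardening event
        counts[(ev["Computer"], ev["Account"], status)] += 1
    findings = [
        {"dc": dc, "account": acct, "status": status, "count": n}
        for (dc, acct, status), n in counts.items()
    ]
    # allowed-vulnerable first, then by event volume descending
    findings.sort(key=lambda f: (f["status"] != "allowed-vulnerable", -f["count"]))
    return findings


if __name__ == "__main__":
    for f in triage_netlogon(SAMPLE_EVENTS):
        print(f"{f['status']:18} {f['dc']:5} {f['account']:14} x{f['count']}")
```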
During the challenging times of 2020, the TSOC team was actively involved in supporting organizations to make it through. While the attack vectors were as we expected, the scale and impact were overwhelming.
- Phishing with an emphasis on BEC – (Probability: 5, Impact: 3)
Our team at TSOC was least surprised by the scale of the phishing campaigns, but as far as impact is concerned, for some organizations across industries the implications of phishing attacks in 2020 ranged from exposure to financial fraud to a full environment recovery after highly privileged accounts were compromised.
- Misconfigurations – (Probability: 3, Impact: 4)
We observed open RDP ports, access misconfigurations, and legacy authentication abuse, which led to some critical incidents. Once again, it is a reminder for organizations that even the most sophisticated technology cannot shield them from human error.
- Vulnerabilities on public exposed interfaces – (Probability: 2, Impact: 5)
In 2019 and 2020 multiple critical vulnerabilities were published, which made it easy for adversaries to gain access and privileges without using any special tool or technique. We believe that some of the campaigns noted above started with compromised credentials that were harvested through these vulnerabilities.
- Privileged users – (Probability: 5, Impact: 5)
Excessive privileges and insecure working practices with those privileges (i.e., domain admins, DBAs, network admins, etc.) will continue to create black holes in our timelines. Removing high privileges is considered a challenge, but overcoming an attack that used one is even more challenging. We therefore recommend removing privileged access wherever possible and, where it cannot be removed, establishing a correct process for privileged account usage to minimize the risk, along with supplementary mechanisms.
- Supply Chain – (Probability: 1, Impact: 999+)
The rising star of 2020. Until this year, for the vast majority of organizations these risks did not exist: the supplier was considered trustworthy, and its products, especially those of well-known vendors, impenetrable. We have seen supply chain risks addressed mostly in financial organizations or the security industry, but in 2020, while the high gain of compromising a “crossroad” organization always existed, it seems the impact of the latest campaigns will crown these attack types as the “holy grail” for threat actors across industries.
What to expect in 2021
With remote work, migration to the cloud, and digital transformation across industries, the attack surface keeps growing broader. With such technological advancement and cultural change, we believe organizations may relax security controls along the lines of least privilege, need-to-know access, compartmentalization, segregation of duties, and more.
Thus, it is highly possible that threat actors will emphasize manipulating exposed interfaces or compromised credentials rather than delivering malicious payloads through automated mechanisms.
While 2020 taught us that we can never know what is coming, we still urge you to ensure you are ready to face 2021 with the lessons of last year. We have also composed a shortlist of recommendations that your organization must have in its arsenal:
- Endpoint Detection & Response (EDR) – EDR tools should support behavior-based prevention, data acquisition, advanced query capabilities, and response capabilities (e.g., remote terminal and isolation).
- Change Management – Every change should be documented and managed. Each change should have a documented “how to perform” procedure. Changes must be reviewed for the potential risks they might introduce.
- Patch Management – Be it East-West or North-South, moving through an environment is never as easy as when unpatched systems are available. As some of the recent attacks used unpatched firewalls to compromise credentials and then wander around the environment, make sure you are able to manage your vulnerabilities and patches. This is a routine that must be documented and managed carefully.
- Visibility & Monitoring capabilities – Implementing security products without a skilled SOC team to monitor and respond is like building a 100-foot-tall wall without watching whether anyone digs a tunnel beneath it. In almost every breach we investigated, a bell was ringing, but unfortunately no one was there to hear it.
- Incident Response SLA – Ensure that in times of trouble it is not only Mother Mary who will be there for you, but also a skilled incident response team that is familiar with your environment and can provide services under the defined SLA. This IR team can be internal or external, as long as you are prepared for doomsday.
- Incident Management Process – Unlike documented procedures, the incident management process should address the business side of an incident. Ensure that your process covers the legal, business, and other aspects of your activity. Most organizations find it easy to hide behind technological procedures and best practices, but those won’t tell you whether or not you should pay the ransom. High-impact incidents should be managed by the organization’s leaders, who should be prepared to answer all questions and navigate the ship during these hard times. If you don’t understand the difference, you don’t have one, and we urge you to begin today.
- Supply Chain Review Process – the last one on our shortlist: review your suppliers’ permissions, audit their activities, manage the risks you are exposed to, and ensure that every perimeter where your data is held aligns with your security standards.
There are probably tens or hundreds of other recommendations we could provide, but we will keep some for 2022. See you next time.