2020 has seen a wide range of attacks and the evolution of the threat landscape. Ransomware attacks have dominated the headlines, alongside state-sponsored APT groups targeting the global COVID-19 response effort. New threat actors have emerged, and well-established groups have persisted undeterred, using upgraded tactics, techniques, and procedures (TTPs).
#1 Global malicious email campaigns
Throughout 2020, a large number of high-profile attacks began with users opening phishing emails and executing the malware concealed inside. The return of the Emotet spam botnet saw a further increase in phishing attacks, which often resulted in data exfiltration or ransomware deployment. For around five months, the Emotet botnet pushed the latest iteration of the downloader Trojan with multiple new additions. This included its hashbusting mechanism to spawn tens of thousands of variants, none of which shared the same hash; as well as its thread hijacking ability, enabling it to steal and reply to older email conversations. Proofpoint recorded over 13 million messages linked to Emotet in 2020.
#2 Sophisticated and targeted ransomware attacks
Ransomware attacks have dominated the 2020 threat landscape. Some of the most impactful breaches took place against Managed Service Providers (MSP) and software solution providers such as Blackbaud, Sopra Steria, Finastra, Cognizant, and Software AG. These incidents affected the supply chains of multiple sectors, all of which depend on these services. The Ryuk ransomware group (also known as Wizard Spider or UNC1878) returned after several months to hit Sopra Steria and Universal Health Services (UHS), a hospital and healthcare provider for over 400 locations across the US, Canada, and the UK.
#3 Attack campaigns targeting global COVID-19 response effort
In July, the US NSA and UK NCSC issued a joint advisory regarding Russian cyber threat actors targeting organisations involved in coronavirus vaccine development. The group responsible is also known as APT29 (often called Cozy Bear or The Dukes), which used a variety of tools and techniques including spear-phishing and custom malware. APT28 (also known as Fancy Bear or Sofacy) has also been documented targeting companies involved in the process of testing COVID-19 vaccines. Other state-sponsored threat groups from the Korean peninsula targeted a number of pharmaceutical companies: Thallium (also called Kimsuky) was notable for this. Dark Hotel reportedly attempted to breach the systems of the World Health Organization (WHO). A large number of WHO staff credentials were also leaked to 4Chan, the anonymous message board site, alongside credentials from the US CDC, the Gates Foundation, and the Wuhan Institute of Virology.
#4 Compromise of virtual private network (VPN) devices
The US CISA issued multiple security advisories after threat actors affiliated with the Chinese Ministry of State Security (MSS) and the Iranian Revolutionary Guard Corps (IRGC) were actively exploiting multiple vulnerabilities in virtual private network (VPN) devices. The groups use open source information to plan and conduct cyber operations. They use readily available exploits and toolkits to opportunistically engage target networks. The main vulnerabilities targeted by these APT groups are as follows:
CVE-2020-5902: F5 BIG-IP TMUI
CVE-2019-19781: Citrix ADC/Gateway appliances
CVE-2019-11510: Pulse Secure VPN Servers
CVE-2018-13379: Fortinet FortiGate VPN appliances
#5 Mass exploitation of critical vulnerabilities in Microsoft products
In October, the ZeroLogon vulnerability was disclosed, tracked as CVE-2020-1472. This involved a critical authentication bypass bug in the NetLogon Remote Protocol (MS-NRPC) in Windows environments. To exploit the bug, the attackers required an initial foothold, which many ransomware operators already had. Consequently, these threat actors deployed it to escalate privileges and take over Domain Controllers. Groups such as TA505 (the Clop ransomware operators) and Wizard Spider (the Ryuk operators) began widely monetising this exploit shortly after the public disclosure of a number of proof-of-concept (PoC) exploits. State-sponsored threat groups, such as MuddyWater, were also observed leveraging ZeroLogon for intelligence gathering campaigns in the Middle East.
#6 Data leaks released to underground forums
Throughout 2020, a prolific data broker and leaker in the underground community known as ShinyHunters dumped nearly 400 million user records from over 20 different organisations. The data was leaked to multiple forums: as such, anyone with the URL can download and access the records. In November, the now-defunct ‘data breach index’ site, known as Cit0day, had its data sets leaked to multiple underground forums, Telegram channels, and Discord servers. In total, 23,618 databases were leaked: this included 50GB of 13 billion user records – over 50% of which had never been leaked before. Most of the databases had reportedly been stolen from smaller sites vulnerable to SQL injection.
#7 Breaches in the hospitality sector
2020 saw yet another large data breach from the Marriott International hotel chain. The data of over 5.2 million guests was reportedly exposed in February. Another international hospitality brand, MGM resorts, exposed the data of 10.2 million customers in July. This was later leaked to underground forums with several users confirming its authenticity. These breaches came at a poor time for the hotel chains: they have been severely impacted by the COVID-19 pandemic and, for Marriott, it is the second time in under two years that such a serious data security breach has occurred.
#8 Point-of-Sale malware attacks
In January, 30 million stolen credit cards were added to Joker’s Stash – one of the most infamous carding markets on the darknet. The payment data was reportedly taken from Wawa, the US convenience store and petrol station chain. The breach reportedly affected its Point-of-Sale (POS) systems at all 850 Wawa locations. Customer credit cards were stolen from its payment processing servers by an undisclosed POS malware family. In October, another three million cards were added to Joker’s Stash: these had reportedly been stolen from the US-based Dickey’s Barbeque Restaurant chain. The breach was also reportedly due to POS malware on the restaurant’s payment servers.
#9 High-profile Twitter account hijacks
In July, multiple high-profile Twitter accounts were hijacked to spread cryptocurrency scams. The attackers began by hijacking cryptocurrency exchanges and traders, eventually switching to celebrities, business people, and other famous names, such as Elon Musk, Bill Gates, Barack Obama, Joe Biden, Jeff Bezos, Warren Buffet, Mike Bloomberg, Kanye West, Kim Kardashian, and Floyd Mayweather, among others. A statement from Twitter indicated that the threat actors behind the attack are believed to have targeted 130 accounts; only a small number were compromised and used to send the scam tweets. The attackers also managed to view the private direct messages (DMs) of 36 accounts. Twitter later confirmed that a small number of its employees had been targeted in a phone spear-phishing attack (known as ‘vishing’). The company’s employees were tricked over the phone into providing their credentials to gain access to internal systems. From these Twitter employee control panels, the attackers were able to send out tweets from the high-profile accounts.
#10 SolarWinds supply-chain attack
In December, FireEye disclosed that the US cybersecurity firm was hit by a “state-sponsored attack” resulting in the theft of its Red Team tools. The following week, SolarWinds announced it was compromised by a sophisticated threat actor – tracked as UNC2452 – that had backdoored its automatic software updating system to distribute a malware known as SUNBURST. The company estimates that up to 18,000 customers may have downloaded the backdoored updates for its Orion monitoring products. As one of the largest network management systems (NMS) in the world, SolarWinds constitutes an attractive target for an adversarial intelligence agency due to the breadth of its access to systems on its customers’ networks.
SolarWinds’ customers include 425 of the US Fortune 500 companies; the ten largest US telecommunications companies; all five branches of the US military; multiple US federal agencies; the top five US accounting firms, VISA, MasterCard, Booz Allen Hamilton, and numerous organisations operating critical national infrastructure. Notable clients outside of the US include the UK’s GCHQ, the National Health Service, the Ministry of Defence, European Parliament, and COVID-19 vaccine developers, among others.
In Summary
The state of cybercrime and the threat landscape continues to shift as new vulnerabilities, APT groups, and attack techniques emerge. One factor that has measurably increased the potential fallout of cyberattacks has been the creation and liberal use of darknet leaks blogs by ransomware operators. These attacks severely impact not only the initial victim but also their business partners whose information is present in the leak. This threat will continue to evolve: over 20 ransomware operators are known to perform data-theft-extortion hybrid attacks and, based on current trends, this number only stands to increase in 2021. Although still under investigation, at the time of writing, the SolarWinds attack appears to be one of the most serious intrusions against US government, military, and Fortune 500 enterprises in history. It has already demonstrated that no matter the size of the organisation, or the amount it spends on defence, there is almost always a way to compromise a target.