Travis Wentworth, PhD February 25, 2021
2020 was a year of major turmoil, both socially and technologically. The move to remote work accelerated sharply, and the tools and supporting infrastructure behind it were stretched to their breaking point. That made for an extremely interesting year in cybersecurity. Each incident below was chosen because it represents a distinctive attack vector and/or payload. I've ranked the list on a number of factors, including company size and scope, severity and monetary impact, reputational loss, and overall technical impact.
With all that, here are my top five security incidents of 2020.
#5 Zoom – Misconfigurations
Zoom's default settings allowed users to set up meetings with no password or other form of authentication. Zoom's encryption also had known weaknesses, and multiple CVEs were reported in Q2-Q3 2020, just as the shift to remote work was accelerating at an alarming rate; the added scrutiny of the Zoom code base is why the number of reported CVEs jumped. Brian Krebs reported on a Zoom war-dialing utility, zWarDial, built by the Kansas City security group SecKC. The tool showed how easily Zoom meetings without authentication could be enumerated, and how that information could be used for a number of malicious purposes, most visibly the disruption of meetings by uninvited participants known as "Zoom bombing." In response to the vulnerabilities and insecure defaults, Zoom updated a number of its security policies: it started requiring meeting passwords by default, and it furthered its commitment to security by acquiring Keybase, primarily to bring in a team known for its skill in building end-to-end encrypted products. While the monetary impact may not have been direct, the scope of the impact on the product and the response it forced from Zoom place it firmly in my #5 spot.
#4 Natural Gas Pipeline – OT Phishing
Operational technology (OT) attacks don't always get as much public coverage, partly because the affected companies are private. They tend to be in industries such as oil and gas, chemicals, manufacturing, mining and smelting, where the business is the physical transformation of products. Regardless, it is important to highlight OT, ICS and SCADA compromises whenever we get the opportunity to read the reports. In this case the US Cybersecurity and Infrastructure Security Agency (CISA) reported a ransomware incident impacting a natural gas compression facility at an unnamed US pipeline operator. The ransomware hit both the IT and the OT networks of the facility and resulted in approximately two days of operational shutdown. Note that downtime for an operational facility such as a compression station translates directly into lost revenue, and at that scale the loss can be massive. That contrasts with software and SaaS outages, which hurt sentiment (stock price, customer frustration) but are much less likely to cause a direct loss of profitability. Not every specific is known from the CISA report, but several of the reported details are very interesting. First, the attacker initially breached the pipeline operator through phishing links in malicious emails, which gave them access to the IT network. Subsequent pivoting across the IT/OT boundary resulted in the compromise of industrial control system (ICS) network assets, the Windows-based supervisory systems such as HMIs and data historians. Fortunately, the compromise reportedly did not propagate to the Level 1 devices. In the context of industrial control systems, Level 1 devices are the ones that directly act on the process: pumps, valves, programmable logic controllers (PLCs), mass flow controllers (MFCs) and the like. Because the scale of the compromised facility is unknown I have placed this incident at #4, but it could easily have been placed higher!
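Phishing into the IT network and then pivoting into OT is the pattern the CISA alert describes, and the control that blunts it is strict segmentation with monitored crossing points. The following Python is an added example, not code from the CISA alert or from the pipeline operator: it flags admin-protocol connections (SMB, RDP, WinRM, SSH) that originate in the IT zone and terminate on supervisory or control-level OT hosts. The zone plan, subnets, port list and the Zeek-style conn.log excerpt are all constructed assumptions.

```python
"""Flag admin-protocol connections that cross from IT into OT zones.

Added example (not from the CISA alert and not the operator's tooling). The zone
plan, subnets, port list and the Zeek-style conn.log lines are all constructed
for illustration.
"""
import ipaddress

# Hypothetical zone plan for a single compression facility (assumption).
ZONES = {
    "enterprise_it":  ipaddress.ip_network("10.10.0.0/16"),     # corporate LAN: mail, file shares
    "ot_dmz":         ipaddress.ip_network("10.20.0.0/24"),     # jump hosts, historian replicas
    "ot_supervisory": ipaddress.ip_network("192.168.50.0/24"),  # HMIs, historians, polling servers
    "ot_control":     ipaddress.ip_network("192.168.60.0/24"),  # PLCs, MFCs, other Level 1 devices
}

# Protocols that carry lateral movement and ransomware staging, keyed by TCP port.
LATERAL_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm", 22: "ssh"}

# Constructed Zeek conn.log excerpt (tab-separated, a subset of the real columns).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1582000001.10\tC1\t10.10.4.21\t51234\t10.10.1.5\t445\ttcp
1582000030.55\tC2\t10.10.4.21\t51300\t192.168.50.12\t3389\ttcp
1582000031.02\tC3\t10.10.4.21\t51301\t192.168.50.12\t445\ttcp
1582000100.77\tC4\t192.168.50.12\t40000\t192.168.60.3\t502\ttcp
1582000120.00\tC5\t10.20.0.5\t42000\t192.168.50.12\t3389\ttcp
"""


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' for anything outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_conn_line(line):
    """Parse one conn.log record into the fields the rule needs."""
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.rstrip("\n").split("\t")[:7]
    return {"ts": float(ts), "uid": uid, "src": orig_h, "dst": resp_h,
            "dport": int(resp_p), "proto": proto}


def is_it_to_ot(rec):
    """True when traffic originates in IT (or from an address not in the plan)
    and terminates on a supervisory or control-level OT host. Traffic from the
    OT DMZ jump host is the sanctioned path and is not flagged."""
    src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
    return (dst_zone in ("ot_supervisory", "ot_control")
            and src_zone in ("enterprise_it", "unknown"))


def find_crossings(lines):
    """Return (uid, src, src_zone, dst, dst_zone, service) for each flagged connection."""
    alerts = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip Zeek header lines and blanks
        rec = parse_conn_line(line)
        if rec["proto"] == "tcp" and rec["dport"] in LATERAL_PORTS and is_it_to_ot(rec):
            alerts.append((rec["uid"], rec["src"], zone_of(rec["src"]),
                           rec["dst"], zone_of(rec["dst"]), LATERAL_PORTS[rec["dport"]]))
    return alerts


if __name__ == "__main__":
    for alert in find_crossings(SAMPLE_CONN_LOG.splitlines()):
        print("IT->OT crossing:", alert)
```

In the constructed sample, the corporate workstation reaching an HMI over RDP and then SMB (C2, C3) is flagged, while the HMI polling a PLC over Modbus/TCP (C4) and the DMZ jump host's RDP session (C5) are not. In production the sanctioned jump path should be an explicit allowlist rather than a whole zone, and a crossing like C2 should drive a firewall deny at the IT/OT boundary, not only an alert.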
#3 Garmin – Ransomware
Garmin was hit with a targeted ransomware attack in late July 2020; the outage began on July 23rd and Garmin confirmed the attack on July 27th. TechCrunch reported that the attack resulted in multiple service outages over the course of about five days. The responsible party was identified as the Russian criminal group aptly named Evil Corp, and the group was reported to have demanded a ransom in excess of $10,000,000. Reports indicated that the malware used was the WastedLocker ransomware. Published screenshots from the infected systems showed that the build was likely tailored specifically to Garmin's infrastructure. BleepingComputer initially reported that it believed Garmin must have paid the ransom, given the lack of known weaknesses in WastedLocker's encryption and how quickly Garmin's infrastructure began to recover after a five-day outage that had shown no signs of letting up. Subsequent reporting by Forbes also indicated that Garmin paid the ransom, based on tax deduction filings for the year 2020. Based on the high-profile nature of the attack, the size of the affected company (Garmin has over 15,000 employees worldwide) and the assumed $10M price tag of the recovery, this incident earned a spot in the top three.
#2 Twitter – 0-Day+Social Engineering
Brian Krebs reported that on July 15th 2020 there was a coordinated attack that used Twitter's internal account-support dashboard to take over a number of high-profile Twitter accounts, including those of cryptocurrency influencers and exchanges, CEOs, former President Barack Obama, then presidential candidate Joe Biden, Amazon CEO Jeff Bezos, Tesla CEO Elon Musk, Michael Bloomberg, Warren Buffett and others. The takeover was used to send a tweet from each of these accounts; in brief, the tweet described a philanthropic effort with a fake partner called "cryptoforhealth" and included a Bitcoin address where you could "donate" to the relief effort. In the first 24 hours after the posts the Bitcoin address showed inflows of over $100,000, so it's safe to say the scam was successful.
A follow-up report from Twitter outlined the severity of the attack. The attackers accessed 130 Twitter accounts, ultimately tweeting from 45 of them, accessing the DM inbox of 36 and downloading the Twitter Data archive of 7. Twitter also reported that the attack was a phone spear-phishing campaign against its employees: the first compromised credentials gave the attackers a foothold in Twitter's internal systems, and what they learned there let them target the specific employees who had access to the internal dashboard and tools required to send those tweets and download the data.
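The durable lesson from the Twitter incident is that an internal support tool which can change an account's email, reset its 2FA and tweet on its behalf needs monitoring of its own, independent of the login that reached it. The Python below is an added example, not Twitter's code and not taken from its incident report: it runs a sliding-window burst rule over a constructed audit log of such a tool and alerts on an operator who performs sensitive actions on several distinct accounts, or on any very-high-follower account, in a short period. The log layout, operator IDs, account names, follower counts and thresholds are assumptions.

```python
"""Burst detection for an internal account-support tool.

Added example; not Twitter's code and not taken from its incident report. The
audit-log layout, operator IDs, account names, follower counts and thresholds
are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that change who controls an account or exfiltrate its data.
SENSITIVE_ACTIONS = {"change_email", "reset_2fa", "export_data", "send_tweet_as"}

# Constructed audit records: (UTC timestamp, operator, action, target account, target followers)
SAMPLE_AUDIT_LOG = [
    ("2020-07-15T20:01:10Z", "op_alice", "view_profile",  "@smallbiz_12", 830),
    ("2020-07-15T20:02:05Z", "op_alice", "reset_2fa",     "@smallbiz_12", 830),
    ("2020-07-15T20:10:31Z", "op_bob",   "change_email",  "@exchange_a",  1_900_000),
    ("2020-07-15T20:11:02Z", "op_bob",   "reset_2fa",     "@exchange_a",  1_900_000),
    ("2020-07-15T20:12:44Z", "op_bob",   "change_email",  "@investor_b",  4_700_000),
    ("2020-07-15T20:13:10Z", "op_bob",   "reset_2fa",     "@investor_b",  4_700_000),
    ("2020-07-15T20:14:55Z", "op_bob",   "change_email",  "@founder_c",   38_000_000),
    ("2020-07-15T20:15:30Z", "op_bob",   "send_tweet_as", "@founder_c",   38_000_000),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def burst_alerts(records, window=timedelta(minutes=10), max_accounts=2, vip_followers=1_000_000):
    """Return {operator: evidence} for operators who, within any sliding `window`,
    performed sensitive actions on more than `max_accounts` distinct accounts, or
    on any account with at least `vip_followers` followers. Routine support work
    touches one account at a time and rarely a VIP; the July 2020 pattern was
    dozens of high-profile accounts in quick succession."""
    by_op = defaultdict(list)
    for ts, op, action, target, followers in records:
        if action in SENSITIVE_ACTIONS:
            by_op[op].append((parse_ts(ts), action, target, followers))
    alerts = {}
    for op, events in by_op.items():
        events.sort()
        for i, (t0, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            accounts = {e[2] for e in in_window}
            vips = sorted({e[2] for e in in_window if e[3] >= vip_followers})
            if len(accounts) > max_accounts or vips:
                alerts[op] = {"first_seen": t0.isoformat(), "accounts": sorted(accounts),
                              "vip_accounts": vips, "sensitive_actions": len(in_window)}
                break  # one alert per operator is enough to page someone
    return alerts


if __name__ == "__main__":
    for op, evidence in burst_alerts(SAMPLE_AUDIT_LOG).items():
        print(op, evidence)
```

With the constructed log, op_alice's single 2FA reset on a small account stays quiet while op_bob's six account-control actions across three large accounts in five minutes fire on both rules. The VIP rule is deliberately aggressive: a sensitive action on a high-profile account is rare enough that requiring a second approver (or at least a real-time review) costs little and would have surfaced the July 2020 activity on the first account, not the 45th.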
ZDNet reported in August 2020 that the FBI had tracked down three people in connection with the July events, identifying a UK national and two Florida residents as the perpetrators. The timeline indicated that the intrusion into Twitter's internal systems began as early as May 3rd, and that the order and scope of events between May 3rd and the July 15th attack were difficult to determine.
In the end, it was determined that 12.83 Bitcoin were sent to the scam address. With the rise in Bitcoin's price since then, that's nearly half a million dollars here in early 2021. Coinbase also reported that it proactively blocked its customers' transfers to the malicious address, preventing another 20+ Bitcoin from reaching the scammers. While the direct monetary impact was not as large as the Garmin ransom, the high-profile nature of the affected accounts and the reputational damage to one of the largest tech companies earned this incident the #2 spot.
#1 SolarWinds – Supply Chain Attack
ZDNet reported that a sophisticated supply chain attack had been carried out over a period of months against SolarWinds' Orion network monitoring platform. Krebs on Security and a number of other sources reported that the Orion code base had been compromised as early as March 2020.
The first indicators of this attack were discovered by FireEye. While investigating the theft of its own red-team tools, FireEye found that the Orion software it ran internally had been backdoored, and it confirmed that the backdoored component carried a valid SolarWinds digital signature. What that meant at the time was that Orion itself, not just FireEye's copy of it, had likely been compromised, and that SolarWinds needed to investigate whether Orion had been tampered with inside its own build and release process before it was distributed.
SolarWinds subsequently investigated the FireEye report and determined that its product had indeed been compromised! The compromise was pervasive, affecting government entities, private businesses and academic institutions. However, precisely because it was so pervasive, it is likely that the attackers used the backdoor to go after only a small number of specific targets. The group responsible is believed to be Russian, so it seems very likely that they preferentially targeted government institutions.
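FireEye's finding that the backdoored component carried a valid SolarWinds signature is the crux of a build-system compromise: the signature is genuine because the attacker's code went through the vendor's own pipeline. The Python below is an added example (not code from FireEye, SolarWinds or the original post) showing why an update gate must check a digest pinned out of band in addition to the signature. The HMAC standing in for the vendor's code-signing step, the key, the artifact bytes and the pinned digest are all assumptions.

```python
"""A valid vendor signature does not prove a build is trustworthy.

Added example; not SolarWinds' or FireEye's code. The HMAC here stands in for
the vendor's code-signing step (assumption), and the artifact bytes, key and
pinned digest are constructed for illustration.
"""
import hashlib
import hmac

# Assumption: the key the vendor's build pipeline signs with. If the pipeline is
# compromised, the attacker's output is signed with this key just like a clean build.
VENDOR_SIGNING_KEY = b"vendor-build-pipeline-key"


def vendor_sign(artifact: bytes) -> bytes:
    """Stand-in for the build pipeline signing whatever it produced."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, sig: bytes) -> bool:
    """What a signature check alone can tell you: the pipeline signed these bytes."""
    return hmac.compare_digest(vendor_sign(artifact), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_update(artifact: bytes, sig: bytes, pinned_digests: set) -> tuple:
    """Gate an update on two independent facts: the vendor signature verifies AND
    the artifact digest matches a pin obtained out of band (an independent
    reproducible build, or a release manifest published over a separate channel).
    Returns (decision, reason)."""
    if not signature_valid(artifact, sig):
        return ("reject", "signature does not verify")
    digest = sha256_hex(artifact)
    if digest not in pinned_digests:
        return ("hold", "signed by vendor but digest %s... is not a pinned release" % digest[:12])
    return ("install", "signed and digest matches pinned release")


# Constructed artifacts. The 'trojaned' bytes are a placeholder, not real malware.
CLEAN_BUILD = b"monitoring-agent-2020.2.1.dll: legitimate contents"
TROJANED_BUILD = CLEAN_BUILD + b"\n<backdoor class injected at build time>"
PINNED = {sha256_hex(CLEAN_BUILD)}  # digest published out of band for this release


if __name__ == "__main__":
    for name, build in (("clean", CLEAN_BUILD), ("trojaned", TROJANED_BUILD)):
        sig = vendor_sign(build)  # both builds are signed by the same pipeline
        print(name, "signature_valid=%s" % signature_valid(build, sig),
              evaluate_update(build, sig, PINNED))
```

Both builds pass the signature check, because the pipeline signed both; only the out-of-band pin separates them. The caveat is that the pin is only as good as its source: a digest fetched from the same vendor channel that shipped the update was produced by the same compromised pipeline and proves nothing, which is why reproducible builds and independent attestation of the build environment matter for this class of attack.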
Due to the far-reaching impacts of this compromise and the amount of time it was present before discovery this incident received the #1 spot on my list. While the incident response is still ongoing, I think it is clear the effects of this compromise will be felt for many years to come.