If 2019 passed under the banner of hacked Elastic, MS SQL and other server databases. In this year we hardly remembered them. It looks like leaks with hacked DBs have faded into the background, if not mention a few incidents. Attackers introduced a new scheme this year: removing the contents of found databases and extorting a ransom to restore it.
I personally remember 2020 as the year of extortionists of all stripes. And the healthcare sector and large and medium-sized businesses were especially hard hit. Attackers monetized “with all their might.” New schemes of extorting have appeared even among the operators of ransomware, more about them below in this article.
To maintain information security at an up-to-date level, it is necessary to understand the main goals of cybercriminals and, accordingly, their methods. And one of the most effective ways of knowing has always been the analysis of incidents that have already occurred.
This article highlights some events and subtypes of attacks in logically separated sections.
Supply chain and contractor attacks
The attack on SolarWinds in the fall of 2020 requires a separate review. This is an example of a very dangerous type of attack – the supply chain attack. Hacking the systems of the software manufacturer SolarWinds, and compromising the Orion software it distributes, injecting the SUPERNOVA backdoor into it – all this went without detection. So the distribution of the infected package with updates throughout the manufacturer’s client chain led to a lot of unpleasant consequences. In particular, to theft from the SolarWinds client, FireEye. Hackers stole cybersecurity tools that, in fact, can be used for hacking purposes. Attacks on the US Treasury and the Federal Judiciary and the Telecommunications and Information Administration, Microsoft, California Department of Public Hospitals, University of Kent, Malwarebytes are also associated with the compromise of Orion. Also, other SolarWinds customers who have installed the software are potentially affected: Intel, NVidia, Cisco Systems, VMware, Belkin, and Deloitte.
“As an expert, I am interested in the attack on SolarWinds. – comments for Angara Technologies Group Roman Zhukov, Director of the Competence Center of Garda Technologies – “For many years the expert community warned about the dangers of supply chain attacks and waterhole attacks. Therefore service (product) providers need to pay more attention to their own security. And their customers should not hesitate to clarify about the measures. Remember, the situation was absolutely similar to ransomware. Before the advent of WannaCry and NotPetya, no one paid attention to extortion against home users, until the problem became corporate and global. Unfortunately, the SolarWinds story will add skepticism about the MSSP and the clouds. But evolution cannot be stopped, so the advice will be short: pay maximum attention to the security mechanisms of the services offered. And customer should insist on a clear SLA and fixed areas of responsibility. “
A few more examples of this kind of attacks in the past year:
• Hackers infected Gerrit software on the OpenDev.org website. OpenDev.org is hosting for the official source OpenStack and a number of other Git repositories. After discovering an incident, security experts disabled Gerrit software and advised users to check commits for the last 2-3 weeks from the moment of detection.
• The Lazarus Group has launched an entire campaign in South Korea to install Lazarus remote access tools on victims’ devices. It was distributed by infecting the legitimate Wizvera VeraPort software designed to protect Windows-based devices when working with a client-bank. This software is required to be installed according to country laws. And affected users installed it from a legitimate but compromised website.
• One of the large-scale attacks on Israeli companies occurred in December. Attacks affected companies associated with the import of goods into the country, including food and other socially important goods. Attackers compromised the software developer Amital and distributed malware to their customers. Since there was no demand for a ransom, experts believe that the main purpose of the attack was to disable part of the country’s economic activities.
• BitBucket infected more than 500 thousand PCs worldwide at the beginning of the year. So the compromised distributions contained info-stealers Vidar, Azorult, Predator, Evasive Monero Miner cryptominer, STOP ransomware, Amadey Trojan, IntelRapid and other malware. Decoy programs include Adobe Photoshop, Microsoft Office, and others.
Denis Kuvshinov, head of the threat research group at the PT Expert Security Center, notes with Angara Technologies Group experts:
“We also observe supply chain attacks when there is none of the aforementioned actions by attackers. But a subsidiary or software vendor is compromised, through which further infection of the target company occurs. It is almost impossible to defend against such attacks, and here only the means of detecting anomalies within the corporate network – SIEM-, NTA-systems, etc.”
The Chinese group APT31 used legitimate software to distribute its malicious tools. And they used fake GitHub links to allegedly download McAfee anti-virus software components to users. It was spread through phishing e-mails. And due to the use of legitimate repositories (GitHub, Dropbox), it was difficult to detect phishing.
In February, Operation Thesaurus or Rubicon was made public to intercept the US CIA and the German BND of secret correspondence from more than 120 countries. The interception was carried out at the expense of the Swiss company Crypto AG. Which, as it turned out, has been owned by the special services since 1970. Crypto AG has supplied encryption equipment to governments of 120 countries around the world. The operation was closed in 1993, according to participants from the German side. And the company was liquidated in 2018. Nevertheless, the equipment is still used in a number of countries.
Compromising a contractor is one type of attack on the supply chain
So the data leak from the Nitro service for working with PDF files led to the sale and publication of data from thiers client companies, including Google, Apple, Microsoft, Chase, Citibank. And this attack and compromise of the State CA of Vietnam led to the massive introduction of a backdoor on user systems through compromised certificates.
Hackers compromised Cloud provider BlackBaud system in the fall. Which resulted in the leakage of confidential data of hundreds of service customers. “Probably, the personal information of millions of people got into the hands of hackers. Companies that use BlackBaud’s services are mainly medical institutions, universities, colleges, as well as museums, and charitable foundations. This incident is a loud bell, reminding of the responsibility that lies with the partners of the companies. ” – comments Andrey Arsentiev, Head of Analytics and Special Projects at InfoWatch Group.
Attention to the IoT industry and its potential somewhat with the introduction of 5G networks has diminished due to coronavirus pandemic. But a few interesting incidents are worth mentioning.
In February security experts disclosed the Kr00k Wi-fi vulnerability of Broadcom and Cypress chips. So more than a million IoT devices was at risk of attack, including products from Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), and hotspots from Asus and Huawei. The vulnerability allows remote interception and decryption of some network packets of a wireless connection. By the way, a little earlier, one of the major botnets abandoned its activities in favor of a new business model and published the credentials of more than 500 thousand servers and home routers, IoT devices. This incident confirms the thesis that any home kettle with built-in and turned-on Wi-Fi (and a simple security password) will immediately become a part of a botnet.
In April, a “credential stuffing” attack on routers (Dasan Zhone, D-Link and ASUS), video recorders and thermal cameras quickly assembled the dark_nexus botnet. A curious ICEBUCKET smart TV ad fraudulent occurred in the United States. It boosted advertising visits through bots introduced into devices and simulated real views of ads in the amount of up to 2 million views. So the defrauded company suffered heavy business losses.
Nikolay Romanov, Trend Micro, comments for Angara Technologies Group:
“Hacking of kettles, routers, refrigerators, and cameras are a massive surge of incidents using such devices has become fertile ground for the formation of a new direction in IoT protection. However, active discussion and modeling is one thing. Applying real methods and means to avoid such situations is another matter entirely. Only in some cases, as a result of hacking, electronic cells are opened, which happened with PickPoint company in Russia. In others, the data is widely available or resale. In any case, the solution to such problems is not only related to the lack of certain technical means of protection. Here’s required, first of all, a detailed study of the solution architecture and all possible threat models. Part of this elaboration should be considered a detailed analysis of the standards and protocols used related to the operation of the IoT. Excluding the most vulnerable in terms of attacks in advance. “
Against the background of the urgent switching of the whole world to remote work in March-April, the popularity of video conferencing software and, in particular, Zoom, has significantly increased. Because of the service was not ready for such close scrutiny, hackers have immediately taken advantage of this. Thousands of videos from confidential Zoom sessions and publications of compromised user accounts began to appear on various open hacker sites.
The Zoom team urgently had to close many of critical vulnerabilities, data on which almost immediately appeared on cybercriminal forums.
In the fall, Group-IB detected phishing activity on Zoom services against users with an offer of compensation. The URL, as usual, led to a fake site stealing payment and personal data. Interestingly, the letters were sent not from a fake domain, but from an official service. And for this, hackers used the “Name” and “Surname” fields. They placed the text about compensation and the malicious URL in these fields.
According to Kaspersky Lab, the fraudsters actively exploited the popularity of instant messengers and video and conferencing services, including Zoom, under the guise of which they distributed malicious software. In 2020, the company identified nearly 1.7 million unique malicious files around the world disguised in this way. Most often, these files were downloaders or adware. Malicious programs flood the victim’s device with unwanted ads, and can also collect their personal data for transfer to third parties.