2020 will probably go down as one of the most chaotic years in recent memory. From the Covid-19 pandemic to one of the most contentious US elections in history, it has been a hectic year, to say the least. That chaos has been reflected in the cybersecurity space as well.
In fact, let’s just sum up cybersecurity in 2020 in a nutshell:
Alright, for those of you who may want a bit more than that, let’s go deeper.
Cybersecurity trends of 2020
First, let’s go through the main cybersecurity trends of the year, the ones that dominated the headlines. We mined the following trends from KNOW, Netenrich’s threat intelligence platform.
- Covid-19-themed phishing
- Zoom bombing
- VPN vulnerability
- Covid-19 vaccine espionage
- Election hacking
- K-12 education disruption
- The SolarWinds hack
Alright, let’s get into the details!
#1 Covid-19-Themed Phishing
The United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert on the growing use of Covid-19-related themes by malicious threat actors. APT groups and cybercriminals have actively targeted individuals, small and medium enterprises, and large organizations with Covid-19-related scams and phishing emails.
Examples of subject lines of these phishing emails include:
- 2020 Coronavirus Updates,
- Coronavirus Updates,
- 2019-nCov: New confirmed cases in your City, and
- 2019-nCov: Coronavirus outbreak in your city (Emergency).
These emails usually contain a call to action that pushes the victim to visit a website the attackers use to harvest usernames and passwords, credit card numbers, and other personal information.
The NCSC has also observed SMS phishing (smishing) attempts. Most of these messages use financial incentives, including government payments and rebates (such as a tax rebate), as the lure, and most have used UK government-themed lures to harvest names, email addresses, postal addresses, and banking details.
In these campaigns, phishing has served two purposes:
- Credential theft: The emails combine Covid-19-related themes with standard social engineering techniques and urgent language to strengthen the lure. If the victim enters a password on the spoofed page, the attacker captures it and can log in to the victim’s online accounts, such as their email inbox. To make the spoofed site look legitimate, the URL often contains Covid-19-related wording (e.g., “corona-virus-business-update,” “covid19-advisory,” or “cov19esupport”).
- Deploying malware: Many threat actors have used Covid-19-related lures to deliver malware. In most cases the email persuades the victim to open an attachment or download a file from a linked website; opening the file executes the malware and compromises the victim’s system.
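The lure indicators described above (pandemic wording in the subject line, urgency language, Covid wording embedded in the link URL, and a link domain that does not match the sender’s domain) are mechanical enough to check automatically. The script below is an added example written for this page, not code from the article, CISA, or NCSC: it parses an RFC 822 message with Python’s standard `email` module and reports which indicators fired. The keyword lists and the sample message are constructed; the sender and link domains in it are placeholders.

```python
"""Triage a suspected Covid-19-themed phishing email (added example, constructed data)."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Indicator lists constructed from the lure patterns described in the text.
COVID_TERMS = ("coronavirus", "covid", "2019-ncov", "cov19", "corona")
URGENCY_TERMS = ("emergency", "urgent", "immediately", "within 24 hours", "account suspended")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Crude 'last two labels' extraction; adequate for a triage heuristic, not for policy."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(msg):
    """Collect every http(s) URL found in the text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage(raw):
    """Return the sorted list of indicator names that fired for a raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    hits = set()
    subject = (msg["Subject"] or "").lower()
    body = " ".join(
        p.get_content() for p in msg.walk() if p.get_content_type().startswith("text/")
    ).lower()
    if any(t in subject for t in COVID_TERMS):
        hits.add("covid_theme_subject")
    if any(t in subject or t in body for t in URGENCY_TERMS):
        hits.add("urgency_language")
    sender_host = ""
    if msg["From"] is not None and msg["From"].addresses:
        sender_host = msg["From"].addresses[0].domain
    for url in extract_urls(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if any(t in host or t in parsed.path.lower() for t in COVID_TERMS):
            hits.add("covid_theme_url")
        if sender_host and registrable_domain(host) != registrable_domain(sender_host):
            hits.add("link_domain_mismatch")
    return sorted(hits)


# Constructed sample modelled on the subject lines quoted in the text; domains are placeholders.
SAMPLE = """From: "Health Alert Desk" <alerts@who-int-updates.example>
To: staff@example.org
Subject: 2019-nCov: Coronavirus outbreak in your city (Emergency)
Content-Type: text/plain; charset="utf-8"

New confirmed cases in your area. Verify your account immediately to keep
access to the advisory portal:
http://login.example-mail-secure.test/covid19-advisory/signin
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running it on the constructed sample reports all four indicators; a routine internal message whose link stays on the sender’s own domain reports none. Treat the output as a triage signal for an analyst, not a verdict.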
#2 Zoom Bombing
Zoom bombing, also called Zoom raiding, refers to the unwanted, disruptive intrusion of uninvited participants, typically Internet trolls, into a Zoom meeting. As lockdowns pushed companies to remote work, many adopted Zoom as their preferred meeting platform, often with meeting links shared publicly and no passcode or waiting room enabled.
Trolls took advantage and hijacked online meetings. According to reports, they spread hate speech, including racist messages, threats of sexual harassment, and pornographic images.
#3 VPN Vulnerability
With the rise in remote work came a rise in VPN usage and, predictably, a rise in attacks on VPN appliances. CISA, part of the Department of Homeland Security, warned that an Iran-based malicious cyber actor was “routinely” exploiting unpatched VPNs throughout 2020.
The threat actor exploited these vulnerabilities to:
- gain initial access to targeted networks, and
- maintain access within successfully exploited networks for several months, using multiple means of persistence.
So, which VPN vulnerabilities were actively exploited? Two topped the list:
- An “arbitrary code execution” flaw in Citrix ADC and Gateway VPN appliances (CVE-2019-19781)
- An “arbitrary file read” vulnerability in Pulse Secure VPN appliances (CVE-2019-11510)
In December 2019, Citrix disclosed a vulnerability in its ADC and Gateway products. The vulnerability, CVE-2019-19781, allowed a remote, unauthenticated attacker to execute arbitrary code on the appliance. The affected appliances were:
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds before 10.5.70.12
- Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
- Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
- Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 12.1.55.18
- Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 13.0.47.24
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).
Pulse Secure Vulnerability
Unpatched Pulse Secure VPN servers were a constant thorn in the side of SOC teams in 2020. The vulnerability, CVE-2019-11510, is an arbitrary file read flaw that remains exploitable until the appliance is patched.
So, what exactly does this vulnerability allow? A remote, unauthenticated attacker can read arbitrary files on the appliance and thereby obtain the list of active users and their plain-text credentials. It may also be possible for the attacker to execute arbitrary commands on each VPN client as it connects to the VPN server.
Affected versions include:
- Pulse Connect Secure 9.0R1 – 9.0R3.3
- Pulse Connect Secure 8.3R1 – 8.3R7
- Pulse Connect Secure 8.2R1 – 8.2R12
- Pulse Connect Secure 8.1R1 – 8.1R15
- Pulse Policy Secure 9.0R1 – 9.0R3.1
- Pulse Policy Secure 5.4R1 – 5.4R7
- Pulse Policy Secure 5.3R1 – 5.3R12
- Pulse Policy Secure 5.2R1 – 5.2R12
- Pulse Policy Secure 5.1R1 – 5.1R15
CISA expects continued attacks against unpatched Pulse Secure VPN environments in 2021 and has urged users and administrators to upgrade and secure their systems. Because the flaw exposes credentials, patching alone is not sufficient: any credentials that were valid on an appliance while it was unpatched should be reset.
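The affected-version lists above for Citrix ADC/Gateway (CVE-2019-19781) and Pulse Connect Secure/Policy Secure (CVE-2019-11510) are exactly what an inventory check needs, but the two vendors write versions differently (“13.0.47.24” versus “9.0R3.3”, with letter-suffixed WANOP builds like “10.2.6b”). The script below is an added example written for this page, not code from the article, Citrix, Pulse Secure, or CISA. It encodes the thresholds quoted in the text and compares inventory records against them; the hostnames and version strings in the inventory are constructed. Anything outside the listed ranges is reported as “not listed”, never as “safe”, because the text only tells us which versions were affected.

```python
"""Check VPN appliance versions against the affected ranges quoted in the text (added example)."""
import re

# Citrix CVE-2019-19781: "all supported builds before X", keyed by version line.
CITRIX_FIXED_BUILDS = {
    "ADC/Gateway": {
        "10.5": "10.5.70.12", "11.1": "11.1.63.15", "12.0": "12.0.63.13",
        "12.1": "12.1.55.18", "13.0": "13.0.47.24",
    },
    "SD-WAN WANOP": {"10.2": "10.2.6b", "11.0": "11.0.3b"},
}

# Pulse CVE-2019-11510: inclusive affected ranges, keyed by product.
PULSE_AFFECTED = {
    "Pulse Connect Secure": [("9.0R1", "9.0R3.3"), ("8.3R1", "8.3R7"),
                             ("8.2R1", "8.2R12"), ("8.1R1", "8.1R15")],
    "Pulse Policy Secure": [("9.0R1", "9.0R3.1"), ("5.4R1", "5.4R7"), ("5.3R1", "5.3R12"),
                            ("5.2R1", "5.2R12"), ("5.1R1", "5.1R15")],
}

_TOKEN = re.compile(r"(\d+)([a-z]?)")


def parse_version(text):
    """Turn '12.1.55.18', '9.0R3.3' or '10.2.6b' into a comparable tuple of (int, suffix).

    'R' is treated as a separator, so 9.0R3 < 9.0R3.3, and a letter suffix sorts after
    the bare number, so 10.2.6 < 10.2.6a < 10.2.6b.
    """
    tokens = _TOKEN.findall(text.lower().replace("r", "."))
    return tuple((int(num), suffix) for num, suffix in tokens)


def citrix_status(family, build):
    """'vulnerable' if the build predates the fixed build for its version line."""
    v = parse_version(build)
    if len(v) < 2:
        return "not listed"
    line = f"{v[0][0]}.{v[1][0]}"
    fixed = CITRIX_FIXED_BUILDS.get(family, {}).get(line)
    if fixed is None:
        return "not listed"
    return "vulnerable" if v < parse_version(fixed) else "patched"


def pulse_status(product, version):
    """'vulnerable' if the version falls inside one of the listed inclusive ranges."""
    v = parse_version(version)
    for low, high in PULSE_AFFECTED.get(product, []):
        if parse_version(low) <= v <= parse_version(high):
            return "vulnerable"
    return "not listed"


# Constructed inventory: (hostname, product family, version string).
INVENTORY = [
    ("vpn-gw-01", "ADC/Gateway", "13.0.47.22"),
    ("vpn-gw-02", "ADC/Gateway", "12.1.55.18"),
    ("wanop-01", "SD-WAN WANOP", "10.2.6a"),
    ("pcs-01", "Pulse Connect Secure", "9.0R3.3"),
    ("pcs-02", "Pulse Connect Secure", "9.0R3.4"),
    ("pps-01", "Pulse Policy Secure", "5.4R7"),
]


def audit(inventory):
    """Map each hostname to its status."""
    results = {}
    for host, family, version in inventory:
        if family.startswith("Pulse"):
            results[host] = pulse_status(family, version)
        else:
            results[host] = citrix_status(family, version)
    return results


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:10} {status}")
```

Note that “patched” here only means the build is at or past the fixed build for this one CVE; it says nothing about later advisories, and an appliance that was exposed before patching still needs the credential reset described above.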
#4 Covid-19 Vaccine Espionage
As the race for a Covid-19 vaccine intensified, a number of state-backed threat actors launched espionage campaigns against vaccine research.
Cozy Bear’s attacks
Russian state actors, attributed to APT29 (Cozy Bear), were accused of targeting organizations developing a Covid-19 vaccine in the UK, US and Canada. The warning was issued jointly by an international group of security agencies:
- UK’s NCSC
- Canada’s Communications Security Establishment (CSE)
- The United States Department of Homeland Security (DHS) and CISA
- The US National Security Agency (NSA)
The attackers exploited software flaws to gain access to vulnerable systems, then used the WellMess and WellMail malware to upload and download files from infected machines. They also harvested login credentials by spear-phishing individuals.
IBM’s report on supply chain attacks
IBM also reported that the international vaccine supply chain was targeted repeatedly by cyber espionage, and that the sophistication of the methods points to a nation state. The campaign started in September 2020: the attackers sent phishing emails across six countries to organizations linked to the Cold Chain Equipment Optimisation Platform (CCEOP) of Gavi, the international vaccine alliance.
This is how their phishing campaign worked:
- The attackers impersonated a real Chinese company involved in the CCEOP cold chain.
- They sent phishing emails to organizations that provide transportation for the cold chain. The emails contained malicious code and asked recipients for their login credentials.
- The apparent end goal was to understand the infrastructure governments would use to distribute vaccines.
As per IBM, the phishing campaign targeted:
- The European Commission’s Directorate General Taxation and Customs Union
- Companies that manufacture solar panels, which can power vaccine refrigeration where reliable electricity is unavailable
- A South Korean software-development company
- A German website-development company, which supports clients associated with pharmaceutical manufacturers.
#5 Election Hacking
The 2020 US elections were rife with threat actors looking to spread disinformation. CISA and the FBI tracked an Iranian advanced persistent threat (APT) actor targeting U.S. election websites. This actor was assessed to be responsible for the mass dissemination of voter intimidation emails to U.S. citizens and for U.S. election-related disinformation in mid-October 2020.
CISA analysts, in coordination with the FBI, found instances of cURL and FDM (Free Download Manager) user agents sending GET requests to a web resource associated with voter registration data. The suspicious activity was concentrated between September 29 and October 17: several hundred thousand queries were submitted, iterating through voter identification values and retrieving results with varying degrees of success.
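The activity described above has a detectable shape in ordinary web server logs: a small number of sources, scripted user agents, GET requests to one registration resource, and a long run of distinct identifier values regardless of whether each lookup succeeded. The detector below is an added example written for this page, not CISA’s or the FBI’s tooling. It parses combined-format access log lines, groups requests by source, and flags any source that queries at least `min_ids` distinct IDs against the lookup path inside a time window. The log lines, the `/voter/lookup` path and the `voter_id` parameter are constructed placeholders; the IP addresses are documentation ranges.

```python
"""Flag voter-ID enumeration in web access logs (added example, constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User agents named in the alert (cURL, Free Download Manager); extend as needed.
SCRIPTED_UA = re.compile(r"^(curl/|FDM |Free Download Manager)", re.IGNORECASE)
TARGET_PATH = "/voter/lookup"          # constructed placeholder for the registration resource
ID_PARAM = re.compile(r"[?&]voter_id=(\d+)")  # constructed placeholder parameter name


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_enumeration(lines, min_ids=5, window=timedelta(minutes=10)):
    """Return {ip: {"ids": n, "scripted_ua": bool}} for each source that queried at least
    min_ids distinct IDs against TARGET_PATH within `window`. Status code is ignored on
    purpose: failed lookups are part of the enumeration pattern."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or not rec["path"].startswith(TARGET_PATH):
            continue
        m = ID_PARAM.search(rec["path"])
        if m:
            by_ip[rec["ip"]].append((rec["ts"], m.group(1), bool(SCRIPTED_UA.match(rec["ua"]))))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            ids = {ident for ts, ident, _ in events[i:] if ts - start <= window}
            if len(ids) >= min_ids:
                findings[ip] = {"ids": len(ids), "scripted_ua": any(s for _, _, s in events)}
                break
    return findings


# Constructed sample: one scripted enumerator, one ordinary browser user, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Sep/2020:02:14:01 +0000] "GET /voter/lookup?voter_id=100001 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [30/Sep/2020:02:14:02 +0000] "GET /voter/lookup?voter_id=100002 HTTP/1.1" 200 498 "-" "curl/7.68.0"
203.0.113.7 - - [30/Sep/2020:02:14:02 +0000] "GET /voter/lookup?voter_id=100003 HTTP/1.1" 404 120 "-" "curl/7.68.0"
203.0.113.7 - - [30/Sep/2020:02:14:03 +0000] "GET /voter/lookup?voter_id=100004 HTTP/1.1" 200 503 "-" "curl/7.68.0"
203.0.113.7 - - [30/Sep/2020:02:14:04 +0000] "GET /voter/lookup?voter_id=100005 HTTP/1.1" 200 511 "-" "curl/7.68.0"
198.51.100.22 - - [30/Sep/2020:02:15:10 +0000] "GET /voter/lookup?voter_id=245871 HTTP/1.1" 200 507 "https://elections.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.22 - - [30/Sep/2020:02:16:40 +0000] "GET /voter/lookup?voter_id=245871 HTTP/1.1" 200 507 "https://elections.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.9 - - [30/Sep/2020:02:20:00 +0000] "GET /static/logo.png HTTP/1.1" 200 8890 "-" "FDM 6.x"
""".splitlines()

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

On the sample, only the cURL source is flagged; the browser user who looked up one record twice and the FDM hit on an unrelated path are not. Tune `min_ids` and `window` to the legitimate per-session lookup rate of the site, and treat the scripted user agent as corroboration rather than a requirement, since it is trivial for an attacker to change.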
#6 K-12 Disruption
The pandemic forced the closure of nearly all elementary and secondary schools. Kindergarten-through-twelfth-grade (K-12) institutions had to adopt distance learning as their mode of teaching, and going digital drew a slew of bad actors.
The FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) announced that malicious cyber actors were targeting K-12 institutions, which make attractive targets because they lack security resources. These disruptions were expected to continue through the 2020/2021 academic year.
Over 2020, these institutions were hit by ransomware (Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil), commodity malware (mostly ZeuS and Shlayer), distributed denial-of-service attacks, video conference disruptions, social engineering, theft of student data, and technology weaknesses such as open/exposed ports and end-of-life software.
#7 The SolarWinds Hack
An APT actor, widely attributed to Cozy Bear (APT29), severely compromised U.S. government agencies, critical infrastructure entities, and private sector organizations in one of the worst cybersecurity incidents in history.
How did the attack happen?
One of the initial access vectors for this activity was a supply chain compromise of the following SolarWinds Orion products:
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
The attackers infiltrated Orion customers by distributing a backdoor, dubbed SUNBURST, inside legitimately signed Orion updates; they achieved this by compromising SolarWinds’ Orion build and update system. After an initial dormant period of up to two weeks, the backdoor retrieves and executes commands called “Jobs.”
Examples of Jobs include transferring files, executing files, profiling the system, rebooting the machine, and disabling system services. SUNBURST uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, and changes its behavior when it finds them, which is why it stayed hidden on instrumented hosts for so long.
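The “obfuscated blocklist” mentioned above is worth seeing concretely, both from the malware’s side and the analyst’s. The binary never stores the tool names it is looking for; it stores keyed hashes of them and hashes the names of running processes at runtime, so a string search of the sample reveals nothing. An analyst recovers the list by hashing a dictionary of known security tool names with the same function and matching. The code below is an added example written for this page, not SUNBURST’s code: the hash function, XOR key, and tool names are constructed stand-ins (published analyses describe a keyed FNV-1a hash, but the real constants and list are not reproduced here).

```python
"""Keyed-hash process blocklist, malware side and analyst side (added example, constructed constants)."""

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
XOR_KEY = 0x5A5A1234ABCDEF01  # constructed key, not the real malware constant


def fnv1a64(data):
    """Plain 64-bit FNV-1a over a byte string."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def obfuscated_hash(name):
    """What the malware stores for a tool name: hash of the lower-cased name XORed with a key."""
    return fnv1a64(name.lower().encode()) ^ XOR_KEY


# Malware side. In a real sample only the integers below would be present in the binary;
# the name list here is constructed so the example can build them at import time.
_SOURCE_NAMES = ["procmon", "wireshark", "autoruns", "x64dbg", "msmpeng"]
BLOCKLIST = frozenset(obfuscated_hash(n) for n in _SOURCE_NAMES)


def should_stay_dormant(running_processes):
    """Malware-side check: hash each running process name and look it up in the blocklist."""
    return any(obfuscated_hash(p) in BLOCKLIST for p in running_processes)


# Analyst side: recover names by hashing a dictionary of candidate tool names.
def recover_blocklist(hashes, candidates):
    """Return the sorted candidate names whose keyed hash appears in `hashes`."""
    table = {obfuscated_hash(c): c.lower() for c in candidates}
    return sorted(table[h] for h in hashes if h in table)


def unrecovered_count(hashes, candidates):
    """How many blocklist entries the dictionary did not explain (gaps to investigate)."""
    return len(hashes) - len(recover_blocklist(hashes, candidates))


if __name__ == "__main__":
    print(should_stay_dormant(["explorer", "svchost", "WireShark"]))
    dictionary = ["Procmon", "Wireshark", "x64dbg", "ida64", "ollydbg"]
    print(recover_blocklist(BLOCKLIST, dictionary), unrecovered_count(BLOCKLIST, dictionary))
```

The defensive lesson is the one SUNBURST taught: a hashed blocklist can only be defeated by recovering the key and the hash algorithm from the sample, after which the dictionary attack is cheap and the recovered names tell you exactly which tools the adversary expected to meet.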
The key takeaways from this monumental attack are as follows:
- This was a patient adversary with tremendous resources, able to carry out long-duration activity on victim networks without detection.
- Initial access vectors other than the supply chain compromise exist and were still under investigation at the time of writing.
Hackers break into the Treasury Department
The Senate Finance Committee revealed that the hackers were able to break into the email system used by the Treasury Department’s most senior leadership.
This is extremely serious because the Treasury Department has one of the most critical roles in the US government. They are responsible for making market-moving economic decisions, communications with the Federal Reserve, and economic sanctions against adversaries.
The hackers appear to have abused internal signing keys to gain access to the email system. Having gotten inside via the SolarWinds update, they forged authentication tokens for Microsoft Office 365 (SAML tokens, per CISA’s analysis of the campaign) that identify a user to the larger network.
With these counterfeit tokens they could fool the systems into treating them as legitimate users and sign in without ever needing usernames and passwords.
2020 Cybersecurity Trends: Lessons
The following graph shows you the most active trends as per KNOW.
As you can see, Covid-19 was easily the dominant trend of 2020, which is hardly surprising. It is more interesting that Zoom bombing was the second most trending topic, and by quite some margin.
So, what are the lessons that we have learned as we move into 2021?
- Themed phishing: Phishing attacks grow more sophisticated by the day, and with Covid-19 we saw a dramatic increase in themed campaigns. User awareness remains a primary defense, backed by controls that still hold when a link is clicked, such as multi-factor authentication. For example, you can search for a suspicious URL in our threat database to find out whether it is known to be malicious.
- Remote work cybersecurity: With companies going fully remote, the attack surface has expanded far beyond the corporate perimeter and the number of exposed points has grown sharply. Bringing this under control before it turns into a breach should be at the top of your list. Check out what our CISO Brandon Hoffman has to say about cybersecurity and remote work.
- Cloud security: Cloud has become indispensable in everyday operations. Companies must audit their cloud configurations thoroughly, especially identity and access settings, to make sure they are properly hardened.
- Supply chain attacks: The hottest topic in cybersecurity right now is the supply chain attack on SolarWinds. The bad news is that a customer cannot prevent a trusted vendor’s update from being backdoored. What you can control is how quickly you learn what you are exposed to: with Attack Surface Intelligence, you can identify all your exposed assets through continuous scanning and remediate risks with easy-to-follow instructions.
2020 Cybersecurity Trends Conclusion: Moving on to Part 2
As you can see, 2020 was a hectic year, and it is nearly impossible to document everything that happened in one article. That is why there will be a Part 2 of our year-end observations, covering:
- The top 5 ransomware groups of 2020.
- The top 10 vulnerabilities of 2020.