Updated: May 19, 2021
In the Spotlight This Week:
2020 in review: the worst hacks of the year
Financial services industry hit with tens of millions of attacks daily
SolarWinds hackers linked to known Russian spying tools
Suspected Russian hackers behind SolarWinds attack use Microsoft vendors to breach customers
Ryuk rakes in USD 150M in ransom payments
Dassault Falcon Jet reports data breach after ransomware attack
From Twitter to SolarWinds, 2020 saw more than its fair share of high-profile hacks. With the mass exodus to work-from-home environments, cyber security concerns in the workplace were exacerbated, as spear phishing and ransomware cases saw a significant increase in frequency and impact. In this article, WIRED looks back at the strange year and the breaches, data exposures, ransomware attacks, state-sponsored campaigns, and digital madness that shaped it.
Akamai, a leading content delivery network (CDN) provider for software delivery and cloud security solutions, highlighted in its latest "State of the Internet" report that over the past year the financial services industry was hit with millions or tens of millions of attacks per day. In September 2020 alone, Akamai tracked 33 million web application attacks against the financial services industry. The report found that threat actors primarily used common attack paths, such as SQL injection, local file inclusion, and cross-site scripting.
Investigators at Moscow-based cybersecurity firm Kaspersky said the "backdoor" used to compromise up to 18,000 customers of US software maker SolarWinds closely resembled malware tied to a hacking group known as "Turla," which Estonian authorities have said operates on behalf of Russia's FSB security service. The findings are the first publicly available evidence to support assertions by the United States that Russia orchestrated the hack. Costin Raiu, head of global research and analysis at Kaspersky, said there were three distinct similarities between the SolarWinds backdoor and a hacking tool called "Kazuar" used by Turla: the way both pieces of malware attempted to obscure their functions from security analysts, how the hackers identified their victims, and the formula used to calculate the periods during which the malware lay dormant in an effort to avoid detection.
The suspected Russian hackers behind the SolarWinds attack leveraged reseller access to Microsoft's services and penetrated targets whose networks had not otherwise been compromised. While updates to SolarWinds' Orion software were previously the only known point of entry, CrowdStrike found that the hackers had gained access to the vendor that sold CrowdStrike its Microsoft Office licenses and used that access to try to read CrowdStrike's email. Many Microsoft software licenses are sold through third parties, and those companies can have near-constant access to clients' systems as the customers add products or employees. While Microsoft has not identified any vulnerabilities or compromise of its products or cloud services, high alert and vigilance are strongly recommended at this time.
The Ryuk ransomware gang has earned an estimated $150 million, according to an examination of the malware's money-laundering operations. Joint research from HYAS and Advanced Intelligence traced payments involving 61 Bitcoin deposit addresses attributed to the Ryuk ransomware operators. The Ryuk criminals sent the majority of their Bitcoin to exchanges such as Huobi and Binance through an intermediary in order to cash out for traditional currency.
Dassault Falcon Jet disclosed a data breach caused by Ragnar Locker ransomware that may have exposed personal information belonging to current and former employees, as well as their spouses and dependents. According to media reports and the breach dates reported by the company, the attackers maintained access to Dassault Falcon Jet's systems for roughly six months, between June 6th and December 7th. The ransomware gang was also able to infiltrate the networks of several Dassault Falcon Jet subsidiaries. Upon discovery of the breach, the company took all affected systems offline and engaged third-party cybersecurity experts and law enforcement to conduct an investigation.