2020 has truly been an extraordinary year (and in some respects worse than others). It was also a year of significant events in the cyber threat landscape, and I thought I'd highlight the three most important ones in my mind to round up what happened in these crazy months and get a glimpse of what will happen next.
Event 1: The Campaign of the Year, SolarWinds
The one event to rule them all is the most recent supply-chain attack leveraging the SolarWinds’ Orion platform. Just when we thought we’d seen it all in 2020, security researchers uncovered a highly sophisticated and targeted attack using trojanized versions of Orion. The attackers had been stealthily accessing networks of important public and private sector organizations since March 2020.
As we discussed in our blog about the aftermath of this attack's discovery, it is still unclear who the threat actor behind this operation is, or what their intentions are. The beginning of 2021 will likely be marked by the continued unfolding of this story, which will reveal the campaign's actual extent. But in the meantime, since many heavy-hitting names have been revealed as compromised in this operation, the SolarWinds story has undoubtedly earned a place on this year's threat-landscape podium.
Event 2: Ransomware goes Mainstream
2020 has also been the year of ransomware attacks. We first saw operators of the "Maze" ransomware using the double-extortion technique, encrypting systems while also threatening to publicly release victims' information, when they published a sample of the stolen data belonging to the Southwire Company in January 2020.
This technique has since been adopted by dozens of other ransomware operators seeking to expand their own offensive toolkit by mimicking other criminal groups' successful methods. This game of "monkey see, monkey do" has been characteristic of 2020, and it is another testament to the growing professionalization of the ransomware industry.
New variants that emerged this year also launched directly into double extortion: Egregor, Conti, and many more all set up leak websites for this purpose. The method's widespread adoption suggests that, moving forward, this "pay-or-get-breached" approach may become the default where ransomware attacks are concerned. Some variations may emerge in the future, but we can rest assured that future ransomware attacks will most likely involve the public release of stolen information.
Event 3: The Vulnerability of the Year
And the software vulnerability of the year goes to... the elevation-of-privilege vulnerability in Netlogon, aka "ZeroLogon" (CVE-2020-1472). Since the vulnerability was disclosed, several threat actors have exploited it, including the Iran-linked "MuddyWater" Advanced Persistent Threat (APT), the "Chimborazo" threat group, and state-sponsored actors linked to the People's Republic of China.
Likely a testament to the tremendous impact that attacks exploiting ZeroLogon can achieve, security researchers have found that exploiting this vulnerability can also greatly reduce the time required to conduct a ransomware attack. For example, in October it was reported that the operators behind the "Ryuk" ransomware managed to conduct a fully fledged attack, from initial infection to full encryption, in just five hours, a staggering improvement considering that the same operators normally took 29 hours when ZeroLogon was not exploited.
It’s Business as Usual Under the Surface
Although I've identified just three main events in the threat landscape, it was business as usual for most cyber threat actors. Data breaches are still reported at a staggering pace, and APT groups carry on with their traditional information-gathering operations.
With the COVID-19 pandemic being The Event of the year, most cyber activity also revolved around the pandemic. Cyber threat actors capitalized on our anxiety and eagerness to receive updates about it. They tailored phishing lures using COVID-19 themes, some pretending to contain news related to the pandemic, others pretending to offer financial relief for the economic downturn caused by lockdown measures. If there was a way to exploit the uncertainty generated by this global pandemic, cybercriminals certainly made sure to use it for their nefarious purposes.
Although some threat actors initially claimed they would avoid hitting vulnerable sectors, the reality has been a bit different. The healthcare sector was hit multiple times by ransomware attacks, adding more strain to medical staff during these tough months. In September 2020, a German hospital reported the first alleged death resulting from a ransomware attack. Although reports have suggested that the patient's poor health, and not the cyber attack, was the ultimate cause of death, it is not so inconceivable that a hospital denied access to patient-care resources and forced to focus on remediation could suffer such a tragedy.
The education sector was not let off either, as ransomware operators went after schools and students slowly adapting to distance-learning tools and methods. In the US, the FBI issued security alerts warning that the K-12 school sector was especially vulnerable. A similar alert was issued by the UK NCSC on the threat posed by ransomware groups to the education sector. These alerts were well warranted: throughout 2020, we saw a total of 34 educational institutions or organizations operating in the education sector named on the dark-web leak sites of ransomware groups, indicating that these institutions likely experienced some form of cyber incident during this period. One might think that targeting schools is hardly lucrative, but the reality is far from this. To regain access to its files and research, the University of San Francisco paid a ransom of about USD 1.2 million after a ransomware attack in June 2020.
Even in Singapore, the tiny red dot on the map, cyber activity is ongoing. In 2020, we had our significant share of cyber attacks. Personally identifiable information (PII) remains a commodity that is easily monetized for further attacks such as identity theft and account takeover. On this front, homegrown companies such as RedMart, ShopBack, and RedDoorz all disclosed data breaches this year, indicating a growing interest from cybercriminals in this "new gold".
Size and industry don't seem to matter to ransomware operators. These attackers did not pass up the opportunity for encryption here either: ST Engineering was implicated in a Maze attack. Despite our small size, our global connectedness means that an attack here can at times lead to further compromise elsewhere. The ever-arduous task of securing the supply chain is consequently a crucial step for most organizations, given the pervasive presence of third-party providers and suppliers across every industry.
As we discussed in our 2021 forecast blog, you can be sure that most of these attacks will continue in 2021. After all that has transpired in 2020, you can't really blame someone for saying they don't hold out much hope for 2021. But, amid dark times, we in Singapore are looking forward to brighter days.
As the country slowly eases the restrictions put in place to curb the coronavirus' spread, this week we also received our first shipment of COVID-19 vaccines. Good news for sure, but it does not mean life is back to normal, and malicious cyber activity certainly will not rest either. Cybercriminals have previously taken advantage of the public's need for face masks to conduct scams. Earlier government initiatives in Singapore related to the pandemic were also exploited by threat actors: the mask collection drive saw opportunistic actors spoofing the government's maskgowhere.gov.sg domain, likely to host malicious content and fraudulent activity. It is also highly likely that threat actors will find a way to exploit vaccine-related initiatives for fraudulent activity (spoofed vaccinegowhere domains, anyone?).
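The domain spoofing described above is something a defender can watch for. The script below is an added example written for this post; it is not code from the original post or from the author's company. It takes the legitimate maskgowhere.gov.sg domain from the post as the reference, and the list of "observed" domains it triages is constructed for illustration (none of them is a claim about a real registration). It flags three lookalike patterns: the legitimate label registered outside the gov.sg zone, homoglyph substitutions (0 for o, 1 for l, rn for m, vv for w), and close typosquats, plus any domain reusing the "gowhere" campaign keyword outside gov.sg, which covers the speculated vaccinegowhere variants.

```python
"""Triage observed domain names for lookalikes of a government initiative domain.

Added example, not part of the original post. The reference domain comes from
the post; OBSERVED is a constructed sample list for demonstration only.
"""

LEGITIMATE_DOMAIN = "maskgowhere.gov.sg"   # from the post
GOVERNMENT_SUFFIX = "gov.sg"
WATCH_KEYWORDS = ("gowhere",)              # campaign-style keyword reused across initiatives

# Visual substitutions commonly seen in lookalike labels (assumed list).
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]

# Constructed sample of domains an analyst might pull from DNS or certificate logs.
OBSERVED = [
    "maskgowhere.gov.sg",            # the real domain
    "vaccinegowhere.gov.sg",         # hypothetical future initiative, in the right zone
    "maskgowhere.com",               # legitimate label, wrong zone
    "maskg0where.gov-sg.com",        # homoglyph plus fake zone label
    "masksgowhere.org",              # one-character typosquat
    "vaccinegowhere.com",            # campaign keyword outside gov.sg
    "maskgowhere.gov.sg.example.net",# real name embedded as a subdomain elsewhere
    "example.com",                   # unrelated
]


def normalise(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def split_domain(domain: str):
    """Return (head, suffix): suffix is 'gov.sg' when the name sits in that zone, else the TLD."""
    d = normalise(domain)
    if d == GOVERNMENT_SUFFIX or d.endswith("." + GOVERNMENT_SUFFIX):
        return d[: -len(GOVERNMENT_SUFFIX)].rstrip("."), GOVERNMENT_SUFFIX
    head, _, tld = d.rpartition(".")
    return head, tld


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used for typosquat scoring."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def fold_confusables(s: str) -> str:
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def classify(domain: str):
    """Return None if the domain looks acceptable, else a short reason it looks like a lookalike."""
    d = normalise(domain)
    if d == LEGITIMATE_DOMAIN:
        return None
    head, suffix = split_domain(d)
    legit_head, _ = split_domain(LEGITIMATE_DOMAIN)          # "maskgowhere"
    # Split on dots and hyphens so 'maskgowhere-sg' and 'maskgowhere.gov' both expose the label.
    tokens = [t for label in head.split(".") for t in label.split("-") if t]
    for tok in tokens:
        folded = fold_confusables(tok)
        if folded == legit_head and tok != legit_head:
            return f"homoglyph of '{legit_head}' in '{tok}'"
        if folded == legit_head and suffix != GOVERNMENT_SUFFIX:
            return f"'{legit_head}' label outside the {GOVERNMENT_SUFFIX} zone ({suffix})"
        dist = levenshtein(folded, legit_head)
        if 0 < dist <= 2:
            return f"typosquat: '{tok}' is {dist} edit(s) from '{legit_head}'"
    if suffix != GOVERNMENT_SUFFIX and any(k in fold_confusables(head) for k in WATCH_KEYWORDS):
        return f"campaign keyword outside the {GOVERNMENT_SUFFIX} zone ({suffix})"
    return None


def triage(observed):
    """Map each suspicious domain to its reason; acceptable domains are omitted."""
    findings = {}
    for d in observed:
        reason = classify(d)
        if reason is not None:
            findings[d] = reason
    return findings


if __name__ == "__main__":
    for domain, reason in triage(OBSERVED).items():
        print(f"{domain:32} {reason}")
```

Anything the script flags is a candidate for blocking at the proxy or DNS resolver and for a takedown request, not proof of malice on its own; the keyword rule in particular is deliberately broad and is meant to surface names for an analyst to review.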
Apart from that, news has broken that our sunny shores will play host to the World Economic Forum's (WEF) Special Annual Meeting in May 2021. This marks the first WEF global leadership event to be held in Singapore and in Asia, and the significance of the event means that malicious actors are likely to jump on the bandwagon and milk this opportunity too. APT groups working to collect information advantageous to their political masters have often taken advantage of prominent global events. So I am fairly certain we will see phishing lures using content related to the meeting, targeting government officials involved in WEF or other government-led programs, in the lead-up to the meeting in May next year.
Fostering a stronger and more secure cybersecurity posture can be costly and immensely challenging. But the first steps don't need to be so painful. There are some relatively easy measures that make for a more secure environment: strong password policies, regular monitoring for suspicious activity, and, above all, being mindful of the emails you receive and not downloading attachments until you are absolutely certain the files are legitimate. Ultimately, a safer surfing and browsing environment starts with you.
With great pandemic comes... greater sanitation habits. These habits do not just apply to our everyday lives; they matter for cyber hygiene too. With new threats emerging all the time, it can be extremely challenging, not to mention exhausting, to stay updated on the different types of malicious activity happening around us. Life is tough, but so are you. With the new year upon us in a matter of days, I am going to take the time to rest before the going gets... going again!