Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

2020 is finally over. The year was already surreal and tough enough, thanks to the pandemic. But the en masse shift to remote work and the race to find a vaccine created unique threats in cyberspace, allowing criminals and threat actors to mount a variety of attacks, ranging from phishing scams to sophisticated espionage campaigns aimed at stealing COVID-19 research.

Ransomware attacks exploded in number, with an endless stream of compromises hitting schools, hospitals, government agencies, and private companies. Attackers not only demanded massive ransoms, but also extracted large quantities of sensitive data and threatened to publish it unless their demands were met. The average ransom payout increased from about $84,000 in 2019 to about $233,000 last year.

2020 was also a great year for data breaches, which became a regular occurrence. Worse, weak or stolen passwords were tied to 37% of the breaches. Some of the notable companies that were crippled by data breaches and ransomware attacks include Garmin, Vastaamo, Foxconn, Nintendo, Marriott, EasyJet, Big Basket, Dr. Reddy’s, and Luxottica.

Web skimming attacks against ecommerce websites to steal credit card information flourished as well. The operators behind the campaigns stepped up their efforts to hide their malicious code inside image metadata and favicon files, and even used the Telegram messenger to exfiltrate the data.

Then came the great Twitter hack in July, when a number of high-profile accounts were taken over to advertise a cryptocurrency scam. Subsequent investigation found that the attackers had tricked an employee into clicking on a phishing site that harvested credentials for Twitter’s internal systems. They used this administrative password to reset the passwords of the target Twitter accounts and take control.

The most devastating of the hacks in 2020 was also saved for last. Threat actors, likely from Russia, compromised a routine software update released by network monitoring software maker SolarWinds, and used it to deliver a backdoored update to as many as 18,000 customers, including FireEye, Microsoft, Cisco, VMware, and more. The breach came to light earlier in December after cybersecurity firm FireEye disclosed that it had suffered a breach and hackers had stolen its cache of Red Team tools, which it uses to assess the security infrastructure of its customers. What makes the SolarWinds supply chain attack more damaging is the level of sophistication and tradecraft used to stealthily break into the company’s software distribution system as early as October 2019 before making their move in March.

Cybersecurity is an endless tussle between digital thieves and defenders. It’s a form of modern warfare playing out across an increasingly advanced threat landscape. And if 2020 is any indication, these attacks will only get more sophisticated.

US intelligence agencies formally accused Russia of orchestrating the SolarWinds supply chain attack, police in Singapore can now use data collected by its COVID-19 contact tracing app to aid criminal investigations, and hackers gained access to the Finnish Parliament’s IT systems.

Law enforcement agencies in Singapore are now authorized to use data collected by its COVID-19 contact tracing app to aid criminal investigations. [CyberScoop]

Hackers gained access to the Finnish Parliament’s IT systems in recent months in an incident that allowed them to compromise some emails belonging to members of Parliament. [The Parliament of Finland]

Prof. Matthew Green made a great Twitter thread about how law enforcement agencies actually break into locked iPhones. It hinges on your phone being in the “After First Unlock” state, where the phone is locked but was unlocked at least once after it was powered on by the owner. [matthew_d_green / Twitter]

Law enforcement agencies in the US and Europe took down the Safe-Inet VPN service for facilitating criminal activity. The UK’s National Crime Agency also arrested 21 people for buying breached personal data from WeLeakInfo.com, a now-defunct online service that had been selling access to data hacked from other websites. [The Hacker News]

Certificate authority Let’s Encrypt said it has found a workaround that will extend older Android phones’ compatibility with its certificates by three years. [Let’s Encrypt]

28 shady browser extensions used by more than 3 million users were found to collect their browsing histories, redirect traffic to phishing sites, and download additional malware onto their devices. [Avast]

Israeli private intelligence firm NSO Group allegedly used location data from thousands of unsuspecting people to pitch its COVID-19 contact-tracing tech to governments and journalists. The company said the “demo material was not based on real and genuine data related to infected COVID-19 individuals,” but didn’t say where the data came from or how it was obtained. [TechCrunch]

In other NSO Group-related news, at least 36 Al Jazeera journalists had their iPhones targeted with a “zero-click” exploit in iMessage that was used to stealthily deliver the company’s Pegasus spyware. The flaw was eventually addressed by Apple in iOS 14. [Citizen Lab]

Ticketmaster will pay $10 million for hacking rival ticket seller CrowdSurge repeatedly between 2013 and 2015 in an attempt to “cut [the company] off at the knees.” [The US Dept. of Justice]

NBC News’ Olivia Solon goes on a deep dive into the data that car infotainment systems have on you, and how looser privacy standards are making it a treasure chest of data for law enforcement to solve crimes. [NBC News]

Motherboard compiled a fantastic list of cybersecurity stories that they wished “we had reported and written ourselves” in 2020. [Motherboard]

The past fortnight in data breaches, leaks, and ransomware: American Express, Apex Laboratory, Ho Mobile, Juspay, Kawasaki, Koei Tecmo, Ledger, Livecoin, Nissan, People’s Energy, T-Mobile, TaskRabbit, The Hospital Group, and Whirlpool.

Data Point

As COVID-19 cases continue to rise, so have the cyberattacks against the healthcare sector, making them the most targeted sector since November 2020. According to Check Point Research, there has been an increase of over 45% in the number of attacks seen against healthcare organizations globally, compared to an average 22% increase in attacks against other industry sectors. Central Europe has been hardest hit in the past two months, with a 145% increase in healthcare-related attacks, followed by East Asia, Latin America, and then the rest of Europe, North America, and South Asia. Overall, an average of 626 attacks was recorded on a weekly basis against healthcare organizations in November 2020, in comparison to 430 in October last year.
