From the recent SolarWinds hack and state-sponsored attacks on COVID-19 vaccine research, to the seemingly endless flow of ransomware attacks and social engineering campaigns causing economic destruction by the boatload, 2020 witnessed more than its fair share of new cyber risk.
While the full appreciation of these (and the countless other) significant cyber-attacks of 2020 is still in its infancy, it’s important to take a deep look back at some of the highest-profile and industry-altering attacks and reflect on the lessons learned.
Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures.
On January 30, a massive exposure of the records of 440,336,852 users belonging to cosmetics mega-firm Estée Lauder was reported by senior security researcher Jeremiah Fowler. While Estée Lauder was quick to restrict access to the database, the time taken to close the gaps left critical data exposed and resulted in the exposure of sensitive user information, payment details and private email correspondence.
According to Fowler, “The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more. A danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised.”
Microsoft suffered a data breach in which up to 250 million records were exposed online. The information, including email addresses, IP addresses and support case details, was held on leaky Elasticsearch servers.
In an official statement posted to the Microsoft company blog on January 22, Microsoft revealed that it had uncovered a series of misconfigured security rules in a database on December 29. While the information in question was from an internal company database used for analytics, apparently not normally accessible to the outside world, the nearly month-long gap between the attack and the patch left customer service records exposed.
According to Microsoft, “As part of standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information. Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices. In some scenarios, the data may have remained unredacted if it met specific conditions.”
Most concerning of all, the server that was compromised “included conversation logs dating as far back as 2005 between Microsoft support personnel and customers from across the world. According to Comparitech, the database wasn’t password-protected.”
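The root cause described above was not an exotic exploit but a database reachable from the internet without authentication. The following is an added example, not code from the original article or from Microsoft, that audits an Elasticsearch node configuration for exactly that pattern: a node bound to a non-loopback address while authentication is disabled. The settings it inspects (network.host, http.port, xpack.security.enabled) are real elasticsearch.yml keys; the two sample configurations are constructed for illustration, and the parser only handles flat top-level "key: value" lines.

```python
"""
Added example (not from the original article): audit an Elasticsearch
node configuration for the exposure pattern behind the Microsoft support
database leak, i.e. reachable from the network with no authentication.

Assumptions: network.host, http.port and xpack.security.enabled are real
elasticsearch.yml settings; the sample configurations are constructed.
"""
from typing import Dict, List

# Constructed sample: bound to every interface with security switched off.
EXPOSED_CONFIG = """\
cluster.name: support-analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: loopback-only binding with authentication enabled.
HARDENED_CONFIG = """\
cluster.name: support-analytics
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values of network.host that keep the node on the local machine only.
LOOPBACK_VALUES = {"127.0.0.1", "localhost", "_local_", "::1"}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines; comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_settings(settings: Dict[str, str]) -> List[str]:
    """Return findings for the settings; an empty list means nothing flagged."""
    findings: List[str] = []
    # Elasticsearch binds to loopback when network.host is not set.
    host = settings.get("network.host", "_local_")
    security = settings.get("xpack.security.enabled")
    bound_publicly = host not in LOOPBACK_VALUES
    security_enabled = security is not None and security.lower() == "true"

    if bound_publicly:
        findings.append(f"network.host={host}: node listens on a non-loopback address")
    if security is None:
        findings.append("xpack.security.enabled is not set explicitly; the default "
                        "depends on the version, so set it to true")
    elif not security_enabled:
        findings.append("xpack.security.enabled=false: REST API accepts requests "
                        "without authentication")
    if bound_publicly and not security_enabled:
        findings.append("CRITICAL: remotely reachable AND unauthenticated; every "
                        "index is readable by anyone who can reach the port")
    return findings


def audit_config(text: str) -> List[str]:
    """Convenience wrapper: parse raw elasticsearch.yml text and audit it."""
    return audit_settings(parse_settings(text))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run against the constructed samples, the exposed configuration produces three findings (public binding, security off, and the combined critical result) while the hardened one produces none. The combined check matters: either weakness alone is survivable, but together they reproduce the unauthenticated, internet-facing server the article describes.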
Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online.
Seeking to profit from the attack on 44 million Pakistani mobile users, cyber criminals attempted last month to sell a package containing 115 million Pakistani mobile user records for a price of $2.1 million in bitcoin.
Unlike most of the other attacks on this list, the scale and scope of personal data leaked in the event could cause even the most battle-tested IT professionals to voice personal concern.
According to a ZDNet analysis of the leaked information, “the data contained both personally-identifiable and telephony-related information.
This includes the likes of:
- Customer full names
- Home addresses (city, region, street name)
- National identification (CNIC) numbers
- Mobile phone numbers
- Landline numbers
- Dates of subscription
The data included details for both Pakistani home users and local companies alike.”
The data breach is currently under investigation in Pakistan by the Pakistan Telecommunication Authority (PTA) and the Federal Investigation Agency (FIA), which have been investigating the matter since February, when hackers first attempted to sell the entire 115 million-record batch on a hacker forum.
MGM Resorts: A hacker put the records of 142 million MGM guests online for sale.
In February 2020, MGM admitted suffering a significant security breach after a cache of 10.6 million MGM hotel guests’ data was offered as a free download on a hacking forum. While initial estimates assumed a total loss of data for (just) 10.6 million users, these predictions have since been increased to approximately 142 million hotel guests, according to a recent review by ZDNet.
While the cache contains numerous valuable data points, it was notably lacking “Financial information, ID or Social Security numbers, and reservation (hotel stay) details”, according to MGM.
The revision of anticipated data loss was the result of an ad on a hacker forum offering to sell “the details of 142,479,937 MGM hotel guests for a price just over $2,900.”
It is believed that the MGM breach occurred in the summer of 2019, when hackers accessed one of the hotel’s cloud servers and stole vital information on the hotel’s past guests. Much like many of the other major cyber events on this list, companies may have become aware of the devastation in 2020, but the cyber-attacks and the data accessed can be years in the making.
SolarWinds & FireEye
By far the most publicized and potentially impactful hack of the entire year, the FireEye and resulting SolarWinds events dramatically shaped the perception of malware attacks in 2020. The waves of aftershocks centered on these attacks will surely alter cyber risk assessments for years to come.
Starting in the first week of December 2020, the realization of a breach at FireEye set off a frantic chain of events when it was disclosed that suspected state-sponsored hackers had breached their secure network and obtained FireEye’s red team tools. A week later FireEye disclosed that its hack was the result of an attack of enormous magnitude on the supply chain of SolarWinds.
“FireEye dubbed the backdoor campaign ‘UNC2452’ and said it allowed threat actors to gain access to numerous government and enterprise networks across the globe.” According to a joint statement from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence, the SolarWinds attacks are ongoing. The FBI and CISA believe that the Orion supply chain compromise is not the only infection vector leveraged by the APT actor.
According to official statements from SolarWinds, “We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted and manually executed attack, as opposed to a broad, system-wide attack.”
What have we learned?
From hotel chains and mobile service carriers to software vendors for governments and even cosmetics companies, 2020 has shown that no sector, business or individual is safe from cyber-attack. While these are just a few of the countless major cyber events perpetrated in 2020, we feel they are reflective of the broader trends of malware and cyber risk from the past year.
From ransomware and social engineering campaigns that have targeted businesses of all sizes to vastly sophisticated hacker networks intent on compromising international governments and major corporations, the significant cyber-attacks of 2020 reflect the broader trends in cyber risk, and lay the foundation for a future ripe with malware threats, state-sponsored cyber terrorism and non-aligned malicious networks of hackers, all bent on compromising secure data and personal privacy.