2021/02/11 10:23:41

Overview of high-profile cyber incidents of 2020

If 2019 passed "under the banner" of hacked database servers (Elastic, MS SQL and others), then in 2020 we hardly remembered them. Those leaks were pushed into the background, apart from several major incidents and a new scheme that attackers introduced in 2020: deleting the contents of a discovered database and extorting a ransom for its restoration.

2020 is generally remembered as the year of ransomware of all stripes. The healthcare sector and large and medium-sized businesses were hit especially hard, as attackers monetized "with all their might." Ransomware operators even introduced new blackmail schemes, discussed below.

To maintain information security at the current level, it is necessary to understand the main goals of cybercriminals and, accordingly, their methods. One of the effective ways to gain that understanding has always been to analyze the incidents that have occurred.

In addition to the chronological account, we decided to set apart certain events and attack subtypes in separate sections, since they deserve special attention.


Attacks on the supply chain and contractors

The attack on SolarWinds in the fall of 2020 deserves separate consideration. It is an example of an extremely dangerous supply chain attack. The hacking of the systems of the software maker SolarWinds, the subsequent compromise of the Orion software it distributes and the insertion of the SUPERNOVA backdoor into it all went undetected. The spread of the infected update package across the manufacturer's customer chain led to many unpleasant consequences.

"In particular, the theft from a SolarWinds client, the cyber security company FireEye, of tools that are essentially replicas of hacker tools, which attackers can use not only for research purposes. Orion is also associated with compromise attacks on the US Treasury, the federal judicial system, the Telecommunications and Information Administration, Microsoft, the State Department, California state hospitals, the University of Kent and Malwarebytes," says the Angara group of companies.

Other SolarWinds customers that installed this software could potentially be affected: Intel, Nvidia, Cisco Systems, VMware, Belkin and Deloitte.

"As an expert, I am interested in the attack on SolarWinds," comments Roman Zhukov, director of the Garda Technologiya competence center. "For how many years has the expert community warned about the danger of supply chain and watering hole attacks, that providers of services (and products) need to pay more attention to their own security, and that their customers should not hesitate to ask about the measures they have taken. Remember, the situation was exactly the same with encryptors: before WannaCry and NotPetya appeared, no one paid attention to extortion against home users until the problem reached a corporate and planetary scale. Unfortunately, the SolarWinds story will add to the skepticism toward the service approach and clouds. But evolution cannot be stopped, so the advice will be brief: pay maximum attention to the security mechanisms of the services offered and insist on a clear SLA and fixed areas of responsibility."

A few more examples of this kind of attack in 2020:

  • An infection of Gerrit was found on the OpenDev.org site, which hosts the official OpenStack sources and a number of other Git repositories. After detection, the software was shut down and users were advised to check the commits made in the 2-3 weeks before the moment of detection.
  • Lazarus Group ran an entire campaign in South Korea to install its remote access tools on victims' devices by infecting the legitimate Wizvera VeraPort software, which is designed to protect a Windows device when working with online banking. Installing this software is mandatory under the country's laws, and it is installed from a legitimate but compromised website.
  • One of the large-scale attacks on Israeli companies was carried out in December. Companies involved in importing goods into the country, including food and other socially important goods, were affected. The attack was carried out by compromising the software company Amital and distributing malware through it. Since no ransom demand followed, experts suggest that the main goal of the attack was to disable part of the country's economic activity.
  • At the beginning of the year, the BitBucket site was used to infect more than 500 thousand PCs around the world. The compromised distributions contained the infostealers Vidar, Azorult and Predator, the cryptominer Evasive Monero Miner, the ransomware STOP, the trojan Amadey, IntelRapid and other malware. The bait programs included Adobe Photoshop, Microsoft Office, etc.

"We also see supply chain attacks where there are none of the above-mentioned actions by intruders, but a subsidiary or software provider is compromised and the target company is then infected through it. It is almost impossible to defend against such attacks, and here only tools for detecting anomalies within the corporate network help: SIEM, NTA systems, etc."

The Chinese group APT31 also used legitimate software to distribute its malicious tools. It used fake GitHub links supposedly to download McAfee anti-virus components to users. Distribution took place through phishing e-mail mailings and, thanks to the use of legitimate repositories (GitHub, Dropbox), the phishing was difficult to detect.

In February, Operation Thesaurus (or Rubicon) became public: the US CIA and Germany's BND intercepted secret correspondence from more than 120 countries. The interception was carried out through the Swiss company Crypto AG, a maker of message encryption equipment which, as it turned out, had been owned by the intelligence services since 1970. Crypto AG supplied encryption equipment to the governments of 120 countries (with the exception of Russia and China). The operation was closed in 1993, according to participants on the German side, and the company was liquidated in 2018. However, its equipment is still in use in a number of countries.

Compromising a contractor is one type of supply chain attack. Thus the data leak from the Nitro PDF service led to the sale and publication of data from its client companies, including Google, Apple, Microsoft, Chase and Citibank. And the attack on and compromise of Vietnam's state certification authority resulted in the mass installation of a backdoor on user systems through compromised certificates.

The hacking of the systems of the cloud provider BlackBaud in the fall led to the leak of confidential data of hundreds of the service's customers.

"The personal information of millions of people probably fell into the hands of hackers. The companies using BlackBaud services are mainly medical institutions, universities and colleges, as well as museums and charitable foundations. This incident is a loud alarm bell, reminding us of the responsibility that lies with companies' partners," comments Andrei Arsentiev, head of analytics and special projects at the InfoWatch Group of Companies.

COVID and phishing

It must be said that the coronavirus topic appeared en masse in phishing in January 2020. And after WHO adopted the official name "COVID-19" and declared a "pandemic" in February, the growth of fraudulent sites associated with these names amounted to more than 2 thousand per day!

"All topics were exploited: from 'new treatments' to 'how to get a benefit' or 'what assets to buy in the coronavirus crisis.' There were even variants with steganography, in which the banking trojan IcedID hid. There were especially many messages allegedly from WHO," explained the Angara group of companies.

"Data from F5 Labs researchers recorded a 220% increase in phishing attacks during the 2020 lockdowns above the norm of previous years, with 72% of incidents using TLS encryption, which makes them harder to block."

The graph from the F5 SOC, where hundreds of thousands of phishing sites are analyzed, shows how this activity developed (Fig. 1).

Fig. 1 - Phishing activity development trend according to F5

In March, distribution of the AZORult infostealer began under the guise of an application for monitoring the current state of the pandemic, and distribution of Emotet intensified in phishing letters posing as official notifications about the coronavirus situation. IBM experts discovered a malicious campaign with e-mails sent on behalf of WHO Director General Tedros Adhanom Ghebreyesus with the HawkEye keylogger embedded.

And Sophos experts revealed a similar phishing campaign on behalf of WHO collecting cryptocurrency donations allegedly to fight COVID-19, intended for the COVID-19 Solidarity Response Fund. Toward the end of the month, a campaign distributing the Vidar infostealer under the guise of a WHO application was revealed. The number of DDoS attacks on food delivery services, also with ransom demands, began to grow.

Even the Zeus Sphinx malware (also known as Zloader or Terdot), which had lain low in recent years, resumed activity during the pandemic. Malicious files are distributed under the name "COVID 19 relief" or "COVID 19 Relief."

"Cybercriminals use phishing mailings on the subject of COVID-19 and the mass transition of companies to remote work. A large number of employees connect to organizations' internal networks from their home devices, which are not covered by corporate security. As a result, if an employee's home device is infected with any malware, and this malware has network propagation, credential theft or keylogger functionality (a program for intercepting keyboard input), then the organization has every chance of encountering an information security incident."

From January to April, the administration of the city of Wuhan and the PRC Ministry of Emergency Management were subjected to cyber attacks. The alleged source of the attacks is the Vietnamese cybercrime group APT32 (also known as OceanLotus). The method is traditional: phishing letters on the topic of coronavirus.

The networks of the US Department of Defense were also bombarded with COVID-19 phishing. Industrial enterprises in Azerbaijan were presumably subjected to a phishing attack with documents allegedly related to COVID-19. The purpose of the infection was to deploy the PoetRAT remote access trojan. Cisco Talos researchers suggest that the delivered malware was intended for SCADA systems.

"Due to the pandemic and the transition to remote work, the share of phishing attacks on the subject of COVID-19 has increased. And although the topics of the mailings have changed, they still exploit such human feelings as fear, greed, curiosity, etc.," add the specialists of the UserGate Monitoring and Response Center.

By summer, the number of phishing applications for tracking patients' contacts had increased significantly. The malware's targets are standard: theft of credentials and payment data, attempted theft and withdrawal of funds, then monetization of the transfers through distribution schemes across accounts in different countries and "money mules." For example, the security company Anomali reports detecting at least 12 such applications. Instead of the requested function, the user receives an infostealer for financial and confidential data and accounts.

In turn, applications actually created by government and other services to monitor the coronavirus situation, due to the tight timeframes for their development, carry many critical vulnerabilities, including ones that allow espionage and unauthorized collection of user data.

IoT

Attention to the IoT industry and its potential in connection with the introduction of 5G networks has decreased somewhat. But a number of interesting incidents are still worth mentioning.

In February, the Kr00k vulnerability in Broadcom and Cypress Wi-Fi chips was disclosed. More than a million IoT devices are at risk of attack, including Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry Pi 3, Xiaomi (Redmi), as well as access points from Asus and Huawei. The vulnerability allows an attacker to remotely intercept and decrypt some wireless network packets. Incidentally, a little earlier one of the large botnets abandoned its activity in favor of a new business model and published the credentials of more than 500 thousand servers, home routers and IoT devices. This incident confirms the thesis that any home kettle with built-in Wi-Fi and a simple password will immediately become part of a botnet.

In April, the dark_nexus botnet quickly assembled itself with the help of credential stuffing attacks on routers (Dasan Zhone, D-Link and Asus), DVRs and thermal imaging cameras.

A curious advertising fraud operation, ICEBUCKET, involving smart TVs occurred in the United States. Advertising visits were generated through bots introduced into the devices, imitating real advertising views in volumes of up to 2 million views. The defrauded company suffered major commercial losses.

"Break-ins of kettles, routers, refrigerators and cameras: a massive spike in incidents using such devices has become fertile ground for forming a new direction in IoT protection. However, active discussion and modeling is one thing; the use of real methods and means to avoid such situations is quite another. These incidents partly overlap with the 'beautiful' hacking of PickPoint (for this incident, see below. - Author's note). Only in some cases, as a result of hacking, electronic lockers are opened; in others, data become widely available or are put up for resale. In any case, solving such problems is not only a matter of the absence of certain technical protection tools; here, first of all, a detailed study of the solution architecture and all possible threat models is needed. Part of this study is a detailed analysis of the standards and protocols used in the IoT, excluding in advance the most vulnerable ones in terms of attacks."

Zoom

Against the background of the whole world's sharp shift to remote work in March-April, the popularity of video conferencing software, and Zoom in particular, increased significantly. The service was not ready for such close attention, which attackers immediately used: thousands of videos of confidential Zoom sessions and publications of compromised user accounts began to appear on various open hosting sites.

The Zoom team urgently had to close a dozen critical vulnerabilities, data about which almost immediately appeared on cybercrime forums.

In the fall, Group-IB revealed phishing activity against Zoom users with offers of compensation. The URL, as usual, led to a fake website that stole payment and personal data. Interestingly, the letters were sent not from a fake domain but from the official service: the "Name" and "Last Name" fields were used, and the text about compensation and the malicious URL were entered there.
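A defender's check for the trick described above, added here as an example (it is not code from the original article or from Group-IB): a notification mail that really comes from the service's own domain is still suspicious when its subject or body, where the user-supplied name fields are echoed, carries a link to a host outside the sender's domain. The sender domain and the sample invitation below are constructed.

```python
"""Flag notification mail from a legitimate sender that carries a foreign link.

The campaign above abused the service's own invitation mail: the attacker's
"Name"/"Last Name" fields are echoed into the subject and body, so a message
that genuinely comes from the service can still point at a phishing host.
The check below compares every link's host with the sender's domain.
Sender domain and sample message are constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# http(s) links and bare "www." links, terminated by whitespace or quoting
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)


def _host_of(url: str) -> str:
    """Hostname of a link; bare "www." links get a scheme so urlparse works."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _same_org(host: str, sender_domain: str) -> bool:
    """True when host is the sender's domain or one of its subdomains."""
    return host == sender_domain or host.endswith("." + sender_domain)


def foreign_links(raw_message: bytes) -> list:
    """Return links in the subject or text body whose host lies outside the
    sender's domain, in order of first appearance. Empty list means clean."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    if not sender_domain:
        return []  # no usable sender: nothing to compare against
    text = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += "\n" + body.get_content()
    found = []
    for url in URL_RE.findall(text):
        host = _host_of(url)
        if host and not _same_org(host, sender_domain) and url not in found:
            found.append(url)
    return found


# Constructed sample: a genuine invitation from the service whose
# user-supplied name fields smuggle a compensation lure and a link.
SAMPLE_INVITE = b"""From: Meetings <no-reply@meetings.example>
To: victim@corp.example
Subject: COVID compensation approved http://refund-claim.example.net/pay has invited you to a meeting
Content-Type: text/plain; charset="utf-8"

COVID compensation approved http://refund-claim.example.net/pay has invited you
to a scheduled meeting.

Join: https://meetings.example/j/123456
"""

if __name__ == "__main__":
    # The service's own join link passes; the smuggled one is reported.
    print(foreign_links(SAMPLE_INVITE))
```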

According to Kaspersky Lab, fraudsters actively exploited the popularity of instant messengers and video conferencing services, including Zoom, under the guise of which malicious software was distributed. In 2020, the company detected almost 1.7 million unique malicious files around the world disguised in this way. Most often, these files were downloaders or adware, programs that flood the victim's device with unwanted ads and can also collect personal data for transfer to third parties.

Iran and Israel

The cyber confrontation between Iran and Israel is increasingly becoming a full-fledged cyber war.

"When cyber attacks are used in such cases, the most knowledgeable people involved in building such systems are engaged (not necessarily at the attacked enterprises). Most often they know the weak points and build attacks precisely around them," Nikolai Romanov comments on the current situation. "Attacks on industrial control system (ICS) subsystems have formed a whole direction in the cyber defense industry. The key factor has long been that, for the sake of unification, many elements of these systems began to be built on mass-market platforms (Windows/Linux), whereas previously exclusively specialized and proprietary components were used. In addition, some services have been made accessible from the Internet. And given the mass character of these solutions and the huge number of vulnerabilities in them, the consequences were not long in coming. The concept of environment restriction (most applicable to such systems), as well as network control using industrial protocols, is the minimum program to be guided by when implementing the protected operation of an ICS."

A cyber attack on the uranium enrichment plant in the Iranian city of Natanz led to a fire and an explosion in the underground part of the plant. Responsibility was claimed by the opposition group Cheetahs of the Homeland. The incident was a response to an attempt to disable Israel's water supply system by cyber attack, in which, had it succeeded, the chlorine level, and accordingly the level of danger to citizens, could have increased.

In May, more than a thousand Israeli sites were hit by a defacement attack. The Iranian group Hackers of Savior claimed responsibility, presumably in response to an attack on an Iranian port earlier that month, which did not cause significant outages.

Further, at the end of July, the Iranian hacker group Cyber Avengers attacked the Israeli railway system and the servers that operate 28 railway stations in Jerusalem, Tel Aviv and elsewhere.

In the fall, a large-scale campaign by the hacker group MuddyWater against Israeli organizations was discovered, with the aim of cyber espionage and damage. The campaign used two types of attacks:

  • Sending a malicious PDF or Excel file that installed a loader, which then loaded the PowGoop payload from C&C servers over OpenSSL.
  • Exploiting the Zerologon or Microsoft Exchange CVE-2020-0688 vulnerability, using a modified SSF (Secure Socket Funneling) tool for lateral movement of the same PowGoop.

In December, hackers from Iran again demonstrated access to the ICS of Israeli water supply facilities. According to a published video of the attack, the hackers gained access to a human-machine interface (HMI) that was directly connected to the Internet without authentication or other security mechanisms. Fortunately, the attack ended with the video, and the authentication mechanism was turned on in the system. But for systems of this level of significance, this is a necessary but hardly sufficient protection mechanism.

Security Events in Chronological Order

Pre-quarantine Life - January and February

The beginning of the year had not yet brought the horrors of the pandemic down on the whole world (apart from the local region of China), and cybercrime remained quite traditional.

A mass ransomware attack on celebrities (actors, directors, musicians, pop idols, chefs, etc.) in South Korea via Samsung smartphones, with the threat of releasing personal data. The attackers demanded ransoms from $43 thousand to $860 thousand per victim. Incidentally, 2019 ended with a report about a backdoor from the Chinese company Qihoo 360 in the Device Care function of Samsung phones. These reports did not reduce purchases of Samsung products: in the third quarter of 2020, according to an IDC report, Samsung emerged as the leader in smartphone sales (Fig. 2).

Fig. 2 - Top five smartphone brands for Q3 2020

Interpol's Goldfish Alpha operation was completed, eliminating a network of hacked MikroTik routers that mined cryptocurrency. According to Interpol, the level of cryptojacking in Southeast Asia decreased by 78% as a result of the operation. Incidentally, if you look at the Bitcoin rate (Fig. 3), there was a noticeable surge in the spring (data from the portal cryptocompare.com). There are, of course, many reasons, and the primary one is rather hidden in the quarantine. But the influence of crime-disclosure factors should not be denied.

Fig. 3 - Bitcoin rate during the year

Another major cryptocurrency incident occurred in the United States: a mining operation was uncovered in a large medical company. The malware was distributed through a WAV file and the EternalBlue exploit (for a vulnerability in SMBv1). Cryptocurrency regularly encounters such incidents, so we will not dwell on them further.

Not only careless employees of mobile operators engage in the criminal practice of "leaking" data. In France, in January, a 33-year-old employee of the DGSI (the General Directorate of Internal Security of the French Ministry of the Interior) was charged with illegal trade in confidential data and fake identity cards. During the investigation, it was found that 90% of the information the accused requested in DGSI systems was unrelated to his actual work. Thus, an internal analytics and data access control system helped detect the fraudulent activity.

Major ransomware attacks begin to gain momentum in this period:

  • The REvil (Sodinokibi) ransomware attacked the currency exchange provider Travelex, as a result of which the British banks Lloyds, Barclays, HSBC and Royal Bank of Scotland could not process transactions. Ransom demanded: $6 million.
  • The electronics manufacturer Electronic Warfare Associates (EWA), a contractor for the US Department of Defense, was also attacked, this time by the Ryuk ransomware. In addition to encrypting internal EWA resources, several websites of the group and its subsidiaries were also infected.
  • The Japanese manufacturers NEC and Mitsubishi Electric also suffered massive attacks within a short time. Japanese experts suggest that the sources of the attacks are the Chinese hacker groups Tick and BlackTech, or others.

February began with the release of leaked data of more than a million customers of Russian microfinance organizations (Bystrodengi, Zaymer, eKapusta, Lime and Mikroklad), including passport data. Judging by the structure of the data, security experts suggest that the leak occurred at the companies' partners.

In the same month, there were several other major leaks: Alfa-Credit, more than 40 thousand records; Estee Lauder, more than 440 million customer records and technical information about the company.

A powerful phishing campaign that downloads and installs a banking trojan hit Android users. The APK file is disguised as an invoice, and the request to install it and grant permissions looks like an offer to the user to "enable Google Play Protect." The Angara group of companies notes that the trojan actually looks for banking and retail applications and replaces their login windows with phishing ones in order to steal credentials. In addition, the malware can take screenshots, log keystrokes, turn on sound recording, make calls and send SMS, has an encryption module, can receive commands through Telegram and Twitter, and can install and run VNC; that is, it can gain full control over the device.

In the state of Florida, the prosecutor's office had to suspend and drop 11 cases of trafficking in prohibited substances due to the destruction of the evidence base (photo and video) by the Ryuk ransomware. The ransom demanded was $300 thousand, which the city administration refused to pay.

Spring

"There were more attacks, and they became technically easier, because companies simply had to expose their entire IT estate to the outside. And it would be a 'sin not to take advantage.' If inside the company the data were at least somehow protected, then employees at home have no significant means of protection at all."

Despite an open statement by hackers about "non-aggression against medical organizations" in these exceptional times, attacks on the health sector began immediately:

  • Several cyber attacks were recorded on virologists of the N.F. Gamaleya National Research Center for Epidemiology and Microbiology, who were developing the vaccine.
  • At the beginning of the month, the largest medical laboratory in the Czech Republic, in Brno, was attacked. All IT systems went down; patients were sent to other clinics and operations were postponed.
  • DDoS attacks on the networks of the US Department of Health and Human Services and on the European hospital network Assistance publique - Hôpitaux de Paris (AP-HP) in Paris; the latter was successfully repelled, and the hospitals' IT infrastructure was not affected.
  • Operators of the Maze ransomware attacked Hammersmith Medicines Research (HMR), which was to conduct trials of a possible COVID-19 vaccine. As a result of the attack, the personal data of thousands of former patients leaked onto the network.
  • A California biotechnology company researching drugs for coronavirus infection (COVID-19), as well as about 10 other US medical organizations, were attacked by the REvil group and its ransomware.

"Attacks on medical institutions have long occupied their niche in the lists of incidents," said Nikolai Romanov. "For some time, the purpose of such attacks was to demonstrate the insecurity of information systems in hospitals, and in part this could be considered a 'good intention.' Now, in most cases, such attacks have become similar to the same activity against banks and commercial enterprises, with the focus on obtaining direct benefit. As for attacks on research centers, they clearly relate to cyber espionage. And given the special significance of the data that attackers are trying to obtain, neglect of modern principles of building protection leads to very serious consequences."

"Despite the enormous burden on the global healthcare system, we have all witnessed attacks on hospitals and medical centers by various hacker groups. Unfortunately, not everyone is humane, and these attacks have resulted in civilian casualties and harm to health. As a rule, such attacks are carried out using phishing letters that launch malware and give access to the IT infrastructure. Under constant physical and moral stress, the attention of medical center employees is blunted, and this contributed to gaps in IT security. Installing high-quality security tools and training employees in anti-phishing would help strengthen cyber protection."

"The organizers of complex attacks think strategically and may not be limited to one area of activity. All companies involved in the development and implementation of the vaccine should be as ready as possible to repel cyber attacks," comments Seongsu Park, Kaspersky Lab cybersecurity expert in the Asian region.

"The unprecedented, instant transition to remote operations initially accelerated the move to a digital environment in almost all companies. Staff and partners started working from anywhere, forcing organizations to switch to technologies that can deliver services when needed. These factors significantly increased the risk surface. Therefore, ensuring secure access to applications and systems from anywhere has become a top priority for all organizations. In this regard, organizations began to shift the cyber security technologies they use from 'perimeter defense' to 'protection of access to applications and systems'," explains Orhan Yildirim, COO of Krontech.

This could not but lead to an increase in major information leaks. These included, for example, the leak of the complete database of the customs service of the Russian Federation for 2012-2019, which includes all declarations and information about goods and participants in foreign economic activity; a leak at the US Census Bureau of 200 million records of personal data of residents of the country; and a leak in April at the Marriott hotel chain of data on more than 5 million guests. Lockheed Martin, SpaceX, Tesla and Boeing had sensitive military-industrial data leaked through a successful attack by the DoppelPaymer ransomware on their industrial contractor Visser Precision. The companies refused to pay the ransom, and their internal documents were published online. The Italian bank Monte dei Paschi di Siena suffered a hack of its employees' mailboxes, which is fraught with a BEC (business e-mail compromise) attack, including on the bank's customers, one of the most difficult to detect and most financially damaging cyber attacks.

"The main problem with BEC attacks is that they contain neither malware nor dangerous links to phishing pages. The attack relies exclusively on knowledge of the context of business correspondence, as well as on certain tricks used to mislead the victim. And it is almost impossible to solve this problem by technical methods alone; serious work with staff is required (especially with those who are able to directly make decisions on money transactions)," said Nikolai Romanov.

"Interestingly, the state's administration was able to assess the preliminary damage from the cyber attack at about $7 million. Incidentally, this is still a rare case where the company can assess the losses caused by an incident," adds Andrei Arsentiev, head of analytics and special projects at the InfoWatch Group of Companies. "The municipal authorities will direct another $5 million to strengthening cyber defense systems. If the leaders of the territorial entity had taken care of improving information security by introducing a more effective access control system, motivating employees to use complex passwords and change them regularly, and correctly configuring DLP, then the problems could have been avoided, or at least the damage from the attack minimized by detecting the intruders' penetration at an early stage."

In March, a cyber attack hit the European Network of Transmission System Operators for Electricity (ENTSO-E). Critical power management systems were not affected by the incident, but the attack affected the office infrastructure, which is not connected to the TSO segment (the electricity operators' network).

By opening a phishing letter carrying Emotet and thereby handing his credentials to the attackers, an employee of a large unnamed organization "took down" the company's entire computer network. Using the valid credentials, the malware spread through the network and caused malfunctions on Windows hosts: increased CPU load, overheating and hangs, and loss of Internet connectivity. At the same time, Emotet evaded detection by antivirus solutions through regular updates from a C&C server controlled by the attackers. The infection was eliminated only with the joint efforts of Microsoft experts.

GitHub suffered from the Sawfish phishing campaign with malicious landing pages that stole users' credentials for the service. Repository contents were downloaded from compromised accounts. In the central Russian region, against the background of quarantine measures, fraudulent schemes appeared for obtaining exit permits during the quarantine period, through which personal and payment data were lured from victims.

Examples of ransomware attacks in this period: Ragnar Locker encrypted the IT systems of the Portuguese multinational energy giant Energias de Portugal (EDP) and demanded a ransom of $11 million; Cognizant Corporation suffered from the Maze ransomware. In May, the British electric power company Elexon was attacked by ransomware. Company experts suggest that the ransomware got into the IT systems through a vulnerability in an outdated version of the Pulse Secure SSL VPN server and affected only the company's internal office networks. The world's largest supplier of technologies and devices for non-cash payments, Diebold Nixdorf, also suffered from an attack by the ProLock ransomware. The ransom was a six-figure sum, which the company decided not to pay. The courier company Pitney Bowes and the Costa Rican state bank Banco de Costa Rica were infected with the Maze ransomware.

It should be noted that in the spring of 2020 a new monetization method took shape among cybercriminals: stolen data for which no ransom was received is put up for auction on an operator-controlled forum or website. REvil began this practice, and it was picked up by Maze, Egregor, Clop, DoppelPaymer, Nefilim, Netwalker, Cl0ud SecuritY and others. In addition to publication or destruction of the data, the threats to victims were extended with a new danger: notifying the local data protection regulator (under GDPR) of the leak, which entails quite serious fines. The reorientation of the attackers themselves towards rapid monetization is also noted by Roman Zhukov, director of the Garda Technologiya competence center.

"Now we see thousands of ransomware variants with names such as Ryuk, Dreamon, Ragnar Locker, Crysis, RansomEXX, Clop, Netwalker, WastedLocker, Egregor, Netwalker, Nefilim, CryptoMix, Sodinokibi, SymmyWare and DoppelPaymer. Like any other business enterprise, ransomware has evolved from its early versions into a full-fledged product that is packaged and available at a certain price to everyone, as a Ransomware-as-a-Service offering."

May was remembered for the publication of several major leaks: LiveJournal (the 2014 leak had apparently already ceased to turn a profit), WeLeakData.com, SDEK, the mobile application Wishbone, the British budget airline EasyJet, the source code of the automobile company Daimler AG, of the Microsoft Xbox console and of Windows NT 3.5, Mitsubishi Electric Corp., and a leak of customer data from the Japanese telecommunications company NTT Communications. There was also the publication of 169 letters of confidential correspondence of Donald Trump, stolen earlier from the databases of the New York law firm Grubman Shire Meiselas & Sacks.

Critical infrastructure in Germany, more precisely electricity and water companies, was attacked by the Berserk Bear group, including through targeted attacks using specially developed software.

Mass compromises of online store software were confirmed, aimed at embedding a malicious script that steals customers' payment card data. The hacks exploited a vulnerability in the Magento Mass Import plugin.

The return of the ComRAT malware (APT group Turla) was recorded, along with several attacks using it: on two foreign ministries in Eastern Europe and on the parliament of one of the Caucasus countries.

Summer

The election race in the United States began and was immediately marked by cyber attacks on both competing presidential candidates: Donald Trump (by the Iranian group APT35) and Joe Biden (by the Chinese group APT31). And already on July 20, the US Congress introduced a bill providing economic measures against foreign hackers, and their employers, who try to steal coronavirus vaccine data: blocking of property and a ban on entry into the United States.

USBCulprit came to light: a USB tool for stealing data from physically isolated PCs, developed by the Chinese group Cycldek, aka Goblin Panda or Conimes. So did a widespread web skimmer, presumably from Magecart Group 9, embedded in the EXIF metadata of favicons.
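The two skimmer cases above (script injection into Magento stores, and a skimmer whose payload hides in favicon metadata) share one defensive answer: keep a baseline of every script a checkout page loads and alert on anything new. The following is an added example written for this article, not code from any of the vendors or groups mentioned; the HTML pages, the `example.test` domain and the loader markers are constructed for illustration. It inventories external script origins and hashes inline scripts, diffs the current page against the baseline, and separately flags inline scripts that decode or evaluate a payload or touch an image file, which is the shape the favicon trick takes on the page.

```python
# Added example (not from the article): script-inventory baseline for a checkout page.
# Magecart-style skimmers show up as a new external script origin, a new inline
# script, or an inline loader that pulls its payload from an image file.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script origins and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = set()   # host[:port] of every <script src=...>
        self.inline = []        # raw bodies of every inline <script>
        self._buf = None        # accumulates the body of the current inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(urlparse(src).netloc or "(same-origin)")
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def script_inventory(html):
    """Return {'external': [origins], 'inline': [sha256 of each inline script]}."""
    c = _ScriptCollector()
    c.feed(html)
    c.close()
    return {
        "external": sorted(c.external),
        "inline": sorted(hashlib.sha256(s.strip().encode()).hexdigest() for s in c.inline),
    }


def new_scripts(baseline, current):
    """Anything present in the current inventory but absent from the baseline."""
    return {
        "external": sorted(set(current["external"]) - set(baseline["external"])),
        "inline": sorted(set(current["inline"]) - set(baseline["inline"])),
    }


# Heuristic markers worth a manual look: dynamic evaluation, decoded payloads,
# and scripts that read an image or icon (the favicon-EXIF trick described above).
LOADER_MARKERS = ("eval(", "atob(", "fromcharcode(", ".ico", ".png", ".jpg")


def suspicious_inline(html):
    """Return the inline scripts that contain any of LOADER_MARKERS."""
    c = _ScriptCollector()
    c.feed(html)
    return [s for s in c.inline if any(m in s.lower() for m in LOADER_MARKERS)]


# Constructed sample pages; example.test is a placeholder domain. The base64 string
# in the injected script decodes to the harmless console.log(1).
BASELINE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script>window.shopConfig = {currency: "EUR"};</script>
</body></html>"""

CURRENT_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script>window.shopConfig = {currency: "EUR"};</script>
<script src="https://static.example.test/lib.js"></script>
<script>eval(atob("Y29uc29sZS5sb2coMSk="));</script>
</body></html>"""


def check_page(baseline_html, current_html):
    """One-call audit: scripts missing from the baseline plus heuristic hits."""
    delta = new_scripts(script_inventory(baseline_html), script_inventory(current_html))
    delta["heuristic_hits"] = len(suspicious_inline(current_html))
    return delta


if __name__ == "__main__":
    print(check_page(BASELINE_HTML, CURRENT_HTML))
```

Run against a saved copy of the checkout page on every deploy and on a schedule; a new external origin or a new inline hash is the signal, and the heuristic list only prioritizes which new script to read first, since legitimate code also uses `atob` and image URLs.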

Among the leaks: client and accounting data of LLC Medical and Legal Company, operating under the ПризываНет.ру brand; data on about 5 million students and employees of Skyeng; a leak of 22 million clients from the Israeli website Promo.com; and the databases of the following services: Appen.com, Chatbooks.com, Dave.com, Drizly.com, GGumim.co.kr, Hurb.com, Mathway.com, Promo.com, Swvl.com, TrueFire.com, Wattpad, Havenly, Indaba Music, Ivoy, Proctoru, Rewards1, Scentbird and Vakinha. In August a stolen archive of Intel technical materials was published; according to the company itself, the leak was the work of an insider with access to the Intel Resource and Design Center. Also in August, the passport data of Russians taking part in electronic voting, more than 1 million records, was stolen and put up for sale, as was information about roughly 1 million Moscow motorists.

The operators of the DoppelPaymer ransomware hacked into the network of Digital Management Inc., a NASA IT contractor. Later came an attack by the Sodinokibi (REvil) ransomware on the Brazilian electric power company Light S.A. The victims of Maze in August were LG, Xerox and Canon. Their data was stolen but not encrypted; the companies refused to pay the ransom, and the data were made public.

"This spurred hackers to ask for ever larger ransoms. And they are already asking for several tens of millions of dollars. Well, thanks to the weak regulatory framework around cryptocurrency, you can pay the ransom to criminals anonymously," adds Denis Batrankov, information security consultant at Palo Alto Networks.

Literally following the attack on Garmin, there was an attack on Carlson Wagonlit Travel (CWT), a business travel management company. The company also decided to pay the required ransom of $4.5 million. Even the cybercrime group Lazarus, known more for commercial and military espionage, created its own ransomware, VHD, at the beginning of the year.

Fall

In the fall, many government-level cyber espionage campaigns came to light: the hacking of British Foreign Office computer systems and the theft of classified documents about activities in Syria, a cyber espionage campaign against the Indian armed forces, and the XDSpy campaign against Eastern Europe and the Balkan Peninsula, which had allegedly been operating since 2011.

The watch manufacturer Swatch Group and the eyewear manufacturer Luxottica, owner of the Ray-Ban brand, suffered ransomware attacks. The companies were forced to temporarily shut down their IT systems or production in one form or another. 13 Washington government agencies were affected by the Trickbot and Emotet malware. The private medical company Universal Health Services (UHS) also suffered an attack (presumably by the Ryuk ransomware). Software AG was attacked by the Clop ransomware. The ransom demanded, $20 million, is a huge amount even by the standards of ransomware history.

In early autumn, the Zerologon vulnerability in the Netlogon service and BLESA (Bluetooth Low Energy Spoofing Attack) were announced. Since October there has been mass exploitation of Zerologon, including:

  • Attacks by the Iranian cyber espionage group MuddyWater. Typical targets are telecommunications companies, government IT services and representatives of the oil industry in the Middle East and Asia.
  • Microsoft and the FBI warned of active exploitation of the Zerologon vulnerability by APT groups. These attacks additionally use a VPN vulnerability (CVE-2018-13379), infected software updates and the execution of malicious scripts through Windows Script Host (wscript.exe).

In September, several new botnets were discovered:

  • Ttint, built from Tenda devices, with full control of the bot devices and, among other things, modification of DNS settings on infected devices, which lays the ground for phishing attacks.
  • HEH, which brute-forces IoT and *NIX devices with factory credentials on ports 23 and 2323 across the open Internet; its main action is "brushing" the device and taking complete control of it.
  • KashmirBlack: sites running the CMS WordPress, Joomla, Magento and Drupal were hacked and assembled into a botnet. The botnet's main goals are disabling IT systems, defacing web resources, cryptocurrency mining and fraud. Presumably up to a million attacks per day.

In both summer and autumn, attacks on health systems continued:

  • An attack on the University of California, San Francisco (UCSF), which is developing a vaccine for COVID-19. The university's IT systems were hit by ransomware, presumably Netwalker.
  • The ransomware affected the provider of medical software eResearchTechnology and indirectly affected IQVIA and AstraZeneca (development of a vaccine against COVID-19), the pharmaceutical company Bristol Myers Squibb.

Ransomware attacks on more or less large businesses also continued: the largest US bookseller Barnes & Noble, the game makers Ubisoft and Crytek, the Indian pharmaceutical company Dr Reddy's, Montreal's public transport system (RansomExx ransomware), the French IT company Sopra Steria (Ryuk ransomware), the Indian news agency Press Trust of India, the energy company Enel Group, the Japanese gaming giant Capcom, the toy manufacturer Mattel, the web hosting provider Managed.com, the Italian alcoholic beverage manufacturer Campari Group, Brazil's Supreme Court, the American network device manufacturer Belden, the industrial Internet of Things (IIoT) device manufacturer Advantech, the Taiwanese company Compal, whose factories manufacture laptops for Apple, Acer, Lenovo, Dell, Toshiba, HP and Fujitsu, the French telecommunications company Banijay Group, and the Brazilian aircraft manufacturer Embraer. In November, a ransomware attack accompanied by a major leak of confidential data hit Manchester United football club, causing a strongly negative reaction among investors. The hackers demanded a ransom of several million pounds. Even the Vatican was repeatedly subjected to cyber espionage attacks in 2020.

Extortion backed by DDoS threats appeared: the British currency exchange company Travelex received a threat of a DDoS attack in the event of non-payment of the ransom. The company refused to pay and was hit by a powerful DDoS storm. The operators of the SunCrypt ransomware began to operate in the same way.

Among the high-profile iCloud episodes was the publication of private intimate photos of four British athletes. And in November the Spotify service was hit by credential stuffing.

An attack using the LinkedIn brand targeted the British drugmaker AstraZeneca. Its employees received mass job offers on LinkedIn from supposed recruiters, containing malicious attachments intended to gain access to data on the PC.

October was remembered for a leak of footage from hacked home CCTV cameras: a video archive of several terabytes of recordings from more than 50 thousand home surveillance cameras, including indoor ones, was put up for sale by attackers. And November was remembered for the leak of the database of the "Russian Railways Bonus" loyalty program.

In October, Microsoft completed a coordinated operation to disable the Trickbot botnet. Through the courts, the company obtained control over many of the bot command-and-control servers and had them taken offline. Trickbot's operators retaliated: they began to actively use the BazarLoader Trojan, which is hard to detect and easy to deliver; delivery most often occurs through phishing mailings. The BazarBackdoor backdoor, in turn, downloads further malicious components: Cobalt Strike, BloodHound, Lasagne and the Ryuk ransomware.

There are reports that the Maze ransomware operators ceased their activities and most of their staff moved to the Egregor group.

A phishing campaign exploiting the Munich Security Conference and the Think 20 Summit swept through government organizations, politicians, scientists and big business leaders. The purpose of the phishing was to steal confidential data and credentials.

The IT systems of the Canadian city of St. John were heavily attacked. Most public services were disabled for a long period of recovery.

In early December, the PickPoint parcel locker service was attacked. Several thousand lockers opened, along with the orders not yet collected from them. Although about 40,000 orders were at risk, thanks to the prompt response to the incident the company estimates the total losses at no more than 2 million rubles.

December

As the holidays approached, more traditional phishing about gifts, annual bonuses and other traditional topics returned to us. It was even nice to look at after such a non-trivial year.

A curious credential leak occurred through the Yandex search engine's suggestion mechanism. Links to certain documents in the closed IT system of medical institutions were sent to organizations as a table with rows of the form "sz.closed name сайта.ru/sz/ n" plus a login and password pair. Since users most often navigated to these links by typing them into the Yandex search bar, the queries were indexed and ended up in the general search suggestions shown to all users. Opening the resource via the leaked links gave access to confidential information. Yandex specialists fixed the problem some time after its discovery.
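The Yandex case is a general lesson: anything typed into a search box, passed in a URL, or written to a request log may be indexed or retained, so credentials must never travel that way, and existing logs and query streams should be checked for them. The following is an added example for this article, not Yandex's or anyone else's code; the finding codes, parameter-name lists and the `closed-portal.example` host are constructed. It flags the three shapes seen in practice (userinfo in the URL authority, secret query parameters, and a link followed by pasted tokens or a labelled login/password pair) and produces a redacted string that is safe to log.

```python
# Added example (not from the article): flag and redact credentials that travel
# inside URLs or get pasted into a search box together with a link, before such
# strings reach logs, tickets, or a search index.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret", "api_key", "apikey"}
IDENTITY_PARAMS = {"login", "user", "username", "email"}

# Something that looks like a hostname/path, optionally with a scheme.
URL_HEAD = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?::\d+)?(?:/\S*)?$", re.I)
# "login: X password: Y" style pairs, in English or Russian.
LABELLED_PAIR = re.compile(
    r"(?:login|user|логин)\s*[:=]?\s*\S+\s+(?:password|pass|пароль)\s*[:=]?\s*\S+", re.I)


def find_credentials(text):
    """Return a list of finding codes for a URL or search-box string."""
    text = text.strip()
    head, _, tail = text.partition(" ")   # a link, then whatever was pasted after it
    findings = []
    parts = urlsplit(head)
    if parts.username or parts.password:
        findings.append("userinfo")
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            findings.append(f"secret_param:{key}")
        elif key.lower() in IDENTITY_PARAMS:
            findings.append(f"identity_param:{key}")
    if LABELLED_PAIR.search(text):
        findings.append("labelled_pair")
    elif tail and URL_HEAD.match(head):
        # A link followed by extra tokens: the pattern from the medical-portal case.
        findings.append("pasted_tokens")
    return findings


def redact(text):
    """Return the string with userinfo, secret parameters and pasted tokens masked."""
    text = text.strip()
    head, _, tail = text.partition(" ")
    parts = urlsplit(head)
    netloc = parts.netloc
    if parts.username or parts.password:
        host = parts.hostname or ""   # note: lowercases the host and drops IPv6 brackets
        netloc = "***:***@" + host + (f":{parts.port}" if parts.port else "")
    query = [(k, "***" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    cleaned = urlunsplit((parts.scheme, netloc, parts.path, urlencode(query, safe="*"), parts.fragment))
    if tail:
        cleaned += " [REDACTED]"
    return cleaned


# Constructed samples; the .example hosts are placeholders, not real systems.
SAMPLES = [
    "https://closed-portal.example/sz/17 ivanov Qwerty123",
    "https://svc:Pa55w0rd@api.example/v1/items?login=ivanov&token=abc123",
    "https://shop.example/search?q=laptop",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(find_credentials(s), "->", redact(s))
```

The same two functions fit at several points: as a lint on outgoing mail and documents, as a filter in front of a search-suggestion or autocomplete index, and as a scrubber in the web server's access-log pipeline, where the redacted form replaces the raw request line.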

At the end of December, one of the most high-profile incidents of the year occurred: the hacking of SolarWinds systems and the compromise of the Orion software. For this incident and its consequences, see the section "Attacks on the supply chain and contractors" above.

Major ransomware victims in the last month of the year were: the aircraft manufacturer Embraer, the payment card processing company Total System Services (TSYS), the fragrance manufacturer Symrise, the clinic network Hospital Group, the VoIP telephony component manufacturer Sangoma, the Israeli information security company Portnox, and others.

The European Medicines Agency (EMA) was hacked, leaking data on the testing and certification of the Pfizer and BioNTech coronavirus vaccines. In Moscow, there was a leak of data on Muscovites who had contracted the coronavirus, including their residence address, passport numbers and other personal data. The by now traditional leak of data about a new game console concerned the Nintendo Switch.

And finally, on December 31, 2020, we said goodbye to Flash technology. Fond memories, and thanks for the beautiful, if not flawless, interactivity.

Conclusions

Whatever the ultimate destructive effect of a cyber attack, the most common hacker tools that allow it to happen are:

  • phishing with attachments and fraudulent URLs,
  • exploitation of vulnerabilities, not obscure ones but quite "loud" ones, for example Zerologon,
  • poorly configured, low-security services exposed to the network, such as RDP.
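Two of the three entry points listed here, exposed services such as RDP and stolen or guessed credentials, leave the same trace: bursts of failed logins. The same goes for the HEH botnet's telnet sweeps and the credential stuffing against Spotify mentioned earlier. The following is an added example for this article (not from any of the named vendors or their products) that tells those patterns apart from constructed key=value log lines: one account hammered on one host is brute force, many accounts against one service is credential stuffing, and failures spread over many devices on ports 23 and 2323 is an IoT telnet sweep. It counts failures only inside a sliding time window, so slow, spread-out attempts stay below the threshold. The log format, thresholds and the documentation-range addresses are all assumptions.

```python
# Added example (not from the article): classify failed-login bursts per source
# address over constructed, key=value log lines. Three shapes are told apart:
# one account hammered over RDP (brute force), many accounts tried against one
# service (credential stuffing), and a sweep of telnet ports across many devices
# (the HEH-style IoT scanning described above).
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<kv>.+)$")
REQUIRED = {"src", "dst", "port", "user", "result"}
TELNET_PORTS = {23, 2323}
WINDOW_SECONDS = 120   # failures must cluster inside this window
THRESHOLD = 5          # failures in one window before a source is flagged


def parse_line(line):
    """Parse 'TIMESTAMP k=v k=v ...' into a dict, or None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    if not REQUIRED <= ev.keys():
        return None
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["port"] = int(ev["port"])
    return ev


def densest_window(fails):
    """Largest run of failures from one source that fits inside WINDOW_SECONDS."""
    fails = sorted(fails, key=lambda e: e["ts"])
    best, start = [], 0
    for end in range(len(fails)):
        while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > WINDOW_SECONDS:
            start += 1
        if end - start + 1 > len(best):
            best = fails[start:end + 1]
    return best


def classify_source(events):
    """Label one source's events, or return None when nothing crosses THRESHOLD."""
    burst = densest_window([e for e in events if e["result"] == "fail"])
    if len(burst) < THRESHOLD:
        return None
    users = {e["user"] for e in burst}
    targets = {e["dst"] for e in burst}
    ports = {e["port"] for e in burst}
    if ports <= TELNET_PORTS and len(targets) >= 3:
        return "iot_telnet_sweep"
    if len(targets) == 1 and len(users) >= THRESHOLD:
        return "credential_stuffing"
    if len(users) == 1:
        return "brute_force"
    return "failed_login_burst"


def detect(lines):
    """Map each flagged source address to its label."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    result = {}
    for src, evs in by_src.items():
        label = classify_source(evs)
        if label:
            result[src] = label
    return result


# Constructed sample log (documentation-range addresses). The attempts from
# 203.0.113.40 are ten minutes apart and must not be flagged.
SAMPLE_LINES = [
    f"2020-10-03T12:00:{s:02d}Z src=203.0.113.5 dst=198.51.100.10 port=3389 user=administrator result=fail"
    for s in range(0, 60, 10)
] + [
    f"2020-10-03T12:05:{s:02d}Z src=203.0.113.9 dst=198.51.100.20 port=443 user={u} result=fail"
    for s, u in zip(range(0, 60, 10), ["anna", "boris", "carla", "dmitry", "elena", "farid"])
] + [
    f"2020-10-03T12:10:{s:02d}Z src=203.0.113.77 dst=198.51.100.{d} port={p} user=root result=fail"
    for s, d, p in zip(range(0, 60, 10), [31, 32, 33, 34, 35, 36], [23, 2323, 23, 23, 2323, 23])
] + [
    f"2020-10-03T13:{m:02d}:00Z src=203.0.113.40 dst=198.51.100.10 port=3389 user=backup result=fail"
    for m in range(0, 60, 10)
] + [
    "2020-10-03T14:00:00Z src=198.51.100.3 dst=198.51.100.10 port=3389 user=olga result=fail",
    "2020-10-03T14:00:20Z src=198.51.100.3 dst=198.51.100.10 port=3389 user=olga result=success",
]

if __name__ == "__main__":
    for src, label in sorted(detect(SAMPLE_LINES).items()):
        print(src, label)
```

The labels map to different responses: a brute-force source on 3389 is a reason to take RDP off the Internet (or behind a VPN with strong authentication), credential stuffing points at leaked customer passwords and calls for MFA and rate limiting, and a telnet sweep reaching your address space means every device still answering on 23 or 2323 with factory credentials will be taken.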

"For each of these attack methods there are whole classes of protective tools and measures that minimize the risks of infection and complete compromise of the network," comments Denis Kuvshinov, PT Expert Security Center. "Such tools include network sandboxes, SIEM systems, NTA solutions, EDR, etc. Organizational measures include the use of various information security policies, employee training, penetration testing, regular scanning of the IT infrastructure for vulnerabilities, inventory of the organization's external perimeter, etc."

"In this case, even if the data is successfully leaked and its publication is threatened, the information will be a 'porridge' of bytes from which company secrets cannot be extracted without decryption."

"Stopping the main attack vectors is important. No matter how sophisticated the ransomware's code is, the infection must still penetrate your systems. This is done in three main ways: through phishing, one of the most common methods of hacking organizations; by obtaining unauthorized access to systems through guessing or stealing credentials; and by using known vulnerabilities through which an attacker can download a ransomware program," believes Alexander Serebryakov.

His recommendations to information security experts are as follows:

  • Examine and compile a list of potential attack targets.
  • Decrypt all traffic entering and leaving the company and use solutions to analyze it (for example, SSL Offload).
  • Use strong authentication.
  • Always keep an eye on updates and critical vulnerabilities.

"2020 has taught us a lot from the point of view of responsible use of technologies. Users had never used remote collaboration tools so actively before; they were not sufficiently aware of online threats and as a result were vulnerable. The same can be said of companies, for which the transition to remote operation took place in a hurry: many of them primarily wanted to get the infrastructure working, and its security was a secondary task. They had to learn from their own mistakes: assessing the real risks, business representatives realized the importance of reliable protective solutions, as well as the need to raise cyber literacy," comments Dmitry Galov, Kaspersky Lab cybersecurity expert.

Kaspersky Lab also recommends that organizations adhere to the following cybersecurity measures:

  • Make sure employees know who to turn to if they have problems with IT or cybersecurity. Pay special attention to those who have to work with personal devices: they need special security recommendations and appropriate policies.
  • Conduct training for employees to improve their digital literacy. This will teach them how to manage accounts and passwords, and how to safely use email and end devices.
  • Take key measures to protect enterprise data and devices, including setting passwords, encrypting work devices, and backing up data.
  • Ensure that devices, software, applications, and services are updated regularly.
  • Install proven security software on all end devices, including mobile devices. This will also ensure that only approved online services are used for business purposes.

"In recent years, many privacy laws have entered into force in different regions of the world, and data protection laws have become more mature. Compliance with data protection laws cannot be achieved with a single tool or application; it requires a holistic approach that involves changing business processes, adopting new tools and technologies, providing internal training, new roles and responsibilities in organizations, and more. This complexity means higher risks of non-compliance for organizations, and in addition, as consumers and customers become more concerned about how and why their personal data is processed, the economic impact of data breaches becomes even greater."

Author: Anna Mikhailova