The year's biggest cyber security stories

Bears, scares and ransomware

An update to our roundup which was originally published at the start of November as A whistlestop tour of the year's biggest cyber security stories.

Well, what a year it's been. 2020 kicked off as it meant to go on, with news emerging from China of a new virus which lead to a swiftly imposed lockdown in the city of Wuhan. Looks grim, we thought, but it will probably peter out like previous viruses before it. How wrong we were.

Here's a look back at the last 12 months as covered under Computing's Security tag.

January

Travelex's 2020 got off to a bad start, with a ransomware attack on New Years eve. Not that they admitted that, instead choosing the well-trodden deny, distract and cover up route, and failing to notify the ICO in the process.

It then turned out that the company had ignored a warning about insecure Pulse VPN software in September and was in trouble with creditors, after which its fate was seemingly sealed.

What followed was a distinctly Hogarthian tale of dissolution and downfall.

After initial denials, it eventually emerged that Travelex had been struck by Sodinokibi ransomware, a name we got very used to seeing in 2020. Other strains including Maze, Ryuk, REvil and Phobos became almost as familiar as SARS-Cov-2.

During 2020 we were reacquainted with a variety of bears, including Cozy, Fancy, Energetic and Venomous, and TrickBot a banking malware Trojan and botnet kept turning up like a bad penny.

February

February introduced another major theme of 2020 - the war on Chinese tech, in particular Huawei. A presence at the heart of the UK's communications infrastructure for two decades, the Johnson government originally said it was welcome to remain in all but the most sensitive locations, but pressure from the US and backbench MPs led to the first of many U-turns.

Chinese app TikTok was also to come under attack from the US. An opening salvo was fired by Reddit CEO Steve Huffman who called the video-sharing app. 'fundamentally parasitic' and little more than 'spyware'.

Then there was the police's use of facial recognition software, which saw seven people wrongfully detained after it screwed up, prompting questions about its accuracy and capabilities, and indeed whether the police should be using it at all.

Sports retailer Decathlon spilled 123 million records, including unencrypted employee passwords, and this month's ransomware victim was Redcar and Cleveland Borough council whose website and payment systems were out of action for three weeks.

March

March, of course, marked the start of Lockdown I, the furlough scheme and a global race to find a vaccine. And as the world stayed at home, the great scamming game began with numerous attempts to defraud the authorities, trick people into parting with their cash, and with disinformation brokers spreading false stories about Covid-19, including it being linked to 5G.

Hackers also tried to breach research institutes and the WHO.

In March, we ran our first story of the year about an attack on critical infrastructure, this one concerning the European power grid. More were to follow.

Spring had sprung and the bears were out of hibernation. Venomous Bear, or Turla, targeted websites belonging to Armenia, the same Armenia which is now at war with neighbouring Azerbaijan, incidentally.

We also learned that in spite of Microsoft releasing patches to cover some serous vulnerabilities in Exchange Server, eighty-five per cent of instances were still unpatched several weeks later.

Oh and those TrickBot guys were back, this time with a new campaign against telecoms firms. Something tells me that won't be the last we hear of them.

Meanwhile, the pox scars on Travelex's face were becoming harder to cover up with ointment and powder.

April

So what happened in April? Zoom happened that's what. A locked down world desperate to communicate turned to a charismatic hero who'd just ridden into town. But was Zoom to be trusted? Well, no.

Zoom's promises of end-to-end encryption turned out to be so much barroom braggadocio (end-to-end encryption for all would not arrive ‘til October), calls were Zoombombed with porn and racist trolling, and this new friend turned out to be possibly leaking your secrets to Zuckerberg.

Meanwhile, crafty bandits were making big money selling Zoom zero-day exploits on the black market.

Encouraged by the stories that Exchange admins couldn't be bothered to patch their servers, hackers started going after them too, big time.

And while China announced some promising vaccine candidates, state-sponsored hackers linked to Vietnam were accused of trying to steal them.

Ransomware victim of the month? Cognizant, whose Maze susceptibility would cost it up to $70 million that quarter.

May

First to fall to ransomware in the not so merry merry month of May was Pitney Bowes, who must have been particularly irritated since the exact same thing happened seven months earlier. Honda also said its networks had been affected by what was thought to be Snake ransomware.

Hackers were found to be modifying Ragnarok ransomware specifically to go after an SQL injection zero-day in Sophos firewalls.

There were more warnings from intelligence services of attacks on Covid research, and some unusual Madonna memorabilia turned up on the Dark Net.

Airlines were not having the best of years and in May, Easyjet confessed to an attack in January that affected the data of up to 9 million customers.

June

In June, we learned more about TikTok's kleptocratic capabilities, including mining the iPhone's clipboard, and Magecart the prolific ecommerce cyber criminals whose victims include BA was discovered to have found new ways to secrete their credit card skimming malware, concealing a script in favicon images' EXIF data.

Cybervictim of the month? Ironically it was American spy agency the CIA who found itself on the receiving end of what it often dishes out.

The extent of the Covid-related scamming was revealed in a Citizens Advice report which found that one in three Britons had been targeted by scammers since the start of coronavirus crisis.

Reacting to the death of George Floyd in Minnesota, IBM announced that it would no longer be selling facial recognition software, but Amazon's and Microsoft's announcements of a pause in sales to the police left much more in the way of wriggle room.

July

Not exactly security, perhaps, but certainly a story to watch was privacy activist and lawyer Max Schrems' July victory against the US - EU Privacy Shield data transfer mechanism, the one which replaced Safe Harbour, the previous arrangement that the indefatigable Mr Schrems also managed to bring down. ‘Schrems II' is currently being debated in Europe and its final outcome could will have far-reaching implications for data protection.

After months of inactivity, Emotet banking malware suddenly sprang back to life and started installing the TrickBot Trojan on infected Windows computers via a fresh spam campaign targeting people in the UK and USA.

And in the ongoing Huawei tale, the UK government bowed again to US pressure, or saw the light, depending on your point of view, anouncing a speeding up of the vendor's removal, much to the annoyance of telecom operators who fear that ripping out Huawei will be hugely expensive and will delay the high speed internet rollout.

In an operation codenamed Venetic, police forces from several countries managed to infiltrate criminal gangs by breaking the encryption used by EncroChat, a supposedly secure messaging tool. 750 arrests were made in the UK with many more collars felt in France and the Netherlands.

A cyberattack caused an explosion on an Iranian nuclear facility in July, with the finger pointed at Israel.

Cisco Systems released security patches to fix 31 vulnerabilities affecting many of its routers and firewall devices.

First ransomware hit of the month was Garmin which reportedly paid a good proportion of the $10 million sum demanded for the attackers to unlock its systems.

Another was cloud company Blackbaud, whose services are used by numerous UK universities and the National Trust. Blackbaud paid a ransom after being promised stolen data would be destroyed, but said it was all encrypted anyway so there was little danger of compromise.

And Twitter was hacked by a bunch of teenagers who then tweeted from the accounts of Elon Musk, Barack Obama, Joe Biden and Bill Gates.

August

In August it was revealed that globally, cybercriminals make an estimated 19 billion a year from ransomware, which prompted calls to make paying ransoms illegal. UK companies paid £200 million in ransoms in 2019.

Hotel chain Marriott faced a class-action-style lawsuit over a massive 2018 data breach that exposed personally identifiable details of more than 300 million customers.

Trading on the New Zealand Stock Exchange NZX was disrupted after it experienced DDoS attacks over a few days ‘originating abroad'.

Meanwhile, a Tesla employee was offered a one-million dollar bribe to install malware on the car company's systems, according to Elon Musk.

And in August the final chapter of Travelex's sorry saga played out, as parent company Finablr collapsed with a billion dollars worth of debt. Around the same time, 900 passwords for Pulse VPN, whose vulnerabilities were partly resposible for Travelex's demise, were found on a hacker forum.

September

In September, a study by IBM revealed the ransomware problem had been getting significantly worse as the year 2020 had progressed, with cyber crime groups blending ransomware attacks with data theft and extortion.

And just in time for students returning, what happened at two universities in Newcastle? You've guessed it, a ransomware attack. Watchmaker Swatch was another victim.

Meanwhile a leaked Chinese database revealed the country was profiling all sorts of people including the Australian PM, with threat actors from that country also targeting known vulnerabilities in Pulse VPN - the one used by Travelex - as well as F5, Citrix and Microsoft Exchange.

Quick plug: In September we boosted our security portfolio, adding AI Enhanced Security to our existing I&AM and CASB market intelligence reports in Computing Delta.

October

Which brings us to October, and what did the season of mist and mellow fruitfulness have in store for us? More bears and more ransomware of course.

Energetic Bear was found rummaging through local and state networks in the US like so many bins.

Tiring of the pesky bears, the US blacklisted the Triton malware gang, and the EU weighed in with sanctions of its own against GRU bigwigs.

Meanwhile, Microsoft had had enough of TrickBot announcing a major offensive to take down its backend infrastructure.

BA must be mightily relieved that an expected ICO fine of £138 million for the 2018 Magecart breach was reduced to just £20 million because of the pandemic. Marriott also saw its anticipated fine significantly downsized by the regulator.

This month's ransomware victims included Carnival Cruises, Hackney Council, and another IT services company, Sopra Steria, which succumbed to a Ryuk attack. Blackbaud the cloud company attacked in July, revealed that - surprise, surprise - not all the stolen data was encrypted, reversing a previous assurance.

Could Blackbaud be the next Travelex? We wouldn't be at all surprised.

US agencies CISA and the FBI warned that hospitals were under 'imminent threat' of ransomware attack. Many criminal actors had eased off such attacks during the pandemic, but a group called Wizard Spider apparently has no such scruples.

And an old favourite, the ‘war on maths' was rekindled once again as governments demanded back doors to encryption that somehow only the good guys would be able to use. Back to the '90s we go.

November

In November the NCSC, the cyber arm of GCHQ, reported a 20 per cent rise on security incidents year on year, with a quarter of them being Covid-related. GCHQ-proper also announced it was taking action against purveyors of disinformation around vaccines, using techniques previously deployed against ISIL.

With Brexit talks seemingly going nowhere, the UK government trumpeted a new trade deal with Japan, but privacy campaigners feared that dubiously cheaper soy sauce could come at the cost of opening up a channel to funnel personal data to the US via Japan.

And speaking of the US, an election happened there, one that was the "most secure in American history" with no evidence of compromise, according to CISA director Chris Krebs. Krebs added that he expected to be fired by the ex-host of The Apprentice for publicly making this statement, a prophecy that did indeed come to pass.

Ransomware victims this month included toy manufacturer Mattel, laptop maker Compal and Canon.

Least surprising but most read security story of the month: Fraudsters are targeting Christmas shoppers. Those nice chaps in the hoodies? Surely not.

December

In fact, some cyber crims can be positively helpful, at least after the fact. "Change your passwords and update your Windows domain config," ransomware gang DoppelPaymer urged Delaware County in Pennsylvania - after relieving the county of $500,000 in bitcoin, naturally

Criminal gangs aren't the only ones using security flaws to generate income. Increasingly state-backed hackers are operating money-making side scams on top of their everyday espionage activities too, although to be honest the line between state-backed hackers and criminal gangs is fuzzy and getting fuzzier all the time.

IBM warned that threat actors, state-backed or not, were targeting the Covid vaccine supply chain, and cyber intruders managed to access Pfizer-BioNTech vaccine data in an attack on the European Medicines Agency.

VMware urged users of Workspace One Access to patch a zero-day bug originally thought to be relatively harmless but which the NSA later said was being actively exploited by Russian hackers.

And it turned out the bears had been very busy. Cozy Bear was suspected of the theft of hacking tools from security firm FireEye, a major story that quickly grew much bigger after it was revealed that the US Treasury, Commerce Department and likely other organs of the state have been compromised for most of the year by what looked like the same group. The attackers gained entry to these networks via a compromised update to SolarWinds' widely-used Orion network management software. But don't worry, said SolarWinds, ‘fewer than 18,000 customers' have installed the malware-laced update. Consider us un-reassured....