2020: A Year In Review

What can be said about 2020 that has not already been said? Insert your choice of meme about how 2020 has treated you, how 2021 will be better, or how you cannot wait for it to be over. 2020 has been a challenging year, with over 1.6 million deaths worldwide. Countless people have lost their jobs, many more millions have been hospitalized and are recovering from the worst global pandemic in a generation, and economies were decimated. In the worst of times, the world has also seen the best in people: stories of frontline workers giving more than anyone expected of them to keep the planet healthy and the economy going.

Beyond the global pandemic, we saw significant headlines and milestones in 2020, including:

  • Australian brushfires
  • The assassination of Iranian General Qasem Soleimani
  • Brexit
  • Kansas City Chiefs win the Super Bowl (defeating my San Francisco 49ers)
  • Prince Harry and Meghan Markle leaving the royal family
  • The impeachment of a sitting US president
  • First foreign film to win the best picture at the Oscars
  • The worst stock market crash since the Great Recession
  • Civil unrest due to racial tensions in the US
  • The worst hack in Twitter's history
  • Tiger King
  • The greatest stock market rally and the Dow Jones hitting 30,000
  • Beirut explosion
  • California wildfires
  • The election of the first minority and female vice president in the US
  • Operation Warp Speed developing a vaccine for COVID-19 in 10 months, a process typically taking ten years or more

In 2020, we said goodbye to far too many people taken too soon. Most notably:

  • My uncle Marty
  • A good friend's mother (From COVID)
  • Kobe Bryant
  • Regis Philbin
  • Grant Imahara
  • Chadwick Boseman
  • Ruth Bader Ginsburg
  • Eddie Van Halen
  • Alex Trebek
  • Sean Connery

2020 has fundamentally changed both the real world and the cyber world. At the time of writing, my son has lived more than a third of his life in lockdown. In the world he knows, people always wear a mask and stay at least 6 feet away from one another. Terms like "social distancing," "new normal," and "mask mandate" only entered our lexicon ten months ago but have become everyday language.

On the cyber front, millions of workers faced an unprecedented and immediate shift from working in an office to working from home almost overnight. Mandatory shutdown orders prohibited gatherings of any type to slow the spread of COVID-19. Coffee left in cups in offices worldwide is turning into moldy science experiments, as it cannot be touched or moved until workers are allowed to return. The overnight shift to working from home amid a global pandemic opened the doors for malicious actors to take advantage of the panic, pandemonium, and rapidly changing environment.

I always open my year-end reviews with what I observed to be on the decline for the year.

What's down in 2020:

Cryptomining Malware

Cryptomining malware saw another year of decline due to the low price of cryptocurrency (for most of the year) and the profitability of other hacking operations, namely ransomware. There is too much money to be made by taking a compromised server and leveraging that into another attack than to let it mine Monero with its CPU cycles. With the price of Bitcoin near its all-time high, 2021 may see a resurgence in cryptomining malware.

Spray-and-Pray Ransomware

Ransomware operators are no longer spraying their malware all over the internet and hoping that someone will pay $300 or even $20,000 to get their files back. Ransomware gangs turned their attention to big-game hunting in 2020 and would not even get out of bed for a payment under $100,000. The decline in spray-and-pray malware is comforting for individuals, who no longer need to fear that their pictures and data will be held for ransom now that most ransomware gangs have moved on to more prominent targets.

Election Hacking at a Massive Scale

The fears of another 2016, where a US presidential candidate had embarrassing e-mails slowly leaked, were mostly unfounded. The US election system took a lesson from 2016 and hardened its defenses for 2020 and ran a relatively smooth election from a cybersecurity perspective. Disinformation, deepfakes, and ransomware attacks on election day did not significantly affect the election outcome. However, the US cannot rest easy. The enemy will never stop thinking of ways to undermine confidence in the electoral system and midterm elections are only two years away.

False Flag Attacks

2020 saw a significant resurgence in attacks where attribution was reasonably straightforward. Ransomware crews pride themselves on their list of victims and their ransom amounts. As previously mentioned, election hacking was not as severe as initially predicted, and a large share of false flag attacks is typically related to election meddling. After the US killed a high-ranking Iranian general responsible for the deaths of thousands of US troops, Iran vowed revenge, including cyberattacks against the US and Israel. 2020 was a year of personal attacks, so there was no need for false flags.

IoT-based Attacks

Botnets made up of millions of compromised IoT devices remained dormant for most of 2020. The internet-crushing DDoS attacks of previous years were nowhere to be seen in 2020. With the global pandemic fully underway and attack crews making huge profits with ransomware, IoT attacks no longer made financial sense. Many IoT botnet families pivoted to acting as delivery mechanisms for ransomware as it became increasingly profitable.

Onto the 2020 year in review...

Remote Access Gone Wild

With the unexpected demand for work-from-home technology due to the global pandemic, many organizations chose the easier path to business continuity rather than the correct path. A common theme observed through this crisis is that getting the workforce back to work often takes precedence over doing it securely. One trend observed through online scanning tools like Shodan is an increase in internet-exposed machines running Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services. Devices exposing RDP increased 41% and exposed VPN ports jumped 33% within the first month of the COVID crisis. With the increase in RDP and VPN services, security researchers also observed a 30% increase in attacker interest in these services, in the form of network scans against the commonly used port numbers. Attackers are particularly interested in these services because organizations often deploy them without the proper security controls.

A security researcher recently discovered that hundreds of organizations are simply exposing their IT helpdesk and bug-tracking software, Jira, to the public internet. This move illustrates how desperate organizations are to continue business operations, with no regard for security. During this exceptional work-from-home era, it is essential to continue business operations while maintaining a strict security posture. The two objectives do not need to be mutually exclusive with cloud-based Zero Trust Network Access (ZTNA) solutions.

Zero-Days in VPNs, Load Balancers, NGFW, Oh My!

I'm cheating a little with this one, as the VPN/edge networking device crisis began in late 2019 and exploded in 2020. To illustrate just how out of hand these zero-days are, the US NSA released the top attack methods Chinese state-sponsored attackers used against US organizations. In order from most frequently abused to least:

  1. Pulse Secure VPN Servers (CVE-2019-11510)
  2. F5 BIG-IP Proxies and Load Balancers (CVE-2020-5902)
  3. Citrix Application Delivery Controller (CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, CVE-2020-8196); count them, FOUR vulnerabilities in Citrix
  4. BlueKeep Remote Desktop Service (CVE-2019-0708)

These networking devices have security patches to close the vulnerabilities, but organizations do not keep up with the latest updates and pay a dire price for it. Even after organizations patch vulnerabilities, there is no way to know whether attackers infiltrated the network before patching. The patches likely give organizations a false sense of security while attackers are already inside the network mapping out their targets.

COVID Phishing Lures and Scams

Winston Churchill coined the phrase "Never let a crisis go to waste," and cyber criminals took those words to heart. The amount of COVID-related phishing lures and scams skyrocketed shortly after the WHO declared a global pandemic. Miscreants wasted no time blasting out e-mails to the unsuspecting public promising insider information, a secret cure, photos of celebrities on their death beds, or snake oil remedies. The COVID lures enticed unsuspecting users to open e-mails, click on malicious links, and open attachments.

With the significant shift to work from home, users also received links to fake pages looking to steal credentials to office collaboration tools such as MS Teams, Zoom, or Office 365. As the criminals upped their phishing game, security researchers had to respond in kind to protect the new mobile workforce.

Big Game Hunting and Double-extortion

As I alluded to in the "what's down" section, sophisticated ransomware crews are no longer running mom-and-pop ransomware operations. Attackers hit huge organizations such as videogame developer Capcom, camera maker Canon, toymaker Mattel, major IT supplier Foxconn, liquor maker Campari, and numerous hospitals with significant ransomware attacks. The attackers demanded millions of dollars for the decryption key. As if getting locked out of critical systems were not enough, ransomware crews also stole sensitive data before encrypting it. The crews could then demand another payment, or charge more, in exchange for a promise to delete the stolen data. If an organization refused to pay the ransom and attempted to recover its systems from backup, the attackers published the sensitive or embarrassing data on a leak website.

In many cases, organizations paid the ransom even if they had backups to prevent the publishing of the stolen data. Surprising absolutely no one, a report recently stated that ransomware gangs who promise to delete data upon ransom payment are instead keeping a copy of the data.

The global pandemic only added fuel to the fire of ransomware crews by making infiltrating organizations even easier. COVID-themed phishing lures, unsecured RDP servers, vulnerable VPN devices, and lax remote-access security allowed attackers comfortable entry into many corporate networks. They even spawned an entire industry of initial access brokers.

The difference in ransomware for 2020 is that ransomware crews are much more patient in selecting their target and preparing for the attack than in previous campaigns. Whereas before the spray-and-pray method would occasionally net a few hundred dollars of Bitcoin, attacks utilizing persistence could achieve ransom payments in the eight-figure range.

The scourge of ransomware has gotten so bad that the US Treasury Department warned potential victim organizations that paying the ransom to any sanctioned group would result in severe penalties. The hope is to cut off the financial motivation for these attacks if organizations can no longer legally pay the ransom.

Business E-mail Compromise

The confusion and "fog of war" created by the sudden shift to work from home left many organizations vulnerable to business e-mail compromise (BEC) scams. Attackers first gain access to an organization's e-mail system by phishing users or by password spraying weak passwords until an account gives way. Once inside, attackers wait for a moment when a large wire transfer would be routine, such as paying a vendor or placing a large deposit on real estate. They then spoof an e-mail from the legitimate sender and provide a bank account number controlled by the attackers.

The business e-mail compromise scam was the unfortunate case for a Philadelphia-based hunger-relief charity that sent almost $1 million to attackers, believing it was paying a construction vendor. Not working in an office makes it increasingly difficult to communicate, especially at the pace everyone is now expected to maintain. People will make mistakes, and some of them can be quite costly. BEC scams involving ventilators for hospitals or PPE remain prevalent, and picking up the phone to verify banking information should be standard practice.
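One defender-side check for the scam described above, added here as an illustration and not part of the original article: it parses a handful of constructed messages and flags any request to change bank or wire details whose sender domain is a near-miss of the verified vendor domain, or whose Reply-To points somewhere else, while still routing a clean-looking change request to a phone call. The vendor list, domains and messages are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: vendors whose payment domain was verified out of band (assumption).
KNOWN_VENDORS = {"Acme Construction": "acme-construction.com"}

# Wording that usually accompanies a request to redirect a payment.
PAYMENT_CHANGE = re.compile(
    r"(new|updated|changed)\s+(bank|account|wire|routing)"
    r"|(bank|account)\s+(details|information)\s+(have|has)\s+changed", re.IGNORECASE)

def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, deleted or replaced character."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if len(a) > len(b):
            i += 1               # extra character in a
        elif len(b) > len(a):
            j += 1               # extra character in b
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def assess(raw):
    """Classify one message: 'ok', 'verify-by-phone' or 'likely-bec', with reasons."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    reasons = []
    legit = KNOWN_VENDORS.get(display.strip())
    if legit and from_domain != legit:
        kind = "lookalike" if within_one_edit(from_domain, legit) else "unrelated"
        reasons.append(f"{kind} sender domain {from_domain!r}; vendor uses {legit!r}")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    asks_change = bool(PAYMENT_CHANGE.search(msg.get_payload()))
    if not asks_change:
        verdict = "ok"               # header quirks alone are not a payment fraud
    elif reasons:
        verdict = "likely-bec"       # payment redirect plus a sender anomaly
    else:
        verdict = "verify-by-phone"  # clean headers: still confirm on a known number
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike": "From: Acme Construction <ap@acme-construction.co>\n\n"
                 "Our bank details have changed for invoice 4471; new account below.",
    "reply_to": "From: Acme Construction <ap@acme-construction.com>\n"
                "Reply-To: ap-acme@webmail.invalid\n\nPlease use the updated wire instructions attached.",
    "honest_change": "From: Acme Construction <ap@acme-construction.com>\n\n"
                     "Our account information has changed; call us to confirm.",
    "benign": "From: Acme Construction <ap@acme-construction.com>\n\nAttached is invoice 4471, due in 30 days.",
}
```

Running `assess` over each entry of `SAMPLES` yields `likely-bec` for the lookalike and Reply-To cases, `verify-by-phone` for the honest change and `ok` for the plain invoice.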

Photo Credit: US FBI

Zoombombing

While not overtly damaging, Zoombombing has a good shot at becoming Webster's word of the year for 2020. The sudden shift from in-office meetings to virtual Zoom meetings meant that hundreds of millions of users were now on a platform not designed to scale that far. Lax security controls in the platform allowed attackers to randomly guess the 9-digit meeting number and infiltrate confidential corporate gatherings, 6th-grade science classes, and even government policy meetings. In an attempt to gain clout on social media, policymakers, teachers, and workers posted screenshots of their Zoom calls online and made the attackers' job even easier. The Zoombomb itself occurs when an uninvited guest shares explicit or obscene material during a Zoom meeting.

Despite the numerous security controls Zoom put in place for their platform after their rise in popularity, my child's school still suffered a Zoombombing due to weak and easily-guessable credentials. It's not always Zoom's fault, but it was for the first few months of the pandemic.

Photo Credit: The Windows Club

Social Engineering

Along the lines of COVID phishing lures, the explosion of work from home left many IT departments unprepared and understaffed. IT departments that were already understaffed and overworked now had to support a crumbling remote-access infrastructure; install, maintain, and support a new suite of collaboration tools; and run a helpdesk for an already stressed workforce. My employer was no exception to social engineering attempts. The sudden shift meant that IT departments were bombarded with calls for password resets and had little capability to verify the caller's identity. In putting business continuity above security (the "new normal"), many IT departments unwittingly handed corporate credentials to attackers.

The social engineering sword cuts both ways, and the newly minted work-from-home workforce is also susceptible to social engineering attacks. Attackers calling employees while pretending to be the helpdesk can lead them to phishing pages that steal corporate credentials. That was the case in at least one instance in which unsolicited phone calls from a fake help desk sent GoDaddy employees to a dummy VPN login page that stole their VPN credentials.

Deaths Due to Cyberattack

September 2020 marked a grim milestone in the bridge between the cyber and real worlds. For the first time, a cyberattack resulted in the death of a person. An ambulance rushed a woman in Germany to her local hospital to treat a life-threatening condition. Unfortunately for her, a ransomware attack had crippled the local hospital. She was diverted to another medical facility over twenty miles away, resulting in a one-hour delay in treatment, and the patient did not survive.

Universal Health Services, one of the largest healthcare providers in the United States, was also hit with a massive ransomware attack that affected over 400 hospitals. Doctors had to rely on paper charts and test results had to be driven or mailed from the lab. There is no doubt that the delay in treatment and inconvenience and manual processes at the hospital cost human lives.

The ransomware crews' disregard for human life may result in an attitude shift among policymakers to allow governments to hack-back, defend forward, or take more drastic measures to protect critical infrastructure such as hospitals.

Immortal Botnets

The Emotet botnet returned in 2020 after taking a long hiatus. According to Zscaler ThreatlabZ's research, Emotet began its career of crime as a banking trojan in 2014. Its primary goal was to steal banking credentials and drain the accounts of unsuspecting victims. Emotet primarily spreads through malicious e-mail attachments and links in spam e-mail. More recently, Emotet has pivoted from a banking trojan to be used as an attack vector to spread the Ryuk ransomware strain, which famously decimated local schools and governments last summer. With the recent shift in the workforce mostly working from home due to the global pandemic, the security protections typically offered to employees are less adequate or non-existent.

The Trickbot botnet suffered a significant blow a month before the US presidential election. At the time, unknown actors had modified the Trickbot code and simultaneously attacked Trickbot's command and control infrastructure in an attempt to disrupt its operations. While Trickbot operators were busy repairing their botnet, the US election went off without a hitch, and now the Trickbot botnet is back at full capacity. It later came out that US Cyber Command, as suspected, was responsible for the initial disruption.

Photo Credit: Zscaler Security

Predictions for 2021

Ransomware

Ransomware will still be a scourge on the digital domain, but governments will lose their patience and begin to take matters into their own hands. The United States, through Cyber Command, is already defending forward against North Korean, Russian, and Iranian-sponsored hackers, and I see that trend continuing, barring any significant policy changes from the new administration.

Along the lines of ransomware, I am also predicting more human deaths from ransomware either directly or indirectly. Security researchers are already seeing phishing lures sent to so-called "cold supply chain" providers, an essential job function in transporting vaccines that require freezing temperatures. If a cold supply chain vendor were taken offline due to a ransomware attack, life-saving medicine would spoil or not make it to its destination in time.

End Users as the Weak Link

Attackers will continue to use COVID lures or exploit users working from home to attack organizations. With many organizations predicting that it will be at least mid-2021 or even 2022 before employees return to the office, all of the problems we dealt with in 2020 will carry over into 2021. Securing the mobile workforce should be a priority, if it is not one already.

Supply Chain Attacks

Proper supply chain attacks are novel but remarkably effective. As traditional routes to gaining unauthorized access begin closing, attackers will look to unconventional means to achieve their ends. Compromising the supply chain is an effective way to get inside an organization without it suspecting anything, and it already looks like 2021 may be the year of supply chain attacks.

Image by Gerd Altmann from Pixabay

Government Legislation

Despite my belief that Congress is incompetent at drafting meaningful cybersecurity policy, I believe that the younger generation of lawmakers, who grew up with Facebook, Friendster, and Telegram, will understand what it takes to make the internet genuinely secure. 2020 saw a record number of younger members elected to Congress, and there are already a few rising stars who can help steer the country in the right direction.

2020 brought many challenges globally but also acted as an opportunity to modernize organizations and shake off inertia. One thing is for sure: COVID is acting as a catalyst to drive digital transformation. Organizations that desired some cloud initiative got a quick lesson in the cloud and the global pandemic accelerated those plans quicker than anyone previously thought.

The Chinese character for "Crisis" is made up of two characters, with one character being "danger" and the other, "opportunity." This once-in-a-generation pandemic is also acting as an opportunity for organizations to change their digital strategy for the next decade. The future is cloud and the future is now.

Here's to a better 2021 when we can all look back at 2020 as something we will only see once in our lifetimes. I am genuinely grateful for health, family, and the opportunity presented to forge a new way forward. That's it from me; see you all in 2021!

If you enjoyed my article, please follow me on Twitter and subscribe to my weekly newsletter at https://www.chrislouie.net/

Caitlin DiPonziano

Regional Sales Manager - Strategic Accounts at Zscaler

4 years

This is great!
