2020 had its share of memorable hacks and breaches. Here are the top 10

2020 was a difficult year for several reasons, including breaches and hacks that affected end users, customers and the targeted organizations. The ransomware threat dominated the headlines, with an endless stream of compromises affecting schools, governments and private companies while criminals demanded multi-million dollar ransoms. There was also a constant stream of data breaches. Several mass account compromises also made appearances.

The following are some of the highlights. For good measure, we are also including some notable hacks that, while not actively used in the wild, were impressive beyond measure or pushed the limits of security.

The SolarWinds Hack

2020 saved the most devastating breach for last. Hackers who, according to several government officials, are backed by the Russian government began by compromising the software distribution system of SolarWinds, a maker of network monitoring software that tens of thousands of organizations use. The hackers then used their position to deliver a backdoored update to some 18,000 customers. From there, the hackers could steal, destroy or modify data on any of these customers’ networks.

It will take time for investigators to assess the damage. That’s because not everyone who installed the malicious update was subjected to follow-on attacks. So far, security firm FireEye has said the hackers sought information about its government customers and also stole red team tools used to test customers’ security defenses. American officials, meanwhile, have said dozens of Treasury Department email accounts were also hacked.

While the full effects of the breach will not be known for months, it is already clear that the SolarWinds hack is one of the most damaging espionage hacks visited on the United States in the past decade, if not ever. It was accomplished by attacking a vital software supply chain for some of the largest companies and government agencies in the world. The attackers then used this pipeline to dig into the networks of the most interesting entities.

In addition to the loss of so much valuable data, the SolarWinds hack is notable for the high-level espionage tradecraft it used. The attackers, according to Yahoo News, had control of the SolarWinds update system as early as October 2019. They started sending malicious updates in March. The industry-wide compromise came to light not through the government agencies charged with discovering these things, but because of the investigation that FireEye did.

Mass compromises of Twitter, Nintendo accounts

In July, Twitter lost control of its internal systems to hackers who promoted a Bitcoin scam. The breach was notable because it compromised accounts belonging to politicians, celebrities and business executives, many with millions of followers.

Although the damage was modest, about $100,000 in payments to the fake Bitcoin promotion and some personal data stolen from some account holders, a hack like this could have been used to do much worse things (think of impersonating government or business leaders to manipulate the stock market or fuel geopolitical tensions).

Another thing that made this breach significant was the people who perpetrated it and the tactics they used. Authorities accused a 17-year-old, a 19-year-old and a 22-year-old of using a spear phishing attack that stole an administrative password from a Twitter employee who was working from home during the COVID-19 pandemic.

A runner-up, another hack that led to mass account compromises, hit Nintendo in April.

Ransomware attacks on Düsseldorf University Hospital, Garmin and Foxconn

These are separate breaches, but together they underscore the toll that ransomware attacks are exacting, not only on the targeted organizations, but also on the millions of people who depend on them.

During an outage that hit a hospital near Düsseldorf, Germany, a patient seeking life-saving treatment was turned away and died while trying to obtain services from a more distant facility. It is possible or even likely that the patient would have died anyway, but the compromise nevertheless illustrates the potentially fatal role that ransomware and other harmful hacks can play.

The attack on Garmin, meanwhile, caused a four-day outage that disrupted GPS services for millions of people, some of them aircraft pilots doing flight planning and mapping.

Another ransomware attack that attracted attention was the breach of electronics giant Foxconn. The attackers demanded $34 million for the return of the data, making it the largest ransom ever requested.

Data breaches hitting Marriott and EasyJet

These were also separate hacks, but they led to the compromise of personal data belonging to hundreds of millions of individuals.

For Marriott, the loss of information belonging to 5.2 million guests was the second time in three years that it had been hacked on this scale. The EasyJet breach affected nine million passengers.

A zero-click iPhone exploit and the extraction of a cryptographic key from an Intel CPU

Not all hacks are bad. Most of the time, they are carried out by the good guys. And occasionally, they are so elegant that you can only admire them for the ingenuity that went into them.

This year’s most impressive hack came from Ian Beer, a member of the Google Project Zero vulnerability research team. He devised an attack that, until Apple released an update, gave him full access to any iPhone within range of his malicious Wi-Fi hotspot.

His attack did not require the iPhone user to do anything and was wormable, meaning that the exploit could spread from one device to another. The exploit is one of the most impressive hacking achievements in recent memory and shows the damage that can result from a single common vulnerability. Apple fixed the buffer overflow flaw after Beer privately reported it.

Another major hack this year was the extraction of a secret key used to encrypt the microcode on an Intel CPU, a first in the annals of security and reverse engineering.

The key makes it possible to decrypt the microcode updates that Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update can allow hackers to reverse engineer it and learn precisely how to exploit the hole it is fixing. The key may also allow parties other than Intel, say a malicious hacker or a hobbyist, to update the chips with their own microcode, although this customized version would not survive a reboot.

There is an old saying in security circles that attacks only get better. 2020 proved the saying true once again, and no doubt 2021 will do the same.
