Patrick O’Connor, CISSP, CEH, MBCS takes a look at significant security incidents in 2022 so far: some new enemies, some new weaknesses but mostly the usual suspects.
Major cyber attacks and data breaches happen regularly. Though each is bad in its own way, big data breaches also present cybersecurity professionals and organisations with an opportunity to learn.
Each year, BCS reports on the most impactful cyber incidents as they happen. Here are our annual roundups of top data breaches:
We explore what happened, try and understand how it happened and finally discuss whether there lessons to be learned from each big cyber incident.
The biggest cyber attacks of 2022
IBM’s Cost of Data Breaches Report 2022 quotes an average total cost of $4.5m (this figure was basically the same whether ransomware was involved or not). Amongst the 550 companies that IBM contacted that had experienced a data breach, a disappointing 83% had experienced more than one in the same period. The report also found that breaches where remote working was a factor, pushed up the average cost by around $1m. Once again, the healthcare industry posted the highest average costs to recover. This was at more than $10m.
It would be tempting to conclude as you look deeper into 2022 that few lessons are being learned. The most common attack vector remains credential theft (19%) then phishing (16%), misconfigured cloud (15%) and vulnerabilities in third-party software (13%).
To understand how crucial it is to prevent these common attacks, consider the average time required to identify and contain each type of compromise. It takes a staggering 327 days to identify and contain a compromise through stolen credentials. The number drops to 295 days for phishing and 244 days for a misconfigured cloud. Remember these are ‘average’ durations.
Elsewhere, we are seeing database attacks as a viable attack vector.
Ukraine war
Russia has, for many years, attacked Ukrainian infrastructure such as power grids, internet infrastructure and banks. Since the outbreak of physical hostilities, this has extended to systems related to government administration and the military.
Prior to the conflict, many viewed the Russian attacks as field testing of their cyber weapons. As with conventional warfare, cyber conflicts provide an opportunity for outsiders to observe and measure the effectiveness of various strategies, techniques and the technical weapons themselves.
Since the start of the conflict, Ukraine has unleashed cyber attacks of its own. They formed a volunteer ‘IT Army’, which used a website listing Russian targets, with hostnames and/or IP addresses and have caused many data breaches within Russia along with service disruptions (usually via distributed denial of service (DDoS) attacks).
Costa Rica – Conti ransomware attack
The Russia-linked cyber gang known as Conti managed to cause major disruption to financial operations throughout Costa Rica in April. They attacked the Ministry of Finance and managed to cripple Costa Rica’s import/export business. A national emergency was declared, which is a first for a ransomware attack.
There was a second attack in late May which targeted the Social Security Fund. This has also been attributed to Conti as the Hive ransomware was used and Conti are linked to its development. It is possible that this unusual activity from Conti is intended as something of a smokescreen while the gang itself tries to rebrand. They fear the impacts of sanctions against Russia over the Ukraine conflict.
Lapsus$ group’s chaotic spree
A group known as Lapsus$ began 2022 with a string of high profile targets including Nvidia, Ubisoft, Samsung and Microsoft. In each case, data was stolen and in many cases leaked online. Their operating model is extortion where access is most often gained through phishing and then they seek out the most sensitive data they can find and steal it. Often, they do not deploy encrypting software at all.
Unlike many sophisticated cybercrime operations, the Lapsus$ Group seem to be a loose collection of members. It is rumoured Nvidia may have ‘hacked back’ at the group. Hacking back is where offensive security experts will attempt to compromise attacker’s machines. This can be legally murky as often the attacking machines are compromised third parties. It soon became clear to investigators that Lapsus$ might not even be in it for the money.
Their use of social media to publicise their attacks suggested that they were seeking kudos. They used Telegram to publicise their achievements and ran polls asking readers to vote on whose data they should publish next. All this chaos and publicity ground to a halt in March as British police arrested seven people, including a 16 year old and a 17 year old, believed to be part of the group. Lapsus$ seemed to continue for a short time following the arrests but have since gone quiet.
More data theft from healthcare providers
Shields Health Care Group (Shields), a Massachusetts-based medical services provider, suffered a breach exposing around two million patient details in March. The effects of this are far-reaching as Shields relies on partnerships with hospitals and medical centres. It is believed that up to 53 separate facilities and their patients are affected.
In the UK, Advanced, a managed service provider (MSP) to the UK National Health Service (NHS) suffered a ransomware attack in August. It caused a major outage to NHS emergency services across the UK. Advanced called in both Microsoft and Mandiant to help with triage and investigations. While in the US another MSP, NetStandard, was attacked causing it to shut down its ‘MyAppsAnywhere’ cloud services.
MSPs are tempting targets for ransomware gangs because they have access to multiple companies’ data and therefore provide multiple potential ransom sources. In the past, the notorious REvil group has targeted MSPs.
Cryptocurrencies are safe though, right?
The market for companies or tools to store, convert and otherwise manage crypto assets is booming. With this rapid expansion have come flaws which hackers have been quick to exploit. At the end of March, North Korea’s Lazarus Group stole $540m Ethereum and USDC stablecoin from the popular Ronin blockchain ‘bridge’.
A blockchain bridge is an application allowing users to move crypto from one blockchain to another. It is not possible to perform a transaction on the Bitcoin blockchain using Dogecoin, for example. This makes the bridge applications vital and some would say a ‘missing link’ to making crypto mainstream.
In February, $321m of the Wormhole Ethereum variant was stolen and, in April, attackers were able to exploit the stablecoin protocol ‘Beanstalk’ to make off with crypto to the value of $182m at the time.
Marriott data breach (again)
In 2014, Marriott was breached and almost 340m guest records were exposed. This incident was undetected until September 2018 and led to a £14.4m fine from the UK Information Commissioner’s Office. In January 2020, Marriott was hacked again, affecting 5.2m guest records.
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
In June 2022 hackers claim to have made off with more than 20GB of sensitive data including guests’ credit card data. The attackers described using social engineering to trick an employee at a Marriott property in Maryland into giving them access to their computer. Marriott deny that the data affected more than 300–400 individuals, though it will be contacting people about the incident.
Former Amazon employee convicted for Capital One breach
In June this year, a former Amazon employee, Paige Thompson, was convicted for her role in the 2019 Capital One breach. While working for Amazon Web Services (AWS), she exploited her knowledge of cloud server vulnerabilities and stole personal information of over 100 million people.
Pleading that she was an ethical hacker only seeking to notify companies of vulnerabilities, she had in fact bragged about her exploits on hacker forums. She was found guilty and faces up to 45 years in prison.
Capital One were fined $80m by the Office of the Comptroller of Currency and paid out $190m to settle a class action lawsuit.
Industry still under attack
On 27 June, two Iranian steel companies, Mobarakeh Steel Company and Khuzestan Steel Industries, were attacked. A hacktivist group called Predatory Sparrow (an inverted echo of the Iranian state-sponsored cyber crime group, Charming Kitten) claimed responsibility.
One attack that targeted a Khuzestan factory caused a machine to malfunction and spew fire and molten steel across the factory floor. The attack could have been far more damaging but there are energy limitations in Iran. This meant the factories and their machines are switched off at night and had not been switched on again before the 5:15 a.m. attack.
Drone-based intrusion
The use of drones to execute cyber intrusions has been a topic of conversation for some time. Security researcher Greg Linares has come across three such attempts himself in the past two years. The latest one involves an unnamed financial company that noticed unusual activity on its internal confluence network. They determined there was a rogue device on their wifi network. Using signal trackers they were led to the roof of their building and discovered two drones.
One, a modified DJI Phantom was carrying a wifi pineapple and the other, a more powerful drone with more lifting capability, a DJI Matrice 600, carried a Raspberry Pi, a mini laptop(!), a 4G modem, a wifi device and batteries. It seems likely that some sort of initial wifi spoofing attack could have garnered internal credentials allowing access to the internal network.
Perhaps fortunately the unusual activity on the internal network was spotted early so the overall effect of the hack was contained. Having realised they had been rumbled the attackers also crashed one of the drones while attempting to escape. Estimates put the cost of the equipment used at around $15k but a more efficient setup, perhaps custom made, without using 4G but low power radio, would require fewer batteries and so less expensive/powerful drones.
Ransomware: Some good news
Usually reports of ransomware attacks involve companies or individuals handing over money to faceless hackers and having the pain and inconvenience of trying to reconstruct their data. In a recent reversal of that trend Dutch National Police managed to trick the DeadBolt ransomware gang into handing over 155 decryption keys.
The DeadBolt gang have been operating since January and leverage a 0-day exploit they came by for QNAP and Asustor Network Attached Storage (NAS) devices. They ask for a modest 0.03 Bitcoin ransom. Rather than have a website that victims need to go to to retrieve a decryption key after payment DeadBolt used a transaction in bitcoin to the same bitcoin ransom address with the decryption key included in a comments / reference field (OP_RETURN).
What the gang failed to understand about crypto transactions is that they take time to properly complete. There is a verification process as transactions are checked and eventually added to the blockchain. For different currencies these verification steps can vary in number and therefore time before transaction can be said to complete.
Since the automated method used by DeadBolt replied with the decryption key instantly it gave Dutch Police the chance to roll-back the transaction. This way they collected 155 decryption keys before the gang realised their mistake. The police then established a website listing the keys to allow other victims to try out the keys and likely recover their data.
Uber pwned by teenager
The ride-sharing company Uber had its internal systems completely compromised by teenager in September. It seems he used what is called a MFA Fatigue attack where once an employee’s credentials have been obtained, if the company employs MFA (Multi-Factor Authentication), the attacker bombards the employee with authentication requests, on their mobile phone.
Initially the employee will refuse them as they are not logging in but in this case the attacker eventually contacted the employee via WhatsApp and claimed to be from Uber IT explaining that he needed to accept the auth request or they would keep coming. The employee was sufficiently fed up with the incessant requests and complied. The attacker was then able to alter the MFA by adding his own device.
After this the attacker logged in through the corporate VPN and began looking around. Before long he found a Powershell script containing administrator credentials for the company’s Thycotic privileged access management (PAM) platform. From here all important credentials were available. Uber might be considered fortunate here as the attacker does seem to have done it for curiosity and not financial gain or other more damaging mischief.
So, now what?
Trends for 2022 are still being analysed but it seems that many of the usual suspect groups are still active. Ransomware, while not the overwhelming headline grabber it was a year ago, is still a major and terrifying threat to many companies. Surveys, like the IBM Security Cost of Data Breaches 2022, continue to illuminate that most companies could do much better with just basic security best practices.
The main attack vectors continue to be credential theft and phishing emails so it is vital to continue to raise awareness through corporate training and public ad campaigns. Finally, the conflict in Ukraine is showing how effective cyber weapons can be in disrupting command and control in a war.