Data Exfiltration Prevention and the Top 10 Cyberattacks of 2020
Looking back at the cyberattacks of 2020, selecting what we see as the top 10 was no easy task. In this blog we review these attacks and look at the role that data exfiltration prevention could have played in preventing them when existing technology failed. Attacks were frequent, particularly when it came to ransomware, which rose seven-fold last year. 2020 was also very lucrative for cybercriminals, with reports just in that the RYUK gang alone have amassed a fortune of $150 million by holding so many organisations to ransom. There’s little doubt that many of the organisations hit in 2020 had robust cybersecurity tools in place, however, it’s evident it wasn’t enough to prevent the attacks.
Despite the increased frequency and success of these attacks, organisations remain focused on the same defensive techniques. As is the case in any war, attackers are constantly inventing new techniques to evade forces. Just as in World War II when the allied forces had to come up with a new plan to defend against the new X-beam system which was used so effectively in attacks against Britain, so must cybersecurity defences today.
Fortifying a building by adding stronger walls, more tanks and deeper moats only encourages an attacker to develop more effective ways of getting in. It is no different in cybersecurity today. Organisations have implemented firewalls and adopted endpoint detection systems only to be thwarted at every turn. Getting into the network is now only the beginning of a much more complex attack involving dwell time, masquerading and polymorphism.
Let’s look back at some of the attacks that made headlines last year and discuss how these attacks could have been mitigated with data exfiltration prevention.
In January 2020 foreign exchange company Travelex suffered a ransomware attack that resulted in its systems going offline. The REvil ransomware group disclosed that they had used Sodinokibi ransomware to successfully encrypt the company’s entire network, delete backup files and exfiltrate more than 5GB of personal data. The company paid a ransom of $2.3 million ransom but reports from PWC say they took a £23 million hit as a result of the attack, Travelex has since gone into administration as a result of the cyberattack and the impact of Covid-19.
9. Toll Group
Australian logistics giant Toll Group makes the list for being a victim of ransomware twice last year. In February the company said that its IT systems had been disabled due to a malware infection, this was later confirmed as NetWalker ransomware. Normal operations resumed until they suffered a Netfilim attack in May. Hackers stole a total of 220GB of data including financial reports and invoices. In August the group announced the appointment of their new CISO.
IT services supplier Cognizant suffered a ransomware attack expected to cost the company between $50m and $70m in the months following the attack. The company, which supplies IT services to businesses in the manufacturing, financial services, technology and healthcare industries was attacked by the Maze ransomware group in April. Cognizant did not disclose how the attackers were able to access its systems.
In May budget airline EasyJet revealed that a ‘highly sophisticated’ cyberattack had exposed the details of over 9 million of its customers. Of the 9 million people affected, 2,208 had credit card details stolen. Sources have since commented that the hacking tools and techniques used in the January attack pointed to a group of suspected Chinese hackers that have targeted multiple airlines in recent months. The airline is now facing an £18 billion class-action lawsuit filed on behalf of customers impacted.
Leading cloud solution provider Blackbaud suffered an attack in May last year but waited two months before disclosing it. More than 120 organisations had their data compromised due to the ransomware attack that compromised the company’s cloud platform. It was later reported that the company had been sued in 23 proposed consumer class action cases in the U.S. and Canada. In a September Form 8-K filing, Blackbaud’s CFO admitted, contrary to earlier claims, that customer “bank account information, social security numbers, usernames and/or passwords” were compromised in the attack.
Fitness brand Garmin reportedly paid $10 million dollars in ransom after a cyberattack encrypted some of its systems and forced services offline. The July attack affected Garmin’s wearables, apps, website and call centres. The attackers used WastedLocker ransomware, operated by Russian cybercrime group Evil Corp.
4. Universal Health Service
In September, computer systems at Universal Health Services Inc., (UHS) one of the largest hospital chains in the United States was the victim of a malicious ransomware attack. The incident crippled the company’s computers affecting 400 hospitals and led it to cancel surgeries and divert some ambulances. RYUK ransomware was behind the attack.
3. Software AG
Software AG, the German software giant was the victim of a double extortion ransomware attack in October. The Clop ransomware gang was behind the attack. It was reported that the ransom was $20 million but the company decided not to pay. Confidential company data including internal emails, employee passport information and company financial information was later posted on a leak site run by the cybercriminals.
In December, FireEye, one of largest cybersecurity companies in the United States disclosed that foreign government hackers broke into its network. They accessed tools it uses to test the defences of its thousands of customers including governments and major global corporations. The firm said that a suspicious log-in prompted them to investigate what turned out to be a massive security hole for the U.S. government and many large corporations.
FireEye along with Federal officials have said that the attackers carried out the stealthy breach of the U.S. government after embedding malicious code into the software updates that SolarWinds offers to its clients. Almost 18,000 organisations received the infected code.
The biggest attack of the year easily goes to SolarWinds in which nation-state threat actors placed a backdoor in the company’s Orion platform which was activated when customers updated the software. The Orion platform helps organisations monitor outages on their computer networks and servers. The compromised software was installed on about 18,000 customer networks including Managed Service Providers (MSPs) who are often managing anywhere from 10 to thousands of customers themselves.
The importance of this attack cannot be underestimated for several reasons. Firstly, it is widely installed software that is used by the White House, Pentagon and the Secret Service to name a few, all of which have confirmed the attack.
Secondly, the fact that this attack remained undetected for 9 months using the latest security software in the industry from some of the biggest names, raises questions as to the effectiveness of those technologies and the clear need for new security strategies. Many cybersecurity experts are describing the attack as a wake-up call for the industry.
Data Exfiltration Prevention
The one thing that connects all of these attacks, is that they all involve data exfiltration. Despite the myriad of tools now available, getting into the network is actually one of the easiest parts of the attack. It requires one successful email, a well-constructed highly targeted phishing campaign, or a technique like malvertising. Once they are in, they can use dwell time to evade detection before activating and injecting themselves into other applications such as the Orion platform, masquerading as other processes and performing their actions before vanishing again. The Orion attack was particularly sophisticated in that it would undo changes between activations. It would execute for a few seconds before undoing any changes that were made so it couldn’t be detected.
Similarly, ransomware often uses a combination of dwell time and remote activation techniques which involve process injection and data exfiltration (key exchange and data removal) that can be detected at exactly the right moment.
The goal of any attack is to steal information for competitive, disruptive or monetary gain. An attacker infiltrating a network or a device in and of itself does not make a successful cyberattack. An attack is only successful if unauthorised data is stolen or removed from a device or network.
The imperative is to detect these new threats by monitoring data exfiltration in real time. By monitoring the traffic leaving the device it is possible to detect the activation, communication and transfer of anomalous data out of the network. If we learned anything from the prominent attacks of 2020 it’s that no matter how much you secure the fortress, or how high you build the walls, the attackers will get in.
Organisations should include new techniques such as data exfiltration prevention which focus on both the activations and removal of key data from within the organisation if they are to remain one step ahead of this new era of industrial espionage and cyberwarfare.