Darren Williams - Sponsored by BLACKFOG

Data Exfiltration Prevention and the Top 10 Cyberattacks of 2020

Looking back at the cyberattacks of 2020, selecting what we see as the top 10 was no easy task. In this blog we review these attacks and look at the role that data exfiltration prevention could have played in preventing them when existing technology failed. Attacks were frequent, particularly when it came to ransomware, which rose seven-fold last year. 2020 was also very lucrative for cybercriminals, with reports just in that the RYUK gang alone have amassed a fortune of $150 million by holding so many organisations to ransom. There’s little doubt that many of the organisations hit in 2020 had robust cybersecurity tools in place; however, it’s evident that those tools weren’t enough to prevent the attacks.



Despite the increased frequency and success of these attacks, organisations remain focused on the same defensive techniques. As is the case in any war, attackers are constantly inventing new techniques to evade the defending forces. Just as in World War II, when the allied forces had to come up with a new plan to defend against the new X-beam system used so effectively in attacks against Britain, so must cybersecurity defenders today.


Fortifying a building by adding stronger walls, more tanks and deeper moats only encourages an attacker to develop more effective ways of getting in. It is no different in cybersecurity today. Organisations have implemented firewalls and adopted endpoint detection systems only to be thwarted at every turn. Getting into the network is now only the beginning of a much more complex attack involving dwell time, masquerading and polymorphism.


Let’s look back at some of the attacks that made headlines last year and discuss how these attacks could have been mitigated with data exfiltration prevention.


10. Travelex

In January 2020 foreign exchange company Travelex suffered a ransomware attack that resulted in its systems going offline. The REvil ransomware group disclosed that they had used Sodinokibi ransomware to successfully encrypt the company’s entire network, delete backup files and exfiltrate more than 5GB of personal data. The company paid a ransom of $2.3 million, but reports from PwC say they took a £23 million hit as a result of the attack. Travelex has since gone into administration as a result of the cyberattack and the impact of Covid-19.


9. Toll Group

Australian logistics giant Toll Group makes the list for being a victim of ransomware twice last year. In February the company said that its IT systems had been disabled due to a malware infection; this was later confirmed as NetWalker ransomware. Normal operations resumed until they suffered a Nefilim attack in May. Hackers stole a total of 220GB of data including financial reports and invoices. In August the group announced the appointment of their new CISO.


8. Cognizant

IT services supplier Cognizant suffered a ransomware attack expected to cost the company between $50m and $70m in the months following the attack. The company, which supplies IT services to businesses in the manufacturing, financial services, technology and healthcare industries, was attacked by the Maze ransomware group in April. Cognizant did not disclose how the attackers were able to access its systems.


7. EasyJet

In May budget airline EasyJet revealed that a ‘highly sophisticated’ cyberattack had exposed the details of over 9 million of its customers. Of the 9 million people affected, 2,208 had credit card details stolen. Sources have since commented that the hacking tools and techniques used in the January attack pointed to a group of suspected Chinese hackers that have targeted multiple airlines in recent months. The airline is now facing an £18 billion class-action lawsuit filed on behalf of customers impacted.


6. Blackbaud

Leading cloud solution provider Blackbaud suffered an attack in May last year but waited two months before disclosing it. More than 120 organisations had their data compromised due to the ransomware attack that compromised the company’s cloud platform. It was later reported that the company had been sued in 23 proposed consumer class action cases in the U.S. and Canada. In a September Form 8-K filing, Blackbaud’s CFO admitted, contrary to earlier claims, that customer “bank account information, social security numbers, usernames and/or passwords” were compromised in the attack.


5. Garmin

Fitness brand Garmin reportedly paid $10 million in ransom after a cyberattack encrypted some of its systems and forced services offline. The July attack affected Garmin’s wearables, apps, website and call centres. The attackers used WastedLocker ransomware, operated by Russian cybercrime group Evil Corp.


4. Universal Health Services

In September, Universal Health Services Inc. (UHS), one of the largest hospital chains in the United States, was the victim of a malicious ransomware attack on its computer systems. The incident crippled the company’s computers, affecting 400 hospitals, and led it to cancel surgeries and divert some ambulances. RYUK ransomware was behind the attack.


3. Software AG

Software AG, the German software giant, was the victim of a double extortion ransomware attack in October. The Clop ransomware gang was behind the attack. It was reported that the ransom was $20 million but the company decided not to pay. Confidential company data including internal emails, employee passport information and company financial information was later posted on a leak site run by the cybercriminals.


2. FireEye

In December, FireEye, one of the largest cybersecurity companies in the United States, disclosed that foreign government hackers had broken into its network. They accessed tools it uses to test the defences of its thousands of customers, including governments and major global corporations. The firm said that a suspicious log-in prompted them to investigate what turned out to be a massive security hole for the U.S. government and many large corporations.

FireEye, along with federal officials, has said that the attackers carried out the stealthy breach of the U.S. government after embedding malicious code into the software updates that SolarWinds offers to its clients. Almost 18,000 organisations received the infected code.


1. SolarWinds

The biggest attack of the year easily goes to SolarWinds, in which nation-state threat actors placed a backdoor in the company’s Orion platform which was activated when customers updated the software. The Orion platform helps organisations monitor outages on their computer networks and servers. The compromised software was installed on about 18,000 customer networks, including Managed Service Providers (MSPs), which often manage anywhere from 10 to thousands of customers themselves.


The importance of this attack cannot be overstated, for several reasons. Firstly, it is widely installed software that is used by the White House, Pentagon and the Secret Service to name a few, all of which have confirmed the attack.


Secondly, the fact that this attack remained undetected for 9 months despite the latest security software in the industry from some of the biggest names raises questions as to the effectiveness of those technologies and the clear need for new security strategies. Many cybersecurity experts are describing the attack as a wake-up call for the industry.


Data Exfiltration Prevention

The one thing that connects all of these attacks is that they all involve data exfiltration. Despite the myriad of tools now available, getting into the network is actually one of the easiest parts of the attack. It requires one successful email, a well-constructed highly targeted phishing campaign, or a technique like malvertising. Once they are in, attackers can use dwell time to evade detection before activating and injecting themselves into other applications such as the Orion platform, masquerading as other processes and performing their actions before vanishing again. The Orion attack was particularly sophisticated in that it would undo changes between activations: it would execute for a few seconds and then revert any changes that were made so it couldn’t be detected.


Similarly, ransomware often uses a combination of dwell time and remote activation techniques which involve process injection and data exfiltration (key exchange and data removal); these are the moments at which the attack can be detected, provided the traffic leaving the device is being watched.


Conclusion

The goal of any attack is to steal information for competitive, disruptive or monetary gain. An attacker infiltrating a network or a device does not, in and of itself, make a successful cyberattack. An attack is only successful if data is stolen or removed from a device or network without authorisation.


The imperative is to detect these new threats by monitoring data exfiltration in real time. By monitoring the traffic leaving the device it is possible to detect the activation, communication and transfer of anomalous data out of the network. If we learned anything from the prominent attacks of 2020 it’s that no matter how much you secure the fortress, or how high you build the walls, the attackers will get in.
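As an added illustration of the egress monitoring described above (example code written for this page, not BlackFog’s product or code), the following Python script baselines each host’s outbound volume to non-RFC 1918 destinations over earlier time windows and alerts when a window exceeds a multiple of that baseline, listing any destination the host has not contacted before. The flow records, host names and addresses are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# RFC 1918 space: traffic that stays inside it is not egress from the organisation.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed flow records: (hourly window, source host, destination IP, bytes sent).
# ws-17 sends tens of KB/hour externally until h05, when it pushes ~100x that to an
# address it has never contacted; ws-22 is busy but steady, so it must not alert.
FLOWS = [
    ("h01", "ws-17", "10.0.0.5", 900_000),  # internal file server, not egress
    ("h01", "ws-17", "203.0.113.10", 40_000),
    ("h02", "ws-17", "203.0.113.10", 55_000),
    ("h03", "ws-17", "203.0.113.10", 38_000),
    ("h04", "ws-17", "203.0.113.10", 60_000),
    ("h05", "ws-17", "198.51.100.7", 5_500_000),
    ("h01", "ws-22", "203.0.113.10", 900_000),
    ("h02", "ws-22", "203.0.113.10", 1_100_000),
    ("h05", "ws-22", "203.0.113.10", 1_050_000),
]

def is_internal(dst):
    return any(ip_address(dst) in net for net in INTERNAL_NETS)

def external_bytes_per_window(flows):
    """Sum bytes per (host, window) sent to destinations outside RFC 1918 space."""
    totals = defaultdict(int)
    for window, host, dst, nbytes in flows:
        if not is_internal(dst):
            totals[(host, window)] += nbytes
    return dict(totals)

def detect_exfil(flows, current_window, factor=10):
    """Alert on hosts whose egress in current_window exceeds factor x their own earlier median."""
    history, known, now_dsts, current = defaultdict(list), defaultdict(set), defaultdict(set), {}
    for (host, window), nbytes in external_bytes_per_window(flows).items():
        if window == current_window:
            current[host] = nbytes
        else:
            history[host].append(nbytes)
    for window, host, dst, _ in flows:  # which external endpoints each host has used
        if not is_internal(dst):
            (now_dsts if window == current_window else known)[host].add(dst)
    alerts = []
    for host, nbytes in current.items():
        if not history[host]:
            continue  # no baseline yet; a deployment would queue these for review
        baseline = median(history[host])
        if nbytes > factor * baseline:
            alerts.append({"host": host, "bytes": nbytes, "baseline": baseline,
                           "new_destinations": sorted(now_dsts[host] - known[host])})
    return alerts
```

Per-host baselines matter here: ws-22’s normal hourly volume is larger than ws-17’s spike would look against a single global threshold, so a global threshold would either miss ws-17 or flood on ws-22.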


Organisations should adopt new techniques such as data exfiltration prevention, which focus on both the activations and the removal of key data from within the organisation, if they are to remain one step ahead of this new era of industrial espionage and cyberwarfare.
