December 2020 might have been the most significant month in cybersecurity history.
Private companies continued to be used as attack vectors in the ongoing international cyberwar. The plague of COVID-19-related phishing scams showed no signs of stopping. And yet another big tech company faced a fine following a data breach.
This month, we’ve split our cybersecurity roundup into two parts. Part 1 deals with the SolarWinds hack and the subsequent fallout, affecting tens of thousands of companies worldwide. Part 2 looks at some of December’s other major cybersecurity headlines.
The cybersecurity headlines this month have been dominated by the discovery that US software company SolarWinds had been hacked by state-sponsored Russian hackers.
The SolarWinds story will continue to develop throughout 2021. Part 1 of our December cybersecurity news roundup sets out the major developments so far, to help you understand how this major cybersecurity incident is unfolding.
December’s cybersecurity saga begins with an announcement from security firm FireEye, made via a December 8 blog post.
FireEye reported that a “highly sophisticated state-sponsored adversary” had stolen “red team” tools, used to mimic the sorts of attacks and exploits carried out by malicious actors. When such tools fall into the wrong hands, they can be used to carry out real-life attacks.
FireEye sought to reassure its clients in a further blog post on the same day, noting that none of the compromised tools contained zero-day exploits. We explored the danger of zero-day vulnerabilities in our article: What is a Zero-Day Vulnerability?
Blame for the attack fell on the Russian cybercrime group known as “Cozy Bear.” FireEye’s revelations were newsworthy in themselves, but the full implications of the company’s announcement remained unclear until a few days later.
On December 13, Texas-based IT company SolarWinds said that some of the software it released between March and June had been subject to a “highly-sophisticated, targeted and manual supply chain attack by a nation state.”
SolarWinds’ announcement was the first clear indication that one of the biggest cyberattacks of all time might be underway. But why was SolarWinds’ announcement so significant?
SolarWinds software is used by thousands of organizations — including many US government organizations. The company’s announcement revealed that many of SolarWinds’ clients had had malware embedded in their systems for up to nine months.
The next chapter in 2020’s biggest cybersecurity story came on December 13, when Reuters reported that internal email traffic had been compromised at the US Treasury and Department of Commerce.
Just like FireEye, which had reported its breach five days earlier, these US government departments used the IT-monitoring software platform Orion. Orion is created by — you guessed it — SolarWinds.
When the organizations updated their Orion software back in March, they unwittingly installed malware. The blame for the hack continued to fall on Russia, which denied involvement via a statement on Facebook.
Shortly after the SolarWinds hack was announced, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01.
The directive’s full name is “Mitigate SolarWinds Orion Code Compromise,” and it instructs federal agencies to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.”
Agencies were also told to “block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.”
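The version range quoted from the directive is easy to misjudge by eye because of the “HF” hotfix suffix: a 2020.2.1 host with HF1 is inside the range, one with HF2 is not. The following added example, which is mine and not code from the article, from CISA or from SolarWinds, parses Orion-style version strings into comparable tuples and sorts an asset inventory into affected and not-affected hosts. The hostnames and version strings in the sample inventory are constructed for illustration, the range is taken as inclusive at both ends, and the script assumes you already have version strings from your own asset inventory; it does not itself inspect installed software.

```python
import re
from typing import List, Optional, Tuple

# Range quoted on this page from CISA Emergency Directive 21-01:
# "versions 2019.4 through 2020.2.1 HF1", taken as inclusive at both ends.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

# Shape assumed for Orion version strings: "YYYY.minor[.patch] [HFn]".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'YYYY.minor[.patch] [HFn]' into a comparable 4-tuple.

    Missing components default to 0, so '2019.4' sorts before '2019.4 HF5'
    and '2020.2.1' sorts before '2020.2.1 HF1'. Returns None when the string
    is not in the expected shape (empty, unrelated product string, etc.).
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) < 2 or len(parts) > 3:
        return None
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


def in_directive_range(text: str) -> Optional[bool]:
    """True if the version falls inside the directive's range, False if outside,
    None if the string could not be parsed (treat those hosts as needing manual review)."""
    v = parse_orion_version(text)
    if v is None:
        return None
    low = parse_orion_version(AFFECTED_LOW)
    high = parse_orion_version(AFFECTED_HIGH)
    return low <= v <= high


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Classify (hostname, version_string) records into three buckets."""
    result = {"affected": [], "not_affected": [], "unparsed": []}
    for host, version in inventory:
        verdict = in_directive_range(version)
        if verdict is None:
            result["unparsed"].append(host)
        elif verdict:
            result["affected"].append(host)
        else:
            result["not_affected"].append(host)
    return result


# Constructed sample inventory: hostnames and version strings invented for illustration.
SAMPLE_INVENTORY = [
    ("orion-01.example.internal", "2019.4 HF5"),
    ("orion-02.example.internal", "2020.2.1"),
    ("orion-03.example.internal", "2020.2.1 HF1"),
    ("orion-04.example.internal", "2020.2.1 HF2"),
    ("orion-05.example.internal", "2018.4"),
    ("orion-06.example.internal", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that end up in the “unparsed” bucket deserve the same attention as affected ones: an inventory entry that cannot be read is not evidence that the host is clean.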
The severity of CISA’s directive stood in stark contrast to SolarWinds’ reassuring press releases.
The full extent of the SolarWinds hack became clearer on December 14, when the company filed a report with the US Securities and Exchange Commission revealing that around 18,000 organizations may have installed the malicious Orion update.
To put this in context, SolarWinds has roughly 300,000 customers in total. Around 33,000 of these use Orion, and more than half of these Orion users are believed to have been compromised by the hack.
But these aren’t just any customers. According to SolarWinds’ website, Orion users include US public bodies such as the Department of Defense, Secret Service, and Air Force — not to mention private firms like Symantec, AT&T, and — crucially — Microsoft.
The SolarWinds saga continued on December 17, when US cybersecurity agency CISA announced an “advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations.”
CISA described the attacker as a “patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks” that, among other activities, was “targeting email accounts belonging to key personnel, including IT and incident response personnel.”
Once hackers gain control of a target email account, they can use it to carry out advanced phishing operations. Read our articles on Business Email Compromise (BEC) and Account Takeover (ATO) attacks to learn how to avoid falling victim to these sorts of scams.
One of the more shocking threads of the SolarWinds story was revealed by Politico on December 17, when the US National Nuclear Security Administration (NNSA) and Department of Energy (DoE) revealed they had been affected by the hack.
For many, this took an already deeply concerning event into “borderline terrifying” territory, as the NNSA maintains the world’s most powerful stockpile of nuclear weapons. However, a DoE spokesperson said that only business networks had been affected.
The revelations came shortly after reports that CISA had been “overwhelmed” by the attacks, owing in part to staff shortages. CISA director Chris Krebs was fired by President Trump last month after Krebs defended the integrity of the 2020 election.
In a December 17 blog post, Microsoft President Brad Smith claimed that the SolarWinds attack had impacted more than 40 Microsoft customers located across seven countries.
While 80 percent of Microsoft’s affected customers were in the US, others were located in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE. Smith also said it was “certain” that more locations and victims would emerge.
Smith’s blog post also called for “a more effective national and global strategy to protect against cyberattacks,” underpinned by better information sharing, stricter cybersecurity rules, and stronger accountability of nation-state cyber actors.
December 17 saw yet another newsworthy cybersecurity event when the US National Security Agency (NSA) issued a rare Cybersecurity Advisory, warning that “malicious cyber actors are abusing trust in federated authentication environments to access protected data.”
The issue originated in Microsoft’s Active Directory Federation Services (ADFS) software, which provides single sign-on access across organizations, including via multi-factor authentication.
The NSA’s Microsoft advisory followed a December 14 report by Volexity, revealing that an attacker had bypassed Duo’s multi-factor authentication service to gain access to a Microsoft Outlook Web App (OWA) inbox.
These incidents serve as a stark reminder that while multi-factor authentication might be a crucial component of your cybersecurity ecosystem, you cannot rely on it to keep your email accounts safe.
While the SolarWinds hack generated the most headlines, December saw many other important, unrelated cybersecurity news stories. Part 2 of our December cybersecurity news roundup presents some of the month’s other big cybersecurity events.
The US Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) on December 10, advising businesses to take steps to improve cybersecurity safeguards against ransomware attacks.
Perhaps most interestingly, the PIN warns that cybercriminals have been following up ransomware attacks with phone calls attempting to “extort payments through intimidation” and “threatening to release exfiltrated data.”
The FBI does not advocate paying a ransom after falling victim to a ransomware attack. It suggests taking steps to mitigate or prevent attacks, including creating secure backups, monitoring network traffic, and enabling multi-factor authentication.
Since many ransomware attacks occur via email, it’s essential to protect your business using email security software. Read our article on How to Choose the Right Email Security Software for more information.
Research reported by Health IT Security on December 11 showed that cyberattackers continue to exploit the COVID-19 pandemic through phishing scams.
The report cites research by KnowBe4, which reveals a new batch of spear phishing emails relating to vaccinations. Armorblox also reports emails impersonating the US Internal Revenue Service (IRS) and purporting to offer COVID-19 financial relief.
The majority of COVID-19 phishing attacks target credentials — a common strategy which we discuss in our article What is Credential Phishing?
You can also check out four real-world examples of other COVID-19 phishing attacks in this article.
These phishing scams are a new variant on the COVID-19 phishing theme that started hitting inboxes in March — and, like all social engineering attacks, they seek to exploit people’s trust in authority.
Want to learn how to avoid falling victim to these sorts of scams? See our article: How to Identify and Prevent Phishing Attacks.
Ireland’s data protection authority, the Data Protection Commission (DPC), issued a €450,000 fine against Twitter on December 15 over the company’s handling of a 2018 data breach affecting Android users.
Twitter’s violations of the EU’s General Data Protection Regulation (GDPR) included failing to notify the DPC about a data breach within the required 72-hour period, and failing to document the breach properly.
While nearly half a million euro is a lot of money, it’s fairly small beer for a company as large as Twitter. The GDPR allows fines of up to 2% of global turnover for this type of violation, which could have led to a maximum fine of around €60 million in Twitter’s case. We outline the biggest GDPR fines of 2020 in this article.
But the DPC originally proposed an even smaller fine of between €135,000 and €275,000. This proposal was seen as excessively lenient by other EU data protection authorities, who disputed it under the first ever use of the GDPR’s Article 65 procedure.
Other DPAs, such as Germany’s BfDI, argued that a higher fine of up to €22 million would be more appropriate. These arguments were put forward in a binding decision of the European Data Protection Board (EDPB) which required the DPC to reconsider its proposed fine.
The regulator’s response — raising the fine to just 0.1% of Twitter’s 2019 turnover — will lead many to suggest that the social media giant got off lightly.
On December 22, BleepingComputer reported that the contact details of over 270,000 users of cryptocurrency wallet Ledger were being offered for sale on the dark web, following a data breach that occurred in July.
Two text files were reportedly for sale, one containing 1,075,382 people’s email addresses, and the other containing 272,853 people’s names, mailing addresses, and phone numbers.
Although this type of personal data is not considered sensitive, it is highly valuable to hackers as it can be used to launch phishing attacks against the users. Earlier this month, Ledger users reported receiving phishing emails from an actor impersonating Ledger’s security team.