The year isn’t over yet, but in terms of the sheer size of data breaches, 2020 is shaping up to be a chartbuster. According to security researchers, more than 36 billion records were exposed in publicly reported breaches by the end of Q3, making 2020 the worst year on record — before Q4 breaches were even reported.
Nonetheless, we don’t have evidence that cybercriminals are now using radically new, more sophisticated tactics than in previous years, or at least we didn’t, until the SolarWinds breach news broke. This nation-state-level supply chain attack may prove to be one of the most well-coordinated and sophisticated breaches the public becomes aware of. And while the specifics are still very much developing, the breadth and volume of impacted organizations is sure to grow dramatically.
Naturally, breach costs continue to mount, and high-profile events including the takeover of Twitter accounts belonging to celebrities and public figures like Bill Gates, Barack Obama, Elon Musk and Kanye West have attracted their fair share of media attention. But many of the criminals’ most successful strategies, including social engineering attacks and leveraging re-used credentials that had been harvested in a prior breach, are tried and true methods they’ve been using for years.
We also can’t say with confidence that 2020 has seen the biggest breaches in recent history, since the meaning of “biggest” depends on how you define it. Certainly, “biggest” might be interpreted as “largest number of records exposed,” but just because a record was exposed doesn’t mean it was actually exfiltrated, and even if it was exfiltrated, there’s no guarantee it’ll appear for sale on the Dark Web until years later (if ever). Further, not all records are of equal value — a long-expired password/username combination that was never reused elsewhere isn’t worth as much as a valid social security number or a current medical record.
What we can say with confidence is that supply chain attacks have increased in frequency and severity over the past 12 months. As this worrisome trend continues to impact businesses large and small, along with nonprofits, government agencies and other organizations around the globe, it’s never been more important to model and anticipate the threats that your supply chain may pose to your own security.
With that in mind, we’ll take a look at some of the most significant breach events of the past year, as we highlight lessons learned as well as the cybersecurity best practices that could have prevented them.
Victim: CAM4 (adult video streaming website)
Impact: 10.88 billion records exposed
Takeaway: Avoid facepalm misconfigurations. Leaving sensitive things exposed in places they shouldn’t be makes things very easy for attackers.
In this Elasticsearch production database misconfiguration of enormous scale, CAM4 employees accidentally configured a server so that any would-be attacker could easily find and view personally identifiable information belonging to CAM4 users, as well as corporate information including fraud detection logs. The good news about this incident is that there’s no evidence that the database was actually accessed by malicious actors. Still, over 10 million individual customers of the site could have been affected, along with performers and other company employees. This type of mistake — a server configuration error — remains frighteningly common across industries today. Human error is impossible to eliminate, but employee training (particularly educating developers on cybersecurity best practices), regular assessments and testing, and security monitoring can ensure that this kind of misconfiguration is detected and remediated quickly.
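As an added example (not code from the original article), the following script audits the handful of Elasticsearch settings whose combination produces exactly this kind of exposure: a non-loopback bind with authentication disabled. It parses only flat `key: value` lines, a constructed subset of the real elasticsearch.yml format, and the two sample configurations are constructed.

```python
# Added example (not from the original article): a small auditor for the
# Elasticsearch settings whose combination produces the exposure described above.
# It understands only flat "key: value" lines, a constructed subset of elasticsearch.yml.

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_settings(text):
    """Return {key: value} from flat 'key: value' lines, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(text):
    """Return findings (list of strings) for settings that expose the REST API."""
    s = parse_settings(text)
    host = s.get("network.host", "_local_")  # Elasticsearch default: loopback only
    exposed = host not in LOOPBACK
    # A missing key is treated as "not explicitly enabled": releases before 8.0
    # shipped with security off, so an absent setting is the risky case.
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if not auth_on:
        findings.append("xpack.security.enabled is not true: REST API has no authentication")
    if exposed and not tls_on:
        findings.append(f"network.host={host} served without TLS (xpack.security.http.ssl.enabled)")
    if exposed and not auth_on:
        findings.append(f"CRITICAL: network.host={host} with authentication disabled: "
                        "every index is readable by anyone who can reach port 9200")
    return findings


# Constructed sample files: the weak pattern beside the corrected one.
WEAK_CONFIG = """
cluster.name: prod-logs
network.host: 0.0.0.0          # listen on every interface
xpack.security.enabled: false  # no credentials required
"""
HARDENED_CONFIG = """
cluster.name: prod-logs
network.host: _site_                   # still reachable from the LAN
xpack.security.enabled: true           # but only with credentials
xpack.security.http.ssl.enabled: true  # and only over TLS
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or ["no findings"])
```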
Victim: Wishbone (popular mobile application)
Impact: 40 million user records exposed and advertised for sale on hacking forums
Takeaway: There’s an app for that! Web and mobile apps are rife with vulnerabilities that continue to be exploited.
In May of 2020, a hacker published registered user information from Wishbone, a popular mobile application and social platform. The records included usernames, email addresses, phone numbers and hashed passwords, and the passwords were stored in the weak hashing format MD5, which is relatively easy to crack in order to reveal the original plaintext. This isn’t the first time that a Wishbone database was exposed (an earlier breach occurred in 2017), nor is it the first large breach we’ve seen of a mobile or web application. We recommend exercising care when downloading and using mobile apps, many of which contain unprotected binary code that can easily be examined, modified and exploited by attackers.
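To make the hashing point concrete, here is an added example (not code from the original article or from Wishbone) that places unsalted MD5 storage beside a salted PBKDF2-HMAC-SHA256 scheme and shows why the former is reversible by dictionary lookup. The three-entry wordlist and the sample passwords are constructed.

```python
# Added example (not from the original article): the unsalted MD5 storage
# described above beside a salted, slow PBKDF2-HMAC-SHA256 scheme. Wordlist and
# passwords are constructed for the demonstration.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP's 2023 floor for PBKDF2-HMAC-SHA256


def md5_hash(password):
    """Wishbone-style storage: unsalted, deterministic and extremely fast to compute."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_from_md5(digest, wordlist):
    """Why unsalted MD5 fails: a precomputed table of common passwords reverses it
    with a dictionary lookup, and every user sharing a password shares a digest."""
    table = {md5_hash(w): w for w in wordlist}
    return table.get(digest)


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Hardened storage: per-user random salt + tunable work factor, stored together."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    wordlist = ["123456", "password", "qwerty"]  # constructed three-entry "dictionary"
    leaked = md5_hash("password")
    print("MD5 digest", leaked, "recovers:", recover_from_md5(leaked, wordlist))
    stored = pbkdf2_hash("password")
    print("PBKDF2 record", stored[:40] + "...", "recovers:", recover_from_md5(stored, wordlist))
    print("verify ok:", verify_pbkdf2("password", stored), "wrong:", verify_pbkdf2("Password", stored))
```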
Victim: Blackbaud (cloud computing provider and software vendor serving nonprofits, universities and healthcare organizations)
Impact: 3 million or more user records exposed
Takeaway: Be wary of your friends. Smaller, less-resourced third parties often get attacked as a steppingstone to larger targets.
When Blackbaud, a vendor providing cloud-hosted fundraising software to a wide range of international nonprofits, was hit with a ransomware attack midway through the year, the attackers didn’t just encrypt the victim’s data. They also exfiltrated it, saying they’d delete all the data if the victim didn’t promptly pay the ransom. User records from thousands of charities, foundations, universities and healthcare systems were involved in the attack, which impacted entities ranging from the U.K.’s National Trust to the Rhode Island School of Design and the Memorial Sloan Kettering Cancer Center. The incident exemplifies the growing trend in which attackers target third-party vendors as a means of gaining access to data assets belonging to their larger customers. Simply put, your organization must be diligent when it comes to reviewing the security processes and policies your partners, vendors and consultants have in place. A vulnerability in one part of a shared information ecosystem can easily impact the whole.
Victim: LiveJournal (social networking and blogging platform)
Impact: 26 million sets of credentials exposed
Takeaway: Reduce re-use (of passwords, that is). “Credential stuffing,” which is just another way of saying “taking passwords compromised in one breach, and re-using them elsewhere,” remains prevalent.
Though the once-popular blogging platform appears to have suffered a breach back in 2014, the database of LiveJournal usernames and passwords wasn’t leaked on the Dark Web until May of 2020. Later that month, the Have I Been Pwned (HIBP) data breach indexing service recorded the compromise of more than 26 million user accounts. It goes without saying, but we’ll repeat it anyway: never, ever, re-use your passwords on multiple online accounts. Change passwords regularly. With this sort of incident, basic password hygiene and following cybersecurity best practices go a long way in keeping your information safe.
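Beyond advice to users, a service can blunt credential stuffing at signup and password-change time by refusing passwords already circulating from earlier breaches. This added example (not code from the original article or from HIBP) implements the client side of the k-anonymity range lookup offered by HIBP's Pwned Passwords service: only the first five hex characters of the SHA-1 hash ever leave the client. The range response embedded below is constructed, and the live `fetch_range` helper is not called by the offline demo.

```python
# Added example (not from the original article): the k-anonymity range lookup
# used by Have I Been Pwned's Pwned Passwords service, which lets a signup or
# password-change form reject credentials already circulating from earlier
# breaches without sending the password, or even its full hash, to anyone.
# The range response below is constructed; real counts differ.
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def split_for_range_query(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex; only the prefix leaves the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup (needs network); not called by the offline demo below."""
    with urllib.request.urlopen(API + prefix, timeout=10) as resp:
        return resp.read().decode()


def breach_count(password, range_response):
    """Match our suffix against the 'SUFFIX:COUNT' lines returned for the prefix."""
    _prefix, suffix = split_for_range_query(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent from the range: not in the corpus


def acceptable(password, range_response, max_seen=0):
    """Policy hook: reject any password seen in more breaches than max_seen."""
    return breach_count(password, range_response) <= max_seen


# Constructed reply for prefix 5BAA6 (SHA-1 of "password" begins 5BAA61E4...).
CONSTRUCTED_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
0000FA5A3B6C8B8E4C9D9A0A7F6E5D4C3B2:2
00001A2B3C4D5E6F7081920A1B2C3D4E5F6:17
"""

if __name__ == "__main__":
    prefix, _ = split_for_range_query("password")
    print("query sent to HIBP would be", API + prefix)
    for pw in ("password", "a-long-unique-passphrase-7f3k"):
        print(pw, "seen", breach_count(pw, CONSTRUCTED_RANGE), "times; accept:",
              acceptable(pw, CONSTRUCTED_RANGE))
```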
Victim: SolarWinds (software provider for IT services firms)
Impact: At least 18,000 SolarWinds customers were affected... that we know of so far
Takeaway: Watch your back! Incidents of supply-chain cyberattacks are on the rise, and it’s critical to model how this threat might impact your business.
Prior to this major breach, which was announced on December 14, SolarWinds provided IT asset management and remote monitoring software to over 300,000 organizations around the globe, including national governments, government agencies and Fortune 500 companies. The SolarWinds Orion platform, a network management system (NMS) used by at least 18,000 of the company’s customers, was the target of a sophisticated cyberespionage operation performed by an experienced nation-state attacker, who used the platform to distribute malicious code to thousands of victim organizations.
SolarWinds customers should review available guidance from SolarWinds as well as cybersecurity firm FireEye, which was also impacted by the attack and has subsequently researched its impact. All available remediations should be applied immediately, and all Orion customers should consider changing sensitive credentials and encryption keys company-wide. Organizations that were not impacted should carefully evaluate their future risks. The success of this operation may mean that other NMSs will be seen as highly attractive targets going forward. Besides threat modeling, organizations should consider ongoing security monitoring, which can rapidly identify anomalous activities that may indicate your network has been compromised. It’s a wise investment to address this threat.