Blog: The Arbitrary Top of the Past Year 2020

Author: Vlad

Patrowl's blog - The Arbitrary Top of the Past Year 2020

As I have traditionally done for several years, here is a "random unordered stochastic list in the form of a ranking of a totally arbitrary and subjective selection of the outstanding security events of the past year", i.e. a "top" 😉.

For all the details, I refer you to the corresponding emails of this list (which I can resend on request).

The main question one might ask is "what was 2020?"... besides a year marked by a global pandemic.

Note: Journal references represent OSSIR news journals where the topic was discussed: https://www.ossir.org/support-des-presentations/

2020, again the year of ransomware in the continuity of 2018 and 2019?

It is now certain, 2020 was the year of ransomware, in the continuity of previous years:

  • Emotet
      • Emotet returns to Germany (Review from 2020-01-14)
      • Emotet still the most widespread botnet, according to a report by eSentire (Review from 2020-02-11)

  • Many compromises by the Maze group, which announced it was stopping its activities (Review of 2020-11-10):
      • Maze threatens to release 14 Gb of stolen files from Southwire each week until ransom is paid (2020-02-11 Review)
      • Bouygues Construction Group targeted by Maze ransomware (2020-02-11 Review)
      • IT giant Cognizant victim of Maze ransomware (2020-05-12 Review)
      • Maze group claims to have hacked a network of LG Electronics Group (2020-07-07 Review)
      • Xerox Group reportedly falls victim to Maze Ransomware attack (2020-07-07 Review)
      • Maze leaks information from U.S. military contractor (Review of 2020-06-09)
      • SunCrypt Ransomware announces it has joined cartel created by Maze group (2020-09-11 Review)
      • Canon victim of Maze attacker group: 10TB of data stolen (2020-09-11 Review)

  • Lots of compromises and releases or threats of releases:
      • Maritime operator victim of Ryuk ransomware forced to shut down for 30 hours (2020-01-14 Review)
      • Hackers behind Sodinokibi/REvil ransomware begin publishing data from victims who refuse to pay ransom (2020-02-11 Review)
      • Analysis of the ransomware that allegedly hit Honda (2020-07-07 Review)
      • MMA victim of ransomware hack by REvil/Sodinokibi (2020-09-11 Review)
      • Umanis releases 6GB of data after compromise (2020-12-09 Review)
      • Software AG victim of Clop ransomware (2020-10-13 Review)

  • Some with defender abuse: Computer attack on Edenred hid another (2020-05-12 Review)
  • With substantial losses: €50 million expected loss for Sopra Steria from Ryuk ransomware attack (2020-12-09 Review)

And above all, the year of Cobalt Strike, a commercial tool used in the vast majority of these attacks. So much so that cybercriminals are asking for skills on this tool in their job offers.

Fortunately, with some good news:

  • For six months, security researchers secretly distributed a vaccine against the Emotet virus around the world (2020-09-11 Review)
  • Shade ransomware developers shut down and release 750,000 decryption keys (2020-05-12 review)
  • A great operation with hundreds of arrests across Europe (Encrochat)

Some of these attacks were using the COVID theme for their phishing (Review of 2020-05-12).

Speaking of COVID, the year 2020 was the year of Zoom-bashing, with or without reason?

The year 2020 saw strong growth for Zoom, but also many security findings:

  • Accounts recovered via credential stuffing and put up for sale
  • Zoom calls not end-to-end encrypted, using AES 128 not 256, meeting credentials are predictable (Zoom Bombing) (Review of 2020-05-12)
  • System takeover via two vulnerabilities within Zoom (2020-06-09 review)

But it is not necessarily better elsewhere:

  • Teams vulnerabilities with possible session theft (Review of 2020-05-12)
  • And even code execution on Teams by simply sending an image (Review of 2021-01-12)

2020, still the year of data leakage in the continuity of the past years?

Data leaks have been far too numerous to list 😉. I count about ten, public, per week.

2020, still the year of State Campaigns in the continuity of past years?

Unsurprisingly, still many state espionage campaigns:

  • A cyber espionage campaign hidden in Google Play for 5 years (Review of 2020-05-12)
  • Several cyber attacks to steal classified data have targeted Israel and are believed to be the work of groups associated with North Korea (2020-09-11 Review)
  • Bandook Trojan reappears in numerous campaigns linked to state interests; the last observed version was digitally signed (2020-12-09 Review)

With some originalities about the past 🍺:

  • Discovery of the existence of an alliance named Maximator around cryptography and signals intelligence (Review of 2020-06-09)

2020, still the year of original attacks or 3.0 like the past years?

With more and more original attacks:

  • Vibrations from computer's built-in fans can be exploited to exfiltrate data (Review of 2020-05-12)
  • Platypus: a new side-channel attack using RAPL (CPU power consumption) (Review of 2020-12-09)

And new vulnerabilities on components or microprocessors:

  • Intel processors plagued by a new vulnerability: Plundervolt in the Software Guard Extensions (SGX) component (2020-01-14 review)
  • Intel processors still plagued by two new vulnerabilities: CacheOut/L1DES and VRS (Review of 2020-02-11)
  • Thunderbolt security questioned again after 7 new vulnerabilities discovered (2020-05-12 review)
  • A researcher was able to unlock (jailbreak) Apple's latest T2 security chip (Review of 2020-10-13)

2020, another year of supplier (supply chain) compromises to hit its target(s)?

In continuity with previous years, attacks on suppliers or subcontractors continue, increasingly targeting software publishers and their software factories, and sometimes code or image repository hosts:

  • 725 malicious packages discovered in the RubyGems repository (Review of 2020-05-12)
  • JavaScript library update impacts over 3 million projects (2020-05-12 Review)
  • Russian citizen accused of seeking to recruit U.S. employee to deploy malware on Tesla's network (2020-09-11 Review)
  • Four malicious packages removed from npm package manager (2020-11-10 Review)
  • Solarwinds compromised (Review from 2021-01-12)

2020, the year of major vulnerabilities again?

Every year has its share of critical vulnerabilities, each with a global reach:

  • Curveball (CVE-2020-0601), affecting Microsoft's crypto, allows spoofing a valid X.509 certificate chain (Review of 2020-02-11)
  • System takeover via 2 vulnerabilities within SaltStack, remotely and without authentication (Review of 2020-05-12)
  • System takeover via 2 vulnerabilities within the Apple iOS Mail app, exploited in the wild but "a priori" without persistence on iOS 13 (Review of 2020-05-12)
  • Critical vulnerability in Apple products earns researcher $100,000 on "Connect with Apple" feature (2020-06-09 review)
  • Another Remote Control Takeover via Vulnerability in Apache Tomcat (2020-06-09 Review)
  • SMBleed, which allows reading uninitialized memory of the Windows kernel (Review of 2020-07-07)
  • ZeroLogon (CVE-2020-1459), cancels the local administrator password of a domain controller and is exploited in the wild (Review of 2020-10-13)
  • BadNeighbour (CVE-2020-1459) allows a remote denial of service in IPv6 but limited to the local network (Review of 2020-11-10)

And always:

  • Hundreds of vulnerabilities in Chrome (all reviews)
  • Hundreds of vulnerabilities in Cisco (all reviews)
  • Hundreds of vulnerabilities in Android:
      • System takeover and elevation of privilege via 40 vulnerabilities within Android (2020-01-14 review)
      • System takeover and elevation of privileges via 25 vulnerabilities in Android (Review of 2020-02-11)
      • System takeover and elevation of privileges via 39 vulnerabilities in Android (Review of 2020-05-12)
      • System takeover and elevation of privileges via 34 vulnerabilities within Android (Review of 2020-06-09)
      • ...

  • But also a lot on iOS (all reviews)
  • Vulnerabilities in antivirus software:
      • System takeover and security bypass via 4 vulnerabilities within Kaspersky products (Review from 2020-01-14)
      • Data manipulation and denial of service via a vulnerability in Trend Micro Deep Security (Review from 2020-01-14)
      • Elevation of privileges via a vulnerability in Trend Micro Maximum Security (Review from 2020-02-11)
      • System takeover via vulnerability in F-Secure (Review of 2020-02-11)
      • Chinese hackers exploit vulnerability in Trend Micro antivirus to compromise Mitsubishi Electric systems (2020-02-11 Review)
      • Privilege elevation and data manipulation via 5 vulnerabilities in Symantec Endpoint Protection and Symantec Endpoint Protection Manager (Review of 2020-06-09)
      • Security bypass via 2 vulnerabilities within Symantec Advanced Secure Gateway and Symantec Content Analysis (Review from 2020-06-09)

  • Security product vulnerabilities:
      • System takeover and elevation of privileges via 13 vulnerabilities within F5 BIG-IP (2020-01-14 Review)
      • System takeover without authentication via a vulnerability in the traffic management portal of F5 BIG-IP products (Reviewed on 2020-07-07)
      • Security bypass and denial of service via 5 vulnerabilities within F5 Big-IP and Big-IQ (Reviewed on 2020-12-09)
      • Change of a user's password remotely, without authentication in FortiMail and FortiVoiceEnterprise (Review of 2020-05-12)
      • System takeover and data manipulation via 6 vulnerabilities in PAN-OS (PAN-100734) (Review of 2020-06-09)
      • Elevation of privileges and security bypass via a vulnerability in PAN-OS on signatures during SAML authentication (PAN-148988) (Reviewed on 2020-07-07)
      • System takeover without authentication via a vulnerability in PAN-OS (Reviewed on 2020-09-11)
      • System takeover via 3 vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance (Reviewed on 2020-07-07)
      • Data manipulation and information disclosure via two vulnerabilities in Stormshield Network Security (Review of 2020-07-07)
      • System takeover and security bypass via 4 vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance (2020-07-07 Review)

  • Citrix vulnerabilities:
      • Remote system takeover via a vulnerability within Citrix ADC and Gateway products (2020-01-14 Review)
      • Theft of sensitive information via 3 vulnerabilities within Citrix ShareFile and update is not enough to fix (Review of 2020-05-12)
      • Security bypass and information disclosure via 3 vulnerabilities within Citrix products (Review of 2020-12-09)
      • Privilege elevation and information disclosure via 3 vulnerabilities in Citrix products (2020-10-13 Review)

  • Thousands of vulnerabilities in Oracle:
      • Oracle, 334 vulnerabilities including 43 critical (CVSS score > 9.1) (2020-02-11 Review)
      • Oracle, 450 vulnerabilities in 24 products including 286 critical (Review of 2020-05-12)
      • Oracle, 443 vulnerabilities in 27 products including 70 critical (Review of 2020-07-07)
      • Oracle, 402 vulnerabilities including a hundred critical (Review of 2020-11-10)
      • ...

2020, a good year for France-Cybersecurity?

Fortunately, 2020 was a good year for the French cybersecurity business, with good news:

  • CrowdSec raises 1.5 M€ (Review of 2020-11-10)
  • QuarksLab raises €5 million (Review of 2020-07-07)
  • Tehtris security raises €20 million

But also some bad ones:

  • Vade Secure's US fundraising cancelled (Review of 2020-09-11)

On the other hand, France is still at the forefront:

  • lsassy in version 1.0.0, integrated with Metasploit (Review of 2020-01-14)
  • PingCastle, regularly updated
  • Mimikatz, regularly updated
  • The Hive 4.0-RC2, with strong two-factor authentication (MFA) (Reviewed on 2020-05-12)
  • Bento 2020.5, toolkit for forensics (Review of 2020-06-09)

And still some great publications:

  • OSSIR and CLUSIF publish a cybersecurity guide for business leaders (2020-02-11 Review)
  • ANSSI publishes its report "The state of the threat against companies and institutions" (Review of 2020-02-11)
  • The cybercriminal group SILENCE is the subject of a report by ANSSI (Review of 2020-05-12)
  • ANSSI publishes a collection of checkpoints concerning the security of Active Directory (Review of 2020-06-09)
  • ANSSI publishes a detailed report on the TA505 cybercriminal group (Review of 2020-07-07)
  • ANSSI and the Ministry of Justice publish a guide to raise awareness of ransomware among companies and communities (Review of 2020-09-11)
  • ANSSI's feedback on the Dridex malicious code (Review of 2020-06-09)
  • ANSSI publishes a report on the Ryuk ransomware (Review of 2020-12-09)
  • ANSSI publishes the list of 26 security professions (Review of 2020-10-13)
  • CERT-FR publishes a document on the Emotet Trojan (Review of 2020-11-10)

2020, a good year for Personal Data Protection?

A year with some nice advances:

  • Personal data protection in California, named the California Consumer Privacy Act of 2018 (CCPA), similar to the GDPR (Review of 2020-01-14)
  • CNIL publishes GDPR guide for developers (2020-02-11 review)
  • European Court of Justice opposes massive collection of Internet and phone connection data by states (2020-10-13 Review)
  • Privacy Shield: Ireland asks Facebook to stop transferring data to the U.S. (2020-10-13 Review)

And some nice fines:

  • Facebook fined $1.6 million in Brazil in Cambridge Analytica case (2020-01-14 Review)
  • Facebook fined $550 million for its use of facial recognition (2020-02-11 review)
  • Two companies of the Carrefour group sanctioned by the CNIL for a total amount of 3 million euros (Review of 2020-12-09)
  • Ticketmaster UK fined €1.7 million following a 2018 data leak (2020-12-09 Review)

But these fines are often reduced on appeal, severely limiting the impact of GDPR:

  • British Airways fined £20 million; initial fine set at £200 million, lowered following covid-19 (2020-11-10 Review)

2020 is also the year when we have been able to reinvent ourselves, to massively telecommute and to adapt our lifestyles.

I take advantage of this mail to wish you all a very happy 2021 🥳🎊🎉, with all my wishes of happiness and good health, especially health.

Hope to see you soon for a beer in the finally reopened bars 🍻.
