Not a week went by in 2015 without a major data breach, significant attack campaign, or serious vulnerability report. Many of the incidents were the result of disabled security controls, implementation errors, or other basic security mistakes, highlighting how far organizations have to go in nailing down IT security basics.
But looking beyond the garden-variety attacks and vulnerabilities lends great insight into the future of malicious activity and how to defend against it. And 2015 had its share of intriguing invasions, each of which highlighted the modified techniques that lead to new forms of breaches or pinpoint areas in need of new defenses. The past year saw cyber criminals adopting innovative approaches and state-sponsored actors becoming bolder. Motivations shifted, with financial gain no longer the sole reason for launching an attack. Inflicting physical damage, stealing trade secrets, hacking as a form of protest -- 2015 was a year in which malicious activity served many ends.
The increasingly interconnected world means bad guys can cause a lot of damage; more important, many malicious actors now have the skills and means to carry out chilling attacks. Below is a roundup of some of the most significant incidents of the past year, each of which pushes the overall security conversation further, showing new paths and needs for defense. Which ones did we miss?
Bitcoin under barrage
Bitcoin -- and the idea of crypto currency in general -- captured mainstream attention this year, in part because of nefarious actors who used the platform as cover for payment. Ransomware gangs have demanded payment in bitcoins before unlocking victims’ files and folders, and blackmailers have demanded bitcoins in exchange for not launching DDoS attacks against websites. But bitcoin made security headlines several times in 2015 for a different reason: Thieves kept stealing bitcoins ... lots of them.
European exchange Bitstamp suspended trading after discovering one of its operational bitcoin storage wallets was compromised in early January. The exchange is believed to be the world’s third busiest and handles approximately 6 percent of all bitcoin transactions. About 19,000 bitcoins, or roughly $5 million, were stolen at the time. That wasn’t the only bitcoin attack, as China-based exchange BTER reported in February that 7,170 bitcoins, or roughly $1.75 million, were stolen from its cold wallet system. Thieves stole 10.235 BTC, or roughly $2,500, from bitcoin startup Purse in October.
Consider it a twist on the traditional bank heist: Instead of looting bank accounts, exchanges are raided. In addition to showing there is real financial value associated with the virtual currency, the thefts highlighted the need “for an internationally recognized security standard” for bitcoin, said Florindo Gallicchio, director of information security in the Optiv Office of the CISO. In February, the Cryptocurrency Certification Consortium (C4) proposed 10 standardized rules for the creation, storage, audit, and use of bitcoins, as part of the Cryptocurrency Security Standard (CCSS).
While the amounts stolen aren’t insignificant, they pale in comparison to the 850,000 bitcoins, worth close to $450 million, that disappeared from Japanese-based exchange Mt. Gox in 2014. The exchange, believed to have handled 70 percent of all bitcoins, has since closed and entered bankruptcy. Japanese police believe the theft was an inside job.
As is often the case with technology, the exchanges have thus far focused on functionality and usability, with security an afterthought, said Steve Donald, CTO of Hexis Cyber Solutions. Many of the attacks relied on social engineering to gain a foothold on to the exchange’s network. Exchanges need to adopt secure code development practices, as well as dynamic and static code analysis to protect their applications. “Bitcoin exchanges should be highly incented to improve security as this will be a requirement before this new type of currency will achieve wide scale usage,” Donald said.
Cyber goes real-world
Cyber attacks that result in damage in the physical world happen far more often on TV shows than they do off-screen. It was scary when the Shamoon malware attack partially wiped or totally destroyed hard drives of 35,000 computers at Saudi oil company Aramco back in 2012. We saw the blurring between cyber and physical again -- to be fair, the attack actually happened in 2014 and the report providing the details were released shortly before the end of the year -- at an unnamed German steel mill when attackers manipulated and disrupted control systems. The blast furnace could not be properly shut down, resulting in “massive” damages, according to reports.
There is a tendency to think cyber attacks are about stealing data or knocking systems offline. There can be real-world damage, too. An attacker can potentially compromise a pharmaceutical company’s production process or quality control systems and modify the recipe for a particular drug. Hospital systems are also vulnerable to attack, especially since many legacy systems still in use cannot be secured. As much as 20 percent of hospitals are vulnerable to attacks that can disable critical care systems, Gallicchio said.
“People can be physically hurt from a cyber attack,” Gallicchio said.
Industrial control system security comes up a lot in conversation, but the incident at the German steel mill highlights the fact that the threat is no longer theoretical. One of the challenges facing industrial control system security, especially in manufacturing, is the simple fact that the systems are typically controlled and administered by operations and engineering departments, not IT. The operations and engineering teams are focused on reliability and make decisions at the expense of security in order to maintain uptime.
Improving defenses requires “a mix of basics and more contemporary defenses,” such as ensuring proper segmentation and access controls between different networks, Donald said.
Financial crime goes big
There were a number of attacks against financial institutions in 2015, but none was more audacious than the Carbanak crime ring, which targeted more than 100 banks and other financial institutions in 30 nations. Kaspersky Lab estimated the gang had stolen as much as $1 billion since late 2013 and had managed to stay under the radar for two years because it kept each transaction between $2.5 million and $10 million.
The scale of attacks against financial institutions indicate criminals are moving away from low-value consumer-related attacks such as identity and credit card theft in favor of high-value attacks. “The old ‘smash and grab’ jobs are becoming carefully orchestrated and executed jobs,” said Mike Davis, CTO of CounterTack.
The FBI also warned of an increase in social engineering campaigns where an attacker sends an email purporting to be from the CEO or another senior executive to the CFO or another executive authorizing a wire transfer. If the recipient is tricked and doesn’t validate the email’s authenticity before the transfer, that money is gone, usually for good.
While external attackers still pose the biggest threat to financial organizations, 2015 showed insiders can cause damage as well. Earlier this year, a former employee of Morgan Stanley pleaded guilty to stealing confidential data from more than 700,000 customer accounts while he was interviewing for a new job with two competitors. And external attackers target insiders who already have access to sensitive data. Encryption, dynamic security policies that travel with data, and robust multifactor authentication controls are some of the defenses financial institutions should consider to ensure that unauthorized individuals can’t read anything they shouldn’t be allowed to see, said Ron Arden, vice-president of Fasoo.
Health care on the breach radar
Some of the biggest breaches in 2015 involved health care organizations, including Anthem, Excellus BlueCross BlueShield, Premera Blue Cross, and CareFirst, to name a few. Eight of the 10 largest health care breaches happened in 2015, according to the U.S. Department of Health and Human Services.
It’s no surprise the attackers went after health care, since the companies tend to have valuable data, including names, addresses, Social Security numbers, medical records, and financial information. The data is difficult to change, meaning it has a longer shelf life and can be used in a variety of follow-up attacks. Attackers accessed more than 100 million health care records in 2015.
While some of the breaches may have been part of identity theft and other cyber crime activities, security experts believe Anthem was the work of Chinese state-actors. The attackers may have been after data on specific individuals for intelligence purposes, or they may have wanted intellectual property relating to how medical coverage and insurer databases are set up. The Chinese government has denied any involvement in the attacks, and Chinese authorities recently arrested individuals they claim had targeted Anthem for cyber crime purposes.
“Just like how the financial verticals evolved to the next-generation bank heists, we will soon see attackers use health care information records to support more sophisticated business models,” said Itzik Kotler, co-founder and CTO at SafeBreach.
These attacks were successful in large part because health care companies have not traditionally invested as much on security initiatives as financial institutions have. The Anthem breach, in particular, showed how far some health care companies lag on basic security best practices. As Target shook the retail sector out of its complacency in 2014, Anthem made the health care industry sit up and notice the very real dangers it faces.
Worse, encryption practices around sensitive data had no effect. In many health care breaches, users were socially engineered out of their credentials, letting attackers easily bypass encryption controls. It doesn’t take a lot, either. Attackers stole 80 million personal records from a large health care insurance company by compromising only five user accounts, Eric Tilenius, CEO of BlueTalon, said. “Every company should ask, ‘How much data would be exposed if a user account gets compromised?’ and then work to limit that exposure,” he said.
“It doesn’t matter how strong your security platform is, if employees aren’t properly trained in best security practices, it all can go out the window,” said Garry McCracken, vice president of technology at WinMagic.
Attacks as part of a long game
Perhaps the most intriguing, significant, and shocking security incident of 2015 was theattack against the U.S. Office of Personnel Management. The personal data of millions of government employees, U.S. military personnel, and government contractors who had received background checks and security clearances were stolen. In a typical data breach, the attackers target the organization because they want the information it has. In the case of OPM, the attackers didn’t want the records simply for the sake of having them, but to obtain background information on targeted individuals.
“[The OPM breach] represents human targeting at its finest, understanding that people are our biggest security risk … our weakest link in the chain,” said Renee Bradshaw, manager of solutions strategy at NetIQ, the security portfolio of Micro Focus.
The method of attack followed a formula: Target a subcontractor in a social engineering attack and steal credentials to gain access to the network. Plant malware on a system and create a backdoor. Exfiltrate data for months, undetected. The level of poor security practices at OPM “was astounding,” including lack of consistent vulnerability scanning and two-factor authentication, as well as untimely patch management, said Bradshaw.
The OPM breach also emphasized organizations' vulnerability to social engineering. Government employees and contractors are now subject to security awareness training programs to learn about the dangers of spear phishing and other social media threats.
Vulnerabilities out of control
The attack against Hacking Team over the summer was an eye-opener. The Milan-based company developed and sold surveillance software to government agencies around the world. The company relied on zero-day vulnerabilities to develop software that was difficult to detect and could intercept communications. When an unknown individual released more than 400GB of data stolen from Hacking Team, including email communications, business documents, and source code, security researchers uncovered proofs-of-concept for three different zero-day vulnerabilities in Adobe Flash Player. While Adobe scrambled to fix the flaws as quickly as possible, cyber criminals were able to create exploits and use them in large-scale attacks.
“Hoarding zero-day exploits at both the national and private level is dangerous for everyone. We can’t expect to come out on top if we are sitting on these types of vulnerabilities,” said Tom Gorup, security operations leader at security consulting firm Rook Security.
Not reporting the vulnerabilities to the vendor for fixes means someone else can come along and find the same bug. If it was found in the first place, it stands to reason someone else will eventually find it, too. As Hacking Team learned the hard way, anyone can be breached. And once the vulnerabilities are public, everyone is at risk. Zero-day exploits are not like physical weapons in that the original owner has control over how and when it is used. The weapon can be used right back, with devastating consequences.
“We need to refocus our cyber efforts to a defensive posture and let our infantry and airmen handle the offensive efforts,” Gorup said.
Government services leak too much info
As attacks against government agencies go, the IRS Transcript Service breach was small beans. Only 100,000 people had their information exposed through this breach, which is significantly less than the 21.5 million affected by the OPM breach. The attackers plugged in the victim’s name, address, and Social Security number into the IRS Get Transcript service to obtain detailed information such as income, employer name, and dependents.
More uniquely, attackers used legitimate services to convert basic personally identifiable information to determine detailed data that could be used to falsify tax returns and other forms of financial fraud. The same method can conceivably be used with the Department of Motor Vehicles' online renewal process or with a property appraisal site maintained by the county. With the information obtained through these services, identity theft becomes easier. It was especially effective, as attackers enjoyed a 50 percent success rate using the stolen data, noted Morey Haber, vice president of technology at BeyondTrust.
“Many sites like the Get IRS Transcript website exist all over the Internet for state, local, and federal governments. The IRS was an easy target, but so are the others,” Haber said.
Forget cars, what’s happening with airplanes?
Vehicular hacking burst on to the scene in 2015 and grabbed a lot of security headlines, but we should be worried about all the things we don’t know regarding attacks on airplanes. About the time researchers Charlie Miller and Chris Valasek were exploiting a Chrysler’s UConnect infotainment system to remotely control a 2014 Chrysler Jeep Cherokee, there were reports the group behind the OPM breach had successfully obtained records of origins and destinations of United Airlines passengers, as well as passenger manifests. Another group of attackers also disrupted the IT systems for LOT Polish Airways, which resulted in the airline canceling 20 flights and grounding 1,400 passengers.
Then of course there’s the FBI’s claim that security researcher Chris Roberts caused a plane’s engine to climb when he was poking around aircraft systems while on a United Airlines flight. The jury’s out on whether Roberts actually managed to take over the jet.
Should these attacks concern us? Are airplanes at risk? Both United and LOT have refused to provide any information on the issues.
“The scary answer here is that we don’t know, and that’s both surprising and unsurprising at the same time,” said Johnathan Kuskos, manager of the threat research center at WhiteHat Security.
There are two different types of attacks to worry about. One targets IT systems, such as the airline website and check-in kiosks at the airport. The other targets onboard systems that actually power and control the aircraft. The onboard systems tend to be heavily sandboxed and are locked down. IT systems are more at risk. And according to WhiteHat’s vulnerability statistics report, every online application has at least one serious vulnerability.
“It’s hard to imagine that a professional criminal syndicate or state-sponsored hackers haven’t targeted these major airlines yet,” Kuskos said.
Getting around Apple’s walled garden
Palo Alto Networks this year uncovered XcodeGhost, a malware attack that infected iOS applications and existed in the App Store for months before being detected. The attack relied on iOS developers downloading a compromised version of Xcode, the iOS dev kit. Compromising a toolchain is not a new attack method, and XcodeGhost was extremely successful at infecting developers on a wide scale. The real danger lies in what lessons the XcodeGhost team learned from its success and how it will try again.
The way the malware infected iOS apps before they were distributed into the App Store was completely new, said Ryan Olson, intelligence director at Palo Alto Networks. Developers are vulnerable and attackers can piggy-back on their apps into the App Store, past Apple’s vaunted security measures.
“While the XcodeGhost malware was not particularly dangerous, it was groundbreaking in the way it gained access to millions of devices,” Olson said.
XcodeGhost showed people that Apple’s walled garden can be breached and at a wide scale. It forced app developers to clean up their systems, re-issue their applications, and be better about where they get their developer tools. In order to defend against similar attacks, iOS developers need to understand their dev systems and apps are valuable to attackers looking for ways to target iOS users.
“XcodeGhost was the first truly widespread malware that impacted non-jailbroken phones, it was a massive eye-opener for iOS users who had previously thought they were invulnerable to attack,” Olson said.
Juniper’s unauthorized backdoor scandal
Juniper Networks recently uncovered unauthorized code in its Juniper NetScreen firewalls that could allow attackers to decrypt VPN traffic. The issue arose from the fact that Juniper used Dual_EC_DRBG, a known flawed random-number generator, as the foundation for cryptographic operations in NetScreen's ScreenOS. Juniper claimed it used additional precautions to secure the random number generator. It turned out the safeguards were ineffective.
The backdoor in Dual EC can be viewed as two parts, where one adds a second keyhole that overrides the normal lock on a door, and the other is a specific lock cylinder that fits that keyhole, Matthew Green, a cryptographer and assistant professor at Johns Hopkins University, wrote on Twitter. The attackers replaced the NSA-approved lock cylinder with their own lock cylinder. They wouldn’t have been able to replace the cylinder if the door hadn’t been modified with the keyhole in the first place.
In the end, someone somewhere was able to decrypt Juniper traffic in the United States and around the world. The matter is currently under investigation by the FBI.
“NSA built in a powerful eavesdropping backdoor. The attackers simply repurposed it by changing a few bytes of code,” Green said. “I’ll be honest, while I’ve been worrying about something like this for a long time. Seeing it actually happen is staggering.”
In light of the mounting pressure from government officials on the tech industry over encryption backdoors, what happened to Juniper is a clear example of how backdoors can be abused. 2016 will tell whether law enforcement and government will learn the lesson and back off on those demands.
Understanding 2015
It’s clear from looking at the attacks and breaches this year that the IT security industry is not well-positioned to defend itself. Knowing is half the battle, but there’s a long road ahead for organizations that don’t follow the basics of security best practices. “Security isn’t cheap, and when you’ve historically underinvested in security, what it takes to catch up in both technology investment and human capital is expensive,” said James Carder, CISO at LogRhythm and vice president of LogRhythm Labs.
MIKAEL RICKNAS
