Let’s be honest, 2020 will not be remembered fondly by many people. Having celebrated its passing, let’s have a quick look back on the big cyber security events and trends that happened over the year
WFH Tools
As so many office workers moved to working from home the demand for collaboration and Video-Tele-Conferencing tools brought a renewed security focus on suddenly business critical applications such as Zoom and Teams. For Zoom, it meant upping the ante on security, with the hurried development of actual end-to-end encryption and the hiring of more heavyweight security staff.
There was also a renewed focus on Teams, which along with other popular examples like VS Code and Slack, is an Electron application. The fact that Electron apps are just web browsers without modern security mitigations was reinforced by a big-ticket vulnerability that could be triggered by a single GIF, or a more recent issue triggered simply by viewing a message. Whilst Electron and similar frameworks undoubtedly make it easy to develop cross-platform GUI applications, it does feel like a step-back in endpoint security when you can exploit a desktop app with Cross-Site Scripting.
The good news is that the massive focus these applications have had, and the need to scale them to cope with the increased demand, puts them in a much better position for the future when we go back to something like what used to be normal. From a defensive perspective, it comes down to good old patching. It wasn’t just desktop applications that needed rapid patching last year, as administrators couldn’t afford to take their eye off their more traditional networking kit…
Network Device Vulnerabilities
It wasn’t a great year for the purveyors of enterprise-grade network security devices, with a swathe of high-profile vulnerabilities in, for example, F5 and Cisco, and PulseVPN devices. They were bad vulnerabilities too, with the F-5 Remote Code Execution (RCE) vulnerability (CVE-2020-5902) getting the highest possible CVSS rating of 10.0. That’s as bad as it gets for any vulnerability, and when it’s in a device that sits on the outside edge of your network the exploitation consequences are severe, as organisations like Travelex found out.
We’ve seen similar issues with Anti-Virus products in the past; unfortunately, just because the products are designed to enforce security doesn’t mean the developers follow best practice when building them. It doesn’t seem unreasonable to suggest that this isn’t good enough. Selling expensive products built without best practice development processes (an SDL, static and dynamic analysis, fuzzing, security testing) is not excusable at all, especially considering how expensive and business critical these devices are.
Let’s hope a lot of vendors have learned the lesson, and are upping their game in the development of their products. If not, we’re going to see more big-ticket vulnerabilities, and customers looking for alternative solutions.
Ransomware Everywhere
2020 saw a continuing rise in the threat and occurrence of ransomware attacks, plus some changes to the tactics of some of the big ransomware crews. There were too many publicised attacks to list, but recent victims included Foxconn and Vancouver’s transit agency.
One worrying development with the tactics of some of the ransomware crews is how they are also threatening to publish the stolen information online, torpedoing the strategy of ignoring the ransom and restoring from offline backups. Another complication that arose was the announcement of US sanctions against Evil Corp, the people behind the Dridex malware. In some ways the sanctions make it harder for everyone, as paying out on a ransom is an illegal contravention of the sanctions, adding another complicating factor to victims’ decisions over paying out.
On the defensive side the lessons should be clear by now: implement offline/offsite backups, disable RDP if you don’t use it, patch your stuff, and refresh your phishing protections. One consequence of this ever increasing ransomware threat is its effect on cyber insurance. In the near future there are going to be some tough decisions about policies and premiums, as insurers are struggling to cope.
One regular victim of ransomware over the whole of 2020 was an industry that already felt under siege from different cyber security threats: healthcare.
Healthcare Under Siege
2020 was obviously a big year for the healthcare industry, perhaps more than anyone else. Whilst they have done wonders with the pandemic response, there are still big issues with their approach to cyber security. Under increased focus and pressure, historic issues with poor cyber security practices suddenly had even more serious consequences in the face of threats new and old.
There were some pandemic-specific attacks that caused them issues, including the targeting of COVID-19 research by attackers, and spammers using the pandemic as a new topic for spam emails.
On top of the new threats there was the inevitable slew of ransomware attacks, for example in Baltimore and Vermont. In Germany an attack may have directly led to the death of a patient. Such obvious human consequences raises the issue of Law Enforcement response to ransomware, and the question of what constitutes a reasonable response to what can be a direct threat to life. Next year might see renewed discussions for concerted efforts to disable some of the big ransomware groups.
Presumably there’ll be lots of reviews of the healthcare once we’re through the pandemic. It’ll be interesting to see how much cyber security features, particularly in the areas needing improvement. It seems like a lot of healthcare institutions need a fundamental review of their cyber security, the question is whether they’ll ever have the funding to do it. Maybe it needs to be driven and provided by central government.
As if all this wasn’t enough, there was also reporting of more disappointingly poor vulnerabilities in healthcare devices, for example this GE Healthcare radiology machine. It seems like it’s not just the vendors of network security devices who are overdue a refresh of their development practices. This is a massive issue for healthcare, and again the manufacturers should take a large amount of blame; it shouldn’t be acceptable to supply key medical equipment that have basic security flaws. One compounding issue is that often in healthcare the IT team has no role in purchasing decisions, but are responsible for connecting whatever the doctors have bought into an already over complicated network.
That leads nicely onto the final, and possibly biggest topic of the year: how the supply chain of hardware and software affects the security of an organisation.
Supply Chain Woes
The healthcare industry has long-standing issues with the cyber security of their supply chain, as do most critical and high-assurance industries. It was a big issue even before we heard about the Solar Winds attack, which has rightly thrust this issue back to the foreground. That was such a big story you could be forgiven for forgetting some of the other big supply chain issues of 2020, such as the battle over Huawei kit in the UK telecoms infrastructure, and the continual drip of issues with software dependencies.
As the details of the Solar Winds hack slowly come out we’re getting more of a picture of what happened, but we may never get the full story. At the very least, it seems like the attackers had access to the development and build process of Solar Winds, and were able to inject malicious functionality into the software that repurposed it as a software implant to exploit customer networks.
Certain industries say they are taking supply chain security seriously, and for example may demand the completion of a long spreadsheet before onboarding a supplier, but that feels like more of an exercise in being seen to do the right thing than it does a genuine effort.
From a defensive perspective it raises so many questions for organisations building any kind of technical product. Assuring the security of every one of your developers, and of your code/build/deployment pipeline, is a very difficult problem. We’ve been talking a lot about how you can stop the next Solar Winds attack, and this year are going to be looking at technical solutions for detecting malicious actors in the development and build process. Hopefully more to follow on that in the future.
Conclusion
2020 was obviously a difficult year, and 2021 isn’t going to be immediately easier for many. Hopefully we can all soon start to move on and get back to something like normal. Although many things will undoubtedly be different. Many companies won’t be returning to a fully office-based culture, now that many have been convinced by and have adapted to working from home. Hopefully the hardest changes have already been made, and after the pandemic it’ll be nothing more for most people than a little readjustment. Regardless of what happens, Hexiosec are here to help. Happy New Year!