2020 has had its share of memorable hacks and breaches. Listed below are the top 10
2020 was a tough year for many reasons, not least because of breaches and hacks that hurt end users, customers, and the target organizations. The ransomware threat dominated the headlines, with an endless stream of compromises hitting schools, governments and private companies as criminals demanded millions of dollars in ransom. There was also a steady stream of data breaches, and several mass account takeovers occurred as well.
What follows are some of the highlights. We also throw in a few notable hacks that, while not actively used in the wild, were so impressive that they pushed the boundaries of security research.
The SolarWinds hack
2020 saved its most devastating blow for last. Hackers, who several officials say are backed by the Russian government, first compromised the software distribution system of SolarWinds, the maker of network monitoring software used by tens of thousands of organizations. The hackers then used that position to deliver a backdoored update to around 18,000 customers. From there, they had the opportunity to steal, destroy, or alter data on any of those customers' networks.
It will take time for investigators to assess the damage, because not everyone who installed the malicious update received follow-on attacks. So far, the security firm FireEye has said that the hackers obtained information about its government customers and also stole the Red Team tools it uses to test customers' security defenses. US officials have since said that dozens of Treasury Department email accounts were also compromised.
Although the full effects of the breach will not be known for months, it is already clear that the SolarWinds hack is one of the most damaging espionage operations visited on the US in the past decade, if not of all time. It achieved this through an attack on a software supply chain that some of the largest companies and government agencies in the world depend on. The attackers then used that pipeline to dig deep into the networks of the entities that interested them most.
Beyond the loss of so much valuable data, the SolarWinds hack is notable for the top-tier tradecraft behind it. According to Yahoo News, the attackers had control of the SolarWinds update system by October 2019 at the latest and began pushing malicious updates in March. The industry-wide compromise was not unearthed by the government agencies charged with detecting such intrusions, but by FireEye's investigation of its own breach.
Mass compromises from Twitter to Nintendo accounts
In July, Twitter lost control of its internal systems to hackers who used them to run a Bitcoin scam. The breach was notable because it compromised the accounts of politicians, celebrities and business leaders, many of whom had millions of followers.
While the damage was modest (around $100,000 in payments to the bogus Bitcoin promotion and some personal information stolen from a handful of account holders), the same access could have been used to do far worse things; think of a bogus announcement from a government official or an executive that manipulates the stock market or inflames geopolitical tensions.
Another thing that made this breach significant was the people who carried it out and the tactics they used. Authorities charged a 17-year-old, a 19-year-old and a 22-year-old, who allegedly used a spear-phishing attack on a Twitter employee working from home during the COVID-19 pandemic to steal an administrator password.
A runner-up in the category of hacks resulting in mass account compromise was the one that hit Nintendo in April.
Ransomware attacks on the Düsseldorf University Hospital, Garmin and Foxconn
These are separate breaches, but together they underscore the cost that ransomware attacks impose not only on the target organizations but also on the millions of people who rely on them.
During the outage at the Düsseldorf hospital, a patient seeking life-saving treatment was turned away and died while seeking care at a facility farther away. It is possible, even likely, that the patient would have died anyway, but the incident nonetheless shows the potentially lethal role that ransomware and other destructive hacks can play.
The Garmin attack, meanwhile, caused a four-day outage that cut off GPS services for millions of people, including some airplane pilots who rely on them for flight planning and mapping.
Another ransomware attack that drew attention was the breach of electronics giant Foxconn. The attackers demanded $34 million for the return of the data, the largest ransom ever demanded.
Data breaches at Marriott and EasyJet
These were also separate hacks, but together they compromised the personal data of hundreds of millions of people.
For Marriott, the loss of information on 5.2 million guests was the second time in three years that a hack of this magnitude had hit the company. An EasyJet breach affected nine million passengers.
An iPhone zero-click exploit and extraction of an Intel CPU crypto key
Not all hacks are bad. Sometimes they are carried out by the good guys, and occasionally they are so elegant that one simply has to admire the ingenuity that went into them.
The most impressive hack of the year came from Ian Beer, a member of Google's Project Zero vulnerability research team. He developed an attack that, until Apple released a fix, gave him full access to any iPhone within radio range of his malicious Wi-Fi access point.
The iPhone user did not need to do anything for the attack to succeed, and it was wormable, meaning the exploit could spread from one nearby device to another. One of the most formidable hacking exploits in recent history, it demonstrates the damage that a single garden-variety vulnerability can cause. Apple fixed the underlying buffer overflow bug after Beer reported it privately.
Another top hack of the year was the extraction of the secret key used to encrypt microcode on an Intel CPU, a first in the annals of security and reverse engineering.
The key makes it possible to decrypt the microcode updates Intel ships to fix security vulnerabilities and other types of bugs. With a decrypted copy of an update in hand, hackers could potentially reverse engineer it and learn exactly how to exploit the hole the patch closes. The key could also be used by parties other than Intel, such as a malicious hacker or a hobbyist, to load chips with their own microcode, although such a modification would not survive a reboot.
There's an old saying in security circles that attacks only get better. 2020 has proven the saying true again, and no doubt 2021 will do the same.