Cyberattacks: tendencies observed in 2019

In IT Operations, Blogfest-en, Uncategorized by Baufest

Analyzing cyberattack trends allows us to understand how cybercriminals have been acting lately and what can be expected in the short term.

Tuesday 19 May 2020
Cyberattacks in 2019

This will not recover losses that have already occurred, but it does make it possible to develop proactive policies that prevent future cybersecurity incidents. With this in mind, Baufest has prepared a report highlighting the cyberattacks observed month by month during 2019. The dynamics of these incidents show that information is an asset that is increasingly valuable and sought after. Information leakage is therefore the clear protagonist, followed by malware attacks, crypto mining and service unavailability events.

As regards specific strategies, three kinds of cyberattacks were observed:

Attacks on the software supply chain: instead of attacking companies directly, attackers compromise the third-party software those companies use. Malicious code is typically planted in legitimate software by modifying and infecting some of the basic components on which it is built.

Scam e-mails: an unsolicited e-mail offers a bargain (or something in exchange for nothing). Some of these scam messages propose business deals; others invite victims to a website with a detailed presentation.

Attacks against cloud environments: faulty cloud environment settings were one of the main causes of data theft events.

Month after month

In January 2019, the main cybersecurity ailment was information leakage. More than 770 million e-mail addresses and 21 million unique passwords were exposed on a popular hacking forum after being hosted on the cloud service MEGA. It was the largest collection of breached personal credentials in history, which is why it was called “Collection #1.” It was later discovered that it was only a small part of a much bigger leak. Personal data belonging to 100 German politicians, celebrities and journalists, including Angela Merkel, was leaked; it was apparently collected from their smartphones. Furthermore, Airbus suffered a security breach that exposed its employees’ data. And the existence of an online database holding records of 202 million Chinese citizens was revealed; the records were apparently gathered from CVs on several websites using a scraping tool, “data import.”

In February 2019, information leakage continued, and malware cyberattacks appeared. 620 million account details were stolen from 16 hacked websites and put up for sale on the popular dark web market Dream Market. Later, the same cybercriminal put another “treasure” up for sale, consisting of 127 million accounts from another 8 websites. Likewise, the South African state energy supplier Eskom suffered two cyberattacks, one of them by means of the AZORult trojan. And the Indian state LPG gas company suffered a leak of data belonging to 7 million clients and distributors owing to vulnerabilities in its iOS applications.

In March, information leakage was once again the star protagonist. An e-mail verification company was the victim of a major breach due to an unprotected MongoDB database, which exposed data from 800 million e-mail accounts.

Information leakage goes on

In April 2019, information leakage problems continued: more than 500 million Facebook (FB) user records were exposed on unprotected servers in the Amazon cloud, having been collected and insecurely stored by FB app developers. In addition, 8 unsecured databases were found containing e-mail addresses of almost 60 million LinkedIn users. The Georgia Technology Institute suffered a security breach that exposed the information of 1.3 million students and employees: cybercriminals took advantage of a vulnerability in its web application. Data from 100 million users of the Indian search service JustDial was also exposed after sitting in an unprotected online database. Moreover, a misconfigured Elasticsearch database on Tommy Hilfiger Japan’s website caused the exposure of information belonging to hundreds of thousands of clients.

May 2019 was marked by information leakage, banking malware and crypto mining. A group of Russian cybercriminals put up for sale access to the networks of several antivirus providers (McAfee, Symantec and Trend Micro) along with their software source code. In addition, the cryptocurrency exchange platform Binance received cyberattacks of different kinds (phishing, viruses, etc.), and hackers managed to withdraw BTC 7,000 (40 million dollars) held in the wallet connected to its network.

In June, information leakage was once again center stage: the American Medical Collection Agency suffered a major breach that exposed information from almost 20 million patients after attackers infiltrated its payment web portal. Moreover, the Chinese headhunting company FMC Consulting was responsible for leaking millions of records owing to a misconfigured, publicly accessible Elasticsearch instance.
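The March, April and June incidents share one root cause: a MongoDB or Elasticsearch instance bound to every network interface with authentication switched off. The following audit script is an added illustration, not part of the original post or of either vendor's tooling; it assumes simple `key: value` config files (mongod.conf, elasticsearch.yml), constructed sample configs, and the 2019-era Elasticsearch 6.x/7.x default in which X-Pack security is off unless enabled.

```python
# Added example: flag the two settings behind the exposed-database leaks above,
# a listener on all interfaces combined with disabled authentication.

PUBLIC_BIND = {"0.0.0.0", "::", "*", "_site_", "_global_"}  # ES accepts the last two


def flatten_config(text):
    """Flatten a simple YAML-style config into dotted keys.

    Covers elasticsearch.yml (already dotted) and mongod.conf (nested blocks).
    Assumption: 2-space indentation, no lists, anchors or multi-line values.
    """
    settings, stack = {}, []  # stack holds (indent, key) of open blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close blocks at same/deeper level
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return settings


def audit(text, product):
    """Return findings for a mongod.conf ("mongodb") or elasticsearch.yml text."""
    s = flatten_config(text)
    if product == "mongodb":
        bind = s.get("net.bindIp", "127.0.0.1")  # mongod 3.6+ defaults to localhost
        if s.get("net.bindIpAll", "false").lower() == "true":
            bind = "0.0.0.0"
        auth_on = s.get("security.authorization", "disabled") == "enabled"
    elif product == "elasticsearch":
        bind = s.get("network.host", "_local_")
        # assumption: 6.x/7.x basic licence, where security is off by default
        auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    else:
        raise ValueError("unknown product: " + product)
    findings = []
    public = any(a.strip() in PUBLIC_BIND for a in bind.split(","))
    if public:
        findings.append("listens on all interfaces")
    if not auth_on:
        findings.append("authentication disabled")
    if public and not auth_on:
        findings.append("CRITICAL: reachable anonymously from any network")
    return findings
```

The weak and hardened samples in the test show the difference: the fix is both a loopback or private bind address and `security.authorization: enabled` (or `xpack.security.enabled: true`), not one of them alone.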

Malware and service blockage

In July 2019, service unavailability and malware attacks joined information leakage. After exploiting a vulnerability in the firewall protecting Capital One bank services, a former AWS employee stole data from 106 million clients in the U.S.A. and Canada. She also obtained the social security numbers of 140 thousand people and around 80 thousand bank account numbers. Likewise, Johannesburg residents were left without power after the City Power utility was hit by ransomware.

In August 2019, information leakage continued. The networks of the UN Geneva office were hacked, affecting the servers of the human rights and human resources offices, from which 400 gigabytes of data could have been downloaded.

In September, there was another serious information leak, this time in Ecuador, where a “serious informatic failure” exposed data on almost the entire population of the country. The leak came from a server located in Miami that did not meet the established cybersecurity requirements.

November 2019 was the month of malware cyberattacks. Everis was the victim of a serious ransomware attack that took advantage of a vulnerability in Microsoft Teams and caused the shutdown of its internal network worldwide. Prosegur reported a ransomware attack using the Russian virus Ryuk, an evolution of the powerful Wannacry. Petróleos Mexicanos was also the target of a ransomware attack: its systems were breached by a virus capable of locking screens or encrypting selected files with a password. The attackers demanded USD 5 million in bitcoins so that PEMEX would be left “clean and like new”. Additionally, in Argentina, the province of San Luis suffered an attack on its data center.

In January 2020, a leak in Perú exposed client information from a cinema chain, stemming from an unsecured database hosted on a Microsoft Azure server.

As things stand, recent attacks on IT and data security focus mainly on obtaining information to be sold later on dark web markets. Knowing their targets and most common dynamics will not banish the scourge of cyberattacks forever. But it will, at least, help raise awareness of the magnitude of the problem and the need to take strong cybersecurity measures.