I was asked to write a summary of the different cyber events that occurred in 2020. But the only thing that comes to mind is COVID-19 and how it affected 2020. COVID-19 took what should have been the year we started a new decade and turned it into a year that challenged many of us, and one some of us would prefer to forget (not counting my daughters, who actually enjoyed not going to school, but more on that in a different blog…).
But COVID-19 has, in my mind, a clear connection to and impact on the cyber events which rampaged through 2020. There is no question that the pandemic changed the way we work, mainly by making remote work far more prevalent. Let us look at two points:
- A quote from Michael Dell summarizes this nicely – “Technology now allows people to connect anytime, anywhere, to anyone in the world, from almost any device. This is dramatically changing the way people work, facilitating 24/7 collaboration with colleagues who are dispersed across time zones, countries, and continents.”
- A new survey from 451 Research found that 67% of respondents expect their work-from-home policies to become permanent, or at least to remain in place for the long term.
Now, when we think of remote work and translate it into “IT lingo”, we get VPN, since VPN is the standard technology for remote access. Research by OpenVPN from May 2020 states that 68% of organizations have expanded their use of VPN as a direct result of COVID-19, and 99% of employees surveyed believe their company will continue to use VPN after COVID-19.
But it is not only our employees who connect remotely; COVID-19 has also shifted our interactions with our business partners and suppliers to be remote, so they are even more connected to us today than before.
With all the data collected above in mind, I went back to the original reason for this blog: I went through the major attacks that happened each month in 2020 and focused on the attacks that resulted from external access.
I came up with the following chart:
As you can see from the chart, I outlined four different types of attacks:
- Credential theft
- Data breach
- VPN attack
- Ransomware attack
While all four attack types are different in nature, they share a common goal: to access our network, services, and files and create havoc. They can start from the outside or from an insider, but they all rely on an “access vector”.
Let us take two attacks that happened at the end of 2020, and analyze their access attack vector:
- The attack on the insurance company Shirbit – in this attack, the hackers exploited a vulnerability in Shirbit’s Pulse Secure VPN in order to access the company. From there, they started accessing file servers to steal sensitive corporate data and threatened to release it to the public if a ransom was not paid.
- The SolarWinds supply chain attack – in this attack, the hackers exploited a vulnerability and planted a backdoor in the SolarWinds Orion Platform, deploying their malicious code into it. From there, the compromised systems connected to the attackers’ command and control servers, and the attackers went on to steal credentials and move laterally through the network, scanning for the victims’ crown jewels.
So, we see that in both cases the hackers used a vulnerable system to gain access into the attacked organizations, and then gained access to corporate resources in order to steal data from them.
Could such attacks have been prevented and blocked completely? Maybe, maybe not. There are many variables to look at and try to secure – patching the VPN, replacing the VPN with one that has no vulnerabilities (but who can guarantee that…), patching all 3rd party software, securing file storage, securing all systems against elevation of privileges, etc. It is like the story of the small boy who stuck his finger in the dike: block one hole, and the water will find another hole to get through.
There is a way to try and block the attack from spreading in the network, and in some cases also block it at the source.
If we look at the Shirbit hack, that attack could have been prevented if the VPNs had been patched. However, even if that had been done, the hackers would have found a new vulnerability at some point, and chasing the VPN and patching it every few months is a big hassle for IT. A simpler approach would have been to deploy a solution behind the VPN which acts as a 2nd line of defense on top of it: a solution that prevents the VPN from being bypassed if it is hacked, by requiring the connecting user (the hacker, in our case) to respond to an MFA request.
Another layer of defense in the Shirbit case would have been to place a solution before all the corporate resources, which would require any user connecting to any resource to respond to an MFA request. This would have blocked the hackers from reaching the files they were looking to steal.
If we look at the SolarWinds hack, the assumption here is that patching all 3rd party software is not realistic. What we can do in this case is (like in the Shirbit case) deploy a centralized MFA solution before all the corporate resources, and prevent data from being stolen.
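As an added example, not Safe-T’s code and not how ZoneZero is implemented, here is a minimal policy-decision function for such a resource-layer MFA gate. It assumes TOTP (RFC 6238) as the second factor and a per-request check in front of each resource, so that a session which only proves "I came in through the VPN" is challenged rather than handed the file server; all user names, resource names and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# All names and values below are constructed for this example only.
USER_TOTP_SECRETS = {"alice": base64.b32encode(b"constructed-demo-secret-1").decode()}
MFA_PROTECTED = {"fileserver01", "hr-share"}   # crown-jewel resources behind the gate
MFA_FRESHNESS = 300                            # seconds an MFA proof stays valid
STEP = 30                                      # TOTP time step


def totp(secret_b32, at_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), used here as the second factor."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(user, code, now):
    secret = USER_TOTP_SECRETS.get(user)
    if secret is None:
        return False
    # Accept one step of clock drift either side; compare in constant time.
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code) for d in (-1, 0, 1))


def authorize(session, resource, now):
    """Per-request decision: a VPN session alone never unlocks a protected resource."""
    if not session.get("vpn_authenticated"):
        return "deny"
    if resource in MFA_PROTECTED:
        proved_at = session.get("mfa_verified_at")
        if proved_at is None or now - proved_at > MFA_FRESHNESS:
            return "challenge"   # the gateway sends an MFA request instead of the data
    return "allow"


def complete_mfa(session, code, now):
    """Called when the user answers the challenge; records a fresh proof on success."""
    if verify_totp(session.get("user", ""), code, now):
        session["mfa_verified_at"] = now
        return True
    return False


if __name__ == "__main__":
    hijacked = {"user": "alice", "vpn_authenticated": True}   # VPN passed, no second factor
    print(authorize(hijacked, "fileserver01", 1_600_000_000))  # challenge
```

The proof expires after MFA_FRESHNESS seconds, so a stolen session token is useful only as long as its last MFA proof, and the gate applies the same way whether the request arrives via a hacked VPN or via a backdoored management platform inside the network.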
At Safe-T, we have a solution called ZoneZero, which provides both layers of defense. Reach out to us to schedule a demo and see how it works.