2017, A Year in Review
Too Long to Read ?! [TL;DR]
2017 brought new and innovative attacks and the “How” and “Why” are increasingly becoming more important
2018 will bring new target focus, new tactics, and new attack campaigns and it is up to the cybersecurity world to continue to innovate and keep up with the pace of escalation. With the introduction of quantum computing, machine learning, artificial intelligence, and continual innovation to aid with defenses, it may just be a fair fight.
It’s hard to believe that 2017 is about to come to a close. Throughout the year, the world saw the New England Patriots rally back to win Super Bowl LI, North Korea escalating already tense relations in the region by conducting weapons tests, hurricanes Harvey, Irma, and Maria ravaging the southeastern US and territories, and the first total solar eclipse in nearly 40 years. 2017 also marked a remarkable change in the cyberwar landscape. While ransomware, phishing, espionage, and advanced persistent threats are nothing new, attack campaigns in 2017 have been far more strategic and appear to be directed by higher levels of government than previously seen. Military theorist Carl von Clausewitz famously stated that "War is the continuation of politics by other means" and the “cyberwar” is no exception.
In the past years, when a new bug or exploit was found in a popular piece of software, it would lead security researchers to a thought provoking discussion. Today, Information Security is so intertwined with geopolitics, commerce, and the physical world, the context is completely changing and it’s becoming increasingly important to know the “how’s” and the “why’s” of the attack rather than the actual bug or exploit. Tools, tactics, and motives are constantly evolving and 2018 will undoubtedly be an interesting year for cybersecurity.
Here is a look back on notable Information Security events in 2017.
Supply Chain Attacks
CCleaner and the popular video encoding software Handbrake were unknowingly distributing malicious versions of their software resulting in millions of infected devices. Supply chain attacks provide a convenient infection vector, but also erode the trust users have in legitimate software companies. Analysis of the malicious CCleaner code shows that the attackers were targeting 20 specific organizations including Microsoft, Cisco, VMware, and Samsung.
Attack of the Interpreters
The rise in the use of interpreters as an attack vector also significantly grew in 2017. It’s no longer the video file or a questionable “codec installer” bundled with the latest pirated episode of Game of Thrones that will compromise a system. Rather, a maliciously crafted subtitle file that is interpreted by a video player can give a malicious actor remote code execution privileges. Following the attack trend of going after the weakest link, many companies harden their software against direct attacks, but pay less attention to their interpreters.
Perhaps one of the most notable cyber attacks in 2017 is the theft of up to 143 million records. The prevailing theory for attribution was a state sponsored actor interested in the financial information on a few targeted individuals with the rest being collateral damage. The resulting fear of identity theft caused Americans to put credit freezes in place, preventing new lines of credit being opened and potentially slowing down economic growth.
Following the discovery by the Israeli government of classified NSA hacking tools on the Kaspersky network, US Federal agencies were given guidance to not use Kaspersky Labs software after October 2017. A bill signed in December solidified this guidance as the law of the land. While Eugene Kaspersky offered third party source code review to verify that there were no backdoors or implants, the US government was not willing to take the risk of possible Kremlin influence. Even if the source code was certified to not carry any vulnerabilities, it does not stop the Russian-based software maker from modifying the code at a later date through a software update. For example, the NotPetya ransomware attack originated when a legitimate Ukranian accounting software company became compromised and pushed out a malicious update.
Shadow Brokers / Equation Group NSA breach
Whether the breach of the US National Security Agency came from a Whistleblower or Kaspersky Labs software, the Shadow Brokers have been busy dumping all of the NSA’s best hacking tools. Most notably the EternalBlue exploit was released in April 2017 and by May 2017, the cyberworld would never be the same.
Virulent ransomware attacks - WannaCry, NotPetya, BadRabbit
On the morning of May 12, 2017, many users tried to log into their home or work computer and were greeted with a message that their files had been encrypted and a bitcoin payment would need to be made in order to unlock them. By the time a clever security researcher found a “killswitch”, over 300,000 computers were believed to be affected. In a rare moment when a cyber attack bleeds into the real world, Wannacry and copycats NotPetya and BadRabbit would lead to severe real world consequences.
Disruptions due to NotPetya attack caused over $300 million in damages to Federal Express’s TNT unit and an estimated $600 million to drugmaker Merck. Wannacry paralyzed the United Kingdom’s National Health Service causing clinics and hospitals to close and turn away patients.
A flaw in a crypto library for chipmaker Infineon led to the insecure generation of key pairs used in millions of systems around the world. In Estonia, where all citizens use their government issued national ID card to digitally sign documents, vote online, and access bank accounts, over 750,000 cards had to be recalled or updated. Spain had an even tougher decision on what to do with the over 60 million national ID cards in circulation vulnerable to attack.
While the theft of 57 million users’ data from Uber occured in 2016, revelations of the hack were not made public until 2017. A hacker stumbled upon and stole the user data. Desperate to monetize the data, the hacker took the unusual step of contacting the victim (Uber) requesting a payment in exchange for silence and the promise to destroy the data without exposing it. Uber paid the hacker $100,000 through HackerOne’s bug bounty program and made the hacker sign a confidentiality agreement. This transaction brought forth an ethical discussion when the lines of “blackmail” and “bug bounty” begin to blur.
Vault 7 CIA
Wikileaks began publishing leaked US Central Intelligence Agency (CIA) activities and hacking tools in March 2017, which included covert activities of electronic surveillance and cyber warfare capabilities. Through the Wikileaks publications, the CIA has shown the capability of turning smartphones and smart TVs into covert surveillance and tracking devices.
The hacking tool dubbed “Pandemic” targeted Windows machines with shared folder access. Whenever a user would copy a file from a shared folder to their local desktop, the file would be modified and injected with malware during transit, leaving the original file on the server unchanged.
On January 1, 2017, one bitcoin was worth about $1,000. By December 16th, 2017, the price was nearly $20,000 per bitcoin. Coming with Cryptocurrency’s explosive growth also came scams to steal the digital cash. A poorly secured Wordpress blog site led to over $7 million dollars stolen in an Initial Coin Offering when a hacker replaced a legitimate wallet address with their own. Social engineering and sim swap attacks invalidated two-factor authentication protections and brought to light the shortcomings of using SMS as a second factor.