Perhaps the surprising, and damning, thing about 2016 in terms of security is that businesses are generally still not taking security seriously. Nobody wants to admit to being slack when it comes to cyber security, but the indisputable fact is that during 2016, many organisations simply didn’t show up, whatever they claimed.
The basics are still not being done. Updates aren’t being applied, patching strategies are not in place, admin credentials are easy to find. Let’s be blunt: people are still trying to do security on the cheap, using, for example, free antivirus software. This was most evident in the amount of ransomware that infected companies.
A Trend Micro report claimed that 45 per cent of UK businesses were hit by ransomware this year. We believe the figure is much higher, closer to 60 or 70 per cent.
In the US, hospitals have paid massive amounts of money when their databases have been encrypted by ransomware. The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom for the decryption key for patient data. It was infected by the delivery of an email attachment disguised as a Microsoft Word invoice. In the UK some hospitals had to cancel operations.
Hundreds of planned operations, outpatient appointments, and diagnostic procedures were put on hold at multiple hospitals across Lincolnshire. The damage done by ransomware in 2016 is largely attributable to the infamous Locky and its many variants. It was first identified in February and made it to the top of the ransomware charts only two weeks later.
It initially used malicious macros in Office documents to infect its victim’s computer, and these documents were distributed attached to spam emails. Locky has been through several versions since then. A new version was released on October 24, and less than 24 hours later yet another version was launched. It’s carried through phishing campaigns, and the email subjects are centred on pay cheques, receipts, invoices, orders, or wrong credit card charges, all of which are themes designed to fool recipients into opening attached files.
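The delivery vector described above, a macro-carrying Office document attached to an invoice-themed email, is something a mail gateway can check for before the recipient ever sees the lure. The following is an added example, not code from the article or from MTI: it inspects an attachment in memory, treats it as an OOXML (zip-based) Office file, and flags it if it carries a VBA project part. The part names `word/vbaProject.bin`, `xl/vbaProject.bin` and `ppt/vbaProject.bin` are the standard OOXML locations; the sample attachments are constructed placeholders, not real documents. Legacy binary formats (.doc, .xls) are not zips and are deliberately reported as a separate category rather than scanned.

```python
import io
import zipfile

# OOXML part names that hold a VBA project (Word, Excel, PowerPoint).
# Assumption for this example: only these three Office families are inspected.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Extensions that should never carry macros. A VBA part inside one of these
# is a stronger signal than a macro inside a .docm, which declares its intent.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def _ooxml_parts(data: bytes):
    """Return the set of part names in an OOXML container, or None if `data` is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return set(zf.namelist())
    except zipfile.BadZipFile:
        return None


def office_attachment_has_macros(data: bytes) -> bool:
    """True if `data` is an OOXML Office file that contains a VBA project.

    Legacy OLE2 files are not zips and come back False here; a production
    gateway would hand those to a dedicated OLE parser instead.
    """
    parts = _ooxml_parts(data)
    return parts is not None and any(part in parts for part in VBA_PARTS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for a mail filter.

    Returns one of:
      "not-ooxml"          - not a zip container (legacy binary Office, PDF, etc.)
      "block-hidden-macro" - macro-free extension (.docx etc.) but a VBA project inside
      "block-macro"        - declared macro document (.docm etc.) carrying VBA
      "allow"              - OOXML file with no VBA project
    """
    parts = _ooxml_parts(data)
    if parts is None:
        return "not-ooxml"
    if not any(part in parts for part in VBA_PARTS):
        return "allow"
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return "block-hidden-macro"
    return "block-macro"


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments in the style the article describes (invoice-themed lures).
    samples = {
        "invoice_2016.docm": build_sample_docx(with_macros=True),
        "invoice_2016.docx": build_sample_docx(with_macros=True),
        "receipt.docx": build_sample_docx(with_macros=False),
        "statement.pdf": b"%PDF-1.4 constructed, not a real PDF",
    }
    for name, payload in samples.items():
        print(f"{name}: {triage_attachment(name, payload)}")
```

The two block verdicts are kept separate because they call for different handling: a `.docm` from a known business partner may be allowed through a policy exception, whereas a `.docx` that secretly carries VBA has no legitimate reason to exist and should always be quarantined.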
Heads in the sand
In a sense it’s staggering that people are still falling for these tricks, given the exposure about ransomware dangers. There still seems to be a general mindset that ‘it will never happen to me’, when it clearly is happening to lots of businesses and individuals. It’s frustrating because basic security measures offer protection. Being on the front line we tend to get a good sense of what is happening on the ground and it can be best summed up with the phrase ‘blind panic’ when a company is hit.
But this lack of awareness, or ‘head in the sand’ scenario, is also playing out across other areas. Security in 2016 can also be defined by the large number of repeat attacks that have taken place, organisations hit again in the same way. Ransomware is included in this but it’s not exclusive. Yahoo is perhaps one of the biggest culprits.
In 2012, a security breach exposed 450,000 usernames and passwords from a site on the huge web portal, with the company failing to take even basic precautions to protect the data. Two years later it happened again, with 500 million account details stolen.
Enormous DDoS attacks
Yahoo cried ‘state-sponsored actor’ in its defence, but clearly it’s still not adequately protecting its customer data. This defence is usually code for ‘don’t blame us, it was a really sophisticated attack’. And Yahoo only came clean in 2016. These serious errors are clearly an illustration of some fundamental flaws at the online giant. Is it any wonder that it’s gone from an operation worth close to $100 million at its peak to today’s valuation of $4.8 million?
Another large 2016 security event, which ironically few noticed at the time, was the largest DDoS attack recorded, a whopping 540Gbps directed at public-facing websites belonging to organisations affiliated with the 2016 Rio Olympics. These attacks were sustained, sophisticated, and actually started months before the Olympics began.
These attacks were clearly aimed at the global stage and foreshadowed the equally massive IoT-botnet-based DDoS attacks which, in contrast, caught the attention of the mainstream media because they were launched from compromised everyday household devices such as internet-connected video recorders and cameras.
The industry at large has been warning about the parlous state of IoT security for some time, but it seems no one really wants to listen until an attack hits home and hurts bank balances.
The hack that resulted in $81 million being siphoned from the Bangladesh central bank was also noteworthy due to the huge amounts of money involved.
Hackers also stole a reported $10 million from an unnamed bank in Ukraine, while back in Bangladesh an eye-watering $1 billion cyber theft was only stopped when an eagle-eyed employee spotted a typo.
In an ironic way it’s almost fitting that a hack to see out 2016 was the attack on Tesco Bank. The company was forced to repay £2.5 million of losses to 9,000 customers in a heist described as ‘unprecedented’ by regulators.
It may seem small when compared to the aforementioned hacks but there’s worrying significance that the company apparently ignored warnings that its vulnerable software was being targeted by cyber criminals for months before the attack. What is just as shocking is that the bank didn’t even encourage two-factor authentication for its customers.
How many more financial organisations are going to be nailed by cyber thieves before the message gets through? If the EU General Data Protection Regulation, which is due to come into effect in 2018, had been in force, Tesco would have been hit by a fine of up to £1.9bn. And who could say that Tesco and other organisations with terrifyingly lax cyber security wouldn’t deserve it?
NB: An earlier version of this article stated that SWIFT's system was hacked. This was incorrect. There is no evidence to suggest that the SWIFT network was compromised as part of this or any of the recent attacks on financial institutions. In each case, the evidence demonstrates that the attackers compromised the banks’ systems, not SWIFT’s – the SWIFT network was used purely as a channel to send fraudulent payment messages once the banks had been breached.
Andrew Tang, Service Director, Security, MTI