2020 Forensic Predictions
The year 2020 was surprising in many ways and the digital forensics industry offered some surprises as well as some more predictable outcomes.
More attacks targeted against cloud-based platforms, products, and services.
To start with, our first prediction for 2020 was that more attacks would be targeted against cloud-based products, services, and platforms. Beyond the cases we investigated at SecurityMetrics, a staggering failure to adopt basic security habits meant that 70% of businesses that store data with Amazon, Microsoft, and other large cloud vendors were hacked or had data exposed last year.
Storing data in the cloud was originally seen as a way to help secure systems, but now close to 90% of the cases SecurityMetrics investigates involve cloud data. Even in many of our smaller forensic investigations, we are dealing with vulnerabilities that enabled attackers to compromise data stored in the cloud.
Spike in registration of look-alike domain names for evil purposes.
The second prediction from 2020 was a spike in the registration of look-alike domain names for criminal purposes. With many businesses moving to remote workforces, hackers are exploiting Zoom in a variety of ways, including registering massive numbers of domain names that look legitimate but are slightly altered. For example, where a legitimate domain name contains a lower-case L (l), attackers may substitute a capital i (I), which is visually almost indistinguishable.
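The look-alike check described above, as an added example (not SecurityMetrics code): a defender feeds newly registered domains through a normalizer that folds common homoglyph substitutions (capital I for lower-case l, "rn" for "m", digit 0 for o) and then compares the result against a list of protected brand domains. The brand list, homoglyph table and candidate domains are constructed for illustration.

```python
"""Flag newly registered domains that imitate a protected brand domain.

Added example, not SecurityMetrics code. The brand list, candidate
domains and homoglyph table are constructed for illustration.
"""
import unicodedata

# Visually similar substitutions attackers rely on, e.g. capital I for
# lower-case l. Multi-character entries ("rn" for "m") are applied first.
# The table is illustrative; a production list would be tuned per brand.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "I": "l", "1": "l", "|": "l",
    "0": "o", "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
}

PROTECTED_BRANDS = ["zoom.us", "paypal.com", "microsoft.com"]  # constructed list


def normalize(name: str) -> str:
    """Fold a domain to a canonical form so look-alikes collide with the original."""
    folded = unicodedata.normalize("NFKD", name)          # strip accents / full-width forms
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(src, dst)                # case-sensitive: only capital I -> l
    return folded.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(name: str) -> str:
    """The second-level label ('zoom' in 'login.zoom.us'), after normalization."""
    parts = normalize(name).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, brands=PROTECTED_BRANDS):
    """Return (brand, reason) when the candidate resembles a brand, else None."""
    norm_c = normalize(candidate)
    for brand in brands:
        norm_b = normalize(brand)
        if norm_c == norm_b or norm_c.endswith("." + norm_b):
            lc = candidate.lower()
            if lc == brand.lower() or lc.endswith("." + brand.lower()):
                continue                                  # the brand itself or its own subdomain
            return brand, "homoglyph"                     # identical after folding, different as registered
        c_label, b_label = registrable_label(candidate), registrable_label(brand)
        max_dist = 1 if len(b_label) < 8 else 2
        if c_label != b_label and levenshtein(c_label, b_label) <= max_dist:
            return brand, "typo-squat"
        if len(b_label) >= 4 and b_label in norm_c:
            return brand, "brand-embedded"                # e.g. zoom-meeting-login.com
    return None


if __name__ == "__main__":
    for d in ["zoorn.us", "paypaI.com", "zoon.us", "zoom-meeting-login.com", "login.zoom.us", "google.com"]:
        print(d, "->", classify(d))
```

Run against a daily feed of new registrations (certificate transparency logs are another useful source), the "homoglyph" hits are the ones worth blocking at the mail gateway and web proxy first, since they are indistinguishable to a user reading an email.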
Spy vs. Spy . . . AI vs. AI
We predicted that the increase in artificial intelligence (AI) security would be met with AI-assisted attack vectors. We found that hackers are weaponizing AI, but did not see any forensic investigations involving AI ourselves. One trend involved an AI password cracker that didn’t just try known passwords; it generated natural derivatives of those passwords in order to predict how users would change their existing ones.
So AI password crackers anticipate that we do things like add an exclamation mark to the end of a new password. Instead of relying on brute force alone, hackers can use AI that predicts human behavior. AI-assisted attacks will likely increase every year as AI capabilities grow.
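The defensive counterpart to the derivative-guessing described above, as an added example (not SecurityMetrics code): a password-change check that reduces the old and new passwords to an alphabetic "core" (lower-cased, leetspeak undone, leading and trailing digits and symbols stripped) and rejects the change when the cores match, one contains the other, or they are nearly identical. The leetspeak table, thresholds and sample passwords are assumptions.

```python
"""Reject a new password that is a predictable mutation of the old one.

Added example, not SecurityMetrics code. It models the mutations the post
describes (appending "!" or a new year, changing case, leetspeak swaps) by
reducing both passwords to an alphabetic core and comparing the cores.
"""
import difflib
import re

# Leetspeak substitutions folded back to letters before comparison (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def core(password: str) -> str:
    """Lower-case, undo leetspeak, and strip leading/trailing digits and symbols."""
    folded = password.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)


def is_predictable_derivative(old: str, new: str) -> tuple[bool, str]:
    """Return (True, reason) when `new` is a likely mutation of `old`, else (False, 'ok')."""
    if new == old:
        return True, "unchanged"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return True, "same core: only case, digits, symbols or leetspeak changed"
    if len(old_core) >= 4 and (old_core in new_core or new_core in old_core):
        return True, "old password core embedded in new password"
    if old_core and new_core == old_core[::-1]:
        return True, "reversed"
    # Catch near-misses such as one letter swapped; 0.8 is an assumed threshold.
    ratio = difflib.SequenceMatcher(None, old_core, new_core).ratio()
    if ratio >= 0.8:
        return True, f"cores too similar (ratio {ratio:.2f})"
    return False, "ok"


if __name__ == "__main__":
    for old, new in [("Summer2020", "Summer2021!"), ("Winter19", "W1nter19!!"),
                     ("Dragon!", "dragonfly42"), ("Summer2020", "Correct-Horse-Battery")]:
        print(f"{old!r} -> {new!r}: {is_predictable_derivative(old, new)}")
```

This check needs the old password in clear text, so it belongs in the password-change flow (where the user has just typed both), not in a batch job over stored hashes. Pair it with a breached-password lookup; the AI crackers in the post are trained on exactly the public lists such a lookup covers.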
What 2020 predictions did we miss?
COVID-related scams and attacks
The first thing we missed last year was the worldwide pandemic itself. With the pandemic came a veritable flood of new ways for attackers to break in and steal data.
Scammers are opportunistic. They’re scavengers. We saw a massive increase in the number of scams and hacks due to the COVID-19 pandemic. Recently, a city’s water supply in Florida was hacked and attackers were able to change the chemical levels used to treat the water. They changed the level of sodium hydroxide (lye).
The purpose of putting sodium hydroxide in a water system is to kill bacteria, and the normal level for sodium hydroxide in drinking water is 100 PPM. In this situation, the hacker changed it from 100 PPM to 11,100 PPM. Fortunately, an employee saw a cursor moving around on their screen and was able to stop the attack. It’s one thing to steal money out of a crypto wallet, but attacks like these have very scary possibilities. Researchers still don’t know where this attack originated from or whether it was domestic or foreign in nature.
Remote Bluetooth attacks
A Bluetooth attack can steal a Tesla Model X in minutes. Late last year, we found out that the Tesla Model X could be hacked in minutes with a readily available Bluetooth device costing about $29. In this attack, hackers were able to walk up to a car, run the Bluetooth program, open the door, start the car, and drive away.
The good news is that Tesla released a patch almost immediately, but the incident raises concerns for the future. It’s not just electric cars that are vulnerable, but any car with keyless entry, and such attacks are not performed only over Bluetooth. Most new cars now receive software updates, so what will happen in the future when the cars (not us) are the ones doing the driving?
ZOOM bombing attack hits US Government meeting
As people shifted away from being at work physically and moved to online meetings, attackers saw an opportunity to go after those meetings. A new attack called “ZOOM bombing” came into play. Related to the ZOOM look-alike domain attacks, we have seen attackers going after sensitive government meetings.
Luckily, it was just people coming in to interrupt the meeting and make a scene, but what if that meeting had been top secret? A number of companies had corporate secrets and personally identifiable information (PII) leaked by attackers who had compromised the ZOOM meeting credentials (or those of whatever remote meeting app was being used) of legitimate invitees and then were simply flies on the wall, watching and listening. We also saw an increase in meeting PIN codes for sale on the dark web, at 10 passcodes for a penny.
In addition to government meetings, we saw a number of cases where embarrassing information was leaked out or displayed. In one case, a church’s ZOOM meeting was infiltrated with pornographic material.
Current attack trends
New attack trends continue to pop up. Some of the attacks mentioned above only came to light in January; others began last year but have grown in sophistication. In our current attack trends, we will cover why ransomware won’t go away, the next generation of sophisticated skimmers, and successful attacks against iFrames.
Why ransomware won’t go away
Ransomware continues to be extremely impactful in the HIPAA and healthcare industry. We’re also seeing ransomware attacks waged against credit card processors and third-party service providers, and against many critical service industries and municipalities. There are basically two reasons why ransomware won’t go away:
- Nobody’s found a way to fix it
- Ransoms are still being paid
Ransomware is one of the most devious attacks, and ransomware attacks increased 45% in 2020 over 2019. Attackers aren’t just after credit card data. The ability to steal healthcare records has serious implications, especially given the mayhem that could be caused with that kind of information.
Healthcare records typically have enough information to create a complete digital persona. On the dark web, for example, a credit card could sell for anywhere between $1 and $20, depending on the value of the card, whereas a full healthcare profile of an individual will typically sell for about $200.
Physical checkout skimmers powered by chip cards in the POS environment
Physical card skimming was prevalent a number of years ago and will probably take center stage again. One of the problems attackers had in the past with skimmers is that if you’re going to attach a skimmer to a gas pump or a payment terminal, you have to find a way to power it. They either had to use a battery pack or a cord.
With the move to EMV chip technology, skimming is more viable again, believe it or not. That’s because the EMV chip has to be powered up when you dip your card into a reader. The skimmer draws its power from the low-voltage charge released when the chip is detected by the POS terminal, and can then send a wireless power signal to the chip. Attackers are creating card skimmers as thin as a piece of scotch tape, with tiny wires that act as antennae to intercept the card data.
Successful attacks against iFrames
The iFrame was supposed to be the security panacea that we wouldn’t have to worry about. A company’s “secret sauce” can be protected inside the iFrame.
But now, iFrames are being hacked. We don’t want to scare people away from iFrames: if you implement an iFrame on your website, make sure to configure it correctly and maintain perimeter security. You can think of an iFrame as a safe room at the end of a hallway in your house. If you implement an iFrame correctly, customers coming onto your webpage walk through your shopping cart, get to the end of the “hallway,” and then check out. They don’t realize that they’re not in your house anymore. They’re in the safe room, away from prying eyes and the less secure portions of your website. However, if the security in your house is weak, attackers have found a way to come into this safe room as well.
If you set everything up correctly, it’s going to be very hard for them to breach your safe room. But attackers are smart, and when the iFrame isn’t configured just right, they’ve figured out that they can redirect the customer away from the safe room and into a side hall or side room that doesn’t look suspicious. The business and its customers have no idea this is happening until the merchant receives a common point of purchase (CPP) report in their email. The merchant wonders how it happened, because they use an iFrame and never see or touch credit card data. But the attackers are still getting the customers’ credit cards.
A business can’t rest on the inherent security of an iFrame. It must still do all it can to protect the iFrame and the website; a business’s own security efforts are the frontline protection. Here are three points of protection:
- Configure it correctly with the same-origin policy
- Ample security surrounding the iFrame
- Monitor the iFrame configurations for unauthorized changes
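The first and third points above, as an added example (not SecurityMetrics code): an audit that parses the checkout page, verifies the payment iframe is loaded over HTTPS from the expected processor origin with a sandbox that cannot navigate the customer's top-level page (the "side room" redirect the post describes), and hashes the iframe attributes so a scheduled re-check can alert on an unauthorized change. The processor origin, sandbox policy and sample HTML are constructed assumptions.

```python
"""Audit the payment iFrame on a checkout page and fingerprint its configuration.

Added example, not SecurityMetrics code. It parses the page HTML with the
standard library, checks each iframe's origin, scheme and sandbox, and
hashes the iframe attributes so a later run can detect unauthorized changes.
The payment origin and the sample pages are constructed.
"""
import hashlib
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_PAYMENT_ORIGIN = "https://pay.example-psp.test"  # assumed processor origin

# Constructed sample pages: a correct checkout and one that has been tampered with.
GOOD_PAGE = ('<form><iframe src="https://pay.example-psp.test/form?m=42" '
             'sandbox="allow-scripts allow-forms"></iframe></form>')
BAD_PAGE = ('<form><iframe src="http://pay.example-psp.test.evil.example/form" '
            'sandbox="allow-scripts allow-forms allow-top-navigation"></iframe></form>')


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document, in order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})  # bare attrs become ""


def collect_iframes(html: str) -> list[dict]:
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def audit_iframes(html: str) -> list[dict]:
    """Return, per iframe, its src and a list of configuration problems (empty when ok)."""
    findings = []
    for frame in collect_iframes(html):
        src = frame.get("src", "")
        parts = urlsplit(src)
        origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else "(relative or missing)"
        issues = []
        if origin != ALLOWED_PAYMENT_ORIGIN:
            issues.append(f"unexpected origin {origin}")
        if parts.scheme and parts.scheme != "https":
            issues.append("not loaded over https")
        if "sandbox" not in frame:
            issues.append("no sandbox attribute")
        elif "allow-top-navigation" in frame["sandbox"]:
            issues.append("sandbox allows top-level navigation (customer can be redirected)")
        findings.append({"src": src, "issues": issues})
    return findings


def config_fingerprint(html: str) -> str:
    """SHA-256 over the canonical iframe attributes; store it and compare on every check."""
    canonical = json.dumps(collect_iframes(html), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    baseline = config_fingerprint(GOOD_PAGE)   # captured when the page was known-good
    for page in (GOOD_PAGE, BAD_PAGE):
        print(audit_iframes(page), "changed since baseline:", config_fingerprint(page) != baseline)
```

The fingerprint only covers the iframe element, so run the same comparison over the scripts included by the checkout page as well; the redirect in the post comes from the surrounding page, not from the processor's frame. A Content-Security-Policy `frame-src` directive on the checkout page is the browser-enforced complement to this check.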
Phishing campaign hidden behind Morse Code
The code used in a recent attack looked like nonsense. Usually we can put attack code into a hex editor or a Base64 decoder to see what the attackers are attempting to do. But on closer examination in this case, it was discovered that the included JavaScript code mapped letters and numbers to Morse code’s dots and dashes, which ultimately (and very cleverly) was hiding a spear phishing attack.
As forensic analysts, we can’t dismiss attacks that look like gibberish anymore. It could be code we don’t recognize, or a throwback to some other kind of encoding.
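The analyst's side of the Morse case above, as an added example (not SecurityMetrics code): a scanner that pulls runs of dot/dash tokens out of a script blob and decodes them with the standard Morse table, so "gibberish" of this kind is recognized instead of dismissed. The sample JavaScript is constructed; the table can be swapped for one extracted from the script when the attacker used a custom mapping.

```python
"""Find and decode Morse-encoded strings hidden in script text.

Added example, not SecurityMetrics code. The post describes JavaScript that
mapped characters to Morse dots and dashes; this scanner extracts runs of
dot/dash tokens from a blob and decodes them. SAMPLE_JS is constructed.
"""
import re

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Three or more dot/dash tokens separated by spaces or slashes, not glued to
# identifiers, so `a.b` or `x-y` in ordinary code are ignored.
MORSE_RUN = re.compile(r"(?<![\w.\-])[.\-]{1,6}(?:[ /]+[.\-]{1,6}){2,}(?![\w.\-])")

SAMPLE_JS = ('var d = "... . -.-. ..- .-. . / .-.. --- --. .. -."; '
             'for (i = 0; i < 3; i++) { d += "."; }')


def decode_morse(run: str, table=MORSE) -> str:
    """Decode one run; '/' separates words and unknown tokens become '?'."""
    words = []
    for word in run.split("/"):
        letters = [table.get(tok, "?") for tok in word.split()]
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def find_morse_runs(blob: str, table=MORSE) -> list[tuple[str, str]]:
    """Return (raw run, decoded text) for every Morse-looking run in the blob."""
    return [(m.group(0), decode_morse(m.group(0), table)) for m in MORSE_RUN.finditer(blob)]


if __name__ == "__main__":
    for raw, decoded in find_morse_runs(SAMPLE_JS):
        print(f"{raw!r} -> {decoded!r}")
```

A '?' in the decoded output is the signal that the script carries its own mapping table; pull that object literal out of the JavaScript, invert it into a dict, and pass it as `table=`.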
Predictions for 2021
Subscribe to our blog to receive part 2 of 2021 Forensic Data Breach predictions and What Happened in 2020.