Top Ten: Things We Learned in Q1 2020


The first quarter of this new decade has seen the world change in a way that no one could have predicted. If we look back at the number of predictions that we collected and triaged for Infosecurity's opening webinar in early January, none focused on the reality of a global pandemic that would cause so many around the world to work in a more isolated way.

However, whilst the world has slowed down significantly as a result of COVID-19, there were a number of other news stories and revelations that also changed the way we worked over the course of Q1. Here is our top ten on what we learned in Q1 2020.

COVID-19 and Remote Workers

Well, we have to begin with COVID-19 and the impact it has had upon the cybersecurity industry. We were totally unprepared for its impact upon the world, and as a result we are now mostly working from home, with IT services stretched and teleconference apps the new norm.

The advice on how to work from home and, for security teams, how to secure a suddenly remote workforce has been excellent and prolific, and it seems that, whilst this situation could be one for the long term, its long-term impact will not be entirely negative.

Teleconferencing Becomes Increasingly Popular

The take-up of teleconferencing apps like Zoom and House Party has been huge, with Zoom in particular seeing 600,000 accounts opened in one week. This has not come without negative issues, though: House Party ended up offering a $1m bounty for evidence of a suspected smear campaign after several newspaper reports claimed that accounts had been compromised.

In the case of Zoom, a new term, “zoombombing”, emerged for uninvited participants joining a call and sharing graphic content with the unwitting conference participants, forcing hosts to shut down their events. This is especially likely where the meeting ID has been shared publicly and the host has not restricted screen sharing to the host only.

Toni Vitale, head of data protection at JMW Solicitors LLP, also pointed out that for any meeting that has occurred or is in progress, Zoom allows administrators to see the operating system, IP address, location data and device information of each participant.

The NCSC Talked About IoT Security

The concept of IoT security is not new, and neither is the concept of the security of devices such as baby monitors and IP-enabled cameras, as there are cases going back several years where such devices have been hacked.

However, in early March the NCSC issued guidance on the security of such devices, encouraging consumers to change any default password a device ships with. The story resonated with the public, to the point where it even got a mention on the popular BBC Radio 4 comedy The Now Show.

Microsoft Patched NSA-Disclosed Bug

The first Patch Tuesday of 2020 saw Microsoft issue a fix for CVE-2020-0601, a flaw in the Windows CryptoAPI that the NSA had reported to Microsoft; security experts praised the agency for disclosing it responsibly rather than weaponizing it in attacks. Whilst it had not been publicly exploited at the time of writing, experts said it was to be taken very seriously.

Microsoft said that an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The patch addressed the vulnerability by ensuring that Windows CryptoAPI completely validates the elliptic curve parameters in ECC certificates.
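The following is an added illustration of the validation gap behind CVE-2020-0601, not Microsoft's code and not a reproduction of the Windows fix. It uses a toy ECDSA over secp256k1 in plain Python integers, a cache of trusted roots keyed by public key, and two trust checks: the buggy one accepts a root certificate whose public key matches the cache even when the certificate carries its own explicit curve parameters, while the fixed one compares the parameters as well. The attacker's trick is to supply parameters whose generator is the trusted public key itself, so that the private key for that key under those parameters is simply 1. `Certificate`, `validate_chain`, `forge_parameters` and every key value are this example's own constructions.

```python
"""Added example, not Microsoft's code: why the CVE-2020-0601 fix had to compare every
ECC parameter rather than just the public key.  Certificate, validate_chain,
forge_parameters and all key values here are constructions for the illustration."""
import hashlib
from collections import namedtuple

CurveParams = namedtuple("CurveParams", "name p a b gx gy n")      # y^2 = x^3 + ax + b over F_p
Certificate = namedtuple("Certificate", "subject params pubkey sig")  # params: explicit curve parameters in the cert

SECP256K1 = CurveParams(
    "secp256k1", p=2**256 - 2**32 - 977, a=0, b=7,
    gx=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    gy=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)

def ec_add(c, P, Q):
    """Affine point addition (doubling included); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                                     # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1 % c.p, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def ec_mul(c, k, P):
    """Double-and-add scalar multiplication (not constant-time; fine for an illustration)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(c, R, P)
        P = ec_add(c, P, P)
        k >>= 1
    return R

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def ecdsa_sign(c, d, msg):
    e = _h(msg, c.n)
    k = _h(d.to_bytes(32, "big") + msg, c.n) or 1      # simplified deterministic nonce, not RFC 6979
    r = ec_mul(c, k, (c.gx, c.gy))[0] % c.n
    return r, pow(k, -1, c.n) * (e + r * d) % c.n

def ecdsa_verify(c, Q, msg, sig):
    r, s = sig
    if not (0 < r < c.n and 0 < s < c.n):
        return False
    w = pow(s, -1, c.n)
    R = ec_add(c, ec_mul(c, _h(msg, c.n) * w % c.n, (c.gx, c.gy)), ec_mul(c, r * w % c.n, Q))
    return R is not None and R[0] % c.n == r

def tbs(subject, pubkey):
    """The 'to be signed' bytes of a toy certificate: subject plus public key coordinates."""
    return subject.encode() + pubkey[0].to_bytes(32, "big") + pubkey[1].to_bytes(32, "big")

def issue(subject, params, pubkey, issuer_params, issuer_priv):
    return Certificate(subject, params, pubkey, ecdsa_sign(issuer_params, issuer_priv, tbs(subject, pubkey)))

def validate_chain(cache, root, leaf, compare_params):
    """cache maps trusted public keys to their curve parameters (lookup by key, as the
    vulnerable validator did); compare_params=True is the post-patch behaviour."""
    cached = cache.get(root.pubkey)
    if cached is None:
        return False
    if compare_params and cached != root.params:        # the fix: every parameter must match
        return False
    # Without that check the leaf is verified with whatever parameters the root certificate carries.
    return ecdsa_verify(root.params, root.pubkey, tbs(leaf.subject, leaf.pubkey), leaf.sig)

def forge_parameters(trusted, Q):
    """Explicit parameters whose generator is the trusted public key itself, so the
    private key for Q under these parameters is simply 1 (1 * G' == Q)."""
    return CurveParams("explicit", trusted.p, trusted.a, trusted.b, Q[0], Q[1], trusted.n), 1

def demo():
    d_ca = 0x6F1A6F3C1F0DB22AB1E59E4C70E4BC3A6B7F3D5E1B2A9C8D7E6F5A4B3C2D1E0F  # constructed CA key
    G = (SECP256K1.gx, SECP256K1.gy)
    Q = ec_mul(SECP256K1, d_ca, G)
    cache = {Q: SECP256K1}                              # the trusted root as installed on the machine
    genuine_root = issue("Trusted Root CA", SECP256K1, Q, SECP256K1, d_ca)
    genuine_leaf = issue("Example Corp code signing", SECP256K1, ec_mul(SECP256K1, 0x1234, G), SECP256K1, d_ca)
    evil, evil_priv = forge_parameters(SECP256K1, Q)    # the attacker never learns d_ca
    forged_root = issue("Trusted Root CA", evil, Q, evil, evil_priv)
    forged_leaf = issue("Example Corp code signing", evil, ec_mul(SECP256K1, 0xBEEF, G), evil, evil_priv)
    return {
        "genuine/vulnerable": validate_chain(cache, genuine_root, genuine_leaf, False),
        "genuine/fixed": validate_chain(cache, genuine_root, genuine_leaf, True),
        "forged/vulnerable": validate_chain(cache, forged_root, forged_leaf, False),
        "forged/fixed": validate_chain(cache, forged_root, forged_leaf, True),
    }
```

`demo()` returns `True` for the genuine chain under both checks and for the forged chain under the vulnerable check only; the fixed check rejects it because the generator differs. A validator handling real certificates should go one step further than comparing parameters: RFC 5480 forbids explicit (`specifiedCurve`) parameters in PKIX certificates, so rejecting anything but a named curve closes this class of confusion outright.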

UK Announced it Will Not Ban Huawei in its 5G Rollout

The NCSC also announced in January that Huawei would not be prohibited from supplying equipment for the country's 5G networks. Whilst Huawei would be kept away from providing “sensitive functions” in the “core” of the network, the NCSC classed it as a “high risk vendor”, and operators would be limited to sourcing no more than 35% of their network equipment from such vendors.

The NCSC also encouraged businesses to “understand the risks properly and design their networks, support and operational systems and processes to manage those risks.” It said this would also prevent Britain’s new, high-speed networks from becoming “nationally dependent” on technology that could be problematic.

Only a matter of weeks later, it was reported that Huawei could covertly access mobile phone networks around the world through “back doors” designed for use by law enforcement, according to US officials.

Twitter API Abuse

In early February, Twitter had to take action after it was revealed that malicious actors had taken advantage of a bug in an API that matched phone numbers to user accounts. On Christmas Eve, a user had been able to use a large number of fake accounts to query the endpoint, which returned the usernames associated with submitted phone numbers.

The matching function was intended to let new users find people they already knew on the site, and it returned results for any account that had the “let people who have your phone number find you on Twitter” setting enabled and a phone number associated with it. Twitter said it observed a particularly high volume of requests from individual IP addresses located in Iran, Israel and Malaysia, and that some of these addresses may have had ties to state-sponsored actors. The flaw was closed soon after.
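The signal Twitter described, a handful of source addresses driving many fresh accounts through a contact-matching endpoint, is something a service can look for in its own request logs. The detection below is an added example, not Twitter's code; the log format, the `/contacts/match` path, the sample lines and the thresholds are all this example's own assumptions, constructed for illustration.

```python
"""Added example, not Twitter's code: spotting enumeration abuse of a contact-matching
endpoint in request logs.  The log format, the /contacts/match path, the sample lines
and the thresholds are this example's own assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    ip: str
    account: str
    submitted: int          # phone numbers uploaded in this request


# Constructed sample log: "<timestamp> <client ip> <account> <endpoint> <numbers submitted>".
SAMPLE_LOG = """\
2019-12-24T10:00:00Z 198.51.100.7 alice /contacts/match 300
2019-12-24T10:00:05Z 198.51.100.7 alice /timeline 0
2019-12-24T10:05:00Z 198.51.100.7 alice /contacts/match 250
2019-12-24T10:00:00Z 203.0.113.9 fake01 /contacts/match 1000
2019-12-24T10:00:30Z 203.0.113.9 fake02 /contacts/match 1000
2019-12-24T10:01:00Z 203.0.113.9 fake03 /contacts/match 1000
2019-12-24T10:01:30Z 203.0.113.9 fake04 /contacts/match 1000
2019-12-24T10:02:00Z 203.0.113.9 fake05 /contacts/match 1000
2019-12-24T10:00:00Z 203.0.113.44 bob /contacts/match 3000
2019-12-24T10:04:00Z 203.0.113.44 bob /contacts/match 3000
2019-12-24T10:00:00Z 192.0.2.5 carol /contacts/match 100
2019-12-24T11:00:00Z 192.0.2.5 dave /contacts/match 100
2019-12-24T12:00:00Z 192.0.2.5 erin /contacts/match 100
2019-12-24T13:00:00Z 192.0.2.5 frank /contacts/match 100
2019-12-24T14:00:00Z 192.0.2.5 grace /contacts/match 100
"""


def parse_log(text: str) -> List[Event]:
    """Keep only contact-matching requests, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, endpoint, submitted = line.split()
        if endpoint == "/contacts/match":
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, int(submitted)))
    return sorted(events, key=lambda e: e.ts)


def flag_enumeration(events: List[Event], window: timedelta = timedelta(minutes=10),
                     max_accounts: int = 5, max_numbers: int = 5000) -> Dict[str, str]:
    """Sliding window per source IP.  One address driving many distinct accounts, or
    submitting far more numbers than a real contact list holds, is the abuse signature;
    the thresholds are placeholders to tune against real traffic."""
    recent = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for ev in events:
        q = recent[ev.ip]
        q.append(ev)
        while ev.ts - q[0].ts > window:             # drop requests older than the window
            q.popleft()
        if ev.ip in flagged:
            continue
        accounts = {e.account for e in q}
        numbers = sum(e.submitted for e in q)
        if len(accounts) >= max_accounts:
            flagged[ev.ip] = f"distinct_accounts={len(accounts)}"
        elif numbers >= max_numbers:
            flagged[ev.ip] = f"numbers_submitted={numbers}"
    return flagged
```

On the sample data, `flag_enumeration(parse_log(SAMPLE_LOG))` flags 203.0.113.9 for rotating through five accounts in two minutes and 203.0.113.44 for uploading 6,000 numbers, while the slow rotation from 192.0.2.5 falls outside the window. Per-IP counting alone is a coarse first pass: the same attacker spread across many addresses needs per-account and global rate limits on the endpoint as well.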

Chinese Indictment Over Equifax Attack

The hacking of Equifax in 2017 saw over 143 million people affected, in a story that still resonates today. In terms of who was responsible, an indictment was released in late January from the Department of Justice which alleged that four members of China’s People’s Liberation Army were behind the hack.

The indictment claimed that, between May and July 2017, “the armed forces of the People’s Republic of China conspired with each other to hack into the protected computers of Equifax.” Four men, named Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, were named.

Iowa Caucus App Causes Pre-Election Headaches

With a presidential election set to take place later this year, one of the early contests was the caucus in Iowa. With COVID-19 yet to take hold in the US, the decision was made to use a mobile app to report voting totals; the app showed errors and inconsistencies in the calculation and reporting of state delegate equivalents (SDEs) at several caucus locations.

Whilst the Democrats denied that cybersecurity issues were responsible for the unprecedented delay in calculating the results of the 2020 Iowa caucuses, the app had reportedly not been properly tested at statewide scale and had been put together in only two months.

Later, another app for the Nevada caucus also encountered similar problems.

Crypto Exchange Lost “Almost All Funds” in Hack

The most-read story on Infosecurity in the first quarter of 2020 was Italian crypto exchange Altsbit suffering a massive hack, in which attackers reportedly made off with 1066 Komodo (KMD) tokens and 283,375 Verus (VRSC) coins with a combined value of $27,000.

A statement from the company said a small part of the funds were safe on cold wallets – where private keys are stored on devices that exist in an offline environment – but “almost all funds from BTC, ETH, ARRR and VRSC were stolen.”

Arrest Made Over Sale of Drugs Disguised as Sex Aids on the Dark Web

Another well-read story from Infosecurity, and proof that sex really does sell in all markets. Dipu Singh was taken into custody in February by India’s Narcotics Control Bureau (NCB), having been accused of selling psychotropic drugs, which were disguised as erectile dysfunction remedies on dark web marketplaces in exchange for cryptocurrency.

Singh was described as "a major player on the dark net," and allegedly sold illegal drugs to clients in several European countries, including Romania and Spain, and to customers in the UK and the US via dark web sites Majestic Garden and Empire Market. A total of 55,000 psychotropic tablets, which included tramadol, zolpidem and alprazolam, were seized as part of a two-month-long operation into Singh's alleged activities.
