Cyber Security News & Trends – 01-31-20

This week, SonicWall experts explain the accuracy and reach of data tracking, cyber-insurance court cases continue to heat up, and government drones are grounded for cybersecurity reasons.


SonicWall Spotlight

How Do I Love Thee, Data Privacy? Let Me Count the Ways – Forbes

  • SonicWall’s Dmitriy Ayrapetov talks data privacy with Forbes on Data Privacy Day 2020, explaining just how large, sophisticated and accurate data-tracking methods have become, even for people who have never signed up for a social media account.

A Glimpse Into What Cyber Security Has in Store in 2020 – VarIndia

  • What’s coming from SonicWall in India in 2020? SonicWall’s Debasish Mukherjee reflects on the current cybersecurity and threat landscape, noting a general downtick in ransomware in India as hackers choose more targeted attacks on larger corporations instead of scattergun approaches.

Cybersecurity News

Leaked Report Shows United Nations Suffered Hack – Washington Times

  • Hackers got into U.N. networks in Geneva last year, compromising dozens of servers and gaining access to domain administrator accounts. It is unknown how much damage was done, but espionage has been put forward as the likely motive. The U.N. says nothing confidential was compromised.

AIG Must Cover Client’s $5.9 Million in Cyber-Related Losses, Judge Rules – Cyber Scoop

  • In the latest cyber-insurance development, a judge has decided that AIG must pay out for a $5.9 million claim it had previously denied after its clients lost money through a business email compromise scam.

US Space Industry to Launch Cybersecurity Portal – InfoSecurity Magazine

  • The Space Information Sharing and Analysis Center (ISAC) is setting up an unclassified portal where companies can share and analyze information on cybersecurity threats, with the aim of protecting the space industry.

The Space Race For Secure Access Service Edge (SASE) – Forbes Technology Council

  • SonicWall partner Perimeter 81 discusses the rise of and race for Secure Access Service Edge (SASE), a security architecture designed for the challenges of a nomadic digital workforce, cloud adoption and 5G networks.

Dept. of Interior Grounds its Drones Amid Cybersecurity Concerns – TechCrunch

  • The U.S. Department of the Interior released a statement confirming that non-emergency drones were being temporarily grounded for a cybersecurity review, admitting that concerns from “foreign entities, organizations, and governments” are driving the decision.

Malware Tries to Trump Security Software With POTUS Impeachment – Bleeping Computer

  • New research has found malware using text from President Trump’s impeachment as cover in an attempt to pass itself off as “goodware.”

Dozens of Companies Have Data Dumped Online by Ransomware Ring Seeking Leverage – Ars Technica

  • The Maze ransomware ring has begun to post data from companies caught by its malware, threatening to dump huge amounts of the information if its ransom demands are not met.

And Finally

Hacker Snoops on Art Sale and Walks Away with $3.1m, Victims Fight Each Other in Court – ZDNet

  • Hackers who intercepted negotiations between an art dealer and a Dutch museum spoofed the dealer’s email account and convinced the museum to send $3.1 million to a bank account in Hong Kong. The art dealer and the museum now each blame the other side for the mistake.

In Case You Missed It

Android adware that delays its advertisements

While examining adware applications for Android, we have seen many cases where the application contains no working functionality at all. Often these apps disappear from the app drawer after execution and then bombard the device with advertisements. SonicWall Capture Labs Threat Research Team received reports of an Android adware that pairs its ad components with legitimate functionality, which fools the user into using the app while it displays ads in the background after a delay.

Infection Cycle

One of the applications we analyzed – Code QR – behaves like an ordinary QR code app. It looks and feels like a legitimate app, unlike more aggressive adware that contains no working functionality:

But shortly after execution the app contacts gamemobiledaily.xyz and sends sensitive information such as the IMEI, MAC and IP address of the device:

On examining the domain gamemobiledaily.xyz we found something interesting: via directory traversal we discovered the following folders on this domain:

This hints that there are more apps under the categories car, clock, tv and clcb that communicate with this domain. More on this later.

Advertisements On The Device

The app sends the GET request mentioned in the previous section and gets the following reply:

The interesting bit in the above exchange is the URL – hxxp://bit.ly/2rb5r74. The same link is also present locally in the shared_prefs/<package_name>.xml file:

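A small triage helper for exactly this situation, added here as an example and not part of SonicWall’s tooling: it parses an app’s shared_prefs XML, pulls out every URL, and flags links hidden behind URL shorteners or pointing at the domains named in this write-up. The shared_prefs dump below is constructed for the example; only the domain list comes from the analysis above.

```python
"""Pull URLs out of an Android app's shared_prefs XML and flag the ones worth a
second look. Added example, not SonicWall's own tooling. The XML below is
constructed; the campaign domains are the ones named in the write-up."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Domains named in the analysis above (C2 / redirect hosts of this campaign).
CAMPAIGN_DOMAINS = {"gamemobiledaily.xyz", "binggolend.xyz", "ztechcloud.com", "vnnx.net"}
# Public URL shorteners: an ad/offer link hidden behind one is a classic tell.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "is.gd"}

URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s\"'<>]+", re.IGNORECASE)

# Constructed shared_prefs dump (not the real file from the sample).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="offer_url">http://bit.ly/2rb5r74</string>
    <string name="api_host">http://gamemobiledaily.xyz/api/clock/</string>
    <long name="first_run" value="1578000000000" />
    <boolean name="icon_hidden" value="false" />
    <string name="privacy">https://www.example.com/privacy</string>
</map>
"""

def extract_urls(prefs_xml: str):
    """Return every URL found in the <string> values of a shared_prefs file."""
    root = ET.fromstring(prefs_xml)
    urls = []
    for node in root.iter("string"):
        urls.extend(URL_RE.findall(node.text or ""))
    return urls

def classify(url: str) -> str:
    """Verdict for one URL: campaign IOC, shortener, or nothing notable."""
    host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
    if host in CAMPAIGN_DOMAINS:
        return "campaign-ioc"
    if host in SHORTENERS:
        return "shortener"
    return "benign"

def triage(prefs_xml: str):
    """Map each URL to its verdict; anything not 'benign' goes to dynamic analysis."""
    return {u: classify(u) for u in extract_urls(prefs_xml)}

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_PREFS).items():
        print(f"{verdict:13} {url}")
```

The shortener check matters because the bit.ly link is what survives in the preferences file; the destination it resolves to changes over time, so the shortener itself is the stable indicator.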
On opening this link we were redirected to different sites such as ztechcloud.com and vnnx.net; we saw the same links being opened at random on the infected device at different times:

We did not see advertisements immediately, but soon full-screen advertisements began to appear on the device at regular intervals, even after the app was closed. Another interesting point is that the app icon also disappears from the app drawer only after a delay, whereas most such malware hides its icon immediately.

Some of the advertisements displayed were NSFW in nature and some were location-specific:

A Massive Network

The bit.ly URL mentioned above resolves to hxxp://binggolend.xyz/APIS/offer. The VirusTotal graph links this URL to two more URLs, one of which we were redirected to during our analysis:

The stats on bit.ly show an extremely high number of clicks for this link – 7,076,798 clicks since its creation on December 6, 2019:

This shows the massive reach of this campaign, where the link was referred to from a number of different channels, the highest being email, SMS and direct clicks:

Connected Apps

As mentioned earlier in the blog, we found that multiple apps are likely part of this campaign. On digging further we identified two more apps that belong to it:

  • Speed Racing 3D – com.racing.car3dnham
  • Big Fish – com.bigfish.clcbgames

The package names line up with the folders we discovered on the domain gamemobiledaily.xyz:

Overall this adware carries out its primary function – displaying ads – in a clever way. It lies low and performs the expected behavior initially. After some time it hides its icon and starts displaying ads in the background. This tactic gains the user’s initial trust and avoids suspicion.

SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.Adware.BT (Adware)
  • AndroidOS.HiddenApp.Ad (Adware)

Indicators of Compromise (IOCs):

    • 1250f1296c0e92112d554960d4f99710
    • 18e3acf23aa1062579b6e75d527425da
    • 8a4ae7046b293f155a5119af149ae8cf

Maze Ransomware that contains a maze of code

SonicWall Capture Labs Threat Research team detected a variant of Maze ransomware that uses an anti-debugging technique which, although well documented, is worth walking through.

The sample is distributed as a DLL file. Encrypted data and code are decrypted in several layers at runtime to recover the original data and code. Strings such as “dllisaweapon123” and “justanonce12345” are also assembled in memory.

A thread is created which parses the PEB and uses a hashing mechanism to resolve APIs. Now the interesting part begins: the address of ntdll!DbgUiRemoteBreakin is retrieved, and its prologue is patched with a RET instruction.

As per documentation available in the public domain:
“A debugger attaches to a process with the DebugActiveProcess API, which creates a thread in the debuggee; then the DbgUiRemoteBreakin() API is called to debug the process.”
By patching DbgUiRemoteBreakin, the malware ensures that this remote thread returns immediately instead of raising the breakpoint exception the debugger waits for, so the running process cannot be attached to cleanly. Note that this only defeats attaching to an already running process; launching the sample under a debugger from the start, or restoring the original bytes before attaching, bypasses it.

It also contains other anti-analysis code to check whether it is executing inside a controlled environment.

It enumerates running processes, computes a hash of each process name and compares it against a list of hashes belonging to monitoring tools such as procmon. If a hash matches, the process is terminated.

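When a sample compares hashes instead of strings, the analyst’s job is to resolve those hash constants back to names. The block below is an added example of that workflow, not the malware’s own code. The ROR-13 routine is an assumption used for illustration: the write-up does not give Maze’s actual hash function, so in practice you lift it from the binary and drop it into name_hash(). The candidate names are likewise constructed.

```python
"""Resolve hashed process/API names the way an analyst does for a sample like
this Maze variant. Added example, not the malware's code. ASSUMPTION: ROR-13 is
a stand-in for the sample's real hash routine."""

def name_hash(name: str) -> int:
    """ROR-13 accumulate over the lower-cased name, 32-bit. Illustrative only."""
    h = 0
    for b in name.lower().encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h

# Candidate names fed in by the analyst: monitoring-tool process names of the
# kind the write-up mentions, plus a few APIs. Extend with full export lists
# (ntdll, kernel32) when resolving API hashes.
CANDIDATES = [
    "procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe",
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "windbg.exe", "wireshark.exe",
    "DbgUiRemoteBreakin", "DebugActiveProcess", "NtQueryInformationProcess",
]

def build_table(names):
    """Precompute hash -> name so constants pulled from the binary can be looked up."""
    return {name_hash(n): n for n in names}

def resolve(constants, table):
    """Map hash constants found in the sample back to names; unknown ones stay None."""
    return {c: table.get(c) for c in constants}

def blocklisted_processes(running, blocklist_hashes):
    """Mirror of the malware's check: hash each running process name and report
    the ones matching its hash list (the processes it then reacts to)."""
    return [p for p in running if name_hash(p) in blocklist_hashes]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Pretend these constants were pulled from the sample's compare list.
    constants = [name_hash("procmon.exe"), name_hash("x64dbg.exe"), 0xDEADBEEF]
    print(resolve(constants, table))
    print(blocklisted_processes(["explorer.exe", "Procmon.exe", "notepad.exe"], set(constants)))
```

Lower-casing before hashing is a detail to confirm in the binary: if the sample hashes the name as reported by the process enumeration API, renaming procmon.exe to Procmon.exe would already escape a case-sensitive compare.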
Then it begins to encrypt files. Unlike most ransomware, which appends a fixed string to the file name, Maze adds a random string. In each folder where files have been encrypted, a file named “DECRYPT-FILES.txt” is dropped, containing the ransom note and the instructions to be followed to recover the original files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Maze.RSM_7 (Trojan)

This threat is also detected by SonicWall Capture ATP.

Fake Antivirus apps on Google Play flag themselves as risky

Google Play hosts a plethora of different types of apps. One popular type is antivirus (AV) for the device. Searching for ‘antivirus’ on Google Play gives upwards of 200 results:

But can all these apps be trusted with securing your device?

A few months back there was an interesting find about fake antivirus apps for Android. The SonicWall Threats Research Team has identified fresh apps on Google Play (at the time of our analysis) that exhibit similar behavior.

During our analysis we identified the following fake AV apps on Google Play (at the time of writing this blog):

Fake Scans

As each of the above apps claims to be an antivirus app, we ran a scan of our device with each of them. Every app showed a scan result page that seems to follow a common design pattern:

The apps find a few similar security issues on the device; upon inspecting the code, the reason for this similarity becomes clear.

These AV apps consult a few .json files from the assets folder to determine the risk level of applications on the device. The following JSON files are used:

  • Permissions.json – a list of permissions, each with a rating. Based on which permissions an application requests, a risk score is assigned:

  • BlackListActivities.json – a list of package names; if any of them appear among an application’s activities, the application is deemed risky:

  • BlackListPackages.json – if any package listed in this file is present on the device, it is deemed risky:

  • WhiteList.json – a list of package names; an application whose package name matches one of these is automatically considered safe:

All four apps mentioned in this blog contain the same JSON files listed above:

Suspicious Network Activity

During the analysis of these apps, a few of them started showing full-screen ads during execution:

One of the apps communicates with the domain onesignal.com, which VirusTotal associates with apps that have detections; the VT graph below highlights this. Note, however, that OneSignal is a widely used push-notification SDK, so an association with flagged apps is weak evidence on its own.

Flawed Approach

These apps take a very simplistic approach to security, as most of the parameters used to compute a risk score are not reliable:

  • Package names can be chosen freely. As a result, a malicious app that uses a package name present in whitelist.json will not be considered malicious
  • Permissions alone cannot determine whether an application is malicious. Most of the permissions in permissions.json are used by clean applications as well

Probably the biggest irony of these antivirus apps is that they flag themselves as ‘Medium Risk’/’High Risk’ because their own package names are not in the whitelist file:

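To make the flaw concrete, here is the scoring scheme reimplemented in Python as an added example (not the apps’ own code): whitelist prefix wins, blacklist loses, otherwise permissions are summed. The JSON contents, the score thresholds and the device inventory are all constructed for the example; the real Permissions.json, BlackListPackages.json and WhiteList.json ship in the apps’ assets folder and their entries are not reproduced above. The activity blacklist is left out for brevity. Run it and the scanner flags itself while a malicious package that picked a whitelisted prefix sails through.

```python
"""Risk scoring of the fake AV apps, reimplemented so the weakness is plain.
Added example, not the apps' code. JSON blobs, thresholds and the sample app
inventory are constructed for this example."""
import json

PERMISSIONS_JSON = json.dumps({            # permission -> weight (constructed)
    "android.permission.INTERNET": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,
    "android.permission.READ_CONTACTS": 3,
    "android.permission.SEND_SMS": 5,
})
BLACKLIST_PACKAGES_JSON = json.dumps(["com.example.knownbad"])
WHITELIST_JSON = json.dumps(["com.android.", "com.google.android."])

def risk_level(app, weights, blacklist, whitelist):
    """Whitelist prefix match wins outright, then blacklist, then a weighted
    sum of requested permissions. Thresholds are assumptions."""
    pkg = app["package"]
    if any(pkg.startswith(prefix) for prefix in whitelist):
        return "Safe"                       # never looks at behaviour or permissions
    if pkg in blacklist:
        return "High Risk"
    score = sum(weights.get(p, 0) for p in app["permissions"])
    if score >= 5:
        return "High Risk"
    if score >= 3:
        return "Medium Risk"
    return "Low Risk"

def scan(apps):
    """Verdict per package, the way the apps' scan result page would show it."""
    weights = json.loads(PERMISSIONS_JSON)
    blacklist = set(json.loads(BLACKLIST_PACKAGES_JSON))
    whitelist = json.loads(WHITELIST_JSON)
    return {a["package"]: risk_level(a, weights, blacklist, whitelist) for a in apps}

# Constructed inventory: the scanner itself, malware hiding behind a whitelisted
# prefix, a blacklisted package, and a harmless flashlight app.
SAMPLE_APPS = [
    {"package": "com.fakeav.scanner",
     "permissions": ["android.permission.INTERNET",
                     "android.permission.READ_CONTACTS",
                     "android.permission.RECEIVE_BOOT_COMPLETED"]},
    {"package": "com.google.android.notreallygoogle",    # chosen to match the whitelist
     "permissions": ["android.permission.SEND_SMS",
                     "android.permission.READ_CONTACTS"]},
    {"package": "com.example.knownbad", "permissions": []},
    {"package": "com.example.flashlight",
     "permissions": ["android.permission.INTERNET"]},
]

if __name__ == "__main__":
    for pkg, verdict in scan(SAMPLE_APPS).items():
        print(f"{verdict:12} {pkg}")
```

A real engine would key trust on the signing certificate rather than the package name prefix, since the certificate is what an impostor cannot copy.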
Common Elements

Along with the detection-related assets, most of the .json files discussed in this blog are common to all of the fake AV apps we saw. This suggests the app creators are reusing common code.

The Real Danger

Even though the apps discussed in this blog are not malicious in nature, they do something dangerous: they give users a false sense of security. Users feel secure once they install these antivirus apps, but the apps do not actively protect them; they simply rely on a static .json file to identify potentially dangerous apps. This sentiment can be seen in a review for one of these apps:

Rather than downloading such dubious apps, we urge readers to take some precautions when downloading security-related apps:

  • Install security-related apps from reputable companies with an established presence in the security field
  • Reading reviews helps in identifying potentially harmful or fake apps. A few reviews of the apps listed above do not inspire confidence:

But sadly, based on the stats on Google Play, a large number of users have already downloaded these apps:

SonicWall Capture Labs provides protection against these threats with the following signature:

  • GAV: AndroidOS.FakeAV.JS

Indicators of Compromise (IOCs):

  • fd6ae5a3d73d9f13c2a88934d4af9a90
  • 73107da87705c19c7ca8873f04323c6b
  • 816f496a67c9d00837ce5d7140abde4f
  • 8476aa9e1887fadd03a1df0a608d5877
  • 4b1728bb946863e1d2e916f5c6b90ab9
  • 714d036cd152d84caeb975e7e49a2bc9
  • 76dc8ad67c36650fd6da158ebf226567
  • 69a9610d8a9bd569f6795090a2b9fbff
  • ca1239ddc7a672919f606d770c07ab27
  • 9f91b53fad1572cef861eb2fe8ce5dcf
  • a04a913cd59833da915c2f44a05e5866
  • 1378680364d963b3af9bae44d61a838c

Citrix NetScaler ADC/Gateway Directory Traversal Vulnerability

A directory traversal vulnerability exists in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway (CVE-2019-19781). This vulnerability is being exploited in the wild.

An unauthenticated remote attacker can exploit this vulnerability to access sensitive files and, from there, achieve arbitrary code execution.

What is Directory Traversal attack?

Directory traversal, or path traversal, is an attack against web applications that lets an attacker reach files and directories stored outside the web root folder. By manipulating input that references files with “dot-dot-slash (../)” sequences (or their encoded variants) or with absolute file paths, it may be possible to read arbitrary files on the file system, including application source code, configuration files and critical system files. Traversal on its own only exposes files; it turns into code execution when the same flaw lets the attacker reach or write a file that the server will later execute.

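The pattern in miniature, as an added example unrelated to Citrix’s implementation: a naive file handler that joins the client-supplied path straight onto the web root, beside a hardened one that decodes once, canonicalises, and then refuses anything that no longer sits under the root. The web root, file names and contents are constructed in a temporary directory.

```python
"""Path traversal: vulnerable handler beside a hardened one. Added example, not
Citrix code; the file tree is constructed in a temp directory."""
import os
import tempfile
from urllib.parse import unquote

def serve_naive(web_root, requested):
    """Vulnerable: joins whatever the client sent, so '../' escapes web_root."""
    path = os.path.join(web_root, unquote(requested).lstrip("/"))
    with open(path) as f:
        return f.read()

def serve_hardened(web_root, requested):
    """Decode once, canonicalise (resolves '..' and symlinks), then require the
    result to still be under the web root before touching the filesystem."""
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, unquote(requested).lstrip("/")))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"traversal blocked: {requested}")
    with open(path) as f:
        return f.read()

def demo():
    """Throwaway tree: <tmp>/www/index.html inside the root, <tmp>/smb.conf outside."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("hello")
    with open(os.path.join(base, "smb.conf"), "w") as f:
        f.write("[global]\n")
    leaked = serve_naive(root, "/../smb.conf")            # file outside the root is read
    try:
        serve_hardened(root, "/%2e%2e/smb.conf")          # encoded '..' decoded, then rejected
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, serve_hardened(root, "/index.html")

if __name__ == "__main__":
    print(demo())
```

Two details matter in the hardened version: the check runs on the canonical path, not on the raw string (so “..%2f” and symlink tricks are covered), and decoding happens exactly once, since decoding twice reopens the door to double-encoded sequences.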
Citrix Directory Traversal

Citrix ADC is an application delivery and load balancing solution for web, traditional and cloud-native applications, regardless of where they are hosted. It also provides web application acceleration and gateway (VPN) functionality. Citrix ADC and Gateway are accessed primarily via HTTPS on port 443/TCP.

The vulnerability is caused by insufficient sanitization of request paths on the Citrix ADC, which lets “../” sequences through; an attacker can use this to access sensitive files, and it can be chained to remote code execution.

SonicWall Capture Labs observed attack attempts trying to read the sensitive file smb.conf.

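For defenders who want to find probes like the smb.conf requests above in their own logs, here is a log-side check added as an example (not a SonicWall signature). It keys on the indicator Citrix’s interim responder-policy mitigation used: a decoded request URL that contains “/vpns/” together with “/../”. The log lines are constructed for the example in a generic combined-log layout, which is not the ADC’s own httpaccess.log format.

```python
"""Find CVE-2019-19781 traversal probes in web logs. Added example, not a
SonicWall signature. Log lines are constructed (RFC 5737 documentation
addresses, generic combined-log layout)."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def normalize(url: str) -> str:
    """Decode twice so %2e%2e and double-encoded %252e variants collapse to '..'.
    Aggressive on purpose: this is detection, not access control."""
    return unquote(unquote(url)).lower()

def is_traversal_attempt(url: str) -> bool:
    u = normalize(url)
    return "/vpns/" in u and "/../" in u

def scan(lines):
    """(client, method, url, status) for every matching request. A 200 on one of
    these means the appliance answered the probe; 403 suggests the mitigation held."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["url"]):
            hits.append((m["ip"], m["method"], m["url"], m["status"]))
    return hits

# Constructed log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jan/2020:03:15:21 +0000] "GET /vpn/%2E%2E/vpns/cfg/smb.conf HTTP/1.1" 403 0',
    '198.51.100.9 - - [11/Jan/2020:03:16:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [11/Jan/2020:03:16:40 +0000] "GET /vpn/..%252fvpns/cfg/smb.conf HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Treat any 200 response to such a request as a likely compromise rather than a blocked attempt, and look at the same client’s follow-up requests.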
A public PoC is available. The following figure shows how an attacker can use this vulnerability to gain access to files on a victim’s appliance and possibly execute arbitrary code. Citrix has published mitigation steps and a workaround, and has since released patches for this vulnerability.

The packet capture looks like this:

Threat Graph:

IoCs:

5.101.0.209
74.63.250.6

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures:

  • IPS 14710 Citrix NetScaler ADC/Gateway Directory Traversal 1
  • IPS 14725 Citrix NetScaler ADC/Gateway Directory Traversal 2

Fake Windows Update serves a fake Windows Media Player with a side of cryptominer

This week, the SonicWall Capture Labs Threat Research Team came across another cryptominer that pretends to be a media player and even loads a WAV file to hide its real intent.

Infection Cycle:

This Trojan comes in an archive file that purports to be a Windows Update component. Within the archive file are the following files:

  • mstcss.exe
  • config.json
  • song.wav

The executable file mstcss.exe carries file properties that make it look like Windows Media Player:

Upon execution it loads the WAV file, which plays instrumental music.

Then it reads the config.json file which has the settings for mining cryptocurrency.

It creates a log file in the following directory:

  • \Program Files\Windows Update\log.dat

The Trojan then proceeds to connect to the mining server.

Activities are then logged to the log.dat file and may look like this:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: XMRig.MP (Trojan)
  • GAV: Miner.XM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 01-24-20

This week, SonicWall talks protecting non-profits, new cybercrime laws are proposed, and old cybercrime laws are criticized.


SonicWall Spotlight

Don’t Let Cyber Hygiene Become an Afterthought – Nonprofit Technology News

  • With most of the big headlines concentrating on breaches and cyberattacks on large companies, SonicWall CEO Bill Conner, writing in Nonprofit Technology News, reminds us that cybercriminals know that SMBs and smaller non-profits often do not budget adequately for cybersecurity and can leave themselves open.

The Big Picture: SonicWall Sets Sights on the Enterprise Market – Tahawultech

  • SonicWall’s Terry Greer-King sits down with Security Advisor ME to discuss the history of SonicWall, personal highlights in the company so far, and what the future holds.

Cybersecurity News

Cyberattack on a Major Bank Would Have Ripple Effect: Study – BankInfoSecurity

  • A new study, Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, has found that if a cyberattack disrupting money transfers was successfully carried out on any of the five most active U.S. banks, there would be huge, rippling damage to the financial network in general.

Analysis Ties Hacking of Bezos’ Phone to Saudi Leader’s Account – New York Times

  • A forensic analysis of Jeff Bezos’ cellphone has found with “medium to high confidence” that the Amazon chief’s device was hacked after he received a video from a WhatsApp account reportedly belonging to Crown Prince Mohammed bin Salman of Saudi Arabia.

Secret Service to Launch Private-Sector Cybercrime Council – Cyberscoop

  • The United States Secret Service has recently hand-picked a small group of private-sector cybersecurity experts to advise the agency’s investigations team on how it can better take down cybercriminals. Members were selected to represent a wide array of experiences including law enforcement, computer scientists, network security, malware, ransomware, identity theft and more.

Cybercrime Laws Need Urgent Reform to Protect UK, Says Report – The Guardian

  • A new report in the UK has found that the current cybercrime laws, dating back to 1990, are not fit for purpose and “crying out for reform.” As it stands, the act exposes cybersecurity professionals to prosecution for carrying out intelligence research against cybercriminals and foreign state actors.

US Could Appoint a Cybersecurity Leader for Each State – InfoSecurity Magazine

  • US Legislators are proposing the Cybersecurity State Coordinator Act of 2020, which would improve intelligence sharing between state and federal governments and appoint an employee in each state to serve as cybersecurity state coordinator.

GDPR: 160,000 Data Breaches Reported Already, so Expect the Big Fines to Follow – ZDNet

  • It has been 18 months since the GDPR came into force, but there is no sign of breach notifications slowing; in fact they are rising, with an average of 278 per day.

And Finally

Euro Cup and Olympics Ticket Reseller Hit by MageCart – Bleeping Computer

  • Magecart continues its reign of terror as an Olympics and Euro Cup ticketing reseller site is the latest to be infected by the card skimmer.

In Case You Missed It

New version of Cryakl Ransomware demands $10k for file decryption

The SonicWall Capture Labs Threat Research team has observed a newly released version of Cryakl ransomware. First seen in early 2014 spreading via email, Cryakl works like most ransomware by encrypting files and demanding a ransom for their return. However, the malware requires the victim to contact its operators via email in order to find out the ransom amount. This method also gives the victim the opportunity to upload test files for decryption verification and, in some cases, even negotiate the price for file restoration.

Infection Cycle:

Upon execution, the malware copies itself to %AppData%\Local\Temp\svclaa and attempts to execute itself again. This triggers the following User Account Control prompt:

The malware proceeds to encrypt files on the system. Once this is complete, the following dialog is shown:

Files with the following extensions are skipped during encryption: bat, bmp, log, ini, dll, sys

The malware drops the following files onto the system:

  • %AppData%\Local\Temp\svclaa.exe (copy of original) [Detected by: GAV: Cryakl.RSM (Trojan)]
  • how_to_decrypt.hta (to every directory containing encrypted files)

The malware writes the following keys to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1955573571 “%AppData%\Local\Temp\svclaa.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1955573571hta “%AppData%\Local\Temp\how_to_decrypt.hta”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 882149 “882149”

Encrypted files are given the following infection markers:

The malware then invokes schtasks.exe with the following arguments; the resulting one-shot tasks run as SYSTEM and delete system backups and shadow copies and disable Windows recovery:

/Create /RU SYSTEM /SC ONCE /TN VssDataRestore /F /RL HIGHEST /TR "vssadmin delete shadows /all /quiet" /st 00:00
/Run /tn VssDataRestore
/Create /RU SYSTEM /SC ONCE /TN WBadminSystemRestore /F /RL HIGHEST /TR "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0" /st 00:00
/Run /tn WBadminSystemRestore
/Create /RU SYSTEM /SC ONCE /TN WBadminBackupRestore /F /RL HIGHEST /TR "wbadmin DELETE BACKUP -keepVersions:0" /st 00:00
/Run /tn WBadminBackupRestore
/Create /RU SYSTEM /SC ONCE /TN WMICRestore /F /RL HIGHEST /TR "wmic SHADOWCOPY DELETE" /st 00:00
/Run /tn WMICRestore
/Create /RU SYSTEM /SC ONCE /TN BCRecover /F /RL HIGHEST /TR "bcdedit /set {default} recoveryenabled No" /st 00:00
/Run /tn BCRecover
/Create /RU SYSTEM /SC ONCE /TN BCBoot /F /RL HIGHEST /TR "bcdedit /set {default} bootstatuspolicy ignoreallfailures" /st 00:00
/Run /tn BCBoot
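Detection for this step is mostly command-line inspection, and the scheduled-task wrapper is the part that is easy to miss: the destructive command sits inside the schtasks /TR argument rather than in its own process. The block below is an added example (not a SonicWall signature) that runs a few such rules over constructed process-creation records, with fields loosely modelled on Sysmon event 1; every path and command line in it is constructed, including the ones copied in shape from the listing above.

```python
"""Flag backup/shadow-copy destruction in process-creation records, including
commands wrapped in a schtasks /TR argument. Added example, not a SonicWall
signature; all records below are constructed."""
import re

# (rule name, pattern over the command line). Covers the commands the
# ransomware schedules above plus the obvious spelling variants.
RULES = [
    ("shadow-copy-delete",    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-delete",    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup-catalog-delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|backup|catalog)", re.I)),
    ("recovery-disable",      re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("recovery-disable",      re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]
# The ransomware wraps each command in a scheduled task, so pull the payload
# out of schtasks' /TR argument and test it as well.
SCHTASKS_TR = re.compile(r'schtasks(\.exe)?\s+/create\b.*?/tr\s+"(?P<payload>[^"]+)"', re.I)

def classify(cmdline: str) -> set:
    """Rule names that fire on a command line, looking inside a schtasks /TR
    payload as well as at the bare command."""
    targets = [cmdline]
    m = SCHTASKS_TR.search(cmdline)
    if m:
        targets.append(m["payload"])
    fired = {name for name, pat in RULES if any(pat.search(t) for t in targets)}
    if fired and m and re.search(r"/ru\s+system\b", cmdline, re.I):
        fired.add("scheduled-as-system")      # the privilege-escalation wrapper
    return fired

def scan(events):
    """(parent image, sorted rule names) for each event that fires a rule."""
    hits = []
    for e in events:
        fired = classify(e["CommandLine"])
        if fired:
            hits.append((e["ParentImage"], sorted(fired)))
    return hits

DROPPER = r"C:\Users\victim\AppData\Local\Temp\svclaa.exe"   # constructed path
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": DROPPER,
     "CommandLine": 'schtasks.exe /Create /RU SYSTEM /SC ONCE /TN VssDataRestore /F /RL HIGHEST '
                    '/TR "vssadmin delete shadows /all /quiet" /st 00:00'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": DROPPER,
     "CommandLine": 'schtasks.exe /Create /RU SYSTEM /SC ONCE /TN BCRecover /F /RL HIGHEST '
                    '/TR "bcdedit /set {default} recoveryenabled No" /st 00:00'},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'schtasks.exe /Create /TN NightlyBackup /TR "wbadmin start backup -backupTarget:E:" /SC DAILY /ST 23:00'},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for parent, rules in scan(SAMPLE_EVENTS):
        print(parent, rules)
```

Administrators do run vssadmin and wbadmin by hand, so the parent process is the useful discriminator: a task-creating binary whose parent lives under a user’s Temp directory is far more suspicious than one spawned from an admin’s console.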

No ransom payment method is mentioned in the dialog shown when the malware runs. Instead, the victim is directed to communicate via email in order to find out how to restore encrypted files. We had the following conversation via email with the operator, who revealed that the cost for file restoration is $10,000 USD in bitcoin:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Cryakl.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cyber Security News & Trends – 01-17-20

This week, SonicWall experts explain why the Dustman attack likely originates from Iran, Microsoft patches a major Windows ECC certificate-validation flaw reported by the NSA, and Emotet makes a return after a holiday-season break.


SonicWall Spotlight

Security Advisor January 2020 – Tahawultech

  • SonicWall’s VP for EMEA Sales, Terry Greer-King, sits down with Security Advisor Middle East, and sheds some light on how SonicWall has become a major cybersecurity player in the Enterprise space with a “direct touch” approach and unrivaled security innovations.

The US is Worried about Iran Retaliating with a Cyberattack – Vox

  • As tensions between the US and Iran simmered in recent days, eyes have turned to Iran’s arsenal of cyberattack capabilities. Speaking to Vox, SonicWall CEO Bill Conner stresses that American businesses must use the situation to bolster their cyberdefenses.

Dustman Attack Underscores Iran’s Cyber Capabilities – Dark Reading

  • Malware known as Dustman hit Bahrain’s national oil company in a cyberattack in late December. SonicWall’s Dmitriy Ayrapetov explains to Dark Reading why an Iran-backed group is the likely source as investigators examine the attack.

Landry’s Malware Attack Highlights Need for Stronger Data Security – Channel Futures

  • SonicWall CEO Bill Conner explains to Channel Futures that the recent attack on Landry’s is just one of several attacks that should not even be happening because large companies have the budget to afford the best in cybersecurity.

Cybersecurity News

Cybersecurity Threats Call for a Global Response – IMF Blog

  • The International Monetary Fund calls for a unified worldwide response to cyberthreats, listing four areas where the international community can come together to work better – understanding of the risks; improving collaboration; consistent regulatory approaches, and being ready for cyberattacks when they do happen.

60% of US politicians haven’t upgraded their cybersecurity since 2016 – MIT Technology Review

  • Despite controversy over alleged cyberattacks in the 2016 US Presidential campaign, a new poll of 500 high-risk users found that 60% of them have not upgraded their cybersecurity in the intervening years.

Proof-of-Concept Exploits Published for the Microsoft-NSA Crypto bug – ZDNet

  • Microsoft released a security update this week that includes a fix to a dangerous bug discovered and reported to them by the NSA. With the bug being described as “seriously, seriously bad” it only took 48 hours for two proof-of-concept exploits for the vulnerability to be published.

Unprotected Medical Systems Expose Data on Millions of Patients – SecurityWeek

  • New research and analysis has found that hundreds of internet-connected and unprotected medical imaging systems worldwide are exposing data of millions of patients. The most badly affected country is the USA where over 800 institutions have been exposed.

Renewed Emotet Phishing Activity Targets UN, Government and Military Users – SC Magazine

  • After a massive drop in attacks in December 2019, the Emotet botnet and banking trojan renewed its activity in January 2020, launching a large phishing campaign targeting high-profile organizations such as the United Nations.

In Case You Missed It

The Worst Cyberattacks and Data Breaches of 2019

Put your email address into the have i been pwned? website and see what results you get. How secure do you feel? By 2020, it is safe to assume that most people with an online presence have had at least some of their Personally Identifiable Information (PII) compromised in a data breach.

SonicWall has been tracking and reporting on major data breaches throughout 2019, and we have compiled a list not necessarily of the biggest cyberattacks and data breaches of 2019, but of the ones with the worst overall impact, which gives us insight into where cyberattacks are heading in 2020.

Notable cyberattacks of 2019

Quest Diagnostics

Breaches that result in the loss of medical data can be especially damaging because of the highly personal information involved, whether that is the medical records themselves or identifying data such as Social Security numbers that could help a cybercriminal carry out identity theft or even blackmail. With this in mind, 2019 unfortunately set breach records in this category, with the biggest single breach likely being Quest Diagnostics, where 11.9 million patients were affected. Data taken included credit card numbers, medical information and personally identifiable data, though, as a small consolation, lab results were not included.

Fortnite

The gaming industry is now bigger than both the entire music industry and Hollywood combined, making it a prime target for cybercriminals. It should come as no surprise then that cyberattackers would aim squarely for one of the biggest games on the planet.

In January 2019, a vulnerability found in Fortnite’s login system allowed hackers to impersonate real players, including viewing chat logs and other in-game details. More worryingly, the vulnerability allowed malicious users to purchase in-game currency using credit cards on file. This currency could then be siphoned off to other, legitimate, accounts — essentially money-laundering.

It is unclear how many accounts were affected, but considering there were over 80 million people logging in to Fortnite a week at the time the vulnerability was discovered, the number of players impacted is potentially huge. The vulnerability was quickly fixed, but a class-action lawsuit was launched in August, the same month that ransomware was distributed disguised as a Fortnite cheat tool.

The Fortnite vulnerabilities serve as a warning to gamers and the wider gaming industry: you are a target.

US Customs and Border Protection

When U.S. Customs and Border Protection officials announced in June that a federal subcontractor had been hacked, 100,000 travelers joined the ranks of people who have had their personal information and photos exposed. The hack included a large cache of license-plate images, often including the driver’s face. The incident stands out as one of the more distinctive cyberattacks on U.S. public institutions in 2019, a year in which the most high-profile attacks were a coordinated wave of ransomware attacks that hit 22 local governments in Texas in August, temporarily disrupting municipal services.

Capital One

Over 100 million Americans and 6 million Canadians were affected by the Capital One data breach, where the data taken stretched from 2019 all the way back to 2005. Names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income were taken in most cases. In addition, 140,000 Social Security numbers, 80,000 linked bank account numbers and 1 million Canadian Social Insurance numbers were all stolen. One estimate of the damage to the financial giant put the cost of the data breach at more than $300 million.

Facebook

As one of the most ubiquitous and data-packed websites on the internet, Facebook is under constant scrutiny. In April and September of 2019, two privacy lapses were discovered that exposed the personal information of around 2 million Facebook users, including phone numbers and passwords. Neither of these events was the result of a cyberattack; both were discovered by security researchers looking for weaknesses in Facebook’s web infrastructure. In December, Facebook again made the headlines when security researcher Bob Diachenko discovered an exposed database containing the names, phone numbers and Facebook IDs of more than 267 million users. In this case, the data had already been posted to a hacker forum for download before the hosting provider could remove access.

Magecart

Magecart makes our list as one of the most widely distributed attacks of 2019. A recent count of active Magecart infections puts the skimmer on over 18,000 website hosts, remarkable considering it has been around in one form or another for nearly a decade. Magecart is a supply-chain attack that hijacks the checkout process on websites as users place orders, stealing payment card details as the order is processed. Major breaches attributed to Magecart have included British Airways, Ticketmaster UK and Newegg.com (all disclosed in 2018) and, more recently, even the Sesame Street store.

Looking to 2020

As demonstrated throughout 2019, “cyberattack” and “data breach” are broad terms covering a huge range of activities, from poorly maintained databases found exposed online to well-oiled criminal enterprises selling their capabilities as a service. The data indicates that these events are not going to go away any time soon and cybersecurity needs to continue to be a top priority for businesses and organizations everywhere.

As 2020 starts and tensions between the U.S. and Iran have ratcheted up to a fever pitch, security researchers are highlighting the likelihood of cyberwarfare increasingly being used as an instrument of foreign policy. From disrupting elections to attacks on power grids and ransomware attacks targeting government agencies, cybersecurity is firmly establishing itself as the central concern for organizations everywhere.

SonicWall protects organizations from cyberattacks

The growing complexity of attack tactics and increasing areas of vulnerability mean that security professionals can no longer view insider threats and traditional phishing attacks as the primary attack vector for data compromise. Every organization needs to have a layered, defense-in-depth approach, something SonicWall can help with through our automated real-time breach detection and prevention platform.

Some general best practices include:

  • Ensure your cybersecurity strategy is scaled across wired, wireless, cloud and mobile networks, where applicable
  • Leverage next-generation firewalls to mitigate advanced cyber threats
  • Layer cybersecurity controls with cloud sandboxing, such as SonicWall Capture ATP
  • Secure your data in the cloud and protect SaaS environments using SonicWall Cloud App Security
  • Deploy email security controls to help identify and block phishing attempts
  • Map network data to understand what’s most valuable

There is no question that our list of the worst cyberattacks and data breaches of 2019 tells a dismal story of a rapidly expanding cyber threat landscape. However, by assessing your business’s cybersecurity strategy, ensuring you have a layered approach in place, and improving overall security behavior, it is possible to protect your business from most data breaches.