The scariest security horror stories of 2020

A young man looking at a laptop screen with his hands over his face in shock

The last 12 months have been utterly chaotic for both IT professionals and businesses, and this seemingly endless uncertainty has provided a prime opportunity for cyber criminals to wreak havoc across the globe. From COVID-19-themed phishing exercises to state-backed operations against vaccine research, the security landscape has shifted in a number of unusual and unexpected ways.

The combination of COVID-inspired attacks, numerous major data breaches and evolving trends makes distilling this year’s security highlights all the more tricky. As the dust settles on 2020, however, we can identify a number of emerging themes in cyber security, and we’ve rounded up the most significant incidents that caught our eye over the past 12 months.

Travelex crippled by ransomware

The year really started with a bang as Travelex found its systems compromised by a ransomware attack courtesy of the Sodinokibi cyber gang. Details of the incident were scarce at first, with the company claiming in a statement that it shut down all its systems as a precaution while it contended with the “computer virus” that had infiltrated its networks.

The incident meant its currency exchange services were knocked offline, and customers were unable to access their money while abroad, though it also had implications for Travelex’s corporate partners. The likes of HSBC and Virgin Money, for example, found themselves unable to exchange currency due to their reliance on the firm’s platform.

Only several months later did the wider details and context around the incident begin to emerge. First, we learned the nature of the attack was indeed ransomware, but reports then revealed that Travelex paid the attackers $2.3 million in Bitcoin in order to regain access to its networks. This is something the security community and law enforcement generally advise against. We also learned that the attackers exploited two unpatched software flaws to gain a foothold in the Travelex corporate network, for which fixes were available.

The Zerologon vulnerability

Widely considered the most frightening vulnerability of 2020, Zerologon sparked the US Cybersecurity and Infrastructure Security Agency (CISA) to consciously direct all US agencies to patch their server systems immediately.

Rated a maximum 10.0 on the CVSS severity scale, Zerologon is a critical flaw in Windows Server that allows attackers to compromise an Active Directory domain controller and grant themselves administrative privileges. The flaw lay in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory, and attackers would only need to to set up TCP connections with a vulnerable domain controller. They wouldn’t require any domain credentials, and the vulnerability can be exploited to completely compromise all Active Directory identity services. Following glaring warnings, Microsoft confirmed that hackers were indeed exploiting Zerologon in the wild, suggesting that exploits for the flaw had been incorporated into attackers’ playbooks.

The flaw became renowned within the security community as an example of an issue which, while widely reported, became lost in a constant flow of security news and updates, according to Glasswall’s CTO and CISO Dinis Cruz.

“If you look at the impact, it’s one of the most insane vulnerabilities we’ve had for a while. That’s zero to a hundred in literally seconds,” he said at a security roundtable hosted by Redscan. The event was also attended by the firm’s head of threat intelligence George Glass, curator of technology and engineering at the Science Museum Dr Liz Bruton, and the security researcher who originally disclosed the Zerologon flaw, Tom Tervoort.

“As soon as you hit the domain controller you become the main admin; it doesn’t get worse than that,” Cruz added. “If there’s one that everybody should have gone ‘big red button’, it’s this one, but I don’t think we did. Some people patched it, but the fact that there’s still a lot of places that are vulnerable to this shows that I don’t think it’s being taken with the level of seriousness that it should be.”

The COVID-19 Supremacy

The most significant change for many businesses during 2020 has been office closures leading to a massive shift to remote working patterns. Beyond vastly changing our working habits and threatening to disrupt the work-life balance, this has also posed a massive headache for IT teams. Not only did IT estates become vastly more spread-out and difficult to manage, but it required a hearty effort to prime workers with the necessary tools and equipment to do their jobs remotely, such as laptops, collaboration tools and virtual private networks (VPNs).

Research has confirmed as much, and IT professionals report that cyber security is far more important now than ever before, with secure access posing the biggest challenge when supporting remote workers. This is particularly worrying because the shift has coincided with a staggering 220% surge in phishing attacks over the past few months, according to cyber security researchers. Contact tracing apps, too, have been exploited by scammers hoping to dupe users into handing over personal information.

However, this may pale in comparison to reports of state-backed hackers working to actively disrupt COVID-19 vaccine development efforts. Microsoft, for example, flagged “unconscionable” attacks by North Korean and Russian groups in November, with various attackers targeting research organisations and pharmaceutical companies.

More recently, hackers accessed documents relating to the Pfizer/BioNTech vaccine in a cyber attack against the European Medicines Agency. This, incidentally, was reported just days after IBM revealed a global phishing campaign was targeting organisations working to ensure the temperature-controlled storage and transportation of COVID-19 vaccine. We’d expect such incidents and attacks to seriously ramp up as we move into 2021 and vaccines become more readily manufactured and distributed.

Teens compromise high-profile Twitter accounts

In what was clearly a gigantic scam, the Twitter accounts of Barack Obama, Bill Gates, Jeff Bezos and Bill Gates were all seen in July posting bizarre messages asking for payment in Bitcoin. These requests were part of a scheme whereby the high-profile individuals in question would allegedly double your money, in an effort to “give back”.

This was certainly one of the most extraordinary security stories of the year - and gained a lot of traction primarily due to the heavy-hitters involved. A comprehensive Twitter investigation found that roughly 130 accounts were targeted by attackers during the incident, with the perpetrators gaining the ability to send tweets and even access direct messages from compromised accounts. The firm was also probing the possibility that an employee was bribed for access to the internal company tools used to carry out the scam.

The authorities arrested and charged a number of US and UK-based teenagers for their involvement in the attack. Though in another bizarre twist, the virtual trial hearing of one 17-year-old, hosted over Zoom in August, was initially cut short after it was hijacked by a member of the public, who shared a pornographic clip with meeting participants.

BlackBaud clients fall like dominos

When the University of York revealed that it had suffered a data breach, nobody expected this to be the first start of a chain reaction that would grow to include a staggering 120 incidents at least. Although it was the university’s data that was compromised, all attention was instead redirected to one of its suppliers, the software company and cloud computing provider Blackbaud.

Although Blackbaud’s customers, and subsequently the public, were informed of the alleged compromise in July, the actual ransomware attack took place several months prior, in May. Not only that, but Blackbaud revealed that it agreed to pay the ransom because its customers’ data was its “top priority”. Unfortunately, the pool of affected customers gradually expanded over the coming days, growing from the University of York, to a few other institutions, and then to dozens of organisations. All were informed two months after the incident, and all were quick to write to their own stakeholders apologising for the fact that their data had been potentially compromised on Blackbaud’s watch.

It soon became clear that it wasn’t just dozens, but well over 100 organisations that had been caught up in the monstrous attack, including the Labour Party, Bletchley Park, and a donkey sanctuary. To add insult to injury, following the beginnings of legal action in September, Blackbaud admitted the following month that financial information was among the data exposed during the hack, with “unencrypted fields” accessed by the hackers.

The devastating SolarWinds ‘single point of failure’

Our final entry is also the most recent. In early December, FireEye confirmed that it had been compromised by the work of alleged Russian state-backed hackers. This was initially rather ironic, and deeply concerning, since FireEye is a security firm often used by national governments to fend off such attacks.

By the weekend, however, concern grew as it began to emerge this incident, in which “highly sophisticated” attackers stole FireEye Red Team tools, was only one piece in a far larger puzzle. FireEye, Microsoft and the US security arm CISA, established the attackers were only able to target the company, alongside what has now emerged to be tens of thousands of other businesses and US government agencies, because they had already compromised the software giant SolarWinds.

FireEye’s security team established, while examining its own breach, that the hackers had a backdoor into SolarWinds. The company had fallen victim to “highly sophisticated, manual supply chain attack” orchestrated by a nation state actor and “intended to be a narrow, extremely targeted, and manually executed attack”. CISA, as a result, ordered all US government agencies to immediately disconnect from the SolarWinds Orion security platform, while the company itself advised users to upgrade to the latest iteration, version 2020.2.1 HG 1. This was, and still is, available through the customer portal.

Although the flaw in question is patchable, SolarWinds suggested as many as 18,000 of its 300,000 customers may have been affected by the devastating supply chain attack. Indeed, the attackers gained access to a vast array of victims including more than 425 of the Fortune 500 companies, all ten top US telecoms firms, all five branches of the military; and all of the top five accounting firms, according to Guardian analysis. The absolutely monstrous scale of this attack also means we may well be unpicking the full impact well into 2021.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.