Halloween hackers: The scariest cybersecurity stories of 2020

It’s the season of ghouls, ghosts and outrageous costumes. But for CISOs and cybersecurity professionals, a bump in the night on Halloween is more likely to be a notification warning them of data breach than a spooky ghostly visitation.

In the COVID-19 era, spookiness-as-a-service providers who rent out costumes or sell party products are likely to have a difficult time as lockdowns and home-working play havoc with businesses focused on in-person interaction. Yet for hackers, the dawn of a socially-distanced new normal has opened up vast numbers of attack vectors and given them new opportunities to target businesses or individuals.

So what should you be worried about this Halloween? To help you work out the answer to that question, here are some of the scariest cybersecurity stories and trends of 2020:

Home-Work Hackers

The shift away from offices has been welcomed by many workers - but it’s made life difficult for tech support desks. When staff login from home, they open up doors for hackers and make firms more vulnerable to attack. In March, the US Cybersecurity and Infrastructure Security Agency issued a warning about enterprise VPN security.

It wrote: “As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors. As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches. Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.”

CISA offered the following advice to businesses: “Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.”

Coronavirus Ransomware

The pandemic has offered cybercriminals easy new ways to target victims with ransomware or other familiar techniques. Targets can be lured into downloading ransomware by promises of cheap masks, information about Covid-19 or some other treat. Then comes the trick: crooks seize data and then try to exhort a ransom.

Europol warned: “The COVID-19 pandemic has made organizations like hospitals, governments and universities, more conscious about losing access to their systems and more motivated to pay the ransom. Criminals take advantage of this situation by running faster and more ransomware attacks, recruiting collaborators to help them maximize their impact and offering ransomware-as-a-service on the dark web.

“It is now even more important to secure your systems. With most employees working from home, a ransomware attack on companies would cause more disruption than under normal circumstances.”

Israel Water Hack

This year, Israel has suffered several attacks on the systems which power its water management facilities. Intelligence sources said the hackers tried to modify chlorine levels in the water during one attack in June. Although they were thwarted, the hacks show how threat actors are looking to carry out attacks which hurt or even kill people.

This time around, water providers were able to take a simple piece of preventative action to reduce the risk of disaster. The Israel National Cyber-Directorate (INCD) and the Water Authority sent out an alert to water treatment facilities urging them to change the passwords of internet-connected equipment with an “emphasis on operational systems and chlorine control devices in particular”.

Critical Infrastructure At Risk

In July, it was claimed that critical US infrastructure in the US could be hacked by “anyone”. Research from CyberNews found that legacy Industrial Control Systems were vulnerable to attack, with oil wells, public water distribution systems and a sewer pump station left connected to the internet without even being protected by a password.

If attackers gained control of these systems they could, for instance, turn off warning systems on oil wells or flood water supplies with sewage. In the event of a cyberwar, these systems could be a major target for enemy attacks - so it’s imperative that the US locks them down securely.

Blue Leak Hack

In June, a hacktivist group linked to Anonymous published 10 years of police data in the form of a highly sensitive 269-gigabyte archive. The data was stolen from a Houston-based web development firm and obtained by a threat actor that used a compromised account and the firm’s content upload feature to pump malware into its system.

Stewart Baker, an attorney at Steptoe & Johnson LLP and a former assistant secretary of policy at the U.S. Department of Homeland Security, said: “With this volume of material, there are bound to be compromises of sensitive operations and maybe even human sources or undercover police, so I fear it will put lives at risk. Every organized crime operation in the country will likely have searched for their own names before law enforcement knows what’s in the files, so the damage could be done quickly.”

The attacks show that if your company handles sensitive data, you are a target. Hackers are always looking for weakest links in the chain - so make sure your firm’s security practices are fit for purpose.

Dark Web Data Explosion

A total of 15 billion passwords and account credentials are now circulating on the dark web, researchers warned this year. This follows a 300% rise in data theft since 2018. Most of the data belong to individuals - but businesses are also on the target list. The loss of sensitive passwords can cause expensive problems, so companies need to follow the latest password best practice to protect themselves.

Nation-States On The Rise

This year, Britain finally admitted that it had offensive cyber-warfare capability. Which is just as well, because nation state hackers have been busy in 2020.

In June, Google's Threat Analysis Group said that the Iran-linked hackers known as Charming Kitten had launched phishing attacks against President Donald Trump's reelection campaign, whilst Russia continued with efforts to “hack the US election” and North Korea’s infamous Lazarus Group hackers used LinkedIn to steal cryptocurrency. Businesses could easily get caught in the crossfire of a cyberwar, so it’s best to start shoring up their defenses immediately.

Happy Halloween!

We hope you have a great day on Halloween. But once work starts again on Monday, it’s time to start dealing with the real horrors lurking out there on the internet. And we have some more concerning news.

According to Gartner, worldwide spend on cybersecurity will rise by 2.4% to reach $123.8 billion in 2020 - which is a much lower rate of growth than the 8.7% growth it predicted last December. It warned that the coronavirus pandemic is “driving short-term demand in areas such as cloud adoption, remote worker technologies and cost saving measures”.

“Like other segments of IT, we expect security will be negatively impacted by the COVID-19 crisis,” said Lawrence Pingree, managing vice president at Gartner. “Overall we expect a pause and a reduction of growth in both security software and services during 2020.”

So what are you scared of this Halloween?

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.