2018 Cybersecurity Review: Incidents, Vulnerabilities, and Trends

The past year followed much the same trajectory as its predecessor. Unfortunately, we cannot report any significant improvements in key areas, and instead, we mostly observed the continuation of previously established trends. For example, ransomware and extortion remain among the main threats to both everyday users and businesses, despite security experts having discussed these issues and protection methods for years. The situation in the Internet of Things (IoT) sector is also slow to improve: the number of IoT devices continues to grow, but most remain insecure, and manufacturers often neglect to release patches.

Many risks still revolve around the cryptocurrency market. After the rapid price surge at the end of last year, 2018 saw renewed interest in this area from both regular users and criminals. Various types of hidden miners could easily compete with ransomware for the title of the year’s most widespread threat.

Meltdown and Spectre

The Meltdown and Spectre vulnerabilities (CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715), publicly disclosed in January 2018, shook the entire industry. It turned out that nearly all modern processors (released after 1995) have fundamental flaws that cannot always be fixed with simple software patches. In fact, all devices running vulnerable processors were at risk—from TVs and smartphones to servers and workstations.

These vulnerabilities allow attackers to break address space isolation, read passwords, encryption keys, credit card numbers, and arbitrary data from system and user applications, bypassing any security measures on any OS. Both issues enable side-channel attacks by exploiting flaws in the physical implementation of processors.

The vulnerabilities were disclosed earlier than planned. Major companies learned about the problem in the summer of 2017, but in early January, news of “problems in all processors at once” unexpectedly leaked to the press. Companies had to rush out fixes and make official statements to stop the growing rumors.

The existence of Meltdown and Spectre was a huge problem for the industry and users in itself, but the vendors of the affected products made the situation worse. Software patches and microcode updates were released in a hurry and caused failures and bugs for months: patches conflicted with antivirus products, caused system crashes, BSODs and frequent reboots, and even introduced new vulnerabilities. As a result, the rollout of patches and microcode updates was repeatedly paused and resumed, leading to confusion.

Ultimately, representatives from Intel, AMD, ARM, Apple, Amazon, Google, and Microsoft had to answer to the U.S. Senate Committee on Energy and Commerce, explaining how this happened.

Worse still, even properly installed and functioning patches negatively impact processor performance, and unfortunately, nothing can be done about it. While most researchers agree that regular users won’t notice much difference during everyday tasks, in some cases, the performance loss can be significant. Depending on various factors—architecture, hardware, OS, running tasks—processors may lose 5–50% of their power after patching. The impact is most noticeable on older processors and operating systems.
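Because the patch and microcode rollouts described above were paused and resumed so often, the first thing a practitioner wants is a reliable way to tell whether a given host actually ended up mitigated. The following is an added example, not code from the original article: it reads the per-issue status files that Linux exposes under /sys/devices/system/cpu/vulnerabilities/ (present from kernel 4.15) and classifies their contents. The sample file contents are constructed for the example.

```python
"""Summarise Meltdown/Spectre mitigation status from Linux sysfs.

Linux kernels from 4.15 onward expose one file per issue under
/sys/devices/system/cpu/vulnerabilities/ (for example "meltdown",
"spectre_v1", "spectre_v2"); each holds "Not affected", "Vulnerable[: ...]"
or "Mitigation: <name>". This classifies those strings so a fleet check can
flag hosts whose patches or microcode did not take effect.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


@dataclass
class Status:
    issue: str
    state: str   # "not_affected", "mitigated", "vulnerable" or "unknown"
    detail: str  # the raw sysfs text, kept for the report


def classify(issue: str, text: str) -> Status:
    """Map one sysfs file's contents to a coarse state."""
    text = text.strip()
    if text.startswith("Not affected"):
        return Status(issue, "not_affected", text)
    if text.startswith("Mitigation:"):
        return Status(issue, "mitigated", text)
    if text.startswith("Vulnerable"):
        return Status(issue, "vulnerable", text)
    return Status(issue, "unknown", text)  # unexpected text: treat as unverified


def assess(files: Dict[str, str]) -> Dict[str, Status]:
    """Classify a {file name: contents} mapping, e.g. the result of read_sysfs()."""
    return {name: classify(name, body) for name, body in files.items()}


def unmitigated(results: Dict[str, Status]) -> List[str]:
    """Issues that still need attention (vulnerable, or output we could not parse)."""
    return sorted(n for n, s in results.items() if s.state in ("vulnerable", "unknown"))


def read_sysfs(path: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the live sysfs directory; returns {} on kernels or OSes without it."""
    if not os.path.isdir(path):
        return {}
    files = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), encoding="ascii", errors="replace") as fh:
            files[name] = fh.read()
    return files


# Constructed sample mimicking a host where the Meltdown fix (PTI) is active
# but the Spectre v2 microcode has not been applied.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Retpoline without IBPB\n",
}

if __name__ == "__main__":
    data = read_sysfs() or SAMPLE  # fall back to the sample when not on Linux
    for name, st in assess(data).items():
        print(f"{name:<12} {st.state:<13} {st.detail}")
    print("needs attention:", unmitigated(assess(data)))
```

Run it on each host after a patch cycle and alert on a non-empty "needs attention" list; an "unknown" state usually means a newer kernel added wording the classifier has not seen, which is worth a look rather than silently passing.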

Data Breaches Everywhere

Data breaches remain one of the main problems in information security. They happen constantly, affecting both small firms and major IT companies—and even cybercriminals themselves. Sometimes, the fault lies with careless employees, while other times, leaks result from well-planned and sophisticated hacker operations that are genuinely hard to defend against.

Data breaches not only put regular users at risk but can also be used for password reuse attacks, turning even simple brute-force attempts into serious threats. Worse, personal data in the wrong hands can be used for identity theft, insurance fraud, blackmail, and many other scams.

In fall 2018, Mozilla engineers announced the launch of the free Firefox Monitor service, developed in partnership with the Have I Been Pwned breach aggregator. The service lets users check if their email addresses and associated accounts have been compromised. We recommend taking advantage of this tool.

Sadly, the passwords “123456” and “qwerty” were once again among the most commonly used this year.
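A service like Firefox Monitor tells a user whether an address appeared in a breach; the same Have I Been Pwned project also lets an application reject passwords such as "123456" at registration time without ever sending the password anywhere. The following is an added example, not Mozilla's or HIBP's own code: it implements the k-anonymity lookup against the Pwned Passwords range endpoint, where only the first five hex characters of the SHA-1 hash leave the client and the match is made locally. The bucket contents and counts used offline are constructed for the example; fetch_bucket performs the real network query.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API
using its k-anonymity scheme: only the first five hex characters of the
password's SHA-1 hash are sent; the server returns every hash suffix in that
bucket with a breach count, and the comparison happens on the client.
"""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex digest split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def lookup(password: str, get_bucket: Callable[[str], str]) -> int:
    """How often the password appears in known breaches (0 = not in its bucket).

    get_bucket receives only the hash prefix, so neither the password nor its
    full hash leaves this function.
    """
    prefix, suffix = split_hash(password)
    return parse_range(get_bucket(prefix)).get(suffix, 0)


def fetch_bucket(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup of one prefix bucket from the real HIBP endpoint."""
    req = Request(RANGE_API + prefix, headers={"User-Agent": "pwned-range-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed offline bucket. SHA-1("123456") is
# 7C4A8D09CA3762AF61E59520943DC26494F8941B, so its prefix is 7C4A8.
# The counts and the second suffix are made up for the example.
SAMPLE_BUCKETS: Dict[str, str] = {
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23174662\r\n"
             "D0A1B2C3D4E5F60718293A4B5C6D7E8F9A0:3\r\n",
}


def offline_bucket(prefix: str) -> str:
    """Stand-in for fetch_bucket that serves the constructed sample."""
    return SAMPLE_BUCKETS.get(prefix, "")


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        n = lookup(pw, offline_bucket)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample bucket")
```

Wiring lookup(password, fetch_bucket) into a registration or password-change handler blocks the reuse-attack surface the paragraph above describes: a password with a non-zero count is one attackers already hold in their wordlists, regardless of its apparent complexity.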

Facebook and Cambridge Analytica

The biggest incident of the year was undoubtedly the massive scandal involving Facebook. In spring 2018, it became public knowledge that the British company Cambridge Analytica had obtained information on 87 million Facebook users without their consent. Data was collected under the guise of a simple survey, which required users to log in via Facebook.

About 270,000 people took the survey, but at the time, Facebook’s API allowed the collection of data on their friends as well, resulting in information on tens of millions of people. This data was used to create psychological profiles and develop personalized advertising. Since Cambridge Analytica’s main focus was analyzing voters’ political preferences, the data was used in dozens of election campaigns worldwide.

As a result, Facebook was accused of negligence and covering up the incident, while Cambridge Analytica was suspected of ties to intelligence agencies and influencing election results (including in the U.S.). The world suddenly realized the immense responsibility companies have when users share their personal data, and the incredible value this data holds for marketers, political scientists, and others.

Despite multiple public apologies from Facebook, the company’s image suffered greatly, as evidenced by lost user trust, falling stock prices, and numerous lawsuits. Facebook has since expanded its bug bounty program, encouraging researchers to find apps that misuse user data, and tightened restrictions on third-party apps using its API. For example, if a user doesn’t interact with an app for more than three months, it now automatically loses access to their data.

“We didn’t focus enough on preventing abuse and didn’t think enough about how people could use these tools to cause harm. We lacked a broad enough view of our responsibility. That was my mistake,” Facebook CEO Mark Zuckerberg told The New York Times.

Other Facebook Scandals

  • A bug in the “View As” feature compromised data of at least 30 million people.
  • The NameTests app was found to be misusing Facebook user data, giving anyone access to information on 120 million people.
  • After the Cambridge Analytica incident, it was revealed that Facebook officially shared user data with 52 third-party companies and 61 app developers.

From Airlines to Spammers

No one is immune to data breaches. While Yahoo still holds the record for the largest breach (1.5 billion users in 2016), 2018 saw its share of major incidents:

  • Marriott Hotels: A breach discovered at the end of the year actually occurred in 2014, before Marriott acquired Starwood. Hackers stole information on about 500 million guests who used Starwood’s services.
  • Reddit: In late summer, Reddit reported a breach after attackers bypassed two-factor authentication on several employee accounts, stealing various data including source code, user emails, and database backups.
  • Japan: Information on 200 million Japanese residents was found for sale on hacker forums. Since Japan’s population is about 127 million, researchers concluded the database contained duplicates and invalid data.
  • Brazil: A publicly accessible, unsecured database containing personal data of 120 million Brazilian taxpayers was discovered online.
  • MyHeritage: Data on 92 million users of the genealogy and social network hybrid was compromised, though financial info and DNA test results were not affected.
  • British Airways and Cathay Pacific: Both airlines suffered breaches in fall 2018, compromising personal and financial data of millions of passengers.
  • Trik Botnet: Due to an operator error, a database of 43 million email addresses used for spam became public.
  • TheTruthSpy and Spyfone: Even spyware developers were caught being careless with security, allowing outsiders to access client data and information collected by their spyware.

Source Code Leaks

Another interesting type of data breach is source code leaks. The consequences can be severe, as seen with the publication of the Mirai IoT malware source code or the NSA hacking tools leaked by The Shadow Brokers.

  • Apple iBoot: In spring 2018, the Dark-Liberty Team published the source code for iBoot, a key Apple component responsible for trusted OS boot. Apple quickly filed a DMCA complaint, and GitHub removed the content, but the code soon reappeared on the dark web.
  • TreasureHunter PoS Malware: In March 2018, the source code for this PoS malware was leaked, raising concerns about a surge in similar threats.
  • Snapchat: In May 2018, an iOS app update accidentally revealed part of Snapchat’s source code, which spread online. Snap Inc. filed a DMCA complaint, and the repository was removed from GitHub, but copies appeared elsewhere.
  • DexGuard: The source code for this commercial Android obfuscation tool was also leaked on GitHub.
  • NSO Group: A former employee was arrested after stealing the source code of the company’s commercial spyware and attempting to sell it on the dark web for $50 million.

The Battle for Telegram

In spring and summer 2018, the standoff between Russia’s Roskomnadzor and the Telegram messenger became one of the most discussed topics in the Russian internet. Roskomnadzor tried to block Telegram in Russia, but the attempt was unsuccessful.

The conflict began in 2017 when Telegram was added to the register of information distributors, but founder Pavel Durov emphasized that the company would not provide access to user messages. When Telegram refused to hand over encryption keys to the FSB, the company was fined. Telegram then challenged the FSB’s order in court, but lost in March 2018. On April 13, 2018, a Moscow court ordered Telegram to be blocked, and Roskomnadzor began enforcement on April 16.

Telegram’s developers used tactics similar to those of Zello, switching IP addresses and using cloud services such as Amazon AWS. As a result, millions of IP addresses belonging to Amazon, Google, Microsoft and major hosting providers were blocked, disrupting many unrelated services. Despite this, Telegram continued to work in Russia without VPNs or proxies, and the blocking had little effect on its operation.

Pavel Durov publicly thanked users for their support and stated his intention to continue spending millions to keep Telegram accessible. He also thanked Apple, Google, Amazon, and Microsoft for not participating in political censorship.

By the end of 2018, Telegram was still accessible in Russia, and Roskomnadzor had stopped making bold statements about the effectiveness of the block. However, the standoff is far from over. In December 2018, media reported that Roskomnadzor planned to implement deep packet inspection (DPI) technology to fight banned sites and services, including Telegram, with a budget of about 20 billion rubles. While Roskomnadzor’s head denied these reports, he confirmed that work was ongoing on more effective content blocking methods.

Other companies like Facebook, Twitter, and Google have also come under increased scrutiny. In December, Google was fined for not connecting to the federal information system used to filter search results, and further administrative cases may follow. Facebook and Twitter have yet to localize user data in Russia, and Roskomnadzor has given them until January 17, 2019, to comply or face fines and possible further penalties.

Cryptocurrencies and Their Problems

Even before Bitcoin’s price surpassed $20,000, experts noted the growing attention to cryptocurrencies. After the December 2017 price surge, interest increased further, including among criminals. Despite the significant drop in value since December 2017, the number of mining malware attacks rose sharply, targeting both powerful servers and mobile devices with hidden miners.

Cryptojacking also continued to thrive. This involves embedding scripts in websites that use visitors’ CPU power to mine cryptocurrency. As security vendors and ad blockers fight back, attackers have started disguising mining scripts in new ways. For example, Coinhive, a popular browser mining service, now offers a URL shortener that requires users to compute a set number of hashes before being redirected to the target URL. According to researchers at RWTH Aachen University, just ten users are responsible for 85% of Coinhive-related links, and Coinhive mines about $250,000 worth of Monero per month.
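Because cryptojacking works by injecting a mining script into a page, the defender's side of the fight the paragraph describes is to spot that script before it reaches a visitor. The following is an added example, not code from the original article or from Coinhive: a small indicator scanner over page HTML. The indicator table is an assumption drawn from Coinhive's publicly documented loader URL, constructor names and API method names, plus its cnhv.co shortener domain; the two HTML pages are constructed for the example, and the site key in them is a placeholder.

```python
"""Flag HTML pages that embed a browser-mining (cryptojacking) script.

Meant for a crawler, proxy or CI check that inspects the pages a site serves.
The indicator table is assumed from Coinhive's public names; copycat services
need their own entries, so treat it as a starting point, not a complete list.
"""
import re
from typing import Dict, List, Pattern

INDICATORS: Dict[str, Pattern] = {
    # the hosted loader script
    "coinhive_library": re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
    # miner object construction, e.g. new CoinHive.Anonymous('<site key>')
    "coinhive_constructor": re.compile(r"\bCoinHive\.(?:Anonymous|User|Token)\s*\("),
    # the service's URL shortener, which mines before redirecting
    "coinhive_shortlink": re.compile(r"https?://cnhv\.co/", re.I),
    # miner API methods that ordinary pages have no reason to call
    "miner_api_calls": re.compile(r"\.(?:setThrottle|getHashesPerSecond|getTotalHashes)\s*\("),
}

# strong evidence on its own; "miner_api_calls" alone is only a hint
STRONG = {"coinhive_library", "coinhive_shortlink", "coinhive_constructor"}

SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def script_sources(html: str) -> List[str]:
    """External script URLs referenced by the page, for the report."""
    return SCRIPT_SRC.findall(html)


def scan_html(html: str) -> List[str]:
    """Sorted names of every indicator that matches anywhere in the page."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def is_cryptojacking(html: str) -> bool:
    """Flag on any strong indicator, or on two or more weaker ones together."""
    hits = set(scan_html(html))
    return bool(hits & STRONG) or len(hits) >= 2


# Constructed pages: one carrying an injected miner, one clean.
MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body>Welcome</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>document.addEventListener('DOMContentLoaded', init);</script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for label, page in (("mining", MINING_PAGE), ("clean", CLEAN_PAGE)):
        print(label, is_cryptojacking(page), scan_html(page), script_sources(page))
```

On the site-owner side, the complementary mitigation is a Content-Security-Policy with an explicit script-src allowlist, which stops an injected loader from a foreign host from executing even when the scanner's indicator table lags behind a renamed service.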

Scams

Cryptocurrencies continue to attract scammers looking for new ways to deceive users. The abundance of fraudulent offers, hidden miners, and fake ICO ads led Facebook and Instagram to ban crypto-related ads (later lifted for trusted advertisers), Google to ban mining extensions and restrict ads, and Apple to ban mining via apps on its devices.

Unfortunately, these measures were justified. In early 2018, criminals ran several fake ICOs, tricking investors. For example, scammers sent emails to users interested in the Experty ICO, announcing the sale of tokens and providing an Ethereum wallet address. The wallet had no connection to Experty, but users sent over $150,000 to it. Similarly, the Bee Token ICO was targeted by scammers who sent fake messages and collected nearly $1 million.

In another case, the LoopX startup, which promised a unique crypto trading app, turned out to be a complete scam. The team disappeared, deleting all social media accounts, after collecting about $4.5 million from investors.

Other, almost comical, scams involved fake Twitter profiles impersonating celebrities and offering crypto giveaways. Users were asked to send a small amount of cryptocurrency to verify their address, with the promise of receiving much more in return. Despite efforts by Twitter and verified users to warn people, scammers continued to adapt, even hacking verified accounts and using them to promote fake giveaways. In one day, scammers received nearly 400 transfers, earning about 28 bitcoins (around $180,000 at the time).

Attacks on Exchanges

Numerous attacks on cryptocurrency exchanges in 2018 highlight the risks of keeping funds in exchange wallets:

  • January: Japanese exchange Coincheck reported a theft of NEM (XEM) worth over $533 million.
  • February: Italian exchange BitGrail lost over 17 million Nano (XRB), worth about $180 million at the time.
  • March: A fake app posing as the official Poloniex exchange app was found on Google Play.
