2015 in Review: The Year's Biggest Security Stories
Security in 2015 made a lot of headlines, mostly because of the number of incidents that had real-world implications. From large-scale data breaches, high-profile hacking incidents, and high-risk vulnerabilities down to simple security blunders, the year was also marked by events that showed how even the most unlikely of targets can be compromised.
Here's a quick look at some of the biggest and most significant security stories we saw in 2015. How did these stories shape the security landscape as we know it today? How did these events impact users, industries, and organizations? How can these events give us a glimpse of the future?
Government surveillance: The endless debate
Soon after the Paris attacks broke out with footage that shocked the world, several officials and organizations have openly expressed that “unauthorized disclosures” of national security strategies have endangered not just the United States’ but the world’s security. Statements furthered that maintaining secrecy in the undisclosed regions of the net facilitated the plans of the group behind the attack.
The controversial “disclosures” mentioned referred to the secret programs designed by the NSA that were leaked by Edward Snowden. Through the years, the debates have compounded, revealing the “creative” methods the US government employed to seek out suspicious activities. Following the expose, many expressed that such unwarranted spying was an overreach of the government’s authority.
In June of 2015, the US Senate passed the USA Freedom Act without any amendments soon after the Patriot Act’s expiry. The passed bill is set to bring an end to the bulk collection of phone records by the NSA, thus curtailing its surveillance authority.
While several parties remained unsatisfied by bill's passing, the USA Freedom Act is seen as a way to strike a better balance between personal liberties and government protection, and regarded as the beginning of a long process of regaining the right to privacy.
No one is safe: The year of data breaches
In the last quarter of 2015, leading electronic learning toy producer VTech announced a breach that exposed a significant chunk of the company's customer information. The compromised data included names, birthdates, account information, as well as over 190 GB worth of photos from its application database.
The group behind the breach claimed that the company’s servers were left exposed, leaving a hole that left the system vulnerable to compromise. This was seconded by independent researcher Troy Hunt who said, “There is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted.”
The hackers were able to access customer records from its Learning Lodge App Store, a gateway for downloading apps, games, books, and other support materials for VTech toys. The company confirmed in a published FAQ that a total of 13 websites were affected, with almost 5 million parent’s profiles stolen and over 6 million children’s profiles from the United States, France, United Kingdom, Germany, among other countries around the globe mined.
This recent attack was just one of the many data breach cases that showed how vulnerable organizations were over the past year, compared to the level of sophistication and savvy that hackers demonstrated. In July, the cloak of secrecy that was supposed to protect 37 million of its “anonymous” users were stripped off Ashley Madison, a known “cheater’s” site that used the slogan “Life is short. Have an affair.”
Toronto-based company Avid Life Media (ALM), confirmed the compromised user database. The Impact Team, the group behind the attack, imposed demands driven by a rather unique motivation: to permanently take down two of ALM's sites via a warning: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
Shortly after the threat, small samples of client data from three of ALM's sites were leaked online, along with maps of internal company servers, employee account and salary information, and company bank account data. Aside from this, the group also pointed out that the website's paid “full delete” feature was a lie, as the company didn't really wipe user data.
This all happened barely two months after Adult FriendFinder, another adult-themed networking site, got hacked and the hackers demanded a sum of money to meet their demands. These incidents show how hackers are no longer confined to going after wallets and online accounts. This time, schemes are geared towards threatening real world relationships and reputations.
In The Fine Line: The 2016 Trend Micro Security Predictions, our experts noted that the success seen in high-profile data breaches will eventually shape how cybercriminals stage their attacks. In the past, Hacktivists used web defacement and DDoS attacks to disrupt their targets. 2015 showed how data breaches can also be an effective strategy to push certain agendas, centered on threats of exposing incriminating information that can affect even the most unlikely of targets.
Last June, the United States government announced a security breach that exposed the information of former and current federal employees. The incident was traced to compromised systems belonging to the US Office of Personnel Management (OPM)—the human resources arm of the federal government responsible for conducting background checks on employees and federal agencies. Initially, the reported number of stolen information was at 4 million. However, this figure skyrocketed to 18 million after investigations were carried out.
EINSTEIN, the intrusion detection system used by the Department of Homeland Security, reportedly saw the malicious activity in the OPM’s information systems prior to the hack. It can also be remembered that the previous year, hackers already broke into the OPM’s computer networks that housed personal information of federal employees, exposing the files of employee applications for top-secret security clearances containing foreign contacts, previous jobs, and other sensitive personal information. Unfortunately, even with histories of previous attacks that should have resulted in beefing up security countermeasures, organizations—even those deemed to be secure such as the OPM—remained susceptible to attacks.
One of the biggest ironies seen in 2015 involved an attack that targeted those who promise to boost security. LastPass shared news of a discovery of “suspicious activity” in their network. The company offers easy management of multiple passwords across several accounts by offering a sealed gate that leads to its 72 million-user base’ multiple accounts across different websites. While company CEO Joe Siegrist claimed that there was “no evidence that encrypted user vault data was taken”, investigations revealed that the digital break-in compromised account email addresses, password reminders, server per user salts, and authentication hashes.
This reinforces the fact that every organization is a target. 2015 also showed how cybercriminals saw medical data as a goldmine in their schemes. Several medical organizations have been attacked in 2015, including Anthem, Premera, and Carefirst Bluecross Blueshield, compromising valuable customer's personal information that included social security numbers, financial records, passwords, and credit card credentials.
In the past year, it was observed that healthcare companies were hit harder. This was primarily because of the type of data that these companies possess—details that cannot be easily replaced, and personal information that can be used for identity theft and other schemes.
Gaping security holes
During the last quarter of 2015, The Independent, the blog page of one of the top media websites in the UK, was found redirecting its readers to a page that loads an exploit kit. The blog was reportedly running on an old, unpatched version of WordPress (2.9.2).
Wordpress is a widely-used blogging platform, making it a feasible target among threat actors. In April 2015, it was also subject to risk from a zero-day vulnerability that enabled an attacker to launch stored cross-site scripting (XSS) attacks from different avenues like the comments section, forums, and discussions.
The hack on The Independent was discovered by Trend Micro threat researchers who have been monitoring Angler Exploit Kit activities since November. The Angler Exploit Kit is known to be the most active exploit kit leveraging Adobe Flash zero-day vulnerabilities. In the case of The Independent hack, redirected users with older versions of Adobe Flash Player were at risk of downloading Cryptesla 2.2.0 ransomware.
In Hazards Ahead: Current Vulnerabilities Prelude Impending Attacks, we observed a significant spike in the number of Angler-hosting links in the months of May to September 2015. This, of course, was related significantly to the Hacking Team leak in July. The Italian company, which mastered on supplying tools and services related to espionage, hogged the headlines following a massive breach that exposed 400GB of confidential data to the public.
The leaked information involved classified business practices, but, more importantly, five security vulnerabilities in Adobe Flash, Internet Explorer, and Microsoft Windows, amounting to at least a billion affected devices. Other by-products of the Hacking Team breach involved the use of Flash zero-day exploits integrated to Angler and Nuclear Exploit Kits used to launch attacks in Korea and Japan, as well as government and media websites in Hong Kong and Taiwan.
Smartphones were also put at risk following the leak, particularly involving the surfacing of the source code of the spy app for Android devices, Remote Control System Android (RCSAndroid). The app featured with data-stealing routines that included capturing screenshots, voice calls, as well as passwords and messages from apps like Facebook, Viber, and Skype. Similarly, iOS devices, jailbroken or not, were also rendered vulnerable to spyware under the guise of a newspaper app that users could unknowingly download.
2015 also had a lot of stories that revolved around mobile threats. In September, Apple’s reputation as a well-protected app platform was tainted with the discovery of multiple legitimate apps in the iOS app store that contained malicious code, called XcodeGhost. Android devices also took a beating in 2015 with the Stagefright security hole found in different instances the past year. Last July, the bug allowed hackers to gain access to a smartphone simply by sending an MMS message. In October, over a billion Android devices were estimated to be at risk from a vulnerability that can give an attacker control over an Android device through an MP3 file or an MP4 video.
Other internet-ready devices also revealed insecurities in 2015. Our Gaspot experiment in August showed how gas-tank-monitoring systems could become targets. Aside from this, similar public-facing utilities such as heating systems, surveillance systems, and power plants have been found to be vulnerable.
Several security researchers have also revealed that car hacks are no longer limited to science fiction. Last July saw an alarming digital car-jacking stunt where a Jeep Cherokee’s infotainment system could be hacked using a 3G connection. The demo led to the recall of over 1.4 million units.
2016: Looking back and moving forward
2015 was a storied year and the security stories that shaped the past year can provide clues on what to expect in the future. While 2015 saw significant issues that need to be addressed, we also saw milestones and security wins, such as the Darkode takedown in July, the sentencing of the Russian national behind the notorious Citadel malware in September, and the DRIDEX shutdown in October. It goes to show that 2016 will see the much-needed shift in the mindset of governments and regulators to take on an even more active role in protecting the Internet and safeguarding its users.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale