Top 10 Hacks of the Last Decade

Top 10 Hacks of the
Last Decade
goteleport.com

Top 10 Hacks
Operation Aurora (2010)
Stuxnet (2010)
Mt. Gox (2014)
Panama Papers (2016)
The DNC Hack (2016)
Equifax (2017)
WannaCry (2017)
Cambridge Analytica (2018)
Capital One (2019)
SolarWinds (2020)
1. What happened?
2. How did it happen?
3. What happened afterwards?

Operation Aurora (2010)
How? Aftermath
© Gravitational, Inc. 2020 | goteleport.com
What Happened?
What happened? How did it occur? What happened
afterwards?
● Google, Adobe, Juniper
Networks, Dow Chemical,
Morgan Stanley, and more
● IP Theft - Source code
● Sophisticated
● Internet Explorer
zero-day
● Spear phishing
● JS program
exploited IE zero
day to download
malware
● Malware opened
backdoor for
access and search
internal networks
● BeyondCorp: A new
Approach to
Enterprise Security
(2014)
● Implement Zero
Trust at scale

Stuxnet (2010)
How? Aftermath
What Happened?
afterwards?
● Computer worm for
industrial SCAD
systems
● Precisely designed to
target specific
configurations
● Error in software
update unintentionally
unleashed the worm on
the internet
● >50% Iran, indonesia,
india, azerbaijan, etc.
● Air-gapped
environment -
Contractor’s USB
● Payload, .lnk file,
rootkit, command and
control network
● Exploited zero-days
and shared secrets
● Slowly manipulated
PLC for centrifuges
● First attack on
industrial
infrastructure
● Highly publicized
(error) =
weaponized
cyberspace
● Kicked off another
arms race

Mt. Gox (2014)
How? Aftermath
What Happened?
afterwards?
● Largest Bitcoin exchange in
the world stopped all trades
● 850K $BTC stolen (largest
theft to date)
● $450MM in 2014 but >
$34B now
● Only 200K $BTC ever
recovered
● Poorly managed
codebase
● Stole credentials
from an auditor
● Siphoned $BTC
from hot wallet
masked as normal
txs
● Debate over
centralized
exchange - similar
to enterprise
trusting
third-parties for
private data
● Binance /
Coinbase -
Transparent ops +
insured deposit
● Die hard fans =
DEXs

What happened?
● Law ﬁrm - Mossack
Fonseca
● Exposed high-ranking
ofﬁcials using offshore
companies to hide
income + taxes
● Largest leak in history -
2.6TB of data
Countries implicated in Panama Papers

How did it occur?
● Outdated Drupal CMS
version
● Outdated WP version
- Revolution Slider
● Emails not encrypted
TLS
● Web servers on same
network as mail
servers
Portal ran outdated Drupal version

What happened
afterwards?
● Reinforce basic
principles -
segment, encrypt,
update software
● Warning -
Companies store
sensitive customer
information
● Illegally obtained
info can be
evidence

DNC Hack (2016)
How? Aftermath
afterwards?
● (1) DNC (2) Clinton
Campaign (CC)
● 50K emails published
on WikiLeaks
● CC - 2FA, wiped servers,
phishing drills
● Fancy Bear targeted
private accounts - 50K
emails
● Admin credentials to
DNC network
● X-Agent and X-Tunnel
● 300GB through buffer
servers
● Election
cyberwarfare
● Billions spent
voter upgrading
security infra
● DNC - specialized
hardware, cloud,
phishing drills

Equifax (2017)
How? Aftermath
afterwards?
● One of the largest
credit reporting
agencies: Sensitive
personal + ﬁnancial
info
● 143MM americans -
40% of population
● Address, SSN, driver
ID
● Apache - Security notice
to patch vuln in Struts
● Remote code injection
via HTTP header
● Human error - Equifax
did not upgrade
● Hackers scanned for vuln
-> Equifax
● DB to DB, extracted data
● Did not renew 3rd party
software = did not
inspect trafﬁc
● Not much fallout -
Stock went down
for a few months
● $1.4B in upgrades
& $1.4B in claims
(~$125/person)
● Legacy co’s slow to
modernize - poor
implementation /
governance

WannaCry (2017)
How? Aftermath
What happened?
● Ransomware attack
● 100,000s of windows
machines in 150+
countries
● Ransomed access in
return for $BTC -
Often not honored
● Mostly UK hospitals,
railway networks,
and private co’s
Locations affected by WannaCry

WannaCry (2017)
How? Aftermath
How did it occur?
● Shadow brokers stole
NSA tools
● NSA inform MSFT about
exploit, but not enough
time to patch
● EternalBlue - Arbitrary
code execution delivered
in network packet
● DoublePulsar payload =
Backdoor to install
WannaCry
● DNS killswitch
Countries implicated in Panama Papers

WannaCry (2017)
What happened
afterwards?
● EB and DP used in
NotPetya (2017)
● Critical of NSA
● PATCH Act -
Balance vuln
disclosure and
national security
It was NSA. I saw them do it.
What??? Noooo. I wouldn’t spy on you
… Remember Snowden?
LOLOLOL
Yeah. It was NSA. Vote to kick

Cambridge Analytica (2018)
How?
afterwards?
● Whistle blown on
data harvesting op
● 87MM American
● High-def
psychographic
profiles -> Targeted
ads
● 300K users accepted
terms of
thisisyourdigitallife
● Abusive ToS harvested
user and FB Friends data
● Public profile, pages
liked, birthday, location
● Access to photos,
timeline, and messages
● Not exactly a hack
● $5B fines +
regulation
● CCPA (2018) - As
California Goes, So
Goes the Country
● Changed privacy
policies, minimize
API access,
banning cookies

Capital One (2019)
How?
afterwards?
● ex-Amazon
employee
● Exploited
misconﬁgured WAF
● 100K SSN & 1MM
SIN
● Financial info = CC
apps, bank account
● Hacker admitted
guilt over GitHub and
Slack
● Details not fully
disclosed, but expected
to be SSRF
● WAF sent HTTP request
to Amazon metadata
services
● AWS IAM credentials to
S3 bucket
● Brought attention
to SSRF
● Public clouds
communicate
through HTTP and
assume a degree
of trust
● More popular with
APIs and SaaS

SolarWinds (2020)
How?
afterwards?
● Most consequential
hack of all time
● Supply chain attack
through Orion
software
● 18K customer
exposed over months
● Nearly all F500 Co’s
and govts
● Trusted component with
backdoor to third party
servers
● Digitally signed upstream
by SolarWind
● SUNBURST - transfer and
execute files, reboot,
disable services, profile
network, exfiltrate data
● Masked data extraction
as network traffic part of
protocol
● Will require
months to
understand full
extent of damage
and years to
mitigate/clean
● Adds to growing
concern of
cyberwarfare

Best Practices
Segmentation
● Networks designed
for clustered
resources
● API, SaaS, cloud,
remote devices
● Interconnectivity
means trust in
networks
deteriorates
● Better yet, don’t
trust network at all

Best Practices
How?
Secrets
● Individualized,
rotated, automated,
stored, encrypted
● Infrastructure
packaged and scaled
up and down
● End up sharing static
credentials - hard
coded or on multiple
client machines

Best Practices
How?
RBAC
● Credentials have two
basic levels:
privileged and
unprivileged
● Different segments
within unprivileged
● Follow PoLP
● Requires identity
information, but
most secrets are
arbitrary strings (ssh,
bearer)

How?

Thanks for stopping by!
Check your email for the whitepaper

Top 10 Hacks of the Last Decade

Recommended

Recommended

More Related Content

Similar to Top 10 Hacks of the Last Decade

Similar to Top 10 Hacks of the Last Decade (20)

More from Teleport

More from Teleport (7)

Recently uploaded

Recently uploaded (20)

Top 10 Hacks of the Last Decade