Cyber Security

The Usual Suspects: Notorious Cyber Attacks in 2018

Written by Amy Hitchmough
Malware, phishing scams, DDoS attacking a computer

Recently, we introduced you to the usual suspects: 6 common behaviours in the workplace that lead to a higher risk of data breaches or cyber attacks. 

There are the 'usual suspects' when it comes to malware and cyber attacks too. We hear about high-profile breaches and cyber attacks in the news, but we don't always dig into the causes of those attacks and the common types of malware responsible. 

pankaj-patel-561360-unsplash.jpg#asset:3514

Here are 5 of the most notorious cyber attacks and data leaks in 2018:

1) Universities in the USA and abroad 

In March 2018, the United States Department of Justice indicted 9 Iranian hackers over an alleged spree of cyber attacks. They targeted:

  • 144 US universities,
  • 176 universities in other countries,
  • 47 private companies,
  • and other targets like the United Nations. 

The hackers stole 31 terabytes of data, estimated to be worth $3 billion in intellectual property! 

Who's the usual suspect?

Sophisticated spearphishing emails, sent to professors and other staff members, carefully crafted to trick them into clicking malicious links and entering their credentials. 

2) Under Armour's MyFitnessPal App 

In March 2018, fitness brand Under Armour revealed that hackers breached their 'MyFitnessPal' app. The intrusion exposed usernames, email addresses, and passwords, indicating that Under Armour's systems were at least segmented enough to protect more sensitive information from being stolen.

Who's the usual suspect?

Inconsistent security procedures left some usernames and passwords stored through a much weaker hash method called SHA-1. Hackers easily took advantage of this weakness! Why is SHA-1 so weak? It is subject to a fatal exploit which is known as a collision. A collision occurs when two different files or messages (including usernames and passwords) produce the same cryptographic hash, meaning that a computer comparing the hashes cannot identify one file from another. Attacks exploit this.

So instead of using SHA-1 as a security procedure, you can either turn to another hashing method such as SHA-256 or turn to adding in an extra layer of security such as firewalls or multi-factor authentication, which makes the whole process of attacking the systems harder.

3) Data Exposure

In June 2018, journalists revealed that over 2 terabytes of data (that's 340 million personal records) were left exposed on a publicly-accessible server. The data had been collected by a marketing and data aggregation firm Exactis and included details like home and email addresses, and the individual's number of children and even pets. 

Who's the Usual Suspect? 

Although malicious hacking is not the direct cause, lapsed security procedures and poor network monitoring seem to be at fault in the Exactis leak. How can companies work to improve their security procedures and network monitoring? Well, every company is different, so there's no singular correct answer. However, the first step would be to have current IT infrastructures and procedures reviewed, assessed and analysed. Only then can a company gain insight into different solutions and technologies to implement - whether that is a staff training program or using a managed services provider to continuously monitor, update and protect their systems 24/7 x 365. 

4) Dixon's Carphone

In July 2018, Dixon's Carphone, which owns Currys PC World, and other electrical brands in the UK, revealed that a data breach in July 2017 affected 10 million of their customers. 

The personal records accessed include names, addresses and email addresses. Dixons Carphone added that it hadn't discovered any evidence of the information leaving its systems or resulting in fraud "at this stage".

Who's the usual suspect? 

The method used by the hackers is unclear, but lapsed security procedures seem to be at fault. A similar solution to this would be the same advice as in #3.

5) Facebook

In September 2018, Facebook disclosed that a security bug had compromised roughly 50 million accounts, allowing hackers to steal the ‘access tokens’ used to log users into related apps connected to Facebook like Airbnb, Candy Crush & more. The 90 million affected users were logged-out of their accounts and informed of the breach within the GDPR-required 72-hour window. 

Because this has occurred in a post-GDPR world, Facebook could be liable for up to $1.63 billion in fines, or 4% of its $40.7 billion in annual global revenue in 2017. 

Who's the usual suspect?

Hackers were able to exploit overlooked security flaws because of increasingly interconnected systems. 

What steps can you take to avoid being tricked by the 'usual suspects'? 

Sophisticated spearphishing emails, inconsistent security procedures, poor network monitoring and overlooked security flaws can all lead to hacks like these. Even if you consider yourself a 'small fish', the data you control is valuable to hackers. 

  • Go the extra mile
    • Especially in the case of the Under Armour hack, they knew that a better option existed for storing customer account data, but they failed to choose that better option consistently. Are you choosing to go the extra mile with how your secure your IT infrastructure?
  • Evaluate your cyber security strategy
    • Many of these threats could be avoided with persistent network monitoring. As your organisation grows, it's easy to layer new systems over old ones, and miss seeing the holes or gaps in your IT infrastructure. Our IT Security services help you tap into industry-leading expertise through our partnerships with Kaspersky, WatchGuard and more.  
  • Pay attention to how you store data
    • GDPR has brought the importance of data security into the spotlight. Have you done an audit of which types of data your organisation holds, and how? The 'usual suspects' of phishing scams and ransomware are eager to find and steal that data. Be sure that you host your IT systems securely in a state-of-the-art data centre.

Resources

You might also like

Newsletter Sign up!

Honestly, it's not spam!! 

Join 20,000 others and get expert insights straight into your mailbox! 

Subscribe to our monthly newsletter below.