Three of the craziest cyberattacks of 2017 that everyone’s been talking about
You might think a cyberattack that affects millions of people is the worst-case cybersecurity scenario for many organizations. However, as a few of the most notable cyber incidents of 2017 have taught us, you would be wrong. Because while an attack in which a hacker ingeniously outmaneuvers the advanced security measures put in place by a trained cybersecurity team is bad, one in which attackers take advantage of a big fat mistake is much, much worse. If you don’t believe that just yet, keep reading.
Equifax gets equihacked
What happened: While there’s still a bit of time left in 2017, and there’s seemingly always room for bigger and badder cyber disasters, it might just be possible to crown the Equifax data breach the worst of the year already. Some are calling it one of the worst of all time, and the 143 million Americans affected would probably agree.
In the Equifax data breach, hackers took advantage of a website application vulnerability to access names, addresses, social security numbers, birth dates, driver’s license numbers and credit card numbers between May and July. Equifax discovered the breach on July 29th, but took an additional five days to inform customers.
The oops factor: To gain access to Equifax’s data, hackers exploited a bug in the Apache Struts Web Framework. This is a bug that had been reported in March with a patch issued shortly thereafter. For Equifax, obviously, it went unpatched through May, June and July. It may seem unfathomable for an enterprise that specializes in credit reports and identity theft protection to allow such a gross cybersecurity oversight to endanger its hundreds of millions of customers, but considering an Argentinean branch of Equifax was separately found to have a database username and password combination of admin and admin, a systemic cybersecurity failure within the organization is starting to look increasingly believable.
Bet ya don’t want to mess with Petya
What happened: With awful headline after awful headline dedicated to ransomware disasters this year, picking the wildest ransomware attack of 2017 is kind of like picking the most fame-hungry Kardashian. However, lest this list come to be nothing but ransomware attacks, it had to be done.
Petya was unleashed upon the world on June 27, appearing on the heels of the infamous WannaCry ransom attack in May. Petya smashed its way across Russia and the Ukraine before branching out to the rest of Europe and then Asia. Attackers demanded Bitcoin payments equaling about $300 USD for the unlocking of affected systems. High-profile victims included the Russian Interior Ministry, FedEx, Nissan, Britain’s National Health Service, German transport giant Deutsche Bahn, and Spanish telecommunications company Telefonica.
The attack was halted when British security researcher Marcus Hutchins found the kill switch, as he did with WannaCry. Thanks to Hutchins’ quick thinking, the attack never reached the United States, accounting for its lower level of infamy compared to WannaCry.
The oops factor: As mentioned, ransomware attacks aren’t particularly shocking this year, but what makes this one stand out are the tremendous errors involved in both the attack being unleashed and some of its victims buckling to it.
Firstly, the malicious software wasn’t painstakingly created by a hacking group looking to create chaos across the more than 100 countries it hit. No, it was created by the US’s National Security Agency, and that is from whom it was stolen.
Secondly, you may recognize some of the names on the list of high-profile Petya victims as names on the list of high-profile WannaCry victims. It’s not a mix-up. The only mistake here is the one made by organization’s like Britain’s National Health Service who did not take the necessary cybersecurity steps to guard against ransomware attacks after they were seriously impacted the first time.
Trouble on the Verizon
What happened: In June what was termed a “misconfigured cloud storage database” exposed the personal information of what Verizon estimated to be six million people but security researchers believed was closer to 14 million people.
The information exposed included names, phone numbers, addresses, account information and PIN codes used for accessing accounts.
The oops factor: When you read about data being exposed your mind might immediately go to data breaches. This year is set to be the worst on record for them, after all, and now that Equifax has had its hat thrown into the wrong, that seems like a certainty. However, though the information exposed in this incident will likely be misused by cybercriminals, it can’t actually be classified as a cyberattack as there was no malicious actor behind this huge trove of data being revealed. Instead, 14 million people’s personal information was revealed because an employee unchecked the default privacy setting on the cloud database, making the database public. It then took Verizon a full week to secure the data.
The way of the online world
As the saying should probably go: to err is human, and to take advantage of those errors is also human. As chronicled above, some of the craziest cyberattacks and cyber disasters of 2017 were allowed to occur because cybersecurity wasn’t taken as seriously as it needs to be, and make no mistake about it, there have been an untold number of other attacks and incidents caused by cybersecurity flaws, failings and oversights that fall into that category with Equifax, Verizon and the victims of Petya. Unfortunately for, well, everyone, this is a trend that seems as though it is going to endure.