
      2020 had its share of memorable hacks and breaches. Here are the top 10

      Dan Goodin · news.movim.eu / ArsTechnica · Monday, 28 December, 2020 - 12:46

    A cartoonish padlock has been photoshopped onto glowing computer chips. (credit: Traitov | Getty Images)

    2020 was a tough year for a lot of reasons, not least of which were breaches and hacks that visited pain on end users, customers, and the organizations that were targeted. The ransomware menace dominated headlines, with an endless stream of compromises hitting schools, governments, and private companies as criminals demanded ransoms in the millions of dollars. There was a steady stream of data breaches as well. Several mass account takeovers made appearances, too.

    What follows are some of the highlights. For good measure, we’re also throwing in a couple notable hacks that, while not actively used in the wild, were impressive beyond measure or pushed the boundaries of security.

    The SolarWinds hack

    2020 saved the most devastating breach for last. Hackers that multiple public officials say are backed by the Russian government started by compromising the software distribution system of SolarWinds, the maker of network monitoring software that tens of thousands of organizations use. The hackers then used their position to deliver a backdoored update to about 18,000 customers. From there, the hackers had the ability to steal, destroy, or modify data on the networks of any of those customers.


      Zero-click iMessage zeroday used to hack the iPhones of 36 journalists

      Dan Goodin · news.movim.eu / ArsTechnica · Monday, 21 December, 2020 - 21:39

    Promotional image of iPhone. (credit: Apple)

    Three dozen journalists had their iPhones hacked in July and August using what at the time was an iMessage zeroday exploit that didn’t require the victims to take any action to be infected, researchers said.

    The exploit and the payload it installed were developed and sold by NSO Group, according to a report published Sunday by Citizen Lab, a group at the University of Toronto that researches and exposes hacks on dissidents and journalists. NSO is a maker of offensive hacking tools that has come under fire over the past few years for selling its products to groups and governments with poor human rights records. NSO has disputed some of the conclusions in the Citizen Lab report.

    The attacks infected the targets’ phones with Pegasus, an NSO-made implant for both iOS and Android that has a full range of capabilities, including recording both ambient audio and phone conversations, taking pictures, and accessing passwords and stored credentials. The hacks exploited a critical vulnerability in the iMessage app that Apple researchers weren’t aware of at the time. Apple has since fixed the bug with the rollout of iOS 14.


      Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 11 December, 2020 - 12:43

    (credit: Getty Images)

    Cisco has patched its Jabber conferencing and messaging application against a critical vulnerability that made it possible for attackers to execute malicious code that would spread from computer to computer with no user interaction required. Again.

    The vulnerability, which was first disclosed in September, was the result of several flaws discovered by researchers at security firm Watchcom Security. First, the app failed to properly filter potentially malicious elements contained in user-sent messages. The filter was based on an incomplete blocklist that could be bypassed using an HTML event-handler attribute known as onanimationstart.

    Messages that contained the attribute were passed directly to the DOM of an embedded browser. Because the browser was based on the Chromium Embedded Framework, it would execute any scripts that made it through the filter.


      Default password in radiology devices leaves healthcare networks open to attack

      Dan Goodin · news.movim.eu / ArsTechnica · Tuesday, 8 December, 2020 - 17:00

    Photograph of a complicated, intimidating medical device. (credit: GE Healthcare)

    Dozens of radiology products from GE Healthcare contain a critical vulnerability that threatens the networks of hospitals and other health providers that use the devices, officials from the US government and a private security firm said on Tuesday.

    The devices—used for CT scans, MRIs, X-Rays, mammograms, ultrasounds, and positron emission tomography—use a default password to receive regular maintenance. The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices. From there, the attackers can execute malicious code or view or modify patient data stored on the device or the hospital or healthcare provider servers.

    Aggravating matters, customers can’t fix the vulnerability themselves. Instead, they must request that the GE Healthcare support team change the credentials. Customers who don’t make such a request will continue to rely on the default password. Eventually, the device manufacturer will provide patches and additional information.


      NSA says Russian state hackers are using a VMware flaw to ransack networks

      Dan Goodin · news.movim.eu / ArsTechnica · Monday, 7 December, 2020 - 19:19 · 1 minute

    Russian flag in the breeze. This image was the profile banner of one of the accounts allegedly run by the Internet Research Agency, the organization that ran social media "influence campaigns" in Russia, Germany, Ukraine, and the US dating back to 2009. (credit: A Russian troll)

    The National Security Agency says that Russian state hackers are compromising multiple VMware systems in attacks that allow the hackers to install malware, gain unauthorized access to sensitive data, and maintain a persistent hold on widely used remote work platforms.

    The in-progress attacks are exploiting a security bug that remained unpatched until last Thursday, the agency reported on Monday. CVE-2020-4006, as the flaw is tracked, is a command-injection flaw, meaning it allows attackers to execute commands of their choice on the operating system running the vulnerable software. Such vulnerabilities are the result of code that fails to filter unsafe user input such as HTTP headers or cookies. VMware patched CVE-2020-4006 after being tipped off by the NSA.

    A hacker’s Holy Grail

    Attackers from a group sponsored by the Russian government are exploiting the vulnerability to gain initial access to vulnerable systems. They then upload a Web shell that gives them a persistent interface for running server commands. Using the command interface, the hackers are eventually able to access Active Directory, the part of Microsoft Windows Server operating systems that hackers consider the Holy Grail because it allows them to create accounts, change passwords, and carry out other highly privileged tasks.


      iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 2 December, 2020 - 02:34 · 1 minute

    The screen on the iPhone 12 Pro Max. That's a lot of screen. (credit: Samuel Axon)

    Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device—over Wi-Fi, with no user interaction required at all. Oh, and exploits were wormable—meaning radio-proximity exploits could spread from one nearby device to another, once again, with no user interaction needed.

    This Wi-Fi packet-of-death exploit was devised by Ian Beer, a researcher at Project Zero, Google’s vulnerability research arm. In a 30,000-word post published on Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he spent six months developing single-handedly. Almost immediately, fellow security researchers took notice.

    Beware of dodgy Wi-Fi packets

    “This is a fantastic piece of work,” Chris Evans, a semi-retired security researcher and executive and the founder of Project Zero, said in an interview. “It really is pretty serious. The fact you don’t have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you’re walking along, the phone is in your pocket, and over Wi-Fi someone just worms in with some dodgy Wi-Fi packets.”


      Oracle vulnerability that executes malicious code is under active attack

      Dan Goodin · news.movim.eu / ArsTechnica · Tuesday, 1 December, 2020 - 19:56

    Screenshot of Oracle interface. (credit: Oracle)

    Attackers are targeting a recently patched Oracle WebLogic vulnerability that allows them to execute code of their choice, including malware that makes servers part of a botnet that steals passwords and other sensitive information.

    WebLogic is a Java enterprise application that supports a variety of databases. WebLogic servers are a coveted prize for hackers, who often use them to mine cryptocurrency, install ransomware, or as an inroad to access other parts of a corporate network. Shodan, a service that scans the Internet for various hardware or software platforms, found about 3,000 servers running the middleware application.

    CVE-2020-14882, as the vulnerability is tracked, is a critical vulnerability that Oracle patched in October. It allows attackers to execute malicious code over the Internet with little effort or skill and no authentication. Working exploit code became publicly available eight days after Oracle issued the patch.


      Google’s Project Zero discloses Windows 0day that’s been under active exploit

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 30 October, 2020 - 19:38

    A stylized skull and crossbones made out of ones and zeroes. (credit: Getty Images)

    Google’s Project Zero says that hackers have been actively exploiting a Windows zeroday that isn’t likely to be patched until almost two weeks from now.

    In keeping with long-standing policy, Google’s vulnerability research group gave Microsoft a seven-day deadline to fix the security flaw because it’s under active exploit. Normally, Project Zero discloses vulnerabilities after 90 days or when a patch becomes available, whichever comes first.

    CVE-2020-17087, as the vulnerability is tracked, allows attackers to escalate system privileges. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The Windows exploit allowed the Chrome exploit to escape a security sandbox so that it could execute code on vulnerable machines.


      Hackers are using a severe Windows bug to backdoor unpatched servers

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 16 October, 2020 - 19:50

    (credit: Getty Images)

    One of the most critical Windows vulnerabilities disclosed this year is under active attack by hackers who are trying to backdoor servers that store credentials for every user and administrative account on a network, a researcher said on Friday.

    Zerologon, as the vulnerability has been dubbed, gained widespread attention last month when the firm that discovered it said it could give attackers instant access to Active Directory, which admins use to create, delete, and manage network accounts. Active Directory and the domain controllers it runs on are among the most coveted prizes in hacking because, once hijacked, they allow attackers to execute code in unison on all connected machines. Microsoft patched CVE-2020-1472, as the security flaw is indexed, in August.

    On Friday, Kevin Beaumont, working in his capacity as an independent researcher, said in a blog post that he had detected attacks on the honeypot he uses to keep abreast of attacks hackers are using in the wild. When his lure server was unpatched, the attackers were able to use a PowerShell script to successfully change an admin password and backdoor the server.
