More than 4,100 publicly disclosed hacks and breaches happened in 2022, leading to roughly 22 billion records being exposed or stolen. That’s up significantly from 2021, when some 1,243 major security incidents were reported. Of course, those numbers reflect publicly reporting companies only; small businesses and individuals are hacked several thousand times every single day.
However, many of those hacks and data breaches resulted from preventable weaknesses, such as unsecured data, untrained employees, and stolen credentials. In this article, we highlight some of the biggest hacks of 2022, with insight from our Chief Pentester Mike Terhaar on each.
1. GitHub Supply Chain Attack
Source Code Clone and Malware
In August 2022, a post on Twitter disclosed an attack on GitHub’s supply chain that potentially impacted 83 million developers using the site. The attack involved a threat actor cloning legitimate GitHub repositories and adding malicious code or malware to over 35,000 repositories. 40% of the affected repositories originated from a single organization.
The cloned repositories spoofed the original accounts and project names to lure developers into using them. Once the code ran, it collected information about the user, device, and system it was executed on. It could also download further malware, allowing it to exploit that system further.
“This is a really old school approach. In the old days they would insert code into Microsoft products; it’s different of course, but attacking GitHub like this is an evolution of that. You can’t prevent it, but you can make sure that any code you send to GitHub is hashed. If someone re-uses it, the hash won’t be the same. That’s also part of developers taking responsibility for securing their own code. GitHub must commit to being reasonably secure. However, it’s still the responsibility of developers to check code, to ensure it’s the original code, and to use security measures. Attacks like this only highlight the value of constantly checking and ensuring your code is secure.”
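The hashing idea in the quote above, worked through as an added example (this is not code from the article, from Mike Terhaar, or from GitHub): record a SHA-256 manifest of a source tree you trust, then compare any copy against it. The directory layout, file names and the "tampering" are all constructed inside the script so it runs offline; the manifest format is an assumption of this example, not a GitHub feature.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, streamed so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256.
    A .git directory is skipped: its contents change on every commit and are
    not part of the code being protected."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and ".git" not in rel.parts:
            manifest[rel.as_posix()] = hash_file(path)
    return manifest


def verify_manifest(root: Path, trusted: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree at root against a trusted manifest and report what differs.
    'modified' files are the case the quote describes: same name, different hash."""
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in actual and actual[p] != trusted[p]),
        "added": sorted(p for p in actual if p not in trusted),
        "missing": sorted(p for p in trusted if p not in actual),
    }


def demo() -> dict[str, list[str]]:
    """Build a tiny constructed repository, record its manifest, then change the
    copy in the three ways a tampered clone can differ, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "app.py").write_text("print('hello')\n")
        (root / "README.md").write_text("# demo\n")
        trusted = build_manifest(root)  # this is what you would publish/sign

        # Constructed changes standing in for a modified clone:
        (root / "src" / "app.py").write_text("print('hello')\n# extra line\n")  # altered file
        (root / "src" / "helper.py").write_text("pass\n")                        # added file
        (root / "README.md").unlink()                                             # removed file
        return verify_manifest(root, trusted)


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is stored somewhere the attacker cannot also rewrite, for example published alongside a signed release tag or release checksums; a manifest committed next to the code would simply be regenerated by whoever modified the copy.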
2. Dropbox Data Breach
On November 1st, 2022, the data storage firm Dropbox disclosed that it had been the victim of a phishing attack. The phishing campaign led to unauthorized access to 130 source code repositories on GitHub, exposing third-party libraries used by Dropbox to the threat actor. Personal email addresses and names of Dropbox employees, sales leads, and vendor information were also leaked.
The attack did not expose any core app data or user data. However, Dropbox employees began receiving highly targeted spear-phishing attacks at their leaked addresses.
“This is a classic phishing attack, but Dropbox handled it well. Unlike Uber, which tried to hide their breach, Dropbox released a statement as soon as they were aware of the issue, how it impacted users, and what was stolen,” says Mike. “That kind of transparency, as well as transparency relating to security measures taken after data was breached, is going to become more essential as supply chains and vendor integration become more complex.”
3. Twitter Hack
In December 2022, Twitter user account data began surfacing on hacking forums. After a review of the data, experts confirmed that it was what posters were claiming it to be: the personal email addresses and phone numbers of 400 million Twitter account holders. Threat actors most likely acquired this information by scraping the site. Still, we don’t know when the data was actually stolen, with some experts suggesting that it could have been as early as 2021.
That breach has since led to phishing attacks and hacks of several high-profile Twitter accounts, including British celebrity Piers Morgan.
“This could open millions of people up to account theft on Twitter. It’s crucial to keep changing your password and not re-use your password across different accounts. Be vigilant in case of spear phishing attacks. Ensuring that you encrypt or store data in secure servers is a basic first step in preventing this kind of hack.”
4. Uber Hack
Social Engineering / Man-in-the-Middle Phishing
In September 2022, Uber announced that it was responding to a security incident, after which a 17-year-old hacker was arrested in London. The incident most likely involved a stolen password from an Uber contractor, which the threat actor used to gain access to Uber’s internal systems.
That follows the high-profile 2016 hack, which Uber attempted to cover up, and which exposed the personal information of over 57 million people. This time Uber disclosed the incident and announced that no customer data was affected; private information, technology stacks, and even vulnerability reports from pentesting were exposed, however.
“Make sure you have logging and monitoring in place. It’s unacceptable that Uber did not see this right away; they should have some sort of logging and monitoring systems in place. If someone tries to do a man in the middle, an alarm should go off. Of course, you also still have to act on it, but that’s a different story. Man in the middle will always be an issue if you use weak accounts, don’t have 2FA, or if credentials or certificates are stolen. You can also manage location-based access for system users so you can alert people if someone suddenly logs into your accounts from somewhere unexpected.”
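The location-based alerting Mike describes, as an added example that is not code from the article or from Uber: a small detector run over constructed authentication log lines. The key=value log format, the user names, the RFC 5737 documentation IP addresses, the country codes and the per-user baseline of known locations are all assumptions made up for this example; a real deployment would read the same fields from its identity provider or VPN logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system).
SAMPLE_LOG = """\
2022-09-15T08:01:12Z user=alice src=203.0.113.10 geo=NL mfa=yes result=success
2022-09-15T08:05:40Z user=bob src=198.51.100.7 geo=NL mfa=yes result=success
2022-09-15T09:10:03Z user=alice src=203.0.113.10 geo=NL mfa=yes result=success
2022-09-15T09:12:45Z user=bob src=198.51.100.7 geo=NL mfa=no result=success
2022-09-15T09:30:00Z user=alice src=192.0.2.55 geo=BR mfa=no result=success
2022-09-15T09:31:10Z user=carol src=192.0.2.56 geo=US mfa=yes result=failure
"""

# Constructed baseline: countries each user normally signs in from (in practice
# learned from, say, the previous 30 days of successful logins and reviewed by a human).
KNOWN_LOCATIONS = {"alice": {"NL"}, "bob": {"NL"}}

# Two successful logins from different countries closer together than this are
# physically implausible for one person and worth an alert of their own.
TRAVEL_WINDOW = timedelta(hours=1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_anomalies(log_text: str, known_locations: dict) -> list[dict]:
    """Return one alert per rule violation, in log order. Only successful logins
    are judged: a failed attempt from a strange place is noise, a success is not."""
    alerts = []
    last_success = {}  # user -> last successful login (geo, ts) for the travel check
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        user, geo, ts = ev["user"], ev["geo"], ev["ts"]
        base = {"user": user, "src": ev["src"], "ts": ts.isoformat()}

        # Rule 1: first successful login from a country outside the user's baseline.
        if geo not in known_locations.get(user, set()):
            alerts.append({**base, "rule": "new_location", "detail": f"login from {geo}"})

        # Rule 2: a successful login that did not use a second factor.
        if ev["mfa"] == "no":
            alerts.append({**base, "rule": "no_mfa", "detail": "no second factor"})

        # Rule 3: impossible travel relative to the user's previous successful login.
        prev = last_success.get(user)
        if prev and prev["geo"] != geo and ts - prev["ts"] < TRAVEL_WINDOW:
            alerts.append({**base, "rule": "impossible_travel",
                           "detail": f"{prev['geo']} -> {geo} within {ts - prev['ts']}"})
        last_success[user] = {"geo": geo, "ts": ts}
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, KNOWN_LOCATIONS):
        print(alert)
```

On the sample data this raises four alerts: bob's login without a second factor, and alice's login from BR, which trips the new-location, no-MFA and impossible-travel rules at once. The detector deliberately does not add the new country to the baseline by itself; an analyst confirms the login first, which is the "act on it" step the quote mentions.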
5. Conti Ransomware Group
The Conti Ransomware Group is one of the most high-profile ransomware groups in the world, with numerous major ransomware attacks attributed to it, including the attack on the Costa Rica government. In August 2021, a former Conti affiliate posted training documents from the group, revealing that the group (based in Russia) hired third parties to gain access to companies. That material was then used in 2022, when a Ukrainian hacker exploited it to infiltrate the group before leaking significant data on the organization, its methods, models, and day-to-day operations. The leak included the source code for the group’s ransomware.
“This leak is significant because even hackers aren’t immune to social engineering and phishing attacks,” said Mike. “It will be interesting to see if Conti Ransomware comes back in another form, or if the hack leads to more ransomware groups facing similar attacks.”
6. Los Angeles School District
In September 2022, the Los Angeles School District, the second largest school district in the United States, announced that it had been attacked and that it would not pay the ransom for the data. Afterwards, a compressed file was uploaded to the internet, sharing data from the leak. This included social security numbers, addresses, and contact details for over 400 employees, personal information from over 4,000 employees, and the date of birth, name, and address of students enrolled between 2013 and 2016. The district has further revealed that all contractor data, including payroll records, was lost as well.
In addition, about half of the district’s servers were encrypted by the ransomware, making them inaccessible. And while the district responded quickly once the attack was discovered, some experts suggest that access to the data could have gone on for some time before it was noticed. LA Unified had also been alerted to vulnerabilities in a 2020 audit, and had failed to fix them.
“Almost every organization is vulnerable to ransomware attacks, but things like this really highlight the importance of responding to vulnerabilities and remediating them, and then re-testing to ensure that they’re fixed. This is so common; I have customers that have 500+ high issues and a few criticals and they don’t solve anything. In this case it’s difficult because you don’t know the reason they don’t solve vulnerabilities. Technicians often point to management, resources, etc., but I think it’s also the person working on solving the issues, because they have to translate the urgency of solving those issues or the potential impact of those issues to management.”
7. Crypto.com Hack
2FA Authentication Issue
Crypto.com was far from the only cryptocurrency hack of 2022. It stood out, however, because €31 million was stolen after the site failed to trigger 2FA authentication for withdrawals. Crypto.com has not released why 2FA did not trigger for the transfers, but responded to the breach by shutting down transactions for 14 hours and then instituting new security measures, including true multi-factor authentication instead of 2FA, and a 24-hour window between registering a new address and withdrawal.
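The two controls the paragraph ends with, a 24-hour hold on newly registered withdrawal addresses and a fresh multi-factor check on every withdrawal, expressed as policy code. This is an added example, not Crypto.com's implementation; the account model, the five-minute freshness limit on the MFA check and the sample timestamps are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy values: the 24-hour hold mirrors the measure described in
# the article; the MFA freshness limit is an assumption of this example.
ADDRESS_HOLD = timedelta(hours=24)
MFA_MAX_AGE = timedelta(minutes=5)


@dataclass
class Account:
    """Constructed account model: withdrawal addresses and when each was registered."""
    addresses: dict[str, datetime] = field(default_factory=dict)

    def register_address(self, address: str, now: datetime) -> None:
        # Re-registering a known address must not restart its hold timer,
        # otherwise the hold could be reset by simply submitting it again.
        self.addresses.setdefault(address, now)


def authorize_withdrawal(account: Account, address: str, now: datetime,
                         mfa_verified_at: Optional[datetime]) -> dict:
    """Decide whether a withdrawal to `address` may proceed right `now`.
    Every check is evaluated independently so the caller sees all problems,
    and the MFA check is never skipped just because the address check failed."""
    problems = []
    registered_at = account.addresses.get(address)
    if registered_at is None:
        problems.append("address_not_registered")
    elif now - registered_at < ADDRESS_HOLD:
        problems.append("address_in_hold_window")

    if mfa_verified_at is None:
        problems.append("mfa_missing")
    elif now - mfa_verified_at > MFA_MAX_AGE:
        problems.append("mfa_stale")

    decision = {"allowed": not problems, "problems": problems}
    if registered_at is not None:
        # Tell the user (and support staff) exactly when the hold clears.
        decision["hold_expires_at"] = registered_at + ADDRESS_HOLD
    return decision


def demo() -> list[dict]:
    """Constructed scenarios covering each branch of the policy."""
    t0 = datetime(2022, 1, 17, 12, 0, tzinfo=timezone.utc)
    acct = Account()
    acct.register_address("addr-new", t0)                        # registered just now
    acct.register_address("addr-old", t0 - timedelta(days=3))    # registered days ago
    acct.register_address("addr-old", t0)                        # must not reset the hold
    return [
        # new address inside the hold window, MFA fresh -> denied
        authorize_withdrawal(acct, "addr-new", t0 + timedelta(hours=1), t0 + timedelta(hours=1)),
        # aged address but no MFA -> denied
        authorize_withdrawal(acct, "addr-old", t0, None),
        # aged address, MFA two minutes old -> allowed
        authorize_withdrawal(acct, "addr-old", t0, t0 - timedelta(minutes=2)),
        # address never registered -> denied (MFA alone is not enough)
        authorize_withdrawal(acct, "addr-unknown", t0, t0),
        # hold has exactly expired, but the MFA check is ten minutes old -> denied
        authorize_withdrawal(acct, "addr-new", t0 + ADDRESS_HOLD,
                             t0 + ADDRESS_HOLD - timedelta(minutes=10)),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of returning every failed check rather than the first one is operational: when a withdrawal is blocked, support can see whether the customer simply needs to wait out the hold or whether the second factor was never presented, which is the distinction Crypto.com could not explain for its own transfers.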
8. Medibank Data Breach
Stolen Credentials / Ransomware
Medibank is one of the largest health insurance providers in the world, supplying coverage to 3.7 million people in Australia. In October 2022, the firm announced that it had been hacked after a threat actor infiltrated its systems using stolen credentials and installed malware.
The threat actor was able to extract over 200GB of personal customer data, including medical records, addresses, dates of birth, phone numbers, email addresses, and policy numbers. This was later released on the dark web as a bulk file after Medibank refused to pay the ransom. The data covers 9.7 million customers.
“This proves that threat actors are willing to do anything to make money; they don’t have any morals and they don’t care about hurting individual people. In the old days, a hack was more about prestige and now it’s more about organized crime. It’s more common than we think.”
9. Lapsus$ Group Attacks
Ransomware, Stolen Credentials, & More
The Lapsus$ Group is a hacker group focused on extortion through ransomware, leaking sensitive data, and encrypting data. The group gains entry to systems via social engineering, after which it moves through the environment, steals data, or encrypts it.
The group was also notoriously responsible for several high-profile hacks in 2022, including Okta (the identity and access management company), Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, Globant, Uber, and Rockstar Games.
“Having secure software does not mean you are safe; it only means that the known issues aren’t there. It doesn’t mean someone hitting the system for several months won’t find an entrance, because they will. Good cybersecurity just delays hackers willing to spend the time. A lot of what pentesters do is using existing information to test customers against those attacks, and hacking groups like this aren’t working on a deadline; they can find people to exploit, zero days, etc. They just have a challenge.
Big companies need to find a way to recover from this without paying ransom, and that could be a challenge. Otherwise, they’re just sponsoring these groups. Every big organization is at risk and having preventive measures in place or recovery measures is crucial.”
10. LastPass Data Breach
LastPass is one of the largest password management applications in the world. In August 2022, LastPass reported that a threat actor had gained access to its cloud-based storage environment. At that time, no customer data was lost. However, source code and technical information were stolen, which was used in a (likely) man-in-the-middle attack to target employees, gaining credentials and keys which were used to access storage volumes in the database. As a result, LastPass lost user information (names, addresses, IP addresses) and password vaults, which are still encrypted.
“This kind of hack shows that not even the technology we use to secure data is secure. Of course, if you follow password best-practices, it’s still extremely difficult for hackers to brute force your password. Still, organizations have to stay on their guard, ensure that master passwords are secure, and take steps to use logging and monitoring to detect man-in-the-middle attacks.”
What are the Biggest Risks to Organizations?
“Phishing and social engineering remain the biggest vulnerabilities in any organization,” says Mike. “You can train employees to spot phishing attacks, use password managers to minimize stolen credentials, and use 2FA, but people will always be the biggest risk. However, there are still other threats to be concerned about.
For example, ransomware is growing and it will always be an issue. Having offline backup systems is crucial to being able to start up again without paying; organizations should make sure they can recover without paying ransom. There are companies working on other solutions, so it will be promising to see what new companies are diving into that gap of recovering from ransomware. Old school methods of business continuity could still be the solution.
The biggest risk is not investing in good security measures (logging and monitoring, use cases for what’s going on in an environment/know what’s normal/not normal traffic), companies need to get alerts when there’s an anomaly or something strange. Once they have that system in place and the means to respond to alerts quickly, they can better recognize and respond when the system has been breached.”