With 2021 in the rearview mirror, we are given the opportunity to recap the cyber security trends and events it was littered with. Back in early February of 2021, we gave warning in a blog (see here) that cyber security threats are on the rise, and it would be wise for businesses to take a proactive approach to cyber security as opposed to a reactive one. It was noted that the COVID-19 pandemic would grant hackers new opportunities and avenues to exploit sensitive data leading to devastating consequences. As we discuss some of the major breaches that occurred this past year it will become apparent these predictions were unfortunately brought to life. Ransomware continues to cause chaos while other attack types such as supply chain and zero day become increasingly prevalent. To learn more about attack type trends check out blog from last April (see here) so you can be educated on what threats to be on the lookout for.
Endpoint detection and response (EDR) as well as extended detection and response (XDR) have been a strong point of emphasis in 2021. Endpoints, as explained in a previous blog (see here), are the low hanging fruit since they are the most exposed target for bad actors looking to infiltrate an enterprise. XDR, on the other hand, takes into account each endpoint is only a component of the IT infrastructure. This method strives for security visibility across cloud infrastructure, mobile devices, and endpoints amongst other things.
If you think your business is immune to these types of attacks or that you wouldn’t be a worthwhile target for a bad actor, think again. Locally, in northeastern Wisconsin, a company was the victim of a $5 million ransomware attack. They were completely down for about 5 days and were unable to operate at 100% capacity for 14 days. An estimated $1 billion in losses was reported. Companies of all shapes, sizes and locations are at risk.
Join us as we take a look at four of the biggest cyber security events of 2021 so you can better understand the impact cyber breaches have on modern society and make sure your organization has taken the appropriate steps to avoid disaster.
SolarWinds
Malicious code was added into SolarWind’s software system in early 2020 when hackers secretly broke into the Texas-based company. Orion, the name of the system that was hacked, is used to manage IT resources by approximately 33,000 customers. The SEC was notified that up to 18,000 customers were vulnerable to hackers due to updates they had installed. The severity of the breach is heightened when you consider SolarWinds serves numerous high-profile customers including multiple agencies in the US government and Fortune 500 companies. The issue started as early as March of 2020 when SolarWinds, like most software companies, sent out a regular update to their system to add features or fix bugs. However, unknowingly the update that was sent out at that time included a compromised code. This resulted in the bad actors being able to install additional malware on customer’s information technology systems that granted them the ability to spy on these organizations. One of the most eye-opening aspects of this attack is that customers were vulnerable for nine months and some victims will never even know if they were hacked due to the stealthy nature of the attack. Russia’s Foreign Intelligence Service, known as the SVR, is the likely culprit according to cyber security experts and federal investigators. It has proven to be expensive and extremely challenging to secure systems since a large number of networks have been penetrated. The silver lining may come in the form of enhanced federal cyber security efforts moving forward as a result of one of the largest breaches in recent memory.
Microsoft Exchange
Widespread attacks by state-sponsored threat groups which deployed backdoors and malware were a part of four zero-day vulnerabilities exploiting the Microsoft Exchange Server. Large enterprises and medium-sized businesses alike use Microsoft Exchange worldwide as a collaboration tool that includes an email inbox and calendar. January 6, 2021 is when the attacks likely started according to Volexity, with Dubex confirming suspicious activity on the Microsoft Exchange servers in the same month. Patches to remedy the vulnerabilities began rolling out on March 2nd. However, the degree of compromise was at the mercy of the uptake and speed of the patches. Security issues persisted for some time after. In fact, 82,000 servers remained unpatched on March 12th according to Microsoft and RiskIQ. Additionally, a potential link between the privately issued PoC attack code and exploit tools spotted in the wild is being investigated. Perhaps a leak that was accidental, or deliberate, lead to a spike in attacks. Known together as ProxyLogon, the critical vulnerabilities can have devastating consequences when used in an attack chain which has the potential to result in Remote Code Execution, backdoors, server hijacking, data theft and the potential for further malware deployment. The state-sponsored advanced persistent threat group from China, Hafnium, has been traced to the attacks. These attackers secured access to the Exchange Server by means of bugs or stolen credentials which in turn give the bad actors an opportunity to create a web shell to hijack the system and remotely execute commands.
Kaseya
On July 2, 2021 the IT solutions developer for MSP’s and enterprise clients, Kaseya, announced they had fallen victim to a cyber attack. Kaseya plays a critical role in the wider software supply chain as a provider of technology to MSP’s which serve other companies. An estimated 40,000 organizations worldwide rely on at least one software solution from Kaseya. The belief is that attackers took advantage of a vulnerability in Kaseya’s VSA software impacting several MSP’s and their customers in order to carry out the supply chain ransomware attack. Originally, the attack was believed to be limited to a small number of on-premises customers and CEO Fred Voccola encouraged clients to immediately shut down their VSA servers. By July 4th, the tune was changed as the company revealed they were the victim of a sophisticated cyber attack impacting 800 to 1,500 SMBs. After tracking 30 MSP’s involved in the breach, the belief is that an authentication bypass vulnerability in the Kaseya VSA web interface triggered the attack. Bad actors were able to avoid authentication controls, take part in an authenticated session, upload a malicious payload, and execute commands using SQL injection in an effort to achieve code execution. The ransomware group REvil has been linked to the attack. They offered a universal decryption key for $70 million worth of Bitcoin. Since then, Kaseya released a patch and now claimed 100% of their SaaS customers were once again live. By July 22, a third-party obtained a universal decryption key which Kaseya has denied paying for.
Log4j
With a severity score of 10 out of 10, the most high-profile security vulnerability on the internet right now is the Log4j flaw. Used for logging error messages in applications, Log4j is widely used in enterprise software applications. The exploits are believed to have started December 1, 2021 and the vulnerability has the potential to impact a wide range of services and software from a plethora of major vendors. If the application “consumes untrusted user input and passes this to a vulnerable version of the Log4j logging library” it is deemed at risk according to NCSC. Apache Log4j version 2 is the affected version and any device exposed to the internet is at risk if running it. This version is included in Apache Struts 2, Flink, Solr, Druid and Swift frameworks. According to one security company, over 40 percent of corporate networks have been targeted as bad actors have been making hundreds of thousands of attempts to discover vulnerable devices. CISA’s strongly encourages organizations to identify internet-facing devices running Log4j and get them upgraded to version 2.15.0 or to enforce mitigation efforts brought forth by vendors. Devices running Log4j should also be equipped with alerts for probes or attacks. Vendors who are believed to still be vulnerable include Amazon, Microsoft, Oracle, Cisco and Azure. Fortunately, scanners have become more widely available which can help identify threats that have resulted from the Log4j vulnerabilities; however, many still have blind spots.
ACP CreativIT has a dedicated department for cyber security. Whether you are looking to start protecting your business, or you have a solid foundation and want to ensure you are protected for the future, ACP CreativIT can help. Contact us at contactus@cccp.com to talk to one of our security experts today or visit our cyber security page here.
Source one: click here
Source two: click here
Source three: click here
Source four: click here