Top 5 security incidents of 2021

We may have moved into a new year, but 2021 gave us plenty to remember when we look back at notable security concerns. The best way to best protect ourselves this year (and every year) is to learn from the past and ask how we can do better and ensure we don’t make the same mistakes. The security landscape is rapidly developing with ever-increasing developer reliance on third parties (like cloud providers) and open-source software.

This past year, we started to see governments, specifically the US government, get more involved in Cybersecurity guidance and warnings to the private sector.  In the past, this would normally take place quietly (where the FBI would work with a company privately or upon request) or in a press briefing where a summary of the incident would take place.  In 2021, we saw the federal government issue active alerts advising the private sector on the risk of the incident.  The change stems from  recent attacks that allow adversaries to pivot and target the Public sector through the use of activities like phishing or installing malware as a trusted partner.

The security community must learn to adapt and become proficient at reducing exposure and risk to the ever-changing threats. It’s in that spirit, we can take a look back on 5 of the top concerns of 2021.

Log4j (CVE-2021-44228)

The most memorable (and recent) security concern is related to Log4j.  As of the publishing of this blog, there have not been many disclosed breaches from this vulnerability. But given the global impact of this event, the potential and inevitability is there, so it’s worth being at the top of this list. Log4j is one of the most used open-source logging libraries for Java applications. It’s an easy way for developers to incorporate a logging mechanism into their application, without having to build one. It obviously saves time and money to reuse code, but it brings risk. The OWASP Top 10 in 2017 listed “Using Components with Known Vulnerabilities” as the number 9 most common security vulnerability.  In the updated 2021 Top 10, it moved up to number 6.  This shows the continued strong use of Open Source components in modern software development and the potential for vulnerabilities to be taken advantage of by adversaries.     

Log4j was particularly concerning because the exploit allows attackers to run a command locally on the server hosting the Java application (known as remote code execution).  This attack could allow downloading of a malicious file or allow an attacker to run commands granting access to the server and pivoting onto servers with more sensitive information.  The Log4j vulnerability was difficult to fix because it was so pervasive and can be buried deep in an application so it requires knowledge of all your application libraries and their versions. It’s even more complicated by the fact that Java libraries allow you to nest libraries (a jar may be nested instead of a jar that is nested inside of a jar, etc.), so it’s possible that a simple scanning tool will not find all the vulnerable libraries.

Unfortunately this vulnerability will be with us in 2022 and likely beyond. The Apache foundation was quick to fix the vulnerability, but organizations are not always as quick to patch.  Log4j was serious enough for the US Federal Trade Commission to issue a rare statement strongly urging businesses to patch.  This vulnerability is one to keep an eye on and see how attackers eventually manage to use it to attack an organization.

Microsoft Exchange Server

At the beginning of the year Microsoft announced that it had discovered (or been notified) about 4 vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) in its Microsoft Exchange product.  These can not only lead to compromise of the Exchange Server but the vulnerabilities could be used as a part of an attack chain to gain control of the server and install malware or launch commands that would allow lateral movement in an organization’s environment.  

The timeline for the Exchange Server vulnerability is somewhat known, but there is still some question around the disclosure timeline. In January 2021, companies were targeted and the vulnerability started to be exploited by attackers. Microsoft then deployed patches in March 2021 for all four vulnerabilities and strongly urged all companies to begin reviewing their Exchange environments and to patch immediately if vulnerable. Over the next several weeks and months, enterprises were left ensuring they were patched and trying to determine if they had been compromised by attackers.

The US government took an active interest and unusual direct action in this exploit.  It started in March when the Cybersecurity & Infrastructure Security Agency (CISA.gov) issued a detailed directive on the exploit and even posted remediation information to assist security teams with determining if they are infected and how they can fix the issue.  In April, the FBI obtained court permission to connect to private sector infected servers (through the same method as the attacker) and shut down the exploit. They would then notify and work with the infected company.  The interest by the federal government was likely due to the threat that an infected company could be exploited to send a phishing email (but appearing totally legit since the attacker could modify the infected company’s Exchange server) to a government agency.

ONUS

2021 was a year of security issues for the Crypto market. They were all for different reasons (stolen encryption keys, ransomware, and so on), but it’s clear that this is a market being especially targeted by attackers. One attack of note is Vietnamese crypto trading platform Onus.  It suffered a break-in around the middle of December by attackers taking advantage of the Log4j vulnerability.  

The bad actors discovered a sandbox server that was running a vulnerable version of Log4j.  They were able to exploit this vulnerability, gain access to the box, and then pivot to some s3 buckets in AWS that contained customer data.  The data they were able to steal contained information like personal information, E-KYC (data like photos used to verify identity), and hashed passwords of two million customers. Once they had this information, they set a $5 million ransom

Onus made a decision not to pay the ransom. They notified their customers of the attack on social media and then apologized.  Their statement said it gave them an opportunity to evaluate their security posture and improve and asked for customer understanding. The hackers then put the stolen information for sale on the darkweb.  It’s worth noting that this is an example of an extortion scenario in the cloud.  This situation has not been seen much in the cloud, but is a logical extension of where the criminals may go.

Colonial Pipeline

Like the past couple of years, ransomware continues its popularity among attackers as a way to extort money from businesses. Whether it’s through finding a vulnerability in an external network or through malware embedded in a phishing email, ransomware is still being used regularly.  Not surprisingly, its effects can be extremely disruptive and damaging to businesses.  

In 2021, Colonial Pipeline suffered a ransomware attack in the month of May.  Colonial Pipeline is a major supplier of fuel up and down the East Coast of the United States.  Attackers were able to gain access to their network by a compromised credential on a company VPN.  Once they logged in through the VPN, they were able to gain access to servers with sensitive information and encrypt the data.  The pipeline was forced to shut down for a few days to stop the spread of the malware.  This predictably led to fuel shortages for a few days along the Eastern seaboard.

This was the first publicly disclosed attack against a part of the US Infrastructure. It was declared a national security threat and US intelligence agencies got involved to assist.  In the end, it was decided by Colonial to pay the $4.4 million ransom to unlock the files.  In the end, the federal government was able to recover $2.3 million of the ransom by tracking down the digital wallets used in the transaction.  

T-Mobile

The phone carrier T-Mobile, in August of 2021, suffered a major attack involving their customer data. Attackers were able to gain access to around 50 million of the carrier’s customer records.  The data includes names, addresses, drivers license numbers, IMEI and IMSI information.  It was a massive amount of private information lost that T-Mobile had to disclose to its customers.

The attacker was a 21 year old US Citizen based in Turkey.  He managed to find a hole in a T-Mobile firewall which allowed him access to around 100 of the company’s servers. From there, he was able to hack into an Oracle database and extract the customer data.  He took copies of the data and sold it to buyers who were ready to use it in the dark market.

The motive behind this attack is interesting. The young hacker claimed to be doing it in retaliation for being held captive by US intelligence agencies during investigating his potential involvement in cybercrime, Satori botnet activity and Islamic militant activities.  There is no proof one way or another whether this is true, but he remains clear on his motive.

2022 and beyond

There appears to be no sign of let-up in cyber criminal activity.  Techniques like crypto mining and ransomware will continue in 2022 (see Lacework labs 2022 Security Predictions.) As more companies continue to go digital or move their data centers to the cloud, the attack surface will only increase. As such it’s important to review the incidents so that we can understand how we can better improve the security of our systems.  One thing to keep in mind is we should never be dependent on one security control to secure our infrastructure or be dependent on a 3rd party to do it alone.  When we put data in the cloud, we should not assume the cloud provider will keep it secure. Having multiple controls in place such Identify and Access Management, least privilege and encryption at rest can help mitigate the impact of an attack.  Many of the security incidents of 2021 appear to have single points of failure that allow broader access or they assume cloud providers own all the security.  A solution is to take ownership of your security and go back to the basics.  Defence in Depth is a security strategy that can not eliminate all the security threats, but it can make the adversary’s job a lot more difficult.