2021 – A Year in review.

Hello World!

As 2021 draws to a close, the new year festivities subside and teams, students and professionals settle back into the office full time. Another year that will surely be packed with surprises awaits us…

2021, like 2020, was marred by the effects of the global coronavirus pandemic and a societal and political divide like never before, pushing us further and further apart at a time when cooperation and diversity are (as always) incredibly important within the IT industry.

That brings me to the first topic of my review: the hybrid warfare that is happening every day. In my opinion, influence and information are the main goals of the groups active in the current landscape; that likely won’t remain the case, but we are still in the very early stages. The ability to spew misinformation and disinformation around a critical topic, such as the coronavirus or vaccines, and thereby control information and influence, could be used to exacerbate another country’s political unrest as well as to overload health systems worldwide. This topic isn’t specific to this year or the pandemic, as these information tactics are used worldwide almost every day… but we must ask ourselves: “Where did this information come from?”, “Is the source trustworthy?”, “Has this information been reviewed by independent experts?”.

While defenders were still feeling the effects of the SolarWinds supply chain attack, in which more than 18,000 SolarWinds customers installed the malicious updates and were subsequently compromised last December, a new problem was found within Microsoft Exchange servers… well, four of them to be precise.

A group given the name HAFNIUM was detected exploiting these four vulnerabilities in the wild for information theft and espionage. HAFNIUM, which Microsoft has described as “state-sponsored and operating out of China”, is a sophisticated adversary, and Microsoft had to roll out updates in haste. The attackers exploited the vulnerabilities in Microsoft Exchange; the CVEs associated with this attack are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. The adversary would then look to deploy a web shell on the server(s) they had compromised in order to entrench their position and possibly exfiltrate information from the targets. However, it wasn’t just HAFNIUM attempting to exploit these vulnerabilities: after some time had elapsed, threat intel teams detected mass scanning for them.

Let’s move to the month of May… probably the most significant month of 2021 in cyber security. We saw five major attacks that month, all of which had a significant effect on daily life for a large number of people: the Colonial Pipeline ransomware attack, the Health Service Executive ransomware attack, the Waikato District Health Board ransomware attack, the JBS S.A. cyberattack and the Air India data breach.

So let’s pick up on two factors here, ransomware and healthcare… I won’t elaborate too much on ransomware, as it’s nothing new and it’s not declining, nor is a prediction that “it’ll continue into 2022” worth spending oxygen on: it has become a constant pain in the backside over the last few years and will not be letting up soon. Instead let’s look at healthcare. Other than critical infrastructure such as water and electricity, healthcare is a key sector where an attack has the ability not only to cause damage, but also to change lives and families. The reason healthcare finds itself susceptible to attacks lies in the critical role its staff and systems play on a daily basis, with some of these computers relied on to save lives or to operate complex machinery. That increases the difficulty of upgrading these systems, not to mention the cost of the product AND the cost of upskilling employees on the new equipment/systems… sometimes pushing the task of upgrading or patching systems down the list.

Well, I’m struggling to keep it short and sweet here, but let’s move on to the month of July, where we saw the Kaseya ransomware attack, in which the ransomware group REvil claimed to have infected more than 1 million devices, according to security firm Sophos. This was another supply chain attack: Kaseya said that fewer than 60 of its customers were affected, however the impact was felt by under 1,500 downstream businesses. The crooks attempted to extort $70m in cryptocurrency from the compromised businesses, however REvil would soon lose their control…

This was one of the first public cases of “hacking back” by the FBI that I have seen myself (I wrote a post about it that can be seen here). There was a lot of activity by law enforcement that sparked weeks of speculation before the FBI confirmed they had indeed compromised the group behind the attack on Kaseya and had withheld the decryption key for some time. This was done so as not to tip off the cyber gang to their activity, as a decryption key suddenly appearing would surely set alarm bells off in the criminals’ heads. The story had a mostly happy ending, with a small number of criminals being jailed, money that was paid being recovered by law enforcement and the universal decryptor being distributed to affected parties.

While there’s tons to potentially discuss on the topic, I’d like this to be a comfortable read… Briefly, I’ll close by mentioning the log4j vulnerabilities, which since my last blog post have slightly escalated, with more vulnerabilities being discovered in log4j on an almost weekly basis. This is no doubt due to hackers of all kinds swarming over log4j, as it marks one of the most significant vulnerabilities in history, as noted by the initial CVSS score of 10.0; the more recent vulnerabilities are less severe, however. Advice as of this post is that the safe versions are currently Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
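A small dependency check built on the version advice above, added here as an example and not part of the original post: it parses Maven-style coordinates (constructed sample input) and flags any log4j-core version below the fixed release for its line. Only log4j-core is checked, versions above 2.17.1 are assumed fixed, and log4j 1.x is flagged as outside the advised lines; those are assumptions of this example.

```python
import re
from typing import Iterable, List, Tuple

# Fixed versions per release line, as given in the post:
# 2.3.x (Java 6) -> 2.3.2, 2.12.x (Java 7) -> 2.12.4, everything else (Java 8+) -> 2.17.1
FIXED_ON_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.17.1' or '2.17.1-rc1' into (2, 17, 1); qualifiers are ignored."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '2.17' compares as (2, 17, 0)


def is_safe_log4j(version: str) -> bool:
    """True if the version is at or above the fixed release for its line."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # log4j 1.x (or anything else) is not one of the advised lines
    minimum = FIXED_ON_LINE.get(v[:2], FIXED_DEFAULT)  # assumption: >= 2.17.1 is fixed
    return v >= minimum


def find_vulnerable(coords: Iterable[str]) -> List[str]:
    """Return the log4j-core coordinates (group:artifact:version) below the fixed version."""
    flagged = []
    for coord in coords:
        _group, artifact, version = coord.split(":")
        if artifact != "log4j-core":
            continue  # assumption for this example: only log4j-core is checked
        if not is_safe_log4j(version):
            flagged.append(coord)
    return flagged


# Constructed sample dependency list (not taken from any real project)
SAMPLE_DEPS = [
    "org.apache.logging.log4j:log4j-api:2.14.1",
    "org.apache.logging.log4j:log4j-core:2.14.1",
    "org.apache.logging.log4j:log4j-core:2.17.1",
    "org.apache.logging.log4j:log4j-core:2.12.4",
    "org.apache.logging.log4j:log4j-core:2.3.1",
    "com.example:widget:1.0.0",
]

if __name__ == "__main__":
    for coord in find_vulnerable(SAMPLE_DEPS):
        print("below fixed version:", coord)
```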

Well, that’s all for my mini-review. As we look towards another year with newfound hope and motivation, I hope this year is better for all of us and that we see more smiles on people’s faces as we all play our role in protecting others.

Sources:
https://whatis.techtarget.com/feature/SolarWinds-hack-explained-Everything-you-need-to-know
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
https://www.techrepublic.com/article/kaseya-supply-chain-attack-impacts-more-than-1000-companies/