7 of the Most Impactful Cybersecurity Incidents of 2021
There was a lot to learn from breaches, vulnerabilities, and attacks this year.
December 23, 2021
![Shadowy hacker standing by window](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltf2e4991c28ad4891/64f173ff7899728152832aba/cyberattack_Anucha_Cheechang_shutterstock.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Anucha Cheechang via Shutterstock
The Log4j vulnerability that became public on Dec. 10 quickly established itself as one of the most significant security threats of 2021. But it was far from the only issue that security teams had to wrestle with through the year.
As with every year, 2021 had its share of other big data breaches and security incidents that impacted many organizations.
For those keeping score, 1,291 breach incidents were publicly reported through Sept. 30, according to the Identity Theft Resource Center (ITRC). That number was already 17% higher than the 1,108 breaches disclosed for all of 2020. If the trend continues, 2021 could break the record of 1,529 breaches that were reported in 2017.
But breaches weren't the only concern. A new Redscan analysis of the National Vulnerability Database (NVD) showed that more vulnerabilities — 18,439 — have been disclosed so far this year than in any previous year-to-date. Redscan found that some nine in 10 of them can be exploited by attackers with limited hacking or technical skills.
For security teams defending their organizations against threats daily, the statistics are unlikely to come as much of a surprise. Even so, the data hammers home the challenges organizations faced in 2021 — and will no doubt continue to face next year, as well.
The following is a list of seven of the most impactful breaches, attacks, and vulnerabilities of 2021.
A critical remote code execution vulnerability in the Apache Log4j logging library rocked the industry like few other vulnerabilities have in recent years. The concern stemmed from the fact that the library is used pervasively across enterprise, operational technology (OT), software-as-a-service (SaaS), and cloud service provider (CSP) environments and is also relatively easy to exploit: an attacker only needs to get a crafted string into something the application logs. The flaw gives attackers a way to take remote control of servers, PCs, and any other device in which the library is present, including those in critical OT and industrial control system (ICS) environments.
The flaw (CVE-2021-44228) exists in Log4j versions 2.0-beta9 through 2.14.1 and can be exploited in multiple ways. The Apache Software Foundation initially released Log4j 2.15.0 to address the issue but had to release a further update (2.16.0) shortly afterward because the first fix was incomplete in some configurations and still left servers open to denial-of-service (DoS) attacks and data theft.
As of Dec. 17, no major data breaches tied to the flaw had been publicly reported. However, security experts have little doubt that attackers will exploit the flaw, and continue to do so for the foreseeable future, simply because of how difficult it is for organizations to find every instance of the vulnerable library and protect against the flaw.
Numerous security vendors have reported widespread scanning activity targeting a wide range of IT and OT systems, including servers, virtual machines, mobile devices, human-machine interface (HMI) systems, and SCADA equipment. Much of the scanning activity has involved attempts to drop coin miners, remote access Trojans, ransomware, and Web shells. Among those involved are known financially motivated threat groups and state-backed advanced persistent threat actors from Iran, China, and Turkey.
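Finding every copy of the library is the hard part: log4j-core is routinely shaded into application "fat" JARs and WAR files, so a search on file names misses most of it. The scanner below is an added example written for this article, not code from the Apache project or from any vendor. It walks a directory, descends into nested archives, reads the Maven version recorded inside each log4j-core copy, and classifies it against the 2.0-beta9 to 2.14.1 range quoted above, with two caveats a practitioner needs: the 2.3.1 and 2.12.2 maintenance releases for old Java runtimes carry the fix despite their low version numbers, and a JAR from which JndiLookup.class has been deleted (the documented stopgap for systems that could not upgrade) is mitigated rather than vulnerable. The fake_log4j_core and build_archive helpers construct sample archives so the logic can be exercised without a real Log4j build; the verdict strings are my own and the sample paths are made up.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# "2.0-beta9", "2.14.1", "2.17.1" -> comparable tuples; a pre-release sorts
# before the final release with the same number (2.0-beta9 < 2.0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, pre, num = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre], int(num or 0))

VULN_LOW, VULN_HIGH = parse_version("2.0-beta9"), parse_version("2.14.1")
COMPLETE_FIX = parse_version("2.16.0")  # 2.15.0 was superseded within days
BACKPORT_FIXES = (parse_version("2.3.1"), parse_version("2.12.2"))  # Java 6/7 branches

def classify(version: str, has_jndi_lookup: bool) -> str:
    v = parse_version(version)
    if v < VULN_LOW:
        return "not affected (before 2.0-beta9)"
    if v <= VULN_HIGH:
        # Old-Java maintenance releases carry the fix despite their low numbers.
        if any(v[:2] == b[:2] and v >= b for b in BACKPORT_FIXES):
            return "fixed (backport branch)"
        # Deleting JndiLookup.class was the vendor-documented stopgap.
        return "VULNERABLE" if has_jndi_lookup else "mitigated (JndiLookup.class removed)"
    if v < COMPLETE_FIX:
        return "partially fixed (2.15.0): upgrade"
    return "fixed"

def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Zip a {name: bytes} mapping in memory (used only for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def fake_log4j_core(version: str, include_jndi_lookup: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core JAR: just the Maven metadata the
    scanner keys on and, optionally, a placeholder JndiLookup.class."""
    entries = {POM_PROPS: f"artifactId=log4j-core\nversion={version}\n".encode()}
    if include_jndi_lookup:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"  # class-file magic only
    return build_archive(entries)

def _props_version(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_archive(blob: bytes, label: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (location, version, has_jndi_lookup) for every log4j-core inside
    the archive, descending into nested JARs/WARs/EARs (shaded copies)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = _props_version(zf.read(POM_PROPS))
            if version:
                yield label, version, JNDI_CLASS in names
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(name), f"{label}!/{name}")

def scan_tree(root: Path) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and classify every log4j-core copy found."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            for loc, ver, has_jndi in scan_archive(path.read_bytes(), str(path)):
                findings.append((loc, ver, classify(ver, has_jndi)))
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        root = Path(tmp)
        (root / "log4j-core-2.14.1.jar").write_bytes(fake_log4j_core("2.14.1"))
        (root / "app.war").write_bytes(build_archive({
            "WEB-INF/lib/log4j-core-2.13.3.jar": fake_log4j_core("2.13.3", False),
            "WEB-INF/lib/log4j-core-2.17.1.jar": fake_log4j_core("2.17.1")}))
        for loc, ver, verdict in scan_tree(root):
            print(f"{verdict:40s} {ver:9s} {loc}")
```

Point scan_tree at an application install, a container image layer extracted to disk, or a build server's artifact cache. The version check on its own is not enough: a copy reported as 2.14.1 with JndiLookup.class missing is the state a hot-patched host should be in, while a 2.15.0 copy still warrants an upgrade.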
A ransomware attack on US pipeline operator Colonial Pipeline in May dominated the news not so much for the way the company was breached, but for the broad impact it had on a relatively wide swath of the US population.
The attack, by a group later identified as the Russia-based DarkSide, caused Colonial, for the first time in its history, to shut down the entire length of its 5,500-mile pipeline. The move disrupted the transportation of millions of gallons of fuel and triggered temporary gas shortages across a large section of the US East Coast. The impact of the breach elevated ransomware to a national security-level concern and prompted reactions from the White House on down. A few days after the incident, President Biden issued Executive Order 14028, requiring federal agencies to implement new controls for strengthening cybersecurity.
DarkSide gained access to Colonial Pipeline's network using stolen legacy VPN credentials. The attack method itself was not especially noteworthy, says John Pescatore, director of emerging security trends at the SANS Institute, but the disruption itself "was visible, meaningful, and personally felt by many in government positions," he says.
The personal impact of not being able to gas up vehicles grabbed the attention of government officials and constituents alike.
"I really think that caused some bipartisan support for the US government raising the bar on issues such as use of reusable passwords," Pescatore says. Though the heightened focus may not translate to rapid progress, it has triggered a definite forward movement to better security, he notes.
An early July security incident at IT management software provider Kaseya highlighted once again the growing threat organizations face from software vendors and other providers in the IT supply chain.
The incident, later attributed to an affiliate of the REvil/Sodinokibi ransomware group, involved threat actors exploiting a set of three vulnerabilities in Kaseya's Virtual System Administrator (VSA) technology that numerous managed service providers (MSPs) use to manage their customers' networks. The attackers exploited the vulnerabilities to distribute ransomware on thousands of systems belonging to downstream customers of MSPs using Kaseya VSA.
An investigation conducted into the breach by Huntress Labs showed the attackers took less than two hours — after initial exploit activity — to install the ransomware on systems belonging to numerous companies across multiple MSPs.
The incident prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue multiple alerts warning of the threat and offering guidance for MSPs and their customers.
The Kaseya attack highlighted growing threat actor interest in breach-once/compromise-many targets, such as software vendors and service providers. While such attacks have been going on for years, the incidents at SolarWinds and Kaseya underscored the growing severity of the threat.
"The Kaseya attack took attacking MSPs from the realm of nation-states to that of criminal gangs operating strictly for profit," says Oliver Tavakoli, chief technology officer at Vectra AI. "While it was not a classic supply chain attack — as it leveraged exploits of deployed Kaseya VSA servers — the Kaseya mechanism whereby MSPs distribute software to their clients [was] key to the broad scope and speed of the attack."
When Microsoft issued emergency fixes for four vulnerabilities — collectively called ProxyLogon — in its Exchange Server technology in early March, the move sparked a patching frenzy unlike any in recent memory.
The panic was prompted by Microsoft's disclosure that a China-based advanced persistent threat (APT) group called Hafnium had been actively targeting the flaws for weeks before the patches were issued. Subsequent investigations by other security vendors showed that several threat groups had been targeting the flaws prior to patch availability and that numerous others had joined the action after Microsoft's vulnerability disclosure. The attacks were so numerous that F-Secure at one point described vulnerable Exchange Servers worldwide "being hacked faster than we can count."
When chained together, the ProxyLogon flaws gave threat actors a way to gain unauthenticated remote access to Exchange Servers: a server-side request forgery (CVE-2021-26855) let an unauthenticated attacker send requests as the Exchange server itself, and post-authentication arbitrary file write bugs (CVE-2021-26858 and CVE-2021-27065) then let them drop Web shells onto the server.
"[It] is essentially an electronic version of removing all access controls, guards, and locks from the company’s main entry doors so that anyone could just walk in," F-Secure had noted at the time.
The security vendor, like numerous others, advised companies to simply assume they had been breached and respond accordingly. Less than three weeks after the bugs' disclosure, Microsoft reported that some 92% of worldwide Exchange Server IPs had been either patched or mitigated. But lingering concerns over Web shells that attackers had installed on Exchange Servers prior to patching prompted the US Department of Justice to take the unprecedented step of obtaining court authorization for the FBI to proactively remove Web shells from backdoored Exchange Servers.
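One concrete form of "assume breach" is to go looking for the exploitation itself. Microsoft's March 2021 guidance pointed defenders at the Exchange HttpProxy logs, where CVE-2021-26855, the server-side request forgery that opened the chain, shows up as a request with no authenticated user but an AnchorMailbox of the form ServerInfo~<host>/<path>. The following is an added example written for this article, not code from Microsoft or F-Secure: it parses that log format and flags the pattern over a constructed sample. The column names follow Microsoft's published indicator; the hosts, addresses, request IDs and rows are made up, and the fallback to a plain CSV header is my own assumption.

```python
import csv
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the shape of an Exchange HttpProxy log. Real files live
# under <ExchangeInstallPath>\Logging\HttpProxy\ and carry many more columns;
# the hosts, addresses and request IDs below are made up.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,ProtocolAction,UserAgent,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T10:15:01.120Z,7a1c0b6e,203.0.113.10,mail.example.test,/owa/auth/x.js,GET,python-requests/2.25.1,,ServerInfo~localhost/autodiscover/autodiscover.xml?#,200
2021-03-02T10:15:02.311Z,3f9d1a22,198.51.100.7,mail.example.test,/owa/,GET,Mozilla/5.0,EXAMPLE\alice,Sid~S-1-5-21-1004336348-1177238915-682003330-1104,200
2021-03-02T10:15:03.500Z,9c4e77d1,203.0.113.10,mail.example.test,/ecp/y.js,GET,python-requests/2.25.1,,ServerInfo~localhost/ecp/proxyLogon.ecp?#,200
2021-03-02T10:15:04.002Z,b2e8c3d4,198.51.100.9,mail.example.test,/owa/auth/logon.aspx,GET,Mozilla/5.0,,,200
"""

def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Turn the log into dict rows. Exchange writes the column list on a
    '#Fields:' comment line; other '#' lines are metadata and are skipped.
    If no '#Fields:' line is present the first data row is taken as the header
    (assumption, for logs that were re-exported as plain CSV)."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        values = next(csv.reader([line]))
        if fields is None:
            fields = values
            continue
        rows.append(dict(zip(fields, values)))
    return rows

def is_proxylogon_ssrf(row: Dict[str, str]) -> bool:
    """The published indicator for CVE-2021-26855: a request that was never
    authenticated yet carries a server-routing anchor ('ServerInfo~<host>/<path>')
    rather than a mailbox anchor, i.e. the SSRF steered it at a backend URL."""
    anchor = row.get("AnchorMailbox", "")
    return (row.get("AuthenticatedUser", "").strip() == ""
            and anchor.startswith("ServerInfo~") and "/" in anchor)

def triage(text: str) -> Tuple[List[Dict[str, str]], Counter]:
    """Return the suspicious rows and a per-source-IP tally for prioritising them."""
    hits = [r for r in parse_httpproxy_log(text) if is_proxylogon_ssrf(r)]
    return hits, Counter(r.get("ClientIpAddress", "?") for r in hits)

if __name__ == "__main__":
    hits, by_ip = triage(SAMPLE_LOG)
    for r in hits:
        print(r["DateTime"], r["ClientIpAddress"], r["UrlStem"], "->", r["AnchorMailbox"])
    print("sources:", dict(by_ip))
```

Run it over the real HttpProxy directories (Autodiscover, Ecp, Owa, Eas and so on). A hit is evidence of an exploitation attempt against the SSRF, not proof that a Web shell landed; pair it with a review of newly written .aspx files under the Exchange and IIS web roots, which is what Microsoft's Test-ProxyLogon.ps1 script automates alongside this same log check.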
The Exchange Server flaws were bad news in many ways, SANS's Pescatore says. Exacerbating the issue was Microsoft's relative slowness in getting fixes out for on-premises installations compared to Exchange Online.
"There are some reasons why SaaS providers can shield code weaknesses in their services faster than they can develop fixes that will work for the disparate on-prem environments," Pescatore notes.
But if they keep selling on-premises software, they must spend the money to have enough resources to quickly fix the software, especially when it comes to mission-critical technologies like Exchange Server, he adds.
Few vulnerabilities highlighted the persistent risk that Microsoft's Windows Print Spooler service presents to enterprises better than PrintNightmare (CVE-2021-34527). The flaw, disclosed in July, was in the Spooler function used to install printer drivers (RpcAddPrinterDriverEx). It affected all supported Windows versions and gave authenticated attackers a way to remotely execute malicious code with SYSTEM privileges on any system where the vulnerable service was running, including critical Active Directory administration systems and domain controllers. Microsoft warned that the vulnerability was being exploited and that a successful attack compromises the confidentiality, integrity, and availability of the environment.
Microsoft's disclosure of PrintNightmare prompted an urgent advisory from CISA, the CERT Coordination Center (CERT/CC), and others urging organizations to quickly disable the Print Spooler service on critical systems. Initial alerts referred to a patch that Microsoft had issued in June for a near-identical Print Spooler vulnerability (CVE-2021-1675), describing that patch as ineffective against PrintNightmare. Microsoft later clarified that while PrintNightmare was similar to the June flaw, it was a distinct vulnerability and required a separate patch.
PrintNightmare was the most serious of several flaws that organizations had to patch for this year in Microsoft's perennially buggy Print Spooler technology.
"PrintNightmare became significant because the vulnerability was in the 'Print Spooler' service that's installed on practically every Windows system," says Andrew Barratt, vice president of technology and enterprise at Coalfire.
This meant attackers had a huge attack surface to target, he adds. "Disabling those services isn’t always practical because it’s needed to facilitate printing," Barratt says.
Multiple organizations in the US, Canada, Singapore, Netherlands, and other countries experienced significant data compromises in February because of a vulnerability in a file transfer service they were using from Accellion. Retail giant Kroger was among the largest victims, with data belonging to employees and millions of customers of its pharmacy and clinic services being exposed. Other notable victims included law firm Jones Day, Singapore Telecommunications, the State of Washington, and New Zealand's Reserve Bank.
Accellion described the issue as having to do with a zero-day vulnerability in its near obsolete File Transfer Appliance technology that numerous organizations were using at the time to transfer large files inside and outside their organizations. Security vendor Mandiant said its investigation showed the attackers used as many as four zero-day vulnerabilities in the Accellion technology as part of the attack chain. Security vendors later attributed the attack to threat actors with connections to the Cl0p ransomware family and FIN11, a financially motivated APT group.
"The Accellion attack was a significant event in early 2021 because it demonstrated the dangers of ransomware supply-chain attacks," says Ivan Righi, cyber threat intelligence analyst at Digital Shadows. "The Cl0p ransomware gang was able to take advantage of zero-day vulnerabilities in Accellion's File Transfer Appliance [FTA] software to target a large number of companies at once, which significantly reduced the work and effort required to achieve initial access."
In February an attacker broke into a system at a water treatment facility in Oldsmar, Fla., and attempted to change the level of sodium hydroxide (lye), which is added to the water to control acidity. The intrusion was discovered when the intruder attempted to raise the lye setpoint from 100 parts per million to 11,100 ppm, a factor of 111; the change was quickly reversed before any damage was done.
A subsequent analysis of the incident showed the intruder had gained access to a system belonging to an operator at the water treatment facility likely using stolen TeamViewer credentials to log into the system remotely. The intrusion hammered home the continuing vulnerability of US critical infrastructure to cyberattacks, particularly because it showed how little it took to break into a supervisory control and data acquisition (SCADA) system at a drinking water treatment facility.
The incident prompted CISA to warn critical infrastructure operators about the dangers of using desktop-sharing software and obsolete or near end-of-life software, such as Windows 7, in the environment. CISA said its advice was based on its observation — and that of others, such as the FBI — of cybercriminals targeting critical infrastructure assets via such technology.
"The Florida water utility compromise was significant both because it was a wake-up call on how easily utilities could be compromised, and the safety controls put in place to mitigate most cyber compromises," says Jake Williams, CTO at BreachQuest.
After the incident, the public learned that the utility posted its remote access password in a publicly available Google Document. They also learned from officials that other safety measures in place at the facility would have kept the lye from ever reaching the public water source, even if the initial intrusion remained undetected. But such reassurances are cold comfort.
"It’s rare to start with such a serious issue and end with a 'but things were always going to be OK' kind of ending," Williams says.