What we can learn from the most alarming 2021 breaches so far

Written by Cyber Pop-up on behalf of Veriato

The escalation in cybersecurity breaches seen in 2020 has continued well into 2021. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), the report analyzed 29,207 incidents worldwide, of which 5,258 were confirmed data breaches. An analysis of these breaches shows:

  • 85% of breaches involved a human element.

  • 10% of breaches involved ransomware, double the previous year.

  • Cloud-hosted assets were compromised more than on-premises assets.

Many of these breaches were financially motivated, targeting sensitive data that can be monetized easily and lucratively.

Human negligence, consistent with previous years, was the biggest threat to security. Cybercriminals are heavily exploiting social engineering tactics to gain a foothold in enterprise infrastructure. The human factor, including both intentional and unintentional insider threats, needs serious attention.

As cyber-attacks cripple more companies, it is time to look deeper into the recent security incidents. This can help security leaders determine better ways to defend and allocate security budgets to prevent, detect, and respond to attacks.

2021 Security Incidents in Review

This section classifies the incidents by attack type, analyzing what happened, the consequences, and actionable steps to defend and respond.

1. Ransomware

In 2020, ransomware attacks increased by 150% from the previous year, and ransom payments grew by 200%. The trend continues upward in 2021, with multiple high-profile ransomware attacks targeting critical infrastructure, municipalities, healthcare, and other sectors. The attacks have grown in sophistication. The ransom demands have also grown to tens of millions of dollars (paid in cryptocurrency) in exchange for sensitive company data held hostage.

The breaches affecting Colonial Pipeline and CNA Financial are two prominent ransomware incidents that hit the news headlines. CNA Financial, one of the largest insurers in the US, has reportedly paid a ransom of $40 million to a hacker group called Evil Corp. The CNA attackers used a new version of the Phoenix CryptoLocker malware. The March 2021 CNA Financial attack set the record for the highest ransom payment to date, roughly ten times that of the Colonial Pipeline attack, which is analyzed next in more detail.

Colonial Pipeline Breach

  • About the incident

Georgia-based Colonial Pipeline, the largest pipeline system for refined oil products in the US, was hacked in May 2021, prompting the company to shut down one of America’s major arteries for fuel delivery. The company and the FBI identified the hackers as an organized criminal group operating out of Eastern Europe. The attackers gained control of the oil supplier’s enterprise IT systems. In such attacks, typically, an organization’s networks are compromised, critical data is locked away with encryption keys, or computing systems are even wrecked beyond repair. For critical infrastructure companies like Colonial Pipeline, the danger is that the attack can spread into the operational infrastructure, which can completely cripple high-value oil production and distribution systems. In this incident, however, it was reported that the attack was limited to the company’s enterprise IT systems. The company nevertheless proactively decided to shut down its operations to safeguard the operational infrastructure from potential damage. Colonial Pipeline reportedly paid a ransom of nearly $5 million in bitcoin to restore and regain control of its network infrastructure and data.

  • Analyzing the cause

While more threat intelligence on this recent attack has yet to become public, it is understood that the threat actor, in this case DarkSide, employed extensive reconnaissance and possibly harnessed social engineering tactics to gain a foothold in Colonial Pipeline’s IT infrastructure and install the ransomware.

  • Sizing up the consequences

Colonial Pipeline’s distribution network consists of two gigantic tubes extending over 5,500 miles from Texas to New York. It can carry 3 million barrels of fuel per day. At that scale, a disruption is particularly impactful. Once the attack was detected, the company shut down its IT as well as its OT (Operational Technology) infrastructure. Oil distribution came to a grinding halt that continued for nearly a week. Considering the company distributes 45% of the fuel consumed on the US East Coast, the shutdown led to panic buying, fuel shortages, and price hikes that affected millions in the affected areas. Both the US government and the FBI intervened to manage the impact of the attack and its consequences.

  • Actionable steps to prevent, detect and respond

Following the attack, the Federal government announced plans to beef up cybersecurity defenses for critical infrastructure sectors. Still, attacks of this scale serve as a wake-up call for security stakeholders.

To defend against the growing threat and sophistication of ransomware attacks, companies need to consider security products designed to monitor for, prevent, and alert on ransomware. Continuous remote monitoring of your digital systems and assets for malware infection is crucial.

To ensure business continuity, it is important to regularly back up files and other network assets and configurations. Products like Veriato RansomSafe™ continuously monitor your systems for ransomware. Should ransomware reach your file server, Veriato RansomSafe™ immediately detects the attack and shuts down the affected servers before your data is encrypted. Before your files can be changed, RansomSafe™ backs up all your files, making a pristine copy of their latest versions that you can retrieve. Once the attack is disrupted, recovery is simplified. RansomSafe™ minimizes the scope and impact of the incident. Instead of extensive and expensive downtime, you can use the tool to expedite recovery and restoration.
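The two controls described above, spotting encryption-like write activity early enough to cut the offender off and keeping a pristine copy of each file before it is overwritten, can be modelled in a few dozen lines. The following is an added example written for this article; it is not Veriato RansomSafe code and does not reproduce its internals. The audit-event shape, the actor and share names, the suspicious-extension list and the burst thresholds are all constructed for illustration.

```python
"""Behavioural ransomware detection for a file server, with pristine copies.

Added example for illustration only; not Veriato RansomSafe code. The
audit-event shape, actor names, suspicious-extension list and thresholds
below are constructed.
"""
import math
from collections import defaultdict, deque

SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # constructed list
HIGH_ENTROPY_BITS = 7.0   # bits per byte; text and office documents sit far lower
WINDOW_SECONDS = 10.0     # how far back to count encrypted-looking writes per actor
BURST_THRESHOLD = 5       # writes in the window that trigger a block


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed output approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, content: bytes) -> bool:
    """A write is suspicious if it uses a ransom extension or random-looking bytes."""
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot != -1 else ""
    return ext in SUSPICIOUS_EXTENSIONS or shannon_entropy(content) >= HIGH_ENTROPY_BITS


class RansomwareGuard:
    """In-memory model of a file server that watches per-actor write bursts.

    Before any existing file is overwritten, its current content is saved once
    as a pristine copy, so whatever an encryptor touches before the burst
    detector trips can be restored afterwards.
    """

    def __init__(self):
        self.files = {}                    # path -> current content
        self.pristine = {}                 # path -> content before first overwrite
        self.recent = defaultdict(deque)   # actor -> timestamps of suspicious writes
        self.blocked = set()
        self.alerts = []

    def write(self, ts: float, actor: str, path: str, content: bytes) -> bool:
        """Apply a write event; returns False if the write was refused."""
        if actor in self.blocked:
            return False
        if path in self.files and path not in self.pristine:
            self.pristine[path] = self.files[path]
        if looks_encrypted(path, content):
            window = self.recent[actor]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                self.blocked.add(actor)
                self.alerts.append({"actor": actor, "ts": ts, "writes_in_window": len(window)})
                return False   # the write that tripped the detector is refused too
        self.files[path] = content
        return True

    def restore(self) -> int:
        """Put every pristine copy back; returns the number of files restored."""
        restored = 0
        for path, content in self.pristine.items():
            if self.files.get(path) != content:
                self.files[path] = content
                restored += 1
        return restored


def run_sample() -> RansomwareGuard:
    """Replay constructed audit events: normal edits, then an encryptor."""
    guard = RansomwareGuard()
    guard.write(0.0, "alice@WS01", r"\\FS01\share\q1-report.docx", b"Quarterly report draft, revision 3.")
    guard.write(5.0, "alice@WS01", r"\\FS01\share\budget.csv", b"dept,amount\nIT,12000\nHR,8000\n")
    for i in range(6):
        guard.write(10.0 + i, "alice@WS01", rf"\\FS01\share\notes-{i}.txt", f"meeting notes {i}".encode())
    # Constructed encryptor behaviour: every file rewritten within seconds with
    # random-looking bytes (bytes(range(256)) has exactly 8 bits/byte of entropy).
    junk = bytes(range(256))
    for i, path in enumerate(list(guard.files)):
        guard.write(100.0 + i * 0.2, "bob@WS07", path, junk)
    return guard


if __name__ == "__main__":
    g = run_sample()
    print("alerts:", g.alerts)
    print("files encrypted before restore:", sum(c == bytes(range(256)) for c in g.files.values()))
    print("files restored:", g.restore())
```

The detector deliberately lets a handful of writes through before it trips (the threshold is five in a ten-second window), which is exactly why the pristine copy matters: the files the encryptor reached are recovered from the copy taken before their first overwrite, and the actor is refused all further writes.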

2. Zero-Day Exploits – Microsoft Exchange

  • About the incident

In the March 2021 Microsoft Exchange incident, state-sponsored threat groups actively exploited multiple zero-day vulnerabilities affecting the on-premises versions of Microsoft Exchange Server. Microsoft Exchange Server is a solution for email, calendars, and collaboration.

On March 2, 2021, Microsoft released patches addressing these critical vulnerabilities. However, on-premises servers often lag in applying the latest patches and software updates. As a result, these exploits soon affected a reported 30,000 organizations across the United States, including both private and government enterprises. In these exploits, the hackers installed web shells, giving the cybercriminals a backdoor into victims’ servers with ongoing administrative access.

  • Analyzing the cause

According to the Microsoft Threat Intelligence Center (MSTIC), a threat group dubbed Hafnium carried out these exploits targeting multiple industry segments across the United States. The four software vulnerabilities, referred to collectively as ProxyLogon, allowed the intruders to leave behind a “web shell,” an easy-to-use, password-protected hacking tool that they could access from any browser over the Internet.

  • Sizing up the consequences

According to Gartner analyst Peter Firstbrook, the hackers’ endgame was not simply installing web shells on enterprise servers. The cybercriminals were exploiting rich attack environments like outdated servers to set the ground for future attacks on higher-value targets by seeding hundreds of thousands of victim organizations worldwide. The web shells give attackers the tools to gain complete remote control over affected systems.

If used in an attack chain, these exploits can facilitate Remote Code Execution (RCE), server hijacking, backdoors, data exfiltration, and potentially more server malware deployment. The Exchange server hacks have also resulted in several attempts to ransom stolen data.

  • Actionable steps to prevent, detect and respond

To defend against these threats before they proliferate further, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued an emergency directive. It instructs all federal civilian departments and agencies with vulnerable on-premises Microsoft Exchange servers to either update the email software or take the products offline from their networks. For ongoing defense against zero-day exploits, organizations need to implement the right threat detection tooling. It is time to upgrade antiquated security tools with modern threat detection capabilities engineered to monitor for anomalies and alert early enough for faster response and remediation.
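A web shell of the kind described above is, on disk, just a script file that the vendor never shipped, and, in the web server logs, a run of requests to a path nobody should be visiting. The following added example (not Microsoft or CISA tooling) shows both checks together: it compares the script files under a web root against a known-good hash manifest, then counts the clients that requested any file that was added or changed. The manifest, the web-root snapshot and the IIS log lines are constructed; the log field order follows the default IIS W3C extended format, which is an assumption that a real server's `#Fields:` header line would confirm or correct.

```python
"""Web-shell detection for an IIS-hosted application: script-file integrity
check against a known-good manifest, correlated with the access log.

Added example; not Microsoft's or CISA's tooling. The manifest, the web-root
snapshot and the IIS log lines are constructed. The log field order assumed
here is the default IIS W3C extended format.
"""
import hashlib
from collections import Counter, defaultdict

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: hashes of the script files the vendor shipped.
BASELINE = {
    "/app/auth/logon.aspx": sha256_hex(b"<%@ Page %> logon form"),
    "/app/auth/logoff.aspx": sha256_hex(b"<%@ Page %> logoff"),
    "/app/api/status.ashx": sha256_hex(b"<%@ WebHandler %> status"),
}

# Constructed snapshot of the web root after an intrusion: one shipped script
# has been modified, one new script has appeared, and a static file is unchanged.
SNAPSHOT = {
    "/app/auth/logon.aspx": b"<%@ Page %> logon form <% /* appended */ %>",
    "/app/auth/logoff.aspx": b"<%@ Page %> logoff",
    "/app/api/status.ashx": b"<%@ WebHandler %> status",
    "/app/auth/help2.aspx": b"<%@ Page %> placeholder for an unexpected script",
    "/app/static/site.css": b"body { color: #333 }",
}

# Constructed IIS log excerpt in the default W3C field order.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-05 10:12:01 10.0.0.5 GET /app/auth/logon.aspx - 443 - 10.0.3.44 Mozilla/5.0 - 200 0 0 15
2021-03-05 10:12:09 10.0.0.5 POST /app/auth/logon.aspx - 443 jdoe 10.0.3.44 Mozilla/5.0 - 302 0 0 40
2021-03-05 10:13:30 10.0.0.5 POST /app/auth/help2.aspx - 443 - 203.0.113.7 python-requests/2.25 - 200 0 0 12
2021-03-05 10:13:31 10.0.0.5 POST /app/auth/help2.aspx - 443 - 203.0.113.7 python-requests/2.25 - 200 0 0 11
2021-03-05 10:14:02 10.0.0.5 POST /app/auth/help2.aspx - 443 - 203.0.113.9 python-requests/2.25 - 200 0 0 12
2021-03-05 10:15:00 10.0.0.5 GET /app/api/status.ashx - 443 - 10.0.3.50 Mozilla/5.0 - 200 0 0 5
"""


def is_script(path: str) -> bool:
    return path.lower().endswith(SCRIPT_EXTENSIONS)


def diff_scripts(baseline: dict, snapshot: dict) -> dict:
    """Classify every script file on disk as added, modified or removed."""
    added, modified = [], []
    for path, content in snapshot.items():
        if not is_script(path):
            continue
        if path not in baseline:
            added.append(path)
        elif sha256_hex(content) != baseline[path]:
            modified.append(path)
    removed = [p for p in baseline if p not in snapshot]
    return {"added": sorted(added), "modified": sorted(modified), "removed": sorted(removed)}


def parse_iis_log(text: str):
    """Yield one dict per request, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue   # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def requests_to(paths, records) -> dict:
    """Count requests per client IP for each flagged path (case-insensitive)."""
    wanted = {p.lower() for p in paths}
    hits = defaultdict(Counter)
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        if stem in wanted:
            hits[stem][rec["c-ip"]] += 1
    return hits


def run_sample():
    changes = diff_scripts(BASELINE, SNAPSHOT)
    flagged = changes["added"] + changes["modified"]
    hits = requests_to(flagged, parse_iis_log(IIS_LOG))
    return changes, hits


if __name__ == "__main__":
    changes, hits = run_sample()
    print("script changes:", changes)
    for path, clients in hits.items():
        print(f"{path}: {sum(clients.values())} requests from {len(clients)} client(s)")
```

The manifest side is what catches a dropped file even when it is never requested during the log window; the log side is what tells the responder which clients used it and when, which is the starting point for scoping the rest of the intrusion. On a real server the baseline would be generated from a freshly patched, known-clean installation rather than typed in.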

3. Malware – SolarWinds Hack

  • About the incident

The SolarWinds hack exploited the software supply chain by first infecting the company’s Orion software with malware. The malware then spread to a reported 18,000 SolarWinds enterprise customers through the trusted Orion update channel. According to the SEC, SolarWinds has 33,000 Orion customers. This attack is worrisome for two reasons:

  1. Orion clients include several large US enterprises and government agencies.

  2. Being an “infrastructure monitoring and management” tool, Orion is well-placed within target networks. The malware can spread across any number of connected assets for an attacker to pursue many goals.

Although the SolarWinds hack surfaced in late 2020, its aftermath is expected to continue to unfold in 2021 and beyond.

  • Analyzing the cause

Software companies regularly send patches, bug fixes, feature updates, and so on to their customers. Since March 2020, SolarWinds had unwittingly been sending its Orion customers software updates that included the malware.

  • Sizing up the consequences

The Orion software updates affected several large corporations, critical infrastructure companies, and US federal departments and agencies. The IT systems of these organizations house a massive volume of confidential data of national significance.

The malware created a ‘backdoor’ into the customers’ IT systems. Hackers could potentially utilize it to spy on companies, exfiltrate data, gain remote access, impersonate legitimate officials, or install even more harmful malware and ransomware.

So far, none of these outcomes, nor any physical damage, has been reported as a result of this attack. However, since the attack carries the signature of nation-state threat actors, some experts consider the incident an act of international espionage that may lead to long-term and more catastrophic consequences.

  • Actionable steps to prevent, detect and respond

The alarming aspect of this widespread security breach is that it went unnoticed for nearly ten months. This highlights the need for more intelligent cybersecurity tools and systems that can detect highly sophisticated threats such as the one evident in this incident. It also highlights the critical role of cybersecurity as the first line of defense, and the need for private and public organizations to collaborate on more innovative methods of sharing threat intelligence and incident response plans.

4. Remote Access: Attack on Florida Water Supply

  • About the incident

On February 8, 2021, Florida county sheriff Bob Gualtieri publicly reported an attempt to poison the water supply of Oldsmar, a small town of 15,000 near Tampa, Florida. The intruder used a popular remote access software package to reach the human-machine interface (HMI) of the town’s water treatment system and raise the level of sodium hydroxide (lye, used to control the water’s acidity) to 100 times the normal level.

Thankfully, before the changes could take effect, a supervisor detected the tampered levels from the attack, restored the chemical balance, and disabled the remote access system used in the attack.

  • Analyzing the cause

The treatment plant had computers running legacy Microsoft Windows software to monitor the facility remotely. These computers shared the same password and used obsolete remote management software. Hence, it was not too hard to hijack credentials to inflict the attack.

  • Sizing up the consequences

Despite the minor consequences, this attack highlights the stark risks of using remote access without adequate security. To allow remote management, many utility companies permit remote access to their control systems, but the necessary controls, such as multi-factor authentication and strong, unique passwords, are often not in place. A similar attack by advanced adversaries could inflict far more severe damage on public utilities and other mission-critical systems.

  • Actionable steps to prevent, detect and respond

The rise of remote work has made enterprises more vulnerable to targeted attacks. Insider threats cause 60% of these attacks. In addition to strengthening security posture with strong authentication and timely software updates, it is essential to monitor remote endpoints and user activity. Investing in workplace security discipline and monitoring software can minimize the threats posed by remote access.
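The weaknesses the Oldsmar incident exposed (one password shared across machines, remote management without multi-factor authentication) and the monitoring this section recommends can be turned into concrete audit rules over a remote-access login log. The following added example, not code from the plant or from any vendor, flags four things: a successful login without MFA, a login from outside the trusted network, a login outside the maintenance window, and an account used from two different source addresses within an hour, which is the signature of a shared credential. The log format, user names, trusted network and maintenance window are all constructed.

```python
"""Audit remote-access logins for shared accounts, missing MFA, untrusted
source networks and off-hours access.

Added example, not the water plant's or any vendor's code. The log format,
user names, trusted network and maintenance window are constructed.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: plant LAN only
MAINTENANCE_HOURS = range(7, 19)                           # constructed: 07:00 to 18:59 local
SHARED_ACCOUNT_WINDOW = timedelta(hours=1)

# Constructed log: "<ISO time> <user> <source ip> mfa=<yes|no> <result>"
SAMPLE_LOG = """\
2021-02-08T09:15:00 plant-ops 10.0.4.21 mfa=yes success
2021-02-08T09:40:00 plant-ops 10.0.4.22 mfa=no success
2021-02-08T10:00:00 alice 10.0.4.21 mfa=yes success
2021-02-08T21:05:00 plant-ops 198.51.100.23 mfa=no success
2021-02-08T21:06:00 plant-ops 198.51.100.23 mfa=no failure
"""


class Login(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    mfa: bool
    success: bool


def parse_log(text: str) -> list:
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, mfa, result = line.split()
        logins.append(Login(datetime.fromisoformat(ts), user, ip,
                            mfa == "mfa=yes", result == "success"))
    return logins


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit_logins(logins: list) -> list:
    """Return (rule, user, source, timestamp) findings for successful logins."""
    findings = []
    for entry in logins:
        if not entry.success:
            continue
        if not entry.mfa:
            findings.append(("no_mfa", entry.user, entry.src_ip, entry.ts))
        if not is_trusted(entry.src_ip):
            findings.append(("untrusted_source", entry.user, entry.src_ip, entry.ts))
        if entry.ts.hour not in MAINTENANCE_HOURS:
            findings.append(("off_hours", entry.user, entry.src_ip, entry.ts))

    # Shared-credential heuristic: the same account succeeding from two different
    # addresses inside the window. One finding per offending login, not per pair.
    by_user = defaultdict(list)
    for entry in logins:
        if entry.success:
            by_user[entry.user].append(entry)
    for user, items in by_user.items():
        items.sort(key=lambda e: e.ts)
        for i, cur in enumerate(items):
            for prev in items[:i]:
                if cur.ts - prev.ts <= SHARED_ACCOUNT_WINDOW and prev.src_ip != cur.src_ip:
                    findings.append(("shared_account", user, f"{prev.src_ip},{cur.src_ip}", cur.ts))
                    break
    return findings


def summarize(findings: list) -> Counter:
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    results = audit_logins(parse_log(SAMPLE_LOG))
    for rule, user, source, ts in results:
        print(f"{ts.isoformat()} {rule:<17} {user:<10} {source}")
    print(dict(summarize(results)))
```

Run against the constructed log, the rules single out the `plant-ops` account on every count while the individually named, MFA-protected `alice` login produces nothing, which is the point: a per-person account with MFA leaves an audit trail that can be trusted, a shared one cannot be attributed to anyone after the fact. Failed logins are skipped here; in practice a burst of them from an untrusted address deserves its own rule.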

5. Data Breach: Facebook account hack

  • About the incident