2020 is the year everyone will remember for the global disruption caused by COVID-19. The pandemic brought unforeseen changes in the cyber world that accelerated digital transformation and, in just a few months, brought about advances that many organisations would previously have considered impossible.
COVID-19-related threats have persisted into 2021, and cyber threat actors continue to adapt their techniques to exploit unprepared organisations that are still struggling to digitalise, support a remote workforce and keep the business growing.
Now that we’re nearly at the end of 2021, let’s look at high-profile cyber security attacks and critical vulnerabilities that surfaced in the news and reflect on how we can build an ecosystem that enables trust and resilience in an organisation.
As 2021 began, the SolarWinds supply-chain attack and the Accellion vulnerabilities came along with it, making the first month of the new year a difficult one for organisations that were directly, and indirectly, affected by these attacks.
The SolarWinds attack was first discovered in December 2020. The attackers had compromised SolarWinds' build process and inserted a backdoor, known as "Sunburst", into legitimately signed updates for the SolarWinds Orion platform. More than 18,000 organisations downloaded the tainted update, and on the networks the attackers chose to pursue further, Sunburst gave them a foothold from which to reach the organisation's assets both in the cloud and on-premises.
In the same month, Accellion, a secure file sharing company, began discovering and patching zero-day vulnerabilities in its File Transfer Appliance (FTA) software. FTA is a roughly 20-year-old product built for large file transfers, and Accellion had already slated it for end of life. The December vulnerabilities allowed attackers to bypass the appliance's built-in anomaly detector, query FTA's internal database and decrypt the stored file names, which gave them what they needed to locate and steal customers' files.
The products targeted in these attacks are made by well-known global vendors and are used by organisations across many sectors and industries. That is exactly what makes them ideal stepping stones for supply-chain attacks: compromise one widely deployed product, or the vendor behind it, and you reach all of its customers at once. Whether the goal is espionage, as with SolarWinds, or extortion, as with Accellion, the attacker gains many victims from a single intrusion.
While organisations were still remediating the SolarWinds and Accellion compromises, Microsoft was notified in January of critical vulnerabilities in on-premises Microsoft Exchange Server that were already being exploited in the wild, and released out-of-band patches in early March. Exchange Online was not affected, so the exposure fell on organisations still running Exchange in their own data centres rather than in Microsoft's cloud.
The threat actors chained four zero-day vulnerabilities, starting with the Internet-facing Outlook Web Access (OWA) endpoint, to take control of the server without valid credentials. From there they could read users' mailboxes, export address lists and dump credentials from process memory on the server, and they dropped web shells to keep access after the initial exploit. Microsoft Exchange Server 2010, 2013, 2016 and 2019 all received patches and required immediate updating to close the vulnerabilities; patching alone does not remove a web shell that was planted beforehand, so affected servers also needed to be checked for compromise. Estimates at the time put the number of affected servers at around 250,000 worldwide, including some 7,000 servers in the United Kingdom and around 30,000 organisations in the United States.
Cyber criminals have also refined their ransomware tradecraft to make attacks stealthier and more profitable. With double extortion, the attackers steal a copy of the victim's data before encrypting it. They then demand a ransom for the decryption key and, to add pressure, threaten to publish the stolen data on an underground or dedicated leak site if the victim does not pay. Restoring from backups therefore no longer ends the incident on its own.
In July 2021, Kaseya Limited, an American software company, was targeted through vulnerabilities, including an authentication bypass, in its Virtual System Administrator (VSA) software. VSA is a remote monitoring and management product widely used by managed service providers (MSPs) to administer their customers' systems. Exploiting the vulnerability on Internet-facing VSA servers, the attackers pushed a malicious update through the VSA agent to the endpoints it managed and encrypted them with ransomware. The REvil gang claimed to have encrypted more than a million systems; Kaseya's own assessment was that fewer than 60 of its direct customers and around 1,500 downstream businesses were affected.
A month after the Kaseya attack, Accenture, a global consulting firm, reported that it had been hit by a ransomware attack and assured the public that the attack had had no impact on the company. In Accenture's statement, the company said, “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”
Over the course of the year we have watched cyber criminals refine their tactics for exfiltrating data and extorting money from their victims. Not every group shares the same motive, though. The SolarWinds intrusion was attributed to a hacker group “Russian in origin” whose aim was espionage, and Hafnium, the Chinese state-sponsored group behind the Microsoft Exchange Server attacks, was likewise after information rather than money. The gangs behind the Accellion attacks, tracked as UNC2546 and UNC2582 and linked to FIN11 and the CLOP ransomware operation, the REvil gang behind the Kaseya attack, and the LockBit gang that claimed the Accenture attack are well-organised criminal operations with one goal: extorting money from their victims.
Looking at the tactics these groups used to get into well-defended systems, the first lesson is that organisations must build an ecosystem that enables trust and resilience. Before investing in advanced visibility and control, start with the risks that currently threaten your business outcomes, and map how and where your critical data flows, including through suppliers and service providers like the ones compromised this year. Once the critical assets are identified, invest in detection and response capability rather than perfecting a patchwork of decentralised preventive controls. Several of the incidents above began with trusted software or a trusted vendor, where prevention alone could not have kept the attacker out; the organisations that fared best were those that detected and contained the intrusion quickly.
To learn more about the principles of building trust and resilience, our Security Advisors can run a Cyber Risk Assessment to help your senior management team navigate through emerging threats, maintain a high level of security, and adapt to the latest technology.