Reported intrusions are down, the amount of personal data exposed is down, so it’s all good, right? Well yes and no... Patrick O’Connor CISSP CEH MBCS explores the good and bad of events in cyber security in 2021.

We could be forgiven for thinking that 2021 was the year of the ransom note. However, subtle exfiltration of data and the further industrialisation of exploitation and revenue-generating software worryingly continued apace. The last year has not seen a reduction of security incidents but attack techniques are changing; targets are shifting but, as ever, money is at the root of all (cyber) evil. The more things change, the more they stay the same.

The Microsoft hack

Microsoft reported eight separate suspected ‘nation state’ hacking operations against its software in the past 12 months. It became a victim itself in March. The state-sponsored Chinese group Hafnium is credited with compromising Microsoft Exchange.

It is thought that up to 30,000 businesses were affected through this popular corporate email system. The attackers gained access to onsite servers via stolen credentials and some undetected vulnerabilities. They then erected web shells around the infected servers and were able to harvest email communications.

The Colonial Pipeline hack

Ransomware was front and centre this year. The Colonial Pipeline Company operates the largest fuel pipeline in the US. It was breached through compromise of a single machine in April, using an employee’s credentials found on the dark web. This implies that the employee may have used the same password on multiple sites, not just at work. Once in, the DarkSide ransomware operators moved laterally across the corporate network installing their ransomware.

Finally, around 5am local time on 7 May, administrators began to see the ransomware demand light up their screens. By 6:10am local time, the pipeline had been shut down for the first time in the company’s 57 year history. This rapidly caused a fuel shortage on the US East Coast. The pipeline transports 2.5 million barrels of fuel daily to the US East Coast and, as news of the problems spread, panic buying began. It was five days before service was restored.

Security company Mandiant was called in to triage and understand the manner and extent of the breach. The ransom of $4.4 million was paid by Colonial shortly after the attack. The perpetrators also exfiltrated more than 100GB of data which they threatened to publish if not paid.

REvil/Sodinokibi ransomware

Another notable ransomware attack involved the infamous REvil/Sodinokibi ransomware. Just before the Fourth of July holiday weekend in America, users of Kaseya’s virtual system administrator (VSA) software began to be infected.

Kaseya is a cloud-based managed service provider (MSP) platform that allows service providers to perform patch management, backups and client monitoring for its customers. Most customers who used the cloud version of the service were unaffected but those using on-premise Kaseya software were hit.

Although a small number were directly affected, it is thought that around 1,000 organisations downstream were affected as a result. This is a supply chain attack, as the affected systems are not independently infected but rather compromised through the trusted software of a third party (Kaseya in this case).

Current estimates are that between 800 and 1,500 small and medium sized businesses were infected with the REvil ransomware as a result of this compromise of Kaseya’s software. It certainly resulted in 800 Co-op supermarkets in Sweden closing. Mandiant was also called in to investigate this incident.

2021: it’s not all bad news

Headlines and statistics are not universally bad to this point in 2021. Risk Based Security, a US-based cyber risk analytics firm claims that publicly reported breaches fell by 24% in the first half of 2021, compared to the same period a year ago. This decline seems to mostly be for incidents outside the US, as the same report shows declared breaches are up 1.5% within the US.

The sheer number of records exposed has also fallen, according to the data. 18.8 billion records exposed in the first half of 2021 - representing a 32% decline - compared to 27.8 billion records exposed in the first half of 2020.

This does point to a possible shift in focus for certain highly sophisticated groups. In the ransomware field particularly, crime groups are carefully selecting targets based on an ability to pay higher ransoms. In many cases, this will involve compromise of less (but more valuable) data.

With the addition of a threat to expose sensitive data as well as the ransomware having encrypted it, the victim company has a difficult tightrope to walk. This unwelcome trend has spawned companies on the whitehat side specialising in ransomware negotiation, triage and recovery. On the blackhat side, ransomware-as-a-service is a booming growth industry.

The problem with LinkedIn

Before the celebrations begin over less personal data being exposed, there was a problem at LinkedIn. Data associated with 700 million LinkedIn users was posted for sale in a dark web forum on June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.

The data was dumped in two waves, initially exposing 500 million users - and then a second dump where the hacker ‘God User’ boasted that they were selling a database of 700 million LinkedIn users. It is well known that Chinese hackers place particular value on such data as it can be used to select targets for exploitation in industrial espionage.

Enter the government agencies

The publicity that ransomware attracts can be a problem. It provides superb advertising of the dangers of ransomware, highlighting the crippling effect it has on business. Also, reports of ransoms being paid help to persuade the next victim of the wisest choice of action.

For you

Be part of something bigger, join the Chartered Institute for IT.

Compromising sensitive operations, however - like the Colonial Pipeline and other Critical National Infrastructure (CNI) targets - has attracted the attention of government agencies.

Their investigation of these attacks has made it more dangerous for underground groups to operate. Many dark web forums have outlawed discussions of ransomware and the marketing of the software to try to avoid the attention of such three letter agencies.

Security on the fly

Personally identifiable information (PII) is not the only valuable data under threat. Recently, security researcher Bob Diachenko stumbled across an unprotected server on the clear web, which seems to have contained the US no-fly list of suspected and confirmed terrorists and other undesirables.

A database of 1.9 million records included names, country citizenship, gender, date of birth, passport details and no-fly status. He found the list on an Elasticsearch cluster, which was indexed by search engines Censys and ZoomEye. This could mean that Bob was not the first, or indeed the only person to run across the list.

Evidence that this could be the actual ‘no-fly’ list used by the US government is that another field in the database was ‘TSC_ID’. TSC (or the Terrorist Screening Center) is responsible for maintaining the list. Bob alerted the Department of Homeland Security (DHS) immediately but the server was only taken down after three weeks (on 9 August 2021).

1,000,000 free samples

In truth, the availability of PII is such that dark web marketplaces even provide free samples to draw customers in. Recently, AllWorld.Cards (a site specialising in stolen credit card data) offered one million sets of card data for free, to entice new users to their site.

While the data was stolen between 2018 and 2019, it is likely that a significant number of the cards will still be exploitable. Since the data trove includes credit-card number, expiration date, CVV, name, country, state, city, address, ZIP code, email and phone number, even if the card itself may have expired, the data would still have value.

Morse code to crypto heist

Such is the technical scramble by crime groups to evade detection that Microsoft reports detecting the use of Morse Code by some malware to obfuscate malicious code. Even when a cyber crime succeeds, perhaps beyond the perpetrator’s wildest dreams, things don’t always end as you might expect. It appears that an as yet unknown individual managed to get away with over $600 million worth of cryptocurrency from the Chinese decentralised financial (DeFi) network, or cryptocurrency exchange Poly Network.

Since the successful heist, the thief has returned around $260 million: $256 million Binance Smart Chain (BSC) tokens, $3.3 million in Ethereum tokens and $1 million in USD Coin (USDC) on the Polygon network. While the hacker is claiming noble reasons for the currency’s relocation, their motives are being questioned. This is because blockchain security firm Slowmist claims that it traced the attacker's email address, IP address and device fingerprint.

Whichever way this plays out, it must be worrying that someone, perhaps not terribly skilled in cyber crime (or at least remaining anonymous while doing it) has managed to make off with so much currency.

Security is (slowly) getting better

The good news from 2021 is that companies terrified of ransomware are finally motivated to streamline and improve both their security stance and operational readiness for disasters. The bad news is that sophisticated and increasingly subtle crime groups are still finding it straightforward to penetrate large corporations and hold them to ransom with a reasonable likelihood of being paid.

Lone hackers seem still capable of perpetrating high profile and lucrative intrusions, while government agencies still struggle to protect CNI in all its forms. Let us all take heart from the slowly improving global health situation while remaining very much aware that cyberspace is still an extremely infectious and polluted environment.