In today’s digital age, cybercrime is on the rise, and the number of breaches experienced by businesses and individuals is only growing. This year, we’ve exceeded the number of breaches seen in 2020. While we’ve not reached the dizzying heights of 2017 and its 1,529 data breaches, we don’t have anything to celebrate.
As businesses and organizations become more reliant on technology, they become more vulnerable to cyberattacks. Hackers are finding new and innovative ways to gain access to data, and it’s more important than ever for businesses to have robust cybersecurity measures in place.
Security Risk Factors for 2021
The risk factors appear to have altered this year, with ransomware, third-party flaws, phishing attacks, and undetected security gaps supplanting human error as the leading cause of data breaches; however, unwitting end users play a huge role in these kinds of attacks, even if the attack vector itself doesn’t explicitly fall along a “human error”.
Ransomware is malware that blocks access to devices or data until a specific demand (often a financial ransom) is paid. This type of attack involves hackers encrypting or locking down files on a victim’s system until the hackers get what they want. These types of attacks have been on the rise over the past few years, and 2021 was no exception. Ransomware was responsible for most of the data breaches in 2021.
Third-party vendors are often a weak link in an organization’s cybersecurity defenses. They may not have adequate security measures and practices in place and, as a result, can leave an organization’s critical data exposed.
Undetected Security Gaps
Without proper security measures on endpoints – such as laptops, mobile devices, etc. – a significant cyber attack may be inevitable. A lack of endpoint security could give hackers free reign for campaigns involving ransomware or the theft of customer information.
In this article, we’ll examine the top 5 security breaches of 2021 and detail the key takeaways for IT professionals.
1. March – Microsoft Software Caused Data Breach
The Chinese hacking group known as Hafnium attacked Microsoft in March of 2021. The attack affected over 30,000 organizations across the United States, including local governments, government agencies, and businesses.
While the attack wasn’t directed specifically at Microsoft, the group “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors,” according to Microsoft’s notification to customers.
The attack began when hackers used stolen passwords combined with previously undetected vulnerabilities on servers running Microsoft Exchange software. The vulnerability allowed any user who had physical or virtual access at the time of login to gain full administrative rights. Once this happened, the attackers logged in and installed malware that created command-and-control proxies for their use.
Resolving the Issue
To help protect against this kind of attack, Microsoft explained that its customers should immediately install all software patches for their systems. In this case, the vulnerabilities were discovered and patches were released by Microsoft in 2020, but many customers hadn’t updated their systems.
2. April – Facebook Data Breach
A Facebook data breach exposed over 533 million individuals’ personal information to hackers. This included the user’s name, date of birth, current city, and posts made on their wall. The vulnerability was discovered in 2021 by a white hat security group and has existed since 2019.
The Facebook data breach of 2021 is still fresh in many memories. It was brought to light by cybersecurity firm Symantec. The exposed database contained the personal information of millions of people, including phone numbers, Facebook IDs, names, birthdays, and even some email addresses.
This particular breach happened when cybercriminals scraped data from Facebook’s servers using a misconfiguration in their contact importer. As a result, they could gain access to the personal information of millions of people.
While it’s unclear precisely what the criminals plan to do with all this information, it could potentially be used for social engineering attacks on a large scale in the future.
Resolving the Issue
Facebook identified this as an external attack, but the root cause of this breach or others like it comes from a common scenario: misconfiguration errors. What’s dangerous about these breaches is how quickly they can escalate.
Facebook isn’t the only one with security issues caused by misconfiguration. Many security firms point to a worrying increase in this type of vulnerability, particularly with the dominance of cloud computing.
3. May – Colonial Pipeline
In May, the U.S.-based Colonial Pipeline was the victim of a ransomware attack. The company operates a large pipeline that ships gasoline and other petroleum products from Texas to New Jersey and throughout the Midwest.
Attackers breached the company through a VPN account with a single compromised password and gained access to their network on April 29. While operational technology systems weren’t affected, this incident caused the firm to halt fuel flow in its mainline as a precautionary measure (and to shut down leaks).
This led to fuel shortages in the Southeast, Midwest, and Northeast regions of the country and rising fuel prices, with drivers panic buying at the pump.
The attackers also threatened additional cyberattacks unless Colonial paid them $5 million worth of bitcoin – an amount equivalent at that time to more than 3x their annual profits.
What makes this attack so worrying is how easily the hackers could access the system – it has since been revealed that the company didn’t use multi-factor authentication.
Resolving the Issue
According to the company, after a six-day shutdown, the restart of pipeline operations resumed on May 12, with all systems and processes having returned to normal by May 15.
The FBI began its investigation within three days of the first reports emerging on social media. It’s possible that an insider was responsible for lowering security controls by sharing VPN credentials; however, exactly how attackers gained access to those credentials remains unclear.
This attack is a perfect example of why it’s so crucial for companies – especially ones handling sensitive data like oil pipelines – to have robust cybersecurity measures in place. Multi-factor authentication (MFA) is one such measure, and it’s something that more and more companies are starting to adopt.
While Colonial Pipeline chose to pay the ransom demand of $4.4 million, close to 50% of the funds had been recovered by June.
4. May – JBS Ransomware Attack
In May, JBS, the world’s third-largest meat processor, was hit by a ransomware attack. One of the main effects of the attack was reported downtime for hundreds of beef and poultry processing plants across four continents. After realizing they’d lose their entire database if they didn’t pay the ransom demand of $11 million, JBS made a bitcoin payment to the cybercriminals.
JBS discovered the incursion when the IT team found irregularities in some of their internal servers. After contacting the FBI and security experts, they started to shut down systems to slow the attack’s impact. This tactic proved unsuccessful as it took two weeks to regain complete control of their systems through backups.
How did the attackers gain access to JBS’ servers in the first place? According to an internal investigation, the malware was injected into one of JBS’ servers through phishing emails. The messages contained Trojan viruses that could exploit weaknesses within their IT system and gain full access after tricking company employees into opening them.
Once the attackers had a foothold, they could move laterally and take over other systems, including backup servers. This made it difficult for JBS to regain control of their networks as the attackers had full access to all data and systems.
Resolving the Issue
Unlike Colonial Pipeline, JBS was upfront about the attack. Press releases were provided regularly to keep consumers and the public informed on the incident’s progress. The overall impact was limited because of quick response times and a lack of widespread panic.
The USDA’s request to other meat producers to help make sure supply was adequate shows good judgment. As more American firms are affected by cyber-terrorist attacks, the need for industry network assistance will undoubtedly rise.
5. July – Kaseya Ransomware attack
Over the Fourth of July weekend, unknown assailants infiltrated Kaseya’s network and deployed ransomware to at least three managed service providers (MSPs) – with the potential for the attack to have impacted many more. The ransomware encrypted files on affected systems, preventing users from accessing them.
The motive for the attack is still unknown, but it’s been speculated that the attackers leveraged a vulnerability in Kaseya’s VSA software to gain access to the networks of the MSPs. This could have allowed the attackers access to all of the MSPs’ customers’ data and systems.
By compromising an MSP, attackers can potentially gain access to any of that organization’s clients. In this case, the Kaseya breach is thought to have impacted both cloud-based and on-premise customers. While Kaseya indicates that less than 0.1% of their customers were impacted, the impact to those approximately 1,500 clients could have been quite severe.
Resolving the Issue
VSAs are designed to be simple for users to work with, but this can come at a cost in regard to security. A user may not understand how best to secure their VSA or that they need to take special precautions if their VSA is connected directly into an organization’s network infrastructure.
In this incident, Kaseya informed all customers of the issue discovered through multiple different channels. In addition, they pulled their data centers offline while they continued to investigate. Over the next few days, they were able to determine the extent of the attack and come up with a fix to provide greater security of their SaaS environments.
This was a very serious supply chain attack that sent shockwaves throughout the MSP and IT community, especially as SaaS and cloud-based models have become business standards. To dive deeper into the impact of this breach, check out our CISO’s notes on the Kaseya ransomware attack.
Bonus Entry – Log4Shell Exploit Activity Worldwide
In late November a critical vulnerability affecting the popular Java logging library Log4j was disclosed. This vulnerability, documented here, is a remote code execution vulnerability which can give an attacker full control of a system. Shortly after the vulnerability was disclosed, a massive flood of scanning and exploitation attempts were made across the internet by malicious actors everywhere.
Often when white hat hackers discover vulnerabilities in the wild, they work with the manufacturer of the application or service in question to develop a patch for the issue before it is publicly disclosed. In this case, Log4j is an open source project, so the process of CVE identification through the development of the fix was more public than usual. Although exploit attempts have been recorded as early as December 1, the activity picked up when a larger analysis of the issue was published.
In short, the Log4Shell vulnerability affects the functionality that parses and logs user-controlled data. Attackers can submit a specially formatted string that, when consumed by a vulnerable instance of Log4j, forces it to connect to a malicious LDAP server that will then issue a malicious payload to the victim server.
Unlike many of the top breaches above, which targeted a single entity, this vulnerability is part of an extremely popular and widely used library, making its presence (and potential for wrecking damage) ubiquitous. On the one hand, this means every organization that uses it to monitor their infrastructure remotely is at risk, making the losses for this exploit beyond measurable.
On the other hand, the high visibility of this exploit, and the potential it has for damage, has spurred organizations around the world to act quickly to resolve the vulnerability. Because this is still an ongoing story, the true impact will not be known for some time.
Resolving the Issue
A handy resource to understand your options for remediation was published by LunaSec, who identifies multiple paths to help resolve this issue. The simplest, most effective measure is to upgrade your Log4j to version 2.16+. However, this is not always an option for organizations (either to upgrade quickly or at all), so other steps can be taken to mitigate the potential for breach.
Best Practices for Addressing Security Breaches
Sadly, there is no one-size-fits-all approach regarding stopping security breaches or even handling them when they happen. However, there are some best practices to consider to minimize exposure to hackers.
Encrypt and Regularly Backup Data
The first line of defense is encryption, which scrambles sensitive information and makes it unusable if stolen. Avoid sending passwords by email or text message. If the hacker can’t decrypt the data, it’s useless. This makes sure unauthorized access is thwarted.
The next line of defense is having good backups in place. Ideally, you’d have regular backups stored offline to further protect them from hackers. Have more than one backup copy too. If something happens to the original file on your computer or server, then you’ll still have another copy that can be restored quickly.
Enforce Multi-Factor Authentication
Multi-factor authentication (MFA) should be required wherever possible. MFA works by requiring the user to provide at least two identification methods, like something you know (usually a password or PIN) and something you have (another authentication factor), providing significantly more security than passwords alone.
Keep Software and Systems Up to Date
Keeping software patched and updated will close off hacker backdoors into your system as well as reduce the chances of a zero-day attack. While you’re at it, automate and schedule patching and updates so that there isn’t a window of opportunity for hackers to exploit your system when vulnerabilities are identified.
Foster End-User Awareness
Your team needs to be aware of the risks and importance of cybersecurity to keep your business safe. They also need to be mindful of the various ways hackers can try to gain access to your systems so they can be on the lookout for any suspicious activity, particularly phishing. You can hold training sessions or send out periodic emails with updates on the latest threats.
Implement a Zero Trust Architecture
In the future we are rapidly moving toward, the concept of “trust nothing, verify everything” will be vital in preventing cyberattacks from spreading quickly throughout an organization. A Zero Trust security strategy operates on the assumption that everything is a potential threat, and therefore everything must be comprehensively verified. Today’s decentralized IT networks, widespread remote work, and bring your own device (BYOD) policy adoption all point to Zero Trust architecture as the way forward for securing company resources effectively.
How The JumpCloud Directory Platform Helps Protect Against Breaches
Businesses of all sizes must stay vigilant in order to protect themselves from data breaches. Implementing the proper security measures, such as employee training, up-to-date security configurations and policies, and effective technology solutions can help reduce your risk of being compromised.
The JumpCloud Directory Platform is one such solution that empowers IT admins to simply and effectively step up their security posture. With our cloud directory platform in place, IT admins can:
- Layer MFA everywhere, including applications, networks, devices, and more
- Monitor, deploy, and automate patches across multi-OS environments
- Enforce security policies such as disk encryption across Windows, Mac, and Linux devices
- Implement a Zero Trust security model to secure user access to virtually all IT resources
Securing company resources doesn’t have to be complicated. Sign up for JumpCloud Free today to see how you can strengthen your cybersecurity for 2022 and reduce the risk of a data breach.