News

7 worst security breaches of 2021 (so far)

August 10, 2021 by Susan Morrow

In 2020, there were over 37 billion data records exposed. That’s not only a massive number of records breached, but these numbers reflect the loss of trust in our security measures.

Ransomware is the most prevalent type of attack in 2021. Cyberattacks take advantage of insiders, misconfigurations, and human error. The latest Verizon Data Breach Investigations Report 2021 (DBIR) found that 85% of breaches use “the human element,” with 36% involving phishing.

Welcome to the world of data breaches. Here are seven of the most impactful security breaches this year that will hopefully provide lessons on mitigating cybersecurity issues in the coming years.

7 of the most impactful data breaches of 2021

2021 comes on the heels of 2020, a year unlike most in my lifetime. The Covid-19 pandemic not only caused worldwide health issues but also caused cybersecurity problems. The sudden move to home working meant that security policies designed for the office were no longer enough to contain the threat of increased use of personal devices, insecure Wi-Fi, identity and access management enforcement and so on. In 2020, there was a reported 667% increase in phishing-related cybercrimes. As 2020 closed and 2021 began, the situation vis-a-vis data breaches continued to escalate. In 2021, several key cybersecurity events occurred, including:

1. Mimecast

In January 2021, a compromised Mimecast digital certificate became the center of a data breach storm. The digital certificate, used in authentication of Mimecast Sync and Recover Continuity Monitor, and IEP to Microsoft 365 Exchange Web Services, was hacked by the hacking group behind the SolarWinds attacks of late 2020, aka Nobelium. Mimecast researchers believe the attack was part of large-scale targeting of certain types of organizations. The attack was believed to have also involved stolen privileged credentials:

Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom,” a Mimecast statement said.

Mimecast’s stock dropped by 5% after the breach, which affected around 10% of its customer base. Mimecast has over 60,000 companies using their services; the exact figure of potential data records breached is unknown. 

2. Acer

In March 2021, electronics manufacturer Acer became a victim of ransomware, leading to the largest ransom in history: $50 million. The hacking group ReEvil, also known as Sodinokibi, is thought to be the perpetrator of the ransomware attack on Acer. The infection encrypted data, making operations impossible, and a large amount of sensitive data (including bank account details) was stolen. The latter tactic is increasingly common during ransomware attacks to use as leverage to ensure the ransom is paid. ReEvil typically uses phishing and attempts at remote desktop login using credentials stolen in earlier data breaches to begin the process of infection. The continuing chain of infection events involved the creation of new domain user accounts, the installation of Cobalt Strike’s Beacon (a legitimate tool used to model threat actors; the tool executes PowerShell scripts, etc.), and disabling of anti-virus software. 

3. Microsoft Exchange

March 2021 also saw the Chinese state-sponsored hacking group, Hafnium, exploit four zero-day vulnerabilities within the Microsoft Exchange server. The three-step process behind the cyberattack was performed initially using stolen credentials or exploiting Exchange Server vulnerabilities. Once access was established, Hafnium then used a web shell to establish remote control over the server. This remote connection is used to exfiltrate data. Notably, web shell attacks have doubled in 2021.

This cyberattack is thought to have affected around 30,000 U.S. organizations. Microsoft quickly released patches for the Exchange Server vulnerabilities, but Hafnium continued to find unpatched Microsoft Exchange servers to exploit by performing internet scans.

4. Facebook

Facebook was, yet again, the victim of a data breach in April 2021. The breach was more of a screen scrape than a technical hack. The breach affected 530 million Facebook users from 106 countries. The personal data exposed included Facebook ID numbers, names, phone numbers, dates of birth and location. The screen scraping attack happened because of a feature known as contact importer that became an allowed vulnerability in Facebook; any profiles set to public or shared with friends or enabled a lookup using a phone number allowed this exploit to happen.

The use of screen-scraping to capture personal details was also used to breach the personal and professional data of 92% of LinkedIn users in April and July 2021.

5. Colonial Pipeline

Colonial Pipeline is a major U.S. company responsible for 45% of all fuel consumed on the east coast. In May 2021, Colonial Pipeline was effectively shut down by a ransomware attack that affected around 50 million customers. The hacking group, DarkSide, carried out the attack. Again, the attackers used a double-whammy approach, encrypting data and stealing around 100 gigabytes of data. The stolen data was used to put pressure on the company to pay the $4.4 million ransom. A compromised password is believed to have initiated the attack; experts have stated that the password is part of a batch of compromised credentials available on the dark web. Darkside is renowned for offering a Ransomware-as-a-Service package (RaaS), making attacks more accessible and easier to initiate.

6. Electronic Arts

Sensitive data takes many forms, one of which is Intellectual Property (IP). In the case of a cyberattack against Electronic Arts in June 2021, 780 gigabytes of source code were stolen. Having unfettered access to source code used for consumer games allowed the attackers to locate vulnerabilities that could be exploited, thereby placing customer personal data at risk. The attack came with a ransom demand, the hackers placing source code snippets online in an attempt to put pressure on Electronic Arts to pay up. The cybercriminals are believed to have used stolen cookies, sold for $10 on the dark web, to gain initial access to a company Slack account. Social engineering was then used to trick IT support into issuing a temporary multi-factor authentication token to allow privileged access to data.

7. Kaseya

July brought yet another major ransomware attack, this time against Kaseya, a provider of IT network management software delivered via managed service providers (MSPs). The attackers were, again, the hacking group, ReEvil. The group used a zero-day vulnerability in the Kaseya Virtual System Administrator component to deliver ransomware to the endpoints of around 1,500 SMBs. There is now a dispute about the length of time the zero-day was out in the wild, with Brian Krebs reporting that it may have been around since 2015.

The Kaseya exploitation was reminiscent of the 2020 mega hack of SolarWinds, where hackers used vulnerabilities to push out infected updates to customers of the SolarWinds software. In the Kaseya attack, an “authentication bypass vulnerability” was the open door allowing remote code execution, the flaw allowing authentication protection layers to be bypassed.

Lessons from the cyberattacks of 2021

The job of the cybercriminal is to find ways of circumventing protection. This may be in the form of software vulnerabilities or via human error leading to credential theft and often using multiple techniques. Most of the attacks described above use a chain of exploits, often including social engineering of employees, to carry out the cyberattack. 

Breaking through each successive layer of protection takes dedication and resources; hacking gangs and RaaS are helping to circumvent even 2FA authentication. The cybercriminals are not going to take improved security measures and layered security strategies lying down. The ante has been upped, and the cyberwar continues unabated. But no organization has the luxury to just let cybercrime happen and take the hit. There is little choice but to double down on a comprehensive approach to tackle persistent hackers. This means using education with our staff on security matters, de-risking the human aspect of security and taking on board the security controls suggested by the Center for Internet Security (CIS). Digital identity in the form of zero trust/zero identity is a critical area that can help close the door to cyberattacks.

 

Resources

Posted: August 10, 2021
Articles Author
Susan Morrow
View Profile

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.

Leave a Reply

Your email address will not be published. Required fields are marked *