2021 Year in Review

The Verizon Threat Research Advisory Center intelligence collections in both 2019 and 2020 began with cyber espionage targeting cloud environments by the Chinese menuPass threat actor. Among the ongoing threats were attacks on remote access. These included attacks on new vulnerabilities in Citrix products and continued password spraying attacks on Pulse Secure, FortiOS and Palo Alto VPN servers. London-based financial services company Travelex suffered a Sodinokibi ransomware infection on New Year’s Eve that some sources claimed was the result of failing to patch a Pulse Secure VPN server. The U.S. Coast Guard announced a port facility had to shut down for 30 hours due to a Ryuk infection. The first zero-day attacks in 2020 exploited CVE-2020-0674 Internet Explorer use-after-free vulnerability in JScript. Qihoo 360 reported a watering hole attack by the DarkHotel actor using a cocktail of exploits: CVE-2020-0674 (Internet Explorer JScript) and CVE-2019-17026 (Firefox) and CVE-2017-11882 (Office Equation editor).

The Australian Cyber Security Centre issued an advisory on ransomware known as “Mailto” or “Netwalker” after the Australian transportation and logistics company The Toll Group suffered an attack. On patch Tuesday, Microsoft released 99 patches including one for CVE-2020-0674. Another patch was for a vulnerability in Microsoft Exchange, CVE-2020-0688. Within two weeks, the VTRAC collected intelligence about mass scanning and exploitation targeting the Exchange Server vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert with intelligence about a Ryuk ransomware attack on a natural gas pipeline facility. Industrial Control Systems (ICS) security company Dragos released an assessment with links to January’s U.S. Coast Guard report. Five days after releasing a new version of their Chrome browser, Google released another to mitigate a type confusion vulnerability, CVE-2020-6418, that was being exploited in the wild (ITW).

Fans of Westerns (movie genre) will recognize “ringing the chuck wagon triangle bell” at dinnertime. COVID-19 began to have the same effect for cybercriminals. Perhaps the most immediately useful collection was RiskIQ’s COVID-19 Daily Update reports and domain watch or block lists. Prevailion and Proofpoint produced intelligence on TA505 attacks using COVID-19 bait. Before the end of the month, Microsoft was warning customers about limited targeted attacks exploiting a new Windows 7 vulnerability. Windows 10 was not vulnerable. CVE-2020-1020 was a security flaw in the Adobe Type Manager Library. FIN7 targeted a Trustwave customer with a malicious USB drive in conjunction with a US$50 gift card bait.

BAH published a re-assessment of 200+ cyber operations by the GRU (Russian military intelligence) concluding they conform to Russian strategic doctrine, which makes them somewhat more predictable. Recorded Future leveraged MITRE’s ATT&CK for a report exploring the most common cyber-attacker TTP in 2019. Malwarebytes published, “APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure.” Two other resources for cybersecurity during the COVID-19 pandemic were BBC cybersecurity correspondent Joe Tidy’s searchable Coronavirus Phishing Scams collection, and the National Cyber Security Alliance’s COVID-19 Security Resource Library. Three of the 113 vulnerabilities patched by Microsoft were being exploited ITW. Patches for CVE-2020-1020 and CVE-2020-0938 mitigated the “limited targeted Windows 7 based attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library.” The third surprise attack exploited a Windows kernel elevation of privilege vulnerability, CVE-2020-1027. But before the end of April, Microsoft released an out-of-cycle advisory for a vulnerable Autodesk DLL, CVE-2020-7085.

Oracle reported ITW exploitation attempts on WebLogic servers without the patch for CVE-2020-2883 that was in the April Critical Patch Update. F-Secure announced two severe vulnerabilities in SaltStack Salt management framework, a configuration management and administration tool frequently used in data centers and cloud environments including AWS and GCP. CISA published Top 10 Routinely Exploited Vulnerabilities. New intelligence from ESET detailed Winnti attacks on video game companies in South Korea and Taiwan. Taiwan’s Ministry of Justice believes Winnti was responsible for ransomware attacks on both of the country’s oil refineries. Broadcom/Symantec intelligence covered attacks on telecommunications companies in South Asia by the Greenbug threat actor. Cisco disclosed that six of its backend servers were compromised by hackers who exploited SaltStack vulnerabilities CVE-2020-11651 and CVE-2020-11652. The Australia logistics giant Toll Group was hit by a second ransomware attack in three months. Trustwave disseminated a report on “GoldenSpy,” a backdoor in the tax payment software mandated by the Chinese bank of a UK-based technology company.

Cycldek, a low-profile Chinese threat actor deployed “USBCulprit” malware that Kaspersky assessed is intended to spread to and exfiltrate data from systems isolated from the internet. None of the 150+ vulnerabilities patched in June were being exploited prior to patch release. Australian Prime Minister Morrison said Australian organizations, including governments and businesses, are currently being targeted by a sophisticated foreign “state-based” actor. The “Evil Corp’’ APT-grade cybercrime threat actor began “big game hunting” with relatively new WastedLocker ransomware. NCC Group and Symantec independently released intelligence on the new Evil Corp campaign.

Enterprises with F5 BIG-IP appliances were at risk from attacks on two new vulnerabilities that U.S. Cyber Command called to be “remediated immediately.” Exploit code was ITW. BIG-IP honeypots had been attacked and malware installed. FortiGuard, Palo Alto and Deep Instinct each reported intelligence about EKANS (SNAKE) ransomware that sidelined systems at Honda and Enel. Citrix released a security bulletin and patches for 11 new vulnerabilities in Citrix ADC, Gateway and SD-WAN. Within three days, the VTRAC collected reports of Citrix exploit detections by honeypots followed by de rigueur attempts to install cryptocurrency mining software. The U.K., U.S.A. and Canada jointly reported APT29 (Cozy Bear) (Russia) has been targeting COVID-19 vaccine research organizations. Sansec reported the Lazarus Group had been attacking U.S. and E.U. e-tailers using Magecart payment card skimming. McAfee and SentinelOne each reported different campaigns by Lazarus.

We collected security advisories about Cisco firewalls and TeamViewer, the management tool used by many managed service providers and their clients. We collected intelligence on campaigns spreading new variants of banking Trojans: IcedID, Dridex and Emotet. MITRE published, “2020 CWE Top 25 Most Dangerous Software Weaknesses.” Three U.S. agencies released joint reports on a newly distinguished North Korean threat actor, “BeagleBoyz,” and malware that the actor uses for ATM “jackpotting” attacks. F-Secure reported North Korean actors targeting virtual currency organizations.

Group-IB reported “UltraRank” an actor behind Magecart payment card skimming campaigns since 2015. SWIFT and BAE Systems released a report on the cybercrime economy fittingly titled, “Follow the Money.” CISA released two products covering Iranian threat activity. Several vulnerabilities used by Iranian actors are also favored by ransomware actors according to SenseCy. Intel 471 assessed Lazarus has been using Russian crimeware for initial access to their targets. Microsoft Security reported ITW attacks exploiting systems without patches for the so-called “ZeroLogon” vulnerability, CVE-2020-1472.

The Australian Cyber Security Centre (ACSC) issued an advisory on an “ongoing and widespread” Emotet campaign impacting Australian organizations. The VTRAC continued to collect threat intelligence about exploitation of Netlogon/ZeroLogon (CVE-2020-1472). CISA and Microsoft have observed Netlogon/ ZeroLogon exploitation by APT-grade actors like MuddyWater and TA505. The MuddyWater Iranian APT actor has been targeting Israeli organizations according to ClearSky Security. Telsy attributed MuddyWater was behind another campaign targeting professionals in the aerospace and avionics sectors in Italy. Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded. The U.S. barbeque restaurant chain Dickey’s suffered a point-of-sale attack between July 2019 and August 2020.

The VTRAC collected risk-relevant intelligence about eight new vulnerabilities, three of which have already been exploited and the remainder having exploit code ITW without reports of successful attacks. November’s Patch Tuesday came with 114 Microsoft patches, 2 Adobe product updates, 12 SAP security notes (6 Hot News), 4 Chrome browser updates and 40 Intel security advisories. Exploit code was already ITW for one Microsoft and five Chrome browser vulnerabilities. Bitdefender released a report of Chinese APT attacking South East Asian governments. Attacks by Lazarus and Kimsuky were reported by ESET and EAST Security respectively. Egregor ransomware has been establishing itself as the successor to Maze ransomware. The Australian Cyber Security Centre alerted the healthcare sector about TA505 attacks using SDBBot remote access Trojan and Clop ransomware.

Malwarebytes and CERT-Bund warned about a campaign that had been targeting users in Germany with Gootkit banking Trojans and REvil (Sodinokibi) ransomware. The milestone attack abusing the SolarWinds Orion update process will probably eclipse WannaCry as the most costly cyberattack. The 18,000 SolarWinds customers exposed to the first stage Sunburst malware will be threat hunting to determine if they were among the priority targets for the attackers. Microsoft identified more than 40 customers that were “targeted more precisely and compromised through additional and sophisticated measures.” There were probably at least two different threat actors inside SolarWinds’ network. One was the APT-grade actor discovered by FireEye. Another less-sophisticated actor was spreading SUPERNOVA backdoors. The APT actor prioritized a much smaller set of customers for reinforcing attacks using Teardrop dropper Trojans to deliver a Cobalt Strike Beacon. These priority victims probably number in the low hundreds and are being identified by unravelling Sunburst’s network use for Command and Control and malware distribution.