2022 Year in Review

As the New Year began, the Verizon Threat Research Advisory Center (VTRAC) was still tracking the SolarWinds-related campaigns. Tools emerged for security teams to use in Azure/Microsoft O365 environments. January’s patch Tuesday included one remote code execution vulnerability in Windows Defender that was already being exploited in the wild (zero-day). SonicWall was investigating an attack exploiting "probable zero-day vulnerabilities” in certain secure remote access products. Researchers reported a fourth malware used in the SolarWinds operation. “Raindrop” is a digital cousin to the Teardrop malware. Raindrop was installed only on select targets and delivered Cobalt Strike. After zero-day attacks, Apple released security updates for three vulnerabilities in iOS/iPadOS. The best news in January came when Europol closed down Emotet’s infrastructure redirecting 1.6 million victim systems to servers controlled by law enforcement.

Google kicked off February with Chrome browser updates to mitigate one zero-day. SonicWall, Cisco, Fortinet and Palo Alto Networks all released patches and updates to VPN and remote access products. SonicWall’s CVE-2021-20016 was already being exploited. Two more zero-day vulnerabilities were patched on patch Tuesday, one each by Microsoft and Adobe. CERT-FR reported a supply-chain compromise of Centrion by the Russian Sandworm threat actor that exhibited commonalities with the 2020’s SolarWinds Orion and Accellion attacks. Two days before the Super Bowl, the fresh water plant for a small city in Florida was briefly breached. One processing chemical was manipulated but quickly detected and corrected. IT security at the plant did almost everything wrong: the attacker entered via TeamViewer with a shared static password on a Windows 7 computer.

March roared in with out-of-cycle updates for four zero-day vulnerabilities in Microsoft Exchange that had been initially exploited in January. At least 30,000 Exchange servers were reported to be victims of Hafnium, a newly-labeled APT-grade threat actor aligned with the national security interests of China. The flaws were dubbed, “ProxyLogon.” Scanning and exploitation quickly surged. Other APTs and other threat actors breached unpatched Exchange servers. Microsoft patched 89 vulnerabilities including CVE-2021-26411, a zero-day in Internet Explorer exploited by a North Korean threat actor targeting security researchers. The month closed with Apple releasing patches for a zero-day vulnerability in Apple iOS/iPadOS/WatchOS.

In early April, the VTRAC collected reports of attacks by APTs from China and Russia targeting Japanese manufacturing and the German Bundestag respectively. The most significant shift in risk was due to zero-day exploitation of an authentication by pass vulnerability in Ivanti Pulse Secure SSL VPN appliances. Microsoft patched 114 vulnerabilities, one of which was exploited before patch Tuesday. The US government formally attributed the SolarWinds Orion operation to the Russian SVR intelligence service and their APT29 or Nobelium threat actor. SITA, a communications and IT vendor for almost all of the world’s airlines, was the victim of a data breach that compromised data for millions of passengers. It was among the largest data breaches of the year.

May began with one of 2021’s milestone breaches: Colonial Pipeline was compelled to shut down operations of their pipeline to contain a DarkSide ransomware attack. Several states suffered from fuel shortages. Even after paying the 75 Bitcoin (~US$5 million) ransom, the closure lasted six days. On the same day Colonial resumed operations, DarkSide announced they were ceasing operations, releasing decryptors to their affiliates and claiming that a portion of the group's infrastructure was disrupted by an unspecified law enforcement agency. A month later, the FBI seized 63.7 Bitcoin (~US$2.3 million due to declining Bitcoin valuation). May’s zero-day vulnerabilities were one vulnerability in MacOS, one in Adobe Reader and four vulnerabilities in Android. A threat actor self-identifying as “Fancy Lazarus,” a tongue-in-cheek combination derived from names of a Russian and a North Korean APT, began an extortion DDoS campaign. Japanese conglomerate, FujiFilm and the world’s largest meat packer, JBS Foods, both suffered business interruptions caused by REvil ransomware.

North Korean APT Kimsuky breached the network of the South Korean Atomic Energy Research Institute in June. Threat actors stole source code from Electronic Arts by first infiltrating the company’s support channel on Slack to bypass the company’s multi-factor authentication. Microsoft reported APT29 targeted IT, think tanks and government organizations using credential harvesting attacks. Six zero-day vulnerabilities were among 50 patched on Microsoft Tuesday. Apple patched two zero-days in iPadOS and iOS and Google patched one in Chrome browser.

Hours before the USA’s Independence Day holiday, REvil ransomware abused Kaseya Virtual Systems Administrator (VSA) to attack Managed Security Service Providers that controlled the infrastructure of thousands of companies. No one knows how many of the millions of end point systems were encrypted. A few days later, the REvil threat actors closed their darknet website and ceased infecting new victims. Before the end of the month, the BlackMatter ransomware debuted announcing: “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit.” Attacks exploiting a total of 15 zero-day vulnerabilities in five product families were reported in July. Cloudflare mitigated a 17.2 million request per second DDoS attack on a financial industry customer. The attack was a 30 second burst launched from 20,000 bots. Microsoft discovered a Chinese threat actor targeting SolarWinds Serv-U software with a Zero-day exploit.

August 5th at Black Hat, a “researcher” revealed how he chained two April and one May vulnerabilities in Windows to create the “ProxyShell” attack. Mass scanning for vulnerable Exchange servers ensued. Cybereason reported on “DeadRinger,” a campaign targeting Asian telecom providers. Cybereason found links to no less than five Chinese threat actor groups. Microsoft patched 51 vulnerabilities including “exploitation detected” for one zero-day. Italian energy company ERG and Accenture were the victims of LockBit 2.0 ransomware. T-Mobile reported a breach of PII from about 40 million former or prospective customers. The Poly Network, a "DeFi" or decentralized finance platform that works across blockchains, said that an attacker stole about $600 million in cryptocurrencies.

Just in time to ruin the Labor Day holiday in the United States, threat actors began exploiting a one-week old vulnerability in Atlassian Confluence servers. Most threat actors installed cryptominers but before the end of the month, VTRAC collected intelligence for payloads including webshells akin to the TTPs of APT actors. On Labor Day, Microsoft released an out-of-cycle advisory for zero-day exploitation of a vulnerability in the Windows browser rendering engine. Microsoft advised: “K eep antimalware products up to date,” but did not release patches until a week later, on the eve of Patch Tuesday. Iowa farm services provider NEW Cooperative was hit with BlackMatter ransomware and a $5.9 million ransom demand. CISA and the FBI urged organizations to patch a vulnerability in Zoho ManageEngine ADSelfService Plus that APTs had been using as a zero-day exploit to target defense contractors, academic institutions, and other entities. Google patched five vulnerabilities being exploited in zero-day attacks on Chrome browser. Zero-day attacks drove Apple to patch three vulnerabilities in iOS/iPadOS and MacOS.

The month began with accelerated patching to mitigate zero-day attacks on a vulnerability in Apache HTTPD, the internet’s #2 (after N ginx) web server. After the fix in Apache 2.4.50 was found to be “insufficient,” and that it introduced a new vulnerability that was, in turn, exploited almost immediately. Apache released version 2.4.51. Zero-day attacks also struck Microsoft, Apple and the Chrome browser. The REvil ransomware operation shut down again after an unknown person hijacked their Tor payment portal and data leak blog. CrowdStrike published an analysis of the threat actor known as “LightBasin” which had been targeting companies in the telecommunications sector since 2016. CrowdStrike did not attribute LightBasin to a nation-state. A “cyber event” shuttered Schreiber Foods, a multibillion-dollar dairy company for three days. This would affect the availability of cream cheese in the United States for the holiday season. CISA/FBI/NSA issued a joint alert detailing the TTP of BlackMatter ransomware. The ransomware had been targeting multiple US critical infrastructure organizations since July 2021. Eighteen days later BlackMatter closed down after transferring its current victims to LockBit 2.0.

Robinhood Markets said a hacker tried to extort the financial services company following a breach of data for 7 million customers. The actor targeted 10 customers to collect “extensive account details.” Emotet returned, using TrickBot for distribution and launched a worldwide email spam campaign delivering malicious documents. Researchers believe that the Conti ransomware gang was behind the botnet’s return. Google’s monthly Android update addressed a local privilege escalation vulnerability under “limited targeted exploitation.” Microsoft released advisories for 55 vulnerabilities including two that were already being exploited. Ukraine's security service, the SSU, identified five Russian FSB officers as operators behind the Gamaredon threat actor.

The Apache Foundation patched a critical remote code execution vulnerability in the widely employed Log4j library. Within days, security researchers discovered indications of exploitation that began nine days before the patch announcement. The VTRAC collected intel about attacks exploiting two previously unknown vulnerabilities in Zoho ManageEngine. Zero-day attacks impacted one Windows and one Chrome browser vulnerability respectively. The APT29 (Nobelium) actor maintained the high operational tempo it reached for the SolarWinds compromise one year earlier. Reports detailed several cyber-espionage campaigns tied to the APT. "In most instances, post compromise activity included theft of data relevant to Russian interests.”