
LESSONS LEARNED FROM THE TOP 5 BREACHES OF 2021



In today’s digital age, cybercrime is on the rise, and the number of breaches experienced by businesses and individuals is only growing. This year, we’ve exceeded the number of breaches seen in 2020. As businesses and organizations become more reliant on technology, they become more vulnerable to cyberattacks. Hackers are finding new and innovative ways to gain access to data, and it’s more important than ever for businesses to have robust cybersecurity measures in place.

The risk factors for 2021 appear to have altered from previous years, with ransomware, third-party flaws, phishing attacks, and undetected security gaps supplanting human error as the leading cause of data breaches; however, unwitting end-users play a huge role in these kinds of attacks.

What were the top 5 biggest breaches of 2021, how were they addressed, and what can your organization do? Let’s find out…

 

MARCH – MICROSOFT EXCHANGE

The Chinese hacking group known as Hafnium attacked Microsoft Exchange in March of 2021. The attack affected over 30,000 organizations across the United States, including local governments, government agencies, and businesses. While the attack wasn’t directed specifically at Microsoft, the group “primarily targets entities in the United States for exfiltrating information from a number of industry sectors,” according to Microsoft’s notification to customers.

WHAT HAPPENED?

The attack began when hackers used stolen passwords combined with previously undetected vulnerabilities on servers running Microsoft Exchange software. The vulnerability allowed any user who had physical or virtual access at the time of login to gain full administrative rights. Once this happened, the attackers logged in and installed malware that created command-and-control proxies for their use.

RESOLVING THE ISSUE

To help protect against this kind of attack, Microsoft explained that its customers should immediately install all software patches for their systems. In this case, the vulnerabilities were discovered and patches were released by Microsoft in 2020, but many customers hadn’t updated their systems.

 

APRIL – FACEBOOK DATA BREACH

A Facebook data breach exposed over 533 million individuals’ personal information to hackers. This included the user’s name, date of birth, current city, and posts made on their wall.

WHAT HAPPENED?

This breach happened when cybercriminals scraped data from Facebook’s servers by abusing a misconfiguration in its contact importer. The exposed database contained the personal information of millions of people, including phone numbers, Facebook IDs, names, birthdays, and in some cases email addresses.

RESOLVING THE ISSUE

Facebook identified this as an external attack, but the root cause of this breach or others like it comes from a common scenario: misconfiguration errors. Facebook isn’t the only one with security issues caused by misconfiguration.
 

MAY – COLONIAL PIPELINE

In May, the U.S.-based Colonial Pipeline was the victim of a ransomware attack. The company operates a large pipeline that ships gasoline and other petroleum products from Texas to New Jersey and throughout the Midwest.

WHAT HAPPENED?

Attackers breached the company through a VPN account with a single compromised password and gained access to their network on April 29. While operational technology systems weren’t affected, this incident caused the firm to halt fuel flow in its mainline as a precautionary measure (and to shut down leaks). This led to fuel shortages in the Southeast, Midwest, and Northeast regions of the country and rising fuel prices, with drivers panic buying at the pump.

What makes this attack so worrying is how easily the hackers could access the system – it has since been revealed that the company didn’t use multi-factor authentication.

RESOLVING THE ISSUE

According to the company, after a six-day shutdown, the restart of pipeline operations resumed on May 12, with all systems and processes having returned to normal by May 15.

It’s possible that an insider was responsible for lowering security controls by sharing VPN credentials; however, exactly how attackers gained access to those credentials remains unclear. This attack is a perfect example of why it’s so crucial for companies – especially ones handling sensitive data – to have multi-factor authentication (MFA). It’s something that more and more companies are starting to adopt.


MAY – JBS RANSOMWARE ATTACK

The world’s third-largest meat processor, JBS, was hit by a ransomware attack. One of the main effects of the attack was reported downtime for hundreds of beef and poultry processing plants across four continents.

JBS discovered the incursion when the IT team found irregularities in some of their internal servers. After contacting the FBI and security experts, they started to shut down systems to slow the attack’s impact. This tactic proved unsuccessful as it took two weeks to regain complete control of their systems through backups. 

WHAT HAPPENED?

According to an internal investigation, the malware was introduced through phishing emails. The messages contained Trojan viruses that could exploit weaknesses within their IT system and gain full access after tricking company employees into opening them. Once the attackers had a foothold, they could take over other systems, including backup servers. This made it difficult for JBS to regain control of their networks as the attackers had full access to all data and systems.

RESOLVING THE ISSUE

After realizing they’d lose their entire database if they didn’t pay the ransom demand of $11 million, JBS made a bitcoin payment to the cybercriminals.


NOVEMBER – LOG4SHELL EXPLOIT ACTIVITY WORLDWIDE

In late November a critical vulnerability affecting the popular Java logging library Log4j was disclosed. It is a remote code execution vulnerability that can give an attacker full control of a system. Shortly after the vulnerability was disclosed, a massive flood of scanning and exploitation attempts swept across the internet from malicious actors everywhere.

WHAT HAPPENED?

An open-source library used by everyone from Apache and Apple to Minecraft and Twitter gave cybercriminals an enormous attack surface to cause widespread global disruption, all through a single line of text. The vulnerability is so serious because this code is part of millions of installations around the world, and it allows the attacker full control of the system to do things like steal emails and files or install ransomware, among other actions.

The vulnerability was disclosed very publicly and there wasn’t a way to discreetly inform impacted individuals to allow them time to fix it.

RESOLVING THE ISSUE

Manual or automated scans of endpoints for vulnerable versions of Log4j will identify the systems that need to be upgraded to at least version 2.16. From there, the software developer can be contacted to inquire about an available update/patch that resolves the issue.
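One way to implement the scan described above, as an added example that is not the post’s own tooling: it walks a directory tree, reads the version of every log4j-core JAR it finds, and reports those below the 2.16.0 floor the post names. It assumes JARs follow the log4j-core-<version>.jar naming convention when a manifest is missing, and applies only that one floor (so older patched branches for legacy Java versions are also reported).

```python
# Added example (not from the original post): find log4j-core JARs under a
# directory, read each one's version, and flag anything below 2.16.0.
import os
import re
import zipfile

MIN_SAFE = (2, 16, 0)  # the "at least version 2.16" floor the post names
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from text like '2.14.1', else None."""
    m = _VER_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the version
    embedded in the filename (log4j-core-<version>.jar is assumed)."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                v = parse_version(line.split(":", 1)[1])
                if v:
                    return v
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # corrupt jar or no manifest: fall through to the filename
    return parse_version(os.path.basename(path))

def scan_for_log4j(root):
    """Map each log4j-core JAR under root that is below MIN_SAFE (or whose
    version cannot be read, reported as None) to its version tuple."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                v = jar_version(path)
                if v is None or v < MIN_SAFE:
                    findings[path] = v
    return findings

def make_fake_jar(path, impl_version):
    """Constructed fixture for offline testing: a JAR with only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")
```

Point scan_for_log4j at an application root or a whole filesystem; a non-empty result is the list of hosts and paths that still need the upgrade.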
 

BEST PRACTICES FOR ADDRESSING SECURITY BREACHES

Sadly, there is no one-size-fits-all approach regarding stopping security breaches or even handling them when they happen. However, there are some best practices to consider to minimize exposure to hackers.

ENCRYPT AND REGULARLY BACKUP DATA

Encryption scrambles sensitive information and makes it unusable if stolen. Encryption can be used on mobile devices such as laptops, and for email.

The next line of defense is anti-hacker backups: backup copies stored offline to further protect them from hackers.

ENFORCE MULTI-FACTOR AUTHENTICATION

Multi-factor authentication (MFA) should be required wherever possible. MFA works by requiring the user to provide at least two identification methods, like something you know (usually a password or PIN) and something you have (another verification factor), providing significantly more security than passwords alone.

KEEP SOFTWARE AND SYSTEMS UP TO DATE

Keeping software patched and updated will close off hacker backdoors into your system as well as reduce the chances of a zero-day attack. Some common software applications have auto-updaters. If they don’t, a company policy can be created to inventory the software used across the company and manually check for updates once a year at a minimum.

FOSTER END-USER AWARENESS

Your team needs to be aware of the risks and importance of cybersecurity to keep your business safe. They also need to be mindful of the various ways hackers can try to gain access to your systems so they can be on the lookout for any suspicious activity, particularly phishing. In addition to periodic emails with updates on the latest threats, training sessions can be held to reinforce the response if someone feels they have succumbed to an attack or phishing email.

ENROLL WITH MANAGED DETECTION AND RESPONSE

Cybercriminals can strike any time. They especially love to do that when there is potentially no one around who can respond immediately. Managed detection and response, or MDR, is a transformative information security approach that many organizations are adopting. MDR proactively monitors and responds to threats within your IT environment, with human experts behind the wheel 24/7/365 to facilitate mitigation and recovery efforts. MDR services not only incorporate automation but have real human experts who respond to security threats within your system, even if it’s on the weekend or night when no one is at the office to report “something is strange”. 

 

CONCLUDING REMARKS

Businesses of all sizes must stay vigilant to protect themselves from data breaches. Implementing the proper security measures, such as employee training, up-to-date security configurations, and policies, and effective technology solutions can help reduce your risk of being compromised.

Securing company resources doesn’t have to be complicated. Contact ICS today to see what your organization can do to strengthen your cybersecurity for 2022 and reduce the risk of a data breach.

If you have any questions, please feel free to contact us at: (201) 720-3775

We Offer:

  • Microsoft Silver Certified Partner
  • Dynamic Support | Managed IT
  • Cloud Computing for Business