The Russian-speaking ransomware group Clop, or Cl0p, in late May targeted a zero-day vulnerability in Progress Software's MOVEit secure file transfer software. While the vendor quickly warned customers and patched the flaw, Clop's blitzkrieg allowed it to nab voluminous amounts of data being stored by organizations on their servers. The latest victim count stands at about 2,700 organizations affected and more than 91 million individuals' personal details exposed, according to security firm Emsisoft. Ransomware incident response firm Coveware estimated Clop earned $75 million to $100 million from large victims who paid quickly to keep their victimhood quiet.
Clop has been on the vanguard of ransomware groups seeking easier and faster ways to extort victims, and secure file transfer software remains a top target. In late January, Clop exploited a flaw in Fortra GoAnywhere MFT software to steal data from hundreds of users. While Clop prefers zero-days, many attackers instead exploit unpatched file transfer software. In March, ransomware-wielding attackers targeted unpatched versions of IBM's Aspera Faspex file exchange application. In September, after Progress Software patched its WS_FTP server software and a researcher published a proof-of-concept exploit, attackers quickly came calling.
Ransomware-wielding attackers aren't picky; they'll use whatever tactics reliably work. Beyond exploiting known flaws in secure file transfer software, another repeat target is VMware hosts. In February, researchers tracked two highly automated campaigns that used ESXiArgs ransomware to infect thousands of servers. VMware said attackers appeared to be exploiting already-patched flaws to gain access to hosts, including via the heap overflow vulnerability designated CVE-2021-21974, which it fixed in February 2021.
4. US Government Hacked via Microsoft 365
Cyberespionage operations continue in force, as exemplified by suspected Chinese hackers gaining surreptitious access to 25 organizations - including senior U.S. officials' emails - in May by exploiting a zero-day flaw in Microsoft's cloud environment. The U.S. government said a federal civilian executive branch agency spotted unusual activity in its audit logs, confirmed the attack and reported it to Microsoft and the Cybersecurity and Infrastructure Security Agency. CISA urged all users to carefully monitor and review their own logs.
The attack is a reminder: The U.S. ranks China as a top national security threat in part due to its continuing willingness to use cyber operations to achieve its objectives, bolstered by its proficiency with targeting supply chains.
5. Rip and Replace: Backdoored Barracuda Gear
Barracuda Networks in May issued a patch for a zero-day vulnerability in its Email Security Gateway appliances. At the time, it warned that attackers had already been exploiting the flaw for up to eight months to gain "persistent backdoor access" to vulnerable appliances and exfiltrate data. The vendor later warned users that once attackers had installed the backdoor, the only way to safeguard themselves was to physically replace the hacked device, leading to the FBI urging the immediate removal of hacked devices. Incident responders tied the attacks to a nation-state group aligned with Beijing.
6. Making Citrix Gear Bleed
Attackers allegedly tied to Beijing struck again in late August by exploiting a zero-day flaw in NetScaler Application Delivery Controller and Gateway devices, formerly known as Citrix ADC and Citrix Gateway, to access those devices and steal existing, authenticated sessions. Even after users had patched the flaw, known as Citrix Bleed, attackers still used stolen session data to evade multifactor authentication and access the devices. All of this only came to light over the course of several weeks in October, leading researchers to warn users to patch and also terminate all active sessions. In the interim, multiple attackers began using the flaw to target organizations large and small, including Comcast.
7. Russia's Noisy 'Hacktivist' Groups
Moscow's war of conquest against Ukraine wasn't the easy victory supposedly envisioned by Russian President Vladimir Putin, thanks in no small part to Kyiv's preparation and assistance from allied nations and the private sector. As the war drags on, Russia occasionally scores a major disruption, such as against mobile operator Kyivstar, while restoring to a much greater degree misinformation and disinformation. This appears to include self-proclaimed hacktivist groups such as KillNet, which may be run or funded by the state. While such groups often report having disrupted notable targets in Ukraine and allied countries, experts say such claims are often overblown or completely false and designed to make adversaries and their leadership look weak.
8. North Korea's Atomic Wallet Love
Attacks launched by North Korea continue. The Pyongyang-affiliated hackers hit cryptocurrency exchanges and decentralized finance services to help the regime fund its long-range missile and weapons of mass destruction programs. Over the past five years, hackers tied to the Democratic People's Republic of Korea have stolen more than $3 billion, U.S. officials say.
One big hit this year happened in early June, when security researchers said North Korea's Lazarus group hacked Atomic Wallet - a noncustodial decentralized wallet - and stole $100 million in cryptocurrency from over 4,000 wallets, which they quickly began laundering. "The nature of the attack on Atomic Wallet indicates that the exploit was most likely carried out through a phishing or supply chain attack," said blockchain analytics firm TRM Labs.
9. Okta's Customer Support Data Heist
Like Microsoft, Okta got hacked and learned about it from its customer base, which in this case included BeyondTrust, 1Password and Cloudflare. Belatedly, Okta confirmed the September attack, reporting that it had traced to an attacker who apparently stole valid access credentials an Okta employee had been storing in their personal Google account - saved in their Chrome browser. In early November, Okta said, the attacker had stolen data pertaining to 134 customers. By the end of November, the vendor revised the breach tally and reported that the attacker had stolen information pertaining to every user of its primary customer support system.
10.Capita Customers' Data Breach Nightmare
Numerous organizations suffered breaches this year, and many of them have already come to light. What sets some incidents apart from others is the clarity of communications a breached organization offers to victims. Arguably falling short: British outsourcing giant Capita, which suffered a ransomware attack in March and in May learned from a security researcher that the attack had left a massive Amazon Web Services bucket unsecured since 2016. Victims included Britain's largest pension fund and potentially hundreds more organizations.
For the breach, Capita attempted to downplay the data exposure, creating a nonsense statistic and saying hackers had only accessed "less than 0.1% of its server estate." Subsequently, victims said they found more information was stolen than Capita admitted, or perhaps realized. Britain's data protection watchdog, the Information Commissioner's Office, subsequently reported "receiving a large number of reports from organizations directly affected by these incidents." The ICO's probe continues.
11. UK Police Forces Leak Personal Data
Responding to a Freedom of Information Act request in August, the Police Service of Northern Ireland inadvertently posted a spreadsheet containing the first initials and surnames, roles and locations of all officers and staff. Described as being "the most significant data breach that has ever occurred in the history of U.K. policing," the breach has left serving officers and staff at risk from dissident Irish republicans. Shortly thereafter, the PSNI disclosed another data breach, as did London's Metropolitan Police Service and two constabularies in England.
12.Major Disruptions Hit Hive, BlackCat
The year has been bookended by two notable disruptions: first of the Hive ransomware collective in January and earlier this month of the Alphv/BlackCat group. In between, in April, law enforcement seized Genesis, the world's largest market for stolen browser cookies and other types of credentials used to facilitate account takeover. Speaking at RSA Conference later that month, U.S. Deputy Attorney General Lisa O. Monaco said the Department of Justice has updated its approach to combating cybercrime by adding a "disrupt and prevent" focus to impose economic costs on attackers, even if arrests don't result.