An Update on Recent Major Breaches

Lisa Morgan
08/27/2021

2021 has already been a year of unprecedented cyber attacks. What they increasingly have in common is a supply chain aspect, which may or may not be exploited. When the supply chain is exploited technically, as with a poisoned software update, customers' and partners' systems may also be compromised. When the supply chain is a physical one, delivery of the goods is disrupted, whether gasoline or beef, and fear-based hoarding and price spikes may follow.

The supply chain aspect is something every company needs to consider from both the upstream and the downstream perspective. Even if third-party systems are not compromised by a breach, their data may be, and if it is, those parties may themselves become the victims of a triple ransom, in which the attacker extorts the breached company's customers and partners as well.

Following are updates on a few of our biggest Incident of the Week (IOTW) stories of the year so far:

  • SolarWinds
  • Microsoft Exchange
  • Colonial Pipeline
  • JBS
  • Kaseya


SolarWinds

In December 2020, news surfaced that SolarWinds, a provider of IT monitoring and management tools, had been the victim of a cyber attack delivered through its own software update mechanism. The attackers injected malicious code into a genuine, signed update of the Orion platform, which was downloaded by approximately 18,000 customers.

The Biden administration responded with sanctions against Russia and a pledge to step up America's cyber security capabilities. More than a hundred organizations, including Cisco, Intel and Microsoft, were affected, along with government agencies including the Cybersecurity and Infrastructure Security Agency (CISA). FireEye discovered the malicious code and alerted SolarWinds to its existence.

Update: NPR reported that the threat actors had breached SolarWinds nine months before the hack, using that time to identify targets, among other things. The hackers, believed to be directed by Russia's foreign intelligence service, were said to "move like ghosts", undetected both in the network and in the software build that produced the update, and they covered their tracks as they went. In May, Microsoft identified the threat actors as the Russian hacking group Nobelium.

In July, the U.S. Department of Justice (DOJ) revealed that employee email accounts in 27 U.S. Attorneys' offices had been compromised between May 7, 2020 and December 27, 2020, and that the department was treating the incident as if all email associated with those accounts had been exposed. On a web page, the DOJ said, "The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time. While other districts were impacted to a lesser degree, the [Advanced Persistent Threat] group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys' offices located in the Eastern, Northern, Southern, and Western Districts of New York. The Executive Office for U.S. Attorneys has notified all impacted account holders and the Department has provided guidance to identify particular threats."

Microsoft Exchange

Security firm Volexity uncovered attacks exploiting a previously unknown chain of vulnerabilities in on-premises Microsoft Exchange Server. Beginning in January, the threat actors had been planting web shells that gave them persistent command execution on the server and the ability to steal mailbox data. An estimated 60,000 victims were targeted through the Outlook Web Access (OWA) interface of their self-hosted Exchange servers. Exchange Online, the cloud-hosted service, was not affected.

Exploitation spiked around the time Microsoft issued out-of-band patches on March 2. By then, other hacking groups were also taking advantage of the vulnerabilities, and because their campaigns were automated, organizations across industries were hit indiscriminately, regardless of whether they were of any interest as targets.

Microsoft attributed the attack to Hafnium, a Chinese state-sponsored hacking group. In April, the Department of Justice announced a court-authorized operation in which the U.S. Federal Bureau of Investigation (FBI) copied and removed web shells from hundreds of on-premises Microsoft Exchange servers owned by private organizations. Then in mid-August a new worry surfaced: attackers are chaining three further Microsoft Exchange vulnerabilities (the chain publicly known as ProxyShell) to bypass authentication, elevate privileges and execute code remotely. A successful chain leaves the Exchange server completely compromised, with the attacker free to plant new web shells.
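The check a practitioner wants after reading the above is a first-pass hunt for web shells in the places they were dropped. The following is an added example, not code from the article, from Microsoft or from the FBI operation: it walks the drop directories Microsoft published in its HAFNIUM write-up looking for server-executed script files that contain the constructs of the one-line ASPX shells used in these attacks. Everything in it is assumed for the demo: the directory list, the signature set (deliberately narrow, so it will miss obfuscated or compiled shells), the function names and the sample pages, which are constructed and not real artifacts from any server.

```python
"""Added example: first-pass web shell hunt over Exchange drop directories.

Assumptions: CANDIDATE_DIRS is the list Microsoft published for HAFNIUM;
SIGNATURES covers the one-line ASPX (China Chopper style) shell constructs only.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Drop locations from Microsoft's HAFNIUM write-up. Assumed list: a first pass,
# not a complete inventory of where a shell can live on an Exchange host.
CANDIDATE_DIRS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\inetpub\wwwroot\aspnet_client\system_web",
    r"%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
]

# Only extensions IIS hands to the ASP.NET runtime: a shell must execute to be useful.
SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx"}

# Constructs of the one-line ASPX shells (assumed signature set, deliberately narrow).
SIGNATURES = {
    "eval_request": re.compile(r"eval\s*\(\s*Request", re.I),            # eval(Request.Item["k"], "unsafe")
    "jscript_page": re.compile(r'Language\s*=\s*"?JScript"?', re.I),     # JScript pages are alien to OWA's tree
    "process_start": re.compile(r"System\.Diagnostics\.Process", re.I),  # spawning commands from a page
    "b64_request": re.compile(r"FromBase64String\s*\(\s*Request", re.I), # encoded payload in a request field
}


def scan_file(path: Path) -> list[str]:
    """Return the names of the signatures that match the file's content."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_dirs(dirs: list[str]) -> list[dict]:
    """Walk each directory (environment variables expanded) and report matching script files."""
    findings = []
    for d in dirs:
        root = Path(os.path.expandvars(d))
        if not root.is_dir():  # directory absent on this host: skip rather than fail
            continue
        for p in root.rglob("*"):
            if p.is_file() and p.suffix.lower() in SCRIPT_EXT:
                hits = scan_file(p)
                if hits:
                    findings.append({"file": str(p), "matches": hits, "mtime": p.stat().st_mtime})
    return sorted(findings, key=lambda f: f["file"])


# Constructed demo content (not real artifacts from any server).
BENIGN_PAGE = '<%@ Page Language="C#" %>\n<html><body><% Response.Write("ok"); %></body></html>\n'
SHELL_PAGE = '<%@ Page Language="Jscript"%><%eval(Request.Item["key"],"unsafe");%>'


def build_demo_tree() -> str:
    """Create a throwaway directory that mimics an aspnet_client tree with one planted shell."""
    root = Path(tempfile.mkdtemp(prefix="exch_demo_"))
    client = root / "aspnet_client"
    (client / "system_web").mkdir(parents=True)
    (client / "healthcheck.aspx").write_text(BENIGN_PAGE)      # legitimate-looking page: no hit
    (client / "system_web" / "t.aspx").write_text(SHELL_PAGE)  # planted one-liner: flagged
    (client / "notes.txt").write_text(SHELL_PAGE)              # not a script extension: not executed, ignored
    return str(root)


if __name__ == "__main__":
    # Swap in CANDIDATE_DIRS on a real Exchange host.
    for f in scan_dirs([build_demo_tree()]):
        print(f["file"], f["matches"])
```

On a real server, pass CANDIDATE_DIRS to scan_dirs() and compare each finding's modification time against the window in which the server was unpatched; a clean result from a signature list this narrow is a starting point, not proof, and Microsoft's own published Exchange scanning and mitigation tools are the better-maintained option for production use.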