It’s been called the worst internet hack in history.
On Dec. 9, a critical vulnerability in a widely used online software logging tool surfaced after hackers used it to gain access to servers that host Minecraft, the popular gaming platform. The flaw, known as Log4Shell (CVE-2021-44228), is a global threat because it allows hackers to get into computer systems and servers without a password.
In the days since it surfaced, cybersecurity teams have been scrambling to patch it while cybercriminals have been racing to develop and distribute tools to exploit it. Unless it’s fixed, criminals, spies, and nation-states can use the flaw to access business and government networks, plant malware, and steal valuable data.
The vulnerability exists in an open-source Java logging library that, as Jim Kelly, Tanium vice president of endpoint security notes in a recent blog post, “is incorporated in many enterprise applications, open-source software, and potentially as a dependency in many other services.” Kelly, a security architecture professional, adds: “The prevalence of configuration and installation variables make this vulnerability extremely challenging to identify and target for remediation.”
With just days left in 2021, it’s hard for even seasoned cybersecurity professionals to wrap their heads around the magnitude of this hack—as well as the sheer number of attacks that cybercriminals and nation-states have carried out this year.
The roster of major businesses attacked is shorthand for today’s cyber epidemic: Kaseya. Colonial Pipeline. JBS meatpacking. Twitch. And, of course, SolarWinds. (Technically a 2020 hack, SolarWinds was discovered exactly one year ago, took up much of 2021’s cybersecurity thinking, and inspired a presidential executive order.)
The range of targets that cyberattackers hit was so widespread (among them, a meat-packer, an energy provider, a brewer, and several federal agencies) it would be hard to say that anybody was safe. “Literally all industries and sectors were affected,” says Brenda R. Sharton, partner and co-chair of Dechert LLP’s global privacy and cybersecurity practice and a nationally recognized expert in the area. “2021 was an equal opportunity event. Cyberattacks were up exponentially across the board both in frequency, level of sophistication and certainly ransom demands.”
Most targeted sectors
The exact number of ransomware attacks is hard to nail down. But the sectors most often targeted were those with the most sensitive data (banking and other financial services) and those that have struggled to maintain cybersecurity (healthcare and education).
For instance, in March, criminals attacked CNA Financial, the seventh largest commercial insurer in the U.S., encrypting some 15,000 devices, including computers used by its remote workforce. The insurer reportedly paid more than $40 million in ransom. Two months later, hackers hit French insurer Axa’s Asia assistance division, likely using Avaddon ransomware.
2021 was an equal opportunity event. Cyberattacks were up exponentially across the board.
In May, hackers launched a ransomware attack against the Irish Department of Health and its Health Service Executive. In addition to releasing sensitive patient data online, the attackers’ software forced the cancellation of in-patient services and a delay in issuing birth and death certificates and the processing of Covid-19 tests.The University Medical Center of Southern Nevada was hit by an attack in the summer that affected the personal details of 1.3 million people. Some of the stolen data was spotted on the darknet site of ransomware group REvil.
Paul Bischoff, editor and privacy advocate at consumer security firm Comparitech, notes that “the healthcare industry is particularly vulnerable to ransomware attacks.” That’s because healthcare facilities have many points of cyber weakness, including overworked staff who are not trained IT professionals and who must use unsecured internet-connected computers and Wi-Fi networks. In addition, such facilities, critical to the healthcare of their communities, have been under pressure to operate smoothly during the pandemic. That “makes them more likely to pay ransomware demands, and therefore they are more lucrative targets to hackers,” Bischoff says.
Easy and anonymous money
While no one has yet tallied 2021’s overall cost for rectifying a ransomware attack on healthcare, Bischoff and others say it will probably top last year’s. In 2020, the average cyberattack cost—for downtime, ransom paid, repairs, and replacement of devices and networks—in the U.S. healthcare sector was $1.27 million, according to Health and Human Services Department figures. By comparison, the average in the financial services industry was $2.1 million. Meanwhile, the education sector reported the highest average bill, at $2.73 million.
This year, the bill is expected to be far higher. “We saw ransom demands go from mid-seven figures in 2020 into the tens of millions of dollars in 2021,” Sharton says.
The healthcare industry is particularly vulnerable to ransomware attacks.
Industry experts fear that the increasing use of cryptocurrency—which is untraceable—to pay ransomware demands may encourage attacks. Because cryptocurrency regulations vary across the world, Jon Brandt, director of professional practices and innovation at the IT association ISACA, believes the currency’s “global ambiguity likely emboldens cybercriminals.” However that doesn’t mean crypto is itself to blame for the attacks. “That would be like saying that bank heists went up because automobiles were invented and created an easier getaway,” says Brandt.
The rise of supply chain attacks
Covid exposed one of the most vulnerable aspects of any organization: its use of outside vendors that lack sophisticated security. Supply chain attacks may have increased as much as fourfold this year, according to the European Union Agency for Cybersecurity. In two-thirds of such attacks, ENISA notes, the hackers first targeted a supplier’s codebase to advance on their main target.
“Supply chains are complex, with goods and services sourced from across the world, all of which are vulnerable to different degrees,” Brandt says. “The pandemic propelled many to cloud services, which exponentially increases risk.”
A key example of a supply-chain breach occurred in early July when Kaseya Ltd., an IT management and antivirus software provider, was compromised by Eastern European hackers using ransomware made by the REvil group. Kaseya sells its products to third-party service providers, which manage IT for other companies, often small and medium-size businesses. By targeting Kaseya’s software, the cybercriminals gained access to a range of different networks, affecting as many as 1,500 companies. The hackers demanded $70 million in ransom.
Suppliers and vendors are increasingly targeted, Sharton says, because they can “provide a back door into an organization’s environment that may not be as readily apparent to the information security team.”
Phishing gets phishier
With the increased migration to remote work during the pandemic, clever email phishing attacks followed, as did hacks on unsecured network devices.
“Things like home Wi-Fi, not knowing new co-workers, vulnerabilities in workers entering the systems from disparate locations, and just sheer fear and uncertainty around all things Covid created the perfect storm for hackers to try to capitalize,” Sharton says. “I’ve handled around 1,000 data breach investigations since the late 1990s. Every year, I see an increase in the sophistication of phishing attacks.”
Far too many cyberattacks occur or escalate because organizations aren’t doing the easy things well, if at all.
Indeed, reported phishing attacks doubled in 2020 with the pandemic, according to the international consortium Anti-Phishing Working Group, and continued strong in 2021. In June this year, APWG saw 222,127 attacks.
One common attack was the business email compromise, in which the scammer impersonates a fellow company employee or other trusted party, and tries to trick a worker into sending money or financial information, usually by sending the victim email from fake or breached accounts. With so much personal data shared on social media, it’s fairly easy for scammers to drill down into their target’s interests and likes and create phishing campaigns that are scarily accurate to a user’s vulnerabilities.
Phishing scammers also got greedier this year. The average wire transfer request in a BEC attack increased to $106,000, from $48,000 a year earlier, APWG reported.
Security’s silver bullet: basic cyber hygiene
An organization’s best defense against becoming a hacking victim is basic cyber hygiene. That starts with discovering and inventorying all hardware and software on your network. The principle to then be applied is zero trust, in which every device that tries to log on to the network is treated as a potential threat. Multifactor authentication, data encryption, and backups that are regularly tested are key, as well as permissions granted using the guidelines of least-privilege and need-to-know.
“Many organizations are really bad at limiting access to systems and data. Far too many employees have more access than they need to do their job,” Brandt says. Simply put, he adds, “Far too many cyberattacks occur or escalate because organizations aren’t doing the easy things well, if at all.”
Sharton says one surprise this year was “seeing ransom demands going into the tens of millions of dollars,” compared to attacks many years ago that started out in the thousands of dollars.
The good news, she says, is “the threat actors finally got too greedy, and we’re now seeing attempts at a coordinated response on the government level, whereas before they were able to stay under the radar.”