Here, we summarize a few things that we remember from 2021 that will keep affecting us in the coming years.
1. Ransomware affecting our society
Ransomware attacks have been increasing in number for several years. 2021 was no exception, and we also witnessed how they could influence our everyday life. Production downtime, the need to re-install computers, and restoring data from backups certainly have a huge impact on companies, even more so if the backups themselves are made unusable by the attack. In 2021, we saw effects directly impacting societal services that we otherwise take for granted.
In July, a ransomware attack exploited a vulnerability in the Kaseya system administration software. This attack ultimately led to Coop having to close down around 800 supermarkets for one week in Sweden. Small villages with no other supermarkets were also affected. There have arguably been several ransomware attacks in previous years, e.g., WannaCry and NotPetya, that had a huge impact on our society. However, in Sweden, the Kaseya attack was not just another headline. It impacted the everyday life of almost everyone.
The ransomware attack on Colonial Pipeline targeted the system that managed oil pipelines from Houston, Texas. As a result, millions of people queued for fuel, and since fuel to Americans is as critical as food is to Swedes, this attack can be claimed to have had a similar effect.
2. Supply chain attacks at the center of attention
The Kaseya ransomware attack above also falls into the supply chain attack category. The initial target of the attack was Kaseya software, but it was ultimately the users of the software that suffered the main consequences. See our blog post series on software supply chain attacks for a more in-depth treatment of these attacks.
The SolarWinds attack, which was detected in December 2020, was the spark that shifted the cybersecurity community’s attention to software supply chain attacks. In 2021, ENISA released a report on the subject, categorizing and enumerating several attacks. NIST, together with CISA, also released a report on how to defend against the attacks. Several instances of such attacks have been seen in the last few years. A notable addition in 2021 was the introduction of the dependency confusion attack, which affected several large organizations, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber.
3. The Log4j vulnerability
Christmas and New Year are not known to be a time of relaxation in the cybersecurity community. We can recall the Meltdown and Spectre vulnerabilities that were announced on January 3, 2018. In December 2020, the SolarWinds attack was on everybody’s lips. And, as we approached Christmas in 2021, the world was heavily hit by the Log4j vulnerability, which became known as Log4Shell.
Log4Shell is a vulnerability in a Java library used by thousands of applications. With a CVSS score of 10 and with such widespread use of the library, the weeks before Christmas saw a large number of attacks exploiting this vulnerability. Since it allowed remote code execution on the targeted system, attackers were often only limited by their imagination.
There were obvious examples of ransomware and cryptocurrency mining, but it was also used to install banking trojans. Organizations worldwide had busy days making sure to identify and patch all systems using vulnerable versions of the library.
4. New DDoS attack records
We see an increased number of DDoS attacks, and they keep growing in scale. The Mirai Dyn DDoS attack in 2016 was the largest one at the time, at somewhere between 1 and 1.5 Tbit/s. In 2018, GitHub was hit by an attack that reached 1.35 Tbit/s. In 2020, Amazon Web Services was hit by a 2.3 Tbit/s attack. In 2021, Microsoft Azure was hit by an attack reaching 2.4 Tbit/s.
While some report this attack as the largest yet, we should add that Google announced in 2020 that they had experienced a DDoS attack already in 2017 that peaked at 2.5 Tbit/s. In addition to the increased traffic volumes, it was also reported that the number of DDoS attacks is increasing and that they use a higher number of simultaneous attack vectors. They are easy to initiate and often difficult to protect against.
5. More than 20 000 new vulnerabilities
The number of reported vulnerabilities with a CVE identifier has steadily increased for several years. In 2021, we passed the 20k mark for the first time. This is an average of about 55 new vulnerabilities each day. The increase most likely has several causes. New use cases for digitization mean that more software is developed. This naturally leads to more vulnerabilities.
However, this is just one side of the coin. The number of CVE numbering authorities is increasing, which can better centralize vulnerability information in one place. More organizations use bug bounty programs, incentivizing security researchers to find more vulnerabilities. These programs also collect and make the information public, making it easier to centralize the vulnerability data.
6. An accelerated need for cybersecurity
The Covid-19 pandemic has fast-forwarded the need for and use of digitization. This has increased our need for new digital tools and software, but it has also opened the door to more attacks on our digital infrastructure as we work remotely.
Cybersecurity is not just good for businesses to protect IT systems and customer data. It is evident that it must also be a prioritized issue for governments to handle on a national scale. In May, the Biden executive order sought to improve the state of national cybersecurity. It focused both on improving the defenses and on sharing security-critical information.
If you’re one of those people who still don’t have a cybersecurity solution in place – this is your sign. A great place to start is to get an overview of all open source in your software, which you can do by integrating with Debricked – for free. Create an account today and enjoy a safer 2022.