Hacking

The worst cyber attacks of 2021

Which are the cyber attacks of 2021 that had the major impact on organizations worldwide in terms of financial losses and disruption of the operations?

CNA Financial (March 2021) – CNA Financial, one of the largest insurance companies in the US, reportedly paid a $40 million ransom to restore access to its files following a ransomware attack that took place in March.

According to Bloomberg, CNA Financial opted to pay the ransom two weeks after the security breach because it was not able to restore its operations. Bloomberg was informed about the payment by two people familiar with the attack.

The systems at the company were infected with the Phoenix Locker, a variant of ransomware tracked as Hades that was part of the arsenal of the cybercrime group known as Evil Corp.

Microsoft Exchange Server massive attacks (March 2021) – At least tens of thousands of Microsoft customers may have been hacked by allegedly the China-linked APT groups since January, including business and government agencies.

At least one China-linked APT group tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email accounts, and install backdoors to maintain access to victim environments.

The attacks started in January, but the attackers’ activity intensified in recent weeks, according to the experts at security firm Volexity. Volexity experts were investigating the compromise of Microsoft Exchange servers belonging to its customers when discovered that the attackers exploited a zero-day server-side request forgery (SSRF) vulnerability in Microsoft Exchange (CVE-2021-26855). 

Microsoft confirmed the attacks against the Exchange servers that aimed at stealing emails and install malware to gain persistence in the target networks.

The IT giant released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported MS Exchange versions that were actively exploited in the wild.

The US Cybersecurity and Infrastructure Security Agency (CISA) also issued the Emergency Directive 21-02 in response to the disclosure of zero-day vulnerabilities in Microsoft Exchange

Colonial Pipeline (May 2021) – The Colonial Pipeline facility in Pelham, Alabama, was hit by a cybersecurity attack in May and its operators were forced to shut down its systems. The pipeline allows carrying 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, it covers 45 percent of the East Coast’s fuel supplies. The U.S. Federal Bureau of Investigation confirmed that the Colonial Pipeline was shut down due to a cyber attack carried out by the Darkside ransomware gang.

Multiple media, citing people familiar with the matter, reported that the company had initially refused to pay the ransom. However, the quick restoration of the operations is suspicious and suggests that the operators of the Colonial Pipeline have paid the ransom.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.

JBS USA – (May 2021) – On May 30, the American food processing giant JBS Foods, the world’s largest processor of fresh beef, was forced to shut down production at multiple sites worldwide following a cyberattack.

The cyberattack impacted multiple production plants of the company worldwide, including facilities located in the United States, Australia, and Canada. JBS USA disclosed the cyberattack, according to a press release published by the company the attack had a severe impact on infrastructure located in Australia and North America.

Early July, the US FBI announced that REvil ransomware gang (also known as Sodinokibi) was behind the attack and a week later JBS admitted the payment of an $11 million ransom to the criminal group after it initially demanded $22.5 million.

Kaseya (June 2021) – In June, REvil ransomware gang hit the Kaseya cloud-based MSP platfor software provider Kaseya and announced that fewer than 60 of its customers and less than 1,500 businesses have been impacted by the recent supply-chain ransomware attack.

The REvil ransomware operators initially compromised the Kaseya VSA’s infrastructure, then pushed out malicious updates for VSA on-premise servers to deploy ransomware on enterprise networks.

The ransomware gang exploited a zero-day vulnerability in Kaseya VSA servers, tracked as CVE-2021-30116, that was discovered by The Dutch Institute for Vulnerability Disclosure (DIVD) and reported to the company.

Kaseya was validating the patch before they rolled it out to customers but REvil ransomware operators exploited the flaw in the massive supply chain ransomware attack. REvil ransomware initially asked $70 million worth of Bitcoin for decrypting all systems impacted in the Kaseya supply-chain ransomware attack.

At the end of July, Kaseya provided a universal decryptor to its customers, experts speculate the company paid the gang to obtain it.  

Log4j (December 2021) – Since the public disclosure of an exploit for the Log4Shell vulnerability  (CVE-2021-44228)  in the Apache Log4J library threat actors started exploiting it along with other Log4J flaws (CVE-2021-45046, CVE2021-4104, and CVE-2021-42550) in attacks in the wild.

The vulnerabilities can allow threat actors to execute arbitrary code on the target systems, trigger a Denial of Service condition, or disclose confidential information.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

25 mins ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

4 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

18 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.