Top 5 Cyberattacks of 2021

CNA Financial is one of the largest insurance companies in the United States. The company announced the attack in late March 2021, stating that it had fallen victim to a sophisticated cyberattack. The company negotiated its ransom down from $60 million to $40 million, and paid for the decryption key that it needed to continue operations.

A cybercrime syndicate called Phoenix claimed responsibility for the attack. The group used a type of malware called Phoenix Locker, which is itself a variant of the more popular Hades ransomware executable.

CNA Financials’ website remained closed for nearly two weeks after the attack. It only revealed the specifics of the attack two months after paying the ransom, when it was obligated by law to do so.

The Phoenix ransomware executable works by posing as a browser update. It tricks employees into installing the update, and then moves laterally throughout the network to gain higher privileges until it can successfully carry out phase two of the attack. It identifies sensitive data and then sends it outside the network before encrypting the data and launching the attack.

Data exfiltration protection would have prevented Phoenix from copying, compressing, and sending data from the CNA environment to the hacker’s cloud account. Investigators determined that the attackers wanted to blackmail users with their sensitive data. Without this data, attackers could not have successfully launched their attack or proven access to sensitive data.

The Colonial Pipeline attack is by far the most infamous of 2021 so far. A Russia-based hacking group called DarkSide has claimed responsibility for the attack, which focused on SCADA systems that connect operational systems with traditional IT networks that are internet-connected.

DarkSide successfully carried out their attack by focusing on Colonial Pipeline’s IT servers in its operational SCADA stack. Colonial Pipeline security professionals took the prudent action of taking down these systems before the attack spread, which contained the damage, but led to the sudden closure of a critical fuel pipeline, prompting a regional supply crunch that hurt consumers.

DarkSide breached Colonial Pipeline’s systems using compromised account credentials from a legacy operational system that did not feature dual-factor authentication. Attackers infiltrated the network and sent a compressed malware executable into the system.

DarkSide’s malware works by wiping the Recycle Bin and deleting volume copies using a non-restorable PowerShell script. It disables Windows services and targets terminated processes before recursively encrypting files until local and network shares are fully encrypted. It exfiltrates this data to an attacker-specified C2 server before deleting its own copy and posting the ransom note.

If Colonial Pipeline had deployed a data exfiltration solution, DarkSide’s malware would not have been able to exfiltrate its data to the C2 server. This would have interrupted the ransom process at its most critical moment. The malware would still contain its own copy of the data, which includes the decryption content. Mitigating the attack would be as simple as reaching into the malware and obtaining the decryption key it (still) contains.

One month after Colonial Pipeline fell to hackers, the largest meat packing company in the world also suffered a debilitating attack. JBS USA is the American subsidiary of JBS SA, a Brazil-based meat distribution firm. The company was able to mitigate some of the damage of the attack using backups, but it was still forced to temporarily pause operations and suffer expensive downtime.

JBS did not initially comment on whether it paid the attackers, and did not comment on its decision to close its North American plants for two days. Eventually the company admitted to paying $11 million to attackers in response to the threat of closure.

The attack did have costly ripple effects on the national meat supply chain, preventing supermarkets and restaurants from serving meat to their customers for much longer, and leading to price hikes as a result of the supply-side crunch.

The JBS attack actually began in February 2021, with initial reconnaissance pointing out structural vulnerabilities in the victim’s network. Cybercriminals carried out data exfiltration for months, starting as early as March and finishing this phase of the attack at the end of May. Hackers finalized the attack only after the exfiltration was complete, on June 1st.

JBS could have mitigated the entire attack using data exfiltration protection software. This would have made it impossible for hackers to spend months stealing data from the company without leaving obvious traces. Security alerts would have resulted in swift action that could have expelled the attackers well before the attack struck.

Kaseya is an IT services provider based in Florida that made headlines after falling victim to a large-scale ransomware attack claimed by REvil. This attack compromised between 800 and 1500 businesses around the world, with disruptive effects following end users throughout complex supply chains.

Kaseya’s case is unique because of the company’s place as a managed service provider with such a large customer base. The vast majority of these companies are small businesses, but the infrastructure of their IT supply chain links them closely together.

In this case, REvil targeted Kaseya’s virtual server appliance (VSA) solution, and claimed to hit 1 million endpoints throughout the entire supply chain. Kaseya’s VSA solution exists both as a cloud-based Software-as-a-Service (SaaS) solution and as an on-premises product.

REvil hackers compromised Kaseya’s VSA product by installing a malicious executable into the VSA system. The attack took place in multiple stages, with the first payload disabling Windows Defender and the second actually performing the ransomware encryption task.

If Kaseya has invested in data exfiltration protection, REvil would not have been able to distribute the second payload during their attack. The first payload would have been unable to communicate with the second, rendering the attack harmless. REvil would not have been able to demand its $70 million ransom.