High-profile attacks made their way onto front-page headlines over and over again in 2021 with an increase in nation-state threats, governments proactively shutting down online services to prevent attacks, infrastructure attacks, and more. And this is on top of the background noise of new vulnerabilities, zero-days, and rising ransomware costs.
Giving up obviously isn’t the answer. And in fact, there’s a lot you can do to protect your organization.
According to a report by the U.S. Cybersecurity and Infrastructure Authority (CISA), most organizations that are attacked haven’t done enough to protect themselves. Examining recent security news can help us discover some of the problems and adopt best practices going forward.
Let’s look at last year’s most headline-worthy CVEs and the vulnerability trends they reveal, along with takeaways that can help your organization stay protected.
Trend: Ransomware (CVE 2021-1472 and others)
Looking Back at 2021
Probably the biggest security news story of 2021 was the Colonial Pipeline incident, but it was unfortunately just one of many ransomware attacks. For instance, there was the Conti ransomware-as-a-service (RaaS) attack, which crippled Ireland’s national healthcare service and may wind up costing over $100M.
While Conti entailed several means of attack, two prominent vectors are well-known vulnerabilities:
- CVE-2021-34527, PrintNightmare (Microsoft Windows Print Spooler)
- CVE-2020-1472, ZeroLogon (Active Directory Domain Controller)
Ransomware isn’t new, but its trajectories are becoming larger and more audacious:
- Attacks targeting bigger victims (MSPs, government, critical infrastructure)
- Bigger attackers (APTs, nation-state actors such as Russia)
- Attacks with bigger repercussions (attacks on software supply chains, healthcare)
Predictions for 2022 and Beyond
Physical supply chains are more interconnected than ever with critical business information systems, so it’s essential to get a handle on your environment and keep yourself safe. Attackers will continue to take advantage of older vulnerabilities (“low-hanging fruit”) as well as newer devices coming on line through OT, IoT, and more.
SECURITY TAKEAWAY: Guard Your Entire Environment
With the growth of IoT and distributed networks, it’s no longer sufficient to patrol the edge of your network. Don’t wait to see how well-defended your software supply chains are (or your vendors’). Take the time to protect your entire environment, including legacy systems, to cut the risk that you’ll be affected by the next big headline.
Trend: Bug Bounties (CVE-2021-22005 and others)
Looking Back at 2021
The VMware Trivial Remote Exploit vulnerability gave attackers control of vCenter Server, the central management utility for the leading cloud system and service management platform in the world. This vulnerability is very easy to exploit and was found to have been exploited in the wild, which explains its CVSS score of 9.8 out of 10.
While a patch was made available for versions 6.5 and up, critics are suggesting that the PoC for this vulnerability got out, at least in part, because VMware doesn’t have a bug bounty program—which may have left the company vulnerable. As payments for bug bounties have grown in recent years, companies may discover that handing out big cash payouts could have a darker side—driving security researchers to demand larger and larger payments, regardless of which side the money is coming from.
Predictions for 2022 and Beyond
If the critics are correct, bug bounty programs may soon start losing their effectiveness.
Microsoft has started lowering payments to security researchers, leading to protests in the community, like from Abdelhamid Naceri explaining why he’d published his PoC on GitHub rather than submitting it to Microsoft: “Microsoft bounties has been trashed since April 2020, I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties,” explained Naceri.
Other security researchers have expressed similar frustrations with Apple’s bug bounty program.
If that trend continues, so-called “ethical” hackers may start taking their PoCs to the highest bidder. That could mean selling them on the dark web rather than taking them straight to the vendor.
SECURITY TAKEAWAY: Shorten Time to Remediation
Most vendors don’t rely exclusively on their bug bounty programs and stay on top of vulnerabilities in multiple ways. They are also generally very quick to release fixes.
In fact, most organizations’ security suffers from a different problem entirely: A patch has already been released, but they haven’t had the time and resources to remediate the vulnerability yet across all their systems. By implementing a platform with predictive patching and automation, you’ll be able to shorten time to remediation and keep your org safe against emerging threats.
Trend: Log4Shell (CVE-2021-44228 and others)
Looking Back at 2021
The Log4Shell zero-day broke into the headlines practically on the eve of the new year. On the one hand, this was yet another remote code execution (RCE) vulnerability—this one affecting all systems using the Apache Software Foundation’s open-source Log4j library—in a year that brought RCE vulnerabilities to light. But on the other hand, it has much-farther-reaching consequences due to the ubiquity of Log4j and the number of versions involved.
Once attacked, systems can be exploited for coin mining, lateral movement (exposing sensitive data and endpoints), and Cobalt Strike, a favorite of APTs and large hacker groups.
As Apache scrambled to fix Log4Shell in early 2022, a number of new vulnerabilities emerged:
- CVE-2021-45046
- CVE-2021-45105
(Not sure if your application is affected? You should check this list immediately. Beyond rolling out the necessary patches, indicators of compromise are available from Microsoft here.)
Amit Yoran, who founded the U.S. Computer Emergency Readiness Team, has been quoted as saying, “The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade.”
The main lesson from Log4Shell isn’t just the vast number of systems involved, but also that the vulnerability is relatively easy to exploit, requiring very little technical skill. Plus, there are so many ways to exploit the vulnerability that it is very difficult to mitigate. That’s why, even as of February 2022, many organizations were still struggling, working overtime and weekends, to remediate Log4Shell.
Predictions for 2022 and Beyond
This isn’t the last we’ve heard of Log4j; this vulnerability will be resonating for months to come. The rich feature set of Log4j has clearly exposed its downside, and ideally, developers will come away far more cautious about only including libraries that are absolutely necessary and only enabling features that provide business benefit to the application.
SECURITY TAKEAWAY: Automate Patch Rollout
With new patches coming out so frequently to fix problems as they emerge, stay secure with a reliable patching platform with automation and intelligent prediction to ensure you get all the latest relevant patch releases for all your systems.
JetPatch Keeps You Safe
The vulnerability landscape is constantly changing, but looking again at the CISA report, the top recommendation to stay ahead of emerging vulnerabilities is “implementing a centralized patch management system.”
While there are still zero-days from time to time, studies show that many attackers are continuing to exploit old vulnerabilities. That’s why, more than ever in 2022, you need a centralized way to manage all your patching.
JetPatch is a single solution that gives you:
- A single, clear console view into all your endpoints, across your entire environment
- The latest updates, classified according to their relevance and priority for your business
- Smarter, simpler remediation with automation and predictive patching
Bring down your total time to remediation and stay ahead of all the emerging security trends. JetPatch is simply the best way to ensure business continuity in the changing world of vulnerability and cyber risk management.
