The 5 most significant IT security incidents of the last 10 years
by Tina Siering
Cybercriminals are developing ever more sophisticated, increasingly complex tactics, techniques and procedures (TTPs) to reach their target. The number of zero-day exploits in particular has increased significantly in recent years. At the same time, the time span between vulnerabilities becoming known and being exploited by cybercriminals has become shorter and shorter, sometimes almost in real time. From SolarWinds to the OLE vulnerability Sandworm, some cyberattacks are particularly memorable:
1st place: SolarWinds hack and FireEye vulnerability
- Discovered on: 08.12.2020
- Patch released on: 13.12.2020
- Status: active
- CVE code: CVE-2021-35211
Security researchers at Trustwave are calling the supply chain attack on the SolarWinds Orion network monitoring tool the "most devastating breach of the decade". In the cyberattack, hackers exploited internal threat intelligence data from the vendor and Red Team tools from FireEye to install a malicious backdoor update. The update, called Sunburst, affected around 18,000 customers, including large enterprises and US government agencies. Sunburst enabled hackers to alter, steal or destroy data on customer networks. The actual number of victims hacked by Sunburst was less than 100, according to official figures - however, thousands of organisations downloaded the malware. Despite a patch being released very promptly, servers are still infected today. Because organisations cannot reliably detect the inactive attack vectors, cyberattacks are still taking place via the vulnerability. Professor Shital Thekdi of the University of Richmond, an expert in risk management and industrial and operational engineering, calls the SolarWinds attack unprecedented because it is capable of "causing significant physical consequences and also impacting critical infrastructure."
2nd place: EternalBlue exploit, WannaCry and NotPetya
- Discovered on: 14.04.2017
- Patch released on: 14.04.2017
- Status: active
- CVE Code: CVE-2017-0144
The EternalBlue exploit is used to spread two of the best-known and most feared ransomware families ever: WannaCry and NotPetya. Both have been used to attack thousands of systems worldwide, primarily in the healthcare sector. In the UK and Ukraine, the malware left a trail of devastation and caused severe damage. The exploit targeted a vulnerability that was patched almost immediately by Microsoft. Nevertheless, EternalBlue is still active: the IoT search engine Shodan (which scans the internet for open TCP/IP ports) lists over 7,500 systems vulnerable to EternalBlue. The EternalBlue exploit is dangerous for two reasons. First, it enables immediate remote access, and second, that access is unauthenticated, on virtually any unpatched Windows system. The exploit does not differentiate between privately used and business systems.
3rd place: Shellshock vulnerability in Bash shell
- Discovered on: 12.09.2014
- Patch released on: 24.09.2014
- Status: inactive
- CVE code: CVE-2014-7196
The "Bourne again Shell" (Bash) is the default shell on any Linux-based system. Every time a web-enabled process calls a shell - to process input or execute a command - it calls Bash to do so. The Shellshock vulnerability, discovered in 2014, is based on a flaw in the "Bourne again Shell" that had existed undiscovered for over 30 years. The vulnerability allowed attackers to take complete control of a system without having to know usernames and passwords. Although the vulnerability was closed with a patch in September 2014 and has since been considered inactive, Shellshock was still used for cyber attacks later on, most recently in the "Sea Turtle" hacker campaign in 2019, in which cybercriminals exploited Shellshock to gain access to protected systems by means of DNS hijacking.
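The root cause described above is that an unpatched Bash imports function definitions from environment variables and then runs whatever trails the function body, which is exactly what a web server hands a CGI script when it copies request headers into the environment. The following self-check is an added example, not code from the original article: it runs the publicly documented probe string against a local Bash and reports whether that binary is still affected. The function name `shellshock_check` and the optional path argument are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): a local, read-only check for
# whether the installed bash still honours function definitions smuggled in
# through environment variables, the root cause of Shellshock.
# Prints "vulnerable", "patched" or "bash-missing". Usage:
#   shellshock_check [/path/to/bash]

shellshock_check() {
    # Path to the bash binary under test; defaults to a PATH lookup (assumption).
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "bash-missing"
        return 0
    fi
    # The variable holds a function body followed by a trailing command.
    # A fixed bash imports only the function and ignores the trailing
    # command (it may warn on stderr, which is discarded here); an unfixed
    # bash executes it, so "VULNERABLE" shows up in the captured output.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}
```

Run it on every host that exposes a shell to web-facing processes after patching; on a fixed system the only output is "patched".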
4th place: BlueKeep and remote desktops as access vector
- Discovered on: 01.01.2018
- Patch released on: 01.04.2018
- Status: active
- CVE code: CVE-2019-0708
Since the Corona pandemic at the latest, remote working from home has become standard in many companies. But remote desktops had been targeted by cybercriminals before that. The focus was particularly on personal data and login information, so that ransomware could be installed on the mostly poorly secured systems. With the discovery of the dangerous BlueKeep vulnerability in 2019, the threat of remote desktops as a possible attack surface became more widely known. BlueKeep was able to spread "worm-like", i.e. without human intervention. The National Security Agency (NSA) classified the threat as extremely serious because "although Microsoft has released a patch, potentially millions of computers are still vulnerable." Even though the patch has been out for four years, BlueKeep is still active. There are over 30,000 vulnerable systems on Shodan.
5th place: OLE vulnerability Sandworm in Microsoft Windows
- Discovered on: 03.09.2014
- Patch released on: 15.10.2014
- Status: inactive
- CVE code: CVE-2014-4114
A vulnerability in "MS Object Linking and Embedding" (OLE), in the Windows operating system, discovered in 2014, was exploited by Russian cyber spies for attacks against NATO, Western and Ukrainian government organisations and against companies in the energy sector. The attackers specifically targeted critical infrastructures here. The OLE vulnerability was named after the Russian hacker group Sandworm.
Cybercriminals exploit the vulnerability using specially crafted Microsoft Office files into which remotely hosted OLE files are embedded. The vulnerability in Microsoft Object Linking and Embedding allows attackers to inject targeted malicious code into the compromised system. All operating system versions of MS Windows and Windows Server from 2008 and 2012 were affected. The vulnerability is currently considered inactive.
Conclusion: Effective patch management is indispensable as a protective measure
Even if companies react very promptly to zero-day exploits and apply the corresponding patches, this is no guarantee of comprehensive security, because there are not always updates available ad hoc. Furthermore, the focus often shifts to new vulnerabilities over time, which leads to older patches not being sufficiently taken into account.
As a result, the older a known vulnerability is, the more knowledge circulates in the relevant circles about how to exploit it, even with little skill. Systems that still carry such vulnerabilities are particularly easy targets for experienced hackers. In addition to the manufacturers, users are therefore primarily responsible for implementing regular and effective patch management.
Through proactive threat hunting using a solution for "managed detection and response", companies and organisations can ensure effective protection of their systems and networks so that potential attack patterns are recognised and stopped in time.