2021 Cyberthreat Retrospective and Why It Was a Bumpy Ride


2021 Was A Bumpy Ride 

The year started with the aftermath of the supply chain attack on SolarWinds (Radware, “SolarWinds Orion Supply Chain Attack,” 15 December 2020. [Online]. Available: https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/solarwinds-orion-supply-chain-attack) [1], followed closely by a ransomware attack that forced the executives of Colonial Pipeline to shut down their oil distribution (David E. Sanger, Clifford Krauss and Nicole Perlroth, “Cyberattack Forces a Shutdown of a Top U.S. Pipeline,” The New York Times, 8 May 2021. [Online]. Available: https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html) [2].

On January 8, law enforcement and judicial authorities worldwide took part in the arrest of operators behind Emotet, one of the most prolific banking trojans and malware-as-a-service platforms of the past decade (Europol, “World’s most dangerous malware EMOTET disrupted through global action,” 27 January 2021. [Online]. Available: https://www.europol.europa.eu/media-press/newsroom/news/world%e2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action) [3]. On January 26, the Netherlands police announced they took control of the Emotet botnet and were able to dismantle its infrastructure and seize data about its customers. The authorities leveraged the infrastructure to schedule an un-installation of the malware by April 25 (L. Abrams, “Europol: Emotet malware will uninstall itself on April 25th,” Bleeping Computer, 27 January 2021. [Online]. Available: https://www.bleepingcomputer.com/news/security/europol-emotet-malware-will-uninstall-itself-on-april-25th/) [4]. In the second half of 2021, Emotet reemerged (R. B. Yizhak, “The Re-Emergence of Emotet,” Deep Instinct, 30 November 2021. [Online]. Available: https://www.deepinstinct.com/blog/the-re-emergence-of-emotet) [5] more evasive than before with the help of Trickbot. Trickbot, itself a malware-as-a-service platform, demonstrated its survival instincts after reemerging in January 2021 (N. Shwarts, “TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?,” Security Intelligence, 26 January 2021. [Online]. Available: https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/) [6] following a takedown attempt by law enforcement in October of 2020.

In February, cyber specialists of the Security Service of Ukraine took down one of the most active cybercrime groups since the Maze shutdown, Egregor, and arrested its affiliates in an international raid between Ukrainian and French police (SBU, “СБУ заблокувала діяльність транснаціонального хакерського угруповання (SBU blocked the activities of a transnational hacker group),” SBU, 17 February 2021. [Online]. Available: https://ssu.gov.ua/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia) [7]. Egregor earned its destructive reputation after the group successfully breached Barnes & Noble and video game developers Crytek and Ubisoft in October of 2020. Also in February, the internet was restricted in Myanmar following a coup d’état, causing online blackouts during protests, and an internet curfew was imposed on the citizens of Myanmar.

“They’re being hacked faster than we can count.” 

In March, Microsoft released security updates for Microsoft Exchange Server to patch several vulnerabilities that could be chained together to perform unauthenticated remote code execution on Exchange servers, dubbed ProxyLogon (Radware, “ProxyLogon: Zero-Day Exploits In Microsoft Exchange Server,” 16 March 2021. [Online]. Available: https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/proxy-logon) [8]. The same day, Microsoft’s Threat Intelligence (MSTIC) reported discovering active zero-day exploits it attributed with high confidence to HAFNIUM (Microsoft Threat Intelligence Center (MSTIC), “HAFNIUM targeting Exchange Servers with 0-day exploits,” Microsoft, 2 March 2021. [Online]. Available: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) [9]. HAFNIUM is a China-based threat group that primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs. Volexity reported active exploitation of the zero-day as early as January 6 (Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, “Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities,” Volexity, 2 March 2021. [Online]. Available: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/) [10]. Krebs on Security reported hundreds of thousands of organizations being affected by the vulnerability worldwide and over 30,000 in the US alone (B. Krebs, “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software,” KrebsonSecurity, 5 March 2021. [Online]. Available: https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/) [11].
After public disclosure, malicious activity quickly ramped up. Several multi-national corporations disclosed attacks and ESET reported over 10 different APT groups were actively planting web shells in over 5,000 Exchange servers (Matthieu Faou, Mathieu Tartare and Thomas Dupuy, “Exchange servers under siege from at least 10 APT groups,” Welivesecurity by ESET, 10 March 2021. [Online]. Available: https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/) [12]. The DearCry and Black Kingdom ransomwares took advantage of the opportunity in an attempt to increase their victim count while the Lemon_Duck XMRig-based crypto mining malware claimed its fair share of victims. At some point, a security consultant at F-Secure said: “They’re being hacked faster than we can count” (D. Palmer, “Microsoft Exchange Server attacks: ‘They’re being hacked faster than we can count’, says security company,” ZDNet, 22 March 2021. [Online]. Available: https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/) [13].

The same month, the Cybersecurity & Infrastructure Security Agency (CISA) released a security advisory to address unauthenticated remote code execution vulnerabilities impacting F5 BIG-IP and BIG-IQ enterprise networking devices (CISA, “F5 Security Advisory for RCE Vulnerabilities in BIG-IP, BIG-IQ,” CISA, 10 March 2021. [Online]. Available: https://www.cisa.gov/uscert/ncas/current-activity/2021/03/10/f5-security-advisory-rce-vulnerabilities-big-ip-big-iq) [14]. The vulnerability could allow attackers to take full control over a vulnerable system. F5 did not release mitigations or details at the time, in an attempt to buy their customers more time to update their systems before exploits would be leveraged by malicious actors. However, several researchers thought it would be good to reverse engineer the F5 Java software patch and post a proof-of-concept exploit, causing a quick uptick in opportunistic mass scanning activity for exposed F5 systems (L. O’Donnell, “Critical F5 BIG-IP Flaw Now Under Active Attack,” Threatpost, 19 March 2021. [Online]. Available: https://threatpost.com/critical-f5-big-ip-flaw-now-under-active-attack/164940/) [15].

Also in March, four criminals were arrested in Barcelona for their involvement with FluBot, a mobile banking trojan that infected an estimated 60,000 mobile devices through smishing (a form of phishing delivered through SMS). Authorities took down the command-and-control infrastructure of FluBot, but saw the malicious campaign restored within days after the takedown, again with a little help from the Trickbot malware-as-a-service platform (C. Cimpanu, “Despite arrests in Spain, FluBot operations explode across Europe and Japan,” The Record, 26 April 2021. [Online]. Available: https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/) [16].

In April, Pulse Secure reported (Pulse Secure, “SA44784 – 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4,” Pulse Secure, April 2021. [Online]. Available: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784) [17] a remote command execution vulnerability in its Pulse Secure VPN software with a CVSS score of 10, following reports of zero-day exploits and malicious actors bypassing single and multifactor authentications on Pulse Secure VPN. According to Mandiant (Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels, “Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day,” Mandiant, 20 April 2021. [Online]. Available: https://www.mandiant.com/resources/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day) [18], a range of different exploits, combined with a previously unknown vulnerability, allowed threat groups with suspected ties to the Chinese government to bypass authentication and maintain access through web shells that persist across upgrades in several defense, government and financial organizations. Mandiant dubbed the exploits Slowpulse, Slightpulse, Hardpulse, Quietpulse, Radialpulse, Thinblood, Atrium, Pacemaker, Pulsecheck and Pulsejump.

“Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits” 

Also in April, a group of University of Minnesota researchers got banned from the Linux codebase as they were caught submitting a series of malicious code commits that deliberately introduced security vulnerabilities in the official Linux codebase as part of their research activities. They published a paper at the IEEE Symposium on Security and Privacy entitled, “Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits.” The Linux Foundation did not take the experiment very well and banned the researchers (A. Sharma, “Linux bans University of Minnesota for committing malicious code,” BleepingComputer, 21 April 2021. [Online]. Available: https://www.bleepingcomputer.com/news/security/linux-bans-university-of-minnesota-for-committing-malicious-code/) [19]. The event could be considered a heads-up and precursor for what would happen later in the year, when the Log4j open source logging library vulnerability shook up the security industry and many were confronting the maintainers of the library who needed several updates to fix all vulnerabilities. Open source contributors have conflicting interests and the reality of a business’ urgency does not always match the best effort support that contributors of such projects provide in their spare time.

In May, ransom DDoS made another entrance with a campaign targeting unprotected assets (Radware, “Ransom DDoS Update: The Hunt For Unprotected Assets,” 11 June 2021. [Online]. Available: https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/ransom-ddos-update-hunt-for-unprotected-assets/) [20]. The attackers, this time, chose a new moniker, ‘Fancy Lazarus,’ which is an association between Fancy Bear (Russia) and Lazarus Group (North Korea), in an attempt to instill more fear in their victims.

In the meantime, Colonial Pipeline paid DarkSide a $4.4 million ransom, of which the majority would be recovered by the US Department of Justice in subsequent actions against the DarkSide ransomware operators (V. Romo, “U.S. Has Recovered Some Of The Millions Paid In Ransom To Colonial Pipeline Hackers,” npr, 7 June 2021. [Online]. Available: https://www.npr.org/2021/06/07/1004050873/u-s-retrieves-some-of-the-colonial-pipeline-ransom) [21]. JBS Foods was impacted by the REvil ransomware and paid an $11 million ransom (B. Campbell, “JBS Paid An $11 Million Ransom To Cyberattackers,” npr, 9 June 2021. [Online]. Available: https://www.npr.org/2021/06/09/1004964822/jbs-paid-an-11-million-ransom-to-cyberattackers) [22] while Fujifilm had to shut down its network after being attacked by the same REvil group (L. Abrams, “FUJIFILM shuts down network after suspected ransomware attack,” BleepingComputer, 2 June 2021. [Online]. Available: https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/) [23].

“Nearly 2000% increase in VPN attacks as organizations embrace a hybrid workplace” 

In June, North Korean attackers breached South Korea’s atomic research agency through a VPN exploit (C. Cimpanu, “North Korean hackers breach South Korea’s atomic research agency through VPN bug,” The Record, 19 June 2021. [Online]. Available: https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/) [24].

Nuspire released a report (Help Net Security, “VPN attacks up nearly 2000% as companies embrace a hybrid workplace,” Help Net Security, 15 June 2021. [Online]. Available: https://www.helpnetsecurity.com/2021/06/15/vpn-attacks-up/) [25] outlining an increase of nearly 2000% in VPN attacks as organizations embrace a hybrid workplace. Q1 2021 saw an increase of 1,916% in attacks against Fortinet’s SSLVPN and a 1,527% increase in Pulse Connect Secure VPN.

Also in June, Agari researchers planted phony passwords on the web and discovered how extremely quick attackers were to test the usernames and passwords (Agari by HelpSystems, “Anatomy of a Compromised Account,” Agari, 8 June 2021. [Online]. Available: https://www.agari.com/insights/whitepapers/anatomy-compromised-account/) [26] (D. Palmer, “This is how fast a password leaked on the web will be tested out by hackers,” ZDNet, 8 June 2021. [Online]. Available: https://www.zdnet.com/article/this-is-how-fast-a-password-leaked-on-the-web-will-be-tested-out-by-hackers/) [27]. 20% of the passwords were accessed within the hour, 40% within six hours and 50% of the access credentials were abused within 12 hours. They also observed how all of the accounts were accessed manually and not by automated bots.

Hackers were able to break into EA games through Slack by purchasing a batch of stolen cookies being sold online for $10 (J. Cox, “How Hackers Used Slack to Break into EA Games,” Vice, 11 June 2021. [Online]. Available: https://www.vice.com/en/article/7kvkqb/how-ea-games-was-hacked-slack) [28]. In the meantime, a remote command execution vulnerability in the vSAN health check plugin of VMware’s vCenter, with a CVSS score of 9.8, was being actively exploited following a blog published by Windy containing all the details required to weaponize the vulnerability (Radware, “Mass Scanning For VMWare vCenter RCE,” Radware, 7 June 2021. [Online]. Available: https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/mass-scanning-vmware-vcenter-rce/) [29]. vSphere was already the subject of another 9.8 CVSS remote command execution vulnerability in February, with two functioning exploits published within 24 hours of the disclosure.

Supply chain attacks were also accounted for in June as Sonatype caught a new malicious cryptojacking Python package leveraging typosquatting in package names and infiltrating the PyPI repository to secretly pull cryptominers on affected systems (A. Sharma, “Sonatype Catches New PyPI Cryptomining Malware,” Sonatype, 21 June 2021. [Online]. Available: https://blog.sonatype.com/sonatype-catches-new-pypi-cryptomining-malware-via-automated-detection) [30]. The malicious PyPI packages were downloaded almost 5,000 times.

You’ve reached the middle of the year! Let’s move on to the lowlights of the second half of 2021. 

On July 2nd, just before the holiday weekend of the US Independence Day, Kaseya, an American software company that develops software for managing networks, systems, and information technology infrastructure, had its remote monitoring and management software compromised. In this supply chain attack, many of the managed service partners and customers using the software became victims of a ransomware attack perpetrated by the REvil group causing widespread downtime for over 1,000 organizations. REvil initially asked for a $70 million ransom payment to release a universal decryptor to unlock all affected systems. After a phone call between United States President Joe Biden and Russian President Vladimir Putin, Biden told the press, “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.” Biden later added that the United States would take the group’s servers down if Putin did not. On 13 July 2021, REvil websites and other infrastructure vanished from the internet. On 23 July 2021, Kaseya announced it had received a universal decryptor tool for the REvil-encrypted files from an unnamed “trusted third party” and was helping victims restore their files (Wikipedia, “Kaseya VSA Ransomware attack,” Wikipedia, 2021. [Online]. Available: https://en.wikipedia.org/wiki/Kaseya_VSA_ransomware_attack) [31].

Also in July 2021, the author behind the peer-to-peer Mozi IoT botnet was arrested by law enforcement (360 Netlab, Twitter, 28 July 2021. [Online]. Available: https://twitter.com/360Netlab/status/1420390398825058313) [32]. Until the end of the year and going into the new year, Mozi did not show any signs of slowing down its infectious activity. The peer-to-peer nature of the botnet makes it persist without a need for command-and-control infrastructure or operator. It could be a while before Mozi decays.

Cloudflare reported (P. Yoachimik, “Cloudflare thwarts 17.2M rps DDoS attack — the largest ever reported,” Cloudflare, 19 August 2021. [Online]. Available: https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/) [33] a 17.2 million request per second DDoS attack on a financial industry customer. The attack was a 30 second burst and consisted of 20,000 bots.

Researchers of the University of Colorado Boulder and the University of Maryland published an academic research paper that discloses new ways to abuse a flaw in 200 million internet exposed middleboxes and generate massive DDoS attacks (Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, and Dave Levin, “Weaponizing Middleboxes for TCP Reflected Amplification,” 12 August 2021. [Online]. Available: https://geneva.cs.umd.edu/posts/usenix21-weaponizing-censors/) [34]. Their paper titled ‘Weaponizing Middleboxes for TCP Reflected Amplification’ explains how thousands of publicly accessible IP addresses can amplify TCP attacks with amplification factors up to 100,000,000.

In August, as the growth in DDoS-for-Hire continues amidst the pandemic, bot herders behind IPstress, in an unprecedented move, published a press release (GetNews, “IPStress offers one of the finest ddos for hire service,” Digital Journal, 10 August 2021. [Online]. Available: https://www.digitaljournal.com/pr/ipstress-offers-one-of-the-finest-ddos-for-hire-service) [35] to advertise their capabilities in a mediatized PR article titled ‘IPStress offers one of the finest DDoS for hire service.’ In the meantime, Dark.IoT, a fast growing botnet that is adding new exploits in record time, was found leveraging a supply chain vulnerability in a Realtek Chipset SDK impacting IoT devices from 65 manufacturers within days of its public disclosure (Radware, “Dark.IoT Botnet,” Radware, 24 August 2021. [Online]. Available: https://www.radware.com/security/threat-advisories-and-attack-reports/dark-iot-botnet/) [36].

Also in August, UpGuard discovered 38 million records exposed by misconfigured Microsoft Power Apps (UpGuard, “By Design: How Default Permissions on Microsoft Power Apps Exposed Millions,” UpGuard, 23 August 2021. [Online]. Available: https://www.upguard.com/breaches/power-apps) [37]. Power Apps is a service for making ‘low code’, cloud-hosted business intelligence apps. Among the entities identified were state and municipal government bodies in Indiana, Maryland, and New York City, and private enterprises like American Airlines, Ford, JB Hunt, and Microsoft itself. As per UpGuard and based on the Power App documentation, the default permissions are by design.

In another data leak, a database containing 1.9 million records with names and personal details of individuals on the FBI terrorist watchlist was discovered on a Bahrainian server (C. Cimpanu, “1.9 million records from the FBI’s terrorist watchlist leaked online,” The Record, 16 August 2021. [Online]. Available: https://therecord.media/1-9-million-records-from-the-fbis-terroris-watchlist-leaked-online/) [38]. The database was indexed by the internet search engines Censys and ZoomEye.

“DDoS attack cost Bandwidth.com nearly $12 million.” 

In September, after a two-month hiatus, REvil fully returned after what they claimed to be ‘their holidays,’ and started attacking new victims and publishing stolen files on their data leak site (L. Abrams, “REvil ransomware is back in full attack mode and leaking data,” BleepingComputer, 11 September 2021. [Online]. Available: https://www.bleepingcomputer.com/news/security/revil-ransomware-is-back-in-full-attack-mode-and-leaking-data/) [39]. Around the same time, a threat actor leveraged REvil’s name and reputation in a ransom letter tied to a Ransom DDoS campaign targeting VoIP service providers (T. Richardson, “UK VoIP telco receives ‘colossal ransom demand’, reveals REvil cybercrooks suspected of ‘organised’ DDoS attacks on UK VoIP companies,” The Register, 2 September 2021. [Online]. Available: https://www.theregister.com/2021/09/02/uk_voip_telcos_revil_ransom/) [40]. The DDoS attacks would cause service disruption for many of the targeted VoIP providers in the UK and Canada.

Also in September, Yandex and Qrator reported (Qrator, “Mēris botnet, climbing to the record,” Qrator Labs, 9 September 2021. [Online]. Available: https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/) [41] mitigating a 21.8 million request per second DDoS attack, breaking the earlier record of 17.2 million reported over summertime by Cloudflare. The attack was performed by an alleged botnet Qrator dubbed Mēris (Latvian word for plague) and reportedly consisting of 56,000 infected MikroTik RouterOS devices (MikroTik is a Latvian manufacturer). All attacks reported by Yandex and Qrator lasted no longer than 60 seconds. Following the public disclosures and research by Yandex and Qrator, the operators behind LockBit, a Ransomware-as-a-Service platform, put out a request on XSS, a Russian-speaking hacking forum, to hire the operators behind the Mēris botnet.

On September 14th, Wiz Research Team disclosed (N. Ohfeld, “OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers,” WIZ, 14 September 2021. [Online]. Available: https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/) [42] a set of vulnerabilities they discovered in the Azure Open Management Infrastructure (OMI) agent, including an unauthenticated remote command execution that allows attackers access as root to Linux virtual instances that have the management agent enabled. Every Linux instance deployed in Azure by default receives the OMI agent. They dubbed the vulnerability ‘OMIGOD!’. In the meantime, Dark.IoT added two new exploits (Radware, “Dark.IoT, OMIGOD & UDP Technology Update,” Radware, 21 September 2021. [Online]. Available: https://www.radware.com/security/threat-advisories-and-attack-reports/dark-iot-omigod-update/) [43], one based on OMIGOD and another based on a supply chain command injection vulnerability impacting IP cameras using firmware by UDP Technology, which was disclosed by RandoriSec in July 2021 (A. Titouan Lazard, “UDP Technology IP Camera vulnerabilities,” Randorisec, 8 July 2021. [Online]. Available: https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/) [44]. Dark.IoT also added new defense evasions and increased its payload attack vectors to a total of 13 different DDoS attacks.

On September 16, Matthew Gatrel (32) and Juan Martinez (28) were convicted of federal criminal charges for operating two DDoS-for-hire services: downthem[.]org and ampnode[.]com (The United States Attorney’s Office, Central District of California, “Illinois Man Convicted of Federal Criminal Charges for Operating Subscription-Based Computer Attack Platforms,” 16 September 2021. [Online]. Available: https://www.justice.gov/usao-cdca/pr/illinois-man-convicted-federal-criminal-charges-operating-subscription-based-computer) [45].

“The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.” 

Also in September, VMware disclosed (VMWare, “VMware vCenter Server updates address multiple security vulnerabilities,” VMWare, 21 September 2021. [Online]. Available: https://www.vmware.com/security/advisories/VMSA-2021-0020.html) [46] a new remote command execution vulnerability in vCenter with a CVSS score of 9.8, urging its users to patch immediately. The VMware website stated (C. Duckett, “RCE is back: VMware details file upload vulnerability in vCenter Server,” ZDNet, 22 September 2021. [Online]. Available: https://www.zdnet.com/article/rce-is-back-vmware-details-file-upload-vulnerability-in-vcenter-server/) [47]: “The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.”

On September 28, a coordinated strike between the French Gendarmerie, Ukrainian Police and the U.S. Federal Bureau of Investigation, with coordination of Europol and INTERPOL, led to the arrest in Ukraine of two prolific ransomware operators. The operators were tied to gains of between €5 and €70 million (Europol, “Ransomware gang arrested in Ukraine with Europol’s support,” Europol, 17 Nov 2021. [Online]. Available: https://www.europol.europa.eu/media-press/newsroom/news/ransomware-gang-arrested-in-ukraine-europol%e2%80%99s-support) [48].

October started where September ended with the actor claiming to be REvil continuing to cause problems for VoIP providers. Several DDoS attacks impacted UK VoIP operators Voipfone and Voip Unlimited. Later in the year, Bandwidth.com went on record that these DDoS attacks caused a $700,000 dent in their Q3 revenues and would cost them close to $12 million (J. Greig, “DDoS attack cost Bandwidth.com nearly $12 million,” ZDNet, 8 November 2021. [Online]. Available: https://www.zdnet.com/article/ddos-attack-cost-bandwidth-com-nearly-12-million/) [49] in actual and reputational damages.

On Monday, October 11, the Dutch police sent a final warning to 29 users that paid for illegal DDoS services on the DDoS-for-Hire website MineSearch.rip (P. Nederland, “Kopers van DDoS-aanval krijgen waarschuwing van cybercrimeteam (Buyers of DDoS attack receive warning from cybercrime team),” Politie.nl, 11 October 2021. [Online]. Available: https://www.politie.nl/nieuws/2021/oktober/11/03-kopers-van-ddos-aanval-krijgen-waarschuwing-van-cybercrimeteam.html) [50]. The Dutch authorities took down and seized all records of MineSearch.rip in July 2020. The 29 people received the following message, translated from Dutch: “We have registered you in our system and you will now receive a final warning. If similar incidents occur in the future, we will prosecute. In that case, take into account a conviction, criminal record and the loss of your computer and/or laptop.”

The REvil ransomware group shut down its operation for the second time after the group’s new administrator, 0_neday, reported that a third party had compromised their infrastructure (C. Cimpanu, “REvil gang shuts down for the second time after its Tor servers were hacked,” The Record, 18 October 2021. [Online]. Available: https://therecord.media/revil-gang-shuts-down-for-the-second-time-after-its-tor-servers-were-hacked/) [51]. Several affiliates were still trying to recover funds stolen by UNKN, the group’s first admin that closed shop and took off on July 13th. The group’s developers were also believed to have been hiding a backdoor inside their code that allowed the REvil admins to provide decryption keys to victims directly and force affiliates out of ransom negotiations and their ransom payment cut. REvil went offline again on October 17th. Reuters later reported that the US government was behind the takedown (Joseph Menn and Christopher Bing, “Governments turn tables on ransomware gang REvil by pushing it offline,” Reuters, 22 October 2021. [Online]. Available: https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/) [52]. The previously compromised group’s infrastructure was allegedly restored from backup when REvil returned to business in September, restoring the government’s access to their infrastructure in the process. The actions by the US government caused quite a stir in the ransomware world and actors started showing signs of nervousness for the first time. The most significant blow to ransomware would not be dealt in 2021, but did come in January of this year, when Russian authorities arrested 14 alleged members of the REvil ransomware gang on Russian soil.

Also in October, Talos reported exploits in the wild leveraging an earlier disclosed vulnerability in Apache HTTP Server (TALOS, “Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers,” TALOS, 7 October 2021. [Online]. Available: https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html) [53]. The vulnerability was a path traversal and file disclosure vulnerability that could allow an attacker to map URLs outside of the web server’s document root. The first fix for the vulnerability was insufficient and led to another new vulnerability that was fixed subsequently.

Two new authentication bypasses in Dahua cams were discovered and disclosed (bashis, “Dahua authentication bypass.txt,” Github, 6 October 2021. [Online]. Available: https://github.com/mcw0/PoC/blob/master/Dahua%20authentication%20bypass.txt) [54]. Later in October, Best Buy, Home Depot and Lowes dropped Dahua Lorex products (IPVM Team, “Best Buy, Home Depot and Lowes Drop Dahua Lorex,” IPVM, 25 October 2021. [Online]. Available: https://ipvm.com/reports/lorex-box) [55] and took them off of the shelves following reports of Dahua products being deemed a threat to U.S. national security by the U.S. FCC (John Honovich and Charles Rollet, “US FCC: Dahua and Hikvision “Deemed A Threat” To National Security,” IPVM, 15 March 2021. [Online]. Available: https://ipvm.com/reports/fcc-hikua) [56] and sanctions on Dahua for human rights violations and abuses by the U.S. government (J. Honovich, “Hikvision and Dahua Sanctioned for Human Rights Abuses,” IPVM, 7 October 2019. [Online]. Available: https://ipvm.com/reports/sanction-hikua) [57].

Schreiber Foods, Wisconsin, in an undisclosed cyber incident, had to close its plant and distribution center for several days in October leading to a cream cheese shortage in the US (Elizabeth Elkin and Deena Shanker, “That cream cheese shortage you heard about? Cyberattacks played a part,” Bloomberg, 9 December 2021. [Online]. Available: https://www.bloomberg.com/news/articles/2021-12-09/that-cream-cheese-shortage-you-heard-about-cyberattacks-played-a-part) [58]. Earlier in the year, ransomware attacks on JBS, New Cooperative and Crystal Valley Cooperative (T. Starks, “‘Cyber event’ knocks dairy giant Schreiber Foods offline amid industry ransomware outbreak,” Cyberscoop, 27 October 2021. [Online]. Available: https://www.cyberscoop.com/schreiber-foods-cyber-event-ransomware-agriculture-food/) [59] demonstrated that the food supply chain is vulnerable, causing the Federal Bureau of Investigation to release a Private Industry Notification about criminals targeting the food and agricultural sector with ransomware attacks (FBI, “Cyber Criminal Actors Targeting the Food,” DHS-CISA, 1 September 2021. [Online]. Available: https://s3.documentcloud.org/documents/21053966/fbi-bc-cyber-criminal-actors-targeting-the-food-and-agriculture-sector-with-ransomware-attacks.pdf) [60].

In December, Dark.IoT was found abusing a recently disclosed vulnerability that allows it to hijack TP-Link routers [61]. While there are several DDoS botnets actively targeting routers, the Dark.IoT operator must be one of the most active botnet developers of 2021.

[61] C. Cimpanu, “TP-Link routers under attack from Dark.IoT botnet,” The Record, 9 December 2021. [Online]. Available: https://therecord.media/tp-link-routers-under-attack-from-dark-iot-botnet/.

“Truly one of the most significant security threats of the past decade” 

The year ended with a vulnerability in a pervasively used logging component that an incredibly large number of Java-based services and software rely on. On December 9th, 2021, a publicly disclosed Log4j vulnerability took the security community by storm. The vulnerability allowed an unauthenticated attacker to leverage publicly available exploits for remote command execution (RCE) and was considered the most critical vulnerability of 2021. Some argued it was the worst vulnerability of the decade.

Authorities dealt some serious blows to organized crime in 2021, both in the physical and virtual realms. Drug trafficking saw a record level of arrests in Europe thanks to earlier events where European police hacked encrypted phones used by thousands of criminals. In the virtual world, hacking back and an agreement between the east and the west dealt a serious blow to ransomware. The road got bumpier for ransomware operators and affiliates, and the outlook for Russian crime groups exclusively operating outside of Russian borders is becoming even darker now that Russian authorities have arrested members of REvil on their own soil.

2021 was the year where Ransom DoS confirmed its pervasive presence in the DDoS threat landscape. 

Download the 2021 – 2022 Global Threat Analysis Report.

‘2021 was a bumpy ride’ is based on the monthly Radware Threat Researchers’ Live YouTube streams. More context and information are provided in the videos [here]. Join the threat researchers as they go live every last Thursday of the month and stay in touch with the most important cybersecurity news and events throughout 2022!


As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team, Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime, and closely follows new developments in threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper, working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal became skilled in several programming languages, designed industrial sensor networks, automated and developed PLC systems, and led security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.


  1. Malware assaults will continue to climb by 2022. Supply chain assaults are still on the rise, and hackers will find them to be a lucrative target in the next year.

