INTERPOL and Nigerian Police bust business email compromise ring, arrest 11

Read Time:27 Second

INTERPOL and the Nigerian Federal Police today announced the arrests of 11 business email compromise (BEC) actors in Nigeria as part of an international operation to disrupt and tackle sophisticated BEC cybercrime. Many of the suspects are thought to be members of SilverTerrier, a network known for BEC scams that have impacted thousands of companies globally. The results are the latest example of industry and law enforcement efforts to thwart BEC activity, the most common and costly cyberthreat facing organizations.

To read this article in full, please click here

Read More

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Read Time:31 Second

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Read More

Researchers Hack Olympic Games App

Read Time:1 Minute, 50 Second

Researchers Hack Olympic Games App

Cybersecurity researchers in Canada have found a “devastating flaw” in the MY2022 app, designed for use by attendees of this year’s Winter Olympic Games in Beijing.

The vulnerability was discovered by the Citizen Lab – an academic research laboratory based at the Munk School of Global Affairs at the University of Toronto.

In findings published Tuesday, researchers said that the flaw allows encryption that protects users’ voice audio and file transfers to be “trivially sidestepped.”

Researchers warned: “Health customs forms which transmit passport details, demographic information and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.”

The Citizen Lab reported its findings to the app’s vendor but did not respond.

“While the vendor did not respond to our security disclosure, we find that the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection, providing potential avenues for future redress,” stated researchers. 

The German Olympic Sports Confederation (DOSB) said that downloading the app has been mandated for travelers seeking entry to the People’s Republic of China to attend the 2022 Winter Olympic Games.

“Without My 2022 there is no immigration into China according to the Beijing playbooks,” said the DSOB.

The confederation shared some cybersecurity advice it had received from the German Federal Institute of Information Security (BSI) regarding the MY2022 app.

“Our athletes are being equipped with a smartphone from IOC partner Samsung in Beijing. BSI recommends using MY2022 on these devices in China and deinstalling it at home,” it said. 

The International Olympic Committee (IOC) stated that MY2022 users could configure the app to disable access to features including files, media, calendar, camera, contacts, microphone and location data. 

Many countries have planned a diplomatic boycott of the Beijing Olympics over China’s record of human rights violations, including the systemic abuse of the Uyghur and other minority ethnic communities.

Boycotts have been planned by the UK, United States, Lithuania, New Zealand, Scotland, Australia, Canada, Latvia, Estonia, Belgium, Austria, Japan, Netherlands, Denmark and Sweden.

Read More

Ransomware Attack on Moncler

Read Time:1 Minute, 49 Second

Ransomware Attack on Moncler

Cyber-criminals have stolen data from Italian luxury fashion brand Moncler and published it on the dark web.

The maker of down jackets confirmed Tuesday that it had suffered a data breach after being attacked by the AlphV/BlackCat ransomware operation in December. 

Attackers hit Moncler in the final week of 2021, causing a temporary outage of its IT services which delayed shipments of goods ordered online.

Some data stolen in the incident was published online on Tuesday after Moncler refused to pay a ransom to its attackers. 

Data compromised in the security incident relates to Moncler employees, former employees, suppliers, consultants, business partners and some customers registered on the company’s website.

Moncler said in a statement: “​While the investigation related to the attack is still ongoing, Moncler confirms that the stolen information refers to its employees and former employees, some suppliers, consultants and business partners, as well as customers registered in its database. 

“With regard to information linked to customers, the company informs that no data relating to credit cards or other means of payment have been exfiltrated, as the company does not store such data on its systems.”

The fashion brand said that the brief interruption to the logistical side of its operation had not put a major dent in its profits. 

“Data breaches are part of the web attack lifecycle and continue to fuel Account Takeover (ATO) and credential stuffing attacks. Therefore, we need to protect the apps that power our daily lives by disrupting the web attack lifecycle,” commented Kim DeCarlis, CMO at cybersecurity company PerimeterX.

They added: “This includes stopping the theft, validation and fraudulent use of account and identity information everywhere along the digital journey.” 

Trevor Morgan, product manager with data security specialists comforte AG, said that data-dependent businesses need to assume that they are a target for cyber-criminals.

“Squirreling sensitive data away behind protected perimeters won’t cut it anymore as a defensive measure,” said Morgan. 

He added: “Only robust data-centric security, such as tokenization or format-preserving encryption applied directly to sensitive data elements, can help mitigate the situation if the wrong hands get ahold of your data.”

Read More

Drupal core – Moderately critical – Cross site scripting – SA-CORE-2022-002

Read Time:1 Minute, 59 Second
Project: 
Date: 
2022-January-19
Vulnerability: 
Cross site scripting
Description: 

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. In addition to the issue covered by SA-CORE-2022-001, further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:

CVE-2021-41182: XSS in the altField option of the Datepicker widget
CVE-2021-41183: XSS in *Text options of the Datepicker widget

Furthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the jQuery Update module:

CVE-2016-7103: XSS in closeText option of Dialog
CVE-2010-5312: XSS in the title option of Dialog (applicable only to the jQuery UI version included in D7 core)

It is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.

This advisory is not covered by Drupal Steward.

Important note regarding the jQuery Update contrib module

These backport fixes in D7 have also been tested with the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2) and the fixes confirmed. Therefore, there is no accompanying security release for jQuery Update.

However, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by Drupal Security Team when new jQuery security issues arise.

Please check the jQuery Update project page for more details, and for announcements when the changes are made to supported releases.

Solution: 

Install the latest version:

If you are using Drupal 7, update to Drupal 7.86

Reported By: 
Fixed By: 
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Lauri Eskola

Read More

Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2022-001

Read Time:1 Minute, 21 Second
Project: 
Date: 
2022-January-19
Vulnerability: 
Cross Site Scripting
Description: 

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

CVE-2021-41184: XSS in the `of` option of the `.position()` util

It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site description issue, without making any of the other changes to the jQuery version that is included in Drupal.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.3.
If you are using Drupal 9.2, update to Drupal 9.2.11.
If you are using Drupal 7, update to Drupal 7.86.

All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: 
Fixed By: 
Lauri Eskola
Chris of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Ben Mullins
xjm of the Drupal Security Team
Théodore Biadala

Read More

IRS Will Soon Require Selfies for Online Access

Read Time:9 Minute, 42 Second

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help stanch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with Id.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.

Read More

Oracle January 2022 Critical Patch Update Addresses 266 CVEs

Read Time:4 Minute, 10 Second

Oracle addresses 266 CVEs in its first quarterly update of 2022 with 497 patches, including 25 critical updates.

Background

On January 18, Oracle released its Critical Patch Update (CPU) for January 2022, the first quarterly update of the year. This CPU contains fixes for 266 CVEs in 497 security updates across 39 Oracle product families. Out of the 497 security updates published this quarter, 6.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.5%, followed by high severity patches at 41.9%.

This quarter’s update includes 33 critical patches across 25 CVEs.

SeverityIssues PatchedCVEsCritical3325High20863Medium231154Low2524Total497266

Analysis

This quarter, the Oracle Communications product family contained the highest number of patches at 84, accounting for 16.9% of the total patches, followed by Oracle MySQL at 78 patches, which accounted for 15.7% of the total patches.

Oracle fixes Log4Shell and associated vulnerabilities across some of its product suites

As part of the January 2022 CPU, Oracle addressed CVE-2021-44228, the Apache Log4Shell vulnerability disclosed in December 2021 as well as associated Log4j vulnerabilities that have been disclosed in the weeks since.

Oracle did not explicitly provide details within this release regarding CVE-2021-44228 and which components were affected. Instead, they broadly highlighted that applying the January 2022 CPU would address CVE-2021-44228 and CVE-2021-45046 across the following products:

Oracle Communications
Oracle Construction and Engineering
Oracle Financial Services Applications
Oracle Fusion Middleware
Oracle Retail Applications
Oracle Siebel CRM

While it’s not clear if Oracle has completed an assessment of all product families to address all occurrences of the recently disclosed Log4j vulnerabilities, we will continue to monitor for further updates. In addition to the broader message, Oracle provided some details around affected products for the other associated Log4j vulnerabilities:

CVEProductComponentRemote Exploit without AuthCVE-2021-45105Oracle Communications WebRTC Session ControllerSignaling Engine, Media Engine (Apache Log4j)YesCVE-2021-45105Oracle Communications Services GatekeeperAPI Portal (Apache Log4j)YesCVE-2021-45105Instantis EnterpriseTrackLogging (Apache Log4j)YesCVE-2021-45105Oracle Retail Integration BusRIB Kernel (Apache Log4j)YesCVE-2021-45105Oracle Financial Services Analytical Applications InfrastructureOthers (Apache Log4j)YesCVE-2021-45105Oracle Retail Invoice MatchingSecurity (Apache Log4j)YesCVE-2021-45105Oracle Retail Service BackboneRSB Installation (Apache Log4j)YesCVE-2021-45105Oracle Retail Order BrokerSystem Administration (Apache Log4j)YesCVE-2021-45105Oracle WebCenter PortalSecurity Framework (Apache Log4j)YesCVE-2021-45105Oracle Managed File TransferMFT Runtime Server (Apache Log4j)YesCVE-2021-45105Oracle Business Intelligence Enterprise EditionAnalytics Server (Apache Log4j)YesCVE-2021-45105Oracle Retail Order Management SystemUpgrade Install (Apache Log4j)YesCVE-2021-45105Oracle Retail Point-of-ServiceAdministration (Apache Log4j)YesCVE-2021-45105Oracle Retail Predictive Application ServerRPAS Server (Apache Log4j)YesCVE-2021-45105Oracle Retail Price ManagementSecurity (Apache Log4j)YesCVE-2021-45105Oracle Communications Service BrokerIntegration (Apache Log4j)YesCVE-2021-45105Oracle Retail Returns ManagementSecurity (Apache Log4j)YesCVE-2021-45105Oracle Financial Services Model Management and GovernanceInstaller & Configuration (Apache Log4j)YesCVE-2021-45105Oracle Retail EFTLinkInstallation (Apache Log4j)YesCVE-2021-45105Oracle Retail Back OfficeSecurity (Apache Log4j)YesCVE-2021-45105Oracle Retail Central OfficeSecurity (Apache Log4j)YesCVE-2021-44832Oracle Communications Interactive Session RecorderRSS (Apache Log4j)NoCVE-2021-44832Primavera UnifierLogging (Apache Log4j)NoCVE-2021-44832Oracle WebLogic ServerCentralized Thirdparty Jars (Apache Log4j)NoCVE-2021-44832Oracle Communications Diameter Signaling RouterVirtual Network Function Manager, API Gateway (Apache Log4j)NoCVE-2021-44832Primavera GatewayAdmin (Apache Log4j)NoCVE-2021-44832Primavera P6 Enterprise Project Portfolio ManagementWeb Access (Apache Log4j)NoCVE-2021-44832Siebel UI FrameworkEnterprise Cache (Apache Log4j)NoCVE-2021-44832Oracle Retail Fiscal ManagementNF Issuing (Apache Log4j)NoCVE-2021-44832Oracle Retail Assortment PlanningApplication Core (Apache Log4j)NoCVE-2021-4104Oracle Retail AllocationGeneral (Apache Log4j)NoCVE-2021-4104Oracle Utilities Testing AcceleratorTools (Apache Log4j)NoCVE-2021-4104Oracle WebLogic ServerCentralized Thirdparty Jars (Apache Log4j)No

Oracle CPU Patch Breakdown

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle Communications8450Oracle MySQL783Oracle Financial Services Applications4837Oracle Retail Applications4334Oracle Fusion Middleware3935Oracle Communications Applications3322Oracle Construction and Engineering2215Oracle Java SE1818Oracle PeopleSoft1310Oracle Utilities Applications137Oracle Systems117Oracle Supply Chain108Oracle E-Business Suite95Oracle Health Sciences Applications88Oracle Enterprise Manager76Oracle Insurance Applications76Oracle Commerce66Oracle TimesTen In-Memory Database53Oracle Database Server40Oracle Essbase43Oracle HealthCare Applications44Oracle Support Tools44Oracle GoldenGate33Oracle Hospitality Applications33Oracle Big Data Graph22Oracle Graph Server and Client22Oracle REST Data Services21Oracle Secure Backup22Oracle Siebel CRM21Oracle Virtualization20Oracle Airlines Data Model11Oracle Communications Data Model11Oracle NoSQL Database10Oracle Spatial Studio11Oracle Food and Beverage Applications11Oracle Hyperion11Oracle iLearning11Oracle JD Edwards10Oracle Policy Automation11

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2022 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Oracle Critical Patch Update Advisory – January 2022
Oracle October 2021 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Read More

Supply chain vulnerability allows attackers to manipulate SAP transport system

Read Time:44 Second

A supply chain vulnerability in the SAP transport system that allows attackers to infiltrate the change management or software deployment process has been identified by a cybersecurity provider based in Germany. A patch has been published by SAP SE to fix the issue that threatens all SAP environments that share a single transport directory.

SAP transport system vulnerable to malicious interference

SAP software products are used by companies across the globe, with many providing critical infrastructure, food, energy, and medical supplies. The internal SAP development supply chain is used by customers to request additional functionality and in-house developments to the SAP standard, with changes provided via various staging systems of the respective SAP landscape with SAP transport requests. These requests should not be modified after they have been exported from the central transport directory and released.

To read this article in full, please click here

Read More

The 2021 Threat Landscape Retrospective: Targeting the Vulnerabilities that Matter Most

Read Time:2 Minute, 48 Second

A review of the year in vulnerabilities and breaches, with insights to help guide cybersecurity strategy in 2022 and beyond.

“We do not learn from experience… we learn from reflecting on experience.” – John Dewey, American philosopher

We all know that the best way to improve is by debriefing, especially when it comes to reviewing security events and vulnerabilities. Tenable’s 2021 Threat Landscape Retrospective (TLR) is a valuable resource for security professionals seeking to improve their understanding of the threat landscape in 2021 with a goal to improve their security in 2022. 

The Threat Landscape Retrospective is the result of tracking and analyzing government, vendor and researcher advisories on important vulnerabilities throughout the year. Tenable’s Security Response Team produces the report annually to provide a resource for cybersecurity professionals. 

In 2021, there were 21,957 new CVEs assigned from January to November, a 20% increase over 2020. There were 105 zero-day vulnerabilities disclosed, a 262% increase over the 29 zero-days in 2020. As for data breaches, our count is 1,825 in the 12 months from October 2020 to October 2021. These metrics all represent upticks from 2020’s data.

One element that felt like deja vu as we were compiling this report was the revelation of a major security event just as the year was coming to a close. In 2020 we were disrupted by the NOBELIUM cyberespionage campaign that targeted organizations through SolarWinds in December, and of course in 2021 it was the exposition of the Log4Shell vulnerability.

Similarly to SolarWinds, it is important not to let Log4Shell draw our attention away from the myriad other vulnerabilities and security events reviewed in the TLR. In fact, the study demonstrates the sheer volume of vulnerabilities facing security organizations and illustrates the challenges of reducing risk.

What’s inside the 2021 Threat Landscape Retrospective

Section one of the report reviews high-level events and trends from the year, zero days and legacy vulnerabilities. In this section we analyze the year’s top vulnerabilities and zero-days, including exploring their origin and the systems affected. For example, flaws in Microsoft Exchange and Windows Print Spooler dominated.

Section two is all about what bad actors did this year and how they did it. We review the outcome of their efforts, including data breaches, ransomware and attacks against the supply chain. 

Section three is a valuable list and overview of every major vulnerability from the year and the vendor it affected. There are over 300 vulnerabilities in this list including context such as the criticality of each, the events that took place and the vendor they affected. In the already busy day security personnel, the TLR helps make sense of a cacophony of vulnerabilities from a year that was unlike any other. 

What you’ll learn from Tenable’s 2021 Threat Landscape Retrospective 

The challenges in securing an evolving perimeter
How ransomware groups are leveraging Active Directory vulnerabilities and misconfigurations in their attacks
Context surrounding the surge in supply chain attacks in the wake of the NOBELIUM SolarWinds incident

Get more information

Download the full report here
Attend the webinar: Tenable Research 2021 Recap and Defender’s Guidance for 2022
Blog post about 2021 Threat Landscape Retrospective Tenable.io Dashboard
Blog post about 2021 Threat Landscape Retrospective Tenable.sc Dashboard
Follow Tenable’s Security Response Team on the Tenable Community

Read More