This past year saw no shortage of breaches, ransomware attacks, and newly revealed vulnerabilities in the news. nVisium’s team of world-class application security experts is regularly featured in the media for our security and industry expertise. Let’s look back at some of the most memorable headlines and security incidents that rocked the infosec industry in 2021.
DDoS Attacks Continue to Thrive in the Work-From-Home Era
The abrupt changes brought about by COVID-19 continued to pervade the security landscape, with cybercriminals adjusting their tactics to continue to take advantage of vulnerable devices and home networks.
Mark Moses, Director of Client Engagement, weighed in on the continuing shift:
“Moses noted that the shift to work-from-home gave attackers fresh means to use DDoS as a way to target multiple networks. These attackers intended to either bring down the infrastructure or squeeze money from a victim to stop further attacks from happening.
‘Unfortunately, bad actors have taken advantage of the new reliance on online work; targeting service providers to bring a target down for economic or political reasons,’ Moses told Dice. ‘Criminals select a target hoping for economic gain by demanding ransom or a perceived political gain by targeting a provider that has offended their political sensibilities in some way.’”
Off-Boarding Challenges Arise Amidst “The Great Resignation”
With information security professionals leaving their jobs in droves, an often overlooked challenge arose for IT departments across the country: securely off-boarding employees.
Taylor Gulley, Senior Application Security Consultant, offered off-boarding tips and best practices:
“‘Largely, it is on the IAM (Identity Access Management) team’s shoulders to create the automated processes and up to the HR department to enact those processes when appropriate,’ Gulley said.
Gulley said a strong endpoint security program can largely mitigate the risk of data loss from lost, stolen, or unreturned devices by having full disk encryption and remote wipe capabilities for all company devices.
On the administrative side, a new personal account for access to HR and benefits functionality may need to be created if one is not already in place, while email and other communication channels should be forwarded to a manager who can handle the transition of responsibilities.
Any company hardware in the employee’s possession must be repossessed or backed up and wiped remotely, especially if endpoint encryption is not in place, Gulley added.
‘IT security staff should have ready-made access revocation processes that can be enacted quickly and easily by the HR department with appropriate confirmations, such as that from managers along the way,’ Gulley said. ‘Any remaining access should trigger the creation of a high priority ticket to have the access removed manually.’”
HIPAA Concerns Persist With the Advent of Digital Vaccine Passport Apps
As digital vaccine apps rolled out all over the world, the need for increased security was highlighted, with spoofing concerns and validation issues being front-and-center.
Ryan Kennedy, Application Security Consultant, weighed in on one such case with New York’s “Excelsior Pass” app:
“‘Ideally, apps shouldn’t let users add credentials that don’t pass a validation check performed on the app’s backend servers,’ said Kennedy.
Kennedy said in the context of the Excelsior Pass app, the Excelsior Pass scanner should function as a “source of truth” as end users may not always use the most up-to-date versions of an app.
‘As a New York City resident, and a frequent user of the app, I’m glad to hear that security concerns are being addressed and that it’s becoming increasingly difficult for bad actors to forge their vaccine status.’”
Ransomware Continues to Bring Companies to Their Knees
Unfortunately, ransomware attacks aren’t going anywhere, but in 2021, IT leaders began to see the need to adapt to the attack method’s ever-changing behaviors in the modern threatscape.
Momodou Jaiteh, Application Security Consultant, addressed the issue, suggesting that automating everyday tasks can help short-staffed information security teams focus on the seemingly never-ending slew of ransomware attacks:
“‘I think it’s time for IT leaders to not only understand the changing attacker behaviors of highly sophisticated and targeted attacks, but also its relation to their critical data and employee awareness,’ said Jaiteh.
Jaiteh noted that ransomware has been evolving the past few years, but significantly so in the past year, partly due to the sophistication and effectiveness of defensive approaches being adopted by some high-value targets.
‘As ransomware attacks get more and more sophisticated, they require advanced skillsets on the defensive side,’ he explained. ‘With IT staff facing capacity issues due to a typical individual juggling multiple tasks, the necessary skills gap widens.’
Under these circumstances, IT security teams need to strategize how to best confront these threats – leveraging automation of routine tasks to free staff with advanced skills to pursue attackers and combat ransomware and other threats.
In addition, Jaiteh said leveraging more specialized external resources to defend against ransomware can help fill that gap.”
A Newly-Updated OWASP Top Ten List Addresses Evolving API Security Concerns
The Open Web Application Security Project (OWASP) released an updated Top 10 List on the most critical security risks to web applications. While the original OWASP Top 10 focused on vulnerability classification, the new list was more data-driven with a focus on exploitability and impact.
Ben Pick, nVisium Principal Consultant, addressed the updated testing guide as it related to access control:
“‘To address API security, it’s necessary to first see where the security issues are. Because newer technologies are implementing API solutions, organizations are now seeing older and known security vulnerabilities—that were previously addressed in simpler web applications—being reintroduced in these APIs,’ said Pick.
‘This has resulted in one of the greatest security threats to APIs: A lack of access control. Knowing that an API exists could grant a user access to an improperly configured API or allow its functions to be abused,’ Pick said. Authorization flaws are one of the biggest threats to API security, with many incidents resulting from authorization mechanisms not being implemented appropriately, or authorization not being performed at all. Also, APIs often expose too much private or sensitive data.”
Android Malware “FlyTrap” Continues Upward Trend of Social Hijacking Attack Methods
Researchers uncovered a new Android trojan, dubbed FlyTrap, that spread to more than 10,000 victims via rigged apps on third-party app stores, side-loaded apps, and hijacked Facebook accounts.
Shawn Smith, Director of Infrastructure, weighed in on the social hijacking tactic:
“We need to impress the importance of doing a little research before just clicking links,” he said via email.
This malware spreads mainly by promising coupons and voting for the user’s favorite interests from these links. Other similar and more recent situations like this include a Twitter scandal that involved high-profile accounts being hacked and used to lure people to [give] them money. It’s this social engineering aspect behind these attacks which is the most concerning and dangerous.
We can only do so much by securing our technology alone, and users need to be educated to spot social engineering attacks so they can better protect themselves and their friends.”
Supply Chains Remain Vulnerable With Newly-Discovered “Trojan Source” Bug
Researchers from the University of Cambridge identified a new attack method that abuses Unicode to stealthily inject vulnerabilities into code. Dubbed “Trojan Source,” the attack impacts many of the compilers, interpreters, code editors, and code repository frontend services used by software developers.
Jon Gaines, Senior Application Security Consultant, addressed the new technique that can be exploited to inject malware into source code without detection:
“This 'Trojan Source' bug certainly presents an interesting attack surface. As it sits, the research by the University of Cambridge is novel, but their proof-of-concepts are not actually malicious. However, in the hands of a sophisticated attacker or group who can actually weaponize it, we would definitely have a dangerous situation on our hands.
This scenario demonstrates the proactive power of source code reviews and it would be a good best practice not to copy and paste code for the time being. It's always better to rewrite it yourself and you can also enable your IDE or text editors to display Unicode. Alternatively, if you do go this route, open up the code you copied and pasted within a hex editor to check it. Hopefully patches will be promptly released for most compilers, but in the interim, this would be an effective short-term solution.”
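The review and hex-editor checks Gaines describes can be automated. The scanner below is an added example written for this post (it is not nVisium's tooling or the Cambridge researchers' proof-of-concept code); it flags every Unicode bidirectional control character in a source file and additionally flags lines that end with an embedding or isolate still open, which is the pattern that lets rendered code differ from what the compiler parses. The code points are the standard Unicode bidi controls; the sample input is constructed for illustration.

```python
import sys

# Unicode bidirectional (bidi) control characters abused by the "Trojan Source"
# technique: embeddings, overrides and isolates, plus their terminators.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u202C": "PDF", "\u2069": "PDI",
}
OPENERS = {"\u202A", "\u202B", "\u202D", "\u202E", "\u2066", "\u2067", "\u2068"}


def scan_source(text):
    """Return one finding per bidi control character found in `text`, plus a
    synthetic finding for each line that ends with an unterminated embedding
    or isolate. Depth tracking treats PDF and PDI alike; that is a deliberate
    simplification, since any bidi control in source code deserves review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        depth = 0
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                depth += 1 if ch in OPENERS else -1
                findings.append({
                    "line": lineno, "col": col,
                    "codepoint": f"U+{ord(ch):04X}", "name": BIDI_CONTROLS[ch],
                })
        if depth > 0:
            findings.append({"line": lineno, "col": None,
                             "codepoint": None, "name": "UNTERMINATED_BIDI_AT_EOL"})
    return findings


# Constructed sample (not real project code): line 2 carries an RLI and an LRI
# that are never closed, so its visual order differs from its logical order.
SAMPLE = (
    "def is_admin(user):\n"
    "    return user.role == 'admin' \u2067 # \u2066 or True\n"
    "    # plain comment line\n"
)

if __name__ == "__main__":
    # Usage: python scan_bidi.py <file>   (scans the built-in sample when no file is given)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE
    for f in scan_source(text):
        print(f"line {f['line']} col {f['col']}: {f['codepoint']} {f['name']}")
```

Any finding at all is reason to inspect the file; the unterminated-at-end-of-line flag is the strongest signal that rendering and compilation disagree.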
LET'S TALK ABOUT SEC
The threats and attack methods above aren't going anywhere in 2022. And with over 1 million unfilled jobs in cybersecurity, great talent is in high demand among already short-staffed infosec teams.
nVisium's Staff Augmentation Services provide experts who seamlessly integrate with your team to support your organizational goals for a set period of time.
Whether you've been hit by The Great Resignation or just need an extra pair of hands to continue to drive security projects forward, we can parachute in our experts to help fill the gaps.
(Note: Due to FAA regulations, we cannot *actually* parachute in our team members.)