TIMELINE OF 2021'S MAJOR CYBER EVENTS
January
In January, the US Department of Justice confirmed that it had been affected by the Solarwinds supply-chain attack, and that 3% of its employee email boxes had been accessed in order to steal sensitive data. The department has more than 100,000 employees across a series of law enforcement agencies, including the FBI, the Drug Enforcement Agency, and the US Marshals Service. The Department of Justice was a buyer of SolarWinds Orion, a tool that was used by hackers to execute this attack, leading to as many as 18,000 SolarWinds customers experiencing a breach. The Department of Justice said it learned it was a victim on Christmas Eve, revealing that a small percentage of its Microsoft Office 365 email accounts had been compromised.
February
In February, the popular music streaming platform Spotify was hit by a credential-stuffing attack, only three months after experiencing a similar incident. The attack used stolen credentials from 100,000 user accounts and leveraged a malicious Spotify login database. The attack was reported to Spotify, which prompted the company to issue a password reset to affected users that rendered the stolen credentials invalid. The company said in a statement that it also worked to have the fraudulent database taken down by its internet service provider, and noted that the attack was not linked to a breach in Spotify's own security. Cybercriminals carrying out credential stuffing exploit people who reuse the same passwords across multiple online accounts and platforms. Attackers simply build automated scripts that systematically try stolen IDs and passwords against various types of accounts.
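The defender's counterpart to the automated scripts described above is a detector that looks for one source cycling through many distinct identities with mostly failed logins. The following is an added example, not code from the report; the log format, IP addresses and usernames are constructed for illustration.

```python
"""Credential-stuffing detector (added example, not code from the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, constructed for this example:
#   2021-02-01T10:00:00 ip=203.0.113.5 user=alice result=FAIL
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "ok": m["res"] == "OK"}

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.2):
    """Return {ip: distinct usernames tried} for sources that look like stuffing:
    many identities from one source, mostly failing. Per-account lockout misses
    this because each account sees only one or two attempts."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:  # keep the window bounded
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(e["ok"] for e in span)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

# Constructed sample: one stuffing source (six accounts, one hit) and one
# legitimate user who mistyped a password twice.
SAMPLE_LOG = [f"2021-02-01T10:00:0{i} ip=203.0.113.5 user=u{i} result=FAIL" for i in range(5)]
SAMPLE_LOG += ["2021-02-01T10:00:05 ip=203.0.113.5 user=bob result=OK",
               "2021-02-01T10:00:10 ip=198.51.100.7 user=alice result=FAIL",
               "2021-02-01T10:00:20 ip=198.51.100.7 user=alice result=FAIL",
               "2021-02-01T10:00:40 ip=198.51.100.7 user=alice result=OK"]
```

Running `detect_stuffing(SAMPLE_LOG)` flags only the source that tried six different accounts; the single user with two failed attempts is left alone.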
March
On March 2nd, 2021, Volexity reported in-the-wild exploitation of the Microsoft Exchange Server vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Further investigation uncovered that an attacker was exploiting a zero-day in the wild, using it to steal the full contents of several user mailboxes. The vulnerability is remotely exploitable and requires no authentication, special knowledge or access to a specific environment. It was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States and 7,000 servers in the United Kingdom. The European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF) were also impacted.
April
In April, the US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) published a joint advisory warning that a Russia-linked APT group, APT29, was exploiting five vulnerabilities in an ongoing attack against US targets. According to the advisory, Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently used publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. Recent Russian SVR activities include compromising SolarWinds Orion software updates, targeting COVID-19 research facilities through deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time.
May
In May, a ransomware attack shut down the routine operations of Colonial Pipeline, which carries 45% of the fuel consumed on the US East Coast, including diesel, petrol and jet fuel. The DarkSide ransomware criminal group, alleged to be Russian, was behind the attack. Colonial Pipeline is the largest refined-products pipeline in the US, a 5,500 mile (8,851 km) system that transports over 100 million gallons from the Texas city of Houston to New York Harbor. DarkSide uses a Ransomware-as-a-Service (RaaS) model, relying on an affiliate program to execute its cyber attacks. Colonial Pipeline paid a ransom demand of close to US$ 5 million in return for a decryption key. Later, the FBI declared it had retrieved the private key of the ransom account and recovered 63.7 of the bitcoins paid.
June
JBS, the US-based meat processing giant, was hit by a ransomware attack in June affecting its North American and Australian operations. The FBI attributed the attack to the REvil ransomware group. The attack forced JBS to temporarily shut down all of its beef plants in the United States. One of its Canadian plants was also affected, and the company paused beef and lamb kills in Australia until the plants were back online. On June 9, JBS's Chief Executive in the US revealed the company had paid US$ 11 million to hackers in a "very painful but necessary decision", despite the fact that the company was able to restore most of its systems from its own backups.
July
In July, the REvil ransomware group targeted multiple Managed Service Providers (MSPs) and their customers in a supply chain attack. Threat actors successfully implanted a malicious software update for IT company Kaseya's VSA patch management and client monitoring tool, which included the malware installer. An estimated 1,000 companies were impacted by the attack. The massive supply chain attack carried out by REvil over the 4th of July weekend impacted numerous Kaseya customers, with millions of USD demanded in ransom. Kaseya issued a security advisory on its site, warning all customers to immediately shut down their VSA server to prevent the spread of the attack while it investigated. In order to breach on-premises Kaseya VSA servers, REvil used a zero-day vulnerability that was in the process of being fixed. The vulnerability had been previously disclosed to Kaseya by security researchers from the Dutch Institute for Vulnerability Disclosure (DIVD), and Kaseya was validating the patch before rolling it out to customers. However, the REvil ransomware gang was one step ahead of Kaseya and used the vulnerability to carry out its attack, with ransoms ranging from US$45K to US$5 million. With the attack on Kaseya VSA servers, REvil's affiliate was initially targeting Kaseya's MSSPs, with a clear intent to propagate to the MSSPs' customers. The attack amplified exponentially from the MSSPs to the actual customers.
August
The largest ever distributed denial of service (DDoS) attack was detected in August, with 17.2 million requests-per-second. The attack was facilitated by the Mirai botnet, targeting an organization in the financial industry. In this specific incident, the traffic originated from more than 20,000 bots in 125 countries worldwide, with almost 15% of the attack originating from Indonesia, followed by India, Brazil, Vietnam, and Ukraine. Mirai was first observed in 2016 targeting Internet of Things (IoT) devices, such as CCTV cameras and routers. Numerous variants of the botnet have emerged since, expanding the list of targeted devices to include Linux routers and servers, Android devices, and more.
September
In September, Check Point Research saw a global surge in the black market for fake COVID-19 vaccine certificates on Telegram, following US President Biden's vaccine mandate announcements. The black market expanded to serve 28 countries, including Austria, UAE, Brazil, UK, Singapore and more. The price for fake vaccine certificates also jumped globally, including in the US, where it doubled from $100 to $200.
October
In October, the infrastructure of the Russia-based REvil ransomware gang, responsible for numerous ransomware attacks, was compromised and forcibly taken down for the second time in three months, bringing its operation to a halt. This came after REvil's leaks website "Happy Blog" was previously shut down in July (along with the suspicious disappearance of one of the REvil gang leaders, "UNKN"), and after it was brought back up again in September by one of its remaining gang leaders. REvil ransomware became notorious during 2021 with a series of devastating attacks, especially after its successful ransom of the JBS food company for US$ 11 million, and its later compromise of Kaseya, a US software management company, in July. These increasingly devastating attacks were matched by increased pressure from authorities, and the launch of an offensive operation against REvil's infrastructure and its members.
November
On November 14, Emotet, one of the most infamous botnets in history, rose from the dead after it was taken down ten months earlier by a joint international law enforcement operation. Emotet used the Trickbot botnet to jump-start its operation: machines already infected with the Trickbot Trojan started to download and execute the latest version of Emotet. Emotet itself came back even stronger than before, with some new additions to its toolbox, such as an updated encryption scheme, control-flow obfuscation and new delivery methods.
December
On December 9th, an acute remote code execution (RCE) vulnerability was reported in the Apache logging package Log4j 2, versions 2.14.1 and below (CVE-2021-44228). Apache Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub project. It is used by a vast number of companies worldwide, enabling logging in a wide set of popular applications. Exploiting this vulnerability is simple. The Log4j library is embedded in almost every internet service or application we are familiar with, including Twitter, Amazon, Microsoft, Minecraft and more. Since the outbreak, Check Point Research witnessed a rapid evolution of the exploit, with new variations of the original being introduced quickly: over 60 in less than 24 hours. This was clearly one of the most serious vulnerabilities on the internet in recent years.