The Year 2022 from a Cyber-Security Perspective: Of Vulnerabilities in the Software Supply Chain and the Absence of Total Cyber Warfare
As the cybersecurity community looks back on 2022, some incidents are sure to be long remembered. Some trends of the year followed directly from events of the previous year; others were clear consequences of the Russian war of aggression against Ukraine. In this blog post, Complion's IT security experts look at the cyber phenomena of 2022 that will stay in memory.
Into the New Year with Log4Shell
The cybersecurity year 2022 actually began in December 2021, when a tweet triggered the avalanche that was the "Log4Shell" vulnerability (CVE-2021-44228) in Apache Log4j. The vulnerability was rated with the maximum CVSS score of 10.0 and allowed an unauthenticated attacker to remotely execute malicious code. It was exploited immediately, including with a wormable exploit, by nation-state hacker groups from Russia, China, Iran, North Korea and Turkey. Adoption by financially motivated malicious actors running ransomware operations (including Conti) followed suit. At the height of exploitation, 100,000 attacks per second were recorded. Governments held emergency meetings before Christmas 2021, and agencies worldwide were urged to identify and close the gaps with updates.
The threat from the supply chain
As of December 2022, the Log4Shell vulnerability is still being discovered and closed in products. This is because the affected product, Apache Log4j, is a so-called "supply-chain" component that resides in numerous software products. This pattern became the trend for the rest of the year: vulnerabilities in products and code components that are built into other applications. The exploitation of such vulnerabilities relies on the fact that organizations usually have little visibility into the code components of their deployed products and are thus often not at a sufficient patch level.
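The visibility gap described above can be closed in part by inventorying what is actually bundled inside a deployed artifact rather than trusting a package list. The following is an added example (Python, not Complion's tooling): it walks a Java archive recursively, reads the pom.properties files that Maven embeds in JARs, and compares a named component against a fixed-version threshold that the caller takes from the vendor advisory; the archive contents and version numbers in the sample are constructed.

```python
"""Inventory Maven components nested inside a deployed Java archive (added example)."""
import io
import re
import zipfile

# Maven embeds this file in every built JAR; it names the component and its version.
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def _parse_properties(text):
    """Parse Java .properties text (key=value lines, '#' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def inventory(data, path=""):
    """Return [(location, groupId, artifactId, version)] for archive bytes, descending into nested archives."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if m:
                props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                found.append((path or "<root>", props.get("groupId", m.group(1)),
                              props.get("artifactId", m.group(2)), props.get("version", "?")))
            elif name.lower().endswith(NESTED_SUFFIXES):
                try:
                    found.extend(inventory(zf.read(name), f"{path}/{name}" if path else name))
                except zipfile.BadZipFile:
                    pass  # file has an archive suffix but is not a zip; skip it
    return found

def version_tuple(v):
    """Comparable tuple; non-numeric parts (e.g. 'beta9') sort below any numbered release."""
    return tuple(int(x) if x.isdigit() else -1 for x in re.split(r"[.-]", v))

def below_fixed(entries, artifact_id, fixed_version):
    """Inventory entries of artifact_id whose version is older than the advisory's fixed_version."""
    return [e for e in entries if e[2] == artifact_id and version_tuple(e[3]) < version_tuple(fixed_version)]

def build_sample_archive():
    """Constructed sample: an app archive bundling a library JAR that itself bundles log4j-core."""
    def jar(files):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, c in files.items():
                zf.writestr(n, c)
        return buf.getvalue()
    inner = jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                 "#generated\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n"})
    lib = jar({"META-INF/maven/com.example/lib/pom.properties": "artifactId=lib\nversion=1.0\n",
               "lib/log4j-core.jar": inner})
    return jar({"META-INF/maven/com.example/app/pom.properties": "artifactId=app\nversion=3.2\n",
                "WEB-INF/lib/lib.jar": lib})
```

Running `below_fixed(inventory(build_sample_archive()), "log4j-core", "<fixed version from advisory>")` reports the bundled copy two archive levels deep that a host-level package query would never list.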
Russian cyber activity in support of its war of aggression
If you followed the cyber operations of malicious actors with suspected ties to the Russian Federation and Belarus, you could already observe a renaissance of so-called "wiper" malware in January. This malware behaves similarly to the well-known malware type "ransomware" in that it renders files unusable for users. However, unlike its data-encrypting cousin, wiper malware overwrites or deletes a file, rendering it irretrievably unusable or removing it entirely.
Thus, this type of malware is used less to extort victims after a successful compromise than to destroy digital infrastructure. The increased use of this malware against Ukrainian systems, especially government agencies and critical infrastructure, was the first digital harbinger of the February 24 invasion.
After the official start of the war, pro-Russian cyber activity intensified once again with wipers and DDoS. However, the destructive power of the malware was overshadowed many times over by the brutality and effectiveness of conventional weapon systems - a missile can deliver results faster and more lastingly than malware preceded by a phishing campaign currently could.
Overall, the all-out cyber war that some experts warned about in previous years does not seem to be happening. This seems to be because complex cyber operations cost a lot of time and money - both of which are currently in short supply on the Russian side. At the same time, the Russian Federation has finally dropped its last fig leaf of peace and can use conventional weapon systems against its targets without fear of further loss of reputation.
The pro-Ukrainian cyber counteroffensive
Ukrainian hackers of all hat colors and other cyber actors around the world did not leave the Russian aggression unanswered. In the first weeks of the war, the "Ukrainian IT Army" was formed, which went into the field with the aim of disrupting Russian cyber activities and conducting offensive operations of its own.
The attacks against Russian systems proved successful; in particular, the campaign is still characterized by data exfiltration from Russian authorities and DDoS attacks against Russian institutions. By the end of the year, the Ukrainian IT Army's arsenal also included wiper campaigns, which are currently being used against courts and offices in Russia (including CryWiper).
Outlook for 2023: Continuation of the trends
The year 2023 will probably continue to be marked by war and general uncertainty. With the continuation of the Russian war of aggression, cyber operations against Ukraine and NATO countries will also continue, and DDoS will continue to be felt in the EU, as was recently the case with the EU Parliament. Growth in the ransomware market, driven by "as-a-service" business models, will not stop either. The supply chain is and will remain a vulnerable spot in many software products, and vulnerabilities like Log4Shell will become endemic to some degree after discovery and widespread patching.
All this means that the future will demand increased vigilance from IT security managers. Malicious actors do not rest, are battle-hardened, and the cybercrime business is becoming increasingly professional. Corporate security includes meticulous patch management, incident response plans and a good supply of threat intelligence, such as from the Voice Cyber Security Competence Center. Complion's experts will also be vigilant in 2023 and are always available for consultation.
Author: Tobias Philipsen