10 industry-defining security incidents from the last decade

Jul 19, 2022

Cyberattacks, Data Breach, Vulnerabilities

From Heartbleed to Apache Struts to SolarWinds, these are the 10 watershed security incidents of the past 10 years.


The last decade has seen its fair share of watershed moments that have had major implications on the cybersecurity landscape. Severe vulnerabilities, mass exploitations, and widespread cyberattacks have reshaped many aspects of modern security. To take stock of the past 10 years, cybersecurity vendor Trustwave has published the Decade Retrospective: The State of Vulnerabilities blog post featuring a list of what it considers to be the 10 most prominent and notable network security issues and breaches of the last 10 years.

“It is difficult to tell the complete story about the network security landscape from the past decade because security tools and event loggers have evolved so much recently that many of the metrics that we take for granted today simply did not exist 10 years back,” the blog read. “Nevertheless, the data that is available provides enough information to spot some significant trends. The most obvious trend, based on sources like the National Vulnerability Database (NVD), Exploit-DB, VulnIQ, and Trustwave’s own security data, is that security incidents and individual vulnerabilities have been increasing in number and becoming more sophisticated,” it added.

Here are Trustwave’s 10 security incidents that have defined the last decade, in no particular order.

1. SolarWinds hack and FireEye breach

In what Trustwave called the “most crippling and devastating breach of the decade,” a supply chain cyberattack on network monitoring tool SolarWinds Orion in December 2020 sent shockwaves across the globe. Various corporations and U.S. government agencies fell victim to this campaign with cybercriminals exploiting FireEye red teaming tools and internal threat intelligence data to plant a malicious backdoor update (dubbed SUNBURST) that impacted some 18,000 customers and granted attackers the ability to modify, steal, and destroy data on networks. SolarWinds later stated that while thousands of organizations downloaded the malware, the actual number of customers hacked through SUNBURST was fewer than 100. This number is consistent with estimates released by the White House.

Despite a patch being issued on December 13, 2020, infected servers exist today and attacks still take place because companies are unaware of dormant vectors set up before the patch, Trustwave said.

Speaking to CSO in December last year, David Kennedy, former NSA hacker and founder of security consulting firm TrustedSec said, “When you look at what happened with SolarWinds, it’s a prime example of where an attacker could literally select any target that has their product deployed, which is a large number of companies from around the world, and most organizations would have no ability to incorporate that into how they would respond from a detection and prevention perspective.”

In June 2021, University of Richmond management professor and expert on risk management and industrial and operations engineering, Shital Thekdi, said that the SolarWinds attack was unprecedented because of “its capability to cause significant physical consequences,” impacting “critical infrastructure providers, potentially impacting energy and manufacturing capacities,” and creating an ongoing intrusion that “should be treated as a serious event with potential for great harm.”

2. EternalBlue exploit and the WannaCry/NotPetya ransomware attacks

Next on Trustwave’s list is the EternalBlue exploit and subsequent ransomware incidents of 2017. Hacking group Shadow Brokers leaked significant exploits stolen from the U.S. National Security Agency (NSA) which were used to carry out the highly damaging WannaCry and NotPetya ransomware outbreaks which affected many thousands of systems across the globe, causing particular damage to health services in the UK and Ukraine. The most significant exploit, dubbed EternalBlue, targeted vulnerability CVE-2017-0144, which Microsoft had patched one month prior to the Shadow Brokers’ leak. According to Trustwave, the EternalBlue exploit remains active to this day with Shodan, the popular search engine for internet-connected devices, currently listing more than 7,500 vulnerable systems.

In 2017, RiskSense researchers said, “The EternalBlue exploit is highly dangerous in that it can provide instant, remote, and unauthenticated access to almost any unpatched Microsoft Windows system, which is one of the most widely used operating systems in existence for both the home and business world.”

3. Heartbleed flaw in OpenSSL

The Heartbleed vulnerability of 2014 continues to beat on, estimated to threaten more than 200,000 vulnerable systems to this day, as per Shodan, Trustwave’s blog stated. Security researchers discovered the serious flaw (CVE-2014-0160) in OpenSSL, the encryption technology that secures the web. It was dubbed Heartbleed because the bug existed in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520) and allowed anyone on the internet to read the memory of systems.
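The bug behind Heartbleed was a missing length check: the code trusted the payload length declared in the heartbeat message instead of checking it against the size of the record that actually arrived. The following is an added illustration, not code from the article or from OpenSSL, of the validation RFC 6520 requires before a heartbeat is echoed; the function names, the record layout constants and the two constructed messages are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520 section 4: padding is at least 16 bytes */

/* Validate a HeartbeatMessage carried in a TLS record body of rec_len bytes.
 * Returns 1 and writes the payload length when the message is well formed,
 * 0 when it must be silently discarded (RFC 6520). The comparison against
 * rec_len is the check the vulnerable code path skipped: it trusted the
 * declared payload_length and copied that many bytes from the heap. */
int heartbeat_payload_ok(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    if (rec == NULL || rec_len < 1 + 2 + HB_MIN_PADDING)
        return 0;                                   /* cannot hold header + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;                                   /* unknown HeartbeatMessageType */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];   /* 16-bit big-endian length */
    /* header (1 + 2) + payload + at least 16 bytes of padding must fit the record */
    if (1 + 2 + declared + HB_MIN_PADDING > rec_len)
        return 0;
    if (payload_len) *payload_len = declared;
    return 1;
}

/* Build a heartbeat response that echoes only the validated payload.
 * Returns the number of bytes written, or 0 if the request is rejected. */
size_t heartbeat_build_response(const uint8_t *req, size_t req_len,
                                uint8_t *out, size_t out_cap)
{
    size_t plen;
    if (!heartbeat_payload_ok(req, req_len, &plen) || req[0] != HB_REQUEST) return 0;
    if (out_cap < 1 + 2 + plen + HB_MIN_PADDING) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + 3, req + 3, plen);                 /* bounded by the checked length */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);      /* padding content is arbitrary */
    return 1 + 2 + plen + HB_MIN_PADDING;
}

int main(void)
{
    /* constructed request: type 1, payload_length 3, payload "abc", 16 bytes of padding */
    uint8_t good[1 + 2 + 3 + 16] = {1, 0x00, 0x03, 'a', 'b', 'c'};
    /* constructed malformed request: declares 0xFFFF payload bytes but carries only 3 */
    uint8_t bad[1 + 2 + 3 + 16] = {1, 0xFF, 0xFF, 'a', 'b', 'c'};
    uint8_t resp[64];
    printf("well-formed: %zu bytes\n", heartbeat_build_response(good, sizeof good, resp, sizeof resp));
    printf("malformed:   %zu bytes\n", heartbeat_build_response(bad, sizeof bad, resp, sizeof resp));
    return 0;
}
```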

Heartbleed caused mass panic and was quickly labelled one of the worst security bugs in the internet’s history with information security pioneer Bruce Schneier stating in his blog, “Catastrophic is the right word. On the scale of 1 to 10, this is an 11.”

In an article written for CSO in 2014, security advisor Roger Grimes set out a three-step plan to help organizations gain control of their OpenSSL environments and mitigate the Heartbleed bug, adding “OpenSSL probably runs on 60% or more of the websites that offer HTTPS connections and is used for many other popular services that use SSL-/TLS-based protocols, like POP/S, IMAP/S, and VPNs. There’s a very good chance that if you can connect to an SSL-/TLS-based service and it’s not running Microsoft Windows or Apple OS X, it’s vulnerable.”

4. Shellshock remote code execution in Bash

Shellshock (CVE-2014-7169) is a bug in the “Bourne Again Shell” (Bash) command-line interface and existed for 30 years before its discovery in 2014, Trustwave wrote. “The vulnerability was considered even more severe than Heartbleed since it allowed an attacker to take complete control of a system without having a username and password,” the firm added. A patch was issued in September 2014 and Shellshock is currently deemed inactive, last seen in the “Sea Turtle” campaign of 2019 where hackers used DNS hijacking to gain access to sensitive systems.

Commenting in 2014, Daniel Ingevaldson, CTO of Easy Solutions said, “The exploitation of this vulnerability relies on bash functionality somehow being accessible from the internet. The problem with bash is that it’s used for everything. On a Linux-based system, bash is the default shell and anytime a web-enabled process needs to call a shell to process input, run a command (such as ping, or sed, or grep, etc.), it will call Bash.”

5. Apache Struts remote command injection and Equifax breach

Discovered in 2017, this critical zero-day vulnerability affected the Jakarta Multipart parser in the Apache Struts 2 web application development framework. “This vulnerability allowed remote command injection attacks by incorrectly parsing an attacker’s invalid Content-Type HTTP header,” the blog read. Months later, credit reporting giant Equifax announced that hackers had gained access to company data, potentially compromising sensitive information belonging to 143 million people in the U.S., UK, and Canada. Further analysis identified that attackers used the vulnerability (CVE-2017-5638) as the initial attack vector.

In September 2017, Adam Meyer, chief security strategist of threat intelligence company SurfWatch Labs said, “This particular data breach will impact a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud.” Trustwave deemed this vulnerability to be currently inactive.

6. Speculative execution vulnerabilities Meltdown and Spectre

In what it coined “Chipocalypse,” Trustwave cited the significant CPU vulnerabilities known as Meltdown and Spectre from 2018 in its next listing. These belong to a class of flaws called speculative execution vulnerabilities, which attackers can target to exploit the CPUs that run computers and gain access to data stored in the memory of other running programs. “Meltdown (CVE-2017-5754) breaks the mechanism that keeps applications from accessing arbitrary system memory. Spectre (CVE-2017-5753 and CVE-2017-5715) tricks other applications into accessing arbitrary locations within their memory. Both attacks use side channels to obtain the information from the targeted memory location,” the blog read.

Both vulnerabilities are significant because they opened possibilities for dangerous attacks. As outlined in a CSO article from 2018, “For instance, JavaScript code on a website could use Spectre to trick a web browser into revealing user and password information. Attackers could exploit Meltdown to view data owned by other users and even other virtual servers hosted on the same hardware, which is potentially disastrous for cloud computing hosts.” Thankfully, Trustwave stated that Meltdown and Spectre currently appear inactive with no exploit found in the wild.

7. BlueKeep and remote desktops as an access vector

Years before the move to mass remote working and the security risks that came with it, triggered by the COVID-19 pandemic in March 2020, cybercriminals were known to target remote desktops in attacks, exploiting RDP vulnerabilities to steal personal data and login credentials and to install ransomware. However, in 2019, the threat of remote desktops as an attack vector really came to the fore with the discovery of BlueKeep, a remote code execution vulnerability in Microsoft Remote Desktop Services. “Security researchers considered BlueKeep especially severe because it was ‘wormable,’ meaning attackers could use it to spread malware from computer to computer without human intervention,” Trustwave wrote.

Indeed, such was the severity of the issue, the U.S. National Security Agency (NSA) issued its own advisory regarding the issue. “This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”

Trustwave said BlueKeep is still active and found over 30,000 vulnerable instances on Shodan.

8. Drupalgeddon series and CMS vulnerabilities

The Drupalgeddon series consists of two critical vulnerabilities that are still considered active today by the FBI, according to Trustwave. The first, CVE-2014-3704, was discovered in 2014 and takes the form of an SQL injection vulnerability in open-source content management system Drupal Core which threat actors exploited to hack a massive number of websites. Four years later, the Drupal security team disclosed another extremely critical vulnerability nicknamed Drupalgeddon2 (CVE-2018-7600) that resulted from insufficient input validation on the Drupal 7 Form API and allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations. “Attackers used the Drupalgeddon2 vulnerability to mine for Monero cryptocurrency on servers with compromised Drupal installations,” Trustwave wrote.

In late 2014, Indiana’s Department of Education blamed the first Drupal vulnerability for an attack on its website which forced it to take its site down temporarily while the issue was addressed.

9. Microsoft Windows OLE vulnerability Sandworm

The penultimate vulnerability on Trustwave’s list is the Microsoft Windows Object Linking and Embedding (OLE) vulnerability CVE-2014-4114, detected in 2014. “The flaw was used in Russian cyber-espionage campaigns targeting NATO, Ukrainian, and Western government organizations, and firms in the energy sector,” the blog read. The vulnerability gained the moniker Sandworm due to the group of attackers that launched the campaign – the “Sandworm Team.” The vulnerability was deemed currently inactive by Trustwave.

10. Ripple20 vulnerabilities and the growing IoT landscape

Last on Trustwave’s list are the Ripple20 vulnerabilities that highlight the risks surrounding the expanding IoT landscape. In June 2020, Israeli IoT security company JSOF published 19 vulnerabilities collectively called Ripple20 to illustrate the “ripple effect” they will have on connected devices for years to come. “The vulnerabilities were present in the Treck networking stack, used by more than 50 vendors and millions of devices, including mission-critical devices in healthcare, data centers, power grids and critical infrastructure,” Trustwave stated.

As outlined by CSO in 2020, some of the flaws could allow for remote code execution over the network and lead to a full compromise of affected devices. The Ripple20 vulnerabilities remain active today, Trustwave said.

Vulnerabilities pose risks long after detection if orgs fail to patch

Trustwave cited the fact that several of the vulnerabilities on its list were detected almost a decade ago, yet many of them continued to pose risks long after patches and fixes became available. This suggests organizations:

  1. Lack the ability to track and log the various services running on a network.
  2. Struggle to vet and apply patches to assets without disrupting workflow.
  3. Are slow to react to discovered zero-days.

This is likely to take on greater significance given a sharp increase in zero-day exploits detected in 2021, Trustwave added.

Alex Rothacker, security research director at Trustwave Spiderlabs, tells CSO that organizations are constantly playing catch up to patch the latest vulnerabilities. “This is extremely challenging, especially for smaller organizations with limited or no dedicated staff. Even for larger organizations, there isn’t always a patch readily available. Take Log4j as an example. Most of the vulnerable Log4j versions are part of larger third-party software packages and many of these third-party vendors are still struggling to fully update their complex applications.”

What’s more, as time goes by, focus shifts to the next vulnerability, leading to older patches sometimes falling through the cracks, Rothacker adds. “The older a vulnerability, the more information is available about how to exploit it. This basically makes the vulnerability a low hanging fruit, requiring less skills for the attacker to take advantage of the known vulnerability. For sophisticated attackers, it is an easy target.”

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.