It seems like we were just recovering from the aftermath of the massive SolarWinds campaign a month or two ago. And now suddenly, it’s been a year since one of the largest cyber attacks in history and moving onto another threat that could last for years.

That just seemed to be how 2021 went — one hit after another for the cybersecurity community. We had everything from massive oil pipelines go offline, to state-sponsored actors raising the stakes, and (albeit on the less serious end of things) even saw the entirety of the Twitch streaming platform leaked.

There’s really no way to predict where threat actors will head in 2022, but we expect to still see big game hunting and ransomware to be on the rise. It’s worth looking back at some of the major security moments from 2021, though, to be prepared for what could come in the New Year.

January January
  • While the SolarWinds supply chain attack first came up in December 2020, we were still feeling the effects well into the start of 2021. At that point in time, there were still many questions left unanswered
  • The hunters became the hunted as cybersecurity researchers across the industry started to become targets of state-sponsored actors. Several Talos analysts were among those people targeted with malicious links and messages on social media with phony accounts seeking information.  
February February
  • We talked to a Lockbit ransomware operator to discuss their history with malware campaigns. This provided some valuable insight into the ransomware-as-a-service landscape and a rare first-hand account of how attackers choose their targets. 
  • The fileless malware trend started to heat up with the Masslogger trojan. This variant of the trojan specifically looked to steal login credentials for web browsers and other highly sensitive sites. 
  • Throughout 2021, we saw a trend of threat actors working for essentially whoever was the highest bidder. They weren’t exactly state-sponsored, going after other countries, but they also benefitted from the protection (or inaction) of the country they were based on. And then they’d just work for whoever happened to offer them money. Gamaredon’s evolution was our first sign of this.  
March March
  • Just as we were still unpacking SolarWinds, the HAFNIUM threat actor came along and stole headlines by targeting several zero-day vulnerabilities in Microsoft Exchange Server.  
  • “ProxyLogon,” one of the vulnerabilities disclosed as part of this campaign, was the most dangerous. An attacker could exploit it as part of a chain of vulnerabilities to eventually take complete control of the targeted server. Needless to say, that would be bad. 
April April
  • Despite vaccines for COVID-19 being widely available at this point in the year, there was still no signs of a return to the “normal” office. Workers continued to use collaboration apps like Slack and Discord to communicate, but attackers had adapted just as quickly, hijacking trusted servers to spread malware
May May
  • LemonDuck, which we first discovered in 2020, became more advanced. The malware started targeting vulnerable Exchange Servers with the aforementioned vulnerabilities and added Cobalt Strike to its arsenal.  
  • Remember the changes for Gamaredon? Turns out they weren’t the only threat actor to be not-quite-state-sponsored, but also not a standalone crimeware group just trying to fly under the radar. We finally gave these groups a name: “Privateers.” 
  • The DarkSide ransomware actors target Colonial Pipeline, the largest oil pipeline on the East Coast. Many states run out of gas at pumping stations in a few days, and those that do drive up the price. This wound up being a wake-up call for critical infrastructure in the U.S. 
June June
  • Weeks after the Colonial Pipeline attack, the DarkSide groups goes dark, taking down their payment portal and announcing they were going inactive. Eventually, the group would re-brand and return as BlackMatter. 
  • JBS, a massive meat distribution worldwide, is hit with a ransomware attack and eventually pays an $11 million extortion payment. Although no operations were affected, it does lead to consumers panic buying meat at grocery stores in the U.S. over shortage concerns. 
July July
  • Another month, another set of Microsoft zero-days. This time, attackers started exploiting what became known as “PrintNightmare,” a vulnerability in the Windows print spooler service.  
  • The Fourth of July holiday in the U.S. was far from time off for security researchers, who had to deal another supply chain attack. This time, they went after managed service provider Kaseya to infect victims with the REvil ransomware. 
    • PrintNightmare rears its head again, this time being exploited by the Vice Society ransomware group. Cisco Talos Incident Response discovered multiple organizations who had become victims of ransomware as a result of this technique. 
    • As internet-sharing applications become increasingly popular, attackers find ways to sneak scams in. These apps allow users to make a few cents off extra bandwidth they “loan” to other users, but there are bad guys abound, as our research found. 
      September September
      • A threat actor spoofs Amnesty International’s website to spread fake anti-virus software that allegedly removes the Pegasus spyware from mobile devices. Instead, it delivers malware and steals victims’ information. 
      • The ransomware-as-a-service soap opera begins another season when a disgruntled member of the Conti group leaks their playbook. This offered several insights into how Conti operates and opened a rare window into these groups. 
      • The Russian APT group Turla adds a new backdoor to its arsenal that essentially serves as a last-ditch effort to stay on victim machines. 
      October October
      • Talk about an unlikely duo — squirrels and waffles teamed up to become the next big player in the spam space. SQUIRRELWAFFLE was undoubtedly our cutest malware mascot this year, but that didn’t make it any less dangerous. 
      November November
      • In another round of zero-day vulnerabilities, Microsoft warns of active attacks targeting Windows Installer that could allow an attacker to elevate their privileges to admin. Meanwhile, the Exchange Server vulnerabilities are still being targeted elsewhere with Babuk ransomware
      • U.S. law enforcement arrests two individuals for their alleged involvement in the Kaseya supply chain attack as part of the REvil threat group. It also offers up a new $10 million reward for any information leading to the arrest of the leader of REvil. 
      • A massive $1 trillion infrastructure bill is signed into law in the U.S., opening up $2 billion in new cybersecurity funding. Local governments will be able to apply for grants in 2022 to bolster their critical infrastructure security and cybersecurity training. 
      • After an international law enforcement takedown of Emotet earlier in the year, the botnet shows signs of life.  
      December December
      • Talos discovers a series of malware campaigns from an actor we’re calling “Magnat.” The actor’s arsenal includes a fake Google Chrome browser extension. 
      • The Log4j vulnerability ruins everyone's holiday season, forcing defenders to work overtime and developers to patch, patch and patch again. For continued coverage of Log4j, check out Talos' blog.