In the twenty-first century, detailed descriptions and proofs of concept just aren’t enough to draw everyone’s attention to a vulnerability. You need a catchy marketing name, a logo, and an unavoidable bundle of memes on Twitter. All kinds of researchers, IT journalists, industry workers, and sympathetic users amuse each other with funny images all the time.
And in general, it’s actually useful: After seeing a meme, plenty of people read about what happened, and sometimes they even take steps to fix the vulnerability — or at least do what they can to avoid making the same mistake and getting featured in a new meme. Also, by considering the number of memes following another incident, we can get some idea of the extent of a problem. If we were to rely solely on memes to learn the latest news on cybersecurity, we would remember 2021 as being something like this:
January: WhatsApp privacy policy update
The year began with millions of WhatsApp users suddenly learning of an update to the service’s privacy policy. The result was a mass exodus to Telegram and at the suggestion of a famous doge breeder, to Signal, both of which noted significant audience growth. We think this meme sums up the situation with WhatsApp’s new privacy policy best:
Basically this is what Whatsapp is doing pic.twitter.com/3p7wZoEYl6
— Lekompo (@Onka_Shole) January 10, 2021
February: FootfallCam 3D Plus IoT cameras’ epic security breakdown
IoT device security is famously bad, but just when you think you’ve seen it all, some smart device manufacturers manage to surpass all expectations. This thread on Twitter explains it all (careful not to face-palm yourself too hard):
By the way, that little “nubbin” on the outside in the WLAN dongle. It’s just a standard Pi dongle literally painted white.
The device instantly crashes when you pull it out.
19/18 pic.twitter.com/0nc6fVo7QT
— OverSoft (@OverSoftNL) February 4, 2021
March: ProxyLogon vulnerability
In early March, Microsoft released patches for Exchange that addressed several serious vulnerabilities in the system. That’s a pretty common occurrence, but check out the catch: Attackers had been actively exploiting some of the vulnerabilities, reportedly since January or even earlier. By the time the patch was released, more than 30,000 organizations in the US had been hacked.
Poor kid #ProxyLogon pic.twitter.com/1MlUwBRUAU
— Florian Roth (@cyb3rops) March 10, 2021
April: Signal trolls Cellebrite
For those who don’t know, Cellebrite produces equipment for law enforcement agencies, enabling employees to hack into smartphones easily and conveniently and retrieve information of interest from them. That’s why the company holds a special place in the hearts of privacy advocates. In late 2020, Cellebrite announced its products were beginning to support Signal. In response, the Signal team published a study of vulnerabilities in Cellebrite software and used an unparalleled teaser to accompany it:
Our latest blog post explores vulnerabilities and possible Apple copyright violations in Cellebrite's software:
"Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app's perspective"https://t.co/DKgGejPu62 pic.twitter.com/X3ghXrgdfo
— Signal (@signalapp) April 21, 2021
May: Ransomware attack on Colonial Pipeline
A ransomware attack on the Colonial Pipeline, the largest US pipeline system moving petroleum products, disrupted gasoline and diesel supplies along the southeast coast of the country. The incident sparked a lot of discussion about how to protect such businesses, and the company’s announcement of a search for a new cybersecurity manager went viral on social media, with the comment “They probably have a decent budget now.”
They probably have a decent budget now pic.twitter.com/ptUDOgHjZN
— Justin Elze (@HackingLZ) May 12, 2021
June: Congressman accidentally publishes e-mail password and PIN
US Congressman Mo Brooks, a member of the US House Armed Services Committee, and specifically of a subcommittee dealing with cybersecurity, made an unusual contribution to popularizing secure password storage. Using his personal Twitter account, he posted a photo of his monitor along with a sticker that had his Gmail account password and a PIN code on it. Talk about playing the classics! The tweet hung around for several hours and went viral. Although Brooks finally deleted it, it was too late:
https://twitter.com/Josh_Moon/status/1401678401946243073
July: PrintNightmare vulnerability
Researchers seem to have mistakenly published on GitHub proof-of-concept attack using CVE-2021-34527 and CVE-2021-1675 vulnerabilities in the Windows Print Spooler. Fearing that attackers would quickly adopt the published method, Microsoft rolled out an urgent patch without even waiting for Update Tuesday. Moreover, even outdated Windows 7 and Windows Server 2012 were patched. The patches didn’t solve the problem completely, however; some printers stopped working after it was installed.
That’s one way to remediate #PrintNightmare pic.twitter.com/HjRs579cJM
— TechxSigil☣️ (@techxsigil) July 25, 2021
August: Black Hat and DEF CON
August was pretty quiet by 2021 standards. Of course, a few incidents proved worthy of immortality-by-meme, but perhaps the most memorable was the suffering of BlackHat and DEF CON regulars, who under COVID-19-related restrictions could not make it to Las Vegas this year.
https://twitter.com/Djax_Alpha/status/1423741831968342016?s=20
September: OMIGOD vulnerability
Microsoft Azure users suddenly discovered that when they selected a range of services, the platform installed an Open Management Infrastructure agent on the virtual Linux machine while creating it. That would not be so scary if (a) the agent did not have long-known vulnerabilities, (b) the clients were notified about the agent installation, (c) OMI had a normal automatic-update system, and (d) exploitation of the vulnerabilities was not so easy.
#OMIGod #Azure #OMIAgent #CVE202138647 pic.twitter.com/2CDDuCF2ty
— Florian Roth (@cyb3rops) September 16, 2021
October: Facebook removes itself from the Internet
A major Facebook outage made October truly memorable. According to emergency responders’ reports, an update rendered Facebook’s DNS servers unavailable over the Internet. As a result, users of the social network and of a number of the company’s other services, including Facebook Messenger, Instagram, and WhatsApp, were unable to log in for more than six hours. While they were using alternative networks and other messaging apps (overloading them) to complain, wild rumors were circulating around the Internet — such as that company administrators could not get to the servers because their access system was tied to Facebook.
Mark Zuckerberg fixing the WhatsApp, Instagram and Facebook crash #instagramdown pic.twitter.com/3yoVhyYdM7
— Kr$hna (@Obviously_KC) October 4, 2021
November: Fake Green Passes
In fact, the validated forgeries of European digital vaccine certificates that made a lot of noise appeared at the end of October, but the main wave of general surprise came in November. What happened: the fake Green Passes became available for sale on the Internet — and as examples, sellers showed certificates for Adolf Hitler, Mickey Mouse, and SpongeBob SquarePants. Judging by the recent news, the problem of the spread of counterfeit Green Passes is still relevant.
As of Thursday morning Eastern time, Adolf Hitler and Mickey Mouse could still validate their digital Covid passes, SpongeBob Squarepants was out of luck, and the European Union was investigating a leak of the private key used to sign the EU’s Green Pass vaccine passports. pic.twitter.com/kdpJmfp3WX
— astig0spe (@astig0spe) November 5, 2021
December: Log4Shell vulnerability
Almost all of December passed under the sign of Log4Shell, a critical vulnerability in the Apache Log4j library. The widespread use of this library in Java applications made millions of programs and devices vulnerable. The Apache Foundation released several patches, and researchers found ways to circumvent the countermeasures several times. Within days of initial publication, botnets began scanning the Internet for vulnerable programs, and ransomware authors took advantage of the vulnerability. So many successful Log4Shell-themed memes appeared that someone even created a compilation website.
https://twitter.com/secbro1/status/1469328495847346177
Let’s hope that next year will be a lot calmer. Happy New Year to you, dear readers!