#CyberSecurityReport2021H2: Log4Shell, the vulnerability that has exposed the software’s reliance on altruistically maintained libraries and their enormous security impact.

Telefónica Tech's Innovation and Laboratory Area    17 March, 2022

There are many reports on security trends and security summaries, but Telefónica Tech wants to make a difference. The Innovation and Lab team has just launched our own report on cybersecurity that summarises the highlights of the second half of 2021. The philosophy behind, is to offer a global, accurate and useful overview of the most relevant facts and data on cybersecurity and is designed to be easily used by both professionals and amateurs in a simple and visually appealing way.

The aim of this report is to summarise the cyber security information of the last few months, adopting a perspective that covers most aspects of the discipline, in order to help the reader, understand the risks of the current landscape. The information gathered is largely based on the compilation and synthesis of internal data, cross-checked with public information from sources we consider to be of high quality. Here are a few points that we believe to be particularly important.

News highlights

One of the most remarkable news not only for the second half of the year, but for the whole year, came in December. The bug in the Java log processing software, log4j, suffered a critical vulnerability that was not patched. From this point on, there was a relentless search for projects containing this library, new forms of exploitation, patches that were not complete, new vulnerabilities found… It was an obstacle course as attackers incorporated these vulnerabilities into their set of attack tools.

This failure opened up an interesting debate: up to what point can such widely used, ubiquitous and relevant software be maintained on the free time of a single person? This incident made us think about the role of open-source software in the industry, how vendors use it freely but do not all provide support to its creators in return, which creates a very unbalanced dependency that can later turn against them: the software will inherit potential bugs introduced by the developer.

Fuente: https://xkcd.com/2347/

Mobile Security

The second half of 2021 ended with 250 CVEs or vulnerabilities fixed for Android, 29 of them critical, very similar figures to previous semesters.

However, many of these flaws affect the software or firmware of particular manufacturers, which means that the same vulnerability does not necessarily affect the entire Android device fleet, but only those with the affected components.

For Apple iOS, the second half of 2021 closed with 120 patched vulnerabilities, 40 of which are considered high-risk, with the possibility of executing arbitrary code. Some of them affect the core of the system itself.

In this report you will find a summary of the main conclusions that can be drawn from the report that Apple publishes on the data requested by governments, which ones and to what extent the requests are met by 2020.

We can highlight that Spain is the country that has made the most requests for account information due to fraud in 2020.

OT Security

Telefónica Tech believes that it is essential to have a holistic vision of security that incorporates industrial environments. For this reason, we have internally developed the Aristeo project: a network of industrial decoys that use real OT devices to confuse attackers and extract the necessary information to generate intelligence that strengthens our clients’ defences.

More information: https://aristeo.elevenlabs.tech

In our OT threat analysis, we have been able to verify the truth of the statement that criminals are the ones who know the legislation and the reality of society best. As an example of this reality, we can see in the following graphic how, as soon as the omicron variant appeared, certain types of attacks in the OT area related to the increase in teleworking increased.

Access full report

Leave a Reply

Your email address will not be published. Required fields are marked *