Here is a list of top vulnerabilities found since 2015, which I am still working on to compile them together. It will come from different sources and includes those which I believe it is worth taking a note here.
2018
- Jan 3, Spectre and Meltdown vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
- Jan 29, Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
- Mach 20, Facebook’s privacy scandal – The Guardian revealed that the personal data of 50 million Facebook profiles was illegally harvested by Cambridge Analytica.
2017
- Feb 17, CloudBleed – Google vulnerability researcher Tavis Ormandy discovered a bug in the internet infrastructure company Cloudflare‘s platform caused random leakage of potentially sensitive customer data.
- March 7, Wikileaks CIA Vault 7 – WikiLeaks published a data trove containing 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools.
- April, Shadow Brokers (A hacking group, stole NSA data) / EternalBlue (Released by Shadow Brokers, which alleged NSA tool)
- May 12 , WannaCry – Ransomware :WannaCry searches for and encrypts 176 different file
types and appends .WCRY to the end of the file name. It asks users to pay a US$300 ransom in
bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days it claims the encrypted files will be deleted.
- June, Petya / NotPetya / Nyetya / Goldeneya – Ransomware , which is more advanced than WannaCry. Hit Ukraninian infrastructure hard.It spreads rapidly across an organization once a computer is infected using the EternalBlue vulnerability in Microsoft Windows
- Sep 7, Apache Struts : Equifax data breach was confirmed to be a vulnerability in Apache Struts. The security flaw (CVE-2017-5638), which was patched last March, allowed attackers to gain unauthorized access to data via remote code execution.
- Oct 3, 3 billion Yahoo user accounts were hacked by 2013 security breach, which make yahoo tops the list of largest ever data breaches
- Oct 16, Krack : Key Reinstallation Attack (KRACK) is a proof of concept that exploits vulnerabilities in the Wi-Fi Protected Access 2 (WPA2) protocol.
- Nov 28, Major macOS High Sierra Bug Allows Full Admin Access Without Password
Here is another good review for 2017 security threats from youtube video 2017 Security Threats | Year in Review | WEBINAR. I have watched it and made some notes in the following points:
- Q1. The Botnet Menace , Zeus and Conflicker, Mirai (IoT) and Pushdo (SpamBots)
- Q2. WannaCry, Locky, H-Worm (Houdini Worm)
- Q3. SMB, Petya (Ransomware)
- Q4. AAEH New Hope, Apache Struts Remote Code Execution, Necurs Botnets, H-Worm
2016
- February, Israel breached the US Department of Justice’s database.
- March, Cyber criminals stole $81 million from Bangladesh’s central bank through a series of transfers from its account at the Federal Reserve Bank of New York.
- June, ‘Peace’ came to prominence after data on millions of LinkedIn, Tumblr and Myspace users was made available online.
- September, Krebs site hit with DDoS attack measuring in at between 620 and 655 Gbps.
- September, Yahoo suffers from massive data breach
- October, Dyn DDoS Attack
- November, AdultFriendFinder.com gets attacked once more
- December, Hackers Stole a Billion Yahoo Accounts on a 2013 hit.
2015
- January, A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function.
- March, All Major browsers hacked
- April, Obsolete NPAPI extension blocked in Chrome
- June, hard-coded default SSH keys were found in Cisco’s security appliances
- July, Vulnerabilities discovered in the Stagefright media playback engine that is native to Android devices could be the mobile world’s equivalent to Heartbleed.
- October, SHA-1 Collision
2014
- April, OpenSSL heartbleed vulnerability
- September, ShellShock
- December, Misfortune Cookie – 12 MILLION HOME ROUTERS VULNERABLE TO TAKEOVER
References:
- 2016年网络安全大事记
- 2017年网络安全行业大事记(最全完整版)
- 2017 Security Threats | Year in Review | WEBINAR
- The Biggest Cybersecurity Disasters of 2017 So Far
- 2017’s Notable Vulnerabilities and Exploits
- The unconventional list of top security events in 2015
- The 10 biggest security incidents of 2016