Top Trends that Shaped the Cybersecurity Threat Landscape in 2021
The year 2021 was a wild year in the cybersecurity space. As companies rushed to adapt to pandemic-inspired changes, cybercriminals found new ways to capitalize on remote and hybrid models. Above all, threat actors became faster than ever as around 648 cyberattacks were observed every minute. As a result, organizations incurred a loss of $1.79 million per minute in 2021. Let’s have a look at the trends that shaped this year’s cyber threat landscape.

Ransomware evolves

2021 was a big year for ransomware. Despite authorities’ crackdowns on several ransomware gangs, this particular breed of malware proved to be much like Hydra, the multi-headed monster of Greek mythology - and all signs indicate that it is not easing up anytime soon.

Earlier this year, the Federal Bureau of Investigation (FBI) disclosed that there are more than 100 active ransomware gangs busy targeting American businesses, schools, and other organizations. The disclosure came at a time when the world saw some of the biggest ransomware attacks to date, on Colonial Pipeline and on Kaseya, the latter affecting over 1000 organizations.

Extortion payments hit a new record this year, with threat actors’ earnings increasing by 42% (approx. $590 million) in the first half alone, with major gains made by the REvil, Conti, DarkSide, Avaddon, and Phobos ransomware operators. The get-rich-quick mindset of cybercriminals even gave birth to a never-seen-before Python-based ransomware that compromised systems in less than three hours from the start of the attack.

Unfortunately, this time the ransomware ecosystem did not stop at locking up victims’ files. Operators extended it to many other inventive ways of monetizing their illicit business.

Extortion model expands

Following the success of the double extortion tactic in 2020, the first half of the year witnessed a disturbing triple extortion threat that involved putting pressure on third parties linked to a victim organization. Threatening victim organizations with DDoS attacks became another effective extortion tactic as Avaddon, HelloKitty, and BlackCat, among other ransomware groups, added it to their arsenal. In other trends, Emsisoft warned about a new double-encryption threat that stemmed from two ransomware strains being deployed on the same victim, and DarkSide became the first ransomware operation to formally announce that it would leverage a company’s stock price as part of its extortion strategy.

RaaS model takes a new approach

One of the biggest drivers behind the continued success of ransomware is the adoption of the Ransomware-as-a-Service (RaaS) model. After DarkSide’s attack on Colonial Pipeline, all topics related to ransomware were banned on many underground forums. As a result, operators chose to go private to recruit affiliates without disclosing their purpose. Some ransomware gangs such as LockBit and Himalaya created their own websites to promote their RaaS operations. 

Ransomware takes aim at zero-day flaws

The upsurge in ransom payouts has made ransomware gangs greedier than ever. They are now rich enough to afford zero-day exploits worth $10 million, and this is something organizations must consider before paying a ransom when attacked. In Q3, ransomware attackers expanded their attacks by exploiting a dozen new vulnerabilities, taking the number of vulnerabilities linked with ransomware to 278 (4.5% higher than in Q2 2021).

Rebranding/renaming comes into vogue

This year, many ransomware families such as Nemty, MountLocker, and DoppelPaymer went through a rebranding process and were renamed Karma, AstroLocker, and Grief respectively. Although not new, this approach remains popular among ransomware gangs as a way to evade detection while continuing to issue and collect ransom demands.

Malware and other associated threats 

Not only did ransomware remain at the forefront of cybersecurity concerns, but the cyber threat landscape also witnessed significant upheaval in malware attacks in 2021. For the first time, malware dubbed Siloscape was observed targeting Windows containers. Moreover, over 13 million malicious attack attempts were made against Linux cloud environments to spread web shells, coin miners, and other malware in the first half of 2021. 

Besides this, network defenders and security analysts also had a tough time dealing with some notorious malware families and attack methods.

TrickBot-Emotet malware duo rises from the ashes

The notorious TrickBot-Emotet duo made a powerful comeback despite the takedown attempts by law enforcement agencies between October 2020 and January 2021. Since its re-emergence, TrickBot has amassed 140,000 victims across 140 countries. Toward November, Emotet too showed signs of survival as it upgraded its features. To make things worse, it again joined hands with its long-time partner in crime, TrickBot, to launch more ransomware attacks in the future.

Cobalt Strike becomes a popular crimeware

Malicious use of Cobalt Strike remained a high-volume threat in 2021, as researchers recorded a 161% year-on-year increase in cyberattacks using the tool. Cybercrooks used the tool to deliver malware, exfiltrate data, and evade security defenses. Adding more pain for victims, a Linux and Windows re-implementation of the Cobalt Strike Beacon named Vermilion Strike was also used heavily against organizations worldwide.

A surge in mobile malware activity

Hidden apps remained the most active mobile threats this year. FluBot and Joker were among the predominant malware families that used sneaky tactics, such as fake apps and fake security updates, to target Android users. Joining this pair was a new trojan named Cynos.7.origin that targeted over 9 million devices by posing as 190 gaming apps on Huawei’s official app store. However, one of the most worrying developments was the Pegasus spyware, which snooped on several high-profile activists, lawyers, journalists, and political figures worldwide. The attack was carried out by exploiting a zero-click vulnerability on iPhones.

The growing risk of supply chain attacks

While the massive SolarWinds supply chain attack of 2020 is still fresh in memory, cybercriminals inflicted more damage with many such attacks in 2021. In mid-July, the European Union Agency for Cybersecurity (ENISA) warned about the rising trend of such attacks, forecasting four times more software supply chain attacks this year than in 2020. The agency also noted that more than 50% of the supply chain attacks experienced in the past 18 months emanated from nation-state threat actors such as Lazarus, Thallium, TA413, and TA428, among others.

Software supply chain insecurity looms

Attacks on Kaseya and Codecov took the whole cyber world by surprise. While the Kaseya hack was pulled off by exploiting a zero-day vulnerability in the VSA tool, the Codecov breach occurred after threat actors altered the platform’s Bash Uploader script. As a result, at least 1000 businesses across 17 countries were affected by the Kaseya attack and hundreds of clients were compromised in the Codecov attack.

An uptick in the malicious use of software repositories 

Bad actors proactively moved upstream to wreak havoc by infiltrating popular open-source software repositories. In one such incident, two well-known npm packages with nearly 22 million downloads were found to have been infected with password-stealing malware. Researchers also discovered new supply chain attack methods - Dependency Confusion and ChainJacking - that can be executed through software packages.

New vulnerabilities increase the scope of attacks

For the fifth year in a row, the volume of newly discovered security vulnerabilities hit a new record, with the U.S. CERT’s National Vulnerability Disclosure logging more than 18000 flaws this year. Moreover, the CISA highlighted the nightmare of improper patch management by releasing a list of roughly 300 known vulnerabilities that were exploited in the wild. Among those most heavily exploited in 2021 were vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet products.

Let’s take a look back at this year’s vulnerability disclosures that are likely to make an impact in the future.

ProxyLogon and ProxyShell fuel many attacks

Exploits for the ProxyLogon and ProxyShell flaws created a whole new attack surface for threat actors. Hafnium was the first of many threat actor groups to abuse the ProxyLogon flaw, compromising at least 30,000 organizations in the U.S. and hundreds of thousands worldwide. Despite the release of patches to address the flaw, cybercriminals were quick to work around the fix, and this led to a new set of vulnerabilities dubbed ProxyShell.

Log4j: A new threat that continues to wreak havoc

Just when organizations were bracing for a new year, a new critical vulnerability in the form of Log4Shell came knocking at the door to wreak havoc. The flaw exists in the widely used Java logging library Apache Log4j, which, like much open-source software, is embedded deep down the supply chain. It is currently being exploited in the wild to distribute ransomware, botnet malware, and cryptominers. With attackers making over a hundred attempts to exploit the flaw every minute, the risk to organizations increases manifold.

Rowhammer returns with a new SMASH attack

This year, researchers demonstrated three new versions of Rowhammer attacks that pose threats to systems using DDR4 memory chips. Called SMASH (Synchronized MAny-Sided Hammering), Half-Double, and Blacksmith, these attack methods circumvented the mitigations introduced to address previous Rowhammer attacks. The new attack methods can affect browsers and smartphones.

Atlassian Confluence flaw caught in mass exploitation

On August 25, Atlassian issued a security advisory for a remote code execution flaw affecting its Confluence server. However, several organizations failed to patch the vulnerability in time, and this attracted more attacks. Some of these attacks enabled threat actors to install cryptominers and ransomware.

Threat actors continue to evolve their tactics

Throughout the year, threat actors bombarded the security landscape with one major attack after another, proving once again that the global threat landscape is worsening as TTPs grow more sophisticated. Microsoft warned of the evolution of six Iranian hacking groups that used ransomware, data exfiltration, and supply chain attacks as a means to sabotage their targets and generate revenue. These included Charming Kitten, Curium, and DEV-0343, among others. Moreover, Russian ransomware gangs were found attempting to collaborate with Chinese counterparts, which indicates more sleepless nights for security teams in the coming years. Meanwhile, the Nobelium APT group’s campaign continued as it expanded its attack scope this year.

Besides, some old threat actors rose to prominence by adding new tricks up their sleeves.

Lazarus updates its supply chain attack capabilities

The Lazarus APT updated its malware arsenal with a new version of the DeathNote malware in an effort to build up its supply chain attack capabilities. The malware cluster was used in two attack campaigns targeting a South Korean think tank and a Latvian IT asset-monitoring tool vendor. This year, the hacking group also ramped up its evasion techniques, leveraging fake job offers and BMP images to pull off dangerous attacks against the defense industry and security researchers.

Evil Corp dons many names to hide itself

Despite the arrest of many of its members, Evil Corp continued to reign this year, as was evident from its rebranding tactics to evade US sanctions. It switched its identity to PayloadBIN, REvil, Macaw Locker, and Hades ransomware to successfully monetize its criminal endeavors. Meanwhile, the group’s most famous tool, Dridex, remained an active threat globally.

Conti gang on an attack spree

The Conti gang raked in over $25 million in just four months, from July to October. The gang became very active in the second half of the year, with researchers observing data from more than 10 victims being posted in a single day. This attack spree ultimately prompted the CISA, FBI, and HHS to issue flash alerts and advisories for organizations globally.

Conclusion

The cyber threat landscape has evolved drastically in 2021, especially since the COVID-19 pandemic began. With a variety of malware and attack techniques at their disposal, threat actors have become more pervasive than ever and are casting a much wider net to ensnare more victims. As we wait and watch how the threat landscape unfolds in 2022, it is important that organizations brace for future attacks by leveraging real-time actionable threat intelligence, security automation, and integrated threat response.

Publisher: Cyware