The first six months of 2021 saw a significant increase in the volume and sophistication of attacks targeting individuals, organisations, and increasingly critical infrastructure. This is not just more of the same. Cybercriminals have upped their game, and they represent an existential threat for many organisations.
By Derek Manky, chief: security insights and global threat alliances at Fortinet’s FortiGuard Labs
Even governments and law enforcement agencies have taken notice. The ransomware attacks on Colonial Pipeline and JBS, following on the heels of the SolarWinds supply chain attack, impacted millions of people. And the supply chain attack against Kaseya VSA, an MSP, changed the game even further as it resulted in downstream customers also being impacted.
In response, the White House announced a cross-government task force to develop and coordinate defensive and offensive measures against ransomware. Solutions being discussed range from revising cybersecurity regulations to updating security infrastructures to offering rewards for identifying threat actors. INTERPOL held its first global forum on ransomware, and an international action plan is being developed as a result of the recommendations from global experts from this forum. In addition, organisations that focus on information and intelligence sharing—such as the World Economic Forum’s Centre for Cybercrime (C4C) and the Cyber Threat Alliance (CTA)—are increasingly working with industry, government, and law enforcement agencies.
They key takeaway is that everyone has a role. Organisations are encouraged to support these efforts wherever possible and join the partnership efforts. In addition to adopting new guidelines, they should look to partner with cybersecurity vendors that participate in industry alliances and work closely with government agencies and law enforcement, as they allow us to further align our forces to defeat our cyber adversaries.
Now more than ever, everyone has an important role in strengthening the kill chain. Aligning forces through collaboration must be prioritised to disrupt cybercriminal supply chains. Shared data and partnership can enable more effective responses and better predict future techniques to deter adversary efforts.
Ransomware – cyber threat landscape insights
According to the mid-year Global Threat Landscape Report from FortiGuard Labs, ransomware has grown a staggering more than tenfold over the past 12 months. Revenue generated from ransomware is driving most of this criminal activity, and it is being fueled by the growth of Ransomware-as-a-Service (RaaS). And some operators have now branched by selling access to corporate networks that have already been compromised, making it that much easier for novice criminals to get involved.
Over the past six months, organisations in the telecommunications sector have been the most heavily targeted, followed by government agencies, managed security service providers, and the automotive and manufacturing sectors. Numerous high-profile attacks crippled sectors of critical importance, impacting daily life, productivity, and commerce. These include the Colonial Pipeline attack that disrupted oil and gasoline distribution across the East Coast of the US, the JBS Foods attack that led to concerns about a global meat shortage.
It’s not just the volume of ransomware attacks that has increased. The attacks themselves are evolving too. Cybercriminals have been adding levels of extortion to get victims to pay. This includes combining encryption with doxing (the threat of publicly exposing internal data), adding a DDoS attack to create additional confusion and panic, and now, reaching out directly to a victim’s customers and stakeholders so they will put further pressure on the victim to pay.
Cyber threat landscape insights of botnet activity spiking in the first half of 2021
Another threat trend documented in this report has been the increase in the volume of botnet attacks. Unlike many threat indicators that only see potential threats in the wild, botnet activity looks at organisations that have been compromised. And the percentage of organisations detecting botnet activity jumped from 35% to 51% in the first six months of 2021.
This has been led by a new surge in the use of TrickBot, which was taken offline in 2020 but came back on the radar in mid-2021, not as prolific as before. While initially designed as a banking trojan, Trickbot has become a sophisticated, modular, and multi-stage toolkit supporting a range of illicit activities. But the most prevalent botnet is one that every security professional is aware of—Mirai. It has continued adding new cyberweapons to its arsenal. Its dominance partially stems from criminals seeking to exploit IoT devices used by WFA or remote-learning individuals. And Gh0st continues to play a significant role in botnet activity as well.
Attackers widen the net to include remote workers and on-premises systems
Last year, many attackers shifted resources from enterprise infrastructures to home networks and consumer-grade products to exploit the recent work-from-anywhere (WFA) phenomenon. And while they continue to target those remote workers, they have now aggressively returned to targeting the corporate network as well, hitting IT teams from both sides. Top IPS detections, for example, show cybercriminals have also returned to targeting corporate web servers and content management and application development platforms (CMS).
In addition, ranking the prevalence of top malware detections by malware families shows a rise in deceptive social engineering malvertising and scareware. More than one in four organisations detected malvertising or scareware attempts with Cryxos being a notable family. Although, a large volume of the detections are likely combined with other similar JavaScript campaigns that would be considered malvertising. The hybrid work reality has undoubtedly encouraged this trend in tactics by cybercriminals as they attempt to exploit it, aiming for not just a scare but also extortion. Increased cybersecurity awareness is important as ever to provide timely training and education to help avoid falling victim to scareware and malvertising tactics
OT is prime time for attackers
Operational Technology’s connection to our physical world means that a cyber disruption can impact lives in a way that an IT attack never can. There has been steady growth in threat actors identifying OT vulnerabilities and building them into exploit tools they sell on the dark web. The result is that script kiddies are now nearly as likely to find and exploit your exposed OT devices as the handful of advanced groups that explicitly focus on targeting unprotected and unpatched ICS. This puts your OT systems at increased risk just due to the growing volume of attacks alone.
In addition, when looking at ransomware activity across sectors it is also clear to see the danger ransomware is attempting to inflict on OT environments. Several of the top sectors are operational technology industries. From automotive and manufacturing, to energy and transportation.
Cyber threat landscape insights to better protect your organisation
While government and law enforcement agencies have taken actions relative to cybercrime in the past, the first half of 2021 could be a game-changer in terms of the momentum for the future. They are working with industry vendors, threat intelligence organisations, and other global partnership organisations to combine resources and real-time threat intelligence to take direct action against cyber adversaries.
Some results of this cooperation was the coordinated takedown of Emotet, one of the most prolific malware operations in recent history, and the disruption of the Egregor, NetWalker, and Cl0p ransomware operations which represent significant wins by global governments and law enforcement to curb cybercrime. Also, the US Department of Justice (DOJ) sent a strong message when they charged a NetWalker affiliate.
Regardless, organisations need to take a proactive approach with real-time endpoint protection, detection, and automated response solutions to secure environments along with a zero-trust access approach, network segmentation, and encryption. In addition, automated threat detection and AI remain essential to enable organisations to address attacks in real time and to mitigate attacks at speed and scale across all edges. As these network edges explode, consistent security and connectivity enabled through SD-WAN will be vital to protect the expanding attack surface.
In addition, cybersecurity user awareness training is as important as ever with anyone being a target of cyberattacks. Everyone needs regular instruction on best practices to keep individual employees and the organisation secure.