Kathy Gibson reports – South Africans can look forward to more advanced persistent threats (APTs) in 2022, driven by economic growth in the region.

This is according to Maria Garnaeva, senior security researcher at Kaspersky, who adds that South Africa – along with Nigeria and Kenya – has seen an increase in cyberthreats overall this year.

At the same time, the traditional self-propagating malware more widely seen in the past is decreasing as new and more targeted threats take their place.

So, although there was a decline in mass cyberattacks (down 7,5% in Nigeria, 12% in South Africa and 28,6% in Kenya), the region is seeing the introduction and popularisation of new cybercrime models.

Phishing attacks in South Africa are up 43% in the first half of 2021 compared to last year, and Garnaeva predicts that attackers will continue to exploit the pandemic in the new year.

Ransomware attacks are also seeing rapid increases, up 23% in Q2 over Q1 with 12 000 attacks taking place in South Africa during the first half of the year.

A new ransomware trend, Garnaeva explains, is double extortion, where attackers ask a ransom for returning data as well as for keeping it out of the public domain.

“We have seen South African organisations fall victim to double extortion this year.”

Going forward, Garnaeva believes attacks will become more disruptive, causing more damage either through deliberate action or as collateral damage, and will take place over a bigger attack surface than ever before.

“There is no stopping cybercriminals in terms of consequence,” she adds.

A new trend for injecting ransomware into organisations, in addition to the traditional phishing emails, is through vulnerable devices exposed on the Internet, Garnaeva adds.

“Initially this was a specific feature for some APT actors, but the ransomware gangs have adopted it.”

This attack method uses vulnerable SSL-VPN devices to enter the organisation’s network.

“The logical prediction is that there will be increased targeting of networking devices, since it is a very efficient attack vector,” Garnaeva says.

New cybercrime tools are becoming more targeted along with a long-running trend where malware creators rely not on the technical advantage of their technologies over security protection, but on the human factor.

This has stimulated the evolution of phishing schemes in 2021 – particularly a wave of “anomalous” spyware attacks, Garnaeva says.

A typical phishing spyware attack begins when attackers infect a victim by sending them an e-mail with a malicious attachment or a link to a compromised website, and ends when the spyware is downloaded and activated on the victim’s device. Having gathered all the necessary data, the operator usually ends the operation by attempting to leave the infected system unnoticed.

In the anomalous attacks, however, the victim’s device becomes not only a source of data but also a tool for spyware distribution. Having access to the victim’s email server, the malware operators use it to send phishing emails from a legitimate company’s email address.

Garnaeva explains that, in this case, the anomalous spyware uses one organisation’s server both to collect data stolen from another organisation and to send further phishing emails.

“The anomalous spyware attacks have a huge potential for growth in South Africa, Kenya and Nigeria in 2022, because unlike regular spyware the entry level for attackers who wish to employ this tactic is significantly lower – since instead of paying for their own infrastructure, they abuse and employ the victims’ resources,” she says.

“We see that cheaper attack methods have always been on the rise in the region and cybercriminals quickly pick up on new tactics. Kaspersky therefore suggests that in the nearest future, these countries should be prepared for such attacks.”

Although the raw numbers are down, mass-scale attacks are not disappearing but rather transforming. Garnaeva also reports on a mass-scale and pervasive fake installer campaign, in which fake pirated-software sites serve up malware as a service.

The scheme usually starts with a user searching for a free version of popular legitimate software. The cybercriminals offer them a fake installer using a “black SEO technique” – abusing legitimate search engines so that the fraudulent websites are ranked first in the results.

When the fake installer is executed, a few dozen malware samples are downloaded and installed with the goal of turning the infected device into part of the Glupteba botnet.

Garnaeva warns that the fake installer campaign and its botnet have been extremely active in South Africa in 2021 and continue to evolve.

“While the Glupteba botnet seems to be a threat for consumers, we are still researching it and keeping an eye on its behaviour, since some of the distributed malware resembles APT-related samples, like those of the Lazarus APT group, and was recently used in the largest DDoS attack in Russia,” she says.

“It is too early to say it with a high level of confidence, but these factors may suggest that we are now entering the era where APT actors start to use existing malware distribution platforms which makes an attribution of such attacks harder and opens a new vector similar to supply chain attacks.”