At the start of any year, we are often looking ahead to what is coming in the year ahead. Dusting off the crystal ball can be pure folly in many cases; however, in cybersecurity we have datacenters full of data, combined with impressive analytics tools, that make predictions a far cry from your typical tarot card reading or astrology reading focused on Saturn’s retrograde.
Ransomware’s Thorn Digs Deeper
The threat landscape regarding ransomware has evolved at a staggering pace. Initially, the malware targeted home users, encrypting documents and media files the victim would want to keep and not lose, resulting in extortion attempts of a few hundred dollars; the malware would look to infect as many separate machines as possible in a spray-and-pray approach.
Then businesses began to be targeted, and the now infamous Ransomware-as-a-Service (RaaS) model emerged. The ability for malware developers to hand off the initial access and the encryption of data on fully mapped-out networks soon produced the most devastating form of malware yet seen. Ransom demands of a few hundred dollars jumped into the thousands, then into the millions. To further turn the screws on victims, data would be stolen and then auctioned off to the highest bidder if the ransom was not paid in time, and sometimes even if the ransom was paid. This became known as the double extortion tactic. Further, victims were chosen in highly targeted ways, and attacks relied heavily on human involvement, the hacker in these cases, to quietly do reconnaissance and encrypt data when they were least likely to be discovered, doing the most damage.
Given the amount of negative attention ransomware gangs got as a result of the Colonial Pipeline incident, and the subsequent successful attempts by law enforcement agencies to hamstring ransomware operations and seize assets, it is believed that the RaaS model has reached its peak. Now, hacker forums ban ransomware gangs from posting and advertising new opportunities to potential affiliates. This means that in the coming year we are likely to see ransomware gangs become smaller, close-knit organizations with only a few trusted members carrying out attacks. The threat posed by ransomware is by no means diminished, however, and the job of tracking down ransomware gangs may become much harder for law enforcement.
With Ransomware Comes Cyber Insurance
Given the sheer number of high-profile ransomware cases, cyber-themed insurance packages to cover the cost of paying the ransom were all but an inevitability. Due to demand for these packages, they soared in price and customers had to fork out more for their premiums. In part, this also saw a rise in regular insurance policies taken out for cyber-related incidents, designed to cover the cost of remediation for cyber attacks or data disaster recovery. Many of the providers now raising costs had been applying outmoded insurance models and were hit financially as a result. Some providers raised the cost of policies by some 25% to prevent further losses.
This trend of soaring insurance costs is expected to continue into 2022. For that reason, we advise readers to treat cyber insurance as a double-edged sword. Policies are certainly a must-have for many, if not all, organizations, as the costs associated with remediation have been known to cause businesses to close their doors. The big “but” is that cybercriminals will specifically look for organizations with insurance policies and target them, as they feel it is easier to extort a payday from insured organizations.
APT Groups and Zero Days
In 2021 there were 66 disclosed zero-days, those being vulnerabilities in hardware or software unknown to vendors that can be exploited to run malicious code or bypass authentication measures. Given the current geopolitical situation among the powers of the US, China, and Russia, in 2022 we can expect more zero-days to be uncovered as a result of malicious attacks by advanced persistent threat (APT) groups.
This trend is expected to be driven by several factors, including the new law passed by the Chinese Communist Party that requires any Chinese citizen who finds a zero-day vulnerability to pass the details to the Chinese government and not to sell or give the knowledge to any third party outside of China (apart from the vulnerable product’s manufacturer). The law came into effect in September 2021, and security researchers believe that this will enable Chinese APT groups to develop exploits for discovered zero-days in record time. Some expect the time scale for exploit development to drop from days to hours, leaving system administrators very little room to defend their networks. This increase in zero-day discovery by potentially malicious actors is also bad news for those defending ICS/SCADA infrastructures.
Further, it is expected that Russia will continue to be a leading actor against the US, Ukraine, and other nations. Given the above-mentioned law, combined with deteriorating relationships between China, the US, and other Asian countries, expect Chinese attacks to grow in volume and aggression as hostilities rise over technology bans, financial pressures, and diplomatic boycotts of the upcoming Winter Olympics.
Cloud Everything and the Remote Work Paradigm
What started as a necessity to keep businesses open during COVID-19-related lockdowns has now continued for two years, and remote working continues to give security teams migraines. This has been further exacerbated by the dramatic shift of organizations to a Cloud-First or Cloud “Everything” approach.
Regarding remote work, we feel remote work policies are still inadequate to combat the very likely exploitation by an attacker. This is primarily because the increasingly dense overlay of connected devices, apps, and web services used in our professional and private lives will grow the connected home’s attack surface to the point that it raises significant new risks for individuals and their employers. The growing functionality of both home and business devices, and the fact that these devices connect more than ever before, exacerbates this threat.
Adding to corporate security woes, there is going to be a steady increase in remote work and hybrid work models, meaning many of us are using these at-risk connected devices more than ever. By compromising the home environment, malicious actors could potentially launch a variety of attacks on consumer and corporate devices, leading to PII / credential stuffing attacks and identity theft. The drive towards cloud computing solutions to fill in the infrastructure gaps caused by remote work can leave another attack vector open to exploitation. Cloud APIs and weak authentication schemes will become an increasingly dominant target for attackers, along with improperly configured virtual machines and cloud-native applications deployed in containers.
Social Media Weaponization
Social media has undoubtedly changed how we communicate with each other and how advertisers interact with us, whether wanted or unwanted. It has also provided a handy tool for threat actors to gain information and an avenue for attack. It is predicted that this year high-profile accounts linked to celebs and CEOs will come under renewed attack, with attackers seeking to compromise an account with possibly millions of followers and leverage that fame to carry out a scam.
Already we have seen the Twitter profiles of the likes of Elon Musk used to promote crypto-themed scams. This is done either by complete account compromise or by creating fake but believable profiles. This trend can be expected to increase, as APT groups have also twigged that our need for followers can be weaponized to spread disinformation.
Application Container Exploitation
Containers for cloud-based applications have fast become the de facto norm for many enterprises looking for application portability, efficiency, and deployment speed. The downside to this rapid adoption is that the attack surface available to attackers has increased proportionally. Security researchers have already discovered three major risk factors that each impact a different portion of the container’s virtual infrastructure.
The first risk is posed to the orchestration layer, where the attacker looks to take advantage of misconfigured API settings that allow for compromise. The second risk is related to the malicious backdooring of the image or registry. Lastly, it is feared the new year will bring more attacks on possibly vulnerable container applications themselves. These three fears are likely to result in increased malicious crypto-mining, data theft, complete application takeover, and more digital spaces for attackers to maintain persistence on compromised containers.
API Security: The New Security Frontier
Application Programming Interfaces (APIs), a term that may first have been thrown around as a marketing buzzword, have certainly changed how we interact with software. This change was greatly facilitated by the move towards cloud solutions. Threat actors were quick to realize that this interaction between user and software vendor allowed for the sharing of a treasure trove of data. The hunt for misconfigured APIs began in earnest a few years ago and is only likely to increase as we rely more and more on these interfaces for daily operations.
Whether it is a misconfigured API, an API used as an attack entry point, or an API assisting in a supply chain attack, the hardening of APIs will be increasingly important for cyber security professionals.
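As an added example (not the article’s own code), the following Python places a weak API authentication scheme of the kind the article warns about, a static key in the query string, beside a hardened request-signing scheme: a per-client secret, an HMAC over the method, path, timestamp, nonce and body, a freshness window, and a replay cache. The header names, client identifier, secret and timestamps are assumptions chosen for the illustration.

```python
"""Weak versus hardened API authentication. Added example; the header names,
client ids, secrets and timestamps below are constructed for the illustration."""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 300  # assumption: tolerated clock skew for a signed request


# --- Weak scheme: a long-lived static key in the URL ---------------------------
def weak_authenticate(query_params: dict, valid_keys: set) -> bool:
    # The key rides in the query string, so it lands in proxy and server access
    # logs, and any captured request can be replayed indefinitely.
    return query_params.get("api_key") in valid_keys


# --- Hardened scheme: sign each request, bound to time and a one-time nonce ---
def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> str:
    """What both sides sign: the request identity plus a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(client_id: str, secret: bytes, method: str, path: str, body: bytes,
                 timestamp=None, nonce=None) -> dict:
    """Client side: return the headers to send alongside the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: per-client secrets plus an in-memory replay cache (assumption:
    a single server; a shared cache would be needed behind a load balancer)."""

    def __init__(self, secrets_by_client: dict, now=time.time):
        self._secrets = secrets_by_client
        self._seen_nonces = {}  # nonce -> time after which it may be forgotten
        self._now = now

    def verify(self, method: str, path: str, body: bytes, headers: dict) -> tuple:
        now = self._now()
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t > now}
        secret = self._secrets.get(headers.get("X-Client-Id"))
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > WINDOW_SECONDS:        # old captures are useless
            return False, "stale request"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self._seen_nonces:   # same request twice
            return False, "replayed nonce"
        msg = canonical_string(method, path, ts, nonce, body).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # constant-time comparison; any change to method, path or body breaks it
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self._seen_nonces[nonce] = ts + WINDOW_SECONDS  # only valid nonces are remembered
        return True, "ok"


def demo():
    """Constructed exchange: a good request, its replay, and a body tampered in transit."""
    secret = b"constructed-demo-secret"
    fixed_now = 1_700_000_000
    verifier = Verifier({"svc-billing": secret}, now=lambda: fixed_now)
    body = b'{"amount": 10}'
    headers = sign_request("svc-billing", secret, "POST", "/v1/charges", body,
                           timestamp=fixed_now, nonce="n1")
    first = verifier.verify("POST", "/v1/charges", body, headers)
    replay = verifier.verify("POST", "/v1/charges", body, headers)
    tampered = verifier.verify("POST", "/v1/charges", b'{"amount": 9999}',
                               {**headers, "X-Nonce": "n2"})
    stale = verifier.verify("POST", "/v1/charges", body,
                            sign_request("svc-billing", secret, "POST", "/v1/charges", body,
                                         timestamp=fixed_now - 1000, nonce="n3"))
    return first, replay, tampered, stale


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the nonce is only recorded after the signature verifies, so an unauthenticated caller cannot fill the replay cache with junk, and the freshness window bounds how long the cache has to remember anything.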