From the Perspective of Team Cymru's S2 Analyst Team
As we charge towards another new year, we decided to pulse our threat intelligence team (@teamcymru_s2) for their views on what they perceive to be the biggest developments in cyber security over the past twelve months. Whilst this blog is a retrospective of recent events, it is also written with one eye on 2022 and how it is felt the threat landscape may evolve over the forthcoming year (because as everyone knows such things are directly linked to the Gregorian calendar).
1.) Ransomware (and everything else -as-a-Service)
This wouldn’t be a cyber security blog if we didn’t mention ransomware. But in all seriousness, the stakes have been raised during 2021. Gone are the days when your Grandma was the average ransomware victim, this year we saw the targeted double jeopardy approach of encrypting your files AND stealing yourdata explode. Due to the ‘as-a-Service’ model also taking off we’re seeing more criminals on the scene than ever before, willing to extort money from anybody, but the bigger the target the better. These criminals have shown an ability to adapt (re-emergence of Emotet) and despite the public displays of remorse, do not possess a moral compass. Operations like Conti and LockBit have been at the forefront of changes to threat actor modus operandi, with an explicit purpose to make their victims suffer more and we are genuinely concerned about where this takes us next.
2.) A rise in the use of Offensive Security Tools (OST)
Talking about changes to threat actor modus operandi provides a nice segue into our second subject. And, in similarity to ransomware, this would not be a security blog if we did not mention Cobalt Strike. Even the aforementioned Emotet group have jumped directly on this particular bandwagon. We have learned a lot this year about changes to the ‘reconnaissance’ phase of financially motivated attacks. In our own investigations we have observed attackers beaconing from networks 7-10 days before ransomware is deployed. The use of a tool like Cobalt Strike allows attackers to blend into a more general pool of noise, but we would be remiss to think that this is where the evolution ends. If 2021 has taught us anything, it is that attackers are evolving more quickly than ever. Nation State actors have been using Offensive Security Tools (OST) for several years, so it seems logical for criminal actors to follow suit. In this age of ‘partners’ and ‘affiliates’, it makes complete sense for a criminal ‘as-a-Service’ operation to use a public, ready-made tool as it allows them to focus their efforts on expansion rather than development. We noted with particular interest the cases of the NSO Group (Pegasus) and Candiru, as the type of toolsets which are now making their way into the criminal eco-system.
3.) The Time to Weaponize
2021 was book-ended with two perfect examples of this subject – HAFNIUM and Log4j. In the case of the Microsoft Exchange Server vulnerabilities associated with HAFNIUM, from our investigations, these had already been weaponized and utilized not only by Nation State actors, but also criminal actors BEFORE Microsoft released details of the vulnerabilities publicly on 2 March. How was knowledge of this vulnerability shared? The Log4j vulnerability has similarly been jumped on and targeted by a plethora of threat actors all over the globe. We feel this is driven by more than just opportunism – are actors emboldened by a lack of fear of reprisal? In the midst of a feeding frenzy, how do we in the cyber security community identify who are the real sharks? Although not strictly a 2021 subject, the SolarWinds compromises truly exposed the impact of attacks on the supply chain. We can’t just look after number one anymore, we must be conscious of the entire external attack surface of our organizations, which includes third party vendors. How we respond to the reporting of critical vulnerabilities is more important than ever.
4.) WFH / Targeting of Researchers
We decided to group these two subjects together as they fit into a general point around how our personal threat postures may need to evolve moving forwards. Reports of various ‘attacks’ against Security Researchers, often including traditional social engineering techniques, over the past year have made us question our own interactions and personal online footprints. In a world where ‘working’ is trending towards the remote / online space, how do we continue to collaborate with confidence? Outside of this particular threat, how do we as a community evolve more generally with regards to work-from-home and all the new risks that might present to organizational security? The Covid-19 pandemic has taught us all a lesson that in most cases we don’t need a superior physically watching over us to ensure the world keeps turning, organizations are going to see opportunities for savings by not spending on bricks and cubicles. SOHO (Small Office, Home Office) routers are already being targeted by Nation State actors as an attack vector (See ANSSI reporting on APT31). We expect SOHO to become a more commonplace acronym over the coming years.
5.) Blockchain / Crypto
We feel like 2021 was the point of no return for blockchain entering our everyday lives. Public awareness has been on the increase for a number of years, but has really exploded in the recent past, with the ‘ease of access’ greatly improved through the development of applications and platforms designed for everyday use. Whilst a lot of financially motivated crime has become more nuanced and targeted, will attacks on blockchain technologies, with its influx of new users, fill the void for the opportunistic, indiscriminate threat actor (for example crypto-jacking)? How else might blockchain technologies be harnessed by threat actors? One article of note from the past year (https://www.akamai.com/blog/security/bitcoins–blockchains–and-botnets) highlighted a case of the use of Bitcoin transactions as a means of hiding a backup command and control IP address. Is it possible to create ‘unblockable’ infrastructure by using the blockchain?