Cybercrime in 2021 burrowed to new depths, costing companies millions more than in 2020. Known threats increased and new, more sophisticated blended attacks surfaced. Remote working conditions contributed, at least in part, to the evolution of cyberattacks throughout the year.
Companies swiftly adopted new technologies choosing to skip rigorous vetting processes. Employees used a mix of personal and company-owned devices from their home networks, significantly increasing the number of devices connecting to internal company resources.
Many organizations considered the risks but didn’t quite anticipate the outcome.
A 2021 U.K. study of hybrid work environments that examined the impact on network security exposed an alarming trend among workers. The hasty transition to remote work, according to IT security leaders, was fraught with noncompliance — with 31% saying employees ignored security measures, and 28% of IT security leaders reporting employees had disabled or circumvented security measures in some way.
Poor work-from-home security practices were a contributing factor, but weren’t solely responsible for opening doors for cybercriminals. Understaffed IT security teams tackled serious software vulnerabilities to defend against a growing list of increasingly sophisticated threats.
Apache Log4j flaw
Threat actors actively targeted the Log4j flaw, which was present across personal and commercial devices and systems. Widespread use of the Apache Log4j logging library meant hundreds of millions of devices were at risk of complete system takeover until an urgent security patch could be applied.
Brute-force attack on remote desktop credentials
A ransomware group launched a brute-force attack against Microsoft Windows Remote Desktop Protocol (RDP) credentials to gain access to victim networks and deploy Ranzy Locker ransomware. Known Microsoft Exchange Server vulnerabilities were targeted with phishing campaigns in some cases. The end result was the same: Criminals found and copied files containing personal and financial information before encrypting them.
Ranzy Locker ransomware double extortion tactics have also evolved to include a new demand. Once ransom is paid for the decryption key, criminals threaten to leak stolen data online unless they are paid a second sum. Ranzy Locker is particularly troublesome because it is a ransomware-as-a-service (RaaS) tool that can be leased by any criminal group willing to pay. Recent attacks were so severe the FBI issued a flash warning detailing ransomware gangs’ activities and indicators of compromise.
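As an added example that is not part of the original article, the following Python checks a sample of Windows Security events for the RDP brute-force pattern described above: many failed logons (event 4625, logon type 10 for RemoteInteractive) from one source address within a short window, followed by a successful logon (4624) from the same address. The flattened log format, account names and addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of flattened Windows Security events (not real output):
# timestamp, event ID, logon type, account, source address.
SAMPLE_LOG = """\
2021-10-12T02:14:03 4625 10 administrator 203.0.113.7
2021-10-12T02:14:05 4625 10 administrator 203.0.113.7
2021-10-12T02:14:06 4625 10 admin 203.0.113.7
2021-10-12T02:14:08 4625 10 backup 203.0.113.7
2021-10-12T02:14:09 4625 10 jsmith 203.0.113.7
2021-10-12T02:14:11 4624 10 jsmith 203.0.113.7
2021-10-12T09:01:00 4625 10 jsmith 198.51.100.20
2021-10-12T09:01:40 4624 10 jsmith 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (4624|4625) (\d+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, user, ip) for well-formed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, eid, ltype, user, ip = m.groups()
            yield datetime.fromisoformat(ts), int(eid), int(ltype), user, ip

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "users": [...], "success_after": user|None}}
    for each source exceeding `threshold` RDP failures inside `window`."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...] within window
    alerts = {}
    for ts, eid, ltype, user, ip in parse(log_text):
        if ltype != 10:            # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            # keep only failures that fall inside the sliding window
            failures[ip] = [(t, u) for t, u in failures[ip] + [(ts, user)]
                            if ts - t <= window]
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "users": [], "success_after": None})
                alerts[ip]["failures"] = len(failures[ip])
                alerts[ip]["users"] = sorted({u for _, u in failures[ip]})
        elif eid == 4624 and ip in alerts:
            # a success right after a burst of failures is the strongest signal
            alerts[ip]["success_after"] = user
    return alerts
```

Password spraying across several accounts from one address, as in the sample, shows up in the `users` list; a populated `success_after` marks an address that should be treated as a likely compromise rather than a mere attempt.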
Ransomware gangs raise the stakes
In an attempt to compel more victims to pay ransom, the RagnarLocker ransomware gang employed a new tactic. The group announced it would publish victims’ stolen data immediately if law enforcement was involved or if victims had received professional help to mitigate the situation. This criminal network is notorious for using reconnaissance to find highly valued files and storage devices inside victim networks before manually deploying ransomware to encrypt or delete the data.
In 2021, the Conti ransomware gang extorted millions of dollars and stole terabytes of high-profile data. Ireland’s Health Service Executive (HSE) took its healthcare services offline as a precaution and diverted patients after being attacked by the group. The ransomware reportedly encrypted 80% of HSE’s environment, including patient electronic health records (EHR). Conti demanded $20 million in exchange for the decryption key, threatening to publish 750 GB of private data if the ransom was not met. The criminal group later provided a decryptor for the data free of charge but vowed to sell 700 GB of data since the ransom was never paid. The attack had both immediate and long-term effects on the hospital system, with recovery efforts lasting four months. The Irish healthcare system has spent $48 million on recovery efforts, with the total cost projected to reach $100 million.
Multistage business email compromise (BEC) through video meetings and deepfakes
Criminals have incorporated virtual meetings into their workflow. They use virtual meeting platforms to listen in on company meetings, gather information about daily business activities, and trick employees into completing wire transfers to fraudulent accounts. The FBI Internet Crime Complaint Center (IC3) reported three common tactics:
● Hijacked accounts for reconnaissance: Attackers compromise employee email accounts to join virtual meetings and collect information about company business operations.
● Spoofed emails for fraudulent wire transfers: Cybercriminals impersonate high-ranking executive and director-level accounts, sending fake emails in order to request wire transfers. The imposter emails employees, claiming to be busy with a virtual meeting and thus unable to handle the transfer themselves.
● Impersonating C-levels with deepfake audio: After compromising a high-ranking executive or director’s email account (CEO or CFO), the criminals invite employees to a virtual meeting. The imposter uses a still image of the CEO without audio, or uses deepfake audio, claiming the video or audio isn’t functioning. The attackers then use the virtual meeting platform’s live chat feature to request a wire transfer. Some criminals use a compromised high-level email account to send a follow-up message after the video meeting.
What lies ahead
Cyberattacks will continue to cause destruction, disruption, and financial damages. Organizations of all sizes were ensnared by sophisticated cyberattacks in 2021, and the trend will continue. Attacks will include familiar tactics alongside new blended methods for maximum damage and financial gain.
Phishing will continue as a primary attack vector across industries, with these tactics being adapted to avoid detection and thus reach more victims. A new attack method now uses malicious QR codes to evade security tools.
Multistage phishing attacks will increase too. Text messages, social media direct messaging, and team collaboration tools (e.g., Microsoft Teams, Slack, or Discord) will remain popular channels for phishing attacks that trick victims into sharing login credentials and two-factor authentication (2FA) verification codes.
Supply chain attacks two ways
Software supply chain attacks, similar to the SolarWinds attack of 2020, are expected to increase. Threat actors target trusted systems to access source code and distribute malware. Managed service providers and remote monitoring / automation services remain high-value targets since they maintain access to clients’ critical systems.
Physical supply chain attacks are expected to increase as well. These attacks have directly impacted food supplies. Brazilian meat processor JBS S.A. was hit by a cyberattack in 2021 leading it to close its facilities in nine U.S. states.
Ransomware is profitable and expected to remain a popular attack method. Victims in 2021 suffered a record $49.2 million in losses from ransomware attacks. As criminal groups exploit software vulnerabilities to gain access to important systems for organizations of all sizes, real-world operations will be halted, compelling victims to pay ― as with the ransomware attack on managed service provider Kaseya.
The healthcare sector is particularly vulnerable to ransomware attacks because large amounts of personal data are routinely used and stored. Providers also tend to use older devices and lack dedicated IT / security personnel for network management. For instance, the Hive ransomware group stole personally identifiable information (PII) and 400 GB of data from a Partnership HealthPlan of California file server. Similar attacks will continue in this target-rich environment.
Linux and macOS in the crosshairs
Linux-based malware is on the rise, and Linux remains a popular target for ransomware, trojans, rootkits, and cryptominers. Malware authors are also reaching more machines by porting Windows malware to run on Linux systems.
In addition, Apple macOS has been targeted with malware, some of which has been ported from Windows to run on macOS. macOS-specific malware has also targeted operating system vulnerabilities. macOS malware is expected to increase due to the platform’s growing popularity with malware developers.
Botnets for stealing cryptocurrency and launching DDoS attacks
Botnet attacks increased 41% in the first half of 2021 alone. Commanding 1.6 million devices, the Pink botnet, reportedly the largest botnet observed in the wild, is used to launch distributed denial-of-service (DDoS) attacks and inject unwanted advertisements.
The MyKings botnet is used to steal massive amounts of cryptocurrency ― either by installing a malicious cryptominer or clipboard stealer trojan on the victim computers. The group has reportedly stolen at least $24.7 million.
The Mirai botnet has resurfaced. Threat actors are actively exploiting a Java vulnerability to install Mirai malware on unpatched servers. A Mirai botnet is used for a variety of malicious attacks, including ransomware, DDoS, and malicious cryptominers.
Trojans and worms
Trojans and worms will continue targeting Linux and Windows. In 2021, HolesWarm malware exploited security vulnerabilities in both operating systems. Over 1,000 servers were affected, particularly those in cloud environments.
The modular Trickbot trojan remains very active. Microsoft researchers recently discovered how the Trickbot trojan uses internet of things (IoT) devices in its command-and-control infrastructure to attack MikroTik routers. Trickbot attackers compromised devices by using known default passwords, brute-forcing others, and exploiting a flaw in the router’s operating system.
Application programming interfaces (APIs) are increasingly vulnerable to attack, and businesses are more reliant on APIs than ever before. Attackers use APIs in unintended ways to find vulnerabilities in data storage and retrieval processes (business logic attacks).
The Tesla autonomous driving module was infiltrated through a flaw in a logging tool that monitors energy consumption and location history. The hacker used the module’s API to lock and unlock car doors and windows as well as enable keyless driving. Threat actors will continue attacking APIs to gather personal data, steal money, and wreak havoc.
Data breaches abound
Data breach reports increased 68% in 2021 compared with the previous year, and the trend is expected to continue. Complex IT environments filled with untracked assets pose a significant threat to an organization’s data security since this offers attackers multiple entry points. Legislation such as the EU General Data Protection Regulation can help encourage improved data hygiene and systems security, but many organizations struggle to track data storage locations and methods.
Attacks on cryptocurrency exchanges and currency owners will continue. Cryptocurrency crimes increased significantly in 2021. Illicit cryptocurrency wallets received a record $15 billion in payments compared with $7.9 billion the previous year. Overall usage has gone up 567% compared with the previous year. Cryptocurrency adoption for legitimate use and its increasing value makes it an attractive form of payment. Money laundering schemes, scams, and wallet thefts are expected to increase as well.
Planning for an uncertain future
A 2021 study found a majority of cyberattacks were financially motivated, as they have been year over year. Data — your data — is a highly valued commodity, not because of the price it commands when sold on the dark web, but because of how important it is to you.
Protecting your data from compromise requires a proactive approach to mitigate the effects of an attack on your systems and potentially save your business from ruin. Data backup is good, but modern cyberattacks target backups by either encrypting or deleting the data. A reliable data backup and recovery plan will ensure backups are stored in a separate location away from the rest of the network. Deploying a range of dedicated tools from multiple vendors might meet your business’ needs for each tool, but working with multiple vendors can introduce unnecessary IT complexity into your environment.
Perimeter defense alone isn’t enough to protect against many modern cyberattacks. Acronis Cyber Protect (includes Acronis Cyber Backup) uses machine learning algorithms to proactively block ransomware attacks. The Acronis behavior-based detection engine examines current behaviors and blocks threats from propagating throughout the corporate network, regardless of malware type. Offering multilayered, next-generation protection against zero-day exploits, Acronis Cyber Protect (includes Acronis Cyber Backup) vulnerability assessment and patch management give you peace of mind that your workloads are up to date, minimizing the overall attack surface. From a central console, it eliminates the need for multiple tools to maintain and protect your most important asset: your data.
Suitable for businesses of all sizes, Acronis Cyber Protect (includes Acronis Cyber Backup) is an all-in-one antivirus, anti-malware, and backup software solution offering you the cyber protection you need to keep your network, devices and data secure. Register for your free trial today.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 1,800 employees in 45 locations. The Acronis Cyber Protect Cloud solution is available in 26 languages in over 150 countries and is used by 20,000 service providers to protect over 750,000 businesses.