2021 presented diverse cyber security challenges and it’s clear that the pace of change shows no sign of slowing.
In this blog post, we discuss the key security issues of the last year and explore what this could mean for 2022.
With the continuous exploitation of vulnerabilities which took place in 2021 likely to continue in 2022 and beyond, organisations can benefit from conducting tabletop exercises using some of the scenarios presented below.
The increase in ransomware activity is no longer limited to new entrants. In 2021, we observed many established criminal groups and threat actors adding RaaS (Ransomware as a Service) to their services.
Operational Technology (OT) systems will continue to be targeted in 2022 by threat actors. To protect OTs and prevent adversaries from gaining a foothold in a network, organisations should strengthen their essential security controls to reduce an attacker’s ability to traverse, degrade visibility and isolate the breach to the affected device.
In 2021, malware authors demonstrated their ability to develop novel infection chains, such as IcedID, abusing misconfigured email gateways behind webforms. We foresee that in 2022, threat groups like those behind IcedID will be looking for new avenues to introduce malware into corporate environments, as organisations invest in inline email and network defence tooling.
Vulnerabilities were a major factor in the threat landscape of 2021, with a record-breaking 20,000+ CVEs logged. We observed a drop in many vulnerabilities’ time to weaponization – the time it takes from a vulnerability being discovered to tooling being developed to exploit it.
Earlier in 2021, the ProxyLogon suite of vulnerabilities was initially exploited by a limited group of threat actors, but after Microsoft publicly disclosed details of the vulnerability and released a patch, mass exploitation began the next day. We anticipate similar scenarios this year, in which the speed of patching matches the cadence of the threat actor’s ability to weaponize. Wargaming with tabletop exercises to test emergency patching cycles and playbooks will put organisations in good stead to respond to such vulnerabilities.
Vulnerabilities impacting network edge applications present a great risk, as do those which impact devices on the local network. Should these vulnerabilities be found in 2022, we can be fairly sure that advanced and coordinated actors such as Conti will look to exploit them.
The Internet of Things (IoT) also remains a viable target for threat actors. We expect that, as more security researcher attention focuses on IoT, organisations managing deployments of IoT devices will have to move quickly to mitigate risk.
This year, cyber defenders will need to contend not just with newly discovered vulnerabilities but also continued exploitation of unpatched vulnerabilities from previous years. In July 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory covering the most commonly exploited vulnerabilities targeting Edge networking devices and applications with remote code execution flaws. Some of the most commonly exploited vulnerabilities had patches made available in 2018!
Over the course of 2021, we observed an increase in threat actors targeting organisations in order to take advantage of employees working from home. The shift to remote working has increased the risk of downloading and installing commodity malware onto devices. Emotet, which was disrupted at the start of 2021, but made a resurgence in the last quarter with the help of Trickbot operators, now poses a significant threat to organisations once again. We are observing that the Emotet botnet now has over 150 active distribution URLs and 60 active command and control (C2) servers.
Last year, the Cobalt Strike penetration testing toolset remained one of the most commonly deployed post-exploitation frameworks favoured by attackers to achieve their objectives. We anticipate that Cobalt Strike will continue to be favoured by threat actors throughout 2022.
In 2021, the Redscan Applied Intelligence team reported on several instances of law enforcement agencies taking down criminal groups, a trend that we hope will continue into 2022. We also noted the exploitation of firmware and UEFI by malware strains, used by threat actors to persist across reboots and machine rebuilds while remaining undetected.
In 2021, this capability was tested by the developers of the TrickBot malware. Using this capability could significantly increase the difficulty and time to recover from a malware infection for defenders. We predict that threat actors will begin to use this capability in more widespread campaigns.
Last year, we also continued to see a rise in the distribution of malware written in the ‘Go’ programming language (Golang). Threat actors are adopting Go because of the difficulty in detecting malicious properties in it. We expect to see more Golang-based malware in 2022.
When targeting an organisation in order to gain a foothold within a network, adversaries look for misconfiguration on devices and applications. Remote Desktop Protocol (RDP) is a common target for adversaries aiming to attack on-premise systems and those in the cloud.
RDP is easy to misconfigure and leave exposed to the internet, leading to more lenient firewall or access management rules being applied to RDP hosts. We predict with high confidence that the exploitation of misconfigured or insecure implementations of services and applications directly connected to the internet will continue, as it provides threat actors a simple, low-cost method of accessing a corporate environment.
Looking ahead to 2022
We anticipate that the general trends discussed above will continue in 2022. Learn about the key steps organisations can take in response in our recent blog post sharing cyber security tips for 2022 from the Redscan and Kroll team.
Our Applied Intelligence Team continually integrate the latest threat intelligence into our ThreatDetect™ Managed Detection and Response (MDR) service to ensure clients are protected from current and emerging cyber threats.
Find out more about ThreatDetect