The cybersecurity landscape in 2021 was full of serious, far-reaching changes. Though businesses are getting more adept at using the cloud, so are attackers. Ransomware has evolved to use multiple levels of extortion and is having major impacts across all sectors of industry. Nation-state actors are not only targeting valuable information, but compromising the software supply chain to expand their reach.
These changes in the cyber landscape might deter you from embracing innovation, but they shouldn’t. Secure digital transformation is still possible. However, it requires awareness of the risks associated with new technologies as well as critical thinking about the lessons learned over the last year and what they mean for the future.
Here’s our take on the risks that took center stage in 2021 and the must-haves for enterprise security.
Attacks Specifically Designed to Target Cloud Infrastructure
Moving to the cloud makes sense for many businesses due to the cost, flexibility, and scalability advantages. It is important for you to put security at the foundation as you embrace the cloud, however. Attackers know that businesses are increasing their cloud adoption, and are therefore zooming in on cloud technologies as well.
TeamTNT is a clear example of this. The threat group is responsible for a range of attacks, targeting multiple cloud technologies and platforms. Their attack tactics include compromising misconfigured Kubernetes clusters, using compromised AWS and Google Cloud credentials, and developing Linux-based fileless malware in order to install cryptocurrency mining software on cloud infrastructure. Even though cryptocurrency mining campaigns have been a mainstay of the threat landscape, TeamTNT has been broadening the reach of such attacks and adapting them to the modern cloud.
This is not a reason to not move into the cloud: for many businesses, the benefits of cloud adoption far outweigh the risks. However, it is a reason to make sure that you have a plan to secure your operations in the cloud. That includes documenting and securing your deployments and configurations as well as frequently testing your cloud footprint in order to harden it against these attacks and others that arise in 2022 and beyond.
The Evolution of Ransomware
Ransomware perennially tops the list of cyber threats, but in 2021, it became clearer than ever that ransomware is about more than just being shaken down for a few hundred, or even a few thousand, dollars in exchange for a decryption key. With the evolutions we saw this year, robust backups are no longer enough to stem the threat of ransomware.
Modern ransomware attackers are more sophisticated. They perform network reconnaissance. They exfiltrate data and threaten large-scale data leaks. They threaten denial of service attacks. And, they are demanding million-dollar ransoms in return for not making good on these threats.
Ransomware gangs have turned up their pressure on critical infrastructure and services firms in particular. DarkSide stole approximately 100 GB of data from Colonial Pipeline, which preemptively shut down its entire gasoline pipeline system and paid a ransom worth $4.4 million in cryptocurrency. Leading meat processing firm JBS USA halted its US plants for a day and paid approximately $11 million in cryptocurrency as ransom after an attack from the REvil gang. Though JBS is the biggest food processing firm to make the headlines after a ransomware attack, smaller agricultural cooperatives are also suffering ransomware attacks. Enough critical infrastructure and services firms are being targeted by ransomware that CISA issued an October 2021 warning about ransomware.
Ransomware is also disguising itself as updates. Attackers targeted IT services firm Kaseya, specifically their VSA remote management software, using an authentication bypass in the web interface to gain access and push a fake Kaseya update to clients. That fake update contained REvil ransomware.
Governments around the world have taken actions against these ransomware actors. There have been two separate takedowns of the REvil group, as well as charges and asset seizures against key REvil actors. However, ransomware attackers do not disappear when their systems go offline. They regroup, they evolve, and they return.
This underscores the importance of monitoring the cyber landscape, and continuously making sure that your business is ready to confront threats as they grow and change. Ransomware is not going away. But, if you are proactive about strengthening your defenses, you are less likely to fall victim to an attack.
The Broad Spectrum of Nation-State Attacks
Financially motivated ransomware attackers are not the only ones who may target your business. Nation-states, and organizations closely tied to nation-states, are actively performing cyberespionage campaigns against government agencies and private businesses that have access to sensitive or valuable information.
The scale and goals of nation-state attacks can range from very specific strategic information gathering to much broader ambitions. Iran-linked groups, for example, are focusing on Office 365 accounts belonging to companies that produce radars, drones, and satellites, or are involved in Persian Gulf shipping. Another example is the Russian “Ghostwriter” campaign, which performed a combination of cyberespionage and disinformation in the Russian interest. Pegasus spyware was used by nation-states against individual activists, journalists, and people close to rival leaders.
Despite these varying attacks, they all point to several security lessons. Your business needs to perform comprehensive risk assessments that cover important aspects such as data classification, network exposure, and compensating controls and business risk, and keep a regularly updated asset inventory. Then, you should ensure that security measures are properly aligned with the risk levels that accounts, devices, and networks have access to, all with the goal of preventing unauthorized access.
Software Build Security Takes Precedence
A specific nation-state attack underscored the importance of actively securing the software build process as part of your security program. In an attack against network monitoring vendor SolarWinds, an actor believed to be associated with the Russian government put malware into an update for SolarWinds’s network monitoring software Orion, giving them a foothold at any agency or company that applied the malicious update. Organizations like Microsoft, Intel, Cisco, the Department of the Treasury, the Pentagon, and the Cybersecurity and Infrastructure Security Agency were compromised.
If your company provides software or devices to customers, then your software build process is crucial to both your own security and the trust of clients and customers. In order to prevent your product from becoming an attack vector, as SolarWinds became, your security practices need to cover your software build procedures and supply chain: are your developers producing secure code? What external frameworks, components, and libraries does your application use? How is it all being compiled, packaged, and deployed? Answering these questions lets you identify and strengthen weaknesses, and adopt more secure procedures that help you reach both security and business goals.
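One concrete control behind the "what does your application use, and how is it packaged" questions above is pinning every third-party component to a known digest and refusing to build when a fetched artifact does not match. The following is an added example written for this article, not code from Security Compass Advisory or from any of the vendors named here; the package names, versions, and artifact bytes are constructed, and the manifest format simply imitates pip's `--hash=sha256:` requirement lines. It also shows the failure modes a build gate should catch, not just the happy path: a tampered artifact, an entry that was never pinned, and a dependency the fetch step did not return.

```python
import hashlib
import re

# Constructed sample artifacts: the bytes a build trusted when the pins were
# first recorded. Hypothetical package names and versions for illustration.
TRUSTED_ARTIFACTS = {
    "netmon-agent==1.4.2": b"trusted agent build 1.4.2\n",
    "tlslib==3.0.1": b"trusted tls library 3.0.1\n",
}

# Manifest line shape imitated from pip's hash-pinned requirements:
#   name==version --hash=sha256:<64 hex chars>
# The --hash part is optional so the verifier can flag unpinned entries.
LINE_RE = re.compile(
    r"^(?P<name>\S+==\S+)(?:\s+--hash=sha256:(?P<digest>[0-9a-f]{64}))?$"
)


def sha256_hex(data: bytes) -> str:
    """Digest of an artifact's bytes, as the manifest records it."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> str:
    """Emit one pinned line per artifact from bytes that were reviewed and trusted."""
    return "\n".join(
        f"{name} --hash=sha256:{sha256_hex(data)}" for name, data in artifacts.items()
    )


def parse_manifest(text: str) -> dict:
    """Map each 'name==version' entry to its pinned digest (None if unpinned)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            # Fail closed: a malformed line is a broken build, not a warning.
            raise ValueError(f"unparseable manifest line: {line!r}")
        pins[match.group("name")] = match.group("digest")
    return pins


def verify_artifacts(pins: dict, fetched: dict) -> dict:
    """Return a status per manifest entry: 'ok', 'unpinned', 'missing' or 'mismatch'."""
    results = {}
    for name, expected in pins.items():
        if expected is None:
            results[name] = "unpinned"          # no digest to check against
        elif name not in fetched:
            results[name] = "missing"           # fetch step did not return it
        elif sha256_hex(fetched[name]) != expected:
            results[name] = "mismatch"          # bytes changed since the pin was made
        else:
            results[name] = "ok"
    return results


def build_is_safe(results: dict) -> bool:
    """The build gate: every entry must be pinned, present and matching."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> dict:
    """Constructed run: one tampered artifact, one clean, one never pinned."""
    manifest = build_manifest(TRUSTED_ARTIFACTS) + "\nlogutil==0.9.0\n"
    fetched = {
        "netmon-agent==1.4.2": b"trusted agent build 1.4.2 plus an extra payload\n",
        "tlslib==3.0.1": TRUSTED_ARTIFACTS["tlslib==3.0.1"],
        "logutil==0.9.0": b"some log helper\n",
    }
    return verify_artifacts(parse_manifest(manifest), fetched)


if __name__ == "__main__":
    results = demo()
    for name, status in results.items():
        print(f"{status:9} {name}")
    print("build allowed:", build_is_safe(results))
```

The check deliberately treats an unpinned entry as a failure rather than a warning, because an entry with no digest is exactly where a substituted or backdoored component would slip through unnoticed. In a real pipeline the digests would be recorded when a component is reviewed and only changed through the same review, and the gate would run on the fetched files before anything is compiled or packaged.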
Research on Emerging Technology for a More Secure Tomorrow
The vision of Security Compass Advisory is to create a world where businesses can safely embrace innovation. In order to do this effectively, we must remain at the forefront of technology. In the context of providing security services and advice, this means continued research and innovation around how to keep businesses secure.
Our work focuses on learning how to assess the security of emerging technologies. Our researchers have continued to investigate and publish findings around penetration testing mobile networking protocols, a discipline that only becomes more critical as companies shift even more heavily toward adopting mobile devices and mobile work for the long term. Container security vulnerabilities are another subject of investigation; containerization makes cloud operations more convenient and practical than ever, and ongoing research helps businesses adopt that technology while remaining confident in their security.
Remaining at the forefront involves not only learning how new technologies work, but creating tools to improve security testing. During 2021, consultants at Security Compass Advisory have published books on building custom red teaming tools in C++, as well as testing for time-of-check to time-of-use (TOCTOU) vulnerabilities in software. Creating new testing tools, and educating the industry on how to improve its capabilities, helps keep Security Compass Advisory on the leading edge of penetration testing.
The cybersecurity landscape in 2021 proved that threats are constantly changing, making it challenging to embrace emerging technologies with confidence. Despite potential risks, it is necessary to keep moving forward for your business to remain competitive. The best ways you can do so are to follow the threat landscape, continue to think critically about how to operate securely in the threat landscape, and work with a partner who can help you every step of the way.
Security Compass Advisory has always put great emphasis on emerging technologies: new research, developing strategies for secure implementation, and partnering with businesses on secure digital transformation. We’re looking forward to seeing what 2022 has in store.
If you are interested in getting to know more about how Security Compass Advisory can help you stay secure as you adopt new technologies, you can learn more here.