2020 has been a year of unexpected events, with COVID-19 striking a blow to the world and bringing overnight changes to our lifestyles. Going digital was one of the primary transitions for businesses, but it also gave cybercriminals a new lure: pandemic-themed phishing that delivers malware, gains a foothold, and steals sensitive data. Strengthening cybersecurity has therefore become the need of the hour for most businesses as they gear up for 2021. Against this backdrop, Seqrite, a specialist provider of IT security and data protection solutions to corporates, SMEs, and governments, has released its threat predictions for 2021 and beyond.
Threat Actors to switch from Ransomware to RansomHack: Double-Trouble for Enterprises
Earlier ransomware families such as WannaCry, Petya, Ryuk and GandCrab only encrypted disks or files and demanded a ransom in return for a decryption key. A newer trend is ransomware that not only encrypts files but also exfiltrates private and sensitive information before encryption. If the ransom is not paid, the adversaries threaten to publish the stolen data. This is double trouble for organizations: restoring from backups no longer ends the incident, and a public leak of personal data brings regulatory exposure under laws such as GDPR. In either case, businesses are under pressure to pay. This tactic is called RansomHack or double extortion.
Maze, DoppelPaymer, Ryuk, LockBit, NetWalker, MountLocker, and Nefilim are among the ransomware operators using double extortion. We expect this trend to continue in 2021.
Targeted Ransomware attacks on Healthcare and Pharma Sector to Surge
Healthcare and pharma companies on the front lines of the fight against the coronavirus pandemic are also facing a new wave of ransomware attacks and extortion demands. Though a few ransomware operators pledged not to attack the healthcare sector during the COVID-19 crisis, several other groups have continued to target it, largely because of the sensitive personal data of patients it stores and the pressure such organizations are under to restore service quickly. Numerous hospitals, COVID-19 research firms, and pharma companies fell victim to ransomware in the last quarter of 2020, making it essential for them to deploy a comprehensive set of security controls.
Techniques similar to Operation SideCopy
In September 2020, Seqrite was the first to report Operation SideCopy, an Advanced Persistent Threat (APT) campaign targeting the Indian defence forces. The campaign deliberately copied the tactics, techniques and procedures of other state-sponsored APTs, which had led the security community to attribute its activity to Transparent Tribe.
We expect more attacks in 2021 that, like Operation SideCopy, borrow the techniques of established APTs both to breach critical infrastructure and to muddy attribution.
CobaltStrike: Powerhouse of Ethical Hackers in the Hands of Cyber Criminals
Cobalt Strike is a commercial adversary-simulation (threat emulation) toolkit that is frequently abused for post-exploitation, covert command-and-control communication, and browser pivoting, among other purposes. Its Beacon agent can be used to stage and deploy any kind of payload, be it ransomware or a keylogger.
Ransomware operations now relying on it include Egregor, Ryuk, and LockBit, and we have also observed Cobalt Strike beacons in recent major backdoor and APT intrusions. Recently, an apparently decompiled copy of Cobalt Strike's source code was posted on GitHub. This lets malware authors customize the code or tweak it to evade detection, so the use of Cobalt Strike beacons in major cyber-attacks will keep rising.
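One cheap hunt for the Beacon activity described above is to look for the default named-pipe names that Beacon's SMB channel and its post-exploitation jobs create (MSSE-<n>-server, msagent_<hex>, postex_<hex>, postex_ssh_<hex>, status_<hex>) in Sysmon pipe events (Event ID 17 PipeCreated and 18 PipeConnected). The following is an added example, not code from the original page or from Seqrite; the Sysmon-style events are constructed, and the rule names are this example's own. The caveat a defender needs: these are defaults that a Malleable C2 profile can change, which is exactly what access to the source makes easier, so a miss is inconclusive while a hit is a strong lead.

```python
import re

# Default pipe names Cobalt Strike Beacon has used for its SMB channel and
# post-exploitation jobs. Operators can override all of these in a Malleable C2
# profile, so this catches lazy deployments, not tailored ones.
DEFAULT_PIPE_RULES = [
    ("cs_smb_beacon_msse",    re.compile(r"^\\MSSE-\d+-server$", re.I)),
    ("cs_smb_beacon_msagent", re.compile(r"^\\msagent_[0-9a-f]{1,8}$", re.I)),
    ("cs_postex_job",         re.compile(r"^\\postex_[0-9a-f]{4}$", re.I)),
    ("cs_postex_ssh",         re.compile(r"^\\postex_ssh_[0-9a-f]{4}$", re.I)),
    ("cs_status_pipe",        re.compile(r"^\\status_[0-9a-f]{1,8}$", re.I)),
]

# Sysmon pipe events, reduced to the fields the hunt needs.
PIPE_CREATED, PIPE_CONNECTED = 17, 18


def match_default_pipe(pipe_name):
    """Return the name of the first rule matching pipe_name, or None."""
    for rule, pattern in DEFAULT_PIPE_RULES:
        if pattern.match(pipe_name):
            return rule
    return None


def find_suspect_pipes(events):
    """Scan Sysmon-style events and return one hit per pipe event that
    matches a default Cobalt Strike pipe name."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (PIPE_CREATED, PIPE_CONNECTED):
            continue  # only pipe events carry a PipeName worth checking
        rule = match_default_pipe(ev.get("PipeName", ""))
        if rule is not None:
            hits.append({
                "pipe": ev["PipeName"],
                "image": ev.get("Image"),
                "rule": rule,
                "event_id": ev["EventID"],
            })
    return hits


# Constructed sample events (not real telemetry): two benign pipes, three
# default Beacon pipes, one near-miss, and one non-pipe event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\srvsvc",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 17, "PipeName": "\\MSSE-1234-server",
     "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"EventID": 18, "PipeName": "\\postex_3f2a",
     "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"EventID": 17, "PipeName": "\\msagent_1a",
     "Image": "C:\\Users\\Public\\update.exe"},
    {"EventID": 17, "PipeName": "\\MSSE-server",      # no job number: not a hit
     "Image": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": 1, "PipeName": "\\postex_aaaa",       # EventID 1 is ProcessCreate
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_suspect_pipes(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['pipe']} <- {hit['image']} (Sysmon {hit['event_id']})")
```

Run against exported Sysmon events, the hits above are the ones worth pivoting on: the image that created the pipe, what spawned it, and any outbound connections from that process.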
Increase in threats on Remote Work Infrastructure
With the COVID-19 pandemic, almost all organizations have rolled out a remote working model: businesses have introduced tools that let employees connect to office networks from home and collaborate. Typically, VPNs are used to reach those networks, while video conferencing and chat applications are used to communicate with colleagues; many SMBs have also rolled out BYOD (Bring Your Own Device).
This new infrastructure must be managed and configured with care. IT administrators need to patch VPN gateways, collaboration software, operating systems, and antivirus promptly to defend against exploitation of this new attack surface, because any new vulnerability in such widely deployed applications will be weaponized by malware authors as soon as it is reported or discovered.
Next wave of Crypto-miners
Cryptocurrency prices are currently at an all-time high and are expected to rise further in 2021; Bitcoin and Monero have roughly tripled in value during 2020. Booming valuations will attract even more threat actors to develop stealthier crypto-miners and generate higher revenues in 2021.
Coronavirus themed threats to divert from precaution-based to prevention-based
In the initial phase of the pandemic, cyber threats were precaution-themed: phishing sites, fake mobile apps, and malware filenames referred to coronavirus awareness, symptoms, precautionary measures, PPE kits, test kits, lockdowns, and social distancing.
As the year ends, the race among pharma companies has produced several vaccines at various stages of testing and approval, and governments of different countries and states are gearing up to provide vaccines to all citizens free of cost or at subsidized rates. Hence, the lures are forecast to shift to a prevention-based theme built around vaccines.
New additions in exploits leveraging weak crypto implementations
This year we saw two critical Windows exploits, Curveball and Zerologon, that leveraged bugs in Microsoft's implementations of cryptographic algorithms in different modules. Curveball (CVE-2020-0601) was a flaw in how the Windows CryptoAPI (crypt32.dll) validated elliptic-curve certificates: it did not check that the curve parameters carried in a certificate matched those of the trusted root, so an attacker could craft a certificate that appeared to chain to a trusted ECC-rooted CA and use it to sign malware or impersonate HTTPS sites, making them look legitimate.
Zerologon (CVE-2020-1472) was a flaw in the Netlogon Remote Protocol's use of AES-CFB8 with an all-zero initialization vector; an attacker with network access to a domain controller, holding no credentials at all, could use it to reset the domain controller's machine account password and take full control of the Active Directory domain. Both exploits were adopted quickly in real malware attacks. Given the high impact of such bugs, security researchers are likely to find more cryptographic vulnerabilities in other Windows components.
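The Zerologon weakness is purely a mode-of-operation mistake, and it can be shown without AES. The following is an added example, not code from the page or from Seqrite and not an exploit: it models Netlogon's AES-CFB8 with an all-zero IV using a SHA-256 keyed PRF as a stand-in for AES (an assumption, labelled in the code; CFB only ever calls the cipher forwards, so the mode's behaviour is identical) and shows why an all-zero client challenge and all-zero credential are accepted for about one session key in 256. The real attack sends real Netlogon RPC calls; this only reproduces the arithmetic behind the probability.

```python
import hashlib
import os

BLOCK_SIZE = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption: a SHA-256 keyed PRF, not real AES).

    CFB8 only calls the block cipher in the forward direction, so any
    pseudorandom function shows exactly the same mode-level weakness.
    """
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: each ciphertext byte is plaintext XOR the first
    byte of E(shift register); the register then shifts that ciphertext byte in.
    """
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(reg))[0]
        c = p ^ keystream_byte
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def is_weak_session_key(key: bytes) -> bool:
    """True when E_key(0^16) starts with 0x00. With a zero IV the first
    ciphertext byte is then 0, the register stays all zeros, and every later
    byte is 0 as well: an all-zero plaintext encrypts to all zeros."""
    return block_encrypt(key, bytes(BLOCK_SIZE))[0] == 0


def zerologon_attempt(session_key: bytes, client_challenge: bytes = bytes(8)) -> bool:
    """Model one NetrServerAuthenticate3 attempt: the client sends an all-zero
    challenge and an all-zero credential, and the server accepts when its own
    ComputeNetlogonCredential over the challenge is also all zeros."""
    iv = bytes(BLOCK_SIZE)  # the Netlogon flaw: a fixed all-zero IV
    expected_credential = cfb8_encrypt(session_key, iv, client_challenge)
    return expected_credential == bytes(len(client_challenge))


def find_weak_key(limit: int = 100_000):
    """Search deterministic keys until one has the all-zero property."""
    for i in range(limit):
        key = i.to_bytes(BLOCK_SIZE, "big")
        if is_weak_session_key(key):
            return key
    return None


def estimate_success_rate(trials: int = 4096) -> float:
    """Each real attempt sees a fresh session key (it depends on a random server
    challenge), so attempts are independent trials with probability ~1/256."""
    wins = sum(zerologon_attempt(os.urandom(BLOCK_SIZE)) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("example weak session key:", find_weak_key().hex())
    print("success rate per attempt ~", estimate_success_rate())
```

The same zero-IV property is what lets the attacker send an all-zero encrypted "new password" in the follow-up NetrServerPasswordSet2 call. The practitioner's check is not this script but the patch state of every domain controller: after the August 2020 update, Netlogon events 5827 and 5828 record denied vulnerable connections and 5829 records ones still allowed, so a DC that keeps logging 5829 has clients that will break when enforcement mode is turned on.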
Deep-fakes to cyber-frauds
Deep-fakes are fabricated or manipulated video or audio clips of a person, created with deep learning. They can be used to spread fake news and to commit fraud. The classic example is a deep-fake video or voice clip of a company's CEO instructing employees to transfer funds. Expect more of these in 2021.
Automation in performing phishing attacks
Attackers are increasingly using automation to run phishing campaigns at scale, and the trend will continue: a variety of social engineering tricks will be used to lure victims into giving up sensitive information in 2021.
Attacks on Red Team tools
The Red Team tools of cybersecurity vendor FireEye were recently stolen in a major intrusion. These tools were used in Red Team engagements to demonstrate the impact of successful attacks for clients. They range from simple scripts that automate reconnaissance to entire frameworks similar to publicly available technologies such as Cobalt Strike and Metasploit.
According to FireEye, many of the tools are built on or similar to tooling that is already public, including tools distributed in its open-source CommandoVM virtual machine, and the vendor has published detection rules (Snort, Yara, ClamAV and HXIOC) for them. In the hands of adversaries, the stolen tools could still be used to gain access to internal systems and fetch critical information, so attacks that apply Red Team tools will be observed in the coming months.
Increase in attacks related to mobile banking
In September 2020, the source code of the Cerberus mobile banking trojan was released for free on underground hacking forums, and an immediate rise in mobile infections followed. Far more advanced variants of mobile banking malware based on Cerberus's code, with new techniques and payloads, are expected to emerge next year.
Speaking on these security predictions, Himanshu Dubey, Director, Quick Heal Security Labs, said, “Undoubtedly, 2020 started with a significant unforeseen event. Nobody would have imagined COVID-19 and how it might disrupt economies worldwide. More importantly, the pandemic acted as a huge opportunity for cyber criminals to innovate their attack strategies further, and steal sensitive data for their personal gain. These advancements are likely to continue in the coming year as well. For instance, new tactics like double extortion, crypto-mining, ethical hacking, etc. are expected to be widely adopted by threat actors in 2021. At Seqrite, we will continue to research and innovate and work closely with our customer and partner network to spread awareness on the various tactics and methods adopted by cybercriminals.”
The predictions made by Seqrite highlight emerging cybersecurity trends that are projected to disrupt the evolving business landscape. Among the predictions Seqrite made last year that came true are an increase in web skimming attacks, more BlueKeep-like wormable exploits, APT attacks on critical infrastructure, increased use of LOLBins, and a rise in Office macro-based attacks over Office exploits. Since its inception, Seqrite has been helping businesses establish an agile cybersecurity framework to defend against known and unknown attack vectors. Today, it has emerged as a preferred cybersecurity partner for thousands of businesses across the globe.