Key Targeted Cyber-Attack Trends to Know for 2021


The “cybersecurity failure” threat occupies spot four in the comprehensive list of clear and present dangers in 2021, according to the World Economic Forum’s Global Risk Report. In this day and age, when disruptive cyber-attacks grab the headlines with great regularity, the stakes are higher than ever before. COVID-19, the “shock and stimulus” that society is both leveraging and trying to pivot away from at the same time, has highlighted the unparalleled relevance of cybersecurity along with the ubiquitous vulnerability of individuals and organizations to targeted cyber-attacks. Joining SOC PRIME, the world’s first platform for collaborative cyber defense, threat hunting, and discovery that integrates with 20+ SIEM and XDR platforms, will help to align your security needs with the market demands. This is the only Threat Detection Marketplace where researchers monetize their content to help security teams defend against attacks more easily, faster, and more efficiently than ever.

This article presents a list of hand-picked major trends in the field of targeted cyber-attacks to outline the current tendencies and brace ourselves for the upcoming challenges. Forewarned is forearmed, right?

The trends discussed below are divided into three categories. However, the boundaries between the categories are blurred: they overlap in the wild and are usually combined by threat actors to achieve the highest efficacy of their attacks.

Ransomware

Ransomware is a constantly evolving threat characterized by a continuous increase in the scope and scale of attacks as well as in their variants, which spread rapidly worldwide. In 2021, the cybersecurity community was shaken by an avalanche of scandalous ransomware incidents. The number of businesses impacted by ransomware globally more than doubled in 2021 compared with 2020. The most notorious incidents disrupted day-to-day operations, crippled production, and put financial strain on companies such as CNA Financial, Acer, Colonial Pipeline, JBS USA, and Sinclair Broadcast Group. In this climate, security practitioners are strongly advised to use tools such as CTI.Uncoder.IO to generate custom, performance-optimized IOC queries and immediately drill down to hunt for threats in their SIEM and XDR. Analyzing these targeted cyber-attacks brings several trends into the spotlight, covered below.

RaaS

Most often, adversaries follow a ransomware-as-a-service (RaaS) approach, with their attacks customized on the fly. Ransomware-as-a-service operates on the same principles as software-as-a-service: ransomware developers lease their products and other deliverables to threat actors, who use them for financial and ideological gain.

In July 2021, the Kaseya supply chain attack, christened “the biggest ransomware attack on record” due to its $70 million ransom demand, hit the headlines. The attack was launched by REvil, a ransomware-as-a-service (RaaS) gang. About 1,500 companies fell victim to this attack. For example, the Swedish supermarket chain Coop was forced to close 800 stores for an entire week.

Triple Extortion Tactic

This technique adds a third step to the double extortion model, which has been around for a while now and is still widely practiced by threat actors. In triple extortion, attackers expand their reach beyond merely obtaining sensitive data from their victims and holding it for ransom. To apply maximum pressure, REvil operators also contact the media and the victim’s business partners to notify them about the ongoing intrusion. Triple extortion is currently gaining momentum, sometimes with DDoS attacks mixed in as well.

In April 2021, this tactic was deployed against RaceTrac Petroleum, a company that runs a chain of gas stations in the U.S. Users of its loyalty program received emails threatening to release their personal data unless RaceTrac Petroleum paid the ransom. The email also urged every recipient to contact the company and demand that it protect their private information, adding even more pressure on the compromised company.

Mobile ransomware

With the increasing number, sophistication, and diversity of targeted attacks, ransomware delivery methods are being streamlined and optimized meticulously and at remarkable speed. As a result, ransomware is evolving toward the most efficient way of reaching practically anyone: the mobile device. With our banking, social, and health data available literally at our fingertips, mobile malware is on the rise. The alarming facts below speak for themselves:

  • This year, 56% of Android users who did not timely update their OS were exposed to more than three hundred exploitable vulnerabilities.
  • Infamous Pegasus spyware was used to infect all modern iOS versions up to iOS 14.6 through a zero-click iMessage exploit.
  • In 2021, millions of devices were hit by threats such as RiskTool, Adware, ScarePakage, various Trojan types, Android.Locker.38.origin, Worm.Koler, Black Rose Lucy, Cryptolocker, etc., and this upward trajectory is likely to continue.

APT

An advanced persistent threat (APT) is an umbrella term covering all types of attack campaigns aimed at establishing a long-term, unauthorized presence inside a victim’s environment and quietly exploiting it for the attackers’ benefit. Given the multi-stage character of this type of intrusion, APT is pivoting towards becoming an exclusive playground for well-coordinated teams of trained hackers, ceasing to be a one-person job.

Supply-Chain Attacks

The year 2021 shows steady growth in cases where APT groups rely on supply chain attacks to penetrate vendors’ distribution systems. The general rule of thumb of not trusting suspicious software does not apply here, since seemingly reliable vendors are the main target of this type of attack. Software that carries the injected malicious code becomes the attackers’ gateway into every environment where that software is deployed.

Between January and April 2021, the hackers who attacked Codecov breached hundreds of restricted customer sites by compromising the company’s software development tool. The attackers also used Codecov to get inside other software development vendors and technology companies such as IBM.

Zero-days

The number of zero-day vulnerabilities exploited in the wild is going through the roof. In 2021, there were more zero-day attacks worldwide than ever before. Financially motivated threat actors are working hard to enhance their skills and hacking tools in order to reap exceptionally large rewards for exploiting previously unknown vulnerabilities.

In late January 2021, the security hardware manufacturer SonicWall was targeted with zero-day exploits against its VPN products. It was later revealed that the threat actor behind this exploitation was the UNC2447 APT gang. The same zero-day was used in attacks on SonicWall’s internal systems and was later abused in the wild.

Ransomware

Today, it is all about efficiency, and new tendencies spell new approaches. The year 2021 provided ample evidence that the cybercrime underworld now consists primarily of well-organized hacker-for-hire groups conducting on-demand intrusions. Moreover, threat actors are conspicuously stepping up their activities, concentrating on highly targeted and complex intrusions.

In March 2021, two companies, Acer and CNA Financial, suffered severe financial losses due to ransomware attacks executed by the REvil and Phoenix groups. Acer ended up paying the cyber offenders $50 million, and CNA Financial, one of the largest insurance companies in the U.S., paid $40 million to regain control over its network.

Phishing

It is hard to deny that since the pandemic started, the number of cyber scams has been increasing in direct correlation with the number of remote workers. According to Microsoft’s New Future of Work Report, a majority (62%) of interviewed security professionals reported that phishing campaigns were the most increased type of security threat during the COVID-19 crisis. Phishing attacks fall under the category of social engineering built on deceitful approaches aimed at obtaining victims’ login credentials and tricking them into installing malware or making a wire transfer.

To achieve these results through phishing, hackers apply various approaches, thoroughly testing each one for maximum efficacy. The year 2021 turned the spotlight on the trends discussed below.

Spear phishing

Spear phishing has clicked into gear in 2021, becoming the primary threat vector for many attackers. This method is characterized as an ultra-targeted attack, tailored specifically for a particular victim, either a person or an organization. Generally increasing cyber awareness is posing new challenges for malicious actors: it requires them to invest more preparation into convincingly impersonating a trustworthy source in order to lure their victims. The acquired data is then used for fraudulent purposes, including identity theft, ransom demands, or data breaches.

In September 2021, a massive spam campaign delivered spear-phishing emails disguised as messages from Colombian government agencies. It affected multiple verticals, including government, financial, healthcare, and telecommunications, across several South American countries. The goal was to redirect recipients to a website hosting the BitRAT remote access trojan, with the ultimate aim of extracting financial gain from the victims.

Phishing-as-a-service (PhaaS)

The phishing landscape has evolved considerably over recent years, growing to sustain its own service-based economy. Both RaaS and PhaaS follow the software-as-a-service model, with service providers developing and deploying phishing campaigns of varying magnitude and complexity.

In September 2021, Microsoft published their investigation of the “big fish” in the pond of PhaaS – a ransomware business run by the BulletProofLink gang. This group has been running phishing schemes since 2018, constantly expanding its market reach by offering a wide array of phishing services, including distribution of phishing templates, orchestrating scam campaigns, and providing customer support.

As the volume and scale of cyber-attacks increase, much of the discussion centers on establishing “the new normal”. The only new normal that seems reasonable in the current climate is to ensure that security advancement keeps pace with the growing threats.