Today marks the one-year anniversary of the disclosure of the SUNBURST attack, which left security teams from 18,000 companies around the world ringing in 2021 with a scramble to understand, investigate, and respond to one of the worst supply chain attacks in recent memory. SUNBURST marked the end of 2020—one of the most disruptive years yet for security teams, but we now know that there was little respite over the succeeding 12 months.
As many organizations either continued their remote working policies or transitioned to a hybrid working environment and found new ways to reach customers, investments in cloud and digital projects continued to expand their corporate cyberattack surface. Threat actors, as ever, reacted quickly to target home workers and remote access infrastructure, IoT systems, supply chains, insecure protocols, unpatched and misconfigured systems, and much more.
In the first half of 2021 alone, a single vendor claims to have blocked almost 41 billion threats. Many more will have flown under the radar as attackers leverage legitimate tooling or use brute force and social engineering, including phishing attacks, to obtain passwords and achieve their ends. Fortunately, the US government is getting serious about the cyberthreat landscape, at least where ransomware is concerned.
But there's only so much government mandates can do—organizations themselves must also step up. Their journey must begin by understanding the scale of today's security challenges. With that, here's our take on the cybersecurity landscape in 2021.
A Year in Cyberthreats
Advanced Persistent Threats
They may not comprise the majority of attacks, but for high-value organizations, advanced threats are a clear and present cyber risk. What's more, advanced techniques frequently trickle down to wider members of the cybercrime underground.
Advanced persistent threats have made headlines in 2021 with zero-day exploits and supply chain attacks, but it's worth noting that sophisticated cybercriminals, including initial access brokers, are quietly making gains with social engineering, including phishing attacks, to bypass perimeter defenses.
- At the time of writing, MITRE ATT&CK has observed a staggering 189 post-compromise attack techniques in the wild versus just 26 related to intrusions. It's inside networks where advanced threats are arguably most concentrated
- The exploited PrintNightmare bug affected 100% of Windows versions
- 18,000 organizations downloaded a sabotaged version of SolarWinds software, and 100 of those had it exploited against them including nine US government departments. Although this campaign began in 2020, its repercussions were felt long into 2021
- Over half (51%) of global organizations reported a significant data breach in 2021
- The number of publicly reported US data compromises through September 30, 2021 exceeded the total number of events in the whole of 2020 by 17%
- Data compromises were up in 10 out of 13 sectors in Q3 2021 compared to Q3 2020
- At least 10 advanced persistent threat (APT) groups were observed exploiting the same zero-day vulnerabilities in Microsoft Exchange Server
- Initial access brokers emerged as a significant link in the cybercrime supply chain, often selling their services to advanced threat groups
- APT groups aren't just focused on carrying out data breaches for extortion. Noted group TeamTNT uses sophisticated techniques to illegally mine cryptocurrency
- Unsecured Kubernetes clusters are an increasingly popular target for advanced threat groups, who hijack them for various motives
Ransomware
The stand-out story for cyberattacks in 2021 was ransomware. Ransomware attacks led to fuel shortages across much of the eastern U.S. and to direct confrontation between the White House and the Kremlin. The threat remains largely untamed, although now that insurers and governments are specifying minimum security standards, there is hope for the future.
- Global ransomware costs are predicted to reach $265B by 2031
- The average amount of funds stolen increased 179% in 2021 to $326,264 and the average ransom demand increased to $1.2 million in the first half of 2021
- Around 7.3 million ransomware threats were detected in the first six months of 2021, nearly half the number seen a year earlier, indicating more targeted attacks
- 27.5% of incidents investigated in the Americas over a 12-month period involved ransomware, according to the 2021 DBIR
- Ransomware costs on average $4.62 million, not including the cost of paying the ransom
- Average ransomware demands surged 518% year-on-year (YoY) in H1 2021
- Cyber-insurance costs soared 96% from Q3 2020 to Q3 2021, largely due to ransomware
- An August study found that 17% of organizations had experienced a ransomware attack in the previous 12 months, and 69% paid their attackers
- $70M is the record for the highest ever ransom demand—aimed at IT software firm Kaseya
- Ransomware attackers benefit from profit margins in excess of 90%, similar to those of cocaine traffickers in the 1990s, but with far less risk
Supply Chain Attacks
Both state-backed operatives and financially motivated crime groups realized in 2021 that the way to optimize attacks lies in targeting upstream supply chains, especially software vendors. Organizations will need to get better at vetting their sprawling supplier ecosystems as a result.
- At least 100 US companies were compromised in the SolarWinds (SUNBURST) attack
- 29% of the most popular open-source projects contain at least one known security vulnerability
- Upstream software supply chain attacks soared by 650% from 2020 to 2021
- In 2021 developers used approximately 2.2 trillion open-source software packages and components from third-party ecosystems
- 50 managed service providers and around 1,500 of their downstream customers were impacted by the Kaseya supply chain attack, which spread ransomware far and wide
- In Q1 2021, supply chain attacks in the US rose by 42% from the previous quarter
- Nearly 793,000 people were impacted by supply chain attacks in Q3 2021
- 93% of global organizations have suffered a direct breach via their supply chains over the past year
- European security agency ENISA predicts 2021 will see four times more supply chain attacks than 2020
- Two-thirds (66%) of supply chain attacks focus on the supplier's code
Internet of Things (IoT)
IoT devices are already taking over the world, streamlining production lines, securing the smart home, and keeping us healthier. They also represent a potential weak link in the corporate security chain that threat actors are waking up to. IoT endpoints can be hijacked to launch attacks, sabotaged to disrupt business processes, or compromised to offer a handy entry point into corporate networks.
- Over half (58%) of IoT attacks in the first half of 2021 leveraged Telnet
- A critical vulnerability (CVE-2021-28372) in a popular SDK was estimated to impact 83 million recording devices, including enterprise security cameras and smart baby monitors. ExtraHop determined that around 1% of customers have devices that use the impacted ThroughTek Kalay services
- A separate ThroughTek vulnerability was also revealed to potentially impact millions of IoT cameras
- IoT cyberattacks more than doubled YoY in the first half of 2021
- IoT malware detections surged 66% YoY in the first half of 2021 as attackers targeted home networks and remote workers
- The UK introduced new legislation designed to improve baseline security of IoT devices, potentially showing the way for other western countries
- A new cluster of DNS vulnerabilities dubbed Name:Wreck could impact over 100 million IoT devices used by consumers and enterprises
- The number of IoT connections was predicted to grow to more than 27 billion by 2025
- The biggest threat to connected car owners over the past decade has been data theft/privacy breaches (30%), followed by vehicle theft (28%)
- Some 63% of enterprises have deployed IoT, but 15% haven't updated their policies as most believe IoT is secure-by-design
Cloud Security
Investments in cloud-based technologies soared during the pandemic. But a lack of in-house security skills and confusion over the shared responsibility model have often ended up exposing organizations to new cyber-risks. IT buyers should note that while cloud adoption can reduce the cost of on-premises IT infrastructure, it most likely will not make you more secure. In fact, cloud adoption requires additional effort and investment in cloud-centric security.
- Nearly two-thirds (62%) of organizations reported business-impacting attacks involving cloud assets
- Nearly three-quarters (73%) of organizations reported their cloud security readiness as average or below average
- Organizations with 500-2,000 employees use an average of 664 distinct cloud apps each month
- It's estimated that over half of cloud breaches occurred due to "shadow IT" emerging via unauthorized systems spun up against security policies
- Cloud vulnerabilities have increased 150% over the past five years
- 71% of cloud accounts sold on the dark web used RDP as their access path
- Misconfigured APIs and shadow IT accounted for two-thirds of cloud breaches over the past year
- A misconfigured cloud database left online with no password protection or encryption exposed over 800 million records linked to WordPress users before its owner was notified
- Compromised cloud accounts cost organizations on average $6.2m annually
- Almost all (98%) companies have experienced a cloud breach over a recent 18-month period
Remote Work
It goes without saying that remote access has skyrocketed during the pandemic as offices closed to protect public health. The future will increasingly be one of hybrid working, which will offer threat actors continued opportunities to compromise related applications and infrastructure as workers log in remotely.
- 45% of full-time US employees were still working from home either all or part of the time in late 2021
- 90% of remote workers want to maintain remote work to some degree going forward
- 74% of organizations attribute recent business-impacting cyberattacks to remote work tech vulnerabilities
- A quarter of remote workers admit to not using any two-factor authentication
- 95% of organizations said at least some of their new COVID-19 related cybersecurity protections will be permanent
- There was a 413% increase in brute-force attacks targeting RDP from 2020 to early 2021
- Attacks against one popular SSL-VPN (Fortinet) increased 1,916% in Q1 2021, while attacks targeting Pulse Connect Secure VPNs increased 1,527%
- 96% of security decision-makers now believe that Zero Trust is critical to their organization's success
- One vendor discovered four new attack tools used to establish persistence on devices connected to Pulse Secure VPNs: Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse
- Threat actors also targeted legacy bugs in VPNs during 2021—such as a 2019 flaw in SonicWall Secure Remote Access (SRA) 4600 devices
Insecure Protocols
The digital world was originally created without security in mind. This has left many of the protocols that remain popular today sorely in need of upgrading. Unfortunately, many organizations forget to do so, leaving security gaps that attackers are past masters at finding and exploiting.
- Two-thirds (67%) of enterprise IT environments still had instances of SMBv1 in 2021. This protocol was exploited in both the WannaCry and NotPetya attacks
- 81 of 100 enterprise environments still use insecure HTTP credentials
- A third (34%) of organizations have at least 10 clients running NTLMv1, which could enable attackers to launch machine-in-the-middle (MITM) attacks or take complete control of a domain
- 70% of enterprises are also running LLMNR, which can be exploited to access users' credential hashes
- HTTPS attacks over encrypted channels increased by 314% from 2020 to 2021
- Between January and September of 2021, one vendor blocked 21 billion threats over HTTPS—an increase of more than 314% from 2020
- 70% of SSL-enabled applications are likely to have been attacked
- The volume of malware hidden in encrypted TLS traffic more than doubled from 2020 to Q1 2021
- SMB login brute force attempts comprised nearly 70% of all exploit activity in Q1 2021
- Encrypted protocols such as SMB v3 are used to mask lateral movement and other advanced tactics in 60% of the 30 most exploited network vulnerabilities
Zero-Day Vulnerabilities
Although most cyber-attacks exploit known vulnerabilities that organizations have yet to patch, zero-days remain a significant threat. Attackers and defenders are increasingly locked into a race against time to discover new vulnerabilities before the other side does. If the bad guys get there first, the resulting exploits in popular software can have a devastating impact. Nation-state exploits are increasingly ending up on the cybercrime underground, sometimes just days after the initial compromise.
- As of the date of posting, there were 82 zero-day vulnerabilities in circulation for 2021, a record total and already more than double the 2020 figure
- Chinese hackers exploited four Exchange Server zero-days subsequently used by multiple APT groups. These were known collectively as "ProxyLogon"
- In June, Microsoft announced patches for seven zero-day vulnerabilities
- In October, Apache HTTP Server admins were urged to patch after it emerged that a zero-day vulnerability was being exploited in the wild
- Cyber-criminals are reportedly exploring the prospect of renting out zero-day exploits while they find permanent buyers
- The average time taken for businesses to patch vulnerabilities has increased by a week since 2020 to a total of 287 days
- The Pentagon expanded its bug bounty program to all of its publicly available information systems in 2021
- The UK's Ministry of Defence (MoD) ran its first bug bounty program with ethical hackers this year
- Zero-day exploits are rapidly filtering down to less capable actors, experts warned this year
- Threat actors are reportedly weaponizing zero-day exploits faster than ever before
Government Action
One defining story of cybersecurity in 2021 has been the more proactive stance the Biden Administration has taken on cyberthreats. In fact, the White House claimed it could even take unilateral action against crime groups being sheltered by hostile states. It's good to see the government taking a lead and setting the right tone by improving federal cybersecurity. But organizations must remember to play their part too with next-generation security tools and policies.
- CISA issued a directive requiring federal agencies to patch over 300 known vulnerabilities dating back to 2014. Private enterprises were encouraged to follow suit
- The EU has proposed new laws to make cryptocurrency more traceable, in a bid to crack down on money laundering and cybercrime
- President Biden's executive order in May mandated zero trust, strong encryption, improved supply chain security, and other best practices across the federal government
- The White House, NATO, and the G7 all turned the heat up on Russia for allegedly harboring ransomware groups
- The US government issued a warning that the nation's water supply chain is subject to ongoing attacks
- It was reported that the US government was seeking to team up with private sector firms to monitor domestic extremists online
- The US government added spyware developer NSO Group to its export blacklist after reports the Israeli firm's tools had been used by repressive regimes to monitor their citizens
- The Biden Administration set up a ransomware task force to elevate the threat posed by such groups to that of terrorism
- The SEC sanctioned eight firms for cybersecurity failings which led to email account takeovers exposing customers' personal data
- The US Treasury sanctioned multiple ransomware actors and virtual currency exchanges for money laundering and other offenses
Public Sector
While governments can lead by example, improving regulatory environments and engaging hostile state actors in geopolitical dialog, they're also a prime target for attackers. The past year has arguably seen a spike in such attacks from both emboldened nation states and sophisticated organized crime groups.
- More than half (52%) of US public sector IT pros are concerned about recruiting and retaining cybersecurity talent
- Some 84% say they lack the expertise to meet current cybersecurity and compliance challenges
- Time constraints (73%) and lack of training (59%) are the top skills-related challenges cited by public sector IT pros
- A May 2021 report found that around 11% of cybersecurity incidents over the previous year involved the public sector
- According to a US intelligence assessment "cyber-threats from nation states and their surrogates will remain acute"
- From Aug. 14 to Sept. 12, 2021, US educational organizations were the target of over 5.8 million malware attacks—63% of the total
- Globally, 44% of education sector organizations were hit with ransomware
- Malicious insiders are the number one concern of public sector IT security leaders, cited by 67% of respondents
- A cyber-attack linked to Israel targeted electronic government-issued cards Iranians use to buy subsidized fuel, causing widespread disruption. Billboards were also hijacked with anti-regime messages
- A US/Canadian citizen was sentenced to 140 months in federal prison after admitting to laundering money for North Korean operatives
A Look at What's Ahead
No organization is going to be 100% breach-proof going into 2022 and beyond. The size, professionalism, and diversity of the threat landscape will attest to that. However, the good news is that with the right cybersecurity tooling, including east-west visibility and machine learning-based detections, you can gain insight, context, and control where you need it most—at the network layer. Detecting and stopping suspicious activity before adversaries have a chance to make an impact will be the best way to mitigate risk over the coming 12 months.