Staying one step ahead of the bad guys is the best way to stop cyberattacks. Trend Micro’s VP of Threat Research, Jon Clay, provides in-depth predictions of cyberattacks and trends based on world-renowned threat intelligence, enabling you to create a more nuanced, strategic cybersecurity plan.
Cybercrime as a service
Cybercriminals are no longer lone wolves: they are teaming up or buying access to infiltrate and ransom high-value targets. Cybercrime as a service starts with access as a service, where groups sell their foothold inside an enterprise to a ransomware affiliate group, which then launches its ransomware attack from within.
Cybercriminals have also adopted tactics used in nation-state attacks. By working as a team to gather extensive intelligence on their target, they can execute a smoother attack that is more difficult to detect and stop.
Exploits for N-day vulnerabilities, which are vulnerabilities that already have a patch, are also being sold and traded in underground markets. These are utilized more than zero-day vulnerabilities, as they are easier for cybercriminals to obtain, and organizations often struggle with patch management.
Living off the land
The most dangerous attacks fly under the radar by using legitimate enterprise tools, such as leveraging trusted accounts to access many layers of your network. Once inside, cybercriminals can use tools like MEGAsync or FileZilla for data exfiltration and then terminate several endpoint security products by using PCHunter. Because these are legitimate tools that may already be in use inside the organization, the attack will often go unnoticed until it’s too late and the ransomware has been dropped.
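To show how a defender might catch the tool abuse this section describes, here is an added example (not Trend Micro's code) that runs two detection rules over constructed process-creation and process-termination events: a watched tool started by an account not allow-listed for it, and a security agent stopping shortly after PCHunter ran on the same host. The event format, account names, allow-list and security-agent process names are assumptions for illustration.

```python
"""Detect 'living off the land' tool abuse in process telemetry.

Added example, not Trend Micro code. Events mimic EDR/Sysmon process
records (a constructed format); account names, the allow-list and the
security-agent process names are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Tools the text names, with the role they play in the intrusion chain.
WATCHED_TOOLS = {
    "megasync.exe": "data exfiltration",
    "filezilla.exe": "data exfiltration",
    "pchunter64.exe": "security product termination",
    "pchunter32.exe": "security product termination",
}
# Assumed allow-list: accounts expected to run a given tool legitimately.
ALLOWED_USERS = {"filezilla.exe": {"CORP\\webadmin"}}
# Assumed names of the defender's own endpoint-security processes.
SECURITY_PROCESSES = {"edr_agent.exe", "avservice.exe"}
# How soon after PCHunter a stopped security process counts as suspicious.
KILL_WINDOW = timedelta(minutes=10)


def detect(events):
    """Return (host, reason) alerts for the two living-off-the-land rules.

    Rule 1: a watched tool starts under an account not allow-listed for it.
    Rule 2: a security process terminates within KILL_WINDOW after PCHunter
            ran on the same host (tool plus outcome, not just the tool).
    """
    alerts = []
    last_pchunter = {}  # host -> time PCHunter was last started there
    for e in sorted(events, key=lambda ev: ev["ts"]):
        image = e["image"].rsplit("\\", 1)[-1].lower()
        host, user, ts = e["host"], e["user"], datetime.fromisoformat(e["ts"])
        if e["type"] == "process_create" and image in WATCHED_TOOLS:
            if image.startswith("pchunter"):
                last_pchunter[host] = ts
            if user not in ALLOWED_USERS.get(image, set()):
                alerts.append((host, f"{image} ({WATCHED_TOOLS[image]}) started by {user}"))
        elif e["type"] == "process_terminate" and image in SECURITY_PROCESSES:
            started = last_pchunter.get(host)
            if started is not None and timedelta(0) <= ts - started <= KILL_WINDOW:
                gap = int((ts - started).total_seconds())
                alerts.append((host, f"{image} stopped {gap}s after PCHunter"))
    return alerts


# Constructed sample telemetry: one legitimate transfer, one intrusion chain.
SAMPLE_EVENTS = [
    {"ts": "2021-10-05T09:14:00", "host": "FS01", "user": "CORP\\webadmin",
     "type": "process_create", "image": "C:\\Program Files\\FileZilla\\filezilla.exe"},
    {"ts": "2021-10-05T22:03:10", "host": "WS07", "user": "CORP\\jdoe",
     "type": "process_create", "image": "C:\\Users\\jdoe\\Downloads\\MEGAsync.exe"},
    {"ts": "2021-10-05T22:41:55", "host": "WS07", "user": "CORP\\jdoe",
     "type": "process_create", "image": "C:\\Temp\\PCHunter64.exe"},
    {"ts": "2021-10-05T22:43:25", "host": "WS07", "user": "NT AUTHORITY\\SYSTEM",
     "type": "process_terminate", "image": "C:\\Program Files\\EDR\\edr_agent.exe"},
    {"ts": "2021-10-05T23:10:00", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "type": "process_terminate", "image": "C:\\Program Files\\AV\\avservice.exe"},
]

if __name__ == "__main__":
    for host, reason in detect(SAMPLE_EVENTS):
        print(f"[{host}] {reason}")
```

The allow-listed FileZilla run on FS01 and the unrelated agent stop on FS01 produce nothing, while the WS07 chain yields three alerts, the last tying PCHunter to the agent termination it caused.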
Cloud apps hounded by critical class bugs
Enterprises are storing more valuable, critical data within the cloud, attracting highly skilled malicious actors. There’s been a significant jump in zero-day attacks in 2021 due to the deepening pockets of cybercriminals who can net tens of millions of dollars from ransomware attacks. Armed with padded (virtual) wallets, cybercriminals can purchase expensive zero-day exploits that they couldn’t afford in the past. This is creating new challenges for organizations, as it is hard to stop what you don’t know about.
Here are two ways to bolster your cybersecurity posture:
1. Invest in training: People remain the weakest link. They’re prone to giving away too much information that cybercriminals can leverage and they make mistakes. Training will look different for each department—from educating staff on identifying BEC and phishing scams, to ensuring IT teams have the proper skills and knowledge to maximize security products and successfully deploy virtual patches.
2. Implement a platform approach: The stakes are too high to use disconnected point products. You need comprehensive visibility across all layers of your infrastructure and a platform approach allows you to correlate data across cloud, network, endpoint, email, and web environments so you can detect and respond to attacks faster.
Jon Clay: The first one that we have here is that pandemic news will continue to fuel social engineering attacks. So obviously and unfortunately we're still dealing with the pandemic around the world, and this has actually been one of the greatest things for the malicious actors out there in the world because, as many know, and if you don't, news is what they try to utilize in a lot of their socially engineered attacks. So they'll take whatever the latest news is: events, sporting events that are coming up and occurring.
But with the pandemic, because the news seems to change every single day, it gives them an opportunity to utilize that information in these socially engineered attacks. So when you have constant news, that gives them the ability to throw it out there. We as humans are constantly looking for new information, especially people who are in technology, but even home users who are out there want to hear news about it.
Lately, the biggest one has been around the vaccinations, and so they're throwing out all the different news around vaccinations. They're utilizing that and sending phishing emails to people saying, "Hey, your vaccination time has changed. Click here." It opens up a phishing page that maybe looks to try and steal their email credentials or something like that.
Even from a business perspective, they may be sending an email to your employees that says, "Hey, the policy on work from home has changed. Click here to get information," and then your employees would likely click on those to get that information and pop it in.
And the other aspect is that they're weaponizing this stuff very quickly. So you'll see the news come up today and tomorrow a new phishing email will pop up, or a new socially engineered attack will pop up, using that information. They may even drop in and open up domains associated with whatever it might be, fraudulent domains and so forth.
Then the other aspect in why we're going to continue to see pandemic attacks is that a lot of it is tied to the healthcare data, which is very valuable and very profitable to be sold in the underground communities. So they are looking constantly to try and obtain healthcare data from people. When we looked at the attacks that we saw, or threats that we detected, year over year from the first half of 2020 and the second half, you can see the numbers actually dropped about half. So they definitely aren't doing as much as they used to, but it's still, when you think about it, almost four and a half million threats detected in the first half of this year. Still quite a significant number. You can see the United States is still predominantly being targeted by the actors up there with these threats.
So definitely the good news is it's a little bit lower, but the bad news is, as this pandemic continues and the information continues to get out there, it will be used. So again, the recommendation would be to ensure that your employees know exactly how the company will communicate to them about COVID news and information from the company, so that they don't get hit with a phishing email that maybe sounds or looks like it is from your company, but you have to ensure you have some mechanism set up for establishing proper communications around this.
Next one: extortion attacks, including ransomware, will continue to plague organizations of all sizes. So ransomware is, I think people are so tired of ransomware, but unfortunately it's a very effective threat and it's very successful against a lot of organizations out there. The tactics that they are utilizing have been changing constantly. They also have been updating the process that they go after, as well as the victim types.
One of the things that we're seeing more often today is what we call cybercrime as a service, which comprises a bunch of different things like access as a service. So what we're seeing now is these access as a service gangs who are very good at initially infiltrating an organization's network and sitting resident in that network for long periods of time. They will then sell that access to other actor gangs, like a ransomware actor, or excuse me, a ransomware access affiliate group, who will then target that organization with their ransomware attack.
But the underground community and the different groups that are now working together and collaborating together inside to perpetrate crime is growing pretty dramatically, and that's going to be a challenge as well. And, as you see on the right-hand side in the image, the multiple extortion campaigns are definitely going to continue, because, again, it's been very successful in getting an organization to pay something. And you can see here we're even seeing quadruple extortion attacks.
So if you think about the single extortion, that's simply where they drop ransomware and they encrypt the files and they ask for a ransom. Double extortion is what we're now seeing most often; in most new ransomware families that are coming out and being developed and pushed out there in the market, they are doing double extortion, where they will first steal data from an organization and then, once they've stolen that, exfiltrated that data, they will drop the ransomware. So if the organization has properly prepared themselves to combat a ransomware encryption process and won't pay that ransom, they will come back and say, "Hey, by the way, we stole your money or stole your data, and we're going to ransom it off unless you pay us this extortion fee to get it back or to stop us from publishing it."
But triple extortion, which we've seen, is where they actually will also kick off a DDoS attack inside an organization. So they'll scan your network to find your business critical systems and they will do a DDoS against those critical systems that may be running your day to day operations so that they can extort you for that.
And then quadruple, which is something that we saw Brian Krebs mention last year or earlier this year, where as part of that data theft, a lot of it tends to be your customer information, and what they are now doing is contacting your customers and leveraging them to put pressure on you. So they'll send a letter or a note or an email or something to that customer contact, the data that they have, and they'll say, "Hey, we stole your data from company ABC. You need to let them know that they need to pay the ransom in order to stop this from being leaked out." So these quadruple extortion and these multiple extortion campaigns are definitely going to continue.
When you look at the typical ransomware attack scenario, the other aspect that we're going to see continuing through the next several months and even years is the use of what we call living off the land tools. This is where attackers are using tools like MEGAsync and FileZilla for data exfiltration. You see the use of PsExec, some scripts, Mimikatz, NetScan, Cobalt Strike, etc. in the lateral movement stage. Then they'll use something like the PCHunter power tool to terminate a lot of the security products that are running on your endpoints so that they can then drop a piece of ransomware malware on those systems.
But this use of legitimate tools inside an organization is in an effort to stay under the radar, right? Because you may be already using those tools and their use of it may go unnoticed because you're used to seeing those tools being used inside your organization. So they'll continue to do that.
Also in the initial access, you notice on the far left compromised accounts, spear phishing, vulnerabilities. Those activities will continue to be the main driver of getting access to your organization. And as I mentioned earlier, the access as a service gangs are becoming more and more utilized by the ransomware actors because they have specialization into getting into a network.
Another prediction is attackers will quickly weaponize newly disclosed vulnerabilities, leaving users with a narrow window for patching. We've seen quite a bit of attacks this year utilizing vulnerabilities. In this case, we're talking about N-day vulnerabilities, which are vulnerabilities that already have a patch available to them. These are bought and sold quite often in the underground markets. They're utilized more often than zero-day exploits or zero-day vulnerabilities, which are unknown vulnerabilities that are out there and being used by the criminal elements before a patch is made available.
But the criminals recognize that N-day vulnerabilities are very good, so they've been popping up marketplaces in the underground markets. They're trading and buying and selling exploits regularly. You even have people that are customizing the exploits so they'll work on simply, say, Microsoft Exchange vulnerabilities. That's all they do and they will offer Exchange vulnerabilities to the buyers in the marketplace. They'll specialize in that because that's what they're good at.
We did a recent study over about a year and a half, two years, where we analyzed the marketplaces around the world for the buying and selling of exploits, and you can see this kind of a pie chart that shows you what is being sold in the underground markets. 61% of exploits sold targeted Microsoft products. Exploits for Office and Adobe were the most common in English-speaking forums, but again, when I mentioned N-day markets, 54% of the N-days that dominate this market were less than two years old. But that also tells you that 46% are older than two years. So the criminals definitely recognize that a lot of organizations struggle with patch management and patching of a lot of their devices out there. So these N-day exploits still work very well for them in targeting organizations.
Now, with that said, enterprise software and cloud applications are going to be hounded by critical class bugs, and we've seen that. You can see here in the third bullet, there have been 66 documented zero-day attacks just in 2021 alone. That's a big jump from previous years, so the zero-day exploit attacks seem to be growing, and part of that, it could be because the amount of money that is being made by these criminals today is pretty astronomical. Think about some of these recent ransomware attacks where tens of millions of dollars are being paid to the actors behind the ransomware attacks. Well, that funds their ability to buy a zero-day exploit, because those are not cheap. They're very expensive. They can go for anywhere from $500,000 to $1 million in the underground market, where in the past a lot of these cybercriminal gangs just couldn't afford those.
Well, now that they're making so much money they're able to afford these zero-day exploits, so we do think that zero-days are going to be more common moving forward, and that's going to be difficult because, again, this is one area where prevention is going to be a difficult solution because if you don't know about a vulnerability and it's being targeted against you and utilized against you, it's very difficult.
We saw that with some of these supply chain attacks. Those are going to continue as well, and what they're going to be looking for are these critical class, or excuse me, these enterprise software vendors who supply the software to these organizations. They're going to target those software suppliers in their attacks in an effort to do what I call island hopping, which is moving from one organization to another organization's network through an island hopping process. And that's what we saw with those supply chains, the software supply chains, where they utilized an organization's software update process and targeted that and compromised it so that they were getting access to all their customers. And that allowed them to do that.
Another thing we're seeing with cloud applications is a lot of cloud infrastructures are now dropping a lot of critical data into cloud repositories, and we published a report on this as well. We saw a lot of what we call cloud of logs, so there were a lot of logs out there that had information and critical data stored in them in these cloud repositories where they could potentially be accessed by the criminals.
Another area is nation state tactics will be widely adopted by cybercriminals. So again, the cybercriminals have recognized that nation state tactics work. The nation state attacks are very successful, so they've adopted them. So, number one, the extensive intelligence gathering they do prior to an attack, so even before they launch any kind of attack they're going to know who they're going to target, why they're going to target it, how they're going to target it, who inside they're going to target, what they're going to target, whether it's a business critical system or if it's going to be a ransomware or whatever it might be. The collaboration among groups is making it much more difficult.
Also, anti-forensics is going to be used extensively against your organization. If you remember the SolarWinds attack, Microsoft published an article or a document that talked about all the anti-forensics that were used against them in the attack that they got hit with in the SolarWinds attack. So, this anti-forensics is going to be done where, and we see this a lot in our area, they reverse engineer security software and figure out ways to stop it or block it from being accessed and working. And I mentioned island hopping.
The other aspect to think about is these attacks are no longer isolated just to your endpoints. The attacks are going to cross many layers of your network. They're going to go from your endpoint to your network, lateral movement across to the business-critical systems. Those might be in your physical data center, could be in a hybrid data center, could be in a cloud environment. But they're going to utilize all of these different areas, and so you're going to see these campaigns against you that are going to cross many different areas of your network.
Another thing I wanted to highlight is the Secret Service came out with some information, and my friend and colleague here, Ed Cabrera, liked that, being a former Secret Service agent. But they came out with some information about how they targeted, in interviews with these criminals that they arrested, how they targeted organizations. These are things that you need to start looking at inside your organization to help prevent these attacks from being successful. First is human error. So again, human error could be an employee clicking on a phishing email that they shouldn't, right? So training them, educating them on how to spot a phishing attack. But it also could be a cloud architect who has misconfigured one of the cloud applications to open it up, say an S3 bucket, open it up to the internet, and now that has access. And the criminals have access to it. So, they're looking for human error regularly.
IT security complacency. So this kind of talks more around not enabling the latest and greatest capabilities in the products, not patching quickly enough. You know, that kind of complacency. And then technical deficiencies, and the interesting thing is, when they talked to these criminals, they said it's when they used multiple TTPs in concert that they were absolutely able to get inside an organization and stay inside an organization. They had actually one actor who was able to stay resident for 10 years inside a large network.
Another area… I want to see how I'm doing on time here. I don't think I have much time here. I wanted to highlight just why they target certain areas of your network and certain areas of your infrastructure.
So the first one is credentials, right? So we'll talk about credential theft a lot. These are trusted accounts. If they can compromise an administrative account, they have lots of access, lots of things that they can do. It allows malicious activity to be disguised, as I mentioned earlier, right? They're living off the land. A lot of the stolen credentials we see are being sold in the underground, so RDP accounts are being sold left and right inside the criminal underground. So, if organizations don't regularly change those, the likelihood that their RDP account is already open and able to be accessed is out there. And then again, weak credentials. When you see people just using a password and not implementing multi-factor authentication on these, it can definitely be challenging.
Why do they target people, right? It's easier than a technical attack. It's difficult to detect. A lot of times employees don't even realize they've been phished. It pops up an Office 365 login screen. They think it's real. They enter their Office 365 credentials, username, password, and give it right to the criminals, and they don't realize it, so they don't alert you, the security team, that this happened. Because maybe you didn't see it, didn't detect it.
People give away way too much information. This is how they can do that socially engineered attack very easily. This is how they can do a business email compromise attack, because they have the LinkedIn data of who's in finance inside your organization. And then they look at their social media accounts, they find out what their hobbies are. People just give away way too much information. And it's very low risk for a high reward.
Now, we look at why target vulnerabilities? You know, obviously there are new vulnerabilities every single day. Microsoft just had their Patch Tuesday. You know, they've been averaging over a hundred new vulnerabilities every patch cycle, it seems like, these days. A lot of them are critical bugs, and especially ones that are being actively targeted and actively exploited in the wild.
Patching is difficult, as we said. We recognize that for you, as organizations, it is difficult, because how many applications do you have? How many patches do you obtain every single week from your vendors? Probably quite a bit, and it's very difficult today to manage that process. There are those exploit marketplaces in the underground, so it makes it very easy for wannabe criminals to very easily utilize. Even buying an exploit kit in the underground is very simple. And then zero-days are very hard to detect, as we've seen in the past. When you don't know about something, it's very difficult to detect it.
And then lastly, why target external-facing infrastructure? You know, criminals use tools like Shodan so they can scan the internet very quickly today. The computing power of the systems today allows them to scan the internet very fast, so they can find open IPs very quickly and then they can do a scan, and even Shodan will give you a lot of information about each of those IPs, what's running on the system, what's available, etc.
Misconfigurations are very big, especially in cloud environments, because it's new technology. New applications are being used by these architects and by the administrators, and they can very easily make a mistake. Human error, right? We talked about that. A lot of exposed ports and services are available that should be locked down, but a lot of companies don't realize it. So it makes it difficult for an organization if you don't have controls in place that can lock down the ports and the services that actually don't have to be utilized on those open external-facing IPs.
And then often it's forgotten. We talk to customers who get targeted and they come back and say, "We didn't even realize that that IP address and that system was still available online. We didn't think it was out there." So that can be a difficult one.
Some of the commonalities we see in attacks are weak credentials; outdated, unpatched OS and applications; insecure application development; too many access privileges. Open shares happen a lot. And then unsecured devices, so again, that idea of doing an analysis of what your IPs are out there and whether they are able to be accessed. If they are, then analyzing: do they have the right ports open? Do they have the right ports closed? Etc.
The last thing I wanted to highlight is something that we also are doing. We're going to be publishing this in November. There's been some stuff trickling out, but it's our Project 30 where we're actually working with some outside experts to build out what 2030 is going to look like. So what I just talked about is kind of the next six to eight months, but what this is going to talk about more is what is going to happen in 2030? So at Trend Micro, we've got futurists that not only look at the near term, but they also look way out at the long term and what's going to happen. What's society going to look like? What are the technologies we're going to have in that timeframe?
And you can see here, some of the drivers of change that are going to happen towards 2030 are obviously automation, machine learning, AI data in the digital supply chain, advances in some of those machine learning capabilities like MLP and GAN. Additive manufacturing, the prevalence of 5G. 5G is coming very fast and furious. That capability is going to give not only organizations better capabilities, but it's also going to give the threat actors out there capabilities as well.
We looked at all of these different drivers of change and came up with some idea of what types of threats we're going to see in 2030. And what's interesting, if you look at the list here, a lot of it is similar, is stuff we already even see today. So, think about ransomware for a moment. Ransomware has actually been out here for about 20 years. It's still very successful. It still works. The tactics that they're using to distribute ransomware may be different, but the malware itself, the encryption process, is very similar to what it was years and years ago.
But so you can see here under unauthorized access, intrusions, denial of service, disruptions. As society gets more connected, and we've seen those stats about the IoT numbers in the future being billions and billions and billions of IoT devices, you're going to have issues with people having devices internal to their bodies and having those give access to the internet and giving access to your doctors and things like that. All of those are going to cause challenges in the future, and you can see that.
Then some of the implications we have for cybersecurity stakeholders, you can see this list here. Again, in 2030, everything will be cyber. You'll have embodied cybersecurity, so embodied meaning in-body. You'll have popular resistance against technology, whether it's from a moral or an ethical focus. We'll have to deal with things like that. Technology disparity, especially when it comes to country-level technology disparity, so some countries will be way more sophisticated than other countries, and that may cause challenges with cyber security in those nations and so forth. And then lastly, truth, trust, and authenticity.
With that, the only thing I wanted to end on is just kind of give you some highlights on our platform. We do recommend organizations start moving to a platform approach versus a single product, you know, best of breed type approach, because with a platform you can actually see these threats across your entire network and you can correlate, collaborate across the entire network and so forth. So with that, I'm going to turn it over to Ed and Scott. Thanks, everybody.