Attacks From All Angles: 2021 Midyear Cybersecurity Report

In the first half of this year, cybersecurity strongholds were surrounded by cybercriminals waiting to pounce at the sight of even the slightest crack in defenses to ravage valuable assets.

Threats and risks from all angles soon closed in, bringing with them updated tactics and greater motivation to affect targeted industries. These security issues include high-profile modern ransomware attacks, active campaigns, critical vulnerabilities, Covid-19-related scams, and other threats, not to mention developing threats in the cloud and the internet of things (IoT).

We investigate these in our midyear roundup report, "Attacks From All Angles: 2021 Midyear Cybersecurity Report."

To better prepare for the future, let us retrace our steps so far this year in the volatile landscape of cybersecurity.




01

Ransomware

Ransomware continued to evolve as one of the most menacing cyberthreats, amassing over 7 million combined email, URL, and file threat detections. Threat actors moved quickly and aggressively with attacks on critical sectors such as banking, government, and manufacturing.

Banking: 15,537
Government: 10,225
Manufacturing: 4,957
Healthcare: 4,802
Food and beverage: 2,330

Top five industries affected by ransomware in the first half of 2021

While some of the operators’ strategies, such as their propensity to target crucial industries, remained constant, many of their tactics evolved drastically and rapidly. Prominent ransomware variants raised the stakes as new families aggravated the risks. Some threat actors were quick to jump in on the opportunity and pretended to be ransomware gangs, such as in the case of a fake DarkSide campaign.

Notable ransomware families


DarkSide

DarkSide launched a string of high-profile attacks, including the Colonial Pipeline incident.

It has also been actively updating its technique, such as with a DarkSide Linux variant targeting VMware ESXi servers.


REvil (aka Sodinokibi)

REvil was wielded in a recent attack on major meat supplier JBS.

In the first half of 2021, Trend Micro file detections for REvil also more than doubled compared to the same period last year.


Hello

Hello, a new ransomware variant, exploits the Microsoft SharePoint vulnerability CVE-2019-0604.

We also found that it deployed the China Chopper web shell to execute PowerShell commands.

Such incidents prompted discussions on the delicate issues of ransom payments, cyber insurance, and potential legislation. There have also been aggressive efforts by authorities and security researchers to take down ransomware gangs, which have led to a string of high-profile arrests such as in the cases of the crackdown on Egregor and Clop operators.

Refined techniques

Ransomware operators expanded their use of legitimate tools. They also upped the ante on extortion: beyond encrypting data, they exposed stolen data, added distributed denial-of-service (DDoS) attacks, and directly badgered customers and stakeholders of victim organizations.

Ransomware multi-extortion techniques



02

Advanced persistent threats (APTs)

APTs were also active as several campaigns were launched in the first half of this year.

The threat groups behind these APTs brandished both tried-and-tested techniques and innovative tactics. The former included the use of spear-phishing emails and malicious scripts, while the latter involved new legitimate platforms, malware variants, and remote access tools (RATs) such as the PlugX loader.

Notable APTs


TeamTNT

TeamTNT is at it again, this time targeting Amazon Web Services (AWS) credentials and Kubernetes clusters. These attacks are related to cryptocurrency mining as well.

For the latter, most of the compromised IP addresses were located in China and the US.


Water Pamola

We spotted some changes in Water Pamola’s tactics. The group now focuses mostly on targets in Japan. Additionally, instead of using spam, it launches attacks by exploiting a cross-site scripting (XSS) vulnerability in a store’s online admin portal.


Earth Vetala

Earth Vetala – MuddyWater launched campaigns against organizations in the Middle East and surrounding regions. They took advantage of legitimate remote admin tools such as ScreenConnect and RemoteUtilities to distribute payloads.


Iron Tiger

Iron Tiger, which is notorious for targeting gambling companies in Southeast Asia, updated its toolkit with an evolved SysUpdate malware variant. The group now also uses five files (instead of three) in its infection routine.


Earth Wendigo

Trend Micro discovered an APT that has been targeting organizations in Taiwan since 2019. We dubbed the threat actors Earth Wendigo. The attacks use spear-phishing emails with malicious JavaScript injected into a widely used webmail system.

Notable APTs for the first half of 2021

The attack flow of Earth Wendigo’s operation



03

Vulnerabilities

Notable vulnerabilities made headlines as researchers scurried to patch affected systems before these flaws could endanger and disrupt work setups, including remote ones.

ProxyLogon

A hacking incident attributed to the Hafnium group saw the exploitation of four zero-day vulnerabilities in the on-premises versions of Microsoft Exchange Server. These vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, collectively dubbed ProxyLogon.

Microsoft SharePoint vulnerabilities

Five notable remote code execution (RCE) vulnerabilities also affected Microsoft SharePoint, an online document management and storage platform that can also be used in remote work setups.

CVE-2021-24066: Workflow Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2021-27076: InfoPath List Deserialization of Untrusted Data Remote Code Execution Vulnerability
CVE-2021-31181: WebPart Interpretation Conflict Remote Code Execution Vulnerability
CVE-2021-28474: Server-Side Control Interpretation Conflict Remote Code Execution Vulnerability
CVE-2021-26420: WorkflowCompilerInternal Exposed Dangerous Function Remote Code Execution Vulnerability

Microsoft SharePoint RCE vulnerabilities for the first half of 2021

VPN vulnerabilities

As work-from-home (WFH) setups continue to persist, virtual private networks (VPNs) remain a vital tool for ensuring security. Detections for VPN vulnerabilities continued to proliferate, with some spikes compared to the same period last year.

Vulnerabilities tracked in the chart: Fortinet CVE-2018-13379; Pulse Secure CVE-2019-11510 and CVE-2019-11539; Citrix Systems CVE-2019-19781

Monthly detection counts per series, in the chart's left-to-right order (a dash marks an empty cell):

2020
Jan: 15,834 | 88,506 | 9 | - | 856 | 287
Feb: 9,864 | 66,164 | 12 | - | 52 | 19
Mar: 14,910 | 63,716 | 115 | - | 118 | 18
Apr: 18,312 | 62,862 | 69 | - | 2,703 | 1
May: 20,897 | 60,791 | 60 | - | 2,921 | 7
Jun: 27,110 | 39,994 | 123 | - | 2,783 | 5

2021
Jan: 113,330 | 45,937 | 787 | - | 1,388 | 3
Feb: 77,853 | 15,627 | 488 | - | 579 | 761
Mar: 75,785 | 27,876 | 566 | 1 | 713 | 158
Apr: 68,651 | 21,440 | 956 | - | 988 | 5
May: 70,083 | 15,230 | 508 | - | 650 | 5
Jun: 61,467 | 9,558 | 301 | 11 | 418 | 15

Detections for VPN vulnerabilities for the first half of 2020 and the first half of 2021

PrintNightmare

“PrintNightmare” is the name attributed to CVE-2021-1675, a critical Windows Print Spooler vulnerability that allows arbitrary code execution with system-level privileges. The accidental leak of a proof-of-concept exploit code triggered a race to patch this vulnerability as soon as possible.

All in all, the number of vulnerability detections showed a small decrease, with a notable decline in critical vulnerabilities.

Severity    1H 2021 Count    1H 2020 Count
Critical    16               121
High        553              547
Medium      107              76
Low         94               42
Total       770              786

Half-year comparison of the severity breakdown, based on the CVSS of vulnerabilities disclosed via our Zero Day Initiative (ZDI) program.
Source: Trend Micro ZDI program



04

Covid-19-related scams and other threats

Even amid a pandemic, it’s business as usual for many threat actors as they either continue unleashing new threats or refurbish current ones. Some cybercriminals directly took advantage of the pandemic, using the uncertainty and distress brought about by the situation for social engineering ammunition in crafting their scams.

Covid-19-related threats

As vaccination programs continue to be rolled out across the globe, threats related to Covid-19 vaccines proliferate as well. These involve malicious files, emails, text messages, misinformation sites, and phishing pages. The usual targets are telecommunications, banking, retail, government, and finance sectors.

United States: 1,584,337
Germany: 832,750
Colombia: 462,005
Italy: 131,197
Spain: 111,663
Others: 1,287,440

The top countries affected by Covid-19-related threats in the first half of 2021

Active threats

XCSSET

XCSSET targets Mac users and infects Xcode projects. A few months into the year, threat actors updated XCSSET with features that let it adapt to both ARM64 and x86_64 Macs. The malware also gained the ability to harvest sensitive information from certain websites, including cryptocurrency-trading platforms.

PandaStealer

PandaStealer is a new information stealer that can gather sensitive information like private keys and records of past transactions from a target’s digital currency wallets. It can also harvest credentials from other applications, take screenshots, and exfiltrate data from browsers. It is mainly propagated through spam emails that request business quotes.



05

Cloud and the Internet of Things (IoT)

Circumstances brought about by the pandemic catalyzed the adoption of online systems powered by technologies such as the cloud and the IoT. However, these domains come with their own sets of threats and risks.

Cloud

Some prominent threats this year include TeamTNT attacks. At the start of the year, we uncovered that the threat actors behind TeamTNT were targeting certain cloud systems:

  • AWS credentials. TeamTNT stole AWS credentials through a binary containing a hard-coded shell script. Over 4,000 instances were compromised.
  • Kubernetes clusters. TeamTNT compromised Kubernetes clusters in the wild. Almost 50,000 IP addresses were affected across multiple clusters.

The IoT

We uncovered risks in various facets of the IoT, including Long Range Wide Area Network (LoRaWAN), 5G, and routers.

LoRaWAN

While useful in enterprises and smart cities, LoRaWAN devices are not immune to compromise. After finding exploitable vulnerabilities in these devices, we created the LoRaPWN tool for assessing the security of LoRaWAN communications.

5G

Establishing 4G/5G campus networks for enterprises comes with risks. To study these perils, we identified several attack scenarios including DNS hijacking, MQTT hijacking, Modbus/TCP hijacking, downloading or resetting unprotected programmable logic controllers (PLCs), remote desktop, and SIM swapping.

Routers

Routers have always been plagued with security issues. We analyzed router infections and found VPNFilter, an IoT botnet, to be one of the most prominent threats. To compromise routers and storage devices, VPNFilter uses backdoor accounts and various exploits.



06

Threat Landscape

Overall number of threats blocked for the first half of 2021: 40,956,909,973



Blocked email threats: Q1 16,089,334,070; Q2 17,226,781,018

Blocked malicious files: Q1 2,343,479,304; Q2 3,997,341,419

Blocked malicious URLs: Q1 535,451,111; Q2 764,523,051

Email reputation queries: Q1 20,910,330,826; Q2 22,075,108,541

File reputation queries: Q1 442,384,974,451; Q2 517,455,645,611

URL reputation queries: Q1 848,818,567,862; Q2 796,857,859,588

Download our full report to gain insights into the pressing cyberthreats and risks that plagued the first half of 2021 and learn more about our expert security recommendations for users and enterprises.