Attacks From All Angles: 2021 Midyear Cybersecurity Report
In the first half of this year, cybersecurity strongholds were surrounded by cybercriminals waiting to pounce at the sight of even the slightest crack in defenses to ravage valuable assets.
Threats and risks from all angles soon closed in, bringing with them updated tactics and greater motivation to affect targeted industries. These security issues include high-profile modern ransomware attacks, active campaigns, critical vulnerabilities, Covid-19-related scams, and other threats, not to mention developing threats in the cloud and the internet of things (IoT).
To better prepare for the future, let us retrace our steps so far this year in the volatile landscape of cybersecurity.
Ransomware continued to evolve as one of the most menacing cyberthreats, amassing over 7 million combined email, URL, and file threat detections. Threat actors moved quickly and aggressively with attacks on critical sectors such as banking, government, and manufacturing.
[Chart: Top five industries affected by ransomware in the first half of 2021; the only label recoverable here is "Food and beverage"]
While some of the operators’ strategies, such as their propensity to target crucial industries, remained constant, many of their tactics evolved drastically and rapidly. Prominent ransomware variants raised the stakes as new families aggravated the risks. Some threat actors were quick to jump in on the opportunity and pretended to be ransomware gangs, such as in the case of a fake DarkSide campaign.
Notable ransomware families
DarkSide launched a string of high-profile attacks, including the Colonial Pipeline incident.
It has also been actively updating its technique, such as with a DarkSide Linux variant targeting VMware ESXi servers.
REvil (aka Sodinokibi)
REvil was wielded in a recent attack on major meat supplier JBS.
In the first half of 2021, Trend Micro file detections for REvil also more than doubled compared to the same period last year.
Hello, a new ransomware variant, exploits the Microsoft SharePoint vulnerability CVE-2019-0604.
We also found that it deployed the China Chopper web shell to execute PowerShell commands.
Such incidents prompted discussions on the delicate issues of ransom payments, cyber insurance, and potential legislation. There have also been aggressive efforts by authorities and security researchers to take down ransomware gangs, which have led to a string of high-profile arrests such as in the cases of the crackdown on Egregor and Clop operators.
Ransomware operators expanded their use of legitimate tools. They also upped the ante of their extortion techniques, from encryption to exposure of stolen data, to incorporating distributed denial-of-service (DDoS) attacks and directly badgering customers and stakeholders of victim organizations.
[Figure: Ransomware multi-extortion techniques]
Advanced persistent threats (APTs)
APTs were also active as several campaigns were launched in the first half of this year.
The threat groups behind these APTs brandished both tried-and-tested techniques and innovative tactics. The former included the use of spear-phishing emails and malicious scripts, while the latter involved new legitimate platforms, malware variants, and remote access tools (RATs) such as the PlugX loader.
For the latter, China and the US make up most of the compromised IP addresses.
We spotted some changes in Water Pamola’s tactics. These consist mainly of a shift to focusing mostly on targets in Japan. Additionally, instead of using spam, attacks are launched by exploiting a cross-site scripting (XSS) vulnerability in a store’s online admin portal.
Earth Vetala – MuddyWater launched campaigns against organizations in the Middle East and surrounding regions. They took advantage of legitimate remote admin tools such as ScreenConnect and RemoteUtilities to distribute payloads.
Iron Tiger, which is notorious for targeting gambling companies in Southeast Asia, updated its toolkit with an evolved SysUpdate malware variant. The group now also uses five files (instead of three) in its infection routine.
[Figure: Notable APTs for the first half of 2021]
[Figure: The attack flow of Earth Wendigo's operation]
Notable vulnerabilities made headlines as researchers scurried to patch affected systems before these flaws could pose dangers and disrupt work setups, including remote ones.
A hacking incident attributed to the Hafnium group saw the exploitation of four zero-day vulnerabilities in the on-premises versions of Microsoft Exchange Server. These vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, collectively dubbed as ProxyLogon.
Microsoft SharePoint vulnerabilities
Five notable remote code execution (RCE) vulnerabilities also affected Microsoft SharePoint, an online document management and storage platform that can also be used in remote work setups.
Workflow Deserialization of Untrusted Data Remote Code Execution Vulnerability
InfoPath List Deserialization of Untrusted Data Remote Code Execution Vulnerability
Server-Side Control Interpretation Conflict Remote Code Execution Vulnerability
WorkflowCompilerInternal Exposed Dangerous Function Remote Code Execution Vulnerability
[Figure: Microsoft SharePoint RCE vulnerabilities for the first half of 2021]
As work-from-home (WFH) setups continue to persist, virtual private networks (VPNs) remain a vital tool for ensuring security. Detections for VPN vulnerabilities continued to proliferate, with some spikes compared to the same period last year.
[Chart: Detections for VPN vulnerabilities for the first half of 2020 and the first half of 2021]
“PrintNightmare” is the name attributed to CVE-2021-1675, a critical Windows Print Spooler vulnerability that allows arbitrary code execution with system-level privileges. The accidental leak of a proof-of-concept exploit code triggered a race to patch this vulnerability as soon as possible.
All in all, the number of vulnerability detections showed a small decrease, with a notable decline in critical vulnerabilities.
[Table: severity breakdown with columns "1H 2021 Count" and "1H 2020 Count"; the counts themselves are not reproduced here]
Half-year comparison of the severity breakdown, based on the CVSS of vulnerabilities disclosed via our Zero Day Initiative (ZDI) program. Source: Trend Micro ZDI program
Covid-19-related scams and other threats
Even amid a pandemic, it’s business as usual for many threat actors as they either continue unleashing new threats or refurbish current ones. Some cybercriminals directly took advantage of the pandemic, using the uncertainty and distress brought about by the situation for social engineering ammunition in crafting their scams.
As vaccination programs continue to be rolled out across the globe, threats related to Covid-19 vaccines proliferate as well. These involve malicious files, emails, text messages, misinformation sites, and phishing pages. The usual targets are telecommunications, banking, retail, government, and finance sectors.
[Chart: The top countries affected by Covid-19-related threats in the first half of 2021]
XCSSET targets Mac users and infects Xcode projects. A few months into the year, threat actors updated XCSSET with features that let it run on both ARM64 and x86_64 Macs. The malware also gained the ability to harvest sensitive information from certain websites, including cryptocurrency-trading platforms.
PandaStealer is a new information stealer that can gather sensitive information like private keys and records of past transactions from a target’s digital currency wallets. It can also harvest credentials from other applications, take screenshots, and exfiltrate data from browsers. It is mainly propagated through spam emails that request business quotes.
Cloud and the Internet of Things (IoT)
Circumstances brought about by the pandemic catalyzed the adoption of online systems powered by technologies such as the cloud and the IoT. However, these domains come with their own sets of threats and risks.
Some prominent threats this year include TeamTNT attacks. At the start of the year, we uncovered that the threat actors behind TeamTNT were targeting certain cloud systems:
AWS credentials. TeamTNT stole AWS credentials through a binary containing a hard-coded shell script. Over 4,000 instances were compromised.
Kubernetes clusters. TeamTNT compromised Kubernetes clusters in the wild. Almost 50,000 IP addresses were affected across multiple clusters.
We uncovered risks in various facets of the IoT, including Long Range Wide Area Network (LoRaWAN), 5G, and routers.
While useful in enterprises and smart cities, LoRaWAN devices are not immune to compromise. After finding exploitable vulnerabilities in these devices, we created the LoRaPWN tool for assessing the security of LoRaWAN communications.
Establishing 4G/5G campus networks for enterprises comes with risks. To study these perils, we identified several attack scenarios including DNS hijacking, MQTT hijacking, Modbus/TCP hijacking, downloading or resetting unprotected programmable logic controllers (PLCs), remote desktop, and SIM swapping.
Routers have always been plagued with security issues. We analyzed router infections and found VPNFilter, an IoT botnet, to be one of the most prominent threats. To compromise routers and storage devices, VPNFilter uses backdoor accounts and various exploits.
[Chart: Overall number of threats blocked for the first half of 2021, broken down into blocked email threats, blocked malicious files, blocked malicious URLs, email reputation queries, file reputation queries, and URL reputation queries; the figures themselves are not reproduced here]
Download our full report to gain insights into the pressing cyberthreats and risks that plagued the first half of 2021 and learn more about our expert security recommendations for users and enterprises.