The past 18 months – from the rapid adoption of remote working, innovative new technologies being trialed and tested the world over, to pandemic-fueled emotions – have been the perfect conditions for cybercrime to thrive. Cybercriminals have shown no sign of slowing down in 2021 and, as we approach the halfway point and the gradual climb out of the COVID-19 pandemic, they are still not short of sophisticated and malicious ways to achieve their goals.
As the world adjusts to the new normal, organizations must continue to champion cyber hygiene and remain committed to protecting their core assets from the rising wave of cyber fraud.
In this post, Blueliv will take a deep dive into the core attack methodologies being utilized by threat actors today, using data and insights gathered from Blueliv’s Threat Compass to outline the common practices, rationalities, and threat actors behind these attacks, and how best to mitigate them.
By the end, security teams and leaders will benefit from a better understanding of each attack vector and have an idea of the practices and products that can aid them in protecting their organizations now and in the future.
Phishing
A staple of cybercrime, phishing attempts are as popular among criminals today as they’ve ever been – perhaps even more so.
Phishing – the act of coercing victims into sharing personal data, credentials, or financial information online, often under the illusion that they are doing so with their bank or a trusted third party – has evolved to incorporate QR codes. This was first recorded in 2020 but has become increasingly popular in 2021, most likely because QR codes were widely adopted during the pandemic as a simple way for people to check in or receive information when visiting shops, restaurants, and other physical spaces.
Early in 2021, several phishing schemes were identified that asked victims to disclose vital data by scanning a QR code. Doing so would allow attackers to leak data, gain access to financial information, or infect the device. This was evident in a series of communications, appearing to come from banks, that asked users to follow a QR code to receive vital COVID-19 information relating to their banking. The State Bank of India (SBI) explicitly told its customers not to follow any QR codes, however valid the message may appear, after many fell victim to such phishing attacks.
In addition to this, SMS phishing scams – known as ‘smishing’ – remain prevalent. Already in 2021 attackers have targeted Android devices in the UK and Europe with spyware known as ‘Flubot’, delivered via an SMS text that lures targets into installing an application to track a missed delivery. In reality, the link downloads the malware, which can steal sensitive banking information, credentials and passwords.
It’s no secret that cybercriminals will capitalize on the latest technology trends when targeting their victims, as has been proven by their sudden adoption of QR codes in phishing attempts.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
According to research conducted by NETSCOUT’s ATLAS Security Engineering and Response Team, roughly 3 million DoS attacks took place in the first quarter of 2021 – a third (31%) more than in the same period of 2020. January in particular saw 972,000 attacks recorded – the largest number of DoS attacks ever recorded in a single month.
Like ransomware, DoS and DDoS attacks – interrupting access to online systems for malicious purposes, and disrupting the normal flow of traffic by overwhelming the target with Internet traffic from many sources, respectively – have seen a sharp rise throughout the pandemic as criminals look to capitalize on weakened security perimeters and overwhelmed, vulnerable workforces. This is particularly harmful for businesses that have seen a sharp increase in e-commerce transactions throughout the pandemic, since every minute of unavailability now costs them more.
Ransomware and access brokers
The rise of ransomware throughout the past 18 months has been well documented. After maturing in 2020, ransomware – a form of malware that prevents victims from accessing critical data unless they pay a ransom – continues to wreak havoc in 2021.
Alongside this, Ransomware-as-a-Service (RaaS) business models have understandably grown in popularity across the dark web and underground forums as more and more criminals want to launch their own attacks.
This has allowed criminals to build a scalable business model: developers create and sell RaaS packages as another means of increasing their revenue, and several threat actors have taken note, outsourcing some of the core responsibilities of these attacks to affiliates – for a price.
Most recently, beef producer JBS SA and energy company Colonial Pipeline have both fallen victim to RaaS attacks. In both cases, even the smallest amount of downtime could have meant millions of dollars lost. This makes them prime targets for this type of attack, as evidenced by Colonial Pipeline swiftly paying the $5 million ransom. JBS SA has not disclosed whether it paid the attackers’ ransom.
The rise in RaaS cases is a cause for concern: ransomware attacks are no longer achievable only by those with the means to develop them, which can only mean they will continue to increase in popularity.
Business email compromise (BEC)
As with many other attack vectors in this list, BEC attacks have risen in popularity recently as criminals use any means possible to prey on vulnerable victims. BEC attacks, for the uninitiated, compromise or impersonate business email accounts through sophisticated social engineering techniques, and are particularly used against businesses that make frequent wire payments.
The FBI’s Internet Crime Complaint Center (IC3) revealed earlier this year that, alongside phishing scams and ransomware attacks, BEC attacks were the biggest complaints received throughout 2020 – a number that is only expected to have risen in 2021. The IC3 received 19,369 complaints of BEC attacks in this period, the fallout of which cost victims roughly $1.8 billion (in comparison, phishing complaints led to $54 million lost). These findings are part of the IC3’s annual Internet Crime Report.
Just last week the FBI issued a warning to private sector companies that attackers are impersonating construction companies in a BEC campaign targeting organizations across several US critical infrastructure sectors. This latest campaign is believed to have started in March 2021, and significant financial losses, up to millions of dollars, are already expected.
Fraud and deepfakes
Valuable data being stolen from users and organizations is nothing new, but how actors are going about it of late has evolved. Just as the ongoing COVID-19 pandemic saw the maturity of ransomware, so too has it seen a surge in fraud as threat actors harness increasingly sophisticated methods to target their victims – the latest example being deepfake technology.
Deepfake technology is not a new concept, though it has improved significantly in recent years. Powered by a combination of artificial intelligence and machine learning, deepfake technology allows fraudsters to digitally create a person’s likeness – using images and videos – which can ultimately be used to impersonate a victim. The more data available, the more accurate the deepfake will be, all the way down to the minor expressions and unique mannerisms of the person being impersonated. IBM’s DeepLocker proof of concept is a leading example of how AI will drive the development of advanced forms of malware.
Currently, there are no regulations in place to combat synthetic deepfake videos; the US approved the first bill in November 2020 which has called for further research into the method, whilst the UK government is currently in the throes of evaluating legislation in a bid to ban deepfake videos.
In the meantime, threat actors have been quick to exploit the technology, offering customized deepfake services, explanatory tutorials, and tools to create deepfake audio, images, and videos via the dark web.
At the beginning of the year, Internet of Things vendor Ubiquiti Inc. saw its customer database, including credentials and other sensitive information, breached via unauthorized access through a third-party provider. It is unknown how many customers were impacted by this breach, but the number is expected to be large considering that the company has sold more than 85 million devices globally.
Supply chain attacks
Following last year’s huge SolarWinds attack, supply chain attacks – in which attackers insert malicious code or components into trusted hardware or software – remain a hot topic. According to the Identity Theft Resource Center (ITRC), 137 organizations reported being hit by supply chain attacks in the first quarter of 2021, a sharp 42% rise in these attacks in the US compared to Q4 2020. The ITRC’s research suggests that up to seven million individuals fell victim to supply chain attacks between January and April 2021.
In April 2021, hundreds of networks were compromised in the Codecov supply chain attack, in which attackers stole credentials from a flawed Docker image and used them to alter Codecov’s Bash Uploader script. The tampering is believed to have gone unnoticed since January 2021, and an unknown number of credentials were stolen from the company’s 29,000 customers worldwide.
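One defensive control against the kind of tampering described above, as an added example that is neither Codecov’s nor Blueliv’s code: pin the SHA-256 digest of a CI helper script in the repository and refuse to execute a fetched copy whose digest differs, instead of piping whatever the server returns straight into a shell. The file names, digest and temporary directory below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Codecov's own tooling: a CI job that refuses to run a fetched
# helper script unless its SHA-256 digest matches a digest pinned in the repo.
# The sample scripts, the pinned digest and the temp directory are constructed here.

# verify_script FILE EXPECTED_SHA256: returns 0 if the digest matches, 1 otherwise.
verify_script() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'integrity check failed for %s\n  expected: %s\n  actual:   %s\n' \
        "$1" "$2" "$actual" >&2
    return 1
}

# run_verified FILE EXPECTED_SHA256: execute FILE only after it verifies,
# replacing the usual "curl ... | bash" pattern that trusts whatever was served.
run_verified() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# Constructed sample: the "known good" uploader the team reviewed and pinned...
DEMO_DIR=$(mktemp -d)
DEMO_GOOD="$DEMO_DIR/uploader.sh"
printf '#!/bin/sh\necho upload-ok\n' > "$DEMO_GOOD"
# ...and the digest they would commit alongside the CI configuration.
PINNED=$(sha256sum "$DEMO_GOOD" | cut -d' ' -f1)

# A copy served later with one extra line stands in for a tampered download.
DEMO_BAD="$DEMO_DIR/uploader_tampered.sh"
cp "$DEMO_GOOD" "$DEMO_BAD"
printf 'echo tampered\n' >> "$DEMO_BAD"

# When run directly: the pinned copy executes, the tampered copy is refused.
run_verified "$DEMO_GOOD" "$PINNED"
run_verified "$DEMO_BAD" "$PINNED" || echo "tampered uploader was blocked"
```

The pinned digest must be updated deliberately (with a review of the new script) whenever the vendor publishes a new version, which is exactly the point: a silent change on the server can no longer reach the build.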
Cryptojacking
Another attack that is trending in 2021 is cryptojacking. In these attacks, criminals install hidden cryptojacking software on victims’ devices that stealthily steals from cryptocurrency wallets. This technique will only become more popular among criminals as cryptocurrency continues to rise in popularity.
In June 2021, a new malware emerged that targets Windows containers. Known as Siloscape, it creates malicious containers that steal data from compromised devices and loads cryptocurrency miners that identify and steal cryptocurrency.
Opportunities abound for savvy cyber criminals in 2021 as organizations continually shift their focus while acclimatizing to the new normal.
Security leaders should be well aware of the threats out there, but this sadly isn’t the case, and they often don’t have the team, skills, or resources to keep up to date with every new and evolving threat heading their way.
To counteract this, and to ensure they are doing everything within their power to hold off such threats, security teams should consider threat intelligence platforms that can bolster the areas where they fall short.
Blueliv’s Threat Context module is one such platform, providing SOC, Incident Response and Threat Intelligence teams with continuously updated and intuitive information around threat actors, campaigns, malware indicators, attack patterns, tools, signatures, and CVEs, ensuring they are never left in the dark or unprepared when it comes to threats lurking outside the organization. Users of Threat Context benefit from enriched, contextualized information that enhances cybersecurity processes before, during, and after an attack, offering some much-needed peace of mind in a continually trying time.