Threat Intelligence Index (2022): In 2021 the IBM Security® X-Force team conducted research on cyber attack behaviour and released the “Threat Intelligence Index (2022)”. The report is based on data extracted from network and endpoint detection devices, incident response (IR) engagements, domain name tracking and other sources between January and December 2021, and describes the new trends and attack patterns observed in that data.
The report analyzes the main types of cyber attacks, supply chain vulnerabilities, the brands most commonly imitated in phishing attacks, and the most active advanced persistent threat (APT) groups, and provides risk mitigation recommendations for defending against these attacks.
In 2021, several major threats swept the cyber domain worldwide:
Ransomware attacks topped the list of cybersecurity threats at 21 percent.
Among ransomware attacks, 44 percent exploited unpatched software vulnerabilities.
Despite the intensified crackdown on ransomware, the average lifespan of a ransomware gang before it ceases operations or rebrands is still 17 months.
Manufacturing has replaced finance and insurance as the most attacked industry.
Asia was the most attacked region, accounting for 26% of the total.
Mozi botnet attacks account for 74% of attacks on IoT devices.
…
Main types of cyber attacks
Ransomware attacks
Ransomware is the dominant attack type. Although the share of ransomware attacks dropped by nearly 9% year over year, it has been the number one attack type for more than three years. The research team observed that ransomware accounted for 21% of the attacks it remediated in 2021, down slightly from 23% the previous year, but still the leading attack type. REvil, also known as Sodinokibi, was the most common ransomware observed by the research team for the second consecutive year, accounting for 37% of ransomware attacks, followed by Ryuk at 13%. Law enforcement activity was probably the main force behind the decline in ransomware and IoT botnet attacks in 2021, but this does not rule out a resurgence in 2022.
Server access attacks
BEC attacks
The third most common type is Business Email Compromise (BEC). The study found that such attacks continued to decline in 2021. The research team had previously theorized that the wider rollout of multi-factor authentication (MFA) reduces attackers’ success rate. BEC attackers now appear to have shifted their focus to geographic regions where MFA is less widely implemented and where they have more success.
For example, organizations in Latin America are bearing the brunt of the BEC attacks being remediated, while organizations in North America remain prime targets for BEC operations. Among attacks on Latin American organizations, the research team observed the BEC share rise from 0% in 2019 to 19% in 2020 and 20% in 2021. This surge in attacks on Latin American organizations shows that BEC attackers have shifted the geographic scope of their operations.
In addition to studying attackers with different end goals, the research team also looked at the initial access vectors used to attack networks. Phishing and vulnerability exploitation were the most common, followed by the use of stolen credentials, brute force attacks, Remote Desktop Protocol (RDP), removable devices and others.
Supply Chain Vulnerability Attacks
Supply chain security has become a primary concern for governments and policymakers. With the Biden administration’s executive order on cybersecurity and guidance from the U.S. Department of Homeland Security, CISA and NIST have doubled down on zero-trust guidelines that focus on vulnerabilities and trust relationships.
Vulnerability exploitation was the number one initial access vector against the manufacturing sector, which is also grappling with the impact of delayed supply chains. For the first time since 2016, manufacturing took the top spot in the study as the most attacked industry in 2021: 23.2 percent of the attacks remediated targeted manufacturing.
As digitization and Internet protocols spread, more and more “things” come online, and with them come new vulnerabilities and risks. While most issues affect industrial organizations, other organizations using IoT in their infrastructure are also at risk. Beyond increased digitization, supply chain dynamics also affect many OT-connected organizations. Attacks were mainly reflected in the following three areas:
Attackers speed up reconnaissance of OT devices
When analyzing the 2021 data, the research team found that attackers were conducting large-scale reconnaissance campaigns looking for exploitable communications in industrial networks. The data shows that adversary reconnaissance activity targeting port 502 increased by 2,204 percent between January and September 2021 (Threat Intelligence Index).
Attackers may be stepping up reconnaissance of Modbus to find targets for extortion or to seize control and cause damage. Given Modbus’s lack of security features, once attackers find an accessible Modbus device they can issue harmful commands to it, affecting connected ICS or IoT systems.
SCADA Modbus sits at level 2 of the Purdue model in an ICS environment; ideally it should be segmented from, and placed below, the enterprise network (Threat Intelligence Index). In some cases, however, SCADA Modbus port 502 can be reached directly over the open Internet. The lack of authentication and the transmission of data in plaintext are inherent drawbacks of Modbus, which make it less secure than more modern protocols.
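To make the two risks above concrete, here is an added example (not from the IBM report) that scans Modbus traffic records for the reconnaissance pattern the report describes (one source touching many port 502 servers), for port 502 access from outside the OT network, and for write function codes from hosts that are not allowed to write. The record layout is modelled on Zeek’s modbus.log (tab-separated ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, func); the log lines, the OT subnet and the write allowlist are constructed for illustration.

```python
"""Detect Modbus/TCP reconnaissance and unauthenticated writes in Zeek-style
modbus.log records.

Added example, not part of the IBM report. The log lines below are constructed
to resemble Zeek's modbus.log; the OT subnet and allowlist are hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical OT cell: only the engineering workstation may write to PLCs.
OT_NET = ip_network("10.20.0.0/16")
WRITE_ALLOWLIST = {ip_address("10.20.1.10")}

# Modbus write functions as Zeek names them. Modbus has no authentication, so
# any host that can reach port 502 can send these.
WRITE_FUNCS = {
    "WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
    "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS",
}

# Constructed sample: a legitimate engineering write, an Internet host sweeping
# five PLCs (reconnaissance), and a write from an unexpected internal host.
SAMPLE_LOG = """\
1632000000.10\t10.20.1.10\t50123\t10.20.5.1\t502\tREAD_HOLDING_REGISTERS
1632000001.20\t10.20.1.10\t50124\t10.20.5.1\t502\tWRITE_SINGLE_REGISTER
1632000010.00\t198.51.100.7\t41000\t10.20.5.1\t502\tREAD_COILS
1632000010.05\t198.51.100.7\t41001\t10.20.5.2\t502\tREAD_COILS
1632000010.10\t198.51.100.7\t41002\t10.20.5.3\t502\tREAD_COILS
1632000010.15\t198.51.100.7\t41003\t10.20.5.4\t502\tREAD_COILS
1632000010.20\t198.51.100.7\t41004\t10.20.5.5\t502\tREAD_COILS
1632000020.00\t10.20.7.44\t51000\t10.20.5.2\t502\tWRITE_SINGLE_COIL
"""


def parse(log_text):
    """Yield one dict per record; skip blank lines and Zeek '#' header lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, func = line.split("\t")
        yield {"ts": float(ts), "src": ip_address(src),
               "dst": ip_address(dst), "dport": int(dport), "func": func}


def find_recon(records, fanout=5):
    """A source that talks to >= fanout distinct Modbus servers is sweeping."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == 502:
            targets[r["src"]].add(r["dst"])
    return {str(src): len(dsts) for src, dsts in targets.items()
            if len(dsts) >= fanout}


def find_external_access(records):
    """Port 502 reached from outside the OT network: a Purdue-model violation."""
    srcs = {r["src"] for r in records if r["dport"] == 502 and r["src"] not in OT_NET}
    return sorted(str(s) for s in srcs)


def find_unauthorized_writes(records):
    """Write function codes from any host not on the write allowlist."""
    return [(str(r["src"]), str(r["dst"]), r["func"]) for r in records
            if r["func"] in WRITE_FUNCS and r["src"] not in WRITE_ALLOWLIST]


def analyze(log_text=SAMPLE_LOG):
    records = list(parse(log_text))
    return {"recon": find_recon(records),
            "external": find_external_access(records),
            "writes": find_unauthorized_writes(records)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

On the sample, the sweep from 198.51.100.7 is reported both as reconnaissance (five PLCs) and as external access, and the coil write from 10.20.7.44 is flagged because it is not the engineering workstation; the allowlisted write from 10.20.1.10 is not. In a real deployment the fan-out threshold and allowlist would come from the asset inventory rather than constants.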
Ransomware causes manufacturing to be most attacked in OT industry
Among industries with OT networks, the research team found that manufacturing was the most attacked industry in 2021, accounting for 61% of the incidents the team helped resolve, likely because these organizations have a very low tolerance for downtime.
The study found that industries hit by OT-related cyber attacks included engineering, mining, utilities, oil and gas, transportation and manufacturing (Threat Intelligence Index). Across these industries ransomware once again led as an attack type, accounting for 36% of all attacks, echoing the overall trend across all industries. In the vast majority of these incidents it was the victims’ IT networks that were compromised, with their operational technology affected as a consequence.
Other major attack types included server access, DDoS, remote access trojans (RATs), insider threats and credential harvesting operations.
Mozi botnet attacks IoT and OT assets
Since 2019, the research team has observed a significant amount of IoT malware activity, which surged by 3,000% between the third quarter of 2019 and the fourth quarter of 2020. The Mozi botnet is the most significant IoT malware, accounting for 74% of the total.
Mozi mainly uses weak Telnet passwords and exploits to attack network devices, IoT devices, video recorders and other Internet-connected products (Threat Intelligence Index). After infection it can remain persistent on network gateways, which are particularly effective initial access points for lateral movement into high-value networks, including OT and ICS networks. By infecting routers, the attackers behind Mozi can also conduct man-in-the-middle attacks (including against OT networks) that lead to the deployment of ransomware.
Beyond its initial access and lateral movement capabilities, a large Mozi botnet infecting many security cameras or similar IoT devices can cripple an organization’s ability to conduct physical security operations effectively. China reportedly arrested the authors of the Mozi botnet in June and August 2021, which may have contributed to the lower volume of IoT attacks in the fourth quarter of that year.
The most imitated brands in phishing attacks
The research team also closely tracked which brands attackers targeted with phishing kits in 2021. The research shows that the most often imitated brands are large technology companies and financial institutions (the report ranks the top eleven).
Among them, Microsoft, Apple and Google are the top three brands that criminals try to imitate. These large brands are impersonated repeatedly, probably because of their popularity and the trust many consumers place in them.
The Anti-Phishing Working Group (APWG) recorded 222,127 phishing attacks in June 2021, an all-time high. The research team assesses that phishing kits will continue to be used by threat actors because of their ease of use and low resource requirements (Threat Intelligence Index). Monitoring suspicious connections to domains that imitate these brands can help businesses greatly reduce their exposure to this attack vector.
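The monitoring the report recommends comes down to matching outbound DNS queries against a watchlist of brands. The following added example (not from the IBM report) does this for three classes of impersonation: a brand name embedded in an unrelated domain, a one-character typosquat, and a homoglyph or IDN lookalike (e.g. a Cyrillic “а” in “apple”, which resolves to a punycode xn-- label). The brand list, the legitimate-domain sets, the confusable tables and the query log lines are all constructed for illustration; the registrable-domain logic assumes the last two labels rather than a public-suffix list.

```python
"""Flag DNS queries for domains that imitate monitored brands.

Added example, not part of the IBM report. Brands, legitimate domains, the
confusable tables and the query log are constructed for illustration.
"""

# Hypothetical watchlist: brand keyword -> registrable domains it really uses.
BRANDS = {
    "microsoft": {"microsoft.com", "live.com"},
    "apple": {"apple.com", "icloud.com"},
    "google": {"google.com"},
}

# Cyrillic letters that render like Latin ones (small illustrative subset).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i"}
# ASCII substitutions common in lookalike names; multi-char pairs go first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed query log: "client fqdn" per line.
SAMPLE_QUERIES = """\
10.0.0.5 microsoft.com
10.0.0.5 login.live.com
10.0.0.8 micros0ft-login.example
10.0.0.8 xn--pple-43d.com
10.0.0.9 gooogle.com
10.0.0.9 appleid.support-account.net
10.0.0.5 example.org
"""


def skeleton(label):
    """Reduce a DNS label to the ASCII string a human would read it as."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")  # punycode -> unicode
        except UnicodeError:
            pass
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn):
    """Return (brand, reason) if fqdn imitates a watched brand, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])        # assumption: no public-suffix list
    sld = skeleton(labels[-2] if len(labels) >= 2 else labels[0])
    full = ".".join(skeleton(l) for l in labels)
    if any(registrable in legit for legit in BRANDS.values()):
        return None                            # the brand's own domain
    for brand in BRANDS:
        if sld == brand:
            return brand, "homoglyph"          # reads as the brand, is not its domain
        if edit_distance(sld, brand) <= 1:
            return brand, "typosquat"
        if brand in full:
            return brand, "brand-in-name"      # e.g. brand used as a subdomain
    return None


def scan(log_text=SAMPLE_QUERIES):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, fqdn = line.split()
        verdict = classify(fqdn)
        if verdict:
            hits.append((client, fqdn, *verdict))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(*hit)
```

Queries for the brands’ own domains are skipped first, so that a legitimate login.live.com is not reported; everything else is normalised before comparison, which is why the punycode label xn--pple-43d decodes and collapses to “apple” and micros0ft reads as microsoft. The edit-distance threshold of one and the two-label registrable-domain rule are deliberately simple; a production detector would use a public-suffix list and tune the threshold per brand length.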
Most Active APT
The study found that the suspected Iranian nation-state group ITG17 (MuddyWater), the cybercriminal group ITG23 (Trickbot) and Hive0109 (LemonDuck) were the most active threat groups in 2021. These groups are looking to increase their capabilities and infiltrate more organizations. The malware they use embeds more defense-evasion techniques and is in some cases hosted on cloud-based messaging and storage platforms to bypass security controls; these platforms are abused to hide command-and-control communications within legitimate web traffic. Threat actors also continue to develop Linux versions of their malware, making it easier to pivot into cloud environments.
Security principles and recommendations for risk mitigation
To counter ransomware, BEC and phishing attacks, organizations need to understand the current state of these attacks and take action to defend against them.
Security principles
The research team found that the following three security principles help defend against current cyberattacks:
1. Zero trust helps reduce the risk of major attacks
Zero trust is a paradigm shift: a security approach that assumes a breach has already occurred and is designed to make it harder for an attacker to move across the network. It centres on understanding where critical data resides and who can access it, and on establishing strong authentication across the network so that only those with legitimate access rights can reach that data.
The research confirms that principles associated with a zero-trust approach, including the implementation of MFA and least privilege, are among the most important. These principles can reduce businesses’ exposure to the major attack types, particularly ransomware and BEC (the attack types identified in the report).
First, applying the principle of least privilege to domain controller and domain administrator accounts makes ransomware attacks more difficult: many ransomware actors attempt to deploy ransomware to the network from a compromised domain controller, so restricting those accounts puts an additional barrier in their way. Second, implementing MFA makes it harder for cybercriminals to take over email accounts, since they would need to provide further authentication beyond stolen credentials.
2. Security Automation Helps Enhance Incident Response
In mid-2021, IBM contributed a threat hunting automation tool to the Open Cybersecurity Alliance. The tool is designed to help Security Operations Center (SOC) analysts investigate cyber incidents and perform forensics quickly. In addition, the research team used IBM Security QRadar SOAR to improve its incident response capabilities.
3. Expanding detection and response technology helps provide significant advantages
To better protect cybersecurity, the report proposes specific actions that can be taken as follows:
First, develop a ransomware response plan. The plan should cover which stakeholders to inform and how, and how the organization will store that information securely if immediate action is required; how to respond to data theft and leakage carried out as part of a ransomware attack; and ransomware tabletop exercises to decide in advance whether the organization would pay a ransom and which other factors would influence that decision.
Second, implement multi-factor authentication at every remote access point on the network. The study found that it has become easier for organizations to implement MFA, which fundamentally changes the attack landscape: attackers are forced to find new ways to compromise networks beyond using stolen credentials, and email takeover campaigns become less effective. MFA reduces the risk of several attack types, including ransomware, data theft, BEC and server access. In addition, identity and access management technologies make implementing MFA easier for both the implementation team and end users.