Skip to main content Skip to footer
Security

Cyber Threat Intelligence Report Volume 2

February 15, 2022

Increased vulnerability has been up close and personal in recent times. Businesses have encountered growing threats as the pandemic opened the door for cyber criminals to take advantage of new attack opportunities, such as ransomware, malware and cloud.

Our threat intelligence and incident response analysts have gained first-hand visibility into the tactics, techniques and procedures (TTPs) employed by some of the most sophisticated cyber adversaries. This report reflects our analysis during the second half of calendar year 2021.

Key trends 2H2021

Accenture analysis identified five trends affecting the cybersecurity landscape:

1. Ransomware attacks still prove profitable

Despite technology enabling threat actors to become more sophisticated there are still risks from traditional ransomware techniques.

  • Top country and industry targets remain the same: The number of ransomware attacks decreased slightly, with the United States again the top region impacted by ransomware and extortion threats, representing approximately 45% of intrusion volume in 2021. For industries, manufacturing, financial services, healthcare and technology remain the most targeted industries.
  • Affiliate disputes are on the rise: Former affiliates of ransomware groups disclosed sensitive information, leading to a proliferation of potent ransomware tools and techniques.
  • Cloud infrastructure is being targeted: Cloud-related malware evolved faster than more traditional malware in 2021 and custom tool development increased cloud infrastructure targeting.

Organizations should focus on robust offsite backups, training, improved authentication, patching and response plans

2. Supply chains offer attack foothold

Moving to the cloud has meant many organizations increased the consequences of supply chain insecurities.

  • Widely reported threat increases: During October and November 2021, numerous cybersecurity publications mentioned supply chain attack campaigns referencing developer library and software platform compromises.
  • Backdoor threats are more prevalent: Based on intrusion data Accenture collected from incident response engagements, 30% of the malware threats Accenture observed in 2021 were backdoor threats, making them the second-most-prevalent type of malware, behind ransomware (33%).

Organizations should focus on integrating audits into DevOps cycles, updating security frameworks, threat modeling suppliers and introducing mature software supply chain programs.

3. Infostealers boost the malware market

Underground endpoint marketplaces that sell packages of compromised login data continue to offer inexpensive gateways into corporate networks.

  • Infostealers are highly active: As of November 2021, based on available data, the most utilized infostealers providing underground marketplace inventory are Redline (53%), Vidar (35%), Taurus (4%), Racoon (4%) and Azorult (2%) (see Figure 4).
  • Infostealer popularity varies: Data collection biases partially explain the discrepancy between the infostealer actors used in then-active campaigns and those they used to feed marketplaces with inventory. This inconsistency also showcases underground marketplaces’ reliance on newer infostealers.
  • Redline grows faster: Despite being only 4% of market share, the Redline infostealer is growing at a faster rate than the others following its involvement in the July 2021 Tokyo Olympic ticket data breach.

Organizations should focus on better protecting corporate environments and be aware of the rapid rise in underground sales of “bots” that enable the easy use of stolen data via a browser plug-in.

4. Cloud-centricity prompts new attack vectors

Threat actors are exploiting public-facing cloud infrastructure to deploy offensive toolsets and use internal access points to cloud environments.

  • Rapid cloud growth feeds attack opportunities: The COVID-19 pandemic further accelerated cloud adoption, opening up new attack surfaces and increasing the value of cloud infrastructure attacks for malicious actors.
  • Expanding infrastructure opens the door to new vulnerabilities: Threat actors are hijacking cloud services to exploit cloud infrastructure’s benefits, collect sensitive data and deploy ransomware. Expanding cloud infrastructure also creates highly scalable and reliable command-and-control infrastructure and botnets.
  • Cloud-centric toolset threats are escalating: There’s a highly evolved and active cloud-centric toolset from TeamTNT, a German-speaking threat group. The group is known for mining cryptocurrency through cloud resource exploitation—otherwise known as cryptojacking—and for the installation of a bot named “Tsunami” onto compromised systems that can exploit cloud platforms such as Google Cloud or AWS.

Organizations should focus on auditing and testing for cloud misconfigurations, adopt an identity and access management framework and establish multi-factor authentication.

5. Vulnerability exploits actively bought and sold

Growth in underground market for vulnerability exploits, especially for those that enable adversaries to gain unauthorized access to a corporate network.

  • Actors are busy selling or buying CVE exploits: Accenture analyzed 45 instances of underground actors wanting to sell or buy exploits for Common Vulnerabilities and Exposures (CVEs).
  • Actors have “top three” vulnerabilities they buy and sell: The three most popular CVE exploits on the market are for CVE-2021-34473, CVE-2021-20016 and CVE-2021-31206. Successful exploitation of each enables a remote adversary unauthorized access to a victim network and execution of arbitrary code on a victim host.
  • Actors begin to capitalize on Log4j vulnerability: In December, 2021, Log4j maintainers reported details surrounding a remote code execution vulnerability, 22 identified as both CVE-2021-44228 and Log4Shell, that could allow attackers to execute arbitrary code on a vulnerable host.

Organizations should focus on robustly defending network access, getting back to security basics such as regular patch management and proactive testing and update Log4j to version 2.17.0 for Java 8; version 2.12.2 for Java 7.

About the
Authors

Howard Marshall

Managing Director – Accenture Security, Global Cyber Threat Intelligence Lead

Robert Boyce

Managing Director – Accenture Security, Global Cyber Response and Transformation Services Lead

Christopher Foster

Senior Principal – Security Innovation

Valentino De Sousa

Senior Principal – Security Innovation

Related capabilities

Cyber strategy

Define cyber, risk mitigation and regulatory strategies, aligning security to business priorities.

Cyber protection

Protect the business as it transforms—applying zero trust principles to secure the entire digital core.

Cyber resilience

Helping clients pressure test defenses, understand emerging threats and prepare and respond quickly to attacks.