Increased vulnerability has been up close and personal in recent times. Businesses have encountered growing threats as the pandemic opened the door for cyber criminals to take advantage of new attack opportunities, such as ransomware, malware and attacks on cloud infrastructure.
Our threat intelligence and incident response analysts have gained first-hand visibility into the tactics, techniques and procedures (TTPs) employed by some of the most sophisticated cyber adversaries. This report reflects our analysis during the second half of calendar year 2021.
Key trends 2H2021
Accenture analysis identified five trends affecting the cybersecurity landscape:
- Affiliate disputes are on the rise: Former affiliates of ransomware groups disclosed sensitive information, leading to a proliferation of potent ransomware tools and techniques.
Organizations should focus on robust offsite backups, training, improved authentication, patching and response plans.
- Cloud infrastructure is being targeted: Cloud-related malware evolved faster than more traditional malware in 2021, and custom tool development increased the targeting of cloud infrastructure.
Organizations should focus on integrating audits into DevOps cycles, updating security frameworks, threat modeling suppliers and introducing mature software supply chain programs.
- Infostealers are highly active: As of November 2021, based on available data, the most utilized infostealers supplying underground marketplace inventory are Redline (53%), Vidar (35%), Taurus (4%), Raccoon (4%) and Azorult (2%) (see Figure 4).
- Infostealer popularity varies: Data collection biases partially explain the discrepancy between the infostealers actors used in then-active campaigns and those they used to feed marketplaces with inventory. This inconsistency also shows how much underground marketplaces rely on newer infostealers.
- Redline grows faster: Despite being only 4% of market share, the Redline infostealer is growing at a faster rate than the others following its involvement in the July 2021 Tokyo Olympic ticket data breach.
Organizations should focus on better protecting corporate environments and be aware of the rapid rise in underground sales of “bots”, which let buyers use stolen data easily via a browser plug-in.
- Rapid cloud growth feeds attack opportunities: The COVID-19 pandemic further accelerated cloud adoption, opening up new attack surfaces and increasing the value of cloud infrastructure attacks for malicious actors.
- Expanding infrastructure opens the door to new vulnerabilities: Threat actors are hijacking cloud services to exploit cloud infrastructure’s benefits, collect sensitive data and deploy ransomware. Expanding cloud infrastructure also creates highly scalable and reliable command-and-control infrastructure and botnets.
- Cloud-centric toolset threats are escalating: There’s a highly evolved and active cloud-centric toolset from TeamTNT, a German-speaking threat group. The group is known for mining cryptocurrency through cloud resource exploitation—otherwise known as cryptojacking—and for the installation of a bot named “Tsunami” onto compromised systems that can exploit cloud platforms such as Google Cloud or AWS.
Organizations should focus on auditing and testing for cloud misconfigurations, adopt an identity and access management framework and establish multi-factor authentication.
- Actors are busy selling or buying CVE exploits: Accenture analyzed 45 instances of underground actors wanting to sell or buy exploits for Common Vulnerabilities and Exposures (CVEs).
- Actors have “top three” vulnerabilities they buy and sell: The three most popular CVE exploits on the market are for CVE-2021-34473, CVE-2021-20016 and CVE-2021-31206. Successful exploitation of each enables a remote adversary to gain unauthorized access to a victim network and execute arbitrary code on a victim host.
- Actors begin to capitalize on Log4j vulnerability: In December 2021, Log4j maintainers reported details of a remote code execution vulnerability, identified as both CVE-2021-44228 and Log4Shell, that could allow attackers to execute arbitrary code on a vulnerable host.
Organizations should focus on robustly defending network access, getting back to security basics such as regular patch management and proactive testing, and updating Log4j to version 2.17.0 for Java 8 or version 2.12.2 for Java 7.
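The patching recommendation above is only actionable once an organization knows which log4j-core versions it actually runs. The following inventory script is an added example and not part of the report or of any Accenture tooling. It walks a directory tree, reads the version from the `pom.properties` file that Maven-built `log4j-core` jars carry under `META-INF/maven/org.apache.logging.log4j/log4j-core/`, applies the two thresholds the report names (2.12.x must be at least 2.12.2 for the Java 7 line, any other 2.x must be at least 2.17.0 for Java 8), and also records whether the `JndiLookup.class` file is still present. The three jars it scans are constructed fixtures created in a temporary directory so the example runs offline; branches the report does not mention (such as 2.3.x) are simply reported as unpatched.

```python
"""Inventory log4j-core jars and flag versions below the fixed releases the
report names: 2.17.0 (Java 8) and 2.12.2 (Java 7).

Added example, not from the report. Assumptions: Maven-built jars contain
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a
'version=' line, and the 2.12.x branch is the Java 7 line.
"""
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_JAVA8 = (2, 17, 0)
FIXED_JAVA7 = (2, 12, 2)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when the string is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """Apply the report's thresholds: 2.12.x needs >= 2.12.2, other 2.x >= 2.17.0."""
    v = parse_version(version)
    if v is None:
        return False  # unparseable version: treat as unpatched, investigate manually
    if v[:2] == (2, 12):
        return v >= FIXED_JAVA7
    return v >= FIXED_JAVA8


def inspect_jar(path):
    """Return (log4j-core version or None, JndiLookup.class present?) for one jar."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def scan(root):
    """Walk root and return one finding per jar that identifies as log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version, jndi = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip
            if version is None:
                continue  # some other jar, not log4j-core
            findings.append({
                "path": path,
                "version": version,
                "patched": is_patched(version),
                "jndi_lookup_present": jndi,
            })
    return findings


def make_sample_jar(path, version, include_jndi):
    """Constructed fixture: a minimal jar shaped like a Maven-built log4j-core."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\n"
                              "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo():
    """Build three constructed jars in a temp dir, scan them, return findings sorted by version."""
    tmp = tempfile.mkdtemp()
    make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_sample_jar(os.path.join(tmp, "log4j-core-2.12.2.jar"), "2.12.2", True)
    make_sample_jar(os.path.join(tmp, "log4j-core-2.17.0.jar"), "2.17.0", True)
    results = sorted(scan(tmp), key=lambda f: parse_version(f["version"]))
    for f in results:
        print(f"{f['path']}: version {f['version']} patched={f['patched']} "
              f"jndi_lookup_present={f['jndi_lookup_present']}")
    return results


if __name__ == "__main__":
    demo()
```

In real use, point `scan()` at application and container image roots rather than the temporary fixture directory. The version check alone is not conclusive for shaded or repackaged jars that lack `pom.properties`, which is why the presence of `JndiLookup.class` is reported alongside it.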