Advanced threats constantly evolve. This year saw multiple examples of advanced persistent threats under the spotlight, allowing Kaspersky to predict what threats might lead in the future.
Advanced persistent threats, which focus on cyberespionage goals, are a constant threat to companies, governments and freedom activists, to name a few. This activity keeps growing and evolving as more threat actors increase their skill.
Kaspersky released its advanced threat predictions for 2022 and shared interesting thoughts on next year’s landscape. Here are eight advanced threats Kaspersky predicts will happen in the coming year.
1. An influx of new APT actors
The recent legal cases against offensive security companies like NSO brought the use of surveillance software under the spotlight. NSO, an Israeli company providing services including offensive security, is being accused of providing governments with spyware that was ultimately turned on journalists and activists.
Following that action, the U.S. Department of Commerce reported in a press release that it added NSO to its entity list for engaging in activities that are contrary to the national security or foreign policy interests of the United States. The department added three other companies to that list: Candiru (Israel), Positive Technologies (Russia), and Computer Security Initiative Consultancy PTE LTD (Singapore).
The zero-day exploit market keeps growing, while more and more software vendors start selling offensive capabilities. All this business is highly profitable and can only attract more players in the game, at least until governments take actions to regulate its use.
Kaspersky said that “malware vendors and the offensive security industry will aim to support old but also new players in their operations.”
2. Mobile devices targeting
The topic of compromising mobile devices is not new, yet still very sensitive. Kaspersky underlined an important difference between the two main operating systems on mobile phones: Android and iOS. Android allows more easily the installation of third-party applications, which results in a more cybercriminal-oriented malware environment, while iOS is mostly targeted by advanced nation-state sponsored cyberespionage. The Pegasus case revealed by Amnesty International in 2021 brought a new dimension to the iOS zero-click, zero-day attacks.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Malware infection is actually harder to prevent and detect on mobile devices, while the data it contains often is a mixture of personal and professional data never leaving its owner. IT makes it a perfect target for an APT attacker.
Kaspersky concluded, “In 2022, we will see more sophisticated attacks against mobile devices getting exposed and closed, accompanied by the inevitable denial from the perpetrators.”
3. More supply-chain attacks
This year saw the targeting of Managed Service Providers by the REvil/Sodinokibi ransomware group. This kind of attack is devastating because it allows one attacker, once he or she successfully compromises the provider, to bounce and easily compromise a greater number of companies at the same time.
“Supply-chain attacks will be a growing trend into 2022 and beyond,” Kaspersky said.
4. Work from home creates attacking opportunities
Work from home is necessary for many employees and still will be for the foreseeable future, due to pandemic lockdown rules. This creates opportunities for attackers to compromise corporate networks. Social engineering and brute-force attacks may be used to obtain credentials to corporate services. And the use of personal equipment at home, rather than using devices protected by the corporate IT teams, makes it easier for the attackers.
New opportunities to exploit home computers that are not fully patched or protected will be looked at by threat actors to gain an initial foothold on corporate networks.
5. Geopolitics: An increase in APT attacks in the META region
The increasing tensions in geopolitics around the Middle East and Turkey, and the fact that Africa has become the fastest urbanizing region and attracts huge investments, are very likely factors that will increase the number of major APT attacks in the META region, especially in Africa.
6. Cloud security and outsourced services at risk
Cloud security offers a lot of advantages for companies worldwide, yet access to these kinds of infrastructure usually lies on a single password or API key. In addition, outsourced services like online document handling or file storage contain data that can be very interesting for an APT threat actor.
Kaspersky said that those will “attract the attention of state actors and will emerge as primary targets in sophisticated attacks.”
7. Back to bootkits
Low-level bootkits have often been shunned by attackers because there is a higher risk of causing system failures. Also, it takes a lot more energy and skills to create them. Offensive research on bootkits is alive and well, and more advanced implants of this kind are to be expected. In addition, with secure boot becoming more prevalent, “attackers will need to find exploits or vulnerabilities in this security mechanism to bypass it and keep deploying their tools” Kaspersky said.
8. Clarification of acceptable cyber-offense practices
In 2021, cyberwarfare made it so that legal indictments became more used as part of the arsenal on adversary operations.
Yet states who denounce APT operations are often conducting their own at the same time. Those will need to “create a distinction between the cyberattacks that are acceptable and those that are not”. Kaspersky believes some countries will publish their taxonomy of cyber-offense in 2022, detailing which types of attack vector and behavior are off-limits.
What cybersecurity threats happened in 2021?
This year has seen many types of threats that rocked the cybersecurity community. Here are six 2021 threats we have seen, according to Kaspersky.
1. More links between APT and cybercrime worlds. Several ransomware threat actors are using the exact same methods as APT attackers: compromising a target, moving laterally through the network, increasing privileges and extracting data (before encrypting it). Recently, Blackberry reported a connection between three different threat actors who unusually used the same Initial Access Broker. Out of those three actors who used the same service, two were pursuing financial cybercrime activities while the third one was actually an APT threat actor dubbed StrongPity.
2. Cyberstrategy: Indictments instead of diplomatic channels. Countries start to use law more to try to disrupt and punish adversary operations, when applicable. Kaspersky provided several examples, one of which was the White House blaming Russia for the SolarWinds supply-chain attack. A shift is clearly visible where APT incidents are now being handled through legal means instead of diplomatic channels as they were previously.
3. More actions against zero-day brokers. The zero-day market has never been so visible as in recent years. Several companies now sell zero-day exploits to governments or third parties, and one of those has been the target of a joint legal battle initiated by Facebook, Microsoft, Google, Cisco and Dell.
4. Network appliances targeting will grow. In 2021, threat actor APT31 leveraged a network of compromised SOHO routers (Pakedge RK1,RE1, RE2 models). Those routers were used as proxies for their APT operations, but also sometimes as command and control servers. According to a recent publication from Sekoia, the threat actor might also have compromised a few other network appliances in its infrastructure. In addition, VPN services are still targeted. Threat actor APT10 exploited vulnerabilities targeting Pulse Connect Secure in order to hijack VPN sessions.
5. More disruption. The ransomware attack on Colonial Pipeline has been one of the most iconic events in 2021. The production was affected, causing supply issues in the U.S. and forcing the infrastructure to pay a $4.4 million ransom. Luckily enough, the U.S. Department of Justice could recover $2.3 million of that amount. In another case in 2021, MeteorExpress, a malware which rendered the Iranian railway system useless.
6. Pandemic exploitation. The COVID-19 theme became widely used, including for several APT threat actors. This theme can be used for initial compromise of targets, in spear-phishing campaigns, for example.