What to expect in 2022

We do not have a crystal ball to predict the future. However, we have plenty of experience in researching, responding, and mitigating cyber threats for our clients. The last eighteen months saw a dramatic evolution of the cyber security challenges companies face. Based on what we are observing in the threat landscape and the conversations we are having with industry leaders across sectors, here we outline what DarkLab cyber threat analysts assess will be some of the most relevant issues in 2022. 

Ransomware profits will ensure ongoing exploitation by lesser-known gangs 

Human operated ransomware with a double extortion tactic exploded in 2020, kept growing in 2021, and we expect it to continue to pose a high threat to organisations in 2022. Our analysis of ransomware groups’ posts on the darkweb show no sign of the underground industry slowing down.  

What we expect to change is criminals’ branding tactics. Well known ransomware-as-a-service outfits like BlackMatter and REvil exploited their fame to attract affiliates and threaten victims into meeting their ransom demands. However, their high profile attracted law enforcement attention, including in their domestic countries like Russia, and has led to these groups’ downfall. A logical reaction will likely see cybercriminals avoiding the same mistakes and maintaining a lower profile. Expect a larger number of smaller ransomware gangs in 2022. 

Increased threat to cryptocurrency businesses  

While extortion has been the main profitable enterprise for cybercriminals in 2021, the profits will likely be reinvested in diversifying operations. Sophisticated groups like APT38 and individual hackers have in 2021 shown the potential profitability of targeting cryptocurrency exchanges and start-ups. Laundering millions of dollars worth of cryptocurrency is, for now at least, easier for criminals than to move large sums across the traditional financial system.  

As more and larger companies join the cryptocurrency business, and regulators still lag behind in imposing strict anti-fraud controls, there is a likely window of opportunity for criminals to exploit.  

Increased emphasis on private sector players in espionage operations 

Security researchers have warned of the threat posed by private sector spyware providers for a long time, although governments have only recently acted on it and imposed sanctions on some of the best known companies in the field. Israeli companies like NSO and Candiru are the highest profile names in a crowded industry providing many shades of services, from legitimate offensive toolsets to hack-for-hire operations, particularly in South and South East Asia.  

Even though governments worldwide have allegedly used private sector contractors in part of their offensive operations’ supply chain, last year’s increased media and government interest has put a spotlight on the issue. We expect more such campaigns to be highlighted in 2022.

Cloud supply chain is a potential single point of failure 

This prediction is, we truly hope, one that is not going to happen in the coming year, but rather a wider concern based on the dynamics we are observing in the IT industry and the cyber  threat landscape.  

Companies have moved to the cloud at an unprecedented speed during the last two years, and we are not seeing any deceleration on the horizon. However, increased data crunching in the cloud is not always met with a proportional increase in cloud security spending, best practices for which are still in their relative infancy.  

The number of trusted cloud vendors are also limited, with a few very large companies hosting most of the world’s data. Granted, companies like Microsoft, Amazon, Tencent and Alibaba have very good security teams and large security budgets. However, they also represent obvious central systems linked to many large organisations of interest to threat actors. Cloud systems’ outages, like those affecting a major US-based provider in December 2021, demonstrated the potential impact an attack on these companies could have on their customers.  

The mass and rapid exploitation of MS Exchange, ProxyShell and Log4shell also showed how adept threat actors are at weaponising vulnerabilities in widely used digital systems, and how these campaigns can paralyse security teams worldwide for weeks.  

Finally, the most sophisticated among threat actors, like APT29/Nobellium, have already demonstrated their intent and capability to successfully exploit cloud supply chain to gain access to high profile targets. Our experience suggests that where sophisticated state-sponsored threat actors go, criminals eventually follow.  

As such, the exploitation of cloud supply chain is likely among the highest threats to organisations in 2022 and beyond. Fortunately, much can be done to mitigate this threat by careful planning, including thorough application of zero-trust architecture and a shift-left approach to cloud devsecops. 

Recommendations to secure your 2022

We do not expect the challenges facing cyber security professionals in the coming year to be less ominous that those we just put behind us. Nonetheless, 2021 taught us plenty of useful lessons that can equip companies with the right strategies and tools to successfully mitigate cyber threats we may face in 2022.  

  • Comprehensive intrusion defense strategy: Our incident response and threat hunting experience suggests that a few best practices go a long way to prevent most  network intrusions:  
    1. Attack surface hardening: enterprises should focus on profiling their attack surface including services open and technologies used, and reducing their internet-exposed infrastructure.  
    2. Identifying and protecting critical internal systems: threat actors, especially ransomware operators, actively look for systems in their victims’ network that serves crucial functions and holds sensitive data  (e.g. Domain Controllers, backup servers, file servers). Securing these systems would reduce the impact of an intrusion and increase likelihood of detection, while increasing costs for attackers. 
    3. Defending against lateral movement: the majority of threat actors moving across network rely on mechanisms that are relatively easy to disrupt with security restrictions such as restriction of remote desktop protocol between user zones, and disabling Windows Remote Management, among others. 
    4. Protecting user accounts and privileged access: good credentials protection and management are key measures in limiting credential theft and abuse. Security measures should include multifactor authentication for remote access or sensitive access, house-keeping of user and system accounts, credentials hardening for privileged accounts by using managed service accounts (MSA) and protected user group.  
  • Risk-based security controls help overcome limitations: budget and human resources are finite resources. Prioritising them in the most efficient way is crucial to a timely and effective security strategy. Companies should understand intent and capabilities of the most likely threats they face. Assessing the likelihood of threats to a critical systems and their potential impact is what makes a risk-based approach to security effective. By understanding the most likely TTPs threat actors will use against your most important systems, companies can prioritise the application of the most urgent security controls.  
  • Cloud security needs a strategy: as threats to cloud mature, so should organisations’ strategies to secure their cloud systems. Cloud posture monitoring and cloud-specific Mitre ATT&CK TTPs detection use cases can help in identifying ongoing threats. Using existing blueprints for cloud deployment, a shift left approach to DevSecOps, and enhancing automation with infrastructure-as-a-code are important preventive measures that also help alleviate the ongoing scarcity of cyber talent.  

Trouble in Paradise

A case study of Cloud compromise

Many organisations are increasingly moving to cloud solutions to solve their hosting needs, but outsourcing workload should not imply outsourcing security as well. The importance of security the cloud was recently highlighted by targeting of Microsoft Azure environments by Nobellium, the threat actor behind the SolarWinds Orion compromise. The threat actor notably exploited stolen SAML certificates for vertical movement, a rarely seen technique. Even without novel techniques, less sophisticated cybercriminal threat actors can also pose a threat to companies’ services in the cloud. Indeed, this week’s supply chain compromise operation by REvil is suspected to have been launched from a compromised web server hosted on AWS.

The Incident

Recently, DarkLab’s incident response team has helped a South Asian client in the media sector to remediate an incident involving multiple cloud environments breaches, a case study we think can help organisations better plan for secure implementations of their cloud environments.

The incident originated from a likely exploitation of a known remote code execution vulnerability in a Jenkins instance, an open source software development automation server. The server was hosted in an Amazon Web Service (AWS) environment and had a hardcoded root access key. With that, the threat actor was able to roam the compromised environment undetected for four months. Logs availability has been an issue due to the lack of CloudTrail log retention but we know that the threat actor created multiple IAM user accounts and accessed internal data, including those stored in S3 buckets via the free Windows client S3 Browser.

Their primary intent, however, was to use the victim as a jumping spot to identify other targets vulnerable to the same Jenkins RCE and move laterally to their servers. They did so by deploying Linux and Windows virtual machines in new EC2  instances  in the compromised environment to scan and exploit external IP addresses. The did so using T.2 micro sizing to avoid spikes in usage and remain hidden. The attacker deployed the additional EC2 instances in a different AWS region than that used by the victim, an anomaly that we suggest organisations monitor for.

A deeper dive into the system log of the Linux VMs shows that the attacker likely used Shodan to identify other vulnerable Jenkins instances online, suggesting their targeting was likely opportunistic. Similarly, analysis of the IP addresses used by the attacker to access our client – most of them AWS instances themselves – suggests the attack likely originated from multiple other compromised organisations.

From AWS, the threat actor managed to access a FTP server within a parallel Google Cloud Platform (GCP) environment. For this, they used a compromised hard-coded credential found in one of the configuration files in their BitBucket repository, also suspected to be compromised. After thorough environment and users’ enumeration, the attacker was able to obtain the password for another G-Suite user account, which they used to access data in the GCP environment and Google Drive.

Shortly after accessing the GCP,  threat actors attempted to cover their tracks by deleting the company’s entire production environment, all hosted on AWS, and the backup copies. Fortunately, AWS retained some copies of the deleted backups which were able to provide to the victim organisation.

However, while the victim restored their AWS system they were not aware to reset the root access key. Unsurprisingly, the attacker quickly re-established a presence in their cloud and a few days later they re-deleted the production environment, although no ransom demand was recorded. This was when our incident response team was called to help.

Assessment

Our investigation suggested that the threat actor behind this campaign is likely operating opportunistically and with a relatively low technical know-how. We often found traces of internet searches for open source tools or “how to” techniques. Nonetheless, such an actor could still pose significant operational damage to a large company by deleting their production environment.

The incident shows how even relatively unsophisticated threat actors are adopting an island-hopping approach by abusing imperfect implementations of commercial cloud platforms. Companies should ensure that standard security practices, like rotating passwords or access keys, monitoring suspicious activities, and prompt patching, are also applied to cloud environments.

What’s next?

Our experience suggests that this was not an uncommon attack path for adversaries targeting cloud environments. Monitoring for common attack vectors can help indeitifyuing supicious behaviour earlier and contain an incident before it is too late.

Below are some monitoring metrics mapped against Mitre ATT&CK tactics that we recommend organisations implement to AWS Config, Lambda, or their choice of CSPM platforms for automated detection and remediation.

Feel free to contact us at [threatintel at darklab dot hk] for the full set of 50 custom MITRE-based rules on AWS

TacticTechnique (custom)Log Source
Initial accessAWS user login failed multiple timesCloudTrail
Initial accessMultiple worldwide successful console login GuardDuty
Initial accessPotential Web scanning activities with multiple web server 400 error from same the source IPWeb access log
Privilege EscalationAWS “AssumeRole” from rare external AWS accountCloudTrail
DiscoveryAWS potential IAM enumeration ActivitiesCloudTrail
Defense Evasion/ PersistenceCreate/Update managed policy with excessive permissionCloudTrail
ImpactAWS Access Key EnabledCloudTrail
ExfiltrationEgress rule added to a security groupCloudTrail