What to expect in 2022
We do not have a crystal ball to predict the future. However, we have plenty of experience in researching, responding, and mitigating cyber threats for our clients. The last eighteen months saw a dramatic evolution of the cyber security challenges companies face. Based on what we are observing in the threat landscape and the conversations we are having with industry leaders across sectors, here we outline what DarkLab cyber threat analysts assess will be some of the most relevant issues in 2022.
Ransomware profits will ensure ongoing exploitation by lesser-known gangs
Human operated ransomware with a double extortion tactic exploded in 2020, kept growing in 2021, and we expect it to continue to pose a high threat to organisations in 2022. Our analysis of ransomware groups’ posts on the darkweb show no sign of the underground industry slowing down.
What we expect to change is criminals’ branding tactics. Well known ransomware-as-a-service outfits like BlackMatter and REvil exploited their fame to attract affiliates and threaten victims into meeting their ransom demands. However, their high profile attracted law enforcement attention, including in their domestic countries like Russia, and has led to these groups’ downfall. A logical reaction will likely see cybercriminals avoiding the same mistakes and maintaining a lower profile. Expect a larger number of smaller ransomware gangs in 2022.
Increased threat to cryptocurrency businesses
While extortion has been the main profitable enterprise for cybercriminals in 2021, the profits will likely be reinvested in diversifying operations. Sophisticated groups like APT38 and individual hackers have in 2021 shown the potential profitability of targeting cryptocurrency exchanges and start-ups. Laundering millions of dollars worth of cryptocurrency is, for now at least, easier for criminals than to move large sums across the traditional financial system.
As more and larger companies join the cryptocurrency business, and regulators still lag behind in imposing strict anti-fraud controls, there is a likely window of opportunity for criminals to exploit.
Increased emphasis on private sector players in espionage operations
Security researchers have warned of the threat posed by private sector spyware providers for a long time, although governments have only recently acted on it and imposed sanctions on some of the best known companies in the field. Israeli companies like NSO and Candiru are the highest profile names in a crowded industry providing many shades of services, from legitimate offensive toolsets to hack-for-hire operations, particularly in South and South East Asia.
Even though governments worldwide have allegedly used private sector contractors in part of their offensive operations’ supply chain, last year’s increased media and government interest has put a spotlight on the issue. We expect more such campaigns to be highlighted in 2022.
Cloud supply chain is a potential single point of failure
This prediction is, we truly hope, one that is not going to happen in the coming year, but rather a wider concern based on the dynamics we are observing in the IT industry and the cyber threat landscape.
Companies have moved to the cloud at an unprecedented speed during the last two years, and we are not seeing any deceleration on the horizon. However, increased data crunching in the cloud is not always met with a proportional increase in cloud security spending, best practices for which are still in their relative infancy.
The number of trusted cloud vendors are also limited, with a few very large companies hosting most of the world’s data. Granted, companies like Microsoft, Amazon, Tencent and Alibaba have very good security teams and large security budgets. However, they also represent obvious central systems linked to many large organisations of interest to threat actors. Cloud systems’ outages, like those affecting a major US-based provider in December 2021, demonstrated the potential impact an attack on these companies could have on their customers.
The mass and rapid exploitation of MS Exchange, ProxyShell and Log4shell also showed how adept threat actors are at weaponising vulnerabilities in widely used digital systems, and how these campaigns can paralyse security teams worldwide for weeks.
Finally, the most sophisticated among threat actors, like APT29/Nobellium, have already demonstrated their intent and capability to successfully exploit cloud supply chain to gain access to high profile targets. Our experience suggests that where sophisticated state-sponsored threat actors go, criminals eventually follow.
As such, the exploitation of cloud supply chain is likely among the highest threats to organisations in 2022 and beyond. Fortunately, much can be done to mitigate this threat by careful planning, including thorough application of zero-trust architecture and a shift-left approach to cloud devsecops.
Recommendations to secure your 2022
We do not expect the challenges facing cyber security professionals in the coming year to be less ominous that those we just put behind us. Nonetheless, 2021 taught us plenty of useful lessons that can equip companies with the right strategies and tools to successfully mitigate cyber threats we may face in 2022.
- Comprehensive intrusion defense strategy: Our incident response and threat hunting experience suggests that a few best practices go a long way to prevent most network intrusions:
- Attack surface hardening: enterprises should focus on profiling their attack surface including services open and technologies used, and reducing their internet-exposed infrastructure.
- Identifying and protecting critical internal systems: threat actors, especially ransomware operators, actively look for systems in their victims’ network that serves crucial functions and holds sensitive data (e.g. Domain Controllers, backup servers, file servers). Securing these systems would reduce the impact of an intrusion and increase likelihood of detection, while increasing costs for attackers.
- Defending against lateral movement: the majority of threat actors moving across network rely on mechanisms that are relatively easy to disrupt with security restrictions such as restriction of remote desktop protocol between user zones, and disabling Windows Remote Management, among others.
- Protecting user accounts and privileged access: good credentials protection and management are key measures in limiting credential theft and abuse. Security measures should include multifactor authentication for remote access or sensitive access, house-keeping of user and system accounts, credentials hardening for privileged accounts by using managed service accounts (MSA) and protected user group.
- Risk-based security controls help overcome limitations: budget and human resources are finite resources. Prioritising them in the most efficient way is crucial to a timely and effective security strategy. Companies should understand intent and capabilities of the most likely threats they face. Assessing the likelihood of threats to a critical systems and their potential impact is what makes a risk-based approach to security effective. By understanding the most likely TTPs threat actors will use against your most important systems, companies can prioritise the application of the most urgent security controls.
- Cloud security needs a strategy: as threats to cloud mature, so should organisations’ strategies to secure their cloud systems. Cloud posture monitoring and cloud-specific Mitre ATT&CK TTPs detection use cases can help in identifying ongoing threats. Using existing blueprints for cloud deployment, a shift left approach to DevSecOps, and enhancing automation with infrastructure-as-a-code are important preventive measures that also help alleviate the ongoing scarcity of cyber talent.
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.