Posted: 6 Min ReadThreat Intelligence

The Threat Landscape in 2021

Symantec takes a look at the cyber security trends that shaped the year

From the evolving ransomware ecosystem to attacks against critical infrastructure, Symantec looks back over the cyber-security trends that shaped 2021.

A new whitepaper from Symantec, a division of Broadcom Software, takes a look back at the some of the major threats that shaped the threat landscape during 2021.

Ransomware was arguably the most significant threat facing organizations in 2021, with some ransomware operators departing the scene, new ones entering the fold, and business models and tactics being refined to make targeted ransomware more lucrative than ever.

However, ransomware wasn’t the only threat, with supply chain attacks, an increase in attackers exploiting vulnerabilities in public-facing applications, and attacks against critical infrastructure also shaping the threat landscape in 2021.

Ransomware

Ransomware, or more precisely, targeted ransomware, was the most dominant threat making headlines throughout 2021. Ransomware gangs moved towards targeting entities with a broad network of downstream users. These upstream entities included large software developers and organizations involved in critical infrastructure, as seen in the Kaseya and Colonial Pipeline attacks. Targeting managed service providers (MSPs) also gave attackers the opportunity to infect potentially thousands of victims by compromising just one.

While as in previous years, the total number of ransomware attacks detected and blocked by Symantec in 2021 continues to trend downwards, this doesn’t mean ransomware activity is becoming less of a threat. This downward trend is due to a significant decrease in relatively unsophisticated, indiscriminate ransomware attacks and threat actors shifting their focus to large organizations where they can cause more disruption and demand higher ransom amounts. The number of these targeted ransomware attacks rose from around 80 in January 2020 to more than 200 in September 2021.

Figure 1. Number of targeted ransomware attacks January 2020 to September 2021
Figure 1. Number of targeted ransomware attacks January 2020 to September 2021

This increase in targeted ransomware attacks is partly fueled by two relatively recent developments: the rise of so-called initial access brokers (IABs), threat actors that sell access to compromised networks to the highest bidder, which in recent times has become targeted ransomware gangs; and a rise in ransomware-as-a-service (RaaS), a subscription-based model that lets individuals or gangs known as affiliates use already-developed ransomware threats in their attacks.

The RaaS model greatly increases the number of adversaries an organization faces, with multiple attackers now attempting to deliver the same ransomware, but using different tactics, techniques, and procedures (TTPs).

Due to the growth in the RaaS market, affiliates now have the option to migrate to another ransomware should their current one shut down. In addition, Symantec has observed affiliates using two different strains of ransomware in a very short space of time and, in some cases, during the same attack. This suggests that some affiliates have enough of a reputation to not be locked in to an exclusive agreement with one ransomware operator.

While as in previous years, the total number of ransomware attacks detected and blocked by Symantec in 2021 continues to trend downwards, this doesn’t mean ransomware activity is becoming less of a threat.

Botnets are now also playing a key role in ransomware attacks, with many older financial fraud botnets having been repurposed to spread ransomware. In some cases, it is the same threat actor behind both the ransomware and the botnet. For example, Trickbot is believed to be controlled by the Miner group (aka Wizard Spider) which is also linked to both the Ryuk and Conti ransomware.

Another takeaway from the year concerning ransomware included operators targeting industries that were hardest hit by the COVID-19 pandemic. A prime example of this was the attack against Ireland’s national health service, the Health Service Executive, by the Conti (aka Miner, Wizard Spider) ransomware operators.

Last year also saw the REvil (aka Leafroller, Sodinokibi) ransomware’s infrastructure compromised by law enforcement, which gained control of at least some of REvil’s servers. However, as with previous efforts to halt the gang’s activity, REvil is likely to reappear in some form following the most recent takedown effort.

In 2021, targeted ransomware groups also began threatening victims in order to prevent them from sharing details of attacks with media or ransomware negotiating firms. Both the Conti and Grief ransomware gangs said that they would publish stolen victim data or delete decryption keys if transcripts or screenshots of ransom negotiations were publicly shared. The announcement was likely prompted by a growing number of media reports containing details of ransom negotiations. Other threat groups also employed similar tactics, including Ragnar Locker and a new ransomware threat called Yanluowang, which was uncovered by Symantec’s Threat Hunter Team.

Supply-chain attacks

Software supply chain attacks, due to their potential to disrupt large sections of society and business, remain a concern for governments and businesses around the world. Two significant supply chain attacks in the headlines from last year included the SolarWinds hack and the Kaseya attack.

While the SolarWinds attack occurred in late 2020 it continued to make waves well into 2021. The attackers responsible for the attack, the Russia-backed Nobelium (aka Hagensia) group, has remained active. A new backdoor threat (Tomiris) likely developed by Nobelium was uncovered in September. The malware has similarities to the SUNSHUTTLE second-stage malware used by Nobelium in the SolarWinds attack. While another post-exploitation backdoor (FoggyWeb) was also linked to Nobelium. The malware is designed to steal sensitive data from compromised Active Directory Federation Services (AD FS) servers.

The attack against IT management software maker Kaseya, which was carried out by the REvil ransomware operators, impacted multiple managed service providers (MSPs) that used the company’s software. While Kaseya reported that approximately 60 of their customers were impacted by the attack, those customers were MSPs with numerous customers themselves. The estimated number of organizations compromised as a result of the supply chain attack was 1,500. The attack was carried out during the U.S. July 4 holiday weekend, likely in an attempt to have the attack go unnoticed for as long as possible due to many employees being on leave. This is a tactic that is increasingly being adopted by threat actors.

While the Kaseya and SolarWinds attacks are the most significant, they are by no means the only supply chain attacks in recent times. According to a report from the Identity Theft Resource Center (ITRC), supply chain attacks are increasing, with 793,000 more individuals being affected by such attacks in the first three quarters of 2021 than in the entire 12 months of 2020.

New avenues of attack

Last year saw an increase in attackers exploiting vulnerabilities in public-facing applications in order to gain access to organizations’ networks. While in some cases attackers are focusing on zero-day bugs, more frequently they are looking towards recently patched vulnerabilities and the hunt for unpatched systems.

A notable example of this was the critical vulnerabilities in Microsoft Exchange Server, collectively known as ProxyLogon. The flaws were patched in early March 2021, with Microsoft saying at the time that the bugs were being exploited by an advanced persistent threat (APT) group it dubbed Hafnium (Symantec tracks this group as Ant) in targeted attacks. However, shortly after the ProxyLogon vulnerabilities were disclosed, other threat actors began exploiting them.

Figure 2. Exploit attempts against Microsoft Exchange Server bugs, March to August 2021
Figure 2. Exploit attempts against Microsoft Exchange Server bugs, March to August 2021

This quick adoption was also highlighted when another string of vulnerabilities in Microsoft Exchange Server, dubbed ProxyShell, were publicly revealed in August 2021. Exploit attempts targeting these bugs began immediately, with Symantec data showing more than 200,000 exploit attempts targeting this set of vulnerabilities in August 2021 alone.

Other vulnerabilities in public-facing applications that were frequently exploited by threat actors in 2021 include flaws in VPN products from Pulse Secure (CVE 2019-11510), Fortinet (CVE-2018-13379), and SonicWall (CVE-2021-20016), and vulnerabilities in Accellion’s File Transfer Appliance (FTA) software (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104).

Critical infrastructure

Cyber-attacks against critical national infrastructure (CNI) can be some of the most impactful as they can potentially affect everyone in society. This was highlighted in May 2021, when the Colonial Pipeline, the largest petroleum pipeline in the U.S., suffered a ransomware attack that impacted equipment managing the pipeline.

The attack was carried out by the Russia-based DarkSide ransomware gang. While the ransom was paid just hours after the attack took place, decryption was slow and the pipeline’s operation was halted, causing fuel shortages, price increases, and panic buying across a number of U.S. states.

The Colonial Pipeline attack was not an isolated incident, with news also emerging in July 2021 that Chinese state-sponsored threat actors had targeted 23 U.S. oil and gas pipeline operators in attack campaigns between 2011 and 2013. U.S. officials announced that the aim of the actors behind the attacks was to “help China develop cyber attack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”

Attacks against CNI show no signs of stopping, with the number of network-based detections related to attacks targeting CNI trending upward (Figure 3). These attacks are blocked by Symantec’s Intrusion Prevention System (IPS) technologies. Malicious activity blocked on the network saw a decline after a peak in July 2021, however, overall the numbers are trending upward.

Figure 3. Network-based detections related to attacks targeting CNI
Figure 3. Network-based detections related to attacks targeting CNI

In terms of regions that see the most activity targeting the networks of CNI organizations, the U.S. is bounds ahead of others on the list with 69% of all activity seen there.

Figure 4. Regions with the most activity targeting the networks of CNI organizations
Figure 4. Regions with the most activity targeting the networks of CNI organizations

This was just a sample of the content in our latest whitepaper. Read the full paper for more insights into the threat landscape of 2021.

Symantec Enterprise Blogs
You might also enjoy
Threat Intelligence4 Min Read

Log4j Vulnerabilities: Attack Insights

Symantec data shows variation and scope of attacks.

Symantec Enterprise Blogs
You might also enjoy
Threat Intelligence3 Min Read

Apache Log4j Zero-Day Being Exploited in the Wild

Symantec products will protect against attempted exploits of critical CVE-2021-44228 vulnerability

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.