2022 will be another busy year for enterprise incident responders as ransomware, supply chain and myriad zero-day attacks will continue to rise, according to Cisco's Talos security experts.
To help address the threats, the Cisco Talos team used a blog and online presentation to detail steps enterprises can take to defend themselves against the growing field of bad actors and also to point out lessons learned from recent damaging exploits such as the Log4j vulnerability and Microsoft Exchange server zero-day threats.
Once, zero-day attacks were typically launched by state actors against service providers, but those days are gone, wrote Nick Biasini, head of outreach at Cisco Talos, in a blog about the security landscape in 2022.
Now new, less experienced combatants seek out a broader range of targets, using less surgical attacks. “This has led to more risky behavior than we’ve seen historically, without as much regard for collateral damage,” he wrote.
These state actors have changed their strategies, as well. Rather than focusing on espionage against other nations, now they also target dissidents and activists with attacks designed to destroy and disrupt.
At the same time, criminal enterprises have become a larger threat thanks to the billions of dollars they are able to collect readily through cryptocurrencies. “We’ve never faced more challenges as defenders…” Biasini stated.
Some of the biggest challenges for 2022 include ongoing problems such as Log4j and ransomware.
Unpatched Log4j remains a threat
Log4j software is widely used in enterprise and consumer services, websites, and applications as an easy-to-use utility to support client/server application development. But it has weaknesses that, if exploited, could let unauthenticated remote actors take control of affected server systems and gain access to company information or unleash denial-of-service attacks.
Cisco telemetry has detected attackers exploiting these weaknesses in vulnerable VMware Horizon servers and infecting them with malicious payloads including Cobalt Strike — a tool developed to help penetration testers protect networks but also used by attackers, said Neil Jenkins, Cisco Talos Cyber Threat Alliance Chief Analytic Officer, in an online presentation.
Even though there have been warnings to patch against Log4j, not everyone does, and “there are still threat actors, particularly advanced threat actors, who may look to target those vulnerabilities in future,” he said.
Cisco Talos stated that Log4j will be widely exploited moving forward, so users should patch affected products and implement mitigation solutions as soon as possible.
Ransomware still a scourge
With the exception of Q1, ransomware took up nearly 50 per cent of all the threats that Talos tracked in 2021, thanks to the lure of lucrative payouts from ransomware victims. In turn, some of that cash will help ransomware cartels develop more sophisticated approaches.
“As we saw with [supply chain attack] Kaseya, these cartels have the ability to purchase or develop zero-days to be leveraged in attacks, a trend that should concern us all and another reason why behavioural protection will continue to be an important aspect of detection in 2022 and beyond,” Biasini stated.
Another issue is that there are more and more ransomware players. At the beginning of 2021, many attacks came from one group, but by the end of the year there were at least 13 different ones, Jenkins said.
“Even with one family, you have a lot of different affiliates who are using different tactics, so even with one dominant family, you can still see a diversification in the types of attacks and the types of tooling they’ll use,” Jenkins said.
Other factors could change the ransomware landscape as well, in addition to the scrutiny these groups are getting from law enforcement around the globe, Jenkins said.
Larger ransomware groups might fragment to be less detectable, and open-source ransomware developers may have a more difficult time as some of their forums are shut down. As a result, the attackers might choose smaller targets to avoid the publicity and attention from law-enforcement that larger attacks might draw, Jenkins said.
The best protection is to maintain cyber defence best practices such as offline back-ups, instituting multi-factor authentication, and having incident response plans in place, Jenkins said.
Zero day is here to stay
There has been a dramatic increase in zero-day attacks, with more than 50 discovered in the wild during 2021 — more than in all of 2019 and 2020 combined, Biasini stated.
And zero days remain a rich source of attacks. At the recent Tianfu Cup hacking contest in China, there were no less than 30 successful exploits demonstrated against the short list of targets, including a handful that affected the latest versions of Windows and iOS.
All of them were likely reported to the Chinese government due to recent regulation changes, Biasini stated, which can have consequences. The most recent example of this is Alibaba being penalised by the Chinese government for not disclosing Log4j to them in advance, he stated.
Beware suspect USBs
Another interesting development has been the continued practice of one of the oldest vulnerabilities in the security realm — the use of malicious USB devices.
“Starting in 2021, even carrying into this year, there has been an uptick of malicious USBs used as a means of initial access, which is a true blast from the past,” Jenkins said. “But just a reminder that even these old, outdated attack vectors can still be used, and still have success.”
Cisco Talos researchers did have recommendations for enterprise incident response. Patching, inventorying, segmentation, training, and having incident-response plans in place are all important, but the Cisco experts have one main suggestion: institute multi-factor authentication.
“We identified that a lack of MFA is probably one of the biggest hindrances to enterprise security,” Jenkins said. “There is a large number of ransomware incidents that could have been avoided with MFA. So we absolutely encourage wherever possible when you can, and especially on sensitive systems, to institute MFA—as soon as possible.”