Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Trends in Cyber Attacks: 2021 Mid Year report
In 2021, US organizations saw an average of 443 weekly attacks, marking a 17% increase compared to earlier this year. In EMEA, the weekly average of attacks per organization was 777, a 36% increase. APAC organizations saw 1338 weekly attacks, a 13% increase.
In a year that has seen a 93% increase in ransomware attacks, ransomware actors have adopted a new strategy, adding a third step to the Double Extortion technique. In addition to stealing sensitive data from organizations and threatening to release it publicly unless a payment is made, attackers are now targeting organizations’ customers and/or business partners and demanding ransoms from them too. This is called Triple Extortion and has caused new questions to arise in the field of cybersecurity. Can customers call on the targeted company, whose actions led to the exposure of their data, to pay the ransom demanded from them individually? Can business partners claim the same?
What happens if customers receive extortion emails prior to learning that a breach occurred? Can they demand that the company pay the entire ransom?
It appears that the business development of ransomware pushes the cybercrime groups involved to constantly find more innovative and fruitful models. Third-party victims, such as a targeted company’s clients, external colleagues and service providers, are heavily affected by data breaches caused by these ransomware attacks, even if their own network resources remain unscathed. Whether a further ransom is demanded from them or not, they have a lot to lose should the ransom incident take a wrong turn. Third parties make a natural target for extortion, and may remain on ransomware groups’ radars from this point on.
Companies are looking for better prevention measures to ensure they are unharmed by the next incident, and as a result the way they integrate third-party products, and inspect them before integration, is rapidly evolving. We can now expect to see new third-party product evaluation procedures spreading among companies. From the opposite perspective, service providers, even small-scale ones providing level-one tech support, may become lucrative targets without realizing it, let alone taking the time to set up adequate security measures to protect their clients. Such companies might believe that they would not be targeted as they hold no sensitive data of their own. However, today’s targets are not selected solely based on their resources, but may be selected based on their network connections. In the wake of these events, organizations must adopt adequate security measures, including carefully constructing network connections to third-party components, and patching zero-day flaws as quickly as possible.
A lot has been written about Emotet in the past few years. This malware debuted in 2014 as an elite banking malware targeting European banking users, and was the most widely distributed botnet in 2019 and 2020, after a years-long evolution into a large-scale botnet with over one million bots at its disposal. Emotet was also involved in distributing the most prominent malware of any given moment, including the Qbot and TrickBot banking Trojans. As early as January 27, 2021, however, Emotet’s fortunes took a sharp downward turn as a global operation conducted by law enforcement and judicial authorities worldwide disrupted the botnet’s activities and attempted to take control of its infrastructure.
The prominence of mobile devices within the threat landscape continues to grow over time as our personal devices become a more integral part of our professional toolset. Corporate applications have now replaced designated corporate devices as part of the ‘Bring-Your-Own-Device’ (BYOD) concept, to allow for greater operational flexibility in today’s hybrid work model. As a result, a greater amount of professional information is stored on, or accessible from, personal phones. Threat actors are working tirelessly to develop new mobile-specific attack techniques aimed at exfiltrating personal and corporate information from mobile phones, and at leveraging these devices to obtain access to organizations’ networks. In 2021, we saw a new kind of mobile flaw that mirrors the broader threat landscape: misconfiguration of third-party cloud-based services such as real-time databases, storage, and analytics applications. As in network environments, these third-party services are integrated into complex applications and directly affect the security level of their users’ data.
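The misconfiguration the paragraph above describes usually comes down to the access rules attached to a cloud-hosted real-time database. The fragment below is an added illustration, not content from the report or the HSD page: it assumes a Firebase Realtime Database rules file, which the page does not name, and contrasts a rule set that exposes every record to anyone holding the database URL with one that restricts each user to their own subtree. The mobile app itself needs no change; only the server-side rules differ.

```json
{
  "_comment": "Added example, not from the report. Two Firebase-style Realtime Database rule sets; only the second should ever reach production.",

  "weak_rules_exposing_all_data": {
    "rules": {
      ".read": true,
      ".write": true
    }
  },

  "hardened_rules_per_user": {
    "rules": {
      "users": {
        "$uid": {
          ".read": "auth != null && auth.uid === $uid",
          ".write": "auth != null && auth.uid === $uid",
          "email": { ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)" }
        }
      },
      "public_config": {
        ".read": true,
        ".write": false
      }
    }
  }
}
```

Only the object under `rules` is what the service evaluates; the outer keys here merely place the two variants side by side for comparison. The hardened variant denies everything not explicitly granted, so a newly added path is closed by default, and the `.validate` rule shows where schema checks on written data belong. An audit of a BYOD application should treat any `".read": true` or `".write": true` outside deliberately public paths as a finding.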
Cobalt Strike beacons act as the silent partners of a vast array of cyber-attacks. After the initial infection phase, the beacons can be used for multiple purposes including gathering system information, collecting sensitive data, escalating privileges and moving laterally within the target network. The tool is both comprehensive and modular, and widely accessible in various cracked versions. Its customization options make it difficult to detect, and its popularity also complicates attribution: because attacks blend in with all other Cobalt Strike activity, tying them to a specific threat group is difficult.
Not much has changed since our 2020 global malware ranking, just some slight movements up or down. However, the top 10 for the first half of 2021 is missing two whole categories of drive-by attacks which have been with us for several years. First, for the first time since Coinhive premiered in the top charts, we no longer have a drive-by crypto-mining service in our top malware ranks. This is due to the decline in profitability of drive-by cryptomining, as well as last year’s shutdown of JSECoin. Second, RigEK, one of the longest-running and most successful Exploit Kit services in operation, can no longer compete with other types of attack surfaces, and dropped from our top global charts as well.
In the second half of 2021, ransomware will likely grow, despite law enforcement stepping up. The increased use of penetration-testing tools, which give hands-on attackers the ability to customize attacks on the fly, together with a trend towards collateral damage well beyond the initial target victim, calls for a collateral damage strategy.