Traditional cyber threat intelligence (CTI) provides information on threat actors targeting IT or OT but often only addresses edge device security during the deployment of highly specialised systems, notes Boland Lithebe, Security Lead at Accenture Africa.
Accenture CTI takes OT security a step further with critical vulnerability intelligence and monitors major edge devices, their vendors and their version numbers to make clients aware of threats to IT, OT and cloud environments.
Cyber threat intelligence offers improved visibility into overall network threats and informs decision-makers how to prioritise security around potential targets and threats. As edge device vulnerabilities and targeting are on the rise, organisations must start changing their security cultures from being reactive to adopting a proactive approach to security “on the edge.” Accenture has identified five key trends affecting the cybersecurity landscape today. In this article, I will focus on two.
Ransomware attacks still prove profitable
Despite technology enabling threat actors to become even more sophisticated, there are still active and evolving risks from tried and tested ransomware techniques. There is also a consistency of ranking for the top targeted industries, with ransomware threat actors proving most successful against the manufacturing industry, followed by financial services, healthcare, technology and construction.
The most active ransomware groups in 2021 were LockBit and Conti, but tracking individual groups remains challenging due to continuous “retirements” and rebranding into new groups due to law enforcement pressure or internal group dynamics. The conflict between ransomware affiliates and their operators led to information leaks, and arguments between involved parties serve as one example of the unintended consequences of ransom-affiliate payment schemes. Despite these problems, ransomware operations remain highly profitable.
Based on data collection from Accenture incident response engagements, ransomware and extortion operations made up almost 35% of intrusion volume in 2021 and represented a 107% year-over-year increase from 2020. Here are some key factors contributing to higher ransomware attacks:
- Media reporting increases impact – it reflects a “scoop-and-scandal”-driven culture in the cybersecurity community and unintentionally increases the influence of cyber threat actors. Cybercriminals used this publicity to criticise rivals and increase pressure on victims.
- Cloud environments continue to be attractive targets due to lower monitoring levels than on-premise environments. Therefore cloud-related malware has evolved faster than more traditional malware.
- Underground forum members are trading in endpoint accesses – there is increased interest in accessing compromised virtual private networks (VPNs) via stolen credentials and the use of public and zero-day exploits.
- Data extortion is rising without ransomware deployment – new threat groups are establishing infrastructure and ramping up attacks solely focused on data exfiltration and extortion rather than more destructive ransomware deployments.
- Actors infer insidious insiders – robust insider threat programs can help to quickly confirm or refute threat actor claims which may be intended to deceive responders. It can backfire on threat actors as it can lower their credibility and, therefore, their chances of obtaining ransom payments.
Accenture provides some ways to defend against ransomware attacks in this report.
Supply chains offer attack foothold
Since the revelation of the SolarWinds supply chain campaign in December 2020, malicious operators have increasingly realised the potential of supply chain attacks. In addition to the complexities of asset and vendor management and visibility into software bills of materials, moving to the cloud has meant many organisations further increased the risk and consequences of supply chain insecurities. Such vulnerabilities can result from potential supply chain incidents across entire on-premise and cloud environments serving one or multiple business entities.
Backdoor threats are more prevalent. Accenture has noted references to at least nine malicious Node Package Manager (npm) packages masquerading as legitimate packages. There were also two legitimate npm packages with backdoors built into them that enable a threat actor to bypass normal authentication channels and interactively issue commands to a system. Some npm code packages are downloaded millions of times every week.
A package with a backdoor and a download cadence that high could provide initial attacker footholds on thousands of victim networks or cloud tenants. Malicious actors can use such footholds for various purposes, including cryptojacking, espionage, ransomware deployment and destructive wiper attacks.
Based on intrusion data Accenture collected from incident response engagements, 30% of the malware threats Accenture observed in 2021 were backdoor threats, making them the second-most-prevalent type of malware, behind ransomware (33%).
Supply chains are the focus, so what now?
Administrators should integrate audits into DevOps cycles. The need to weave security into both DevOps and application onboarding has catalysed the integration of platforms for automated code scanning. These include intelligent and integrated platforms that help organisations develop code quickly with lower remediation costs, higher security and fewer staff.
There needs to be an adoption of standards and monitoring tools to meet compliance demands or enrol in application security-as-a-service offerings to block malicious actors’ direct access to sensitive environments and repositories, such as developer machines and source-code repositories. In the SolarWinds supply chain attack, malicious actors used developer machines to inject malicious code into the SolarWinds Orion platform before Orion developers compiled and digitally signed the Orion software. Such incidents underline the importance of application security and the severe penalties of failure.
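As an added illustration of the kind of dependency audit that can be wired into a DevOps pipeline (this is example code written for this article, not Accenture tooling and not a reconstruction of any package mentioned above), the script below inspects an npm lockfile for the supply-chain signals the preceding sections describe: packages whose names sit within a small edit distance of a well-known package (the masquerading pattern), packages that declare lifecycle install scripts, dependencies resolved from somewhere other than the public registry, and entries with no integrity hash. The lockfile content and the allow-list of "popular" names are constructed for the example; the field names (`packages`, `resolved`, `integrity`, `hasInstallScript`) follow npm's lockfileVersion 2/3 format.

```python
"""Audit an npm lockfile (lockfileVersion 2/3) for supply-chain red flags.

Constructed example for a CI gate: none of the package names or hashes
below refer to real packages; replace KNOWN_POPULAR with the organisation's
own approved dependency inventory in practice.
"""
import json
import sys
from typing import Dict, List

REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Constructed allow-list of names that typosquatters commonly imitate.
KNOWN_POPULAR = {"lodash", "express", "react", "axios", "chalk", "commander"}

# Signals that should fail the pipeline outright; the rest are warnings.
BLOCKING_SIGNALS = {"possible-typosquat", "non-registry-source"}

# Constructed lockfile: "lodahs" imitates lodash and runs an install script;
# "left-pad-fork" is pulled from a git URL with no integrity hash.
SAMPLE_LOCKFILE = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH"},
    "node_modules/lodahs": {"version": "1.0.0",
      "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-1.0.0.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH", "hasInstallScript": true},
    "node_modules/left-pad-fork": {"version": "0.1.0",
      "resolved": "git+ssh://git@example.invalid/someone/left-pad-fork.git"}
  }
}""")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances between a dependency name and a
    popular package name are the classic typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_lockfile(lock: Dict) -> List[Dict[str, str]]:
    """Return one finding per (package, signal) pair found in the lockfile."""
    findings: List[Dict[str, str]] = []

    def flag(pkg: str, signal: str, detail: str) -> None:
        findings.append({"package": pkg, "signal": signal, "detail": detail})

    for path, meta in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        # "node_modules/@scope/name" -> "@scope/name"
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY_PREFIX):
            flag(name, "non-registry-source", resolved)
        if not meta.get("integrity"):
            flag(name, "missing-integrity", "no integrity hash recorded")
        if meta.get("hasInstallScript"):
            flag(name, "install-script", "runs code at install time")
        # Names of 4+ chars within distance 2 of a popular package look like imitations.
        for popular in KNOWN_POPULAR:
            if name != popular and len(name) >= 4 and levenshtein(name, popular) <= 2:
                flag(name, "possible-typosquat", f"close to '{popular}'")
    return findings


def should_block(findings: List[Dict[str, str]]) -> bool:
    """True when any finding is severe enough to fail the build."""
    return any(f["signal"] in BLOCKING_SIGNALS for f in findings)


if __name__ == "__main__":
    results = audit_lockfile(SAMPLE_LOCKFILE)
    for f in results:
        print(f"{f['signal']:22} {f['package']:16} {f['detail']}")
    sys.exit(1 if should_block(results) else 0)
```

Run in CI against the real `package-lock.json`, this exits non-zero on the blocking signals so the build fails before a masquerading or off-registry dependency reaches a build machine; install-script and integrity findings are left as warnings because legitimate native packages also trigger them, and a team would tune which signals block based on its own inventory.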
Finally, administrators and security personnel should examine their organisations’ broader third-party dependencies beyond software. For more guidance on reducing the risks associated with software supply chains, please read our report here.