Threat-actors and cloud computing: predictions for 2022
- Published: Wednesday, 01 December 2021 11:21
Felipe Duarte, Senior Researcher at Appgate, focuses on the emerging techniques used by threat-actors to breach an organization’s network, how organizations are less likely to pay ransomware demands in 2022, and why more organizations will turn towards zero trust and move away from VPNs.
Due to the work-from-anywhere era we now find ourselves in, most companies have had to accelerate their adoption of cloud computing in order to support employees working from multiple locations at different times. This rapid rise of cloud computing has meant an increase in the number of hosts in the cloud, as well as in the operational systems that run them, such as virtual machines, ESXi and Citrix. As a result, attackers have expanded their toolkits to target these different systems, allowing attacks to move laterally, reach more servers and inflict as much damage as possible.
Over the past year, there has been an increase in malware attacks in which bad actors encrypt virtual machine drives. Attackers have always tried to breach a network in order to encrypt files; now, however, malware focuses on reaching the VM hypervisor servers and encrypting all the machines hosted on them.
With an increased toolkit and the ability to move laterally across the network, threat-actors can cause significantly more damage by encrypting databases, virtual machines, and common servers, and this is something we’re going to continue to see going into 2022. Therefore, it is important that organizations implement solutions and zero trust principles such as segmentation, which prevents malware from moving laterally across an organization’s network by literally segmenting areas of the network.
Additionally, we have seen an increase in new programming languages being used to develop malware over the last year. Malware developers would usually use languages such as C++ to create malware; now they are turning to newer languages like Golang to avoid detection. When a new language is used, a new binary is built, and it therefore executes differently. Anti-virus solutions use static and behavioural signatures to detect malware execution, so when malicious code is compiled in a new language the old signatures cannot recognize the new sample. From the attacker’s point of view, the malware is less likely to be detected, and it takes time for AV solutions to adapt. Moreover, Golang allows the same code to be cross-compiled for other operating systems, so the same threat can now attack both Linux and Windows.
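One defender-side consequence of the Golang point above is that a Go-built sample can be fingerprinted by its toolchain rather than by the target OS. The triage helper below is an added example, not code from the article or from Appgate; it assumes the `Go buildinf:` marker that the Go linker embeds and the Go 1.18+ layout in which the version string follows the 32-byte header inline, and its sample inputs are constructed stand-ins, not real binaries.

```python
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # 14-byte marker the Go linker embeds
HEADER_SIZE = 32             # magic(14) + ptrsize(1) + flags(1) + two 8-byte pointers
FLAG_VERSION_INLINE = 0x02   # Go >= 1.18: version string follows the header inline

def executable_format(data: bytes) -> str:
    """Classify by file magic: 'ELF' (Linux), 'PE' (Windows) or 'unknown'."""
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"MZ"):
        return "PE"
    return "unknown"

def read_uvarint(buf: bytes, pos: int):
    """Decode an unsigned LEB128 varint (Go's encoding); return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7

def go_fingerprint(data: bytes) -> dict:
    """Return {'format', 'is_go', 'go_version'} for one sample, whatever its target OS."""
    result = {"format": executable_format(data), "is_go": False, "go_version": None}
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx < 0:
        return result
    result["is_go"] = True
    flags = data[idx + 15]              # byte after magic(14) + ptrsize(1)
    if flags & FLAG_VERSION_INLINE:
        length, pos = read_uvarint(data, idx + HEADER_SIZE)
        result["go_version"] = data[pos:pos + length].decode("ascii", "replace")
    return result

def fake_go_sample(file_magic: bytes, version: bytes) -> bytes:
    """Constructed stand-in for a Go binary: file magic, padding, then a buildinfo blob."""
    blob = GO_BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\0" * 16
    return file_magic + b"\0" * 40 + blob + bytes([len(version)]) + version + b"\0" * 8

# Constructed inputs: one Go toolchain output cross-compiled for Linux and Windows,
# plus a non-Go ELF that carries no buildinfo marker.
SAMPLES = {
    "linux_go": fake_go_sample(b"\x7fELF", b"go1.18.3"),
    "windows_go": fake_go_sample(b"MZ", b"go1.18.3"),
    "plain_elf": b"\x7fELF" + b"\0" * 64,
}
```

Running `go_fingerprint` over the three samples flags both the ELF and the PE as Go builds of the same version while the plain ELF is not, which is the kind of toolchain-level indicator that survives a change of target OS.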
Paying the ransom
The actions by the international cyber security community and law enforcement against ransomware gangs over the last six months have forced ransomware groups to be more careful with their operations. It's not uncommon nowadays for these groups to ‘go dark’ after a major attack and change their servers in order to hide their footprint. Some ransomware gangs even rebrand after they're put under pressure by authorities.
With ransomware groups continuing to rebrand and change their infrastructure, organizations face less pressure to pay a ransom when they are breached. You can’t pay a group that no longer exists, and you are less likely to pay the ransom if there is a possibility they will disappear with your money.
Trust in law enforcement and government agencies to crack down on these attacks has also grown. Organizations are, therefore, less likely to give in to the demands of ransomware groups if they know that government agencies are cracking down on these groups and working to recover their data.
As a result, in the upcoming year ransomware groups will likely have a lower profit margin if they continue to target high profile organizations, where the government is likely to respond quickly to an attack. Ransomware groups will, therefore, change their focus to target more small companies, where there will be less media and government attention, in order to maintain their profit margin, or find ways to operate more stealthily.
Organizations must be vigilant, as ransomware groups will learn how to operate more cautiously without being detected. Ransomware attacks will not dramatically drop in the next year, but they may become less profitable as the pressure from law enforcement and government agencies on the people behind these attacks continues to grow.
At the start of the pandemic the industry saw increased usage of VPNs as a quick fix to accommodate the sudden growth in remote workers. However, VPNs are a legacy technology and are not designed to provide effective cyber security in this work-from-anywhere era. The antiquated technology leaves huge attack surfaces and easily scannable open ports; once a threat-actor identifies a VPN port, they know that only one employee needs to be infected in order to gain access to the whole network.
Organizations that use VPNs are at a higher risk of experiencing a cyber attack and therefore need to implement a solution such as Zero Trust Network Access (ZTNA), which assumes every connection can be compromised. ZTNA is based on the idea of ‘least privilege’ and limits users’ access to sensitive data, thus providing a more secure network. People only have access to the resources they need to do their job at a given point in time. Access is conditional and continuously monitored, and can be restricted or revoked automatically. This level of fine-grained control significantly reduces the attack surface and can prevent attackers from moving laterally across a network and causing widespread damage.
In the past year, the US government in particular has been calling for organizations to adopt ZTNA, from Biden releasing a memo earlier in the year and the Pentagon due to launch a zero trust cyber security office in December. With governments urging organizations to implement zero trust policies, we expect to see a surge in ZTNA adoption in the next year.
As employees continue to work from home and organizations continue to move towards cloud computing, more companies will adopt solutions such as ZTNA to provide sustainable security and scalability.