Expect many more zero-day exploits in 2022, and cyberattacks using them being launched at a significantly higher rate, warns Aamir Lakhani, researcher at FortiGuard Labs.
As we move into 2022, bad actors are ramping up their reconnaissance efforts to ensure more successful and more impactful cyberattacks. And that means more zero-day exploits are on the horizon.
When seen through an attack chain such as the MITRE ATT&CK framework, campaigns are frequently discussed in terms of left-hand and right-hand phases of a threat. On the left side of the attack chain are the pre-attack efforts, which include planning, development and weaponization strategies. On the right side is the more familiar execution phase: building and launching malware to corrupt systems, steal data or hold networks hostage.
We need to start paying more attention to the left-hand side.
Increasing the Time & Effort Spent on Recon
As just noted, left-side activities are things like performing reconnaissance, weaponizing vulnerabilities and gaining initial access. Recognizing and stopping cyberattackers closer to the left side of the MITRE ATT&CK framework could in many cases make their efforts less effective, and it gives blue-team defenders multiple opportunities to mitigate a threat campaign before it reaches execution.
Because much of their work happens before an attack, advanced persistent threats (APTs) spend much of their time on the left. Their activities include identifying a vulnerable network, gaining unauthorized access and remaining undetected for an extended period. APTs are typically backed by well-resourced sponsors, such as state-sponsored groups or nation-states directly.
Expect to see a greater emphasis on “left-hand” activities from financially motivated cybercriminals too, as incident volumes rise and more gangs compete for a slice of the profits. Like nation-state-funded APT groups, these criminals will spend more time and effort on reconnaissance and on discovering zero-day capabilities to further their efforts.
Cybercriminals understand that spending more time in pre-attack reconnaissance means a greater chance of success when they launch their attack campaigns. In many situations, they can reuse the same techniques from their recon phase against multiple organizations, so although they are putting more effort in upfront, they increase their chance of success and make their attacks more modular.
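As an added illustration (not code from the column or from FortiGuard Labs), here is one way a blue team can surface left-side activity before exploitation: a heuristic over web access logs that flags a client probing many distinct paths with mostly 404 responses inside a short window, labelled with the ATT&CK Reconnaissance technique Active Scanning (T1595). The log lines, client addresses, regex and thresholds are constructed assumptions.

```python
"""Flag reconnaissance-phase ("left-side") activity in web access logs.
Added example, not from the column; the heuristic is an assumption: one client probing
many distinct paths with mostly 404s in a short window is treated as Active Scanning (T1595)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the regex is written for the constructed sample below.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a normal visitor (203.0.113.7) and a scanner (198.51.100.9).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2022:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.26"
198.51.100.9 - - [10/Jan/2022:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.26"
198.51.100.9 - - [10/Jan/2022:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.26"
198.51.100.9 - - [10/Jan/2022:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "python-requests/2.26"
198.51.100.9 - - [10/Jan/2022:10:00:04 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.26"
203.0.113.7 - - [10/Jan/2022:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:10:00:06 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""
def parse(text):
    """Yield (ip, timestamp, path, status) for each line the regex recognises."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
                   m.group("path"), int(m.group("status")))

def find_scanners(text, window=timedelta(minutes=5), min_paths=4, min_404_ratio=0.75):
    """Return {ip: finding} for clients whose requests in some window look like scanning."""
    per_ip = defaultdict(list)
    for ip, ts, path, status in parse(text):
        per_ip[ip].append((ts, path, status))
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # slide the window over each start time
            win = [e for e in events[i:] if e[0] - start <= window]
            paths = {p for _, p, _ in win}
            misses = sum(1 for _, _, s in win if s == 404)
            if len(paths) >= min_paths and misses / len(win) >= min_404_ratio:
                findings[ip] = {"paths": len(paths), "not_found": misses, "technique": "T1595"}
                break
    return findings
```

On the sample, the normal visitor's single 404 stays below both thresholds while the scanner is reported, which is the kind of early, left-side signal the column argues defenders should act on.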
More Ransomware Attacks, More Destruction
Not only will more vulnerabilities be discovered, but the attacks that exploit them will become more readily available to other attackers and incorporated into other attack kits. The growth of malware-as-a-service will naturally converge with the rise in new vulnerabilities.
So, not only will bad actors discover and weaponize more zero-day vulnerabilities, but those exploits will also be launched at a significantly higher rate due to the multiplicative effect of many cybercriminal affiliates simultaneously launching attacks.
Bad actors will be able to launch attack types with greater frequency, and the destructiveness of those attacks will increase, as well. As it stands, FortiGuard Labs researchers found an almost 11x increase in ransomware in the 12 months between July 2020 and June 2021. Ransomware will remain a centerpiece of the landscape, and the expansion of crimeware will continue.
Ransomware attackers already combine encryption with distributed denial-of-service (DDoS), hoping to overwhelm IT teams so they cannot take last-second actions to mitigate an attack’s damage. Adding a “ticking time bomb” of wiper malware, which could not only wreck data but destroy systems and hardware, creates additional urgency for companies to pay up quickly. Wiper malware has already made a visible comeback, targeting the Olympic Games in Tokyo, for example.
Given the level of convergence seen between financial cyberattack methods and APT tactics, it’s just a matter of time before destructive capabilities like wiper malware are added to ransomware toolkits. This could be a concern for critical infrastructure, supply chains and emerging edge environments.
Taking Action Before It’s Too Late
Enterprises need to be aware that an increase in new cybercriminals armed with advanced technologies will increase the likelihood and volume of attacks. Standard tools must be able to scale to address potential increases in attack volumes. These tools also need to be enhanced with artificial intelligence (AI) to detect attack patterns and stop threats in real time.
Critical tools should include anti-malware engines using AI detection signatures, endpoint detection and response (EDR), advanced intrusion prevention system (IPS) detection, sandbox solutions augmented with MITRE ATT&CK mappings and next-gen firewalls (NGFWs). In the best-case scenario, these tools are deployed consistently across the distributed network (data center, campus, branch, multi-cloud, home office, endpoint) using an integrated security platform that can detect, share, correlate and respond to threats as a unified solution.
Cybercriminals are opportunistic, and they’re also growing increasingly crafty. We’re now seeing them spend more time on the reconnaissance side of cyberattacks. They’re using left-side attacks to make the right-side attacks more effective. That means more destructive – and therefore more lucrative – ransomware attacks. It also means more frequent attacks, sometimes accompanied by DDoS hits to overwhelm IT security teams. And wiper malware is another nightmare these teams must prepare to contend with.
Organizations today need an intelligent, holistic and scalable security strategy to defeat these advanced attack types. Visibility and communication across the network are crucial because they enable an immediate and coordinated response. This is the level of defense enterprises need today – and we mean today, not at some vague point down the road. Gather and integrate your tools now to ensure your network can withstand the coming storm.
Aamir Lakhani is a cybersecurity researcher and practitioner at FortiGuard Labs.