2021 Marred by Aggressive APTs; RDP Attacks up 897%

While much of the world tried to regain some semblance of normalcy in 2021 after the onset of the COVID-19 pandemic the year before, cyberattackers were hard at work ushering in the new year by exploiting flaws in Microsoft Exchange Servers, and the year also saw an 897% increase in RDP attacks.

Ransomware “surpassed the worst expectations in 2021, with attacks against critical infrastructure, outrageous ransom demands and over $5 billion worth of bitcoin transactions tied to potential ransomware payments identified in the first half of 2021 alone,” according to a blog post penned by ESET chief research officer Roman Kovac, detailing findings from the company’s 2021 Threat Report.

ESET also found “an alarming upsurge in Android banking malware detections, which rose by 428% in 2021 compared to 2020, reaching the detection levels of adware—a common nuisance on the platform,” Kovac said.

What’s more, “as the bitcoin exchange rate reached its highest point so far in November 2021, ESET experts observed an influx of cryptocurrency-targeting threats, further boosted by the recent popularity of NFTs (non-fungible tokens),” Kovac wrote.

“This report speaks to how rapidly the threat landscape can evolve in such a short amount of time,” said Hank Schless, senior manager, security solutions, at Lookout.

“The increase in cryptocurrency-focused scams shows how attackers leverage the new and relatively unknown against victims,” said Schless. “The idea of purchasing NFTs with cryptocurrency is a trend that many people are jumping on but might not completely understand. This creates the perfect arena for threat actors to socially engineer individuals around crypto and NFTs.”

Kovac said that 2021 was marked by “shockingly severe vulnerabilities,” beginning with at least 10 APT groups exploiting the ProxyLogon vulnerability chain in what ESET said was the second most frequent attack vector; the year ended with vulnerabilities being found—and exploited—in the ubiquitous Log4j library.

“Microsoft Exchange servers ended up under siege again in August 2021, with ProxyLogon’s ‘younger sibling,’ named ProxyShell, exploited worldwide by several threat groups,” Kovac wrote.

“APT nation-state groups can be expected to produce more attacks as global conflict shows no signs of lessening,” said Joshua Aagard, vulnerability analyst on the Photon Research Team at Digital Shadows.

“The ESET Threat Report’s details on the Microsoft Exchange Server vulnerabilities show just how important it is for organizations to make a decision about how they are going to protect their messaging and collaboration back-end,” said Aaron Turner, vice president, SaaS posture, at Vectra. “Microsoft has made it very clear that the path forward for Exchange is in the cloud with the M365 online offerings.”

Turner said that “the rash of Exchange on-premises vulnerabilities, from Hafnium to ProxyShell, shows that Microsoft’s focus on supporting legacy Exchange Server is decreasing.”

Unfortunately, though, “many organizations cannot wean themselves from their on-premises Exchange infrastructure and wade into a hybrid Exchange architecture, where the organizations are exposed to both the legacy Exchange vulnerabilities like ProxyShell, plus all of the posture management requirements of Exchange Online,” said Turner.

And in 2021, “IT teams everywhere were sent scrambling, again, to locate and patch the flaw in their systems. This vulnerability, scoring a 10 on the CVSS scale, put countless servers at risk of a complete takeover—so it came as no surprise that cybercriminals instantly started exploiting it,” he said. “Despite only being known for the last three weeks of the year, Log4j attacks were the fifth most common external intrusion vector in our 2021 statistics, showing just how quick threat actors are at taking advantage of newly emerging critical vulnerabilities.”

RDP attacks continued to escalate even though 2021 lacked the “chaos of newly imposed lockdowns and hasty transitions to remote work” that wreaked havoc the year before.

“The massive increase in remote desktop protocol (RDP) attacks pointed to attackers ‘playing hopscotch,’ or system pivoting with the otherwise useful protocols intended for authorized network navigation,” said Aagard. “As a default protocol for Microsoft’s Azure, it presents an attractive target for access to greater resources.”

However, “probably the only good news from the RDP attack front,” Kovac noted, “is that the number of targets has been gradually shrinking, although it doesn’t seem like the rampage is about to end any time soon.”

Another spot of good news (bad news if you’re a hacker): “Feverish law enforcement activity against ransomware and other cybercriminal endeavors” ramped up the pressure on attackers.

But “while the intense clampdown forced several gangs to flee the scene—even releasing decryption keys—it seems that some attackers are only getting bolder: T3 saw the highest ransom ultimatum yet, $240 million, more than triple the record mentioned in our previous report,” Kovac said.


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
