ENISA 2021 Threat Landscape: Initial Thoughts

Photon Research Team
November 1, 2021 | 12 Min Read

The European Union Agency for Cybersecurity (ENISA) has released its yearly threat landscape report, which contains some handy insights. The following blog details some of the key points from the report surrounding threats in 2021. One sentiment repeated throughout the report is that cyber threats continue to grow, both in the number of attacks and in the impact those attacks can cause.

The world of 2021 is increasingly interconnected and undergoing significant technological change. Many companies are transitioning traditional infrastructure to cloud-based solutions, while other emerging technologies like artificial intelligence will undoubtedly play a more significant role in our lives in 2022. The result? An expanded – and thus more vulnerable – attack surface. 

Cybersecurity threats related to the COVID-19 pandemic and the “new normal” are also, unsurprisingly, continuing at pace. COVID-19 is still being widely used as phish bait in social engineering attacks. At the same time, exposed remote-access services are being widely exploited as a practical entry point for both cybercriminals and nation-state-associated groups. Without trying to blow our own trumpet, many of these themes echo predictions we made in several of our blogs earlier this year.

State actors continue to return to software supply chains

One of the first things that caught our eye in the ENISA report was the section on supply chain attacks. While these threats are absolutely not new—and we’ve spoken extensively about the risks from supply chains—within the past year, supply chain attacks have reached new levels of sophistication and impact. 2020 ended with the compromise of software supplier SolarWinds, which Microsoft described as “the largest and most sophisticated attack ever.” The threat actor responsible for the SolarWinds attack, NOBELIUM, has again been reported to be targeting the software supply chain, this time through cloud resellers, other managed service providers, and IT companies. Their motivations are highly likely to be the same: moving laterally into companies of strategic interest to Russia and gaining long-term, systemic access to critical points in the technology chain.

In ENISA’s report, which covers the period June 2020 – July 2021, a total of 17 distinct supply chain attacks were recorded, of which 50% were attributed to nation-state groups. Most of these attacks targeted software suppliers, with the most likely distribution vector being the hijacking of software update processes; others involved the undermining of code-signing certificates, open-source compromise, and mobile app store attacks. The common thread through all of them is the exploitation of the implicit trust placed between providers and customers: a customer that accepts an update because it arrived through the vendor’s update channel, or a binary because it carries the vendor’s signature, inherits whatever compromise sits upstream.

With supply chain attacks likely to continue or increase in tempo in 2022, organizations would be wise to put additional time and resources into scrutinizing vendors and third parties. One of the key concepts of President Biden’s executive order in May 2021—aimed at strengthening the defenses of companies working with the federal government—was a move towards adopting a zero-trust security model. Zero trust is a shift away from the traditional perimeter, or castle-and-moat, security model. Instead, nothing inside or outside the network is trusted automatically, and every access request has to be authenticated and authorized, regardless of where it originates. The NOBELIUM activity of both December 2020 and October 2021 could not be a better example of why implicit trust should be a thing of the past.

Improvise, adapt, overcome: 

State-associated groups have also reportedly been studying threat intelligence reporting and public disclosures to improve their operational effectiveness. Learning from past mistakes and adapting is what you would expect of an advanced actor, but it also means that the techniques being used now may not be the ones in use in 6-12 months. ENISA reports that these groups are putting additional focus on cybercriminal contract hackers, standard offensive security tools, published proof-of-concept (PoC) exploits, and living-off-the-land techniques, most likely to aid both obfuscation and deniability of their actions.

ENISA also predicts that state-backed groups will develop (or buy or otherwise procure) ransomware capabilities and then conduct disruptive operations masqueraded as other cybercriminal groups. Given the abundance of ransomware as a service (RaaS) programs in existence allowing affiliates to conduct attacks, it would likely be pretty easy for a nation-state group to obtain the tools required to perform a destructive attack of this nature. We’ve observed Iranian-associated groups conduct destructive attacks using wipers in the past year. This could become more commonplace as a method of covering an actor’s tracks or causing chaos for incident responders upon discovery. 

Ransomware, here to stay: 

As you’d expect, ransomware features heavily in the report. According to ENISA, the frequency of attacks grew by 150%, alongside an increase in the complexity of attackers’ intrusions. Unless you’ve been hiding under a rock for the last year, this will come as no surprise. Ransomware remains the most prominent threat of 2021 and will almost certainly remain the most significant threat in 2022. As ENISA notes, we have likely not reached the peak of this activity; in Q3 2021, Digital Shadows tracked 35 data-leak sites associated with distinct ransomware groups, 9 more than in Q2 2021. While this number regularly fluctuates, if growth continues at this rate we could be looking at over 50 groups by the middle of 2022. That is a damning indictment of how well global business is doing at stopping this activity, and of law enforcement’s ability to bring those involved to justice. Unfortunately, ransomware looks like a problem that will get worse before it gets better.

[Figure: Ransomware incidents observed by ENISA (Apr 2020-July 2021)]

Ransomware-as-a-Service (RaaS) business models are booming: 

One of the most significant factors behind this rapid climb has been the ransomware-as-a-service (RaaS) business model, to which ENISA attributes two-thirds of ransomware attacks during 2020. Under this model, ransomware developers rent their malware and infrastructure to affiliates, who conduct the intrusions and share the profits. This follows a broader trend of a lowered barrier to entry for the skills needed to conduct a cyberattack, and it further complicates efforts to attribute attacks to individual actors. With more individuals capable of performing an attack—and jumping on the ransomware gravy train—the number of attacks is likely to increase.

Initial access vectors remain consistent among ransomware groups: 

While the ransomware market has become highly saturated, the techniques used by these groups remain relatively consistent. There are distinctions between groups, but entry is usually gained through phishing emails or by brute-forcing weak credentials on exposed Remote Desktop Protocol (RDP) services. This is consistent with Digital Shadows’ own findings: our assessment of initial access broker (IAB) activity in Q3 2021—IABs act as middlemen, identifying and selling access into corporate networks—showed RDP to be the most common access type on offer, followed by VPN. The same was true in Q1 and Q2 2021 and will almost certainly remain so in Q4, particularly as ransomware actors make up a significant share of IABs’ customer base.
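The RDP brute-forcing described above is also one of the easier initial-access vectors to catch from the defender’s side, because every guess lands in the Windows Security log. The following is an added example, not code from ENISA or Digital Shadows: it reads constructed Event ID 4625/4624 records (JSON lines as a log shipper would emit them), applies a sliding-window failure threshold per source address, and escalates when a successful logon follows the burst. The threshold, the window, and the sample records are assumptions.

```python
"""Flag RDP password brute forcing in Windows Security event logs.

Added example, not ENISA's or Digital Shadows' code. The JSON lines below
are constructed to resemble Event ID 4625 (failed logon) and 4624
(successful logon) records with the standard field names; the window and
threshold are assumptions to tune per environment.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

FAIL_THRESHOLD = 5                 # failed logons from one source within WINDOW
WINDOW = timedelta(minutes=2)
RDP_LOGON_TYPES = {"10", "3"}      # 10 = RemoteInteractive; NLA failures land as type 3

# Constructed sample: one external host hammering two accounts, one host with
# two failures far apart, and one ordinary interactive logon.
SAMPLE_EVENTS = """\
{"ts":"2021-10-05T02:14:01Z","EventID":4625,"LogonType":"10","TargetUserName":"administrator","IpAddress":"203.0.113.7","Status":"0xc000006d"}
{"ts":"2021-10-05T02:14:03Z","EventID":4625,"LogonType":"10","TargetUserName":"administrator","IpAddress":"203.0.113.7","Status":"0xc000006d"}
{"ts":"2021-10-05T02:14:05Z","EventID":4625,"LogonType":"10","TargetUserName":"administrator","IpAddress":"203.0.113.7","Status":"0xc000006d"}
{"ts":"2021-10-05T02:14:20Z","EventID":4625,"LogonType":"3","TargetUserName":"admin","IpAddress":"198.51.100.9","Status":"0xc000006d"}
{"ts":"2021-10-05T02:14:30Z","EventID":4625,"LogonType":"10","TargetUserName":"administrator","IpAddress":"203.0.113.7","Status":"0xc000006d"}
{"ts":"2021-10-05T02:14:35Z","EventID":4625,"LogonType":"10","TargetUserName":"admin","IpAddress":"203.0.113.7","Status":"0xc000006d"}
{"ts":"2021-10-05T02:14:40Z","EventID":4624,"LogonType":"10","TargetUserName":"j.doe","IpAddress":"192.0.2.44"}
{"ts":"2021-10-05T02:14:50Z","EventID":4625,"LogonType":"10","TargetUserName":"admin","IpAddress":"203.0.113.7","Status":"0xc000006d"}
{"ts":"2021-10-05T02:15:10Z","EventID":4624,"LogonType":"10","TargetUserName":"admin","IpAddress":"203.0.113.7"}
{"ts":"2021-10-05T02:30:00Z","EventID":4625,"LogonType":"3","TargetUserName":"admin","IpAddress":"198.51.100.9","Status":"0xc000006d"}
"""


@dataclass
class Alert:
    source: str
    first_seen: datetime
    last_seen: datetime
    failures: int
    usernames: Set[str] = field(default_factory=set)
    succeeded_as: Optional[str] = None   # set when a 4624 follows the burst

    @property
    def pattern(self) -> str:
        # Many accounts with few tries each looks like a spray; otherwise brute force.
        return "password spray" if len(self.usernames) >= self.failures // 2 else "credential brute force"


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])   # the sliding window needs time order
    return events


def detect_rdp_bruteforce(events: List[dict], threshold: int = FAIL_THRESHOLD,
                          window: timedelta = WINDOW) -> List[Alert]:
    recent: Dict[str, deque] = defaultdict(deque)   # source -> (ts, user) failures in window
    alerts: Dict[str, Alert] = {}
    for ev in events:
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        src, ts, user = ev["IpAddress"], ev["ts"], ev["TargetUserName"]
        if ev["EventID"] == 4625:
            q = recent[src]
            q.append((ts, user))
            while ts - q[0][0] > window:       # evict failures older than the window
                q.popleft()
            alert = alerts.get(src)
            if alert is not None:               # burst already flagged: keep counting
                alert.last_seen, alert.failures = ts, alert.failures + 1
                alert.usernames.add(user)
            elif len(q) >= threshold:           # threshold crossed: open an alert
                alerts[src] = Alert(src, q[0][0], ts, len(q), {u for _, u in q})
        elif ev["EventID"] == 4624:
            alert = alerts.get(src)
            # A success shortly after the burst is the high-priority case: a guess worked.
            if alert is not None and alert.succeeded_as is None and ts - alert.last_seen <= window:
                alert.succeeded_as = user
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a.source}: {a.failures} failures on {sorted(a.usernames)} "
              f"({a.pattern}); succeeded as {a.succeeded_as!r}")
```

Tune FAIL_THRESHOLD and WINDOW to the environment; the signal that matters most is succeeded_as, since a burst of failures followed by a success from the same source is exactly the point at which an access broker has something to sell.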

Money launderers represent the weak point for ransomware activity:

One interesting point raised by ENISA concerned money laundering, a key service that allows ransomware groups to turn payments into usable currency. According to the report, 199 cryptocurrency addresses received 80% of all funds sent by ransomware addresses in 2020, and an even smaller group of 25 addresses accounted for 46%. In other words, the ability to cash out ransomware gains runs through a tiny pool of addresses and whoever controls them. Successful law enforcement operations against a handful of these launderers could significantly disrupt the ransomware ecosystem and affect several groups at once.

ENISA also stated that affiliates involved in RaaS operations do not typically work exclusively with one provider, and it suggests that the core operators and developers behind RaaS programs are likely a small number of individuals. This observation is consistent with the findings on money launderers. While there are many distinct groups, there are almost certainly connections between them that are not yet known, and joining those dots may best be done by targeting the financial side of the business.
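Both observations above, the concentration of cash-out addresses and the likely hidden links between groups, come down to the same analysis of attributed payment flows. The following is an added example, not ENISA’s or a blockchain-analytics vendor’s code: over a constructed set of transfers from ransomware-attributed addresses to receiving addresses, it computes the smallest set of destinations receiving 80% of funds and lists the destinations shared by more than one family, which is the “dot-joining” the financial angle makes possible. The family names, addresses and amounts are invented.

```python
"""Where do ransomware proceeds concentrate, and which operations share cash-out points?

Added example, not ENISA's analysis. The transfers below are constructed:
addresses, amounts and family names are invented stand-ins for the kind of
attributed on-chain flows a blockchain-analytics dataset would provide.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    family: str    # ransomware operation the sending address is attributed to
    src: str       # ransomware-controlled address
    dst: str       # receiving address (exchange deposit, mixer, OTC broker, ...)
    amount: float  # value sent, in one unit (e.g. BTC)


TRANSFERS = [
    Transfer("FamilyA", "ra1", "cashout_X", 40.0),
    Transfer("FamilyA", "ra2", "cashout_X", 25.0),
    Transfer("FamilyB", "rb1", "cashout_X", 30.0),
    Transfer("FamilyB", "rb2", "cashout_Y", 20.0),
    Transfer("FamilyC", "rc1", "cashout_Y", 15.0),
    Transfer("FamilyC", "rc2", "cashout_Z", 10.0),
    Transfer("FamilyD", "rd1", "cashout_W", 5.0),
    Transfer("FamilyD", "rd1", "cashout_V", 3.0),
    Transfer("FamilyE", "re1", "cashout_U", 2.0),
]


def inflow_by_destination(transfers: List[Transfer]) -> Dict[str, float]:
    totals: Dict[str, float] = defaultdict(float)
    for t in transfers:
        totals[t.dst] += t.amount
    return dict(totals)


def addresses_covering(transfers: List[Transfer], share: float = 0.8) -> List[Tuple[str, float, float]]:
    """Smallest set of destinations (largest first) receiving at least `share` of all funds.

    Returns (address, amount, cumulative_share) rows; the '199 addresses
    received 80%' style figure is the length of this list for share=0.8.
    """
    totals = inflow_by_destination(transfers)
    grand = sum(totals.values())
    rows, running = [], 0.0
    for addr, amt in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        running += amt
        rows.append((addr, amt, running / grand))
        if running / grand >= share:
            break
    return rows


def shared_cashout_points(transfers: List[Transfer], min_families: int = 2) -> Dict[str, List[str]]:
    """Destinations used by more than one ransomware family: the dots worth joining."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for t in transfers:
        users[t.dst].add(t.family)
    return {d: sorted(f) for d, f in users.items() if len(f) >= min_families}


def family_links(transfers: List[Transfer]) -> Set[FrozenSet[str]]:
    """Pairs of families linked by at least one common cash-out address."""
    links: Set[FrozenSet[str]] = set()
    for fams in shared_cashout_points(transfers).values():
        for i, a in enumerate(fams):
            for b in fams[i + 1:]:
                links.add(frozenset((a, b)))
    return links


if __name__ == "__main__":
    for addr, amt, cum in addresses_covering(TRANSFERS, 0.8):
        print(f"{addr:10} {amt:6.1f}  cumulative {cum:.0%}")
    print("shared:", shared_cashout_points(TRANSFERS))
    print("links:", [sorted(l) for l in family_links(TRANSFERS)])
```

On the constructed data two of six destinations receive over 80% of the funds, and the cash-out address shared by FamilyA and FamilyB (and another shared by FamilyB and FamilyC) is the kind of overlap that a law enforcement action against a single launderer would expose.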

The Evergreen Threat: Phishing Activity Ranks High

Of course, ransomware is the hot topic of the year and needs to be carefully examined to understand its evolution and how to mitigate it. Everyone is talking about the ‘r-word’ (as Sean described it in our latest Halloween blog) and, to some extent, rightly so. However, threat landscape reports also have the daunting task of reminding everyone that there is more out there and that, sadly, old threats haven’t disappeared. At all.

E-mail related threats still rank high in every threat intelligence report out there, and the reason is apparent: while blue teams and security researchers can come up with the best technologies to defend their fortress, humans will still be humans, characterized by the same old cognitive biases we all know about. And cybercriminals and threat actors have become world-class experts at exploiting them to gain access to sensitive areas.

That’s why ENISA devoted one section of its report to analyzing critical social engineering trends observed in the past year. Unsurprisingly, ENISA highlights that COVID-related lures have been frequently used by cybercriminals and state-sponsored groups to trick users into opening malicious emails, a trend in line with what Digital Shadows has observed since early 2020. Why these lures? A key tactic of social engineers is to provoke a strong emotional response in the target in order to push them into a particular action, and what works better than news about a world-raging pandemic?

User awareness is a crucial component in the fight against phishing, and ENISA tries to shed light on some lesser-known phishing tactics observed in the past year. For example, we’ve all noticed how QR codes (invented more than 25 years ago) have finally become ubiquitous during the pandemic, letting people access a pub’s menu contact-free. But apart from letting you pick your favorite beer, QR codes can also be weaponized by malicious actors to send users to malicious websites that harvest credentials or push malware onto the device. According to ENISA, that is exactly what happened frequently over the past year, with QR codes embedded in fraudulent emails to extract sensitive credentials. The practical problem for defenders is that the link lives inside an image rather than in the message text, so URL-scanning controls on the mail gateway never see it, and the user typically opens it on a phone that sits outside corporate web filtering.

Finally, we can’t close a phishing discussion without at least mentioning Business Email Compromise (BEC), a phishing tactic that caused more than $1.8 billion in reported losses during 2020. The FBI defines a BEC scam as one in which “criminals send an email message that appears to come from a known source making a legitimate request,” such as asking for gift cards, paying an invoice, or completing a transaction on their behalf. According to ENISA, cybercriminals will continue to use this tactic in the future, and it also foresees further sophistication among the threat actors involved.
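Because BEC mail rarely carries a malicious attachment or link, the useful checks are on headers and wording rather than on payloads. The following is an added example, not FBI or ENISA tooling: it parses a raw message with Python’s standard email module and flags an executive’s display name on a non-corporate address, a Reply-To pointing elsewhere, a lookalike sender domain, and gift-card or payment urgency language. The organisation domain, the executive directory, the keyword list, the edit-distance cutoff and the three sample messages are all constructed.

```python
"""Header- and content-level triage for BEC-style emails.

Added example, not FBI or ENISA tooling. The organisation domain, the
executive directory and the three messages are constructed; the keyword
list and the edit-distance cutoff are assumptions to tune locally.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "example.com"                                  # assumed victim organisation
VIP_DIRECTORY = {"jane smith": "jane.smith@example.com"}   # assumed: display name -> real address
URGENCY = re.compile(
    r"\b(gift cards?|wire transfer|urgent|immediately|invoice|confidential)\b", re.I)
LOOKALIKE_MAX_EDITS = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot examp1e.com-style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts (a non-multipart message is its own part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(sender), domain_of(reply_to)
    findings = []

    # 1. The display name is an executive's, but the address is not theirs.
    expected = VIP_DIRECTORY.get(name.strip().lower())
    if expected and sender.lower() != expected:
        findings.append(f"display-name spoof: '{name}' but sender is {sender}")
    # 2. Replies are silently redirected to another mailbox.
    if reply_to and reply_dom != from_dom:
        findings.append(f"reply-to redirect: replies go to {reply_to}")
    # 3. The sender domain is a near-miss of our own.
    if from_dom != ORG_DOMAIN and 0 < edit_distance(from_dom, ORG_DOMAIN) <= LOOKALIKE_MAX_EDITS:
        findings.append(f"lookalike domain: {from_dom} resembles {ORG_DOMAIN}")
    # 4. Urgency / payment language typical of gift-card and invoice fraud.
    hits = sorted({h.lower() for h in URGENCY.findall(plain_text(msg))})
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed messages: a gift-card scam from a free-mail account, an
# invoice lure from a lookalike domain, and a legitimate internal note.
GIFT_CARD_MSG = """\
From: Jane Smith <jane.smith.ceo@gmail.com>
Reply-To: jane.smith.ceo@outlook.com
To: finance@example.com
Subject: Quick request

Are you at your desk? I need you to buy 5 gift cards for a client, urgent.
Keep it confidential and send me the codes.
"""

LOOKALIKE_MSG = """\
From: Jane Smith <jane.smith@examp1e.com>
To: ap@example.com
Subject: Payment

Please process the attached invoice immediately.
"""

BENIGN_MSG = """\
From: Jane Smith <jane.smith@example.com>
To: team@example.com
Subject: Weekly report

Weekly report attached. Thanks.
"""

if __name__ == "__main__":
    for label, raw in [("gift card", GIFT_CARD_MSG), ("lookalike", LOOKALIKE_MSG), ("benign", BENIGN_MSG)]:
        print(label, "->", triage(raw) or ["no findings"])
```

None of these checks is conclusive on its own (executives do occasionally mail from personal accounts), which is why the function returns every finding rather than a single verdict; in practice the combination of a VIP display name, an external address and payment urgency is what should route a message to a human before finance acts on it.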

I Can’t Get No Availability: DDoS Trends 

Before closing this blog, we thought it was well worth reserving some space for Distributed Denial of Service (DDoS) attacks. This is one of the most annoying and widespread attack types out there, given its relatively low barrier to entry and the hundreds of cheap tools available online. These attacks “occur when users of a system or service cannot access relevant information, services or other resources” and “can be accomplished by exhausting the service or overloading the component of the network infrastructure.” In other words, when a service is under DDoS attack, you will likely not be able to access it for a while.

As we mentioned last year in a blog covering present and future DDoS trends, there are three main trends in the threat landscape of activity against data availability: extortion-related attacks, exploitation of Internet of Things devices, and DDoS-as-a-service.

Ransom DDoS (RDDoS) campaigns have become relatively common throughout the past year, with extortion demands sent to many victims under names such as Fancy Bear, Lazarus Group, and Armada Collective; these are names the extortionists claim for intimidation, and the senders have not been shown to be the groups they pose as. The technical skills required to launch these attacks are significantly lower than for a traditional ransomware attack; however, the operators can still expect a decent payout.

Cybercriminals have also been quick to leverage the explosion of Internet of Things (IoT) devices and the emergence of 5G to expand the threat posed by DDoS attacks. IoT devices face endemic issues such as weak default passwords and misconfiguration that make them easy targets even for the least skilled actors. In the past year this has let attackers build massive botnets from vulnerable IoT devices, such as the Mirai variants, Meris, and Mozi.

Finally, Cybercrime-as-a-Service (CaaS) is becoming a “cornerstone” for conducting widespread attacks, as it has opened the door to DDoS for a massive number of unsophisticated attackers. ENISA further notes that “these services reduce the effort needed to manage high-volume and complex attacks, making DDoS adaptive, lightweight, and heterogeneous”. Additionally, by targeting third-party providers, attackers can hope for a cascade effect that hits the broader supply chain and so increases the impact of their disruption. The use of CaaS also makes attribution more difficult for security researchers and law enforcement agencies.

A Messy Threat Landscape

Threat landscape reports like ENISA’s are incredibly valuable for researchers and practitioners who want a comprehensive, up-to-date view of the main threats and tactics out there. However, that massive amount of information can be intimidating and difficult to navigate, but don’t worry, we’re here to help. Whether it’s good old threat intelligence, the dark web, risk management, or keeping an eye on your important assets, we can help you.

Try us out for a 7-day test drive to see if Searchlight works for you, or we can walk you through a demo using your use cases and questions.