The number of cyberattacks increased by 17% compared to Q1 2020, and compared to Q4 2020, the increase was 1.2%, with 77% being targeted attacks, according to a new Positive Technologies Cybersecurity Threatscape Q1 2021 report. Incidents involving individuals accounted for 12% of the total.
Cybercriminals typically attacked government institutions, industrial companies, science and education institutions. The main motive for attacks on both organizations and individuals remains acquisition of data. Attackers' main targets are personal data and credentials, and attacks on organizations are also aimed at stealing intellectual property.
Other findings include:
- Ransomware is still the malware that is most often used by attackers. In Q1, they demanded astronomical ransoms and refined their arsenal, including adding new ways to hide from security tools. There is a lot of new ransomware, for example, Cring, Humble, and Vovalex. And the good old WannaCry is running rampant again. Ziggy operators set a precedent: they returned the ransoms paid to the victims and "turned to the light side".
- The most popular vulnerabilities for attackers this quarter were breaches in the Microsoft Exchange Server software (ProxyLogon) and the outdated file sharing program Accellion FTA. Attackers used a zero-day vulnerability discovered in SonicWall VPN solutions not just to hack the company, but also to launch attacks on its customers. SonicWall presumably failed to notify its customers in time about the identified vulnerability or a need to implement protective measures. The incident supports the argument that software manufacturers should inform their customers as soon as possible about existing vulnerabilities and ways of protecting themselves until a patch is released.
- More and more cybercriminals are developing malware to conduct attacks on virtualization environments, and some are aggressively trying to exploit vulnerabilities already found in software for deploying virtual infrastructure. At the beginning of 2021, our security engineers helped to eliminate critical vulnerabilities in VMware products. We strongly recommend installing the security updates as soon as possible.
- The number of attacks targeting IT companies has remained consistently high for a second quarter in a row. In 15% of cases during Q1 2021, hackers targeted IT companies to conduct an attack on their customers or to steal customer data. At the beginning of 2021, there were still reports in the media about new victims of the attack on SolarWinds: the company's customers claim that their networks have been compromised.
- Telecom companies were twice as likely to be attacked as in Q4 2020. In 71% of the attacks, hackers aimed at obtaining data, with a particular interest in the 5G technology. Nine out of ten incidents saw attackers use malware—most frequently, RATs, which accounted for 55% of all attacks.
Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), now part of Netwrix, explains, "The report highlights a growing focus on multipliers, on targets that allow the attacker an easy access to a large number of victims, whether by supply-chain attacks or by attacking cloud service provider. Other attack vectors remain on a high level by itself, but it is bad news for telecom operators and cloud providers that they will be in the cross hair even more in future. That shift should not lead to a lowered guard for other organizations, as the attackers will continue to use all their arsenal. It will be necessary and vital to monitor infrastructure for unexpected changes, maintain diligence on accounts and associated user rights."
Of particular interest was findings around the increase in attacks on virtualization environments and what that means for cloud migrations and other cloud activities: Popular cloud services that facilitate interaction and simplify companies' IT infrastructure also became a favorite target for attackers. The reason for this phenomenon is that by attacking a cloud service provider, hackers can gain access to the customers' data, as it happened, for example, during the January incident with the Bonobos clothing store. The store suffered a data leak due to an attack on the cloud service provider that the company used to store customer credentials and personal data. A similar incident occurred with the network equipment manufacturer Ubiquiti.
Mohit Tiwari, Co-Founder and CEO at Symmetry Systems, explains that it is a common error to blame cloud providers for attacks on an organization that runs cloud workloads. "Cloud providers can be blamed if their platform software is breached or if a malicious employee is able to leak cloud-tenants' data. This is extremely rare and definitely not the case with Ubiquiti (judging by articles available online). A far more common reason is that the cloud tenant -- e.g., Ubiquiti -- had an attack on their identity and access permissions (IAM) or that one of the tenant applications was breached (so that an attacker could use the breached application as a proxy to run attacks). Cloud providers have security tooling that tenants can use, or several third-party security vendors and managed services they can work with, to secure their IAM and applications that run on the cloud."
According to the United States Cybersecurity and Infrastructure Security Agency, hackers managed to find a way to bypass two-factor authentication to compromise cloud services. This was achieved through a "pass the cookie" attack. "Sadly these types of attacks are one of the most common attack vectors seen in cloud environments today. The threat generally is caused by a misconfiguration of a cloud service provider that leaves data in an insecure state. The best solution for these types of issues are to implement a cyber asset management solution that tracks and alerts on changes in the state of cloud solutions and services. If one of these services drifts from a known secure state an alert should fire."
"Security in the cloud is fundamentally different from on premises and it’s still new for many security leaders. Whether cloud-first or hybrid, organizations are working quickly to get the right policies in place to support this transition," says Vishal Jain, Co-Founder and CTO at Valtix. "In particular, the shared responsibility model can be challenging when you have a mix of IaaS, PaaS, and SaaS - each with different security requirements. Multi-cloud makes matters worse when each cloud provider has its own nuances. In the end, you still need layered security and visibility in the cloud. Cloud-first tools can help meet these needs through robust security that also adapts to the dynamic nature of cloud environments."