Kaspersky researchers have shared their vision on Advanced Persistent Threats (APTs) in 2021, laying out how the landscape of targeted attacks will change in the coming months.
The turmoil experienced in 2020 will bring along many structural and strategic changes, not just in our daily lives but in the realm of targeted attacks too, not least because of the broadened attack surface. New attack vectors, such as the targeting of network appliances and the search for 5G vulnerabilities, will appear alongside multi-stage attacks and action against the activities that enable cyberattacks, such as zero-day sales.
The forecast was developed based on the changes that Kaspersky’s Global Research and Analysis Team (GReAT) witnessed during 2020 and has been published to provide the cybersecurity community with guidelines and insights. Together with a series of industry and technology threat predictions, it is intended to help organizations prepare for the challenges that lie ahead.
Global APT Threats
1. APT threat actors will buy initial network access from cybercriminals: One of the key, and potentially most dangerous, trends that Kaspersky researchers anticipate is a change in how threat actors execute attacks. Last year, targeted ransomware attacks reached a new level through the use of generic malware to gain an initial foothold in targeted networks. Connections were observed between these operations and well-established underground markets such as Genesis, which typically trades in stolen credentials. Kaspersky researchers believe that APT actors will start using the same method to compromise their targets.
As a result, organizations should pay increased attention to generic malware and perform basic incident response activities on every compromised computer, to confirm that the generic malware was not used as a delivery mechanism for more sophisticated threats.
2. More countries using legal indictments as part of their cyber-strategy: Kaspersky’s previous prediction of ‘naming and shaming’ of APT attacks carried out by hostile parties has come true, and more governments will follow suit. Government-level exposure of APT groups’ toolsets will drive more states to do the same, burning their opponents’ existing toolsets in retaliation and thereby hampering those actors’ operations and development.
3. More Silicon Valley companies will take action against zero-day brokers: Following the scandalous cases where zero-day vulnerabilities in popular apps were exploited for espionage on a variety of different targets, more Silicon Valley corporations are likely to take a stance against zero-day brokers in an effort to protect their customers and reputation.
4. Increased targeting of network appliances: With remote work, the devices on the network perimeter have become a priority for organizational security, and more interest in exploiting network appliances such as VPN gateways will emerge. Harvesting credentials for corporate VPNs by ‘vishing’ (voice phishing) remote workers may also appear.
5. Demanding money “with menaces”: Changes in ransomware gangs’ strategy are leading to the consolidation of a still diverse but rather tight ransomware ecosystem. Following the success of previous targeted attack strategies, more major ransomware players will focus their activities and acquire APT-like capabilities: with the money the gangs have extorted, they will be able to invest large sums in new advanced toolsets, with budgets comparable to those of some state-sponsored APT groups.
6. More disruptive attacks: These will result either from directed, orchestrated attacks designed to affect critical infrastructure or from collateral damage, as our lives have become even more dependent on technology, with a much wider attack surface than ever before.
7. The emergence of 5G vulnerabilities: As adoption of this technology increases, and more devices become dependent on the connectivity it provides, attackers will have a greater incentive to look for vulnerabilities that they can exploit.
8. Attackers will continue to exploit the COVID-19 pandemic: While it has not prompted changes in the tactics, techniques and procedures of threat actors, the virus has become a persistent lure. As the pandemic continues into 2021, threat actors will not stop exploiting this topic to gain a foothold in target systems.
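Prediction 1 above turns on a practical point: a quarantined "generic" trojan may have been the hand-off to a more capable operator, so the alert should not simply be closed once the file is removed. The following triage helper is an added example (not Kaspersky's or the article's own code) of how that recommendation can be applied to host telemetry: every host with a commodity detection is listed for basic incident response, and any hands-on-keyboard indicators seen on the same host within a window after the detection escalate it. The log lines, the family names in `COMMODITY_FAMILIES` and the indicator strings in `FOLLOW_ON` are all constructed for the example and are assumptions, not detections named on the page.

```python
"""Triage helper for the "commodity malware as a hand-off" case.

Added example (not Kaspersky's code). Given host event records, find every
host with a commodity-malware detection and list any follow-on activity seen
within a window after it. An empty list means basic incident response only;
a non-empty list means the host should be escalated. All log lines, family
names and indicator strings below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed record format: ts|host|kind|detail
# kind is one of av_detect, process, persistence, logon
SAMPLE_LOG = r"""
2021-01-12T09:14:00|WS-042|av_detect|Trojan.Generic quarantined C:\Users\a\AppData\Local\Temp\inv.exe
2021-01-12T09:20:00|WS-042|process|rundll32.exe comsvcs.dll MiniDump 652 C:\Windows\Temp\l.dmp full
2021-01-12T11:02:00|WS-042|persistence|schtasks /create /tn Updater /tr C:\ProgramData\u.exe /sc onlogon
2021-01-12T11:05:00|WS-042|logon|type=3 target=FS-01 user=svc_backup
2021-01-12T13:00:00|WS-017|av_detect|Dropper.Generic quarantined C:\Users\b\Downloads\invoice.exe
2021-01-13T08:00:00|WS-099|process|psexec.exe \\FS-01 -s cmd.exe
2021-01-14T10:00:00|WS-017|persistence|schtasks /create /tn Sync /tr C:\Users\b\s.exe
"""

# Hypothetical generic family name prefixes (assumed, not taken from the page).
COMMODITY_FAMILIES = ("Trojan.Generic", "Dropper.Generic", "Stealer.Generic")

# Hypothetical follow-on indicators per event kind, matched case-insensitively:
# credential dumping, remote execution, persistence, and outbound network logons.
FOLLOW_ON = {
    "process": ("comsvcs.dll minidump", "mimikatz", "procdump", "psexec", "wmic /node"),
    "persistence": ("schtasks /create", "reg add", "sc create"),
    "logon": ("type=3",),  # network logon: this host reaching another host
}


def parse(lines):
    """Parse records into (ts, host, kind, detail) tuples, sorted by time."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, kind, detail = line.split("|", 3)
        out.append((datetime.fromisoformat(ts), host, kind, detail))
    return sorted(out)


def hosts_needing_ir(lines, window_hours=24):
    """Map each host with a commodity detection to the follow-on activity seen
    within window_hours after that detection (empty list = detection only)."""
    window = timedelta(hours=window_hours)
    events = parse(lines)
    result = {}
    for ts, host, kind, detail in events:
        if kind != "av_detect" or not detail.startswith(COMMODITY_FAMILIES):
            continue
        hits = result.setdefault(host, [])
        for ts2, host2, kind2, detail2 in events:
            if host2 != host or kind2 not in FOLLOW_ON:
                continue
            if not (ts <= ts2 <= ts + window):
                continue
            if any(p in detail2.lower() for p in FOLLOW_ON[kind2]) and detail2 not in hits:
                hits.append(detail2)
    return result


def tiers(result):
    """Split the triage map into (escalate, basic_ir) sorted host lists."""
    escalate = sorted(h for h, hits in result.items() if hits)
    basic = sorted(h for h, hits in result.items() if not hits)
    return escalate, basic


if __name__ == "__main__":
    triage = hosts_needing_ir(SAMPLE_LOG.splitlines())
    escalate, basic = tiers(triage)
    for h in escalate:
        print(f"ESCALATE {h}: " + "; ".join(triage[h]))
    for h in basic:
        print(f"BASIC IR {h}: commodity detection only, confirm nothing followed")
```

In the constructed sample, WS-042 is escalated because a credential dump, a new scheduled task and a network logon follow the quarantined trojan within a day, while WS-017 only had the detection and gets basic incident response. Note what the helper does not do: WS-099 shows remote execution with no commodity alert at all, which is exactly the kind of activity a wider hunt, rather than this alert-driven triage, has to catch; the window is also a tuning knob, since widening it to 72 hours pulls WS-017's later persistence into scope.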
Cybersecurity Predictions for India in 2021
1. Cyber Frauds
India’s digital economy is expected to grow at a faster rate; a recent BCG and Google study estimated that within five years India’s digital payments alone will become a USD 500 billion industry. Recently, a popular Facebook-owned instant messaging app launched its payment service in India. It allows users to send and receive money with their contacts while chatting, using UPI, a payment infrastructure built by a coalition of large banks in the country. This year we have seen many UPI-related frauds, and several banks have issued advisories alerting their users to them. As more options for digital payments are introduced, we expect more such cases. The BharatNet programme seeks to connect all villages in the country with optical fibre, covering nearly 625,000 villages, to improve telecommunications in India and reach the goal of the Digital India campaign. With more users connected to the internet, fraud incidents may see an uptick. The NCRB’s (National Crime Records Bureau) cybercrime data for 2019 shows that the motive behind most registered cases is fraud.
2. Healthcare sector
India has been digitizing its healthcare sector under the National Digital Health Mission. The platform includes the following key features: a Health ID, a Health Facility Registry (HFR), Personal Health Records (PHR), Electronic Medical Records and Digi-Doctor, and it will also include e-pharmacy and telemedicine services. During the COVID-19 national emergency, the Ministry of Health and Family Welfare published Telemedicine Practice Guidelines on March 25, 2020 to enable Registered Medical Practitioners to provide healthcare using telemedicine.
This year we have already seen incidents in which the medical details of over 120 million Indian patients were leaked and made freely available on the Internet. Recently, Dr Reddy’s Laboratories confirmed that a cybersecurity breach it had disclosed was a ransomware attack. A week after that incident, another Indian pharmaceutical company, Lupin, confirmed an information security incident that affected multiple internal systems. These incidents indicate that the healthcare sector is likely to see a rise in attacks during 2021.
3. Digitization of Micro, Small & Medium Enterprises (MSMEs)
Lockdown has forced many businesses to go digital, and micro, small and medium enterprises (MSMEs) are no exception. MSMEs have to ensure that this transition is smooth. During it they must put the necessary network protection in place to secure remote working for their employees, which requires investment and may not be straightforward for MSMEs. We have seen incidents in the past where a network breach resulted from the exploitation of a vulnerable internet-facing service. Apart from securing their infrastructure, they also have to take essential steps to protect their customers’ personal information. Any loopholes in these setups may give attackers an opportunity to go after MSMEs.
4. Ransomware Attacks
We already mentioned in our 2020 predictions that ransomware would shift to targeted ransomware, and the COVID-19 pandemic has seen this prediction borne out. We have seen ransomware actors such as Maze, Cl0p, Nefilim and Netwalker targeting different industries in India, including financial services, oil drilling services, pharmaceuticals, commodity and service providers, automotive supplies, footwear manufacturing, professional and consumer services, and manufacturing and industrials. We expect this tendency to continue in 2021.
“We live in a world that is so mercurial that it is likely that events and processes will happen in the future that we have not been able to grasp just yet. The amount and complexity of changes we have witnessed that have affected the cyberthreat environment could dictate many scenarios for what is to come ahead. Furthermore, there are no threat research teams in the world that have full visibility of the operations of APT threat actors. Yes, the world is a chaotic place, but our previous experience shows that we have been able to anticipate many APT developments before, and hence prepare for them better. We will continue to follow this path, understanding the tactics and methods behind APT campaigns and activities, sharing the insights we learn and evaluating the impact these targeted campaigns have. What matters here is to follow the situation closely and always be ready to react, and we are confident in doing so,” says David Emm, principal security researcher at Kaspersky.