2021 was a year in which everything escalated. The pandemic triggered separation, isolation, and general unease in our ability to discern the good from the bad. In cybersecurity, we saw a sharp increase in the number of threat actors riding the wave of the ransomware economy, more governments using cyberspace to influence nation-state politics, and more software vulnerabilities. The combined effect of these has made breaches easier and security harder.
So where will 2022 lead us? Our predictions last year weren’t far off the mark, so as we look forward to another year in the trenches of cybersecurity, we gather some of SentinelOne’s best researchers and thought leaders once again to read the tea leaves of the central motifs they see coming to bear in 2022.
We Haven’t Reached ‘Peak Ransomware’ Yet
Ransomware operators have, throughout the last year, continued to display their absolute lack of compunction. Numerous high-profile attacks in 2021 demonstrated that these actors will seize any opportunity to profit. In 2022, expect the availability of highly critical vulnerabilities such as Log4j, which have exposed countless environments while greatly enhancing attackers’ toolsets, to be making the headlines more than once.
This past year also saw the wider and accelerated adoption of malware written in the Rust and Go programming languages. One of the main benefits of this practice is, naturally, cross-platform compatibility. A few recent examples of this include BlackCat/ALPHV ransomware, RansomEXX ransomware and ElectroRAT. We are trending towards a majority of these threats being multiplatform out of the gate. As we progress into 2022, expect to see a greater number of new, cross-platform malware families emerge.
Targeting of healthcare entities (hospitals, medical research facilities, private clinics) will continue to be a critical issue. While on the surface many threat operators claim to avoid attacking medical-centric targets, the reality is far less altruistic. We continue to see ransomware infecting these environments, at times costing lives. In 2022, expect to see no let-up in aggressive, unscrupulous ransomware operations targeting organizations regardless of the impact on public safety.
We will also continue to see the identity of these operations blur, with various groups continuing to hide in the open while attempting to circumvent any new penalties or sanctions through frequent rebranding of their operations.
Jim Walter, Senior Threat Researcher, SentinelLabs
You Can’t Spend Or Arrest Your Way Out Of Cybersecurity
We’ve seen the number of ransomware attacks rise steadily, despite enterprises spending millions. Although the US government assembling the ransomware task force was done out of good intentions, it’s demonstrated that arresting the cybercriminals responsible, such as the alleged member of the REvil ransomware gang, is not going to be enough.
Recently, the U.S. State Department offered a reward of up to $10 million “for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group.” While not officially linked to the Russian Federation, DarkSide was able to operate inside Russia with the apparent implicit approval of the government. The use of State Department funds underscores the desire to keep the military option in reserve while using diplomatic and other means to identify and bring to justice transnational organized crime actors.
Continued ransomware activity throughout 2022 will prove that we can’t spend or arrest our way out of cyberattacks. Instead, we must change our way of thinking. The problem isn’t the problem, it’s the way we think about the problem. And that’s not what matters. It’s how our adversaries think about the problem that really counts.
We need to think critically about the problems we are trying to solve to beat cybercriminals at their own game. Playing inside the lines isn’t going to cut it – it’s time to think outside of the box and fight machine with machine.
Morgan Wright, Chief Security Advisor, SentinelOne
Software Dependencies Are Your Weakest Link
From the end of last year with SolarWinds to the end of this year with Log4j2, the alarm bells have been ringing loud and clear: software dependencies are a massive blind spot and a major vector for supply chain attacks.
The likelihood of widely-used software components being secure out-of-the-box is low at best. Even with the best of intentions, the mindset of those that create and share useful modules, plug-ins, packages and other utility code is rarely security-focused. On top of that, the ability of an enterprise to test and evaluate every piece of software that enters their network is limited for most, including the federal government.
2022 represents both an opportunity and a threat: we can tackle the problem with technology and visibility across our entire cyber estate, or we can continue as we’ve been going along, waiting for the next well-crafted nation-state attack like Sunburst or the next “universal vulnerability” like Log4j2. Overworked SOC teams and admins may vote with their feet.
APTs Getting Down to Business
Working in the trenches of cybersecurity research, it’s easy to get carried away with flashy and innovative operations. It’s easy to forget that ‘APT’ is a euphemism for a stratum of intelligence collection operators well entrenched in the national apparatus of the majority of countries worldwide. After all, some of the more notable APTs have been around for nearly a quarter of a century.
Rather than the rogue outfits of wily hackers they are often romanticized as, many of these nation-state adversaries are entrenched in bureaucracies, they have objectives to meet, and – contrary to popular researcher belief – their primary goal isn’t to impress us.
This past year, nation-state adversaries learned a tried-and-true formula that being unimpressive and downright mundane (at least in the early stages of their operations) inevitably increases their return-on-investment. In other words, if your infection vector is an email ($0) with some JavaScript loaders for Cobalt Strike or Metasploit ($0), allowing you to validate victims, look out for security solutions, begin basic collection, and deploy second-stage tools where they won’t be burned, then whatever persistence and collection you accomplish represents a booming ROI.
Moreover, it’s easier to blend into the noise of ‘business-as-usual’ when you’re just another APT doing intellectual property theft with no zero-day exploits, custom tooling, or notable antics. How many threat hunters will get out of bed to make it their business to track those folks when there are flashy high-end actors out there to blog about?
I’m afraid that 2022 will further slide us into the more mundane aspects of cyberespionage – as a pervasive but low-grade, constant but unremarkable onslaught of collection efforts from all sides that we’ve essentially grown used to.
Juan Andres Guerrero-Saade, Principal Threat Researcher, SentinelLabs
Private Espionage Businesses Will Continue To Flourish
Private espionage businesses will encounter many setbacks due to their increased attention over the last year, but that will neither deter nor prevent the growth of such a lucrative and in-demand trade. We can expect researchers to uncover new and less-reported businesses selling surveillance-for-hire technology and resources around the globe with little regard for real-world impact.
While some well-known companies such as Russia’s Positive Technologies, Singapore’s Computer Security Initiative Consultancy, Israel’s Candiru, and perhaps most famously, the NSO Group, have experienced crippling government sanctions or negative media coverage during 2021, we can expect these and others to rebrand, split, or generally evolve with the opportunity of profits in mind. This type of business will not go away in 2022.
Tom Hegel, Senior Threat Researcher, SentinelLabs
Securing the Intricacies of Enterprise Cloud Dependency
Enterprises will need to adopt cloud native security faster and respond to these threats from the front lines as customer data privacy on cloud-native servers will be put to the test. The ongoing cloud-credential stealing feast will continue, and we will see cloud-native ransomware implemented by abusing weak permissions and stolen Azure and AWS API credentials.
On-premises Active Directory will continue to fade away, while Azure Active Directory is pushed towards major adoption. As companies like Okta and JumpCloud get further buy-in, they’ll start facing increased interest from every stripe of hacker looking to gain access to large swaths of victims at once.
From the defenders’ perspective, API Security solutions will become a necessity. XDR adoption will grow via MSSPs, forcing threat hunters to adopt more automations. These will provide coverage for the new data sources and will enable defenders to face the new battle-terms.
Rafel Ivgi, Principal Security Technologist, SentinelLabs
More Targeted Attacks On Enterprise Macs (and Other Apple Devices Near You)
Unsurprisingly, and as we predicted last year, there has been a glut of macOS and iOS vulnerabilities disclosed in 2021 due to the increased scrutiny of Apple’s platforms by both security researchers and threat actors. Stealing the show during 2021 was NSO’s Pegasus zero-click iMessage exploit, in which a zero-day vulnerability (CVE-2021-30860) in Apple’s Core Graphics framework was used to construct an entire emulated computer architecture.
Meanwhile, although Macs have never been at the heart of most companies’ network or server infrastructures, the Mac has become a firm-favorite among developers and C-Suite level executives – an enticing combination for threat actors interested in high-value targets.
At the same time, iOS and macOS security is woefully misunderstood by Apple users, including in the enterprise. While Mac users at least have the ability to install 3rd-party EDR products for detection and protection against malware, few choose to do so, persuaded by a strong “Macs are safe by design” marketing message from Apple. Lulled into believing that the Mac’s legacy AV scanner XProtect and the regularly-bypassed Gatekeeper and Notarization technologies are somehow enough, users leave themselves and their organizations vulnerable to attacks. The fact is, the Mac’s built-in defenses are far from adequate, as even Apple admitted earlier this year.
Recent history has shown that threat actors with the most resources – nation-states – are willing to spend those resources on targeting dissidents, journalists and political opponents. Whether it’s buying NSO spyware like Pegasus or creating Mac-specific backdoors like macOS.Macma, governments (or their proxies) have been the main driver of targeted attacks against Apple’s platforms so far. However, where nation-states go, criminals soon follow.
These three factors – increased attention on Apple device vulnerabilities, wider use of Macs in the enterprise, and the false sense of security that Macs are safe and don’t need 3rd-party protection – will lead to more high-value, targeted attacks against Apple device users in 2022.
Phil Stokes, macOS Threat Researcher, SentinelLabs
Conclusion
While this year saw the U.S. government making some valiant efforts to try and tackle the long-standing challenges of cybersecurity, it is enterprises that are the first and last line of defense, needing to stay focused on growth and commercial expansion while not risking it all by getting breached and losing trust and material funds.
Whatever challenges 2022 brings, we all need to ensure that we are taking care of the basics: strong preventative measures, clear Incident Response and Disaster Recovery planning, and let’s not forget to take care of our people on the front line! From all of us at SentinelOne, we wish you a happy and secure New Year!
If you would like to learn how SentinelOne can protect your organization, contact us or request a free demo.