Fortinet has unveiled predictions from the FortiGuard Labs global threat intelligence and research team about the cyberthreat landscape for 2022 and beyond. Cyber adversaries are evolving and expanding their attack methods to target new areas for exploit spanning the entire attack surface especially as work-from-anywhere continues. They are looking to maximize opportunity from the 5G-enabled edge, to the core network, home, and even satellite internet in space. The forward-looking trends reveal strategies FortiGuard Labs anticipates cyber adversaries will leverage going forward, along with recommendations that will help defenders prepare to protect against these oncoming attacks. Highlights of the predictions follow, but for a more detailed view of the predictions and key takeaways, read the associated blog.
Derek Manky, Chief, Security Insights & Global Threat Alliances, FortiGuard Labs, said, “Cybercriminals are evolving and becoming more like traditional APT groups; zero-day equipped, destructive, and able to expand their techniques as needed to achieve their goals. We will see attacks spanning further outside of the extended network, even into space, as attackers take advantage of a fragmented perimeter, siloed teams and tools as well as a greatly expanded attack surface. These threats will leave overwhelmed IT teams scrambling to cover every possible avenue of attack. To combat these evolving threats, organizations need to adopt a Security Fabric platform founded on a cybersecurity mesh architecture.”
Pre-attack Reconnaissance Increases To Maximize Attacks Like Ransomware
Attacks are often discussed in terms of left-hand and right-hand threats when viewed through an attack chain such as the MITRE ATT&CK framework. On the left side of the attack, chain is efforts spent pre-attack, which includes planning, development, and weaponization strategies. On the right is the more familiar execution phase of attacks. FortiGuard Labs predicts that cyber criminals will spend more time and effort on reconnaissance and discovering zero-day capabilities to exploit new technologies and ensure more successful attacks. Unfortunately, there will also be an increase in the rate at which new attacks can be launched on the right due to the expanding Crime-as-a-Service market.
- Ransomware Will Get More Destructive: There will continue to be a crimeware expansion and ransomware will remain a focus going forward. Ransomware attackers already add to the noise by combining ransomware with distributed denial-of-service (DDoS), hoping to overwhelm IT teams so they cannot take last-second actions to mitigate an attack’s damage. Adding a “ticking time bomb” of wiper malware, which could not only wreck data but destroy systems and hardware, creates additional urgency for companies to pay up quickly. Wiper malware has already made a visible comeback, targeting the Olympic Games in Tokyo, for example. Given the level of convergence seen between cybercriminal attack methods and advanced persistent threats (APTs), it is just a matter of time before destructive capabilities like wiper malware are added to ransomware toolkits. This could be a concern for emerging edge environments, critical infrastructure, and supply chains.
- Cybercriminals Use AI To Master Deep Fakes: Artificial Intelligence (AI) is already used defensively in many ways, such as detecting unusual behavior that may indicate an attack, usually by botnets. Cybercriminals are also leveraging AI to thwart the complicated algorithms used to detect their abnormal activity. Going forward, this will evolve as deep fakes become a growing concern because they leverage AI to mimic human activities and can be used to enhance social engineering attacks. In addition, the bar to creating deep fakes will be lowered through the continued commercialization of advanced applications. These could eventually lead to real-time impersonations over voice and video applications that could pass biometric analysis posing challenges for secure forms of authentication such as voiceprints or facial recognition.
- More Attacks Against Lesser Targeted Systems in the Supply Chain: In many networks, Linux runs many of the back-end computing systems, and until recently, it has not been a primary target of the cybercriminal community. Recently, new malicious binaries have been detected targeting Microsoft’s WSL (Windows Subsystem for Linux), which is a compatibility layer for running Linux binary executables natively on Windows 10, Windows 11, and Windows Server 2019. In addition, botnet malware is already being written for Linux platforms. This further expands the attack surface into the core of the network and increases the threats that need to be defended in general. This has ramifications for operational technology (OT) devices and supply chains in general that run on Linux platforms.
Cybercriminals Target Everywhere—Your Wallet, Space, and Home
The challenge going forward for defenders is far more than just the rising number of attacks or evolving techniques of cyber adversaries. New areas for exploitation are being explored spanning an even broader attack surface. This will be especially difficult because, at the same time, organizations around the world will continue to expand their networks with new network edges driven by work-from-anywhere (WFA), remote learning, and new cloud services. Similarly, in the home, connected learning and gaming are commonplace activities and growing in popularity. This rise in rapid connectivity, everywhere and all of the time, presents an enormous attack opportunity for cybercriminals. Threat actors will shift significant resources to target and exploit emerging edge and “anywhere” environments across the extended network, rather than just targeting the core network.
- Cybercrime Targets Space: FortiGuard Labs expects to see new proof-of-concept (POC) threats targeting satellite networks over the next year as satellite-based internet access continues to grow. The biggest targets will be organizations that rely on satellite-based connectivity to support low-latency activities, like online gaming or delivering critical services to remote locations, as well as remote field offices, pipelines, or cruises and airlines. This will also expand the potential attack surface as organizations add satellite networks to connect previously off-grid systems, such as remote OT devices, to their interconnected networks. As this happens, attack types such as ransomware are likely to follow.
- Guard Your Digital Pockets: Hijacking wire transfers has become increasingly difficult for cybercriminals as financial institutions encrypt transactions and require multi-factor authentication (MFA). Digital wallets, on the other hand, can sometimes be less secure. While individual wallets may not have as big a payoff, this could change as businesses begin to increasingly use digital wallets as currency for online transactions. As this happens, it is likely that more malware will be designed specifically to target stored credentials and to drain digital wallets.
- Esports Are a Target Too: Esports are organized, multiplayer video gaming competitions, often involving professional players and teams. It is a booming industry that is on track to surpass $1 billion in revenue this year. Esports are an inviting target for cybercriminals, whether by using DDoS attacks, ransomware, financial and transactional theft, or social engineering attacks since they require constant connectivity and are often played out of inconsistently secured home networks or in situations with large amounts of open Wi-Fi access. Due to the interactive nature of gaming, they are also targets for social engineering lures and attacks. Given its rate of growth and increasing interest, esports and online gaming are likely to be large attack targets in 2022.
Living Off New Land at the Edge
More edges are being fueled by the growing number of Internet-of-Things (IoT) and OT devices, as well as smart devices powered by 5G and AI that enable the creation of real-time transactions and applications. New edge-based threats will continue to emerge as cybercriminals target the entire extended network as an entry point for an attack. Cybercriminals will work to maximize any potential security gaps created by intelligent edges and advances in computing power to create advanced and more destructive threats at unprecedented scale. And as edge devices become more powerful with more native capabilities, new attacks will be designed to “live off the edge.” An increase in attacks targeting OT, at the edge, in particular, is likely as the convergence of IT and OT networks continues.
- Cybercriminals Thrive Living Off the Land at the Edge: A new edge-based threat is emerging. “Living off the land” allows the malware to leverage existing toolsets and capabilities within compromised environments so attacks and data exfiltration look like normal system activity and go unnoticed. The Hafnium attacks on Microsoft Exchange servers used this technique to live and persist in domain controllers. Living off-the-land attacks are effective because they use legitimate tools to carry out their nefarious activities. The combination of living off the land and Edge-Access Trojans (EATs) could mean new attacks will be designed to live off the edge, not just the land, as edge devices become more powerful, with more native capabilities, and of course, more privilege. Edge malware could monitor edge activities and data and then steal, hijack, or even ransom critical systems, applications, and information while avoiding being detected.
- Dark Web Makes Attacks on Critical Infrastructure Scalable: Cybercriminals have learned that they can make money reselling their malware online as a service. Rather than competing with others offering similar tools, they will expand their portfolios to include OT-based attacks, especially as OT and IT convergence at the edge continues. Holding such systems and critical infrastructure for ransom will be lucrative but could also have dire consequences, including affecting the lives and safety of individuals. Because networks are increasingly interconnected, virtually any access point could be a target to gain entry to the IT network. Traditionally, attacks on OT systems were the domain of more specialized threat actors, but such capabilities are increasingly being included in attack kits available for purchase on the dark web, making them available to a much broader set of attackers.
A Security Fabric Platform Founded on a Cybersecurity Mesh Architecture
The perimeter has become more fragmented and cybersecurity teams often operate in silos. At the same time, many organizations are transitioning to a multi-cloud or hybrid model. All of these factors create a perfect storm for cybercriminals to take a holistic, sophisticated approach. A cybersecurity mesh architecture integrates security controls into, and across, widely distributed networks and assets. Together with a Security Fabric approach, organizations can benefit from an integrated security platform that secures all assets on-premises, in the data center, and in the cloud or at the edge. Defenders will need to plan ahead now by leveraging the power of AI and machine learning (ML) to speed threat prevention, detection, and response.
Advanced endpoint technologies like endpoint detection and response (EDR) can help to identify malicious threats based on behavior. Also, zero-trust network access (ZTNA) will be critical for secure application access to extend protections to mobile workers and learners, while Secure SD-WAN is important to protect evolving WAN edges. In addition, segmentation will remain a foundational strategy to restrict lateral movement of cyber criminals inside a network and to keep breaches restricted to a smaller portion of the network. Actionable and integrated threat intelligence can improve an organization’s ability to defend in real-time as the speed of attacks continues to increase. Meanwhile, across all sectors and types of organizations, shared data and partnership can enable more effective responses and better predict future techniques to deter adversary efforts. Aligning forces through collaboration should remain prioritized to disrupt cybercriminal supply chain efforts before they attempt to do the same.