Wednesday 23rd December 2020

BLOG: 2021 Predictions


2020 has been a tough year for us all, with many of us facing unprecedented and truly unpredictable challenges. While we cautiously assess 2021 won’t bring challenges as severe as 2020, this piece looks at some of the cyber threat trends that are likely to shape the coming year.

Many long-term activities are highly likely to continue unchanged, such as nation-state espionage activity – the importance of which has been arguably heightened as global lockdowns likely make human intelligence more difficult – and mass engagement in low-level but widespread cybercrime like phishing and spam campaigns.

Nevertheless, in 2021 we are likely to see some more nuanced developments emerging. Using the trends established in 2020 and data collected throughout the year, our analyst team have made some educated guesses on how the cyber threat landscape will change – or not change – throughout 2021.

We predict that:

  • The use of supply chain compromise as an infection vector will increase by at least 25%.
  • Ransomware groups will speed up operations by adopting new TTPs.
  • The number of notable hack-for-hire groups will rise by at least 50%.
  • The onset of the hybrid work environment will further drive targeting of remote access solutions.
  • The number of IoT-related incidents will increase by at least 50%.
  • Automated scanning events will remain higher than pre-COVID levels and pivot to focus on IoT devices.

The use of supply chain compromise as an infection vector will increase by at least 25%

The recent suspected Russian state supply chain compromise of software provider SolarWinds has reaffirmed that this vector is increasingly among the most significant for companies to consider. While the extent of the breach is still being calculated, the stealthy and persistent access it provided into the networks of SolarWinds’ customers will be hard to detect and definitively remediate. Supply chain compromise has the potential to damage virtually every industry, from facilitating geopolitical espionage to shutting down manufacturing plants.

Given their potential utility, supply chain compromises are highly desirable for threat actors. According to our repository of intelligence reports, since 2017 incidents of supply chain compromise have been increasing in both volume and severity year-on-year, with a total of 13 incidents analysed by us in 2020. We predict that both these metrics will increase further into 2021, especially as remote working is poised to continue indefinitely and many companies will thus continue to use various third-party products for remote access and management purposes. This complex network of third-party products, many of which will require administrator access and remote connections, exponentially broadens a target’s attack surface.

Prediction: The observable use of supply chain compromise as an infection vector will increase from our 2020 figure of 13 incidents by at least 25% throughout the course of 2021, with threat actors looking to capitalise on complex vendor-consumer ecosystems necessitated by remote working and the dawn of the ‘hybrid’ workplace environment later in the year.

Ransomware groups will speed up operations by adopting new TTPs

Big game hunting ransomware has been one of the key issues of 2020, with public and private sector organisations like Universal Health Services hospitals and IT services giant Cognizant facing multi-million dollar ransom demands, and the double extortion tactic of stealing and leaking data alongside encrypting systems now well-established. Ransomware operators are also constantly developing new techniques, such as executing payloads within virtual machines, and thus are among the most sophisticated and capable cybercriminal groups.

Despite potential government plans to penalise those who pay ransoms to sanctioned groups, it is estimated that around 25% of ransomware victims choose to pay the ransom, with the average ransom demand increasing to around USD 1 million per incident. Furthermore, increasing numbers of companies are beginning to take out cyber insurance policies which specifically cover the costs of ransom payments. Public disclosure of a relationship with a cyber insurance firm may also help ransomware operators target companies with such policies, thus increasing the chance of a pay-out. Big game hunting ransomware is therefore clearly profitable – especially with added double extortion tactics – and thus unlikely to disappear anytime soon.

There have, however, been several instances this year where ransomware infections have been detected early, such as US storage operator Americold identifying an initial infection and shutting down its systems to prevent propagation and encryption of the entire network. If ransomware operators fail to properly disrupt their victim or remain undetected long enough to find and exfiltrate sensitive data, they are less likely to successfully extort a large ransom payment. It is therefore essential for ransomware operators to not only establish persistence on a network and avoid immediate detection, but to also move swiftly once the infection process is initiated.

Prediction: The majority of sophisticated ransomware operators will focus on reducing dwell time on infected networks through tactics like extensive prior reconnaissance, obtaining credentials for lateral movement and using malware designed to encrypt whole networks as fast as possible.

The number of notable hack-for-hire groups will rise by at least 50%

A notable development in late 2020 has been the rising prominence of so-called ‘hack-for-hire’ groups conducting intrusion and espionage campaigns on behalf of customers in a wide range of industries and geographies. Orpheus conducted in-depth analysis on a total of 5 distinct and notable hack-for-hire groups this year, compared to 0 in previous years, demonstrating the growth of this subsection of cybercrime.

Both the private and public sector are clearly making increasing use of hack-for-hire services. Groups like DeathStalker and RedCurl appear to operate in the service of private entities, having targeted law firms, financial institutions and other organisations in pursuit of confidential and sensitive business information. In contrast, the Bahamut group has targeted NGOs, journalists, diplomatic staff and human rights activists across the Middle East, with this targeting rationale suggesting a commission by the Iranian regime.

As illustrated by our data in Figure 1, the vast majority of publicly recorded hack-for-hire operations show an overwhelming focus on intellectual property theft and intelligence collection, demonstrating the use of these services primarily for political and corporate espionage.

Figure 1: Orpheus’ data shows hack-for-hire operations have an overwhelming focus on IP and information theft.

There are numerous benefits to using hack-for-hire services. Operating via a third party can, for example, effectively increase the capabilities of less-skilled entities. Outsourcing services can also save resources and reduce the need to develop or maintain high-level in-house offensive cyber capabilities. Furthermore – and of greater utility for nation-states – using hack-for-hire groups adds another degree of separation from the actual operation, allowing entities to plausibly deny involvement.

Prediction: Given these benefits and the general upwards trend observed this year, we predict that the number of observable hack-for-hire groups will rise from 5 by at least 50%.  

The onset of the hybrid work environment will further drive targeting of remote access solutions

The onset of the COVID-19 pandemic early in 2020 enforced a rapid and unprecedented shift to remote working, with threat actors accordingly ramping up targeting of remote access services like Remote Desktop Protocol (RDP) ports, Virtual Network Computing (VNC) systems and Virtual Private Network (VPN) gateways. This trend was discussed in one of our recent blogs, and is showcased by honeypot data in Figure 2.

Figure 2: Malicious scanning of VNC honeypots increased drastically in 2020 in comparison to 2019, especially since the outbreak of the COVID-19 pandemic in March.

The economic downturn accompanying the pandemic may also de-prioritise cyber security spending, exacerbating pre-existing issues such as poor security awareness and slow and ineffective patching cycles. Such developments provided cybercriminals and nation-states alike with the opportunity to exploit known RDP and VPN vulnerabilities, such as CVE-2019-11510, a critical-severity arbitrary file read flaw in the Pulse Connect Secure VPN solution.

Even as states begin vaccination programmes in the hope of lifting restrictions next year, office life as we know it is unlikely to make a comeback: the vast majority of firms, including giants like Microsoft, intend to implement hybrid work environments as the norm, allowing employees to work from the office, from home or anywhere with an internet connection. Far from 2021 heralding a mass return to the office and a reduction in the size of a company’s attack surface, many companies will still be dependent on remote access solutions – a trend likely to continue well into the future.

Prediction: We forecast that targeting of remote access services will continue to remain at elevated levels compared to the pre-COVID era, consistently remaining between approximately 60,000-160,000 events per month.

The number of IoT-related incidents will increase by at least 50%

The fifth generation of mobile technology, 5G, is increasingly commercially available, and likely to be adopted in droves by individuals and businesses alike over the course of 2021.

5G has many benefits, such as faster response times, better power conservation and greater reliability. While 5G definitely won’t give you COVID-19, its benefits are shadowed by a number of very real security risks. 5G’s software-based architecture and virtualisation of higher-level network functions increase its attack surface. In 2019, researchers demonstrated 5G’s vulnerability to man-in-the-middle and mobile network mapping attacks, as well as vulnerabilities in 5G’s HTTP/2 protocol that allow attackers to impersonate network services and remotely access user data. There is also an increased potential for supply chain compromise if an attacker gains control of the software managing the 5G network.

One of the biggest security risks associated with 5G, however, is its enabling of billions of Internet of Things (IoT) devices. The number of IoT devices is expected to reach 43bn by 2023, and 5G will play a fundamental role in enabling huge numbers of such devices, including low-complexity devices such as environmental sensors and utility meters.

IoT devices are for the most part manufactured with a focus on efficiency, size and battery life rather than security and privacy: many are either unsecured or use default admin passwords, making them relatively easy to compromise. Unsecured IoT devices are also a way for threat actors to pivot onto accompanying Wi-Fi networks, facilitating lateral movement across the network. There are currently no standardised security or privacy regulations for IoT devices, compounding this issue.

These security shortfalls mean IoT devices are already an attractive target, with peer-to-peer botnets like Mozi and Dark_nexus infecting and harnessing IoT devices for use in large-scale DDoS attacks.

Figure 3: Our database of intelligence reports shows a trending increase in the number of IoT-specific incidents from 2018 to 2020.

5G’s role in attaching and enabling billions of these devices will greatly increase the IoT-associated attack surface for both individuals and corporations, and with it maximise the chances of successful compromise.

Prediction: We will see at least a 50% increase in the number of IoT-related intelligence reports in our repository.

Automated scanning events will remain higher than pre-COVID levels and pivot to focus on IoT devices

Orpheus continuously collects data from various honeypot services spanning back to 2016, giving us insight into trends like an increase in automated scanning for unpatched vulnerabilities. Data from January 2018 to November 2020 shows an average monthly increase in malicious scanning events of 31.7%, with a notable jump correlating with the onset of COVID-19 lockdowns and enforced working-from-home policies from March 2020.

Figure 4: Honeypot data from 2018 shows a sharp spike in malicious scanning events, in correlation with enforced WFH policies as of March 2020

In particular, data suggests that from March 2020, scanning for vulnerabilities or misconfigurations in remote access solutions like remote desktop and file transfer protocol ports saw an above-average increase, indicating that threat actors were moving quickly to capitalise on hastily implemented remote working solutions.

While working from home protocols largely explain the 2020 increase in malicious events, the general upwards trend can be partly explained by the increasing numbers of Internet of Things (IoT) devices in use across the internet. As we explain elsewhere in this blog piece, IoT devices are set to become almost ubiquitous in the next few years – threat actors will likely capitalise on these increasing numbers by upping automated scanning for open and vulnerable ports with the view to infecting large numbers of these often unsecured devices. One such example is the infamous Yunni iLnkP2P exploit (CVE-2020-11220) that allowed the takeover of more than 2 million IoT devices in China last year.

Prediction: The number of malicious scanning events will consistently remain at over 150,000,000 events per month and at least half will focus on targeting IoT-related ports and vulnerabilities.
