DarkSide launched a string of high-profile attacks, including the Colonial Pipeline incident.
It has also been actively updating its technique, such as with a DarkSide Linux variant targeting VMware ESXi servers.
Attacks From All Angles: 2021 Midyear Cybersecurity Report
Download Attacks From All Angles: 2021 Midyear Cybersecurity Report
In the first half of this year, cybersecurity strongholds were surrounded by cybercriminals waiting to pounce at the sight of even the slightest crack in defenses to ravage valuable assets.
Threats and risks from all angles soon closed in, bringing with them updated tactics and greater motivation to affect targeted industries. These security issues include high-profile modern ransomware attacks, active campaigns, critical vulnerabilities, Covid-19-related scams, and other threats, not to mention developing threats in the cloud and the internet of things (IoT).
We investigate these in our midyear roundup report, "Attacks From All Angles: 2021 Midyear Cybersecurity Report."
To better prepare for the future, let us retrace our steps so far this year in the volatile landscape of cybersecurity.
Where would you like to start?
01
Ransomware
Ransomware continued to evolve as one of the most menacing cyberthreats, amassing over 7 million combined email, URL, and file threat detections. Threat actors moved quickly and aggressively with attacks on critical sectors such as banking, government, and manufacturing.
Banking
Government
Manufacturing
Healthcare
Food and beverage
Top five industries affected by ransomware in the first half of 2021
While some of the operators’ strategies, such as their propensity to target crucial industries, remained constant, many of their tactics evolved drastically and rapidly. Prominent ransomware variants raised the stakes as new families aggravated the risks. Some threat actors were quick to jump in on the opportunity and pretended to be ransomware gangs, such as in the case of a fake DarkSide campaign.
Notable ransomware families
DarkSide
REvil
(aka Sodinokibi)
REvil was wielded in a recent attack on major meat supplier JBS.
In the first half of 2021, Trend Micro file detections for REvil also more than doubled compared to the same period last year.
Hello
Hello, a new ransomware variant, exploits the Microsoft SharePoint vulnerability CVE-2019-0604.
We also found that it deployed the China Chopper web shell to execute PowerShell commands.
Such incidents prompted discussions on the delicate issues of ransom payments, cyber insurance, and potential legislation. There have also been aggressive efforts by authorities and security researchers to take down ransomware gangs, which have led to a string of high-profile arrests such as in the cases of the crackdown on Egregor and Clop operators.
Refined techniques
Ransomware operators expanded their use of legitimate tools. They also upped the ante of their extortion techniques, from encryption to exposure of stolen data, to incorporating distributed denial-of-service (DDoS) attacks and directly badgering customers and stakeholders of victim organizations.
Ransomware multi-extortion techniques
02
Advanced persistent threats (APTs)
APTs were also active as several campaigns were launched in the first half of this year.
The threat groups behind these APTs brandished both tried-and-tested techniques and innovative tactics. The former included the use of spear-phishing emails and malicious scripts, while the latter involved new legitimate platforms, malware variants, and remote access tools (RATs) such as the PlugX loader.
Notable APTs
Team TNT
TeamTNT is at it again, this time targeting Amazon Web Services (AWS) credentials and Kubernetes clusters. These attacks are related to cryptocurrency mining as well.
For the latter, China and the US make up most of the compromised IP addresses.
Water Pamola
We spotted some changes in Water Pamola’s tactics. These consist mainly of a shift to focusing mostly on targets in Japan. Additionally, instead of using spam, attacks are launched by exploiting a cross-site scripting (XSS) vulnerability in a store’s online admin portal.
Earth Vetala
Earth Vetala – MuddyWater launched campaigns against organizations in the Middle East and surrounding regions. They took advantage of legitimate remote admin tools such as ScreenConnect and RemoteUtilities to distribute payloads.
Iron Tiger
Iron Tiger, which is notorious for targeting gambling companies in Southeast Asia, updated its toolkit with an evolved SysUpdate malware variant. The group now also uses five files (instead of three) in its infection routine.
Earth Wendigo
Trend Micro discovered an APT has been targeting organizations in Taiwan since 2019. We dubbed the threat actors as Earth Wendigo. The attacks use spear-phishing emails with malicious JavaScript injected onto a widely used webmail system.
Notable APTs for the first half of 2021
The attack flow of Earth Wendigo’s operation
03
Vulnerabilities
Notable vulnerabilities made headlines as researchers scurried to patch affected systems before these flaws could pose dangers and disrupt work setups, including remote ones.
ProxyLogon
A hacking incident attributed to the Hafnium group saw the exploitation of four zero-day vulnerabilities in the on-premises versions of Microsoft Exchange Server. These vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, collectively dubbed as ProxyLogon.
Microsoft SharePoint vulnerabilities
Five notable remote code execution (RCE) vulnerabilities also affected Microsoft SharePoint, an online document management and storage platform that can also be used in remote work setups.
| CVE-2021-24066 | Workflow Deserialization of Untrusted Data Remote Code Execution Vulnerabilit |
| CVE-2021-27076 | InfoPath List Deserialization of Untrusted Data Remote Code Execution Vulnerability |
| CVE-2021-31181 | WebPart Interpretation Conflict Remote Code Execution Vulnerability |
| CVE-2021-28474 | Server-Side Control Interpretation Conflict Remote Code Execution Vulnerability |
| CVE-2021-26420 | WorkflowCompilerInternal Exposed Dangerous Function Remote Code Execution Vulnerability |
Microsoft SharePoint RCE vulnerabilities for the first half of 2021
VPN vulnerabilities
As work-from-home (WFH) setups continue to persist, virtual private networks (VPNs) remain a vital tool for ensuring security. Detections for these vulnerabilities continued to proliferate, with some spikes compared to the same period last year.
Fortinet | Pulse Secure | Citrix Systems | |||||
CVE-2018-13379 | CVE-2019-11510 | CVE-2019-11539 | CVE-2019-19781 | ||||
2020 | Jan | 15,834 | 88,506 | 9 | | 856 | 287 |
| Feb | 9,864 | 66,164 | 12 | | 52 | 19 |
| Mar | 14,910 | 63,716 | 115 | | 118 | 18 |
| Apr | 18,312 | 62,862 | 69 | | 2,703 | 1 |
| May | 20,897 | 60,791 | 60 | | 2,921 | 7 |
| Jun | 27,110 | 39,994 | 123 | | 2,783 | 5 |
2021 | Jan | 113,330 | 45,937 | 787 | | 1,388 | 3 |
| Feb | 77,853 | 15,627 | 488 | | 579 | 761 |
| Mar | 75,785 | 27,876 | 566 | 1 | 713 | 158 |
| Apr | 68,651 | 21,440 | 956 | | 988 | 5 |
| May | 70,083 | 15,230 | 508 | | 650 | 5 |
| Jun | 61,467 | 9,558 | 301 | 11 | 418 | 15 |
Detections for VPN vulnerabilities for the first half of 2020 and the first half of 2021
PrintNightmare
“PrintNightmare” is the name attributed to CVE-2021-1675, a critical Windows Print Spooler vulnerability that allows arbitrary code execution with system-level privileges. The accidental leak of a proof-of-concept exploit code triggered a race to patch this vulnerability as soon as possible.
All in all, the number of vulnerability detections showed a small decrease, with a notable decline in critical vulnerabilities.
| Severity | 1H 2021 Count | 1H 2020 Count |
| Critical | 16 | 121 |
| High | 553 | 547 |
| Medium | 107 | 76 |
| Low | 94 | 42 |
| Total | 770 | 786 |
Half-year comparison of the severity breakdown, based on the CVSS of vulnerabilities disclosed via our Zero Day Initiative (ZDI) program.
Source: Trend Micro ZDI program
04
Covid-19-related scams and other threats
Even amid a pandemic, it’s business as usual for many threat actors as they either continue unleashing new threats or refurbish current ones. Some cybercriminals directly took advantage of the pandemic, using the uncertainty and distress brought about by the situation for social engineering ammunition in crafting their scams.
Covid-19-related threats
As vaccination programs continue to be rolled out across the globe, threats related to Covid-19 vaccines proliferate as well. These involve malicious files, emails, text messages, misinformation sites, and phishing pages. The usual targets are telecommunications, banking, retail, government, and finance sectors.
United States
Germany
Colombia
Italy
Spain
Others
The top countries affected by Covid-19-related threats in the first half of 2021
Active threats
XCSSET
XCSSET targets Mac users and infects Xcode projects. A few months into the year, threat actors updated XCSSET with features that let it adapt to both ARM64 and x86_x64 Macs. The malware also gained the ability to harvest sensitive information from certain websites, including cryptocurrency-trading platforms.
PandaStealer
PandaStealer is a new information stealer that can gather sensitive information like private keys and records of past transactions from a target’s digital currency wallets. It can also harvest credentials from other applications, take screenshots, and exfiltrate data from browsers. It is mainly propagated through spam emails that request business quotes.
05
Cloud and the Internet of Things (IoT)
Circumstances brought about by the pandemic catalyzed the adoption of online systems powered by technologies such as the cloud and the IoT. However, these domains come with their own sets of threats and risks.
Cloud
Some prominent threats this year include TeamTNT attacks. At the start of the year, we uncovered that the threat actors behind TeamTNT were targeting certain cloud systems:
- AWS credentials. TeamTNT stole AWS credentials through a binary containing a hard-coded shell script. Over 4,000 instances were compromised.
- Kubernetes clusters. TeamTNT compromised Kubernetes clusters in the wild. Almost 50,000 IP addresses were affected across multiple clusters.
The IoT
We uncovered risks in various facets of the IoT, including Long Range Wide Area Network (LoRaWAN), 5G, and routers.
LoRaWAN
While useful in enterprises and smart cities, LoRaWAN devices are not immune to compromise. After finding exploitable vulnerabilities in these devices, we created the LoRaPWN tool for assessing the security of LoRaWAN communications.
5G
Establishing 4G/5G campus networks for enterprises comes with risks. To study these perils, we identified several attack scenarios including DNS hijacking, MQTT hijacking, Modbus/TCP hijacking, downloading or resetting unprotected programmable logic controllers (PLCs), remote desktop, and SIM swapping.
Routers
Routers have always been plagued with security issues. We analyzed router infections and found VPNFilter, an IoT botnet, to be one of the most prominent threats. To compromise routers and storage devices, VPNFilter uses backdoor accounts and various exploits.
06
Threat
Landscape
40,956,909,973
Overall number of threats blocked for the first half of 2021
Blocked email threats
Q1
Q2
Blocked malicious files
Q1
Q2
Blocked malicious URLs
Q1
Q2
Email reputation queries
Q1
Q2
File reputation queries
Q1
Q2
URL reputation queries
Q1
Q2
Download our full report to gain insights into the pressing cyberthreats and risks that plagued the first half of 2021 and learn more about our expert security recommendations for users and enterprises.
HIDE
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Cellular IoT Vulnerabilities: Another Door to Cellular Networks
Today’s Cloud and Container Misconfigurations Are Tomorrow’s Critical Vulnerabilities
The Artificial Future: Trend Micro Security Predictions for 2025
The Realities of Quantum Machine Learning