Bitdefender Looks Ahead at the Threat Landscape of 2021

As 2020 is finally and fortunately coming to an end, here at Bitdefender we're already looking at what next year will bring and getting our defenses ready. While our crystal ball might not be perfect, here is a short list of what we expect in the 2021 cyber-threat landscape:

1. Devastating corporate data breaches start at home

Data breaches are the new normal, and companies spend a great deal of effort trying to put safeguards in place. As more and more people work from home because of the Coronavirus pandemic, employees will take cybersecurity shortcuts for convenience. Insufficiently secured personal devices and home routers, and the transfer of sensitive information over unsecured or unsanctioned channels (instant messaging apps, personal e-mail addresses, cloud-based document processors), will play a key role in data breaches and leaks.

At the same time, pressure on companies' IT and DevOps teams will take its toll: misconfigured servers in cloud infrastructure, inadvertently exposed databases and credentials hardcoded in source code or configuration files will give cyber-criminals further routes to private data.

SMBs are likely to be the most affected by data breaches, as misconfigurations resulting from the rapid transition of employees to remote work will have left behind security blind spots that attackers will likely exploit in the next 12 to 18 months.

2. Firmware attacks become mainstream

As competition in the cybercrime world tightens, malware operators will increasingly focus on burying their creations deeper into compromised systems. Attacks against firmware, previously thought of as extremely complex and difficult to achieve, will likely become mainstream in 2021. Abuse of tools like RwEverything, whose signed kernel driver gives user-mode code read and write access to physical memory and chipset registers, might lead to a significant increase in firmware attacks, particularly on systems where the manufacturer has not locked the SPI flash against writes from the running operating system. Ransomware authors may also target device firmware to brick devices and render a system unusable until victims pay the ransom.

3. Ransomware gangs fight for supremacy

Since 2014, ransomware has been a highly lucrative breed of cyber-crime that inspired bad actors to join the ranks and create a suffocating environment where operators fight for survival. This competition spells nothing good for home or corporate computer users, as diversification and increased sophistication of malware will only make decryption more difficult.

The loaders that deliver ransomware are already undergoing major improvements to ensure timely delivery of payloads. TrickBot, the loader behind many Ryuk ransomware infections, is currently piloting a UEFI (Unified Extensible Firmware Interface) compromise technique that would give it persistence surviving an operating system reinstall or disk replacement, and resistance to removal by conventional tools.
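The check that decides whether a firmware implant is even possible on a given machine is whether the platform locked the SPI flash. The following is an added example (not Bitdefender's code, and not TrickBot's) that decodes the Intel PCH `BIOS_CNTL` and `PRx` (protected range) register values as documented in Intel's PCH datasheets: `BIOS_CNTL` bit 0 `BIOSWE` (BIOS Write Enable), bit 1 `BLE` (BIOS Lock Enable), bit 5 `SMM_BWP` (SMM BIOS Write Protect); `PRx` bit 31 write-protect enable, bits 30:16 range limit and bits 14:0 range base, both in 4 KiB units. Reading the raw values from hardware is out of scope; the function names and the sample register values are constructed for illustration.

```python
"""Judge SPI flash write protection from Intel PCH register values.

Added example, not Bitdefender's code. Bit positions follow the Intel PCH
datasheets (BIOS_CNTL: BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5; PRx: WPE bit 31,
limit bits 30:16, base bits 14:0, in 4 KiB units). Values are passed in as
integers; obtaining them from the chipset (e.g. via chipsec) is not shown.
"""

BIOSWE = 1 << 0   # BIOS Write Enable: host software may write the flash
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes allowed only from SMM


def decode_bios_cntl(value):
    """Split a BIOS_CNTL register value into its three relevant flags."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value):
    """Return (base, limit, write_protect_enabled) for one PRx register."""
    base = (value & 0x7FFF) << 12
    limit = (((value >> 16) & 0x7FFF) << 12) | 0xFFF
    wpe = bool((value >> 31) & 1)
    return base, limit, wpe


def assess(bios_cntl, pr_regs=(), bios_region=None):
    """Classify the write-protection posture of the BIOS region.

    bios_region is an optional (start, end) flash address pair; a PRx range
    only counts if write protection is enabled and it covers the whole region.
    The platform is treated as protected when BLE and SMM_BWP are both set
    (the BIOS_CNTL lock) or when a PRx range covers the BIOS region.
    """
    bits = decode_bios_cntl(bios_cntl)
    findings = []
    if bits["BIOSWE"] and not bits["SMM_BWP"]:
        findings.append("BIOSWE set: flash writable from the OS")
    if not bits["BLE"]:
        findings.append("BLE clear: BIOSWE can be flipped at will")
    elif not bits["SMM_BWP"]:
        # BLE alone relies on the SMI handler clearing BIOSWE again; on a
        # multi-core system another core can write during that window.
        findings.append("SMM_BWP clear: BLE alone can be raced on multi-core systems")

    covered = False
    for pr in pr_regs:
        base, limit, wpe = decode_pr(pr)
        if wpe and bios_region and base <= bios_region[0] and limit >= bios_region[1]:
            covered = True

    protected = (bits["BLE"] and bits["SMM_BWP"]) or covered
    return {"protected": protected, "pr_covers_bios": covered, "findings": findings}


if __name__ == "__main__":
    # Constructed register values, not read from a real machine.
    for label, val in (("locked", 0x2A), ("wide open", 0x01), ("BLE only", 0x02)):
        print(label, assess(val))
    print("PR0 covers BIOS", assess(0x00, pr_regs=[0x87FF0500], bios_region=(0x500000, 0x7FFFFF)))
```

A machine reporting `protected: False` is exactly the kind of target a firmware-capable loader would pick; the fix is a vendor firmware update that sets the lock bits, not anything the operating system can do after boot.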

The ransomware-as-a-service (RaaS) space is crowded, but there is always room for new players. In 2020, many ransomware operators evolved their malware tools to cover data exfiltration, allowing them to blackmail their victims. With Maze having announced their retirement, there’s already a contender for the same slot.

Maze made a name for itself by being among the first to steal data before encrypting the victim's endpoints, then threatening to publish it. Now more operators are deploying the same tactics, and a new RaaS player under the name of MountLocker was spotted ramping up operations and recruiting affiliates in the last few months of 2020. We expect stealing data and then encrypting endpoints to become the norm in 2021, with new operators surfacing to replace Maze.

4. Supply chain, industrial espionage and Advanced Persistent Threats rise

Threat actors will increasingly compromise suppliers rather than attack their well-defended customers directly. Similar to the recent "cold chain" attacks on organizations that transport the Coronavirus vaccine, or the attacks on regulators that handle Coronavirus vaccine documentation, supply chain attacks will become more popular throughout 2021. Whether for political or economic reasons, supply chain attacks will likely affect even industry verticals that have rarely been hit in the past, such as real estate or healthcare.

Targeted attacks on mission-critical industry verticals will rise. Threat actors will increasingly target research, pharma and healthcare in 2021. While ransomware-as-a-service operators will remain the main adversaries, industrial espionage groups will likely join the hunt.

In terms of sophisticated threats, we expect to see more APTs targeting high-profile victims using geo-political lures. Many of these attacks will increasingly revolve around penetration-testing frameworks for privilege escalation, credential gathering, lateral movement and discovery. We also expect these targeted attacks to leverage social engineering primarily for data exfiltration rather than for the reconnaissance and delivery stages of the kill chain.

5. New normal’s new phishing attacks continue

The Coronavirus outbreak and the work-from-home ‘new normal’ served as a catalyst for the evolution of phishing emails. Traditionally, phishing emails were easy to spot because of typos, poor wording, and the lack of authenticity. Only spear phishing emails, which directly targeted specific individuals and organizations, were sophisticated enough to create a sense of legitimacy. All that changed when the pandemic hit, as cybercriminals started focusing on creating mass phishing emails that lack typos, use reader-specific jargon, and even abuse the legitimate logos of the organizations or companies that they’re impersonating. More than that, these new phishing attacks quickly leverage popular topics in the media and exploit the way users have started to engage with financial and delivery companies in a work-from-home context.

The social engineering component of these new phishing campaigns has reached new heights of sophistication, with attackers focusing more on increasing the success rate of their campaigns, rather than boosting the volume of spam sent. This increase in efficacy and sense of legitimacy in phishing campaigns makes it more difficult for the untrained eye to discern fake from real.

Since most of 2020’s phishing campaigns seem to have played on popular themes and topics, this trend will likely continue throughout 2021, with attackers fine-tuning their messages to gain credibility and piggyback on local or global hot topics.

The Coronavirus epidemic will also put additional strain on inboxes and spam filtering technologies. With pressure mounting to administer a COVID-19 vaccine sooner rather than later, users today are scared and anxious. In 2021, many will fall victim to COVID-themed malware and fraudulent offers, which will predominantly arrive by spam and phishing. Fraudsters won’t pass on the opportunity to ask for credit card information under the promise of a COVID-19 vaccine delivered to the victim’s door. Now more than ever, internet users everywhere will have to exercise vigilance whenever they receive a COVID-themed message, whether by email, SMS or phone.

6. Threats/Cybercrime-as-a-service increase

With threats increasingly adopting the as-a-service business model, cybercrime-as-a-service will reach new heights in 2021. Malware developers and cybercriminals will focus more on offering highly specialized and granular services. Obfuscation-as-a-service and even APT-as-a-service will reshape the threat landscape by introducing sophistication in dodging traditional security solutions and expertise in performing highly advanced attacks, all offered to the highest bidder. Organizations will find themselves having to update their threat models to focus on identifying tactics and techniques usually associated with sophisticated threat actors, as the current security stack for SMBs is ill-equipped to handle APT mercenaries.

7. Vulnerable container clouds and vulnerable software lead to new malware standard

Last, but not least, on our predictions list for 2021 are two distinct attack patterns that are quietly but rapidly gaining traction. The investigations we have worked on this year have revealed a significant increase in malware targeting misconfigured or inadvertently exposed containers and container hosts. We expect to see an increase in compromised containers used for anything from crypto-currency miners to pivots into the network.
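The most common way a container host ends up "inadvertently exposed" is a Docker daemon whose API is reachable over TCP without client-certificate authentication: anyone who can reach the port can start a container with the host filesystem mounted, which is how most container cryptominer campaigns get in. The following is an added example (not Bitdefender's code) that audits a Docker `daemon.json` for that misconfiguration. The option names (`hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are Docker's documented daemon options; the two sample configurations are constructed for the example, one weak and one corrected.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated API endpoint.

Added example, not Bitdefender's code. Uses the documented dockerd options
(hosts, tls, tlsverify, tlscacert, tlscert, tlskey). Sample configs below are
constructed, not taken from any real host.
"""
import json

# Weak: API listens on every interface, plaintext, no client auth.
INSECURE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": false
}
"""

# Corrected: bound to one management address, TLS with mandatory client certs.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

WILDCARD_ADDRS = {"", "0.0.0.0", "::", "[::]"}


def _tcp_bind_address(host):
    """Return the address part of a tcp:// listener, or None for other schemes."""
    if not host.startswith("tcp://"):
        return None
    addr = host[len("tcp://"):]
    # Strip the trailing ":port" (works for IPv4, hostnames and [v6] literals).
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def audit_daemon_config(text):
    """Return a list of human-readable findings; empty means no issue found."""
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        bind = _tcp_bind_address(host)
        if bind is None:
            continue  # unix:// and fd:// sockets are governed by file permissions
        if not tls_verify:
            findings.append(f"{host}: TCP API without client-certificate auth (tlsverify unset)")
        if bind in WILDCARD_ADDRS:
            findings.append(f"{host}: API bound to all interfaces")
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} missing; dockerd will fail to start")
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(text) or "OK")
```

Note that a `hosts` list is also commonly set on the `dockerd` command line in a systemd unit rather than in `daemon.json`; the same logic applies, but the audit has to read the unit file too.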

Another important observation concerns the increase in attacks leveraging DLL sideloading (a form of DLL hijacking) against popular, widely distributed applications: the attacker drops a malicious DLL where a legitimate, usually signed, executable will load it in preference to the genuine library. Hijacking the execution flow this way lets attackers run malicious code in the context of a trusted process and bypass firewalls, application allow-lists and other enterprise-grade security software. So far seen mostly in targeted attacks, we expect this technique to become standard in commodity malware as well in 2021.
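Because the sideloaded DLL runs inside a trusted, often signed process, process-level controls do not catch it; what does stand out is the image-load event itself. The following is an added example (not Bitdefender's code) of detection logic run over Sysmon Event ID 7 ("Image loaded") records, using the documented `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields. It flags a DLL that carries the name of a Windows system library but is loaded from outside the Windows directory, and strengthens the verdict when the DLL sits next to the executable or is unsigned. The event records and the list of frequently abused DLL names are constructed for the example; a production list would be much longer.

```python
"""Flag likely DLL sideloading in Sysmon Event ID 7 (Image loaded) records.

Added example, not Bitdefender's code. Field names are Sysmon's documented
Event 7 fields. The sample events and the SYSTEM_DLLS set are constructed for
illustration; tune the set to the imports your fleet's software actually uses.
"""
import ntpath  # handles Windows paths correctly even when run on Linux

# Constructed telemetry, not real events.
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Viewer\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": "true", "Signature": "Vendor Inc.", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Tmp\signed_tool.exe",
     "ImageLoaded": r"C:\ProgramData\Tmp\dbghelp.dll",
     "Signed": "true", "Signature": "Some Other Publisher", "SignatureStatus": "Valid"},
]

# Names of Windows DLLs that many third-party programs import by name and whose
# genuine copies live under C:\Windows; a DLL with one of these names anywhere
# else is the classic sideload layout. Illustrative subset.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
               "dwmapi.dll", "cryptsp.dll", "profapi.dll", "winhttp.dll"}

WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _dirname(path):
    return ntpath.dirname(path).lower()


def sideload_reasons(ev):
    """Return a list of reasons the event looks like sideloading, or None."""
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    dll_dir = _dirname(ev["ImageLoaded"])
    if dll_name not in SYSTEM_DLLS:
        return None
    if any(dll_dir.startswith(w) for w in WINDOWS_DIRS):
        return None  # loaded from where it belongs
    reasons = [f"{dll_name} loaded from {dll_dir} instead of the Windows directory"]
    if dll_dir == _dirname(ev["Image"]):
        reasons.append("DLL sits beside the executable (search-order sideload layout)")
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("DLL is unsigned or its signature is not valid")
    return reasons


def detect(events):
    """Return (Image, ImageLoaded, reasons) for every suspicious load."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in detect(EVENTS):
        print(image, "->", dll)
        for r in reasons:
            print("   ", r)
```

The fourth sample event shows the caveat: a validly signed DLL from an unrelated publisher is still flagged, because the question is not whether the DLL is signed but whether a system library name is being resolved from a user-writable directory.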

8. Upping their game

These three areas will also undergo significant changes as cyber-criminals step up their game:

  • Home routers and computers will continue to get hacked. Threat actors specialized in hijacking devices will either rent access to other groups seeking distributed command and control capabilities or sell them in bulk to underground operators to reuse as proxy nodes to conceal malicious activity.
  • Illegal crypto-mining operations will soar to new heights in 2021. As the world prepares for financial fallout in the aftermath of the Coronavirus epidemic, major crypto-currencies such as Bitcoin, Monero, and Ethereum have gained sharply in fiat value. Cybercrime groups specialized in illegal mining will likely ramp up their efforts in 2021 to infect and covertly mine crypto-currencies on home and datacenter infrastructure.
  • macOS and Android malware is on the rise. In 2020 we documented several high-profile malware campaigns distributed through the Google Play Store. Malware families such as Joker and HiddenAds, along with several banking Trojans, are only the beginning. We expect more such campaigns, including APT campaigns not yet discovered, to surface throughout the next year.