With more than half the year now behind us, the cyberthreat landscape for 2021 is starting to take shape. According to a wide range of sources that include vendors (Cisco, Palo Alto Networks, Acronis, and others), the FBI, and various cyber security publications (Security Magazine, Security Weekly, Infosecurity Magazine, and CSO Online), there’s a surprising degree of consensus as to the threats that pose the biggest and most persistent dangers. Before we run down that list, defining some terms should put everyone on the same wavelength.
Security Threats and Attacks
In general, a security threat comes from the possibility of malicious activity that may seek to damage or destroy data, steal information of value, or otherwise interfere with or disrupt computer systems and networks. Common cyberthreats include malware (viruses, worms, spyware, ransomware, and so forth), software vulnerabilities (which may be known and cataloged, or as-yet unknown and uncataloged, the latter exploited in so-called “zero-day” attacks), denial of service attacks (including massive distributed denial of service attacks launched from networks of compromised PCs and devices known as “botnets”), and social engineering (which numbers e-mail- and social-media-based phishing and spearphishing among its many types and instances).
Leading CyberThreats in 2021
Though some of the ordering and details differ among the many sources for such information, the following list — each item with its own brief explanation — represents a consensus view of where the big threats are in 2021. The order in which the items appear is not meant to indicate severity, priority, or frequency of occurrence:
- Business E-mail Compromise (BEC): BEC seeks to obtain fraudulent payment from companies by submitting faked or invalid invoices to an organization’s accounting, accounts payable, or finance departments, or by targeting harvested or identifiable individual e-mail addresses within those organizational units. According to the FBI, five types of BEC scam are rampant: bogus invoices; CEO fraud (an e-mail impersonates the CEO and directs employees to wire funds to a specific bank account); account compromise (a stolen executive or employee account is used to request invoice payments to bogus bank accounts); attorney impersonation (an e-mail or phone call is used to obtain funds, or credentials with access to funds); and data theft (HR or accounting employees are targeted for information that is later used for impersonation or theft). Tessian reported on eight sizable BEC scams in June 2021.
- Identity Theft: Involves obtaining personally identifiable information (PII) or account access for individuals or business entities in order to access and steal their financial holdings or instruments (bank accounts, financial services accounts, credit cards, insurance policies, and so forth). Where outright theft of assets is not involved, attackers may file bogus claims or tax returns that redirect payments to the attacker and leave the victim on the hook for restitution or repayment. Javelin Strategy & Research reported in March 2021 that individuals lost US$56B to identity fraud in 2020.
- Ransomware: Malware that encrypts entire systems and requires the owners of affected systems to pay for a decryption key that supposedly restores those systems to normal operation. Though the FBI recommends against paying such ransoms, recent high-profile attacks against Colonial Pipeline and Acer Inc. featured ransom demands of US$50M or more. Ransomware attacks increasingly involve exfiltration of data to the attacker as well as locking down attacked systems, so the level of threat and potential damage keeps escalating.
- Spoofing and phishing: Spoofing is a more general class of impersonation attack (of which BEC may be considered a subclass) in which an e-mail or social media post impersonates a person or organization to seek illicit or invalid payments, or unauthorized access to private, confidential, or proprietary data. The FBI presents this type of cyberthreat as on par with identity theft in terms of scale and scope, though institutions are as likely to be targeted as individuals. Here again, Tessian provides a useful infographic on this phenomenon, which includes stats that the average cost per compromised record is US$150 and the average cost of a data breach is US$3.92M.
- Supply Chain Attacks: A supply chain attack goes after third-party software or suppliers with links into an organization’s systems, as an end run around normal security precautions and protections. With more suppliers and service providers, especially in the cloud, now providing or interacting with organizations’ systems and data, this has become a significant risk for many organizations. Recent high-profile examples of supply chain attacks include the SolarWinds and Microsoft Exchange attacks. Both types of attacks have been linked with state-level actors seeking financial gain and technical advantages.
- Remote access/Remote working attacks: Given the recent pivot in working habits to accommodate remote work scenarios, especially work-from-home (WFH) situations, attackers have increased their attempts to compromise remote access, teleconferencing, and collaboration tools to take advantage of the increased attack surface. Online meeting platforms like Zoom have been the focus of research and reporting on zero-day vulnerabilities since mid-2020. In April 2021, reports of a white hat discovery earned the team that found it US$200K and generated significant news coverage, along with a thank-you from Zoom itself. VPN software and other collaboration platforms and tools are increasingly subject to attack.
- System compromise or takedown: Whether through denial of service or more focused attacks, some attackers seek to render an organization’s systems unusable or unreachable. When they limit or halt access to an organization’s systems, such attacks are sometimes called takedowns. Australian broadcaster Channel Nine went briefly offline in March, unable to air its Sunday news bulletin and other shows. Ransomware can also have the same effect when it disables systems, as was the case for the London-based Harris Foundation, which found its 37,000 students unable to access coursework or email that same month.
- Unsolicited cryptomining: Cryptomining involves consuming CPU resources on PCs to solve the complex mathematical problems used to generate cryptocurrency. Also known as “coin mining,” this practice becomes malicious when cryptomining software gets installed on PCs without the user’s knowledge or consent. Thus, this practice is also called “cryptojacking” or “cryptomining malware.” Cryptojacking can result in sluggish performance on affected (or rather, infected) PCs, and funnels any gains from its use — any cryptocurrency that gets mined as a result — to the attacker, not the victims. In July 2021, a White House press release mentioned cryptojacking as one of the forms of attack in which “hackers working for the PRC Ministry of State Security (MSS)” have engaged.
But Wait, There’s More!
Beyond the items mentioned in the foregoing list, countless other scams and frauds are being actively perpetrated on the public. The FBI’s list of Common Scams and Crimes describes dozens of such attacks on the credulous or ill-informed, many (if not most) of which are carried out primarily online. Organizations and individuals seeking to protect themselves and their assets from such attacks should seek to establish and maintain security awareness at all times. Many organizations make such training part of the new-employee onboarding process and offer periodic refresher classes as well. Companies and organizations that do not already provide security awareness training should make plans to do so. It’s a good investment, not only because it limits exposure to risk and loss, but also because it helps make individuals more security savvy outside work as well.