Cyberattacks are often discussed in terms of left-hand and right-hand threats when viewed through an attack chain such as the MITRE ATT&CK framework.
On the left side of the attack chain are efforts spent pre-attack, which includes planning, development, and weaponization strategies.
On the right is the more familiar execution phase of attacks. FortiGuard Labs predicts that cyber criminals will spend more time and effort on reconnaissance and discovering zero-day capabilities to exploit new technologies and ensure more successful attacks.
Fortinet also expects an increase in the rate at which new attacks can be launched on the right due to the expanding Crime-as-a-Service market.
Cyber adversaries are evolving and expanding their attack methods to target new areas for exploit spanning the entire attack surface especially as work-from-anywhere continues. They are looking to maximize opportunity from the 5G-enabled edge to the core network, home, and even satellite internet in space.
Ransomware will get more destructive
There will continue to be a crimeware expansion and ransomware will remain a focus going forward. Ransomware attackers already add to the noise by combining ransomware with distributed denial-of-service (DDoS), hoping to overwhelm IT teams so they cannot take last-second actions to mitigate an attack’s damage.
Adding a “ticking time bomb” of wiper malware, which could not only wreck data but destroy systems and hardware, creates additional urgency for companies to pay up quickly.
Given the level of convergence seen between cybercriminal attack methods and advanced persistent threats (APTs), it is just a matter of time before destructive capabilities like wiper malware are added to ransomware toolkits.
This could be a concern for emerging edge environments, critical infrastructure, and supply chains.
Cybercriminals Use AI To Master Deep Fakes: Artificial Intelligence (AI) is already used defensively in many ways, such as detecting unusual behaviour that may indicate an attack, usually by botnets. Cybercriminals are also leveraging AI to thwart the complicated algorithms used to detect their abnormal activity.
Going forward, this will evolve as deep fakes become a growing concern because they leverage AI to mimic human activities and can be used to enhance social engineering attacks. In addition, the bar to creating deep fakes will be lowered through the continued commercialization of advanced applications.
These could eventually lead to real-time impersonations over voice and video applications that could pass biometric analysis posing challenges for secure forms of authentication such as voiceprints or facial recognition.
More attacks against lesser targeted systems in the supply chain: In many networks, Linux runs many of the back-end computing systems, and until recently, it has not been a primary target of the cybercriminal community.
New malicious binaries have been detected targeting Microsoft’s WSL (Windows Subsystem for Linux), which is a compatibility layer for running Linux binary executables natively on Windows 10, Windows 11, and Windows Server 2019.
Also, botnet malware is already being written for Linux platforms. This further expands the attack surface into the core of the network and increases the threats that need to be defended in general. This has ramifications for operational technology (OT) devices and supply chains in general that run on Linux platforms.
Everything is a target
The challenge going forward for defenders is far more than just the rising number of attacks or evolving techniques of cyber adversaries. New areas for exploitation are being explored spanning an even broader attack surface.
This will be especially difficult because, at the same time, organizations around the world will continue to expand their networks with new network edges driven by work-from-anywhere (WFA), remote learning, and new cloud services.
Similarly, in the home, connected learning and gaming are commonplace activities and growing in popularity. This rise in rapid connectivity, everywhere and all the time, presents an enormous attack opportunity for cybercriminals.
Threat actors will shift significant resources to target and exploit emerging edge and “anywhere” environments across the extended network, rather than just targeting the core network.
Living off and at the Edge
A new edge-based threat is emerging. "Living off the land" allows the malware to leverage existing toolsets and capabilities within compromised environments so attacks and data exfiltration look like normal system activity and go unnoticed.
The Hafnium attacks on Microsoft Exchange servers used this technique to live and persist in domain controllers. Living off-the-land attacks are effective because they use legitimate tools to carry out their nefarious activities.
The combination of living off the land and Edge-Access Trojans (EATs) could mean new attacks will be designed to live off the edge, not just the land, as edge devices become more powerful, with more native capabilities, and of course, more privilege.
Edge malware could monitor edge activities and data and then steal, hijack, or even ransom critical systems, applications and information while avoiding being detected.
Scalable attacks against critical infrastructure
Cybercriminals have learned that they can make money reselling their malware online as a service. Rather than competing with others offering similar tools, they will expand their portfolios to include OT-based attacks, especially as OT and IT convergence at the edge continues.
Holding such systems and critical infrastructure for ransom will be lucrative but could also have dire consequences, including affecting the lives and safety of individuals. Because networks are increasingly interconnected, virtually any access point could be a target to gain entry to the IT network.
Traditionally, attacks on OT systems were the domain of more specialized threat actors, but such capabilities are increasingly being included in attack kits available for purchase on the dark web, making them available to a much broader set of attackers.
Derek Manky, chief, security insights & global threat alliances at FortiGuard Labs says cybercriminals are evolving and becoming more like traditional APT groups; zero-day equipped, destructive, and able to expand their techniques as needed to achieve their goals.
“We will see attacks spanning further outside of the extended network, even into space, as attackers take advantage of a fragmented perimeter, siloed teams and tools as well as a greatly expanded attack surface,” he continued.
He added that these threats will leave overwhelmed IT teams scrambling to cover every possible avenue of attack. To combat these evolving threats, organizations need to adopt a Security Fabric platform founded on a cybersecurity mesh architecture.