Global threat report exposes evolution of e-crime ecosystem

The eighth annual Global Threat Report also outlines new operations and techniques from the big four – Iran, China, Russia and North Korea – breaks down the aftermath of the Log4Shell attacks and shows adversaries are moving beyond malware, as 62 per cent of recent detections were malware-free.

CrowdStrike Intelligence researchers document both the continued evolution of nation-state affiliated and criminal adversaries, as well as the increased sophistication, velocity and impact of targeted ransomware, disruptive operations and cloud-related attacks in 2021.

Key findings in this year's report give organisations the insight required to mature their security strategies and defend their businesses against prolific cyber threats.

The 2021 threat landscape became more crowded as new adversaries emerged.

CrowdStrike Intelligence today tracks more than 170 in total. Notable adversary updates include:

Financially motivated e-crime activity continues to dominate the interactive intrusion attempts tracked by CrowdStrike OverWatch. Intrusions attributed to e-crime accounted for nearly half (49 per cent) of all observed activity.

Iran-based adversaries adopt the use of ransomware as well as "lock-and-leak" disruptive information operations – using ransomware to encrypt target networks and subsequently leak a victim's information via actor-controlled personas or entities.

In 2021, China-nexus actors emerged as the leader in vulnerability exploitation and shifted tactics to increasingly target internet-facing devices and services like Microsoft Exchange. CrowdStrike Intelligence confirmed China-nexus actor exploitation of 12 vulnerabilities published in 2021.

VIEW ALL

Russia-nexus adversary COZY BEAR expands its targeting of IT to cloud service providers in order to exploit trusted relationships and gain access to additional targets through lateral movement. Additionally, FANCY BEAR increases the use of credential-harvesting tactics, including both large-scale scanning techniques and victim-tailored phishing websites.

The Democratic People's Republic of Korea (DPRK) targeted cryptocurrency-related entities in an effort to maintain illicit revenue generation during economic disruptions caused by the COVID-19 pandemic.

E-crime actors – including affiliates of DOPPEL SPIDER and WIZARD SPIDER – adopted Log4Shell as an access vector to enable ransomware operations.

State-nexus actors, including NEMESIS KITTEN (Iran) and AQUATIC PANDA (China), were also affiliated with probable Log4Shell exploitation before the end of 2021.

Adversary tradecraft becomes more sophisticated

The report highlights that the startling growth and impact of targeted ransomware, disruptive operations and an uptick in cloud-related attacks in 2021 was a palpable force felt across nearly every industry and in every country.

CrowdStrike Intelligence observed an 82 per cent increase in ransomware-related data leaks in 2021, with 2,686 attacks as of December 31, 2021, compared to 1,474 in 2020.

The CrowdStrike eCrime Index (ECX) depicts that ransomware attacks were highly lucrative spanning all of 2021.The ECX displays the strength, volume and sophistication of the cyber criminal market, and is updated weekly based on 20 unique indicators of criminal activity, tracking things like "big game hunting" victims, data leaks, and ransom demands.

Over the course of 2021, CrowdStrike’s ECX noted the following:

• CrowdStrike’s observed 2,721 big game hunting incidents last year.
• CrowdStrike Intelligence saw on average over 50 targeted ransomware events per week.
• Observed ransomware-related demands averaged $6.1 million per ransom, up 36 per cent from 2020.

Adversaries are increasingly exploiting stolen user credentials and identity to bypass legacy security solutions – of all detections indexed in the fourth quarter of 2021, 62 per cent were malware-free.

As cyber criminals and nation-states around the world continue to adapt in the changing, interconnected landscape, it's critical that businesses evolve to defend against these threats by integrating new technologies, solutions and strategies, according to Adam Meyers, senior-vice president of intelligence at CrowdStrike.

"The CrowdStrike Falcon platform, powered by the world class intelligence that informs this annual report, offers the full suite of tools necessary to deliver hyper-accurate detections, automated protection and the remediation needed to stop threats in their tracks.

"The annual Global Threat Report paints a picture that shows enterprise risk is coalescing around three critical areas: endpoints, cloud workloads, identity and data, and provides a valuable resource for organisations looking to bolster their security strategy," Meyers concluded.