Nothing is more difficult than making predictions. For this reason I did not do any “predictions for 2021 cyber security” posting before year 2021 started. Instead of trowing out wild ideas what might be coming, I have collected here some trends other people have predicted or reported.
The State of internet security in 2020 was hard. The trends that stormed last year will continue long to 2021: “Rapidly accelerated digital transformations, opportunistic phishing campaigns, discontinuity of information security operations and financial constraints are creating the perfect storm in a COVID-19-disrupted world.” Last year trend was Instead of ‘bring your own device’, these days it’s rather ‘bring your own office’.
2020 was a bumper year for cybercriminals, and this boom is expected to continue into 2021. 2021 Cybersecurity and IT Failures Roundup article presents you Lessons learned from the many failures, interruptions, crimes and other IT-related setbacks that made the news in 2020. Smart cyber security people have read about them and learned their lesson.
Kaspersky’s top three cybersecurity predictions for 2021 are increase in targeted attacks, attacks that are more disruptive exploiting contemporary issues and we will continue to have frequent and significant data breaches. I can pretty much agree on those. Cybersecurity must adapt to counter new threats in a transformed world
Head of Europol’s European Cybercrime Centre: there are no systems that cannot be breached article says that humankind has to choose between evolution by digitization, and stagnation. Naturally, the world is moving ahead. We can’t be naive and expect that bad things will not happen along with it. “We can’t be naive and expect that bad things will not happen along with it. Resilience is important.”
In 2021 Trend Micro predicts that cybercriminals will look to home networks as a critical launch pad to compromising corporate IT and IoT networks. New Cybersecurity Threat Predictions for 2021 article points out the the traditional network perimeter has been replaced with multiple edge environments, WAN, multi-cloud, data center, remote worker, IoT, and more, each with its unique risks.
DDoS attacks: Big rise in threats to overload business networks. Cyber attackers are threatening to take organisations offline with DDoS attacks if they aren’t paid bitcoin by a deadline – but victims are being urged not to give in to demands.
One sure bet is that ransomware attacks will only escalate further over this year. Pay-or-Get-Breached Ransomware Schemes Take Off in 2021. In 2020, ransomware attackers moved quickly to adopt so-called “double extortion” schemes, which means that first they encrypt your data so you can’t access it and then they say they will publish your most secret data for other people to see if you don’t pay up. Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data.
Modern cybercrime is becoming increasingly open-sourced which means that already some of the most sophisticated and notorious cybercriminals are utilizing open-source tools to conduct their criminal activities and this will increase.
Trend Micro survey results claim that AI set to replace humans in cybersecurity by 2030. I am just wondering what this claim means and have people who have answered to the survey really understood AI and cyber security? My predictions is that we will need humans and AI and even traditional solutions for a long long time.
The lack of people with cyber security skills is still a problem for many companies because AI will not replace them any time soon. There are different views how the situation has developed. Cybersecurity Skills Shortage Falls for First Time article claims that that shortfall in skills has therefore dropped from 4.07 million last year to 3.12 million. As The End Of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse article says that information technology industry has a real problem on its hands – and it’s only getting worse. While cybercrime grows exponentially, businesses are facing a severe cybersecurity talent drought. The supply of available, qualified security professionals is insufficient and the competition for services has dramatically increased. Some companies try to make claims that they have invented a “silver bullet” for educating cyber professionals like This educator claims to have invented an entertaining way to learn cybersecurity. Some of the cyber security issues move to cloud, so we need more people who know security and cloud. The Cloud Talent Drought Continues (And Is Even Larger Than You Thought)
Hackers leverage sophisticated and novel techniques to break into networks article tells that recent SolarWinds and JetBrains attacks are prime examples of why state-sponsored attacks are so dangerous. The hackers leveraged sophisticated, novel techniques to break into networks and obtain backdoor access to government agencies and enterprises. Expect to see more break-ins connected to those incidents and expect more similar incidents that have not just year been revealed.
Want to avoid having your online accounts hacked? Enable two-factor authentication. Better than the best password: How to use 2FA to improve your security article tells that this is a crucial security measure that requires an extra step when signing in to high-value services. The article explains how to set up 2FA and which accounts to focus on first.
A new version of OWASP Top-10 is coming this year. OWASP Top-10 2021 Statistics-based proposal article tries to make an OWASP Top-10 2021 predictions calculated by understandable metrics, make everyone able to reproduce the results, and present to an entire community for the feedback.
Privacy is an illusion. But that‘s a good thing article says that everyone’s information is available. It doesn’t matter who you are. Some people would pay lots of money to get that privacy illusion back and some just don’t care. With the Death of Cash, Privacy Faces a Deeply Uncertain Future article says that in One Future We have a Private, Anonymous Alternative to Cash but in the Black Mirror Future the Money in Your Pocket Knows Everything About You. Cash is dying that’s for sure. There are still ways to sen anonymous emails and it is a good idea to prepare to your digital life after death.
Ransomware attacks will explode in 2021 article claims that the Capitol riot and its aftermath makes the case for tech regulation more urgent, but no simpler. Against increased regulation there are freedom of speech sounding issues like Should Jack Dorsey be able to silence the president of the United States? Whether the storming of the US Capitol was an attempted coup, an insurrection, or an assault on democracy is merely a question of semantics. The US is now the focus of global instability. EU chief warns over ‘unfiltered’ hate speech and calls for Biden to back rules for big tech.
Legal requirements for IoT security start to emerge article tells that legislative activities are starting to make security a legal requirement for consumer IoT designs to have vaguely defined “reasonable security features”. US Government is beginning to create legislation mandating IoT security. The US House of Representatives, for instance, introduced H.R. 1668 – The Internet of Things Cybersecurity Improvement Act of 2020. There are NIST recommendations such as NISTIR 8259 — Foundational Cybersecurity Activities for IoT Device Manufacturers. EU introduces a cyber security IoT standard to protect its citizens and ENISA Publishes Guidelines on Securing the IoT Supply Chain.
7 Cybersecurity Predictions for Smart Buildings and Infrastructure for 2021: Continuous patch management and security updates, OT transparency for IT stakeholders, Natively secure OT network, Cloud-based access to remote sites instead of VPN, Zero touch onboarding, More cybersecurity in small facilities, Certified cybersecurity products and solutions.
IoT security is still complicated. For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. 6 essential activities to help developers build in IoT cybersecurity article gives some ideas to improve cyber security in your IoT development.
2,202 Comments
Tomi Engdahl says:
Mitä kyberanalyytikko tekee kyberhyökkäyksen aikana? Osallistu avoimeen kyberharjoitukseen ja kokeile!
https://www.epressi.com/tiedotteet/tietoturva/mita-kyberanalyytikko-tekee-kyberhyokkayksen-aikana-osallistu-avoimeen-kyberharjoitukseen-ja-kokeile.html
Jyväskylän ammattikorkeakoulun (Jamk) Euroopan laajuinen Flagship 2
- -kyberharjoitus järjestetään myös avoimena harjoituksena, jossa kybertuvallisuudesta kiinnostuneet pääsevät kyberanalyytikoksi keskelle simuloitua kyberhyökkäystä. Jyväskylän ammattikorkeakoulu järjestää tammikuussa kyberturvallisuusharjoituksen, johon odotetaan osallistujia 22 Euroopan maasta. Osallistujien tehtävänä on löytää merkkejä uhkatoiminnasta ja teknisesti tutkia tapahtunutta kyberhyökkäystä, sekä pohtia sen vaikutusta organisaation ydintoimintaan. Harjoitukseen voivat osallistua ensimmäistä kertaa myös hanketoiminnan ulkopuoliset henkilöt.
Tomi Engdahl says:
Asset Visibility Maps Relationships and Communication Pathways in OT Environments https://www.dragos.com/blog/industry-news/asset-visibility-maps-relationships-and-communication-pathways-in-ot-environments/
Experienced cybersecurity professionals will tell you that you can’t secure the systems you don’t know about, which is why asset visibility is so crucial no matter what kind of technology infrastructure you’re defending. Asset visibility in industrial control system (ICS) environments provides industrial asset owners and operators and security staff with the knowledge and insight necessary to build a mature operational technology (OT) cybersecurity program. When organizations can get accurate and timely views into the assets running on their industrial networks, the benefits are cascading.
Tomi Engdahl says:
Ransomware Evolution: From WannaCry to DarkSide
https://medium.com/technology-hits/ransomware-evolution-from-wannacry-to-darkside-1dab07c4d890
2021 is coming to an end. And for cybersecurity, this is a busy year (which wasn’t?). Ransomware attacks are steep upward, and the gradient isn’t softening its progression. Individuals and organizations continue to fall victim to this age-old cybercrime and it’s far from a new phenomenon. If you are not new to the industry, you should remember that the last peak of attention on this issue was in 2017, when the infamous WannaCry ransomware devastated companies. However, comparing what we are facing this year with those in 2017, we saw a giant leap in the business model and the malware themselves.
Tomi Engdahl says:
Global Cyberattacks from Nation-State Actors Posing Greater Threats
https://threatpost.com/global-cyberattacks-nation-state-threats/177253/
Casey Ellis, CTO at Bugcrowd, outlines how international relations have deteriorated into a new sort of Cold War, with espionage playing out in the cyber-domain.
Tomi Engdahl says:
More than 1, 200 phishing toolkits capable of intercepting 2FA detected in the wild
https://therecord.media/more-than-1200-phishing-toolkits-capable-of-intercepting-2fa-detected-in-the-wild/
A team of academics said it found more than 1, 200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes. To counter this new trend in account security protections, since at least 2017, threat actors started adopting new tools that would allow them to bypass 2FA by stealing a user’s authentication cookies, which are files created inside a web browser once the user has logged into an account after the 2FA process was completed.
Tomi Engdahl says:
The Need for Survivable, Trustworthy Secure Systems
https://www.securityweek.com/need-survivable-trustworthy-secure-systems
Cybersecurity and cyber resilience measures are most effective when applied in concert
As 2021 draws to an end, security practitioners are scrambling to address multiple vulnerabilities identified in the widely used Apache Log4j Java-based logging tool that impact hundreds of millions of devices and software applications. These security holes (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105) expose many organizations to attacks and exploitation, illustrating once more that there is no silver bullet when it comes to protecting against cyber-attacks. More and more security professionals acknowledge that modern enterprise infrastructures are made up of large and complex entities, and therefore will always have flaws and weaknesses that adversaries will be able to exploit. In this context, they propagate the concept of cyber resilience to ensure that an adverse cyber event (intentional or unintentional, i.e., due to failed software updates) does not negatively impact the confidentiality, integrity, and availability of an organization’s business operations. But how does this compare to traditional cybersecurity practices?
Cybersecurity applies technology, processes, and measures that are designed to protect systems (e.g., servers, endpoints), networks, and data from cyber-attacks. In contrast, cyber resilience focuses on detective and reactive controls in an organization’s IT environment to assess gaps and drive enhancements to the overall security posture. According to MITRE, cyber resilience (or cyber resiliency) “is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.” Most cyber resilience measures leverage or enhance a variety of cybersecurity measures. Cybersecurity and cyber resilience measures are most effective when applied in concert.
Organizations that are interested in learning more about cyber resilience should refer to the Department of Homeland Security’s Cyber Resilience Review (CRR) guidance on how to evaluate an organization’s operational resilience and cybersecurity practices or the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-160 Volume 2. The latter helps organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems – including hostile and increasingly destructive cyber-attacks from nation states, criminal gangs, and disgruntled individuals.
Assessments: Cyber Resilience Review (CRR)
https://www.cisa.gov/uscert/resources/assessments
Tomi Engdahl says:
5 Ways to Reduce the Risk of Ransomware to Your OT Network
https://www.securityweek.com/5-ways-reduce-risk-ransomware-your-ot-network
In the last year and half, we’ve seen an unprecedented increase in ransomware attacks on Operational Technology (OT) networks. While this surge is generating a lot of press coverage, it was something that experts within our industry have been anticipating for a while. In fact, I presented on the topic of ransomware and destructive attacks at RSAC 2018, together with a host of security leaders from the public and private sector.
What can defenders do in this new reality to strengthen the security posture of their OT environments? Here are five recommendations every CISO should consider:
1. Extend the scope of your risk governance to include anything that is a cyber-physical asset. This includes all Industrial IoT, industrial control system (ICS), and Enterprise IoT components. Of course, this is a challenging step for many organizations since it’s not an easy task to even identify those assets. It’s a process that might take iterations. Thankfully, in the last few years our industry has made tremendous progress in technology that helps us easily discover such assets and profile their exposure, risk, and vulnerabilities.
2. Make sure that you have proper segmentation between IT and OT networks. There are many business processes and applications that need to communicate across the IT/OT boundary, so we need to ensure this is done in a secure way. This simple step usually gets taken for granted, but it shouldn’t. In addition to the IT/OT segmentation, deploy virtual segmentation to zones within the OT environment – this will help detect lateral movement within the OT networks. And if remote operations need access directly into the OT networks, make sure this is done through a secure remote access connection with strict controls over users, devices, and sessions.
3. Practice good cyber hygiene. Ensure that your hygiene extends to OT and IoT devices. This includes the use of strong passwords (and not sharing passwords amongst different users, a practice that is common in industrial operations), a password vault, and multi-factor authentication. Some processes, like patching legacy systems, might be more challenging or not possible. If that is the case, identify and implement compensating controls such as firewall rules and access control lists. The Cybersecurity and Infrastructure Security Agency (CISA), has a number of no-cost hygiene tools, including scanning and testing to help reduce exposure to threats.
4. Implement a robust system monitoring program. This means monitoring for threats in both IT and OT networks and anything that is traversing that boundary. Agentless solutions that are purpose-built for continuous threat monitoring across the OT network, can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to look at OT environments together. Working from the same set of information these teams take specific steps to manage and mitigate risk from both known and unknown, emerging threats.
5. Run exercises on your incident response plan. Running tabletop exercises of ransomware attacks can help you understand your organizational and technical preparedness. This affords you an opportunity to create an improved incident response plan and will build confidence in your preparedness and resilience to such attacks.
Tomi Engdahl says:
Planning for the Future: What’s Ahead in 2022
https://www.securityweek.com/planning-future-whats-ahead-2022
Current security technology stacks are not keeping up with the increasing scale and sophistication of attacks
For these threats to be addressed, the security industry must focus on threats that impact a company’s bottom line. Executives in customer-facing companies rarely understand security because the marketing efforts they see are geared towards nation state espionage efforts. In addition, customer-side security teams rarely understand the details of their company’s business and therefore, understanding the impact of security events on the corporate bottom line is challenging. To address this challenge:
1. Enterprise security teams must shift their focus to client-directed intelligence to address threats to systems, assets, people, and the business. The generic threat data sets and analysis currently used by many organizations will not adequately address the company-specific threats targeting a company and their unique attributes.
2. Following this risk-based approach a security team can build a security stack that incorporates proper escalation policies and procedures including:
a. Asset Inventory Technology Evolution: New technology will solve challenges of identifying and automating hundreds of thousands of assets across corporate, OT, IT, and production environments.
b. Threat Intelligence As a Managed Service: Threat intelligence feeds providing data and generic industry threats does not solve the problem of sophisticated, client-specific threats. Improvements in managed intelligence services will likely mature and be adopted to address the problems posed by inadequate resources and expertise.
c. XDR Will Continue to Supplant Less-Sophisticated EDR Offerings: To date, SIEMs and SOARs have not delivered on their promise, leaving security and risk managers struggling with disparate security tools and high alert volumes. XDR products will start to improve detection and response activity by centralizing security tools and using ML/AI to reduce false positives. It will likely require several years for enterprises to evolve.
d. Cloud Security and Compliance Will Become Easier: Secure cloud software automation will become more mainstream enabling less sophisticated users and analysts to architect, build, and manage multi-vendor cloud deployments (AWS, Azure, GCP).
Tomi Engdahl says:
Why It’s So Difficult — And Costly — To Secure Chips
https://semiengineering.com/why-its-so-difficult-and-costly-to-secure-chips/
Threats are growing and widening, but what is considered sufficient can vary greatly by application or by user. Even then, it may not be enough.
Rising concerns about the security of chips used in everything from cars to data centers are driving up the cost and complexity of electronic systems in a variety of ways, some obvious and others less so.
Until very recently, semiconductor security was viewed more as a theoretical threat than a real one. Governments certainly worried about adversaries taking control of secure systems through back doors in hardware, either through third-party IP or unknowns in the global supply chain, but the rest of the chip industry generally paid little heed apart from the ability to boot securely and to authenticate firmware. But as advanced electronics are deployed in cars, robots, drones, medical devices, as well as in a variety of server applications, robust hardware security is becoming a requirement. It no longer can be brushed aside as a ‘nice-to-have’ feature because IC breaches can affect safety, jeopardize critical data, and sideline businesses until the damage is assessed and the threat resolved.
The big question many companies are now asking is how much security is enough. The answer is not always clear, and it’s often incomplete. Adequate security is based on an end-to-end risk assessment, and when it comes to semiconductors the formula is both complex and highly variable. It includes factors that can fluctuate from one vendor to the next in the same market, and frequently from one chip to the next for the same vendor.
Tomi Engdahl says:
https://hackaday.com/2021/12/26/hackaday-links-december-26-2021/
getting your laptop stolen would be bad enough. But what if it got yoinked while it was unlocked? Depending on who you are and what you do with that machine, it could be a death sentence. That’s where BusKill could come in handy. It’s a hardware-software approach to securing a laptop when it — or you — suddenly goes missing. A dongle with a breakaway magnetic lanyard gets plugged into a USB port, and the other end of the lanyard gets attached to your person. If you get separated from your machine, the dongle sends customizable commands to either lock the screen or, for the sufficiently paranoid, nuke the hard drive. The designs are all up on GitHub, so check it out and think about what else this could be useful for.
https://www.buskill.in/
https://github.com/BusKill
Tomi Engdahl says:
Digipalvelujen käyttö pomppasi vanhuksia rajoittaa pelko ja taitojen puute
https://www.is.fi/digitoday/art-2000008504314.html
Suomalaiset käyttävät digitaalisia palveluja huomattavasti koronan alkuaikoja enemmän, selviää Palvelualojen työnantajat Paltan Digigallupista. Digigallupin toteutti Paltalle Tietoykkönen Oy marraskuussa. Kyselyyn vastasi 1000 suomalaista, joista 67 prosenttia oli käyttänyt arjessaan digipalveluja kesällä 2020. Nyt vastaava määrä oli 84 prosenttia. 1824-vuotiaista niitä ovat käyttäneet kaikki vastaajat. Yli 65-vuotiaista valtaosa, 70 prosenttia, käyttää digitaalisia palveluita arjessaan. Heistä kuitenkin muita suurempi osuus, noin joka viides, nimeää esteiksi puutteelliset omat taidot tai pelon tietoturvauhkista.
Tomi Engdahl says:
Privacy-focused search engine DuckDuckGo saw record growth in 2021
https://therecord.media/privacy-focused-search-engine-duckduckgo-saw-record-growth-in-2021/
Privacy-focused search engine DuckDuckGo was used for more than 34.8 billion queries in 2021up more than 47 percent from the previous yearaccording to its traffic statistics, signaling that many internet users are prioritizing tools that don’t siphon data.
Tomi Engdahl says:
A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard
https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/
Earlier this year, Check Point Research published the story of “Jian”
an exploit used by Chinese threat actor APT31 which was “heavily inspired by” an almost-identical exploit used by the Equation Group, made publicly known by the Shadow Brokers leak. The spicy part of the story was that Jian had been roaming in the wild and abusing Equation Group ingenuity to compromise systems before it was cool as early as 2014, a full two years before the Shadow Brokers leaks made the original exploit public. Evidently, the authors of Jian had acquired early access to it some other way. DanderSpritz is a full-featured post-exploitation framework used by the Equation Group. This framework was usually leveraged after exploiting a machine and deploying the PeddleCheap “implant”. DanderSpritz is very modular and contains a wide variety of tools for persistence, reconnaissance, lateral movement, bypassing Antivirus engines, and other such shady activities. It was leaked by The Shadow Brokers on April 14th, 2017 as part of the “Lost in Translation” leak.
Tomi Engdahl says:
2021 Wants Another Chance (A Lighter-Side Year in Review)
https://threatpost.com/2021-log4j-year-review-funny-cybersecurity/177215/
The year wasn’t ALL bad news. These sometimes cringe-worthy/sometimes laughable cybersecurity and other technology stories offer schadenfreude and WTF opportunities, and some giggles.
Tomi Engdahl says:
DuckDuckGo Signals Entry Into Desktop Browser Market
https://www.securityweek.com/duckduckgo-signals-entry-desktop-browser-market
Gabriel Weinberg’s DuckDuckGo is taking aim at the desktop browser market, betting that default privacy-centric settings will provide safer alternatives to Google’s Chrome and Microsoft’s Chromium-based Edge browsers.
The upstart search engine company says it is building a desktop browser from scratch with the same privacy-enhancing defaults that makes the DuckDuckGo search engine popular with privacy advocates.
Tomi Engdahl says:
The Human Connection: A Mindset for the Coming Year
https://www.securityweek.com/human-connection-mindset-coming-year
I’ve written about people and the contributions they make on protecting our email and IT systems, but I’d like to shift focus this last article for 2021 towards a deeper but related topic: human connections.
We are amid the holiday season, and around the world people are looking inward to family and friends, and to resolutions that we hope will stay around longer than the New Year Champagne. I am certainly doing this, and as I look back on 2021, I find the joyful things that have happened when it comes to work, are much like the ones I have at home. With that in mind, I want to make 2022 the year to focus on establishing connections with, and helping, other humans.
The best experiences of 2021 have been when I have had a meaningful impact on persons or people, I have a meaningful connection with. For instance, it might be a homework assignment or studying for a test with my kids that resulted in a good grade. Or it might be a conversation with a multi-national industry-leading company fighting through a cyber-attack where the conversations we have had over the years has created a partnership and trust that enables action to happen. These engagements are often ones that require some considerable sacrifice for me personally or on the part of my team.
Tomi Engdahl says:
The Need for Survivable, Trustworthy Secure Systems
https://www.securityweek.com/need-survivable-trustworthy-secure-systems
Tomi Engdahl says:
As 2021 draws to an end, security practitioners are scrambling to address multiple vulnerabilities identified in the widely used Apache Log4j Java-based logging tool that impact hundreds of millions of devices and software applications. These security holes (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105) expose many organizations to attacks and exploitation, illustrating once more that there is no silver bullet when it comes to protecting against cyber-attacks. More and more security professionals acknowledge that modern enterprise infrastructures are made up of large and complex entities, and therefore will always have flaws and weaknesses that adversaries will be able to exploit. In this context, they propagate the concept of cyber resilience to ensure that an adverse cyber event (intentional or unintentional, i.e., due to failed software updates) does not negatively impact the confidentiality, integrity, and availability of an organization’s business operations. But how does this compare to traditional cybersecurity practices?
https://www.securityweek.com/need-survivable-trustworthy-secure-systems
Tomi Engdahl says:
Mariam Baksh / Nextgov:
Biden signs the annual defense bill codifying voluntary cybersecurity frameworks for the private sector, which operates the bulk of US’s critical infrastructure
Biden Signs NDAA Relying on Voluntary Private-Sector Cybersecurity Collaboration
https://www.nextgov.com/cybersecurity/2021/12/biden-signs-ndaa-relying-voluntary-private-sector-cybersecurity-collaboration/360217/
Major breaches over the past year were a double-edged sword in efforts to pass a crucial mandatory reporting measure that didn’t make it into the ‘must-pass’ legislation despite bipartisan support, according to key lawmakers.
President Joe Biden on Monday signed into law the National Defense Authorization Act of 2022 which codifies an approach to cybersecurity that depends on the decisions of private-sector entities to protect the bulk of the nation’s critical infrastructure.
The NDAA has become the go-to legislative vehicle for efforts to manage the federal government at large, and to regulate the private sector on cybersecurity issues.
On the government side, the law requires the Cybersecurity and Infrastructure Security Agency to biennially update an incident response plan and to consult with sector-specific agencies and the private sector in establishing an exercise program to assess its effectiveness.
It seeks to “ensure that the National Guard can provide cyber support services to critical infrastructure entities—including local governments and businesses,” according to Sen. Maggie Hassan, D-N.H. It also establishes a grant program at the Homeland Security Department to foster collaboration on cybersecurity technologies between public and private-sector entities in the U.S. and Israel.
Lawmakers also highlighted the inclusion of provisions codifying existing public-private partnerships at CISA which aim to offer continuous monitoring of industrial control systems—an effort known as the CyberSentry program—and to develop ‘know your customer’ guidelines for companies like cloud and other service providers comprising the “internet ecosystem.” Such companies are described as the plank bearers of CISA’s Joint Cyber Defense Collaborative.
Tomi Engdahl says:
The hacker-for-hire industry is now too big to fail
https://www.technologyreview.com/2021/12/28/1043029/the-hacker-for-hire-industry-is-now-too-big-to-fail/
This is a big moment of turbulence and change for the hacking business. But the demand is here to stay.
A shock has reverberated inside Israel in the last few months. NSO Group, the billion-dollar Israeli company that has sold hacking tools to governments around the world for more than a decade, has drawn intense scrutiny after a series of public scandals. The company is in crisis. Its future is in doubt.
But while NSO Group’s future is uncertain, governments are more likely than ever to buy cyber capabilities from the industry NSO helped define. Business is booming for “hackers for hire” firms. In the last decade, the industry has grown from a novelty into a key instrument of power for nations around the world. Even the potential failure of a major firm like NSO Group isn’t likely to slow the growth.
Just this month, Facebook reported that seven hacker-for-hire firms from around the world had targeted around 50,000 people on the company’s platforms.
The pattern repeated for years–over and over again, governments would be accused of using NSO hacking tools against dissidents but the company denied wrongdoing and escaped punishment. Then, in mid-2021, new reports emerged of alleged abuse against Western governments. The company was sanctioned by the US in November, and in December Reuters reported that US State Department officials had been hacked using Pegasus.
Now NSO Group faces expensive public lawsuits from Facebook and Apple. It has to deal with debt, low morale, and fundamental threats to its future. Suddenly, the poster child for spyware is confronting an existential crisis.
All of this is familiar territory. The secretive hacker-for-hire industry first splashed across international newspaper headlines in 2014, when the Italian firm Hacking Team was charged with selling its “untraceable” spyware to dozens of countries without regard for human rights or privacy violations.
Hacking Team opened the world’s eyes to a global industry that bought and sold powerful tools to break into computers anywhere. The resulting storm of scandals seemed to eventually kill it. The company lost business and the ability to legally sell its tools internationally. Hacking Team was sold and, in the public’s mind, left for dead. Eventually, however, it rebranded and started selling the same products. Only this time, it was a smaller fish in a much bigger pond.
“The demise of Hacking Team did not lead to fundamental change in the industry at all,”
Many more countries now pay for the instant capability to hack adversaries both internationally and within their own borders. Billions of dollars are at play, but there’s very little transparency and even less accountability.
While public scrutiny of firms that provide hackers for hire has grown, the global demand for offensive cyber capabilities has escalated too. In the 21st century, a government’s highest-value targets are online more than ever—and hacking is usually the most effective way to get to them.
For governments, investing in cyber is a relatively cheap and potent way to compete with rival nations—and develop powerful tools of domestic control.
“Especially in the last five years, you have more countries developing cyber capabilities,”
“If you don’t have a way to harness the skills or talent of the people in your country but you have the resources to outsource, why wouldn’t you go commercial?”
Military contracting giants across the world now develop and sell these capabilities. These tools have been used to commit egregious abuses of power. They’re also increasingly used in legitimate criminal investigations and counterterrorism and are key to espionage and military operations.
The demand for what private hacking companies are selling isn’t going away. “The industry is both bigger and more visible today than it was a decade ago,” says Winnona DeSombre, a security researcher and fellow at the Atlantic Council. “The demand is rising because the world is becoming more technologically connected.”
“The biggest issue comes when this space is primarily self-regulated,” she explained. Self-regulation “can result in widespread human rights abuses” or even friendly fire, when hacking tools are sold to foreign governments that turn around and use the same capabilities against the country of origin.
Tomi Engdahl says:
Iranian hackers behind Cox Media Group ransomware attack https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/
The ransomware attack that crippled the IT systems and live streams of Cox radio and TV stations earlier this year was the work of Iranian hackers, The Record has learned. The attack has been attributed to a threat actor tracked under the codename of DEV-0270, a group linked to several intrusions against US companies this year that have ended in the deployment of ransomware. While the intrusion at the Cox Media Group came to light on June 3, when the attackers deployed their ransomware and encrypted some internal servers, the group had actually breached and been lurking inside the company’s internal network for weeks since mid-May.
Tomi Engdahl says:
Cryptomining Attack Exploits Docker API Misconfiguration Since 2019 https://threatpost.com/cryptomining-attack-exploits-docker-api-misconfiguration-since-2019/177299/
Hackers behind a cryptomining campaign have managed to avoid detection since 2019. The attacks exploited misconfigured Docker APIs that allowed them to gain network entry and ultimately sets up a backdoor on compromised hosts to mine cryptocurrency, researchers said. The attack technique is script-based and dubbed “Autom”, because it exploits the file “autom.sh”. Attackers have consistently abused the API misconfiguration during the campaign’s active period, however the evasion tactics have varied allowing adversaries to fly under the radar, wrote Aquasec’s research arm Team Nautilus in a report published Wednesday.
Tomi Engdahl says:
Biden Signs NDAA Relying on Voluntary Private-Sector Cybersecurity Collaboration https://www.nextgov.com/cybersecurity/2021/12/biden-signs-ndaa-relying-voluntary-private-sector-cybersecurity-collaboration/360217/
President Joe Biden on Monday signed into law the National Defense Authorization Act of 2022 which codifies an approach to cybersecurity that depends on the decisions of private-sector entities to protect the bulk of the nation’s critical infrastructure. On the government side, the law requires the Cybersecurity and Infrastructure Security Agency to biennially update an incident response plan and to consult with sector-specific agencies and the private sector in establishing an exercise program to assess its effectiveness.
Tomi Engdahl says:
Indian authorities set to tighten data breach laws in 2022
https://portswigger.net/daily-swig/indian-authorities-set-to-tighten-data-breach-laws-in-2022
Authorities in India are set to clamp down on data breaches and tighten rules for holding sensitive data, according to local media reports. Organizations will be forced to disclose data breaches within
72 hours, bringing India in line with territories such as the EU, which mandates breach disclosures under its General Data Protection Regulation (GDPR). And Indian firms will no longer be able to store payment card information, with only card issuers and card networks such as Visa or Mastercard permitted to do so.
Tomi Engdahl says:
Poland’s Tusk Calls Spyware Use ‘Crisis for Democracy’
https://www.securityweek.com/polands-tusk-calls-spyware-use-crisis-democracy
Polish opposition leader Donald Tusk on Tuesday said reports the government spied on its opponents represented the country’s biggest “crisis for democracy” since the end of communism.
A cyber-security watchdog last week said the Pegasus spyware had been used to target prominent opposition figures, with Polish media dubbing the scandal a “Polish Watergate”.
“This is unprecedented in our history,” former EU chief Tusk, who now heads the Civic Platform party, told reporters.
“This is the biggest, deepest crisis for democracy since 1989.”
Tomi Engdahl says:
The Right to Work and Non-Competes in the Security Industry
https://www.securityweek.com/right-work-and-non-competes-security-industry
Those who actively threaten or work against the right to work act against the interests of the security community as a whole
I’d like to discuss the right to work. Security professionals have that right, and unfortunately, from time to time, certain individuals, organizations, or companies try to take that right away. In this piece specifically, I’d like to focus on the issue of non-competes.
I understand that companies have employees sign non-competes. This is a common requirement when beginning employment, whether full-time, contract, or consulting. There is no problem with having employees sign a non-compete, provided that those non-competes are reasonable.
When the non-compete expires, however, the employee has the right to work elsewhere. Holding a former employee hostage by threatening legal action against them when they are within their rights to seek employment elsewhere is simply not okay.
The right to work is one of the most fundamental professional rights. This is as true in the security profession as it is in every other profession. Those who actively threaten or work against this right act against the interests of the security community as a whole. No one should be denied the opportunity to pursue their professional dreams.
Tomi Engdahl says:
https://www.atlasobscura.com/articles/capn-crunch-whistle
Tomi Engdahl says:
Chinese ‘brain control’ warfare work revealed
https://www.washingtontimes.com/news/2021/dec/29/pla-brain-control-warfare-work-revealed/
The Commerce Department imposed sanctions on Chinese technology companies and announced recently that China’s military is engaged in dangerous work related to “brain control” warfare research.
Commerce’s Bureau of Industry and Security said only that the academy and its affiliates are using “biotechnology processes to support Chinese military end-uses and end-users, to include purported brain-control weaponry.”
Tomi Engdahl says:
Pääsynhallinta on yritysverkon oma portsari
Tunnistamattomista laitteista muodostuu yritysverkoissa aina tietoturva-aukkoja. DNA Pääsynhallinnalla varmistetaan tietoturvallinen liiketoiminta.
https://www.dna.fi/yrityksille/blogi/-/blogs/paasynhallinta-on-yritysverkon-oma-portsari?utm_source=facebook&utm_medium=linkad&utm_content=KIKA-artikkeli-paasynhallinta-on-yritysverkon-oma-portsari&utm_campaign=H_SES_21-49-52_artikkelikampanja&fbclid=IwAR34lCECHqJrH_JDk2zGXxalUgSvUNKM_oaLrJaeUc8hIcJjKRAPx42JXl8
Tomi Engdahl says:
https://techcrunch.com/2021/12/30/the-year-the-tide-turned-on-ransomware/
Tomi Engdahl says:
The biggest data breaches, hacks of 2021 https://www.zdnet.com/article/the-biggest-data-breaches-of-2021/
In 2021, thousands of new cybersecurity incidents have been recorded
- — and while cryptocurrency theft and data loss are now commonplace, this year stands out due to several high-profile incidents involving ransomware, supply chain attacks, and the exploitation of critical vulnerabilities. The Identity Theft Research Center (ITRC) has reported an increase of 17% in the number of recorded data breaches during 2021 in comparison to 2020. However, an entrenched lack of transparency around the disclosure of security incidents continues to persist — and so this may be a low ball estimation. According to IBM, the average cost of a data breach has now reached over $4 million, while Mimecast estimates that the average ransomware demand levied against US companies is well over $6 million. The world record for the largest payout, made by an insurance company this year, now stands at
$40 million. Here are some of the most notable security incidents, cyberattacks, and data breaches over 2021.
Tomi Engdahl says:
2021 Information security in memes and tweets https://www.kaspersky.com/blog/security-2021-year-in-memes/43237/
Remember the most interesting events of the information security industry in 2021 in memes and tweets.
Tomi Engdahl says:
Hans Christian Andersen on security technologies
Our Danish colleague spilled a lot of cybersecurity ink in his works.
https://www.kaspersky.com/blog/andersen-cybersecurity-technologies/43232/
Tomi Engdahl says:
BleepingComputer’s most popular cybersecurity and tech stories of 2021 https://www.bleepingcomputer.com/news/technology/bleepingcomputers-most-popular-cybersecurity-and-tech-stories-of-2021/
2021 is over, and we can look forward to a hopefully healthier, safer, and more normal 2022. Below we list the ten most popular stories at BleepingComputer during 2021, with a summary of each. 10. Fired NY credit union employee nukes 21GB of data in revenge. 9. 533 million Facebook users’ phone numbers leaked on a hacker forum. 8. New phishing attack uses Morse code to hide malicious URLs. 7. New zero-day exploit for Log4j Java library is an enterprise nightmare. 6.
Adult content from hundreds of OnlyFans creators leaked online. 5. How to fix the Windows 0x0000011b network printing error. 4. Canon sued for disabling scanner when printers run out of ink. 3. Over nine million Android devices infected by info-stealing trojan. 2.
Researcher hacks over 35 tech firms in novel supply chain attack. 1.
Windows 10 bug corrupts your hard drive on seeing this file’s icon
Tomi Engdahl says:
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Tomi Engdahl says:
Eight New macOS Malware Families Emerged in 2021
https://www.securityweek.com/eight-new-macos-malware-families-emerged-2021
Eight new macOS malware families emerged in 2021, according to Patrick Wardle, a security researcher who specializes in Apple products.
The new macOS malware spotted in 2021 includes ElectroRAT, SilverSparrow, XcodeSpy, ElectrumStealer, WildPressure, XLoader, ZuRu, and CDDS (aka MacMa).
Wardle has published a blog post describing each of these pieces of malware, including their infection vector, persistence mechanism, features, and goals. He has also shared samples of each malware to allow others to conduct their own analysis.
The Mac Malware of 2021
a comprehensive analysis of the year’s new malware!
https://objective-see.com/blog/blog_0x6B.html
Tomi Engdahl says:
Check Point Research: Cyber Attacks Increased 50% Year over Year
https://blog.checkpoint.com/2022/01/10/check-point-research-cyber-attacks-increased-50-year-over-year/
In Q4 of 2021 there was an all-time peak in weekly cyber-attacks per organization, counting over 900 attacks per organization. In 2021, there was a 50% increase in overall attacks per week on corporate networks compared to 2020. Education and Research was the most attacked sector
Tomi Engdahl says:
DDoS Attack Trends for Q4 2021
https://blog.cloudflare.com/ddos-attack-trends-for-2021-q4/
The second half of the year recorded a growing swarm of one of the most powerful botnets deployed (Meris) and record-breaking HTTP DDoS attacks and network-layer attacks observed over the Cloudflare network.
Tomi Engdahl says:
Jonathan Greig / ZDNet:
Report: the number of cyber attacks per week on corporate networks globally grew 50% YoY in 2021, peaking towards the end of Q4, largely due to the Log4j flaw
https://www.zdnet.com/article/report-increased-log4j-exploit-attempts-leads-to-all-time-peak-in-weekly-cyberattacks-per-org/
Tomi Engdahl says:
The Cloudflare Blog:
Ransom DDoS attacks in Q4 2021 rose 29% YoY and 175% QoQ; China has the highest percentage of originating network traffic for application-layer attacks
https://blog.cloudflare.com/ddos-attack-trends-for-2021-q4/
Tomi Engdahl says:
2021 Cyber Attacks Statistics
https://www.hackmageddon.com/2022/01/13/2021-cyber-attacks-statistics/
And finally I have aggregated all the data collected in 2021 from the cyber attacks timelines. In the past year I have collected 2539 events, meaning nearly a 9% increase compared with the 2332 events collected over the course of 2020. Interestingly this increase occurred mainly between January and May (maybe an effect of the pandemic), after this interval, the trend is essentially in line with the values of 2020.
Tomi Engdahl says:
North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High https://blog.chainalysis.com/reports/north-korean-hackers-have-prolific-year-as-their-total-unlaundered-cryptocurrency-holdings-reach-all-time-high/
North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly
$400 million worth of digital assets last year. These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations internet-connected hot wallets into DPRK-controlled addresses. Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out.
Tomi Engdahl says:
Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/
Malware targeting Linux-based operating systems, commonly deployed in Internet of Things (IoT) devices, have increased by 35% in 2021 compared to 2020, according to current CrowdStrike threat telemetry, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021. XorDDoS, Mirai and Mozi are the most prevalent Linux-based malware families observed in 2021, with Mozi registering a significant tenfold increase in the number of in-the-wild samples in 2021 compared to 2020.
Tomi Engdahl says:
North Korea hacked nearly $400M in cryptocurrency last year
https://techcrunch.com/2022/01/14/north-korea-hacked-nearly-400m-in-cryptocurrency-last-year/?tpcc=tcplusfacebook
North Korean hackers launched at least seven attacks on cryptocurrency platforms last year to steal almost $400 million worth of digital assets, according to a report by blockchain analysis firm Chainalysis.
“From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%,” the report said.
The attacks primarily targeted investment firms and centralized exchanges.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/technology/bleepingcomputers-most-popular-cybersecurity-and-tech-stories-of-2021/
Tomi Engdahl says:
https://www.kaspersky.com/blog/andersen-cybersecurity-technologies/43232/
Tomi Engdahl says:
https://semiengineering.com/creating-iot-devices-that-will-remain-secure/
Tomi Engdahl says:
Google Says NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’
https://www.securityweek.com/google-says-nso-pegasus-zero-click-most-technically-sophisticated-exploit-ever-seen
Security researchers at Google’s Project Zero have picked apart one of the most notorious in-the-wild iPhone exploits and found a never-before-seen hacking roadmap that included a PDF file pretending to be a GIF image with a custom-coded virtual CPU built out of boolean pixel operations.
Within Apple’s CoreGraphics PDF parser, the NSO exploit writers abused Apple’s implementation of the open-source JBIG2, a domain specific image codec designed to compress images where pixels can only be black or white.
Describing the exploit as “pretty terrifying,” Google said the NSO Group hackers effectively booby-trapped a PDF file, masquerading as a GIF image, with an encoded virtual CPU to start and run the exploit.
“JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does,” the researchers explained.
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Tomi Engdahl says:
https://www.baeldung.com/linux/advanced-file-permissions
Tomi Engdahl says:
FTC: U.S. consumers lost $770 million in social media scams in 2021, up 18x from 2017
https://techcrunch.com/2022/01/27/ftc-u-s-consumers-lost-770-million-in-social-media-scams-in-2021-up-18x-from-2017/?tpcc=tcplusfacebook
A growing number of U.S. consumers are getting scammed on social media according to a new report by the Federal Trade Commission (FTC), which revealed that consumers lost $770 million to social media scams in 2021 — a figure that accounted for about one-fourth of all fraud losses for the year. That number has also increased 18 times from the $42 million in social media fraud reported in 2017, the FTC said, as new types of scams involving cryptocurrency and online shopping became more popular. This has also led to many younger consumers getting scammed, as now adults ages 18 to 39 reported fraud losses at a rate that’s 2.4x higher than adults 40 and over.