2021 Cyber Threat Intelligence Report - Threats Unmasked
Foreword

Accenture Cyber Threat Intelligence (Accenture CTI) has been creating relevant, actionable threat intelligence for more than 20 years. But the rapid pace of cyber threat evolution means that intelligence needs to be timely to be relevant. As a result, we are changing our annual Cyber Threatscape report to a more frequent review, to help decision makers plan and act faster. In this inaugural issue we highlight early 2021 cyber threat trends and expert perspectives on threats to the operational technology (OT) landscape. In an era of unprecedented uncertainty, with so many devices scattered throughout enterprise networks, it’s challenging for security professionals to keep pace with security demands.

The SolarWinds and Colonial Pipeline incidents and the large-scale disruptions and cost of ransomware operations illustrate the growing impact of cyber threat activity on enterprise risk across all industry segments. This risk is increasingly difficult to control and mitigate across both IT and OT environments.
While running industrial systems is eased by adopting virtualization in the cloud and the advance of Internet-connected devices, these technologies are also introducing operational environments to new vulnerabilities and risks.

The global ransomware crisis has entered a new phase, as threat actors adopt stronger pressure tactics and new targets—in particular, manufacturing and critical infrastructure. Ransom impact is more widespread, with attacks often highlighting weaknesses in a company’s security posture. Yet, despite Colonial Pipeline’s recent admission of a US$4.4M payout,[1] victims cannot assume paying a ransom will restore data or prevent leaks,[2] and it seems they recognize that—median ransom payments have fallen from US$110,532 in September 2020 to US$78,398 in March 2021.[3]

As we have seen with the SolarWinds compromise, software supply chain security and third-party compromise vectors are in the spotlight. More generally, ransomware deployment is faster and more diverse, making pre-infection defense extremely difficult.

Enterprise risk management is a team sport that requires a variety of capabilities, a cohesive team, excellent execution of the basics and a willingness to adapt to changing conditions. Security leaders must demonstrate to the C-suite and the board not only that they understand the criticality of the continuity of operations, but also the importance of working in partnership with the whole business to effectively manage risk.

For more, take a look at our larger security library through our Threat Intelligence, Cyber Defense, and OT Security blogs and our recent Operation: Next OT security summit.

Howard Marshall
Managing Director, Accenture Security
Key trends

Following analysis in the first half of 2021, Accenture CTI identified four trends that are affecting the IT and OT landscape:

1. Ransomware actors test new extortion methods
2. Cobalt Strike is on the rise
3. Commodity malware can invade OT from IT space
4. Dark Web actors challenge IT and OT networks
Ransomware actors test new extortion methods

Ransomware actors are expanding data leak extortion, devising new methods to pressure victims.[4] Their creative approaches are hitting home as they place operational resilience—already tested by the disruptive forces of the pandemic—under increased pressure.
Threat actors are targeting new industries, using higher-pressure tactics to escalate infection consequences and deploying payloads faster to render trusted detection methods too slow. Response options are becoming more complicated. Organizations should focus on preparation, prevention and pre-encryption defenses.

What’s happening?

Targets are shifting

Small manufacturers remain typical targets,[5] but cases in the first months of 2021 targeted critical infrastructure—the May 2021 Colonial Pipeline ransomware paralyzed fuel distribution in much of the southeastern United States—and upstream providers, such as data-rich insurance companies.[6] Ransomware operators disrupt production in organizations that cannot afford downtime and feel pressure to pay ransoms. One group exploited a cloud provider’s product to breach legal, transportation, geophysical and logistics entities.[7]

Tactics are toughening

Ransomware actors generally promise to decrypt their victims’ systems and destroy stolen data after receiving ransoms,[8] but these promises are unreliable. Ransomware negotiator Coveware reported multiple cases in late 2020 where data was destroyed rather than just encrypted, preventing data retrieval even after ransom payment.[9] But, one group extorted their victims and posted stolen data without even deploying ransomware—apparently viewing exposure as more intimidating to its victim than “bricking” machines.[10]
Where next?

Extortion is becoming personal

New exposure tactics, pioneered in 2020, have gathered speed, compounding data leak extortion damage, adding reputation damage to victim liability lists. In what one report has dubbed “quadruple extortion,” groups are not only encrypting files and threatening to leak data, but also threatening non-payers with distributed denial-of-service (DDoS) attacks[11, 12, 13] or contacting victims’ customers or business partners, urging them to pressure victims to pay ransoms.[14, 15, 16, 17] DarkSide, the group whose ransomware the FBI has said was responsible for the Colonial attack,[18] is one of the first to offer all four services as part of its affiliate service.[19] Clop actors focused on top executives’ information, seeking blackmail material.[20] Babuk ransomware operators have joined Clop and Snatch actors in gaining broader exposure for their stolen victim data with anti-establishment activist communities.[21] After the fallout from the Colonial Pipeline hack led major underground forum administrators to ban talk of ransomware, Babuk announced a new platform where anyone can publish their stolen data.[22]

Tactics, Techniques, and Procedures (TTPs) are more advanced

Ransomware actors are developing new tools and exploits rapidly. Actors exploit new vulnerabilities—for example, alternative delivery mechanisms such as third-party hosting;[23] Accenture CTI identified notable defense evasion tactics with Hades ransomware operators using tooling and hands-on-keyboard actions to disable endpoint defenses.[24]

To help tackle the impact of ransomware:

• Nip attacks in the bud: Organizations focusing on preparation, prevention, and pre-encryption defense can more effectively face the ransomware crisis.[25, 26] Segregation and zero-trust measures can limit threat actor movements if breaches occur.
• Collaborate and report: Collaborate with industry partners, consortiums and law enforcement for greater threat awareness.
• Update risk and mitigation plans: Apply an appropriate risk mitigation strategy that includes aspects such as controls deployment or secure data transmission mechanisms.
Cobalt Strike is on the rise

Testing services have proven themselves as an effective way to assess systems, enabling organizations to address and mitigate risk to their critical production environment. So, it is unsurprising that threat actors continuously seek cost-efficient ways to evade detection and complicate attribution. One of these ways is to integrate open source and commercial tools into their arsenal.
What’s happening?

Cobalt Strike is proliferating

Although in use for more than a decade, the number of Cobalt Strike-enabled attacks reportedly increased by 163% between 2019 and 2020.[29] The emergence of pirated Cobalt Strike being abused as a preeminent commodity alternative to malware has occurred for numerous reasons.

Since at least December 2020, Accenture CTI has observed, from internal research and public reporting,[27] a notable increase in threat actors adopting pirated versions of the commercial penetration testing framework Cobalt Strike.

This pirated software has enabled highly impactful campaigns, including the recently discovered SolarWinds-based compromises, as well as prolific “name-and-shame” ransomware attacks.

In addition to being increasingly accessible, recent Cobalt Strike versions are more customizable than previous versions. As Accenture CTI observed in the recent SolarWinds breach,[30] threat actors are exploiting Cobalt Strike’s malleable command-and-control features to customize default settings of the framework’s Beacon backdoor and defeat detection.

The framework’s “Beacon” backdoor contains commercial watermarks, which enable analysts to monitor campaigns and target trends about locations of cracked or pirated Cobalt Strike deployments. Accenture CTI invests significant resources in tooling that identifies, decrypts and tracks Cobalt Strike configurations in the wild.[28]

Public discussions around the prolific success of a malicious tool can often result in the development of new security detection techniques, leading threat actors to retool. However, due to numerous factors such as increased customization, the current high profile success of Cobalt Strike abuse means the pirated tool’s popularity is actually growing—a trend that will almost certainly continue through 2021.

Organizations need to adopt new defensive tools that can counter this growing threat.
Where next?

Attack tools are evolving

Threat actors are evolving their own custom loaders to deliver Cobalt Strike. Notably, attackers developed several custom Cobalt Strike loaders to facilitate the SolarWinds campaign.[31] Accenture CTI has seen the popularity of the tool surge in the first three months of 2021.

Beyond the intensifying use of Cobalt Strike by opportunistic “name and shame” ransomware groups such as REvil (also known as Sodinokibi) and Egregor, Hades ransomware operators have also abused the tool to deploy their ransomware.[32] These ransomware attacks affected multiple victims between December 2020 and March 2021. Accenture CTI also observed a Cobalt Strike Beacon-type payload in malware hosted on infrastructure likely associated with the newly identified cyber espionage group HAFNIUM.[33] HAFNIUM reportedly used zero-day exploits against critical Microsoft Exchange vulnerabilities, which Microsoft publicly disclosed in March 2021.[34]

Malware is merging

Accenture CTI has identified overlaps between the infrastructure of the information-stealing malware EvilGrab and Cobalt Strike Beacon in early 2021 activity.[35] There is a realistic possibility the observed overlaps between EvilGrab and Cobalt Strike are precursors for sophisticated groups that have used EvilGrab in the past adopting Cobalt Strike against new target sets in the remainder of 2021.

To help tackle the impact of threats to testing frameworks:

• Undertake network analysis: Monitor for discovered Beacon watermarks in Cobalt Strike samples to find and understand emerging Cobalt Strike campaigns and better defend against trending TTPs.
• Get familiar with Cobalt Strike activity: Learn how past experiences can help to tackle the threat.
• Strengthen your defense posture: Employ new defense tools to keep pace with evolving challenges.
Commodity malware can invade OT from IT space

Commodity malware, perhaps better termed “high-volume crimeware,” presents a unique and universal challenge due to its availability and scale. It is a danger at the endpoint, enabling further intrusions within a victim network, and can threaten both IT and OT systems.
QakBot, IcedID, DoppelDridex, and Hancitor are examples of commodity malware threats active in February and March 2021. Accenture CTI’s underground reconnaissance team has seldom, if ever, seen threat actors sell these malware types on the Dark Web because relevant threat actors hold onto the malware closely, reducing opportunities to identify spam campaigns early. Organizations need to consider prevention, rather than response, as the most effective defense against commodity malware threats.

What’s happening?

First-stage commodity malware is a notable threat because it enables the deployment of further malware at the endpoint. Threat actors’ use of follow-on commodity malware or tools, such as pirated and abused Cobalt Strike instances, increases the risk of an infection spreading throughout an organization’s infrastructure and even to OT assets.

Here are some of the active malware campaigns observed by Accenture CTI:

Qakbot and IcedID

According to Accenture CTI research, in March 2021, threat actors used large-volume spam campaigns to deliver crimeware via compressed Excel documents. The embedded malicious macros from the Excel documents download crimeware from URLs with paths that end with “[0-9]{5},[0-9]{9,10}.dat”. In a sample activity set, Accenture CTI analysts saw the download of both Qakbot and IcedID payloads during these campaigns. A high percentage of the payloads were Qakbot, an enduring malware dating back to 2007 that can act as a backdoor. The IcedID Gziploader DLL sends information from the victim system to its C2 server along with the IcedID HTTP cookie parameters “__gads” and “_gat”, and the C2 server sends back the IcedID main payload, which is a banking Trojan that also acts as a downloader to deploy follow-on malware.[36]
Where next?

DoppelDridex

A noteworthy spam campaign in March 2021 lured users with an e-mail that appeared to be from intuit[.]com. E-mails from this campaign have included subjects like “Invoice/Sales Receipt” and “Purchase Order Receipt” and attachments with names like “Payment_Receipt [number].xls.” The malicious Excel attachment contains two hidden sheets with invisible strings in cell A15. Upon execution, a macro decodes multiple URLs, downloads the DoppelDridex loader from the URLs and executes it via the Windows regsvr32 process; then the loader drops the embedded DoppelDridex malware into memory and executes it.[37] Threat actors that split from the group responsible for Bitpaymer and Dridex allegedly originated the DoppelDridex malware.[38]

Hancitor

In February and March 2021, spam campaigns delivered the commodity malware Hancitor. Actors spread Hancitor via e-mails with a DocuSign order theme and links to Google Docs URLs hosting malicious Microsoft Word documents. The Word documents dropped an embedded Hancitor DLL to victim systems. Hancitor contacts the C2 domain api.ipify[.]org to report the target machine’s external IP address, contacts its C2 at URLs using the path “/8/forum.php,” and downloads Ficker Stealer from .ru domains. Hancitor may also deliver the Cobalt Strike malware if the victim system has a Microsoft Active Directory environment.[39] Hancitor activity is connected to the threat group MAN1, a criminal enterprise that Accenture CTI has linked to the Dyre banking malware.[40]

To help tackle the impact of commodity malware in OT environments:

• Patch endpoint systems, firewall potential infection vectors, update anti-virus software, keep offline or air-gapped backups and use application whitelists.
• Conduct regular phishing awareness programs for all staff, segment Active Directory domains by function or criticality and maintain a principle of least privilege for each user group and account.
• Remove or disable commonly abused and non-essential services, if appropriate.
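The indicators this section gives (the payload URL path pattern, the IcedID cookie names, the Hancitor C2 path and external-IP lookup, and Excel launching regsvr32) can be turned into detection logic over proxy and endpoint logs. The following is an added example of that, not Accenture CTI tooling or code from the report: the log layout, hostnames and client addresses are constructed for the example, the literal dot in the path pattern is escaped, and the Google Analytics cookie names and api.ipify.org are treated as weak indicators because both occur in legitimate traffic.

```python
"""Indicator matching for the Qakbot/IcedID, DoppelDridex and Hancitor
campaigns described in this section. Example code written for this page,
not Accenture CTI tooling. The log format, hostnames and client addresses
below are constructed for the example."""
import re
from dataclasses import dataclass

# High-confidence indicators taken from the text: the payload URL path
# pattern for the Qakbot/IcedID macro downloads and the Hancitor C2 path.
QAKBOT_ICEDID_DAT = re.compile(r"[0-9]{5},[0-9]{9,10}\.dat$")
HANCITOR_C2_PATH = re.compile(r"^/8/forum\.php(?:\?|$)")

# Low-confidence context: the IcedID Gziploader cookie names are also the
# names of common Google Analytics cookies, and api.ipify.org is a legitimate
# external-IP service that Hancitor calls first. Neither is proof on its own.
ICEDID_COOKIES = {"__gads", "_gat"}
IPIFY_HOST = "api.ipify.org"
ANALYTICS_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}

# DoppelDridex execution step: an Office process launching regsvr32.
OFFICE_PARENTS = {"excel.exe", "winword.exe"}

# Constructed proxy log layout, space separated:
# <timestamp> <client_ip> <method> <host> <path> <cookie names ';'-joined or '-'>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<cookies>\S+)$"
)


@dataclass
class Finding:
    ts: str
    client: str
    family: str
    confidence: str  # "high" or "low"
    reason: str


def match_proxy_line(line):
    """Return a Finding for one proxy log line, or None if nothing matches."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than guess
    ts, client, host, path = m["ts"], m["client"], m["host"], m["path"]
    cookies = set() if m["cookies"] == "-" else set(m["cookies"].split(";"))
    if QAKBOT_ICEDID_DAT.search(path):
        return Finding(ts, client, "Qakbot/IcedID", "high", f"payload path {path}")
    if HANCITOR_C2_PATH.match(path):
        return Finding(ts, client, "Hancitor", "high", f"C2 path {path} on {host}")
    if ICEDID_COOKIES <= cookies and host not in ANALYTICS_HOSTS:
        return Finding(ts, client, "IcedID", "low", f"__gads/_gat cookies sent to {host}")
    if host == IPIFY_HOST:
        return Finding(ts, client, "Hancitor", "low", "external IP lookup via api.ipify.org")
    return None


def match_process_event(ts, host, parent_image, child_image):
    """Flag Excel or Word spawning regsvr32.exe, the DoppelDridex loader step."""
    parent = parent_image.lower().rsplit("\\", 1)[-1]
    child = child_image.lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS and child == "regsvr32.exe":
        return Finding(ts, host, "DoppelDridex", "high", f"{parent} spawned {child}")
    return None


def scan_proxy_log(lines):
    """Match every line, then raise a weak IcedID cookie hit to high confidence
    when the same client already fetched a matching .dat payload: that is the
    Gziploader-then-C2 sequence the section describes."""
    findings = [f for f in map(match_proxy_line, lines) if f]
    payload_clients = {f.client for f in findings
                       if f.family == "Qakbot/IcedID" and f.confidence == "high"}
    for i, f in enumerate(findings):
        if f.family == "IcedID" and f.confidence == "low" and f.client in payload_clients:
            findings[i] = Finding(f.ts, f.client, f.family, "high",
                                  f.reason + " after .dat payload download")
    return findings


# Constructed sample: two infected clients and one benign analytics request.
SAMPLE_PROXY_LOG = [
    "2021-03-10T09:12:01Z 10.0.0.7 GET cdn.example.test /files/12345,123456789.dat -",
    "2021-03-10T09:12:40Z 10.0.0.7 GET c2.example.test /index.php __gads;_gat",
    "2021-03-10T10:02:13Z 10.0.0.9 GET api.ipify.org / -",
    "2021-03-10T10:02:15Z 10.0.0.9 POST host.example.test /8/forum.php -",
    "2021-03-10T10:05:00Z 10.0.0.3 GET www.google-analytics.com /collect __gads;_gat",
    "2021-03-10T10:06:00Z 10.0.0.3 GET www.example.test /index.html -",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.ts} {f.client} {f.family:14} {f.confidence:4} {f.reason}")
    ev = match_process_event("2021-03-10T11:00:00Z", "ws-17",
                             r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                             r"C:\Windows\System32\regsvr32.exe")
    print(ev)
```

Run against the constructed sample, the benign analytics request produces no finding, while the .dat download followed by the cookie-bearing request on the same client is reported as a high-confidence IcedID sequence.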
Dark Web actors challenge IT and OT networks

Dark Web activities, including enablement of CLOP and Hades ransomware actors, information stealers and digital fingerprints in the underground Genesis Market, reflected noteworthy challenges to both IT and OT networks in early 2021.
Dark Web activities, including enablement of CLOP and Hades ransomware, information stealers and fingerprints in the underground Genesis Market, reflected noteworthy challenges to both IT and OT networks in early 2021. As threat actors congregate in Dark Web forums to share and trade tools, TTPs and victim data, they are increasing their pressure tactics, learning how to bypass security protections and finding new ways to monetize malware logs. Organizations need to share information among defenders to understand, prevent, identify and respond to threat activity.

What’s happening?

CLOP and Hades ransomware actors are changing the game

Public reporting in early 2021 tied CLOP ransomware actors to a series of global data breaches exploiting a recently discovered vulnerability in the widely used Accellion File Transfer Appliance (FTA).[41] After a review of the timeline of Accellion FTA compromises, CLOP name-and-shame releases on the Dark Web, victim disclosures and insights from Accenture incident response efforts, Accenture CTI agrees that CLOP ransomware actors likely teamed up with the actors responsible for exploiting the Accellion FTA vulnerability.[42, 43, 44, 45] Profitability and managing victims at scale could result in escalation and copycats over the course of the year.

Hades ransomware actors also gained traction in early 2021 and demonstrated their ability to bypass Endpoint Detection and Response (EDR) tools[46] and reach edge devices.[47] Hades actors manually disabled or used custom tools to evade defenses and this skillset could threaten OT networks.[48] Given the EDR bypass, Accenture CTI considers Hades ransomware actors the latest gang threatening both IT and OT networks. Operators’ schemes now encompass capturing and encrypting company data and traversing IT networks to OT networks.

Ransomware operators rarely succeed when they try to compromise OT networks, but may not even need to do so to achieve their objectives. In both a February 2021 attack on boat builder Beneteau and the May 2021 Colonial Pipeline attack, the mere presence of actors within the IT network forced preventive OT shutdowns and short-term effects comparable to an OT infection. OT shutdowns, even if preventive, may become more common in future attacks against OT-dependent organizations.[49, 50]
Information is easy to buy and even easier to use

Since the beginning of 2021, Accenture CTI observed a slight but noticeable increase in threat actors selling malware logs, which constitute data derived from information stealer malware.[51] Information stealers can collect and log a wide range of sensitive system, user and business information, such as the following:

• System information
• Web browser bookmarks
• Web session cookies
• Login credentials (websites, Remote Desktop Protocol (RDP), Secure Shell Protocol (SSH))
• Payment card data
• Cryptocurrency wallet addresses

A threat actor can use malware logs to masquerade as a legitimate network user and avoid detection, gaining initial access to a victim system by using valid credentials. Threat actors often use malware logs to access an organization’s Web resources and attempt to access privileged administrator accounts on an organization’s webservers. In some cases, they may try to access computers on a victim’s network via services like RDP or SSH. A common alternative action is for threat actors to sell malware logs directly to hackers, or to sell them in bulk to “malware log” Dark Web marketplaces, such as Genesis Market or Russian Market.

Accenture CTI considers the malware logs that Dark Web actors sell in Genesis Market to pose a particularly serious threat to organizations’ IT and OT assets. Genesis Market has drastically lowered barriers to entry for malware log exploitation by compiling and selling malware logs in a format Genesis ads dub “bots” or “plug-ins.” Even less technically savvy threat actors can intuitively use a plug-in with Genesis’ freely available Web browser.
Where next?

To help tackle the impact of the Dark Web on OT networks:

• Undertake responsible monitoring: Seek early warning of potential unauthorized access through responsible Dark Web monitoring, whether directly or through a cyber threat intelligence provider.
• Increase intelligence sharing of incident response analysis: Share information to identify threat signatures and attribution, plan and execute defense and response and prepare network defense and business operations for future threat activity.
• Prepare a continuity of operations plan: Anticipate and develop contingency plans for a potential theft of administrator credentials, a bypass of Endpoint Detection and Response systems and physical shutdowns (either as preventive or reactive measures), to prepare network and business operations for the future occurrence of a ransomware or similar event.
Spotlight: On the edge of security

Edge devices such as Internet of Things (IoT) objects, switches and routers operate at the boundary of a network to control data flowing in and out of the organization. At the border between IT and OT environments, they are critical to OT security—breaches can mean direct access into OT environments, completely bypassing IT networks.

But low rates of network monitoring[52] may make it difficult for OT incident responders to identify attack vectors and causes of intrusion—and leave them unable to advise on how to secure OT systems. As a result, securing edge devices has become as important as securing ICS themselves.

Policy matters. On December 4, 2020, former President Trump signed the Internet of Things Cybersecurity Improvement Act of 2020.[53] The act encourages government agencies to work collaboratively so that IoT security policies are consistent with National Institute of Standards and Technology (NIST) recommendations.[54] The law promises greater security for edge devices and addresses some longstanding challenges. On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, which includes direction to create pilot cybersecurity labelling programs to educate the public on security capabilities of IoT devices and software development practices.[55]

Stringent edge device policies may encourage organizations to allocate funds from many parts of the business to bolster security efforts. With investment in the right places, security leads can secure edge devices in OT environments through a combination of monitoring, response and intelligence.
Targeting edge devices

In February 2021, Accenture CTI discovered a threat actor advertising Citrix VPN access to a “large resources corporation” on a reputable Russian-language forum specializing in malware and ransomware.[56] Citrix is a VPN gateway commonly placed at OT boundaries to connect and correlate various Internet protocols from different networks.

Threat actors often access vulnerable networks and systems such as Citrix by exploiting known vulnerabilities that are unpatched or that vendors are in the process of patching. In late 2019, the still-active threat campaign known as Fox Kitten (also known as UNC757)[57] accessed companies in various industries, including the energy industry, via VPN n-day exploits.[58]

Financially motivated cyber criminals have used VPN access to launch a ransomware attack and may target OT systems—they know manufacturers and other users of ICS are especially vulnerable to downtime and may be more likely to pay ransoms to get their systems back online.

Meanwhile, cyber espionage threat actors may use VPN access to get onto OT networks to steal data or hide with the intention of issuing a destructive attack later. Both threat actor types can access edge devices, which could lead to the disruption of critical business operations and loss of revenue.
Defend the edge

Here are some familiar security capabilities organizations can use to increase their edge device security:

OT Security Operations Center (SOC)

Unlike a traditional SOC that focuses primarily on IT assets, an OT SOC monitors security events in both the IT and OT environments for visibility of threats and risks. Monitoring edge devices on the boundary of an OT environment is a key component of overall cybersecurity and cyber resiliency. An OT SOC coupled with managed detection and response (MDR) can help defend against cyber threats and reduce exposure to them.[59]

OT Incident Response (IR)

OT IR is essential in uncovering how threat actors access OT environments via edge devices if a breach occurs. Insight into how threat actors access edge devices and traverse into an OT environment enables an entity to secure its IT and OT boundaries. Data from OT IR engagements can also help inform red teaming exercises to identify edge vulnerabilities before an edge breach occurs. OT IR is a key component of security in the context of OT and IT convergence, as well as operational security as a whole.

Cyber Threat Intelligence (CTI)

Traditional cyber threat intelligence provides information on threat actors targeting IT or OT, but often only addresses edge device security during the deployment of highly specialized systems. Accenture CTI takes OT security a step further with key vulnerability intelligence and monitors major edge devices, their vendors and their version numbers to make clients aware of threats to IT, OT and cloud environments. Cyber threat intelligence offers improved visibility into overall network threats and informs decision makers how to prioritize security around potential targets and threats.

As edge device vulnerabilities and targeting are on the rise, it is critical for organizations to start changing their security cultures from being reactive to adopting a proactive approach to security “on the edge.”
References

1. Eaton, Collin and Volz, Dustin, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” Wall Street Journal, May 19, 2021.
2. “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” Coveware, February 1, 2021.
3. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” Coveware, April 26, 2021.
4. “2020 Cyber Threatscape Report,” Accenture, October 19, 2020. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” Accenture, December 15, 2020.
5. Accenture Cyber Threat Intelligence, “Ransomware Roundup from iDefense Analysis,” April 8, 2021. IntelGraph reporting.
6. Accenture Cyber Threat Intelligence, “Ransomware Attack on Cyber Insurer Highlights Risks to Cyber Insurance Sector and its Customers,” April 8, 2021. IntelGraph reporting.
7. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CGG Data on Name-and-Shame Site on 1 March 2021,” March 10, 2021. IntelGraph reporting; Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CSX Documents on Name-and-Shame Site on 2 March 2021,” March 10, 2021. IntelGraph reporting.
8. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020; Khodzhibaev, Azim et al, “Interview with a Lockbit Ransomware Operator,” Talos, January 4, 2021.
9. “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” Coveware, February 1, 2021. The average paid ransom declined 34%, from US$233,817 in Q3 to US$154,108 in Q4. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound.”
10. Moore, Andrew et al, “Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion,” FireEye, February 22, 2021; Accenture Cyber Threat Intelligence, “SITREP: Accellion FTA,” February 20, 2021. IntelGraph reporting.
11. Accenture Cyber Threat Intelligence, “Ransomware Gang Extortion Techniques Evolve in 2020 to Devastating Effect,” November 6, 2020. IntelGraph reporting.
12. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020.
13. “What We Know About the DarkSide Ransomware and the US Pipeline Attack,” Trend Micro, May 12, 2021.
14. Accenture Cyber Threat Intelligence, “Ransomware Gang Extortion Techniques Evolve in 2020 to Devastating Effect,” November 6, 2020. IntelGraph reporting.
15. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020.
16. Accenture Cyber Threat Intelligence, “iDefense Global Research Intelligence Digest for 31 March 2021,” March 31, 2021. IntelGraph reporting.
17. Abrams, Lawrence, “Ransomware gang plans to call victim’s business partners about attacks,” March 6, 2021; Smilianets, Dmitry, “‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown,” March 16, 2021.
18. “FBI Statement on Compromise of Colonial Pipeline Networks,” FBI, May 10, 2021.
19. “What We Know About the DarkSide Ransomware and the US Pipeline Attack,” Trend Micro, May 14, 2021.
20. Cimpanu, Catalin, “Some ransomware gangs are going after top execs to pressure companies into paying,” January 9, 2021.
21. Accenture Cyber Threat Intelligence, “Transparency Activists Publicize Ransomware Victims’ Data in a New Twist on Hybrid Financial-Political Threat,” January 8, 2021. IntelGraph reporting.
22. Accenture Cyber Threat Intelligence, “Colonial Pipeline Attack Impacts Ransomware Groups Operating on the Dark Web,” May 17, 2021. IntelGraph reporting.
23. Ilascu, Ionut, “Hackers use black hat SEO to push ransomware, trojans via Google,” Bleeping Computer, March 1, 2021.
24. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
25. Michael, Melissa, “Episode 49 | Ransomware 2.0, with Mikko Hypponen,” F-Secure, January 19, 2021.
26. Toby L, “The rise of ransomware,” National Cyber Security Centre, January 29, 2021.
27. “Adversary Infrastructure Report 2020: A Defender’s View,” Recorded Future, January 7, 2021.
28. Cunliffe, Amy, “The development of Mimir (Amy Cunliffe, Accenture),” CREST Videos, April 9, 2021.
29. “Threat Landscape Trends – Q3 2020,” Symantec, December 18, 2020.
30. “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” FireEye, December 13, 2020.
31. “Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop,” Microsoft, January 20, 2021.
32. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
33. Accenture Cyber Threat Intelligence, “Microsoft Exchange On-Premise Zero-Day Vulnerabilities Related Malware Activity in March 2021,” March 10, 2021. IntelGraph reporting.
34. “HAFNIUM targeting Exchange Servers with 0-day exploits,” Microsoft, March 2, 2021.
35. Accenture Cyber Threat Intelligence, “EvilGrab and Cobalt Strike Beacon Observed having Shared Infrastructure and Communicating,” February 3, 2021. IntelGraph reporting.
36. Accenture Cyber Threat Intelligence, “Spam Campaign Distributes Gziploader to Deploy IcedID (a.k.a. BokBot) Malware in March 2021,” April 14, 2020. IntelGraph reporting.
37. Accenture Cyber Threat Intelligence, “Technical Analysis of DoppelDridex,” April 27, 2021. IntelGraph reporting.
38. Stone-Gross, Brett; Frankoff, Sergei; and Hartley, Bex, “BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0,” July 12, 2019.
39. Accenture Cyber Threat Intelligence, “iDefense Global Research Intelligence Digest for 6 April 2021,” April 6, 2021. IntelGraph reporting.
40. Accenture Cyber Threat Intelligence, “MAN1,” July 16, 2016. IntelGraph reporting.
41. Seals, Tara, “Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11,” Threatpost, February 22, 2021.
42. Accenture Cyber Threat Intelligence, “SITREP: Accellion FTA,” March 5, 2021. IntelGraph reporting.
43. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak Qualys Documents on Name-and-Shame Site on 3 and 4 March 2021,” March 4, 2021. IntelGraph reporting.
44. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CGG Data on Name-and-Shame Site on 1 March 2021,” March 10, 2021. IntelGraph reporting.
45. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CSX Documents on Name-and-Shame Site on 2 March 2021,” March 10, 2021. IntelGraph reporting.
46. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
47. Accenture Cyber Threat Intelligence, “Hades Ransomware Affects Large Corporate Networks from December 2020 to March 2021,” April 9, 2021. IntelGraph reporting.
48. Accenture Cyber Threat Intelligence, “Hades Ransomware Affects Large Corporate Networks from December 2020 to March 2021,” April 9, 2021. IntelGraph reporting.
49. Arghire, Ionut, “Boat Building Giant Beneteau Says Cyberattack Disrupted Production,” Security Week, March 1, 2021.
50. Bertrand, Natasha et al, “Colonial Pipeline did pay ransom to hackers, sources now say,” CNN, May 13, 2021.
51. Accenture Cyber Threat Intelligence, “Monthly Reconnaissance Report,” April 1, 2021.
52. Filkins, Barbara and Wylie, Doug, “SANS 2019 State of OT/ICS Cybersecurity Survey,” SANS, June 2019. Slightly over 50% of survey respondents reported continuous monitoring to detect vulnerabilities, and only 1/3 of 25 surveyed OT/ICS security monitoring technologies were in use across all respondents.
53. United States Congress, “PUBLIC LAW 116–207—DEC. 4, 2020,” December 4, 2020.
54. United States Congress, “PUBLIC LAW 116–207—DEC. 4, 2020,” December 4, 2020.
55. The White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 12, 2021.
56. Accenture Cyber Threat Intelligence, “Threat Actor … Advertise Compromised Citrix Access to Three Large Corporations,” February 26, 2021. IntelGraph reporting.
57. “Groups,” MITRE, accessed May 27, 2021.
58. “Fox Kitten Campaign,” Clearsky Cyber Security, February 16, 2020.
59. “Managed Security,” Accenture, accessed April 4, 2020.
Contacts

Joshua Ray, Managing Director, Accenture Security
Josh Ray is Managing Director for Cyber Defense across Accenture globally. Josh has more than 20 years of combined commercial, government and military experience in the field of cyber intelligence, threat operations and information security. He holds a Bachelor of Science degree in information technology from George Mason University, an Executive Certificate in strategy and innovation from MIT Sloan School of Management and served honorably as a member of the United States Navy.

Howard Marshall, Managing Director, Accenture Security
Howard Marshall is Managing Director for Accenture Cyber Threat Intelligence (CTI) and leads the business globally. Prior to joining, Howard was FBI Deputy Assistant Director of the Cyber Readiness, Outreach and Intelligence Branch. He holds a Bachelor of Arts degree in Political Science and a Juris Doctorate from the University of Arkansas.

Jayson Jean, Senior Manager, Accenture Security
Jayson Jean is Director of Business Operations for Accenture CTI in North America and the Asia Pacific region, with responsibility for business development of the Cyber Threat Intelligence portfolio. Prior to this role, Jayson spent 14 years building the strategic direction and leading product development for vulnerability management at Accenture CTI.

Christopher Foster, Senior Principal, Security Innovation
Chris Foster is Director of Product Strategy for Accenture Cyber Threat Intelligence. Chris has more than 18 years of combined experience in the field of threat intelligence serving public and private sector organizations, including Booz Allen Hamilton, Chevron, the United States Department of Defense and the United States Department of Homeland Security. He holds a Bachelor's degree from Vanderbilt University and an MBA from the McCombs School of Business, University of Texas at Austin.

Contributors
Patton Adams, Will Archer, Adam Bumgarner, Bianca Forbes, Roya Gordon, Hannaire Mekaouar, Nellie Ohr, Max Smith, Nancy Strutt.
About Accenture
Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Interactive, Technology and Operations services—all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 569,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

This document refers to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied. This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. As such, Accenture provides the information and content on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report. The reader is responsible for determining whether or not to follow any of the suggestions, recommendations or potential mitigations set out in this report, entirely at their own discretion.

Copyright © 2021 Accenture. All rights reserved. Accenture and its logo are registered trademarks of Accenture. 210353