2021 Cyber Threat Intelligence Report - Threats Unmasked

Foreword

Accenture Cyber Threat Intelligence (Accenture CTI) has been creating relevant, actionable threat intelligence for more than 20 years. But the rapid pace of cyber threat evolution means that intelligence needs to be timely to be relevant. As a result, we are changing our annual Cyber Threatscape report to a more frequent review, to help decision makers plan and act faster.

In this inaugural issue we highlight early 2021 cyber threat trends and expert perspectives on threats to the operational technology (OT) landscape. In an era of unprecedented uncertainty, with so many devices scattered throughout enterprise networks, it’s challenging for security professionals to keep pace with security demands.

The SolarWinds and Colonial Pipeline incidents, and the large-scale disruptions and cost of ransomware operations, illustrate the growing impact of cyber threat activity on enterprise risk across all industry segments. This risk is increasingly difficult to control and mitigate across both IT and OT environments.

While running industrial systems is eased by virtualization in the cloud and the advance of Internet-connected devices, these technologies are also introducing operational environments to new vulnerabilities and risks.

The global ransomware crisis has entered a new phase, as threat actors adopt stronger pressure tactics and new targets—in particular, manufacturing and critical infrastructure. Ransom impact is more widespread, with attacks often highlighting weaknesses in a company’s security posture. Yet, despite Colonial Pipeline’s recent admission of a US$4.4M payout,[1] victims cannot assume paying a ransom will restore data or prevent leaks,[2] and it seems they recognize that—median ransom payments have fallen from US$110,532 in September 2020 to US$78,398 in March 2021.[3]

As we have seen with the SolarWinds compromise, software supply chain security and third-party compromise vectors are in the spotlight. More generally, ransomware deployment is faster and more diverse, making pre-infection defense extremely difficult.

Enterprise risk management is a team sport that requires a variety of capabilities, a cohesive team, excellent execution of the basics and a willingness to adapt to changing conditions.

Security leaders must demonstrate to the C-suite and the board not only that they understand the criticality of the continuity of operations, but also the importance of working in partnership with the whole business to effectively manage risk.

For more, take a look at our larger security library through our Threat Intelligence, Cyber Defense, and OT Security blogs and our recent Operation: Next OT security summit.

Howard Marshall
Managing Director, Accenture Security

Key trends

Following analysis in the first half of 2021, Accenture CTI identified four trends that are affecting the IT and OT landscape:

1. Ransomware actors test new extortion methods
2. Cobalt Strike is on the rise
3. Commodity malware can invade OT from IT space
4. Dark Web actors challenge IT and OT networks

Ransomware actors test new extortion methods

Ransomware actors are expanding data leak extortion, devising new methods to pressure victims.[4] Their creative approaches are hitting home as they place operational resilience—already tested by the disruptive forces of the pandemic—under increased pressure.

Threat actors are targeting new industries, using higher-pressure tactics to escalate infection consequences and deploying payloads faster to render trusted detection methods too slow. Response options are becoming more complicated. Organizations should focus on preparation, prevention and pre-encryption defenses.

What’s happening?

Targets are shifting

Small manufacturers remain typical targets,[5] but cases in the first months of 2021 targeted critical infrastructure—the May 2021 Colonial Pipeline ransomware paralyzed fuel distribution in much of the southeastern United States—and upstream providers, such as data-rich insurance companies.[6] Ransomware operators disrupt production in organizations that cannot afford downtime and feel pressure to pay ransoms. One group exploited a cloud provider’s product to breach legal, transportation, geophysical and logistics entities.[7]

Tactics are toughening

Ransomware actors generally promise to decrypt their victims’ systems and destroy stolen data after receiving ransoms,[8] but these promises are unreliable. Ransomware negotiator Coveware reported multiple cases in late 2020 where data was destroyed rather than just encrypted, preventing data retrieval even after ransom payment.[9] One group extorted its victims and posted stolen data without even deploying ransomware—apparently viewing exposure as more intimidating to its victims than “bricking” machines.[10]

Where next?

Extortion is becoming personal

New exposure tactics, pioneered in 2020, have gathered speed, compounding data leak extortion damage and adding reputation damage to victim liability lists. In what one report has dubbed “quadruple extortion,” groups are not only encrypting files and threatening to leak data, but also threatening non-payers with distributed denial-of-service (DDoS) attacks[11][12][13] or contacting victims’ customers or business partners, urging them to pressure victims to pay ransoms.[14][15][16][17] DarkSide, the group whose ransomware the FBI has said was responsible for the Colonial attack,[18] is one of the first to offer all four services as part of its affiliate service.[19] Clop actors focused on top executives’ information, seeking blackmail material.[20] Babuk ransomware operators have joined Clop and Snatch actors in gaining broader exposure for their stolen victim data with anti-establishment activist communities.[21] After the fallout from the Colonial Pipeline hack led major underground forum administrators to ban talk of ransomware, Babuk announced a new platform where anyone can publish their stolen data.[22]

Tactics, Techniques, and Procedures (TTPs) are more advanced

Ransomware actors are developing new tools and exploits rapidly. Actors exploit new vulnerabilities—for example, alternative delivery mechanisms such as third-party hosting;[23] Accenture CTI identified notable defense evasion tactics with Hades ransomware operators using tooling and hands-on-keyboard actions to disable endpoint defenses.[24]

To help tackle the impact of ransomware:

• Nip attacks in the bud: Organizations focusing on preparation, prevention, and pre-encryption defense can more effectively face the ransomware crisis.[25][26] Segregation and zero-trust measures can limit threat actor movements if breaches occur.

• Collaborate and report: Collaborate with industry partners, consortiums and law enforcement for greater threat awareness.

• Update risk and mitigation plans: Apply an appropriate risk mitigation strategy that includes aspects such as controls deployment or secure data transmission mechanisms.

Cobalt Strike is on the rise

Testing services have proven themselves as an effective way to assess systems, enabling organizations to address and mitigate risk to their critical production environment. So, it is unsurprising that threat actors continuously seek cost-efficient ways to evade detection and complicate attribution. One of these ways is to integrate open source and commercial tools into their arsenal.

Since at least December 2020, Accenture CTI has observed, from internal research and public reporting,[27] a notable increase in threat actors adopting pirated versions of the commercial penetration testing framework Cobalt Strike.

This pirated software has enabled highly impactful campaigns, including the recently discovered SolarWinds-based compromises, as well as prolific “name-and-shame” ransomware attacks.

Accenture CTI invests significant resources in tooling that identifies, decrypts and tracks Cobalt Strike configurations in the wild.[28]

The framework’s “Beacon” backdoor contains commercial watermarks, which enable analysts to monitor campaigns and target trends about locations of cracked or pirated Cobalt Strike deployments.

Public discussions around the prolific success of a malicious tool can often result in the development of new security detection techniques, leading threat actors to retool. However, due to numerous factors such as increased customization, the current high-profile success of Cobalt Strike abuse means the pirated tool’s popularity is actually growing—a trend that will almost certainly continue through 2021.

What’s happening?

Cobalt Strike is proliferating

Although in use for more than a decade, the number of Cobalt Strike-enabled attacks reportedly increased by 163% between 2019 and 2020.[29] The emergence of pirated Cobalt Strike being abused as a preeminent commodity alternative to malware has occurred for numerous reasons.

In addition to being increasingly accessible, recent Cobalt Strike versions are more customizable than previous versions. As Accenture CTI observed in the recent SolarWinds breach,[30] threat actors are exploiting Cobalt Strike’s malleable command-and-control features to customize default settings of the framework’s Beacon backdoor and defeat detection.

Organizations need to adopt new defensive tools that can counter this growing threat.

Where next?

Attack tools are evolving

Threat actors are evolving their own custom loaders to deliver Cobalt Strike. Notably, attackers developed several custom Cobalt Strike loaders to facilitate the SolarWinds campaign.[31] Accenture CTI has seen the popularity of the tool surge in the first three months of 2021.

Beyond the intensifying use of Cobalt Strike by opportunistic “name and shame” ransomware groups such as REvil (also known as Sodinokibi) and Egregor, Hades ransomware operators have also abused the tool to deploy their ransomware.[32] These ransomware attacks affected multiple victims between December 2020 and March 2021.

Accenture CTI also observed a Cobalt Strike Beacon-type payload in malware hosted on infrastructure likely associated with the newly identified cyber espionage group HAFNIUM.[33] HAFNIUM reportedly used zero-day exploits against critical Microsoft Exchange vulnerabilities, which Microsoft publicly disclosed in March 2021.[34]

Malware is merging

Accenture CTI has identified overlaps between the infrastructure of the information-stealing malware EvilGrab and Cobalt Strike Beacon in early 2021 activity.[35] There is a realistic possibility that the observed overlaps between EvilGrab and Cobalt Strike are precursors for sophisticated groups that have used EvilGrab in the past adopting Cobalt Strike against new target sets in the remainder of 2021.

To help tackle the impact of threats to testing frameworks:

• Undertake network analysis: Monitor for discovered Beacon watermarks in Cobalt Strike samples to find and understand emerging Cobalt Strike campaigns and better defend against trending TTPs.

• Get familiar with Cobalt Strike activity: Learn how past experiences can help to tackle the threat.

• Strengthen your defense posture: Employ new defense tools to keep pace with evolving challenges.
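The “monitor for Beacon watermarks” recommendation above depends on pulling the embedded configuration out of a captured sample. The following Python is an added example, not Accenture CTI’s tooling and not code from the report: it models the publicly documented Beacon configuration layout (a run of TLV settings with a 2-byte index, 2-byte type and 2-byte length, XOR-obfuscated with a one-byte key, watermark at setting index 37) and parses a constructed sample blob. The XOR keys, setting indices and the HTTPS beacon-type value are assumptions to verify against a maintained parser; the host name and padding are constructed for the test.

```python
import struct

# Layout assumptions, modelled on publicly documented Beacon config parsers:
# settings are big-endian TLVs (index, type, length, value), XOR-obfuscated
# with a single-byte key and terminated by an index of 0. Verify these
# constants against a maintained parser before relying on them.
XOR_KEYS = (0x2E, 0x69)            # keys reported for 4.x and 3.x samples
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
SETTING_BEACON_TYPE = 1
SETTING_PORT = 2
SETTING_C2_HOST = 8
SETTING_WATERMARK = 37
BEACON_TYPE_HTTPS = 8              # assumption: value used for HTTPS beacons
# The first setting is always BeaconType (index 1, short, length 2); its
# obfuscated form is the byte signature parsers search for in a sample.
CONFIG_SIGNATURE = b"\x00\x01\x00\x01\x00\x02"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def locate_config(blob: bytes):
    """Return (xor_key, offset) of the obfuscated config inside blob, or None."""
    for key in XOR_KEYS:
        offset = blob.find(xor_bytes(CONFIG_SIGNATURE, key))
        if offset != -1:
            return key, offset
    return None


def parse_config(blob: bytes) -> dict:
    """Decode the TLV settings into {index: value}; empty dict if no config is found."""
    found = locate_config(blob)
    if found is None:
        return {}
    key, start = found
    data = xor_bytes(blob[start:], key)
    settings, off = {}, 0
    while off + 6 <= len(data):
        index, typ, length = struct.unpack_from(">HHH", data, off)
        off += 6
        if index == 0:                    # terminator record
            break
        if off + length > len(data):      # truncated sample: stop cleanly
            break
        raw = data[off:off + length]
        off += length
        if typ == TYPE_SHORT and length == 2:
            settings[index] = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            settings[index] = struct.unpack(">I", raw)[0]
        else:
            settings[index] = raw.rstrip(b"\x00")
    return settings


def extract_watermark(blob: bytes):
    """The licence watermark (setting 37) is the value analysts pivot on across samples."""
    return parse_config(blob).get(SETTING_WATERMARK)


def build_sample(watermark: int, key: int = 0x2E, host: bytes = b"c2.example.invalid") -> bytes:
    """Construct an obfuscated config wrapped in filler bytes (test input only)."""
    def tlv(index, typ, value):
        return struct.pack(">HHH", index, typ, len(value)) + value
    config = (
        tlv(SETTING_BEACON_TYPE, TYPE_SHORT, struct.pack(">H", BEACON_TYPE_HTTPS))
        + tlv(SETTING_PORT, TYPE_SHORT, struct.pack(">H", 443))
        + tlv(SETTING_C2_HOST, TYPE_DATA, host.ljust(256, b"\x00"))
        + tlv(SETTING_WATERMARK, TYPE_INT, struct.pack(">I", watermark))
        + struct.pack(">HHH", 0, 0, 0)
    )
    filler = b"\x90" * 64                 # never collides with either signature
    return filler + xor_bytes(config, key) + filler


if __name__ == "__main__":
    sample = build_sample(0x12345678)
    cfg = parse_config(sample)
    print("watermark:", extract_watermark(sample),
          "host:", cfg[SETTING_C2_HOST].decode(), "port:", cfg[SETTING_PORT])
```

The watermark is the pivot: the same value recurring across unrelated intrusions, or a value publicly tied to a leaked licence, points at a cracked copy rather than an authorised test, and grouping samples by watermark plus C2 host is how a campaign is followed over time.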

Commodity malware can invade OT from IT space

Commodity malware, perhaps better termed “high-volume crimeware,” presents a unique and universal challenge due to its availability and scale. It is a danger at the endpoint, enabling further intrusions within a victim network, and can threaten both IT and OT systems.

QakBot, IcedID, DoppelDridex, and Hancitor are examples of commodity malware threats active in February and March 2021. Accenture CTI’s underground reconnaissance team has seldom, if ever, seen threat actors sell these malware types on the Dark Web because relevant threat actors hold onto the malware closely, reducing opportunities to identify spam campaigns early.

Organizations need to consider prevention, rather than response, as the most effective defense against commodity malware threats.

What’s happening?

First-stage commodity malware is a notable threat because it enables the deployment of further malware at the endpoint. Threat actors’ use of follow-on commodity malware or tools, such as pirated and abused Cobalt Strike instances, increases the risk of an infection spreading throughout an organization’s infrastructure and even to OT assets.

Here are some of the active malware campaigns observed by Accenture CTI:

Qakbot and IcedID

According to Accenture CTI research, in March 2021, threat actors used large-volume spam campaigns to deliver crimeware via compressed Excel documents. The embedded malicious macros from the Excel documents download crimeware from URLs with paths that end with “[0-9]{5},[0-9]{9,10}.dat”. In a sample activity set, Accenture CTI analysts saw the download of both Qakbot and IcedID payloads during these campaigns. A high percentage of the payloads were Qakbot, an enduring malware that dates back to 2007 and can act as a backdoor. The IcedID Gziploader DLL sends information from the victim system to its C2 server along with the IcedID HTTP cookie parameters “__gads” and “_gat”, and the C2 server sends back the IcedID main payload, which is a banking Trojan that also acts as a downloader to deploy follow-on malware.[36]

Where next?

DoppelDridex

A noteworthy spam campaign in March 2021 lured users with an e-mail that appeared to be from intuit[.]com. E-mails from this campaign have included subjects like “Invoice/Sales Receipt” and “Purchase Order Receipt” and attachments with names like “Payment_Receipt [number].xls.” The malicious Excel attachment contains two hidden sheets with invisible strings in cell A15. Upon execution, a macro decodes multiple URLs, downloads the DoppelDridex loader from the URLs and executes it via the Windows regsvr32 process; then the loader drops the embedded DoppelDridex malware into memory and executes it.[37] Threat actors that split from the group responsible for Bitpaymer and Dridex allegedly originated the DoppelDridex malware.[38]

Hancitor

In February and March 2021, spam campaigns delivered the commodity malware Hancitor. Actors spread Hancitor via e-mails with a DocuSign order theme and links to Google Docs URLs hosting malicious Microsoft Word documents. The Word documents dropped an embedded Hancitor DLL to victim systems. Hancitor contacts the C2 domain api.ipify[.]org to report the target machine’s external IP address, contacts its C2 at URLs using the path “/8/forum.php,” and downloads Ficker Stealer from .ru domains. Hancitor may also deliver Cobalt Strike if the victim system has a Microsoft Active Directory environment.[39] Hancitor activity is connected to the threat group MAN1, a criminal enterprise that Accenture CTI has linked to the Dyre banking malware.[40]

To help tackle the impact of commodity malware in OT environments:

• Patch endpoint systems, firewall potential infection vectors, update anti-virus software, keep offline or air-gapped backups and use application whitelists.

• Conduct regular phishing awareness programs for all staff, segment Active Directory domains by function or criticality and maintain a principle of least privilege for each user group and account.

• Remove or disable commonly abused and non-essential services, if appropriate.
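The Qakbot/IcedID, DoppelDridex and Hancitor descriptions above each leave a concrete artefact a defender can look for: the “[0-9]{5},[0-9]{9,10}.dat” download path, the “__gads”/“_gat” cookie pair, the “/8/forum.php” check-in path, the “Payment_Receipt [number].xls” lure and an Office process launching regsvr32. The following Python is an added example, not Accenture CTI’s detection content, that turns those artefacts into a scored per-host triage over constructed proxy log lines and process-creation events. The log format, host names, IPs and command lines are constructed, and extending the Office parent list from Excel to Word is an assumption.

```python
import re
from dataclasses import dataclass

# Indicators are the ones described above for the February/March 2021
# campaigns; every log line and process event in this file is constructed.
QAKBOT_ICEDID_PAYLOAD = re.compile(r"[0-9]{5},[0-9]{9,10}\.dat$")
HANCITOR_CHECKIN = re.compile(r"^/8/forum\.php$")
ICEDID_COOKIES = {"__gads", "_gat"}   # also legitimate analytics cookie names: supporting signal only
DOPPELDRIDEX_LURE = re.compile(r"^Payment_Receipt \d+\.xls$", re.IGNORECASE)
OFFICE_PARENTS = {"excel.exe", "winword.exe"}   # assumption: generalises the Excel macro chain to Word

# Weak signals (cookie names, external IP lookup) never alert alone; they
# only add to the score of a client that already shows a strong indicator.
WEIGHTS = {
    "qakbot-icedid-payload-download": 5,
    "hancitor-c2-checkin": 5,
    "office-spawned-regsvr32": 5,
    "icedid-cookie-pair": 2,
    "external-ip-lookup": 1,
}
STRONG = 5


@dataclass
class ProxyEvent:
    client: str
    host: str
    path: str
    cookies: str


@dataclass
class ProcessEvent:
    client: str
    parent_image: str
    image: str
    command_line: str


def parse_proxy_line(line: str) -> ProxyEvent:
    """Constructed format: <timestamp> <client> <method> <host> <path> <Cookie header or ->"""
    _ts, client, _method, host, path, cookies = line.split(maxsplit=5)
    return ProxyEvent(client, host.lower(), path, "" if cookies == "-" else cookies)


def cookie_names(header: str) -> set:
    return {part.split("=", 1)[0].strip() for part in header.split(";") if part.strip()}


def classify_proxy(ev: ProxyEvent) -> list:
    findings = []
    if QAKBOT_ICEDID_PAYLOAD.search(ev.path):
        findings.append("qakbot-icedid-payload-download")
    if HANCITOR_CHECKIN.match(ev.path):
        findings.append("hancitor-c2-checkin")
    if ICEDID_COOKIES <= cookie_names(ev.cookies):
        findings.append("icedid-cookie-pair")
    if ev.host == "api.ipify.org":
        findings.append("external-ip-lookup")
    return findings


def classify_process(ev: ProcessEvent) -> list:
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and image == "regsvr32.exe":
        return ["office-spawned-regsvr32"]
    return []


def is_doppeldridex_lure(attachment_name: str) -> bool:
    return bool(DOPPELDRIDEX_LURE.match(attachment_name))


def score_hosts(proxy_lines, process_events) -> dict:
    """Aggregate findings per client; report only clients with a strong indicator."""
    per_client = {}
    for line in proxy_lines:
        ev = parse_proxy_line(line)
        per_client.setdefault(ev.client, set()).update(classify_proxy(ev))
    for ev in process_events:
        per_client.setdefault(ev.client, set()).update(classify_process(ev))
    report = {}
    for client, found in per_client.items():
        if any(WEIGHTS[f] >= STRONG for f in found):
            report[client] = {"score": sum(WEIGHTS[f] for f in found), "findings": sorted(found)}
    return report


PROXY_LOG = """\
2021-03-10T09:14:02Z 10.0.0.21 GET cdn-update.example.invalid /pk/12345,1234567890.dat -
2021-03-10T09:15:40Z 10.0.0.21 POST stat.example.invalid /8/forum.php -
2021-03-10T09:16:01Z 10.0.0.21 GET api.ipify.org / -
2021-03-10T09:17:12Z 10.0.0.21 POST sync.example.invalid /update.php __gads=ID=abc; _gat=1
2021-03-10T09:18:00Z 10.0.0.22 GET www.example.invalid /index.html __gads=ID=xyz; _gat=1
""".splitlines()

PROCESS_EVENTS = [
    ProcessEvent("10.0.0.21", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\rcpt.dll"),
    ProcessEvent("10.0.0.22", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),
]

if __name__ == "__main__":
    for client, result in score_hosts(PROXY_LOG, PROCESS_EVENTS).items():
        print(client, result)
```

The weighting is the point: “__gads” and “_gat” are also ordinary analytics cookie names and an external IP lookup has many benign uses, so in the constructed data client 10.0.0.22, which only shows the cookie pair and a regsvr32 launched by explorer.exe, produces nothing, while 10.0.0.21 is reported with every supporting signal attached to its strong indicators.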

Dark Web actors challenge IT and OT networks

Dark Web activities, including enablement of CLOP and Hades ransomware actors, information stealers and digital fingerprints in the underground Genesis Market, reflected noteworthy challenges to both IT and OT networks in early 2021.

Dark Web activities, including enablement of CLOP and Hades ransomware, information stealers and fingerprints in the underground Genesis Market, reflected noteworthy challenges to both IT and OT networks in early 2021.

As threat actors congregate in Dark Web forums to share and trade tools, TTPs and victim data, they are increasing their pressure tactics, learning how to bypass security protections and finding new ways to monetize malware logs.

Organizations need to share information among defenders to understand, prevent, identify and respond to threat activity.

What’s happening?

CLOP and Hades ransomware actors are changing the game

Public reporting in early 2021 tied CLOP ransomware actors to a series of global data breaches exploiting a recently discovered vulnerability in the widely used Accellion File Transfer Appliance (FTA).[41] After a review of the timeline of Accellion FTA compromises, CLOP name-and-shame releases on the Dark Web, victim disclosures and insights from Accenture incident response efforts, Accenture CTI agrees that CLOP ransomware actors likely teamed up with the actors responsible for exploiting the Accellion FTA vulnerability.[42][43][44][45] Profitability and managing victims at scale could result in escalation and copycats over the course of the year.

Hades ransomware actors also gained traction in early 2021 and demonstrated their ability to bypass Endpoint Detection and Response (EDR) tools[46] and reach edge devices.[47] Hades actors manually disabled or used custom tools to evade defenses, and this skillset could threaten OT networks.[48] Given the EDR bypass, Accenture CTI considers Hades ransomware actors the latest gang threatening both IT and OT networks. Operators’ schemes now encompass capturing and encrypting company data and traversing IT networks to OT networks.

Ransomware operators rarely succeed when they try to compromise OT networks, but may not even need to do so to achieve their objectives. In both a February 2021 attack on boat builder Beneteau and the May 2021 Colonial Pipeline attack, the mere presence of actors within the IT network forced preventive OT shutdowns and short-term effects comparable to an OT infection. OT shutdowns, even if preventive, may become more common in future attacks against OT-dependent organizations.[49][50]

Information is easy to buy and even easier to use

Since the beginning of 2021, Accenture CTI observed a slight but noticeable increase in threat actors selling malware logs, which constitute data derived from information stealer malware.[51] Information stealers can collect and log a wide range of sensitive system, user and business information, such as the following:

• System information
• Web browser bookmarks
• Web session cookies
• Login credentials (websites, Remote Desktop Protocol (RDP), Secure Shell Protocol (SSH))
• Payment card data
• Cryptocurrency wallet addresses

A threat actor can use malware logs to masquerade as a legitimate network user and avoid detection, gaining initial access to a victim system by using valid credentials. Threat actors often use malware logs to access an organization’s Web resources and attempt to access privileged administrator accounts on an organization’s webservers. In some cases, they may try to access computers on a victim’s network via services like RDP or SSH. A common alternative action is for threat actors to sell malware logs directly to hackers, or to sell them in bulk to “malware log” Dark Web marketplaces, such as Genesis Market or Russian Market.

Accenture CTI considers the malware logs that Dark Web actors sell in Genesis Market to pose a particularly serious threat to organizations’ IT and OT assets. Genesis Market has drastically lowered barriers to entry for malware log exploitation by compiling and selling malware logs in a format Genesis ads dub “bots” or “plug-ins.” Even less technically savvy threat actors can intuitively use a plug-in with Genesis’ freely available Web browser.
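Because the stolen material listed above (session cookies, RDP and SSH credentials) is valid, credential checks pass; what changes is who presents it and from where. The following Python is an added example, not Accenture CTI’s code, of two checks over constructed access events: a web session cookie reappearing from a different network, flagged even when the user agent matches, on the assumption that a stolen browser fingerprint can be replayed alongside the cookie; and a remote-access or privileged-account login from a network absent from the user’s baseline. Event records, IP addresses, user names, the privileged-account list and the /16 origin granularity are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class AccessEvent:
    ts: str                           # ISO-8601 timestamp (constructed)
    user: str
    service: str                      # "web", "rdp" or "ssh"
    src_ip: str
    user_agent: str = ""              # empty for RDP/SSH
    session_id: Optional[str] = None  # web session cookie value (hash it in a real pipeline)


PRIVILEGED_USERS = {"admin-ops"}       # constructed: accounts that get new-origin alerts on any service
REMOTE_ACCESS = {"rdp", "ssh"}


def network_of(ip: str) -> str:
    """Coarse origin network: /16 for IPv4, /32 for IPv6 (assumption: enough to separate providers here)."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _alert(ev: AccessEvent, reason: str, detail: str) -> dict:
    return {"ts": ev.ts, "user": ev.user, "service": ev.service, "reason": reason, "detail": detail}


def detect_credential_abuse(events: List[AccessEvent], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Two checks, run in time order:
    1. Session continuity: a session cookie that reappears from another network is
       flagged even if the user agent is identical; a user-agent change on the same
       network is flagged as a weaker signal.
    2. New origin: a remote-access login, or any login by a privileged user, from a
       network that is not in that user's baseline of known networks.
    """
    alerts = []
    session_origin: Dict[str, tuple] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        net = network_of(ev.src_ip)
        if ev.session_id:
            first_net, first_ua = session_origin.setdefault(ev.session_id, (net, ev.user_agent))
            if net != first_net:
                alerts.append(_alert(ev, "session-reused-from-new-network", f"{first_net} -> {net}"))
            elif ev.user_agent != first_ua:
                alerts.append(_alert(ev, "session-user-agent-changed", f"{first_ua} -> {ev.user_agent}"))
        known = baseline.get(ev.user, set())
        if net not in known and (ev.service in REMOTE_ACCESS or ev.user in PRIVILEGED_USERS):
            alerts.append(_alert(ev, "valid-credential-from-new-network", net))
    return alerts


# Constructed baseline: networks each user has been seen from during normal use.
BASELINE = {
    "alice": {network_of("203.0.113.10")},
    "bob": {network_of("192.0.2.5")},
    "carol": {network_of("192.0.2.77")},
    "admin-ops": {network_of("192.0.2.20")},
}

# Constructed access events using documentation-range IP addresses.
EVENTS = [
    AccessEvent("2021-03-02T09:00:00Z", "alice", "web", "203.0.113.10", "UA-Chrome-Win", "sess-A"),
    AccessEvent("2021-03-02T09:05:00Z", "alice", "web", "203.0.113.44", "UA-Chrome-Win", "sess-A"),  # same /16: tolerated
    AccessEvent("2021-03-02T11:30:00Z", "alice", "web", "198.51.100.7", "UA-Chrome-Win", "sess-A"),  # replayed cookie, same fingerprint
    AccessEvent("2021-03-02T11:31:00Z", "bob", "web", "192.0.2.5", "UA-Firefox-Mac", "sess-B"),
    AccessEvent("2021-03-02T11:40:00Z", "bob", "web", "192.0.2.5", "UA-Edge-Win", "sess-B"),         # fingerprint drift
    AccessEvent("2021-03-02T23:12:00Z", "admin-ops", "rdp", "198.51.100.9"),                          # valid credentials, new network
    AccessEvent("2021-03-03T08:00:00Z", "carol", "ssh", "192.0.2.77"),                                # known network: quiet
]

if __name__ == "__main__":
    for alert in detect_credential_abuse(EVENTS, BASELINE):
        print(alert)
```

On the constructed data the alice session is the instructive case: the replayed cookie arrives with the original user agent, so a fingerprint-only check stays silent and only the network-origin change exposes it. Tolerating movement inside a /16 keeps ordinary address churn from paging anyone; tighten or loosen that granularity to match how the organisation’s users actually connect.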

Where next?

To help tackle the impact of the Dark Web on OT networks:

• Undertake responsible monitoring: Seek early warning of potential unauthorized access through responsible Dark Web monitoring, whether directly or through a cyber threat intelligence provider.

• Increase intelligence sharing of incident response analysis: Share information to identify threat signatures and attribution, plan and execute defense and response and prepare network defense and business operations for future threat activity.

• Prepare a continuity of operations plan: Anticipate and develop contingency plans for a potential theft of administrator credentials, a bypass of Endpoint Detection and Response systems and physical shutdowns (either as preventive or reactive measures), to prepare network and business operations for the future occurrence of a ransomware or similar event.

Spotlight: On the edge of security
Edge devices such as Internet of Things (IoT) objects, switches and routers operate at the
boundary of a network to control data flowing in and out of the organization. At the border
between IT and OT environments, they are critical to OT security—breaches can mean
direct access into OT environments, completely bypassing IT networks.

But low rates of network monitoring52 make it difficult for OT incident responders to identify attack vectors and causes of intrusion, and leave them unable to advise on how to secure OT systems. As a result, securing edge devices has become as important as securing the ICS themselves.

Policy matters. On December 4, 2020, former President Trump signed the Internet of Things Cybersecurity Improvement Act of 2020.53 The act encourages government agencies to work collaboratively so that IoT security policies are consistent with National Institute of Standards and Technology (NIST) recommendations.54 The law promises greater security for edge devices and addresses some longstanding challenges. On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, which includes direction to create pilot cybersecurity labelling programs to educate the public on the security capabilities of IoT devices and on software development practices.55

Stringent edge device policies may encourage organizations to allocate funds from many parts of the business to bolster security efforts. With investment in the right places, security leads can secure edge devices in OT environments through a combination of monitoring, response and intelligence.

Targeting edge devices
In February 2021, Accenture CTI discovered a threat actor advertising Citrix VPN access to a “large resources corporation” on a reputable Russian-language forum specializing in malware and ransomware.56 Citrix Gateway is a VPN gateway appliance commonly placed at OT boundaries to broker remote access between networks.

Threat actors often access vulnerable networks and systems such as Citrix gateways by exploiting known vulnerabilities that are unpatched or that vendors are in the process of patching. In late 2019, the still-active threat campaign known as Fox Kitten (also known as UNC757)57 accessed companies in various industries, including the energy industry, via VPN n-day exploits.58

Financially motivated cyber criminals have used VPN access to launch ransomware attacks and may target OT systems: they know manufacturers and other users of ICS are especially vulnerable to downtime and may be more likely to pay ransoms to get their systems back online.

Meanwhile, cyber espionage threat actors may use VPN access to get onto OT networks to steal data, or to hide with the intention of issuing a destructive attack later. Both threat actor types can access edge devices, which could lead to the disruption of critical business operations and loss of revenue.
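Whether the buyer of that Citrix access is a ransomware affiliate or an espionage group, the first thing they do with it is the same: a VPN session appears, and shortly afterwards the address the gateway handed out starts talking to OT subnets. A boundary monitor that joins gateway logins to firewall flows catches that pivot early, and flags traffic on ICS protocol ports hardest. The following is an added example, not code from the report or from any vendor: the log line formats, the VPN pool, the OT address space and the sample events are all constructed for illustration (the port-to-protocol mapping uses the standard Modbus/TCP, DNP3 and EtherNet/IP ports).

```python
"""Correlate VPN gateway logins with firewall flows into OT address space.

Added example with constructed log formats and addresses; not a real gateway's syslog format.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

OT_NETS = [ip_network("10.200.0.0/16")]              # assumed OT/ICS address space
VPN_POOL = ip_network("10.50.0.0/24")                 # assumed pool the VPN gateway assigns to clients
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}  # well-known ICS ports

# Assumed line formats for the two sources.
VPN_RE = re.compile(r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) client_ip=(?P<client>\S+) assigned_ip=(?P<assigned>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw allow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample: one legitimate-looking login that then reaches a PLC on Modbus, one flow from a
# pool address with no matching login, and one engineering-workstation flow that should not alert.
SAMPLE_LOG = """\
2021-02-10T08:01:12Z vpn login user=j.doe client_ip=198.51.100.23 assigned_ip=10.50.0.17
2021-02-10T08:02:05Z fw allow src=10.50.0.17 dst=10.10.4.20 dport=443
2021-02-10T08:03:40Z fw allow src=10.50.0.17 dst=10.200.1.5 dport=502
2021-02-10T08:04:02Z fw allow src=10.50.0.99 dst=10.200.1.9 dport=44818
2021-02-10T08:05:00Z fw allow src=10.10.4.20 dst=10.200.1.5 dport=502
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(lines):
    """Return one alert per allowed flow from a VPN-assigned address into an OT subnet.

    Logs are assumed to be in time order, so the session table is built as lines are read.
    A pool address with no recorded login is still reported: that gap is itself a finding.
    """
    sessions = {}   # assigned VPN address -> (user, login time, external client address)
    alerts = []
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            sessions[m["assigned"]] = (m["user"], _ts(m["ts"]), m["client"])
            continue
        m = FW_RE.match(line)
        if not m:
            continue
        src, dst, dport = ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"])
        if src not in VPN_POOL or not any(dst in net for net in OT_NETS):
            continue    # not a remote-access client, or not OT-bound
        user, login_at, client = sessions.get(m["src"], ("<unknown session>", None, None))
        age = (_ts(m["ts"]) - login_at).total_seconds() if login_at else None
        alerts.append({
            "user": user, "client_ip": client, "src": m["src"], "dst": m["dst"],
            "dport": dport, "protocol": ICS_PORTS.get(dport, "other"),
            "seconds_after_login": age,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a['user']} ({a['client_ip']}) {a['src']} -> {a['dst']}:{a['dport']} "
              f"{a['protocol']} after {a['seconds_after_login']}s")
```

On the sample, the workstation-to-PLC flow is ignored (it did not originate from the remote-access pool), while the two pool-originated flows into OT are returned, one tied to j.doe 148 seconds after login and one with no login on record. In production the session table would be fed by the gateway's own accounting records and the OT and pool ranges by the firewall's zone definitions.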

Defend the edge
Here are some familiar security capabilities organizations can use to increase their edge device security:

OT Security Operations Center (SOC)
Unlike a traditional SOC that focuses primarily on IT assets, an OT SOC monitors security events in both the IT and OT environments for visibility of threats and risks. Monitoring edge devices on the boundary of an OT environment is a key component of overall cybersecurity and cyber resiliency. An OT SOC coupled with managed detection and response (MDR) can help defend against cyber threats and reduce exposure to them.59

OT Incident Response (IR)
OT IR is essential in uncovering how threat actors access OT environments via edge devices if a breach occurs. Insight into how threat actors access edge devices and traverse into an OT environment enables an organization to secure its IT and OT boundaries. Data from OT IR engagements can also help inform red teaming exercises to identify edge vulnerabilities before an edge breach occurs. OT IR is a key component of security in the context of OT and IT convergence, as well as of operational security as a whole.

Cyber Threat Intelligence (CTI)
Traditional cyber threat intelligence provides information on threat actors targeting IT or OT, but often only addresses edge device security during the deployment of highly specialized systems. Accenture CTI takes OT security a step further with key vulnerability intelligence and monitors major edge devices, their vendors and their version numbers to make clients aware of threats to IT, OT and cloud environments.

Cyber threat intelligence offers improved visibility into overall network threats and informs decision makers how to prioritize security around potential targets and threats.

As edge device vulnerabilities and targeting are on the rise, it is critical for organizations to start changing their security cultures from being reactive to adopting a proactive approach to security “on the edge.”

References
1. Eaton, Collin and Volz, Dustin, “Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom,” Wall Street Journal, May 19, 2021.
2. “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” Coveware, February 1, 2021.
3. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” Coveware, April 26, 2021.
4. “2020 Cyber Threatscape Report,” Accenture, October 19, 2020. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” Accenture, December 15, 2020.
5. Accenture Cyber Threat Intelligence, “Ransomware Roundup from iDefense Analysis,” April 8, 2021. IntelGraph reporting.
6. Accenture Cyber Threat Intelligence, “Ransomware Attack on Cyber Insurer Highlights Risks to Cyber Insurance Sector and its Customers,” April 8, 2021. IntelGraph reporting.
7. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CGG Data on Name-and-Shame Site on 1 March 2021,” March 10, 2021. IntelGraph reporting; Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CSX Documents on Name-and-Shame Site on 2 March 2021,” March 10, 2021. IntelGraph reporting.
8. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020. Khodzhibaev, Azim et al, “Interview with a Lockbit Ransomware Operator,” Talos, January 4, 2021.
9. “Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands,” Coveware, February 1, 2021. The average paid ransom declined 34%, from US$233,817 in Q3 to US$154,108 in Q4. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound.”
10. Moore, Andrew et al, “Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion,” FireEye, February 22, 2021; Accenture Cyber Threat Intelligence, “SITREP: Accellion FTA,” February 20, 2021. IntelGraph reporting.
11. Accenture Cyber Threat Intelligence, “Ransomware Gang Extortion Techniques Evolve in 2020 to Devastating Effect,” November 6, 2020. IntelGraph reporting.
12. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020.
13. “What We Know About the DarkSide Ransomware and the US Pipeline Attack,” Trend Micro, May 12, 2021.
14. Accenture Cyber Threat Intelligence, “Ransomware Gang Extortion Techniques Evolve in 2020 to Devastating Effect,” November 6, 2020. IntelGraph reporting.
15. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020.
16. Accenture Cyber Threat Intelligence, “iDefense Global Research Intelligence Digest for 31 March 2021,” March 31, 2021. IntelGraph reporting.
17. Abrams, Lawrence, “Ransomware gang plans to call victim’s business partners about attacks,” March 6, 2021. Smilianets, Dmitry, “‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown,” March 16, 2021.
18. “FBI Statement on Compromise of Colonial Pipeline Networks,” FBI, May 10, 2021.
19. “What We Know About the DarkSide Ransomware and the US Pipeline Attack,” Trend Micro, May 14, 2021.
20. Cimpanu, Catalin, “Some ransomware gangs are going after top execs to pressure companies into paying,” January 9, 2021.
21. Accenture Cyber Threat Intelligence, “Transparency Activists Publicize Ransomware Victims’ Data in a New Twist on Hybrid Financial-Political Threat,” January 8, 2021. IntelGraph reporting.
22. Accenture Cyber Threat Intelligence, “Colonial Pipeline Attack Impacts Ransomware Groups Operating on the Dark Web,” May 17, 2021. IntelGraph reporting.
23. Ilascu, Ionut, “Hackers use black hat SEO to push ransomware, trojans via Google,” Bleeping Computer, March 1, 2021.
24. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
25. Michael, Melissa, “Episode 49 | Ransomware 2.0, with Mikko Hypponen,” F-Secure, January 19, 2021.
26. Toby L, “The rise of ransomware,” National Cyber Security Centre, January 29, 2021.
27. “Adversary Infrastructure Report 2020: A Defender’s View,” Recorded Future, January 7, 2021.
28. Cunliffe, Amy, “The development of Mimir (Amy Cunliffe, Accenture),” CREST Videos, April 9, 2021.
29. “Threat Landscape Trends – Q3 2020,” Symantec, December 18, 2020.
30. “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” FireEye, December 13, 2020.
31. “Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop,” Microsoft, January 20, 2021.
32. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
33. Accenture Cyber Threat Intelligence, “Microsoft Exchange On-Premise Zero-Day Vulnerabilities Related Malware Activity in March 2021,” March 10, 2021. IntelGraph reporting.
34. “HAFNIUM targeting Exchange Servers with 0-day exploits,” Microsoft, March 2, 2021.
35. Accenture Cyber Threat Intelligence, “EvilGrab and Cobalt Strike Beacon Observed having Shared Infrastructure and Communicating,” February 3, 2021. IntelGraph reporting.
36. Accenture Cyber Threat Intelligence, “Spam Campaign Distributes Gziploader to Deploy IcedID (a.k.a. BokBot) Malware in March 2021,” April 14, 2020. IntelGraph reporting.
37. Accenture Cyber Threat Intelligence, “Technical Analysis of DoppelDridex,” April 27, 2021. IntelGraph reporting.
38. Stone-Gross, Brett; Frankoff, Sergei; and Hartley, Bex, “BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0,” July 12, 2019.
39. Accenture Cyber Threat Intelligence, “iDefense Global Research Intelligence Digest for 6 April 2021,” April 6, 2021. IntelGraph reporting.
40. Accenture Cyber Threat Intelligence, “MAN1,” July 16, 2016. IntelGraph reporting.
41. Seals, Tara, “Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11,” Threatpost, February 22, 2021.
42. Accenture Cyber Threat Intelligence, “SITREP: Accellion FTA,” March 5, 2021. IntelGraph reporting.
43. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak Qualys Documents on Name-and-Shame Site on 3 and 4 March 2021,” March 4, 2021. IntelGraph reporting.
44. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CGG Data on Name-and-Shame Site on 1 March 2021,” March 10, 2021. IntelGraph reporting.
45. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CSX Documents on Name-and-Shame Site on 2 March 2021,” March 10, 2021. IntelGraph reporting.
46. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
47. Accenture Cyber Threat Intelligence, “Hades Ransomware Affects Large Corporate Networks from December 2020 to March 2021,” April 9, 2021. IntelGraph reporting.
48. Accenture Cyber Threat Intelligence, “Hades Ransomware Affects Large Corporate Networks from December 2020 to March 2021,” April 9, 2021. IntelGraph reporting.
49. Arghire, Ionut, “Boat Building Giant Beneteau Says Cyberattack Disrupted Production,” Security Week, March 1, 2021.
50. Bertrand, Natasha et al, “Colonial Pipeline did pay ransom to hackers, sources now say,” CNN, May 13, 2021.
51. Accenture Cyber Threat Intelligence, “Monthly Reconnaissance Report,” April 1, 2021.
52. Filkins, Barbara and Wylie, Doug, “SANS 2019 State of OT/ICS Cybersecurity Survey,” SANS, June 2019. Slightly over 50% of survey respondents reported continuous monitoring to detect vulnerabilities, and only 1/3 of 25 surveyed OT/ICS security monitoring technologies were in use across all respondents.
53. United States Congress, “PUBLIC LAW 116–207—DEC. 4, 2020,” December 4, 2020.
54. United States Congress, “PUBLIC LAW 116–207—DEC. 4, 2020,” December 4, 2020.
55. The White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 12, 2021.
56. Accenture Cyber Threat Intelligence, “Threat Actor … Advertise Compromised Citrix Access to Three Large Corporations,” February 26, 2021. IntelGraph reporting.
57. “Groups,” MITRE, accessed May 27, 2021.
58. “Fox Kitten Campaign,” Clearsky Cyber Security, February 16, 2020.
59. “Managed Security,” Accenture, accessed April 4, 2020.
Contacts

Joshua Ray
Managing Director
Accenture Security
Josh Ray is Managing Director for Cyber Defense across Accenture globally. Josh has more than 20 years of combined commercial, government and military experience in the field of cyber intelligence, threat operations and information security. He holds a Bachelor of Science degree in information technology from George Mason University, an Executive Certificate in strategy and innovation from MIT Sloan School of Management and served honorably as a member of the United States Navy.

Howard Marshall
Managing Director
Accenture Security
Howard Marshall is Managing Director for Accenture Cyber Threat Intelligence (CTI) and leads the business globally. Prior to joining, Howard was FBI Deputy Assistant Director of the Cyber Readiness, Outreach and Intelligence Branch. He holds a Bachelor of Arts degree in Political Science and a Juris Doctor from the University of Arkansas.

Jayson Jean
Senior Manager
Accenture Security
Jayson Jean is Director of Business Operations for Accenture CTI in North America and the Asia Pacific region, with responsibility for business development of the Cyber Threat Intelligence portfolio. Prior to this role, Jayson spent 14 years building the strategic direction and leading product development for vulnerability management at Accenture CTI.

Christopher Foster
Senior Principal
Security Innovation
Chris Foster is Director of Product Strategy for Accenture Cyber Threat Intelligence. Chris has more than 18 years of combined experience in the field of threat intelligence serving public and private sector organizations, including Booz Allen Hamilton, Chevron, the United States Department of Defense and the United States Department of Homeland Security. He holds a Bachelor’s degree from Vanderbilt University and an MBA from the McCombs School of Business, University of Texas at Austin.

Contributors
Patton Adams, Will Archer, Adam Bumgarner, Bianca Forbes, Roya Gordon, Hannaire Mekaouar, Nellie Ohr, Max Smith, Nancy Strutt.

About Accenture
Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Interactive, Technology and Operations services—all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 569,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

This document refers to marks owned by third parties. All such third-party marks are the property of their respective owners.
No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.

Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation.
The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique
action. As such, Accenture provides the information and content on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to
act taken in response to the information contained or referenced in this report. The reader is responsible for determining whether or not to follow any of the suggestions,
recommendations or potential mitigations set out in this report, entirely at their own discretion.

Copyright © 2021 Accenture. All rights reserved.
Accenture and its logo are registered trademarks of Accenture.                                                                                                                                     210353