2022 KEY TRENDS AND TAKEAWAYS

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.

OVERVIEW

As 2022 comes to a close, this issue of CyberSense provides a summary of the key cybersecurity threats and trends observed over the past 12 months, and a taste of what to expect in 2023.

THE RUSSIA-UKRAINE CONFLICT: THE HACKTIVISM REVIVIAL & SPILLOVER EFFECTS

As the Russia-Ukraine conflict progressed, hacktivism emerged as the dominant malicious cyber activity with the indiscriminate targeting of critical infrastructure and assets, expanding to impact countries and entities that are not directly involved in the conflict. As the latter approaches the ten-month mark, several trends stand out:

Key Targets of Hacktivist Groups:

• Public and private organisations within the combatant states were the main targets of pro-Russian (Killnet, XakNet) and pro-Ukrainian (Anonymous, AgainstTheWest, IT Army) hacktivist groups.
• Other countries that were attacked by pro-Russian hacktivists include those that have applied to join NATO, and those that have supported Ukraine or impeded Russia’s war effort directly or indirectly. These include the US, Germany, Italy, Japan, Norway and the UK. On the other end, Pro-Ukraine hacktivists targeted organisations within Belarus, which is providing active support for Russia.
• Common entities targeted include telecommunications firms, energy corporations, state media, banks and financial services, military entities, government ministries and websites.

What to expect in 2023: Continued risk of collateral damage. Apart from a few isolated incidents (e.g. Viasat ^[1] ), most multi-national organisations or transnational infrastructure have been spared from cyber-attacks. However, a potential expansion of the conflict could see the deployment of worm-able malware, which carries the likelihood of spreading beyond the conflict and out of control, as seen in the 2017 NotPetya cryto-worm outbreak. Attacks can also escalate against operational technology (OT) systems, which play an integral role in managing and monitoring critical industrial processes, greatly increasing the risk of collateral damage.

Takeaways:

• Secure systems and network infrastructure, monitor network connections and review system logs to quickly detect a potential intrusion.
• Monitor for potential campaigns and attacks conducted by threat actors involved in the conflict.
• Prepare incident response and business continuity plans.
• For further details and mitigation measures, please refer to SingCERT's advisory on actions to strengthen your cybersecurity posture amidst of developments in the Russia-Ukraine conflict.
  

CRYPTOCRIME: HACKERS UNFAZED BY THE CRYPTO WINTER

Fuelled by the growing adoption of cryptocurrency and emergence of Decentralised Finance (DeFi), 2022 saw several major cyber-attacks targeting crypto-currency platforms. The fact that most cryptocurrencies have plunged in value since May 2022 notwithstanding, hacking and theft from crypto platforms continued unabated, with US$1.9 billion worth of cryptocurrency pilfered as of mid-2022 ^[2] .

Key Incidents:

Binance, the world’s largest cryptocurrency exchange, lost approximately US$570 million worth of Binance coins (BNB), when attackers exploited a vulnerability in the cross-chain bridge used by the exchange, allowing them to forge transactions and siphon off the BNBs. The exchange claimed it managed to freeze most of the funds, but with approximately US$100 million of BNB reportedly unrecoverable.

• Sky Mavis, a gaming company that lets users earn non-fungible tokens (NFTs) that they can sell for cryptocurrency, reported a theft of US$620 million, comprising approximately US$594 million worth of Ethereum and US$25.5 million worth of USDC stablecoin. Through social engineering attacks, the attacker gained access to transaction validators’ private keys, and used them to sign off on several large withdrawals.
• Nomad, the crypto company behind the Nomad token bridge, reported a theft of US$190 million in cryptocurrency, where a protocol update allowed attackers to extract funds via specially crafted transactions that were processed without proper validation.
• Crypto.com, a cryptocurrency exchange, reported a theft of US$35 million in cryptocurrency, allegedly siphoned off through a handful of fraudulent transactions. Cybersecurity researchers observed that these transactions were approved without safeguards, such as Two-factor Authentication (2FA).

What to expect in 2023: Targeting of crypto-currency platforms to persist.Crypto-assets are likely to remain attractive targets, regardless of fluctuations in value. Coupled with their growing adoption for transactions, the trend of crypto-currency platforms being targeted by threat actors is very likely to continue.

Takeaways:

• Be aware of the risks associated with DeFi, and perform due diligence to research the companies, their tokens, and associated solutions, including their cybersecurity practices, before investing.

DATA BREACHES: BRAZENNESS OF CYBER EXTORTION & RANSOMWARE GANGS

Throughout 2022, cyber extortion gangs and ransomware groups like Lapsus$ and LockBit were actively targeting high-profile targets, from critical infrastructure to entire government systems, either stealing massive databases or disrupting operations. While data breaches are not new, this increased audacity and viciousness could spell a further upswing in the already-brutal cyber extortion/ ransomware trend.

Key Targets Observed:

• Cisco Systems, Microsoft, Okta, Samsung, Uber, and Vodaphone, were amongst several high-profile victims of Lapsus$, a cyber-extortion group known to use social engineering tactics to target privileged accounts.
• Global MNC Thales Group revealed that ransomware group LockBit 3.0 had stolen and leaked data pertaining to the company, while the UK National Health Service’s digital services vendor was hit by a LockBit 3.0 ransomware attack that caused delays in handling urgent care calls and treatment. LockBit 3.0 is one of most prolific ransomware groups in 2022 ^[3]. It has claimed responsibility for several other high-profile incidents such as the attacks on California’s Department of Finance, the Italian Internal Revenue Service, digital security giant Entrust, as well as a Canadian city ^[4].
• Montenegrin and Costa Rican government systems fell victim to country-wide ransomware attacks, claimed by the Cuba and Conti ransomware groups respectively. Operations of multiple government agencies were disrupted for weeks.

What to expect in 2023: The Rise of Ransom for Reputation. With threat actors becoming more brazen, observers forecast a rise in “ransom for reputation”, where a target is extorted by the threat of publicising a fictional breach, preying on human gullibility of believing a claim based on possibly old, open-source data.

Takeaways:

• Maintain full asset visibility within the organisation’s environment and ensure appropriate security controls are implemented to protect assets.
  
• Implement network segmentation within the environment, and limit communications between different network zones.
• Enhance monitoring and detection capabilities to identify anomalous activities within the environment.
• Map out dependencies between operations and business flows and develop appropriate contingency plans into business continuity plans (BCPs).

For further details and mitigation measures, please refer to SingCERT's advisory on further tips for cybersecurity measures to be undertaken by an individual or businesses to manage your devices and online presence.

SOURCES INCLUDE:

Chainalysis, Crypto.com, Cyber Security Hub, Darkreading, Digital Shadows, Dragos, Flashpoint, Forbes, Infosecurity Media Group, ITP.net, Kaspersky, Malwarebytes, Mandiant, MIT Technology Review, Security Affairs, Thales group, Wired, ZDNET

[1] A cyber-attack against Viasat’s KA-SAT telecommunications satellite disrupted satellite internet services for subscribers not only in Ukraine, but across Europe.
[2] According to Chainalysis, as of mid-2022, US$1.9 billion worth of cryptocurrency has been stolen in hacks of services, compared to just under US$1.2 billion at the same point in 2021.
[3] On 12 December 2022, the U.S. Department of Health and Human Services Sector Cybersecurity Coordination Center issued a threat brief warning that cybercriminals wielding LockBit 3.0 have been targeting the healthcare sector since June.
[4] In November 2022, LockBit 3.0 claimed responsibility for a ransomware attack that halted municipal services and shut down employee email accounts in Westmount, Quebec.