2022: like 2021 but moreso, quicker and with greater sophistication on all sides.
By Tim Nodar, the CyberWire staff
Dec 24, 2021

What do the experts expect for 2022? An increase in sophistication on all sides, from the hoods to the heroes.


Expectations for 2022 tend to be evolutionary, not revolutionary. Those offering predictions see an increase in 2021's tempo, as both attackers and defenders learn from one another and react to the opposition's moves.

Expect more ransomware, as criminal organizations mature.

Mandiant believes ransomware attacks will accelerate, barring any significant innovations from government or industry:

"Ransomware threats will continue to grow unless governments and technological innovations can significantly change the cost-benefit calculation for attackers, as the crime is simply too lucrative. These kinds of attacks are also expected to rise in critical industries where paying cyber criminals is imperative to protect health and safety. New tactics are expected from attackers as they become more business savvy and anticipate counter-negotiation strategies.

"Further, there is an anticipated increase in conflict among bad actors within ransomware-as-a-service operations, affecting how victims and organizations think about making ransom payments. The US government has placed sanctions on suspected threat actors in an effort to curb ransomware attacks. However, this approach to stop organizations from paying money to extortionists can cause negative recourse for victims."

Shay Nahari, CyberArk's VP of Red Team, predicts that ransomware-as-a-service offerings will continue to grow more sophisticated:

"The evolution of ransomware as a service (RaaS) has only just begun. In 2022, the provision of ransomware will continue to evolve from cottage industry to something more akin to coteries of specialists. We will see operator-driven ransomware expand, with a clear distinction between off-the-shelf ransomware payloads and delivery methods, skilled practitioners moving through networks, and experts that make the actual ransomware code....In addition, most current ransomware families share multiple technical behaviors, tactics, techniques and procedures (e.g. the way they delete backup encryption functions, perform initial execution, etc.), of which security tools typically find common denominators to detect and block. The widespread adoption of security tools designed to combat ransomware is forcing ransomware authors to innovate and find different methods to avoid common detections being deployed today."

Ben Smith, Field CTO at NetWitness, says 2022 will see a continuation of double-extortion ransomware attacks:

"The 'double-extortion' model, where your data is encrypted and the adversary simultaneously threatens to release the data, will persist. Much as there has been every year, there will be new combinations of existing tactics, as attackers continue to innovate in how they run their own revenue-generating business operations for greatest efficiency. Attacks launched from locations not addressed by the US legal system will further complicate response efforts."

Likewise, Chris Berry, CTO and GM of Security Solutions, PDI Software, expects to see an increase in data theft extortion alongside ransomware attacks:

"In 2022, we’ll continue to see the proliferation of ransomware hitting all sizes of businesses. But we’ll also see an escalation of the ransomware attack model with extortionware. With more businesses maintaining secure backups to avoid paying a ransom to unlock encrypted data, cybercriminals are now threatening to publicly expose sensitive data. Doing so can cause significant business risk, especially when the blast radius extends to customer, partner, or vendor data."

Nigel Thorpe, Technical Director at SecureAge, says ransomware attackers will likely focus on critical infrastructure:

"One of the biggest stories in cybersecurity this year was the attack on the Colonial Pipeline that had ripple effects on many industries. But it was far from the only utility company that was targeted in 2021. We’ve seen plenty of attacks on utilities and services that affect people’s everyday lives, as hackers have exploited vulnerabilities in areas such as electrical or water grids, crippling critical infrastructure. By focusing cyberattacks on these generally well-protected areas that need constant upkeep, cybercriminals have the opportunity for huge pay-offs.

"So even as there will be efforts to protect these vulnerable industries, hackers will still target them as much, if not more than they did this year. They know companies will meet their demands to keep vital parts of society running, and they will exploit any small weakness they can find. Thus, companies and local governments must do everything that they can to shore up their systems to prevent such attacks."

Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver, says cautious ransomware actors will target smaller companies in order to stay off the radar of governments:

"In 2022, the Ransomware-as-a-Service model will see continued growth as it has proven to be an incredibly efficient vehicle for maximizing profits. While the growth trajectory is staying the same, the primary target of ransomware attacks will not. Government involvement in defense of critical infrastructure will motivate ransomware groups to target SMBs in order to draw less attention than larger, high-profile targets."

Researchers at Trend Micro offer the following observations on ransomware developments:

"Based on the security incidents we have observed this year, we also expect to see two major developments in ransomware in the coming year. First, ransomware attacks will become more targeted and highly prominent, making it harder for enterprises to defend their networks and systems against these attacks. Because modern ransomware is relatively new, it is very possible that enterprises have yet to make the same ransomware mitigation and defense investments for servers as they have made for endpoints. In addition, the continuing lack of skilled cybersecurity specialists is an aggravating factor with regard to securing organizations against ransomware threats. The TTPs used by ransomware operators will likely stay the same, but they will be used to go after more complex targets, ones that will possibly be bigger than the major targets of previous years.

"The second development that we foresee is that ransomware operators will also use more modern and sophisticated methods of extortion that will resemble nation-state advanced persistent threat (APT) attacks. Once attackers are able to infiltrate their victims’ environments, they can opt to just exfiltrate sensitive data and go straight to extorting their victims, skipping the encryption or access blocking step altogether. In terms of the primary means of successful extortion, the focus will veer away from denial of access to critical data in favor of leaking and mining stolen data for weaponization. Attack vectors used by ransomware operators to target enterprises, such as virtual private networks (VPNs), spear-phishing emails, and exposed remote desktop protocol (RDP) ports, will remain at play. However, in 2022, the cloud will be targeted more often. As more enterprises migrate to the cloud, they bring with them their sensitive data and resources, prompting cybercriminals to follow suit."

Trend Micro also believes that ransomware actors will seek to exert additional pressure on their victims by going after the supply chain:

"Further taking advantage of and exacerbating the great supply chain disruption, malicious actors will generate a surge in the quadruple extortion model in 2022. They will make the most of their cyberattacks by strong-arming big-name victims into paying large sums of money via a fourfold extortion technique: holding the victim’s critical data for ransom, threatening to leak the data and publicize the breach, threatening to go after the victim’s customers, and attacking the victim’s supply chain or vendors."

Cloudian’s CMO Jon Toor thinks that as the ransomware threat persists, organizations will increasingly appreciate the importance of the storage layer:

“Security experts will continue to miss the mark with ransomware protection: Security experts continue to tout increased perimeter defense as the catch all for ransomware protection. However, in a recent report, 49% of businesses that experienced an attack had perimeter defenses in place and ransomware still managed to get in. In addition, 65% of the organizations that were penetrated through phishing emails had conducted anti-phishing training for employees. The threat of ransomware will only continue to rise, making it a matter of “if,” not “when,” an attack will occur. Given these realities, more organizations will recognize the need to protect data at the storage layer with an immutable backup copy, ultimately ensuring they can recover quickly from an attack without having to pay ransom.”

Supply chain attacks, especially software supply chain attacks, will also trend up.

Lavi Lazarovitz, Head of Research on CyberArk's Labs team, warns that attackers will seek to carry out supply chain attacks by compromising open-source software:

"Our digital economy runs on open source software (OSS) — it’s flexible, scalable and harnesses collective community power to spark new innovations. But countless 'open' and 'free' OSS libraries also mean a dramatically expanded attack surface and a way for threat actors to automate their efforts, sidestep detection and do more harm.

"The April 2021 Codecov breach gave us a glimpse of how one subtle tweak in one line of code can turn a completely benign library into a malicious one — putting any organization using it at risk. Using this highly evasive infiltration method, attackers can target and steal credentials to reach thousands of organizations across a supply chain in unison.

"In the next 12 months, attackers will continue looking for new ways to compromise open source libraries. We have seen attackers implementing typosquatting-like attacks by creating code packages that include subtle changes to the packages’ names (i.e., atlas-client vs. atlas_client). These were actually trojanized versions of the original packages, which implement or download a backdoor or credential-stealing functionality. In another case, an NPM package was trojanized to run cryptomining script and credential theft malware after a developer’s credentials were compromised.

"Organizations must remain vigilant, as these subtle attacks will rarely send up signals, making them extremely difficult to spot — especially as such libraries are deployed into the pipeline as part of legitimate day-to-day operations, and in many cases, may look benign as the malicious code is downloaded as a dependency. What’s more, since these automated attacks are easy and quick to execute with a very limited signature, they’ll become even more frequent, sudden and damaging.”
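The separator-swap and lookalike package names Lazarovitz describes can be caught before a build runs by comparing declared dependencies against a vetted allowlist. The following is an added example, not code from CyberArk or the original article; the allowlist, the requirements text and the similarity cutoff are constructed for illustration.

```python
import difflib
import re

# Constructed allowlist of packages the organization has vetted (illustrative only).
APPROVED_PACKAGES = {"atlas-client", "requests", "numpy", "pyyaml"}

# Constructed sample dependency file in requirements.txt style (not real data).
# It contains a separator variant (atlas_client) and a one-character lookalike (pyyam1).
SAMPLE_REQUIREMENTS = """\
requests==2.26.0
atlas_client==1.4.0   # underscore instead of hyphen
numpy==1.21.4
pyyam1==6.0           # digit 1 in place of letter l
pyyaml==6.0
"""


def normalize(name):
    """PEP 503 style normalization: lowercase and collapse runs of '-', '_' and '.' to '-'.
    PyPI resolves names this way, so atlas_client and atlas-client are one project there;
    npm does not, so the two names are distinct packages in that ecosystem."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Extract bare package names from requirement lines, ignoring comments and specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(match.group(1))
    return names


def check_dependencies(names, approved=APPROVED_PACKAGES, cutoff=0.8):
    """Classify each declared name against the allowlist.

    Returns a list of (name, verdict, reference) tuples where verdict is one of
    'approved', 'separator-variant', 'lookalike' or 'unknown', and reference is the
    approved package the name was matched to (None for 'unknown')."""
    approved_norm = {normalize(p): p for p in approved}
    findings = []
    for name in names:
        norm = normalize(name)
        if name in approved:
            findings.append((name, "approved", name))
        elif norm in approved_norm:
            # Same name once separators are normalized but spelled differently:
            # harmless on PyPI, a different package on npm, so always worth a look.
            findings.append((name, "separator-variant", approved_norm[norm]))
        else:
            # Fuzzy match for one-character swaps such as pyyam1 vs pyyaml.
            close = difflib.get_close_matches(norm, list(approved_norm), n=1, cutoff=cutoff)
            if close:
                findings.append((name, "lookalike", approved_norm[close[0]]))
            else:
                findings.append((name, "unknown", None))
    return findings


if __name__ == "__main__":
    for name, verdict, ref in check_dependencies(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name:15} {verdict:18} {ref or '-'}")
```

A CI step that fails the build on any verdict other than "approved" turns this into a gate rather than a report.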

Cybereason CEO Lior Div says that cybercriminals will increasingly grow involved in supply chain attacks:

"There is a growing trend of threat actors realizing the value of targeting a supplier or provider up the chain in order to compromise exponentially more targets downstream. Rather than attacking 100 or 1,000 separate organizations, they can successfully exploit one company that unlocks the door to all the rest. It is the path of least resistance. The attacks we have seen have been part of cyber espionage campaigns from nation-state adversaries. Those attacks will likely continue, and we will see a rise in cybercriminals adopting the strategy as well. Companies that act as suppliers or providers need to be more vigilant, and all organizations need to be aware of the potential risk posed from the companies they trust."

Josh Rickard, Security Solutions Architect at Swimlane, predicts that criminals will exploit misconfigured software-as-a-service (SaaS) APIs to conduct large-scale attacks:

"As organizations add more third-party SaaS and IaaS providers to their technology stack, the impact of cyberattacks on centralized cloud services will have a broader impact. In 2022, we will see cybercriminals take advantage of misconfigured SaaS APIs to exploit private data at an unprecedented scale. This will lead to a large distribution of core software code becoming compromised and impacting thousands of organizations across the globe."

Nation-state cyberespionage and cybersabotage will become the norm throughout the spectrum of conflict.

The Familiar Four will continue to be prominent, barring the emergence not only of effective international norms, but, more importantly, an effective deterrent regime.

Mandiant provides the following predictions on state-sponsored cyberattacks in the coming year:

"Major nation-state actors in Russia, Iran, China, and North Korea will likely maintain an aggressive posture to promote each of their regional interests. Russia’s scope of operations will expand as it targets NATO, Eastern Europe, Afghanistan, and the energy sector. Iran will use its cyber tools to target Israel and the Middle East in an effort to shift power balances in its own interest. Using cyber espionage, China is poised to support the Belt and Road initiative and scale their operations. North Korea will flex its cyber capabilities and take risks despite its financial and geographical challenges."

Expect gangland to get more professional, and to find new targets.

CyberArk's Lazarovitz states that, as malware developers grow more organized and professional, they'll begin to face some of the same challenges that legitimate companies have to deal with:

"DevOps is changing the way business is done, and underground criminal enterprises are certainly no exception. Just like legitimate software vendors, attackers are using CI/CD pipelines, cloud infrastructure and other digital technologies to develop and sell new malware as a service (MaaS) offerings. The need to rapidly push new features to market is driven by growing (underground) demand for popular tools like credential theft malware that can be configured to surreptitiously gather user credentials and pillage privileged information from victims. Such malware is not only powerful, but it is also simple to use right out of the box, emboldening novice attackers and strengthening sophisticated nation states alike.

"Attacker groups are pulling on strengths from various stakeholders to monetize these services and grow their operations — from developers writing the exploit code, to engineers architecting the attack infrastructure, to attackers using these new exploits in the wild to target victim networks. 

"Yet as these criminal groups start to appear more and more like 'real' businesses, they’ll also open themselves up to new risks. Just like any other enterprise, they’ll face new security challenges in managing multi-tenant SaaS applications, securing remote access to sensitive systems and data and more. While being forced to ramp up their own security protections, adversaries will increasingly get caught by defenders using their own offensive tactics against them."

Troy Gill from Zix | AppRiver foresees additional cooperation between cybercriminal groups:

"As we have seen with the evolution of Malware-as-a-Service and Phishing-as-a-Service, threat actors are willing to join forces for mutual success. This was further demonstrated in the aftermath of the Emotet cybercrime services takedown earlier this year. After Emotet services were disabled by law enforcement, Trickbot malware operators stepped in and began re-seeding Emotet infections to get them back into operation. As a result, we saw malicious email traffic from Emotet...for the first time since the takedown in January 2021. Even threat actors competing for profits see the value in having a greater variety of threat actors in operation. They can leverage them as a service or even to better hide their activities in the noise. That is why in 2022, we will see cybercriminals form even more robust working relationships to facilitate their continued success."

Nick Tausek, Security Solutions Architect at Swimlane, expects to see an increase in hacktivism: 

"This year we have seen an increase in both internal and external actors breaching companies such as Epic and Twitch for 'ethical' reasons versus purely financial intentions. In 2022, there will be a significant increase in hacking for a political or social cause. Most organizations in this position will fail to adequately respond to the threat of exposure by focusing only on “clamping down” internally to prevent leakage rather than addressing problematic business cultures that make employees want to go rogue."

Forcepoint, in an article for IT Brief, predicts that more malware will be delivered through software updates:

"In 2022, we expect to see a significant rise in cybercriminals delivering a variety of malware via software updates. One of the reasons this technique is effective is ‘technical debt’ - or the difference between the ‘price’ (time, human resources, technology investment) a technical project should cost in order to be perfect and future-proofed, and the 'price' an organisation is prepared to pay at the time. Products can get behind the curve due to reduced investment, but a lot of this debt centres around applying software updates – absolutely necessary, and so often overlooked.

"Even though there is the possibility that malicious actors may output malware through software updates, IT administrators must keep on top of applying updates and patches as they come in. If technical debt builds, vulnerabilities and security holes will provide a way in for attackers – and the combination of new malware delivery techniques plus unpatched vulnerabilities causes concern.

"In addition, with the increase in hybrid working, end users are having to be more responsible for patching and updating their systems. This could lead to either updates not happening at all, or updates being applied by those unused to the task, meaning they are more likely to accept behavior IT teams would spot as suspicious. Leaders should ensure that cybersecurity training is rolled out and regularly updated, to ensure employees act as a first line of defense."

Forcepoint also sees the farming industry as a particularly attractive target for ransomware actors, since an attack in this vertical could disrupt the food supply chain:

"As industries become more digital, the greater their exposure to threat actors grows. And while it may not be the most obvious industry facing tech threats, farming is under the spotlight for cybercriminals. Many tractors now run more software than a modern car – allowing farmers to run them from an iPad while enjoying a cup of tea.

"The growing automation has given rise to precision agriculture and remote farming – but not without its drawbacks. Given the heavy reliance on technology in food and agriculture, could we see hackers bring tractors and food production across parts of the world to a screeching halt in 2022? If we do, unfortunately, we’ll also see large scale disruption of a supply chain that operates under a concise shelf life.

"As we incorporate technology into more critical infrastructure, we’ll see the emergence of new technologies as high-value targets for cybercriminals. We welcome automation and greater resource efficiency with open arms, but we can’t digitalise the world without a backup strategy in place for when that technology doesn’t work. We all have a responsibility to plan for going offline or outages. If we don’t consider the potential for widespread disruption, then getting from ‘farm to table’ may take a great deal longer than we expect."

Expect more cybersecurity legislation, but its likelihood of success remains an open question.

Researchers at SecZetta foresee additional cybersecurity regulations being enacted in the US:

"The increase in highly visible and impactful cyber-attacks throughout the past year compelled the federal government to become more active in its efforts to deter cybercrime, from CISA’s recent mandate on remediating cyber vulnerabilities to President Biden’s May 2021 Executive Order on improving the nation’s cybersecurity. We expect to see more guidance coming out of Washington but in the form of prescriptive cybersecurity requirements that will eliminate leaving key initiatives like Zero Trust open to interpretation and create concrete action plans for federal agencies and corporations alike.

"Recommendation: Government prescribed guidelines are not a panacea that will permanently solve the cyber crisis. Organizations need to be proactive in their adoption of cybersecurity programs, frameworks, and technologies to mitigate the risk to their reputations, business operations, and very importantly the people and companies whose data they are custodians of. Making logical decisions to improve your security programs before being forced to enact them by the federal government is the best way to preserve your resources for the needs of your organization."

Swimlane's Tausek has a pessimistic view of the US government's ability to pass effective regulation to address disinformation on social media:

"Facebook whistleblower Frances Haugen’s testimony before Congress in October cast a spotlight on the need for social media regulations. Many see the latest allegations of widespread negligence as the final straw. Social media companies like Facebook that carry large fractions of the world’s communications, from personal messaging to business traffic, can no longer be trusted to self-regulate. The need for greater transparency into social media companies’ moderation practices has been clearly highlighted to Congress and the general public. There needs to be insurance that they are not being influenced by entities hostile to the United States, such as when Facebook sold political ads to accounts that paid in Russian rubles leading up to the 2016 election. Although numerous pieces of legislation will be proposed in the House and Senate after the conversation was reignited, the flame will quickly die out in 2022 as political gridlock keeps Congress from officially taking the oversight process into their own hands to curb disinformation tactics. This will have the effect of further sowing distrust, anti-vaccine information, and social discord, as misinformation and disinformation run rampant on the most popular platforms."

Cybereason's Lior Div believes that cybersecurity "will be interchangeable with national security":

"The line no longer exists between national security and cybersecurity. Sometimes a nation-state adversary attacks a private company as part of a broader campaign. Russia did it with SolarWinds. China did it with HAFNIUM. Iran did it with GhostShell. Sometimes, cybercriminals launch attacks with national security implications. What we need to be aware of as we go into 2022 is the increasing cooperation and collaboration between these threat actors. Nation-state adversaries are not directly controlling many of these operations, but a combination of state-sanctioned, state-condoned, and state-ignored attacks create an environment where failure to act is equivalent to tacit approval and indicates that even if they are not actively working together, their objectives are often aligned."

Added 12.28.21:

Chris Gladwin, CEO of Ocient, thinks that anyone collecting and using data needs to think through the ethical issues that surround information:

"Data, computing, and AI have gained more power in recent years, and this is just the beginning. With this increase in power, there needs to be a conversation around ethics in data collection. Organizations need a line of ethics when it comes to data collection and analysis, and need to have clear policies and approach on how they handle this. There is not going to be a perfect solution for this; however, it’s going to be important to address when an issue is illegal and point out something that is discriminatory." 

For organizations, policy and training for security will be important (and they should especially get back to basics).

Darren James, Head of Internal IT and Product Specialist at Specops Software, points out that security basics, such as proper password management, shouldn't be overlooked:

"The big, headline-grabbing attacks from 2021 have focused on the supply chain and ransomware attacks on critical infrastructure, which have wide-reaching impact. What is overlooked in many of these data breaches and attacks is that compromised passwords are often to blame for the initial security breach. This was the case when Colonial Pipeline was breached in May, causing fuel shortages across the East Coast. The root cause of this ransomware attack was a compromised password that has since been discovered within a list of leaked passwords on the dark web.

"That said, in 2022, companies still need to focus on the basics -- like password security -- to improve protection against ransomware and other increasingly common attacks. Employee passwords are the backbone of any company’s cybersecurity posture. Social engineering and AI-driven ‘spray and pray’ attacks are escalating and it's easier than ever for attackers to obtain lists of leaked passwords. If there is just one step you take during 2022 to improve your password security, this is the one. Implement a comprehensive list of breached passwords that are blocked from being used in your environment. A strong list should be updated continuously with live attack data, providing protection from the passwords that are being used in attacks today. Equally important is setting password policies for employees, ensuring best practices in line with NIST and other standards like choosing longer passphrases and utilizing multi-factor authentication tools."
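James's one recommended step, blocking known-breached passwords and favouring longer passphrases, can be implemented as a policy check at password-change time. The block below is an added example, not Specops code or code from the article; the breach list is constructed, the 15-character floor is a local choice, and the SUFFIX:COUNT range lookup follows the k-anonymity format used by the public Pwned Passwords service (named here as an assumption about what a continuously updated feed looks like).

```python
import hashlib
import unicodedata

# Constructed breached-password list (sample values, not real leak data), stored as
# SHA-1 hex digest -> times seen, the shape a continuously updated breach feed exposes.
def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


CONSTRUCTED_BREACHED = {
    sha1_hex("Password123"): 120_000,
    sha1_hex("Summer2021!"): 3_500,
    sha1_hex("correct horse battery staple"): 900,
}

# Length policy (assumption): NIST SP 800-63B requires accepting at least 8 characters
# and permitting at least 64; the 15-character floor is a local choice favouring passphrases.
MIN_LENGTH = 15
MAX_LENGTH = 64


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines (the k-anonymity range format) into a dict."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def constructed_range_lookup(prefix):
    """Offline stand-in for a range API: returns every constructed breached hash
    sharing the 5-hex-character prefix, as SUFFIX:COUNT lines."""
    lines = [f"{h[5:]}:{n}" for h, n in CONSTRUCTED_BREACHED.items() if h.startswith(prefix)]
    return "\n".join(lines)


def breached_count(candidate, range_lookup=constructed_range_lookup):
    """Times the password appears in the breach feed. Only the first five hex
    characters of the hash go to the lookup; the full hash never leaves the host."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def evaluate_password(candidate, username=None, range_lookup=constructed_range_lookup):
    """Return (accepted, reasons). Blocklist first, then length, then context checks;
    no character-class composition rules, which NIST SP 800-63B advises against."""
    reasons = []
    pw = unicodedata.normalize("NFKC", candidate)
    seen = breached_count(pw, range_lookup)
    if seen:
        reasons.append(f"breached:{seen}")
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if username and username.lower() in pw.lower():
        reasons.append("contains_username")
    if len(set(pw)) < 4:
        reasons.append("low_variety")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Password123", "glacier-umbrella-tuesday-41"]:
        print(pw, evaluate_password(pw, username="alice"))
```

Swapping `constructed_range_lookup` for a function that queries the live range endpoint is the only change needed to move from the constructed list to a feed updated with current attack data.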

Sagar Shah, Client Partner at Fractal Analytics, says organizations need to place additional focus on their cybersecurity programs and policies:

"Breaches have jumped by 600 percent during COVID, and that is likely not going to slow down any time soon. Therefore, it goes without saying that moving forward business leaders need a dedicated approach to cybersecurity. In years gone by, cybersecurity has often been lumped in with general IT planning and budgets. This simply isn’t going to work moving forward as cybersecurity needs to be carved into its very own business arm – one that is funded and supported just like any other business branch is. From there, all corporate branches need to work together to foster a collaborative environment to balance the cybersecurity needs of both today and tomorrow. Lastly, businesses need to find a way to dig deeper – through sophisticated methods like behavioral science – to truly understand how they can enact meaningful and sustained internal cybersecurity success so that they can empower their employees with training that is actually going to yield better cybersecurity results. Once these pillars are in place, then businesses can look to supplement with cybersecurity software and AI."

Dr. Margaret Cunningham, Principal Research Scientist at Forcepoint, points out that organizations will have to continue to adjust to hybrid work environments:

"In 2022, organizations will turn to analytics to recalculate their understanding of cybersecurity risks and to reshape their protection strategies. When we talk about business risk, it boils down to two fundamentals: do we understand one) what we are protecting, and two) the factors that impact our ability to protect. The last eighteen months have seen a gradual erosion of the ‘rules’ we had in place to manage workforce behaviors, and without an accurate understanding of this behavior, risks can easily be introduced. The 'new rules' that govern technology and personnel requirements for the remote and hybrid workforce will drive how we protect our organizations from both internal and external threats."

Trend Micro offers the following recommendations:

"Go back to security basics. It may seem deceptively simple, but adhering to security best practices can help organizations combat the majority of old and new threats in the coming year. Malicious actors will continue to exploit old vulnerabilities in systems and applications, so it is important for organizations to be on top of their patch management policies. This will help them avoid data breaches and, subsequently, costly fines and reputational damage. Enterprises should also understand and apply the shared responsibility model and regularly encrypt critical data.

"Apply the zero trust model to keep applications and environments secure. Enterprises can improve their security posture by applying the zero trust model, wherein any user or device that attempts to connect to applications and systems needs to be verified before being granted access and continuously thereafter — regardless of whether the user or device is inside the network or not.

"Harden server security and employ access control. As organizations move toward a hybrid work model, it is imperative for organizations to craft and implement security policies that take into account the perimeterless nature of the postpandemic workplace. Access and application control can enable organizations to get a better handle of their overall security even as employees access sensitive or critical work applications and data from anywhere and from different devices.

"Prioritize visibility. As employees continue to access cloud applications, services, systems, and databases remotely in the coming year, it is important for organizations to bring visibility to the fore to help fortify their cybersecurity defenses. Security teams must be aware of all cloud providers, accounts, and services in order to keep an eye on them and make sure that they are configured as securely as possible. This will help minimize the risk of unintended exposures and misconfigurations."

A lot like 2021, but with more sophistication on all sides, and more of life being lived online.

Perhaps we might begin 2022 with some reflection on 2021, a year that saw ransomware rise to the top of the underworld's toolkit, and that saw exploitation of the human come in some ways to eclipse exploitation of the system. Vulnerabilities continue to undergo exploitation, and especially their exploitation in the supply chain, as we're presently seeing with Log4Shell and its related issues, will remain important, but the extent to which both criminals and intelligence services rely on manipulation, stolen credentials, and the whole armamentarium we've come to call "social engineering" is striking.

On the side of civilized life, the increasingly assertive work of law enforcement and cyber agencies can be expected to continue, and we wish them good hunting. Damage to data, damage to industrial processes, these are matters of great importance, and we hope the bad actors behind them can be at least deterred, and even, we hope, brought to book.

Above all, perhaps, is the growing extent to which so many of us live much of our personal and professional lives online. This has induced a probably healthy skepticism about the place of social media and the role of Big Tech in personal and public life. That skepticism has found expression in courtrooms and legislative hearings; how much it will induce people to assume more responsibility for their own engagement with the virtual world remains to be seen. From the way some people talk, it seems that our societal grip on the distinction between the metaverse and reality may be looser than a healthy civilization might wish. Much of what comes out of Silicon Valley, for example, in its speculative moments, sounds like a confident aspiration to gnostic ascent, as if Plotinus had been reborn as a business consultant working from an office in Los Altos Hills. Dude, where's your askesis?