The Greek philosopher Heraclitus once said “the only constant is change.” This still rings true thousands of years later — particularly as we reflect on 2021, another year marked by continued shifts that pushed enterprises to adopt new strategies to strengthen resilience. Similarly, adversaries continued to refine their methods to work smarter and move faster to scale attacks, extend deeper into supply chains and cause greater damage.
The CyberArk Labs team has observed early glimpses of evolving attacker innovation; each has the potential to significantly alter the cybersecurity landscape over the next 12 months.
Innovation 1: Underground Enterprises Will Get Caught at Their Own Games, Forcing a Security Revamp
DevOps is changing the way business is done, and underground criminal enterprises are certainly no exception.
Just like legitimate software vendors, attackers are using CI/CD pipelines, cloud infrastructure and other digital technologies to develop and sell new malware as a service (MaaS) offerings. The need to rapidly push new features to market is driven by growing (underground) demand for popular tools like credential theft malware that can be configured to surreptitiously gather user credentials and pillage privileged information from victims. Such malware is not only powerful, but it is also simple to use right out of the box, emboldening novice attackers and strengthening sophisticated nation states alike.
Attacker groups are pulling on strengths from various stakeholders to monetize these services and grow their operations — from developers writing the exploit code, to engineers architecting the attack infrastructure, to attackers using these new exploits in the wild to target victim networks.
Yet as these criminal groups start to appear more and more like “real” businesses, they’ll also open themselves up to new risks. Just like any other enterprise, they’ll face new security challenges in managing multi-tenant SaaS applications, securing remote access to sensitive systems and data and more. While being forced to ramp up their own security protections, adversaries will increasingly get caught by defenders using their own offensive tactics against them.
Innovation 2: Attackers Will Employ OSS to Automate and Magnify Supply Chain Attacks
Our digital economy runs on open source software (OSS) — it’s flexible, scalable and harnesses collective community power to spark new innovations. But countless “open” and “free” OSS libraries also mean a dramatically expanded attack surface and a way for threat actors to automate their efforts, sidestep detection and do more harm.
The April 2021 Codecov breach gave us a glimpse of how one subtle tweak in one line of code can turn a completely benign library into a malicious one — putting any organization using it at risk. Using this highly evasive infiltration method, attackers can target and steal credentials to reach thousands of organizations across a supply chain in unison.
In the next 12 months, attackers will continue looking for new ways to compromise open source libraries. We have seen attackers implementing typosquatting-like attacks by creating code packages that include subtle changes to the packages’ names (e.g., atlas-client vs. atlas_client). These were actually trojanized versions of the original packages, which implement or download a backdoor or credential-stealing functionality. In another case, an NPM package was trojanized to run a cryptomining script and credential theft malware after a developer’s credentials were compromised.
Organizations must remain vigilant, as these subtle attacks will rarely send up signals, making them extremely difficult to spot — especially as such libraries are deployed into the pipeline as part of legitimate day-to-day operations, and in many cases, may look benign as the malicious code is downloaded as a dependency. What’s more, since these automated attacks are easy and quick to execute with a very limited signature, they’ll become even more frequent, sudden and damaging.
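As an added illustration of the separator-variant package names described above (example code written for this post, not CyberArk tooling), the following checker normalizes dependency names the way PyPI does (PEP 503) and flags manifest entries that merely resemble an allowlisted package, either as a separator/case variant or as a one-character lookalike; the allowlist and requirements file are constructed sample data.

```python
import re

# Constructed allowlist of approved dependency names (sample data, not a real policy).
APPROVED = {"atlas-client", "requests", "cryptography"}

# Constructed requirements file: one separator variant and one one-character near miss.
REQUIREMENTS = """\
requests==2.31.0
atlas_client>=1.0
cryptograpy==41.0.0
"""

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Return bare project names from a requirements-style file (specifiers dropped)."""
    names = []
    for line in text.splitlines():
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if m:
            names.append(m.group(0))
    return names

def check_requirements(text: str, approved: set[str]) -> list[tuple[str, str, str]]:
    """Return (requested, approved, reason) for names that merely resemble an approved one."""
    by_norm = {normalize(p): p for p in approved}
    findings = []
    for raw in parse_requirements(text):
        norm = normalize(raw)
        if norm in by_norm:
            if raw != by_norm[norm]:  # same project after normalization, spelled differently
                findings.append((raw, by_norm[norm], "separator or case variant"))
            continue
        for an, ap in by_norm.items():
            if edit_distance(norm, an) == 1:
                findings.append((raw, ap, "one-character lookalike"))
    return findings
```

Run in CI against the manifest before installation so a variant name fails the build rather than being pulled as a dependency.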
Innovation 3: Brand New Spots Will Help Attackers Hide in Plain Sight
As if it’s not already tricky enough, security is going to get even more complicated, thanks to new hiding places introduced by cloud, virtualization and container technologies.
For instance, as micro virtualization becomes increasingly popular, threat actors can isolate malware in these virtual systems while keeping it hidden from host-based security controls.
While these new attack techniques haven’t been seen much in the wild (at least not yet), financially motivated and nation state threat actors have been observed testing systems such as Windows Subsystem for Linux (WSL) — a subsystem that secures credential and authentication processes — as they look for new ways to compromise endpoint machines.
When ransomware runs inside such a Linux environment, for example, Endpoint Detection and Response (EDR) and other host-based endpoint security tools typically cannot identify the malicious activity, making it possible for attackers to encrypt or exfiltrate data with ease — all while hiding in plain sight.
Editor’s note: To stay on top of emerging cybersecurity threats and original research from CyberArk Labs and the CyberArk Red Team, visit the CyberArk Threat Research Blog.