Singapore Cyber Landscape 2021: What your organisation should know
In 2021, the cyber world was rife with increasingly complex threats and bold threat actors. One surprise was the extent to which the impact of cyber-attacks spilled over into the physical realm.
The world has seen a number of striking examples of how cyber-attacks have had real-world implications, such as supermarkets closing down, gas stations running out of fuel, and patients being denied timely healthcare services.
Not only did these cyber-attacks have a physical impact, but they also revealed that cybercriminals could be just as dangerous, resourceful, and intelligent as state-sponsored Advanced Persistent Threat (APT) groups.
Global Trends in 2021
In 2021, there was a flurry of high-profile criminal cyber activity, including ransomware attacks on Colonial Pipeline and JBS Foods, as well as assaults that exploited flaws in major software like Accellion FTA, Microsoft Exchange Server, and Kaseya VSA. The publication of zero-day vulnerabilities in the widely used open-source Log4j library at the end of 2021 sent shockwaves across cybersecurity communities around the world, affecting hundreds of thousands of apps and enterprise services. This chapter examines the most critical themes that defined the cyber world in 2021.
The year 2021 was a watershed moment for ransomware. Following years of significant development, ransomware assaults exploded across numerous sectors and geographies, causing more damage in terms of targets affected and money extorted. Local ransomware occurrences reported to SingCERT increased by 54% in 2021, mirroring the global trend. Small and medium-sized firms (SMEs) in the industrial and information technology industries were the hardest hit. However, because not every incident was reported, the figures may simply be the tip of the iceberg.
Most crucially, in 2021 ransomware assaults ‘graduated’ from sporadic and isolated occurrences to actual national security dangers, with enormous and systematic attacks affecting the whole networks of large organisations.
Ransomware gangs purposefully targeted large organisations and critical service providers that couldn’t afford downtime. Their goal was to create significant interruption to victims’ activities and force them to accept hefty ransom demands. In terms of scope and the level of damage caused, May 2021 witnessed three of the year’s most significant ransomware incidents:
a) A ransomware attack on the Colonial Pipeline business’s IT network, which supplies roughly 45% of the oil and gas supply to the US East Coast, forced the company to shut down operations, resulting in fuel shortages and price increases.
b) Ransomware attacks on Ireland’s Health Service Executive and New Zealand’s Waikato District Health Board not only exposed sensitive patient data, but also forced the closure of their IT systems, interfering with the delivery of critical healthcare services.
c) A ransomware attack on JBS Foods, the world’s largest meat producer by net sales, resulted in the closure of its IT network and the temporary suspension of operations at its processing plants, threatening to disrupt food supply chains and drive up food prices even more.
Enhanced Operational Sophistication
Ransomware gangs have gotten more sophisticated and aware of their victims’ business procedures. Because of their increased understanding, ransomware gangs were able to exploit flaws in victims’ business procedures, as well as dependencies between victims’ operations and business flows, to increase the likelihood of success and impact of their attacks. For example, hackers opted to launch their attack on JBS Foods over Memorial Day weekend in the United States, when organisations often have fewer resources – and are less prepared – to respond to attacks. Ransomware gangs have also been known to target companies that have cyber insurance because these companies are more likely to pay up.
More diversified and specialised ransomware ecosystem
In 2021, the ransomware ecosystem matured enough for ransomware assaults to become a more accessible endeavour. The rise of Ransomware-as-a-Service (RaaS) affiliate models provided hackers – even those with less technical expertise – with the ability to execute their own assaults, significantly increasing the ransomware threat.
The previous page’s diagram depicts the complexity of a current ransomware operation. A large cybercriminal shadow sector has sprung up to provide a slew of diverse and specialised services to bolster ransomware assaults, such as early access to targeted networks, hosting and infrastructure services, and money laundering services.
The shadow industry now assists ransomware gangs in conducting more sophisticated and impactful operations, while profits from successful attacks fuel research and development, levelling up the industry’s competence for more devious and effective attacks to compel greater ransomware payments.
Multiple variants within the same ransomware family, which can be utilised by multiple affiliated threat actors or by a single group, also make identifying the actual parties involved extremely difficult for law enforcement agencies.
Intrusion methods largely unchanged: Cyber hygiene remains key
The spike in global ransomware incidents conjures up images of cybercriminals carrying out sophisticated hacks, breaking into organisations and holding valuable data to ransom. This is far from the truth: despite their increasing operational savviness, ransomware gangs typically tweak existing malware to derive new variants, and continue to rely on stolen credentials, unpatched vulnerabilities or phishing attacks to gain access into their targets.
This means that organisations can largely mitigate the threat of ransomware attacks by practising good cyber hygiene, backing up data regularly, and mapping out business dependencies and ensuring business continuity plans are updated.
Proliferation of cyber tools and access services
Several events occurred in 2021 addressing the global proliferation and potential abuse of cyber tools and network access services, including:
• A burgeoning market for Initial Access Brokers (IAB) – hackers who sell access to infiltrated networks or systems. One study anticipated a more than 50% increase in the number of IAB listings promoted on underground forums between 2020 and 2021.
• Microsoft and Canada-based think-tank Citizen Lab’s charges that an Israeli corporation Candiru’s spyware infected the devices of more than 100 people in Palestine, Singapore, Israel, Iran, Lebanon, and the United Kingdom, among other nations, in 2021. Microsoft stressed in its advisory on Candiru’s spyware that the presence of victims in a country did not imply that they had been targeted by the country’s government, as international targeting was widespread.
• An investigation by a coalition of 17 news outlets from around the world found potentially widespread exploitation of Pegasus, a military-grade malware. More than 50,000 phone numbers were discovered that belonged to people who Pegasus may have been directed to target, including government officials (including ministers and heads of government), human rights activists, business executives, journalists, academics, and religious figures from more than 45 countries across four continents.
Pegasus can extract texts, photographs, and e-mails, as well as locate the target, record calls, and discreetly activate microphones and cameras. It can infiltrate a target device via weaknesses in common programmes or by luring the target into opening a malicious link. In response, the company behind Pegasus stated that its product was exclusively designed for use against terrorists and criminals, and that its customers were all approved government agencies.
Hacking-as-a-service, which means selling malware for money, has been around for a long time. Demand is high and likely to stay that way for three reasons:
- Customers don’t have the technical skills to create effective malware or break into networks on their own;
- Threat actors can spend more time and money on their malicious cyber operations when they use widely available toolsets or access; and
- They want to hide their tracks and make it hard to figure out who they are.
Cyber-attacks are “democratised” by commercial cyber tools and initial access broker services. Whereas highly advanced cyber espionage skills and privileged access with domain administrator credentials used to be reserved for “cyber superpowers,” they are now available to anyone with the means.
There is also little indication that these vendors exercise significant oversight of their customers’ use of acquired products and network access. If the market continues to grow, the consequence is that we should expect a larger pool of more reckless and indiscriminate cyber threat actors.
Vulnerabilities in the supply chain and popular software
Targeting software supply chains enables cyber threat actors to scale up their attacks. They can gain access to several victims by exploiting flaws in popular software or through a single initial intrusion. Several prominent instances in 2021 attested to the efficacy of this strategy:
(1) In February 2021, hackers, most likely from the Clop ransomware group, used zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA) software, a file-sharing programme widely used by large corporations, to launch a series of cyber-attacks on businesses around the world, threatening to expose stolen data if ransom demands were not met. Even Singtel, an Accellion customer, was impacted when hackers stole data from Singtel subscribers.
(2) In March 2021, Microsoft disclosed that HAFNIUM, a state-sponsored hacker group, had exploited four zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server, a widely used e-mail-management software.
HAFNIUM was able to steal information such as e-mails and credentials and plant malware that allowed permanent remote access to targeted networks. According to Microsoft, HAFNIUM primarily targeted US organisations.
The actual number of entities affected remained unknown, but due to the widespread usage of Microsoft’s software, individuals with knowledge of the inquiry estimated that “at least 30,000 organisations across the US,” as well as “tens of thousands” of organisations in Asia and Europe, had been affected.
(3) In July 2021, the REvil ransomware organisation exploited a zero-day vulnerability in Kaseya’s Virtual System Administrator (VSA) software, a popular platform among enterprises and managed service providers (MSPs) for remotely managing IT services.
As a result, the hackers were able to directly transmit ransomware to MSPs, and then attack the organisations whose IT services were controlled by these MSPs. The effect was pervasive and, in some cases, had real-world consequences.
For example, the Swedish supermarket retailer Coop had to shut down 500 locations in Sweden after its system was compromised with ransomware sent by their MSP, which used Kaseya VSA.
Exploiting supply chain vulnerabilities weakens organisations’ trust-based relationships with their MSPs and the software they utilise. Managing supply chain cybersecurity is more than just an IT concern. It is a multi-functional business effort that includes sourcing, vendor management, and meticulous evaluation of supply chain quality.
Today’s average program has about 500 open-source components, each of which might be a source of risk. Increasing the visibility of IT assets and implementing layered protective measures would help. As 2021 came to a close, the global cybersecurity community was dealing with the aftermath of a severe vulnerability in Log4j, a widely used open-source component.
Survey on Cyber Awareness – Findings and Insights
Although there has been an increase in cyber awareness, adoption remains low.
In December 2020, the CSA conducted the national Cybersecurity Awareness Survey 2020, polling 1,052 Singapore citizens and permanent residents aged 15 and up to better understand their overall attitudes and behaviours concerning cybersecurity practices and incidents.
The survey results, which were released in June 2021 in conjunction with the start of the CSA’s national cybersecurity awareness campaign, revealed that nearly four out of ten respondents had been victims of a cyber-attack at least once in 2020, up from three out of ten in 2019. This increase followed global trends of increasing cyber incident prevalence. Furthermore, while overall awareness of cybersecurity had improved, adoption of appropriate cyber hygiene measures, such as enabling two-factor authentication (2FA) and installing anti-virus apps, remained low.
For example, perceived understanding of phishing had improved in 2020, with seven out of ten respondents knowing what it was, a six percentage point improvement from 2019. Three-quarters of respondents accurately identified more than half of the e-mails, a 12 percentage point gain over 2019.
A minor increase was also observed in those who utilised the desired password practices: nearly nine out of ten respondents used a combination of upper and lower case letters, digits, and symbols in their passwords. However, just slightly more than half of respondents (56%) could pick a strong password, which was unchanged from the previous year.
There was also a modest increase in the number of respondents who used 2FA; however, only around half had enabled 2FA as an additional layer of security for their communication, online shopping, and social networking accounts.
While nearly eight in ten respondents were aware of the risks associated with not having cybersecurity software, just 39% had installed cybersecurity programs on their mobile devices, a decrease from 47% in 2019.
While the survey results were positive, they clearly indicated the need for more efforts to drive both awareness and adoption of effective cyber hygiene measures. CSA is continuing to collaborate with our partners to offer appropriate measures on both fronts.
Cyber Trends to Watch
The cyber-world is ever-changing. The last edition of the Singapore Cyber Landscape focused on potential disruptions caused by the rising rate of digitalisation and the transition to telecommuting as a result of COVID-19.
On the other hand, recent global events threaten to significantly destabilise the cybersecurity landscape. Beyond the ever-changing techniques of cybercriminal and hacktivist groups, the rise of Web3 and the Metaverse, as well as increased geopolitical tensions, will almost certainly have a long-term impact and redefine numerous cybersecurity challenges.