AhnLab announced that it has selected the five major security threat trends of the first half of this year. The top 5 security threat trends for the first half of 2021, as announced by AhnLab, are: ▲Increase in targeted ransomware attacks ▲Continued attacks exploiting organizational infrastructure solutions ▲Distribution of information-stealing malware disguised as work emails ▲Social issues actively used as lures in cyber attacks ▲Activity of hacking groups presumed to be backed by unidentified states
Han Chang-gyu, Center Director of AhnLab Security Emergency Response Center (ASEC) said, “Attackers are aiming for the ‘weakest link’ in the entire process of a cyber attack, from system vulnerabilities to users. In order to minimize the damage caused by increasingly sophisticated security threats, it is crucial to prepare countermeasures for all entities, including institutions, companies, and users, and to comply with security rules.”
The details of the top 5 major security threat trends in the first half of 2021 are as follows.
▲Increased targeted ransomware attacks
AhnLab predicted an increase in targeted ransomware attacks in its “Top 5 Cyber Security Threats Forecast for 2021” earlier this year. As expected, numerous enterprises worldwide were hit by targeted ransomware attacks in the first half of the year. Attackers infiltrated companies and institutions, exfiltrated data and deployed ransomware at the same time, and then threatened to publish the stolen data if the victim did not pay. Many of these attacks were found to be distributed under the RaaS (Ransomware as a Service) model, in which the ransomware and the tooling to create and distribute it are supplied as a service.
Organizations should respond to ransomware attacks with security solutions and, at the same time, strengthen security training for internal employees, because an organization that has already been attacked or had internal data stolen is an easy target for a repeat attack.
▲Continued attacks that exploit organizational infrastructure solutions
From last year through the first half of this year, attacks that exploit an organization’s infrastructure solutions or supply chain have continued, for example the attempt to hijack an AD server (*) using a cracked version of a specific penetration-testing tool, and the recent distribution of ransomware through a vulnerability in the IT management solution Kaseya VSA. If an attacker takes control of a solution used for internal resource management or service delivery, the damage can be severe, such as ransomware spreading to, or information being stolen from, both the organization and the customers who use its service. Attackers also actively exploited vulnerabilities in VPN (virtual private network) solutions, which are widely used in the remote (home) work environments that have become the new normal since the COVID-19 pandemic.
* Active Directory (AD) Server: A server that provides the AD (Active Directory) service, which links users, user groups, networks and other systems so that resources can be managed centrally and efficiently. If an AD account is hijacked, the attacker can obtain the privileges needed to take over internal systems.
In general, organizations are alert to attacks coming from outside, but they tend to trust the programs and related files they already use. Therefore, in addition to the general security policy, the organization’s security manager should keep strengthening threat response capability by collecting information through a TI (threat intelligence) service.
▲Distribution of information leaking malware disguised as work emails
According to malware analysis statistics collected by AhnLab Security Emergency Response Center (ASEC), the most frequently detected malware in the first half of this year was information-stealing malware, mainly Formbook and AgentTesla. Many of the emails carrying it were disguised as invoices, order sheets, and order detail sheets, and were distributed so as to lure the recipient into opening a malicious attachment or clicking a malicious URL in the message body. In particular, by impersonating real companies and writing the message in fluent Korean, the attackers often fooled the employees in charge of the related tasks and exposed them to the malware.
Since stolen information is likely to be used for secondary attacks such as targeted attacks, users should carefully examine the sender and attachments of every email, and should not open attachments or URLs in emails from unknown sources.
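The sender and attachment checks recommended above can be applied mechanically at the mail gateway or in a SOC triage script. The following Python is an added example written for this page, not AhnLab's code or tooling: it parses a message with the standard library, scores the invoice/order-sheet lure pattern described in this section (a display name that claims one company while the message is sent from another domain, a Reply-To that points elsewhere, an executable or double-extension attachment, and an external link in a procurement-themed mail), and returns a verdict. The sample messages, the domains and the list of risky extensions are all constructed for the example and are assumptions, not indicators from the report.

```python
"""Heuristic triage of inbound mail for the invoice/order-sheet lure pattern (added example)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions commonly abused to deliver infostealers; an assumed list, not taken from the report.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso", ".img"}
# Subject wording typical of the procurement lures described on the page.
LURE_WORDS = ("invoice", "order sheet", "order detail", "purchase order", "quotation")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# A domain-looking token inside a display name, e.g. '"ACME Trading acme.co.kr" <x@y>'.
CLAIMED_DOMAIN_RE = re.compile(r"([a-z0-9-]+\.(?:com|co\.kr|net|org))")


def _domain(addr):
    """Return the lower-cased domain of an address, or '' if the address is empty."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a list of (severity, reason) findings for one RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    subject = (msg.get("Subject") or "").lower()

    lure = any(word in subject for word in LURE_WORDS)
    if lure:
        findings.append(("info", f"subject uses procurement lure wording: {subject!r}"))

    # Display name claims a company domain that the sending domain does not belong to.
    claimed = CLAIMED_DOMAIN_RE.search(display.lower())
    if claimed and claimed.group(1) != from_dom and not from_dom.endswith("." + claimed.group(1)):
        findings.append(("high", f"display name claims {claimed.group(1)} but sender domain is {from_dom}"))

    # Replies would be routed to a different domain than the one that sent the mail.
    if reply_dom and reply_dom != from_dom:
        findings.append(("medium", f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))

    # Executable payloads and document-lookalike double extensions such as invoice.pdf.exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("high", f"executable attachment {name}"))
        if re.search(r"\.(pdf|docx?|xlsx?)\.[a-z0-9]{2,4}$", name):
            findings.append(("high", f"double extension on attachment {name}"))

    # A procurement-themed mail that links to a host outside the sender's own domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
        if lure and from_dom and not host.endswith(from_dom):
            findings.append(("medium", f"lure email links to external host {host}"))
    return findings


def verdict(findings):
    """Collapse findings into a gateway action: block, hold for review, or allow."""
    severities = {severity for severity, _ in findings}
    if "high" in severities:
        return "block"
    return "review" if "medium" in severities else "allow"


def build_sample(frm, reply_to, subject, body, attachment_name, subtype):
    """Build a constructed sample message as a string (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = frm
    if reply_to:
        m["Reply-To"] = reply_to
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00 constructed bytes", maintype="application",
                     subtype=subtype, filename=attachment_name)
    return m.as_string()


# Constructed samples: one matching the lure pattern, one ordinary business mail.
LURE_SAMPLE = build_sample('"ACME Trading acme.co.kr" <sales@free-mail.example>',
                           "billing@other-host.example", "Invoice for order sheet 0621",
                           "Please confirm the attached invoice at\n"
                           "http://files-download.example/inv/0621",
                           "invoice_0621.pdf.exe", "octet-stream")
BENIGN_SAMPLE = build_sample('"Jane Doe" <jane@partner.example>', None, "Meeting notes",
                             "Notes attached. https://partner.example/notes",
                             "notes.pdf", "pdf")

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = triage(sample)
        print(label, verdict(found), found)
```

The heuristics are deliberately simple so they can be read and tuned; in production the display-name check would be backed by a list of the organization's real suppliers and the URL check by a reputation feed, and "review" verdicts would be routed to an analyst rather than auto-released.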
▲Social issues actively used in cyber attacks
Attackers often use issues of high public interest to lure victims. In the first half of this year in particular, many attacks used COVID-19-related keywords such as “movements of confirmed (COVID) cases,” “disaster relief payment,” and “general information for SME owners.” More recently, attacks exploiting issues of interest to specific groups, such as the Korea-US summit, were also found. The methods varied, from attaching malicious files and URLs to emails that referred to these issues, to luring users into clicking URLs in text messages disguised as COVID-19 information.
Since attackers are highly likely to use keywords tied to everyday life to lure users, people should not click URLs from unknown sources in text messages or emails, and should look up such issues on a verified website or platform instead.
▲Operation of a hacking group presumed to be supported by unidentified countries
In the first half of this year, many reports on the activities of hacking groups presumed to be backed by unidentified states were published in Korea and abroad. According to these reports, their hacking activity spans every sector, from politics to society, the economy, culture, defense, medical care, and cryptocurrency. In particular, with the recent rise in COVID-19 infections, cyberattacks have been attempted against domestic and foreign pharmaceutical companies.
Their methods include exploiting vulnerabilities in web browsers such as IE (Internet Explorer) and Chrome and in the programs that run inside them, and have even extended to building phishing sites that impersonate Korea’s major portals. Accordingly, individuals and organizations must follow basic security rules, such as keeping all programs in use updated to the latest version and applying security patches.