Cyberthreats continue to grow in sub-Saharan Africa, with some threats reemerging

17th November 2021

By: Schalk Burger

Creamer Media Senior Deputy Editor



Cybersecurity multinational TrendMicro saw tools and techniques that had been used in previous years reemerge to target cloud infrastructure, while ransomware attacks have also been modernised, TrendMicro South Africa senior sales engineer Yash Pillay said this week.

Reporting on the trends seen in the first half of this year, TrendMicro said its smart protection network worldwide helped defend against, and blocked, 40-billion threats, compared with 27-billion threats in the first half of 2020.

Further, more than 7.3-million ransomware attacks worldwide were detected by TrendMicro, with Southern Africa accounting for 1.7% of those attacks and South Africa 1.05%.

"South Africa makes up a huge chunk of the 1.7% of global ransomware attacks detected against southern hemisphere-Africa. Similarly, Southern Africa saw around 700 000 malware threats detected," Pillay pointed out.

"During the first half of 2021, modern ransomware actors successfully blackmailed companies and extracted valuable enterprise data from them.

"Specific industries targeted by ransomware threat actors included the banking, government and manufacturing industries, and most of the ransomware was in the WannaCry and Locky families of ransomware. WannaCry had a significant impact in 2017 and is still prevalent," Pillay added.

One difference between modern and pre-modern ransomware threats is that pre-modern ransomware was typically loaded onto a single device through a phishing email containing a malicious link or attachment that compromised that machine.

Modern ransomware attacks use phishing techniques and exploit vulnerabilities as entry points into an organisation. Threat actors then tend, in most instances, not only to infect one machine but to spread through the organisation's computers until the time is right to trigger the ransomware and lock every machine simultaneously, thereby increasing their chance of getting a ransom from the organisation, he said.

Modern ransomware also takes advantage of a scheme called double extortion, where the threat actors not only encrypt data on machines, but also exfiltrate the data from the organisation to serve as an additional mechanism to extort funds from an organisation or individual.

"Ransomware actors exploit security vulnerabilities and take advantage of weaknesses and vulnerabilities in software to gain the upper hand. Ransomware attacks also affected Internet of Things (IoT) devices and systems, including by exploiting weaknesses in software security," Pillay noted.

Meanwhile, the prevalence of Linux in cloud systems has led to attacks focused on specific Linux operating systems. Threat actors targeting Linux systems are often attempting cryptojacking, which is the use of hijacked cloud resources to mine cryptocurrencies; alongside cryptojacking, webshells, ransomware and trojans were the most prevalent cloud threats and attacks, he said.

The most prevalent attack vectors in 2021 were malicious email, uniform resource locator (URL) and file-based attacks. In South Africa, TrendMicro detected 25-million malicious emails during the first half of this year.

Further, unexplored risks and unpatched flaws continue to feature as key attack vectors and weaknesses. Unexplored risks include applications that have a vulnerability or weakness built in owing to poor security frameworks and practices in development operations (devops); such a vulnerability is introduced into the business when the application is pushed to its application repository, he said.

"We have also done research and produced papers on unexplored risks in IoT devices, including vulnerabilities of low-range radio access network (RAN) IoT devices."

A key consideration for organisations is that, with the shift to remote working, many systems are public facing without deep-packet inspection. Organisations therefore have to ensure that relevant patching is done and, where a patch cannot be applied, that other protective mechanisms are put in place.

Further, for devops and development security operations (devsecops) teams, image scanning must form part of their work so that they have insight into and visibility of what is in their environment, including known vulnerabilities or malicious code that may be inside publicly available containers or images, he said.

These tools should be used natively by devops and devsecops as part of their existing toolbox and in line with secure development best practices. Beyond the other benefits of secure development frameworks, fixing a flaw in production costs up to ten times as much as fixing it earlier in the application's development lifecycle.
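To make the image-scanning step concrete, the following added example (written for this page, not Trend Micro's code or tooling) shows a build gate that reads a scanner's JSON report and blocks promotion of an image when a fixable high- or critical-severity finding is present, while surfacing unfixable ones for risk acceptance rather than silently passing them. The report structure (Results, Vulnerabilities, FixedVersion) is assumed to follow the shape produced by scanners such as Trivy; the image name and CVE identifiers are constructed placeholders.

```python
"""CI gate over a container image vulnerability report.

Added example, not Trend Micro's code. The report layout below mimics the
JSON that image scanners such as Trivy emit (a list of Results, each with a
list of Vulnerabilities); treat the exact field names as an assumption and
adapt them to the scanner you run. All sample data is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Findings at these severities stop the image from being promoted.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed scan output for a hypothetical image "registry.example/api:1.4".
# CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/api:1.4",
    "Results": [
        {
            "Target": "registry.example/api:1.4 (debian 11.2)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1k", "FixedVersion": "1.1.1n",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",
                 "InstalledVersion": "7.74.0", "FixedVersion": "7.74.0-1",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "requests",
                 "InstalledVersion": "2.19.0", "FixedVersion": "2.20.0",
                 "Severity": "HIGH"},
            ],
        },
    ],
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str          # empty string when no fixed version exists yet
    severity: str
    target: str

    @property
    def fix_available(self) -> bool:
        return bool(self.fixed)


def parse_report(raw: str) -> list[Finding]:
    """Flatten the nested scanner JSON into one list of findings."""
    doc = json.loads(raw)
    findings = []
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities", []) or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                package=v["PkgName"],
                installed=v["InstalledVersion"],
                fixed=v.get("FixedVersion", ""),
                severity=v["Severity"].upper(),
                target=result.get("Target", ""),
            ))
    return findings


def evaluate(raw: str, blocking=BLOCKING_SEVERITIES):
    """Split findings into those that block the build and those needing
    other mitigations. A HIGH/CRITICAL finding with a fix available blocks
    promotion of the image (rebuild on the patched package); one without a
    fix cannot be patched away, so it is surfaced for explicit risk
    acceptance instead of being ignored."""
    blocked, unfixable = [], []
    for f in parse_report(raw):
        if f.severity not in blocking:
            continue
        (blocked if f.fix_available else unfixable).append(f)
    return blocked, unfixable


def should_block(raw: str) -> bool:
    """Exit-code style verdict for a pipeline step."""
    blocked, _ = evaluate(raw)
    return bool(blocked)


if __name__ == "__main__":
    blocked, unfixable = evaluate(SAMPLE_REPORT)
    for f in blocked:
        print(f"BLOCK   {f.vuln_id} {f.package} {f.installed} -> {f.fixed} [{f.target}]")
    for f in unfixable:
        print(f"ACCEPT? {f.vuln_id} {f.package} {f.installed} (no fix yet) [{f.target}]")
    raise SystemExit(1 if blocked else 0)
```

Run as a pipeline step, a non-zero exit keeps the image out of the registry; the split between "blocked" and "unfixable" is the design choice worth copying, because a gate that fails on everything gets disabled, while one that never fails on unfixable findings hides them.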

"Additionally, companies must understand the shared responsibility model of cloud security. Cloud service providers secure the cloud infrastructure, while cloud users are responsible for the security of the content they put in the cloud.

"For example, customer data, platforms, applications, users and operating systems that customers put into the cloud are the purview of those customers, who must ensure that security mechanisms are in place and configurations are correctly done according to best practices," said Pillay.

Misconfigurations are also a vulnerability in cloud systems, and validation and access controls must be monitored and managed.

"If you put a server workload into the cloud, you are responsible for ensuring it is patched and there are no vulnerabilities, as well as that antimalware and cybersecurity solutions are deployed. Cloud vendors will not manage this.

"Understanding the shared responsibility model will enable organisations to improve their cloud security posture and they must ensure they build their clouds according to industry best practices," he noted.

Edited by Chanel de Bruyn
Creamer Media Senior Deputy Editor Online
