ESET Threat Report T3 2021
A view of the T3 2021 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
While 2020 was the year of supply-chain attacks (and, yes, the start of the global COVID-19 crisis), 2021 was defined by shockingly severe vulnerabilities (…and by vaccines).
The year started with a bang, when Microsoft Exchange servers around the world found themselves under fire from at least ten APT groups. ProxyLogon, the vulnerability chain at the bottom of these attacks, ended up being the second most frequent external attack vector in 2021 according to ESET telemetry, right after password-guessing attacks. As you’ll read in the ESET Threat Report T3 2021, Microsoft Exchange servers ended up under siege again in August 2021, with ProxyLogon’s “younger sibling”, named ProxyShell, exploited worldwide by several threat groups.
When a critical flaw in the ubiquitous Log4j utility surfaced in mid-December, IT teams everywhere were sent scrambling, again, to locate and patch the flaw in their systems. This vulnerability, scoring a 10 on the CVSS scale, put countless servers at risk of a complete takeover – so it came as no surprise that cybercriminals instantly started exploiting it. Despite only being known for the last three weeks of the year, Log4j attacks were the fifth most common external intrusion vector in our 2021 statistics, showing just how quickly threat actors are taking advantage of newly emerging critical vulnerabilities.
The end of the year was also turbulent in the area of RDP attacks, which escalated throughout all of 2020 and 2021. The numbers from the last weeks of T3 2021 broke all previous records, amounting to a staggering yearly growth of 897% in total attack attempts blocked – despite the fact that 2021 was no longer marked by the chaos of newly imposed lockdowns and hasty transitions to remote work. Probably the only good news from the RDP attack front, as noted in the Exploits section of this report, is that the number of targets has been gradually shrinking, although it doesn’t seem like the rampage is about to end any time soon.
Ransomware, previously described in our Q4 2020 Threat Report as “more aggressive than ever” surpassed the worst expectations in 2021, with attacks against critical infrastructure, outrageous ransom demands and over US$5 billion worth of bitcoin transactions tied to potential ransomware payments identified in the first half of 2021 alone.
However, the pressure has been growing from the other side, too, represented by feverish law enforcement activity against ransomware and other cybercriminal endeavors. While the intense clampdown forced several gangs into fleeing the scene – even releasing decryption keys – it seems that some attackers are only getting bolder: T3 saw the highest ransom ultimatum yet, US$240 million, more than triple the record mentioned in our previous report.
And to throw in another all-time high: as the bitcoin exchange rate reached its highest point so far in November 2021, ESET experts observed an influx of cryptocurrency-targeting threats, further boosted by the recent popularity of NFTs (non-fungible tokens).
In the world of mobile, we noted an alarming upsurge in Android banking malware detections, which rose by 428% in 2021 compared to 2020, reaching the detection levels of adware – a common nuisance on the platform. It is needless to say that the damage potential of these two threats cannot be compared, and we can only hope that the downward trend seen for banking malware in T3 2021 will spill over into 2022.
Email threats, the door to a myriad of other attacks, saw their yearly detection numbers more than double. This trend has been mainly driven by a rise in phishing emails, which more than compensated for the rapid decline in Emotet’s signature malicious macros in email attachments. Emotet, inactive for most of the year, came back from the dead in T3, with its operators trying to rebuild its infrastructure with support from Trickbot. In 2022, ESET malware analysts expect the botnet to expand rapidly, pushing the malware back into the leading ranks – a process we will be monitoring closely.
The final months of 2021 were also rife with research findings, with ESET Research uncovering: FontOnLake, a new malware family targeting Linux; a previously undocumented real-world UEFI bootkit named ESPecter; FamousSparrow, a cyberespionage group targeting hotels, governments, and private companies worldwide; and many others. T3 also saw our researchers publish a comprehensive analysis of all 17 malicious frameworks known to have been used to attack air-gapped networks, and conclude their extensive series of deep dives into Latin American banking trojans.
ESET Threat Report T3 2021 also provides previously unpublished information about APT group operations. This time, researchers offer updates on the activity of cyberespionage group OilRig; latest information on in-the-wild ProxyShell exploitation; and new spearphishing campaigns by the infamous cyberespionage group The Dukes.
And, as always, ESET researchers took multiple opportunities to share their expertise at various virtual conferences this period, appearing at Virus Bulletin 2021, CyberWarCon 2021, SecTor 2021, AVAR 2021 Virtual and others. For the upcoming months, we are excited to invite you to an ESET talk at SeQCure in April 2022, and to the RSA Conference in June 2022 where we will be presenting the recent ESPecter discovery.
Happy reading, stay safe — and stay healthy!
Follow ESET research on Twitter for regular updates on key trends and top threats.