From ransomware attacks to election misinformation to consumer scams, the cybersecurity industry will be in overdrive.
Security threats will likely accelerate in 2022 as cybercriminals refine tried-but-true ransomware methods and look to exploit weaknesses in the software that knits together the internet. US elections will also present a tempting target for spreading misinformation.
The expectation of a ramp-up in hacks, attacks and data theft comes after a massive jump in ransomware – takeovers of computer systems that remain locked down until a ransom is paid – that spilled into consumers’ lives in 2021. Cyberattacks that shut down oil transporter Colonial Pipeline and meat packer JBS USA contributed to temporary gas price increases and meat shortages in parts of the US.
The December discovery of the Log4j bug, a critical flaw in logging software that’s widely used around the internet, offered a glimpse of the vulnerability in the software supply chain, which had already taken a hit with 2020’s SolarWinds hack. Security experts say hackers are likely looking for ways to take advantage of Log4j and other weaknesses in the interconnected services we rely on.
The anticipated attacks come against the backdrop of a seemingly never-ending pandemic that creates additional weaknesses. With many people still working from home, attackers will seek to exploit remote connections to infiltrate corporate networks. Some scammers will also target everyday folks, who are spending more and more time in front of computer screens, in order to nab banking information, personal passwords and other data that can be used to compromise accounts.
Andrew Useckas, chief technology officer and co-founder of the cybersecurity firm ThreatX, says part of the problem is that companies don’t know the size of the problem, because so much information is on corporate networks.
“Many organizations simply don’t understand just how exposed they are,” Useckas said.
Many cybercrimes, both big and small, go unreported, making it difficult to track overall data. Still, experts say a handful of key metrics jumped last year, ringing alarms.
Notably, data breaches publicly reported in the first nine months of 2021 exceeded the total for all of 2020, according to the Identity Theft Resource Center. Suspected ransomware payments reported by banks and other financial institutions totaled $590 million for the first six months of last year, according to an October report by the Department of the Treasury. The figure easily surpassed the $416 million in suspicious payments reported for all of 2020.
President Joe Biden’s administration has taken steps to curtail ransomware and other cyberattacks. The White House recently held a global online counter-ransomware event and promised sanctions against crypto exchanges and other financial institutions that facilitate ransomware.
In the wake of Log4j, the White House plans to hold a gathering of software company executives later this month to look for ways to boost software security.
Congressional elections in November could also result in new security priorities if the balance of power in the House and Senate changes. The election will bring its own security risks, and experts warn that a flood of misinformation will swamp social media platforms as Nov. 8 nears.
Cyberattacks keep coming, but will the government take action?
Ransomware attacks that affect only corporate back office operations often escape public notice. But when hackers shut down companies that consumers rely on, everyone is aware.
The Treasury Department said in September that it would start sanctioning cryptocurrency exchanges and other entities that launder ransomware payments. The idea behind the move: cracking down on shady activity surrounding crypto – the currency of choice for ransomware payments thanks to its largely untraceable nature – will discourage ransomware attackers.
Meanwhile, lawmakers in the US and other countries started crafting legislation that would require companies to disclose when a ransomware or other cyberattack has occurred. Many ransomware attacks go unreported, making it tough for law enforcement to keep track of how many attacks are happening, who’s being targeted and how much money is going to cybercriminals.
If the attacks and the demands continue to increase, politicians will need to push legislation in an attempt to show they’re combating the issue, said Tony Anscombe, chief security evangelist at the antivirus company ESET. That legislation might expand to include the prohibition of ransomware payments.
“This could then become a race around the world to enact legislation as cybercriminals will target those territories where paying is still permitted,” Anscombe said.
Worries about the software supply chain
A bug in Log4j, a widely used Java library that logs error messages in network applications, highlighted how reliant everything from government agencies to the consumer-focused internet of things is on freely used software that’s incorporated into a host of other software products.
The simple exploit, which allows attackers to take control of internet-connected devices running the affected software, is an example of vulnerabilities in the software supply chain. Often it can be unclear exactly what devices are running the software. Like cars, software relies on a supply chain. Engineers build software with premade parts that are often made up of smaller components.
Once a piece of software is finished, it can be tough to determine all of its individual parts and where they all came from.
Justin Cappos, an associate professor at New York University’s Tandon School of Engineering, says the current setup of the software supply chain isn’t transparent because so many products rely on open-source code. Even if you’re buying software from a major company, you don’t know what original code might have gone into it.
Cappos says the software industry would benefit if it disclosed the sources of the components it uses, sort of like food makers listing ingredients. “Software companies can contract out to a company, who then contracts out to another company,” Cappos said. “You don’t know where the source code is coming from.”
Experts also expect more hacks of the software supply chain in the coming year. Instead of exploiting existing flaws, cybercriminals could insert malicious code into commonly used software to infect corporate systems.
That happened two years ago, when hackers stealthily placed bad code into an update of SolarWinds’ popular Orion IT software products. Corporate customers then incorporated those products into their own systems, giving cybercriminals access to their systems. Thousands of customers installed the tainted update, though SolarWinds says far fewer companies were actually hacked.
US officials say Russia was behind the attack. The Russian government has denied involvement.
“The fact that a nation-state actor went to these lengths to target [SolarWinds] is very concerning,” Cappos said. “I think, unfortunately, this is the start of a trend rather than a one-off incident.”
Scams get scarier, go mobile
COVID forever changed the way we work. Even in the highly unlikely event that the pandemic winds down this year, many people will keep working from home at least part of the time.
Cybercriminals will be working, too. They’ll be hunting for new ways to take advantage of the connections and devices that workers use to dial in remotely.
NYU’s Cappos says the cybersecurity industry will likely get a better handle on how to manage hybrid work situations, introducing new recommendations and products that boost security and make it easier for workers to connect.
Consumers will also need to up their security game, Clay says. Good methods of two-factor authentication, such as biometrics and push notifications, are going to be a must. Simpler verification methods, like codes sent as SMS messages, just can’t be trusted anymore.
That goes for smartphones, too. Phishing, the practice of sending deceptive emails in order to get personal information, is going mobile. Similar attempts using SMS, known unimaginatively as smishing, and voice calls, which are called – you guessed it – vishing, will become more common this year as people move more of their online activity to mobile devices, Clay says. In addition, the use of scam QR codes, or quishing, is also on the rise.
“The attackers are going to continue their activities and they’re going to be targeting consumers,” Clay said. “People are going to need to secure their data.”