One ransomware attack after another made headlines in 2021, causing widespread disruption. They left authorities across the globe struggling to work out how to take on what has become a cyber-pandemic which has proved incredibly lucrative to criminals. As such, these attacks are likely to continue to proliferate in 2022.
2021 ended with a reminder – in the form of the Log4shell critical vulnerability – of the importance, complexity and fragility of supply chains, especially when it comes to software. For particular tasks, developers commonly use code they didn’t write but which was sourced from 3rd parties. It means that a single vulnerability in any reused code – whether introduced maliciously or mistakenly – can create significant security risks for organisations, and have a widely propagated impact. With increased dependence on reused code, and economies of scale for attackers, we’re likely to see more software supply chain attacks this coming year.
Ransomware
2021 was described by the EU Agency for Cybersecurity, ENISA, as “the golden era of ransomware”. But whilst stories about ransomware might be less likely to make the headlines in 2022 – principally because editors are sick of running them – that doesn’t mean the threat is abating. One of the key drivers is the amount of money that can be made, and with attackers walking away with £millions from a single attack, they’re likely to remain just as motivated. No surprise then that ransomware and its operators have evolved over the last few years into highly sophisticated operations, complete with customer service agents.
Ransomware-as-a-Service (RaaS)
The business model has also evolved, with the emergence of RaaS – a subscription-based model, that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment.
Like all Software-as-a-Service (SaaS) solutions, RaaS affiliates don’t need to be skilled or even experienced to proficiently use the tool. RaaS solutions therefore empower even the most novel hackers to execute sophisticated cyberattacks.
Ransomware affiliates are supported with onboarding documentation containing a step-by-step guide for launching ransomware attacks with the software. Some RaaS distributors even provide affiliates with a dashboard solution to help them monitor the status of each ransomware infection attempt.
Evolution of ransomware
The traditional story of ransomware was one of malicious code rapidly encrypting files, and then deleting those files if the victim didn’t pay the ransom. In response, organisations began ramping up their cyber defences, with more emphasis being placed on backups and restoration processes, so that even if files were destroyed organizations had copies in place and could easily restore their data.
So cyber-criminals began adapting their techniques. Rather than just encrypting files, after gaining access to systems they exfiltrated the data first. This meant that if the organisation refused to pay up, criminals could threaten to publish the information online or sell it to the highest bidder. Suddenly, all those backups and data recovery plans became worthless. This is what’s known as double extortion ransomware and was a feature of the attacks seen last year.
But as organisations have become more aware and able to deal with double extortion, we’re now seeing further iterations of the model which some call triple extortion, with ransom demands being directed at a victim’s customers or suppliers to exert additional pressure. At the same time, further pressure points such as Distributed Denial of Service (DDoS) attacks, or direct leaks to the media, are also brought into the mix. Although triple extortion was first observed barely 12 months ago, this kind of multi-layered extortion capability has rapidly become an important ransomware selling point. 2022 will doubtless bring new innovations by creative and profit-motivated criminals.
Software supply chain attacks
The Log4shell vulnerability was publicised in December 2021 and had security teams scrambling over the holiday period. The vulnerability related to Log4j – open-source and ubiquitous software used by developers to log (i.e. record) the activity of a system or application. Log4j is very popular and is widely used across software applications and online services globally.
That popularity, coupled with the ease with which the Log4shell vulnerability could be exploited, resulted in the UK’s National Cyber Security Centre (NCSC) describing it as “the most severe computer vulnerability in years”. The Federal Trade Commission (FTC) described it as “posing a severe risk to millions of consumer products to enterprise software and web applications” and warned that it “is being widely exploited by a growing set of attackers.”
The problem with software reuse
Developers commonly reuse software written by others to perform a specific task. The reused software is called a dependency. Use of dependencies by developers is a long-established practice. The practice benefits developers because it avoids having to develop code from scratch; and so avoids repeating work already done to design, write, test, debug and maintain a piece of code. It is key to accelerating the development of new business ideas.
However, use of dependencies comes with exposure to risk: using code which, in turn, depends on pieces of code produced by others, exposes it to all the same flaws. Put another way: software supply chain risks are inherited from the dependencies used. Those risks are often greater when using open-source dependencies given difficulties in ensuring integrity and verifying provenance.
In Log4j’s case, the dependency is used many levels down the dependency tree. This means that it’s very often not even clear that it is in use and, therefore, whether a product or system is affected. So whilst authorities quickly put out advisories on how to mitigate the risks once the vulnerability was publicised (see, for example, the NCSC’s here and the Cybersecurity & Infrastructure Security Agency’s here) it is likely to haunt organisations for years to come.
The legal and regulatory implications
The FTC’s warning to remediate this critical vulnerability, which it issued to kick off 2022, emphasised the types of harm likely to follow where the vulnerability is exploited; namely, “loss … of personal information, financial loss, and other irreversible harms.”
To encourage organisations to take action by showing that it can wield a big stick, in its warning the FTC therefore decided to reference the Equifax data breach. There, a failure to patch a known critical vulnerability affected 147 million consumers in the US and resulted in a settlement of $700 million. On this side of the pond, readers may recall that the ICO fined Equifax £500,000 in respect of the 15 million UK data subjects affected by that same data breach – the maximum available to the Information Commissioner prior to the GDPR coming into force. So, where a critical vulnerability is publicised, organisations are expected to act quickly to remediate it, even though it will often not be an easy task. Otherwise, they might be subject to enforcement action.
The ICO’s most recent fine where the data controller was the victim of a software supply chain attack was in late 2020: Ticketmaster was fined £1.25 million for a data breach where the attack vector was a chat bot containing malware which was provided by a 3rd party and installed on Ticketmaster’s online payment page. Ticketmaster’s appeal of that fine is currently paused until the outcome of a civil claim brought against it by hundreds of its customers. In that litigation, Ticketmaster blames the 3rd party which provided the dodgy chatbot, and is in turn bringing proceedings against it. The trial is likely to take place in late 2022, so watch this space.
By Ali Vaziri, Data – Lewis Silkin
Request a PDF copy of our Business in 2022 report.
Want to join The Collective, and contribute to the debate?
Email us at: The.Collective@lewissilkin.com