New extortion techniques and the rise of new hacking groups in 2022

Asia-Pacific is leading the world in digital transformation efforts, with IDC having forecasted that one in three companies will be generating more than 30% of their revenues from digital products and services in 2023. While this has been a growth driver for the region, the rapid, entrenched digitalisation has also attracted attention from threat actors.

Numerous industry reports have identified Asia-Pacific as a hotspot for cyberattacks. According to an EY study, 57% of Asia-Pacific businesses surveyed were unsure if their cybersecurity defences were strong enough, illustrating the challenge that organisations in the region continue to face.

Vedere Labs conducted an analysis of the cyberthreat landscape in the first half of 2022 and identified several ongoing megatrends that are likely to impact businesses in Asia-Pacific.

The ransomware plague continues

Ransomware attacks continue to grow in number. They are also growing in complexity, as threat actors constantly refine and change their techniques.

Notably, threat actors are adapting conventional tactics, techniques, and procedures in tandem with current and nascent trends such as the growing adoption of enterprise IoT devices. We have observed ransomware groups exploiting vulnerabilities in IoT devices for initial access, followed by lateral movement into the IT network, with the intention of causing physical disruption to business operations.

With the increasing convergence of IT and operational technology (OT) networks, this trend presents a significant risk to rapidly digitalising markets in Asia-Pacific. This is especially so for business and technology hubs such as Singapore, prompting a concerted effort by the authorities to uplift general cybersecurity standards and hygiene with new regulation.

In the near future, we foresee even more types of devices becoming ransomware targets, either for initial access or for impact. For example, ESXi virtualisation servers and NAS devices are becoming mainstream targets of ransomware groups, with malware being created or adapted specifically for these environments. Risks are exacerbated by their often more relaxed security posture, especially as organisations traditionally focus on protecting managed endpoints. VoIP appliances are today among the most scanned devices on the internet, indicating that they could become a target of ransomware groups.

New malware rears its head

Malware developments typically garner attention because of new malicious capabilities, which group is deploying the malware, and whom it is targeting — and more often than not, a combination of the three. Beyond variations of known malicious tools such as WannaCry, which is still very much active five years after the initial infections, the first half of 2022 saw many new malware instances.

We have observed the growing use of destructive wipers for sabotage or to destroy evidence in 2022. These types of malware typically overwrite or encrypt critical files such as the master boot record of a system. Since their impact is similar to ransomware, threat actors often disguise the malware as such to mislead incident responders or to hide their motivations. A notable wiper detected this year was AcidRain, which rendered more than 5,000 wind turbines in Germany unable to communicate.

Malware groups are also targeting insecure-by-design native capabilities of OT equipment. Vulnerabilities stemming from persistent insecure-by-design practices as well as inadequate attempts to fix them continue to pose challenges for cybersecurity, with Vedere Labs discovering 56 vulnerabilities affecting thousands of OT devices from major manufacturers earlier this year.

Many botnets either appeared, reappeared, or became known for the first time in 2022. Emotet, one of the largest botnets ever until its shutdown in 2021, returned with hundreds of thousands of new infections and was distributed in new campaigns using malicious emails. Devices infected by botnets are particularly dangerous, allowing hackers to plant backdoors for unauthorised access and laying the foundation to launch DDoS attacks.

Rise of new hacking groups

Two types of hacking groups were active in the first half of 2022: hacktivists and data extortion groups.

Hacktivists are largely politically motivated, and are likely to have proliferated due to the ongoing conflict in Ukraine. Our research indicates that more than 100 groups have conducted cyberattacks since the beginning of the conflict. While these attacks were mostly DDoS aimed at disrupting operations, some also included data breaches, the use of wipers, distribution of propaganda, and also attacks on critical infrastructure.

Data extortion groups, on the other hand, are similar to ransomware gangs in that they focus on exfiltrating data and demanding a ransom not to release it publicly. However, they employ different malware and do not operate a ransomware-as-a-service model. One example is LAPSUS$, a hacking group that has breached several high-profile organisations, including governmental agencies and companies. In 2022 it moved on to global businesses such as Microsoft, Nvidia, and Okta. Of particular interest were the intensive use of stolen credentials and cooperating insiders for their hacks, as well as their strong social media presence. Following a series of arrests in March, the group has been mostly silent.

Mitigating risks

The proliferation of IoT devices continues to expand the digital terrains of organisations. IDC has forecasted spending on IoT in Asia-Pacific to reach US$436 billion in 2026. Cybercriminals are well aware of this trend, and of the insufficient attention paid to securing these devices. To improve risk posture, we recommend that organisations adopt mitigation strategies that prioritise securing their increased attack surface based on up-to-date threat intelligence.

Such actions include identifying and patching known vulnerabilities in IoT devices to prevent them from being used as part of DDoS botnets. Monitoring the traffic of IoT devices to identify those being used as part of distributed attacks, and changing default or easily guessable passwords, are also essential.

Organisations should also segment their network to isolate IT and OT to decrease the probability of OT/ICS malware reaching its target. Security teams can also adopt monitoring solutions capable of alerting them of malicious indicators and behaviours, and observe internal systems and communications for known hostile actions.
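One way to operationalise the IoT traffic monitoring and IT/OT segmentation checks recommended in the two paragraphs above, as an added example that is not part of the original article: the flow records, the three address ranges and the per-minute packet threshold are constructed assumptions, not values from the page.

```python
# Added example (not from the original article): triage of NetFlow-style
# records that flags (1) IoT devices sending a DDoS-like packet volume to a
# single external target and (2) flows crossing from the IT segment into the
# OT segment, which a segmented IT/OT network should not carry.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (src, dst, dst_port, packets) in a one-minute window.
FLOWS = [
    ("10.20.1.15", "203.0.113.9", 80, 48000),   # IoT camera flooding one host
    ("10.20.1.15", "10.10.0.5", 443, 12),       # IoT -> IT, low volume
    ("10.20.1.22", "198.51.100.4", 123, 30),    # IoT NTP sync, benign volume
    ("10.10.0.7", "10.30.5.3", 502, 40),        # IT host -> OT PLC (Modbus)
    ("10.30.5.3", "10.30.5.10", 502, 300),      # OT -> OT, expected
]

# Assumed segment layout; a real deployment takes these from its IPAM/CMDB.
IOT_SEGMENT = ip_network("10.20.0.0/16")
IT_SEGMENT = ip_network("10.10.0.0/16")
OT_SEGMENT = ip_network("10.30.0.0/16")
INTERNAL = (IOT_SEGMENT, IT_SEGMENT, OT_SEGMENT)
DDOS_PACKET_THRESHOLD = 10_000  # assumed per-minute packets to one destination


def ddos_suspects(flows, threshold=DDOS_PACKET_THRESHOLD):
    """Return {iot_src: (dst, packets)} for IoT hosts that sent more than
    `threshold` packets to one external destination within the window."""
    totals = defaultdict(int)
    for src, dst, _port, pkts in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in IOT_SEGMENT and not any(d in net for net in INTERNAL):
            totals[(src, dst)] += pkts
    suspects = {}
    for (src, dst), pkts in totals.items():
        # Keep the heaviest destination per source device.
        if pkts > threshold and pkts > suspects.get(src, ("", 0))[1]:
            suspects[src] = (dst, pkts)
    return suspects


def segmentation_violations(flows):
    """Return flows that cross directly from IT into OT; under an IT/OT
    segmentation policy only an explicitly allowed jump host should do so."""
    return [f for f in flows
            if ip_address(f[0]) in IT_SEGMENT and ip_address(f[1]) in OT_SEGMENT]


if __name__ == "__main__":
    for src, (dst, pkts) in ddos_suspects(FLOWS).items():
        print(f"possible DDoS participant {src}: {pkts} packets/min to {dst}")
    for src, dst, port, _ in segmentation_violations(FLOWS):
        print(f"IT->OT flow {src} -> {dst}:{port} violates segmentation policy")
```

Both checks are deliberately threshold- and allow-list-driven so that tuning them to a site means editing the constants, not the logic.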

As Asia-Pacific’s digital transformation continues, adopting all, or a combination, of the above recommendations could make the difference for organisations’ digital security.