H1 2021: Malware and Vulnerability Trends

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Executive Summary

This report examines trends in malware use, distribution, and development, and high-risk vulnerabilities disclosed by major hardware and software vendors between January 1 and June 30, 2021. Data was assembled from the Recorded Future® Platform, open-source intelligence (OSINT), and public reporting on NVD data. This report will assist threat hunters and security operations center (SOC) teams in strengthening their security posture by prioritizing hunting techniques and detection methods based on this research and data along with vulnerability teams looking for ways to prioritize patching and identify trends in vulnerability targeting.

Trends within vulnerability exploitation and malware attacks often intersect, as threat groups will target these flaws to deliver, distribute, and execute their malicious code onto vulnerable systems. Throughout the first half of 2021, several notable cyber incidents gained mainstream attention due to their wide effect and novel techniques used in attacks that demonstrate this intersection. These incidents involved threat actors taking advantage of critical vulnerabilities to deploy malware onto compromised systems such as Accellion FTA software, Microsoft Exchange Servers, macOS, and QNAP devices. These attacks illustrate the rapid targeting and exploitation of high-risk vulnerabilities by cybercriminals, ransomware operators, and state-sponsored groups alike. 

In the first half of 2021, the marketplace for ransomware matured as more operators began hiring affiliates to increase the effectiveness of their attacks. Ransomware operators have demonstrated increased sophistication by adding DDoS to their attacks, targeting Linux systems, rapidly exploiting newly disclosed vulnerabilities, and even targeting zero-day vulnerabilities in attacks. This evolution demonstrates that ransomware operators are no longer considered unorganized cybercriminals, but now have the resources to compete with well-established groups like nation-state threat actors. 

In an investigation into botnet activity, the successful law enforcement takedown of the Emotet botnet in January 2021 opened a gap in the botnet space, resulting in the increased use of other bots, including Trickbot, IcedID, BazarLoader, and Qakbot over the last quarter.

For trends within the vulnerability landscape in H1 2021, supply-chain attacks derived from vulnerabilities in third-party products dominated headlines. In addition, vulnerabilities in corporate software were more frequently targeted than consumer-grade software, and high-risk vulnerabilities across major vendors spiked in the first half of the year.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.