2021 Security Landscape


A Year in Cyberthreats

Advanced Persistent Threats

They may not comprise the majority of attacks, but for high-value organizations, advanced threats are a clear and present cyber risk. What’s more, advanced techniques frequently trickle down to wider members of the cybercrime underground.

Advanced persistent threats have made headlines in 2021 with zero-day exploits and supply chain attacks, but it’s worth noting that sophisticated cybercriminals, including initial access brokers, are quietly making gains with social engineering, including phishing attacks, to bypass perimeter defenses.

  1. At the time of writing, MITRE ATT&CK has observed a staggering 189 post-compromise attack techniques in the wild versus just 26 related to intrusions. It’s inside networks where advanced threats are arguably most concentrated
  2. The exploited PrintNightmare bug affected 100% of Windows versions
  3. 18,000 organizations downloaded a sabotaged version of SolarWinds software, and 100 of those had it exploited against them including nine US government departments. Although this campaign began in 2020, its repercussions were felt long into 2021
  4. Over half (51%) of global organizations reported a significant data breach in 2021
  5. The number of publicly reported US data compromises through September 30, 2021 exceeded the total number of events in the whole of 2020 by 17%
  6. Data compromises were up in 10 out of 13 sectors in Q3 2021 compared to Q3 2020
  7. At least 10 advanced persistent threat (APT) groups were observed exploiting the same zero-day vulnerabilities in Microsoft Exchange Server
  8. Initial access brokers emerged as a significant link in the cybercrime supply chain, often selling their services to advanced threat groups
  9. APT groups aren’t just focused on carrying out data breaches for extortion. Noted group TeamTNT uses sophisticated techniques to mine illegally for cryptocurrency
  10. Unsecured Kubernetes clusters are an increasingly popular target for advanced threat groups, who hijack them for various motives


The stand-out story for cyberattacks in 2021 was ransomware. They led to fuel shortages across much of the eastern U.S. and direct confrontation between the White House and the Kremlin. The threat remains largely untamed, although now that insurers and governments are specifying minimum security standards, there is hope for the future.

  1. Global ransomware costs are predicted to reach $265B by 2031
  2. The average amount of funds stolen increased 179% in 2021 to $326,264 and the average ransom demand increased to $1.2 million in the first half of 2021
  3. Around 7.3 million ransomware threats were detected in the first six months of 2021, nearly half the number of a year previous, indicating more targeted attacks
  4. 27.5% of incidents investigated in the Americas over a 12-month period involved ransomware, according to the 2021 DBIR
  5. Ransomware costs on average $4.62 million, not including the cost of paying the ransom
  6. Average ransomware demands surged 518% year-on-year (YoY) in H1 2021
  7. Cyber-insurance costs soared 96% from Q3 2020 to Q3 2021, largely due to ransomware
  8. An August study found that 17% of organizations had experienced a ransomware attack in the previous 12 months, and 69% paid their attackers
  9. $70M is the record for the highest ever ransom demand—aimed at IT software firm Kaseya
  10. Ransomware attackers benefit from profit margins in excess of 90%, similar to those of cocaine traffickers in the 1990s, but with far less risk

Supply Chain Attacks

Both state-backed operatives and financially motivated crime groups realized in 2021 that the way to optimize attacks lies in targeting upstream supply chains, especially software vendors. Organizations will need to get better at vetting their sprawling supplier ecosystems as a result.

  1. At least 100 US companies were compromised in the SolarWinds (SUNBURST) attack
  2. 29% of the most popular open-source projects contain at least one known security vulnerability
  3. Upstream software supply chain attacks soared by 650% from 2020 to 2021
  4. In 2021 developers used approximately 2.2 trillion open-source software packages and components from third-party ecosystems
  5. 50 managed service providers and around 1,500 of their downstream customers were impacted by the Kaseya supply chain attack, which spread ransomware far and wide
  6. In Q1 2021, supply chain attacks in the US rose by 42% from the previous quarter
  7. Nearly 793,000 people were impacted by supply chain attacks in Q3 2021
  8. 93% of global organizations have suffered a direct breach via their supply chains over the past year
  9. European security agency ENISA predicts 2021 will see four times more supply chain attacks than 2020
  10. Two-thirds (66%) of supply chain attacks focus on the supplier’s code

IoT Security

IoT devices are already taking over the world, streamlining production lines, securing the smart home, and keeping us healthier. They also represent a potential weak link in the corporate security chain that threat actors are waking up to. IoT endpoints can be hijacked to launch attacks, sabotaged to disrupt business processes, or compromised to offer a handy entry point into corporate networks.

  1. Over half (58%) of IoT attacks in the first half of 2021 leveraged Telnet
  2. A critical vulnerability (CVE-2021-28372) in a popular SDK was estimated to impact 83 million recording devices, including enterprise security cameras and smart baby monitors. ExtraHop determined that around 1% of customers have devices that use the impacted ThroughTek Kalay services
  3. A separate ThroughTek vulnerability was also revealed to potentially impact millions of IoT cameras
  4. IoT cyberattacks more than doubled YoY in the first half of 2021
  5. IoT malware detections surged 66% YoY in the first half of 2021 as attackers targeted home networks and remote workers
  6. The UK introduced new legislation designed to improve baseline security of IoT devices, potentially showing the way for other western countries
  7. A new cluster of DNS vulnerabilities dubbed Name:Wreck could impact over 100 million IoT devices used by consumers and enterprises
  8. The number of IoT connections was predicted to grow to more than 27 billion by 2025
  9. The biggest threat to connected car owners over the past decade has been data theft/privacy breaches (30%), followed by vehicle theft (28%)
  10. Some 63% of enterprises have deployed IoT, but 15% haven’t updated their policies as most believe IoT is secure-by-design


Investments in cloud-based technologies soared during the pandemic. But a lack of in-house enterprise, security skills, and confusion over the shared responsibility model has often ended up exposing organizations to new cyber-risks. IT buyers should note, while cloud adoption can reduce the cost of on-premises IT infrastructure, it most likely will not make you more secure. In fact, cloud adoption requires additional effort and investments in cloud-centric security.

  1. Nearly two-thirds (62%) of organizations reported business-impacting attacks involving cloud assets
  2. Nearly three-quarters (73%) of organizations reported their cloud security readiness as average or below average
  3. Organizations with 500-2,000 employees use an average of 664 distinct cloud apps each month
  4. It’s estimated that that over half of cloud breaches occurred due to “shadow IT” emerging via unauthorized systems spun up against security policies
  5. Cloud vulnerabilities have increased 150% over the past five years
  6. 71% of cloud accounts sold on the dark web used RDP as their access path
  7. Misconfigured APIs and shadow IT accounted for two-thirds of cloud breaches over the past year
  8. A misconfigured cloud database left online with no password protection or encryption exposed over 800 million records linked to WordPress users before its owner was notified
  9. Compromised cloud accounts cost organizations on average $6.2m annually
  10. Almost all (98%) companies have experienced a cloud breach over a recent 18-month period

Remote Access

It goes without saying that remote access has skyrocketed during the pandemic as offices closed to protect public health. The future will increasingly be one of hybrid working, which will offer threat actors continued opportunities to compromise related applications and infrastructure as workers log in remotely.

  1. 45% of full-time US employees were still working from home either all or part of the time in late 2021
  2. 90% of remote workers want to maintain remote work to some degree going forward
  3. 74% of organizations attribute recent business-impacting cyberattacks to remote work tech vulnerabilities
  4. quarter of remote workers admit to not using any two-factor authentication
  5. 95% of organizations said at least some of their new COVID-19 related cybersecurity protections will be permanent
  6. There was a 413% increase in brute-force attacks targeting RDP from 2020 to early 2021
  7. Attacks against one popular SSL-VPN (Fortinet) increased 1,916% in Q1 2021, while attacks targeting Pulse Connect Secure VPNs increased 1,527%
  8. 96% of security decision-makers now believe that Zero Trust is critical to their organization’s success
  9. One vendor discovered four new attack tools used to establish persistence on devices connected to Pulse Secure VPNs: Bloodmine, Bloodbank, Cleanpulse, and Rapidpulse
  10. Threat actors also targeted legacy bugs in VPNs during 2021—such as a 2019 flaw in SonicWall Secure Remote Access (SRA) 4600 devices

Protocol Abuse

The digital world was originally created without security in mind. This has left many of the protocols that remain popular today sorely in need of upgrading. Unfortunately, many organizations forget, leaving security gaps that attackers are past masters at finding and exploiting.

  1. Two-thirds (67%) of enterprise IT environments still had instances of SMBv1 in 2021. This protocol was exploited in both the WannaCry and NotPetya attacks
  2. 81 of 100 enterprise environments still use insecure HTTP credentials
  3. A third (34%) of organizations have at least 10 clients running NTLMv1, which could enable attackers to launch machine-in-the-middle (MITM) attacks or take complete control of a domain
  4. 70% of enterprises are also running LLMNR, which can be exploited to access users’ credential hashes
  5. HTTPS attacks over encrypted channels increased by 314% from 2020 to 2021
  6. Between January and September of 2021, one vendor blocked 21 billion threats over HTTPS—an increase of more than 314% from 2020
  7. 70% of SSL-enabled applications are likely to have been attacked
  8. The volume of malware hidden in encrypted TLS traffic more than doubled from 2020 to Q1 2021
  9. SMB login brute force attempts comprised nearly 70% of all exploit activity in Q1 2021
  10. Encrypted protocols such as SMB v3 are used to mask lateral movement and other advanced tactics in 60% of the 30 most exploited network vulnerabilities

Zero Days

Although most cyber-attacks exploit known vulnerabilities that organizations have yet to patch, zero-days remain a significant threat. Attackers and defenders are increasingly locked into a race against time to discover new vulnerabilities before the other. If the bad guys get there first, resulting exploits in popular software can have a devastating impact. Nation-state exploits are increasingly ending up on the cybercrime underground, sometimes just days after the initial compromise.

  1. As of the date of posting, there were 82 zero-day vulnerabilities in circulation for 2021, a record total and already more than double the 2020 figure
  2. Chinese hackers exploited four Exchange Server zero-days subsequently used by multiple APT groups. These were known collectively as “ProxyLogon
  3. In June, Microsoft announced patches for seven zero-day vulnerabilities
  4. In October, Apache HTTP Server admins were urged to patch after it emerged that a zero-day vulnerability was being exploited in the wild
  5. Cyber-criminals are reportedly exploring the prospect of renting out zero-day exploits while they find permanent buyers
  6. The average time taken for businesses to patch vulnerabilities has increased by a week since 2020 to a total of 287 days
  7. The Pentagon expanded its bug bounty program to all of its publicly available information systems in 2021
  8. The UK’s Ministry of Defence (MoD) ran its first bug bounty program with ethical hackers this year
  9. Zero-day exploits are rapidly filtering down to less capable actors, experts warned this year
  10. Threat actors are reportedly weaponizing zero-day exploits faster than ever before

Government Action

One defining story of cybersecurity in 2021 has been the more proactive stance the Biden Administration has taken on cyberthreats. In fact, the White House claimed it could even take unilateral action against crime groups being sheltered by hostile states. It’s good to see the government taking a lead and setting the right tone by improving federal cybersecurity. But organizations must remember to play their part too with next-generation security tools and policies.

  1. CISA issued a directive requiring federal agencies to patch over 300 known vulnerabilities dating back to 2014. Private enterprises were encouraged to follow suit
  2. The EU has proposed new laws to make cryptocurrency more traceable, in a bid to crackdown on money laundering and cybercrime
  3. President Biden’s executive order in May mandated zero trust, strong encryption, improved supply chain security, and other best practices across the federal government
  4. The White House, NATO, and the G7 all turned the heat up on Russia for allegedly harboring ransomware groups
  5. The US government issued a warning that the nation’s water supply chain is subject to ongoing attacks
  6. It was reported that the US government was seeking to team up with private sector firms to monitor domestic extremists online
  7. The US government added spyware developer NSO Group to its export blacklist after reports the Israeli firm’s tools had been used by repressive regimes to monitor their citizens
  8. The Biden Administration set up a ransomware task force to elevate the threat posed by such groups to that of terrorism
  9. The SEC sanctioned eight firms for cybersecurity failings which led to email account takeovers exposing customers’ personal data
  10. The US Treasury sanctioned multiple ransomware actors and virtual currency exchanges for money laundering and other offenses

Source: ExtraHop Security

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest

Leave a comment

Your email address will not be published. Required fields are marked *

Follow us
Subscribe to get 15% discount
Subscribe to get 15% discount