Thursday, Feb 24, 2022
BY: Team Nuspire
Nuspire released its Q4 and full-year 2021 threat report findings, which indicated a decrease in activity across malware, botnets and exploits. In Nuspire’s webinar reviewing its findings, Josh Smith, Cyber Threat Analyst for Nuspire, and Justin Heard, Threat Intel & Rapid Response for Nuspire, highlighted the key data and trends they uncovered and offered practical tips to combat current cybersecurity threats.
Josh and Justin outlined the five-step process they use to compile the report:
- Gather, where they source threat intelligence and data from global sources, client devices and reputable third parties.
- Process, where they analyze data using a combination of machine learning, algorithm scoring and anomaly detection.
- Detect, where, using Nuspire’s cloud-based SIEM, the team ingests log data and alerts the security operations center (SOC). The SOC then notifies the client and works with them to remediate the threat.
- Evaluate, in which analysts further scrutinize the research, scoring and tracking of existing and new threats.
- Disseminate, which is when analysts leverage the insights to constantly improve the SOC, alerting and the community through the creation of detection rules, briefs and presentations.
While malware saw a 4% decrease in activity in Q4 when compared to Q3, it continues to plague individuals and businesses alike.
“Phishing is still a big issue, where you have some type of lure attached to an email, text or other type of communication to enable macros and infect your network,” Josh said.
Some of the biggest malware variants are VBA agents, which typically launch their campaigns around a specific event, such as the holiday season, to create a theme. Because Nuspire witnessed a continued decrease of VBA agent activity from Q3 into Q4, the team suspects attackers are spending the time retooling to prepare for another campaign in Q2 2022.
“Some great news we’ve learned is that Microsoft announced they’re going to disable VBA agents by default by Q2 2022,” said Josh. “Since 25% of all ransomware is launched by VBA agents, this is a welcome change.”
In Q4, ransomware was the only type of threat activity that saw an increase – 54%. However, Josh indicated that throughout 2021, he witnessed ransomware operators facing intense law enforcement collaboration at a level he hadn’t seen before.
“Because of the heightened scrutiny and action from law enforcement, we saw several ransomware families announce they were shutting down,” Josh said. “We anticipate ransomware operators will pivot to focus less on the ‘big game’ targets that create headlines to more of the small-to-medium organizations that will still net them a payout.”
Full-Year 2021 Malware Activity
When reviewing 2021 malware stats, Nuspire saw a 9.25% decrease in activity over 2020.
“The peak of malware activity happened in May 2021, and as with Q4, the top malware variants were VBA agents,” Josh said.
Malware Mitigation and Response
To combat malware, Nuspire recommends three mitigation measures:
- Endpoint protection platforms (EPP)
- Network segregation
- Cybersecurity awareness training
“All three of these are important to safeguard your organization against malware threats; however, cybersecurity awareness training will get you the most bang for your buck,” Justin said.
Nuspire saw a large drop in botnet activity compared to Q3 2021: 57.92%.
“This was a particularly quiet quarter when it came to botnet activity; however, we did see the resurgence of the Emotet botnet,” said Josh. “Emotet was shut down by law enforcement earlier this year, but came back in Q4 – though thankfully, we didn’t see the same amount of activity from Emotet as we did when it was in its prime.”
Justin added, “Botnets are one of the easier things to detect through our threat intelligence. However, it’s important to keep in mind that something that’s easy for us to detect is also typically easier for attackers to change, so it’s important to stay vigilant.”
Full-Year 2021 Botnet Activity
Nuspire’s data show a 24% decrease in botnet activity in 2021 when compared to 2020.
“2020 was a really busy year for botnet activity,” said Josh. “Because Emotet was shut down at the beginning of 2021, that had a significant impact on botnet activity for the year.”
Botnet Mitigation and Response
To protect against botnets, Nuspire suggests these three steps:
- Leverage threat intelligence
- Use next-generation antivirus
- Threat hunt within your environment
For exploits, Nuspire witnessed a decrease of 45.97% in Q4 2021, with SMB brute forcing continuing to dominate.
“In Q4, SMB brute forcing was behind 52% of the exploits we saw,” said Josh. “Organizations need to understand their digital footprint and ensure their systems are patched.”
Josh also cautioned organizations to stay up to date on patches for older exploits because, ultimately, threat actors will scan for vulnerabilities on any service that’s exposed to the internet and will use whatever tools are at their disposal to do it.
Full-Year 2021 Exploit Activity
2021 saw a 13% decrease in exploit activity. Josh surmised that in 2021, security practitioners and admins were able to focus more on security once the dust settled from the rush to facilitate remote work in 2020.
Justin cautioned that threat actors are motivated by low-hanging fruit and opportunities that require the least effort. He emphasized the need for organizations to disable any unnecessary services and secure external ones behind a VPN.
Exploit Mitigation and Response
Josh and Justin offered four measures organizations can employ to combat exploits:
- Patch your systems ASAP
- Use a firewall with an intrusion prevention system (IPS)
- Monitor security news and vendor security bulletins. Nuspire customers receive a regular threat brief to ensure they’re up-to-speed on the latest exploits.
- Disable unused services