APT Predictions 2020: as it happened, and predicting 2021

Trying to make predictions about the future is a tricky business. The researchers went back over what they predicted for 2020, what actually happened, and what they expect to happen next.

  • The next level of false flag attacks
    Olympic Destroyer, DeathStalker
  • From ransomware to targeted ransomware
    Attacks targeting mainly hospitals and universities
  • New online banking and payments attack vectors
    FIN7, Cobalt Group, Silence and Magecart, as well as APT threat actors such as Lazarus.
  • More infrastructure attacks and attacks against non-PC targets
    TunnelSnake, MosaicRegressor
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
  • Increasing sophistication of attack methods
    Geo-fencing attacks, or hosting malware and using it for C2 communications.
  • A further change of focus towards mobile attacks
    TwoSail Junk
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked or stolen personal information is being used more than ever before in up-close and personal attacks.

Turning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.

  • APT threat actors will buy initial network access from cybercriminals
  • More Silicon Valley companies will take action against zero-day brokers
  • Increased targeting of network appliances
  • The emergence of 5G vulnerabilities
  • Demanding money “with menaces”
  • More disruptive attacks
  • Attackers will continue to exploit the COVID-19 pandemic

Chrome comes with changes: cache partitioning

Google has changed the way one of Chrome’s core components works in order to give users additional privacy protection. This browser component, known as the HTTP cache or shared cache, works by saving copies of resources loaded on a web page, such as pictures, CSS files, and JavaScript files.

The idea is that Chrome will load the same files from its internal cache when users visit the same site again, or visit other sites that use the same files, rather than wasting time re-downloading each file.

This component exists not only in Chrome but in all web browsers, and has since their early days, as a bandwidth-saving feature. The caching system usually works the same way in every browser: each picture, CSS, or JS file saved in the cache receives a storage key, which is usually the URL of the resource.

For example, the storage key for an image is the image URL itself, such as https://x.example/doge.png. When a browser loads a new page, it looks up the key (the URL) in its internal cache database to decide whether the picture must be downloaded or can be loaded from the cache.

Online advertising and analytics companies have realized that this feature can also be abused to track users, for example to detect whether a user has visited a particular website. Commercial competitors can infer a user’s browsing history by checking the cache for resources that belong to a particular site or group of sites, and the cache can also be used to store cookie-like identifiers as a cross-site tracking mechanism.

Google has introduced a major change to this mechanism, called “cache partitioning,” which changes how resources in the HTTP cache are keyed by adding two additional factors. From now on, the storage key for a resource will consist of three items instead of one.

By adding the extra key components to the cache lookup, Chrome effectively blocks the previously known attacks on its caching mechanism: a site’s components can only reach resources cached under their own key, and cannot check for resources they did not load themselves.
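To make the change concrete, here is an added toy model (not code from the article or from Chromium) of an HTTP cache keyed the old way, by resource URL alone, beside one keyed the new way. Chrome's partitioned key is known to be the top-level site, the site of the frame making the request, and the resource URL; the `siteOf()` reduction to scheme plus hostname, the `HttpCache` class and the site names are constructed for this demo. The point it shows is the defensive property: the same cross-site lookup that would reveal a cached resource under the old scheme misses under the partitioned one, while same-site reuse still hits.

```javascript
// Added example, not from the original article: a toy HTTP cache with an
// unpartitioned key (resource URL only) and a partitioned key
// (top-level site, frame site, resource URL). All site names are constructed.

function siteOf(url) {
  // Approximation of a "site" as scheme + hostname; a real browser uses
  // scheme + registrable domain (eTLD+1).
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

class HttpCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }

  // The storage key: one item before partitioning, three items after.
  key(ctx, resourceUrl) {
    return this.partitioned
      ? JSON.stringify([siteOf(ctx.topLevel), siteOf(ctx.frame), resourceUrl])
      : resourceUrl;
  }

  // Returns where the resource came from; a miss stores it for next time.
  fetch(ctx, resourceUrl) {
    const k = this.key(ctx, resourceUrl);
    if (this.entries.has(k)) return { url: resourceUrl, source: 'cache' };
    this.entries.set(k, { body: `<bytes of ${resourceUrl}>` });
    return { url: resourceUrl, source: 'network' };
  }
}

// Scenario: the user visits bank.example, which loads its logo. Later a page
// on tracker.example loads the same logo URL. Under the old key the second
// load is a cache hit (revealing the earlier visit); under the partitioned
// key it is a miss, because the top-level site differs.
function crossSiteProbeSource({ partitioned }) {
  const cache = new HttpCache({ partitioned });
  const logo = 'https://bank.example/static/logo.png';
  const visitBank = { topLevel: 'https://bank.example/', frame: 'https://bank.example/' };
  cache.fetch(visitBank, logo);
  const probe = { topLevel: 'https://tracker.example/', frame: 'https://tracker.example/' };
  return cache.fetch(probe, logo).source;
}

// Legitimate reuse is unaffected: the same site loading the same resource
// again hits the cache under both schemes.
function sameSiteReuse({ partitioned }) {
  const cache = new HttpCache({ partitioned });
  const css = 'https://cdn.example/lib.css';
  const ctx = { topLevel: 'https://shop.example/', frame: 'https://shop.example/' };
  cache.fetch(ctx, css);
  return cache.fetch(ctx, css).source;
}

console.log('cross-site lookup, unpartitioned:', crossSiteProbeSource({ partitioned: false })); // cache
console.log('cross-site lookup, partitioned:  ', crossSiteProbeSource({ partitioned: true }));  // network
console.log('same-site reuse, partitioned:    ', sameSiteReuse({ partitioned: true }));         // cache
```

Run it with `node` to see the three lines printed. The model deliberately ignores cache validation, expiry and the eTLD+1 rules, since only the key shape matters for the privacy argument in the article.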

Google has been testing cache partitioning since the release of Chrome 77 in September 2019 and says the new system will have no impact on users or developers.

Cache partitioning is currently only active in Chrome, but it is also available to other browsers built on Chrome’s open-source code base, most of which are likely to deploy it in the coming months.

NHAI attack a month back saw logins from Hong Kong and Taiwan

New Delhi: CERT-In, investigating the cyberattack on NHAI, has found that the internal network of the NHAI office was compromised by unknown attackers in the last week of June. It has also found suspicious logins using an unauthorised username, made from IP addresses in Taiwan and Hong Kong.

CERT-In has flagged significant cyber security gaps in the NHAI system and recommended that the authority and its main IT service provider take immediate measures to address the gaps and enhance security. NHAI officials claimed they have taken corrective measures.

The cyberattack infected multiple servers and PCs with Maze ransomware, resulting in a complete shutdown of the systems for nearly 48 hours. The attackers also compromised the Windows Active Directory server of the NHAI network and subsequently compromised internal systems, the mail server and the anti-virus server.

The attackers exfiltrated data and leaked sample data from two NHAI systems in the public domain. The released data included tax information, audit reports, passport copies, identity cards, assessment reports and other personally identifiable information and financial records of NHAI users.

During analysis, suspicious logins to the NHAI virtual private network (VPN) from IP addresses in Taiwan and Hong Kong, using an unauthorised username, were also identified. CERT-In has said this activity does not appear to be related to the Maze ransomware attack and may be a separate incident of compromise.
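The two signals CERT-In reported, an account that is not on the authorised list and source addresses in countries the organisation does not operate from, are cheap to check on VPN gateway logs. The following is an added example (not code from the article, CERT-In or NHAI) that runs both checks over a handful of constructed log lines; the log format, usernames, IP addresses and the tiny `GEOIP` table standing in for a real GeoIP lookup are all made up for the demo.

```javascript
// Added example, not from the article: flag successful VPN logins that use an
// account outside the authorised list or originate from an unexpected country.
// Log format, accounts, addresses and the GeoIP table are constructed.

const AUTHORISED_USERS = new Set(['r.sharma', 'a.verma', 'svc-backup']);
const EXPECTED_COUNTRIES = new Set(['IN']);

// Constructed stand-in for a GeoIP database lookup (documentation-range IPs).
const GEOIP = {
  '203.0.113.10': 'IN',
  '203.0.113.22': 'IN',
  '198.51.100.7': 'TW',
  '192.0.2.45': 'HK',
};

// Constructed VPN log lines:
// "<ISO timestamp> vpn-gw login <success|failure> user=<name> src=<ip>"
const SAMPLE_LOG = `
2020-06-26T02:14:09Z vpn-gw login success user=r.sharma src=203.0.113.10
2020-06-26T02:31:40Z vpn-gw login success user=tmpadmin src=198.51.100.7
2020-06-26T03:05:12Z vpn-gw login failure user=a.verma src=203.0.113.22
2020-06-26T03:07:55Z vpn-gw login success user=a.verma src=192.0.2.45
2020-06-26T04:40:01Z vpn-gw login success user=svc-backup src=203.0.113.22
`;

const LINE_RE = /^(\S+) vpn-gw login (success|failure) user=(\S+) src=(\S+)$/;

// Parse one line into an event object, or null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], result: m[2], user: m[3], src: m[4] };
}

// Attach the reasons a login looks suspicious (empty array means clean).
function assessLogin(ev) {
  const reasons = [];
  if (!AUTHORISED_USERS.has(ev.user)) reasons.push('unauthorised-username');
  const country = GEOIP[ev.src] || 'UNKNOWN';
  if (!EXPECTED_COUNTRIES.has(country)) reasons.push(`unexpected-country:${country}`);
  return { ...ev, country, reasons };
}

// Only successful logins matter for compromise triage; failed attempts belong
// to a separate brute-force check that this example does not cover.
function findSuspiciousLogins(logText) {
  return logText
    .split('\n')
    .map(parseLine)
    .filter((ev) => ev && ev.result === 'success')
    .map(assessLogin)
    .filter((ev) => ev.reasons.length > 0);
}

const hits = findSuspiciousLogins(SAMPLE_LOG);
for (const h of hits) {
  console.log(`${h.ts} user=${h.user} src=${h.src} (${h.country}) -> ${h.reasons.join(', ')}`);
}
```

On the sample input this reports two of the four successful logins: the unknown `tmpadmin` account coming from Taiwan, and the legitimate `a.verma` account logging in from Hong Kong. The second case is the important one in practice: a valid username from an unexpected location is exactly the pattern that an allow-list on usernames alone would miss, so both checks should run together, and any hit should be cross-checked against the account's normal login history before being treated as compromise.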