
Every way cyberwarfare attacked you in H1 is here

DDoS, vulnerability lags, phishing, malware, ransomware, and a number of other cyber warfare tactics were used globally in the first half of 2021. We show them all, with examples from the UAE and Saudi.

The average UAE organization needs to spend $2.52 mn, and hire 34 new members of IT staff to fight cybercrime

77% of Saudi organizations have moved business-critical functions to the cloud

E-commerce panels, unsecured databases, and Microsoft Exchange servers appeal to data stealers

According to a report by cybersecurity researchers at Netscout, there were 5.4 million recorded DDoS attacks during the first half of 2021 – a figure that represents an 11% rise compared with the same period last year. 

During the first half of 2021, there were a number of attacks using between 27 and 31 different vectors. An attacker can switch between vectors to make the attack harder to disrupt. 

Vulnerability lag

Some 58% of UAE organizations said their security measures have kept up with their COVID-led digital transformation initiatives over the past 18 months, according to new research from Veritas Technologies. This is compared to just 43% in last year’s 2020 Ransomware Resiliency Report.

However, the Veritas Vulnerability Lag Report said UAE businesses could still be at risk of cyberattacks for another 2 years due to IT security vulnerabilities, and that fixing them would require the average UAE organization to spend an additional $2.52 million and hire 34 new members of IT staff.

Cloud environments are most at risk with 77% of UAE respondents having implemented new cloud capabilities or expanded them, but just 46% said they could accurately state the number of cloud services they were now using.   

Saudi cyber

Tenable®, the Cyber Exposure company, published results of a study that found 86% of Saudi organizations suffered a business-impacting cyberattack caused by vulnerabilities in technology put in place during the pandemic. The data is drawn from ‘Beyond Boundaries: The Future of Cybersecurity in the New World of Work.’  

91% of organizations now have remote employees, up from just 34% in early 2020.  Moving forward, the vast majority of organizations (91%) plan to adopt this remote working model permanently.

To facilitate the new world of work, cloud adoption has surged. 77% of Saudi organizations have moved business-critical functions to the cloud, including human resources (80%) and accounting and finance (60%).

However, this change to working practices has increased organizations’ risks. 67% believe moving business-critical functions to the cloud exposes the organization to increased cyber risk.

98% of Saudi organizations experienced a business-impacting cyberattack in the last 12 months, with 33% falling victim to five or more. 57% of these attacks targeted remote employees.

“The pandemic has seen the corporate perimeter shattered,” said Maher Jadallah, Senior Director Middle East & North Africa, Tenable. “Cloud adoption and remote working practices were being cautiously adopted in Saudi, but in the last eighteen months, this transition has exponentially accelerated. Attackers have seized on the opportunity.”

Google Forms

Sophos, a global leader in next-generation cybersecurity, has published a report titled, “Phishing and Malware Actors Abuse Google Forms for Credentials, Data Exfiltration,” which describes how cyberattackers abuse Google Forms to implement a wide range of attacks, targeting both organizations and individuals.

Sean Gallagher, a senior threat researcher at Sophos said: “Google Forms offer cyberattackers an attractive proposition: the forms are easy to implement, trusted by both organizations and consumers, and the traffic to and from the service is secured with Transport Layer Security (TLS) encryption so it can’t be easily inspected by defenders.”

 “While most abuse of Google Forms by cyberattackers remains firmly in the low-skill phishing and fraud spam space, there are increasing signs that adversaries are taking advantage of the platform for more sophisticated attacks including using Google Forms to exfiltrate data, and for malware command-and-control.”  

Raccoon Stealer

Sophos also published new research called “Trash Panda as a Service: Raccoon Stealer Steals Cookies, Crypto coins and More,” detailing how a stealer disguised as pirated software grabs cryptocurrencies and information while dropping malicious content, such as crypto miners, on targeted systems.

“Operators behind information-stealing malware are increasingly targeting stored web credentials that provide access to a lot more than they could get by just stealing stored password hashes,” said Gallagher.

“The campaign we’ve been tracking shows Raccoon Stealer grabbing passwords, cookies, and the ‘autofill’ text for websites, including credit card data and other personally identifying information that may be stored by a browser. Raccoon Stealer also now targets crypto-wallets, and it can retrieve or load files on infected systems. That’s a lot of stuff that cybercriminals can easily monetize for a service that is ‘rented out’ at $75 for a week’s use.”

Raccoon Stealer is usually spread by spam email, but it is also distributed through droppers that the operators disguised as cracked software installers. These droppers bundle Raccoon Stealer with additional attack tools, including malicious browser extensions, YouTube click-fraud bots, and Djvu/Stop, a ransomware targeted primarily at home users.


Sophos also announced the findings of its global survey, “Phishing Insights 2021,” which revealed that 60% of IT teams in the UAE said phishing emails targeting their employees increased during 2020.

Chester Wisniewski, principal research scientist at Sophos said: “Phishing is often the first step in a complex, multi-stage attack. Attackers frequently use phishing emails to trick users into installing malware or sharing credentials that provide access to the corporate network.”

87% of organizations in the UAE have implemented cybersecurity awareness programs to combat phishing. Respondents said they use computer-based training programs (52%), human-led training programs (45%), and phishing simulations (37%).

Perfect ransomware victim

Researchers have explored what the perfect victim looks like to today’s ransomware groups.

Recently, KELA, a global leader in actionable threat intelligence, published a report on listings made by underground ransomware operators and players in the Ransomware-as-a-Service (RaaS) space, revealing that many want to buy working credentials or the knowledge of a vulnerability in a corporate system for US companies whose minimum revenue is over $100 million.

Canadian, Australian, and European targets are also considered. Those located in developing countries are unwanted because potential payouts are low.

Roughly half of the ransomware operators will reject offers for access into the healthcare and education sector, no matter the country. In some cases, government entities and non-profits are also off the table.

Remote Desktop Protocol (RDP) and Virtual Private Network (VPN)-based access prove popular, specifically products developed by companies including Citrix, Palo Alto Networks, VMware, Cisco, and Fortinet.

KELA also found that offerings for e-commerce panels, unsecured databases, and Microsoft Exchange servers appeal to data stealers and criminals attempting to implant spyware and cryptocurrency miners.