Robin’s Newsletter #185 — 2022 Forecast

2 January 2022. Volume 5, Issue 1
What does 2022 hold for cyber and the world?
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This year

Taking a look ahead, here’s my forecast for 2022…

Broad forecast for 2022

Certain characteristics define our world — physically and digitally — and shape events within those spheres. Those might be (very) slow-moving, such as geography, or faster moving social or technological changes. These set the conditions for our environment (and more specifically cyber threat landscape). Even with the fastest moving of these trends, you are unlikely to notice a fundamental difference from one year to the next.

Existing themes 

That can be seen in the themes that have been present in my 2019 (vol. 2, iss. 52) and 2020 (vol. 3, iss. 52) retrospectives. (Side note, I’ve split the 2021 retrospective, published last week, and the 2022 forecast this year).

Reviewing these again, I think two are broader trends, that I think are still relevant:

  • Digital divide / Balkanisation of tech / sovereign ‘splinternets’: nation-state level legislation, regulation or diktat that seek to control and provide resilience for tech in their jurisdiction as a means of protecting national and economic interests. China’s Great Firewall is one example of this control, but perhaps a more recent and extreme example is Russia’s mandate of a sovereign network that can function while cut off from the rest of the Internet.
  • Trust and transparency: There are two sides to this. On one side, data protection provides individual citizens with greater control over their data and can be used to hold an organisation to account. The other, linked to the previous trend for sovereignty, ostensibly ‘consumer’ regulation may also be used as a mechanism not just for simplifying enforcement, but also to further state aims and objectives by keeping data ‘on-shore’.

While the following two are a bit more specific and worthy of some change or retirement:

  • Software supply chains: “Software is eating the world,” said Marc Andreessen in 2011, and with that comes a whole raft of complexity, both within the components of software and digital services, and the ecosystems that are developing around them within or between organisations. As written this is broad enough to encompass Solarwinds-style mass-compromise, more point data breaches at a third-party provider, or impactful software vulnerabilities like Log4Shell. I can see elements of mass digitisation, the ‘API economy’, risk concentration and complexity management, from Phil Venables updated risk megatrends in this.
  • Ransomware: This is the theme which has perhaps changed the most: the market has matured and specialised rapidly (network access brokers, affiliate programmes, and so on) and business models have adapted too (from spray/prey attacks against individuals to target, manual attacks against corporations, from encryption to ‘hack and leak’ operations, etc). While relevant, the change and specificity of ransomware mean it should be demoted, I think, from being an overarching trend to a more specific concern.

Updated themes and things to consider

So, in addition to Internet sovereignty and continuing importance of privacy and trust, what else is setting the stage for 2022 and beyond?

  • Organisations rely on technology and third-parties more: there are far more different careers and job roles now than there were at the beginning of the previous century. The proliferation of specialisations has resulted in out-sourcing being far more commonplace and, increasingly, takes on the form of (confusingly) ‘buying-in’ tech or Software-as-a-Service (SaaS) apps. At the ‘business end’ of the spectrum, this expansion of an organisation’s supply chain is linked with increased exposure to disruption or data breach within that chain.
  • Platforms, APIs and risk concentration: at the ‘tech end’ of the spectrum, platforms, with usage-based or take-rate commercial models, play an increasingly important part in digital life. Often also providing application programming interfaces (APIs), some ‘cloud’ services can form small components nested within layer upon layer of services. This increase in complexity is difficult to understand and, while there is a net increase in the number and diversity of businesses selling to end-customers (good from a competition perspective) certain common aspects of each end up being consolidated amongst relatively fewer, very-large players and a concentration of risk.

The number of SaaS applications used in organisations is increasing in every sector (source: Ben Evans/Okta)

The number of SaaS applications used in organisations is increasing in every sector (source: Ben Evans/Okta)

  • Convergence / automation / robots: Mass digitisation is moving from consumer products and services to operational technology and industrial systems, in part driven by a shift from expensive, bespoke technologies to commercial-off-the-shelf (COTS) hardware and protocols. With that comes an increased reliance on the technology delivering those industrial processes. COTS reduces costs and also opens up the ecosystem to those without previous experience or knowledge of sector-specific applications. Malware can be repurposed easily or systems can become collateral damage in attacks targeting office IT systems.
  • Importance of identity: A blog post that I sketched out, but never wrote, talked about the evolution of security operations centres (SOCs) from a network- and signature-centric models looking for known bad things, through ‘SOC 2.0’ behavioural-centric models to identify ’suspected bad’ things happening on endpoints. I wasn’t (and still aren’t) sure what SOC 3 and 4 look like, but my theory is that ‘SOC 5.0’ will be identity-centric looking for nefarious intent. The rise of software-as-a-service (SaaS) within the enterprise and ‘API economy’ mean an increasing amount of business does not take place within an enterprise network. You can’t detect that using traditional approaches. Instead, you need to look at who is logging in to which resources and what they are trying to do.
  • Regulatory ramifications: Lots of industries are regulated directly (telecoms, water, energy, transport, financial services, etc) and every industry is increasingly subject to data protection and other technology regulation. As regulators play catch-up, questions are being asked of app stores, ‘social’ media properties, and other digitally transformed business models. 

I had hoped to spend more time on these through December and bounce them off a few folks, however, last month was incredibly busy for Cydea and they have been written… today. The inter-connectedness of digital transformation, cloud, APIs and commercialisation/consumerisation are closely intertwined and I’m not entirely happy I’ve sufficiently decomposed them, yet! If you’ve got some feedback on them, drop me a DM, because I will likely be revisiting them in the coming weeks.

Specific predictions

How did I do in 2021?

As I’ll cover below, supply chain and ransomware predictions were pretty sure-fire things to occur in 2022 (I’ll be more specific this year). Beyond those, I identified three other, more specific things that I thought would come to pass:

  • Certificates did cause outages. (You need to be doing this as part of business-as-usual nowadays, instead of it being an ad-hoc thing)
  • A mobile device management (MDM) solution was hit (Kaseya) though it was for ransomware, not to intercept multi-factor authentication (MFA) tokens
  • Though MFA codes are now being directly targeted by cybercriminals, via automated ‘verification’ services and phishing toolkits (see below)
  • Azure itself had an ‘open S3 bucket’ moment by self-publishing source code for many of its customers (see below, too)

I would say ‘not bad’ — all of them correct — though in hindsight I think the bad was less in the accuracy as it was in the precision. I must do better here!

What’s going to happen in 2022?

Taking a leaf out of Tony Martin-Vegue’s ( far ‘smart’-er predictions, here three things I think will come to pass in the next 12 months, and all of which should be verifiable by government announcements or press coverage:

  1. A vulnerability at an identity provider will allow attackers to bypass authentication
  2. An attacker will execute a successful software dependency confusion attack to successfully deploy crypto-mining malware at scale
  3. Core members from one of the top 10 ransomware gangs (by revenue) will be arrested by law enforcement

What’s everyone else saying?

If you’re looking for a broader look at what cyber security vendors are predicting, Paul Brucciani publishes an annual review of the main sources, and this year he’s analysed 175 predictions. Also, having built up a useful data set, he takes a look back at 2021’s predictions and how effective these vendors are at making predictions. Some really interesting observations - thank you, Paul! 

Interesting stats

3.8% of ‘strategically aged’ domains (left dormant for a long period) are malicious, and a further  19% are suspicious, according to new research from Palo Alto Networks who say that these aged domains are  3x more likely to be malicious than newly registered domains

In brief

The folks at The Record and Bleeping Computer seem to have been working through the holidays - lots of content from them this week!

Attacks, incidents & breaches

  • Details of 637,138 Albanian citizens (22% of the population), including names, ID card numbers, salaries, job positions, and employer names, has leaked in with government sources indicating it is likely the result of an ‘internal infiltration’
  • LastPass confirms credential stuffing attacks against some of its users, seemingly where master passwords have been reused (🤦‍♂️) or phished 
  • Print editions, ads and subscriptions business disrupted at Norwegian newspaper group Amedia following ‘serious’ cyberattack

Threat intel

  • ‘Catching transparent phish’: attackers turn to reverse-proxy models to machine-in-the-middle users and intercept multi-factor authentication requests and cookies in more than 1,200 instances
  • Actor ‘in the category of APTs’ using HP integrated lights out (iLO) modules as part of wiper campaign against Iranian organisations, says Tehran-based Amnbpardaz, the security company who has dubbed the attacks ‘iLOBleed’
  • ‘RedLine’ malware focuses on decrypting, stealing passwords stored in Chromium-based web browsers
  • Chinese-linked group used Log4j exploit in suspected attempt to steal intellectual property from an academic institution, says CrowdStrike
  • Korean researchers have identified a way to hide malware in the ‘over provisioning’ (OP) area of solid-state drivers (SSDs)


  • Microsoft Azure App Service had been exposing source code for apps and websites written in PHP, Node, Ruby, and Python and deployed from’ local git’ repos to Linux servers

Cyber teams

  • BlackBerry is shutting down their network provisioning service - which communicates updates to mobile and wi-fi network settings - on 4th Jan

Internet of Things

  • QNAP Network-attached storage (NAS) devices being targeted by eChoraix ransomware


  • China’s Personal Information Protection Law (PIPL) comes into force, though clarity is needed over some of the differences. For example (from the article) user consent is required (like GDPR) however ‘legitimate interest’ is not a reason for data processing, causing headaches for HR and Payrolls teams processing Chinese employee data without explicit consent to do so

Public policy

  • China has suspended Alibaba from the information-sharing partnership run by the state’s Ministry of Industry and Information Technology for not disclosing the Log4Shell vulnerability to them. Timely disclosure of vulnerabilities to the authorities is required for ‘cyber threat management’ purposes in China

Law enforcement

  • The UK National Crime Agency (NCA) has shared details of 585 million accumulated credentials they found on a cloud hosting provider with Have I Been Pwned?

Events and conferences

  • RSA Conference 2022 pushed back from 7th-10th February to 6th-9th June out of an ‘abundance of caution’ amid rising COVID-19 cases

And finally

On-prem Microsoft Exchange isn’t delivering email: Happy New Year!

The anti-spam and anti-malware engine in Microsoft Exchange apparently uses a signed 32-bit integer to store the date of the message it is processing. The maximum value of an ‘int32’ is 2,147,483,647, while timestamps for ’22/01/01 00:01’ represented as 2,201,010,001 exceed this value, causing the process to not run, and mail to be held rather than delivered.

Microsoft has released a script to help get things moving again.


  Robin's Newsletter - Volume 5