We’re near the end of a very rocky year. COVID-19 was the tip of a unique iceberg, full of political turmoil, deadly fires, and an economy on the brink of collapse. What wasn’t unique were the thousands of cyberattacks around the world that seem to get worse every year, and 2020 was no exception to the rule.
In recent pieces, we predicted certain patterns for the top cybersecurity threats, based on research from all around the world. As we arrive at the last quarter of 2020, we decided to check on those predictions, as a sort of year-end evaluation of malicious software.
Get those security measures ready, folks. It’s time for threat intelligence.
Phishing Attacks, RATs, and Malware
If there were a race for the most complex and rapidly growing cyber threat of the year, the clear winner would be phishing. Always looking for the weakest link, phishing has become the avenue of choice for most hackers looking for financial gain or an entry point into larger organizations.
But why? Security researchers agree that the social climate was “a perfect storm” for social engineering attacks, phishing, and enterprise malware. As the COVID-19 pandemic spread, several things happened in the workplace. Workers left their safe office environments to work on unprotected, vulnerable home networks. In some cases, BYOD (bring-your-own-device) policies were put in place. Remote workers with a lack of cybersecurity training became vulnerable to phishing attacks expertly crafted to resemble office logins, emails, and software.
As for the common user, the outlook wasn’t any different. Cybercriminals are using machine learning to learn about user behavior and trigger emotional distress with complex attacks: for example, phishing email or SMS campaigns tied to the COVID-19 pandemic or to the tense political climate in the US.
The malicious payloads in these attacks are even more complex, too. RATs (Remote Access Trojans), especially on phones, have been growing exponentially. Malicious software that once required a deep understanding of code is now in the hands of anyone who can pay for it, under a MaaS (malware-as-a-service) model. RAT operators exploit exposed RDP (Remote Desktop Protocol) services to gain access to endpoints, opening the gates for the phishing flood.
The last trend in this category is the use of the browser. The family of HTML/Phishing attacks (and their relatives HTML/scrinject and HTML/REDIR) has been affecting thousands of websites and browsers worldwide. Hackers are attacking unprotected web traffic just as workers are leaving protected corporate networks to work from home. This is a trend that security researchers expect to see continue in 2021.
Easy to deploy and a pain to remove, ransomware attacks are more common than ever. As the Verizon DBIR (Data Breach Investigations Report) suggested, at least one in four malware cases involved ransomware, and that number was expected to grow. As we enter the last quarter of the year, we know the threat of ransomware is growing in both scope and sophistication.
The main reason behind the growth of ransomware is how easy it is for hackers to acquire the tools to perform an attack by buying them on a dark web marketplace. In the same way that threats like Cerberus are offered to hackers for a fee, ransomware like Sodinokibi or Phobos is making huge amounts of money with little effort. RaaS (ransomware-as-a-service) is relatively cheap for inexperienced hackers and can lead to massive profits in cryptocurrency if successful.
Certain ransomware variants are becoming more aggressive, taking a page from the Petya and GoldenEye playbook. Variants like CoViper have been found to overwrite the Master Boot Record (MBR) of infected machines before encryption, a highly destructive tactic.
The Era of State-Backed Attacks
This year, the news cycle has been full of headlines like “state-backed attack”, “hacked by the [insert nation-state here] government”, “cyber warfare” and “cyberterrorism”. And it’s no joke or bad reporting, either. Every organization, private or otherwise, that researches cybersecurity threats agrees: nation-state actors are a serious issue. And it all comes down to the rising threat of state-backed APTs.
APTs, or Advanced Persistent Threats, are like hurricanes. They don’t hit too often, but when they do, expect a trail of destruction behind them. In this case, hacking groups that specialize in deep, complex attacks on large organizations are pieces in the same game of chess between the world powers. Groups in India, China, Russia, Iran (and, one can only guess, the US) are hacking strategic targets more than ever, aligned with the political and economic goals of their “backing” countries.
Reports from companies like Microsoft have shed some light on how state-backed cyberattacks have changed their scope this year. Coordinated groups and APTs are targeting health care institutions and organizations in the US with the objective of conducting espionage on its citizens. Likewise, research groups working on the COVID-19 vaccine all over the world have reported attacks from state-backed hackers.
As you may have guessed, these hackers aren’t performing data breaches for petty cash or a couple of credit card numbers. They aren’t using “noisy” methods, either. State-backed APTs prefer a subtle approach, almost like a parasite, accessing foreign systems in an unobtrusive way. The goal is to exfiltrate as much sensitive information (confidential, financial, private) as possible without being detected. A successful attack also leaves no way to trace it back to the nation-state that backed it in the first place, preserving “plausible deniability” if accused.
As we said, the changes in the workplace caused by the pandemic have been difficult for organizations. Millions are working from home, and the sensitive data that used to live on secure work networks is now exposed to malicious actors attacking the unprotected devices in our homes. And if your company decided that a BYOD policy was the way to go, it’s very probable that certain endpoints aren’t protected either.
Even if protections such as antivirus software or firewalls are in place, as IT managers we can’t meddle too much with the devices our employees use in their homes. The so-called “internet of things” has become not only the latest fad in technology but a cybersecurity trend as well. IoT usage has skyrocketed since the pandemic started, and as new devices rely on our local wi-fi networks to connect, malicious actors rely on their vulnerabilities to access our computers and networks.
A trend is therefore surfacing: IoT devices being breached for malicious purposes. This year, reports on vulnerabilities in these devices show that almost 98% of all IoT traffic on the internet is unencrypted, and more than half of all Internet of Things devices available on the market are vulnerable to attacks of medium to high severity. This is largely because most devices aren’t patched when vulnerabilities are found.
This opens the door to dangerous outcomes, such as your devices being recruited into botnets or used to perform DDoS (distributed denial of service) attacks. Botnets like Mirai, Dark Nexus, Mukashi or LeetHozer are widespread, and one of your IoT devices may be vulnerable to one of them.
Dubbed “the silent cybersecurity threat” by many, cryptojacking is the most important security trend related to cryptocurrency.
Cryptojacking is the unauthorized use of a machine to mine cryptocurrency. The mined coin doesn’t have to be a widely used one like Bitcoin, Monero, or Ethereum, although attacks seem to be closely tied to them. Cryptojacking attacks have been on a steady rise since 2019, tied to the rise in the price of Bitcoin during 2020.
A cryptojacking attack is usually massive, subtle, and widely distributed. There is even a chance that you have mined crypto for someone else without knowing it, using the very browser you’re reading this post with. Beyond that scenario, cryptojacking can be much more complex, and tied to the same devices we discussed in the previous section. In fact, vulnerable IoT devices can be used for cryptojacking as well.
It’s also very hard to catch: antivirus software isn’t the best at identifying “malicious processing”, or at least at telling which cores are being used legitimately and which are mining crypto.
If the rising trend of crypto prices keeps going forward, cryptojacking will keep growing too.
Although most cybersecurity trends were similar to those of 2019, it’s undeniable that the pandemic changed the scope considerably. Malware attacks, ransomware, and phishing are tied to the changes in our behavior, and as we flock to our homes, malicious actors follow and try to get in as well.
On the topic of threat intelligence, we must be prepared for everything. Data security and encryption are more important than ever. Multi-factor authentication for every member of our organization is key. We must try to extend the network security we have in our offices to our employees’ homes as well.
And as users, we have a duty to stay informed about cyber threats around the world. A proactive mentality against threats is the way forward. Strong passwords, the installation of security solutions on our devices, and taking precautions with our personally identifiable information are good first steps. Remember: anyone can be a victim of a cyberattack.