Acronis Cyber ​​Threats Report 2020: Beware of vulnerabilities

During the pandemic, have hackers found more exploits in all types of software? Today we again want to share interesting facts and data from our research, Acronis Cyber ​​Threats Report 2020, and highlight the areas of activity in which cybercriminals have excelled. We will talk about vulnerabilities in various applications that were discovered during the coronavirus lockdown. We will also tell you about the popularity of different types of malware, trends in data theft and the cost of maintaining the infrastructure to ensure employees work remotely.

Content:

More attacks on companies

Windows exploits

Vulnerabilities in Application Applications

“One-time” malware

Data theft trend

IT costs have risen

According to statistics collected Cyber ​​Protection Operation Center (CPOC), the Acronis Security Center in Singapore, has experienced a variety of attacks in recent months across the globe. And if many are already used to the high level of DDoS aggression, 2020 will be remembered for the high level of phishing, as well as attacks on video conferencing systems.

By the way, the danger of phishing remains especially relevant because according to our previous study Acronis Cyber ​​Readiness Report, only 2% of entrepreneurs pay attention to such a method of protection as URL filtering. Due to this, cybercriminals successfully carry out both broad-spectrum attacks and targeted attacks against specific corporations.

In terms of attacks on video communications and collaboration systems, their growth has resulted from the discovery of a large number of vulnerabilities in 2020. And this is not surprising, because cloud platforms and programs, which began to be used by tens or even hundreds of times more people, attracted close attention of hackers.

However, the results of our research showed that many vulnerabilities for operating systems and other applications were also discovered in the past year. BY. For example, VulnDB (an IT risk management specialist) reported that 11,121 vulnerabilities were disclosed in the first half of 2020 alone.

Microsoft data confirms this information – the September vendor patch closes 129 security vulnerabilities, 23 of which could be used by malware to gain full control over Windows computers with minimal or no user intervention. This is an unfortunate figure, given that in 2020 Microsoft released patches for more than 100 vulnerabilities for seven months in a row.

However, even the timely release of patches does not guarantee security, because many users never install them. For example, the vulnerability CVE-2020-0796 (SMBGhost), was considered so dangerous that it received the most high vulnerability rating system (CVSS) rating: 10 out of 10… Although Microsoft released an urgent emergency patch just a few days later, our Acronis CPOCs are still registering exploitation of this vulnerability.

Among the interesting vulnerabilities of 2020 – CVE-2020-1425 and CVE-2020-1457allow you to execute remote code (RCE) on the user’s machine. They got a rating “Critical” and “important” respectively, both are linked to the Microsoft Windows Codecs Library, which processes objects in memory. And although both vulnerabilities in the rating Microsoft Exploitability Index assigned the category “use unlikely”, the presence of such gaps creates additional opportunities for attackers.

Vulnerabilities CVE-2020-1020 and CVE-2020-0938on the contrary, they are actively used. On March 23, when information on these vulnerabilities was published, Microsoft confirmed the absence of Windows patches, as well as the fact that the vulnerabilities were actively exploited by attackers. Windows 10 users who haven’t installed Microsoft patches actually allow attackers to install programs, view or modify data, and create new accounts on their machine.

CVE-2020-1464 Is a representative of another interesting type of vulnerability. It allows you to break the Windows file signature validation process. When exploiting this vulnerability, it is possible to launch a file with a fake signature, and the operating system will not be able to recognize its malicious nature. Incidentally, this vulnerability affects all supported versions of Windows and is a serious issue.

Apps are vulnerable too

In 2020, application applications also showed a high level of vulnerabilities. One of the record holders for the number of published patches was Adobe, which released an emergency security update for Photoshop, Prelude and Bridge in July. Just a week after the standard monthly security update was released, Adobe released security advisories, identifying a total of 13 vulnerabilities, 12 of which were found to be critical because they allow arbitrary code to be executed on the victim’s machine.

In August, Adobe released patches to address 26 vulnerabilities in Adobe Acrobat and Adobe Reader, including 11 critical vulnerabilities to bypass security controls. Nine of them also allowed arbitrary code to be executed remotely.

In addition, given the trend of remote work, cybercriminals are increasingly paying attention to the vulnerabilities of virtual private networks (VPNs). For example, an arbitrary code execution vulnerability known as CVE-2019-19781 has been found in Citrix VPN devices. And on Pulse Secure VPN servers, the CVE-2019-11510 vulnerability, which opens the ability to read an arbitrary file, is still encountered.

Is malware becoming “disposable”?

In Q3 2020, AV-Test, an independent malware analysis lab, recorded 400,000 new malware samples every day. This confirms the automation of the creation of malicious code for specific tasks. During the same period, our CPOC found that 19% of the samples were seen in real conditions only once. At the same time, the average lifespan of a modern version of malware is 3.4 days on average. Instead of reusing “fresh” viruses, Trojans, and ransomware, the authors prefer to generate new code.

If it speaks about the popularity of different types of software, here is a diagram with the 10 largest families of malware that we observed and tracked in 2020:

Data theft is becoming a trend

At the same time, the list is headed by the types of software aimed at stealing data. In general, the compromise of information has become a trend of the past year – even ransomware is now increasingly not only encrypting, but also stealing data. For example, the authors of the new ransomware-as-a-service (RaaS) Conti, the successor to Ryuk, opened a site to publish the stolen data. Conti has been in use for several months, but it seems that encryption blackmail was not very effective. In the fall of 2020, a new website, Conti.News, was launched, which lists 112 victims, including very large and well-known companies.

Apparently, this trend is becoming the norm for cybercriminal groups. About 20 different groups have created their pages for publishing stolen data on the Tor network. The data of more than 700 companies have already been published on the network – 37% of them were stolen as a result of infection with the ransomware Maze (read more about it in previous post), 15% – Conti, and 12% – Sodinokibi…

The situation is difficult because leaks can lead to loss of business reputation, further attacks using new credentials, and various fines. If customer data is compromised in the course of a leak, penalties under regulations such as the GDPR or CCPA can be severe. But paying a ransom is also not an option for many companies, because it is an offense under the rules of the US Office of Foreign Assets Control (OFAC).

IT maintenance costs are rising

At the end of this post, we note that most companies in the current environment were forced to increase their IT costs – including security. And only 1 out of 5 companies managed to keep costs at the same level or to reduce them slightly.