How the pandemic is changing the cyber threat landscape

The pandemic has once again demonstrated that the cybersecurity industry is not a duel between the good and the bad frozen in the silence of data centers. The industry changes along with the real world and reacts to events taking place in it. We examined the most significant cyber threat trends of 2020 to understand what to expect from the new reality. This post contains the most interesting figures and facts from our research

image

Cyber ​​threat landscape

When making forecasts for 2020, we could not have foreseen how the new reality that brought down the global economy would affect our lives. However, now we can take stock of the first half of the year and show how the cyber threat landscape has changed during this time.

image
The number of threats blocked by Trend Micro Smart Protection Network in the first half of 2020. Source here and below: Trend Micro

In the first half of 2020, Trend Micro’s security solutions blocked more than 27 billion fraudulent emails containing malicious attachments and phishing links. The second quarter saw a significant increase in the number of malicious messages compared to the beginning of the year.

image
Types of malicious attachments in spam campaigns in the first half of 2020

PDF files became the most popular type of malicious attachments in the first half of 2020, accounting for over 50% of mailings. The second most popular attachment type was HTML files. About six percent of emails contained XLS attachments, slightly less popular were JavaScript files, executables, and MS Word documents.

image
Number of ransomware-ransomware in campaigns 2019 and 2020

A characteristic feature of 2020 was the growing popularity of ransomware ransomware. Compared to 2019, their number increased by 45% – from January to June of this year, 68 new families of this type of malware were discovered.

image
Number of mobile malware samples detected over six months

Mobile threats continue to grow as well, with campaigns becoming more sophisticated. For example, at the end of March, we discovered a fraudulent cyberattack dubbed Operation Poisoned News. It was a watering hole attack against iOS users in Hong Kong. Users of iOS devices received links to news on various forums in social networks and messengers. These links did lead to relevant news sites, but contained hidden iframes with malicious code exploiting vulnerabilities in iOS 12.1 and 12.2. The attacks infected devices with LightSpy, which allowed attackers to execute commands and manipulate files on devices.
Advertising fraud remains the most popular type of attacks on mobile users. Malicious applications on Google Play disguise themselves as useful utilities, and after installation show the user ads and perform other unwanted actions, including stealing bank card data and personal data of the user.

image
Change in the number of BEC attack attempts in 2019-2020 on the chart

Another notable feature of 2020 is the growing number of attacks aimed at compromising business correspondence (Business Email Compromise, BEC). Compared to the second half of 2019, the number of BEC campaigns increased by 19%.

image
The most popular target for BEC attacks was the CEO of the company. This category of employees accounts for 30% of all incidents

It is curious that the number of letters “from CEO” has decreased: in 2019, the share of such letters was 41%. Scammers may be experimenting with other jobs to gauge their effectiveness.
Naturally, the most in-demand people are people related to finance, for example, financial managers and CFOs.

Growth in COVID-19 Branded Attacks

Between January and June 2020, the Trend Micro Smart Protection Network (SPN) identified nearly 9 million COVID-19 threats. These threats consisted of e-mail messages containing links and malicious files, directly or indirectly exploiting the topic of the pandemic. This could be, for example, informer applications or notifications about delays in the provision of services due to a virus.

image
Number of COVID-branded attacks and their distribution by country

The leader in the number of such threats – 38% of cases – was the United States. The three “leaders” also included Germany with 14.6% and France with 9.2%. Most of the cases detected occurred in April, which corresponds to the peak incidence in many countries.

image
Distribution of types of malicious content in fraudulent emails in COVID-19 campaigns

The vast majority of email threats – 93.5% – contained both a malicious attachment and a malicious link. There were significantly fewer letters containing a link or a file.
The COVID-19 theme was also widely used in BEC attacks. The effectiveness of these shenanigans was reinforced by the fact that the shift to teleworking made it difficult to track communications between employees and organizations.

image
Number of BEC campaigns related to COVID-19

For example, during one of the BEC attacks, the criminals sent out to employees of a potential victim bank change notification in connection with the pandemic, specifying a mule account in Hong Kong as the recipient’s account.
Attempts to navigate to malicious sites related to COVID-19 grew throughout the year, peaking in April. Most of these sites have been used for some kind of pandemic scam, for example:
• applications that allegedly protected their users from coronavirus infection, but instead added the victim’s device to the botnet;
• Selling non-existent WHO approved vaccine kits for only US $ 4.95;
• issuing fake compensations for various types of damage from the pandemic;
• theft of credentials and bank card details to obtain “tax benefits” in the United States.

Adapting to a new reality

Faced with quarantine restrictions, companies were forced to transfer a significant portion of their employees to remote work. To ensure the safety of such a regime, several problems had to be solved at once:
• Internet connection speed and home network security;
• using vulnerable personal devices to connect to the work network and work with documents;
• the need to track what remote employees are doing during working hours;
• organization of online meetings;
• separation of personal and work tasks on one device.
Cybercriminals also took advantage of the new reality and began to actively attack routers and devices of home users

image
Number of attacks on home devices in 2019-2020

Most of all attacks are bruteforce attacks on various services for remote access: RDP, SSH, FTP. The share of such attacks was almost 90%.

image
Distribution of types of attacks on devices of home users

Compromising routers and other devices working remotely at home provides attackers with the opportunity to use them to attack corporate networks.

Zumbombing and other attacks on video conferencing services

The need for constant communication has fueled an explosive growth in the use of Zoom, Cisco Webex, Google Meet, Microsoft Skype, and other video meeting platforms. One of the sensational phenomena that even caused the appearance of a new term was troll attacks on conferences held using the Zoom service. During these attacks, outsiders would tap into private calls and meetings and then stage a show of varying degrees of obscenity, such as playing porn videos or insulting other participants.
The popularity of video services was also exploited in another way: scammers registered phishing domains whose name was somehow connected with Zoom or another similar service, after which they offered to download the Zoom or Skype distribution kit loaded with a malicious additive.

Ransomware campaigns

The number of ransomware incidents this year has dropped significantly compared to last year, but their quality has changed.

image
Number of components detected related to ransomware attacks in 2019-2020

Ransomware operators no longer trade for trivialities by sending thousands of spam emails to everyone and demanding a small ransom amount. Modern attackers prefer to target large companies, healthcare organizations or government agencies and demand large ransoms. This approach increases the likelihood that the ransom will be obtained, which means that the attack will pay off many times over.

image
Old and new ransomware attacks

Sensational WannaCry has collected significantly less in the form of a ransom over the entire period of work what, say, Ryuk ransomware can earn in one attack.
Ryuk attacks companies in critical industries. The importance of the data stored and processed by these organizations allows malware operators to demand huge ransoms: according to a Coveware report, in the first quarter of 2020, the average ransom in case of the Ryuk application increased to USD 1.3 million
Another characteristic change in modern ransomware is the predominant distribution through targeted campaigns that exploit vulnerabilities or stolen credentials for hacking.

Conclusions and recommendations

The pandemic has changed not only our lives, but also the thinking style of software companies. Recognizing the new realities, they adopted a new approach to security.
• Microsoft directed the resources freed from support for Windows 7 to eliminate vulnerabilities in Windows 10: in February 2020, the number of fixes was 99, and starting in March, more than a hundred of them began to be released (June maximum – 129 patches on Patch Tuesday);
• Scandalous with zumbombing and other problems, Zoom adopted a new concept and focused on improving the safety of its product;
• Companies have begun to actively reward independent researchers for bugs found in their products.

Tough times call for reliable security technologies. Separate tools and one-level protection of individual components of a company’s information system are no longer enough. Only layered solutions can provide combined protection against multi-component and multi-platform threats to email, user devices, servers, network and cloud infrastructure.
Ideally, such solutions should provide a wide range of metrics and analytics that allow IT staff to see the big picture without having to devote a significant portion of their time and resources to sifting through mountains of alerts and other data.
The methods that attackers use to extract profit from the pandemic remain the same. Social engineering has become even more effective due to the fear and uncertainty caused by the virus. In the current environment, organizations simply need to pay particular attention to educating remote users about safe behavior through cybersecurity awareness programs.
For their part, users must exercise vigilance and common sense when interacting remotely with company information resources.
Another issue that requires a mandatory solution is prompt delivery of updates to users’ personal devices. With the growing number of attacks targeting remote users, keeping their devices up to date will increase the security of the corporate network.

Similar Posts

Leave a Reply