More than just remote work: how cybercriminals attacked in 2020
The cybersecurity situation in 2020 resembled a painting by Bosch or his followers: lots of detail, everything on fire, and no clear picture of what is going on. While companies were working out how to move everyone to remote work without paralysing operations, cybercriminals used every RDP port exposed to the Internet, every employee stuck at home with lowered vigilance, and every unnoticed web vulnerability. Most importantly, attackers made full use of the supply chain method, with which they pulled off the loudest attack of the year. As a result, the year turned out to be very busy for cybercriminals. In 2020, Solar JSOC recorded 1.9 million cyberattacks (73% more than in 2019), and the share of critical incidents grew by 20%. Read on for how and why companies were attacked in 2020.
How we count
All statistics presented here refer to our customers: more than 130 organizations from different industries (public sector, finance, oil and gas, energy, telecom, retail). All of them belong to the large enterprise and enterprise segments, with an average headcount of 1,000 or more, and provide services in different regions of the country.
Our task is to identify the attacker's actions along the way and prevent a successful attack. It is therefore difficult for us to assess what the hacker's ultimate goal was: direct profit, collecting sensitive data, gaining a foothold in the infrastructure for the later sale of its resources, hacktivism … approaches to defining the types of intruders. When detecting incidents at an early stage, we took into account attack techniques and methods, malware functionality, attribution and data on the hacker group, etc.
Our classification of attacker types (type, typical goals, typical tools):
Cyber hooligans / lone enthusiasts. Goals: hacking poorly protected devices and infrastructure for resale or for use in mass attacks; hooliganism, damaging the integrity of infrastructure. Tools: official and open-source security analysis tools.
Cybercriminals / organized groups. Goals: monetizing the attack above all: encryption (ransomware), mining, withdrawal of funds. Tools: customized tools, publicly available malware, known vulnerabilities, social engineering.
Cyber mercenaries / advanced groups. Goals: commissioned work, espionage in the interests of competitors, subsequent large-scale monetization, hacktivism, destructive actions. Tools: self-developed tools, purchased 0-day vulnerabilities.
Cyber troops / pro-state groups. Goals: cyber espionage, complete takeover of the infrastructure in order to control and use it in any way required, hacktivism. Tools: self-discovered 0-day vulnerabilities, custom-developed and planted backdoors.
Sometimes we detected attacks already in the propagation phase while onboarding new customers. In such cases we assessed the compromised hosts by their geographic distribution, their function, their suitability for achieving one of the goals above, and the dynamics and direction of the attacker's movement.
If, while investigating incidents for clients not using Solar JSOC services, an attack was detected at its final stage, then data on the actual damage became the key criterion for determining the attack vector.
We excluded from the statistics the so-called simple attacks that do not lead to real security incidents: botnet activity, network scanning, unsuccessful vulnerability exploitation and password guessing.
Control and some money
For several years now, the main goal of cybercriminals has been to gain control of the victim's infrastructure. Over the year, the number of such attacks grew by 30%, primarily due to the increased activity of cyber mercenaries and groups sponsored by foreign states. Their aim is espionage or the most covert foothold possible in the infrastructure, for destructive action at the right moment.
Theft of money became slightly more popular (by about 10% compared with the previous year). Incidentally, in 2019 the share of such attacks declined, which we attributed to the rising level of security in the credit and financial sector. Unfortunately, the rigor of banking security was "compensated" under remote work by the weakening of its capabilities, and information security budgets in 2020, frankly speaking, shrank.
The contractor is the weak link
In 2020, for the first time, we singled out attacks through contractors (supply chain) as a separate trend. Cybercriminals have of course been using this route into victims' infrastructure for years, but it was in 2020 that the use of this technique doubled, and it may very soon become the main headache for every security officer. Suffice it to recall the noise around the attack on SolarWinds, which affected Microsoft, Cisco, FireEye and several key US ministries and agencies: an obvious contender for the title of cyber incident of the year.
The share of supply chain attacks is still small, but this is how professional cybercriminals break into the country's key organizations: government bodies and CII (critical information infrastructure) facilities. The growing popularity of the method indicates not just a change in the technical specifics of attacks, but the formation of a new key cyber threat at the state level (forgive the pathos).
On the one hand, this trend is explained by the growing number of sophisticated targeted attacks. On the other hand, more and more organizations outsource part of their internal processes to God knows whom, without checking the contractor's trustworthiness or its level of cyber protection. And let's be honest: few people today conduct regular audits of their infrastructure (which has become much more complex in recent years). This means that unprotected nodes that contractors use, or once used, can remain invisible to security teams for a long time. But not to attackers.
Malware remains the most popular tool of external attackers. Its share in 2020 was 39%, a quarter higher than in 2019. Ransomware (encryptors) is becoming ever more popular among malware (the number of attacks using it grew by about 30%).
A little more about malware:
For the third year in a row, the undisputed leader was the RTM banking Trojan, which accounts for almost half of all malware used by professional groups. Second place (almost a quarter) went to the Emotet family, which also targets the banking sector.
Also worth noting is the sale of the source code of the Dharma ransomware, which was distributed in various modifications in the second half of 2020.
As for persistence, attackers increasingly used autorun mechanisms or created their own system services. These methods have been popular with both ordinary cybercriminals and more professional groups.
Free or open-source utilities were used more actively, in more than 40% of attacks. The list of tools popular with cybercriminals also includes utilities from Nirsoft.
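The two persistence methods named above (new system services and autorun entries) both leave telemetry a monitoring team can alert on. The following is an added example, not code from the Solar JSOC post: a small Python triage routine run over constructed Windows event records (System event 7045, "a service was installed", and Sysmon event 13, "registry value set"). It flags services whose binaries live in user-writable directories or are really a script interpreter with an encoded command line, and Run-key values that point at scripts. The event records, service names, paths and the registry SID are all made up for the example.

```python
import re

# Constructed Windows event records (not real telemetry), reduced to the fields
# a SIEM would normalise. event_id 7045 = service installed (System log);
# event_id 13 = Sysmon RegistryEvent (value set). All names/paths are invented.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 7045, "service_name": "Spooler Helper",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe",
     "start_type": "auto start"},
    {"id": 2, "event_id": 7045, "service_name": "WdNisSvc",
     "image_path": r"C:\Program Files\Windows Defender\NisSrv.exe",
     "start_type": "demand start"},
    {"id": 3, "event_id": 7045, "service_name": "UpdaterSvc",
     "image_path": r"cmd.exe /c powershell -nop -w hidden -enc UGxhY2Vob2xkZXI=",
     "start_type": "auto start"},
    {"id": 4, "event_id": 13,
     "target_object": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\upd\update.vbs"},
    {"id": 5, "event_id": 13,
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

# Heuristics. Legitimate services almost never run from profile/temp folders,
# are rarely an interpreter, and do not pass encoded PowerShell on the command line.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData|Public)\\", re.I)
INTERPRETER = re.compile(
    r"\b(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.I)
ENCODED_CMD = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta|ps1|bat|cmd)$", re.I)


def score_event(ev):
    """Return the list of reasons an event looks like persistence (empty if benign)."""
    reasons = []
    if ev.get("event_id") == 7045:
        path = ev.get("image_path", "")
        if USER_WRITABLE.search(path):
            reasons.append("service binary in a user-writable directory")
        if INTERPRETER.search(path):
            reasons.append("service image is a script interpreter or LOLBin")
        if ENCODED_CMD.search(path):
            reasons.append("encoded PowerShell command line")
    elif ev.get("event_id") == 13:
        target = ev.get("target_object", "")
        value = ev.get("details", "")
        if RUN_KEY.search(target):
            reasons.append("autorun (Run key) value written")
            if SCRIPT_EXT.search(value):
                reasons.append("autorun points at a script file")
            if USER_WRITABLE.search(value):
                reasons.append("autorun target in a user-writable directory")
    return reasons


def find_persistence(events):
    """Map record id -> reasons for every event that trips at least one heuristic."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits[ev["id"]] = reasons
    return hits


if __name__ == "__main__":
    for rec_id, reasons in find_persistence(SAMPLE_EVENTS).items():
        print(rec_id, "->", "; ".join(reasons))
```

In a real pipeline the same checks would run on normalised events from a SIEM; the point is that a new service or Run value is a low-volume event worth inspecting every time, and the three heuristics separate the noise (record 2, a Defender component, and record 5, an Explorer setting) from the cases that deserve a ticket.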
In attacks on web applications, after uploading a web shell the attackers often used the shell's native environment with minimal use of third-party modules, which made detection very difficult. In one 2020 case, the attacker used PowerShell scripts to interact with the shell and transmitted commands via a DNS tunnel to a legitimate site (ceye.io) created by the security community for testing corporate systems.
Some of our customers in the credit and financial sector registered Zloader malware mailings. Users received an Excel document; on opening it, formulas in its cells were executed that performed the required actions, including anti-analysis checks and downloading the malware. The formulas themselves were scattered across a huge sheet to make them harder to spot and analyze. It is worth noting that Excel 4.0 macro technology is considered obsolete and is now almost never used.
There are no surprises here: phishing was, is and will be the most popular way to deliver malware to a victim's machine. In 2020, 75% of attacks by professional cybercriminals began with it. Naturally, the attackers actively exploited the topic of the pandemic and COVID-19 drugs: malicious emails imitated official mailings about the spread of coronavirus, imposed restrictions, employee vaccination, etc. (Remote work played into their hands: control over employees' Internet access decreased, unprotected home devices were used for work, and users themselves lost their vigilance amid the general panic and the difficulties of self-isolation.)
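DNS tunnelling of the kind described in that case is hard to spot in the shell itself, but it is visible in resolver logs: a single base domain receives many queries for never-repeated, high-entropy subdomains. The Python below is an added example, not code from the Solar JSOC post or from the web shell involved. It parses a constructed DNS query log (the tunnel traffic goes to a placeholder name, placeholder-tunnel.test, not to ceye.io or any real domain), profiles each base domain by unique-subdomain count and mean Shannon entropy of the leftmost label, and returns the domains that exceed both thresholds. The log format and the thresholds are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log: timestamp, client IP, record type, queried name.
# No real domains; the tunnel-like traffic uses a placeholder name.
SAMPLE_DNS_LOG = """\
2020-11-03T10:15:22Z 10.0.5.17 A www.example.com
2020-11-03T10:15:23Z 10.0.5.17 A cdn.example.com
2020-11-03T10:15:24Z 10.0.5.17 A mail.example.com
2020-11-03T10:15:24Z 10.0.5.17 A login.example.com
2020-11-03T10:15:25Z 10.0.5.42 TXT 0123456789abcdef.placeholder-tunnel.test
2020-11-03T10:15:26Z 10.0.5.42 TXT fedcba9876543210.placeholder-tunnel.test
2020-11-03T10:15:27Z 10.0.5.42 TXT 13579bdf02468ace.placeholder-tunnel.test
2020-11-03T10:15:28Z 10.0.5.42 TXT eca86420fdb97531.placeholder-tunnel.test
2020-11-03T10:15:29Z 10.0.5.42 TXT 02468ace13579bdf.placeholder-tunnel.test
2020-11-03T10:15:30Z 10.0.5.42 TXT a0b1c2d3e4f56789.placeholder-tunnel.test
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the four-field log lines above into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, rtype, name = parts
        records.append({"ts": ts, "client": client, "rtype": rtype.upper(),
                        "name": name.lower().rstrip(".")})
    return records


def base_domain(name):
    """Last two labels. A production version would consult the Public Suffix List."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def profile_domains(records):
    """Per base domain: query count, unique subdomains, mean entropy, TXT share."""
    per = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": [], "txt": 0})
    for r in records:
        base = base_domain(r["name"])
        p = per[base]
        p["queries"] += 1
        sub = r["name"][: -len(base) - 1] if r["name"] != base else ""
        if sub:
            p["subs"].add(sub)
            p["ent"].append(shannon_entropy(sub.split(".")[0]))
        if r["rtype"] == "TXT":
            p["txt"] += 1
    stats = {}
    for base, p in per.items():
        stats[base] = {
            "queries": p["queries"],
            "unique_subdomains": len(p["subs"]),
            "mean_entropy": sum(p["ent"]) / len(p["ent"]) if p["ent"] else 0.0,
            "txt_share": p["txt"] / p["queries"],
        }
    return stats


def find_tunnel_candidates(text, min_unique=5, min_entropy=3.0):
    """Domains with many distinct, high-entropy subdomains: tunnel candidates."""
    stats = profile_domains(parse_dns_log(text))
    return sorted(d for d, s in stats.items()
                  if s["unique_subdomains"] >= min_unique
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for base, s in profile_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(base, s)
    print("candidates:", find_tunnel_candidates(SAMPLE_DNS_LOG))
```

The TXT share is reported but not used in the verdict, because tunnels also run over A and NULL records; it is there so an analyst can see why a domain was flagged. Entropy alone would also flag CDN hostnames, which is why the count of distinct subdomains is required as well.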
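Three properties of that Zloader workbook are checkable by a scanner without running anything: the XLM functions it calls, strings assembled with CHAR() so that a grep for a URL finds nothing, and formulas spread thinly over a very large sheet. The Python below is an added example, not code from the Solar JSOC post or from any malware-analysis library; it assumes some extractor has already produced a dict of cell address to formula plus the workbook's defined names, and works on constructed sample cells (the DLL, export, URL and path in them are placeholders).

```python
import re

# Constructed contents of an Excel 4.0 (XLM) macro sheet, keyed by A1-style
# address. Illustrative data only, not the Zloader workbook from the report.
SAMPLE_MACRO_SHEET = {
    "A1": "=1+1",
    "C7": "=SUM(1,2)",
    "B3": "=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",          # bail out if no mouse present
    "AJ4800": "=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)",  # spells "http" one char at a time
    "AJ4801": '=AJ4800&"://placeholder.invalid/stage2"',
    "AJ4802": '=CALL("somelib","SomeExport","J",0)',      # placeholder DLL/export
    "AJ4803": '=EXEC("C:\\Users\\Public\\stage2.exe")',     # placeholder path
    "AJ4804": "=HALT()",
}
# Workbook-level defined names; an Auto_Open name runs the macro on open.
SAMPLE_DEFINED_NAMES = {"Auto_Open": "Macro1!$B$3"}

# XLM functions a defender cares about, with the reason each is flagged.
RISKY_FUNCS = {
    "EXEC": "starts a process",
    "CALL": "calls an exported DLL function",
    "REGISTER": "registers a DLL function for a later CALL",
    "FORMULA": "writes formulas at run time",
    "FORMULA.FILL": "writes formulas at run time",
    "GET.WORKSPACE": "environment probing (anti-analysis)",
    "CLOSE": "closes the workbook, typical of sandbox-evasion branches",
}
FUNC_RE = re.compile(r"([A-Z][A-Z0-9.]*)\(")
ADDR_RE = re.compile(r"^([A-Z]+)([0-9]+)$")


def col_to_num(letters):
    """Column letters (A, Z, AA, AJ) -> 1-based column number."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def scan_xlm_sheet(cells, defined_names=None, min_area=10000, max_density=0.01):
    """Heuristic findings for {address: formula}; nothing is evaluated."""
    findings = {"risky_calls": {}, "obfuscated_cells": [],
                "entry_points": [], "sparse_layout": False}
    max_col = max_row = formula_cells = 0
    for addr, formula in cells.items():
        m = ADDR_RE.match(addr)
        if not m or not str(formula).startswith("="):
            continue
        formula_cells += 1
        max_col = max(max_col, col_to_num(m.group(1)))
        max_row = max(max_row, int(m.group(2)))
        funcs = [f for f in FUNC_RE.findall(formula) if f in RISKY_FUNCS]
        if funcs:
            findings["risky_calls"][addr] = funcs
        # Strings built from CHAR() calls hide URLs and paths from string search.
        if formula.count("CHAR(") >= 3:
            findings["obfuscated_cells"].append(addr)
    # A handful of formulas inside a bounding box of tens of thousands of cells
    # is the "scattered across a huge sheet" layout described above.
    area = max_col * max_row
    if formula_cells and area >= min_area and formula_cells / area < max_density:
        findings["sparse_layout"] = True
    for name, target in (defined_names or {}).items():
        if name.lower().startswith(("auto_open", "auto_close")):
            findings["entry_points"].append((name, target))
    return findings


if __name__ == "__main__":
    result = scan_xlm_sheet(SAMPLE_MACRO_SHEET, SAMPLE_DEFINED_NAMES)
    for addr, funcs in result["risky_calls"].items():
        print(addr, [(f, RISKY_FUNCS[f]) for f in funcs])
    print("obfuscated:", result["obfuscated_cells"])
    print("entry points:", result["entry_points"], "sparse:", result["sparse_layout"])
```

The sparse-layout check is the one that catches the trick the post describes: eight formulas in a 36-column by 4,804-row bounding box give a density far below one percent, which no spreadsheet built by a person looks like. Combined with an Auto_Open name and a single EXEC or CALL, that is enough to quarantine the attachment before anyone opens it.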
More attacks by external attackers
Types of external attacks, by half-year (1H 2019, 2H 2019, 1H 2020, 2H 2020):
Malicious software (malware)
Attacks on web applications
Brute force and compromise of credentials for external client services
Attacks on system management protocols
Other external attacks: attacks on the network stack, DNS vulnerabilities, breaches of the protected perimeter, phishing
Compromise of administrative accounts
Exploitation of other vulnerabilities
Employees without supervision
Since 2017, the number of internal incidents had been falling, but the pandemic changed everything and, alas, we again saw an increase in such violations. Moreover, more than 60% of them were committed by mere mortals, that is, ordinary employees.
Among the top violations are information leaks. Some clever people had already been looking for an additional source of income by stealing and leaking corporate data. But with remote work the number of such "resourceful" employees grew: people began to commit violations they would not have dared to commit in the office. Some did so unintentionally, because of badly configured remote access systems or plain carelessness.
With less oversight from security teams, there were more violations of Internet access policies: browsing suspicious sites from a work laptop, and illegitimate access to restricted company resources, since segmenting a corporate network over VPN is difficult.
On the other hand, there were fewer incidents involving remote admin tools (RAT). But this is no cause for rejoicing: during the pandemic such tools were hardly used in organizations and were therefore of little interest to hackers.
What else was violated
Types of internal incidents, by half-year (1H 2019, 2H 2019, 1H 2020, 2H 2020):
Leaks of confidential data
Compromise of internal accounts
Violations of Internet access policies
Use of hacker and potentially malicious utilities
Illegal changes in IT systems: activities of outsourcers and contractors, including uncoordinated work leading to downtime of critical business systems
Use of remote admin tools or traffic tunneling
Unauthorized activities within remote access (VPN), including building a chain of sessions to a prohibited server and uploading data to an external computer
Illegal work under privileged accounts
We will tell you even more about 2020 in our webinar on Monday, April 5. We will recall and analyze the loudest attacks of the past year, talk about our Threat Intelligence sources and discuss what to expect in 2021. Join via the link, and leave your questions and comments on the topic there. We look forward to seeing everyone!