Exploring the prolific threats influencing the cyber landscape

Some of the world’s most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-sourced tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms, according to a report from Accenture.

threats cyber landscape

The report examines the tactics, techniques and procedures employed by some of the most sophisticated cyber adversaries and explores how cyber incidents could evolve over the next year.

“Since COVID-19 radically shifted the way we work and live, we’ve seen a wide range of cyber adversaries changing their tactics to take advantage of new vulnerabilities,” said Josh Ray, who leads Accenture Security’s cyber defense practice globally.

“The biggest takeaway from our research is that organizations should expect cybercriminals to become more brazen as the potential opportunities and pay-outs from these campaigns climb to the stratosphere.

“In such a climate, organizations need to double down on putting the right controls in place and by leveraging reliable cyber threat intelligence to understand and expel the most complex threats.”

Sophisticated adversaries mask identities with off-the-shelf tools

Throughout 2020, CTI analysts have observed suspected state-sponsored and organized criminal groups using a combination of off-the-shelf tooling — including “living off the land” tools, shared hosting infrastructure and publicly developed exploit code — and open source penetration testing tools at unprecedented scale to carry out cyberattacks and hide their tracks.

For example, Accenture tracks the patterns and activities of an Iran-based hacker group referred to as SOURFACE (also known as Chafer or Remix Kitten). Active since at least 2014, the group is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the U.S., Israel, Europe, Saudi Arabia, Australia and other regions.

CTI analysts have observed SOURFACE using legitimate Windows functions and freely available tools such as Mimikatz for credential dumping. This technique is used to steal user authentication credentials like usernames and passwords to allow attackers to escalate privileges or move across the network to compromise other systems and accounts while disguised as a valid user.

According to the report, it is highly likely that sophisticated actors, including state-sponsored and organized criminal groups, will continue to use off-the-shelf and penetration testing tools for the foreseeable future as they are easy to use, effective and cost-efficient.

New, sophisticated tactics target business continuity

The report notes how one notorious group has aggressively targeted systems supporting Microsoft Exchange and Outlook Web Access, and then uses these compromised systems as beachheads within a victim’s environment to hide traffic, relay commands, compromise e-mail, steal data and gather credentials for espionage efforts.

Operating from Russia, the group, refered to as BELUGASTURGEON (also known as Turla or Snake), has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign policy research firms and think tanks across the globe.

Ransomware feeds new profitable, scalable business model

Ransomware has quickly become a more lucrative business model in the past year, with cybercriminals taking online extortion to a new level by threatening to publicly release stolen data or sell it and name and shame victims on dedicated websites.

The criminals behind the Maze, Sodinokibi (also known as REvil) and DoppelPaymer ransomware strains are the pioneers of this growing tactic, which is delivering bigger profits and resulting in a wave of copycat actors and new ransomware peddlers.

Additionally, the infamous LockBit ransomware emerged earlier this year, which — in addition to copying the extortion tactic — has gained attention due to its self-spreading feature that quickly infects other computers on a corporate network.

The motivations behind LockBit appear to be financial, too. CTI analysts have tracked cybercriminals behind it on Dark Web forums, where they are found to advertise regular updates and improvements to the ransomware, and actively recruit new members promising a portion of the ransom money.

The success of these hack-and-leak extortion methods, especially against larger organizations, means they will likely proliferate for the remainder of 2020 and could foreshadow future hacking trends in 2021. In fact, CTI analysts have observed recruitment campaigns on a popular Dark Web forum from the threat actors behind Sodinokibi.

25 vulnerabilities exploited by Chinese state-sponsored hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks.

vulnerabilities exploited Chinese hackers

“Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and should be prioritized for immediate patching,” the agency noted.

The list of vulnerabilities exploited by Chinese hackers

The list is as follows:

The vulnerability list they shared is likely not complete, as Chinese-sponsored actors may use other known and unknown vulnerabilities. All network defenders – but especially those working on securing critical systems in organizations on which US national security and defense are depending on – should consider patching these as a priority.

Mitigations are also available

If patching is not possible, the risk of exploitation for most of these can be lowered by implementing mitigations provided by the vendors. CISA also advises implementing general mitigations like:

  • Disabling external management capabilities and setting up an out-of-band management network
  • Blocking obsolete or unused protocols at the network edge and disabling them in device configurations
  • Isolating Internet-facing services in a network DMZ to reduce the exposure of the internal network
  • Enabling robust logging of Internet-facing services and monitoring the logs for signs of compromise

The agency also noted that the problem of data stolen or modified before a device has been patched cannot be solved only by patching, and that password changes and reviews of accounts are a good practice.

Additional “most exploited vulnerabilities” lists

Earlier this year, CISA released a list of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals, the NSA and the Australian Signals Directorate released a list of web application vulnerabilities that are commonly exploited to install web shell malware, and Recorded Future published a list of ten software vulnerabilities most exploited by cybercriminals in 2019.

Admins and network defenders are encouraged to peruse them and patch those flaws as well.

SecOps teams turn to next-gen automation tools to address security gaps

SOCs across the globe are most concerned with advanced threat detection and are increasingly looking to next-gen automation tools like AI and ML technologies to proactively safeguard the enterprise, Micro Focus reveals.

next-gen automation tools

Growing deployment of next-gen tools and capabilities

The report’s findings show that over 93 percent of respondents employ AI and ML technologies with the leading goal of improving advanced threat detection capabilities, and that over 92 percent of respondents expect to use or acquire some form of automation tool within the next 12 months.

These findings indicate that as SOCs continue to mature, they will deploy next-gen tools and capabilities at an unprecedented rate to address gaps in security.

“The odds are stacked against today’s SOCs: more data, more sophisticated attacks, and larger surface areas to monitor. However, when properly implemented, AI technologies such as unsupervised machine learning, are helping to fuel next-generation security operations, as evidenced by this year’s report,” said Stephan Jou, CTO Interset at Micro Focus.

“We’re observing more and more enterprises discovering that AI and ML can be remarkably effective and augment advanced threat detection and response capabilities, thereby accelerating the ability of SecOps teams to better protect the enterprise.”

Organizations relying on the MITRE ATT&K framework

As the volume of threats rise, the report finds that 90 percent of organizations are relying on the MITRE ATT&K framework as a tool for understanding attack techniques, and that the most common reason for relying on the knowledge base of adversary tactics is for detecting advanced threats.

Further, the scale of technology needed to secure today’s digital assets means SOC teams are relying more heavily on tools to effectively do their jobs.

With so many responsibilities, the report found that SecOps teams are using numerous tools to help secure critical information, with organizations widely using 11 common types of security operations tools and with each tool expected to exceed 80% adoption in 2021.

Key observations

  • COVID-19: During the pandemic, security operations teams have faced many challenges. The biggest has been the increased volume of cyberthreats and security incidents (45 percent globally), followed by higher risks due to workforce usage of unmanaged devices (40 percent globally).
  • Most severe SOC challenges: Approximately 1 in 3 respondents cite the two most severe challenges for the SOC team as prioritizing security incidents and monitoring security across a growing attack surface.
  • Cloud journeys: Over 96 percent of organizations use the cloud for IT security operations, and on average nearly two-thirds of their IT security operations software and services are already deployed in the cloud.

Threat intelligence platform market to reach $234.9 million by 2022

The growing volume and complexities of cyber threats present a compelling case for adopting threat intelligence platforms (TIPs), a Frost & Sullivan analysis finds.

Threat intelligence platform market 2022

These solutions help organizations navigate the ever-increasing threat landscape and allow for further analysis and threat intelligence operationalization.

The TIP market least affected by the pandemic

The yhreat intelligence platform market is one of the cybersecurity markets that will be least affected by COVID-19. It is estimated to reach $234.9 million by 2022 from $132.7 million in 2019, at a compound annual growth rate (CAGR) of 21%.

“The proliferation of TIP use cases indicates the convergence of the TIP space with adjacent markets,” said Mikita Hanets, Information & Communication Technologies Research Analyst at Frost & Sullivan.

“Vendors increasingly aim to offer some elements of TIP functionality in SOAR and SIEM platforms and vice versa. Going forward, solutions that enable businesses to operationalize threat-related data and set up workflows for cyber incidents will converge in the next three years.”

Hanets added: “North America will dominate the market and contribute the maximum revenue, followed by Europe, the Middle East and Africa (EMEA), Asia-Pacific and Latin America. Technology and telecommunications will be the fastest-growing vertical market for TIP vendors in the next two years, while banking and finance is expected to contribute the most by 2022.”

Growth prospects for market participants

The growing sophistication of attacks and the necessity of using threat intelligence for proactive cyber defense present immense growth prospects for market participants who:

  • Increase their presence in geographical areas like EMEA, Asia-Pacific and Latin America, where the penetration rate is currently low.
  • Expand the network of third-party SOAR integrations or develop native SOAR capabilities. Enterprises with mature cybersecurity practices need intelligence-powered SOAR.
  • Develop SIEM capabilities to offer seamless, intelligence-driven solutions. TIP vendors can build on their data management experience and offer a fully consolidated solution.
  • Develop threat detection and threat hunting capabilities to enable investigations of security incidents. Threat intelligence is instrumental in securing enterprises because it enables security teams to prevent cyberattacks in real time and identify a breach that might have occurred in the past.
  • Develop or acquire intelligence-driven vulnerability and risk management technology. The ability to assess an organization’s exposure and the risk to its global threat data is a key feature of the next generation of solutions.

Banks risk losing customers with anti-fraud practices

Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO.

banking fraud

Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.

For example, 51 percent of North American banks are still asking customers to prove their identities by visiting branches or posting documents when opening digital accounts. This also applies to 25 percent of mortgages or home loans and 15 percent of credit cards opened digitally.

“The pandemic has forced industries to fully embrace digital. We now are seeing North American banks that relied on face-to-face interactions to prove customers’ identities rethinking how to adapt to the digital first economy,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO.

“Today’s consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations. Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult.”

Identity verification process issues

The study found that only up to 16 percent of U.S. and Canadian banks employ the type of fully integrated, real-time digital capture and validation tools required for consumers to securely open a financial account online.

Even when digital methods are used to verify identity, the experience still raises barriers with customers expected to use email or visit an “identity portal” to verify their identities.

Creating a frictionless process is key to meeting consumers current expectation. For example, according to a recent Consumer Digital Banking study, while 75 percent of consumers said they would open a financial account online, 23 percent of prospective customers would abandon the process due to an inconsistent identity verification process.

Lack of automation is a problem for banks too

The lack of automation when verifying customers’ identity isn’t just a pain point for customers – 53 percent of banks reported it problematic for them too.

Regulation intended to prevent criminal activity such as money laundering typically requires banks to review customer identities in a consistent, robust manner and this is harder to achieve for institutions relying on inconsistent manual resources.

Fortunately, 75 percent of banks in the U.S. and Canada reported plans to invest in an identity management platform within the next three years.

By moving to a more integrated and strategic approach to identity proofing and identity authentication, banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.

State and local governments under siege from cyber threats

With both security budgets and talent pools negatively affected by the ongoing pandemic, state and local governments are struggling to cope with the constant wave of cyber threats more than ever before, a Deloitte study reveals.

governments cyber threats

The study is based on responses from 51 U.S. state and territory enterprise-level CISOs.

Key themes

  • COVID-19 has challenged continuity and amplified gaps in budget, talent and threats, and the need for partnerships.
  • Collaboration with local governments and public higher education is critical to managing increasingly complex cyber risk within state borders.
  • CISOs need a centralized structure to position cyber in a way that improves agility, effectiveness and efficiencies.

The report also details focus areas for states during the COVID-19 pandemic. While the pandemic has highlighted the resilience of public sector cyber leaders, it has also called attention to long-standing challenges facing state IT and cybersecurity organizations such as securing adequate budgets and talent, and coordinating consistent security implementation across agencies.

Remote work creating new opportunities for cyber threats

These challenges were exacerbated by the abrupt shift to remote work spurred by the pandemic. According to the study:

  • Before the pandemic, 52% of respondents said less than 5% of staff worked remotely.
  • During the pandemic, 35 states have had more than half of employees working remotely; nine states have had more than 90% remote workers.

“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO.

“The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”

“The pandemic forced state governments to act quickly, not just in terms of public health and safety, but also with regard to cybersecurity,” said Srini Subramanian, principal, Deloitte & Touche LLP.

“However, continuing challenges with resources beset state CISOs/CIOs. This is evident when comparing the much higher levels of budget that federal agencies and other industries like financial services receive to fight cyber threats.”

governments cyber threats

The need for digital modernization amplified by the pandemic

State governments’ longstanding need for digital modernization has only been amplified by the pandemic, along with the essential role that cybersecurity needs to play in the discussion. Key takeaways from the 2020 study include:

  • Fewer than 40% of states reported having a dedicated budget line item for cybersecurity.
  • Half of states still allocate less than 3% of their total information technology budget on cybersecurity.
  • CISOs identified financial fraud as three times greater of a threat as they did in 2018.
  • Overall, respondents said they believe the probability of a security breach is higher in the next 12 months, compared to responses to the same question in the 2018 study.
  • Only 27% of states provide cybersecurity training to local governments and public education entities.
  • Only 28% of states reported that they had collaborated extensively with local governments as part of their state’s security program during the past year, with 65% reporting limited collaboration.

The anatomy of an endpoint attack

Cyberattacks are becoming increasingly sophisticated as tools and services on the dark web – and even the surface web – enable low-skill threat actors to create highly evasive threats. Unfortunately, most of today’s modern malware evades traditional signature-based anti-malware services, arriving to endpoints with ease. As a result, organizations lacking a layered security approach often find themselves in a precarious situation. Furthermore, threat actors have also become extremely successful at phishing users out of their credentials or simply brute forcing credentials thanks to the widespread reuse of passwords.

A lot has changed across the cybersecurity threat landscape in the last decade, but one thing has remained the same: the endpoint is under siege. What has changed is how attackers compromise endpoints. Threat actors have learned to be more patient after gaining an initial foothold within a system (and essentially scope out their victim).

Take the massive Norsk Hydro ransomware attack as an example: The initial infection occurred three months prior to the attacker executing the ransomware and locking down much of the manufacturer’s computer systems. That was more than enough time for Norsk to detect the breach before the damage could done, but the reality is most organization simply don’t have a sophisticated layered security strategy in place.

In fact, the most recent IBM Cost of a Data Breach Report found it took organizations an average of 280 days to identify and contain a breach. That’s more than 9 months that an attacker could be sitting on your network planning their coup de grâce.

So, what exactly are attackers doing with that time? How do they make their way onto the endpoint undetected?

It usually starts with a phish. No matter what report you choose to reference, most point out that around 90% of cyberattacks start with a phish. There are several different outcomes associated with a successful phish, ranging from compromised credentials to a remote access trojan running on the computer. For credential phishes, threat actors have most recently been leveraging customizable subdomains of well-known cloud services to host legitimate-looking authentication forms.

anatomy endpoint attack

The above screenshot is from a recent phish WatchGuard Threat Lab encountered. The link within the email was customized to the individual recipient, allowing the attacker to populate the victim’s email address into the fake form to increase credibility. The phish was even hosted on a Microsoft-owned domain, albeit on a subdomain (servicemanager00) under the attacker’s control, so you can see how an untrained user might fall for something like this.

In the case of malware phishes, attackers (or at least the successful ones) have largely stopped attaching malware executables to emails. Most people these days recognize that launching an executable email attachment is a bad idea, and most email services and clients have technical protections in place to stop the few that still click. Instead, attackers leverage dropper files, usually in the form of a macro-laced Office document or a JavaScript file.

The document method works best when recipients have not updated their Microsoft Office installations or haven’t been trained to avoid macro-enabled documents. The JavaScript method is a more recently popular method that leverages Windows’ built-in scripting engine to initiate the attack. In either case, the dropper file’s only job is to identify the operating system and then call home and grab a secondary payload.

That secondary payload is usually a remote-access trojan or botnet of some form that includes a suite of tools like keyloggers, shell script-injectors, and the ability to download additional modules. The infection isn’t usually limited to the single endpoint for long after this. Attackers can use their foothold to identify other targets on the victim’s network and rope them in as well.

It’s even easier if the attackers manage to get hold of a valid set of credentials and the organization hasn’t deployed multi-factor authentication. It allows the threat actor to essentially walk right in through the digital front door. They can then use the victim’s own services – like built-in Windows scripting engines and software deployment services – in a living-off-the-land attack to carry out malicious actions. We commonly see threat actors leverage PowerShell to deploy fileless malware in preparation to encrypt and/or exfiltrate critical data.

The WatchGuard Threat Lab recently identified an ongoing infection while onboarding a new customer. By the time we arrived, the threat actor had already been on the victim’s network for some time thanks to compromising at least one local account and one domain account with administrative permissions. Our team was not able to identify how exactly the threat actor obtained the credentials, or how long they had been present on the network, but as soon as our threat hunting services were turned on, indicators immediately lit up identifying the breach.

In this attack, the threat actors used a combination of Visual Basic Scripts and two popular PowerShell toolkits – PowerSploit and Cobalt Strike – to map out the victim’s network and launch malware. One behavior we saw came from Cobalt Strike’s shell code decoder enabled the threat actors to download malicious commands, load them into memory, and execute them directly from there, without the code ever touching the victim’s hard drive. These fileless malware attacks can range from difficult to impossible to detect with traditional endpoint anti-malware engines that rely on scanning files to identify threats.

anatomy endpoint attack

Elsewhere on the network our team saw the threat actors using PsExec, a built in Windows tool, to launch a remote access trojan with SYSTEM-level privileges thanks to the compromised domain admin credentials. The team also identified the threat actors attempts to exfiltrate sensitive data to a DropBox account using a command-line based cloud storage management tool.

Fortunately, they were able to identify and clean up the malware quickly. However, without the victim changing the stolen credentials, the attacker could have likely re-initiated their attack at-will. Had the victim deployed an advanced Endpoint Detection and Response (EDR) engine as part of their layered security strategy, they could have stopped or slowed the damage created from those stolen credentials.

Attackers are targeting businesses indiscriminately, even small organizations. Relying on a single layer of protection simply no longer works to keep a business secure. No matter the size of an organization, it’s important to adopt a layered security approach that can detect and stop modern endpoint attacks. This means protections from the perimeter down to the endpoint, including user training in the middle. And, don’t forget about the role of multifactor authentication (MFA) – could be the difference between stopping an attack and becoming another breach statistic.

ATM cash-out: A rising threat requiring urgent attention

The PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.

ATM cash-out

What is the threat?

An ATM cash-out attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.

Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do ATM cash-out attacks work?

An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems.

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.

With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuers authorization system have been exploited.

Who is most at risk?

Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some detection best practices?

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools.

What are some prevention best practices?

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS.

Cyber teams are getting more involved in M&A

Despite ongoing economic uncertainty amidst a global pandemic, many dealmakers remain optimistic about the outlook for the year ahead as they increasingly pursue alternative merger and acquisition (M&A) methods to navigate the crisis and pursue new disruptive business growth strategies.

virtual dealmaking

According to a Deloitte survey of 1,000 U.S. corporate M&A executives and private equity firm professionals, 61% of survey respondents expect U.S. M&A activity to return to pre-COVID-19 levels within the next 12 months.

Soon after the WHO declared COVID-19 a pandemic on March 11, deal activity in the U.S. plunged — most notably during April and May.

Responding M&A executives say they tentatively paused (92%) or abandoned (78%) at least one transaction as a result of the pandemic outbreak. However, since March 2020, possibly aiming to take advantage of pandemic-driven business disruptions, 60% say their organizations have been more focused on pursuing new deals.

“M&A executives have moved quickly to adapt and uncover value in new and innovative ways as systemic change driven by the pandemic has resulted in alternative approaches to transactions,” said Russell Thomson, partner, Deloitte & Touche LLP, and Deloitte’s U.S. merger and acquisition services practice leader.

“We expect both traditional and alternative M&A to be an important lever for dealmakers as businesses recover and thrive in a post-COVID economy.”

Alternative dealmaking on the rise

For many, alternative deals are quickly outpacing traditional M&A activity as the search for value intensifies in a low-growth environment.

When asked which type of deals their organizations are most interested in pursuing, responding corporate M&A executives’ top choice was alternatives to traditional M&A, including alliances, joint ventures, and Special Purpose Acquisition Companies (45%) — ranking higher than acquisitions (35%).

Private equity investors plan to remain more focused on traditional acquisitions (53%), while simultaneously pushing pursuit of M&A alternatives — including private investment in public equity deals, minority stakes, club deals and alliances (32%).

“As businesses prepare for a post-COVID world, including fundamentally reshaped economies and societies, the dealmaking environment will also materially change,” said Mark Purowitz, principal, Deloitte Consulting LLP, with Deloitte’s mergers and acquisitions consulting practice, and leader of the firm’s Future of M&A initiative.

“Companies were starting to expand their definition of M&A to include partnerships, alliances, joint ventures and other alternative investments that create intrinsic and long-lasting value, but COVID-19 has accelerated dealmakers’ needs to create more optionality for their organizations’ internal and external ecosystems.”

Virtual dealmaking to continue playing large role post-pandemic

87% of M&A professionals surveyed report that their organizations were able to effectively manage a deal in a purely virtual environment, so much so that 55% anticipate that virtual dealmaking will be the preferred platform even after the pandemic is over.

However, virtual dealmaking does not remain without its own challenges. Fifty-one percent noted that cybersecurity threats are their organizations’ biggest concern around executing deals virtually.

“When it comes to cyber in an M&A world — it’s important to develop cyber threat profiles of prospective targets and portfolio companies to determine the risks each present,” said Deborah Golden, Deloitte Risk & Financial Advisory, cyber and strategic risk leader, Deloitte & Touche LLP.

“CISOs understand how a data breach can negatively impact the valuation and the underlying deal structure itself. Leaving cyber out of that risk picture may lead to not only brand and reputational risk, but also significant and unaccounted remediation costs.”

Other virtual dealmaking concerns included the ability to forge relationships with management teams (40%) and extended regulatory approvals (39%). When it comes to effectively managing the integration phase in a virtual environment, technology integration (16%) and legal entity alignment or simplification (16%) are surveyed M&A executives’ largest and most prevalent hurdles.

“It may be too early to assess the long-term implications of virtual dealmaking as many of the deals currently in progress now are resulting from management relationships that were formed pre-COVID. We also expect integration in a virtual setting will become much more complex a few months from now,” said Thomson.

virtual dealmaking

“Culture and compatibility issues should be given greater attention on the diligence side, as they pose major downstream integration implications.”

International dealmaking declines, focus on domestic-only deals

Interest in foreign M&A targets declined in 2020 as corporate executives reported a significant shift in their approach to international dealmaking, with 17% reporting no plans to execute cross-border deals in the current economic environment, an 8 percentage point increase from 2019.

In addition, 57% of M&A executives say less than half of their current transactions involve acquiring targets operating primarily in foreign markets.

Notably, the number of survey respondents interested in pursuing deals with U.K. targets dropped by 8 percentage points, while Chinese targets declined by 7 percentage points. Interest in Canadian (32%) and Central American (19%) targets remained highest.

One-fifth of organizations did not make cybersecurity a priority during the pandemic

56% of IT and OT security professionals at industrial enterprises have seen an increase in cybersecurity threats since the start of the COVID-19 pandemic in March, a Claroty research reveals. Additionally, 70% have seen cybercriminals using new tactics to target their organizations in this timeframe.

cybersecurity priority pandemic

The report is based on a global, independent survey of 1,100 full-time IT and OT security professionals who own, operate, or otherwise support critical infrastructure components within large enterprises across Europe, North America and Asia Pacific, examining how their concerns, attitudes, and experiences have changed since the pandemic began in March.

Cybersecurity still not a priority, regardless of the pandemic

  • 32% said their organization’s OT environment is not properly safeguarded from potential threats
  • One-fifth of organizations did not make cybersecurity a priority during the pandemic
  • COVID-19 has not only accelerated the adoption of new technologies (41% stated implementing new technology solutions as a priority during the pandemic), but also brought to the fore the challenges of having siloed teams (56% said collaboration between IT and OT teams has become more challenging)
  • 83% believe that, from a cybersecurity perspective, their organization is prepared should another major disruption occur

COVID-19 impact on IT/OT convergence

Across the globe, COVID-19 has led cybercriminals to use new tactics and organizations to become more vulnerable to cyber attacks, with 56% of global respondents saying that their organization has experienced more cybersecurity threats since the pandemic began. Further, 72% reported that their jobs have become more challenging.

COVID-19 has clearly had an impact on IT/OT convergence, as 67% say that their IT and OT networks have become more interconnected since the pandemic began and more than 75% expect they will become even more interconnected as a result of it.

While IT/OT convergence unlocks business value in terms of operations efficiency, performance, and quality of services, it can also be detrimental because threats – both targeted and non-targeted – can move freely between IT and OT environments.

“While we would be short-sighted to think that we won’t have more challenges as we continue to face unknowns from this pandemic, protecting critical infrastructure is especially important in a time of crisis,” said Yaniv Vardi, CEO of Claroty.

“As large enterprises are trying to improve their productivity by connecting more OT and IoT devices and remotely accessing their industrial networks, they are also increasing their exposure as a result. OT security needs to be brought to the fore and made a priority for all organizations.

“Attackers know that IT networks are covered with cybersecurity solutions so they’re moving to exploit vulnerabilities in OT to gain access to enterprise networks. Not protecting OT is like protecting a house with state-of-the-art security and alarm systems, but then leaving the front door open.”

Most vulnerable industries

In terms of industries, globally the respondents ranked pharmaceutical, oil & gas, electric utilities, manufacturing, and building management systems as the top five most vulnerable to attack.

Most regions followed similar patterns, identifying three to five industries clustered closely toward the top of the list. The exceptions are the DACH region, where oil & gas clearly holds the top spot at 36%, and Singapore, where pharmaceutical is at 22%.

Securing mobile devices, apps, and users should be every CIO’s top priority

More than 80% of global employees do not want to return to the office full-time, despite 30% employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.

securing mobile devices apps

The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.

Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.

Mobile devices and a new threat landscape

The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.

“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.

“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”

The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.

Hybrid Henry

  • Typically works in financial services, professional services or the public sector.
  • Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
  • Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
  • Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.

Mobile Molly

  • Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
  • Relies on remote collaboration tools and cloud suites to get work done.
  • Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
  • Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
  • This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.

Desktop Dora

  • Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
  • Prefers to work on a desktop computer from a fixed location than on mobile devices.
  • Relies heavily on productivity suites to communicate with colleagues in and out of the office.
  • Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.

Frontline Fred

  • Works on the frontlines in industries like healthcare, logistics or retail.
  • Works from fixed and specific locations, such as hospitals or retail shops; This employee can’t work remotely.
  • Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
  • Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application down time, given the specialist nature of their work.

“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.

“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.

“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”

Europol analyzes latest trends, cybercrime impact within the EU and beyond

The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.

europol IOCTA 2020

Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.

Europol IOCTA 2020

Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.

Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.

Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.

The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.

Malware reigns supreme

Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.

Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the comprised data, increasing the pressure on the victims to pay the ransom.

Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.

Child sexual abuse material continues to increase

The main threats related to online child abuse exploitation have remained stable in recent years, however detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.

Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.

Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.

Livestream of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications in payment systems are used which becomes one of the key challenges for law enforcement as this material is not recorded.

Payment fraud: SIM swapping a new trend

SIM swapping, which allows perpetrators to take over accounts, is one of the new trends. As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.

Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.

Criminal abuse of the dark web

In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year.

Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.

OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.

VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.

“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”

EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.

“The Europol IOCTA 2020 cybercrime report shows the urgent need for the EU to step up the fight against organised crime [online] and confirms the essential role of Europol in that fight”.

37% of remote employees have no security restrictions on corporate devices

ManageEngine unveiled findings from a report that analyzes behaviors related to personal and professional online usage patterns.

security restrictions devices

Security restrictions on corporate devices

The report combines a series of surveys conducted among nearly 1,500 employees amid the pandemic as many people were accelerating online usage due to remote work and stay-at-home orders. The findings evaluate users’ web browsing habits, opinions about AI-based recommendations, and experiences with chatbot-based customer service.

“This research illuminates the challenges of unsupervised employee behaviors, and the need for behavioral analytics tools to help ensure business security and productivity,” said Rajesh Ganesan, vice president at ManageEngine.

“While IT teams have played a crucial role in supporting remote work and business continuity during the pandemic, now is an important time to evaluate the long-term effectiveness of current strategies and augment data analytics to IT operations that will help sustain seamless, secure operations.”

Risky online behaviors could compromise corporate data and devices

63% of respondents report that their organization has provided them with a corporate device to utilize while working remotely.

Interestingly, 37% of those respondents also say that there are no security restrictions on these corporate devices. Therefore, risky online activities such as visiting unsecured websites, sharing personal information, and downloading third-party software could pose potential threats.

For example, 54% said they would still visit a website after receiving a warning about potential insecurities. This percentage is also significantly higher among younger generations – including 42% of people 18-24 years and 40% of 25-34 years.

Remote work has its hiccups, but IT teams have been responsive

79% of respondents say they experience at least one technology issue weekly while working from home. The most common issues include slowed functionality and download speeds (40%) and reliable connectivity (25%).

However, IT teams have been committed to solving these challenges. For example, 75% of respondents say it’s been easy to communicate with their IT teams to resolve these issues. Chatbots, AI, and automation are becoming increasingly more effective and trusted.

76% said their experience with chatbot-based support has been “excellent” or “satisfactory,” and 55% said their issue was resolved in a timely manner. As it relates to artificial intelligence, 67% say they trust these solutions to make recommendations for them.

The increasing comfort with automation technologies can help IT teams support both front and back-end business functions, especially during times of increased online activities due to the pandemic.

Cybersecurity practices are becoming more formal, security teams are expanding

Organizations are building confidence that their cybersecurity practices are headed in the right direction, aided by advanced technologies, more detailed processes, comprehensive education and specialized skills, a research from CompTIA finds.

cybersecurity practices

Eight in 10 organizations surveyed said their cybersecurity practices are improving.

At the same time, many companies acknowledge that there is still more to do to make their security posture even more robust. Growing concerns about the number, scale and variety of cyberattacks, privacy considerations, a greater reliance on data and regulatory compliance are among the issues that have the attention of business and IT leaders.

Elevating cybersecurity

Two factors – one anticipated, the other unexpected – have contributed to the heightened awareness about the need for strong cybersecurity measures.

“The COVID-19 pandemic has been the primary trigger for revisiting security,” said Seth Robinson, senior director for technology analysis at CompTIA. “The massive shift to remote work exposed vulnerabilities in workforce knowledge and connectivity, while phishing emails preyed on new health concerns.”

Robinson noted that the pandemic accelerated changes that were underway in many organizations that were undergoing the digital transformation of their business operations.

“This transformation elevated cybersecurity from an element within IT operations to an overarching business concern that demands executive-level attention,” he said. “It has become a critical business function, on par with a company’s financial procedures.”

As a result, companies have a better understanding of what do about cybersecurity. Nine in 10 organizations said their cybersecurity processes have become more formal and more critical.

Two examples are risk management, where companies assess their data and their systems to determine the level of security that each requires; and monitoring and measurement, where security efforts are continually tracked and new metrics are established to tie security activity to business objectives.

IT teams foundational skills

The report also highlights how the “cybersecurity chain” has expanded to include upper management, boards of directors, business units and outside firms in addition to IT personnel in conversations and decisions.

Within IT teams, foundational skills such as network and endpoint security have been paired with new skills, including identity management and application security, that have become more important as cloud and mobility have taken hold.

On the horizon, expect to see skills related to security monitoring and other proactive tactics gain a bigger foothold. Examples include data analysis, threat knowledge and understanding the regulatory landscape.

Cybersecurity insurance is another emerging area. The report reveals that 45% of large companies, 41% of mid-sized firms and 37% of small businesses currently have a cyber insurance policy.

Common coverage areas include the cost of restoring data (56% of policy holders), the cost of finding the root cause of a breach (47%), coverage for third-party incidents (43%) and response to ransomware (42%).

Large US hospital chain hobbled by Ryuk ransomware

US-based healtchare giant Universal Health Services (UHS) has suffered a cyberattack on Sunday morning, which resulted in the IT network across its facilities to be shut down.

UHS cyberattack

Location of UHC facilities

What happened?

UHS operates nearly 400 hospitals and healthcare facilities throughout the US, Puerto Rico and the UK.

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods,” the company stated on Monday.

“Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”

No more details were shared about the nature of the “IT security issue” (as they chose to call it), leaving the door open for unconfirmed reports from professed insiders (employees at some of the affected facilities) to proliferate online.

A Reddit thread started on Monday is chock full of them:

  • The attack involved ransomware – Ryuk ransomware, to be more specific
  • It’s unknown how many systems have been affected, i.e., how widespread is the damage
  • “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center”
  • Ambulances are being rerouted to other hospitals, information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment
  • “4 people died tonight alone due to the waiting on results from the lab to see what was going on”

Was it Ryuk?

While most of these reports have yet to be verified, it seems almost certain that ransomware is in play.

Bleeping Computer was told by an employee that the encrypted files sported the .ryk extension and another employee described a ransom note that points to Ryuk ransomware.

“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents, and compromised accounts,” commented Jeff Horne, CSO, Ordr.

Justin Heard, Director of Security, Intelligence and Analytics at Nuspire, noted that up until recently, Ryuk was used solely to target financial services, but over the last several months Ryuk has been seen targeting manufacturing, oil and gas, and now healthcare.

“Ryuk is known to target large organizations across industries because it demands a very high ransom. The ransomware operators likely saw UHS as the opportunity to make a quick buck given the urgency to keep operations going, and the monetary loss associated with that downtime could outweigh the ransom demand,” he explained.

“Ryuk Ransomware is run by a group called Wizard Spider, which is known as the Russia-based operator of the TrickBot banking malware. Ryuk is one of the most evasive ransomware out there. Nuspire Intelligence has repeatedly seen the triple threat combo of Ryuk, TrickBot and Emotet to wreak the most damage to a network and harvest the most amount of data.”

Some ransomware operators have previously stated that they would refrain from hitting healthcare organizations. Despite that, the number of attacks targeting medical institutions continues to rise.

Rising reports of fraud signal that some COVID-related schemes may just be getting started

As the economic fallout of the COVID-19 crisis continues to unfold, a research from Next Caller, reveals the pervasive impact that COVID-related fraud has had on Americans, as well as emerging trends that threaten the security of contact centers, as we head towards what may be another wave of call activity.

COVID-related fraud

The company’s latest report found that 55% of Americans believe they’ve been a victim of COVID-related fraud, up more than 20% from when the company conducted a similar study in April.

Perhaps even more worrisome is the fact that 59% of Americans claim they haven’t taken any additional precautions to protect themselves from these attacks.

“Even with massive amounts of PII circulating the dark web and so many new opportunities for criminals to exploit because of the pandemic, it’s still alarming that over half of the country thinks they’ve been targeted by COVID-related fraud,” said Ian Roncoroni, CEO, Next Caller.

“Compounding the problem is COVID’s unique ability to distract and disengage people from carefully monitoring their accounts. Criminals who are already well-equipped to bypass security can now operate longer without detection, worsening the impact exponentially.”

Data has shown the clear correlation between the economic fallout of the crisis – specifically stimulus related events – and the meteoric spikes in overall call volumes and the number of high-risk calls taking place inside contact centers across today’s biggest brands.

Fraudsters eager to replicate their initial success

A pending second stimulus package, combined with a clear urgency from Americans around receiving it, indicates that another wave of activity from customers and criminals is on the horizon.

In regards to the latest findings, Roncoroni said, “We have to prepare for a more sophisticated criminal strategy this time around. Rising reports of fraud activity signal not only that fraudsters are eager to replicate their initial success, but that some of those early schemes may just be getting started.

“The phony mailing address unceremoniously added to a bank account in April is likely just the trojan horse for a scheme ready to be set in motion under the cover of the next stimulus package.”

COVID-related fraud

Key findings

  • 55% of Americans believe they’ve been targeted by COVID-related fraud
  • Despite that, 59% of Americans claiming that they have not taken any additional precautions to protect themselves from attacks
  • Almost 1-in-3 Americans are more worried about becoming a victim of fraud than they are about contracting the virus
  • 56% believe brands are equally responsible for providing flexible and accommodating customer service and protecting personal information
  • When asked about their view of the next stimulus checks, 41% of Americans said “I really need another check”
  • 53% of Americans say that they have already sought out information related to the next round of checks

Layered security becomes critical as malware attacks rise

Despite an 8% decrease in overall malware detections in Q2 2020, 70% of all attacks involved zero day malware – variants that circumvent antivirus signatures, which represents a 12% increase over the previous quarter, WatchGuard found.

malware detections Q2 2020

Malware detections during Q2 2020

Attackers are continuing to leverage evasive and encrypted threats. Zero day malware made up more than two-thirds of the total detections in Q2, while attacks sent over encrypted HTTPS connections accounted for 34%. This means that organizations that are not able to inspect encrypted traffic will miss a massive one-third of incoming threats.

Even though the percentage of threats using encryption decreased from 64% in Q1, the volume of HTTPS-encrypted malware increased dramatically. It appears that more administrators are taking the necessary steps to enable HTTPS inspection, but there’s still more work to be done.

“Businesses aren’t the only ones that have adjusted operations due to the global COVID-19 pandemic – cyber criminals have too,” said Corey Nachreiner, CTO of WatchGuard.

“The rise in sophisticated attacks, despite the fact that overall malware detections declined in Q2 2020, likely due to the shift to remote work, shows that attackers are turning to more evasive tactics that traditional signature-based anti-malware defences simply can’t catch.

“Every organization should be prioritising behaviour-based threat detection, cloud-based sandboxing, and a layered set of security services to protect both the core network, as well as remote workforces.”

JavaScript-based attacks are on the rise

The scam script Trojan.Gnaeus made its debut at the top of WatchGuard’s top 10 malware list for Q2, making up nearly one in five malware detections. Gnaeus malware allows threat actors to hijack control of the victim’s browser with obfuscated code, and forcefully redirect away from their intended web destinations to domains under the attacker’s control.

Another popup-style JavaScript attack, J.S. PopUnder, was one of the most widespread malware variants last quarter. In this case, an obfuscated script scans a victim’s system properties and blocks debugging attempts as an anti-detection tactic.

To combat these threats, organizations should prevent users from loading a browser extension from an unknown source, keep browsers up to date with the latest patches, use reputable adblockers and maintain an updated anti-malware engine.

Attackers increasingly use encrypted Excel files to hide malware

XML-Trojan.Abracadabra is a new addition to the top 10 malware detections list, showing a rapid growth in popularity since the technique emerged in April.

Abracadabra is a malware variant delivered as an encrypted Excel file with the password “VelvetSweatshop”, the default password for Excel documents. Once opened, Excel automatically decrypts the file and a macro VBA script inside the spreadsheet downloads and runs an executable.

The use of a default password allows this malware to bypass many basic antivirus solutions since the file is encrypted and then decrypted by Excel. Organizations should never allow macros from an untrusted source, and leverage cloud-based sandboxing to safely verify the true intent of potentially dangerous files before they can cause an infection.

An old, highly exploitable DoS attack makes a comeback

A six-year-old DoS vulnerability affecting WordPress and Drupal made an appearance on a list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware.

Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.

Malware domains leverage command and control servers to wreak havoc

Two new destinations made top malware domains list in Q2. The most common was findresults[.]site, which uses a C&C server for a Dadobra trojan variant that creates an obfuscated file and associated registry to ensure the attack runs and can exfiltrate sensitive data and download additional malware when users start up Windows systems.

One user alerted the WatchGuard team to Cioco-froll[.]com, which uses another C&C server to support an Asprox botnet variant, often delivered via PDF document, and provides a C&C beacon to let the attacker know it has gained persistence and is ready to participate in the botnet.

DNS firewalling can help organizations detect and block these kinds of threats independent of the application protocol for the connection.

Credential stuffing is just the tip of the iceberg

Credential stuffing attacks are taking up a lot of the oxygen in cybersecurity rooms these days. A steady blitz of large-scale cybersecurity breaches in recent years have flooded the dark web with passwords and other credentials that are used in subsequent attacks such as those on Reddit and State Farm, as well as widespread efforts to exploit the remote work and online get-togethers resulting from the COVID-19 pandemic.

credential stuffing

But while enterprises are rightly worried about weathering a hurricane of credential-stuffing attacks, they also need to be concerned about more subtle, but equally dangerous, threats to APIs that can slip in under the radar.

Attacks that exploit APIs, beyond credential stuffing, can start small with targeted probing of unique API logic, and lead to exploits such as the theft of personal information, wholesale data exfiltration or full account takeovers.

Unlike automated flood-the-zone, volume-based credential attacks, other API attacks are conducted almost one-to-one and carried out in elusive ways, targeting the distinct vulnerabilities of each API, making them even harder to detect than attacks happening on a large scale. Yet, they’re capable of causing as much, if not more, damage. And they’re becomingg more and more prevalent with APIs being the foundation of modern applications.

Beyond credential stuffing

Credential stuffing attacks are a key concern for good reason. High profile breaches—such as those of Equifax and LinkedIn, to name two of many—have resulted in billions of compromised credentials floating around on the dark web, feeding an underground industry of malicious activity. For several years now, about 80% of breaches that have resulted from hacking have involved stolen and/or weak passwords, according to Verizon’s annual Data Breach Investigations Report.

Additionally, research by Akamai determined that three-quarters of credential abuse attacks against the financial services industry in 2019 were aimed at APIs. Many of those attacks are conducted on a large scale to overwhelm organizations with millions of automated login attempts.

The majority of threats to APIs move beyond credential stuffing, which is only one of many threats to APIs as defined in the 2019 OWASP API Security Top 10. In many instances they are not automated, are much more subtle and come from authenticated users.

APIs, which are essential to an increasing number of applications, are specialized entities performing particular functions for specific organizations. Someone exploiting a vulnerability in an API used by a bank, retailer or other institution could, with a couple of subtle calls, dump the database, drain an account, cause an outage or do all kinds of other damage to impact revenue and brand reputation.

An attacker doesn’t even have to necessarily sneak in. For instance, they could sign on to Disney+ as a legitimate user and then poke around the API looking for opportunities to exploit. In one example of a front-door approach, a researcher came across an API vulnerability on the Steam developer site that would allow the theft of game license keys. (Luckily for the company, he reported it—and was rewarded with $20,000.)

Most API attacks are very difficult to detect and defend against since they’re carried out in such a clandestine manner. Because APIs are mostly unique, their vulnerabilities don’t conform to any pattern or signature that would allow common security controls to be enforced at scale. And the damage can be considerable, even coming from a single source. For example, an attacker exploiting a weakness in an API could launch a successful DoS attack with a single request.

API DoS

Rather than the more common DDoS attack, which floods a target with requests from many sources via a botnet, an API DoS can happen when the attacker manipulates the logic of the API, causing the application to overwork itself. If an API is designed to return, say, 10 items per request, an attacker could change that value to 10 million, using up all of an application’s resources and crashing it—with a single request.

Credential stuffing attacks present security challenges of their own. With easy access to evasion tools—and with their own sophistication improving dramatically – it’s not difficult for attackers to disguise their activity behind a mesh of thousands of IP addresses and devices. But credential stuffing nevertheless is an established problem with established solutions.

How enterprises can improve

Enterprises can scale infrastructure to mitigate credential stuffing attacks or buy a solution capable of identifying and stopping the attacks. The trick is to evaluate large volumes of activity and block malicious login attempts without impacting legitimate users, and to do it quickly, identifying successful malicious logins and alerting users in time to protect them from fraud.

Enterprises can improve API security first and foremost by identifying all of their APIs including data exposure, usage, and even those they didn’t know existed. When APIs fly under security operators’ radar, otherwise secure infrastructure has a hole in the fence. Once full visibility is attained, enterprises can more tightly control API access and use, and thus, enable better security.

Cyberwarfare predicted to damage the economy in the coming year

71% of CISOs believe cyberwarfare is a threat to their organization, and yet 22% admit to not having a strategy in place to mitigate this risk. This is especially alarming during a period of unprecedented global disruption, as 50% of infosec professionals agree that the increase of cyberwarfare will be detrimental to the economy in the next 12 months.

cyberwarfare

CISOs and infosec professionals however are shoring up their defenses — with 51% and 48% respectively stating that they believe they will need a strategy against cyberwarfare in the next 12-18 months.

These findings, and more, are revealed in Bitdefender’s global 10 in 10 Study, which highlights how, in the next 10 years, cybersecurity success lies in the adaptability of security decision makers, while simultaneously looking back into the last decade to see if valuable lessons have already been learnt about the need to make tangible changes in areas such as diversity.

It explores, in detail, the gap between how security decision makers and infosec professionals view the current security landscape and reveals the changes they know they will need to make in the upcoming months and years of the 2020s.

The study takes into account the views and opinions of more than 6,724 infosec professionals representing a broad cross-section of organizations from small 101+ employee businesses to publicly listed 10,000+ person enterprises in a wide variety of industries, including technology, finance, healthcare and government.

The rise and fall (and rise again) of ransomware

Outside of the rise of cyberwarfare threats, an old threat is rearing its head — ransomware. During the disruption of 2020, ransomware has surged with as much as 43% of infosec professionals reporting that they are seeing a rise in ransomware attacks.

What’s more concerning is that 70% of CISOs/CIOs and 63% of infosec professionals expect to see an increase in ransomware attacks in the next 12-18 months. This is of particular interest as 49% of CISOs/CIOs and 42% of infosec professionals are worried that a ransomware attack could wipe out the business in the next 12-18 months if they don’t increase investment in security.

But what is driving the rise in ransomware attacks? Some suggest it’s because more people are working from home — which makes them an easier target outside of the corporate firewall. The truth might however be tied to money.

59% of CISOs/CIOs and 50% of infosec professionals believe that the business they work for would pay the ransom in order to prevent its data/information from being published — making ransomware a potential cash cow.

A step change in communication is in high demand

Cyberwarfare and ransomware are complex topics to unpack, amongst many others in infosec. The inherent complexity of infosec topics does however make it hard to gain internal investment and support for projects. This is why infosec professionals believe a change is needed.

In fact, 51% of infosec professionals agree that in order to increase investment in cybersecurity, the way that they communicate about security has to change dramatically. This number jumps up to 55% amongst CISOs and CIOs — many of whom have a seat at the most senior decision-making table in their organizations.

The question is, what changes need to be made? 41% of infosec professionals believe that in the future more communication with the wider public and customers is needed so everyone, both in and organization and outside, better understands the risks.

In addition, 38% point out that there is a need for the facilitation of better communication with the C-suite, especially when it comes to understanding the wider business risks.

And last, but not least, as much as 31% of infosec professionals believe using less technical language would help the industry communicate better, so that the whole organization could understand the risks and how to stay protected.

“The reason that 63% of infosec professionals believe that cyberwarfare is a threat to their organization is easy,” said Neeraj Suri, Distinguished Professorship and Chair in Cybersecurity at Lancaster University.

“Dependency on technology is at an all-time high and if someone was to take out the WiFi in a home or office, no one would be able to do anything. This dependency wasn’t there a few years back–it wasn’t even as high a few months back.

“This high dependency on technology doesn’t just open the door for ransomware or IoT threats on an individual level, but also to cyberwarfare which can be so catastrophic it can ruin economies.

“The reason that nearly a quarter of infosec pros don’t currently have a strategy to protect against cyberwarfare is likely because of complacency. Since they haven’t suffered an attack or haven’t seen on a wide scale–the damage that can be done–they haven’t invested the time in protecting against it.”

Diversity, and specifically neurodiversity, is key to future success

Outside of the drastic changes that are needed in the way cybersecurity professionals communicate, there’s also a need to make a change within the very makeup of the workforce. The infosec industry as a whole has long suffered from a skills shortage, and this looks to remain an ongoing and increasingly obvious issue.

15% of infosec professionals believe that the biggest development in cybersecurity over the next 12-18 months will be the skills gap increasing. If the skills deficit continues for another five years, 28% of CISOs and CIOs say they believe that it will destroy businesses.

And another 50% of infosec professionals believe that the skills gap will be seriously disruptive if it continues for the next 5 years.

Today, however, it will take more than just recruiting skilled workers to make a positive change and protect organizations. In 2015, 52% of infosec workers would have agreed that there is a lack of diversity in cybersecurity and that it’s a concern.

Five years later, in 2020, this remains exactly the same — and that is a significant problem as 40% of CISOs/CIOs and infosec professionals say that the cybersecurity industry should reflect the society around it to be effective.

What’s more, 76% of CISOs/CIOs, and 72% of infosec professionals, believe that there is a need for a more diverse skill set among those tackling cybersecurity tasks. This is because 38% of infosec professionals say that neurodiversity will make cybersecurity defenses stronger, and 33% revealed a more neurodiverse workforce will level the playing field against bad actors.

While it’s clear that the cybersecurity skills gap is here to stay, it’s also clear why changes need to be made to the makeup of the industry.

cyberwarfare

Liviu Arsene, Global Cybersecurity Researcher at Bitdefender concludes, “2020 has been a year of change, not only for the world at large, but for the security industry. The security landscape is rapidly evolving as it tries to adapt to the new normal, from distributed workforces to new threats. Amongst the new threats is cyberwarfare.

“It’s of great concern to businesses and the economy — and yet not everyone is prepared for it. At the same time, infosec professionals have had to keep up with new threats from an old source, ransomware, that can affect companies’ bottom lines if not handled carefully.

“The one thing we know is that the security landscape will continue to evolve. Changes will happen, but we can now make sure they happen for better and not for worse. To succeed in the new security landscape, the way we as an industry talk about security has to become more accessible to a wider audience to gain support and investment from within the business.

“In addition, we have to start thinking about plugging the skills gap in a different way — we have to focus on diversity, and specifically neurodiversity, if we are to stand our ground and ultimately defeat bad actors.”

A look at the top threats inside malicious emails

Web-phishing targeting various online services almost doubled during the COVID-19 pandemic: it accounted for 46 percent of the total number of fake web pages, Group-IB reveals.

threats inside malicious emails

Ransomware, the headliner of the previous half-year, walked off stage: only 1 percent of emails analyzed contained this kind of malware. Every third email, meanwhile, contained spyware, which is used by threat actors to steal payment data or other sensitive info to then put it on sale in the darknet or blackmail its owner.

Downloaders, intended for the installation of additional malware, and backdoors, granting cybercriminals remote access to victims’ computers, also made it to top-3. They are followed by banking Trojans, whose share in the total amount of malicious attachments showed growth for the first time in a while.

Opened email lets spy in

According to the data, in H1 2020, 43 percent of the malicious mails on the radars of Group-IB Threat Detection System had attachments with spyware or links leading to their downloading.

Another 17 percent contained downloaders, while backdoors and banking Trojans came third with a 16- and 15-percent shares, respectively. Ransomware, which in the second half of 2019 hid in every second malicious email, almost disappeared from the mailboxes in the first six months of this year with a share of less than 1 percent.

These findings confirm adversaries’ growing interest in Big Game Hunting. Ransomware operators have switched from attacks en masse on individuals to corporate networks. Thus, when attacking large companies, instead of infecting the computer of a separate individual immediately after the compromise, attackers use the infected machine to move laterally in the network, escalate the privileges in the system and distribute ransomware on as many hosts as possible.

Top-10 tools used in attacks were banking Trojan RTM (30%); spyware LOKI PWS (24%), AgentTesla (10%), Hawkeye (5%), and Azorult (1%); and backdoors Formbook (12%), Nanocore (7%), Adwind (3%), Emotet (1%), and Netwire (1%).

The new instruments detected in the first half of the year included Quasar, a remote access tool based on the open source; spyware Gomorrah that extracts login credentials of users from various applications; and 404 Keylogger, a software for harvesting user data that is distributed under malware-as-a-service model.

Almost 70 percent of malicious files were delivered to the victim’s computer with the help of archives, another 18% percent of malicious files were masked as office documents (with .doc, .xls and .pdf file extensions), while 14% more were disguised as executable files and scripts.

Secure web-phishing

In the first six months of 2020, a total of 9 304 phishing web resources were blocked, which is an increase of 9 percent compared to the previous year. The main trend of the observed period was the two-fold surge in the number of resources using safe SSL/TLS connection – their amount grew from 33 percent to 69 percent in just half a year.

This is explained by the cybercriminals’ desire to retain their victim pool – the majority of web browsers label websites without SSL/TLS connection as a priori dangerous, which has a negative impact on the effectiveness of phishing campaigns.

Experts predict that the share of web-phishing with insecure connection will continue to decrease, while websites that do not support SSL/TLS will become an exception.

threats inside malicious emails

Pandemic chronicle

Just as it was the case in the second half of 2019, in the first half of this year, online services like ecommerce websites turned out to be the main target of web-phishers. In the light of global pandemic and the businesses’ dive into online world, the share of this phishing category increased to remarkable 46 percent.

The attractiveness of online services is explained by the fact that by stealing user login credentials, threat actors also gain access to the data of bank cards linked to user accounts.

Online services are followed by email service providers (24%), whose share, after a decline in 2019, resumed growth in 2020, and financial organizations (11%). Main web-phishing target categories also included payment services, cloud storages, social networks, and dating websites.

The leadership in terms of the number of phishing resources registered has persistently been held by .com domain zone – it accounts for nearly a half (44%) of detected phishing resources in the review period. Other domain zones popular among the phishers included .ru (9%), .br (6%), .net (3%) and .org (2%).

“The beginning of this year was marked by changes in the top of urgent threats that are hiding in malicious emails,” comments CERT-GIB deputy head Yaroslav Kargalev.

“Ransomware operators have focused on targeted attacks, choosing large victims with a higher payment capacity. The precise elaboration of these separate attacks affected the ransomware share in the top threats distributed via email en masse.

“Their place was taken by backdoors and spyware, with the help of which threat actors first steal sensitive information and then blackmail the victim, demanding a ransom, and, in case the demand is refused, releasing the info publicly.

“The ransomware operators’ desire to make a good score is likely to result in the increase of the number of targeted attacks. As email phishing remains the main channel of their distribution, the urgency of securing mail communication is more relevant than ever.”

Cybercriminals moved quickly to capitalize on the COVID-19 outbreak using malicious emails

While the COVID-19 outbreak has disrupted the lives and operations of many people and organizations, the pandemic failed to interrupt onslaught of malicious emails targeting people’s inboxes, according to an attack landscape update published by F-Secure.

malicious emails COVID-19

Increase of malicious emails utilizing COVID-19 issues

Beginning in March and continuing through most of the spring, there was a significant increase of malicious emails utilizing various COVID-19 issues as a lure to manipulate users into exposing themselves to various email attacks and scams.

Common COVID-19-related campaigns included in these emails range from attempting to trick users into ordering face masks from phony websites to infecting themselves with malware by opening malicious attachments.

Three-quarters of attachments in these emails contained infostealers – a type of malware that steals sensitive information (such as passwords or other credentials) from an infected system.

“Cybercriminals don’t have many operational constraints, so they can quickly respond to breaking events and incorporate them into their campaigns. The earliest days of the COVID-19 outbreak left a lot of people confused or worried, and attackers predictably tried to prey on their anxieties,” said Calvin Gan, a manager with F-Secure’s Tactical Defense Unit.

Spotting malicious emails isn’t typically a priority for busy employees, which is why attackers frequently attempt to trick them into compromising organizations.”

Additional trends from the first half of 2020

  • Finance was the most frequently spoofed industry in phishing emails; Facebook was the most frequently spoofed company
  • Email was the most popular way of spreading malware, and accounted for over half of all infection attempts
  • Infostealers were the most common type of malware spread by attackers; Lokibot was the most common malware family
  • Telnet and SSH were the most frequently scanned IP ports

The report also notes that attacks leveraging cloud-based email services are steadily increasing and highlights a significant spike in phishing emails that targeted Microsoft Office 365 users in April.

malicious emails COVID-19

“Notifications from cloud services are normal and employees are accustomed to trusting them. Attackers taking advantage of that trust to compromise targets is perhaps the biggest challenge companies need to address when migrating to the cloud,” explained F-Secure Director of B2B Product Management Teemu Myllykangas.

“Securing inboxes in general is already a challenge, so companies should consider a multilayer security approach that combines protection technologies and employee education to reduce their exposure to email threats.”