Our Quarterly Threat Situation Brief is intended to catch two birds with one stone by sharing with you our assessment of past security issues we have observed and by looking ahead and projecting what we foresee as trends. This is based on our study of relevant security sources on the one hand, and on the billions (!) of security events we have seen in our customers’ environments over the course of the last three months.
From an IT perspective, 2020 was a year of unparalleled acceleration towards everyone and everything going virtual. What is and should be seen as an opportunity for businesses, does however not come without cybercriminals’ attention and a new trend for multi-level data extortion. Beware, the Cyber Security New Normal has been kicked off!
Dealing with the Cyber Security New Normal
Through 2020, we have seen remarkable acts of strength around the globe to accelerate digitalization at an unmatched pace with businesses rapidly deploying ecommerce solutions or remote systems and networks to support staff working from home. The massive virtualization from individual to small businesses, enterprises and critical infrastructure might lead us to a new digital era, but it has certainly triggered new types of attacks. It also brought to light the outcome of an underrated role of Cyber Security in past digital transformation programs.
The healthcare industry and pharmaceuticals including Covid-19 vaccination research have been facing increased and imminent cyber threats. Cases of data theft and disruption of healthcare services had far reaching consequences.
General malware findings
One of the dominating threats in 2020 was the botnet Emotet with several variations. The software has evolved from a Banking Trojan to a sophisticated attack tool with a flexible set of extensions and functionality, ranging from identity theft to other forms of destructive behaviour. The malware infrastructure has been successfully taken down due to an intervention of European investigators.
Creating major cyber security headaches and significant financial damage, ransomware attacks targeted victims across all sectors and company sizes, one of them being German Software AG. In an attack, which started in October, a double extortion strategy was employed by the attackers. Since the company refused to pay the ransom, the attackers started to publish confidential company data. As another example the attack on cyber security company FireEye in late 2020 seizing their red team tools evidently showed how even the best can be hit. Reputational damage and loss of intellectual property in this case came along with adding new threats to any other organization caused by this external takeover of the weaponry.
Furthermore, ongoing attacks against the healthcare sector ingloriously peaked in the unscrupulous attack against EU drug regulator European Medicines Agency in December, accessing data and later leaking manipulated versions of documents related to COVID-19 medicines and vaccines.
An interesting development that gained a lot of attention around the globe for a good reason was the recent SUNBURST (“SolarWinds.Orion.Core.BusinessLayer.dll”) attack on network management software vendor SolarWinds that was based on a supply chain compromise followed by a compromise of cloud assets. The chosen approach allowed an unknown attacker to distribute malware to potentially thousands of organizations through the IT footprint of their supply chain and applying a cross-domain approach. For any organization involved in any form of digital transformation endeavour this type of attack shows that Cyber Security does not begin or end at the fence or the firewall.
With regards to its broad outreach, phishing, scam, cyber fraud, ransomware and malicious domains remain the biggest digital threats across the world in the wake of the pandemic. With the internet browser being a main delivery vector for such attacks, organizations need to pay even more attention to maintaining consistent security controls.
Zero-Day exploits and critical vulnerabilities
The second half of 2020 showed bursts of DDoS attacks. The German BSI Report, an annual publication on the “State of IT Security in Germany” published by the German Federal Office for Information Security, confirmed our perception of steadily growing complexity of these attacks, certainly making their detection more challenging.
In Q4, experts at Radar Cyber Defense Center repeatedly recommended to isolate devices and machines that are still running with Windows 7 and Server 2008. Microsoft reacted with temporal patches. Additionally, researchers warned of a new vulnerability set called Amnesia:33. 150 IoT and OT vendors were affected. Amnesia:33 attacks may cause memory corruption, denial of service and remote code execution. Basic input validation, internal DNS servers, disabling IPv6 traffic as well as Network Behaviour Analytics are only a few of many prevention measures.
Threats & trends
2021 is expected to be the year of multi-level data extortion. As a result of organizations’ swift move to cloud services in 2020 in order to keep in business during the pandemic, attackers are extending their reach further into the cloud. Cybercriminals are expected to be targeting client-based applications, API services, and container frameworks such as Kubernetes with all its corresponding automation scripts while conventional security measures often fall short in protecting these new workloads.
In this same context, what we have seen from the SUNBURST attack can be interpreted as a starting point of a trend: Attackers will exploit weaknesses outside the actual organization under attack (e.g. through their supply chain) and through this gain access to company assets and subsequently cloud-based assets applying a cross-domain approach. Cybercriminals will, hence, be making full use of the entire IT footprint of an organization. This unfavourable trend will as a positive side effect hopefully lead to Cyber Security playing a much bigger role in digital transformation programs of organizations.
COVID-19 played an important role in 2020 and is likely to do so in 2021 as well. The sensitive topic will remain a preferred theme for phishing campaigns and attacks against insecure remote access infrastructure will continue just as well.
From a defense perspective, MITRE ATT&CK has become ubiquitous. The global knowledge base of adversary tactics and techniques is continuously growing. New mappings are being introduced on a regular basis with one of the most recent ones being the mapping of ATT&CK TTPs against the NIST framework, bringing detection and defense closer together.