As 2021 begins, it’s a good time to reflect on the threats the Check Point Research group saw in 2020 to prepare for the year ahead. According to the 2021 Cyber Security Report, the Sunburst attacks that breached thousands of government and private sector organizations were just the tip of the iceberg with regard to 2020 cyberattacks. In fact, 87% of organizations experienced an attempted exploit of a known vulnerability.
In addition to the nation-state style attack of Sunburst, financially motivated threat actors continue to wage malware campaigns. They’re evolving their techniques to use voice phishing (vishing), double extortion ransomware, email thread hijacking, and attacks targeting cloud infrastructures. That said, there are also some silver linings on the horizon.
In the 2021 Cyber Security Report, the Check Point Research group outlined the leading network security issues, threats, and trends of 2020.
On December 8, 2020, cybersecurity firm FireEye revealed that it had discovered the Sunburst malware on its networks. The investigation into this infection uncovered a massive cyberattack campaign that affected 18,000 organizations, including 425 companies on the Fortune 500 (among them Microsoft), and that also targeted government agencies.
The Sunburst malware was distributed via compromised updates to the SolarWinds Orion network management software. The attackers managed to compromise SolarWinds using a novel attack against its Office 365 accounts, which allowed them to forge an Azure Active Directory token for a privileged account and use compromised admin credentials to gain access to the company’s update management server.
With access to the SolarWinds update management server, the attackers were able to modify updates while they were still in the development pipeline to include the backdoor malware. The wide reach of this attack made it the most successful known supply chain attack to date. In the SolarWinds attack, monitoring proved essential to first identifying and then responding to the intrusion.
Preventing future attacks requires implementing security best practices such as:
While phishing is the most well-known type of social engineering attack, other techniques can be just as effective. Over the phone, a visher can employ social engineering techniques to gain access to credentials and other key information, bypass 2FA, or persuade the victim to open a file or install malicious software.
Vishing is a growing threat to corporate cybersecurity. In August 2020, CISA and the FBI issued a warning about vishing attacks, and vishing has been used in malware campaigns and by APT groups. A high-profile attack enabled a teenager to take over several celebrity Twitter accounts in 2020. The threat of vishing will only get worse as deepfake recording technology improves and is more widely available.
Vishing is a low-tech attack, meaning that employee education is essential to protecting against it. Businesses can educate their employees to not give up sensitive information and to independently verify caller identification before complying with requests.
Ransomware was one of the most expensive cyber threats to organizations in 2020. It cost businesses $20B in 2020, up from $11.5B in 2019. In Q3 2020, the average ransom payment was $233,817, a 30% increase over the previous quarter.
In that quarter, nearly half of all ransomware incidents included a double extortion threat. This innovation is designed to improve the probability of the victim paying the ransom. It does so by employing a new second threat on top of encrypting files, i.e. extracting sensitive data and threatening public exposure or sale of the data. While backups may enable an organization to recover from a ransomware attack without paying, the threat of a breach of sensitive and personal information provides additional leverage to the attacker.
The rise of these double extortion attacks means that organizations must adopt a threat prevention strategy and not rely on detection or remediation alone. A prevention-focused strategy should include:
Thread hijacking attacks use your own emails against you. After compromising an internal email account, an attacker may respond to an email thread with an attachment containing malware. These attacks take advantage of the fact that the email thread looks legitimate…because it is.
Emotet banking malware, one of the largest botnets, topped malware rankings and targeted nearly 20% of global organizations in 2020. After infecting a victim, it uses the victim’s email to send malicious files to new victims. Qbot, another banking malware, employed similar email gathering techniques.
Protecting against thread hijacking requires training employees to watch for signs of phishing even in emails from a trusted source and, if an email looks suspicious, to verify the sender’s identity with a call. Organizations should also deploy an email security solution that uses AI to detect phishing and quarantines emails with malicious attachments and/or links.
The surge in remote work in the wake of COVID-19 made remote access a common target of cybercriminals in 2020. The first half of the year saw a dramatic increase in attacks against remote access technologies, such as RDP and VPN. Almost a million attacks against RDP were detected each day.
In the second half, cybercriminals shifted their focus to vulnerable VPN portals, gateways, and applications as new vulnerabilities in these systems became known. The Check Point sensor net saw an increase in attacks against eight known vulnerabilities in remote access devices, including devices from Cisco and Citrix.
To manage the risks of remote access vulnerabilities, organizations should patch vulnerable systems directly or deploy virtual patching technologies such as IPS. They should also protect remote users by deploying comprehensive endpoint protection with endpoint detection and response (EDR) technologies to enhance remediation and threat hunting.
COVID-19 dominated the mobile threat sphere. Mobile device use increased dramatically due to remote work, as did malicious apps masquerading as coronavirus-related apps.
Mobile devices were also targets for large malware campaigns, including banking malware such as Ghimob, EventBot and ThiefBot in the US. APT groups also targeted mobile devices, as in the Iranian campaign that bypassed 2FA to spy on Iranian expatriates. Notable mobile vulnerabilities were Achilles, a set of 400 weaknesses in Qualcomm chips, and vulnerabilities in apps such as Instagram, Apple’s sign-in system and WhatsApp.
Enterprises can protect their users’ mobile devices with a lightweight mobile security solution for unmanaged devices. They should also train users to protect themselves by only installing apps from official app stores to minimize risk.
In our wrap-up of the top security issues we come full circle to the SolarWinds attack techniques. Unlike previous cloud attacks, which relied on misconfigurations that leave cloud assets like S3 buckets exposed (and which are still a concern), the cloud infrastructure itself is now being attacked as well.
The SolarWinds attackers targeted Active Directory Federation Services (ADFS) servers, which were also used in the organization’s single sign-on (SSO) system for access to cloud services like Office 365. At this point, attackers used a technique called Golden SAML to gain persistence and hard-to-detect full access to the victim’s cloud services.
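As an added illustration of how a defender can look for Golden SAML use (example code written for this article, not Check Point’s tooling): a Golden SAML token is signed offline with a stolen token-signing key, so the cloud service accepts it even though the federation server never logged issuing it. The log formats, field names and values below are constructed assumptions, as is the 60-minute token lifetime policy.

```python
"""Defender-side check for Golden SAML candidates (added example, not Check Point code).

Assumption (constructed data): the on-premises AD FS server records every token it
issues together with the assertion ID it minted, and the cloud provider's sign-in log
records the assertion ID presented at sign-in. A forged token never appears in the
first log, and forged tokens are often given a far longer validity than policy allows.
"""
from datetime import datetime, timedelta

# Constructed AD FS issuance records: assertion IDs the federation server actually minted.
ADFS_ISSUED = {
    "_a1f3": {"user": "alice@corp.example", "issued": datetime(2020, 12, 8, 9, 0)},
    "_b7c2": {"user": "bob@corp.example", "issued": datetime(2020, 12, 8, 9, 5)},
}

# Constructed cloud sign-in records: assertions the tenant accepted for SSO.
CLOUD_SIGNINS = [
    {"assertion_id": "_a1f3", "user": "alice@corp.example",
     "not_before": datetime(2020, 12, 8, 9, 0), "not_after": datetime(2020, 12, 8, 10, 0)},
    {"assertion_id": "_b7c2", "user": "bob@corp.example",
     "not_before": datetime(2020, 12, 8, 9, 5), "not_after": datetime(2020, 12, 8, 10, 5)},
    # Never issued by AD FS and valid for a week: the shape of a forged token.
    {"assertion_id": "_ff09", "user": "svc-backup@corp.example",
     "not_before": datetime(2020, 12, 8, 9, 10), "not_after": datetime(2020, 12, 15, 9, 10)},
]

MAX_TOKEN_LIFETIME = timedelta(minutes=60)  # assumption: the AD FS-configured maximum


def find_golden_saml_candidates(issued, signins, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return (assertion_id, user, reasons) for each cloud sign-in that AD FS cannot account for."""
    findings = []
    for s in signins:
        reasons = []
        rec = issued.get(s["assertion_id"])
        if rec is None:
            reasons.append("no matching AD FS issuance event")
        elif rec["user"] != s["user"]:
            reasons.append("assertion issued to a different user")
        if s["not_after"] - s["not_before"] > max_lifetime:
            reasons.append("token lifetime exceeds AD FS policy")
        if reasons:
            findings.append((s["assertion_id"], s["user"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, user, reasons in find_golden_saml_candidates(ADFS_ISSUED, CLOUD_SIGNINS):
        print(f"{assertion_id} ({user}): {'; '.join(reasons)}")
```

In a real deployment the issuance side comes from the AD FS audit logs and the sign-in side from the cloud tenant’s sign-in logs, correlated on the assertion ID or, failing that, on user and timestamp.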
Other attacks on cloud identity and access management (IAM) systems were notable as well. IAM roles can be abused using 22 APIs found in 16 AWS services. These attacks rely on a deep understanding of the components, architecture, and trust policy of IaaS and SaaS providers.
Enterprises need holistic visibility across public cloud environments and should deploy unified, automated cloud-native protections. This enables businesses to reap the benefits that the cloud brings while ensuring continuous security and regulatory compliance.
The COVID-19 pandemic made healthcare organizations top-of-mind for everyone, including cybercriminals. Some malware campaigns pledged to drop attacks against healthcare, but the promises held no substance: hospitals were still a focus for the Maze and DoppelPaymer ransomware.
In October, CISA, FBI, and DHS released a warning about attacks against healthcare, mentioning Trickbot malware used to deploy Ryuk ransomware. Also, nation-sponsored APT attacks targeted institutions involved in COVID-19 vaccine development.
Healthcare in the US was the sector most targeted by cyberattackers. Check Point Research saw an increase of 71% from September to October and a global increase of over 45% in November and December.
While it is important to understand the network security threats of 2020, it’s also worth noting the many successful actions by law enforcement, supported by the cyber security community, to track down and indict numerous individuals and threat groups involved in cybercrime around the world.
Some examples of successful cyber law enforcement operations in 2020 include:
The cyber threats and network security concerns of 2020 are not limited to 2020. Many of these attack trends are ongoing, and 2021 will bring new network security problems and cybercrime innovations. To protect against the evolving cyber threat landscape, we’ve put together the following recommendations:
To learn more about today’s major network security issues, check out the full 2021 Cyber Security Report. You’re also welcome to request a security checkup to identify the issues putting your organization’s security at risk.