A CISO's Perspective - 2019 and 2020 Cyberattacks Trends

In an ever-changing digital threat landscape, cyberattacks and security breaches have become a day-to-day struggle for organizations. Every day, attackers are developing sophisticated and intrusive attack tactics to exploit their targets, whether they be independent hackers, cybercrime organizations, or private contractors.

In recent years, the trends and cybersecurity statistics show a massive rise in hacked and breached data using common attack techniques such as phishing, social engineering, supply chain compromise, distributed denial of service (DDoS), malware, and ransomware.

Let’s analyze the trends of cybersecurity breaches in 2019 and 2020 (get the whisky out) and predict the possibilities for 2021.

2019 and 2020 Cyberattacks Trends

·     Targeted Ransomware

Ransomware attacks have proliferated in the past two years and have become very active and targeted than ever.

Nowadays, instead of distributing ransomware to a vast number of targets, threat actors are after a “big game hunting.” They encrypt the critical infrastructure of the targeted organization and demand a high ransom payment. Moreover, to result in successful targeted ransomware attacks, there is growing cooperation between cybercriminals. For example: the Ryuk ransomware is distributed via very targeted spear-phishing emails that may contain a combination of Emotet, TrickBot, and Ryuk.

As if encrypting the file and demanding a ransom was not already bad enough, toward the end of 2019, cybercriminals included a new strategy in their ransomware playbook, “double extortion.” With this, ransomware operators exfiltrate the data prior to encryption and publicly display the sensitive data if victims refuse to pay the amount.

In November 2019, Maze ransomware group pioneered double extortion, which was quickly adopted by many of the other ransomware variant including Nemiti, Nefilim, DoppelPaymer, Clop, REvil/Sodinokibi, Netwalker, etc.

In 2020, most of the attacks observed were ransomware infections with double extortion being the most used tactic. More importantly, the ransomware operators have drastically shortened the time between the initial compromise and ransomware deployment. In one case, Ryuk was able to achieve the goal in just around 2 hours.

The ransomware victims at the top of the list includes health care, software services, and government sectors.

2019 most notable ransomware victims

o  Orange County CA,

o  Cleveland Hopkins International Airport,

o  City of Baltimore,

o  Riviera Beach City,

o  Lake City, Florida,

o  La Porte County IN,

o  The City of New Bedford MA

2020 most notable ransomware victims

o  Andrew Agencies

o  Pensacola

o  Southwire Company, LLC

o  Medical Diagnostic Laboratories (MDLab)

o  Bouygues Construction

o  Cognizant

o  Two Manitoba-based law firms

o  Grubman Shire Meiselas & Sacks

o  Travelex

o  Vierra Magen Marcus LLP

o  Los Angeles county

o  City of Edcouch, Texas

o  Mexico's Pemex Oil Company

o  The Chilean Ministry of Agriculture

o  Bretagne Télécom

o  City of New Orleans

o  National Veterinary Associates

o  New Bedford, Massachusetts

o  Lake City, Florida

o  Tribune Publishing

o  Volusia County

o  The New Orleans city government

·     Cloud Attacks

With the popularity of cloud computing, cybercriminals have found a new way to exploit the targeted organizations.

As organizations started to move to the cloud environment, an increase in cloud-based vulnerabilities was being exposed and exploited. Some of the common security issues with cloud-based services that were exploited in 2019 and 2020 were misconfiguration, insecure interfaces, and account hijacking.

In April 2019, an unprotected Amazon server exposed over 540 million user’s records through a third-party Facebook app. In March 2019, misconfigured Box accounts exposed terabytes of sensitive data. Similarly, in July 2019, the Magecart campaign breached a number of websites through misconfigured Amazon S3 Buckets and injected JavaScript skimmers.

In 2020, with the start of the COVID-19 pandemic, the rapid shift to the cloud infrastructure was a necessity and a requirement. However, the cybercriminals took this as an opportunity and quickly started exploiting cloud vulnerabilities to deploy crypto-mining malware, set up DDoS infrastructure, or other forms of cybercrime. It is interesting to note that the cloud based cyber-attacks spiked 250% from 2019 to 2020.

In one case, DoppelPaymer hacked a French cloud service provider using an unpatched Citrix server vulnerability and were able to encrypt 148 machines running Windows 7, Windows 8, and Windows 10.

·     Supply chain compromise

To gain initial access to the victim’s network, cyber threat actors have shifted their focus on compromising the supply chain as it is difficult to detect, and the impact of successful compromise is huge.

2019 and 2020 saw quite a number of supply chain attacks. Moreover, the supply chain attack increased by 430% in 2020 as compared to 2019.

In June 2019, the REvil ransomware group hacked at least three managed service providers (MSPs) using the Webroot SecureAnywhere remote management tools to deploy ransomware on MSP’s client’s network. In yet another attack named the Sea Turtle, in April 2019, cybercriminals targeted DNS registries, telecommunication companies, and ISPs to get a foothold on security organizations and ministries in the Middle East and North Africa.

In December 2020, a highly evasive threat actor (UNC2452) leveraged SolarWinds supply chain to compromise multiple global victims with SUNBURST/Solorigate backdoor. Multiple trojanzied updates were digitally signed and released on the SolarWinds website. SolarWinds security advisory state, “this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”

·     Mobile Malware

With the change in the digital environment, cybercriminals have adjusted their weapons to evolving mobile technology.

2019 and 2020 saw a significant increase in mobile malware such as banking trojans, remote access trojans (RAT), cryptominers, adware, fake applications, and ransomware. These malware are designed to steal payment card data, credentials, PII, and funds from bank accounts.

With the COVID-19 pandemic, 2020 saw a surge of almost 30% over 2019, specifically in mobile-malware infections.

Some of the examples of active mobile malware are Anubis banking trojan, Triada, Looter, Hiddad, etc.

·     IoT Attacks

IoT and smart home devices have become a playground and crown jewels for cybercriminals. Consequently, cyberattacks on IoT devices are booming, and it has largely been used to capture banking passwords, online accounts, personally identifiable information, spy, inject malware and infect other devices, build a botnet network, etc.

Over 100 million attacks on IoT endpoints were observed in the first half of 2019 alone. While in 2020, with the coronavirus pandemic and exponential growth in the number of connected devices, IoT infections observed on wireless networks increased by 100 percent compared to 2019. Research says IoT devices are responsible for 32.72 percent of all infections in mobile and Wi-Fi networks as compared to 16.17 percent in 2019.

In between March and April 2019, a massive botnet attack that resembled a Mirai-style DDoS attack was observed, which utilized 400,000 connected devices over a period of 13 days. Similarly, in April 2020, Bitdefender researchers discovered a new IoT botnet with new and advanced capabilities that is certain to put most IoT botnet and malware to shame.

·     CryptoJacking Attacks

Cryptojacking is one of the emerging online threat which makes unauthorized use of computer resource to mine cryptocurrency. It is a lucrative option for cybercriminals.

Cryptojacking volume hit 52.7 million registered attacks in the first half of 2019, while it was 41 million in the first half of 2020.

In November 2019, security researchers at Eset discovered Stantinko botnet that added crypto-mining tactics to mine Monero and gained profit from the machines under their control. Similarly, in July 2020, security experts at Cisco Talos detected a cryptomining botnet attack named Prometei actively been used to mine Monero and had been active since March.

·     Social Engineering Attacks

Social engineering attack is one of the most effective ways used by malicious actors to attack the targeted organization. It has always been the top attack vectors and has caused technical and financial damage to businesses. The trend continued in 2019 and 2020 as well.

In August 2019, Toyota Boshoku Corporation fell victim to one of the infamous social engineering attacks. In the attack, attackers persuaded a finance executive to change recipient's bank account information in a wire transfer, which accounted for the loss of USD 37 million.

Similarly, in July 2020, Twitter fell victim to the most devastating security incident in its history. A number of high profile accounts like those of Elon Musk, Jeff Bezos, Bill Gates, Joe Biden, began tweeting what appeared to be a Bitcoin scam, promising to "give back" to the community by doubling any Bitcoin sent to their address.

Despite the fact of how obvious the scam was, the attackers received hundreds of transfers totaling around 13 BTC, which is worth more than $100,000. Although the scam was harmless, the scale of the incident was unprecedented.

Twitter scrambled to contain the attack, and stated

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

·     Phishing Attacks

Phishing attacks are an extremely common form of cyberattacks.

The Report shows that in 2019, around 90 percent of organizations worldwide faced business email compromise and spear-phishing attacks that resulted in 26.2 billion in losses.

While in 2020, with COVID-19, phishing attacks increased significantly. 22% of all the cybersecurity breaches started with phishing attacks. Cybercriminals changed their tactics to use COVID-19 related content as a part of their cyber operations. They have ramped-up attacks via spam, phishing, and other malicious campaigns. Google reported that it is blocking 18 million Coronavirus scam emails every day. Also, Google registered over 2 million phishing websites since the start of 2020. And, the National Cyber Security Center (NCSC) highlighted that it took down 2,000 coronavirus scams including 471 fake online shops, 555 malware distribution sites, 200 phishing sites, and 832 advance-free frauds.

·     Zero-Day and Known Vulnerabilities Attack

Both in 2019 and 2020, Cybercriminals actively exploited zero-day and known vulnerabilities to compromise targeted organizations.

However, in 2020, cybercriminals launched attacks against newly deployed remote access and teleworking infrastructure. For example, they exploited many publicly known vulnerabilities in VPNs and other remote working tools to steal valuable information. CISA and NCSC also reported the exploitation of vulnerabilities in Citrix, Pulse Secure, Fortinet, and Palo Alto and has also guided to mitigate vulnerabilities. Moreover, cybercriminals gained unauthorized access to popular communications platforms like Zoom, Microsoft Teams, etc. and eavesdropped on private conversations, hijacked online classroom, screen controls, and launched many other malicious attacks. It is reported that many Zoom meetings records are available online including financial meetings, therapy sessions, telehealth calls, etc.

2021 Prediction and Conclusion

2019 and 2020 presented a complex threat landscape where nation-states and cybercrime group accelerated the cyberattack race at an alarming pace. Moreover, in 2020, the COVID-19 changed the way we live and work. Remote work has become common and a new normal, thus creating a challenge alongside opportunities.

In 2021, we can expect that the types of attack will be more or less similar, but the way of execution will be different. To gain foothold inside the corporate network and exploit the target, cybercriminals will find new and innovative ways to attack individuals, their home network, and IoT devices, third party suppliers.

Some of the trend that we can expect to see in 2021 include

·     Rise and evolution of ransomware attack as one of the most feared cyberthreat.

·     Artificial intelligence driven automated spear-phishing campaigns.

·     Active exploitation of IoT and smart home devices to launch massive cyberattacks.

·     Active exploitation of VPNs and RDPs as remote work continues to become normal.

·     Rise of cybercrime-as-a-service that offers ransomware, malware, spam services, RDP access, and botnet.

·     Rise of advanced persistent threat (APT) and AI based cyberattacks.

New threats are emerging day by day, and no organizations are immune from a devastating cyberattack. So the risk of not securing organizational assets is more dangerous than ever. Organizations need to include security awareness training, preventative measures, and security best practices as a part of their culture to effectively fight against malicious activities.