Threat actors have widened their skills over the last year, making greater use of reconnaissance to select targets and identify vulnerabilities. The use of automation coupled with more sophisticated attacks shows how the wider threat actor community is using skills from nation-state attackers and cybercrime groups. That is the message from the NTT Ltd Global Threat Intelligence Report (GTIR) 2020 (registration required).
Commenting on the report, Mark Thomas, Global Head of Threat Intelligence at NTT Ltd, said: “Every year we produce a global threat intelligence report, and every year we try to do something a little bit different. This year, we’ve incorporated the managed security services data from our global security operations centres. We’ve incorporated our cybersecurity advisory data, which is essentially a business outcome-driven consulting engagement, and we’ve also included insights from White Hat Security, who specialise in Application Security insights.”
That data comes from over 4,000 customers across six continents. It also looks at some industry sectors in more detail, such as finance, technology, healthcare, manufacturing, and retail.
When asked about his key standouts, Thomas said: “Threat actors are innovating. We’re seeing attack volumes increasing across every industry between 2018 and 2019. Weaponisation of the Internet of Things has seen the re-emergence of the likes of Mirai and derivatives, which are targeting businesses right across the globe.
“Old vulnerabilities persistently remain an active target. A lot of organisations are challenged to patch new vulnerabilities, but they also forget the old ones as well. We’ve also seen a shift in sector targeting, so the technology sector now tops the list of most attacked sectors.”
Threat actors exploiting COVID-19
The emergence of COVID-19 has seen a shift in attacks. Its global impact has provided threat actors with greater opportunity than before. Any large-scale event, from a celebrity meltdown to a tsunami, creates an increase in some attacks. Phishing, fake websites, malware and spam all get a temporary boost.
With COVID-19, the attack landscape has changed significantly. The GTIR 2020 report comes with a timeline from January to April showing how different attacks emerged as the pandemic swept across the globe. Importantly, it also shows how quickly both nation-state actors and cybercrime groups sought to leverage global fear.
The list of attacks includes:
- Fake news websites: Up to 2,000 websites per day are being created. These offer fake news and conspiracy theories. Most distribute exploit kits and malware to unsuspecting visitors. Threat actors have even cloned key trusted sites such as Johns Hopkins University to spread malware.
- Re-emergence of malware: Malware never dies; it just hides. COVID-19 has seen new campaigns around old malware such as Trickbot, Lokibot, Zeus Sphinx and Emotet. Attacks such as ransomware and credential stealers are targeting individuals working from home (WFH).
- Exploiting known vulnerabilities: Patching is still an issue across IT systems. Threat actors are successfully exploiting old vulnerabilities that organisations have forgotten to patch.
- CMS systems: As businesses look for new ways to connect with customers, many SMEs are expanding their web presence. WordPress, Joomla!, Drupal and other CMS systems rely on plugins that many websites fail to update, leaving them open to exploitation. Card skimmers are placed on webshops, malware is downloaded to visitors, and credentials are stolen.
Technology under high levels of attack
“The technology sector accounted for 25% of all attacks,” says Rob Kraus, Senior Director, Global Threat Intelligence Center, Threat Communications & Alliances at NTT Ltd. “They’ve got a very diverse set of applications across a very diverse set of organisations. The technology industry tends to use a lot of its own technology, including IoT technology. Botnets like Mirai and IoTroop are automating those IoT attacks, making that cascade of attacks even stronger.”
Major technology vendors have been issuing more patches lately. In March, April and May, Microsoft patched 115, 113 and 111 CVEs respectively, in addition to other patches. Zoom, Intel and Adobe have also issued large quantities of patches. Some organisations are applying these immediately, but others are not. Additionally, patches are not being applied consistently.
IT has no control over whether employees patch personal devices. It also has no control over what applications they use, what websites they visit or which family members share the device.
However, it is not fair to just blame employees. IT is part of the problem. Kraus says: “The most common attack techniques we observed were not necessarily new: remote code execution and injection attacks. Both have been around for a while and made up nearly 30% of all attacks we saw.
“We detected vulnerabilities, or exploit attempts against vulnerabilities, over 15 or 20 years old, and unpatched vulnerabilities continue to be a problem. Of the top five vulnerabilities observed being targeted in the Americas, the newest one is two and a half years old. The top 10 vulnerabilities detected in finance globally were all defined in 2017 or earlier. They all have patches. We are still detecting hundreds of thousands of attacks against them every year.”
Overstretched Healthcare is being slammed
Healthcare has seen a significant rise in attacks despite some threat actors saying it would be left alone during the pandemic. Ransomware attacks put the lives of patients at risk, yet threat actors continue to use them. With supply chains stretched, healthcare is also vulnerable to phishing attacks and fake websites offering PPE. The move to alternative ways of treating patients, such as telehealth, risks attacks against the video conference platforms in use.
Hospitals are also using more connected equipment than before. Reconnaissance attacks allow threat actors to build a picture of vulnerable systems for future attacks. Some older healthcare technology cannot be replaced, patched or updated, yet it will remain in use for several years. This creates a headache for security teams and the industry. Overstretched healthcare IT budgets are not in a position to remediate these systems.
Manufacturing attacks looking at the long haul
Manufacturers accounted for 15% of all attacks, making it the third most attacked industry sector in 2019. In Europe, Germany and the UK saw significant increases in attacks on their manufacturing base. Germany is very dependent upon its manufacturing sector, and attacks against it are a significant concern.
Kraus says the research shows that “many of those attacks were reconnaissance.” It should be a major warning sign for manufacturers. They are large users of IoT and IIoT systems, and there is often a disconnect between IT and OT systems. OT systems, in particular, can be hard to patch and secure.
With many manufacturers shut down, attackers are taking advantage of low staffing levels to carry out their attacks. It is not always about immediate gains. For manufacturers who have complex supply chains that include many small companies, long-tail attacks are a concern.
Jon Heimerl, Senior Manager, Threat Intelligence Communication Team, NTT Ltd, spoke to Enterprise Times. In a podcast, he said: “What I’m looking at is how do I get in and stay there and hang out for two, three, four, six months. In the future, when that company is more active, has ramped up production and is rolling again at full steam, I’ve already got my footprint in there. I’ve already got a way to extract their data and do what I need to do more quickly. We’ve definitely seen indications that’s going on.”
Manufacturers are also likely to see a new wave of automation and robotics as they recover from the global shutdown. They will need to pay particular attention to their OT systems to prevent threat actors from installing malware to disrupt or steal intellectual property.
Threat actors taking advantage of Work From Home
The current pandemic has shown how quickly threat actors can innovate. With employees now working from home, the lack of contact with co-workers and managers makes it hard to ask for help. Is this email right? Did you ask for this data? Are these new banking details correct?
Heimerl says: “This really opens up a whole new ballgame for BEC and individualistic attacks. Getting an email attack, a social engineering attack or something directed at an individual who is now in their home office who, two months ago, was in the office every day, is a dramatic shift in the way that person has to think and work.
“It’s an escalating problem where people are more vulnerable. We have definitely seen attackers focusing on and understanding that attacking people in uncomfortable situations is a big win. It’s clearly an upgraded attack path for attackers, and they’re taking advantage of it.”
Enterprise Times: What does this mean?
This is another large report with a lot of data. The main report is 73 pages, and the executive summary is 22 pages. It gives a somewhat disturbing look at how quickly threat actors can pivot attacks and exploit vulnerabilities. It also shows that cybersecurity teams need to do more to protect systems, especially during times of crisis.
The boardroom often sees cybersecurity as a money pit that delivers little or no return on investment. Such a view is a severe hindrance to effective security. There is a need for the security industry, IT security teams, CISOs and boardrooms to find a new relationship.
Cybercrime groups and nation-state actors are investing in their tooling and using reconnaissance to select the most vulnerable targets. This report shows how they are innovating and how they are adopting automation to improve their attacks.
Security needs to be much more dynamic and adaptable than it is today. If it doesn’t adjust, it will find itself continuously outmanoeuvred by threat actors.