NTT Ltd has released its Global Threat Intelligence Report 2021. It covers the wide range of threats and challenges that NTT monitored and dealt with during 2020. While the headlines focused on ransomware and Zoom bombing, NTT recorded a significant rise in crypto-mining. It also saw manufacturing and healthcare hit by record numbers of attacks. At 68 pages, there is a lot to take note of.
Of particular interest in this report is the theme of cyber resilience. Given the rise in ransomware, it might seem like a message to the converted. However, it is not just ransomware that caused outages for many companies. Distributed Denial of Service (DDoS) attacks rose last year. Additionally, many companies gutted their cybersecurity teams in the dash to support a suddenly remote workforce. There is significant concern that attackers used this opportunity to plant malware that can be activated in the future.
One real surprise is that attacks against technology companies dropped in 2020. Where there were attacks, they were targeted rather than widespread. The SolarWinds supply chain attack came right at the end of the reporting period. The fall-out from that and other attacks against technology vendors will likely underpin next year's report.
Healthcare a major target
As might be expected, 2020 saw a significant increase in attacks against healthcare, which accounted for 17% of all the attacks NTT recorded. A number of the attacks were Covid-related: NTT saw cybercriminals trying to steal information around vaccines and disrupt the healthcare supply chain.
The rise in attack numbers is as much down to the overall state of cybersecurity in healthcare as it is to increased attention from cybercriminals. It is an industry that has been heavily underfunded in most countries for decades. It is also difficult to secure all the endpoints, given the number of devices spread across facilities. Another risk factor is that it is a highly distributed industry with a lot of interactions between different healthcare providers.
According to Mark Thomas, Global Head of Threat Intelligence at NTT: “When it comes to security and maturity, it’s actually one of the least mature industries that we look at. It only scores about 1.02 out of a scale of six on our security maturity index. We saw a lot of attacks and a very immature security capability. The challenge here for these organisations is really to uplift that security transformation that they’re on.
“It’s going to take a number of years, and we’ve seen a lot of different compromises from various organisations within the healthcare and pharmaceutical sector. But again, this is definitely needing much more focus and investment to uplift that security posture.”
Manufacturing another industry under threat
Another industry under threat, according to the GTIR, is manufacturing. It was among the three most attacked industries despite the pandemic reducing demand. Thomas also calls it out as one of the weakest industries around when it comes to cybersecurity maturity.
Thomas told Enterprise Times: “We know that they’re one of the weakest industries out there. They don’t have the security capability to defend against some of the more advanced threat actors out there. They still struggle when it comes to security vision and strategy, logical security architecture and controls, risk management frameworks, information security frameworks, and so forth.”
A weak security posture also shows up in the basics, such as patching and asset management. Thomas commented: “Manufacturing has one of the highest rates of vulnerabilities per site. It has about eight vulnerabilities per website, so we know that they’re challenged to be able to keep pace with patching applications.”
There is some hope for manufacturing. The move towards the cloud will bring access to Managed Security Services Providers (MSSPs). They have the people and tools to help secure manufacturers' often complex environments.
A shift in the malware landscape
One of the biggest surprises in this report is the rise of coin miners as a share of malware. NTT says that they now account for 41% of all the malware it sees. Driving that is the demand for cryptocurrency, which exploded during the pandemic. The problem is that the same mining software people download for themselves is also what cybercrime gangs install on machines they compromise.
Education tends to be a favourite of coin mining gangs, presumably because students look to take advantage of university IT networks. 72% of the malware detected in education was related to coin mining. One miner, XMRig, alone accounted for 62% of the malware detected in that sector. This is far higher than in any other industry.
Stefaan Hinderyckx, Senior Vice President, Cybersecurity at NTT Ltd, said: “The reason for the coin mining success is twofold. First of all, there’s a lot of money to be made. Remember that optimization ratio from the dark side, spend versus money made. You can make a lot of money if you have a coin miner installed because it will do all the work for you.”
However, there is also complacency and even complicity among IT departments. Hinderyckx commented: “Some organisations will say, well, it’s just taking some of my CPU resources in my server, so I’m not too bothered about it.” The problem here is that the malware used in coin mining can also install other malware onto a computer, and whoever planted the miner has the access needed to do so. Looking the other way is a dangerous route to take.
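Treating a miner as "just some CPU" is how it gets missed. The script below is an added example, not code from NTT or the report, showing the kind of detection logic a SOC would run over endpoint and proxy telemetry to surface coin miners such as XMRig. The stratum+tcp/stratum+ssl URI scheme and the Stratum JSON-RPC methods (mining.subscribe, and the login call that carries an agent string such as "XMRig/...") are how miners really talk to pools; the pool port list, the CPU threshold, the allow-list of legitimately CPU-heavy processes and the JSON-lines telemetry format are assumptions made for this example, and the log records are constructed.

```python
import json
import re

# --- Indicators -------------------------------------------------------------
# Real protocol facts: miners reach pools via stratum+tcp:// or stratum+ssl://
# URIs and speak JSON-RPC. Stratum v1 uses "mining.subscribe"/"mining.authorize";
# XMRig-style Monero pools use a "login" call whose params carry an "agent".
STRATUM_URI = re.compile(r"^stratum\+(tcp|ssl|tls)://", re.IGNORECASE)
STRATUM_V1_METHODS = {"mining.subscribe", "mining.authorize"}
MINER_AGENT_PREFIXES = ("XMRig/",)            # assumption: extend with other miners
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}  # assumption, heuristic only
CPU_THRESHOLD = 80                            # assumption: sustained percent of a core
KNOWN_HEAVY_PROCS = {"ffmpeg", "blender", "7z"}  # assumption: expected to pin CPUs


def parse_dst(dst):
    """Split 'host:port' or 'stratum+tcp://host:port' into (scheme, host, port)."""
    scheme = None
    m = STRATUM_URI.match(dst)
    if m:
        scheme = "stratum+" + m.group(1).lower()
        dst = dst[m.end():]
    host, sep, port = dst.rpartition(":")
    if not sep or not port.isdigit():
        return scheme, dst, None
    return scheme, host, int(port)


def parse_rpc(payload):
    """Return the JSON-RPC message dict if the payload is one, else None."""
    if not payload:
        return None
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None


def mining_rpc_method(payload):
    """Name the mining method in a pool handshake, or None if it is not one."""
    msg = parse_rpc(payload)
    if not msg:
        return None
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_V1_METHODS:
        return method
    # A bare "login" is too generic; require the miner-specific params.
    if method == "login" and isinstance(params, dict) and ("agent" in params or "algo" in params):
        return method
    return None


def miner_agent(payload):
    """Return the miner's self-reported agent string (e.g. XMRig/6.12.1), if any."""
    msg = parse_rpc(payload)
    params = msg.get("params") if msg else None
    agent = params.get("agent") if isinstance(params, dict) else None
    if isinstance(agent, str) and agent.startswith(MINER_AGENT_PREFIXES):
        return agent
    return None


def score_event(ev):
    """Score one telemetry record: strong indicators count 2, weak ones 1."""
    score, reasons = 0, []
    scheme, host, port = parse_dst(ev.get("dst", ""))
    payload = ev.get("payload", "")
    if scheme:
        score += 2; reasons.append(f"{scheme} URI to {host}")
    method = mining_rpc_method(payload)
    if method:
        score += 2; reasons.append(f"mining JSON-RPC method {method!r}")
    agent = miner_agent(payload)
    if agent:
        score += 2; reasons.append(f"miner agent string {agent!r}")
    if port in COMMON_POOL_PORTS:
        score += 1; reasons.append(f"destination port {port} is a common pool port")
    if ev.get("cpu_pct", 0) >= CPU_THRESHOLD and ev.get("proc") not in KNOWN_HEAVY_PROCS:
        score += 1; reasons.append(f"{ev['proc']} sustaining {ev['cpu_pct']}% CPU")
    return score, reasons


def find_miners(log_text, threshold=2):
    """Parse JSON-lines telemetry; return a finding for every record scoring >= threshold."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"host": ev["host"], "proc": ev["proc"], "score": score, "reasons": reasons})
    return findings


# Constructed sample telemetry (not real traffic): one JSON object per line.
SAMPLE_EVENTS = [
    {"host": "lab-ws-01", "proc": "chrome.exe", "dst": "142.250.74.36:443", "cpu_pct": 4, "payload": ""},
    {"host": "lab-ws-02", "proc": "svchost.exe", "dst": "203.0.113.10:3333", "cpu_pct": 97,
     "payload": json.dumps({"method": "login", "params": {"login": "4ABCDWALLET", "pass": "x", "agent": "XMRig/6.12.1"}})},
    {"host": "lab-ws-03", "proc": "updater", "dst": "stratum+tcp://pool.example.net:4444", "cpu_pct": 88, "payload": ""},
    {"host": "lab-ws-04", "proc": "ffmpeg", "dst": "198.51.100.7:443", "cpu_pct": 95, "payload": ""},
    {"host": "lab-ws-05", "proc": "python3", "dst": "203.0.113.22:3333", "cpu_pct": 12,
     "payload": json.dumps({"method": "mining.subscribe", "params": []})},
    {"host": "lab-ws-06", "proc": "node", "dst": "198.51.100.9:443", "cpu_pct": 91, "payload": ""},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in find_miners(SAMPLE_LOG):
        print(f"{f['host']} ({f['proc']}) score={f['score']}: " + "; ".join(f["reasons"]))
```

Three of the six constructed hosts are flagged: the one whose svchost.exe logs in to a pool as XMRig, the one using a stratum URI, and the one that sends mining.subscribe even at low CPU. The ffmpeg host and the node host pinning a core on port 443 are not, which is the point of scoring: CPU load alone is neither necessary nor sufficient, and a miner that throttles itself to stay under a CPU threshold still shows up in its network behaviour.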
Work from home exacerbated application attacks
IT departments were caught completely off guard by the rapid closing of offices and the move to remote working. Not so the cybercriminals. Application-specific attacks (35% of all attacks) and web-application attacks (32%) both increased substantially over 2019. Insecure end-user devices enabled many of the attacks, although concerted campaigns targeted some industries.
One of those was healthcare. Doctors' surgeries moved away from seeing large numbers of patients in person to telehealth. That exposed healthcare digital infrastructure and web systems to an extraordinary number of attacks. The GTIR shows that 97% of all the hostile activity targeting healthcare was application-specific or web-application.
Many campaigns used phishing emails carrying malicious PDF, RTF and Word documents. These were used to install a range of different malware on end-user devices. Many of the attacks targeted the login credentials of remote users so that the attackers could gain access to cloud infrastructure and corporate systems.
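The three attachment types named above carry their payloads in well-known places: active content in PDFs, embedded objects in RTF, and macro projects or external relationships in Word's zip-based OOXML container. The triage script below is an added example, not code from NTT or the report, that sniffs an attachment's real type regardless of its extension and checks each format for those markers using only the standard library. The sample attachments are constructed in memory for the example; the indicator lists are deliberately narrow (PDFs in the wild also hide names inside compressed streams, and legacy OLE .doc files need a dedicated parser, which the script only flags).

```python
import io
import re
import zipfile

# Magic bytes for the container formats that matter for document phishing.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip"),                              # OOXML (.docx/.docm/.xlsx) is a zip
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),        # legacy .doc/.xls compound file
    (b"MZ", "pe"),                                       # Windows executable
]
# What each extension should sniff as; a mismatch is itself a finding.
EXPECTED = {"pdf": "pdf", "rtf": "rtf", "docx": "zip", "docm": "zip", "doc": "ole"}

# PDF name objects that make a document act rather than just render.
PDF_ACTIVE = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|EmbeddedFile)\b")
# RTF control words that introduce embedded OLE objects.
RTF_OBJECT = [b"\\objdata", b"\\objemb", b"\\objupdate"]


def sniff(data):
    """Identify the container by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def unescape_pdf_names(data):
    """PDF allows /J#61vaScript for /JavaScript; normalise so matching is not fooled."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inspect_ooxml(data):
    """Look inside a zip-based Office file for macros, embedded objects and remote links."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip container is corrupt or truncated"]
    names = zf.namelist()
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("VBA macro project present (vbaProject.bin)")
    if any("/embeddings/" in n for n in names):
        reasons.append("embedded OLE objects under */embeddings/")
    for n in names:
        # TargetMode="External" in a relationship means the document pulls
        # something from a URL when opened (remote template, linked object).
        if n.endswith(".rels") and b'TargetMode="External"' in zf.read(n):
            reasons.append(f"external relationship target in {n} (remote template/object)")
    return reasons


def triage(filename, data):
    """Return the reasons this attachment deserves analyst attention; empty means none found."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in EXPECTED and EXPECTED[ext] != kind:
        reasons.append(f"extension .{ext} but content sniffs as {kind}")
    if kind == "pdf":
        hits = sorted({h.decode() for h in PDF_ACTIVE.findall(unescape_pdf_names(data))})
        if hits:
            reasons.append("PDF active content: " + ", ".join(hits))
    elif kind == "rtf":
        hits = [k.decode() for k in RTF_OBJECT if k in data]
        if hits:
            reasons.append("RTF embedded object control words: " + ", ".join(hits))
    elif kind == "zip":
        reasons.extend(inspect_ooxml(data))
    elif kind == "ole":
        reasons.append("legacy OLE document; needs stream/macro inspection with a dedicated parser")
    elif kind == "pe":
        reasons.append("Windows executable")
    return reasons


def triage_all(attachments):
    """Map each attachment name to its triage findings."""
    return {name: triage(name, data) for name, data in attachments.items()}


def build_docx(with_macro=False, rels_extra=b""):
    """Construct a minimal OOXML file in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", b"<Relationships>" + rels_extra + b"</Relationships>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


# Constructed sample attachments covering each check.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
                   b"2 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n%%EOF",
    "report.rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "macro.docm": build_docx(with_macro=True),
    "template.docx": build_docx(rels_extra=b'<Relationship Id="rId1" Target="http://203.0.113.5/t.dotm" TargetMode="External"/>'),
    "clean.docx": build_docx(),
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00 not really a pdf",
}

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLES).items():
        print(f"{name}: " + ("; ".join(reasons) if reasons else "no findings"))
```

The extension check matters as much as the format checks: a "statement.pdf" that starts with MZ is an executable whatever the mail client shows, and the hex-escaped /J#61vaScript in the sample PDF is the sort of trivial evasion that defeats a naive string match. An empty result, as for clean.docx, means nothing was found, not that the file is safe.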
Enterprise Times: What does this mean?
While the level of attacks varied by region, 2020 was a bumper year for cyberattacks. Phishing, ransomware, coin mining, trojans, application-specific and web-application attacks all increased. The amount of money made by cybercriminals also rose as companies increasingly paid ransoms, only to find that paying did not get their data back.
There is concern over the level of attacks in 2020 and now 2021, and how that will impact organisations in the medium to long term. Many businesses may not know if or how they were breached. Cybercriminals are likely to have left malware sitting inside corporate systems waiting for future activation. It means that restoring systems may not restore a business: if the backups were taken after the intrusion, they restore the attacker's foothold too. Organisations must begin sweeping their backups for anything that cybercriminals have left behind.
One of the challenges for organisations going forward will be improving their cyber resiliency. For some, that will mean a complete overhaul of existing policies and implementing security best practices.
The biggest challenge going forward will be how organisations migrate their current IT environments to become more secure and cyber-resilient.