Cisco report highlights cyber threat trends

Cisco recently released its Defending Against Critical Threats report, a look back at 2020's threat landscape.

Cisco recently released its Defending Against Critical Threats report, a look back at 2020's threat landscape and how it evolved.

The report covers cyber threat trends including remote work, password theft and credential dumping, and remote desktop access over the remote desktop protocol (RDP).

Examining the traffic running through its Umbrella DNS servers, the company saw the number of remote workers double between the first and last weeks of March 2020. Bad actors also made the most of the shift to WFH by attempting to gain unauthorised access to networks. 

The company’s cyber threat intelligence team, Cisco Talos, investigated some of the most common methods of attempted unauthorised access such as spam and using malicious domains.

To determine the volume of spam, Talos examined emails with pandemic-related themes such as ‘COVID-19’, ‘pandemic’ or ‘corona’. According to the report, “It’s no news that spammers leverage the latest big stories in the news to help spread their wares. The pandemic has been no exception.”

“Some campaigns have sent out malicious emails that appear to share information on the pandemic while others claim to contain information regarding government stimulus payments.” The pandemic has seen spammers pivot to messages around package delivery, claiming that deliveries have been delayed by COVID restrictions. This type of attack saw a marked increase in mid-March, coinciding with the increased remote work and near-constant news coverage of the virus.

The Umbrella team also saw an increase in malicious domains leveraging the COVID theme to carry out attacks. According to the researchers, on March 19, around 71 000 (34%) of new COVID-related domains were blocked as suspicious. The company said as many as 75% of these domains were blocked in April.

In addition, credential dumping, a technique whereby attackers scour compromised computers for credentials to carry out further attacks, is on the rise. Verizon’s 2020 Data Breach Investigations Report states that over 80% of breaches involve passwords compromised by brute force attacks or stolen credentials.

These stolen credentials are then used to gain access to a network. The danger of this is that attackers can go undetected as they move through the network.
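The report's point that stolen credentials let an attacker move through a network undetected is, from the defender's side, a question of what the authentication logs look like when one account starts touching many hosts in a short window. The following is an added example, not code from the Cisco report or from Cisco Talos: it parses a constructed, simplified Windows-style logon log (the field names and the log layout are assumptions for this illustration) and flags any account that logs on over the network to an unusual number of distinct hosts within a time window, the fan-out pattern the article associates with credential reuse and big game hunting against domain controllers and backup servers.

```python
"""Flag accounts that authenticate to many distinct hosts in a short window.

Added illustration of credential-reuse / lateral-movement detection; the log
format below is a constructed simplification of Windows logon events
(EventID 4624, LogonType 3 = network logon), not a real exporter's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. svc-backup fans out to six servers in three minutes;
# j.smith shows normal, low-fan-out activity; one line is malformed on purpose.
SAMPLE_LOG = """
2020-03-19T09:00:05 EventID=4624 LogonType=3 Account=svc-backup Source=WS-014 Target=FS-01
2020-03-19T09:00:41 EventID=4624 LogonType=3 Account=svc-backup Source=WS-014 Target=DC-01
2020-03-19T09:01:12 EventID=4624 LogonType=3 Account=svc-backup Source=WS-014 Target=SQL-02
2020-03-19T09:01:50 EventID=4624 LogonType=3 Account=svc-backup Source=WS-014 Target=BACKUP-01
2020-03-19T09:02:30 EventID=4624 LogonType=3 Account=svc-backup Source=WS-014 Target=FS-02
2020-03-19T09:03:00 EventID=4624 LogonType=3 Account=svc-backup Source=WS-014 Target=HR-APP
2020-03-19T09:03:30 EventID=4624 LogonType=2 Account=svc-backup Source=WS-014 Target=WS-014
2020-03-19T09:10:00 EventID=4624 LogonType=3 Account=j.smith Source=WS-007 Target=FS-01
2020-03-19T10:30:00 EventID=4624 LogonType=3 Account=j.smith Source=WS-007 Target=PRINT-01
2020-03-19T11:00:00 EventID=4624 LogonType=3 Account=j.smith Source=WS-007 Target=FS-01
this line is not a logon event and is skipped by the parser
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+) Target=(?P<dst>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed logon line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "account": m["acct"],
        "source": m["src"],
        "target": m["dst"],
    }


def find_fan_out(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per account whose network logons reach >= threshold
    distinct target hosts inside any sliding window of the given length."""
    events = [
        e for e in map(parse_line, lines)
        if e and e["event_id"] == 4624 and e["logon_type"] == 3
    ]
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            targets = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                targets.add(e["target"])
            if len(targets) >= threshold:
                alerts.append({
                    "account": account,
                    "source": start["source"],
                    "first_seen": start["ts"].isoformat(),
                    "targets": sorted(targets),
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_fan_out(SAMPLE_LOG):
        print(f"{alert['account']} from {alert['source']} reached "
              f"{len(alert['targets'])} hosts from {alert['first_seen']}: "
              f"{', '.join(alert['targets'])}")
```

The threshold and window are tuning knobs: a backup or monitoring service account legitimately touches many hosts, so in practice the baseline would be per-account and the alert would carry the source workstation (here a user workstation, WS-014, logging on to a domain controller and a backup server with a service account) as the detail that makes it worth a look.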

Moreover, many companies used remote desktops as a way to ensure access to company resources during WFH, but this leaves organisations vulnerable to man-in-the-middle or remote code execution attacks where a hacker runs their own code on a machine or server.

Given the vulnerability of RDP, the report suggests that the simplest way to guard against this type of attack is not to use the protocol at all, pointing to a Remote Desktop Services vulnerability known as BlueKeep. This is a flaw in the way RDS handles RDP requests, and it can be used to spread malware from one unpatched system to another.

The evolution of ransomware

The report says that ransomware has again re-emerged as the payload of choice for threat actors, but the nature of these attacks has changed. The attacks can be carried out through double extortion, big game hunting or compromise-as-a-service.

Big game hunting emerged as one of the more popular attacks in 2020, which sees an attacker breaching a network, accessing more parts of the system and escalating privileges before finally activating the ransomware. Attackers go after domain controllers, backup systems and other business-critical servers. Aiming for maximum damage, attackers sometimes demand large sums to decrypt the data. Some organisations pay this ransom to ensure business continuity.

According to the report, “Throughout 2020, it was observed that many threat actors are no longer satisfied with simply causing widespread disruption to business operations. Many are now also exfiltrating sensitive information from corporate networks before activating their ransomware and making their presence in the environment known to the victim. This enables them to conduct what has become commonly referred to as ‘double extortion attacks’.”

Organisations affected by this attack risk reputational damage and a decrease in customer and market confidence. The report suggests companies be aware of the multi-faceted nature of these threats. They should take a proactive approach in defending against these attacks; this can be done by focusing on the three phases of network defence: prevention, detection and response.

A market has opened up for bad actors to buy their way into networks. Hackers who initially get into systems then sell access on the dark Web or hacker platforms. This "compromise-as-a-service" is considered an attractive business model as hackers no longer have to gain access. Many big game hunt attacks can be traced back to initial system breaches that weren’t acted upon.

Read the full Cisco Secure Defending Against Critical Threats report here.