At the start of 2020, very few people would have predicted the events that unfolded. The COVID-19 global pandemic caused unprecedented changes to all of our lives, and has reshaped our entire working culture. From the accelerated pace of digital transformation and move to the cloud, to the increased use of collaboration tools, cybercriminals looked to take advantage of these rapid and widespread changes for their own purposes.
According to the Cyber Attack Trends: 2020 Mid-Year Report by Check Point Software, a cyber-security solutions global provider, criminal, political and nation-state threat actors have exploited the COVID-19 pandemic and related themes to target organizations across all sectors, including governments, industry, healthcare, service providers, critical infrastructure and consumers.
“The global response to the pandemic has transformed and accelerated threat actors’ business-as-usual models of attacks during the first half of this year, exploiting fears around COVID-19 as cover for their activities. We have also seen major new vulnerabilities and attack vectors emerging, which threaten the security of organizations across every sector,” said Maya Horowitz, Director, Threat Intelligence and Research, Products at Check Point Software. “Security experts need to be aware of these rapidly evolving threats so that they can ensure their organizations have the best level of protection possible during the rest of 2020.”
Here are some of the cyber attack trends the report discusses:
Ransomware actors have adopted a new strategy; in addition to making the victim’s files inaccessible, they now exfiltrate large quantities of data prior to its encryption in the final stage of the attack. Victims who refuse payment demands find their most sensitive data publicly displayed on dedicated websites.
Nation-state cyber activity has seen a surge in intensity and an escalation in severity. At a time when traditional tactics for gathering intelligence are no longer feasible due to social distancing, the use of offensive cyber weapons to support national missions appears to have expanded. The goal may be a better understanding of the coronavirus or securing intelligence operations, and both countries and industries are the targets.
Threat actors have been seeking new infection vectors in the mobile world, changing and improving their techniques to avoid detection in places such as the official application stores. In one innovative attack, threat actors used a large international corporation’s Mobile Device Management (MDM) system to distribute malware to more than 75% of its managed mobile devices.
Industries were required to make rapid infrastructure adjustments to secure their production when working remotely. In many cases, this would not have been possible without cloud technologies. However, it also exposed more misconfigured or simply unprotected assets to the internet. In addition, for the first time, alarming vulnerabilities were revealed in Microsoft Azure infrastructure that could enable invaders to escape VM infrastructure and compromise other customers.
Check Point Software states that the most common malware variants during the first half of 2020 were:
- Emotet (impacting 9% of organizations globally) – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It can also be spread through phishing spam emails containing malicious attachments or links.
- XMRig (8%) – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
- Agent Tesla (7%) – AgentTesla is an advanced remote access trojan (RAT) which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim’s keyboard input and system clipboard and can record screenshots and exfiltrate credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.
Top cryptominers during the first half of 2020
- XMRig (responsible for 46% of all cryptomining activity globally) – XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
- WannaMine (6%) – WannaMine is a sophisticated Monero crypto-mining worm that spreads using the EternalBlue exploit. WannaMine implements its spreading mechanism and persistence techniques by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions.
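The WMI permanent event subscriptions that the report attributes to WannaMine’s persistence are visible to defenders: every such subscription is a triple of an `__EventFilter` (the trigger query), an `__EventConsumer` (the action) and a `__FilterToConsumerBinding` joining them, all stored in the `root\subscription` namespace. The script below is an added example, not code from the Check Point report or from any of the malware families it names; it assumes a Windows host and a PowerShell session with local administrator rights, and it enumerates the bindings and flags the two consumer classes that execute arbitrary commands or script, printing the trigger query and payload for each.

```powershell
# Added example (not from the Check Point report): enumerate WMI permanent
# event subscriptions, the persistence mechanism the report attributes to
# WannaMine, and flag consumers that can run commands or script.
# Assumes: Windows host, PowerShell run as a local administrator.
$ns = 'root\subscription'

# Consumer classes that execute attacker-supplied content; the other built-in
# classes (log, SMTP, file) cannot launch a process on their own.
$suspiciousConsumerClasses = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$findings = foreach ($b in $bindings) {
    # Filter and Consumer are reference properties; CIM returns them as
    # instances carrying the key (Name) of the referenced object.
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name
    $consumerCls  = $b.Consumer.CimClass.CimClassName

    $filter   = $filters   | Where-Object { $_.Name -eq $filterName }
    $consumer = $consumers | Where-Object {
        $_.Name -eq $consumerName -and $_.CimClass.CimClassName -eq $consumerCls
    }

    # Pull out whatever the consumer would execute when the filter fires.
    $payload = switch ($consumerCls) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { '' }
    }

    [pscustomobject]@{
        Filter        = $filterName
        Query         = $filter.Query          # WQL trigger, e.g. a timer or process-start event
        ConsumerClass = $consumerCls
        Consumer      = $consumerName
        Payload       = $payload
        Suspicious    = $suspiciousConsumerClasses -contains $consumerCls
    }
}

if (-not $findings) {
    Write-Host "No permanent WMI event subscriptions found in $ns"
} else {
    $findings | Sort-Object Suspicious -Descending | Format-List
}
```

A stock Windows installation usually carries a single benign binding (the "SCM Event Log" filter and consumer pair, which uses a log-writing consumer), so the useful signal is any binding whose consumer class is `CommandLineEventConsumer` or `ActiveScriptEventConsumer`, or any filter or consumer name that is not in your known-good baseline. Running this across a fleet and diffing against that baseline is a cheap way to catch WMI-based persistence regardless of which malware family planted it.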
Top mobile malware during the first half of 2020
- xHelper (responsible for 24% of all mobile malware attacks) – xHelper is an Android malware which mainly shows intrusive popup ads and notification spam. It is very hard to remove once installed due to its reinstallation capabilities. First observed in March 2019, xHelper has infected more than 45,000 devices.
- PreAMo (19%) – PreAMo is a clicker malware for Android devices, first reported in April 2019. PreAMo generates revenue by mimicking the user and clicking on ads without the user’s knowledge. Discovered on Google Play, the malware was downloaded over 90 million times across six different mobile applications.
- Necro (14%) – Necro is an Android Trojan Dropper. It can download other malware, show intrusive ads, and fraudulently charge for paid subscriptions.
Top banking malware during the first half of 2020
- Dridex (responsible for 27% of all banking malware attacks) – Dridex is a Banking Trojan that targets Windows PCs. It is delivered by spam campaigns and Exploit Kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control.
- Trickbot (20%) – Trickbot is a modular Banking Trojan that targets the Windows platform, and is mostly delivered via spam campaigns or other malware families such as Emotet.
- Ramnit (15%) – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts.