This report provides an overview of the most common threats and vulnerabilities observed in Q1 2020. The quarter saw a significant rise in phishing emails, ransomware attacks, zero-day exploitation of technology vulnerabilities, and activity by targeted threat groups. The most common threats were as follows:
With the global spread of COVID-19, there has been a large increase in phishing attacks. The pandemic has become the preferred lure in phishing campaigns targeting individuals and organizations. Threat actors have capitalized on the evolving situation both to target and to impersonate different organizations. The campaigns use the familiar tactics of attaching malicious documents or linking to a malicious site, while preying on the recipient's desire for more information about the developing crisis. Another tactic seen in successful phishing campaigns is the use of a domain that closely resembles the legitimate one. Such a domain is easily overlooked by the target of the phishing email, who is led to believe the link is safe.
Phishing campaigns have increasingly used emails with attached documents disguised as government relief payment information. Recipients are asked to fill out the attached form in order to receive their relief payment; however, the document contains malware that infects the host.
To mitigate this risk, security awareness training should educate teams on how to recognize phishing scams and other common social engineering tactics. Teams must avoid suspicious attachments and must not enable macros on untrusted documents. It is good practice to double-check any link by hovering over it to confirm that it will not redirect to a fraudulent website, and URL domain names should be reviewed carefully for typos or missing characters. IT departments must also provide a simple way for employees to report suspicious messages.
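The two checks the paragraph above recommends, reviewing a link's domain for typos or missing characters and spotting a domain that merely resembles a legitimate one, can be automated in a mail gateway or a reporting workflow. The following Python script is an added example written for this report's readers; it is not Mitiget's tooling and not from any product named on the page. The trusted-domain list, the constructed sample URLs, the confusable-character table and the edit-distance threshold are all assumptions, and the "registrable domain" helper is a deliberate simplification (last two labels) that does not handle suffixes such as `co.uk`.

```python
"""Flag URLs whose domain is a typo, homoglyph or subdomain look-alike of a trusted domain."""
from urllib.parse import urlparse

# Constructed list of domains the organisation treats as legitimate (assumption).
TRUSTED_DOMAINS = ["example.com", "treasury.gov", "mitiget.com"]

# Character substitutions commonly seen in look-alike domains (illustrative, not exhaustive).
CONFUSABLE_DIGITS = str.maketrans("0135", "olse")     # 0->o, 1->l, 3->e, 5->s
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))         # "rn" reads as "m", "vv" as "w"

# Maximum edit distance at which a domain is reported as a typo of a trusted one (tuning knob).
TYPO_THRESHOLD = 2


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. mail.example.com -> example.com.
    Simplified: public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(domain: str) -> str:
    """Fold common confusable characters so visually similar domains compare equal."""
    folded = domain.lower()
    for pair, replacement in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, replacement)
    return folded.translate(CONFUSABLE_DIGITS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED_DOMAINS):
    """Classify a URL's host: ok, lookalike-subdomain, homoglyph, typo or unknown.
    Returns (verdict, matched_domain)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)

    # Genuine host or a genuine subdomain (mail.example.com).
    if reg in trusted:
        return ("ok", reg)

    # Trusted name embedded as a subdomain of an unrelated domain
    # (example.com.relief-payment.net): the real owner is the last two labels.
    for t in trusted:
        if t in host:
            return ("lookalike-subdomain", t)

    # Visually identical after folding confusable characters (examp1e.com).
    for t in trusted:
        if normalise(reg) == normalise(t):
            return ("homoglyph", t)

    # A few characters off: transposed, missing or substituted (exmaple.com, exampl.com).
    for t in trusted:
        if edit_distance(reg, t) <= TYPO_THRESHOLD:
            return ("typo", t)

    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links of the kind that appear in relief-payment phishing lures.
    samples = [
        "https://mail.example.com/login",
        "http://examp1e.com/relief-form.doc",
        "http://exmaple.com/",
        "http://example.com.relief-payment.net/form",
        "http://treasury-relief.net/apply",
    ]
    for link in samples:
        verdict, matched = check_url(link)
        print(f"{verdict:20} {matched:22} {link}")
```

In a gateway the "unknown" verdict would simply pass through; the three look-alike verdicts are the ones worth surfacing to the user with the trusted domain they resemble, which is exactly the comparison the hover-and-inspect advice asks a person to make by eye.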
There has been a resurgence of ransomware attacks, with recent incidents focused in particular on international healthcare, local government, and education. A ransomware attack occurs when malicious software is used to deny a user or business access to a computer system or its data. The malware typically spreads through phishing emails or visits to malicious websites and demands payment for the files to be unlocked.
The use of ransomware as an income stream for threat actors and cyber-criminals continues to grow. As with most malware, ransomware operators have begun adding features that put victims under greater pressure to pay. Pioneered by the Maze group and now widely adopted by others, attackers steal files before starting the encryption of a system, then use their possession of those files, together with the threat of public release, to demand prompt payment. The stolen data often contains personal employee information or sensitive business information, which makes the situation more severe still. The latest ransomware also uses the wake-on-LAN feature to power up devices that are switched off on a compromised network so that those devices can be encrypted as well, and it continues to spread through spam and malicious attachments. One variant reboots infected Windows systems into safe mode to bypass antivirus software before encrypting the victim's files. Another targets industrial control systems and encrypts all Windows devices connected to them.
The first quarter of 2020 saw the active exploitation of several zero-day vulnerabilities, with many technology companies affected. Prominent examples include a flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway that exposed 80,000 companies around the globe, various critical Microsoft vulnerabilities, and the targeting of Zoom, a popular video conferencing platform, to hijack conferences while meetings were in progress. Zoom has released a patch for a vulnerability that made it possible for attackers to find and join unprotected meetings. Vulnerabilities in Pulse Secure VPN environments are also being exploited to install ransomware.
To mitigate this risk, patches should be applied as soon as possible to limit exposure time. If no patch is available at the time of disclosure but mitigation steps are, consider applying the mitigation to critical systems until the patch is published.
The first quarter of 2020 also saw increased activity by advanced persistent threat (APT) groups. APT groups typically receive direction and support from established nation-states. Like other attackers, they try to steal data, disrupt operations or destroy infrastructure; unlike most, they pursue their objectives over relatively long periods, adapt to cyber defenses, and frequently retarget the same victim.
In February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released details on seven malware tools it identified as being used by the threat group Hidden Cobra (Lazarus Group/APT38). The malware families were named Hoplight, Buffetline, Artfulpie, Hotcroissant, Crowdedflounder, Slickshoes, and Bistromath. There was also a rise in activity from the APT36 threat group, which used spear phishing and watering hole attacks to gain access with the goal of delivering the Crimson RAT malware. The FIN7 group has been linked to a campaign targeting organizations with malicious USB drives, often referred to as USB Rubber Ducky devices. The drives are usually mailed to Human Resources, Information Technology, or Executive Management employees, and the package often contains an additional gift item such as a teddy bear or gift card.
Mitiget reviewed the global security landscape for the first quarter of 2020 and designed this report to inform our clients and associates of the top areas to keep under oversight through the year. We also explored some interesting statistics and outlined how companies and individuals can protect the assets that support collaboration, enhance productivity, and simplify information governance and security.