Our Quarterly Threat Situation Brief is intended to catch two birds with one stone by sharing with you our assessment of past security issues we have observed and by looking ahead and projecting what we foresee as trends. This is based on our study of relevant security sources on the one hand, and on the billions (!) of security events we have seen in our customers’ environments over the course of the last three months.

“Don’t let your guard down!” is the cybersecurity maxim in times of Corona pandemic. Alongside the current global downturn and an uncertain economic outlook, organizations are exposed to an escalated risk of malicious cyberattacks. An IT security health check is strongly recommended.

Covid-19: Healthcare in double trouble

As the world has been keeping a particular eye on healthcare in the past months since Corona pandemic started, so have cybercriminals. Around the globe, attackers have been focusing on providers of essential services such as hospitals threatening to publish the most sensitive personal data of individuals. A reminder of the importance of IT security, especially in critical infrastructure where losing control of data or system functions has direct and immense impact on so many levels.

An IT security health check, however, is recommended for any type of organization facing increasingly sophisticated attacks of all sorts as “the new normal” and with the continued successful exploitation of swiftly but insufficiently protected remote access solutions in enterprise environments.

General malware findings

Tired of ransomware attacks? While “ransomware fatigue” seems to set in company environments, we have been seeing an all-time high of such attacks targeting enterprises.  Attackers have been changing their distribution channels, also targeting air gapped environments. What may at first sight seem as a known attack under a familiar name, actually comes around much more advanced and enhanced. The “Emotet” of 2018, as an example, is not the “Emotet” we deal with today. Through this enhancement in methodology, all businesses no matter their size or organizational sophistication, may fall victim to such attacks.

Ransomware operators take evasive tactics to a new level and continuously find ways to bypass behavioral anti-ransomware tools. Therefore, a protection strategy solely built on applying endpoint detection and response (EDR) as well as artificial intelligence became insufficient. Human intelligence is needed to detect and neutralize early indicators of ongoing advanced attacks.

The most sophisticated ransomware recently has been “WastedLocker”, silently trying to spend as much time in company networks as possible in order to cause as much harm as possible. The Top 3 Most Popular Intrusion Methods include unsecured RDP endpoints, email phishing and the exploitation of corporate VPN appliances.

Zero-Day exploits and critical vulnerabilities

Distributed denial-of-service (DDoS) attacks have gotten more aggressive and have massively spiked up in 2020. The attacks flood a single target, thereby causing denial of service for users of the targeted system. Observed was a growing number of reflection amplification vectors that included DNS, CLDAP and NTP and also a rise of multi-vector attacks, making it harder to defend against. DDoS attacks from the cloud were in most cases using Microsoft Azure, AWS, and Google Cloud.

Topping the most common and dangerous weaknesses plaguing software, cross-site scripting (XSS) gives an easy to find and exploit tool to attackers that could lead to triggering a DDOS attack, steal sensitive data and take full control of vulnerable systems.

Threats & trends

To pay or not to pay might be an undesirable question for organizations to answer when not sufficiently protected from ransomware attacks. Vivid activity in this area will remain, being an attractive business model for cybercriminals. While this question upon occurrence of such attack has to be answered carefully for each organization, it is recommended to consider effects and handling beforehand as part of crisis planning while keeping in mind the possibility of attacks with no foreseen decryption.

Out of question on the other hand is the continuing trend of increasingly diversified and aggressive DDoS attacks as well as the trend of a significant increase in the number of ransomware attacks against hospitals, financial institutions, schools and other critical infrastructure in G7 countries. The latter to an extent causing G7 finance ministers expressing their concern about this development during the Covid-19 pandemic and including involvement of cryptocurrencies to facilitate money laundering.