Our Quarterly Threat Situation Brief is intended to catch two birds with one stone by sharing with you our assessment of past security issues we have observed and by looking ahead and projecting what we foresee as trends. This is based on our study of relevant security sources on the one hand, and on the billions (!) of security events we have seen in our customers’ environments over the course of the last 3 months.

One of the most disturbing developments we have seen in early 2020 is cyber criminals’ exploitation of the tragedy around Corona virus pandemic for their own very malicious cause.

Covid-19: How cyber criminals exploit the global threat

While the world struggles with the outbreak of the Corona virus pandemic, cyber criminals use people’s fear and curiosity to spread malware and wreak havoc on their victims. This comes mostly in the form of phishing emails with subjects pointing to Corona virus such as online medication offerings or by promoting an app full of insights and statistics related to the virus, when it actually comes with malware instead, holding your contacts and data ransom while asking you to pay Bitcoins.

Due to a global lockdown, most businesses had to switch to a work-from-home solution for their employees, opening themselves to a whole new range of attack vectors either by badly implemented VPN solutions, missing penetration tests due to time pressure, and other factors. With your employees sitting at home, there is also less visibility of who is around them and what they are doing. Privacy risks are higher than ever. Lucky are those who have implemented USB port control solutions, a solid VPN solution based on 2 factor authentication, network access control solution and email sandboxing solutions or even Content disarm and reconstruction solutions (“CDR”).

General malware findings

Identified for the first time in 2014, Emotet is still around in ever new incarnations and variations, one of the most famous victims being the Heise Magazine, a German publication specialized on Information Technology.

A new backdoor for attackers is “Mozart”, using DNS protocol to communicate with remote attackers to bypass security software and intrusion detection systems in order to execute commands permitting to download and install various malicious software.

Latest ransomware uses the wake-on-LAN feature to turn on powered off devices on a compromised network in order to encrypt offline devices. Others are publishing stolen data from non-paying ransomware victims or use spam and malicious attachments to infect victims. Another new ransomware reboots infected Windows systems into safe mode to bypass the antivirus first, and then encrypts victims’ files. A certain type of ransomware targets industrial control systems and encrypts all Windows devices connected to it.

Zero-day exploits and critical vulnerabilities

Prominent examples for such vulnerabilities in the past 3 months were a flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway exposing 80,000 companies around the globe, Dropbox for Windows and various critical Microsoft vulnerabilities. Also, continued attacks exploiting unpatched Pulse Secure VPN environments to install ransomware have been observed.

A recently disclosed zero-day vulnerability allows potential attackers to register “.com” and “.net” homograph domain names (among others), which is expected to be used in well-crafted phishing, and social engineering attacks against organizations. This flaw concerned Verisign and several large SaaS service providers including Google, Amazon and DigitalOcean.

Threats & trends

Cyber criminals are continuously professionalizing their attacks. Working with highly targeted approaches, adapting attacks to current developments such as Corona virus and increasingly well equipped to bypass traditional security tools.

On top of that, at the time writing this report, 12 potentially severe security vulnerabilities collectively named ‘SweynTooth’ were disclosed. Such unpatched flaws affect millions of Bluetooth enabled devices in a blink of an eye, which shows just how vulnerable the interconnected world in 2020 is.

Tips to #staysafe

Awareness campaigns for your employees regarding phishing and ransomware attacks – see Cybersecurity Trend Report
Awareness campaigns for your employees regarding privacy protection and EU GDPR when working from remote
Manage your vulnerabilities: patch early, patch frequently, patch quickly – and have solutions in place where patching does not work
Learn about Advanced Threat Detection sandboxing technology
Learn about Log Data Analytics (LDA)