In recent years, industry and the governmental bodies assessing cyber threats have continuously raised alarms about the increase in the number and complexity of cyber-attacks detected worldwide.
2020 is one of the most challenging years for cybersecurity teams because of the COVID-19 pandemic, which has dramatically changed the pace of digital transformation for many organisations across the globe, increasing the attack surface and adding more complexity to the environments they must protect.
“The pandemic, and its resulting changes to the business world, accelerated digitalisation of business processes, endpoint mobility and the expansion of cloud computing in most organisations, revealing legacy thinking and technologies,” says Peter Firstbrook, VP Analyst, Gartner.
Significant challenges such as the shortage of technical security staff, accelerated migration to cloud computing, regulatory compliance requirements and the evolution of cyber threats are amplified by the way the COVID-19 pandemic refocused security teams on the value of cloud-delivered security, on reviewing remote access policies and tools, on migration to cloud data centres and SaaS applications, and on securing new digitisation efforts to minimise person-to-person interactions.[1]
By analysing the latest reports and statistics publicly available, and also by using Silensec’s intelligence as an international MSSP, we identified ten of what we consider to be the most relevant threats of 2020 for business organisations:
1. Business email compromise with advanced phishing
With email attacks, cybercriminals are becoming increasingly inventive, and their efforts are paying off because their primary target is users, who are tricked into opening emails containing malware or a virus.
Among the most common threats are phishing campaigns, CEO fraud, ransomware and impersonation tactics. Account takeovers are on the rise, especially with more businesses using cloud services such as Office 365 without implementing proper security controls from the beginning.
Employees receive emails from a genuine email address that they have no reason to distrust, but the emails phish their credentials, giving attackers access to the email account's configuration and messages so that they can launch further attacks.
Even though phishing is associated with targeting humans, new types of phishing have been detected in the wild that are designed to evade the most advanced email filtering solutions on the market today. The most dangerous phishing campaigns are targeted at a specific organisation. They are rarely detected by email security solutions based on threat intelligence, since the attackers count on the uniqueness of the attack and make an effort not to reuse infrastructure from previous attacks (IoCs such as IPs, domains and hashes).
2. Ransomware as a service
Ransomware as a Service (RaaS) is a particularly worrying new trend, as it offers services to cybercriminals.
In much the same way as SaaS (Software as a Service) gives a done-for-you service, RaaS sells malware to criminals, saving them the time and effort of having to build it themselves.
RaaS providers operate as a business. One person (the aggregator) builds and sells scalable, easy-to-use malware kits to anyone looking to carry out a cyberattack (known as ‘ransomware operators’). These operators don’t require technical know-how, just the desire to cause damage to a business in return for money.[2]
The availability at scale of professional ransomware attacks, delivered through sophisticated and technically complex attack vectors, keeps the risk posed by this type of threat on the rise.
3. Working Remotely due to COVID-19
Cybersecurity was not a top priority at the beginning of the pandemic, but now remote work poses one of the year’s biggest threats.
COVID-19 pandemic crisis management plans have forced many organisations to go fully or partially remote. However, the decision to keep employees remote in order to follow social distancing guidelines happened very fast; many companies did not properly prepare.
Many companies and remote workers weren’t and aren’t prepared to work full-time from home.
In addition, home networks are usually less secure than corporate infrastructures. They do not benefit from any specific security controls, which makes the remote workforce an attractive, and sometimes easy, target for attackers.
4. Fileless attacks
Fileless malware is a type of malicious software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove. Modern adversaries know the strategies organisations use to try to block their attacks, and they’re crafting increasingly sophisticated, targeted malware to evade defences. It’s a race against time, as the most effective hacking techniques are usually the newest ones. Fileless malware has been effective in avoiding all but the most sophisticated security solutions.[3]
According to most of the cybersecurity vendors on the market today, one of the trending threats in 2020 is the increase in fileless attacks.
“Many companies and consumers still assume most of their virtual threats will come from a malicious or infected file. But if they’re not equally prepared against fileless threats, they’re leaving themselves vulnerable to an increasingly common form of attack,” says Alun Baker, founder of Clario.
5. Mobile threats
According to an FBI report published in June 2020, there has been a 50% increase in mobile banking activity since the beginning of 2020. Threat actors are aware of this trend and are capitalising on it.
PhishLabs[4] identified two types of app-based threats to be cautious of, the first being banking trojans disguised as common apps such as games or tools. These mobile banking trojans are designed to lay dormant until the user’s legitimate banking app is launched. At that point, these trojans overlay the real banking app with a fake login screen that steals credentials. The trojan transfers the user to the legitimate banking app after the username and password have been entered so that they are not alerted to the scam.
The second type of mobile banking threat consists of apps that impersonate real financial institutions. These fraudulent applications are widely available in official and unofficial app stores, with the FBI’s report noting that 65,000 were detected in 2018 alone. If downloaded, these apps present what looks like a legitimate login page, only to steal the user’s credentials and obtain security codes texted to the mobile device.
6. Cloud services compromised
Unfortunately, it’s not just by guessing passwords that hackers can get into emails and systems. A recent phishing attack was able to access users’ Office 365 accounts through the Microsoft OAuth API.[5]
By posing as the Microsoft log-in page, the fake OAuth prompt asks users to grant permission to a third-party tool or software. Once the user name and password have been submitted, their data can be accessed remotely and compromised.
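On the defensive side, the permission grant described above leaves a record that can be reviewed. The following is an added example, not part of the original article: it triages third-party OAuth grants by the mail and file scopes they hold. The record layout, app names and scope weights are assumptions made for illustration, and the grant list is constructed sample data.

```python
# Added example: triage of third-party OAuth grants in a cloud mail/file tenant.
# Record layout, app names and weights are assumptions; GRANTS is constructed data.

# Delegated scopes that expose mailbox or file content, with illustrative weights.
HIGH_RISK = {"Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
             "Files.ReadWrite.All": 4, "Contacts.Read": 2,
             "MailboxSettings.ReadWrite": 4}
PERSISTENCE = "offline_access"  # lets the app obtain refresh tokens

GRANTS = [
    {"app": "Contoso Expense Sync", "publisher_verified": True,
     "user": "alice@example.com", "scope": "User.Read Files.Read"},
    {"app": "O365 Access Helper", "publisher_verified": False,
     "user": "bob@example.com",
     "scope": "User.Read Mail.Read Contacts.Read offline_access"},
    {"app": "O365 Access Helper", "publisher_verified": False,
     "user": "carol@example.com",
     "scope": "Mail.ReadWrite MailboxSettings.ReadWrite offline_access"},
    {"app": "Calendar Widget", "publisher_verified": False,
     "user": "dave@example.com", "scope": "User.Read Calendars.Read"},
]

def score_grant(grant):
    """Score one grant: sensitive scopes, plus long-lived access, plus unknown publisher."""
    scopes = set(grant["scope"].split())
    score = sum(HIGH_RISK.get(s, 0) for s in scopes)
    if score and PERSISTENCE in scopes:
        score += 2  # sensitive data combined with refresh tokens
    if score and not grant["publisher_verified"]:
        score += 2  # sensitive data held by an unverified publisher
    return score

def triage(grants, threshold=6):
    """Group grants at or above the threshold by app, highest score first."""
    by_app = {}
    for g in grants:
        s = score_grant(g)
        if s >= threshold:
            entry = by_app.setdefault(g["app"], {"max_score": 0, "users": []})
            entry["max_score"] = max(entry["max_score"], s)
            entry["users"].append(g["user"])
    return dict(sorted(by_app.items(), key=lambda kv: -kv[1]["max_score"]))

if __name__ == "__main__":
    for app, info in triage(GRANTS).items():
        print(app, info["max_score"], ", ".join(info["users"]))
```

Apps that surface here are candidates for consent revocation and a review of the affected users' mailboxes; the threshold and weights should be tuned to the tenant.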
7. Collaboration platforms as new attack vectors
Because of social distancing measures related to COVID-19, many people are new to working from home. As a result, the use of online collaboration platforms (e.g. Zoom, Google Drive, Microsoft OneDrive and Teams) is surging.
“While this is great for productivity, it poses a unique challenge for security professionals,” explains Liron Barak, CEO at BitDam. “These services are under constant attack—with increased frequency, sophistication and evasiveness. With new channels come new attack vectors, which also means that the risks and potential damage that can be caused keep growing.”[6]
8. The Internet of Things
The Internet of Things (IoT) allows us to be continuously connected, both at work and at home. Web-connected devices range from laptops and smartphones to smartwatches, smart locks, a huge number of payment-enabled devices and “personal assistants” like Alexa and Google Home.
While the IoT adds obvious value to our personal and professional projects and lives, it also opens up endless new opportunities for hackers to access sensitive data, and a growing number of exploits and attacks targeting IoT have been reported in recent months.
9. Application Programming Interface (API) Vulnerabilities and Breaches
A recent study by Imperva[7] indicates that application programming interface (API) security readiness typically lags behind web app security across the majority of organisations today. Additionally, more than two-thirds of the organisations readily make APIs available to the public to allow external developers and partners to tap into their app ecosystems and software platforms.
As the dependence on APIs increases, API-based breaches will become more prominent in 2020. This will trigger adverse impacts on high-profile apps in financial processes, messaging, peer-to-peer and social media. As more organisations continue to adopt APIs for their applications, API security will be exposed as the weakest link, which could lead to cloud-native threats and put user data and privacy at risk.
10. DDoS Attacks
Distributed denial of service (DDoS) attacks remain a significant cyber threat to many organisations. These attacks are designed to overwhelm a victim’s network resources so they cannot process legitimate traffic on their network. The methodology of these attacks can vary from one to the next and may involve varying levels of complexity. This is part of what makes DDoS attacks such a worrisome cybersecurity threat.
The second quarter of 2020 is notable for the number of DDoS attacks: the period from April through June normally sees a lull, but this year, DDoS activity increased in comparison to the previous reporting period. This is most likely due to the coronavirus pandemic and restrictive measures that lasted for part or all of the quarter in many countries. The forced migration of many day-to-day activities online led to an increase in potential DDoS targets. [8]
References:
[1] Gartner – Top 9 security and risk trends for 2020
[2] Medium – Top 10 cyber security risks to protect against in 2020
[3] McAfee – What is fileless malware
[4] Info PhishLabs – FBI warns of growing mobile banking threats
[5] Techtelegraph – Phishing attack hijacks Office 365 accounts using OAuth apps
[6] I-sight – 11 Cybersecurity threats for 2020 plus 5 solutions