Digital criminals frequently made headlines in 2019 by directing their attack campaigns against organizations in education, government, healthcare and financial services, among other sectors. In an effort to boost the efficacy of their efforts, open up new attack channels and/or shield their operations from detection, many malicious actors adopted tools and techniques which the security community had never seen before. Some of these tricks caught on with their peers, changing the threat landscape more generally.
As we find ourselves at the start of a new year and decade, it’s important for organizations to understand some of the changes that occurred over the past year and how these developments might affect their digital security going forward. I recently sat down with Troy Gill, Manger of Security Research at AppRiver, to discuss what information security predictions he has for 2020. His expectations are presented below.
An Evolving Underground Ecosystem for Cybercrime
Gill explained that the underground cybercrime ecosystem has evolved in such a way that it has helped to create an industry of commoditized products and services for malicious actors. Whether they’re script kiddies or experienced attackers, nefarious individuals can now turn to the digital underground to easily obtain access to valuable information, such as users’ stolen data. They can also share their experience with and learn about the latest exploits, compromised machines and malware as a service (MaaS) platforms.
Threat actors are increasingly cooperating with each other to maximize their attacks’ effectiveness and profits. Some have even begun developing affiliate and revenue sharing models. Looking ahead, Gill expects these partnerships will increase in frequency in 2020 and beyond.
This forecast reflects the rise of MaaS platforms in the first half of 2019. Indeed, SonicWall saw an escalation of both ransomware as a service (RaaS) offerings and open-source malware kits during that time. Cerber ransomware led the way; SonicWall’s researchers documented three million hits for the Cerber.G_5 RaaS signature in June 2019 alone.
The Growing Frequency of Supply Chain Attacks
As attackers are relentless in their efforts to breach targets, they will increasingly turn to targeting a weaker point of entry in an organization’s supply chain. This could encompass anything hardware- or software-related. (Remember that those responsible for the 2013 Target breach infiltrated the retailer’s network and ultimately moved to its processing systems after exploiting the security vulnerabilities at a third-party HVAC vendor.) This means businesses of any size will be targeted more frequently and at the very least could become collateral damage.
In support of this prediction, Carbon Black found in its Q1 2019 Global Incident Response Threat Report that 50 percent of today’s digital attacks leverage “island hopping.” This technique helps bad actors reach their primary target after compromising the network of another target such as a vendor or supplier in its supply chain. Attack groups have made a name for themselves targeting specific industries in this regard. For instance, ESET observed the Winnti Group using a supply-chain attack campaign to target video game developers in Asia.
Identity Becoming More Difficult to Determine
Another method that has been trending upward recently is the exploitation of other compromised identities to commit attacks. Gill explained that attackers have leveraged this tactic cleverly so far and that these malicious actors will likely introduce new variants of these attacks in 2020. We’ve already seen voice/speech synthesis phishing attacks, for instance. With the emergence of technologies like those used to create “Deep Fakes,” this area will likely see heightened activity for years to come.
More Chained Attacks Involving Ransomware
Digital criminals are starting to move away from standalone ransomware attacks in order to ensure maximum gain from their victims. Specifically, Gill noted that malicious individuals are following up their ransomware attacks with infections by remote access trojans, wiper elements and backdoors that lead to banking trojans to bolster their efforts’ profitability. Towards this end, we’ve already seen a Maze ransomware attack that threatened to (and ultimately did) publish its victim’s data in a bid to increase the probability that their target would pay the ransom demand.
The Maze infection referenced above isn’t an isolated incident, unfortunately. As Bleeping Computer founder Lawrence Abrams noted in a blog post, ransomware attackers have been threatening to publish victims’ data for years. They’re now simply carrying through on their threats by putting this information online.
The Rise of IoT “Micro” Ruses
IoT micro ransoms or scams will trend up over time, predicted Gill. That’s because sales and low consumer prices remain primary goals for most IoT companies while security still typically languishes as an after-thought. This hierarchy of priorities creates a lack of security focus in the industry that’s ripe for exploitation. Indeed, the FBI warned consumers about the dangers of smart TVs that malicious actors could use for nefarious purposes. Smart locks are also an area of concern since most of them are susceptible to various types of security vulnerabilities.
Escalating Use of “Living off the Land” Techniques
Attackers will increasingly rely upon legitimate services like PowerShell to perpetrate many elements and stages of their attacks. This method gives a substantial boost to the false validity of an attack in the eyes of the target. In 2019, attackers took this “living off the land” tactic to a new level. As an example, Zix published an article in April 2019 about how malicious actors had begun hosting phishing sites on Microsoft’s own servers to prevent their attack emails from raising red flags with email gateways. Digital attackers are expected to continue that momentum and increasingly embrace living off the land techniques into 2020.
More Attacks Designed to Defeat MFA
Cybercriminals are successfully defeating MFA through social engineering attacks and other tech-based attacks. As adoption of MFA ramps up, Gill predicts that attackers’ efforts to defeat the added security measures will also grow.
Sextortion on the Rise
There is an upward trend of sextortion taking place within online dating communities, according to MarketWatch. In tandem with that, Gill said that he’s seen an uptick in sextortion email activity. The ease with which attackers can gather the contacts of friends and family, employers, social organizations online via social media and the web has helped fuel these attacks. It’s also spawned many variants. In October 2019, for instance, Check Point Software disclosed a campaign in which the Phorpiex (aka Trik) botnet had thus far used thousands of infected computers to deliver sextortion emails to unsuspecting users. It was a few months later when Malwarebytes observed sextortion scammers trying to wear down their victims with warning messages that contained a nonsensical amalgamation of technical terms.
Staying Safe in 2020
The predictions discussed above highlight the need for organizations to bolster their digital security posture going into the new year and decade. One of the best ways they can do this is by strengthening their email security. Ideally, they should invest in a security solution that’s capable of analyzing incoming email messages based upon their URLs, campaign patterns, malware indicators, IP addresses, and other factors. They should perform this analysis in real-time, all while allowing legitimate correspondence to make their way into the business.
Interested in learning how ZixProtect can serve as the foundation for your organization’s robust digital security posture in 2020 and beyond? Click here for more information.