According to the IBM Security 2021 X-Force Threat Intelligence Index, in 2020 threat actors sought to profit from the unprecedented socioeconomic, business, and political challenges brought on by the COVID-19 pandemic.
In an interview with Brian Pereira, Editor-in-Chief, CISO MAG, Prashant Bhatkal, Security Software Sales Leader, IBM Technology Sales, India/South Asia takes us through the findings of the report and comments on the top threat vectors, security trends, and the most targeted sectors.
Edited excerpts from the interview follow:
What threat vectors have been dominant during the pandemic? What kinds of attacks are escalating? And what does the X-Force research tell us about the reasons for these attacks?
We witnessed that targeting and tactics shifted through 2020 from spamming consumers to attacks on manufacturing and the COVID-19 supply chain.
The top three attack types observed by X-Force are:
1. Ransomware represented 23% of all 2020 attacks (a 7% increase since 2019).
2. Data theft represented 13% of attacks (160% increase in attacks since 2019).
- Emotet attacks, largely in Asia, made up 46% of the data theft activity X-Force research remediated in 2020. X-Force uncovered new features in Emotet malware samples such as anti-analysis capabilities, indicating that Emotet continues to pose a threat to organizations globally.
- Manufacturing bore the brunt of data theft attacks accounting for 33% of all data theft incidents. Energy followed at 21% of attacks, with finance and insurance third at 17% of data theft attacks.
3. Server access attacks represented 10% of attacks (233% increase in attacks since 2019).
- The exploitation of a Citrix path traversal flaw (CVE-2019-19781) largely drove this trend.
- 36% of the server access attacks X-Force observed targeted the finance and insurance sectors, with business services (14%), manufacturing (7%), and health care (7%) also getting impacted.
What were the most common “Entry Points” into victim environments, as observed by X-Force research?
The top three initial access vectors observed by X-Force are:
1. Scan-and-exploit led to 35% of attacks, compared to 30% in 2019.
- Known vulnerabilities continue to soar with the total number of vulnerabilities reaching nearly 180K in 2020 (17.5K new ones just in 2020).
- Scanning and exploiting requires few resources and can be automated and scaled to target a wide variety of victims, which may account for why this vector saw such a high volume, while defenders struggle to keep up with patching.
- Attackers exploited the Citrix vulnerability CVE-2019-19781 in almost 60% of the January 2020 attacks that X-Force responded to, and it was directly related to 15% of incidents in the first half of 2020.
2. Phishing led to 33% of attacks, compared to 31% in 2019.
- Despite its slight drop, phishing remains a top concern for legitimate organizations, with spear phishing and spoofing remaining effective ways to infiltrate environments without raising suspicions of authoritative organizations.
3. Credential theft led to 18% of attacks, compared to 29% in 2019.
- Vulnerabilities may have been attackers’ primary vector of choice, but credential theft remains a major threat.
- A possible cause of this is the increasing use of MFA and behavioral analytics/biometrics, making unauthorized use of credentials more easily detected/blocked.
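The scan-and-exploit pattern described above (one source probing many paths, including path traversal attempts) is something a defender can pick out of ordinary web server access logs. The following is an added example and not X-Force tooling or anything from the report: it assumes Common Log Format, the log lines are constructed, and it models generic traversal attempts rather than any particular product's vulnerability.

```python
"""Flag path-traversal attempts and mass-scanning sources in access logs.

Added example for the scan-and-exploit discussion; not from the X-Force
report.  Assumes Common Log Format; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD target proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_repeatedly(s, max_rounds=3):
    """URL-decode until the value stops changing, so that double encoding
    such as %252e%252e (-> %2e%2e -> ..) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_dotdot_segment(target):
    """True if the request path contains a '..' segment after decoding.

    Browsers normalize '..' away before sending a request, so a raw one in
    the request line almost always comes from a scanner or a hand-crafted
    request.  The query string is ignored; backslashes are treated as '/'.
    """
    path = decode_repeatedly(target.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in path.split("/"))


def parse_clf(line):
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_attempts(lines):
    """Return (ip, target, status) for every request that tries to traverse."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec and has_dotdot_segment(rec["target"]):
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits


def scanner_sources(lines, min_distinct_targets=3):
    """Source IPs that requested many distinct paths: the 'scan' half of
    scan-and-exploit.  The threshold is a tunable assumption."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_clf(line)
        if rec:
            targets[rec["ip"]].add(rec["target"])
    return {ip for ip, t in targets.items() if len(t) >= min_distinct_targets}


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [14/Jan/2020:03:12:01 +0000] "GET /app/../../etc/passwd HTTP/1.1" 403 215',
    '203.0.113.7 - - [14/Jan/2020:03:12:02 +0000] "GET /app/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 215',
    '203.0.113.7 - - [14/Jan/2020:03:12:03 +0000] "GET /static/%252e%252e/%252e%252e/win.ini HTTP/1.1" 404 198',
    '203.0.113.7 - - [14/Jan/2020:03:12:04 +0000] "POST /login HTTP/1.1" 200 1024',
    '198.51.100.4 - - [14/Jan/2020:03:15:10 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.4 - - [14/Jan/2020:03:15:11 +0000] "GET /img/logo.png?v=2 HTTP/1.1" 200 8012',
]

if __name__ == "__main__":
    for ip, target, status in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {target} -> {status}")
    print("scanning sources:", scanner_sources(SAMPLE_ACCESS_LOG))
```

Run against a real access log, the two signals are worth correlating: a source that both probes many distinct paths and sends decoded `..` segments is a scanner, and a 200 status on such a request is the event that deserves an incident rather than a ticket.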
Can you briefly comment on some of the trends indicated in the X-force research report?
Cybercriminals Accelerate Use of Linux Malware – Linux currently powers 90% of cloud workloads and adoption is only accelerating amidst shifting business needs during the pandemic. Almost 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by COVID-19 (Gartner). Attackers follow the trend: of all the Linux crypto-miners Intezer saw in 2020, over 13% was new code – attackers are exploiting the expandable processing power that cloud environments provide and incurring heavy cloud usage charges on organizations. Of all the Linux ransomware and Trojans, 6% was new, previously unobserved code. Attackers who once were focused primarily on Windows malware are now expanding to Linux, scaling these attacks to increase effectiveness. The number of Linux-related malware families grew from just nine in 2010 to 56 in 2020; in 2020 alone the report (Intezer) observed a 40% increase from the previous year.
Investment in Open Source Malware Threatens Cloud Environments – Attackers may be looking for ways to improve their margins — possibly reducing costs, increasing effectiveness, and creating opportunities to scale more profitable attacks. X-Force highlights various threat groups such as APT28, APT29, and Carbanak turning to open source malware, indicating that this trend will be an accelerator for more cloud attacks in the coming times.
Pandemic Drives Top Spoofed Brands – During the onset of the pandemic, more than ever, people turned to technology tools and social networks to stay in touch with friends and family during an isolating time. With more companies shifting to collaboration tools to maintain their operations amidst the pandemic, spoofing followed suit. We saw attackers impersonate tools that were used as alternatives to in-person activities from work collaboration, to paying for goods, and to ordering online.
Cybercriminals Disguised as Celebrity Brand – Social engineering techniques have been successfully used by scamsters and the trend continues – we have seen scamsters target the trust and demand from consumers to lure them to visit sites disguised as well-known brands.
Vulnerabilities Surpass Phishing as Most Common Infection Vector – X-Force observed that more attacks last year used vulnerability exploits to access victims, surpassing phishing as the most successful infection vector.
Ransomware Groups Cash in On Profitable Business Model – The most successful ransomware groups in 2020 were focused not only on stealing and leaking data but also on creating Ransomware-as-a-Service cartels and outsourcing key aspects of their operations to cybercriminals that specialize in different aspects of an attack. Ransomware also employed double extortion tactics that helped the malware families to further increase their profitability. These various tactics together have helped ransomware groups to become more profitable in 2020.
Ransomware dominates 2020 as the most common attack vector. And looking at the incidents that occurred this year, it looks like ransomware will continue to be a major security issue not just for private organizations but also for governments. What is the industry doing to fight ransomware? Can we expect to see some new standards (for decryption) emerging this year to fight ransomware?
Organizations can take the following measures to protect against ransomware:
- Backing-up data remains essential – While defenders may not have the same leverage with back-ups when dealing with double extortion tactics, this remains a baseline security requirement they must follow.
- Encrypt your data – Encryption removes the criminals’ leverage because they can’t sell or leak your data to encourage you to pay. So, if a bad guy gets their hands on your data and it’s unexploitable to them, they can’t make money off it, they’ll move on.
- Monitor what kind of cloud storage/file sharing solutions are being used in the environment. Most companies use a single solution, so anything that is being used that is not that solution would be worth investigating and blocking if possible.
- Leverage AI to identify and contextualize suspicious activity or access to data.
- Use the principle of least privilege to limit access to sensitive data to those who absolutely require it. Organizations should also have archiving processes in place for data that no longer needs to be active on the network.
- Protect highly privileged accounts that are essentially allowed to go anywhere in the network and access any type of data. It’s essential to have Privileged Access Management (PAM) and Identity & Access Management (IAM) in place.
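The recommendation above to watch for cloud storage and file-sharing services other than the one the company actually uses can be turned into a straightforward proxy-log check. The following is an added example and not part of the interview or the X-Force report: the log format, the log lines and the choice of SharePoint as the sanctioned provider are all constructed assumptions, and the domain table is a small illustrative subset rather than a complete list.

```python
"""Spot cloud storage / file-sharing services in proxy logs that are not the
organization's sanctioned one, and total the bytes uploaded to them.

Added example, not from the X-Force report.  Assumptions: the sanctioned
provider is SharePoint, the log format and sample lines are constructed, and
FILE_SHARING_DOMAINS is an illustrative subset of real service domains.
"""
from collections import defaultdict

# Registered domains of well-known storage / sharing services (subset).
FILE_SHARING_DOMAINS = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "box.com": "Box",
    "wetransfer.com": "WeTransfer",
    "mega.nz": "MEGA",
    "sharepoint.com": "SharePoint",
}

# Assumption: the company standard is SharePoint; everything else is shadow IT.
SANCTIONED_SERVICES = {"SharePoint"}

# Methods that carry data out of the network.
UPLOAD_METHODS = {"POST", "PUT"}


def service_for_host(host):
    """Map a hostname to a known service by walking up its parent domains,
    so content.dropbox.com and www.dropbox.com both resolve to Dropbox."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in FILE_SHARING_DOMAINS:
            return FILE_SHARING_DOMAINS[candidate]
    return None


def parse_proxy_line(line):
    """Constructed format: '<ts> <user> <client_ip> <method> <host> <bytes_out>'.
    Returns None for lines that do not fit."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, user, ip, method, host, bytes_out = fields
    return {
        "ts": ts, "user": user, "ip": ip,
        "method": method.upper(), "host": host, "bytes_out": int(bytes_out),
    }


def find_unsanctioned_storage(lines, sanctioned=SANCTIONED_SERVICES):
    """Return (flagged_events, upload_totals).

    flagged_events: every request to a known service that is not sanctioned.
    upload_totals:  {(user, service): bytes} for POST/PUT traffic only, which
                    is the part that matters for data theft and extortion.
    """
    flagged = []
    uploads = defaultdict(int)
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        service = service_for_host(rec["host"])
        if service is None or service in sanctioned:
            continue
        rec["service"] = service
        flagged.append(rec)
        if rec["method"] in UPLOAD_METHODS:
            uploads[(rec["user"], service)] += rec["bytes_out"]
    return flagged, dict(uploads)


# Constructed sample log; users, hosts and byte counts are made up.
SAMPLE_PROXY_LOG = [
    "2021-03-02T10:15:01Z alice 10.0.0.5 PUT content.dropbox.com 52428800",
    "2021-03-02T10:15:07Z alice 10.0.0.5 PUT tenant.sharepoint.com 1048576",
    "2021-03-02T10:16:20Z bob 10.0.0.9 GET drive.google.com 2048",
    "2021-03-02T10:17:45Z bob 10.0.0.9 POST www.dropbox.com 10485760",
    "2021-03-02T10:18:02Z carol 10.0.0.12 GET example.com 512",
    "2021-03-02T10:19:30Z carol 10.0.0.12 POST mega.nz 734003200",
]

if __name__ == "__main__":
    events, totals = find_unsanctioned_storage(SAMPLE_PROXY_LOG)
    for e in events:
        print(f"{e['ts']} {e['user']} {e['method']} {e['host']} ({e['service']})")
    for (user, service), n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{user} uploaded {n / 2**20:.1f} MiB to {service}")
```

The upload totals are the number to alert on: a user pushing hundreds of megabytes to a service the company does not use is the pattern that precedes a leak-site listing, whereas a single GET to a sharing site is usually just someone downloading a file a partner sent them.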
Per the report, which sectors are commonly being targeted? What do you observe specific to India?
In India, finance and insurance was the top attacked industry (60%), followed by manufacturing and professional services, with threat actors targeting organizations that could not afford downtime owing to the nature of their services.