Cisco has revealed the findings of its ‘Defending Against Critical Threats Report’, noting changes in criminal activity during 2020 and new methods of exploitation, arising as a result of the pandemic.
During a year in which transitioning to digital infrastructures became essential for all, Cisco explores the ongoing complexity and evolution of cyberthreats, to inform organisations and empower stronger decision-making.
Increased vulnerabilities with remote working
Cisco Umbrella – a cloud-driven Secure Internet Gateway – examined traffic running through its DNS servers, identifying mid-March 2020 as a peak period of increased remote connections. Between the first and last week of March alone, the number of remote workers had effectively doubled.
Cisco Talos noticed a rise in spam emails associated with words such as ‘pandemic’ and ‘COVID-19’ in early February 2020. Researchers from the Cisco Umbrella team also showed that on a single day in March 2020, enterprise customers connected to 47,059 domains that contained ‘COVID’ or ‘corona’ in the name. Of these, 4% were blocked as malicious. By late April, the percentage of domains blocked via e-mail filtering peaked as high as 75%.
The evolution of ransomware and big-game hunting
One of the most prominent trends of 2020 was the widespread adoption of new tactics, techniques and procedures (TTPs) related to the deployment of ransomware on corporate networks.
Rather than simply activating ransomware on the first successfully compromised system, adversaries are now leveraging systems as an initial access point into the network. They then move laterally throughout the network, gaining access to additional systems and escalating privileges. Ransomware can be activated on all of these systems simultaneously, maximising the damage inflicted on the organisation.
This approach to the attack lifecycle has become known as ‘big-game hunting’ and has gained popularity, with many adversaries actively targeting backup systems, domain controllers and other business-critical servers during the post-compromise phase of their attacks.
Commenting on the findings, Fady Younes, Cybersecurity Director, Middle East and Africa (MEA), Cisco, said: “The past year has presented enterprises with a number of new challenges, as they circumnavigated the complex threat landscape in an increasingly digital world. This year, CISOs and IT teams must ensure they implement next-generation firewall measures, advanced malware protection and secure network analytics to know who is connected to the network and for what purpose.”
Targeted threats for maximum impact
Other notable threats included Cisco Talos’ discovery of a new malware campaign in April, known as ‘PoetRAT’. Research showed that the malware was distributed using URLs that mimicked certain government domains, targeting private companies. Talos observed multiple new campaigns from these threat actors over the course of the year, indicating a change in the actors’ capabilities and showing their maturity toward better operational security.
In December 2020, a major supply chain attack was uncovered on a company producing infrastructure management applications. Systems had been compromised earlier in the year and malicious code was introduced into product updates that were made available on the company’s website. A number of organisations that use the software and had patched with the malicious updates subsequently reported that they had been breached, including security companies, government agencies and others.
“Many of the new threats we have identified involve compromising endpoints, which are crucial to secure and maintain in today’s world of remote work. Secure endpoints can protect an organisation from major impact after an attack, whether on-premises or remote. Decision makers should invest in technologies which integrate prevention, detection, threat hunting and response capabilities in a single solution for greater visibility and more actionable insights to strengthen security posture,” Younes added.