2020 Jul 24;2020(7):4. doi: 10.1016/S1361-3723(20)30071-3

NTT Security: Global Threat Intelligence Report

PMCID: PMC7380918

Abstract

There's one thing you can rely on with cyber criminals – they never let a good crisis go to waste. And so it has proved with the Covid-19 pandemic, with scammers and hackers taking full advantage of people's fears and confusion and the disruption of normal working practices. At the same time, cyber criminals are getting smarter and adopting ever-greater use of automation, according to the ‘2020 Global Threat Intelligence Report’ (GTIR) from NTT Security.


Figure: Global Threat Intelligence Report

“The current global crisis has shown us that cyber criminals will always take advantage of any situation and organisations must be ready for anything,” said Matthew Gyde, president and CEO of the security division of NTT. “We are already seeing an increased number of ransomware attacks on healthcare organisations and we expect this to get worse before it gets better. Now more than ever, it's critical to pay attention to the security that enables your business; making sure you are cyber-resilient and maximising the effectiveness of secure-by-design initiatives.”

The web continues to be a weak point for many organisations – and this is at a time when many of them are more reliant on the web to reach and interact with customers. Of the attack types covered by the report, most (88%) were what you might call old favourites, and a significant proportion of these involved web technologies of some kind.

Nearly a quarter (22%) of attacks targeted web applications. A further 20% focused on content management system (CMS) solutions such as WordPress, Joomla!, Drupal and noneCMS. Compromising these systems not only potentially provides attackers with a valuable haul of personal data but can also provide a pivot point deeper into the victim organisation. And 28% of attacks targeted other technologies used to support websites, such as ColdFusion and Apache Struts.

Figure: The most common attack types. Source: NTT.

Much of this is business as normal for cyber criminals. But these are not normal times. Attackers have adapted their activities to take full advantage of the current situation. Phishing attacks, in particular, have taken on a distinct coronavirus flavour. Emails purporting to offer Covid-19 information and even fake track and trace alerts are currently some of the most popular among cyber criminals. Phishing emails generally lure victims to fake websites – usually posing as official sites but actually hosting exploit kits, malware or credential-stealing forms – and NTT's GTIR reports having seen as many as 2,000 such sites being created each day.

The pandemic has also resulted in a massive spike in people working from home, often via hastily improvised arrangements such as VPNs and teleconferencing. It's unlikely that many organisations have been able to implement the same kinds of security and other information protection safeguards – such as anti-malware and anti-phishing systems, data classification and data loss prevention, intrusion detection and prevention and so on – that employees would have when working at the office. It's more likely, too, that employees will more freely mix personal and business activities on the same device. The impact that all this is going to have on network security, regulatory and legal compliance and data privacy is something that only time will tell.

Cyber criminals continue to innovate, too. The exploitation of Internet of Things (IoT) devices for use as botnets is on the rise. With their notoriously poor security, Internet-connected devices such as CCTV cameras and DVRs, network devices and even toys are ripe pickings and easy to find with little more than an Internet search using a tool such as Shodan.

And criminals are quick to notice what works and what doesn't. “Due to the overwhelming success of the use of tools such as web shells, exploit kits, and targeted ransomware, adversaries are still developing effective multifunction attack tools and capabilities,” says the report. “The most common techniques observed globally were remote code execution (15%) and injection (14%) attacks. In most cases, these attacks continue to be effective due to organisations' poor practices related to network, operating system, and application configuration, testing, security controls and overall security hygiene. Adversaries are also leveraging artificial intelligence, machine learning, and investing in the automation of attacks. 21% of malware detected was in the form of a vulnerability scanner, which also supports the premise that automation is a key focus point of attackers.”

At the same time, old vulnerabilities – many of them several years old – are still being exploited, and organisations' patching practices simply aren't good enough. For example, the Heartbleed vulnerability is still being successfully attacked. Considering the massive publicity, bordering on hysteria, that surrounded this issue, you would think that everyone would have got the message – but apparently not.

The tech industry itself is now the most commonly attacked, accounting for a quarter of all incidents, according to the report. (Previous years' reports had put it in second place.) Application-specific and denial of service attacks exploiting IoT devices (particularly distributed denial of service – DDoS – attacks) feature large in this sector.

NTT's recommendations are pretty much what you'd expect – to adopt a ‘secure by design’ approach to all development and business activities and to use threat intelligence services to inform constant monitoring of the threat environment.

The report is available at: https://hello.global.ntt/en-us/insights/2020-global-threat-intelligence-report.


Articles from Computer Fraud & Security are provided here courtesy of Elsevier
