Sophos has released its 2020 Threat Report, which reveals some of the recent changes in the cybersecurity threat landscape and details some of the key attack trends that are likely to continue in the New Year.
The cybersecurity threat landscape is in a constant state of flux, so it is impossible to predict exactly what direction cybercriminals will take over the next 12 months; the attack trends from the past few months do, however, provide insights into how businesses are likely to be attacked in 2020.
What is clear from the cyberattacks over the past few months is that cybercriminals are becoming far stealthier and much more adept at exploiting vulnerabilities and mistakes. Even with advances in detection capabilities, attackers’ malicious activities remain well hidden as cybercriminals become more skilled at evading detection.
One of the main trends Sophos identified in 2019 is an increase in automated active attacks. This is the term given to human-directed compromises of internal business networks followed by the use of legitimate Windows network administration tools to move laterally and distribute malware. By using these tools, such as PowerShell and WMI, attackers can hide their activities and gain access to large numbers of networked devices after compromising a single machine. These tactics have been used effectively by the threat actors behind MegaCortex ransomware and SamSam ransomware to cause maximum damage, allowing them to demand huge ransom payments.
RDP-based attacks have proven popular in 2019 and there is no sign that this method of attack will stop any time soon. Hackers are scanning the internet for machines with RDP exposed and are conducting targeted attacks against RDP using brute force tactics to guess credentials. Sophos tested how long it took hackers to find honeypots that had been set up to look like genuine servers with RDP exposed to the public. Over the course of 30 days in the spring of 2019, Sophos observed more than 3 million attempts to log in to its honeypots. It is worth noting that these were not scans; they were actual login attempts.
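The credential-guessing activity described above leaves a recognisable trace in the Windows Security log: bursts of failed RemoteInteractive logons from one source, sometimes followed by a success. The following detection logic is an added example, not code from Sophos or the report; the log format, sample events and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, "timestamp|event_id|logon_type|user|src_ip", modelled on the
# Windows Security log: 4625 = failed logon, 4624 = successful logon, logon type 10 =
# RemoteInteractive (RDP). Not real data.
SAMPLE_LOG = """\
2019-04-02T10:00:01|4625|10|administrator|203.0.113.7
2019-04-02T10:00:02|4625|10|admin|203.0.113.7
2019-04-02T10:00:02|4625|10|root|203.0.113.7
2019-04-02T10:00:03|4625|10|backup|203.0.113.7
2019-04-02T10:00:05|4625|10|test|203.0.113.7
2019-04-02T10:00:06|4624|10|backup|203.0.113.7
2019-04-02T10:05:00|4625|10|jsmith|198.51.100.20
2019-04-02T10:05:30|4624|10|jsmith|198.51.100.20
2019-04-02T10:06:00|4625|3|svc_share|198.51.100.20
"""

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, user, src_ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "src_ip": src_ip})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Map src_ip -> alert for sources with >= threshold RDP logon failures in window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:      # only RemoteInteractive (RDP) logons
            continue
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((e["ts"], e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append((e["ts"], e["user"]))
    alerts = {}
    for ip, fails in failures.items():
        for i in range(len(fails)):    # sliding window over sorted failure times
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j][0]
                alerts[ip] = {"failures": j - i + 1,
                              "users": sorted({u for _, u in fails[i:j + 1]}),
                              # a successful RDP logon after the burst is the urgent case
                              "success_after": any(t > last_fail for t, _ in successes[ip])}
                break
    return alerts
```

Running `detect_rdp_bruteforce(parse(SAMPLE_LOG))` flags only 203.0.113.7, with five usernames tried and a success after the burst; the single failure from 198.51.100.20 and the non-RDP (type 3) failure do not trigger.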
Sophos has found that the line between potentially unwanted programs and malware is becoming more blurred. Browser plug-ins and other potentially unwanted apps are increasingly being used for fileless attacks and for delivering malware. There has also been a notable increase in fleeceware Android apps, which provide basic services that are available for free or low cost through standard apps, but massively overcharge users for those services.
Attacks on cloud environments are also increasing, not because cloud resources cannot be secured, but because of mistakes made configuring those resources that leave them open to attack. As cloud environments become more complex and visibility into the entire cloud ecosystem remains poor, there is considerable potential for errors to be made and cybercriminals are ready and waiting to take advantage.
New research conducted in 2019 revealed machine learning systems, the very systems that are leveraged by cybersecurity companies to detect threats, can be fooled. Those systems can also be leveraged to conduct offensive activities, such as generating convincing fake content that can be disseminated on social media networks. Machine learning systems could be harnessed and used for a wide range of malicious purposes, including influencing the results of elections. This is certainly an area which will see heightened activity in years to come.