The threat landscape is continuously changing, especially during tumultuous times. In such a dynamic environment, and with absolute security as an impossible goal, businesses must be ready for anything. In our latest Global Threat Intelligence Report (GTIR), launched in May, we identified six areas where the threat landscape has changed over the last 12 months.
1. Threat actors are innovating
Unfortunately, cyber-criminals are also capitalising on the Covid-19 pandemic by re-purposing their toolsets, deploying new infrastructure and developing innovative campaigns to proactively target vulnerable organisations. The flow of trusted and untrusted information used to mask the activities of attackers has shown us that they will take advantage of any situation given the opportunity. Organisations need to be ready to respond to these and other threats in a constantly evolving landscape.
Attack volumes increased across all industries between 2018 and 2019. Because tools such as web shells, exploit kits and targeted ransomware have been overwhelmingly successful, cyber-criminals are still developing effective multi-function attack tools and capabilities.
The most common techniques globally were remote code execution (15 per cent) and injection (14 per cent) attacks. In most cases, these attacks continue to be effective due to poor organisational practices related to network, operating system and application configuration, testing, security controls and overall security hygiene.
Threat actors are also leveraging more advanced capabilities, including artificial intelligence and machine learning, and investing in the automation of attacks. Over a fifth (21 per cent) of malware was in the form of a vulnerability scanner, according to the GTIR, which supports the premise that automation is a key focus point for attackers.
2. The weaponization of IoT
Mirai and IoTroop lead in malware detections, with more vulnerability scanning activity from these variants than from any other family of malware. Many attacks, including the high levels of vulnerability scanning activity detected globally, are directly related to activity from botnets like Mirai and IoTroop.
We have seen the re-emergence of Internet of Things (IoT) weaponization, with IoT devices continuing to be compromised. In particular, we have seen a spike in IoT attacks in the Americas – a market that craves IoT but has not evolved to secure it effectively. Botnets such as Mirai and its derivatives have advanced in automation, improving their propagation capabilities, and this has helped spread IoT attacks.
3. Old vulnerabilities refuse to die
In our GTIR 2020 report, a total of 258 new vulnerabilities were identified in Apache frameworks and software over the last two years. Additionally, Apache software was the third-most targeted in 2019, accounting for over 15 per cent of all attacks observed.
Attackers are still focusing on exploiting vulnerabilities – including familiar ones like Heartbleed – that are several years old and have patches available, but are still not being addressed by organisations’ patch and configuration management programs.
Very few businesses have clear patch management policies, and even those that do often fail to implement policies on their networking infrastructures consistently. As a result, there have been notable increases in the vulnerability of networks.
4. Risky content management systems
Malicious actors leverage compromised web servers to steal valuable data and use these powerful resources to conduct additional cyber-attacks. Some of the most dominant activity during the past year was related to attacks against popular content management systems (CMS), such as WordPress, Joomla!, Drupal, and noneCMS, which account for about 70 per cent of CMS market share. They are the target of approximately 20 per cent of all attacks globally.
5. The evolution of governance, risk and compliance
Complacency can lead to serious consequences and put a business, employees and customers at risk. Moving forward steadfastly and continuing to make the appropriate investments is critical.
The regulatory landscape is constantly evolving, but the GTIR calls last year the ‘year of enforcement’, with the number of Governance, Risk and Compliance (GRC) initiatives growing. Greater complexity, however, has created a more challenging global regulatory landscape.
Several acts and laws now influence how organisations handle data and privacy, including the General Data Protection Regulation (GDPR), which set a high standard for the rest of the world.
Authorities have gained a greater understanding of their role in holding businesses accountable for their use of personal data (i.e. information about people) and have demonstrated their commitment to enforcing legislation that protects individual rights.
In the last year, authorities in the EU and the US, in particular, have issued a number of fines against businesses that have failed to act transparently, fairly and responsibly in their use of personal data.
Global health emergencies like the Coronavirus outbreak do, and should, affect the way organisations manage security-related initiatives. Health and safety concerns over employees and the public override many compliance initiatives and should be taken into account when designing and implementing security controls, business continuity and disaster recovery plans.
6. A shift in the most targeted industry sectors
The technology and government sectors have now moved into the unenviable position of being the most targeted industries globally, while in the UK, manufacturing became the most attacked sector, representing almost a third of all attacks.
Technology, as the most attacked industry in 2019, accounted for a quarter of all attacks, compared to just 17 per cent the previous year, while attacks on the government sector, largely driven by geo-political activity, now represent 6 per cent of all attacks, compared to 9 per cent in the previous year. Technology also experienced the highest rate of ransomware of any industry: 9 per cent of all threat detections were ransomware, and no other industry showed detections for this malware category above 4 per cent.
The WannaCry ransomware was the most commonly detected variant, accounting for 88 per cent of all ransomware detections. The OpenSSL vulnerability CVE-2017-3731 and the Joomla! CMS vulnerability CVE-2015-8562 accounted for 99 per cent of targeting. Some 23 per cent of detected malware belonged to the Remote Access Trojan (RAT) malware family.
When it comes to applications, the technology sector has the lowest performance of all industries with an average of over 12 serious vulnerabilities per site. The technology sector also has the most diverse set of applications from a diverse set of organisations.
Rory Duncan, Security Go To Market Leader UK, NTT Ltd