2020 was unprecedented in nearly every way, and cyberattacks were no exception. The CrowdStrike 2021 Global Threat Report, from cloud-native cybersecurity company CrowdStrike, states this was “perhaps the most active year in memory.”
For enterprises specifically, the report uncovers rising threats to watch in the coming year. Malicious actors furthered their shift toward attacks on high-value targets such as enterprises, known as “big game hunting,” which has become increasingly popular in recent years because of the more lucrative payday potential. Malicious actors also developed new tools and procedures, and formed alliances to bolster the strength and reach of their attacks. Most significantly, they increasingly integrated blackmail and extortion techniques into ransomware operations.
Malicious actors have escalated their efforts over the last 18 months, Adam Meyers, senior vice president of intelligence at CrowdStrike, told VentureBeat. They want “to steal as much data as they can get their hands on. Then they’ll say ‘If you don’t pay us, we’re going to release all this sensitive data,’ which could have reputational or even regulatory impact.”
Cyber criminals also exploited the COVID-19 pandemic, preying on fears, targeting the health sector, and taking advantage of the abrupt switch to remote work. According to the report, 71% of cybersecurity experts surveyed said they’re more worried about ransomware attacks as a result of COVID-19. Additionally, 2020 saw what is perhaps the most sophisticated and far-reaching supply-chain attack in history.
The best defense for enterprises is to be informed of the evolving threats, act quickly in the event of an attack, and be proactive with advanced security solutions. “You have to have a next-gen solution. Antivirus is dead,” Meyers said.
The findings in the 40-page report, which tracks and analyzes the activity of the world’s major cyber adversaries, were compiled using machine learning, firsthand observations from the company’s frontline cyber analysts, and insights from crowdsourced threat measurement, the company said. Here are the trends, threats, and security best practices for targeted enterprises, according to the report.
Cyber criminals exploit the COVID-19 crisis
The healthcare sector faces significant security threats in a typical year, and the stakes of the pandemic brought increased attention, particularly to pharmaceutical companies, biomedical research companies, and government entities.
While early objectives for targeted intrusion actors may have included acquiring information on infection rates or country-level responses, the aim quickly shifted to vaccine development. Malicious actors based in China, North Korea, and Russia all targeted vaccine research, CrowdStrike said. In total, at least 104 healthcare organizations were infected with ransomware in 2020.
COVID-19 also proved effective for phishing, a technique that’s typically most successful when it taps into human emotions like hope, fear, and curiosity. Phishing scams targeted the federal COVID relief plan for businesses (PPE), financial assistance, and other government stimulus packages. They also pretended to offer information on testing and treatment and impersonated medical bodies including the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC).
Lastly, the abrupt shift to remote work thrust many enterprises into a security situation for which they were not prepared. The sudden use of personal computers, for example, means many people are working on devices that may have already been infected with malware. Another risk is the sharing of devices between family members, some of whom may not be aware of security threats they may encounter.
“The biggest impact is that it increased the attack surface,” Meyers said, referring to the sum of entry points a malicious actor can use to gain access.
Enterprises at greatest risk: private and government healthcare entities, newly remote organizations.
Nation-states go after IP
Beyond vaccine development, nation-state actors also targeted enterprises across sectors for intellectual property (IP). The report suggests they’re not letting up and will continue in 2021, echoing sentiments from around the industry.
China specifically has a “shopping list” of technologies it’s looking to develop and is using economic espionage to leapfrog the existing technology, especially in AI and machine learning. Some nation-state actors are also interested in accessing cybersecurity companies’ own toolkits that could aid them in further attacks, as happened in the case of FireEye.
Another threat comes from bilateral agreements or joint-venture purchases with companies based in other countries, which nation-state actors look to capitalize on. And beyond IP, a company’s negotiating strategies, expansion plans, and bottom lines are all potential targets.
Enterprises at greatest risk: clean energy, medical technology, digital agriculture, cybersecurity, mining/limited-supply resources, and emerging technologies.
Supply-chain attacks reach new heights
While supply-chain attacks are nothing new, 2020 saw one that some cybersecurity experts are calling “the hack of the decade.” A nation-state actor breached the network of IT software provider SolarWinds, maintaining access for 264 days and attacking customers through stealthy malware hidden in multiple software updates. The SEC identified at least 18,000 potential victims of the attack, including top-tier companies and governments. The actor even studied and downloaded Microsoft’s source code for authenticating customers.
Supply-chain attacks are uniquely damaging because of their domino effect, in which one intrusion can enable further breaches of multiple downstream targets.
“The scope, depth, and length of time this was out there, I would say, is unprecedented,” Meyers said, adding that supply-chain attacks, specifically in software, are what keep him up at night.
Ransomware meets extortion
Among increased ransomware activity, 2020 also saw the accelerated integration of data extortion and blackmail techniques, a practice the report warns will likely grow this year. This echoes another recent report from data protection specialist Acronis, which declared “2021 will be the year of extortion.”
A large part of this was the introduction of dedicated leak sites (DLSs), which are dark web posts where malicious actors detail — with proof — the exact data they’ve stolen, aiming to increase pressure on targets to meet ransom demands. One notable example was the attack on New York-based law firm Grubman Shire Meiselas & Sacks. The responsible criminal group dropped posts hinting it had files of companies and celebrities including Madonna, Bruce Springsteen, Facebook, and more, eventually releasing a 2.4 GB archive containing Lady Gaga’s legal documents. Overall, this approach was adopted by at least 23 major ransomware operators in 2020. The average ransom paid was $1.1 million.
Threat actors deployed new data extortion techniques. These include going after non-traditional targets within organizations, such as hypervisors like VMware ESXi. They’re also staggering the release of stolen data, which in the case of enterprises with high brand recognition can generate news and social media buzz that adds pressure to ransom negotiations. Threat actors also collaborated on extortion campaigns, forming alliances such as the self-proclaimed “Maze Cartel.” This could evolve into hosting each other’s victims’ data, increasing the risk it will be shared or sold, and making it more difficult to negotiate the full removal or destruction of stolen data.
New ransomware variants and families were also introduced, and one actor launched ransomware as a service (RaaS). The report also details the increased use of access brokers, wherein hackers who gain backend access to enterprises simply sell it directly to malware actors. This eliminates the time spent identifying targets and gaining access, allowing them to deploy more malware faster.
Enterprises at greatest risk: Although most ransomware operations are opportunistic, the industrial, engineering, and manufacturing sectors were especially targeted in 2020. Technology and retail sectors are also at high risk.
How enterprises can defend against threats
According to Meyers, these are the five things enterprises should be doing.
- Secure the enterprise. This means following best practices and having multiple safeguards, including solid vulnerability management, consistent patch cycles, and “the principle of least privilege.”
- Prepare to defend. CrowdStrike recommends a 1-10-60 rule: identify an attack within one minute, respond to it within 10 minutes, and investigate it and prevent the attacker from carrying out their objective within one hour. Either cross-layer detection (XDR) or endpoint detection and response (EDR) should be in place, according to Meyers.
- Have a next-gen solution. Antivirus needs to have seen a threat before it can detect it, but machine learning-based solutions can decipher threats without having ever seen them. This difference is crucial with the growing rate of ransomware today.
- Training and practice. Get executives, directors, and board members together and develop a response plan. Know everyone you’ll need to call, and don’t wait to handle attacks on the fly.
- Intelligence. Be aware of the threats, their techniques, and tools, as well as which specific threats target your industry and geolocation.
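The 1-10-60 rule in the list above is only useful if a security team actually measures its own timelines against it. The script below is an added example, not code from the CrowdStrike report or the VentureBeat article: it reads a small set of constructed incident records (the CSV column names are an assumption, not any vendor's schema), computes how long each phase took, and reports which incidents missed which threshold. It reads the rule as three consecutive phases, each with its own budget (identify within 1 minute of the intrusion, respond within 10 minutes of the alert, remediate within 60 minutes of response starting); that sequential reading is also an assumption, since the article does not say whether the limits are cumulative.

```python
"""Measure incident timelines against the 1-10-60 rule.

Added example (not from the CrowdStrike report or the article). The CSV
schema, phase names and sample incidents below are constructed for
illustration; an unfinished phase counts as a breach because the
objective (e.g. containment) was not reached inside the window.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Budget for each phase of the 1-10-60 rule, read as sequential phases (assumption).
THRESHOLDS: Dict[str, timedelta] = {
    "identify": timedelta(minutes=1),    # intrusion start -> first alert
    "respond": timedelta(minutes=10),    # first alert -> response/triage starts
    "remediate": timedelta(minutes=60),  # response starts -> attacker stopped
}


@dataclass
class Incident:
    incident_id: str
    intrusion_start: datetime          # earliest malicious activity observed
    first_alert: datetime              # EDR/XDR alert raised
    response_start: datetime           # analyst begins investigation
    remediated: Optional[datetime]     # None if the incident is still open


# Constructed sample records (ISO-8601 UTC timestamps); not real incidents.
SAMPLE_CSV = """\
incident_id,intrusion_start,first_alert,response_start,remediated
INC-001,2021-03-01T09:00:00,2021-03-01T09:00:40,2021-03-01T09:08:00,2021-03-01T09:50:00
INC-002,2021-03-01T09:00:00,2021-03-01T09:03:00,2021-03-01T09:10:00,2021-03-01T09:40:00
INC-003,2021-03-02T10:00:00,2021-03-02T10:00:30,2021-03-02T10:05:00,
"""


def _ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; an empty field means the event has not happened."""
    return datetime.fromisoformat(value) if value else None


def parse_records(csv_text: str) -> List[Incident]:
    """Turn CSV text in the assumed schema into Incident objects."""
    incidents = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        incidents.append(Incident(
            incident_id=row["incident_id"],
            intrusion_start=_ts(row["intrusion_start"]),
            first_alert=_ts(row["first_alert"]),
            response_start=_ts(row["response_start"]),
            remediated=_ts(row["remediated"]),
        ))
    return incidents


def phase_durations(inc: Incident) -> Dict[str, Optional[timedelta]]:
    """Duration of each phase; None when the phase has not finished."""
    return {
        "identify": inc.first_alert - inc.intrusion_start,
        "respond": inc.response_start - inc.first_alert,
        "remediate": (inc.remediated - inc.response_start) if inc.remediated else None,
    }


def breached_phases(inc: Incident) -> List[str]:
    """Names of the phases that exceeded their 1-10-60 budget (or never finished)."""
    durations = phase_durations(inc)
    return [phase for phase, limit in THRESHOLDS.items()
            if durations[phase] is None or durations[phase] > limit]


def summarize(incidents: List[Incident]) -> dict:
    """Aggregate compliance: how many incidents met all three budgets, and breaches per phase."""
    report = {"total": len(incidents), "compliant": 0,
              "breaches": {phase: 0 for phase in THRESHOLDS}}
    for inc in incidents:
        breaches = breached_phases(inc)
        if not breaches:
            report["compliant"] += 1
        for phase in breaches:
            report["breaches"][phase] += 1
    return report


if __name__ == "__main__":
    incidents = parse_records(SAMPLE_CSV)
    for inc in incidents:
        print(inc.incident_id, breached_phases(inc) or "within 1-10-60")
    print(summarize(incidents))
```

In the constructed data, INC-001 meets all three budgets, INC-002 is detected too slowly (three minutes from intrusion to alert), and INC-003 is still open, so its remediation phase is counted as a breach. Feeding the same function real ticket exports gives a per-phase view of where the response process is slow, which is more actionable than a single mean time to respond.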