By Felipe Ruiz | November 19, 2020
This year 2020 has not had a similar close precedent, with a COVID-19 spread worldwide affecting millions of people and, linked to it, within our particular context as a red team, considerable growth in the number of cyberattacks. Due to isolation, virtual activities have increased (e.g., learning, shopping, meeting, working). Consequently, the areas of action for cybercriminals have expanded.
Let’s start this first part of the State of Cybersecurity 2020-21 with some statistics that you may find a bit shocking:
A database with 250 million Microsoft customer records was found exposed in January.
In March, CSO reported that $17,700 are lost every minute because of phishing attacks.
According to CSO, 60% of breaches involved vulnerabilities for which the existing patch was not applied.
The average time to identify and contain a breach is 280 days.
The Dutch government lost hard drives with the personal data of approximately 7 million organ donors.
115 million Pakistani mobile user records were released in the first half of this year.
84% of cyberattacks are based on social engineering.
Taking advantage not only of curiosity but also of uncertainty and fear generated by the pandemic, malicious hackers have revitalized social engineering attacks, many times oriented to the theft of sensitive information, which were apparently in some decline. For instance, the FBI reported some months ago that the number of cybersecurity complaints they received was as high as 4,000 a day, a far cry from the 1,000 daily complaints they received before the pandemic. Criminals have been able to scam many people with coronavirus-related phishing emails containing links to fake login pages or malware to download as if they were sent by trusted entities (e.g., the World Health Organization) or by internal departments of an organization to their employees. As another example, in the middle of this year, Microsoft even reported that these COVID-19 themed attacks reached between 20,000 and 30,000 a day only in the US.
Hackers —maintaining monetization as their primary motivation— have even increased attempts to breach healthcare organizations, which become easier targets with very stressed and busy people highly focused on responding to or fighting against COVID-19. (Some of these attacks, highly planned and prepared, could even be aimed at theft of research data desired by major organizations.) As reported by ENISA (European Union Agency for Cybersecurity), it has occurred, for instance, with ransomware incidents. According to Zohar Pinhasi, a cyber counter-terrorism expert, this type of attack rose by 800% at the beginning of this year.
Malicious hackers and cybercriminals have also managed to pursue and attack multiple companies and government agencies in the midst of unexpected transitioning to remote working and cloud computing. In the previous year, according to ARIA on Medium, about 43% of Americans occasionally worked from home, but at the beginning of May of this year, 85% worked remotely full time —sometimes unsafely using home networks and their own devices. Additionally, about 90% of companies currently make use of some cloud service, as reported by Cyvolve.
This accelerated digital transformation, especially for complex systems, obviously meant chaos and high risks. The pressure to keep businesses active, in some instances coupled with ignorance and negligence in terms of cybersecurity, led to the establishment of many networks or infrastructures that were poorly or erroneously configured, overlooking security protocols. As a result, criminals have succeeded in exploiting diverse publicly known vulnerabilities in networks and other remote working tools and have even targeted communication platforms that are widely used today (e.g., Microsoft Teams, Zoom). All this without leaving aside the human factor, in this case concerning employees, which has been seen as a preliminary target in social engineering attacks on companies, especially in the middle market. A big mistake in this market —also considering small entities— is to believe that cybersecurity is usually an exclusive problem for large organizations, such as banks and governments.
Nowadays, cybercriminals have also been flexible enough to respond to global trends regarding the implementation and use of new technologies and techniques. As an example is something that Tech Guru shares concerning advances in the automotive field: new vehicles can be equipped "with automatic software for cruise control drivers, engine timing, door lock, airbags, and advanced driver assistance systems that enable smooth communication." The problem arises because these cars employ standard connection systems such as WiFi and Bluetooth and end up being exposed to cyber threats.
Another trend targeted by cybercriminals is undoubtedly the widespread and growing use of mobile devices, which currently are storing more and more business data. Following Statista’s data, "the number of mobile devices worldwide in 2020 stood at 14.02 billion, with forecasts suggesting this is likely to rise to 14.91 billion by 2021." Likewise, the number of threats to each type of file and procedure we perform on these daily use machines has increased. As Kaushik comments in Entrepreneur, "there are several ways in which mobile phones could be attacked: phishing or more specifically SMiShing (through SMS), broken cryptography or weak encryption algorithms, network spoofing, inappropriate session handling entailing apps sharing session tokens with malicious actors, riskware causing data leakage and spyware."
Moreover, we are at a time where 5G, "the fifth generation technology standard for broadband cellular networks," is beginning to expand. Billions of devices will be connected through this medium with greater bandwidth than their predecessors for countless personal, commercial and industrial activities with lots of applications. This is something that hackers are also aware of, namely the copious number of entry points that will become available to cyberattacks on the Internet of Things with low or no security devices and networks.
On the other hand, this year has also highlighted the prominence of Artificial Intelligence (AI) and Machine Learning (ML). Everyone is talking about it. And while many organizations have obtained benefits from each of these fields, it is also true that malicious hackers do not intend to be left behind. They have seen new opportunities here to transform and strengthen their attacks and make them more abundant and sophisticated. That is the case, for example, with AI fuzzing, which, according to Cyvolve, "couples traditional fuzzing methods of detecting system vulnerabilities with AI, that can be exploited by cybercriminals to launch zero-day attacks." For ML, there are cases like that in which the retraining of the systems is achieved through poisoned data sources, and the backdoor attacks, "which can fundamentally rewrite the model’s functionalities or even skew data."
Before finishing this part of the State of Cybersecurity 2020-21, to keep in mind what you or your company may face at present, here is the list of top 15 threats reported by ENISA covering the period January 2019-April 2020:
Malware (maintaining the same position from 2018)
Web application attacks
Physical manipulation, damage, theft and loss
We hope you have enjoyed reading this post. Soon, you will be able to read a second part on the topic. Any doubt? Do not hesitate to contact us!
Corporate member of The OWASP Foundation