State of Cybersecurity 2020-21, I

This year 2020 has not had a similar close precedent, with a COVID-19 spread worldwide affecting millions of people and, linked to it, within our particular context as a red team, considerable growth in the number of cyberattacks. Due to isolation, virtual activities have increased (e.g., learning, shopping, meeting, working). Consequently, the areas of action for cybercriminals have expanded.

Taking advantage not only of curiosity but also of uncertainty and fear generated by the pandemic, malicious hackers have revitalized social engineering attacks, many times oriented to the theft of sensitive data, which were apparently in some decline. For instance, the FBI reported some months ago that the number of cybersecurity complaints they received was as high as 4,000 a day. A far cry from the 1,000 daily complaints they received before the pandemic. Criminals have been able to scam many people with coronavirus-related phishing emails containing links to fake login pages or malware to download as if they were sent by trusted entities (e.g., the World Health Organization) or by internal departments of an organization to their employees. As another example, in the middle of this year, Microsoft even reported that these COVID-19 themed attacks reached between 20,000 and 30,000 a day only in the US.

Hackers —who keep monetization as their main motivation— have even increased attempts to breach healthcare organizations. These become easier targets with highly stressed and busy people, focused on responding to or fighting against COVID-19. (Some of these attacks, highly planned and prepared, could even be aimed at theft of research data desired by major organizations.) As reported by ENISA (European Union Agency for Cybersecurity), it has occurred, for instance, with ransomware incidents. According to Zohar Pinhasi, a cyber counter-terrorism expert, this type of attack rose by 800% at the start of this year.

Malicious hackers and cybercriminals have also managed to pursue and attack multiple firms and government agencies in the midst of unexpected transitioning to remote working and cloud computing. In the previous year, according to ARIA on Medium, about 43% of Americans occasionally worked from home. But as of early May of this year, 85% worked remotely full time —sometimes unsafely using home networks and their own devices. Additionally, about 90% of companies currently make use of some cloud service, as reported by Cyvolve.

This accelerated digital transformation, especially for complex systems, obviously meant chaos and high risks. The pressure to keep businesses active, in some instances coupled with ignorance and negligence in terms of cybersecurity, led to the establishment of many networks or infrastructures that were poorly or erroneously configured, overlooking security protocols. As a result, criminals have succeeded in exploiting diverse publicly known vulnerabilities in networks and other remote working tools and have even targeted communication platforms that are widely used today (e.g., Microsoft Teams, Zoom). All this without leaving aside the human factor, in this case concerning employees. They have been seen as a preliminary target in social engineering attacks on firms, especially in the middle market. A big mistake in this market —also considering small entities— is to believe that cybersecurity is usually an exclusive problem for large organizations, such as banks and governments.

Another trend targeted by cybercriminals is undoubtedly the widespread and growing use of mobile devices. More and more business data is now being stored on these devices. Following Statista's data, "the number of mobile devices worldwide in 2020 stood at 14.02 billion, with forecasts suggesting this is likely to rise to 14.91 billion by 2021." Likewise, the number of threats to each type of file and procedure we perform on these daily use machines has increased. As Kaushik comments in Entrepreneur, "there are several ways in which mobile phones could be attacked: phishing or more specifically SMiShing (through SMS), broken cryptography or weak encryption algorithms, network spoofing, inappropriate session handling entailing apps sharing session tokens with malicious actors, riskware causing data leakage and spyware."

Moreover, we're at a time where 5G, "the fifth generation technology standard for broadband cellular networks," is beginning to expand. Billions of devices will be connected through this medium with greater bandwidth than their predecessors for countless personal, commercial and industrial activities with lots of applications. This is something that hackers are also aware of, namely the copious number of entry points that will become available to cyberattacks on the Internet of Things with low or no security devices and networks.

On the other hand, this year has also highlighted the prominence of Artificial Intelligence (AI) and Machine Learning (ML). Everyone is talking about it. And while many organizations have obtained benefits from each of these fields, it is also true that malicious hackers do not intend to be left behind. They have seen new opportunities here to transform and strengthen their attacks and make them more abundant and sophisticated. That is the case, for example, with AI fuzzing, which, according to Cyvolve, "couples traditional fuzzing methods of detecting system vulnerabilities with AI, that can be exploited by cybercriminals to launch zero-day attacks." For ML, there are cases like that in which the retraining of the systems is achieved through poisoned data sources, and the backdoor attacks, "which can fundamentally rewrite the model's functionalities or even skew data."

Before finishing this part of the State of Cybersecurity 2020-21, to keep in mind what you or your company may face at present, here is the list of top 15 threats reported by ENISA covering the period January 2019-April 2020:

We hope you have enjoyed reading this post. Soon, you will be able to read a second part on the topic. Any doubt? Do not hesitate to contact us!