The year 2020 isn’t over yet, but so far, it’s been unprecedented from a threat landscape point of view – including the impact of the global pandemic and social movements on the cybersecurity landscape. The threat researchers at FortiGuard Labs have taken a good hard look at what was happening over the first six months of 2020 from a cybersecurity perspective, and we’ve identified some key trends that the industry needs to be aware of.
Capitalizing on a global crisis
First, it will come as a shock to no one that cyber actors aren’t willing to let a crisis go to waste.
Cybercriminals across the spectrum, from opportunistic phishers to scheming nation-state actors, found many ways to exploit the global pandemic for their benefit, sometimes at enormous scale. Indicators of threat activity began to emerge almost immediately, mapping to the scope and ramifications of the pandemic. By comparing COVID-related web search trends and COVID-themed malicious URLs, we found that many of these malicious domains contained names such as "coronavirus," "vaccine," "chloroquine" and "remdesivir," and were created to harvest credentials or distribute malware and spam.
Threat researchers also spotted an expanding range of malicious activity spanning many weeks that involved the use of COVID-19-related lures. This included nation-state backed campaigns, phishing and business email compromise schemes, and ransomware attacks. Specifically, in addition to browser-based attacks, there was a sharp increase in malicious emails, with infected documents pretending to contain pandemic-related guidance seemingly sent from trusted sources, such as the World Health Organization and the CDC. These trends, showing up almost immediately, demonstrate how swiftly bad actors can move to take advantage of major developments that have broad social impact. The need for cyber-distancing in terms of cyber hygiene has never been greater, and remains critical even now.
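The domain-naming pattern described above lends itself to a simple detection check that defenders can run over their own web proxy logs. The following is an added example, not code from FortiGuard Labs or the report: it parses a few constructed proxy log lines in a hypothetical `timestamp client method url status` format, looks for the pandemic-themed keywords the report names in the requested hostname (not the path, since legitimate sites such as who.int and cdc.gov routinely carry such words in their URLs), and suppresses hits on an assumed allowlist of trusted domains. The `.example` hostnames and the `TRUSTED_SUFFIXES` list are placeholders to be replaced with an organization's own data.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Keywords the report observed in COVID-themed malicious domain names.
COVID_KEYWORDS = ("coronavirus", "covid", "vaccine", "chloroquine", "remdesivir")

# Assumed allowlist: trusted sites (and their subdomains) that legitimately host pandemic content.
TRUSTED_SUFFIXES = (".who.int", ".cdc.gov", ".corp.example")

# Constructed sample proxy log lines in a hypothetical format: timestamp client method url status.
SAMPLE_PROXY_LOG = """\
2020-03-18T09:12:01Z 10.0.0.12 GET http://coronavirus-vaccine-update.example/login.php 200
2020-03-18T09:12:05Z 10.0.0.12 GET https://www.who.int/emergencies/diseases/novel-coronavirus-2019 200
2020-03-18T09:13:10Z 10.0.0.40 GET http://buy-chloroquine-now.example/order 200
2020-03-18T09:14:22Z 10.0.0.40 GET https://intranet.corp.example/hr/covid-guidance.pdf 200
2020-03-18T09:15:03Z 10.0.0.55 POST http://remdesivir-cure.example/collect 302
malformed line that the parser should skip
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_trusted(host: str) -> bool:
    """True if host equals an allowlisted domain or is one of its subdomains."""
    host = host.lower()
    for suffix in TRUSTED_SUFFIXES:
        if host == suffix.lstrip(".") or host.endswith(suffix):
            return True
    return False


def parse_line(line: str):
    """Parse one log line into a dict with the hostname extracted, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def covid_keywords_in_host(host: str) -> list:
    """Return the pandemic-themed keywords found in the hostname, in COVID_KEYWORDS order."""
    host = host.lower()
    return [kw for kw in COVID_KEYWORDS if kw in host]


def flag_covid_themed(log_text: str) -> list:
    """Return (client, host, keywords) for requests to keyword-bearing, non-allowlisted hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        keywords = covid_keywords_in_host(rec["host"])
        if keywords and not is_trusted(rec["host"]):
            hits.append((rec["client"], rec["host"], keywords))
    return hits


def clients_by_hit_count(hits: list) -> Counter:
    """Count flagged requests per client so the noisiest endpoints can be triaged first."""
    return Counter(client for client, _host, _kws in hits)


if __name__ == "__main__":
    for client, host, kws in flag_covid_themed(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} (matched: {', '.join(kws)})")
    print(clients_by_hit_count(flag_covid_themed(SAMPLE_PROXY_LOG)))
```

Matching on the hostname only, combined with an allowlist, keeps the rule from firing on employees reading official guidance; in practice the keyword list would be extended from current threat intelligence, and hits are best enriched with domain registration age before being escalated.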
Attacking the home networks of remote workers
Cyber adversaries immediately recognized the massive shift from corporate to home networks due to remote work as an opportunity. In the first half of 2020, exploit attempts against several consumer-grade routers and IoT devices were at the top of the list for IPS detections, replacing the usual corporate network gear. In addition, Mirai and Gh0st, from 2016 and 2014, respectively, dominated the most prevalent botnet detections, driven by attackers' apparent growing interest in targeting older vulnerabilities in unprotected consumer IoT products living on poorly secured home networks. As a result, Mirai surged into first place among botnets by early May, with Gh0st close on its heels. This trend is the result of cybercriminals seeking to gain a foothold in enterprise networks via employees’ home networks.
The work-from-home mandate enabled attackers to target individuals in multiple ways, including malware used in a variety of phishing attacks that targeted end users through their browsers. For example, web-based malware used in phishing campaigns and other scams outranked the more traditional email delivery vector early this year.
There was also a sizeable drop in corporate web traffic, as expected, due to people surfing and working from home rather than the office or school. The combination of these two trends means web browsers, not just devices, have become prime targets for cybercriminals as part of the strategy to target remote workers.
Ransomware remains a continuing plague
In spite of the pandemic and other civil unrest events that captured the attention of many cybercriminals, FortiGuard Labs saw six more months of unrelenting ransomware activity targeting organizations worldwide. Attackers hid ransomware in COVID-19-themed messages and attachments, including Netwalker, Ransomware-GVZ, and CoViper variants. Ransomware-as-a-Service (RaaS) also expanded its offering, including Phobos, a ransomware that exploits the Remote Desktop Protocol (RDP) to gain access to a network. Selling malware using a RaaS model helps explain why ransomware continues to grow, as it is readily available even to less sophisticated threat actors.
Ransomware actors also added a new twist. Rather than just encrypting data and demanding a ransom, they are also posting that data on public servers. If the victim refuses to pay the ransom, perhaps because they plan to simply rebuild their devices from off-network data backups, the ransomware operators threaten to make the data publicly available. This reemphasizes the need to keep all sensitive data encrypted, whether at rest or in use.
Additionally, no industry was spared from ransomware activity. Data shows that the five most heavily targeted sectors for ransomware attacks during the first half of 2020 were education, government, telecommunications, manufacturing, and transportation. However, there were no clear standouts, and industries across the board were all affected fairly equally. Unfortunately, the growing availability of RaaS, and the evolution of certain variants suggests that the prevalence of ransomware will only continue.
OT continues to be a risk
Operational technology (OT) teams continued to struggle with securing industrial control systems (ICS) against cyber threats. Despite almost daily attention from OT leaders, business operations are increasingly at risk, thanks primarily to a growing number of intrusion strategies that get more sophisticated as time goes by. And now, the additional challenge of risks introduced by COVID-19, such as more employees working from home and the adoption of new technologies designed to support a remote workforce, has made the risks even greater.
EKANS is an example of ransomware attacks targeting OT environments. And the Ramsay espionage framework – designed for the collection and exfiltration of sensitive files within air-gapped or highly restricted networks – is an example of criminals finding new ways to infiltrate these kinds of networks. And while the prevalence of threats targeting supervisory control and data acquisition (SCADA) systems and other types of industrial control systems (ICS) is lower than for IT, that does not diminish the importance of this trend.
Confronting these threats
The first half of 2020 has delivered attacks that are notable not only for their dramatic scale and rapid evolution, but also for demonstrating cybercriminals’ ability to pivot their attack vectors to capitalize on current events, such as the global pandemic. This level of agility requires organizations to adjust their defense strategies going forward, not only to properly protect against the waves of threats that have arisen so far this year, but as part of their approach to any sort of transformation effort.
There is no time to waste, as malicious actors never rest. Organizations need to start by ensuring they have the visibility they need across their entire digital infrastructure. And given the rapid rate of change detected across the threat landscape, the addition of automation and AI-driven threat intelligence is crucial to enable prevention and incident response in real time, and both should be considered important additions to any comprehensive security strategy.