Cyber-criminals changed their strategies during 2020, with the pandemic driving new methods of exploitation.

This is one of the findings from Cisco’s “Defending Against Critical Threats Report” which explored the ongoing complexity and evolution of cyber threats during a year in which transitioning to digital infrastructures became essential for all.

Increased Vulnerabilities with Remote Working

Cisco Umbrella – a cloud-driven Secure Internet Gateway – examined traffic running through its DNS servers, identifying mid-March 2020 as a peak period of increased remote connections. Between the first and last week of March alone, the number of remote workers had effectively doubled.

Cisco Talos noticed a rise in spam emails containing associates with words such as ‘pandemic’ and ‘Covid-19’ in early February 2020.

Researchers from the Cisco Umbrella team also showed that on a single day in March 2020, enterprise customers connected to 47 059 domains that contained ‘Covid’ or ‘corona’ in the name. Of these, four percent were blocked as malicious.

By late April, the percentage of domains blocked via e-mail filtering peaked as high as 75%.

The Evolution of Ransomware and Big-Game Hunting

One of the most prominent trends of 2020 was the widespread adoption of new tactics, techniques, and procedures (TTPs) related to the deployment of ransomware on corporate networks.

Rather than simply activating ransomware on the first successfully compromised system, adversaries are now leveraging systems as an initial access point into the network. They then move laterally throughout the network, gaining access to additional systems and escalating privileges.

Ransomware can be activated on all of these systems simultaneously, maximising the damage inflicted on the organisation.

This approach to the attack lifecycle has become known as ‘big-game hunting’ and has gained popularity, with many adversaries actively targeting backup systems, domain controllers, and other business-critical servers during the post-compromise phase of their attacks.

Fady Younes, cybersecurity director: Middle East and Africa at Cisco, comments: “The past year has presented enterprises with a number of new challenges, as they circumnavigated the complex threat landscape in an increasingly digital world. This year, CISOs and IT teams must ensure to implement next-generation firewall measures, advanced malware protection and secure network analytics to know who is connected to the network and for what purpose. ”

Targeted Threats for Maximum Impact

Other notable threats included Cisco Talos’ discovery of a new malware campaign in April, known as ‘PoetRAT’. Research showed that the malware was distributed using URLs that mimicked certain government domains, targeting private companies. Talos observed multiple new campaigns from these threat actors over the course of the year, indicating a change in the actor’s capabilities and showing their maturity toward better operational security.

In December 2020, a major supply chain attack was uncovered on a company producing infrastructure management applications. Systems had been compromised earlier in the year and malicious code was introduced into product updates that were made available on their website.

A number of organisations that use the software, and had patched with the malicious updates, subsequently reported that they had been breached, including security companies, government agencies, and others.

“Many of the new threats we have identified involve compromising endpoints, which are crucial to secure and maintain in today’s world of remote work,” says Younes. “Secure endpoints can protect an organization from major impact after an attack, whether on-premises or remote.

“Decision-makers should invest in technologies which integrate prevention, detection, threat hunting, and response capabilities in a single solution for greater visibility and more actionable insights to strengthen security posture.”