Defending Against Critical Threats Report identifies migration to remote working and evolution of ransomware as key contributors towards diverse criminal activity

Cisco has revealed the findings of its Defending Against Critical Threats Report, noting changes in criminal activity during 2020 and new methods of exploitation, arising as a result of the pandemic.

During a year in which transitioning to digital infrastructures became essential for all, Cisco explores the ongoing complexity and evolution of cyber threats, to inform organizations and empower stronger decision-making.

Increased Vulnerabilities with Remote Working

Cisco Umbrella – a cloud-driven Secure Internet Gateway – examined traffic running through its DNS servers, identifying mid-March 2020 as a peak period of increased remote connections. Between the first and last week of March alone, the number of remote workers had effectively doubled.

Cisco Talos noticed a rise in spam emails containing associates with words such as ‘pandemic’ and ‘COVID-19’ in early February 2020. Researchers from the Cisco Umbrella team also showed that on a single day in March 2020, enterprise customers connected to 47,059 domains that contained ‘COVID’ or ‘corona’ in the name. Of these, four percent were blocked as malicious. By late April, the percentage of domains blocked via e-mail filtering peaked as high as 75 percent.

The Evolution of Ransomware and Big-Game Hunting

One of the most prominent trends of 2020 was the widespread adoption of new tactics, techniques, and procedures (TTPs) related to the deployment of ransomware on corporate networks.

Rather than simply activating ransomware on the first successfully compromised system, adversaries are now leveraging systems as an initial access point into the network. They then move laterally throughout the network, gaining access to additional systems and escalating privileges. Ransomware can be activated on all of these systems simultaneously, maximizing the damage inflicted on the organization.

This approach to the attack lifecycle has become known as ‘big-game hunting’ and has gained popularity, with many adversaries actively targeting backup systems, domain controllers, and other business-critical servers during the post-compromise phase of their attacks.

Commenting on the findings, Fady Younes, Cybersecurity Director, Middle East and Africa, Cisco said, “The past year has presented enterprises with a number of new challenges, as they circumnavigated the complex threat landscape in an increasingly digital world. This year, CISOs and IT teams must ensure to implement next-generation firewall measures, advanced malware protection and secure network analytics to know who is connected to the network and for what purpose.”

Targeted Threats for Maximum Impact

Other notable threats included Cisco Talos’ discovery of a new malware campaign in April, known as ‘PoetRAT’. Research showed that the malware was distributed using URLs that mimicked certain government domains, targeting private companies. Talos observed multiple new campaigns from these threat actors over the course of the year, indicating a change in the actor's capabilities and showing their maturity toward better operational security.

In December 2020, a major supply chain attack was uncovered on a company producing infrastructure management applications. Systems had been compromised earlier in the year and malicious code was introduced into product updates that were made available on their website. A number of organizations that use the software, and had patched with the malicious updates, subsequently reported that they had been breached, including security companies, government agencies, and others.

“Many of the new threats we have identified involve compromising endpoints, which are crucial to secure and maintain in today’s world of remote work. Secure endpoints can protect an organization from major impact after an attack, whether on-premises or remote. Decisionmakers should invest in technologies which integrate prevention, detection, threat hunting, and response capabilities in a single solution for greater visibility and more actionable insights to strengthen security posture,” Younes continued.