Posted: 3 Min ReadThreat Intelligence

Threat Landscape Trends – Q1 2020

A look at the cyber security trends from the first three months of 2020.

Towards the end of the first quarter of 2020, we took a look through telemetry from our vast range of data sources and selected some of the trends that stood out.

From COVID-19-themed malicious email and BEC scams to vulnerability exploits and IoT attacks, let’s take a quick look at the trends that shaped the cyber security threat landscape in the first three months of 2020.

Influx of Coronavirus Malicious Email

While news of the coronavirus pandemic began to circulate in December 2019, it was March 2020 before the subject began to be used noticeably as a lure in malware-bearing emails. In February, Symantec, a division of Broadcom (NASDAQ: AVGO), blocked approximately 5,000 malicious emails with “coronavirus”, “corona”, or “COVID-19” in the subject line. However, in March this number increased significantly to roughly 82,000.

More information on this trend can be found in our blog COVID-19 Outbreak Prompts Opportunistic Wave of Malicious Email Campaigns.

Figure 1. Coronavirus-related malicious email
Figure 1. Coronavirus-related malicious email

BEC Scams Resulted in $1.77 Billion in Losses for Victims

According to the FBI, business email compromise (BEC) scams are the most damaging and effective type of cyber crime, accounting for over $1.77 billion in losses for victims last year. While the number of organizations targeted by BEC scams was down from Q4 2019 numbers, there were still almost 31,000 organizations targeted in Q1 2020.

Figure 2. Organizations targeted by BEC scams
Figure 2. Organizations targeted by BEC scams

Formjacking Criminals Increase Efforts

The number of unique websites compromised with formjacking code increased in Q1 2020 as more criminals vie for their share of this lucrative malicious activity. There were 7,836 websites compromised with formjacking code in Q1 2020, up from 7,663 the previous quarter.

To learn more about formjacking, read our white paper: How Malicious JavaScript Code is Stealing User Data from Thousands of Websites Each Month

Figure 3. Websites compromised with formjacking code
Figure 3. Websites compromised with formjacking code
Figure 4. Top countries for formjacking
Figure 4. Top countries for formjacking

Hackers Rush to Exploit Vulnerabilities Emerging in Early 2020

A directory traversal vulnerability in Citrix Application Delivery Controller and Citrix Gateway (CVE-2019-19781) was disclosed on December 17, 2019. Patches for the flaw, which could permit a remote attacker to execute arbitrary code on vulnerable computers, were not rolled out until January 2020. There was a spike in exploit attempts for this vulnerability immediately after its disclosure, peaking in February with over 492,000 attempts blocked by Symantec (Web Attack: Citrix ADC RCE CVE-2019-19781).

Figure 5. Citrix vulnerability exploit attempts blocked
Figure 5. Citrix vulnerability exploit attempts blocked

Microsoft’s first Patch Tuesday release of 2020 disclosed a serious vulnerability in Windows CryptoAPI (CVE-2020-0601), a core component of the Windows operating system that handles cryptographic operations. Hackers were again quick to incorporate this vulnerability into their attacks, with blocked exploit attempts (Web Attack: Microsoft Windows CVE-2020-0601) reaching almost 82,500 in January. Attempts to exploit these vulnerabilities were blocked by Symantec’s Intrusion Prevention System (IPS).

Figure 6. CryptoAPI vulnerability exploit attempts blocked
Figure 6. CryptoAPI vulnerability exploit attempts blocked

Phishing Makes a Comeback

After declining markedly in 2019, phishing increased significantly during the first quarter of 2020, accounting for 1 in every 4,200 emails. Phishing activity is now back up to near where it was during 2018. The availability of more sophisticated phishing kits on the cyber underground may be driving a renewed interest in this form of attack. Some of the increase may also be accounted for by the upsurge in COVID-19-themed email attacks.

Figure 7. Phishing rate
Figure 7. Phishing rate

IOT Attacks on the Rise

The number of attacks against Symantec IOT honeypots* was up 13 percent in Q1 compared to Q4 of 2019.

*Symantec’s IOT honeypots emulate protocols used by virtually all IOT devices, such as routers, connected cameras, digital video recorders, and so on.

Figure 8. IoT honeypot attacks increased in Q1
Figure 8. IoT honeypot attacks increased in Q1

However, the number of unique IP addresses performing IOT attacks fell by 14 percent in the same period, indicating that while IoT botnets may be more aggressive in performing attacks, their relative size has fallen.

Figure 9. Unique IP addresses performing IoT attacks
Figure 9. Unique IP addresses performing IoT attacks

The top ten passwords used in attacks on IOT devices. Most of the credentials used by attackers are default or easily guessable.

Figure 10. Top passwords used in IoT attacks
Figure 10. Top passwords used in IoT attacks

The largest amount of attacks originated from IP addresses located in the U.S. followed by China, Vietnam, Taiwan, and South Korea. Since attacks are carried out by botnets of infected IOT devices, these countries have the highest number of infected IOT devices.

Figure 11. IoT attack origination
Figure 11. IoT attack origination

For the latest insights on threat intelligence visit Symantec Enterprise Blog/Threat Intelligence.

About the Author

Critical Attack Discovery and Intelligence Team

Symantec

The Critical Attack Discovery and Intelligence team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.