Towards the end of the first quarter of 2020, we took a look through telemetry from our vast range of data sources and selected some of the trends that stood out.
From COVID-19-themed malicious email and BEC scams to vulnerability exploits and IoT attacks, let’s take a quick look at the trends that shaped the cyber security threat landscape in the first three months of 2020.
Influx of Coronavirus Malicious Email
While news of the coronavirus pandemic began to circulate in December 2019, it was March 2020 before the subject began to be used noticeably as a lure in malware-bearing emails. In February, Symantec, a division of Broadcom (NASDAQ: AVGO), blocked approximately 5,000 malicious emails with “coronavirus”, “corona”, or “COVID-19” in the subject line. However, in March this number increased significantly to roughly 82,000.
More information on this trend can be found in our blog COVID-19 Outbreak Prompts Opportunistic Wave of Malicious Email Campaigns.
BEC Scams Resulted in $1.77 Billion in Losses for Victims
According to the FBI's Internet Crime Complaint Center, business email compromise (BEC) scams were the costliest type of cyber crime in 2019, accounting for over $1.77 billion in losses for victims. While the number of organizations targeted by BEC scams was down from Q4 2019, almost 31,000 organizations were still targeted in Q1 2020.
Formjacking Criminals Increase Efforts
The number of unique websites compromised with formjacking code (malicious JavaScript injected into checkout pages to skim payment card details as they are entered) increased in Q1 2020 as more criminals vie for a share of this lucrative activity. There were 7,836 websites compromised with formjacking code in Q1 2020, up from 7,663 the previous quarter.
Hackers Rush to Exploit Vulnerabilities Emerging in Early 2020
A directory traversal vulnerability in Citrix Application Delivery Controller and Citrix Gateway (CVE-2019-19781) was disclosed on December 17, 2019. Patches for the flaw, which lets an unauthenticated remote attacker execute arbitrary code on the affected appliance, were not released until January 2020, leaving a window of several weeks in which only mitigations were available. Exploit attempts spiked soon after disclosure and peaked in February, with over 492,000 attempts blocked by Symantec (Web Attack: Citrix ADC RCE CVE-2019-19781).
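The bug class behind CVE-2019-19781 is an access-control check applied to the raw request path while the backend serves the canonicalised path, so `/vpn/../vpns/...` slips past a check for the `/vpn/` prefix. The following detection logic is an added example, not Symantec's IPS signature or Citrix code; the `/vpn/../vpns/` pattern follows public reporting on this CVE, and the request lines are constructed samples rather than real telemetry.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample request lines in the style of a web-server access log (not real telemetry).
SAMPLE_REQUESTS = [
    "GET /vpn/index.html HTTP/1.1",
    "GET /vpn/images/logo.png HTTP/1.1",
    "GET /vpn/ HTTP/1.1",
    "GET /vpn/../vpns/cfg/ HTTP/1.1",                 # plain traversal out of /vpn/
    "POST /vpn/..%2Fvpns/portal/scripts/ HTTP/1.1",   # percent-encoded slash
    "GET /vpn/%252e%252e/vpns/portal/ HTTP/1.1",      # double-encoded dots
    "GET /other/../vpns/cfg/ HTTP/1.1",               # traversal, but not via the protected prefix
]


def request_path(request_line):
    """Pull the target out of 'METHOD target HTTP/x.y' and drop any query string."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    return target.split("?", 1)[0]


def canonical_path(path):
    """What the backend actually serves: percent-decode (twice, to catch double
    encoding) and resolve '.' and '..' segments."""
    return posixpath.normpath(unquote(unquote(path)))


def within(path, prefix):
    """True if a canonical path is the protected directory itself or something below it."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")


def is_traversal_bypass(request_line, protected_prefix="/vpn/"):
    """True when the raw path passes a naive prefix check but the canonical path
    escapes the protected directory; this is the shape of CVE-2019-19781."""
    raw = request_path(request_line)
    return raw.startswith(protected_prefix) and not within(canonical_path(raw), protected_prefix)


def scan(request_lines, protected_prefix="/vpn/"):
    """Return the request lines that exhibit the prefix-check bypass."""
    return [line for line in request_lines if is_traversal_bypass(line, protected_prefix)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("traversal bypass:", hit)
```

The check deliberately compares canonical paths against the prefix with its trailing slash, so `/vpns/...` is not mistaken for `/vpn/...`; the last sample line shows that traversal which never claims the protected prefix is outside the scope of this particular bug and would need a separate rule.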
Microsoft's first Patch Tuesday release of 2020 fixed a serious spoofing vulnerability in Windows CryptoAPI (CVE-2020-0601), a core component of the Windows operating system that handles cryptographic operations. The flaw lay in how CryptoAPI validated elliptic-curve certificates: a forged certificate carrying a trusted root's public key together with attacker-chosen explicit curve parameters could be accepted as if it chained to that root, allowing spoofed code signatures and TLS certificates. Attackers were again quick to incorporate this vulnerability into their attacks, with blocked exploit attempts (Web Attack: Microsoft Windows CVE-2020-0601) reaching almost 82,500 in January. Attempts to exploit both vulnerabilities were blocked by Symantec's Intrusion Prevention System (IPS).
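The arithmetic behind CVE-2020-0601 is short enough to show end to end. If the trusted root's public key is Q = d·G, an attacker who picks a private key d' and sets the generator to G' = d'⁻¹·Q obtains d'·G' = Q, so a certificate that advertises explicit parameters with G' "shares" the root's public key while the attacker can sign under it. The code below is an added example, not Microsoft's implementation or Symantec's detection logic: it implements P-256 arithmetic and ECDSA from scratch, models the root lookup in a deliberately simplified way (real chain building compares more than the key and verifies several signatures), and uses constructed private keys and a fixed nonce purely for reproducibility.

```python
import hashlib

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity. Needs Python 3.8+ for pow(x, -1, m)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend, k = None, pt, k % N
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(msg, priv, gen, k):
    """ECDSA over an arbitrary generator. k is caller-supplied only so the example is reproducible."""
    r = mul(k, gen)[0] % N
    s = pow(k, -1, N) * (hash_int(msg) + r * priv) % N
    return (r, s)

def ecdsa_verify(msg, sig, pub, gen):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(hash_int(msg) * w % N, gen), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def forge_generator(target_pub, attacker_priv):
    """Choose G' with attacker_priv * G' == target_pub. Any nonzero multiple of G
    still has prime order N, so ECDSA works unchanged under G'."""
    return mul(pow(attacker_priv, -1, N), target_pub)

def chain_accepts(msg, sig, presented_pub, presented_gen, trusted_pub, check_params):
    """Simplified root matching. Pre-patch: the root is recognised by public key alone and
    the signature is checked under the certificate's own explicit parameters. The fix
    (check_params=True) additionally requires the trusted root's own curve parameters."""
    if presented_pub != trusted_pub:
        return False
    if check_params and presented_gen != G:
        return False
    return ecdsa_verify(msg, sig, presented_pub, presented_gen)

# Constructed values: a made-up "trusted root" key, an attacker key and a fixed nonce; no real certificates.
ROOT_PRIV = 0x1f2e3d4c5b6a79880f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778
ROOT_PUB = mul(ROOT_PRIV, G)
ATTACKER_PRIV = 0x7a6b5c4d3e2f10f0e1d2c3b4a5968778695a4b3c2d1e0f0011223344556677f1
NONCE = 0x3cbd1a2e4f5061728394a5b6c7d8e9f00112233445566778899aabbccddeeff1
G_PRIME = forge_generator(ROOT_PUB, ATTACKER_PRIV)

def run_scenario(msg=b"to-be-signed part of a forged certificate"):
    forged_sig = ecdsa_sign(msg, ATTACKER_PRIV, G_PRIME, NONCE)   # attacker signs with its own key
    genuine_sig = ecdsa_sign(msg, ROOT_PRIV, G, NONCE)
    return {
        "forged_key_equals_root_key": mul(ATTACKER_PRIV, G_PRIME) == ROOT_PUB,
        "vulnerable_accepts_forgery": chain_accepts(msg, forged_sig, ROOT_PUB, G_PRIME, ROOT_PUB, False),
        "patched_accepts_forgery": chain_accepts(msg, forged_sig, ROOT_PUB, G_PRIME, ROOT_PUB, True),
        "forgery_fails_on_real_curve": ecdsa_verify(msg, forged_sig, ROOT_PUB, G),
        "patched_accepts_genuine": chain_accepts(msg, genuine_sig, ROOT_PUB, G, ROOT_PUB, True),
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The takeaway for anyone writing certificate-validation code is that a public key is only meaningful together with its domain parameters; matching a trusted key by its coordinates alone, and then verifying under parameters supplied by the untrusted certificate, hands the attacker the generator.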
Phishing Makes a Comeback
After declining markedly in 2019, phishing increased significantly during the first quarter of 2020, accounting for 1 in every 4,200 emails. Phishing activity is now back up to near where it was during 2018. The availability of more sophisticated phishing kits on the cyber underground may be driving a renewed interest in this form of attack. Some of the increase may also be accounted for by the upsurge in COVID-19-themed email attacks.
IoT Attacks on the Rise
The number of attacks against Symantec IoT honeypots* was up 13 percent in Q1 compared to Q4 of 2019.
*Symantec's IoT honeypots emulate protocols used by virtually all IoT devices, such as routers, connected cameras, digital video recorders, and so on.
However, the number of unique IP addresses performing IoT attacks fell by 14 percent in the same period, indicating that while IoT botnets may be attacking more aggressively, their relative size has fallen.
[Figure: the top ten passwords used in attacks on IoT devices.] Most of the credentials used by attackers are default or easily guessable, which is why changing factory credentials remains the single most effective defence for these devices.
The largest number of attacks originated from IP addresses located in the U.S., followed by China, Vietnam, Taiwan, and South Korea. Since these attacks are carried out by botnets of infected IoT devices, the source countries are those hosting the largest numbers of compromised devices rather than those where the operators are based.
For the latest insights on threat intelligence visit Symantec Enterprise Blog/Threat Intelligence.