Today we launch our 2019 Threats of the Year report: a look back at the major tools and tactics that cybercriminals have exploited over the past year.
Based on original research conducted for our ‘Threat of the Month’ blog series, we look into the impact of directed attacks against specific organizations, and how we can defend ourselves against these types of attack.
We also look at non-directed attacks – the attacks that are more of a numbers game for cybercriminals. In this case they are looking to hit as many victims as possible, without regard for the organizations or individuals that they affect.
Finally, we look at the cybercriminal ‘toolkit’. From remote access trojans to hiding threats in encrypted traffic, we’ve seen various innovations in how cybercriminals have evaded detection this year.
As we look towards the end of the year (and decade), we also sought perspectives from Cisco Security experts looking back at 2019. When asked what one particular threat stood out this year, and to offer a New Year’s resolution for 2020 that all organizations could consider adopting, here’s what they said.
Martin Lee, Talos (Cisco Threat Intelligence)
This year will be remembered as the year when we saw that DNS data, as well as TLS certificates, could be ‘fake news’.
Although sporadic malicious activity had previously compromised DNS data, the discovery of the Sea Turtle campaign showed that DNS information could be compromised wholesale by attackers taking over top-level registries.
Consequently, legitimate domain-validated TLS certificates were granted to the attackers – since they controlled the domain’s DNS entries, meaning that the impersonation checking within TLS connections was subverted also. Attackers could thus divert a user from accessing a legitimate system to connect them to a malicious server while presenting a valid TLS certificate to authenticate the connection.
New Year’s resolution for 2020
Enable multi-factor authentication on every system that can support it. Passwords have never been a 100 percent effective or secure mechanism for authenticating users. You can add two-factor authentication (2FA) to all your system accounts so that even if someone steals or cracks your password, they can’t impersonate you to gain access to valuable data.
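The Sea Turtle point above is that a domain-validated certificate issued to whoever controls the DNS passes ordinary chain validation, so "is the certificate valid?" is not a sufficient check. The following is an added example, not code from the Cisco report or from any Cisco product: it compares observed NS/A records and the leaf certificate fingerprint against a known-good baseline, which is the kind of check that does catch the swap. All domains, IPs and fingerprints are constructed placeholders.

```python
# Added example: baseline monitoring for DNS delegation and certificate pinning.
# Models the Sea Turtle lesson: a DV certificate obtained via hijacked DNS
# passes chain validation, so only a comparison against a known-good baseline
# (NS records, A records, pinned leaf fingerprint) reveals the takeover.
# Every value below is a constructed placeholder (TEST-NET IPs, .test TLD).
from dataclasses import dataclass
from typing import List


@dataclass
class Observation:
    domain: str
    ns_records: List[str]
    a_records: List[str]
    cert_fingerprint_sha256: str   # hex SHA-256 of the served leaf certificate
    cert_chain_valid: bool          # result of ordinary PKI chain validation


@dataclass
class Baseline:
    domain: str
    ns_records: List[str]
    a_records: List[str]
    cert_fingerprints_sha256: List[str]  # pinned leaf fingerprints; a list allows rotation


def check_observation(obs: Observation, base: Baseline) -> List[str]:
    """Return a list of findings; an empty list means nothing deviated from baseline."""
    if obs.domain != base.domain:
        return [f"domain mismatch: {obs.domain} != {base.domain}"]
    findings = []
    unexpected_ns = sorted(set(obs.ns_records) - set(base.ns_records))
    if unexpected_ns:
        findings.append(f"NS delegation changed: unexpected {unexpected_ns}")
    unexpected_a = sorted(set(obs.a_records) - set(base.a_records))
    if unexpected_a:
        findings.append(f"A record changed: unexpected {unexpected_a}")
    pinned = {f.lower() for f in base.cert_fingerprints_sha256}
    if obs.cert_fingerprint_sha256.lower() not in pinned:
        # Key point: the chain can be perfectly valid while the pin still fails.
        status = "chain valid" if obs.cert_chain_valid else "chain INVALID"
        findings.append(f"leaf certificate not pinned ({status})")
    return findings


# Constructed baseline plus one normal and one hijacked observation.
BASELINE = Baseline("example.test", ["ns1.example.test", "ns2.example.test"],
                    ["192.0.2.10"], ["aa" * 32])
NORMAL = Observation("example.test", ["ns1.example.test", "ns2.example.test"],
                     ["192.0.2.10"], "aa" * 32, True)
# Delegation moved to an attacker-controlled nameserver; the DV cert is valid.
HIJACKED = Observation("example.test", ["ns1.attacker-ns.test"],
                       ["198.51.100.7"], "bb" * 32, True)
```

Feeding real observations into this requires your own resolver and TLS probe; the point of the block is that the hijacked case reports three findings even though its certificate chain validates.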
Andrea Kaiser, Cisco Umbrella (Protecting the DNS layer)
Malspam, or malicious unwanted email, is still the predominant method used to cast a wide net and get up close and personal with the most vulnerable part of a network: users.
In 2019 we saw the Emotet botnet continue to spread malicious payloads and grow its victim base, expanding its malware-as-a-service tactic. Trickbot, Qakbot, IcedID, and Gootkit all spread through malicious document attachments as some of the payloads pushed by the Emotet botnet in 2019.
Emotet added the ability to hijack email threads by injecting responses into old or ongoing conversations from users’ email. The new response can include links or malicious attachments to download Emotet.
This is all possible due to Emotet’s ability to steal email content and mail account credentials. The initial access and further propagation of the botnet relies on the distribution of malspam. This past year showed that we need to be vigilant in looking for targeted social engineering attacks in our inboxes.
New Year’s resolution for 2020
Social engineering is a threat that can affect you regardless of whether it is being used as a malware tactic. It can be used in any social setting to gain sensitive information. Oftentimes, all one needs to start the process is a tiny bit of information about a person – such as the year you graduated or the city in which you were born. That one seed of information can lead to a path to compromise your personal data. My recommendation for your New Year’s resolution is to limit the online availability of your personal information. Take a look at our Consumer Data Privacy report to learn more.
Patrick Garrity, Cisco Duo (Access/Multi-Factor Authentication Security)
For those of us in access security (endpoint and MFA), we’re concerned about exploits targeting device operating system and browser software.
This year, two major examples affected the Google Chrome browser, among them a zero-day vulnerability impacting all major operating systems: Windows, Apple’s macOS and Linux.
The vulnerability was a ‘use-after-free’ type, which is a memory corruption flaw that allows a threat actor to exploit modified data in the memory of a machine and escalate privileges on that machine. This means if a user opens a PDF in a compromised Chrome browser, an attacker can hijack the browser to gain access to their machine.
While Google quickly released a patch to protect against this vulnerability, it’s an important example to highlight the importance of gaining visibility into your users’ endpoints running out-of-date software and browsers.
New Year’s resolution for 2020
Make sure your devices are up to date by regularly obtaining visibility into the security status of your users’ devices. Then notify users of their out-of-date software and enforce policies that require software updates before allowing access to applications. Or, block access from any device that doesn’t meet your organization’s policies or requirements.
We encourage you to use this retrospective report in any security-focused board meetings or business planning sessions you might be holding over the next few months, to guide your planning of the security tools and processes needed for 2020. You can also use it as a resource to help explain how your current security posture would perform against any such attacks, and to identify any gaps.
Save the Date: We will be holding a Cisco Live chat on this threat report on 17th December at 9am PST. Tune in on Cisco.com or via any of our social channels – Twitter, Facebook, YouTube and our Security Community.
Sign up to receive our Threat of the Month blog series.