The list of the Top 15 Threats is an annual list from ENISA, with only slight changes in positions for the various threats since last year. Malware remains in the Number 1 spot, and Web-based attacks remains Number 2. Phishing actually increased from 4th to 3rd position. Spam also rose this year, from 6th to 5th position. The threat making the greatest movement was Identity Theft, jumping from 13th to 7th position!
#1 Cyber Threat – Malware
ENISA ranks Malware as the #1 threat again, pointing out several troubling trends. Detection of malware on Business-owned Windows computers went up 13% from the previous year, and 71% of malware infections had spread from one infected user to another. 46.5% of malware delivered by email used a “.docx” file extension, indicating that our continued unsafe business practice of sharing Word documents by email continues to put our organizations and our employees at risk! Another change was that 67% of malware was delivered via an encrypted HTTPS connection — the “increased safety” of having encrypted web pages has also greatly increased our difficulty in understanding when an employee is receiving malware by visiting a webpage.
The number one malware family in this reporting period was Emotet, which targeted US-based businesses 71% of the time and UK targets 24% of the time.
An increasing number of banking trojans were also seen that targeted the Android operating system. Top families included Asacub, SVPeng, Agent, Faketoken, and HQWar.
The so-called File-less Malware was also a significant attack method, often using Windows Management Instrumentation or PowerShell scripts to perform complex attacks more or less “at the command line” rather than by downloading a Windows PE Executable.
For C2-based malware, a growing trend in having Russian-based Command & Control servers was observed, with the likelihood of a Russian-host going up 143% from the previous reporting period. these malware families included Emotet, JSECoin, XMRig, CryptoLoot, Coinhive, Trickbot, Lokibot, and AgentTesla (according to MalwareBytes, quoted in the report.)
ENISA says that 94% of all malware deliveries were via email during 2019, quoting from the EC3 Internet Organised Crime Threat Assessment
. Many such attacks were enabled by employee behavior and gained extended reach due to vulnerabilities in Windows, several of which allowed Remote Code Execution, making malware attacks “wormable” and able to spread throughout the enterprise, often due to poor patch management.
Proposed actions in this report include the need for better in-bound screening, including the ability to decrypt and inspect SSL/TLS traffic as it comes into the network, including web, email, and mobile applications. Security policies must also be updated to include what processes and escalations must occur “post-detection” in the case of an infection. Log monitoring must be improved.
One suggestion that I strongly agree with — “Organizations need to disable or reduce access to PowerShell functions” — so much malware this year, especially ransomware, would be stopped cold in its tracks if PowerShell were not so prevalently deployed and enabled in our organizations!
Although it is not mentioned by ENISA, my favorite document for understanding PowerShell threats is “The art and science of detecting Cobalt Strike
” from our friends at Talos Intelligence! More than any other attack platform, Cobalt Strike is being abused by malicious actors in order to fully compromise domains, often for the purpose of exfiltrating and encrypting for ransomware.
Please refer to the full report for additional recommendations.
#2 Cyber Threat – Web-Based Attacks
Web-Based Attacks are broken into four main vectors by ENISA. Drive-by downloads, Watering hole attacks, Form-jacking, and Malicious URLs.
As noted in part one, due to the age of the reporting window (January 2019 to April 2020) some of the particular attacks noted are more historical and of less keen interest by this time, however a couple trends are worth calling attention to.
“MageCart” attacks continue to be a prominent method for acquiring financial credentials. Because of the vast popularity of a small handful of online “checkout” systems, many organized crime groups are investing heavily in hackers who have “nation-state” level capabilities in order to create new zero day attacks into these systems. Shoppers are basically defenseless as their order information is transparently transmitted to criminals while they shop at even the largest and most prominent “trust-worthy” online vendors.
In addition to browser vulnerabilities that can make watering hole attacks quite successful, attackers are also attacking popular web browser extensions, which often have less rigorous security updates than the base browser products themselves.
Content Management Systems also present an enormous footprint of vulnerability as platforms such as WordPress provide millions of vulnerable websites that can be used at will by hackers to host both phishing sites and malware payload files.
#3 Cyber Threat – Phishing
Phishing has historically been email-based crime that lures a target to an illicit website via a social engineering email. It is the key to $26 Billion in losses due to Business Email Compromise, as well as to a growing number of scams linked to the COVID-19 Pandemic. In the FIRST MONTH of the COVID-19 Pandemic, ENISA reports that phishing attacks increased 667%! As previously mentioned, these dangerous emails are now very likely to contain a trojaned Microsoft Office family document.
ENISA warns that phishing URLs are now being seen more frequently delivered via SMS, WhatsApp, and Social Media platforms, expanding beyond the original email platform.
While phishing historically targeted financial institutions, ENISA says that webmail became the leading target of phishing in Q1 of 2019, with Microsoft 365 services being particularly targeted.
User education and user reporting remains a critical strategy, especially as ENISA says that 99% of phishing emails require human interaction in order to be effective.
The most effective means to combat phishing continues to be the implementation of 2FA. If a phisher cannot gain access to an account with simple userid and password, many schemes would be immediately blocked.
From a financial perspective, wiring money should ALWAYS require out of band confirmation. The cost of not getting the confirmation is simply too high, with some Business Email Compromise attacks costing tens of millions of dollars!
#5 Cyber Threat – Spam
As the ENISA report on Spam menions, after 41 years of dealing with spam, “nothing compared with the spam activity seen this year with the COVID-19 pandemic!”
During the reporting period, Emotet, Necurs, and Gamut were some of the top spamming families.
Some other findings:
85% of all emails exchanged in April of 2019 were spam, a 15-month high.
13% of data breaches could be traced back to malicious spam.
83% of companies were unprotected against email-based brand impersonation (DMARC)
42% of CISOs reported dealing with at least one spam-based security incident.
To bring this category up to date, we noticed that ENISA was fond of the Quarterly Spam & Phishing reports from Kaspersky. Please find below links to the 2020 Q1, Q2, and Q3 reports from Kasperky, which will technically be part of NEXT year’s ENISA reporting:
Kaspersky found that throughout the third quarter, spam was at least 48.9% of all email sent, a slight decline from Q2, however the portion of spam containing malicious emails was up significantly. Kaspersky identified 51 Million malicious attachments in that quarter, with 8.4% of them being the keylogger commonly known as Agent Tesla (Kaspersky uses the name “Trojan-PSW.MSIL.Agensla.gen”). Microsoft Office documents exploiting CVE-2017-11882 were the second most common.
They also noted 103 million phishing attacks, with the top targeted sectors being Online Stores (19.2%) and Global Web Portals (14.48%) which would include Office365. Only 10.8% of the phishing attacks observed by Kaspersky targeted banks!
My favorite spam campaign here was the “FTC Official Personal Data Protection Fund” which claimed that the Federal Trade Commission had found that the recipient was a victim of “personal data leakage” and they were eligible to be compensated for that loss, if they just filled out a simple form on their website (which harvested personal data, including credit card and social security number.)