Welcome to the end of 2020. The close of every year brings a lot of online activity—especially now, with everyone at home and socially distancing. Unfortunately, even as people stay at home to protect themselves, they are not safe from threat actors—who are busy developing exploits targeted at people working and shopping online.
In keeping with the season, let’s take a page from a famous holiday story and look at the past, present, and future of cybersecurity findings by the ThreatLabZ team.
Throughout 2020, the ThreatLabZ team published research collected from data in the Zscaler Zero Trust Exchange global cloud. Below are the five most-read stories we reported:
- In March, ThreatLabZ researchers detected several WordPress and Joomla sites serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. The most well-known threats to CMS sites result from vulnerabilities introduced by plugins, themes, and extensions. Because WordPress and Joomla are so widely used, sites on these platforms have become popular targets for malicious actors to hack and inject with malicious content.
- In August, ThreatLabZ observed a malicious site that used LinkedIn as the lure for a social engineering scheme designed to steal a user’s credentials and spread malicious binaries.
- In September, Zscaler ThreatLabZ posted about the rise in the use of Microsoft Azure domains to host phishing attacks, and similar activity on the Google domains Appspot.com and Web.app. These campaigns use SSL certificates issued for Appspot.com and Web.app and have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are then sent to a remote server.
- In September, the Zscaler ThreatLabZ team found seventeen applications in the Google Play store containing the Joker malware. The easy availability of those apps (which were downloaded 120,000 times) represents a significant threat to Android users. Perhaps more troubling is how easily attackers are (still) able to sneak malware-hiding apps through Google’s vetting process.
- In October, the Zscaler ThreatLabZ team discovered that the Chinese state-sponsored threat actor APT31 was responsible for several malicious binaries hosted on attacker-controlled GitHub accounts. These binaries dropped and displayed decoy content with a COVID-19 vaccine theme as a social engineering technique.
This year in particular brought a massive uptick in online activity. Cybercriminals are taking advantage of this increase and looking for ways to exploit it:
- With the holidays come Black Friday, Cyber Monday, and other enticements to lure consumers into buying products online. Zscaler observed attackers taking advantage of this holiday activity for their targeted cybercrimes. Cybercriminals have always targeted Cyber Monday and Black Friday with phishing scams, malware attacks, and malicious card skimmers injected into compromised e-commerce sites to steal payment card information. As expected, ThreatLabZ researchers saw a sudden spike in cyberattacks in the weeks leading up to Cyber Monday, and they anticipated that the trend would continue into December.
- With most companies adopting some sort of public cloud offerings, ThreatLabZ analyzed the current state of Cloud (in)security. Cloud vendors have enormous security resources available, yet barely a day goes by without news of another cloud security incident. Most of these incidents can be traced back to the insecure use of cloud services rather than security flaws in the services themselves.
- ThreatLabZ found a fake version of the hugely popular game Among Us in the Google Play store. The phony app is titled Amoungus and is simply adware: after it is downloaded, the app bombards the user with advertisements. The app asks users to log in or register with their Gmail credentials, but the current version does not send those credentials to the attacker.
The ThreatLabZ team not only keeps track of the past and present but also looks to the future with some predictions on cybersecurity issues we might see in 2021:
- The 2020 rush to remote work will fuel massive breaches in 2021. COVID-19 concerns forced many enterprises to set up nearly all employees with remote work. Organizations that didn’t properly configure their security architecture (cloud-native SASE architecture) for a distributed workforce expanded their attack surface and are ripe for cybercrime. Now that the dust is settling on the shift, we’ll start to see data breaches due to poorly thought-out security and corporate devices coming “in from the cold” bringing malware with them.
- Ransomware will be treated as a data breach. Organizations must come to grips with the surging sophistication of cyberattacks and ransomware as a company-wide responsibility, not just a CISO issue. Company-wide ransomware playbooks and response plans will dictate exactly what to do and how to mitigate any damage to the brand and address compliance matters related to leaked or stolen data.
- Cybercriminals will target specific markets. Pharmaceutical, biotech, and healthcare companies will see increases in targeted nation-state attacks. The attackers' goals will be stealing intellectual property and PHI data and skimming credentials through targeted phishing campaigns that align with public interests (such as COVID-19 developments and breakthroughs).
- We will continue to see fallout from the SolarWinds supply chain attack (and others like it). On Dec. 12, 2020, FireEye provided detailed information on a widespread attack campaign involving a backdoored component of the SolarWinds Orion platform, which organizations use to monitor and manage IT infrastructure. Attackers will continue to attempt breaches that exploit compromised infrastructure software.
- Public clouds will continue to be a source of attack propagation. The increase of enterprise public cloud consumption will increase attacks hosted in public cloud resources. The only way to protect against these attacks is by maintaining a secure cloud workload.
- The need for cybersecurity expertise will grow more critical. There is an extreme skills shortage in cybersecurity and a massive gap between what we have and what we need. Understanding how to protect corporate assets in the cloud- and mobile-first world requires training and dedication. Enterprises would do well to increase resources for cybersecurity training programs and partners.
Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 100 million threats to its 4,000+ customers. Using state-of-the-art AI and machine-learning technology, the Zscaler ThreatLabZ security research team analyzes Zscaler Zero Trust Exchange traffic and shares its findings.
The Zscaler ThreatLabZ team wishes everyone a happy and secure 2021!