What has the cybersecurity landscape looked like so far in 2020? Alif Ahmad and I recently held an Ask an Analyst: Email Threat Detection and Intelligence webinar to speak about email security concerns and trends observed so far in 2020 as well as to offer insights about what we expect in the second half of the year.
Cybersecurity Detection Trends
For years, SilverSky has gathered malicious and suspicious email activity data allowing us to identify seasonality in cyberattacks. The summer is usually an active season for cyberattacks, as is the fourth quarter, but typically, the first half of every year is relatively quiet. We saw an expected lull in cybercriminal activity in January 2020, but February through May experienced atypically aggressive pandemic-themed attack activity. Activity plateaued somewhat in April and May, but attacks picked up again in June, which is typical based on historical data.
New in 2020 has been the increase in pandemic-themed email attack campaigns and the subsequent targeting of cloud service providers through business service impersonation. While Q1 2020 attacks were directly related to the pandemic, Q2 2020 saw spoofing of cloud service providers. Because of the pandemic and corresponding work-from-home constructs, the use of cloud services has increased. Unsurprisingly, cybercriminals adapted to this new opportunity.
Q1 2020 Cyberattack Tactics
Pandemic-themed attacks were the first phishing campaigns of 2020. Beginning in February, attackers began posing as authorities from government agencies such as the Centers for Disease Control and Prevention, the World Health Organization, and other entities claiming to offer critical information on the COVID-19 pandemic that had just hit the US. Email recipients were duped into offering login credentials and other personal information.
As the campaigns evolved, emails began delivering URLs and attachments that downloaded malware. The attack techniques and payloads were not that novel, but attackers used the pandemic to attract the attention of email recipients during a time when the US was scared and grasping for information to understand the evolving crisis.
Q2 2020 Cyberattack Observations
The trend of exploiting human emotion using current events to enhance the effectiveness of attacks continued in the second quarter. When the Black Lives Matter (BLM) movement rapidly gained momentum in the US toward the end of May, attackers sent emails from recently registered domains to exploit this highly emotional situation. Just as with COVID-19, attackers posed as local, state, or federal government entities.
A common cyberattack approach included using surveys to gather opinions relating to BLM. These surveys tended to look like government forms; however, when the recipient downloaded an attached survey, they were required to enable macros that eventually downloaded TrickBot malware and executed a DLL payload on the recipient’s computer. TrickBot, an evolving banking Trojan, has been around since 2016, but the variant used in the BLM campaigns had extended functions to steal credentials from victims’ emails, browsers, and installed apps.
Digital-Workspace and Cloud Service Provider Attacks
To facilitate work-from-home productivity, companies rapidly migrated to digital workspaces, creating new targets for cybercriminals. Initial attacks impersonated Microsoft services such as O365, SharePoint and Microsoft Teams. In Q2 2020, email attacks expanded to other cloud service providers including Zoom, Google, Dropbox, VoIP providers, and others.
In attacks targeting Zoom users, attackers spoofed the Zoom video conferencing service to trick users into handing over their confidential details. For example, emails with attention-drawing subject lines such as “User Cancelled on XX/XX/2020” and a display name of “Zoom” were sent to victims from multiple randomly generated email addresses. The body of the message asked recipients to click on a “Reactivate Account” link. Upon clicking “Reactivate Account,” users were redirected to a compromised website, unrelated to Zoom, hosting a credential-phishing page.
Impersonating VoIP providers, attackers sent targeted emails to victims spoofing their company’s voicemail service. The emails included a link to allow the recipient to listen to the voicemail. When victims clicked on the link, they were directed to a page asking for their credentials.
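A detection check for the display-name spoofing pattern in the Zoom and voicemail lures above, added here as an example and not code from the original post or from SilverSky: it parses a message, compares the brand claimed in the From display name against an assumed allow-list of that brand's sending domains, and checks where the body's links actually point. The allow-list, the sample message and its domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands impersonated in the campaigns above and the domains they legitimately
# send from (assumption: an illustrative allow-list, not a complete one).
BRAND_DOMAINS = {"zoom": {"zoom.us"}, "microsoft": {"microsoft.com", "microsoftonline.com"}}
# Good enough for the sample below; a production pipeline would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def _belongs_to(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_brand_impersonation(raw_message):
    """Flag a message whose From display name claims a known brand while the
    sender domain or the body's link targets do not belong to that brand.
    Returns a list of human-readable findings; an empty list means no mismatch."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    brand = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if brand is None:
        return []  # no brand claimed in the display name: nothing to compare against
    findings = []
    sender_domain = addr.rpartition("@")[2].lower()
    if not _belongs_to(sender_domain, BRAND_DOMAINS[brand]):
        findings.append(f"display name '{display}' but sender domain {sender_domain}")
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        if not _belongs_to(host, BRAND_DOMAINS[brand]):
            findings.append(f"link '{text.strip()}' points to {host}")
    return findings


# Constructed sample modelled on the Zoom lure described above; not a real message.
SAMPLE = """From: "Zoom" <notice-a8f3k2@mail-relay.example>
Subject: User Cancelled on XX/XX/2020
Content-Type: text/html

<html><body><p>Your account was cancelled.</p>
<a href="http://account-reactivate.example/login">Reactivate Account</a></body></html>
"""

if __name__ == "__main__":
    for finding in check_brand_impersonation(SAMPLE):
        print(finding)
```

The same check applies to the voicemail lures: a display name naming the company's VoIP provider with a link whose host is not that provider's produces the second finding.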
We also observed a significant increase in phishing URLs hosted on Google APIs domains, whereby hackers used Google Cloud Storage (GCS) to host phishing kits and redirect users to harmful pages on their websites. Our investigations indicated that this campaign was part of a mass-distributed general phishing campaign; however, there is not sufficient evidence to attribute these cases to a specific hacking group. Weaponizing third-party services instead of hosting their own malicious websites is a new trend among cybercriminals.
Although phishing emails with a link to a malicious site are a common approach, we are also seeing emails with malicious attachments. Some of the attack techniques, like those utilized by the notorious Lazarus Group, have become even more sophisticated.
In May 2020, we learned of attacks containing job description documents for leading defense companies like Boeing, Lockheed Martin, and BAE Systems. The companies themselves were not targeted; instead, victims were tricked into believing they had received job-posting information from these companies. The emails contained falsified job description attachments or links to download an attachment.
The documents automatically downloaded a malicious document template using a template-injection technique, which allows them to evade the static analysis performed by typical email and AV scans. Once downloaded, the template executed the main malicious payload.
A recent Valak malware campaign targeted organizations in the healthcare, finance, manufacturing, and insurance industries. The emails contained a ZIP archive attachment and provided a password to extract the archive contents. The initial infection process of this malware involves Microsoft Word documents inside the ZIP file that include an embedded VBA macro, which functions as a downloader and handles executing the DLL associated with Valak.
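The remote-template reference that a template-injection document relies on is a plain relationship entry inside the document's ZIP container, so it can be checked before the document is ever opened. The following detector is an added example, not code from the original post or from SilverSky: it lists every attachedTemplate relationship fetched over HTTP(S), and the in-memory .docx it builds is an inert, constructed fixture (no macro, no body text, no real template host).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes):
    """Return [(rels_part, target_url)] for every attachedTemplate relationship
    whose target is fetched over HTTP(S). An Office document is a ZIP of XML
    parts; the template a template-injection document pulls at open time is
    declared in a .rels part. Word also records local templates this way with
    a file:// target and TargetMode="External", so only the URL scheme is decisive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # unreadable part: leave it to a deeper sandbox or AV check
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, target))
    return hits


def make_test_docx(template_target=None):
    """Build an inert, minimal .docx in memory as a constructed fixture for the
    detector: no macro, no body text, no settings element that would make Word
    load anything. With template_target set, the settings .rels part carries an
    attachedTemplate relationship to it, which is what the detector looks for."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/settings.xml", '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()
```

Running find_remote_templates over attachments at the mail gateway catches the template fetch that static content scans miss, since the relationship is visible without rendering the document.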
We anticipated election-themed attacks in the second half of the year; however, we’ve seen this activity pick up earlier than expected. So far, attacks have been mostly spam-like, but we expect increasingly aggressive and more targeted phishing campaigns in the upcoming weeks and months before the election.
To learn more about the cyberattacks observed so far this year, what we anticipate for the second half of 2020, and recommendations for increasing email security, I encourage you to watch the full on-demand webinar. Also, we update our Malicious Email Attack Report Library each month with new observations and insights.
As always, if SilverSky can help you better protect your digital estate from cybersecurity threats, don’t hesitate to contact us.