If all the holiday fuss isn’t reminder enough, 2020 is almost upon us. 2019 was an unusual year in the cyber world, with no landscape-defining, big-picture events (even though we almost got there with BlueKeep). Instead, the past year was shaped by more strategic threats—just because there wasn’t an Equifax-scale incident, doesn’t mean that the threat isn’t there. 2019 was littered with dozens of smaller, but still relevant data exposures, data breaches, ransomware attacks, and never-ending cybercrime.
In this blog, we discuss several significant trends and events that have helped shape the cyber threat landscape, all of which will almost certainly continue through 2020.
1. Ransomware will persist; small to medium governments and utilities will remain prime targets
2019 was a big year for ransomware. We saw the—purportedly deliberate—fall of GandCrab, a massively popular Ransomware-as-a-Service (RaaS), and the rise of Sodinokibi, its spiritual, if not actual, successor. While (thankfully) there wasn’t any global ransomware event on the level of WannaCry or NotPetya in 2017, which largely targeted vulnerable devices indiscriminately, attacks in 2019 were more targeted. Our prediction for ransomware trends in 2019 holds up, and 2020 is not likely to be any different.
Small to medium-sized government and public-sector entities, particularly in the US, have taken the full brunt of ransomware attacks over the past year. Cybercriminals likely perceive these entities as less secure, more vulnerable, and more likely to pay out, especially when compared with larger government or private-sector organizations. Information security may be seen as a lower priority for public-sector entities with limited financial resources, which can result in outdated infrastructure, a lack of security awareness, and limited technical knowledge and support. All these are dangerous ingredients that can result in organizations falling victim to even the most basic of ransomware attacks. Although there are a few examples of ransomware using more sophisticated attack vectors (think SamSam), the majority still rely on tried-and-true social engineering techniques like phishing and spearphishing.
The financial impact of ransomware on governments and utility organizations can be substantial, even if the attack can be stopped without paying out. For example, the replacement of compromised devices and estimated lost revenue from the ransomware attacks against Baltimore government systems in May 2019 was projected to cost over $18 million, even though the attackers only demanded $77,000. Organizations will also increasingly have to deal with multiple threats from ransomware as attackers adapt to common mitigation strategies. Having backups in place can help with recovery, but the “pay or get breached” model in ransomware variants like MegaCortex, where attackers threaten to publicly release your data if you don’t meet their ransom demand, means organizations have to consider contingency plans for ransomware and data breaches at the same time.
MegaCortex ransom note that threatens to publicly release data (Source: BleepingComputer)
In July 2019, the US Conference of Mayors, which represents local and state governments, passed a resolution calling on cities to not pay ransom demands, and several US government agencies have also recently warned against the dangers of ransomware. These are reasonable steps towards getting ransomware awareness into the mainstream, but more work needs to be done. As long as extortion payments continue to be made, and cybercriminals continue to profit from these schemes, targeted ransomware attacks will continue well past 2020.
2. Forums will continue to be the platform of choice for cybercriminals
The cybercriminal landscape, particularly in the English-speaking scene, is in a constant state of instability. In 2019, law enforcement action successfully took down several prominent cybercriminal platforms, like Wall Street and Dream Market, and there’s no doubt that 2020 will see even more high-profile takedowns. But like a game of whack-a-mole, new markets and forums are always popping up (with varying levels of success). The dark web forum Torum, for example, though launched in 2017, saw explosive growth in 2019 after suspected law enforcement action disrupted the popular forum KickAss. Even in this sea of chaos, if there’s one thing that remains consistent, it is that forums have remained the platform of choice, even with the emergence of other appealing alternatives.
Post count numbers on the dark web forum Torum, pre- and post-February 2019
Digital Shadows recently published a three-part blog series on the timeless appeal of cybercriminal forums. At the risk of spoiling the research, we highlighted how forums offer several critical features that newer technologies don’t, like a sense of community, pedigree, and arbitration and escrow systems. While applications like Telegram, Wickr, Discord, and platforms like marketplaces and automated vending carts (AVCs) have their advantages, they are increasingly being used in tandem with forums, rather than instead of them. As a result, you have cross-pollination in the cybercrime ecosystem: They are used to coordinate private messaging, advertise new and upcoming marketplaces, and as a central location for like-minded cybercriminals.
Forums are as much of a mindset as they are places for cybercrime, and they have proven remarkably resilient. In our research, we also took a deep-dive into the main threat actors that have major parts in shaping and supporting the forum ecosystem. In the end, everything comes back to forums. Unless 2020 brings drastic shakeups to the landscape, or the worldview of cybercriminals changes dramatically, forums are likely to continue being the apex of platforms.
3. Significant amounts of data will be inadvertently exposed
According to the Too Much Information: The Sequel report that Photon published earlier this year, 2.3 billion files were being left unguarded on publicly accessible technologies like Amazon S3 buckets, SMB file shares, and rsync servers. This was a 50% (5-0) increase over the last year.
So what changed over 2019? Several companies have been fined millions of dollars (or pounds, euros, whatever your country’s currency of choice) for leaving consumer data exposed and worse yet, breached by a threat actor. Amazon has been introducing new security controls to its AWS platforms. California has passed a new data protection regulation, the California Consumer Privacy Act (CCPA). This isn’t to say all of this has been in response to our paper (but that would be cool!), but it looks like the battle for data protection is being fought on multiple fronts. A good move in the right direction!
We already saw a decline in S3 exposure within our research once some of those new security controls were put in place; we think we’ll see more decline over 2020. We’re hoping that the Billions we saw last year would turn into Millions because, as we stated in the report, this isn’t an insurmountable problem.
Geographic distribution across most of the file storage technologies analyzed in Digital Shadows’ research
4. Mobile devices will increasingly be targeted as more business processes and payment options migrate to mobile
Mobile devices have taken center stage in the lives of just about everyone. We use them for shopping, banking, communication, and everything in between. This ever-increasing adoption of mobile devices has provided attackers with a large attack surface, something that could only be dreamed about ten years ago. The threat of mobile device targeting is only going to increase in 2020 and beyond as handheld devices continue to be prominent in our lives. Organizations should also be wary of the risk from Shadow IT, particularly as bring-your-own-device policies are becoming increasingly popular. Having comprehensive insight into devices connected to your corporate network can make all the difference in preventing inadvertent backdoors and data exposures. From cybercrime to nation-state cyber espionage, the threat of mobile device targeting is something that can affect anyone, from individual consumers up to Fortune 500 companies.
We’ve divided the threat of mobile targeting in 2020 into two main categories:
- Cybercrime: Instead of an attacker having to distribute malware themselves, by compromising or impersonating one popular app, they can reach a broad victim audience with minimal additional effort. Information-stealing malware like banking trojans is a hot commodity for cybercriminals. These trojans can be configured to target specific banking and social media applications to take users’ personal and financial information, and are commonly sold and developed on criminal forums and marketplaces. 2020 will likely see the continued development of these types of malware, with a focus on obfuscation and evasion, which can make an infection all the more difficult to identify and remove. Third-party app stores that offer unregulated app downloads have their own set of issues, but attackers have been moving away from fringe app stores and into the mainstream. Official mobile app stores like Google Play and the Apple App Store do a good job of vetting apps before they get approved, but malicious apps still manage to slip through the cracks. Even if you’re downloading an app from an official store, you not only need to ensure that the app isn’t an impersonation but also be mindful of the permissions it requests on installation. An app that requires suspiciously specific access to potentially sensitive parts of your phone could realistically be used to harvest data and spread to other devices (why would a calculator need system access to my contacts and call records?).
- Cyber espionage: Throughout 2019, mobile devices have proven key avenues for cyber espionage campaigns. Commercial spyware has been used by governments to monitor, detect, and prevent terrorism and crime for almost a decade now, and these types of malware are only getting more sophisticated. One significant event in 2019 involved the Pegasus spyware incorporating a method of exploiting a vulnerability in WhatsApp as an initial attack vector; initiated by calling the phone number of the target, successful infection allegedly did not even require the target to pick up. As new vulnerabilities in mobile devices and software are identified in 2020, spyware operators are almost certainly going to be among the first to exploit them to their advantage.
5. Offensive nation-state activity will surge in the run-up to the 2020 US Presidential Election
The state of US politics leading into the 2020 Presidential elections is one of division. If the goal of Russia’s efforts in 2016 was to sow discord across the US political system, then I think some could argue that it was a rousing success, highlighting the many issues that were already present. In the years since 2016, there have been investigations, more investigations, and analysis on top of analysis. Tech companies like Facebook and Twitter have made efforts to keep political disinformation from appearing on their sites, banning large swaths of fraudulent profiles with ties to disinformation campaigns.
However, despite accounts being exposed or banned from these platforms, they continue to persist. We think that as the United States comes closer and closer to November 2020, disinformation and other offensive nation-state activity will increase. Just this past week, the World Anti-Doping Agency (WADA), in charge of illegal drug enforcement for Olympic athletes, announced that Russia would be banned from the 2020 Tokyo Olympics. Now, this is a ban of Russia, the country, rather than the athletes from Russia, as those not accused of doping charges can be invited to the events as neutral athletes. Still, this is a blow for the Russian government. When the same “ban” happened for the 2018 Pyeongchang Olympics, threat actors linked to the Russian government launched several disinformation campaigns against WADA, attempting to discredit the agency as a whole. It’s likely that this, coupled with the impending 2020 US Presidential elections, will induce Russian nation-state activity.
With all of these trends to keep track of, 2020 is already shaping up to be interesting. But, like with most years, I’m sure we’ll see a couple of curveballs along the way.
We also put out a podcast around predictions for 2020. CISO Rick Holland joins our ShadowTalk hosts (Viktoria, Alex, and Harrison) for our holiday special.
Happy holidays!