Approaching the Cyber Threat Landscape


Do you know what companies, government agencies, banks, manufacturers and even the health sector had in common in 2020? They all suffered data loss, attacks and ransom demands from ransomware operators. That is why cybersecurity today is looking for a new operational footing: the threat landscape has evolved. Threat actors remain determined to compromise systems for their own benefit, and they change and adapt their attack vectors and tactics, forcing users and companies alike to try to stay one step ahead. 

As the COVID-19 pandemic damages economies around the world, businesses struggle constantly to keep up with cybersecurity, to the point that the picture can change from one hour to the next. 

Virtual private networks (VPNs) have become valuable tools for protecting network connections against external threats. However, as with any software, VPN products can harbor vulnerabilities which, if exploited, allow attackers to steal proprietary information and conduct surveillance of their targets’ systems. 


One example is enough: the VPN vulnerability CVE-2019-11510 (an unauthenticated arbitrary file read in Pulse Connect Secure that exposes credentials stored on the appliance) accounted for almost 800,000 detections and was used in attacks during 2020 to deliver ransomware, malicious software that encrypts files or otherwise blocks access to parts of the infected system and demands payment in exchange for restoring access. Note that patching the appliance is not enough once it has been exploited: any credentials the attacker could have read must also be reset. 

Malicious actors have also found other ways to incorporate VPNs into their attacks. In one recently recorded case, an attacker bundled a VPN installer with Bladabindi (also known as njRAT), a backdoor designed to inject malicious payloads into systems, which can then be used to collect information from infected computers. 

As these examples show, effective methods of extortion, obfuscation and phishing will undoubtedly continue to emerge, driven by mismanagement of cloud services, infrastructure and connected assets. Corporate security will therefore not become any less complex; the risks of traditional technologies will combine with those of new ones, such as the use of artificial intelligence (AI) in commercial fraud. 

In addition, the rise of remote work increased the use of communication tools such as Zoom, Slack and Discord, and with it the attacks that took advantage of these applications: from pranks such as breaking into virtual meetings, better known as “Zoombombing”, to trojanized Zoom installers, ransomware variants that used Slack webhooks, and a spam email campaign that used Discord to deliver malware. 

The year was also full of new opportunities for cybercriminals, who took advantage of major events to turn them into illicit profit, using new and old techniques against the vulnerabilities, configuration errors and other security gaps left behind as companies and individuals rushed to adopt technologies in response to new challenges. 

Ransomware operators, in addition to demanding money to restore their victims’ access to encrypted data, also threatened to leak sensitive information if the victims did not pay (so-called double extortion). Victim organizations often gave in when they felt exposed to the reputational damage a leak would cause. 

Cybercriminals trade and interact with each other regularly, delegating recurring tasks, selling clandestine services and even selling access to collections of stolen data through the underground market that has grown up for that purpose. 

The most important security concerns that emerged and persisted in 2020 thus gave both users and organizations the opportunity to ask how they can address a drastically evolving threat landscape. 

Up to this point we could say that organizations have improved their security. However, malicious actors keep finding ways into their systems by compromising partners in their supply chain. By exploiting the stable, trusted relationships between the targeted organization and its partners, supply chain attackers can carve out a foothold in the organization’s systems. 

“The Attacks Don’t Stop: The Orion Case” 

In December 2020, one of the most widespread supply chain attacks came to light: the attack involving SolarWinds Orion, a widely used network management platform. Attackers inserted a backdoor into certain Orion builds, so that once the trojanized update was distributed to customers, the attackers gained access to the servers running the software and, through them, to the affected networks, where they could carry out numerous malicious activities. 

Given the nature of some of the targets, including major US government agencies, the attack could have had serious consequences. More broadly, how do attackers get in? In 2020 the vast majority of detections of COVID-19-related threats came from malicious spam emails, including those aimed at obtaining financial and personal information, mostly in the United States, Germany and France, which curiously are also among the countries hardest hit by the pandemic. 

The sense of urgency played an important role in the success of the scammers behind these threats, who personalized their messages around topical subjects such as COVID-19 stimulus packages and vaccine rollouts. 

“In the war against cybercriminals over information, our weapons are the solutions” 

Recently, the Trend Micro 2020 Annual Cybersecurity Report noted that in “the year of COVID-19” the cloud became an essential tool for employees in the operations of many organizations. However, the correct configuration of cloud services and assets remains a challenge. In April, for example, it was revealed that attackers were deploying cryptocurrency miners through exposed Docker daemon API ports using the Kinsing malware, which is linked to a campaign that targets misconfigured Docker daemon API ports to spread through Linux-based environments. Later, in October, an attack on the Docker API was reported that used shellcode as its payload. 

Shellcode is a small piece of code, usually written in assembly and delivered as raw machine code (opcodes), that is injected into a running process (classically onto its stack) so that the machine executes whatever the attacker programmed; according to the report, this was apparently the first time shellcode had been used as the payload in this kind of Docker attack. The root cause in both campaigns is the same: a Docker daemon listening on a TCP port (conventionally 2375) without TLS client authentication gives anyone who can reach that port root-equivalent control of the host. 
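The misconfiguration those Docker campaigns scan for is easy to audit. The script below, an added example that is not code from the original post or from Trend Micro, reads a Docker daemon.json, places the weak setting (a plaintext API on tcp://0.0.0.0:2375) beside an encrypted-but-unauthenticated one and the corrected one, and reports which listeners let an unauthenticated client in. The three configurations are constructed samples; the key names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are the real daemon.json options.

```python
"""Audit a Docker daemon.json for an API socket exposed without mutually
authenticated TLS. Added example, not code from the original post or from
Trend Micro; the sample configurations below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the weak setting that Internet-wide scans look for.
# tcp://0.0.0.0:2375 with no TLS options means any client that can reach
# the port can create containers, mount the host filesystem and run
# commands as root.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: encryption without client authentication. "tls": true
# only enables server-side TLS; without "tlsverify" the daemon still accepts
# any client, so this is not materially safer than the plaintext port.
ENCRYPTED_ONLY_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: the corrected setting. The daemon listens only on a
# management address and requires a client certificate signed by the CA in
# tlscacert before it accepts any API call.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Bind addresses that expose the API on every interface (urlsplit returns
# "::" for "[::]" and None for an empty host).
WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return findings for the TCP listeners in a daemon.json document.

    An empty list means there is no TCP listener, or every TCP listener is
    bound to a specific address and requires a verified client certificate.
    """
    cfg = json.loads(raw_json)
    findings: list[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Unix socket only: reachable by local root/docker group

    # tlsverify is the option that makes the daemon check client certificates;
    # "tls" on its own only encrypts the connection.
    client_auth = cfg.get("tlsverify") is True
    has_ca = bool(cfg.get("tlscacert"))

    for host in tcp_hosts:
        bind_addr = urlsplit(host).hostname or ""
        if bind_addr in WILDCARD_BINDS:
            findings.append(f"{host}: API bound to all interfaces")
        if not client_auth:
            findings.append(
                f"{host}: tlsverify is not enabled, so any client that can "
                "reach this port gets root-equivalent control of the host"
            )
        elif not has_ca:
            findings.append(
                f"{host}: tlsverify is set but tlscacert is missing, so the "
                "daemon cannot validate client certificates"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON),
                      ("encrypted-only", ENCRYPTED_ONLY_DAEMON_JSON),
                      ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{name}: {audit_daemon_config(cfg) or ['ok']}")
```

One caveat when using this on a real host: daemon.json is not the only place the listener can be configured. A `-H tcp://...` flag in the dockerd command line of the systemd unit has the same effect, so confirm what is actually listening with `ss -ltnp | grep dockerd` (or `docker info`) rather than trusting the file alone.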

Given the constant threats from actors determined to compromise systems for their own benefit, companies clearly need cybersecurity solutions that protect every device against attacks, solve the visibility and management problems of corporate networks, and combine policy mechanisms that protect those networks effectively. 

If you liked this post, subscribe to our monthly newsletter to stay up to date on cybersecurity. 
