McAfee report shows threat actor evolution during pandemic

McAfee report shows threat actor evolution during pandemic

McAfee, the device-to-cloud cybersecurity company, has released its McAfee COVID-19 Threat Report: July 2020, examining cybercriminal activity related to COVID-19 and the evolution of cyberthreats in Q1 2020. McAfee Labs saw an average of 375 new threats per minute and a surge of cybercriminals exploiting the pandemic through COVID-19 themed malicious apps, phishing campaigns, malware and more. New PowerShell malware increased 688% over the course of the quarter, while total malware grew 1,902% over the past four quarters. Disclosed incidents targeting the public sector, individuals, education and manufacturing increased; nearly 47% of all publicly disclosed security incidents took place in the US.

“Thus far, the dominant themes of the 2020 threat landscape have been cybercriminal’s quick adaptation to exploit the pandemic and the considerable impact cyberattacks have had,” said Raj Samani, McAfee Fellow and Chief Scientist. “What began as a trickle of phishing campaigns and the occasional malicious app quickly turned into a deluge of malicious URLs and capable threat actors leveraging the world’s thirst for more information on COVID-19 as an entry mechanism into systems across the globe.”

Each quarter, McAfee assesses the state of the cyberthreat landscape based on in-depth research, investigative analysis and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

Capable threat actors exploit pandemic

McAfee researchers found it is typical of COVID-19 campaigns to use pandemic-related subjects including testing, treatments, cures and remote work topics to lure targets into clicking on a malicious link, downloading a file, or viewing a PDF. To track these campaigns, McAfee Advanced Programs Group (APG) has published a COVID-19 Threat Dashboard, which includes top threats leveraging the pandemic, most targeted verticals and countries and most utilised threat types and volume over time. The dashboard is updated daily at 4pmET.

“Cybersecurity cannot be solved by cookie cutter approaches. Each organisation is unique and has specific intelligence requirements and objectives,” said Patrick Flynn, Head of McAfee APG. “The McAfee COVID-19 Threat Dashboard utilises data to create true analysed intelligence, which allows users to understand the total threat environment, informing them of potential threats before they are weaponised.”

Data breaches: The new ransomware attack

Over the course of the first quarter of 2020, McAfee Advanced Threat Research (ATR) observed malicious actors focus on sectors where availability and integrity are fundamental, for example manufacturing, law and construction firms.

“No longer can we call these attacks just ransomware incidents. When actors have access to the network and steal the data prior to encrypting it, threatening to leak if you don’t pay, that is a data breach,” said Christiaan Beek, Senior Principal Engineer and Lead Scientist. “Using either weakly protected Remote Desktop Protocol or stolen credentials from the underground, we have observed malicious actors moving at light speed to learn the network of their victims and effectively steal and then encrypt their data.”

New ransomware declined 12% in Q1; total ransomware increased 32% over the past four quarters.

Q1 2020 threat activity

  • Malware overall. New malware samples slowed by 35%; total malware increased 27% over the past four quarters. New Mac OS malware samples increased by 51%.
  • Mobile malware. New mobile malware increased by 71%, with total malware growing nearly 12% over the past four quarters.
  • Regional Targets. Disclosed incidents targeting the Americas increased 60%, incidents targeting Asia-Pacific increased 27%, while Europe decreased 7%.
  • Security incidents. McAfee Labs counted 458 publicly disclosed security incidents, an increase of 41% from Q4. A total of 50% of all publicly disclosed security incidents took place in North America, followed 9% in Europe. Nearly 47% of all publicly disclosed security incidents took place in the US.
  • Vertical industry targets. Disclosed incidents targeting the public sector increased 73% individuals increased 59%, education increased 33%, and manufacturing increased 44%.
  • Attack vectors. Overall, malware-led disclosed attack vectors, followed by account hijacking and targeted attacks.
  • Cryptomining. New coinmining malware increased 26%. Total coinmining malware samples increased nearly 97% over the past four quarters.
  • Fileless malware. New JavaScript malware declined nearly 38%, while total malware grew nearly 24% over the past four quarters. New PowerShell malware increased 689%; total malware grew 1,902% over the past four quarters.
  • IoT. New malware samples increased nearly 58%; total IoT malware grew 82% over the past four quarters.

We spoke to Raj Samani, McAfee Fellow and Chief Scientist, to gather his thoughts on the findings.

Were you surprised by the threat activity figures from Q1 2020?

The slow pick up was perhaps a little surprising, but really, from about mid-March, I don’t think the volume was that unexpected. Perhaps more surprising was the geographies that were targeted — for some time, the most targeted country for malicious files, using COVID as a lure, was Spain and that was unexpected.

Was there anything that could have been done differently to avoid victims’ data being stolen?

Well, all of the metrics we presented were stopped. In fact, on malicious files alone, we stopped well over a million files that were intended to infect/defraud its victims. 

Why do you think attacks in the Americas increased, while those in Europe decreased?

In part, the US generally is one of the territories that is targeted more often. However, we also have to consider that unlike many other countries, it does have relatively mature reporting, so any attacks/breaches themselves can be identified and counted.

How do you predict the findings to change, moving forward?

The use of COVID as a lure is already fragmenting. We are now seeing attackers take advantage of some of the indirect consequence of the pandemic. For example, attackers are using the economic situation to bait individuals into clicking on links to malicious sites, under the guise that they will be able to claim stimulus cheques. Also, with more of us streaming content to our homes, we are seeing an uptick in phishing lures claiming that accounts have been suspended.

Browse our latest issue

Intelligent CIO Europe

View Magazine Archive