Mad About Malware: Hot Spots and Trends in 2020


The business of cybercrime seems to be unhindered by the coronavirus this year. They continue to work hard through the pandemic, using it and other drivers to ply their trade. This year has been a banner year for them in many ways maximizing global events, with malware remaining a tried-and-true weapon of choice. The trends in malware that we’ve seen this year reflect both adversary intent and capability. 

Similar to IPS detections, malware picked up by sensors doesn’t always indicate confirmed infections but rather the weaponization and/or distribution of malicious code. Detections can occur at the network, application and host level on an array of devices. Threat researchers have seen some common trends and hot spots this year when it comes to malware. 

HTML and phishing continue to dominate the malware category

The HTML/Phish family that includes all variants of web-based phishing lures and scams was among the top five malware types in use earlier this year. Together with its HTML cousins of /ScrInject (browser script injection attacks) and /REDIR (browser redirection schemes), this demonstrates cybercriminals’ strong desire to get at people where they are often most vulnerable and gullible: browsing the web. 

Web-based malware often confuses and/or bypasses conventional antivirus products, increasing the chance of successful infection. That’s even more worrisome, because we noted a marked drop in corporate web traffic due to people surfing from home rather than the office. Home networks are typically less well-defended than corporate networks, yet they are linked to a greater degree now than ever before. Savvy defenders should note that the browser has been a prime delivery vector for malware this year and act accordingly to ensure consistent controls for remote systems.

Malware at the farthest edge

Attackers are evolving their tools and strategies to the expanding network edge. Corporate network attacks launched from a remote worker’s home network, particularly when attackers understand usage trends, can be carefully coordinated so they do not raise suspicions. Eventually, advanced malware could also discover even more valuable data and trends using new EATs (Edge Access Trojans) and perform invasive activities such as intercept requests off the local network to compromise additional systems or inject additional attack commands.

Cybercriminals may also turn their attention to the ultimate network edge – space – and seek to exploit the connectivity of satellite systems and overall telecommunications. As new communication systems scale and begin to rely more on a network of satellite-based systems, cybercriminals could target this convergence. Consequently, compromising satellite base stations and then spreading that malware through satellite-based networks could give attackers the ability to potentially target millions of users at scale or inflict DDoS attacks that could impede vital communications.

Malware that exploits old vulnerabilities still prevalent

The CVE-2017-11882 vulnerability allows an attacker to run arbitrary code in the context of the current user. It’s been public for several years now – though the bug itself is much, much older – but it steadily climbed in prevalence early in 2020 and held the top spot for four straight months. 

We weren’t the only ones to notice this upswing in use. In April, the U.S. Secret Service posted an alert about fraudulent COVID-19 emails using malicious attachments. A representative of the USSS’s Criminal Investigative Division observed that the malware spreaders were looking to exploit CVE-2017-11882 for multiple campaigns. 

A particularly mean campaign pretends to come from the U.S. Department of Health and Human Services (HHS) and informs the recipient that they’ve contracted COVID-19. Another targets medical equipment manufacturers with a malware-laden document sent via email asking them to provide equipment.

Bad actors are using encryption for malware 

Encryption is now a foundational element of today’s digital business, particularly as more customers, workers and applications connect to corporate resources across the public internet. This includes encrypting web traffic, a practice that has risen in prevalence from 55% to 85% in just three years. While encryption offers many benefits for organizations, cybercriminals are also taking notice of those benefits. 

Encryption is vital in that it enables organizations to securely move sensitive and confidential information around without exposing financial data, personally identifiable information (PII) or intellectual property (IP) to prying eyes. But because organizations don’t have visibility into most of that traffic, it may also be carrying unsanctioned applications and malware hidden in encrypted flows. 

Never ones to miss the opportunity to exploit a weakness, malicious actors are using this blind spot to get around security detection, knowing most people do not inspect it. They use encryption to hide their presence and escape detection, whether delivering malware or other invasive payloads.

Best practices in network defense

2020 has seen no lack of cybercriminal activity. Malware is a trusted favorite because it just keeps working, and HTML and phishing topped the attack types for five of the first six months. Because the browser was a main delivery vector for these attacks, organizations need to pay even more attention to maintaining consistent security controls – especially in light of their distributed workforces. Finally, 2020 has taught us to revisit the practice of inspecting encrypted traffic. These are all standard security protocols to step up in light of what cybercriminals are doing now.

view counter

Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet’s FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.

Previous Columns by Derek Manky:
Tags:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *