2019 CTI Trends and 2020 Predictions

In this blog post we are looking at the top trends and patterns that EclecticIQ Fusion Center analysts identified throughout 2019. The post is not an exhaustive account of all activities and threats in 2019 but will serve as a high-level overview to identify what the Fusion Center considers noteworthy from the end of 2018 and into the year 2020. Analysts used internal resources and external reporting to support findings.

Key Findings between 2018 and 2019

• Malware-as-a-Service is greatly expanding.
• Threat actor infrastructure is increasingly being coopted by other operators.
• Malware popularity was similar between 2018 and 2019.

Key Predictions for 2020

• Threat actor infrastructure will consolidate and make fingerprinting more difficult.
• Android will be the most victimized mobile OS.
• Phishing will continue to deliver the greatest volume of attacks.
• CVEs will increase in volume and popular CVEs will lead to more devastating attacks.
• Climate change policy will be the primary driver for further Hactivist activity.

Analysis of Last Year's Predictions for 2019 

Significant increase of using open and publicly available tools as malware platforms for operations.

Analysts observe a marked increase of Malware-as-a-Service (MaaS) attacks over 2019. MaaS commoditizes many pieces of malware into ‘tools’ that are licensed out for criminal activities within information networks.

There are two main drivers for expanding malware markets. First, malware development is fundamentally changing. Malware has been recorded developing at a rapid pace year-over-year, as measured by unique samples. Information Technology is passing a point where malware is no longer a scarce resource. Evidence of this is indicated by the marginal increase in new malware detections from 2018-2019. There are enough well-developed variants in circulation that a market of buyers and sellers is starting to emerge. MaaS employs different TTPs (Tactics, Techniques, and Procedures) than custom malware; Maas typically has heavy reuse of attack patterns. MaaS activity is further promoted in tandem with changes to Dark Web marketplaces that connect buyers and sellers to larger audiences (see report above). Increased malware circulation drives an increase in attack volume. Second, threat actors are increasingly and deliberately sharing infrastructure. Historically, threats and attacks were tailored to the specific systems or networks that they were attempting to access. This allowed analysts to identify unique attack patterns and command-and-control infrastructures (C2). Attribution was not as difficult. Throughout 2019, as an offshoot of growing MaaS operations, threat actors are sharing entire command and C2. This trend makes final attribution more difficult. MaaS samples are tailored in ways that make them highly modular and adaptable to different attacks. Part of the modular systems necessarily includes a robust C2 module. C2 networks increasingly leverage encryption and layers of obfuscation.  On a higher level, analysts observe more cooperation between well-organized cybercriminal gangs. Different groups partner to increase the effectiveness of attacks.

Increased political instability will lead to more nation-state attacks.

There has been an increase in political instability across the globe over 2019. There has also been an increase in reporting of APT activity. EclecticIQ Platform shows an increase of 425 additional APT reports in 2019 compared to 2018. However, there is not a clear causal relationship between these two observations as attribution is becoming more obscured. The success of past attacks and the spreading or sharing of attack infrastructure is likely supporting additional nation-state sponsored attacks. This is evident in Southeast-Asia (SEA) where analysts observe Vietnam-based groups greatly expanding State-backed operations in the region. The most active group was APT32.  There is evidence from 2019 that points to multiple nation-states taking interest in the Indonesian general election of 2019. China, continuing its Belt and Road initiative partnership with other nations, has launched a steady stream of espionage activities to give it a competitive advantage in negotiations.

Increased attacks are also evident in the Middle East region. Threat Intelligence analysts observe more activity that is very likely being stimulated by continued political struggle consolidating around Iran. Threat intelligence information sharing is enabling better detection and describing of advanced attacks that fall under the umbrella of State-sponsored attacks. This may provide a simple explanation of why more reporting is observed. Analysts also noted that dwell time is decreasing for attacks.

Attribution will add less value from a threat intelligence perspective.

A trend that EclecticIQ threat intelligence highlighted in 2019 included the blurring of attack infrastructure across the internet. This observation is represented by TTP sharing, discussed above. When threat actors use TTPs associated with other groups, it makes attribution less valuable because threat actors increasingly operate in similar ways with similar objectives. In addition to this observed trend, analysts also note that State-linked security companies are developing malware and selling it to governments. This is considered a special case of MaaS. Example organizations that develop highly advanced malware include, Intrusion Set: NSO Group operating out of Israel, and the Zerodium Group, known to release 0-days to governments (CVE-2018-16983). This type of malware allows for deeper penetration of special networks, such as the SS7 mobile network, that would otherwise be more difficult to access without specialized tools.

Activity Observed in 2019

APT and State-Linked Activities

EclecticIQ Analysts predicted further APT activity consolidated in the Middle East - mainly Iran. In Southeast Asia the focus centered on Vietnam, China, and North Korea. 2019 reporting of APT operations has been most heavily covering activities in the Middle East, Southeast Asia, and Russia. The uptick in middle east APT operations has been especially prevalent in 2019 with reporting of Iran-linked APT activity. Analysts expect to see heightened activity following the geopolitical rise in tensions in the Middle East; in this case, as Western countries confront Iran. Analysts have seen multiple aggressive campaigns operated by groups with links to Russia this year. There was a lengthy report covering The Dukes, Russian APT group(s), that shows Russia is still aggressively operating throughout the globe after the 2016 US Election interference. The “FinSpy” APT has also exhibited steady operations against global financial targets in 2019. Threat Actor TA2101 was active globally with advanced phishing operations. EclecticIQ analysts note that this focus may be the result of western bias within threat intelligence.

Malware and Attack Patterns (TTPs) in Review

Malware trends in 2019 are similar to those observed in the 2018 Trend Report. Bots, banking malware, and Remote Access Trojans (RATs) took the top spots in 2019. Current vendor reporting supports this evidence (Cisco , Proofpoint). Botnets are driven and supported in their main capabilities by robust C2 infrastructure. Increasingly, botnet C2 communications employ encryption, and have encoded algorithms that generate new C2 addresses dynamically Botnets open an organization to a variety of further risks. Banking malware is a prominently featured MaaS on many Dark Web marketplaces. This type of malware has seen significant developments increasing the scope of applications which can be targeted, and malware ability to retrieve login-overlay web templates from managed central repositories. These templates are very realistic and effective. In 2019 some of the most advanced banking malware originated inside and spread out from Brazil. Analysts do not see a marked increase in 2FA interception capabilities, but the threat persists. RATs are becoming highly specialized, more modular, and stealthier during installation. Specifically, some RAT families are evolving into specialized loaders, which initiate a further, final payload over multiple stages. Custom RATs are still featured as main payloads for more advanced campaigns. The attack patterns used to stage the malware typically involve Living-off-the-Land TTPs, which make the operations harder to detect, once they initially slip through perimeter defense. A large part of this development can be attributed to threat actors sharing infrastructure, which is speeding-up malware development. Ransomware is evolving rapidly as Big Game Hunting (BGH) ransoms are paid. Ransomware threat actor groups have been increasingly targeting organizations higher in software supply chains (MSPs, CDNs). TTPs used with ransomware have distinctly shifted to BGH attacks and attacks on health and education institutions. A major update to ransomware in 2019, highlighted by the Malware Maze family, uses TTPs whereby threat actors first exfiltrate all the information before performing encryption. The attackers release the company information publicly if the ransom is not paid. Mobile malware is currently a standard toolset for many APT intrusion sets. A good example of this is the WhatsApp 0-day from 2019. The increased drive in mobile malware follows our growing reliability on mobile devices. Reporting indicates there is now widespread penetration of cellular networks and mobile protocols, including targeted SIM card exploitation. This type of mobile spyware is in operation by unknown threat actors and was able to extensively penetrate the SS7 network to target specific individuals. It is highly suspected that this technology remains in the hands of State governments and has not yet spread widely.

Financial Crimes Exploit Systems Higher in Supply Chains.

In 2019, intrusion sets that target traditional electronic currency (credit cards) like Magecart targeted supply chains at a greater pace to include exploitation of CDNs and managed SaaS payment platforms.

Cryptocurrency attacks, while still targeting individuals, show a trend of targeted attacks on entire exchanges or trading platforms. Analysts observe ransomware currently offsetting cryptojacking attacks. This is expected to continue unless there is another spike in cryptocurrency valuation. Ransomware popularly targets MSPs to spread infection. Analysts also observed advanced campaigns, like ShadowHammer, use supply chain compromise as a cornerstone of their attack pattern with very effective results. Phishing continues to be a low-barrier attack vector and the most popular delivery vector by volume. Phishing TTPs continue to get better at penetrating human and machine defenses despite security advancements. One important development analysts have observed in 2019 is the ability of malware modules to intercept real email content and further weaponize it in additional attacks (Emotet malware).  BEC compromise was also notable in 2019. Active groups include: Silent Starling, London Blue, Silver Terrier. BEC TTPs use social engineering over multi-staged attacks to make their operations particularly effective. BEC TTPs in 2019 have been successful enough to draw attention from the FBI and BBB.

2020 Predictions

APT and State-linked operations will continue to follow geopolitical conflicts.

In Asia, analysts expect most activity will be driven by China and Russia. North Korea will remain a strong player, but their activity will likely depend on how aggressively they continue to pursue their weapons programs. Vietnam has shown signs of aggressive operations in SE Asia, as indicated by activities of Ocean Lotus, and is likely to be a key player next year.  The Middle East is likely to see escalating electronic threats mainly involving Iran, but Turkey is also demonstrating important geopolitical movement in the region that could likely to draw them into cyber conflicts. Infrastructure will further consolidate and will be further coopted by threat actors, including APT groups. Major criminal networks will develop stronger inter-networks with others to support operations. One effect this will have is to further blur the lines between State-linked APT and traditional criminal operations. Increased cooperation will further reduce attribution as a priority in threat intelligence. Attribution will increasingly focus on attack patterns and TTPs as malware variants and IOCs are further diluted.  Insufficient progress by nations to address climate change challenges may lead to increased hacktivism activity. In 2019 Brazilian Government entities and private companies had been targeted in response to increased destruction of the Amazon (#OpAmazonia). Business verticals at risk: agriculture, energy, mining, and water. Local hacktivist operations are very likely to continue in 2020 (#OpCatalonia, Anonymous Italy & LulzSecITA, #OpTurkey, #OpHongKong). Overall, the impact for organizations will probably be low (e.g. defacement and DDoS TTPs). 

Malware and Attack vectors

Malware variants are evolving to coordinate together. Different malware components will increasingly borrow and share interchangeable modules like plugins or apps involving multiple developers and code overlaps. This new operation style will serve to increase the effectiveness of attacks and decrease time spent on development. Analysts expect to see mobile malware attack volumes increase again through 2020.  Android OS will continue to be attacked in high volume due to its popularity, not only on mobile devices, but increasingly installed on IoT devices, such as public display boards. Ransomware TTPs now steal data and release it publicly if ransoms aren’t paid. Analysts expect to see formal State-level policy emerge from Western nations as a way to regulate ransomware-specific defenses and disincentivize ransom payments. Ransomware payments will increase in smaller, less capable industries and organizations. As BGH TTPs are exacerbated, threat actors will likely turn to smaller organizations using the same TTPs. Cryptocurrency attacks are expected to remain popular and steady, pending any significant crypto-valuation fluctuations. New major players entering cryptocurrency (Facebook Libra) are expected to increase attack volume.  APT style attack patterns are expected to become more widespread as MaaS and infrastructure sharing grow and introduce further threat-actor participants. Phishing attacks will become much more automated and low-touch for threat actors, while also maintaining high-efficacy. Ransomware will continue offsetting cryptojacking attacks unless there is a spike in cryptocurrency valuation. Email information gleaned from BEC attacks will become more specialized and valuable as threat actors coordinate further between different groups.  Threat actor cooperation and malware modularization will both make attribution more difficult in 2020, further to predictions made in 2019.  High levels of threat intelligence reporting will force high-profile APT groups to change TTPs in favor of completely custom operations as a way to avoid detection and attribution.  The disclosure of CVE's will continue to steadily rise. Trends over the past 5 years have shown that the submission and disclosure of CVEs have risen steadily, with numerous CVE's still awaiting CVE ID's. The number of CVEs submitted and disclosed will only increase as time goes by. Public bug bounty programs are also likely to boost vulnerability disclosure. The Weaponization of common vulnerabilities such as BlueKeep will continue. BlueKeep has such a large impact and attack surface, the weaponization into a Metasploit module and current usage to install cryptocurrency miners is only the beginning. A much larger attack is completely possible and inevitable.

Threat Intelligence-based 2020 Security Recommendations  

Move to a proactive defense that uses TTPs and Attack pattern detections in parallel with threat hunting efforts and a standard policy of whitelisting. A traditional security posture that uses IOCs and blacklists is inherently reactionary and is no longer sufficient. As attribution becomes increasingly obscure, it will make more sense to track attacks based on TTPs used and observed across a particular industry sector, rather than by tracking operators. A proactive approach tracking TTPs, rather than a reactive posture that focuses on IOCs, will allow organizations to move higher up the Pyramid of Pain. Defending from higher in the pyramid will disrupt attacks more effectively. Having access to a broad spectrum of high-quality threat intelligence will provide further visibility into specific TTP patterns that target your organization.