COVID-19 pandemic drives criminal and political cyberattacks across networks, cloud and mobile in H1 2020: Study

Criminal, political and nation-state threat actors have exploited the COVID-19 pandemic and related themes to target organizations across all sectors, including governments, industry, healthcare, service providers, critical infrastructure and consumers, according to Check Point Research’s study, titled Cyber Attack Trends: 2020 Mid-Year Report.

COVID-19 related phishing and malware attacks increased dramatically from under 5,000 thousand per week in February, to over 200,000 per week in late April. Also, in May and June, as countries started to ease lockdowns, threat actors also stepped up their non COVID-19 related exploits, resulting in a 34% increase in all types of cyberattacks globally at the end of June compared to March and April.

Key trends revealed in the report include:

• Cyber warfare escalates: Nation-state cyberattacks surged in intensity and severity in H1 as countries sought to gather intelligence on or disrupt rivals’ handling of the pandemic. This extended to targeting healthcare and humanitarian organizations such as the WHO, which reported a 500% increase in attacks.
• Double-extortion attacks: In 2020, a new form of ransomware attack has become widely-used in which the attackers exfiltrate large quantities of data prior to encrypting it. Victims who refuse to pay the ransom are threatened with the data being leaked, putting additional pressure on them to meet the criminals’ demands.
• Mobile exploits: Threat actors have been seeking new mobile infection vectors, improving their techniques to bypass security protections and place malicious apps in official application stores. In another innovative attack, threat actors used a large international corporation’s Mobile Device Management (MDM) system to distribute malware to more than 75% of its managed mobile devices.
• Cloud exposure: The rapid move to public clouds during the pandemic has led to an increase in attacks targeting sensitive cloud workloads and data. Threat actors are also using cloud infrastructure to store the malicious payloads used in their malware attacks.  In January, Check Point researchers found an industry-first critical vulnerability in Microsoft Azure which would have allowed hackers to compromise data and apps of other Azure tenants, showing that public clouds are not inherently secure.

“The global response to the pandemic has transformed and accelerated threat actors’ business-as-usual models of attacks during the first half of this year, exploiting fears around COVID-19 as cover for their activities. We have also seen major new vulnerabilities and attack vectors emerging, which threaten the security of organizations across every sector,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “Security experts need to be aware of these rapidly evolving threats so that they can ensure their organizations have with the best level of protection possible during the rest of 2020.”

The most common malware variants during H1 2020 were:

Top malware overall during H1 2020

1. Emotet (impacting 9% of organizations globally) – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently has been used as a distributer of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can also be spread through phishing spam emails containing malicious attachments or links.
2. XMRig (8%) – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
3. Agent Tesla (7%) – AgentTesla is an advanced remote access trojan (RAT) which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim’s keyboard input and system clipboard and can record screenshots and exfiltrate credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.

 Top cryptominers during H1 2020

1. XMRig (responsible for 46% of all cryptomining activity globally) – XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
2. Jsecoin (28%) – Web-based Crypto miner designed to perform unauthorized online mining of Monero cryptocurrency when a user visits a particular web page. The implanted JavaScript uses a large amount of the computational resources of the end-user’s machines to mine coins, thus impacting the performance of the system. JSEcoin stopped its activity in April 2020.
3. Wannamine (6%) – WannaMine is a sophisticated Monero crypto-mining worm that spreads the EternalBlue exploit. WannaMine implements a spreading mechanism and persistence techniques by leveraging the Windows Management Instrumentation (WMI) permanent event subscriptions.

Top mobile malware during H1 2020

1. xHelper (responsible for 24% of all mobile malware attacks) – xHelper is an Android malware which mainly shows intrusive popup ads and notification spam. It is very hard to remove once installed due to its reinstallation capabilities. First observed in March 2019, xHelper has infected more than 45,000 devices.
2. PreAMo (19%) – PreAMo is a clicker malware for Android devices, first reported in April 2019. PreAMo generates revenue by mimicking the user and clicking on ads without the user’s knowledge. Discovered on Google Play, the malware was downloaded over 90 million times across six different mobile applications.
3. Necro (14%) – Necro is an Android Trojan Dropper. It can download other malware, show intrusive ads, and fraudulently charge for paid subscriptions.

Top banking malware during H1 2020

1. Dridex (responsible for 27% of all banking malware attacks) – Dridex is a Banking Trojan that targets Windows PCs. It is delivered by spam campaigns and Exploit Kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control.
2. Trickbot (20%) – Trickbot is a modular Banking Trojan that targets the Windows platform, and is mostly delivered via spam campaigns or other malware families such as Emotet.
3. Ramnit (15%) – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts.