Cybersecurity threats becoming pervasive

“Our 2019 findings depict organisations under tremendous pressure contending with adversaries who are methodical in selecting their targets and masterful at finding new pathways into environments as the attack surface widens,” said Arthur Wong, chief executive officer at Trustwave. “We continue to see the global threat landscape evolve through novel malware delivery, inventive social engineering and the ways malicious behaviours are concealed. How fast threats are detected and eliminated is the top cybersecurity priority in every industry.”

The report is based on the analysis of a trillion logged security and compromise events, hundreds of hands-on data-breach and forensic investigations, penetration tests and red teaming exercises, network vulnerability scans and internal research. 

Key findings from the 2020 Trustwave Global Security Report include:

• Attacks on cloud services more than doubles -- Corporate environments continue to lead all environments targeted by cybercriminals at 54% slightly down 2% followed by e-commerce at 22% down 5% when compared to 2018. Cloud services saw the biggest increase and is now the third most targeted environment accounting for 20% of investigated incidents up significantly from 7% the previous year.
• Social engineering reigns supreme in method of compromise -- Social engineering remained the top method of compromise in 2019. Half of all incidents investigated by Trustwave analysts were the result of phishing or other social engineering tactics, up from 33% in 2018. 

·       Ransomware overtakes payment card data in breach incidents -- For the first time, ransomware incidents overtook payment card data when comparing types of information most targeted by cybercriminals. The quick monetary return of encrypting specific computer files or entire systems and demanding payment accounted for 18% of breach incidents observed in 2019 up from 4% in 2018. By comparison, the success of ransomware was slightly higher than the total percentage of incidents involving card-not-present and track data at 17%.   

·       Malware-laden spam drops to nearly zero -- Findings show a large decrease in the volume of spam email hitting organisations from 45.3% in 2018 to 28.3% in 2019 due to several large spamming operations reducing activities or vanishing altogether. Of the spam analysed in 2019 by Trustwave, only 0.2% contained malware down from 6% the previous year. This decrease although positive, supports findings cybercriminals are shifting tactics opting for more targeted and personal email attacks known as Business Email Compromise (BEC). In 2019, Trustwave saw the average volume of BEC messages captured at the gateway rise to an average of 60 messages per day up from 20 messages the previous year.

·       Malware capabilities and delivery evolves -- Downloaders at 24.9% made a significant jump in the largest single category of malware encountered up from 13% in 2018. The increase can be attributed to an uptick in “malware-as-a-service” bots such as Emotet. Criminals often use downloaders and droppers in multi-stage attacks to install additional malware varieties.

• Database information disclosure vulnerabilities increase -- The number of vulnerabilities patched in five of the most common database products was 202, up from 148 in 2019. Of those patched, 118 allowed denial of service (DOS) attacks followed by information disclosure at 28, up from 15 in 2018.  

·       Cryptojacking nearly vanishes from web-based attacks -- The 1,250% surge of cyrptojacking malware observed in 2018 used to place JavaScript coin miners on websites or infect carrier-grade routers all but vanished in 2019 after cryptomining service Coinhive shut down. To make up for lost revenue, cybercriminals stepped up social engineering efforts by sending fake update messages for browsers, operating systems and other software to trick users into installing malware.

• Internal detection crucial for reducing threat response time -- The median time duration from threat intrusion to detection when detected internally dropped to just two days, down from 11 days in 2018. The median time duration from threat intrusion to detection when detected externally by a third party however rose significantly to 86 days from 55 days just a year ago.
• Windows and remote code execution favored -- Sixty-nine percent of malware investigated by Trustwave targeted the Windows operating system followed by cross-platform at 23% and Unix at 8%. Of the exploited vulnerabilities observed, the top two at 61% when combined, allowed remote code execution. Surprisingly, 67% of exploits used against service providers involved CVE-2014-0780 giving remote attackers the ability to read administrative passwords in app files and execute arbitrary code in unspecified web requests.       

·       Magecart gains prominence -- Attacks from Magecart, a loose affiliation of cybercriminal groups who target e-commerce sites often through the Magento platform, accounted for nearly 6% of overall Trustwave investigations in 2019 up from zero instances four years ago. Retail and hospitality have been hardest hit as cybercriminals pivot from targeting point-of-sale (POS) terminals due to implementation of Europay, MasterCard and Visa (EMV)chip technology to targeting online storefronts.