Earlier this month, CrowdStrike released its annual CrowdStrike Services Cyber Front Lines Report, a report that outlines the trends that the firm identified from client engagements and key cybersecurity themes identified from the prior year. Candidly, it’s a report that I consider one of the most insightful and that I look forward to the most each year for its ability to clearly articulate the cyber threats that organizations have faced in the past year, the vulnerabilities that left them exposed and the perpetrators responsible for attacks. It also provides clear recommendations and steps that readers can take to help protect their organization.
Writing the CrowdStrike Services Cyber Front Lines Report is invariably a tall task for its authors, in that it has to distill down a year’s worth of cyber findings from across the large ecosystem of CrowdStrike customers. But this year’s report must have truly been a labor of love because 2020 has been anything but a normal year for individuals, organizations and cybersecurity professionals.
The ongoing COVID-19 pandemic has been a public health emergency — as well as a driver of cybercrime. There were more than 40,000 cyber intrusions in the first half of 2020 alone, and much of that has to do with the COVID-19 pandemic. As Shawn Henry, President of CrowdStrike Services and CSO, recently explained, “In a crisis, people tend to lose sight of their better judgment. Meanwhile, criminal hackers and scammers are eager to take advantage of us.”
But that wasn’t the only reason why 2020 was a great year to be a cybercriminal. Here are three trends that CrowdStrike identified in 2020, and how they contributed to a year of cybercrime and extortion.
Operational changes increase attack surface
The mass movement to remote work that occurred early into the pandemic, and has persisted since, did a lot more than introduce Zoom meeting fails to the workplace and confuse our pets. It also had a direct and negative impact on organizational cybersecurity.
The need to rapidly pivot to online and remote work caught many IT departments and organizations off-guard. The infrastructure necessary to facilitate this move, including the movement toward VPNs and remote desktops, often had to be implemented quickly as organizations scrambled in early March to get their employees out of office spaces where they were at high risk of infection. This resulted in security gaps and errors that left organizations vulnerable. As the report explains:
“The operational … pivot to a work-from-anywhere model occurred under extreme time and operational pressures … many companies that did not previously permit remote access to corporate networks, like virtual private networks (VPNs), suddenly found that they needed to enable these technologies to support a fully remote workforce … Despite the best efforts of the technology teams that implemented these changes, attackers have consistently capitalized on new opportunities arising from security gaps or unintentional configuration errors.”
But it wasn’t just sloppy errors in VPNs that increased the attack surface for organizations. The movement toward remote work also drastically increased the number of personal devices on organizational networks and interacting with organizational data.
According to the 2020 CrowdStrike Global Security Attitude Survey that was recently conducted, 56% of respondents reported working from home more often. A significant majority (60%) of respondents also claimed to be using personal devices while working remotely. The pandemic effectively forced every government agency and private company to embrace the BYOD nightmare that many had been actively fighting against for years. And all of these remote work trends — combined — resulted in less secure organizations across the board.
Neglected clouds abound
When people get a shiny new car, they’re often militant about keeping it nice. They’ll wash it every weekend, and stop people from eating or drinking anything while inside. They may even park in multiple spots to keep folks away from their paint job. But that militant obsession with their automobile fades as it gets older and you start to see them at Sonic, downing a cheeseburger and slush with little concern for their interiors.
Something similar is starting to happen with the cloud. When the cloud first got huge, people were fastidious about ensuring cloud servers and services were secure. But since then, companies have adopted new cloud technologies or solutions and forgotten about some of their older cloud resources — often letting them languish with vulnerabilities, a lack of security updates, and no maintenance. And these neglected clouds become easy targets for cybercriminals.
The report emphasizes that while these cloud resources may be neglected, they, unfortunately, may still contain important applications and data. “One trend CrowdStrike saw in 2020 involved threat actors targeting cloud infrastructure slated for retirement or simply neglected for various reasons,” the report claims. “Unfortunately, CrowdStrike encountered cases where neglected cloud infrastructure still contained critical business data and systems …”
This was a trend that CrowdStrike saw accelerate significantly in 2020, but it wasn’t the only cloud trend they identified. They also saw an increase in hackers leveraging cloud solutions in their attacks. According to the report:
“Not only did the CrowdStrike Services team see cloud infrastructure as a target of attacks in 2020, the cloud also served as a vehicle to launch attacks. Over the past year, threat actors leveraged common cloud services, like Microsoft Azure, and data storage syncing services, like MEGA, to exfiltrate data and proxy network traffic.”
If these two trends are evidence that organizations are more susceptible to attack, the next trend identified by CrowdStrike shows why that is a particularly large problem right now.
More sophisticated and more cooperative
In the past year, CrowdStrike witnessed malicious actors evolving their tactics and utilizing more sophisticated approaches and tools in their activities. And it makes sense. With 63% of incidents investigated in 2020 being financially motivated, it’s clear that this is their business, and malicious actors will adapt and evolve to ensure that business stays good.
The year 2020 saw the evolution of the Ryuk ransomware into a new, more sophisticated tool called Conti. CrowdStrike also witnessed malware and other attack vectors evolving to avoid detection and deletion from antivirus and other cyber tools.
“Antivirus solutions failed to provide protection in 40% of the incidents CrowdStrike responded to in 2020 in which either malware was undetected or a portion of the attack sequence was missed by antivirus tools,” the report claims. Although, the report notes that, in some cases, there was user error at fault, “…in 30% of incidents, antivirus or endpoint detection and response (EDR) tools were not fully deployed, were improperly configured or were not supported on the operating system.”
The report also identifies another troubling trend regarding hackers and other malicious actors — they’re starting to work together:
“CrowdStrike has observed formal collaboration among eCrime adversaries as well as shared tactics. In June 2020, the self-named “Maze Cartel” was created when TWISTED SPIDER, VIKING SPIDER, and the operators of LockBit ransomware entered into an apparent collaborative business arrangement. After this occurred, leaks associated with VIKING SPIDER’s Ragnar Locker began appearing on TWISTED SPIDER’s dedicated leak site and Maze ransomware began deploying ransomware using common virtualization software, a tactic originally pioneered by VIKING SPIDER … In addition to formal collaboration, CrowdStrike Services has observed new tactics used and spread among eCrime actors.”
