BLOG: 2020 predictions in review

We review a series of forecasts we made at the start of the year, assessing whether our predictions were met or even exceeded.

“Shift towards continuous development cycles for malware”

At the beginning of the year, we assessed how malware developers, particularly those offering their products as-a-service to other cybercriminals, were increasingly adopting an iterative approach to releasing their code. We predicted a continuation of this trend with the specific forecast:

“We assess it as probable that there will be ten malware-as-a-service offerings using this continual development model by the end of 2020”

In making this prediction, we assessed there would be multiple drivers, including growing competition between malware-as-a-service offerings and the need to always stay ahead of endpoint security solutions.

Now near the end of 2020, we can look back and determine whether this prediction has been met. We have found there are well over ten malware-as-a-service offerings following a continual development model, with examples including:

• Amedy, a modular malware loader (see screenshot below)
• Smoke Loader, a modular malware loader
• Avaddon, a ransomware variant
• Raccoon Stealer, a basic info-stealer
• BitRAT, a remote access trojan
• RMSBuilder, a remote access trojan
• Bazar, a backdoor associated with the TrickBot crime-as-a-service solution

As our original prediction of ten malware variants demonstrates, we evidently underestimated the growth in malware-as-a-service. This may partly reflect our other underestimation, namely the increasing popularity of “double extortion” among ransomware groups (see section below). Many of these ransomware variants are also offered as-a-service, contributing to the growth of such services that exceeded our expectations.

Amedy is an example of a malware-as-a-service offering continuously updated in minor increments

“Geopolitical rivalries to provide drivers for state information operations”

The second of our forecasts for 2020 concerned nation states stealing and leaking sensitive information to further their geopolitical objectives. We specifically made the following prediction:

“We assess that it is almost certain that there will be public reporting concerning attempted targeting of WADA, or testing laboratories, or other Olympic infrastructure, by 31 December 2020, and probably before 24 July 2020. We assess that it is likely that Iran conducts its own information operations targeting international bodies. We assess that it is almost certain there will be public reporting in which efforts to target the US election and associated targets is attributed to Russia.”

As a result of the global COVID-19 pandemic, the Tokyo Olympics have been postponed until 2021, delaying any possible targeting. However, our prediction was still supported by the UK government disclosing in October that Russia had been planning to target the games and its organisers. While this was reportedly planned as a disruptive attack, an information operation may have accompanied it to maximise the impact.

In contrast, 2020 has definitively supported the second aspect of our forecast. Multiple state actors have been building their capability to conduct disinformation operations, with topics such as the pandemic and the US election proving to be fertile grounds for spreading conspiracy theories and eroding trust in state institutions. Iran has clearly been active in this respect, with the US government recently seizing 27 domains used for IRGC (Iranian Revolutionary Guard Corps) information operations. These operations have targeted international bodies. For example, in November, we assessed how an Iranian actor had targeted US government websites holding voter registration data, with the purpose of using this information in campaigns aimed at influencing voter behaviour.

With regards to the targeting of the US election and the third aspect of our forecast, Russia did in fact deploy its capability to this end. APT28, for example, which was the group most prominent in targeting the 2016 election, reportedly targeted over 200 organisations and individuals associated with the 2020 contest. Similar TTPs (tactics, techniques and procedures) to 2016 were used – namely targeting victims’ credentials – so it seems likely that the ultimate objective, as before, was to leak sensitive information in information operations designed to influence the outcome of the election. However, while the forecast regarding Russia held true, our reporting has illustrated how other states were involved in targeting the 2020 election (e.g. Iran, see above), supporting our broader assessment regarding the growing appeal of information operations.

“Ransomware to run rampant – with a twist”

Near the end of 2019, ransomware groups began stealing data as well as encrypting it, allowing for an additional means of extortion for when a victim is unwilling to pay the ransom. In light of this emerging trend, we predicted that the overall number of incidents in our intelligence reporting database where data confidentiality was impacted would increase, making the following forecast:

“We anticipate the volume of ransomware incidents affecting the confidentiality of data will double.”

As it has turned out, ransomware engaging in “double extortion” by both encrypting and stealing data has been one of the most prominent trends in 2020’s threat landscape. It is now the norm for most ransomware variants used in targeted operations and continues to mature as a practice, with cybercriminals setting up their own data leak websites, auctioning off stolen data and even promoting leaks by purchasing ads on Facebook.

The trend has been so prominent that our forecast was already met halfway into the year. While the rate of increase has since slowed, the overall percentage of recorded ransomware incidents affecting confidentiality is currently at 21% (see graph below), exceeding the 18% we predicted at the beginning of the year.

Ransomware incidents impacting data confidentiality have more than doubled since the start of the year, as our reporting  shows

As we assessed in a previous blog piece, there are multiple factors driving the popularity of “double extortion” among ransomware operators. Chief among these is the increased leverage, with cybercriminals able to successfully extort organisations even when they have sufficient back up policies in place to secure their data’s availability. There is also the parallel trend of “big-game hunting” against high-profile networks, where ransomware operators typically spend time carefully enumerating infrastructure before activating their payload. This approach, which has grown in popularity over the past year, naturally suits “double extortion” operations as cybercriminals can use their time to identify the target’s most sensitive data.

Another factor which accounts for the surging popularity of “double extortion” and may even explain why it surpassed our expectations is the widespread shift to remote working in many sectors as a result of the COVID-19 pandemic. This has both increased usage of remote access tools and disrupted patching cycles for addressing vulnerabilities in such tools. Cybercriminals are likely exploiting this opportunity, which would partly explain why CVEs such as CVE-2019-11510 in Pulse Secure VPN Gateway and CVE-2019-19781 have proven popular in ransomware attacks this year.

“Increasingly elaborate phishing techniques”

Cybercriminals are frequently finding novel ways for their phishing emails to bypass both endpoint and human defences, as they seek to stay ahead of improving security software and greater employee awareness, respectively. At the more advanced end of the scale, this has seen cybercriminals use AI-based “Deepfake” technology to mimic human voices, allowing for highly effective phishing or “vishing”, which is where a threat actor accompanies their email with a phone call. We anticipated this particular tactic would grow in popularity, making the following prediction:

“We assess that at least one previously unreported evolution to phishing techniques will be publicly documented by 31 December 2020. We forecast that reporting of AI-facilitated phishing attempts will increase five-fold by 31 December 2020 (from a baseline of a single incident in 2019).”

With regards to the first part of the forecast, we have seen multiple innovations in phishing this year. In January, for example, we reported on a campaign using a malicious Microsoft Office 365 OAuth app. OAuth is an open-standard authorisation protocol that allows users to share account information with third-party applications or websites without the need to provide these with access credentials. It does so by using authorisation tokens rather than password data. As such, it would be highly effective in a phishing context, as a threat actor could maintain access to a victim’s email account even if they were to change their credentials.

As for AI-facilitated phishing attempts, we have not seen any new reported instances since our 2020 forecast. Our assessment was based on the fact that TTPs, if proven successful, tend to filter down to other threat actors. Phishing innovations, however, typically require relatively little technical sophistication. As such, it is possible that AI-based phishing techniques are still beyond the capabilities of most cybercriminals, limiting their spread.

“Companies will fail to secure exposed databases”

The last of our forecasts made at the start of the year concerned the tendency for organisations to leave their databases exposed to the internet, without proper authentication. We assessed that this behaviour would continue, despite widely reported incidents where poorly-secured databases led to data theft or extortion attempts. Specifically, we predicted that by the end of 2020:

“Orpheus’ Cyber Risk Rating tool will show that 15% of companies will have ports associated with popular database services exposed to the internet.”

Using our Cyber Risk Rating tool shows that currently 10,828 out of 74,258 scanned organisations have database ports open on their infrastructure. This is equivalent to 14.6%, just short of our prediction. Again, the pandemic and the requirement to be able to access some of these databases remotely (albeit with proper authentication) has likely contributed to this percentage, although it has fallen short of the level we predicted.

We anticipate we will see a similar percentage in future assessments, given the aforementioned tendency for databases to remain exposed to the internet despite widespread reporting of the issue.