With the start of the new year Orpheus takes a look at the emerging threats, upcoming events, and developing technology that we believe will shape the threat landscape in 2020. Below are five forecasts for the year ahead.
In line with analytical best practice, Orpheus has attempted to ensure that these forecasts are quantifiable, time-bound and based on a probability yardstick,[1] allowing the accuracy of these predictions to be assessed throughout the year. The nature of cyber operations, where reporting is frequently fragmentary and sometimes misleading, and where attribution is an inexact process, means that such well-defined forecasts can be difficult to generate; however, there is still assessed to be value in highlighting likely trends in the coming year.
1. Shift towards continuous development cycles for malware
Echoing their legitimate counterparts on the surface web, malware developers are increasingly adopting an iterative approach to releasing their code, with an emphasis on continuous delivery. In 2020, this trend will be driven by both push and pull factors – for example the continuing demand for malware-as-a-service, which will accelerate competition between these offerings, on one side; and improving mitigation measures for ransomware, which necessitate more frequent releases, on the other. We therefore anticipate that, to stay ahead of their peers and their targets, and in line with the broader effort to imitate successful surface web business models, malware developers will be increasingly agile and flexible in the way in which they release malware in an attempt to retain and grow their customer base.
For example, the Buran ransomware receives frequent updates to stay afloat in the increasingly competitive ransomware-as-a-service market. In the screenshot below, a member of its support team posts to announce that the fourth version of the service includes significantly faster data processing.
Figure 1 Buran ransomware’s support team highlights the faster data processing in the latest version of their product
Forecast: We assess it as probable that there will be ten malware-as-a-service offerings using this continual development model by the end of 2020.
2. Geopolitical rivalries to provide drivers for state information operations
State actors have persistently sought to breach and release potentially sensitive information to support their own geopolitical objectives. Russia’s APT28 has led this charge, targeting bodies such as the World Anti-Doping Agency (WADA) and the US Anti-Doping Agency (USADA) in a bid to expose and undermine their alleged anti-Russian bias. WADA’s current ban on Russian participation in the 2020 Tokyo Olympics means these motives remain, while Russia’s Olympic Destroyer false flag attack on the 2018 Winter Olympics illustrates a potentially more disruptive intent. This targeting rationale may also extend to associated bodies, such as drug testing laboratories, national Olympic committees or even the personal accounts of individual athletes and coaches.
Meanwhile, the 2020 US presidential election is likely to encourage similar Russian activity to that in 2016. As before, the aim will likely be to steal and leak potentially sensitive information relating to Democratic candidates, mixed in with disinformation. Reports that Russia’s APT28 group targeted Burisma, the Ukrainian energy firm related to Trump’s impeachment, may indicate these efforts are underway – and possibly expanding beyond the US-only scope of the 2016 election.
Russia will not be alone in the pursuit of these operations in 2020. Although Iran will continue to dedicate a significant portion of its cyber capabilities to controlling political dissent, we anticipate it will also use increasingly sophisticated information operations to undermine its geopolitical rivals in 2020. Iran’s desire to strike back at accessible US targets means that these may take a more active shape – for example by breaching and releasing information from rival governments and supranational bodies.
Forecast: We assess that it is almost certain that there will be public reporting concerning attempted targeting of WADA, or testing laboratories, or other Olympic infrastructure, by 31 December 2020, and probably before 24 July 2020. We assess that it is likely that Iran will conduct its own information operations targeting international bodies. We assess that it is almost certain there will be public reporting in which efforts to target the US election and associated targets are attributed to Russia.
3. Ransomware to run rampant – with a twist
Despite predictions of its demise, ransomware has successfully innovated to remain relevant. We anticipate that in 2020 new tactics will ensure its persistence.
Previously, ransomware operators have threatened to publish stolen data unless the ransom demand is met. More often than not, these data extortion threats remain just that – threats. However, many organisations are resisting ransom demands as they become more aware of the ransomware threat and better at implementing back-up policies. We recently observed a new tactic when threat actor TA2101 infected a security staff provider with the Maze ransomware strain and, after an unsuccessful extortion attempt, leaked part of the organisation’s data online.
Forecast: We predict that by 31 December 2020, 18% of all of our recorded ransomware incidents will consist of cases where data confidentiality was also impacted, representing twice the current 9% figure in our reporting.
4. Increasingly elaborate phishing techniques
Phishing: the most popular infection vector and a seasonal nuisance. Many endpoint security solutions filter emails deemed to be suspicious, and organisations are increasingly educating employees on how to combat the threat phishing poses. Yet both technological and human solutions, as they currently stand, may not be enough against emerging Deepfake technology – particularly instances that use Artificial Intelligence (AI) to mimic voices.[2]
Reports that cybercriminals were able to defraud $243,000 from the CEO of a UK-based energy firm, who thought he was speaking to the chief executive of the firm’s parent company, highlight the potential risks associated with AI-powered cyber attacks – particularly in support of CEO fraud. 2020 will likely witness more phishing via audio Deepfakes, as their potential profitability has been proven. This represents a natural evolution of “vishing” efforts, where the perpetrator uses a phone call or a voice mail to supplement their phishing email, making it appear more legitimate.
Forecast: We assess that at least one previously unreported evolution in phishing techniques will be publicly documented by 31 December 2020. We forecast that reporting of AI-facilitated phishing attempts will increase five-fold by 31 December 2020 (from a baseline of a single incident in 2019).
5. Companies will fail to secure exposed databases
Despite repeated instances throughout 2019, companies will continue to fail to properly secure databases in 2020. Amazon S3 buckets, MongoDB and Elasticsearch instances will all remain exposed to the internet without proper authentication. These instances will leave easy pickings for cybercriminals looking to steal sensitive or personal data – or, more mercifully, security researchers who are instead looking to notify the companies and raise publicity of the issue.
Forecast: Orpheus’ Cyber Risk Rating tool will show that 15% of companies will have ports associated with popular database services exposed to the internet.
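The metric in that forecast, the share of companies with database service ports reachable from the internet, can be computed from an external port-scan export. The following is an added example and is not Orpheus’ Cyber Risk Rating tool or any of its code; the scan export is constructed, and the Redis and PostgreSQL ports are assumed defaults added alongside the MongoDB and Elasticsearch ports the post names.

```python
from collections import defaultdict

# Ports associated with popular database services. MongoDB and Elasticsearch
# are the products the post names; Redis and PostgreSQL are assumed defaults.
# S3 buckets are served over HTTPS by AWS, so a port inventory cannot detect
# an open bucket; that needs a bucket-policy check instead.
DATABASE_PORTS = {
    27017: "MongoDB",
    9200: "Elasticsearch HTTP API",
    9300: "Elasticsearch transport",
    6379: "Redis",
    5432: "PostgreSQL",
}

# Constructed sample of an external port-scan export: company,host,port.
SAMPLE_EXPORT = """\
acme,203.0.113.10,443
acme,203.0.113.11,27017
globex,198.51.100.5,443
globex,198.51.100.5,22
initech,192.0.2.20,9200
initech,192.0.2.21,5432
umbrella,203.0.113.200,80
"""

def parse_export(text):
    """Parse 'company,host,port' lines, skipping blank or malformed records."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append((parts[0], parts[1], int(parts[2])))
    return records

def exposed_databases(records):
    """Group database-port exposures by company: {company: [(host, port, service)]}."""
    findings = defaultdict(list)
    for company, host, port in records:
        if port in DATABASE_PORTS:
            findings[company].append((host, port, DATABASE_PORTS[port]))
    return dict(findings)

def exposure_rate(records):
    """Percentage of companies with at least one exposed database port."""
    companies = {company for company, _, _ in records}
    if not companies:
        return 0.0
    return 100.0 * len(exposed_databases(records)) / len(companies)
```

An open port only shows that the service listens; whether it accepts unauthenticated requests is a separate check against that service’s own configuration.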
[1] Tetlock, P.E. and Gardner, D., 2016. Superforecasting: The art and science of prediction. Random House.