Getty Images/iStockphoto

Top Risks of 1H 2020: Ransomware, Mobile, Health Infrastructure

Fueled by COVID-19, Skybox Security predicts over 20,000 vulnerability reports by the end of 2020, as hackers ramp up ransomware and health infrastructure and mobile device attacks.

The first half of 2020 has seen a spate of cyberattacks fueled by the COVID-19 pandemic with a spike in ransomware samples and mobile vulnerabilities, as well as a host of targeted attacks on critical infrastructure, including healthcare companies and research labs, according to a Skybox Security report

For its mid-year 2020 Vulnerability and Threat Trends Report, researchers analyzed a range of security feeds, dark web investigations, and other sources, in addition to manual and automated analyses to assess attack trends, cyber events, and attackers' tactics, techniques, and procedures. 

The report is designed to shed light on the vulnerabilities being exploited in the wild and other attack trends. These threats have rapidly expanded during the COVID-19 pandemic, fueled by the response and an increase in remote work.

Researchers predict that by the end of 2020 there will be well over 20,000 new vulnerability reports.

Ransomware Thrives

The creation of ransomware, trojans, and other malware variants have thrived amid the crisis, with an increase of 72 percent new samples. Researchers also saw 27 more trojan variants during the last six months. 

Further, there was an increase in nearly all malware types during the first half of 2020, with just cryptocurrency miners and worms seeing a decline in newly created samples when compared with 2019.

While the number of reported successful ransomware attacks on the healthcare sector declined during the first half of 2020 with just 41 providers reporting successful attacks, researchers stressed that the number of attempts remained constant.

And as one out of 10 ransomware attacks results in data theft, providers were urged not to mistake the lull in reports as a sign these malicious attempts would cease altogether.

“Of all malware types, the one with the most transparent motivation is ransomware,” researchers explained. “Its effects tend to be immediate, as attackers place deadlines on their ransoms. But a ransomware module per se is usually the last piece to be delivered in a malware chain, with criminals outsourcing infiltration to other programs.” 

“While organizations were vulnerable and distracted, hackers developed new ransomware samples and advanced existing tools to attack critical infrastructure — including vital research labs and healthcare organizations,” they added. “The sophistication of the malware and methods used by attackers over the first half of 2020 highlight just how complex cybersecurity management has become.” 

In particular, researchers predicted that the increase in new botnet and trojan categories were spurred by hackers leaning on Ryuk and Emotet, which commonly rely on outsourcing activity. 

Ransomware has also increased given improved sophistication of attack methods, such as those used by Sodinokibi and REvil hackers. These attacks have spread across several vectors in 2020, so far, with researchers warning “the particular growth path taken by Sodinokibi’s developers should be seen as an example of the organizational prowess that attackers now possess.” 

These sophisticated attacks have made ransomware profitable, adaptable, proven, and scalable, researchers stressed. 

“They have the strategic nous of large enterprises paired with strong technical capabilities that enable them to achieve their goals. It is clear that organizations are not facing up to lone wolves anymore — they are having to stave off threats from well–coordinated criminals,” researchers explained. 

Healthcare Infrastructure Targeted

The report also found hackers have been emboldened by the crisis with a spate of cyberattacks aimed at disrupting pharmaceutical firms and healthcare entities. Threat actors prey on the need for uninterrupted operations of these companies, in hopes of increasing the chance of a payoff.  

As seen with the ransomware attack on the University of California San Francisco School of Medicine, officials paid a $1.14 million ransom demand to unlock encrypted files. Hackers have also exploited ExecuPharm, Brno University Hospital, the World Health Organization, and Hammersmith Medicines Research, and a host of others amid the crisis. 

“While ExecuPharm is not playing a central role in the development of COVID–19 vaccines or treatment, the other two are, and targeting any part of the medical infrastructure at this time threatens the health and well–being of the entire general public,” researchers warned. 

Skybox researchers warned these healthcare and pharma entities must work to better protect their hybrid infrastructure by developing a holistic cybersecurity management strategy. However, the siloed nature between the operational technology and IT departments will make it difficult for organizations to put this plan into action. 

“Dismantling these silos needs to happen through iterative change. The teams charged with operating and developing OT devices need to develop foundational knowledge that can be used to protect these notoriously difficult–to–patch network areas,” researchers added. 

Mobile Vulnerabilities

Researchers observed a 50 percent increase in mobile vulnerabilities during the first half of 2020, increasing the risk to the enterprise as the pandemic blurred the lines between corporate and personal home networks. These flaws are driven solely by Android bugs.

Microsoft had the second-largest growth in flaws with an 80 percent increase in reported vulnerabilities. 

In total, there have been 492 Google Android vulnerabilities reported in the last six months, compared to 230 in 2019 during the same time period. These flaws don’t reflect poor design, rather, “a result of their ubiquity — the more well–known and widely used the product, the more third-party research into its flaws — and their transparency.” 

“The rise of these products, and the increase of the vulnerabilities that exist within them, has come at a time when organizations have switched to working remotely en masse...  with attackers now better able to take advantage of flaws within home networks to gain access to an organization’s critical assets,” researchers explained. 

“Securing a widened network perimeter has become a strategic priority for most businesses,” they continued. "Managing the crossover between personal and professional devices and ensuring that the vulnerabilities that sit within both cannot be exploited is now a prime concern.” 

Legacy Windows Vulnerabilities

In January, Microsoft ended its support of Windows 7 platforms but an estimated 200 million devices still operate on legacy Windows versions. Moreover, the healthcare sector relies heavily on these outdated technologies, with the majority of medical devices operating on older Windows platforms. 

According to the report, hackers are continuously looking to exploit these unpatched, exposed vulnerabilities, especially as “the COVID–19 crisis has blurred the lines between personal and corporate environments.” Attackers have been attempting to gain access to enterprise networks through systems too expensive to patch or unable to be updated. 

Specifically, researchers observed a significant increase in attempted exploits on the Remote Desktop Protocol (RDP), as hackers seek to capitalize on the COVID-19 pandemic. 

“By failing to address the security issues related to the termination of Microsoft’s support, they are being left wide open to attack,” researchers warned. “There are many companies, for example, who have still to apply RDP patches — something that should be seen as critical following the significant number of RDP exploits that have taken place over the first half of the year.”

Next Steps

Dig Deeper on Cybersecurity strategies