Attacks/Breaches

2/17/2021
12:20 PM
Enterprise Windows Threats Drop as Mac Attacks Rise: Report

An analysis of 2020 malware activity indicates businesses should be worried about internal hack tools, ransomware, and spyware in the year ahead.

Just as the COVID-19 pandemic changed the way we live and work, malware operators changed the way they attack enterprise targets. Last year businesses saw Windows malware detections drop and Mac detections rise as criminals tossed old tactics and focused on targeted attacks.

In the "2020 State of Malware" report, Malwarebytes researchers explore how attack techniques changed among criminals who sought to steal information and prey on victims' fears with more advanced threats. Windows malware detections dropped 24% for businesses and 11% among consumers. Mac malware detections went up 31% for companies but down 40% for consumers. 

The most obvious attack pattern across Windows, Mac, and Android came down to data theft, says Adam Kujawa, director of Malwarebytes Labs. COVID-19 changed so much about the way businesses operate; in doing so, it created a new target profile many criminals never considered: people working from home, accessing corporate resources from corporate laptops.

"So the bad guys now had to target folks who aren't where they are 'supposed to be,'" Kujawa explains. Employees are no longer falling for spear-phishing attacks from their office machines. 

"When chaos and confusion rise in the cybercrime world, they tend to both lean on what works and do what they can to prepare for the next stage of attack," he continues.

To prepare for this shift, attackers deployed malware aimed at gathering information, specifically financial data and cryptocurrency wallets. They joined systems to botnets and created backdoors for future access, getting a sense of what people had access to and how vulnerable they were to attack.

These information stealers, spyware, backdoors, and remote access Trojans (RATs) helped criminals figure out how to attack employees in their new environments, which drove the decline in malware detections in the first half of 2020. In the second half, researchers saw the return of big attackers like Trickbot and Emotet; however, they weren't using the same tactics. 

Attackers spent the second half of 2020 "experimenting," launching campaigns with less concern about being stopped and greater confidence in their ability to quickly compromise networks. Researchers noticed upgrades, new exploits added, new tools being utilized, and a new trend of Remote Desktop Protocol brute-forcing that results in manual infection, he says.
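The RDP brute-forcing trend described above is one a security team can watch for directly in Windows Security logs. The following detection logic is an added example written for this page, not code from Malwarebytes or Dark Reading. It models the pattern the report describes: a burst of failed Remote Desktop logons from one address, followed by a successful logon from the same address that would precede a manual, hands-on-keyboard infection. The event records, usernames and IP addresses are constructed for the example; Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive) are the standard Windows values.

```python
"""RDP brute-force burst detection over Windows logon events (added example;
not code from Malwarebytes or Dark Reading). Event ID 4625 is a failed logon,
4624 a successful one, and logon type 10 (RemoteInteractive) is an RDP session.
The records below are constructed for the example and only carry the fields
the detection needs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(time, event_id, user, src_ip, logon_type=10):
    return {"time": time, "event_id": event_id, "user": user,
            "src_ip": src_ip, "logon_type": logon_type}


# Constructed sample: a burst of failures from one address, a later success
# from the same address, one benign typo, and one normal remote session.
SAMPLE_EVENTS = [
    _ev("2020-11-03T02:14:01", 4625, "administrator", "203.0.113.7"),
    _ev("2020-11-03T02:14:09", 4625, "admin", "203.0.113.7"),
    _ev("2020-11-03T02:14:17", 4625, "backup", "203.0.113.7"),
    _ev("2020-11-03T02:14:26", 4625, "svc_backup", "203.0.113.7"),
    _ev("2020-11-03T02:14:35", 4625, "svc_backup", "203.0.113.7"),
    _ev("2020-11-03T02:14:44", 4625, "svc_backup", "203.0.113.7"),
    _ev("2020-11-03T02:15:02", 4624, "svc_backup", "203.0.113.7"),
    _ev("2020-11-03T02:20:00", 4625, "jsmith", "198.51.100.20"),
    _ev("2020-11-03T08:05:10", 4624, "jsmith", "192.0.2.10"),
    _ev("2020-11-03T08:06:00", 4625, "jsmith", "192.0.2.10", logon_type=3),
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Flag a source IP once it reaches `threshold` failed RDP logons inside a
    sliding window, then flag any later successful RDP logon from that IP.
    Returns the alerts in time order."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:          # only RemoteInteractive sessions
            continue
        ip, t = ev["src_ip"], datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625:
            recent = failures[ip]
            recent.append(t)
            while t - recent[0] > window:   # drop failures that aged out
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "rdp_bruteforce", "src_ip": ip,
                               "failures": len(recent), "last_seen": ev["time"]})
        elif ev["event_id"] == 4624 and ip in flagged:
            # The success that turns a noisy burst into an actual intrusion.
            alerts.append({"type": "success_after_bruteforce", "src_ip": ip,
                           "user": ev["user"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Two practical caveats when turning this into a production rule: on hosts with Network Level Authentication enabled, failed RDP authentications are commonly recorded with logon type 3 (network) rather than 10, so real rules usually match both; and the `flagged` set here never expires, whereas a SIEM rule would age it out along with the failure window.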

"I think these groups are empowered by limited security staff protecting corporate endpoints," Kujawa adds, noting that "less users on endpoints in an office reduces eyes that might notice something odd happening on the network." 

A Window Into Windows
The top detections for business Windows machines included Dridex, a banking and information-stealing Trojan that spiked 973% in detections between 2019 and 2020. Farfli, a backdoor bot that gives criminals an entry point they can use or sell, went up 566%. The research also reflects increases in BitCoinMiner and KMS, a detection meant to identify software that enables people to use Microsoft software illegally. Detections of KMS spiked 2,251% in 2020, the report states.

"This suggests, along with the rest of our data, that the disruption from COVID-19 affected both victims and attackers, as many popular forms of malware used in 2019 were benched in favor of either new malware families or re-investment in existing and older malware families," the researchers explain in their report.

Hacking tools, which went up 173%, and information stealers "really took the crown" last year for enterprise threats targeting Windows, Kujawa says, noting that hacking tools were most concerning given how often researchers saw detections used for intrusion and attack. Mimikatz has appeared more often over the past couple of years but spiked in 2020, along with detections for tools like Cobalt Strike, which can aid attackers in quickly exploring and infecting a network. 

Ransomware has continued to threaten Windows, though not in the usual ways. He points to "a big push" by attackers to steal data they can leak or sell online, a move called "double extortion" that has reportedly earned attackers more money than encrypting files alone. 

"This new tactic in ransomware activity means that the confidence the criminals would attempt to establish with the victim is no longer needed," Kujawa says. "This erodes the victim's ability to negotiate with the actor and leaves them in a far worse place than if only their files were encrypted."

Mac Attacks: What's New and Different
Mac malware detections fell from the all-time high Malwarebytes reported in 2019, primarily due to a drop in detections of adware and potentially unwanted programs (PUPs). However, Mac threats targeting businesses increased 31% between 2019 and 2020, and the detections for consumer and enterprise Macs were quite different. 

In consumer products, PUPs made up more than 75% of all detections and adware made up the rest. For midsize to large businesses, PUPs only made up one-third of detections, while adware accounted for nearly two-thirds. Smaller businesses saw similar numbers to consumer devices, with more PUP detections. Business machines saw far more malware as well, researchers say.

The data indicates the main threats to enterprise environments are malware and adware. Of all malware detections on macOS, the top 10 malware families made up more than 99% of the total. Families like ThiefQuest, the most unusual malware researchers saw in 2020, experienced a major spike. ThiefQuest spread through seemingly legitimate installers found on torrent sites; these installers dropped malware in addition to the expected software, researchers explain. Infected Macs would start to see files getting encrypted.

Most non-adware malware activity on macOS has come from targeted attacks, much of which is from nation-state attackers such as North Korea or China, Malwarebytes reports. While there was non-targeted Mac malware in 2020, it was "relatively limited." 

Last year's increase in enterprise Mac threats may be linked to a greater intent by malware authors to use Macs as a stepping stone onto the corporate network, Kujawa suggests. Alternatively, the shift to work-from-home by employees using corporate Mac laptops could be exposing those machines to more threats because they no longer sit under the IT security umbrella of the office.

Picking a Target: Mac vs. Windows
Attacks targeting Windows and Mac devices usually differ for one of two reasons: either the attack only works on a specific OS, or the profile of the target behind the machine is different, Kujawa says.

"Windows tends to give attackers the most capability in attacking a system," Kujawa says. "The ecosystem for Windows allows for all kinds of apps, from all types of developers, with very little [if any] oversight by Microsoft in what becomes available for the operating system."

This makes Windows a better business option, as they have more freedom and customization available, but it could also lead to more vulnerabilities, exploits, and flaws being abused by cybercriminals, he says. 

Macs, alternatively, are harder to target because Apple's limitations on the App Store limit what users and applications are able to do and modify within the OS. This may reduce the usefulness of the OS in some cases, but it makes the Mac a more difficult target compared with Windows, technically speaking, Kujawa explains. Attackers targeting each of these operating systems tend to differ because a single malware family won't work on both – unless it's designed to do so, which he says "is very rare and very hard."

"A Mac attack might require additional social engineering of the victims," he explains. "We see a lot of Mac infections occur because of torrent downloads and/or misleading information about an app that the user installs."

The same goes for Android, which has locked down its operating system to the extent that it's almost entirely up to social engineering, or a lack of monitoring for Google's app store, for a successful malware infection. For this reason, Kujawa says, most Android infections come from third-party app stores. Android users have the freedom to download and install software from wherever they choose; however, this additional freedom may contribute to additional risk.

What to Watch in 2021
Businesses should continue to be concerned about internal hacking tools such as Cobalt Strike and local administrator tools, as researchers notice a spike in "living off the land" attacks. IT security teams should lock down which applications are allowed to run and who is allowed to run them. Many of these tools are seen as legitimate and won't raise an alert until it's too late.
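The advice above has two parts: decide which applications may run, and decide who may run them. The script below is an added example written for this page, not code from Malwarebytes or Dark Reading, and it shows that decision logic as a default-deny policy evaluated over process-creation events: executables are allowed only from approved locations, an administrative tooling directory is restricted to an admin group, and every decision is emitted as an audit record so that launches of dual-use tools are visible even when they are permitted. Enforcement in production belongs to a built-in control such as AppLocker or WDAC, or to an EDR; the policy, the `C:\AdminTools` directory, the users, groups and events are all constructed for the example.

```python
"""Application-control decision logic (added example; not from the Malwarebytes
report or Dark Reading). Default deny, allow by trusted location, restrict
admin tooling to an admin group, and record every decision for the SIEM.
Paths, users, groups and the AdminTools directory are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LocationRule:
    path_prefix: str                             # executables must live under this directory
    allowed_groups: frozenset = frozenset()      # empty means any user may run them


# Hypothetical policy; anything not matched below is denied.
POLICY = (
    LocationRule(r"C:\Windows\System32"),
    LocationRule(r"C:\Program Files"),
    LocationRule(r"C:\AdminTools", frozenset({"IT-Admins"})),   # constructed directory
)

# Tools the article singles out as "legitimate until it's too late". A denied
# launch of one is a high-signal event; an allowed launch still gets reviewed.
# Name matching is only a triage hint, since binaries are trivially renamed.
DUAL_USE_NAMES = frozenset({"mimikatz.exe", "psexec.exe"})


def _normalize(path: str) -> str:
    # Windows paths are case-insensitive and accept either separator.
    return path.replace("/", "\\").lower()


def _under(path: str, prefix: str) -> bool:
    # Directory-boundary aware: C:\AdminTools2 must not match C:\AdminTools.
    return _normalize(path).startswith(_normalize(prefix).rstrip("\\") + "\\")


def evaluate(event: dict, policy=POLICY) -> dict:
    """Decide one process-creation event and return an audit record."""
    image = event["image"]
    groups = frozenset(event.get("groups", ()))
    name = _normalize(image).rsplit("\\", 1)[-1]
    record = {"image": image, "user": event["user"], "name": name}
    for rule in policy:
        if not _under(image, rule.path_prefix):
            continue
        if rule.allowed_groups and not (groups & rule.allowed_groups):
            record.update(action="deny", reason="user not in allowed group",
                          rule=rule.path_prefix)
            break
        record.update(action="allow", rule=rule.path_prefix)
        # Allowed is not the same as uninteresting: admin tooling is still reviewed.
        record["review"] = bool(rule.allowed_groups) or name in DUAL_USE_NAMES
        return record
    else:
        record.update(action="deny", reason="not in an approved location", rule=None)
    record["severity"] = "high" if name in DUAL_USE_NAMES else "medium"
    return record


def evaluate_all(events, policy=POLICY):
    return [evaluate(e, policy) for e in events]


def denied_high_severity(records):
    """The denials worth paging on: blocked launches of known dual-use tools."""
    return [r for r in records if r["action"] == "deny" and r["severity"] == "high"]


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "jdoe", "groups": ["Users"], "image": r"C:\Windows\System32\notepad.exe"},
    {"user": "jdoe", "groups": ["Users"], "image": "c:/windows/system32/cmd.exe"},
    {"user": "jdoe", "groups": ["Users"], "image": r"C:\Users\jdoe\Downloads\invoice_2020.exe"},
    {"user": "jdoe", "groups": ["Users"], "image": r"C:\AdminTools\psexec.exe"},
    {"user": "ops1", "groups": ["Users", "IT-Admins"], "image": r"C:\AdminTools\psexec.exe"},
    {"user": "jdoe", "groups": ["Users"], "image": r"C:\Users\Public\mimikatz.exe"},
    {"user": "jdoe", "groups": ["Users"], "image": r"C:\AdminTools2\evil.exe"},
]


if __name__ == "__main__":
    for record in evaluate_all(SAMPLE_EVENTS):
        print(record)
```

The point of the `review` field is the one the article makes: an admin tool launched by an administrator from its approved directory is allowed, but it is exactly the event a "living off the land" intrusion would look like, so it is logged for review rather than silently permitted.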

Ransomware will also continue to pose a threat, says Kujawa, who notes researchers observed attackers switching tactics and the emergence of big ransomware families such as Maze and Egregor. The rise of "double extortion" attacks, combined with an increase in malware that can spread laterally, will pose a threat to businesses in the year ahead. 

Spyware and backdoors should also be top of mind, he notes. Much of the malware distributed toward the start of the pandemic was designed to provide data and/or access to future attackers, and many of these infections were distributed using a COVID-19-related lure. Kujawa advises businesses to take the time to clean out their systems and check for backdoors that could be used to launch a ransomware attack or other operation when an attacker sees fit.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...