Top Network Security Issues, Threats, and Concerns

As 2021 begins, it’s a good time to reflect on the threats the Check Point Research group saw in 2020 to prepare for the year ahead. According to the 2021 Cyber Security Report, the Sunburst attacks that breached thousands of government and private sector organizations were just the tip of the iceberg with regard to 2020 cyberattacks. In fact, 87% of organizations experienced an attempted exploit of a known vulnerability.

In addition to the nation-state style attack of Sunburst, financially motivated threat actors continue to wage malware campaigns. They’re evolving their techniques to use voice phishing (vishing), double extortion ransomware, email thread hijacking, and attacks targeting cloud infrastructures. That said, there are also some silver linings on the horizon.

Top Network Security Issues and Trends

In the 2021 Cyber Security Report, the Check Point Research group outlined the leading network security issues, threats, and trends of 2020.

#1. Supply Chain Attacks

On December 8, 2020, cybersecurity firm FireEye revealed that they had discovered the Sunburst malware on their networks. The investigation into this infection uncovered a massive cyberattack campaign that affected 18,000 organizations, 425 companies on the Fortune 500 (including Microsoft), and also targeted government agencies.

The SUNBURST malware was distributed via compromised updates to the SolarWinds Orion network management software. The attackers managed to compromise SolarWinds using a novel attack against its Office 365 accounts, which allowed them to forge an Azure Active Directory token for a privileged account and use compromised admin credentials to gain access to the company’s update management server.

With access to the SolarWinds update management server, the attackers were able to modify updates while still in the development pipeline to include the backdoor malware. The breadth of this attack made it the most successful known supply chain attack to date. In the SolarWinds attack, monitoring proved essential to first identifying and then responding to the attack.

Preventing future attacks requires implementing security best practices such as:

  • Least Privilege and Network Segmentation: These best practices can help to track and control movements within an organization’s network.
  • DevSecOps: Integration of security into the development lifecycle can help with detecting if software (like the Orion updates) has been maliciously modified.
  • Automated Threat Prevention and Threat Hunting: Security Operations Centers (SOC) analysts should proactively defend against attacks across all environments, including the network, endpoint, cloud, and mobile.
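The DevSecOps point above (detecting whether software was modified after it was approved) can be made concrete with an integrity check in the release pipeline. The following Python is an added example written for this page; it is not code from Check Point, SolarWinds or any product. It assumes the pipeline records a SHA-256 manifest of the approved artifacts and seals that manifest with an HMAC key held outside the build server (hypothetical key management; the key, file names and file contents below are constructed).

```python
"""
Added example (not Check Point's or SolarWinds' code): a release-pipeline
integrity check that detects a build artifact modified after approval.
Assumption: the approval step produces a SHA-256 manifest sealed with an
HMAC key that the build server itself cannot read (hypothetical setup).
"""
import hashlib
import hmac
import json

# Assumption: a real deployment keeps this in an HSM or secret store, not in code.
MANIFEST_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, key: bytes) -> dict:
    """Record the approved digest of every artifact and seal the manifest with an HMAC."""
    digests = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_release(manifest: dict, artifacts: dict, key: bytes) -> list:
    """Return findings; an empty list means the release matches the approved manifest."""
    findings = []
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Check the seal first: if the manifest itself was altered, its digests prove nothing.
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        findings.append("manifest: MAC mismatch (manifest tampered or wrong key)")
        return findings
    approved = manifest["digests"]
    # Walk the union so that missing, added and modified files are all reported.
    for name in sorted(set(approved) | set(artifacts)):
        if name not in artifacts:
            findings.append(f"{name}: missing from release")
        elif name not in approved:
            findings.append(f"{name}: not in approved manifest")
        elif sha256_hex(artifacts[name]) != approved[name]:
            findings.append(f"{name}: digest mismatch (modified after approval)")
    return findings


# Constructed sample: two approved artifacts, then one is altered inside the pipeline.
APPROVED = {"agent.dll": b"approved build output", "installer.exe": b"installer bytes"}
TAMPERED = {"agent.dll": b"approved build output + injected code", "installer.exe": b"installer bytes"}


def demo() -> tuple:
    """Verify the clean release and the tampered release against the same manifest."""
    manifest = build_manifest(APPROVED, MANIFEST_KEY)
    return (verify_release(manifest, APPROVED, MANIFEST_KEY),
            verify_release(manifest, TAMPERED, MANIFEST_KEY))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean release:", clean or "OK")
    print("tampered release:", tampered)
```

The useful property is that the check fails closed: a tampered manifest is rejected before any per-file comparison, and an artifact that appears only in the release (or only in the manifest) is reported rather than silently accepted.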

#2. Vishing

While phishing is the most well-known type of social engineering attack, other techniques can be just as effective. Over the phone, a visher can employ social engineering techniques to gain access to credentials and other key information, bypass 2FA, or persuade the victim to open a file or install malicious software.

Vishing is a growing threat to corporate cybersecurity. In August 2020, CISA and the FBI issued a warning about vishing attacks, and vishing has been used in malware campaigns and by APT groups. A high-profile attack enabled a teenager to take over several celebrity Twitter accounts in 2020. The threat of vishing will only get worse as deepfake recording technology improves and is more widely available.

Vishing is a low-tech attack, meaning that employee education is essential to protecting against it. Businesses can educate their employees to not give up sensitive information and to independently verify caller identification before complying with requests.

#3. Ransomware

Ransomware was one of the most expensive cyber threats to organizations in 2020. It cost businesses $20B in 2020, up from $11.5B in 2019. In Q3 2020, the average ransom payment was $233,817, a 30% increase over the previous quarter.

In that quarter, nearly half of all ransomware incidents included a double extortion threat. This innovation is designed to improve the probability of the victim paying the ransom. It adds a second threat on top of encrypting files: the attacker first exfiltrates sensitive data and then threatens to publish or sell it. While backups may enable an organization to recover from a ransomware attack without paying, the threat of a breach of sensitive and personal information provides additional leverage to the attacker.

The rise of these double extortion attacks means that organizations must adopt a threat prevention strategy and not rely on detection or remediation alone. A prevention-focused strategy should include:

  • Anti-Ransomware Solutions: Organizations should deploy security solutions designed specifically to detect and eradicate ransomware infections on a system.
  • Vulnerability Management: Patching vulnerable systems or using virtual patching technologies, such as an intrusion prevention system (IPS), is necessary to close off common ransomware infection vectors like the remote desktop protocol (RDP).
  • Employee Education: Educate employees about the risks of opening attachments in or clicking on links in malicious emails.

#4. Thread Hijacking

Thread hijacking attacks use your own emails against you. After compromising an internal email account, an attacker may respond to an email thread with an attachment containing malware. These attacks take advantage of the fact that the email thread looks legitimate…because it is.

Emotet banking malware, one of the largest botnets, topped malware rankings and targeted nearly 20% of global organizations in 2020. After infecting a victim, it uses the victim’s email to send malicious files to new victims. Qbot, another banking malware, employed similar email gathering techniques.

Protecting against thread hijacking requires training employees to watch emails for signs of phishing even when they come from a trusted source and, if an email looks suspicious, to verify the sender’s identity with a call. Organizations should also deploy an email security solution that uses AI to detect phishing and quarantines emails with malicious attachments and/or links.
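The point of thread hijacking is that the thread itself earns trust, so a gateway rule must not relax the attachment check just because a message is a reply. The following Python is an added example written for this page, not code from the original post or from any Check Point product: it parses a message with the standard library, and quarantines a reply in an existing thread when it carries a risky attachment or when its Reply-To domain differs from its From domain. The risky-extension list, the headers consulted and the sample messages are assumptions constructed for the example.

```python
"""
Added example (not from the original post or any product): a mail-gateway
rule for thread-hijacking style replies. Assumptions: risky attachments are
identified by extension (list below is constructed), and a message counts as
part of an existing thread when it carries In-Reply-To or References.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumption: extension list chosen for the example; a real gateway would use content inspection too.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".js", ".vbs", ".exe", ".iso", ".zip"}


def is_reply(msg: EmailMessage) -> bool:
    """A message inside an existing thread carries In-Reply-To and/or References."""
    return bool(msg.get("In-Reply-To") or msg.get("References"))


def risky_attachments(msg: EmailMessage) -> list:
    """Return the file names of attachments whose extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            names.append(name)
    return names


def domain(addr_header: str) -> str:
    """Extract the lower-cased domain from an address header value."""
    _, addr = email.utils.parseaddr(addr_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate(raw: bytes) -> dict:
    """Decide whether a raw RFC 5322 message should be quarantined, with the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if is_reply(msg):
        bad = risky_attachments(msg)
        if bad:
            # Trust in the thread does not override the attachment check.
            reasons.append("reply in existing thread carries risky attachment(s): " + ", ".join(bad))
        reply_to = msg.get("Reply-To")
        if reply_to and domain(reply_to) != domain(msg.get("From", "")):
            reasons.append("Reply-To domain differs from From domain")
    return {"quarantine": bool(reasons), "reasons": reasons}


def constructed_reply(attachment_name: str, reply_to: str = "") -> bytes:
    """Build a constructed sample reply (addresses and content are made up for the example)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Re: invoice"
    m["In-Reply-To"] = "<constructed-original@example.com>"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please see the attached file.")
    m.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return bytes(m)


if __name__ == "__main__":
    for name, rt in (("invoice.docm", ""), ("invoice.pdf", ""), ("invoice.pdf", "alice@example.net")):
        print(name, rt or "-", evaluate(constructed_reply(name, rt)))
```

The Reply-To check is a cheap signal for a hijacked thread being steered to an attacker-controlled mailbox; the attachment check is the one that matters even when every header is genuine, because in a real hijack the From address really is the compromised colleague's.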

#5. Remote Access Vulnerabilities

The surge in remote work in the wake of COVID-19 made remote access a common target of cybercriminals in 2020. The first half of the year saw a dramatic increase in attacks against remote access technologies, such as RDP and VPN. Almost a million attacks against RDP were detected each day.

In the second half, cybercriminals shifted their focus to vulnerable VPN portals, gateways, and applications as new vulnerabilities in these systems became known. The Check Point sensor net saw an increase in attacks against eight known vulnerabilities in remote access devices, including devices from Cisco and Citrix.

To manage the risks of remote access vulnerabilities, organizations should patch vulnerable systems directly or deploy virtual patching technologies such as IPS. They should also protect remote users by deploying comprehensive endpoint protection with endpoint detection and response (EDR) technologies to enhance remediation and threat hunting.

#6. Mobile Threats

COVID-19 dominated the mobile threat sphere. Mobile device use increased dramatically due to remote work, as did malicious apps masquerading as coronavirus-related apps.

Mobile devices were also targets for large malware campaigns, including banking malware such as Ghimob, EventBot and ThiefBot in the US. APT groups also targeted mobile devices, such as the Iranian campaign to bypass 2FA to spy on Iranian expatriates. Notable vulnerabilities on mobile devices were the Achilles set of 400 weaknesses in Qualcomm chips and vulnerabilities in apps like Instagram, Apple’s sign-in system and WhatsApp.

Enterprises can protect their users’ mobile devices with a lightweight mobile security solution for unmanaged devices. They should also train users to protect themselves by only installing apps from official app stores to minimize risk.

#7. Cloud Privilege Escalation

In our wrap-up of the top security issues we come full circle to the SolarWinds attack techniques. Unlike previous cloud attacks, which relied on misconfigurations that leave cloud assets like S3 buckets exposed (and which are still a concern), the cloud infrastructure itself is now being attacked as well.

The SolarWinds attackers targeted Active Directory Federation Services (ADFS) servers, which were also used in the organization’s single sign-on (SSO) system for access to cloud services like Office 365. At this point, attackers used a technique called Golden SAML to gain persistence and hard-to-detect full access to the victim’s cloud services.

Other attacks on cloud identity and access management (IAM) systems were notable as well. IAM roles can be abused using 22 APIs found in 16 AWS services. These attacks rely on a deep understanding of the components, architecture, and trust policy of IaaS and SaaS providers.

Enterprises need holistic visibility across public cloud environments and must deploy unified, automated cloud-native protections. This enables businesses to reap the benefits that cloud brings while ensuring continuous security and regulatory compliance.

Healthcare Attacks were Unprecedented in 2020

The COVID-19 pandemic made healthcare organizations top-of-mind for everyone, including cybercriminals. Some malware campaigns pledged to drop attacks against healthcare, but the promises held no substance – hospitals were still a focus for the Maze and DoppelPaymer malware.

In October, CISA, FBI, and DHS released a warning about attacks against healthcare, mentioning Trickbot malware used to deploy Ryuk ransomware. Also, nation-sponsored APT attacks targeted institutions involved in COVID-19 vaccine development.

Healthcare in the US was the most targeted by cyberattackers. Check Point research saw an increase of 71% from September to October and a global increase of over 45% in November and December.

Silver Linings

While understanding the network security issues and threats of 2020, it’s also important to note the many successful actions by law enforcement – supported by the cyber security community – to track down and indict numerous individuals and threat groups involved in cybercrime around the world.

Some examples of successful cyber law enforcement operations in 2020 include:

  • In October, the Trickbot infrastructure connected to over a million infected hosts was taken down.
  • The EU headed investigations in Operation DisrupTor, in which 179 vendors of illicit goods were arrested and the illicit goods seized by law enforcement.
  • Warrants have been issued for APT group threat actors in Russia and China.
  • Microsoft-led efforts like the TrickBot takedown also took down the Necurs botnet.
  • The British National Cyber Security Center (NCSC) took down more than 22,000 URLs associated with coronavirus-related scams.
  • The Cyber Threat Coalition (CTC) global cyber threat alliance united to share COVID-19 IoCs.
  • Cyber security researchers continue to find and responsibly disclose vulnerabilities.
  • Check Point found and disclosed a cloud RCE vulnerability with the maximum CVSS score of 10.0, as well as the SigRed vulnerability in Windows DNS servers.
  • Industry researchers found bugs in Pulse Secure VPN and F5 Big-IP.
  • Bugs in malware were found that help take the malware down.
  • A buffer overflow bug in Emotet acted as a kill switch that kept the malware down for 6 months, followed by the January 2021 takedown of the Emotet botnet.

Recommendations for Staying Secure

The cyber threats and network security concerns of 2020 are not limited to 2020. Many of these attack trends are ongoing, and 2021 will bring new network security problems and cybercrime innovations. To protect against the evolving cyber threat landscape, we’ve put together the following recommendations:

  • Focus On Real-Time Prevention: Incident detection and response is important, but detecting an attack once it occurs means that the damage may already be done. Focusing on threat prevention over detection limits the damage and cost associated with cyberattacks.
  • Secure Everything: Cybercriminals attack the low-hanging fruit, meaning that they will go looking for easy targets. Organizations need to secure every aspect of their attack surface, including their networks, cloud infrastructure, users, endpoints, and mobile.
  • Consolidate to Gain Visibility: Standalone cybersecurity solutions may be good at solving one problem, but a mess of disconnected security solutions is overwhelming for security teams and results in missed detections. Unifying security makes teams more efficient and more able to rapidly detect and respond to attacks.
  • Apply Zero Trust Paradigms: Excessive permissions and access make it too easy for a mistake or a compromised account to turn into a major security incident. Implementing zero trust enables an organization to manage access to resources on a case-by-case basis, minimizing cybersecurity risk.
  • Keep Threat Intelligence Up-To-Date: The cyber threat landscape is constantly evolving. Organizations require real-time access to threat intelligence to protect themselves against the latest cyber threats.

To learn more about today’s major network security issues, check out the full 2021 Cyber Security Report. You’re also welcome to request a security checkup to identify the issues putting your organization’s security at risk.