Q4 2020 and Year in Review Threat Report
A chaotic year shook up business operations and cybersecurity. Review the highlights below and download the full report for our in-depth analysis.
Download the full report
Lesson learned in 2020: Cybersecurity is not a solo effort.
COVID-19 and the shift to work-from-home taught us a few things: the importance of deployment speed, the need to accept new levels of risk, and the need to work with what we have. The top takeaway? A cybersecurity strategy has to be customized and multipronged.
Top Findings at a Glance
MALWARE: Largest spike in ransomware ever observed in Q4 (a 10,000% spike in ransomware was observed in Q4).
BOTNETS: Highest number of infections in May (135,075 infections per week in May 2020).
EXPLOITS: Extreme rise in Fortinet SSL-VPN activity in Q4 (4,176%).
Q4 in Review
OCTOBER 15: Election-based Phishing Scams on the Rise
OCTOBER 21: Egregor Ransomware Samples Shared on Social Media
NOVEMBER 2: Hospitals and Healthcare Agencies Targeted in Ransomware Attack
NOVEMBER 3: Maze Ransomware Gang Announces Closing of Maze Project
NOVEMBER 5: Google Drive Notifications Abused in New Phishing Campaign
NOVEMBER 18: Holiday Shopping Phishing Scams on the Rise
NOVEMBER 25: Threat Actor Posts Exploits for Vulnerable Fortinet Devices
DECEMBER 4: APTs Target Fortinet SSL-VPN (CVE-2018-13379)
DECEMBER 8: NSA Advisory: Russian Threat Actors Exploit VMware Vulnerability
DECEMBER 14: CISA Directive: Active Exploitation of SolarWinds Orion Software
Let's Dive Into the Data
In Q4, the Visual Basic for Applications (VBA) macro agent dominated malware activity. Botnet activity declined steadily except for a spike linked to Torpig Mebroot. SMB Login brute force was the top witnessed exploit.
Malware activity declined steadily through the first part of the year and bottomed out in July. VBA agent activity drove a 467% spike in September, and Q4 activity trailed off slightly from there. The predominant lures in malspam emails were COVID-19, the U.S. election, invoices, shipping and package details, and legal documents.
TOTAL MALWARE EVENTS: 5,758,721
UNIQUE VARIANTS: 1,030
INCREASE IN TOTAL ACTIVITY: 57.93%
Total activity in Q4 declined by 30.7% but was still 57.93% higher than in Q3.
Chart: Malware Activity, Q4 2020, weekly event counts (Week 1 to Week 11) with moving average.
Cybersecurity advisory for healthcare organizations targeted by Trickbot and BazarLoader malware in Q4.
Hashes, domains and IP addresses for Emotet and Trickbot/BazarLoader malware are provided as separate intel.
Methodology
Acquisition. Obtain threat intelligence and data from global sources, client devices and reputable third parties.
Analytics. Analyze the data using a combination of machine learning, algorithm scoring and anomaly detection.
Analysis. Scrutinize the research, then score and track existing and new threats.
Alerting. Ingest log data into our cloud-based SIEM, which alerts the security operations center (SOC). The SOC team then notifies clients and works with them to remediate threats.
Action. Improve threat intelligence by applying these insights, reviewing processes and evaluation methods, and disseminating knowledge through sandboxing, malware analysis, honeypot activity and alert creation.
How to Combat
PROACTIVE DETECTION AND MITIGATION MEASURES
To strengthen your defenses against malware activity you will need a multipronged approach that includes endpoint protection platforms and cyber awareness training.
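As an added example (not code from the report or its authors), the following Python script performs the kind of mail-gateway or endpoint triage that catches the VBA macro lures described above: it opens an OOXML document, checks for a vbaProject.bin part, looks for the macro-enabled content type, flags a VBA project hiding behind a macro-free extension such as .docx, and scans the project bytes for auto-execute entry points. The two documents it scans are constructed in memory; the function names and the plain-text stand-in for a VBA project are this example's own assumptions.

```python
"""Triage OOXML Office documents for embedded VBA projects.

Added example, not part of the threat report. Builds two constructed
documents in memory (one clean, one carrying a VBA project while using
the macro-free .docx extension) and scans both.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".pptx"}
MACRO_ENABLED_CT_MARK = ".macroEnabled."          # substring of macro-enabled content types
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
# Auto-execute entry points that malspam macros hook to run on open.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"Workbook_Open", b"Auto_Open", b"AutoExec")


@dataclass
class MacroScan:
    has_vba: bool = False
    macro_enabled_content_type: bool = False
    extension_mismatch: bool = False
    auto_exec_hooks: list = field(default_factory=list)
    verdict: str = "clean"


def scan_office_document(data: bytes, filename: str) -> MacroScan:
    """Inspect an OOXML package for a VBA project and rate it."""
    result = MacroScan()
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result.verdict = "not OOXML (check as legacy OLE .doc/.xls instead)"
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result.macro_enabled_content_type = MACRO_ENABLED_CT_MARK in content_types
        vba_parts = [n for n in names if VBA_PART_RE.search(n)]
        result.has_vba = bool(vba_parts)
        hooks = set()
        for part in vba_parts:
            # Raw-byte scan: a first pass only, real module streams are MS-OVBA compressed.
            blob = zf.read(part)
            hooks.update(n.decode() for n in AUTO_EXEC_NAMES if n in blob)
        result.auto_exec_hooks = sorted(hooks)
    # A VBA project inside a .docx/.xlsx/.pptx means the file was renamed to look harmless.
    result.extension_mismatch = result.has_vba and ext in MACRO_FREE_EXTENSIONS
    if result.has_vba and (result.extension_mismatch or result.auto_exec_hooks):
        result.verdict = "suspicious"
    elif result.has_vba:
        result.verdict = "macros present"
    return result


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal Word package; the VBA part is a plain-text stand-in (assumption)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0Sub AutoOpen()\r\n' stager would go here\r\nEnd Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("invoice.docx", scan_office_document(build_sample(flag), "invoice.docx"))
```

The raw-byte match on AutoOpen and friends is a cheap first pass only: a real vbaProject.bin is an OLE container whose module streams are MS-OVBA compressed, so a production scanner decompresses them (oletools' olevba does this) before matching names.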
TOTAL BOTNET EVENTS: 1,218,224
UNIQUE VARIANTS: 39
DECREASE IN TOTAL ACTIVITY: 19.85%
Chart: Botnet Activity, Q4 2020, weekly event counts (Week 1 to Week 11) with moving average.
Botnet activity remained fairly consistent throughout the year except for May, when activity spiked by 48%. The spike is attributed to the ZeroAccess botnet, the top witnessed botnet of 2020 with close to 1,000,000 sightings.
In Q4, Andromeda and Torpig Mebroot spiked 172% and 1,453% respectively, although overall botnet activity declined.
How to Combat
PROACTIVE DETECTION AND MITIGATION MEASURES
Step up your efforts to stop botnet activity, which is usually detected only after infection. We recommend detecting the malicious activity and quarantining affected devices to limit the botnet's spread through the network.
TOTAL EXPLOIT EVENTS: 51,159,641
UNIQUE VARIANTS: 326
INCREASE IN TOTAL ACTIVITY: 67.84%
Chart: Exploit Activity, Q4 2020, weekly event counts (Week 1 to Week 11) with moving average.
Exploit activity, which increased 116% for the year, reached its highest volume in December. Attackers probed for newly disclosed vulnerabilities as well as old, unpatched ones, with a focus on remote-access services. DoublePulsar was the top utilized technique for the year, followed by SMB Login brute force and HTTP Server Authorization Buffer Overflow.
Q4 exploit activity tracks closely with the release of intelligence about more than 49,000 Fortinet FortiOS SSL-VPN devices vulnerable to CVE-2018-13379 and with a massive increase in SMB Login brute force attempts.
How to Combat
PROACTIVE DETECTION AND MITIGATION MEASURES
Stop exploits before they do harm: patch systems promptly and monitor for exploitation attempts to thwart attackers and decrease risk.
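The following Python code, added here as an example and not taken from the report, shows detection logic for the two exploit patterns above run over constructed log data: a sliding-window count of failed network logons (Windows Security event 4625, logon type 3, the type SMB authentication produces) per source address to surface SMB Login brute force, and a web access log check for the path traversal request shape publicly associated with CVE-2018-13379, the FortiOS SSL-VPN traversal via the /remote/fgt_lang endpoint. Thresholds, field layouts, addresses and log lines are assumptions of this example.

```python
"""Detection logic for SMB logon brute force and CVE-2018-13379 requests.

Added example, not part of the threat report; all events and log lines
below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# --- SMB Login brute force: bursts of failed network logons from one source ---
FAIL_THRESHOLD = 5                     # assumed tuning values
WINDOW = timedelta(seconds=60)


def detect_smb_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """events: iterable of (timestamp, event_id, logon_type, src_ip, user).

    Returns {src_ip: set(users tried)} for every source that produced at least
    `threshold` failed network logons (event 4625, logon type 3) inside `window`.
    """
    recent = defaultdict(deque)        # src_ip -> timestamps of failures still in window
    users = defaultdict(set)           # src_ip -> accounts attempted
    alerts = {}
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if event_id != 4625 or logon_type != 3:
            continue
        q = recent[src_ip]
        q.append(ts)
        users[src_ip].add(user)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[src_ip] = set(users[src_ip])
    return alerts


# --- CVE-2018-13379: traversal through the FortiOS SSL-VPN fgt_lang endpoint ---
FGT_LANG_PATH = "/remote/fgt_lang"
SESSION_FILE = "sslvpn_websession"    # the credential cache the traversal targets


def is_fortios_traversal(request_line: str) -> bool:
    """True when an HTTP request line abuses the lang parameter of fgt_lang for traversal."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != FGT_LANG_PATH:
        return False
    lang = parse_qs(parts.query, keep_blank_values=True).get("lang", [""])[0]
    decoded = unquote(lang)            # parse_qs decoded once; this catches double encoding
    return ".." in decoded or SESSION_FILE in decoded


REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')   # common log format


def scan_access_log(lines):
    """Return [(src_ip, request_line)] for log lines matching the traversal pattern."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if m and is_fortios_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample data: one source spraying eight accounts in 28 seconds, one benign.
_T0 = datetime(2020, 12, 14, 3, 0, 0)
SAMPLE_EVENTS = [
    (_T0 + timedelta(seconds=i * 4), 4625, 3, "203.0.113.5", f"user{i:02d}") for i in range(8)
] + [
    (_T0 + timedelta(seconds=10), 4625, 3, "198.51.100.7", "jdoe"),
    (_T0 + timedelta(seconds=20), 4624, 3, "198.51.100.7", "jdoe"),    # success, ignored
    (_T0 + timedelta(seconds=300), 4625, 3, "198.51.100.7", "jdoe"),   # outside the window
]
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [14/Dec/2020:03:01:10 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1432',
    '203.0.113.5 - - [14/Dec/2020:03:01:11 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 16384',
    '203.0.113.5 - - [14/Dec/2020:03:01:12 +0000] "GET /remote/fgt_lang?lang=%2e%2e%2f%2e%2e%2fdev%2fcmdb%2fsslvpn_websession HTTP/1.1" 404 0',
    '198.51.100.7 - - [14/Dec/2020:03:01:13 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("SMB brute force:", detect_smb_bruteforce(SAMPLE_EVENTS))
    print("FortiOS traversal:", scan_access_log(SAMPLE_ACCESS_LOG))
```

Both checks are intentionally content-based rather than reputation-based: the brute-force rule keys on the burst of 4625 events from one address regardless of which accounts it tries, and the traversal rule matches on the decoded traversal itself, so percent-encoding variants hit the same rule as the plain request.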
2021 Predictions
Unfortunately, there is more in store in the cybersecurity threat scape for 2021.
Download the full report to find out how you can prepare and tighten your security controls around the expected challenges highlighted by our security experts.