As companies adopt remote work and telecommuting systems in response to the COVID-19 situation, the risk of becoming a target of cybercrime has increased. Security threats that target the gaps between the online services and digital technologies needed for remote work and the existing information systems and IT infrastructure of companies are becoming more prominent. Security experts are of the opinion that cybercriminals are taking advantage of the COVID-19 situation.
According to the industry on the 1st, major domestic information security companies point to the following as the common threads among the security threats of the first half of this year: the distribution of ransomware and malware targeting the entire industry, including corporate work environments and infrastructure; social engineering attacks that exploit the COVID-19 situation; and the expansion of threat activity by state-backed hacker organizations. Below are the first-half threat trend analyses announced by AhnLab, East Security, Igloo Security, and ADT Caps.
AhnLab, a comprehensive information security company that provides network security solutions, security monitoring services, and cloud security management, announced its ‘Top 5 major security threat trends in the first half of 2021’ on the 16th. The five selected trends were ‘increasing targeted ransomware attacks’, ‘continuing attacks abusing organizational infrastructure solutions’, ‘distribution of information-stealing malware disguised as business emails’, ‘active use of social issues for cyberattacks’, and ‘activity of presumed state-sponsored hacking groups’.
Attackers invaded corporate and institutional computer networks with targeted malware attacks to steal data, infect systems with ransomware, and threaten to distribute the stolen data to those who did not respond to payment. AhnLab advises that an organization that has been attacked once and has internal information stolen can become a target of other threats, so it should be prepared by using security solutions and strengthening security education for internal employees.
Attacks that exploit organizational infrastructure solutions and supply chains, such as an attempt to hijack an Active Directory (AD) server using a penetration test tool and the distribution of ransomware targeting the vulnerability of the recent IT security management solution ‘Kaseya VSA’, continued from last year to the first half of this year. Vulnerability attacks in virtual private network (VPN) solutions required for remote work also occurred. In addition to general security policies, it is necessary to enhance response capabilities by using threat intelligence services.
According to statistics from the AhnLab Security Response Center (ASEC), information-stealing malware such as ‘Formbook’ and ‘Agent Tesla’ was the most frequently found malicious code in the first half of this year. It was distributed through Korean-language business emails impersonating real companies or customers, with subjects such as invoices and order forms, that induce the recipient to open an attachment or execute a malicious URL link in the body. Avoid executing attachments and URLs in emails from unknown sources.
Due to the COVID-19 situation, there have been many attacks that send malicious emails or text messages using keywords of high social interest to induce execution of attachments or URL links in the body. In the first half of this year in particular, attacks used expressions such as the movements of confirmed patients, disaster relief payments, and information on support for small businesses. Experts said, “There is a high possibility that attackers will use keywords closely related to daily life,” and advised users to “use verified websites and platforms.”
The activities of hacker organizations presumed to be state-sponsored were not limited to specific fields but appeared broadly across politics, society, economy, culture, defense, medical care, and cryptocurrency. There were also cyberattacks against domestic and foreign pharmaceutical companies developing vaccines and treatments for COVID-19. Techniques such as exploiting vulnerabilities in programs linked to web browsers and building phishing sites that impersonate well-known domestic portals are becoming more advanced, so keeping the programs in use updated to the latest version is required.
Ransomware, social engineering attacks, and the expansion of threats by state-sponsored hacking groups were also selected in East Security’s ‘Top 5 major security threats in the first half of the year’, announced on the 21st. East Security particularly pointed to the activities of hacker organizations backed by North Korea, and also highlighted that ransomware is threatening the country’s core infrastructure and that damage from personal information leakage is increasing.
According to East Security, in the first half of this year, North Korean hacker groups such as Lazarus and Thallium (Kimsuky) carried out attacks against specific targets, such as people involved in defense, unification, diplomacy, security, and North Korea affairs. There were cases in which they attacked the country’s core infrastructure and targeted private-sector experts using well-known search services as a staging point, and there are also voices in political circles calling for measures to prevent the recurrence of North Korea’s hacking attacks.
A ransomware attack presumed to have been carried out by the Russian hacker organization ‘DarkSide’ resulted in large-scale damage, including the shutdown of the systems of ‘Colonial Pipeline’, an American oil pipeline operator. Although the FBI successfully seized and recovered $2.3 million worth of cryptocurrency, about half of the amount paid to the hackers, warnings have been issued that countries around the world must prepare for such attacks in the future.
The topics of social engineering attacks with the theme of COVID-19 are becoming more diverse. In addition to the points pointed out by AhnLab, East Security recently announced that phishing emails and smishing attacks under the themes of ‘vaccine reservation’ and ‘vaccine-related survey’ are underway as the COVID-19 vaccine is distributed and inoculated. The spread of COVID-19, which had stalled at the beginning of this year, is expected to accelerate again, and such attacks are expected to continue for the time being.
Along with smishing, a number of malicious app attacks occurred, mainly threatening Android smartphone device users. Messages containing malicious URLs were sent to users in texts written with materials such as parcel delivery, health checkup, finance, investigative agencies, cryptocurrency, and wedding invitations, and when the URL was executed, a malicious app was installed on the device. The malicious app stole the device’s photos, contacts, call history, location information, etc. and caused damage that interfered with the use of the device.
The damage from a series of hacking attacks has expanded beyond the affected companies themselves to the leakage of personal information of ordinary customers stored in their information systems. The ransomware attack on a well-known domestic automobile manufacturer exposed customer personal information and internal company data on the dark web, and the information systems of its overseas subsidiary were disrupted. Cryptocurrency exchanges, medical institutions, game companies, and e-commerce companies also suffered personal information leaks.
The first-half trend reports announced by Igloo Security on the 26th and ADT Caps on the 30th, respectively, cited the industry-wide spread of ransomware attacks, including ‘supply chain attacks’ through third-party software (SW) and the US Colonial Pipeline case; the increase in threats from state-sponsored hacker organizations, North Korea among them; the increase in cases of internal information theft; the increase in information leakage damage through the dark web; and the threat of attacks taking advantage of the COVID-19 issue.
Igloo Security first introduced the threat and severity of supply chain attacks. As representative examples, it pointed to the so-called ‘SolarWinds Orion’ malware incident, which affected 18,000 organizations including major U.S. security and national institutions and security companies, and the ‘Microsoft Exchange Server ProxyLogon vulnerability’ hacking, which caused damage to 5,000 systems in 115 countries. It also recommended preparing for attacks on VPNs, whose usage has increased due to telecommuting.
Attacks that caused large-scale damage with ransomware included ‘Ransomware as a Service (RaaS)’, a profit-sharing model between hackers who provide the malicious code and the criminals who actually carry out attacks. The attackers attempted to maximize their criminal profits by demanding money not only for the unauthorized encryption of data with ransomware, but also for data stolen and leaked before encryption and for distributed denial of service (DDoS) attacks.
Igloo Security also pointed out how cybersecurity is spreading into diplomatic disputes between countries, citing the US government, which named a state-sponsored hacker organization as being behind the hacking of national security facilities and the supply chain attacks of the first half of the year, and announced a related executive order. As one of the social engineering techniques, it analyzed that malicious use of newly registered domains containing COVID-19-related keywords such as ‘Covidvirus’, ‘Covid19’, and ‘pandemic’ has increased.
ADT Caps also identified supply chain attacks, email phishing, corporate information leakage on the dark web, personal information leakage, and ransomware as issues. Thirty percent of breaches were concentrated in the manufacturing industry; ‘credential stuffing’, which attempts to log in to another site with account information leaked from one site, accounted for 33% of the causes; and 36% of breach types were ‘malware infection’. ADT Caps accordingly emphasized operational technology (OT) and industrial control system (ICS) security across the manufacturing sector.
ADT Caps also laid out remote work threat scenarios in three areas: the home, shared workspaces, and the cloud. When working from home, it pointed to the possibility of attacks on PC vulnerabilities, phishing, and physical intrusion. In shared offices and public places, it warned of intrusion using duplicated access cards, credential stuffing, and hijacking of public Internet routers. For the cloud, credential stuffing against cloud services, attacks through remote workers’ PCs, and cloud supply chain attacks through third parties were also pointed out.