Welcome to our latest McAfee ATR® Threat Report and our coverage of the end of a tumultuous 2020. While you’ll notice a new, enhanced digital presentation showcasing our review of notable threats, this report also includes many new McAfee insights into the threat landscape.
Historically our reports detailed the volume of key threats, such as “what is in the malware zoo.” The introduction of MVISION Insights in 2020 has since made it possible to track the prevalence of campaigns (and their associated IoCs) and determine the in-field detections. This latest report incorporates not only the malware zoo, but new analysis for what is being detected in the wild. We have also added statistics detailing the top MITRE ATT&CK techniques observed in Q4 2020 from Criminal/APT groups.
These new, insightful additions really make for a bumper report! The analysis does not end there, however. The end of Q4 2020 saw the revelation about the SolarWinds breach, and the consequences associated with the compromised organizations. The focus of the narrative within this report will detail the findings of the SUNBURST malware, which of course continues to dominate the headlines in Q1 2021.
In addition to these timely threat campaigns, the pandemic continued to have its effects on the threatscape. McAfee’s global network of more than a billion sensors registered a 605% increase in total Q2 COVID-19-themed threat detections. As you can track on our McAfee COVID-19 Threats Dashboard, pandemic-related campaigns continued to increase in Q3 and Q4 of 2020.
- Letter from Our Chief Scientist
- Threats to Sectors and Vectors
- Malware Threats Statistics
- SUNBURST MALWARE AND SOLARWINDS SUPPLY CHAIN COMPROMISE
- TOP MITRE ATT&CK TECHNIQUES APT/CRIME
We hope you enjoy this new McAfee ATR threat report presentation and find our new data valuable.
McAfee Fellow, Chief Scientist
In this report, McAfee® ATR examines the threats that emerged in the third and fourth quarters of 2020. Our Advanced Threat Research team has aggressively tracked, identified, and researched the cause and effects of the prevalent and news-making campaigns threatening enterprises in the second half of 2020.
The world—and enterprises—adjusted amidst pandemic restrictions and sustained remote challenges, while security threats continued to evolve in complexity and increase in volume. Though a large percentage of employees grew more proficient and productive in working remotely, enterprises endured more opportunistic COVID-19-related campaigns among a new cast of bad-actor schemes. Prominent campaigns such as SUNBURST and new ransomware tactics left SOCs no time to rest.
As your enterprise meets new challenges in 2021, it remains imperative that workforces—both on-site and remote—be alert to potential threats emerging from seemingly routine communications. Remind and test your workforce’s resistance against clicking unverified links and engaging external email attachments. As this report confirms, ransomware and malware targeting vulnerabilities in work-related apps and work processes were active in the last half of 2020 and remain dangerous threats capable of taking over networks and data, while costing millions in assets and recovery costs.
McAfee researchers remain vigilant against new tactics and continuing techniques and focused on the race to thwart threats against our customers and security community. McAfee stands apart in the security industry utilizing one billion global sensors to provide timely intelligence and powerful insight toward defending your business, protecting your assets and helping your workforce remain productive even in a pandemic.
Visit the McAfee Threat Center to tap into industry-leading research and security guidance against the latest and most impactful evolving threats identified by our threat team.
# Threats to Sectors and Vectors
In the third quarter of 2020, the volume of malware threats observed by McAfee ATR averaged 588 threats per minute, an increase of 169 threats per minute (40%). The fourth quarter volume averaged 648 threats per minute, an increase of 60 threats per minute (10%).
Publicly disclosed Security incidents
Cloud Incidents by Country
# Malware Threats Statistics
The third and fourth quarters of 2020 saw significant increases in several threat categories:
- PowerShell threats grew 208% from Q3 to Q4, also pushed by Donoff
- macOS malware exploded 420% in Q3 due to EvilQuest ransomware, but returned to normal levels in Q4
- Office malware surged 199% from Q3 to Q4
- Mobile malware grew 118% from Q3 to Q4 driven by SMS Reg
- New Ransomware, driven by Cryptodefense, grew in volume 69% from Q3 to Q4
- New Linux malware increased 6% from Q3 to Q4
- Coin Miner malware decreased 35% in Q4
New Malware Threats
# SUNBURST MALWARE AND SOLARWINDS SUPPLY CHAIN COMPROMISE
In Q4 of 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll. The trojanized file delivers the SUNBURST malware through a backdoor as part of a digitally signed Windows Installer Patch. Use of a Compromised Software Supply Chain (T1195.002) as an Initial Access technique is particularly critical as it can go undetected for a long period. FireEye released countermeasures that can identify the SUNBURST malware.
McAfee reported on SUNBURST in this blog and additional analysis into the backdoor and continues to track the campaign as SolarWinds Chain Attack Multiple Global Victims with SUNBURST Backdoor through MVISION Insights. McAfee senior vice president and chief technology officer Steve Grobman detailed the game-changing impact of SolarWinds-SUNBURST. Customers can view the public version of MVISION Insights for the latest attack details, prevalence, techniques used and indicators of compromise.
# TOP MITRE ATT&CK TECHNIQUES APT/CRIME
(Top 5 per Tactic)
| Tactic | Technique | Comments |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | Uptick in the usage of this technique in Q4. Multiple reports from CISA and the NSA are warning the industry that state-sponsored threat actors are actively leveraging several CVEs related to public-facing applications such as popular remote management and VPN software. McAfee has observed that, besides state-sponsored groups, ransomware groups were also leveraging this initial access tactic. |
| | Replication Through Removable Media | |
| | Command-Line Interface | |
| | Windows Management Instrumentation | |
| | Registry Run Keys / Startup Folder | |
| Privilege Escalation | Process Injection | Process injection remains one of the top Privilege Escalation techniques. We have observed the usage of this technique by several malware families and threat groups, ranging from RAT tools like Remcos and ransomware groups like REvil to multiple state-sponsored APT groups. We have observed several attacks involving PowerShell injecting code into another running process. |
| | Registry Run Keys / Startup Folder | |
| | DLL Side-Loading | |
| | Exploitation for Privilege Escalation | |
| Defense Evasion | Obfuscated Files or Information | “This is the second most observed technique for Q4 2020. This technique is synonymous for the Cat and Mouse game played between malware and security software. Attackers constantly think of new ways to avoid being detected. One of the noteworthy methods we have observed in Q4 was by the threat actor group APT28 who used VHD files (or virtual hard drives) to package and obfuscate their malicious payload.” |
| | Deobfuscate/Decode Files or Information | |
| Credential Access | Input Capture | |
| | Steal Web Session Cookie | |
| Discovery | System Information Discovery | System Information Discovery was the most used MITRE technique in the campaigns we observed in Q4 2020. The malware in these campaigns contained functionality that gathered the OS version, hardware configuration and hostname from a victim’s machine and eventually communicated it back to the threat actor. |
| | File and Directory Discovery | |
| | System Owner/User Discovery | |
| Lateral Movement | Remote File Copy | |
| | Exploitation of Remote Services | |
| | Replication Through Removable Media | |
| Collection | Data from Local System | |
| Command and Control | Standard Application Layer Protocol | |
| | Remote File Copy | |
| | Commonly Used Port | |
| Exfiltration | Exfiltration Over Command and Control Channel | |
| | Exfiltration Over Alternative Protocol | |
| | Exfiltration to Cloud Storage | |
| Impact | Resource Hijacking | This technique is often used by cryptocurrency mining malware, where a system’s resources are abused to mine cryptocurrency. |
| | Data Encrypted for Impact | The Data Encrypted for Impact technique can be attributed almost solely to ransomware, which remained a top cyber threat in Q4 of 2020. |
| | Inhibit System Recovery | |
Top Ransomware Families and Techniques
McAfee observed a 69% increase in new ransomware from Q3 to Q4 of 2020, with Cryptodefense playing a factor in the surge. Data gathered by the McAfee Advanced Threat Research team include:
Top Families, MITRE ATT&CK Techniques and Primary Sectors
Top MITRE ATT&CK Techniques
In Q4 2020, McAfee joined Microsoft and 17 other security firms, tech companies and non-profits to form a new Ransomware Task Force (RTF) to focus on stopping the rising threat of ransomware.