
COVID-19 Cyber Threat Report 2020 - McAfee Labs (English edition) (40 pages).pdf

McAfee Labs COVID-19 Threats Report
July 2020

Introduction

What a year so far. What started as a trickle of phishing campaigns and the occasional malicious app quickly turned into a deluge of thousands of malicious URLs and more-than-capable threat actors leveraging our thirst for more information as an entry mechanism into systems across the world.

In this “Special Edition” threat report we take a deeper dive into COVID-19 related attacks. Additionally, we have launched the McAfee COVID-19 Threats Dashboard to complement this threat report and extend its impact beyond the publication date. Timeliness is a challenge for publishing any threat report, but through the development of MVISION Insights, our threat reports will link to a live dashboard tracking the world's top threats. We will also make available the IoCs, Yara rules, and mapping to the MITRE ATT&CK framework as part of our continuing commitment to sharing our actionable intelligence. I hope these McAfee resources will be useful to you, the reader.

The dominant theme of 2020 has been the scale and impact cyber-related attacks have had on our wider society. All too often, we are called into investigations where businesses have been halted, or victims have lost considerable sums of money. While we all have had to contend with pandemic lockdown, criminals of all manner of capability have had a field day.

We hope you enjoy these new threat report approaches, and moreover we would appreciate you sharing these findings far and wide. These tools and insights could be the difference between a business remaining operational or having to shut its doors at a time when we have enough challenges to contend with.

Many thanks for your time.

Raj Samani, McAfee Fellow and Chief Scientist
Twitter Raj_Samani

This report was researched and written by: Christiaan Beek, Taylor Dunton, Dan Flaherty, Lynda Grindstaff, Steve Grobman, Tracy Holden, Tim Hux, Abhishek Karnik, Sriram P, Tim Polzer, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Craig Schmugar.

Table of Contents

Spams and Scams
COVID-19 Cyberthreat Timelines, Distribution, and Detection
Threats To Sectors and Vectors
Underground Marketplaces
Threat Actors Target the Cloud
Malware Threats Statistics
URL Scams
Malware Phishing and Trojans
Recommendations
Ransomware

It's no surprise that opportunistic cybercriminals are targeting employees working from home during the COVID-19 pandemic. The need for enterprises to quickly quarantine workforces has challenged SOCs and CTOs to adapt a secure work-from-home model the scope of which the security industry has never experienced. Providing the collaboration and productivity systems sufficient to fuel a functioning work-from-home force has required a greater reliance on personal cyber hygiene as employees balance their everyday at-home bandwidth with the technical demands of their jobs.

The workforce is also distracted by the anxieties created by a departure from normalcy and routine, dealing with their family's needs at a time when the requirements of quarantining such as social distancing, personal protection equipment requirements, supply-and-demand shortages, increasing unemployment, and a full stop on the mental benefits of expectations and routines.

Cybercriminals see a remote, distracted, and vulnerable workforce as opportune targets. Cybercriminals are using COVID-19-themed ransomware, RDP exploits, scam URLs and spam designed to lure remote workers into mishandling external engagement. Clicking an unverified link or opening an ill-advised attachment, and other engagements designed to unleash their full arsenal of malware with tactics and techniques honed to target pandemic vulnerabilities and breach internal corporate resources.

Since early reports of the Coronavirus, McAfee researchers have focused our security research and resources on the tactics and techniques cybercriminals have wielded during the pandemic's progression. We have worked to keep our customers and security community safe through the monitoring and adaptation of our detection stack to better manage the COVID-19 threat landscape. Consult the McAfee Threat Center for the latest in evolving COVID-19 threats.

COVID-19 Cyberthreat Timelines, Distribution, and Detection

Threats to Sectors and Vectors

The volume of threats related to COVID-19 has been significant, with lures used in all manner of attacks. McAfee has observed malicious detections in almost all the countries impacted by the COVID-19 pandemic, although the volume differs greatly.

Global Detection Heat Map

The McAfee COVID-19 Threat Dashboard uses intelligence gathered and updated daily by McAfee Advanced Programs Group (APG). McAfee first observed a detection for known IoCs in mid-January. We observed detections in almost all the countries which have been impacted by the COVID-19 pandemic.

Figure 1. Our COVID-19 Threats Dashboard extends the impact of this report with daily updated intelligence provided by McAfee Advanced Programs Group (APG).

[Chart: Publicly Disclosed Security Incidents By Region (number of reported breaches), Q4 2019 and Q1 2020. Regions: North America, Multiple, Europe, Asia, Australia. Source: McAfee Labs, 2020.]

Figure 2. McAfee Labs counted 458 publicly disclosed security incidents in the first quarter of 2020, including those in which the region target was non-applicable, an increase of 41% from Q4 of 2019. Disclosed incidents targeting North America increased 60% over the previous quarter, while Europe decreased 7%.

[Chart: Top 10 Targeted Countries, Q4 2019 and Q1 2020. Labels: U.S., Multiple, N/A, Great Britain, Italy, France, India, Australia, Canada, Spain, Germany. Source: McAfee Labs, 2020.]

Figure 3. Disclosed incidents targeting the United States in Q1 2020 increased 61%, Great Britain increased 55%, and Canada increased 50% over the previous quarter.

[Chart: Top 10 Targeted Industry Sectors, Q4 2019 and Q1 2020. Labels: Entertainment, Individual, Multiple Industries, Public, Healthcare, Education, Finance/Insurance, Manufacturing, Technology, Retail/Wholesale.]

Figure 4. Disclosed incidents detected in the first quarter of 2020 targeting Multiple Industries increased 94%, the Public sector increased 73%, the Individual sector increased 59%, and Manufacturing increased 44%, while incidents in Science and Technical decreased 19%.

[Chart: Top 10 Attack Vectors, Q4 2019 and Q1 2020.]

Figure 5. Overall, malware led disclosed attack vectors in the first quarter of 2020, followed by account hijacking and targeted attacks. Disclosed malware attacks increased by 33% from the previous quarter, account hijacking attacks increased by 71%, and Targeted Attacks increased by 60%.

Security incidents data is compiled by McAfee Labs from several sources.

Malware Threats Statistics

The first quarter of 2020 saw significant increases in several threat categories:

McAfee Labs observed 375 threats per minute in Q1 2020.
New PowerShell Malware increased 689% in Q1 2020 when compared to the previous quarter. This increase can largely be attributed to the Donoff family of TrojanDownloader. Donoff also played a significant role in a 412% increase of New Macro Malware during Q1 2020. Total PowerShell malware grew 1,902% over the previous four quarters.
New Mobile Malware increased 71% during Q1 2020 compared to the previous quarter, primarily due to Trojans. Total mobile malware grew nearly 12% over previous four quarters.
New IoT Malware (58%) and New MacOS Malware (51%) rose by more than 50%.
New Coin Miner Malware increased 26%.
New Linux rose 8%.

The following categories showed reductions in Q1 2020 compared to the previous quarter:

New Exploit Malware decreased 56%.
New JavaScript Malware decreased 38%.
New Malware decreased 35%.
New Ransomware decreased 12%.
New Malicious Signed Binaries decreased 11%.

[Charts, by quarter, 2019 to 2020: Total Malware; New PowerShell Malware; New Macro Malware; New Mobile Malware; New IoT Malware; New iOS Malware; New Coin Miner Malware; New Linux Malware; New Exploit Malware; New JavaScript Malware; New Ransomware; New Malware; New Malicious Signed Binaries. Source: McAfee Labs, 2020.]

Threat Actors Target the Cloud

The sudden, large-scale shift of the global workforce to work from home included a growth as high as 775% according to Microsoft. In compiling the McAfee Cloud Adoption and Risk Report - Work From Home edition, McAfee aggregated and anonymized cloud usage data from more than 30 million McAfee MVISION cloud users worldwide between January and April 2020.

The amount of threats from external actors targeting cloud services increased 630% with the greatest concentration on collaboration services like Microsoft 365. McAfee separated external threats into two categories, both typically involving the use of stolen credentials:

Excessive Usage from Anomalous Location. This begins with a login from a location that has not been previously detected and is anomalous to the user's organization. The threat actor then initiates high-volume data access and/or privileged access activity.

Suspicious Superhuman. This is a login attempt from more than one geographically distant location impossible to travel to within a given period of time. McAfee tracks this across multiple cloud services; for example, if a user attempts to log into Microsoft 365 in Singapore, then logs into Slack in California five minutes later.

[Chart: Total and External Cloud Threats: January to April 2020. Global Threat Count (Normalized) by Week Number, 2020. Series: All Threats; External: Excessive Usage from Anomalous Location; External: Suspicious Superhuman.]

Figure 6. Cloud threat events across all industries.

Internal or insider threat categories remained the same, indicating that employees didn't take advantage of working from home to attempt to steal more data. Most of the attacks McAfee observed were external cloud-native threats directly targeting cloud accounts.

McAfee ran an analysis of the source IP addresses used in attacks from external actors to see the locations they were sourced from. While source IP can't be used to determine attribution for an attack, it does offer a view of attack data that can assist with the implementation of security controls. The IPs monitored were not only used to attack cloud accounts, but also other malicious activity, pointing to the reuse of criminal infrastructure for multiple attacks. The data in the following IP chart indicates the number of IP addresses used to launch attacks by size of circle, and the peak number of threat events targeting individual organizations from these IPs by depth of color.

Vertical Focus: Cloud Threats

Transportation and Logistics, Education, and Government experienced the largest increases in internal and external threat events in their cloud accounts. These industries increasingly depend on cloud services for productivity, and likewise, attackers followed the trend with attempts to access their accounts and exfiltrate data.

[Chart: Percentage Increase In Cloud Threats by Vertical: January to April 2020. Labels as extracted: Energy and Utilities, Financial Services, Manufacturing, Government, Education, Transportation and Logistics. Values as extracted: +773%, +679%, +571%, +472%, +1,114%, +1,350%.]

Figure 7. Increase in cloud threat events by industry.

The top 10 source IP geolocations for external attacks on cloud accounts from January to April 2020 (sorted by number of IPs used) are:

1. Thailand
2. USA
3. China
4. India
5. Brazil
6. Russian Federation
7. Laos
8. Mexico
9. New Caledonia
10. Vietnam

Note: None of the countries in our top 10 are in Europe, which wields some of the most stringent data protection regulations in the world. The majority originated from countries historically active in cybercrime and others lacking resources to enforce cybercrimes regulations.

[Map: Source IP Geolocation for External Cloud Threats: January to April 2020.]

Figure 8. Global view of external attack sources on cloud accounts by source IP geolocation.
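
The "Suspicious Superhuman" category described in the cloud section above can be illustrated with a minimal impossible-travel check that correlates logins across cloud services per user. This is an added example, not code from McAfee or the report; the 1,000 km/h speed ceiling, the 100 km minimum distance, the event fields, the function names and the sample events are all assumptions made for the illustration.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 1000.0  # assumed ceiling: faster than a commercial flight
MIN_KM = 100.0          # assumed floor: ignore GeoIP jitter between nearby points

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_superhuman(events, max_speed_kmh=MAX_SPEED_KMH, min_km=MIN_KM):
    """Return (user, earlier, later, km, hours) for consecutive logins by one
    user, on any cloud service, that would require an impossible travel speed."""
    alerts, last_seen = [], {}  # last_seen: user -> most recent login event
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600.0
        # Simultaneous logins far apart are always impossible; otherwise
        # compare the implied speed with the ceiling.
        if km >= min_km and (hours == 0 or km / hours > max_speed_kmh):
            alerts.append((ev["user"], prev, ev, round(km), hours))
    return alerts

def login_event(user, service, ts, city, lat, lon):
    return {"user": user, "service": service, "time": datetime.fromisoformat(ts),
            "city": city, "lat": lat, "lon": lon}

# Constructed sample events (not McAfee data); coordinates are approximate.
SAMPLE_EVENTS = [
    login_event("alice", "Microsoft 365", "2020-03-02T09:00:00", "Singapore", 1.35, 103.82),
    login_event("alice", "Slack", "2020-03-02T09:05:00", "California", 37.77, -122.42),
    login_event("bob", "Microsoft 365", "2020-03-02T08:00:00", "London", 51.51, -0.13),
    login_event("bob", "Slack", "2020-03-02T20:30:00", "New York", 40.71, -74.01),
]

if __name__ == "__main__":
    for user, a, b, km, hours in find_superhuman(SAMPLE_EVENTS):
        print(f"{user}: {a['service']} in {a['city']} -> {b['service']} in "
              f"{b['city']}, {km} km in {hours * 60:.0f} min")
```

Only the Singapore-to-California pair is flagged; the London-to-New York pair, 12.5 hours apart, stays under the assumed speed ceiling. In practice VPN egress points and coarse GeoIP data produce false positives, so an alert of this kind is a triage signal rather than proof of credential theft.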
