With a phenomenal shift to remote work last year, bad actors were found leveraging COVID-19-themed threats to disrupt enterprise security operations. As we enter 2021, these concerns are still at the forefront, as McAfee finds even more advanced cyber threats are likely to confront businesses in the months and years ahead.
“The ever-increasing use of connected devices, apps and web services in our homes will also make us more susceptible to digital home break-ins. This threat is compounded by many individuals continuing to work from home, meaning this threat not only impacts the consumer and their families, but enterprises as well. Attacks on cloud platforms and users will evolve into a highly polarized state where they are either “mechanized and widespread” or sophisticated and precisely handcrafted,” says Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research.
According to him, mobile users will need to beware of phishing or smishing messages aimed at exploiting and defrauding them through mobile payment services. The use of QR codes has notably accelerated during the pandemic, raising the specter of a new generation of social engineering techniques that seek to exploit consumers and gain access to their personal data.
“Finally, the most sophisticated threat actors will increasingly use social networks to target high-value individuals working in sensitive industry sectors and roles. A new year offers hope and opportunities for consumers and enterprises, but also more cybersecurity challenges,” says Samani.
In this context, McAfee researchers highlight six threat predictions CXOs should watch for in the coming months.
- Supply Chain Backdoor Techniques to Proliferate
The revelations around the SolarWinds-SUNBURST espionage campaign will spark a proliferation in copycat supply chain attacks of this kind.
This SolarWinds-SUNBURST campaign is the first major supply chain attack of its kind and has been referred to by many as the “Cyber Pearl Harbor” that U.S. cybersecurity experts have been predicting for a decade and a half.
What makes this type of attack so dangerous is that it uses trusted software to bypass cyber defenses, infiltrate victim organizations with the backdoor and allow the attacker to take any number of secondary steps. This could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that result in kinetic damage, or simply implanting additional malicious content throughout the organization to stay in control even after the initial threat appears to have passed.
McAfee believes the discovery of the SolarWinds-SUNBURST campaign will expose attack techniques that other malicious actors around the world will seek to duplicate in 2021 and beyond.
- Hacking the Home to Hack the Office
The increasingly dense overlay of numerous connected devices, apps and web services used in our professional and private lives will grow the connected home’s attack surface to the point that it raises significant new risks for individuals and their employers.
While the threat to connected homes is not new, what is new is the emergence of increased functionality in both home and business devices, and the fact that these devices connect to each other more than ever before. Compounding this is the increase in remote work – meaning many of us are using these connected devices more than ever.
The number of malicious phishing links McAfee blocked grew over 21% from March to November, at an average of over 400 links per home. This increase is significant and suggests a flood of phishing messages with malicious links entered home networks through devices with weaker security measures.
Millions of individual employees have become responsible for their employer’s IT security in a home office filled with “soft” targets: unprotected devices from the kitchen to the family room to the bedroom. Many of these home devices are “orphaned” in that their manufacturers fail to properly support them with security updates addressing new threats or vulnerabilities. By compromising the home environment, these malicious actors will launch a variety of attacks on corporate as well as consumer devices in 2021.
- Weaponized AI Attacks on Cloud Platforms and Users
Attacks on cloud platforms and cloud users will weaponize AI and evolve into a highly polarized state where they are either “mechanized and widespread” or “sophisticated and precisely handcrafted”.
The COVID-19 pandemic has also hastened the pace of the corporate IT transition to the cloud, accelerating the potential for new corporate cloud-related attack schemes. The increasing proportion of unmanaged devices accessing the enterprise cloud has effectively made home networks an extension of the enterprise infrastructure. We expect that widespread attacks will start weaponizing AI for better efficacy against thousands of heterogeneous home networks.
As many as 65% of users reuse the same password for multiple or all accounts according to a 2019 security survey conducted by Google. AI will be leveraged to exploit this practice at scale. Where an attacker would traditionally need to manually encode first and last name combinations to find valid usernames, a learning algorithm could be used to predict O365 username patterns.
Additionally, instead of launching a classic brute force attack from compromised IPs until the IPs are blocked, resource optimization algorithms will be used to make sure the compromised IPs launch attacks against multiple services and sectors, to maximize the lifespan of compromised IPs used for the attacks. Distributed algorithms and reinforcement learning will be leveraged to identify attack plans primarily focused on avoiding account lockouts.
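One way a SOC could spot the lockout-avoiding spraying pattern described above, as an added example that is not McAfee's code: it aggregates failed logins per source address over a constructed authentication log and flags sources that touch many distinct accounts across several services while keeping each account below an assumed lockout threshold. The log format, the services (o365, vpn, okta) and the two thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
# Fields: timestamp, source IP, target service, account, outcome.
SAMPLE_LOG = """\
2021-01-12T08:00:01Z 203.0.113.7 o365 alice.smith FAIL
2021-01-12T08:00:05Z 203.0.113.7 vpn bob.jones FAIL
2021-01-12T08:00:09Z 203.0.113.7 o365 carol.white FAIL
2021-01-12T08:00:13Z 203.0.113.7 okta dave.brown FAIL
2021-01-12T08:00:17Z 203.0.113.7 vpn erin.black FAIL
2021-01-12T08:00:21Z 203.0.113.7 o365 frank.green FAIL
2021-01-12T08:01:00Z 198.51.100.9 o365 alice.smith FAIL
2021-01-12T08:01:04Z 198.51.100.9 o365 alice.smith FAIL
2021-01-12T08:01:08Z 198.51.100.9 o365 alice.smith OK
2021-01-12T08:02:00Z 192.0.2.44 o365 grace.hall OK
"""

LOCKOUT_THRESHOLD = 5   # assumed per-account policy: failures before lockout
MIN_DISTINCT_USERS = 5  # assumed alert threshold: accounts touched by one source


def parse_line(line):
    ts, ip, service, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, service, user, outcome


def detect_password_spray(log_text):
    """Return {source_ip: summary} for sources whose failed logins touch many
    distinct accounts while every account stays under the lockout threshold,
    i.e. the lockout-avoiding, multi-service pattern the text describes."""
    per_ip = defaultdict(lambda: {"fails": defaultdict(int), "services": set(), "times": []})
    for line in log_text.strip().splitlines():
        ts, ip, service, user, outcome = parse_line(line)
        if outcome != "FAIL":  # only failed attempts are counted for spraying
            continue
        rec = per_ip[ip]
        rec["fails"][user] += 1
        rec["services"].add(service)
        rec["times"].append(ts)
    alerts = {}
    for ip, rec in per_ip.items():
        under_lockout = all(n < LOCKOUT_THRESHOLD for n in rec["fails"].values())
        if len(rec["fails"]) >= MIN_DISTINCT_USERS and under_lockout:
            alerts[ip] = {
                "distinct_users": len(rec["fails"]),
                "services": sorted(rec["services"]),
                "span_seconds": int((max(rec["times"]) - min(rec["times"])).total_seconds()),
            }
    return alerts
```

A production version would bucket by time window and correlate across sources, since the text expects the attempts to be spread over many compromised addresses; the per-source view here is the building block.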
While the volume of sensitive data in motion increases and enterprise cloud postures mature, we also predict that the attackers will be forced to handcraft highly targeted exploits for specific enterprises, users and applications. We believe attackers will start leveraging threat surfaces across devices, networks and the cloud in these ways in the months and years ahead.
- New Mobile Payment Scams
As users become more and more reliant on mobile payments, cyber criminals will increasingly seek to exploit and defraud users with scam phishing or smishing messages containing malicious payment URLs.
Mobile payments have become more and more popular as a convenient mechanism to conduct transactions. Additionally, the COVID-19 pandemic has driven the adoption of mobile payment methods higher as consumers have sought to avoid contact-based payments such as cash or physical credit cards.
McAfee predicts there will be an increase in “receive”-based mobile payment exploits since they provide a quick mechanism for fraudsters that combines phishing or smishing messages with payment URLs.
This could take shape in schemes where fraudsters set up a fake call center running a product return and servicing scam: the actors send a link via email or SMS offering a refund via a mobile payment app, but the user is unaware that they are agreeing to pay rather than to receive a refund. In the same way that mobile apps have simplified the ability to conduct transactions, McAfee predicts the technology is making it easier to take advantage of that convenience for fraudulent purposes.
- Qshing: QR Code Abuse in the Age of COVID
Cyber criminals will seek new and ever cleverer ways to use social engineering and QR Code practices to gain access to consumer victims’ personal data.
Mobile devices continue to be the preferred devices for communication, messaging, entertainment, and quick transactions, and QR codes have emerged as a convenient input mechanism to make mobile transactions more efficient. QR code usage has proliferated into many areas, including payments, product marketing, packaging, restaurants, retail, and recreation, to name a few. Particularly during the pandemic, QR codes are helping limit direct contact between businesses and consumers in every setting from restaurants to personal care salons to fitness studios. They allow consumers to scan the code, shop for the services or items offered, and purchase them easily.
In India, the government’s Unique Identification Authority of India (UIDAI) uses QR codes in association with Aadhaar, India’s unique ID number, to enable readers to download citizens’ demographic information as well as their photographs.
The lack of user knowledge on how QR codes work makes them a useful tool for cyber criminals. They have been used in the past in phishing schemes to avoid anti-phishing solutions’ attempts to identify malicious URLs within email messages. They can also be used on web pages or social media.
In such schemes, victims scan fraudulent QRs and find themselves taken to malicious websites where they are asked to provide login, personal info, usernames and passwords, and payment information, which criminals then steal. The sites could also be used to simply download malicious programs onto a user’s device.
McAfee predicts that hackers will increasingly use these QR code schemes and also broaden them using social engineering techniques. For instance, knowing that business owners are looking to download apps that generate QR codes, bad actors will entice consumers into downloading malicious apps that pretend to do the same. But instead of generating a code, the app will steal the owner’s data, which scammers could then use for a variety of fraudulent purposes. Although the QR codes themselves are a secure mechanism, we expect them to be misused by bad actors in 2021 and beyond.
- Social Networks as Corporate Attack Vectors
McAfee predicts that sophisticated cyber adversaries will increasingly target, engage and compromise corporate victims using social networks as an attack vector.
Cyber adversaries have traditionally relied heavily on phishing emails as an attack vector for compromising organizations through individual employees. However, McAfee has observed more sophisticated threat actors increasingly using social networks such as LinkedIn, WhatsApp, Facebook and Twitter to engage, develop relationships with and then compromise corporate employees. Through these victims, they compromise the broader enterprises that employ them. McAfee predicts that such actors will seek to broaden the use of this attack vector in 2021 and beyond for a variety of reasons.
Operation North Star demonstrates a state-of-the-art attack of this kind. Discovered and exposed by McAfee in August 2020, the campaign showed how lax social media privacy controls, ease of development and use of fake LinkedIn user accounts and job descriptions could be used to lure and attack defence sector employees.
Just as individuals and organizations engage potential consumer customers on social platforms by gathering information, developing specialized content and conducting targeted interactions with customers, malicious actors can use these same platform attributes to target high-value employees with a deeper level of engagement. LinkedIn messaging, for instance, is not the first cyber-attack vector that comes to mind for the corporate security operations center (SOC).