By Fady Younes, Cybersecurity Director, Middle East and Africa, Cisco
Cyber criminals have increasingly used the disruption caused by the COVID-19 pandemic to target businesses and organisations across industries in ever more sophisticated malware attacks. Some rely on deception while others install malicious programs onto computers to steal important information. But to effectively immunise an organisation against future threats it is first important to understand what the potential dangers are. Fortunately, Cisco has conducted research to discover the top malware threats across industries in 2020 with in its new “DNS Security” report. It follows extensive analysis of malicious DNS activity and threats from January to December last year.
The report aims to highlight the key trends businesses, across different industry sectors, can expect to face during 2021 so that the right safeguards can be implemented to protect companies and customers. The report was compiled from an analysis of data from Cisco Umbrella, the company’s cloud-based network security platform. It found phishing, trojans, cryptomining and ransomware were the biggest threats faced across industries as varied as Manufacturing, Healthcare, Technology, Finance, Higher Education and Government during 2020.
By conducting this type of research Cisco seeks to raise awareness of the top trends businesses should be aware of so they are better informed of the action they can take to protect employees, consumers and other stakeholders from advanced malware. These findings are based on comparisons of yearly DNS traffic totals to malicious sites by industry.
Cryptomining saw the largest amount of DNS incidents within the Technology sector with 58 percent of all traffic coming from this type of attack. In fact, Technology had the highest level of cryptomining cases of all the industrial sectors studied. Much of this can be attributed to bad actors but it is also possible that as interest surrounding cryptocurrencies has grown it could have led workers to install miners on their company computers. As a result, triggering DNS blocks in Umbrella due to company policy violations.
This was followed by phishing which made up 22 percent of traffic within the industry. Technology also saw the second-highest level of ransomware-related traffic at 6 percent, primarily driven by attacks involving Sodinobiki and Ryuk. Trojan activity at 5 percent was also high with Emotet and Trickbot used to distribute Ryuk.
Phishing resulted in the highest amount of malicious DNS traffic in the Financial Services sector at 46 percent. The sector saw 60 percent more phishing than the next-closest sector, Higher Education. Financial Services may be a more attractive phishing target for attackers simply because of its proximity to money. Supporting this theory is the fact that the sector saw more information-stealing threats than any other industry. At 2 percent, the sector saw five times as much traffic in this category than any other industry. Financial Services also had the second-highest amount of traffic in a number of categories, such as trojans (31 percent), botnets (2 percent), and remote access trojans (RATs) at 2 percent.
Healthcare organisations experienced significant trojan activity at 46 percent, more than any other sector, as well as higher numbers of droppers (2 percent). The main cause of trojan-based activity was related to Emotet. Cisco research found close to seven out of every ten trojans seen within the healthcare was Emotet. Add Trickbot and it made up a total of 83 percent of all trojan-related traffic. Phishing attacks accounted for 29 percent of incidents making it the second highest category while ransomware was also a prominent threat at 2 percent. Ryuk was particularly active, likely associated with the high activity surrounding Emotet. The Healthcare sector was also narrowly edged out of the second-highest place for ransomware, coming in only 1.5 percent lower in overall DNS traffic.
Cryptomining activity was high in the Manufacturing industry with 48 percent of traffic. There were almost three times as many endpoints in the Manufacturing sector involved in cryptomining. This leads Cisco’s researchers to believe that there were more machines resulting in less DNS activity due to less powerful endpoints compared to Technology. Many of these compromised machines may have been involved in the manufacturing process itself or related to Internet of Things (IoT). In these cases, cryptomining would likely have been slower, but could still impact production speeds. Manufacturing is also the most likely to be impacted by ransomware. Businesses in the sector had 20 percent of DNS traffic from this category, almost as much ransomware-related traffic as the next two closest industries combined.
With the shift to remote classes during the COVID-19 pandemic last year, students’ home networks experienced many more malicious attacks that would have otherwise been blocked by campus IT departments. This resulted in drop-offs in malicious activity for this sector in many categories from March onwards, and much lower overall numbers in 2020 than in previous years. However, certain activities that require access to campus resources did register their share of DNS activity with phishing making up the highest amount of attacks at 52 percent. Cryptomining was also a big source of traffic at 27 percent as hackers attempted to siphon off computing resources, or student-discounted cloud computing credits, to run their miners.
The Governmental sector had the most evenly distributed spread of DNS traffic categories. Phishing made up 51 percent of attacks during 2020. Cryptomining, which saw low numbers in the first three quarters of 2020, jumped in October as cryptocurrency values reached a high for the year and continued to climb. However, the month-on-month numbers did not fluctuate through the last quarter of the year, remaining at largely the same elevated level each month taking it to 16 percent of DNS traffic.
Fady Younes, cybersecurity director, Middle East and Africa, Cisco said: “Cisco’s DNS Security Report clearly highlights the ever-evolving cyber threats faced across different industries. The study shows how malicious actors are changing tactics to take advantage of the global situation. No industry or business is fully secure. However, by identifying the top threats stakeholders can be better placed to adapt their computer security, networks and policies in a way that can mitigate any problems as and when they arise. This approach not only safeguards a company but builds trust among customers and business partners”.