Foreword
Welcome to the Q4 2020 issue of the ESET Threat Report!
2020 was many things (“typical” not being one of them), and it sure feels good to be writing about it in the past tense.
As if really trying to prove a point, the pandemic picked up new steam in the last quarter, bringing the largest waves of infections and further lockdowns around the world. Amid the chaos, the long-anticipated vaccine rollouts brought a collective sigh of relief — or, at least, a glimmer of hope somewhere in the not-too-far-distant future.
In cyberspace, events also took a dramatic turn towards the end of the year, as news of the SolarWinds supply-chain attack swept across the industry. With many high-profile victims, the incident is a stark reminder of the potential scope and impact of these types of attacks, which are also exceedingly difficult to detect and prevent.
While not all as earthshaking as the SolarWinds hack, supply-chain attacks are becoming a major trend: in Q4 alone, ESET uncovered as many as the whole sector saw annually just a few years back. And — seeing how much cybercriminals have to gain from them — their numbers are only expected to continue growing in the future.
Luckily, however, threat actors are not the only ones on the offensive. In October 2020, ESET took part in a global disruption campaign targeting TrickBot, one of the largest and longest-lived botnets. Thanks to the combined efforts of all who participated in this operation, TrickBot took a heavy blow with 94% of its servers taken down in a single week.
As we step into the new year, this report offers not only an overview of the Q4 threat landscape, but also commentary on the broader trends observed throughout 2020 as well as predictions for 2021 by ESET malware research and detection specialists.
With work from home being the new normal in many sectors — one of the largest shifts brought by the pandemic — the enormous 768% growth of RDP attacks between Q1 and Q4 2020 comes as no surprise. As the security of remote work improves, the boom in these types of attacks is expected to slow down — for which we already saw some signs in Q4. One of the most pressing reasons to pay attention to RDP security is ransomware, commonly deployed through RDP exploits, and posing a great risk to both private and public sectors.
In Q4 2020, the ultimatums made by ransomware gangs were more aggressive than ever, with threat actors demanding probably the highest ransom amounts to date. And while Maze, a pioneer of combining ransomware attacks and the threat of doxing, closed shop in Q4, other threat actors added more and more aggressive techniques to increase pressure on their victims. Seeing the turbulent developments on the ransomware scene throughout 2020, there is nothing to suggest these rampant attacks will not continue in 2021.
The growth of ransomware might have been an important factor in the decline of banking malware; a decline that only intensified over the last quarter of the year. Ransomware and other malicious activities are simply more profitable than banking malware, the operators of which already have to grapple with the heightening security in the banking sector. There was, however, one exception to this trend: Android banking malware registered the highest detection levels of 2020 in Q4, fueled by the source code leak of the trojan Cerberus.
With the pandemic creating fertile ground for all kinds of malicious activities, it was hardly surprising that email scammers would not want to be left out. Our telemetry showed COVID-19 used as a lure in illicit emails throughout all of 2020. Q4 also saw a rise in vaccine-themed scams, a trend that is expected to continue in 2021.
In a development similar to the cryptocurrency boom of 2017, the value of bitcoin skyrocketed at the end of 2020. This was accompanied by a slight increase in cryptominer detections, the first since October 2018. If cryptocurrencies continue their growth, we can expect to see cryptocurrency-targeting malware, phishing and scams become more prevalent again.
The final quarter of 2020 was also rich in research findings, with ESET uncovering a number of supply-chain attacks: a Lazarus attack in South Korea, a Mongolian supply-chain attack named Operation StealthyTrident, and the Operation SignSight supply-chain attack against a certification authority in Vietnam. Our researchers also discovered Crutch — a previously undocumented backdoor by Turla — and XDSpy, an APT group covertly operating at least since 2011.
For those especially interested in ESET research updates, this report also provides previously unpublished information regarding APT group operations, such as Operation In(ter)ception, InvisiMole, PipeMon, and more. These can be found in the APT Group Activity section.
ESET continues to actively contribute to the MITRE ATT&CK knowledge base, which saw five ESET entries added in the October update. And, as always, ESET researchers took multiple opportunities to share their expertise at various virtual conferences this quarter, speaking at Black Hat Asia, AVAR, CODE BLUE, and many others. If you are hungry for new cybersecurity content from ESET Research, you can look forward to our talks at the RSA conference in May 2021.
ESET presentations are not the only thing for which you can be excited in May — it is also the month when you can expect to read the revamped version of the ESET Threat Report, the T1 2021 report.
Until then… Happy reading, stay safe — and stay healthy!
Roman Kováč, Chief Research Officer