2020 was a big year for COVID and coronavirus, but also for another word starting with the letter c: cyber security. Several incidents have hit the headlines this year, bringing cyber security to the minds of many.
CERT NZ encourages businesses and individuals to report cyber security incidents to us, and our incident report numbers were at an all-time high this year. Between January and September we received 5,712 reports, compared to 4,740 for the entirety of 2019. (Our full 2020 figures will be available in March.)
A year of fits and starts
While it was a busy year, reports to CERT NZ of cyber security incidents started relatively slowly. Well, specifically in the first couple of months. A lull in reported activity around March could perhaps be attributed to lockdowns around the world. Like everyone else during this time, attackers were possibly taking stock of the life-changing situation on both a personal and business level.
As the rest of the world adjusted to the new normal, so too have attackers. They are, if nothing else, adaptive. The lull afforded them time to rework and finesse their operating models.
A surge in the reliance on working, transacting and communicating online, and the haste to facilitate this, created low-hanging fruit for attackers as this was not always done with security at the top of mind. In April we received 820 reports - the most reports CERT NZ has ever received in one month.
As the year draws to a close, we are seeing attackers hitting their stride, and expect to see further refinement of their capabilities, techniques and campaigns next year.
2020 cyber security incidents: financial motivation still leads the way
The majority of incidents we’ve seen this year have been financially motivated, with headline grabbers being ransomware, distributed denial-of-service (DDoS), and multi-stage malware. Each of these has evolved, and it’s worth looking at what has changed this year to see what might be in store for us next year.
Ransomware: The ransomware trend raged on in 2020, with attackers refining their money-making techniques. Over the last couple of years, we have seen attackers understanding the organisation they’ve compromised, and tailoring their ransom demands in response. What once was a stock $10,000 demand regardless of the affected organisation, has now changed to what an attacker thinks an organisation might pay, with some ransom demands of larger organisations hitting $10 million.
New for 2020, double ransom demands have become commonplace. This is when an attacker steals information from the organisation, before encrypting it. The attacker then demands money to decrypt the encrypted data, but also asks the organisation to pay them not to release the data they stole. It’s essentially a double-whammy tactic which attackers are capitalising on.
At this point it’s important to stress that CERT NZ does not recommend anyone pays a ransom. If the files are decrypted, they may have taken copies of them and may attempt to further blackmail you into paying to not release them publicly.
DDoS extortion: DDoS has re-entered many organisations’ mindsets this year after a number of particularly noisy extortion campaigns targeted New Zealand businesses in the second half of 2020.
Far from novel, these kind of attacks tend to come in cycles, and each wave comes with an increase in capability. For example, a few years ago we’d see attackers threatening to hit a website with a 300 gigabit attack. These days they’re actually hitting those numbers, and threatening to hit with 2 terabit. While that may not happen, an organisation that has been targeted should take the threat seriously. You can find out how to manage a DDoS incident here.
Multi-stage malware: We saw a variety of malware trends continuing on from 2019. This includes multi-stage malware attacks, which often end with ransomware. A common multi-stage attack in 2019 was the combination of Emotet, Trickbot, and Ryuk. While we aren’t seeing that particular combo as much in 2020, Emotet is still commonly used to deploy further kinds of malware once it gets a foothold.
After a quiet spell earlier in the year, Emotet had a resurgence through the second half of the year. Through one of our international partners, CERT NZ received 855 reports about Emotet in Quarter 3. Spread through a malicious attachment or link in an email, Emotet is pretty insidious. As well as stealing data, it self-replicates by sending emails to the infected person’s contact list, with malicious documents containing malware and can even infiltrate an existing email thread between contacts.
Unfortunately, Emotet infections can be tricky to detect without specialist knowledge. Anti-virus software and the avoidance of running macros when opening emails are the best defence against it. CERT NZ has actively been reaching out to internet service providers (ISPs) when we receive reports of compromised IP addresses so they can alert their customers, and help them respond and recover.
Glass half full
While people might start running to the hills at this point, take solace in the fact that 2020 wasn’t all bad. There were a number of significant victories in the fight against cyber security incidents.
For instance, the use of two-factor authentication (2FA) is on the rise. We’re also seeing more organisations turning to authenticator apps and hardware tokens, rather than use less secure SMS methods. This is a promising development, as a lack of 2FA remains one of the common causes of incidents we see. Because of this, 2FA is probably the most common recommendation we make when responding to incidents, or in our advisories.
Another positive step has been a significant reduction in the “dwell” time before an attack is discovered. This is the time it takes between an attacker accessing an environment and someone realising they’ve been compromised. Historically, this could be six months or longer - sometimes over a year – enough time for an attacker to wreak plenty of havoc. However, we’ve seen a significant drop in the average dwell time recently, both globally and regionally.
Improved international coordination was another win in 2020. For instance, information sharing amongst the cyber community in the Pacific is growing as a result of work conducted by PaCSON, an operational cyber security community of Pacific working-level cyber security experts. It’s heartening to see how much international engagement has continued and remained strong, despite the challenges we’ve had this year.
Another feather in the cyber resilience cap is more cyber security roles being established within New Zealand organisations. Not too long ago, cyber security was seen as a subset of an IT function and was frequently incorporated into a general IT role. Investing in dedicated cyber security professionals will enable businesses and organisations to really step up their cyber security game in the future.
Looking towards 2021
We expect attackers will continue to test and push boundaries next year. There are always going to be vulnerabilities to exploit. Knowing that most incidents are financially motivated, the goal is to make attacks cost more money. If attacks on New Zealanders don’t turn a profit, then attackers will turn their attentions elsewhere.
When it comes to keeping things safe and secure, perfect security is hard, but getting the basics right is usually enough for most people.
As the first port of call, check out our list of top 11 cyber security tips.
If you have a small to medium business, we have a separate list of 11 tips for your business.
If you’re working as a security professional for a larger organisation, we recommend taking a look at our critical controls.
No matter if you’re at home or at work, CERT NZ is here to help. We have advice to help you defend yourself, and there’s more coming in the New Year. If you have a cyber security incident, report it to us so we can help you recover, and give specific advice about how to prevent it from happening again.