McAfee ATR Threats Report 4⋅21

Writing & Research

  • Christiaan Beek
  • Eoin Carroll
  • Mo Cashman
  • Sandeep Chandana
  • John Fokker
  • Melissa Gaffney
  • Steve Grobman
  • Tracy Holden
  • Tim Hux
  • Douglas McKee
  • Lee Munson
  • Chris Palm
  • Tim Polzer
  • Thomas Roccia
  • Raj Samani
  • Craig Schmugar

Welcome to our latest McAfee ATR® Threat Report and our coverage of the end of a tumultuous 2020. While you’ll notice a new, enhanced digital presentation showcasing our review of notable threats, this report also includes many new McAfee insights into the threat landscape.

Historically our reports detailed the volume of key threats, such as “what is in the malware zoo.” The introduction of MVISION Insights in 2020 has since made it possible to track the prevalence of campaigns (and their associated IoCs) and determine the in-field detections. This latest report incorporates not only the malware zoo, but new analysis for what is being detected in the wild. We have also added statistics detailing the top MITRE ATT&CK techniques observed in Q4 2020 from Criminal/APT groups.

These new, insightful additions really make for a bumper report! The analysis does not end there, however. The end of Q4 2020 saw the revelation about the SolarWinds breach, and the consequences associated with the compromised organizations. The focus of the narrative within this report will detail the findings of the SUNBURST malware which of course continues to dominate the headlines in Q1 2021.

In addition to these timely threat campaigns, the pandemic continued to have its effects on the threatscape. McAfee’s global network of more than a billion sensors registered a 605% increase in total Q2 COVID-19-themed threat detections. As you can track on our McAfee COVID-19 Threats Dashboard, pandemic-related campaigns continued to increase in Q3 and Q4 of 2020.

Figure 01. Weaponizing the challenges of living and working amidst a pandemic remained a popular threat tactic for bad actors as 2020 came to a close. McAfee’s global network of more than a billion sensors registered COVID-19-themed threat detections totaling 445,922 in Q2 2020 (605% increase), 1,071,257 in Q3 2020 (240% increase), and 1,224,628 in Q4 2020 (114% increase).

[Screenshot: the McAfee COVID-19 Threats Dashboard, with a world map shading countries by the number of detections and further charts and graphs beneath it.]

We hope you enjoy this new McAfee ATR threat report presentation and find our new data valuable.

—Raj Samani
McAfee Fellow, Chief Scientist

Twitter @Raj_Samani

#Introduction

In this report, McAfee® ATR examines the threats that emerged in the third and fourth quarters of 2020. Our Advanced Threat Research team has aggressively tracked, identified, and researched the cause and effects of the prevalent and news-making campaigns threatening enterprises in the second half of 2020.

The world—and enterprises—adjusted amidst pandemic restrictions and sustained remote challenges, while security threats continued to evolve in complexity and increase in volume. Though a large percentage of employees grew more proficient and productive in working remotely, enterprises endured more opportunistic COVID-19-related campaigns among a new cast of bad-actor schemes. Prominent campaigns such as SUNBURST and new ransomware tactics left SOCs no time to rest.

As your enterprise meets new challenges in 2021, it remains imperative that workforces—both on-site and remote—be alert to potential threats emerging from seemingly routine communications. Remind and test your workforce’s resistance against clicking unverified links and engaging external email attachments. As this report confirms, ransomware and malware targeting vulnerabilities in work-related apps and work processes were active in the last half of 2020 and remain dangerous threats capable of taking over networks and data, while costing millions in assets and recovery costs.

McAfee researchers remain vigilant against new tactics and continuing techniques and focused on the race to thwart threats against our customers and security community. McAfee stands apart in the security industry utilizing one billion global sensors to provide timely intelligence and powerful insight toward defending your business, protecting your assets and helping your workforce remain productive even in a pandemic.

Visit the McAfee Threat Center to tap into industry-leading research and security guidance against the latest and most impactful evolving threats identified by our threat team.

#Threats to Sectors and Vectors

The volume of malware threats observed by McAfee ATR averaged 588 threats per minute, an increase of 169 threats per minute (40%) in the third quarter of 2020. The fourth quarter volume averaged 648 threats per minute, an increase of 60 threats per minute (10%).

Publicly Disclosed Security Incidents

Cloud Incidents by Country

#Malware Threats Statistics

The third and fourth quarters of 2020 saw a significant increase in several threat categories:

New Malware Threats

#SUNBURST MALWARE AND SOLARWINDS SUPPLY CHAIN COMPROMISE

In Q4 of 2020, FireEye disclosed that threat actors had compromised SolarWinds’ Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll. The trojanized file delivers the SUNBURST backdoor as part of a digitally signed Windows Installer patch, so the malicious component carried a valid vendor signature. Use of a Compromised Software Supply Chain (T1195.002) as an Initial Access technique is particularly critical because it can go undetected for a long period. FireEye released countermeasures that can identify the SUNBURST malware.

McAfee reported on SUNBURST in this blog and additional analysis into the backdoor and continues to track the campaign as SolarWinds Chain Attack Multiple Global Victims with SUNBURST Backdoor through MVISION Insights. McAfee senior vice president and chief technology officer Steve Grobman detailed the game-changing impact of SolarWinds-SUNBURST. Customers can view the public version of MVISION Insights for the latest attack details, prevalence, techniques used and indicators of compromise.

Figure 07. MVISION Insights provides the indicators used by SUNBURST. The indicators will continue to update based on automated collection and human analysis. You can use the indicators to hunt on your network.
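The hunting step the caption describes, hash-based indicator matching, is shown below as an added example; it is not McAfee, FireEye or MVISION Insights code. It walks a directory tree, computes the SHA-256 of each file and reports files whose hash is in an indicator set. Because the SUNBURST DLL carried a valid vendor signature, a signature check alone does not help, so the sweep also flags a file that merely carries the watched DLL name for analyst review. The indicator hash, the sample files and the label strings are all constructed for the example (the real indicators are those published in MVISION Insights).

```python
"""Hash-based indicator sweep (added example, not McAfee or FireEye code).
Walks a directory tree, computes the SHA-256 of each file and reports any
file whose hash is in an indicator set; a file that only carries a watched
filename (here the trojanized DLL name from the SUNBURST case) is reported
separately for triage. All indicator values and sample files below are
constructed for the example."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str, indicators: Dict[str, str],
         watched_names: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return sorted (relative path, label) pairs for every hit under root.

    indicators maps lowercase SHA-256 hex digests to a label (family or
    campaign name). A file whose hash is unknown but whose name is in
    watched_names is labelled for manual review: a hash miss on a file with
    the right name may simply be a build not yet in the feed.
    """
    names = {n.lower() for n in watched_names}
    hits: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if digest in indicators:
                hits.append((rel, indicators[digest]))
            elif fn.lower() in names:
                hits.append((rel, "name-match, hash not in indicator set: review"))
    return sorted(hits)


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway tree with one known-bad file, one clean file that
    shares the watched name, and one unrelated file, then sweep it."""
    bad_bytes = b"constructed sample standing in for a trojanized build\n"
    clean_bytes = b"constructed sample standing in for a clean build\n"
    # Placeholder indicator: the hash of the constructed 'bad' bytes, labelled
    # as a stand-in for a real SUNBURST hash from the intel feed.
    indicators = {hashlib.sha256(bad_bytes).hexdigest(): "PLACEHOLDER-SUNBURST-HASH"}
    dll = "SolarWinds.Orion.Core.BusinessLayer.dll"
    with tempfile.TemporaryDirectory() as root:
        for sub, name, data in (("app-a", dll, bad_bytes),
                                ("app-b", dll, clean_bytes),
                                ("docs", "readme.txt", b"nothing to see\n")):
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            with open(os.path.join(root, sub, name), "wb") as f:
                f.write(data)
        return hunt(root, indicators, watched_names=[dll])


if __name__ == "__main__":
    for rel, label in demo():
        print(f"{label}: {rel}")
```

In practice `hunt` would be pointed at the Orion installation directories on each host with the indicator set loaded from the feed; the name-match path is what turns a hash miss on a suspicious file into a triage item rather than silence.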

#TOP MITRE ATT&CK TECHNIQUES APT/CRIME

Table 1. Exploit Public-Facing Application: McAfee ATR observed an uptick in the exploitation of public-facing applications. Multiple reports from CISA and the NSA warned the industry that state-sponsored threat actors were actively leveraging several CVEs related to public-facing applications such as popular remote management and VPN software. McAfee observed ransomware groups, in addition to state-sponsored groups, leveraging this initial access tactic. Process Injection: McAfee ATR has also observed several malware families and threat groups using this technique, ranging from RAT tools such as Remcos and ransomware groups such as REvil to multiple state-sponsored APT groups. McAfee ATR has also observed several attacks involving PowerShell.

| Tactic | Techniques (Top 5 per Tactic) | Comments |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | Uptick in the usage of this technique in Q4. Multiple reports from CISA and the NSA warned the industry that state-sponsored threat actors are actively leveraging several CVEs related to public-facing applications such as popular remote management and VPN software. McAfee has observed that, besides state-sponsored groups, ransomware groups were leveraging this initial access tactic. |
| | Replication Through Removable Media | |
| | Valid Accounts | |
| | Drive-by Compromise | |
| | Phishing | |
| Execution | User Execution | |
| | Command-Line Interface | |
| | Scripting | |
| | Windows Management Instrumentation | |
| | Scheduled Task | |
| Persistence | Scheduled Task | |
| | Registry Run Keys / Startup Folder | |
| | DLL Side-Loading | |
| | Valid Accounts | |
| | Startup Items | |
| Privilege Escalation | Process Injection | Process injection remains one of the top privilege escalation techniques. We have observed the usage of this technique by several malware families and threat groups, ranging from RAT tools like Remcos and ransomware groups like REvil to multiple state-sponsored APT groups. We have observed several attacks involving PowerShell injecting code into another running process. |
| | Scheduled Task | |
| | Registry Run Keys / Startup Folder | |
| | DLL Side-Loading | |
| | Exploitation for Privilege Escalation | |
| Defense Evasion | Obfuscated Files or Information | This is the second most observed technique for Q4 2020. This technique is synonymous with the cat-and-mouse game played between malware and security software. Attackers constantly think of new ways to avoid being detected. One of the noteworthy methods we observed in Q4 was the threat actor group APT28 using VHD files (virtual hard drives) to package and obfuscate their malicious payload. |
| | Deobfuscate/Decode Files or Information | |
| | Masquerading | |
| | Modify Registry | |
| | Process Injection | |
| Credential Access | Input Capture | |
| | Credential Capture | |
| | Keylogging | |
| | Brute Force | |
| | Steal Web Session Cookie | |
| Discovery | System Information Discovery | System Information Discovery was the most used MITRE technique of the campaigns we observed in Q4 2020. The malware in these campaigns contained functionality that gathered the OS version, hardware configuration and hostname from a victim's machine and eventually communicated them back to the threat actor. |
| | File and Directory Discovery | |
| | Process Discovery | |
| | Query Registry | |
| | System Owner/User Discovery | |
| Lateral Movement | Remote File Copy | |
| | Exploitation of Remote Services | |
| | Replication Through Removable Media | |
| | Logon Scripts | |
| | Remote Services | |
| Collection | Data from Local System | |
| | Screen Capture | |
| | Automated Collection | |
| | Input Capture | |
| | Data Staged | |
| Command and Control | Standard Application Layer Protocol | |
| | Remote File Copy | |
| | Commonly Used Port | |
| | Web Service | |
| | Connection Proxy | |
| Exfiltration | Exfiltration Over Command and Control Channel | |
| | Automated Exfiltration | |
| | Exfiltration Over Alternative Protocol | |
| | Exfiltration to Cloud Storage | |
| | Scheduled Transfer | |
| Impact | Resource Hijacking | This technique is often used by cryptocurrency mining malware, where a system's resources are abused to mine cryptocurrency. |
| | Data Encrypted for Impact | The Data Encrypted for Impact technique can almost solely be attributed to ransomware, which remains a top cyber threat, also in Q4 of 2020. |
| | System Shutdown/Reboot | |
| | Firmware Corruption | |
| | Inhibit System Recovery | |

Top Ransomware Families and Techniques

McAfee observed a 69% increase in new ransomware from Q3 to Q4 of 2020, with Cryptodefense playing a factor in the surge. Data gathered by the McAfee Advanced Threat Research team include:

Top Families, MITRE ATT&CK Techniques and Primary Sectors

Figure 10. The list of ransomware families observed is topped by REvil, Thanos, Ryuk, RansomEXX, and Maze.

Top MITRE ATT&CK Techniques

Figure 11. Top MITRE ATT&CK Techniques observed include File & Directory Discovery (T1083), Data Encrypted for Impact (T1486), Stop Services (T1489), Obfuscated Files or Information (T1027), and System Information Discovery (T1082).

Figure 11. This is an example of how ransomware groups are recruiting other teams or pen-testers to get access to corporate networks. Ransomware groups are no longer relying on spray-and-pray attacks but rather seeking access to high-value targets to steal their information before infecting them with the ransomware. More ransomware groups are looking for bad actors with expertise in backups and ESX servers.

In Q4 2020, McAfee joined Microsoft and 17 other security firms, tech companies and non-profits to form a new Ransomware Task Force (RTF) to focus on stopping the rising threat of ransomware.